
Interceptor™ Optical Network Security System

Design Guide

Chapter 5: Secure Network Design Methodology


Copyright © 2010 Network Integrity Systems, Inc.

All rights reserved.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Network Integrity Systems, Inc. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks

Network Integrity Systems, Inc., the Network Integrity Systems, Inc. logo, and Interceptor are trademarks of Network Integrity Systems, Inc. Other brands and product names are trademarks or registered trademarks of their respective holders.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, Network Integrity Systems, Inc. reserves the right to make changes to the products described in this document without notice. Network Integrity Systems, Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.


INTERCEPTOR™ Design Guide

© 2010 Network Integrity Systems, Inc. – All Rights Reserved – Issue DG.8.2010 30

Chapter 5 | Secure Network Design Methodology

This section of the Design Guide details several of the basic decisions that must be made in order to establish your secure network design methodology. Over the past five or ten years, secure network requirements have changed dramatically, and the solutions that were deployed in the past are no longer the best options for the future. Given the explosion in connectivity requirements, the need for increased network scalability and performance has escalated. For example, speeds have increased from 10 Mbps to as high as 10 Gbps, with 100 Gbps expected in the near future. Combined with increased concerns surrounding the security and availability of mission-critical networks, this makes it absolutely essential to periodically assess the network design methodology that serves as the foundation of your secure network deployments. The information in this section will guide you through that assessment process.

Deployment Scope

In order to choose an effective design methodology, it is absolutely critical to define, and if necessary to limit, the specific scope of the secure network deployment. For many smaller deployments, the nature of the requirement defines the scope, such as extending SIPRNet to a single office in one particular building. For larger deployments, however, it is often necessary to divide the project or deployment into individual segments that have similar requirements. For example, indoor deployments should be considered separately from outdoor deployments, building riser deployments from horizontal network deployments, and intelligence or command buildings from support buildings. While dividing the deployment into many segments requires additional work, by doing so engineers and end users ensure that they choose a design methodology that closely matches and supports each individual segment’s specific operational and performance criteria. The alternative is a “one-size-fits-all” approach to secure network deployments that drastically increases total cost of ownership and often limits scalability and performance on the network in one or more areas.

Thus, the first step is to determine the individual scope of the network deployment or deployments by using the segmented approach discussed above. Then, for each deployment, determine the specific operational and performance criteria or requirements that the PDS system must meet.


The following hypothetical provides a concrete design-methodology example.

For years, Bravo Command had used a secure network design methodology employing EMT as a hardened carrier PDS system for its SIPRNet deployments inside its facility. With the growth of personnel and increased requirements for SIPRNet, personnel gradually were relocated to portable trailers outside of the main facility, and J6 was tasked with delivering SIPRNet connectivity to each of these trailers. Opting to use EMT as a PDS for SIPRNet deployments, the J6 installed an extensive network of EMT pipes between the main facility and each of the temporary trailers.

The trailers were originally planned for ten to twelve individuals and to be in place for six to nine months, but after more than two years, the trailers were still active and then housing in excess of twenty personnel. The SIPRNet requirements had more than doubled, and the J6 was faced with having to deploy JWICS to some of the trailers. Not only had the capacity of the hardened carrier PDS system been completely exhausted, but several sections of the EMT began to break up and pull apart, which significantly compromised the integrity and security of the PDS system. After spending $100,000 on the original EMT installation, the J6 then was forced to spend another $80,000 on maintaining and expanding the PDS. Currently, with the JWICS requirements looming, it is faced with another $100,000 investment to build a second EMT hardened carrier PDS system to augment the first one. Moreover, the trailers are being considered permanent structures in the facility.

While its original design methodology of an EMT hardened carrier system was very effective for the in-building deployments, the J6 did not define the scope and requirements of this specific secure network deployment. As a result, its design methodology did not meet the operational and performance criteria of the “temporary” trailers, causing the J6 to spend three times more than necessary on the PDS system and still have to contend with the ongoing maintenance and potential replacement of the PDS due to the loss of integrity and security.

Accurately pre-defining the scope of a deployment leads to a lower total cost of ownership and the ability to scale whenever necessary.


Network Media

Key Decision: Whether fiber optic cable or copper cable is ideal for your network.

Historically, government agencies and military installations have relied heavily on copper cabling for voice and data cable requirements. However, with the increase in bandwidth demand, even commercial networks have seen copper cables steadily being replaced with fiber optic cables. Today, well over ninety percent of all outside plant data networks, seventy-five percent of all building trunk or riser networks, over sixty percent of all datacenter cabling, and over thirty percent of all horizontal cabling or workstation drops is now being deployed using fiber optic cables.

The reasons behind this shift are:

1. Network bandwidth and performance requirements are continually increasing;

2. Copper cabling presents significant limitations;

3. The cost of optical components and equipment is steadily decreasing.

In less than ten years, copper cable has evolved through three different generations in order to keep up with bandwidth and performance demands. During the same time period, fiber optic cable has only evolved through a single generation (from 62.5µm multimode fiber to 50µm laser-optimized fiber), and this evolution was not driven primarily by network demands, but rather by a change in the type of optical emitter used in switches.

Considering the economics of network deployments, the largest cost of any deployment is the installation of the network, including the associated labor. From a total cost of ownership perspective, an agency would have had to pay three times as much to keep up with advances in copper cabling as it would have if it had initially deployed its network using fiber optic cable. While optical network equipment is still more expensive than copper network equipment, prices have dropped by more than forty percent over the past few years because of both the increased number of optical network deployments and the reduced cost of components due to economies of scale. Finally, due to the recent economic climate, the cost of copper has been increasing steadily over the past several years, further narrowing the gap between the cost of fiber optic and copper networks.


In addition to the cost and performance advantages that optical networks provide, there are significant security advantages as well, especially when installed in a PDS system. TEMPEST issues have long been a concern for network equipment, as has ensuring effective red/black separation as stipulated by Director of Central Intelligence Directive (DCID) 6/9. A specific concern with network cabling is the potential existence of compromising electromagnetic emanations that originate from the cables. Because copper cables operate on the principle of electrical transmission, there is a high concern and need to protect such cables against these compromising emanations. Protection is accomplished by using shielded copper cables and connectors, by installing all copper cables inside of EMT to minimize the emanations, or both.

However, both of these methods drastically increase the cost of deployment. Even if an agency utilizes shielded cables, there is much debate over whether it is safe or acceptable to run multiple classifications on shielded copper cables through the same PDS system. Thus, if requirements change, or access needs increase to a higher classification, there may be a need to install a completely new PDS system if copper cables are used instead of fiber optic cables. This drastically increases total cost of ownership.

Price Comparison                                   Category-6 UTP (Unshielded)   Category-6 FTP (Shielded)
Cable Pricing (per ft.)                            $0.45 per ft.                 $0.75 per ft.
Connector Price                                    $6.00 each                    $8.00 each
Installation labor                                 ‘X’                           ‘X’ + 30%
50-Drop Network Cost Comparison (Material Only)    $3,975                        $6,425 (a 60% increase)

Table 1: Price Comparison between Category-6 UTP vs. Category-6 FTP

In comparison, fiber optic cables are immune to EMI and RFI, and produce no compromising emanations, since the information is transmitted optically and not electrically. For this reason alone, many government agencies have mandated that all classified networks be deployed using fiber optic cables. Even if the computers that access the network still require a copper connection (or have a copper NIC installed), the agencies would rather deploy fiber-to-copper media converters, if needed, than run the risk of compromising national security information because of the emanations. While fiber optic networks once cost as much as sixty percent more than a similar copper network, fiber optic cable is now less than ten percent more expensive than its copper counterpart. After factoring in the cost of employing EMT or using shielded copper cables, the cost of a fiber optic network becomes comparatively lower. Further, while copper cable costs have been increasing, fiber optic cable prices have been steadily decreasing.

Because there are no compromising emanations associated with fiber optic cable networks, government agencies are also able to run multiple classifications through the same PDS system without any concern of signal bleed-over. In fact, some agencies have even allowed multiple classifications to be deployed in the same cable, as long as the classifications are separated in distinct buffer tubes, ribbons, or subunits (see Figure 1 on the next page). This compatibility greatly enhances the scalability of the network as well as the PDS system to meet future secure network requirements.

Given its security, scalability, and performance advantages, optical cabling has become the de facto standard for any secure network deployment, especially with the dramatic changes in the costs of fiber optic and copper cable and connectors.


Figure 1: Fiber Optic Cable with Distinct Subunits (Buffer Tubes). [Figure not reproduced; labels shown: Classified (SIPR) Fibers; Unclassified (NIPR) Fibers. SIPR: Secret Internet Router Network. NIPR: Non-Classified Protocol Router Network.]


Choosing an INTERCEPTOR Model

Key Decision: Whether to employ basic INTERCEPTOR units or INTERCEPTOR+Plus units for your network.

There are two different types of INTERCEPTOR equipment: the basic INTERCEPTOR unit that uses dark fibers to monitor cables, and the INTERCEPTOR+Plus model that uses either active or dark fibers to monitor cables. The following sections of this guide will compare and contrast both INTERCEPTOR models and assist with the decision of which product to select for your particular network deployment.

The basic INTERCEPTOR is the least expensive INTERCEPTOR unit available. The primary advantage of the basic unit is that it can be installed on any network, new or old, as long as it contains dark (unused) fibers that can be dedicated to the alarm monitoring. On the other hand, the basic INTERCEPTOR requires dedicated dark fibers to operate, unlike the INTERCEPTOR+Plus. Further, there is no migration path for network growth; thus, if spare fibers are available initially, but more are required for data in the future, the end user will be forced to buy an INTERCEPTOR+Plus unit.

Unlike the basic INTERCEPTOR, an INTERCEPTOR+Plus can be installed on any fiber in the cable, active or dark. Additionally, the INTERCEPTOR+Plus can be installed on any network, new or old. Further, it can seamlessly adapt to network growth; that is, dark fibers previously used only for monitoring can be placed into service for carrying network traffic. One downside is that the INTERCEPTOR+Plus is more expensive than basic INTERCEPTOR units. Also, these units require an RTU for each channel if used on active fiber.

The following questions will assist with making the decision of which INTERCEPTOR model to deploy as part of your alarmed carrier PDS system:

1. Are there, or will there be, at least 25% spare dark fibers available in the cables in your network? In other words, are there patchcords installed from a closet or zone box to the workstation, or maxed-out cables between telecom rooms?

2. Do you expect less than 30% growth in the next three to five years in either personnel in the facility or requirements for SIPRNet/JWICS access?

3. Is the initial deployment cost currently a more pressing issue than the total cost of ownership?

If you answered “yes” to all three of these questions, then the basic INTERCEPTOR model is likely to be a suitable option for your network deployment. However, if you presently have less than twenty-five percent spare fibers in some of your network cables, or expect greater than thirty percent growth in either personnel or SIPRNet/JWICS requirements over the next three to five years, then it is a more prudent investment to select the INTERCEPTOR+Plus model as your alarmed carrier PDS solution. If you are still undecided on which INTERCEPTOR product to use, or are unsure of the answer to any of the above questions, then the safest choice is to use the INTERCEPTOR+Plus model.

When using INTERCEPTOR+Plus units to protect active fibers, an RTU is required to be installed at the far end of the network in place of the fiber loopback. However, the RTU purchase can be deferred, until the dark fibers need to be placed into service.
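The three questions, the "all yes or else Plus" rule and the per-channel RTU note above, encoded as a small decision helper for one deployment segment. This is an added example, not code from Network Integrity Systems or the INTERCEPTOR product; the names `DeploymentProfile`, `choose_model` and `rtus_required`, and the treatment of a missing answer as "unsure", are this example's own assumptions.

```python
"""Decision helper for the INTERCEPTOR model-selection questions.

Added example (not code from Network Integrity Systems). It encodes the guide's
three questions and thresholds (25% spare dark fibers, 30% growth over three to
five years, initial cost vs. total cost of ownership), the rule that any "no"
or unsure answer points to the INTERCEPTOR+Plus, and the note that the Plus
model on active fiber needs one RTU per channel. All names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BASIC = "INTERCEPTOR"
PLUS = "INTERCEPTOR+Plus"

SPARE_FIBER_MIN = 0.25   # Q1: at least 25% spare dark fibers in the cables
GROWTH_MAX = 0.30        # Q2: less than 30% growth in three to five years


@dataclass
class DeploymentProfile:
    """Facts about one deployment segment; None means 'unsure'."""
    # Fraction of dark (spare) fibers in each cable, e.g. [0.4, 0.3].
    spare_fiber_fraction_per_cable: Optional[List[float]] = None
    # Expected growth in personnel or SIPRNet/JWICS requirements, as a fraction.
    expected_growth: Optional[float] = None
    # True if initial deployment cost matters more than TCO right now.
    initial_cost_is_priority: Optional[bool] = None
    # Active fiber channels the unit will monitor (drives the RTU count).
    active_channels_monitored: int = 0


def answer_questions(p: DeploymentProfile) -> Dict[str, Optional[bool]]:
    """Map each of the guide's three questions to yes/no/unsure (True/False/None)."""
    q1 = None
    if p.spare_fiber_fraction_per_cable:
        # 'Yes' only if every cable keeps the spare-fiber margin.
        q1 = all(f >= SPARE_FIBER_MIN for f in p.spare_fiber_fraction_per_cable)
    q2 = None if p.expected_growth is None else p.expected_growth < GROWTH_MAX
    return {
        "at least 25% spare dark fibers in all cables": q1,
        "less than 30% growth in three to five years": q2,
        "initial cost more pressing than TCO": p.initial_cost_is_priority,
    }


def choose_model(p: DeploymentProfile) -> Tuple[str, List[str]]:
    """Return the recommended model and the questions that rule out the basic unit."""
    blockers = [q for q, a in answer_questions(p).items() if a is not True]
    # All three 'yes' -> basic unit; any 'no' or unsure answer -> Plus.
    return (BASIC, []) if not blockers else (PLUS, blockers)


def rtus_required(model: str, p: DeploymentProfile) -> int:
    """INTERCEPTOR+Plus on active fibers needs an RTU per channel (the purchase
    can be deferred until dark fibers go into service); the basic unit needs none."""
    return p.active_channels_monitored if model == PLUS else 0


if __name__ == "__main__":
    # Constructed scenario modelled on the trailer hypothetical in this chapter:
    # cables already tight and requirements that have more than doubled.
    trailers = DeploymentProfile([0.1, 0.0], 1.0, True, active_channels_monitored=3)
    model, why = choose_model(trailers)
    print(model, why, "RTUs:", rtus_required(model, trailers))
```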


Secure Network Conveyance: INTERCEPTOR and Interlocking Armored Cables

Any cabling that leaves a CAA or RAA must be protected and provide adequate resistance to overt, covert, or surreptitious attack. This requirement does not necessarily entail preventing an attack, but rather making it more difficult to access the PDS and making any attempt easier to detect. For legacy alarmed carrier PDS systems that relied on “sensing” fibers installed alongside the data cables, a hardened carrier such as EMT or an engineered raceway still had to be constructed to protect the cables, but the alarm system at least allowed the hardened carrier to be built out of view above the ceiling. Obviously, having to pay for both a hardened carrier and a PDS alarm system drastically increased the cost of deploying these legacy alarmed carrier PDS solutions.

However, with the technological advancements made possible by INTERCEPTOR, several CTTAs have recently approved the use of interlocking armored cable, monitored by INTERCEPTOR, in place of the hardened carrier for both SIPRNet and JWICS deployments. Because INTERCEPTOR monitors fibers inside the cable, optical cables with interlocking armor can be used in CONUS and many OCONUS locations to distribute unencrypted classified information outside of a CAA. There are even interlocking armored optical cables that can support multiple classifications in the same cable, so one cable can be installed in place of the traditional three or four cables while still maintaining effective separation of red/black communications.

A key benefit of using interlocking armored cable is that it is a COTS product, which makes it easy to install. For example, it is unnecessary to cut EMT pipes or custom bend them to conform to a specific hallway or room. Interlocking armored cables can be bent or twisted to navigate around any potential obstacles and can simply be installed using j-hooks or d-rings. Compared to the cost of installing EMT, which is what was used on legacy alarmed carrier PDS solutions, interlocking armored cable reduces the labor and installation necessary for a PDS system by upwards of eighty percent, and it also accelerates deployment time by up to eighty percent.

For outside plant deployments between facilities, using armored cables and INTERCEPTOR units with standard duct banks (i.e., without concrete encasement or rebar) is highly dependent upon other compensating layers of security, such as base access control, perimeter defense and detection, and guard presence, among others. Another key criterion for outside plant deployments is the proximity of the proposed alarmed carrier PDS duct bank to the perimeter of the installation, or where an LCA stops and where a UCA begins.

For any outside plant deployment, it is critical to have close interaction with your respective CTTA to ensure that any proposed PDS system, hardened or alarmed, provides the necessary protection for unencrypted classified national security information based upon your specific deployment.


Physical Location and Installation of the INTERCEPTOR

Key Decision: Where to install the alarmed carrier PDS system—above the ceiling, below a raised floor, or along a hallway.

For deployments inside of facilities, INTERCEPTOR systems can be installed out of view. Many new government and military facilities are being constructed with raised flooring throughout. INTERCEPTOR systems have been incorporated into many of these construction projects specifically because of their ability to run interlocking armored cables below the raised floor up to, and including, JWICS.

Key Decision: How to install interlocking armored fiber optic cable for deployment inside of a facility.

Three primary methods exist by which to install interlocking armored fiber optic cable inside of a facility. They are:

1. Using wire baskets or ladder racks

2. Using j-hooks or d-rings, or

3. Using conduits or innerducts.

Photo 1: J-Hook

One of the greatest advantages of the INTERCEPTOR Optical Network Security System is the recent willingness of the CTTA community to review for approval the use of interlocking armored fiber optic cables in place of rigid metallic conduit. This can easily reduce labor and installation costs for in-building deployments by up to fifty percent.

WARNING: While interlocking armored cables provide the necessary physical protection of the network cabling when combined with INTERCEPTOR, it is still important to ensure that the armored cables are installed in accordance with BICSI standards and are properly secured and supported throughout the facility.


Legacy Copper Applications

While the INTERCEPTOR is predominantly used to protect fiber optic cables, there have been some deployments where it has replaced legacy alarmed carrier equipment, or is being used to extend an existing alarmed carrier PDS system that has copper cables distributed above the ceiling in a rigid metallic conduit. In these scenarios, it is impossible to use INTERCEPTOR’s intrinsic monitoring capabilities. Therefore, an optical zipcord must be installed in the EMT or rigid conduit alongside the copper cables, allowing the INTERCEPTOR to monitor the integrity of the conduit using extrinsic monitoring techniques. In this type of application, a basic INTERCEPTOR unit will suffice, since the optical zipcord installed throughout the rigid metallic conduit system will be totally dedicated to INTERCEPTOR monitoring.

Extrinsic monitoring applications need to be precisely and specifically engineered in order to provide the protection and security required without creating a high rate of false alarms. One of the inherent advantages of the intrinsic monitoring technology is that it virtually eliminates false alarms. Contact the System Engineers at Network Integrity Systems for expert assistance.
