Search This Blog

Wednesday, May 27, 2015

Are Fiber Optic Networks Secure?


Unless you have a private network AND you guard every inch or centimeter of it, fiber-optic networks are still vulnerable to wiretapping and eavesdropping.

Even though there is no electromagnetic radiation or crosstalk from a fiber-optic line and, wiretapping is not as simple as clipping on copper wires, eavesdropping on a fiber-optic network can be achieved with splitter/regenerator devices or with micro-bending clamps, which can capture light off the fiber.

The biggest vulnerability exists at the switching and repeater points where signals are split-out and regenerated.  At these points, off-the-shelf (OTS) splitter/regenerator devices can be used to gain access to all the information. This type of tapping can also be done by splicing the line at any other point, and inserting an OTS splitter/regenerator device.  This requires no sophistication, but it results in a one-time interruption which may be noticed and investigated by an alert technician.

A more subtle approach is to use a micro-bending clamp. This bends the fiber and clamps down on it, so that some of the light leaks through the strand which can be detected by an optical photo detector. The result is that the signal passes through unimpeded, while a copy of it is shunted off.

The techniques above are commercially available, and fairly inexpensive. Once the light is captured, an optical to electrical converter, a laptop and a packet sniffer can then be used to gather valuable information. And since this is not an electrical tap, signal reflection methods for measuring wire length to an impedance inflexion (tap) point cannot be used. Once a tap on a fiber-optic line is in place, it is virtually undetectable.

These and other more sophisticated tapping techniques can be found in the public domain.Also in the public domain, there are well known instances of Fiber Optic Network breaches, including:
 In 2000, when three main trunk lines of Deutsche Telekom were breached at Frankfurt Airport
 In 2003, when a tap was discovered hooked into Verizon's network. It was believed to be financial reporting espionage.

Taps have also been found on police networks in Germany and the Netherlands, and in the networks of pharmaceutical giants in the UK and France.

More information can be found on the Web by searching "fiber optic network security".

To encrypt fiber optic communications, TCC offers an Ethernet solution, the Cipher X 7211 for speeds up to 1 Gb/s, and the DSD 72B-SP SONET/SDH encryption family for up to 622 Mb/s.

The SONET/SDH DSD 72B-SP interoperable encryption family seamlessly overlays on existing networks and has product variations to support military, rugged industrial and industrial environments. Key management is also automated and easily managed with KEYNET Optical Manager. It supports AES 256-bit encryption or a custom algorithm.

The Cipher X 7211 is a 1 Gb/s Ethernet optical encryptor. Its own fiber optic ports, which can be used instead of electrical interfacing, is especially suited for distance. The Cipher X 7211 has been deployed with single mode optics in the WAN port enabling a reach on the order of 10 km. Electrical Ethernet supports about 100 m, multi-mode optics 200 m to 500 m, and Ethernet single mode optics 10 km. Non-standard optics can reach approximately 40 to 70 km. The Cipher X 7211 seamlessly overlays onto existing networks and is easily managed with KEYNET.

Cipher X 7211 Ethernet Fiber Optic Encryption System
Cipher X 7211 Ethernet optical encryption system

DSD 72A-SP (STM) Military SONET/SDH Encryption
DSD 72A-SP (STM) Military SONET/SDH Encryption System 

DSD 72B-SP (I) SONET/SDH Industrial Encryption System
DSD 72B-SP (I) Industrial SONET/SDH Encryption System 

DSD 72B-SP (RI) SONET/SDH Encryption System for Rugged Environments
DSD 72B-SP (RI) SONET/SDH Encryption System

KEYNET Optical Manager key and device management system
KEYNET Optical Manager