
ASSURED NETWORKING: CYBER STRATEGIES FOR THE PROTECTION OF TRANSPORT INFRASTRUCTURE
Traditionally, cyber initiatives have focused on the upper levels of the OSI stack, with particular emphasis on non-technology defenses against human-targeted weaknesses. While exploitation of the user is the simplest and most prevalent type of attack, defenses against a sophisticated enemy require protection of the entire network. This paper will focus on an often-overlooked portion of the network, the transport layer. The threat envelope will be described, along with a suggested set of response actions, mitigations, and counter-measures to keep the network safe. In addition, this paper will explore the possibility of active defense mechanisms for preventative/predictive manipulation of the transport layer.

Threat

A sophisticated adversary is likely to develop capabilities to attack a network on as many levels as possible. These attacks can have varied mission objectives, including denial of communications, disruption of operations, and information gathering. The varied focus of potential attacks means a number of different aspects of the network will be threatened. Not all threats can be mitigated in a technically feasible or economic manner; knowledge of potential vulnerabilities can enable efficient resource utilization for additional monitoring and active defense.

Motivation

Network operators are required by policy (DHS Blueprint for a Secure Cyber Future, the Cybersecurity Strategy for the Homeland Security Enterprise, Nov. 2011) to analyze their networks for potential vulnerabilities and either correct them, if feasible, or devise a mitigation plan to minimize the effects of any attack against the vulnerability. It is important for network operators to examine the entire network, from the user to the network appliance edge, through the Layer 3 infrastructure, including the supporting transport layers.

Figure 1. Network layers and mitigations (Assured Networking: ISO layers, threats and mitigations). The figure lists, from top to bottom:

Advanced Services and Robust User Experience
Applications (provision, maintain, monitor): threats are phishing, spam and social engineering attacks; mitigations are authentication, network forensics, user training, and IPsec and encryption.
Layer 3 IP/MPLS (protocol-specific communications): threats are DoS attacks and routing table compromise; mitigations are firewalls, intrusion detection and network forensics.
Layer 2 Carrier Ethernet (configure, route, protect): the threat is MAC flooding; mitigations are network VPNs and data and control encryption.
Layer 1 SONET/OTN (data/payload transmission): threats are fiber cuts and traffic monitoring; mitigations are path redundancy, payload encryption and control plane encryption.
Physical fiber: the threat is fiber tapping; the mitigation is an IDS based on Rayleigh scattering and the coherent receiver.
Trusted infrastructure: security of supply, regulatory compliance, certifications.

Whitepaper

The transport layer is fertile ground for a variety of attacks. Normally considered safe because of the high level of sophistication required to successfully attack transport equipment, the transport layer is also usually left undefended. This means a sophisticated adversary can deny communications capabilities, disrupt information operations, and gather information from the transport layer. Transport layer protocols (SONET, SDH, Optical Transport Network [OTN], Ethernet) lie below the IP layer and are therefore potentially more secure, because the protocols are not IP-based and not vulnerable to IP-centric threat vectors. However, the transport layer also can be more vulnerable, since the myriad cyber defense technologies have been developed mostly for IP, not for the transport layer. In addition, although the data plane is not IP-based, it still relies on the IP protocol suite for its network management and control planes. Therefore, transport layer management and control planes remain highly vulnerable to IP-centric threats.

Intelligent Control Planes

The control plane is the heart of transport system equipment, as it is the mechanism network elements use to communicate with each other to control component settings, build provisionable routes, allow the incorporation of new network elements into the network, and build and revert protection paths. As networks get ever more sophisticated, incorporating colorless and directionless Reconfigurable Optical Add-drop Multiplexers (ROADMs), intelligent packet routing, and true mesh protection, the control plane will affect more critical parts of the network.

To a first order, the control plane consists of messages, passed either in-band or out-of-band on a wavelength or in packet headers, together with logic in the network element that acts on the contents of those messages. It is important to protect both elements of the control plane, since disruption of either the messages or the logic that acts on them can cause erratic operation of the transport system, disruption in content delivery and accuracy, or exposure of the network architecture and operational details to unauthorized entities.

Figure 2. Management information flow in the network (OSS, EMS/NMS, planning tools and policy above a distributed multi-layer control plane spanning L2 Ethernet, L1 OTN and L0 DWDM, with discovery, topology exchange and path installation performed in the network itself).

The primary tool for protecting data in flight is encryption, which is also the best solution for protecting the control plane. Since the message transmit and receive functions generally are buried deep in the logic controllers of transport devices, it is important to have transport equipment vendors incorporate a Federal Information Processing Standards (FIPS)-compliant
encryption engine into all control plane information channels. To protect the logic side, it is important to consider locking down the firmware and software in the transport devices so they are only factory upgradeable. This security measure does significantly increase the operational cost of upgrades, but it is the most secure way to prevent the logic code from being hijacked. A final important security feature is the use of access control lists to control network topology, so unauthorized network elements cannot appear on the network and be discovered by valid neighbors. An alien network element combined with hijacked code can be devastating to network security, as the network element can act against the interests of the network operator without any visibility to the network management system.

Figure 3. ROADM architecture (three degrees, each with a wavelength selective switch (WSS) and express paths to the other two degrees; a drop side with couplers and receivers feeding traffic grooming and an electrical cross-connect).

ROADM Evolution: Colorless and Directionless Transport

The ROADM is one of the key building blocks of a meshed transport architecture. During normal operation, the ROADM allows network paths to be reconfigured so a wavelength can traverse a different path to its destination. This is particularly useful during network disruptions and network surge events.

The future of ROADM technology is moving toward colorless and directionless technology; this means data that originates on a given wavelength may arrive at its destination on a different wavelength. This will most commonly occur when there is a network disruption that requires traffic rerouting, and the new path already has traffic that uses the wavelength utilized by the data. In older versions of the technology, this new path is considered blocked because the wavelength originally used by the data is not available. In colorless/directionless technology, if there is bandwidth available on a path (such as unused wavelengths), the data can be shifted from its original wavelength to a new wavelength to complete the path. This dramatically reduces blocking in the network and opens up the possibility of a much richer set of protection paths to enhance network availability.

Figure 4. Network element functions (two nodes with next-generation photonic switching that is colorless, directionless, contentionless and gridless, exchanging 40 Gb/s and Tb/s transponder wavelengths through 50/50 couplers).
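As an added illustration of the blocking argument above (example code written for this page, not Ciena's and not from the whitepaper), the following Python routes one demand across a constructed three-node ROADM mesh twice: once under the wavelength-continuity constraint of older ROADMs, and once with the colorless reassignment described here. The node names, per-link wavelength occupancy and the number of wavelengths per fiber are constructed assumptions.

```python
"""Why colorless/directionless ROADMs reduce blocking: a toy route search.

Each link carries a small set of wavelength slots. A demand is routed with
a breadth-first search over (node, wavelength) states. With colorless=False
the wavelength chosen at the source must be free on every hop (older ROADM
behaviour); with colorless=True any free wavelength may be used per hop.
"""
from collections import deque

# Constructed topology: undirected links and the wavelengths already in use.
NUM_WAVELENGTHS = 4            # lambda 0..3 per fiber (constructed)
LINKS = {
    ("A", "B"): {0, 1},        # A-B: lambda 2 and 3 free
    ("B", "C"): {2, 3},        # B-C: lambda 0 and 1 free
    ("A", "C"): {0, 1, 2, 3},  # direct A-C: fully occupied after a reroute elsewhere
}

def used(u, v):
    """Wavelengths in use on the undirected link u-v."""
    return LINKS[(u, v)] if (u, v) in LINKS else LINKS[(v, u)]

def neighbours(u):
    """Nodes adjacent to u, in link-table order."""
    return [b if a == u else a for (a, b) in LINKS if u in (a, b)]

def find_path(src, dst, colorless):
    """Return hops as [(node, wavelength arriving at node), ...] or None if blocked.
    The source entry's wavelength only fixes the colour in the fixed-colour case."""
    start = [(src, w) for w in range(NUM_WAVELENGTHS)]
    parent = {s: None for s in start}
    queue = deque(start)
    while queue:
        node, lam = queue.popleft()
        if node == dst:
            path, cur = [], (node, lam)
            while cur is not None:          # walk back to the source
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in neighbours(node):
            candidates = range(NUM_WAVELENGTHS) if colorless else [lam]
            for w in candidates:
                if w in used(node, nxt):
                    continue                # slot already carries traffic
                state = (nxt, w)
                if state not in parent:
                    parent[state] = (node, lam)
                    queue.append(state)
    return None                             # demand is blocked

def wavelengths_on_path(path):
    """Wavelength used on each hop (the source entry carries no hop)."""
    return [w for (_, w) in path[1:]]

if __name__ == "__main__":
    print("fixed colour A->C:", find_path("A", "C", colorless=False))
    p = find_path("A", "C", colorless=True)
    print("colorless A->C:", p, "per-hop wavelengths", wavelengths_on_path(p))
```

Under the continuity constraint the A-B-C detour is blocked because the two hops share no free wavelength; with colorless reassignment the same fibers carry the demand on different wavelengths per hop.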
Figure 5. Coherent receiver block diagram (coherent transmission system: a polarization beam splitter and phase shifters produce the X-pol I/Q signals, which pass through analog-to-digital converters, digital signal processing, and clock and data recovery).

A critical technology that enables these new transport solutions is the coherent receiver, which uses a local oscillator to tune to specific frequencies instead of fixed filters, enabling true wavelength agility in the optical network. While this provides tremendous flexibility and allows efficient network architectures to be constructed, it also means that the full range of Dense Wavelength Division Multiplexing (DWDM) wavelengths could be available at any port on the ROADM node. In other words, any receiver can tune into any channel on the path. For this reason, line rate encryption of the data should be used at all times.

IP over DWDM (IPoDWDM)

Another interesting transport technology evolution is IP directly over DWDM, with no intervening protocols like SONET or OTN in between. This technology has been advocated by a number of vendors and is another way to collapse the network and try to make it more efficient. Active research exists on extensions to the IP protocol to make flow controllers Layer 1-aware, which could allow bandwidth expansion or contraction to reduce congestion and make the routed network much more efficient.

The most common argument for IPoDWDM is efficiency, with fewer components and less space and power needed to run the network. While this may make short-term sense, it is an unwise architecture from a network security perspective. IP architectures work as well as they do because they rely on a reliable, stable, and predictable transport infrastructure that compensates for many small network disruptions on a much faster time scale than the round-trip packet time of an IP transaction. If every fiber cut, card failure, or maintenance action were to be addressed by the routing engines, this has the potential to increase congestion and reduce stability in the network. Furthermore, once problems do develop, there are no underlying protocols to limit the spread of trouble and assist with diagnosis and repair.

Figure 6. Layer 2 encrypted network architecture (encryption applied at each boundary between Network 1, Network 2 and Network 3).
As an alternative to IPoDWDM, an architecture that uses Carrier Ethernet as a support infrastructure to optimize the performance of the routed network has substantial advantages.

Beyond network firewalls, gateways, and other mechanisms aimed at defending the borders of a network, security also can be enhanced by incorporating protection into the network architecture itself. The core structures of the Ethernet extensions built into the frameworks by the Metro Ethernet Forum (MEF) let the Ethernet standard scale to larger networks, allowing robust security architectures to be built in the campus environment. Layer 2 Virtual Private Networks (VPNs) can be used to segregate traffic, limit the potential for contention and congestion to affect critical traffic, and ensure traffic prioritization decisions remain private.

Secure services are defined in the Ethernet standards of the MEF by appending VPN tags, which differentiate the VPN service type and priority, to an expanded Ethernet frame. This service can be scaled by consecutively adding layers of VPN tags to create network VPNs that are logically isolated from edge VPNs.

The ability to stack VPN tags was crafted by IEEE 802.1ah to enable both the customer and the network operator to set up VPNs independently, with no possibility of mixing between the domains. This technique, also known as MAC-in-MAC, can be added as a security element in the Ethernet network. By establishing a customer VPN inside a particular security zone or sub-network and then using Provider Backbone Bridging (PBB) in the network, details of the internal topology of the sub-network can be isolated from other elements of the network. PBB is an extension of the Ethernet standard developed by the MEF to allow carriers to forward packets based on internal network MAC addresses while ignoring the proliferation of MAC addresses at the edge, thereby limiting the number of MAC addresses that need to be accounted for in the core of the network. From a security perspective, PBB allows a demarcation between network packet forwarding and edge packet forwarding, to permit the development of segmentation inside the network.

Figure 7. Ciena's virtual switching (traditional multiple virtual bridging instances compared with Ciena's virtualized architecture).

These core elements of the Ethernet standard, when used in conjunction with Layer 2 encryption, provide powerful tools to enable operators to build assured security architectures into their networks. Internal network addressing, traffic prioritization, Quality of Service (QoS) targets, and the data itself are best kept private for mission-critical applications. The judicious application of encryption, along with VPN tag stacking, provides these key assured networking benefits. Ciena Ethernet products have undergone extensive interoperability testing with the SAFENET Layer 2 encryptor and can support all of these security features.

A variety of encapsulation mechanisms are available to create isolation between domains for Ethernet traffic, including PBB and Multi-Protocol Label Switching Transport Profile (MPLS-TP). In each case, user traffic is separated, and there is a clear segregation between end-user traffic and core network traffic. The selection of an encapsulation mechanism depends on a number of factors, including the need to interact with Layer 3 infrastructure, the extent of the security requirements, and the need for robust segregation in the network.

This scenario demonstrates that, with Active Ethernet, we can build a network architecture that retains the benefits of a segregated network while being implemented on common infrastructure, thus maintaining security principles at the lowest cost possible.
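To make the tag stacking concrete, here is an added Python example (not code from the whitepaper or from Ciena) that wraps a C-tagged customer frame in an IEEE 802.1ah MAC-in-MAC backbone header and then parses it the way a backbone core switch would, showing that only the backbone MACs, B-VID and I-SID are visible to the core while the customer MACs and C-VID stay behind the I-TAG. The MAC addresses, VLAN ids and I-SID are constructed values.

```python
"""Provider Backbone Bridging (IEEE 802.1ah, MAC-in-MAC) encapsulation.

Backbone header layout: B-DA(6) B-SA(6) B-TAG(TPID 0x88A8 + TCI 2) I-TAG(TPID 0x88E7
+ TCI 4), then the complete customer frame. The I-TAG TCI is PCP(3) DEI(1) UCA(1)
Res(3) I-SID(24); only the I-SID is modelled here.
"""
import struct

ETH_CTAG = 0x8100   # customer VLAN tag TPID
ETH_BTAG = 0x88A8   # backbone VLAN tag TPID
ETH_ITAG = 0x88E7   # backbone service instance tag TPID
BACKBONE_HDR_LEN = 6 + 6 + 4 + 6

def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))

def customer_frame(c_da, c_sa, c_vid, ethertype, payload):
    """Customer frame: C-DA, C-SA, C-TAG (PCP 0, C-VID), EtherType, payload."""
    return (mac(c_da) + mac(c_sa) + struct.pack("!HH", ETH_CTAG, c_vid & 0x0FFF)
            + struct.pack("!H", ethertype) + payload)

def pbb_encapsulate(inner, b_da, b_sa, b_vid, isid):
    """Ingress backbone edge bridge: prepend B-DA, B-SA, B-TAG and I-TAG."""
    btag = struct.pack("!HH", ETH_BTAG, b_vid & 0x0FFF)
    itag = struct.pack("!HI", ETH_ITAG, isid & 0x00FFFFFF)
    return mac(b_da) + mac(b_sa) + btag + itag + inner

def core_view(frame):
    """Fields a backbone core switch forwards on: outer MACs, B-VID, I-SID.
    Customer addressing sits after the I-TAG and is never parsed here."""
    b_da, b_sa = frame[0:6], frame[6:12]
    tpid, btci = struct.unpack("!HH", frame[12:16])
    if tpid != ETH_BTAG:
        raise ValueError("expected B-TAG")
    itpid, itci = struct.unpack("!HI", frame[16:22])
    if itpid != ETH_ITAG:
        raise ValueError("expected I-TAG")
    return {"b_da": b_da.hex(":"), "b_sa": b_sa.hex(":"),
            "b_vid": btci & 0x0FFF, "isid": itci & 0x00FFFFFF}

def edge_decapsulate(frame):
    """Egress backbone edge bridge: strip the backbone header and recover the
    customer frame; the I-SID selects which customer domain receives it."""
    isid = core_view(frame)["isid"]
    inner = frame[BACKBONE_HDR_LEN:]
    c_da, c_sa = inner[0:6].hex(":"), inner[6:12].hex(":")
    tpid, ctci = struct.unpack("!HH", inner[12:16])
    c_vid = ctci & 0x0FFF if tpid == ETH_CTAG else None
    return isid, c_da, c_sa, c_vid, inner

if __name__ == "__main__":
    # Constructed customer frame and backbone parameters.
    inner = customer_frame("00:11:22:33:44:55", "00:11:22:33:44:66", 100, 0x0800, b"payload")
    frame = pbb_encapsulate(inner, "02:00:00:00:00:01", "02:00:00:00:00:02", 7, 0x0ABCDE)
    print("core sees:", core_view(frame))
    print("edge recovers:", edge_decapsulate(frame)[:4])
```

The core never needs a customer MAC in its forwarding tables, which is the segmentation boundary the text describes; the confidentiality of the inner frame still depends on the Layer 2 encryption discussed alongside it.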
Ciena has implemented a patented technology, virtual switching, in its Active Ethernet products. Virtual switching logically partitions a physical Ethernet switch into separate switching domains. Each virtual switch forwards traffic independently of the others with completely separate address spaces, providing a unique mechanism for the isolation of user traffic that is superior to other available techniques.

Intrusions

Intrusions into a transport system usually are equated with the tapping of optical fibers. While this is a valid concern, there are a number of possible intrusion points into the transport network that should be considered. One interesting example is that most optical line amplifiers have a mid-stage access point that allows technicians to attach an optical spectrum analyzer and diagnose network problems without disrupting traffic.
Unused ports on the DWDM or OTN switching equipment are also potential vulnerabilities. In addition, there may be a number of access points for maintenance that are accessible to anyone with physical access to the device. These ports should be locked down and enabled only during authorized maintenance intervals.

The use of coherent receiver technology in current-generation transport systems does not mitigate the threat of intrusions, but it does significantly increase the difficulty and level of sophistication required to snoop. The real-time digital signal processing capability that removes impairments from chromatic dispersion and polarization mode dispersion must be replicated by the intruder. Next-generation optical transport technology, which shares the digital signal processing load between the transmitter and the receiver and requires a communication channel between them, will make extracting usable information from within the transport system extraordinarily difficult.

In addition to the inherent security advantage of requiring sophisticated digital signal processing algorithms to restore the information content of the signal inside the system, the coherent receiver also takes sensitive measurements of the physical fiber characteristics of the transmission path. Older, slower networks were based on direct detection technology that measured the optical power of the incoming signal. A coherent receiver measures the actual electric field, so all information about the phase, polarization, and intensity of the incoming pulse is preserved. These physical attributes of the incoming light pulse can be analyzed to determine changes in the transmission path. These measurements then can be monitored and compared against baseline data to detect changes to the transmission path due to tampering or other causes. This analysis can be used to construct an intrusion detection system that is not an added component but an inherent part of the network technology.

Defense Strategies

Baselines

One of the most powerful tools for tracing anomalies in the network is a current baseline that network operators can use to determine the expected behavior of the network. This concept applies to attributes of the physical fiber, power levels, wavelength plans, and traffic flow density and utilization. Baselines should be established on a regular basis and after any significant change. Baseline data should be scrutinized by network architects to ensure that the baseline behavior conforms to operator expectations.

Logs and monitoring

Transport equipment produces an enormous amount of loggable data that is routinely monitored by network operators. Comparing this data to baseline data is an outstanding tool for detecting anomalous behavior on the network. It is recommended that this data be archived to assist in forensic analysis after an event.

Deterministic packet flow architectures

Modern control plane architectures are designed to be as flexible and efficient as possible. While this provides the most cost-effective network, it also introduces a level of complexity for network security, as the network state normally changes in response to traffic and environmental factors. One option is to introduce as much deterministic behavior into the transport architecture as possible. Deterministic behavior is easier to monitor, and anomalies against it are easier to detect. One potential tradeoff is to use deterministic paths for working paths and dynamic restoration for protection. This leaves the network static most of the time without significantly reducing network resilience in response to events, at the expense of a more complex provisioning process.
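The baseline comparison described above, applied to the kind of physical-path measurements a coherent receiver exposes, as an added Python example (not code from the whitepaper or from Ciena): a per-metric baseline is derived from known-good samples, later samples are scored against it, and any sample whose metrics stray beyond k standard deviations is reported for correlation with maintenance records. The metric names, the 3-sigma threshold, the timestamps and all telemetry values are constructed for the example.

```python
"""Baseline comparison over constructed coherent-receiver telemetry for one link."""
import statistics

METRICS = ("rx_power_dbm", "chromatic_dispersion_ps_nm", "pmd_ps", "sop_rate_rad_s")

# Constructed baseline window: eight samples taken during known-good operation,
# each metric jittered by a small per-sample offset d.
BASELINE_SAMPLES = [
    {"rx_power_dbm": -9.0 + d * 0.05, "chromatic_dispersion_ps_nm": 1650 + d * 2,
     "pmd_ps": 3.2 + d * 0.02, "sop_rate_rad_s": 0.4 + d * 0.01}
    for d in (-2, -1, 0, 1, 2, -1, 1, 0)
]

# Constructed later samples: the third shows a received-power drop together with
# a changed dispersion value, i.e. the transmission path itself has changed.
LATER_SAMPLES = [
    {"ts": "2014-05-01T10:00:00Z", "rx_power_dbm": -9.05,
     "chromatic_dispersion_ps_nm": 1651, "pmd_ps": 3.21, "sop_rate_rad_s": 0.41},
    {"ts": "2014-05-01T10:05:00Z", "rx_power_dbm": -8.98,
     "chromatic_dispersion_ps_nm": 1649, "pmd_ps": 3.19, "sop_rate_rad_s": 0.39},
    {"ts": "2014-05-01T10:10:00Z", "rx_power_dbm": -9.60,
     "chromatic_dispersion_ps_nm": 1720, "pmd_ps": 3.20, "sop_rate_rad_s": 0.40},
]

def build_baseline(samples):
    """Mean and population standard deviation per metric.
    A tiny floor on sigma keeps a perfectly flat baseline from dividing by zero."""
    baseline = {}
    for m in METRICS:
        values = [s[m] for s in samples]
        baseline[m] = (statistics.mean(values), max(statistics.pstdev(values), 1e-6))
    return baseline

def deviations(sample, baseline, k=3.0):
    """Metrics of this sample lying more than k sigma from the baseline, with z-scores."""
    out = {}
    for m, (mu, sigma) in baseline.items():
        z = (sample[m] - mu) / sigma
        if abs(z) > k:
            out[m] = round(z, 1)
    return out

def scan(samples, baseline, k=3.0):
    """(timestamp, deviating metrics) for every sample that breaks the baseline."""
    findings = []
    for s in samples:
        dev = deviations(s, baseline, k)
        if dev:
            findings.append((s["ts"], dev))
    return findings

if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    for ts, dev in scan(LATER_SAMPLES, base):
        print(f"{ts}: outside baseline on {dev}")
```

A real deployment would keep one baseline per link and re-establish it after any authorized change to the path, exactly as the Baselines section prescribes, so that planned maintenance does not keep tripping the comparison.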
Physical Security

Transport layer optical networking equipment is designed for rapid turn-up of new services, with plug-and-play card turn-up and a number of maintenance ports that are easily accessible. Furthermore, this equipment allows considerable ability to configure and adjust the physical parameters of the equipment from the craft interfaces. For these reasons, it is important to limit physical access to the equipment to only authorized technicians.

Port Security

As noted above, ports on transport equipment are designed to discover new services automatically and integrate seamlessly into the network. It is important to monitor any ports that are intentionally unused to ensure unauthorized activity is detected.

Information Security

The use of encryption to safeguard data in flight is a well-established technique for protecting information. The same level of confidentiality can be extended to protect network infrastructure when encryption is used on the management, control, and data planes as part of a complete defensive strategy. Other benefits include the ability to mask enclave details from the body of the network and limit the potential to derive intelligence via monitoring of network usage.

Supply Chain

The supply chain for components, subsystems, and software in the modern technology arena is global in nature. Malicious tampering and intentional or unintentional withholding of critical parts are all part of supply chain vulnerabilities.
There are, however, some key supply chain initiatives that can keep the supply chain risk as low as possible. It is important that vendors' supply chain plans include an approved supplier list as well as a periodic assessment of supplier performance. For example, a performance assessment of supply chain disruption can evaluate vendors' performance during recent natural disasters such as the tsunami in Japan or the flooding in Thailand.

Outstanding vendors will conduct a vulnerability assessment of their supply chain that measures not only the surety of supply but the country of origin of critical control-related components. Robust testing programs with internal security controls can prove that logic chips are manufactured as designed and overall designs are consistent with intended performance.

Active Defense

In addition to passive techniques for addressing threats to network infrastructure, emerging technologies enable active reactions and mitigations. In response to network sensors and threat information, networks will be able to reconfigure dynamically to isolate problem areas and maintain mission effectiveness.

Figure 8. Dynamic network in response to events (transport control plane support to cyber operations: an existing sensor array feeds event detection and signaling to the NMS; a Transport Resource Broker (TRB) drives dynamic provisioning via the transport NMS and control plane, with access to the network planning simulation tool, over the transport network infrastructure).

Conclusion

The transport layers are key parts of the overall network and are vulnerable to cyber attacks from sophisticated adversaries. To create a truly assured network, one must provide protection at all levels of the network architecture to ensure the network can meet demanding network requirements, is reliable in the face of a variety of failure and attack scenarios, and is secure against both direct and indirect cyber attacks. Although transport layer attacks are much rarer than other types of attacks that require less sophistication, network architects must assess the potential cyber vulnerabilities of their transport equipment. In many cases, it is possible to work with transport vendors to add a technical mitigation to the vulnerability. Today's transport technologies have mitigations at the physical layer through the use of coherent receiver and ROADM technologies, at the OTN layer through robust and dynamic control planes, and at the Ethernet layer through the use of virtual tunnel technology to isolate packet flows. In cases where a technical solution is not practically or economically feasible, oversight resources can be concentrated on the largest vulnerabilities that remain, further securing the network.

Ciena may from time to time make changes to the products or specifications contained herein without notice.
Copyright © 2014 Ciena® Corporation. All rights reserved. WP097 5.2014

Networks that advance every mission. http://www.ciena.com/industries/government
