Published by Eugenia McKenzie, modified over 5 years ago
1
EKINOPS Encryption Solution in high-speed Optical Networks
Fast & Easy Network Security & GDPR Compliance For Your Network over Any Span
Jaroslaw Kucio, Technical Sales Manager
24/08/2019
2
DO YOU KNOW WHERE YOUR DATA IS?
- 14.7 billion records lost, stolen or compromised
- 164% increase in stolen, lost or compromised records, 1H'17 vs 2H'16
- Gemalto's 2018 First Half Review Breach Level Index (1) reported that the number of data records compromised in publicly disclosed data breaches in 1H'18 surpassed 3.3 billion, more than for all 12 months of 2017:
  - 18,525,816 compromised every day, 2.6X the rate in 2017
  - 771,909 compromised every hour
  - 944 separate breaches, 18.8% fewer than 1H'17, and only 21 (2.2%) where encryption was used
3
YOUR DATA IS AT RISK
- Digital transformation driven by Cloud, Big Data, IoT, 5G mobility etc. requires higher bit rates over longer distances
- 94% of midsize to large enterprises use digital transformation technologies with sensitive data
- 99%+ use one or more Cloud services; 61% use more than one
- 67% of enterprises globally have ever experienced a data breach
- 36% of enterprises globally have experienced a data breach in the past 12 months
Source: THALES Data Threat Report, Global Edition
4
DATA RATES ARE FAST AND GETTING FASTER
- More data at any point in the network at any point in time
- Coherent technology has shortened development cycles
- A physical tap provides access to >100,000 services on a single wavelength
- Data security at L2/L3 is too expensive, difficult to scale and impacts performance:
  - Encrypts every packet
  - 60% increase in the required data rate
  - Adds significant latency across the network
Chart (not reproduced): per-wavelength line rate from 10G in 2000 to 800G in 2020, an 80X increase.
5
2018 EXAMPLE DATA BREACHES (chart not reproduced: the top 21 breaches of 2018, 2.6B records)
6
BARRIERS TO CLOUD ADOPTION BY ENTERPRISES
- Security is a top concern in the era of digital transformation
- IT infrastructure and underlying software are no longer under enterprise control
- Attacks on the service provider are the #1 security concern among global enterprises
- In-flight data is at risk
Source: THALES Data Threat Report, Global Edition
7
EKINOPS PROTECTS DATA IN ITS MOST VULNERABLE STATE
- Data in use and at rest (enterprise server farm, data storage pool): single location, full enterprise control, restricted access
- Data in flight (Data Center A to Data Center B): multiple locations, service provider control, physical access possible at any point along the path
8
REGULATORY ENVIRONMENT
Australian Privacy Act (Notifiable Data Breaches; 2017)
- Establishes requirements for entities in responding to data breaches
- Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach
- Applies to Australian Government agencies, businesses and not-for-profit organizations with an annual turnover of AU$3 million or more, credit reporting bodies and health service providers, among others
European General Data Protection Regulation (GDPR; 2018)
- Established to provide a uniform code for data protection for private citizens
- "Privacy by Design" mandates building privacy into the design, operation and management of any system, business process or design specification
- Scope has global impact with effects that extend beyond just the EU
- Significantly increases both the burden and the financial consequences not only of non-compliance, but also of any security breach in a compliant network
- Fines of up to 4% of annual worldwide turnover or €20M, whichever is greater
Other countries and regions are expected to follow with similar legislation
9
EKINOPS SOLUTION
10
Ekinops 360: for Metro, Regional, and Long-Haul applications
- Long Haul / Ultra-Long Haul: terrestrial and submarine, agile networking, efficient transport
- Metro Transport & Enterprise Networks: alien wavelength, data center interconnection, mobile fronthaul & backhaul, extended temperature range, multi-protocol aggregation, single fibre working
11
Innovation for Optical Transport
Coherent Technology
- Huge R&D investment since 2012 on 100G/200G and now 400G/600G coherent technology
- Capacity to lead the market evolution from long haul to metro and access
- 200G coherent product available since 2015; 400G FlexRate at end of 2018
- These evolutions are not possible without mastering the technology: coherent DSP, IQ modulator (Tx), ICR (Rx)
T-Chip® (advanced silicon)
- Enables new features to be added without new hardware
- Reduces R&D for new configurations, reduces lead times, increases availability
- Low power and space requirements
- Almost unlimited flexibility in provisioning and bandwidth management
- Enables improved performance
- Recent T-Chip implementations: encryption, support of CPRI protocols, support of 8GFC/10GFC/16GFC/40GbE on the same modules, OTN compatibility mapping
FlexRate line interface
- Relying on pluggable optics (CFP, CFP2) limits feature evolution and delays the availability of new technologies (400G not before end of 2019 if development is based on DCO CFP2)
- Cost effectiveness comes from our development skills to deliver an efficient design
12
PM CRYPTO—HARDWARE BASED DATA SECURITY ENGINE
- Advanced cryptography engine uses field-proven, industry-standard methods
- AES-GCM-256: 256-bit AES, the largest standardised AES key size, in an authenticated mode that provides both confidentiality and integrity of the encrypted payload
- Protects data in flight
- Hardware-based algorithm fully encrypts the payload
- User-configurable key exchange (rotation) frequency, up to several times per minute, which bounds the amount of traffic and the time window protected by any single session key
13
BULK ENCRYPTION FOR HIGH SPEED TRANSPORT
- Wire speed
- Hitless performance
- Zero additional latency
Diagram (not reproduced): PM CRYPTO client side with 1 x QSFP28 (100GbE) and 10 x SFP+ ports carrying 8G FC, 10G FC, 16G FC, 10GbE and 40GbE; encrypted OTU4 towards the PM 200FRS02 (-SF) line module.
14
PM_CRYPTO ENCRYPTION METHOD
Diffie-Hellman key exchange (asymmetric cryptography), automatic:
1. A dedicated secure chip on each PM_CRYPTO generates a private local key (Kl) from an internal high-quality FIPS random number generator and computes the matching public key (Kp).
2. Each module sends its Kp to the PM_CRYPTO at the far end and, at the same time, receives the far end's Kp and loads it into the secure chip for session key calculation.
3. Both modules run Elliptic-Curve Diffie-Hellman to agree on a shared secret key (K1). Only the two public keys cross the fibre; Kl never leaves the chip.
4. This first K1 exchange is performed by the modules on both sides of the link without any user action.
Authentication, operator-entered:
5. The only user action is to enter the SAME 256-bit authentication key (K2) on the PM_CRYPTO modules at both ends.
6. K1 and K2 are hashed together to produce the shared secret used as the AES-GCM-256 encryption/decryption key. Because K2 never crosses the link, an attacker who only observes or substitutes public keys cannot derive the AES key.
15
DIFFIE-HELLMAN PRINCIPLE
Legend: Kl, local (private) key; Kp, public key.
Figure (not reproduced): ALICE (PM_CRYPTO in Site A) and BOB (PM_CRYPTO in Site B) each hold their own Kl and send their Kp across the public fibre link; each combines its own Kl with the received Kp to obtain the shared secret K1. EVE, listening on the fibre, sees only Kp_Alice and Kp_Bob and cannot recover Kl_Alice, Kl_Bob or K1 from them.
Automatic process done autonomously by the PM_CRYPTO modules on each site, as described on the previous slide.
16
AUTHENTICATION
- Because the exchange is automatic, unauthenticated DH can be tricked if EVE is able to act as a valid interlocutor using Ekinops hardware: she runs one exchange with ALICE (shared secret K1) and a separate one with BOB (shared secret K1bis), so each end believes it is talking to the other ("Man-in-the-Middle" attack).
- The solution is authentication: a symmetric (pre-shared) secret, the authentication password K2, entered by the customer on each side of the link (ALICE and BOB).
- Each side combines its DH shared secret with K2 to form its AES-GCM-256 key. EVE holds K1 and K1bis but not K2, so she cannot produce either end's AES key; a "Man-in-the-Middle" attack is not possible without knowing the authentication password.
- The protection is only as strong as K2: it must carry real entropy (the full 256 bits, not a short passphrase) and reach both ends over a channel the attacker cannot read.
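The two preceding slides (the automatic ECDH exchange on slide 15 and the K2 authentication step on slide 17) as one runnable model. This is an added example written for this page, not Ekinops firmware or a description of the PM_CRYPTO implementation: the curve (P-256), the way K1 and K2 are "hashed together" (HMAC-SHA256 keyed with K2 over a label and K1), the counter-based GCM nonce and the sample frame are all assumptions. It shows two honest modules deriving the same AES-GCM-256 key, and an EVE who runs her own ECDH with ALICE but, lacking K2, ends up with a key that fails the GCM tag check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Module models one PM_CRYPTO end: an ephemeral key pair (Kl private, Kp public) plus the
// operator-entered 256-bit key K2. P-256 is an assumption; the deck only says "elliptic-curve".
type Module struct {
	priv *ecdh.PrivateKey // Kl: generated locally, never leaves the module
	k2   []byte           // K2: must be entered identically on both ends
}
func NewModule(k2 []byte) (*Module, error) {
	if len(k2) != 32 {
		return nil, fmt.Errorf("K2 must be 256 bits, got %d", len(k2)*8)
	}
	priv, err := ecdh.P256().GenerateKey(rand.Reader) // stands in for the module's FIPS RNG
	if err != nil {
		return nil, err
	}
	return &Module{priv: priv, k2: k2}, nil
}
func (m *Module) Public() []byte { return m.priv.PublicKey().Bytes() } // Kp: the only value on the fibre

// SessionKey computes K1 = ECDH(Kl, peer Kp) and binds it to K2, giving the 32-byte AES-256 key.
// The deck says K1 and K2 are "hashed together"; HMAC-SHA256 keyed with K2 over a label and K1 is an assumption.
func (m *Module) SessionKey(peerKp []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerKp)
	if err != nil {
		return nil, fmt.Errorf("bad peer Kp: %w", err)
	}
	k1, err := m.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, m.k2)
	mac.Write([]byte("PM_CRYPTO-session-key-v1")) // domain-separation label (assumption)
	mac.Write(k1)
	return mac.Sum(nil), nil
}

// gcmNonce maps a per-key frame counter to the 96-bit GCM nonce; a nonce must never repeat under one key (one reason the module rotates keys).
func gcmNonce(seq uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts one client frame; Open decrypts it and fails on any key or counter mismatch.
func Seal(gcm cipher.AEAD, frame []byte, seq uint64) []byte { return gcm.Seal(nil, gcmNonce(seq), frame, nil) }
func Open(gcm cipher.AEAD, ct []byte, seq uint64) ([]byte, error) { return gcm.Open(nil, gcmNonce(seq), ct, nil) }

// AgreeKeys runs the automatic Kp exchange between two honest modules.
func AgreeKeys(a, b *Module) (ka, kb []byte, err error) {
	if ka, err = a.SessionKey(b.Public()); err != nil {
		return nil, nil, err
	}
	kb, err = b.SessionKey(a.Public())
	return ka, kb, err
}

// Intercept models Eve with her own Ekinops hardware on the fibre: she answers Alice's Kp with her own, so
// Alice derives a key from K1bis = ECDH(Kl_Alice, Kp_Eve). It reports whether Eve can open a frame Alice then
// sends, which needs Eve's K2 to equal Alice's (the Bob leg is symmetric and omitted).
func Intercept(alice, eve *Module) (bool, error) {
	keyAlice, err1 := alice.SessionKey(eve.Public()) // Alice believes Kp_Eve is Kp_Bob
	keyEve, err2 := eve.SessionKey(alice.Public())
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("exchange failed: %v / %v", err1, err2)
	}
	a, _ := NewAEAD(keyAlice) // 32-byte keys by construction, cannot fail
	e, _ := NewAEAD(keyEve)
	_, err := Open(e, Seal(a, []byte("client frame"), 1), 1) // constructed sample frame
	return err == nil, nil
}

func main() {
	k2 := bytes.Repeat([]byte{0x42}, 32) // constructed: the same K2 entered on both ends
	alice, _ := NewModule(k2)
	bob, _ := NewModule(k2)
	ka, kb, _ := AgreeKeys(alice, bob)
	eve, _ := NewModule(make([]byte, 32)) // Eve does not know K2
	read, _ := Intercept(alice, eve)
	fmt.Println("honest modules agree:", bytes.Equal(ka, kb), "| Eve can read Alice's frames:", read)
}
```

Two points the code makes concrete: Eve's interception produces no error on the link, only a key mismatch, which on the real modules would surface as the "Encryption failed" alarm rather than as a detected attack; and once Eve's K2 equals Alice's, Intercept returns true, which is why K2 has to be generated and distributed with the same care as any other 256-bit secret.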
17
ENCRYPTION MANAGEMENT
Craft interface: the local craft interface sees the module and all alarms, including the "Encryption failed" status.
CLI interface: key management can be done via the CLI, with two levels of access, crypto_officer and crypto_user, each with its own password and rights.
Celestis® NMS-based key management: CRYPTO_Officer and CRYPTO_User logins; the authentication key is set for each encrypted link, and both end PM_CRYPTO modules receive the same authentication key via an NMS secured link.
18
INSTANT ENCRYPTION
- Pluggable solution for both the 2RU C200HC chassis and the 7RU C600HC
- Quickly and easily integrated into any existing or greenfield network
- Fastest way to bring networks into regulatory compliance, at the lowest possible cost
- Strongest available encryption capabilities
- Provides Layer 1 bulk encryption without the penalties imposed by a higher-layer solution such as IPsec: Layer 2/3 solutions encrypt every packet, require a 60% increase in data rate and add significant latency across the network
19
ALWAYS SECURE OPERATION
- Bulk encryption encrypts all data on the line port
- "Always secure": encryption cannot be turned off on a port-by-port basis
- Eliminates the possibility of data being sent in the clear
- Minimizes security risks caused by human error
20
SERVICE FLEXIBILITY
- Multiprotocol support allows service providers to encrypt any service type: 10GbE/40GbE; 8G/10G/16G Fibre Channel; OC-192/STM-64 and OTU2/OTU2e; 100GbE
- Only a single module is needed for all transport encryption needs, which reduces sparing costs and minimizes staff training requirements
- Makes it easy to offer encryption services with ironclad SLAs and assured regulatory compliance
- Creates new premium revenue streams
21
SCALABILITY: scale encrypted and unencrypted services at the same time
- Highly scalable optical transport encryption
- The encryption engine resides on the T-Chip®; in competitor solutions it resides on the same DSP that performs the coherent modulation and detection
- New services can be added on a port-by-port basis without deploying a new line card each time
- Option of creating a 200G link using the second QSFP28 port, interfacing to another PM CRYPTO or to a non-encrypted client (the diagram shows a PM CRYPTO and a PM 100G-AGG sharing the 200G link)
- The two client ports operate independently from one another
- Adding non-encrypted services to the aggregated 200G link has no effect on the integrity of the encrypted signal
22
USE CASE #1 ADDING ENCRYPTION TO AN EKINOPS NETWORK
- PM CRYPTO pairs with the PM 200FRS02 FlexRate 100G/200G line module
- Either a 100GbE service or up to ten different 10G services
- PM 200FRS02 delivers the encrypted channel over a coherent wavelength to an optical multiplexer
- The optical mux combines it with other DWDM channels, encrypted and non-encrypted alike
23
USE CASE #2 ADDING ENCRYPTION AS AN ALIEN WAVELENGTH
- PM CRYPTO can be deployed over an existing third-party line system
- PM 200FRS02 can be directly interconnected with a third-party optical multiplexer
- Complete functional separation of alien wavelength operation and management from the existing wavelengths
- The encrypted link cannot be accessed from the third-party management system
- Maintains compliance with GDPR and other regulations
- Managed by the Ekinops Celestis® NMS network manager, which manages the Ekinops wavelength (alarms, power levels) and the cryptographic process (key generation, exchange, rotation, authentication)
24
USE CASE #3 OTN NETWORK CLIENT ENCRYPTION ADD-ON
- Encrypted services are transported over any existing network infrastructure without disrupting the existing line system
- PM CRYPTO acts strictly as a client and passes its encrypted OTU4 output to any standards-based OTU4 client input on another network
- The service provider can use any available port
- Fastest and most economical way of adding encryption to a network
- Eliminates the need to deploy a new line card and re-balance the optical power along the amplifier chain
- Managed by the Ekinops Celestis® NMS
25
FLEXRATE TUNING FOR OPTIMAL PERFORMANCE
100G-600G
- Select any line rate from 100G to 600G
- Single module for any application; reduces sparing
- Accommodates different spectral widths for higher capacity lines
- Choose the best mode based on distance, spectral width and fiber capacity

Modulation | FEC overhead
DP-QPSK    | 21%
16QAM      | 22%
32QAM      | 23%
64QAM      | 26%
Supported client ports (as listed on the slide): 100G, 200G, 400G, 100G-200G, 2 x 100G
26
EFFICIENT AGGREGATION OVER HIGH CAPACITY LINES
PM 100G-AGG: 10G/16G/40G services can take advantage of next-gen high speed transport
- Aggregates up to ten services onto a single OTU4 uplink
- Efficient aggregation to maximize bandwidth utilization
Diagram (not reproduced): client services (10GbE / 40GbE, OTU2/OTU2e, 8G/10G/16G Fibre Channel, OC-192/STM-64) enter either a PM 100G-AGG, whose OTU4 feeds a PM 400FRS04, or a PM CRYPTO encryption engine, whose OTU4 feeds a PM 200FRS02.
27
SUMMARY
- The FlexRate solution offers many new opportunities for system upgrades or new high-capacity optical transport networks
- Engineering rules define the best mode for each type of application
- All applications covered by a single reference: operational simplification

Application     | Line rate
ULH / Submarine | 100G/200G
Long Haul       | 200G-400G, dual carrier
Regional        | 300G/400G
Metro           | 400G/500G
DCI             | 600G
28
SUMMARY
- Non-compliance with GDPR and other regulations is not an option, even for non-European companies
- Service providers are responsible for protecting all of the data that flows across their networks
- PM CRYPTO makes it possible to add GDPR-compliant encryption capability to your network
- Uses AES-GCM-256, for which no practical cryptanalytic attack is known; the security of a deployment still rests on the key exchange, the secrecy of the authentication key and correct operation
- Highly scalable on a port-by-port basis
- "Always secure" operation prevents client data from running unencrypted across the network
- Functionally separate management for wavelength and encryption
- Low latency with hardware-based functionality and wire-speed processing
- Unprecedented deployment flexibility and service support: encrypts both 100G and 10G services on a single module with multiprotocol support; combines encrypted and unencrypted services on a single wavelength; multiple deployment options as either a native or alien wavelength; deployable over any existing line system, even those from third-party vendors
29
Ekinops Mission: deliver open and interoperable Layer 1, 2, 3 solutions
- Provide programmable and scalable solutions from 100Mbps to 600Gbps
- Ensure a seamless migration to network virtualization
- Provide value to our customers with advanced technology that also supports their business economics
Figure (not reproduced): Access, Metro and Long Haul across Layer 1, Layer 2 and Layer 3+
Ekinops Confidential
30
Ekinops Group at a Glance
Market Leadership: supplying 15 of the Top 30 (1) service providers; #3 access brand in EMEA (2), 2m+ units shipped worldwide; 40% of Optical Transport sales in the USA
A Public Company: traded on the Euronext Paris exchange
Global Presence: over 400 staff, half in R&D; 5 R&D centers worldwide; facilities in North America, Europe and Asia
Strategic Vision for NFV/SDN: validated by multiple Tier 1 CSPs
(1) Total Telecom Top 100 Operators Business Analysis, Oct '15
(2) Branch Office Routers: Enterprise Routers Market Tracker, IHS Q1 2018