PacketLight PL-2000AD combines OTN transport, Physical Layer security-- good reading--
PacketLight PL-2000AD combines OTN transport, Physical Layer security
October 27, 2016
Lightwave Staff
PacketLight Networks has unveiled the PL-2000AD, a 1RU Optical Transport Network (OTN) transmission system that offers point-to-point Layer 1 encryption for metro and long-haul fiber-optic networks. The Physical Layer security addresses a scenario in which the company asserts that "lesser known but dangerous breaches are increasing exponentially" thanks to advances in hacking technology.
The use of Layer 1 encryption enables the PL-2000AD to provide secure connections with any Layer 2/3 switches or to existing DWDM infrastructure, the company adds.
The system performs GCM-AES-256 Layer 1 encryption for up to 20 multi-rate Ethernet, Fibre Channel, or SONET/SDH services. The encrypted service provides full end-to-end transparency of service data and clock with minimal latency, PacketLight says. The encryption technique leverages periodic key exchange using the Elliptic Curve Cryptography Cofactor Diffie-Hellman (ECC CDH) algorithm.
The encryption approach is fully compliant with NIST FIPS 140-2 Level 2 and with CNSA Top Secret Suite requirements (formerly NSA Suite B).
"The challenge of protecting the network from hackers is hitting enterprises and service providers hard and fast, while increasingly stringent regulations enforced by government and security managers are making encryption mandatory across organizations and countries," explained Koby Reshef, PacketLight's CEO. "Our customers are now able to comply with these regulations and deliver new types of encryption service without changes to existing infrastructure - making it quicker, less costly, and faster to implement. PL-2000AD offers the most advanced Layer 1 security with minimal integration effort."
The PL-2000AD will support Ethernet, Fibre Channel, SONET/SDH, and OTN transmission. The platform also enables encryption of such client protocols as 10G/40G/100G LAN, STM-64/OC-192, OTU2/4, and 8G/10G/16G/32G FC. It also supports encryption either per service (data-per-service) or per muxponder uplink.
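The following Go program is an added illustration, not PacketLight's code, of the mechanism the article names: a P-256 ECDH agreement per key epoch (the "periodic key exchange") feeding a NIST one-step KDF into AES-256-GCM, with a cleartext frame header bound as additional authenticated data, so a tampered header or payload is rejected rather than decrypted. The PL-2000AD's real framing, KDF label and nonce layout are not public here; the 32-bit epoch plus 64-bit counter nonce and the epoch-labelled KDF are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// deriveKey is the SP 800-56C one-step KDF H(counter || Z || info), one SHA-256 block = the 256-bit AES key.
func deriveKey(z []byte, epoch uint32) []byte {
	// The epoch is the "info" field (an assumption here), so keys of different rounds never coincide.
	sum := sha256.Sum256(binary.BigEndian.AppendUint32(append([]byte{0, 0, 0, 1}, z...), epoch))
	return sum[:]
}

// agreeKeys runs one P-256 ECDH exchange between the two link ends and returns the
// key each end derives. P-256 has cofactor 1, so plain ECDH equals ECC CDH here;
// running a fresh exchange per epoch is the periodic re-key the article mentions.
func agreeKeys(epoch uint32) ([]byte, []byte, error) {
	curve := ecdh.P256()
	a, errA := curve.GenerateKey(rand.Reader) // ephemeral key pair of end A
	b, errB := curve.GenerateKey(rand.Reader) // ephemeral key pair of end B
	if errA != nil || errB != nil {
		return nil, nil, errors.Join(errA, errB)
	}
	za, errA := a.ECDH(b.PublicKey()) // each end: own private key with the peer's public key
	zb, errB := b.ECDH(a.PublicKey())
	if errA != nil || errB != nil {
		return nil, nil, errors.Join(errA, errB)
	}
	return deriveKey(za, epoch), deriveKey(zb, epoch), nil
}

// gcmNonce is an SP 800-38D deterministic 96-bit nonce: 32-bit epoch + 64-bit frame counter, never reused per key.
func gcmNonce(epoch uint32, counter uint64) []byte {
	return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint32(nil, epoch), counter)
}

// linkAEAD wraps the epoch key in AES-256-GCM. Seal takes the cleartext frame header
// as AAD, so Open rejects any change to the header, the ciphertext or the tag.
func linkAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

A re-key simply calls agreeKeys with the next epoch, which also rolls the nonce's epoch field so counters can restart without ever repeating a (key, nonce) pair.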
I do enjoy reading about encryption, but encryption starts at layer 6; according to this article, however, the product offers point-to-point Layer 1 encryption for metro and long-haul fiber-optic networks. Sounds like hardware encryption. Well, my curiosity and research on this matter guided me to the final answer.
====================================================================================================================================
I got this information from a PDF document:
Layer 2 Encryptors for Metro and Carrier Ethernet
Ethernet Encryptors for Metro and Carrier Ethernet: An Introduction
Version 6.03, April 26, 2016
© 2007-2016 Christoph Jaggi, all rights reserved
www.uebermeister.com
ISBN: 978-1-62018-001-3
Networks are unsafe
It is thus not a question if encryption is needed; it is only a question which encryption approach is the most efficient and the safest.
The lower the layer, the more comprehensive the protocols that can be encrypted and the more efficient the protection and the processing. For Metro and Carrier Ethernet, the efficient encryption of all network data requires encrypting at layer 2 or below. The usage scenario and the business requirements should be the determining factor for the selection of the encryption layer.
Optical fiber links are unprotected
Optical fiber links are often considered to be “private” links, because the link’s use down to the physical layer is exclusive to a single customer. But “private” just means exclusive use and should not be confused with “secure”. Neither fiber nor wavelengths come with built-in security. It is actually pretty easy to tap optical fiber. Once tapped, the entire traffic running over the optical fiber is exposed.
Virtual Private Networks are only secure if encrypted
The word “private” isn’t a synonym for “encrypted”; it only means that your virtual network is not shared with others. In fact your Virtual Private Network still runs on a shared infrastructure and is not secured. Carriers claim that a Virtual Private Network is as safe as a leased line, but forget to mention the fact that leased lines are unsecured. It is also a known fact that Virtual Private Networks run on a transport network that provides the shared infrastructure and that can be attacked.
Recommended Preventive Measures
The tapping of network data is unpreventable and the tapping of networks is a common practice. The difference in behavior between state actors, criminal organizations and individual hackers in that respect is minimal. The goals are used to justify the means. Next to the simple “passive” tapping of networks there is a multitude of commonly used possibilities to actively attack networks. Fortunately there are adequate means to minimize the impact or even completely inhibit such attacks:
(1) Secure encryption devices,
(2) Secure keys,
(3) Authenticated encryption,
(4) Additional authenticated data, and
(5) Obfuscation of the Network Traffic (Traffic Flow Security).
Different Layer – Different Approach
Layer 1 encryptors are designed to encrypt direct connections at the physical layer, the Optical Transport Network (OTN). They can encrypt different layer 2 protocols such as Ethernet, FibreChannel and InfiniBand.
Ethernet encryptors work at layer 2 and are designed to encrypt layer 2 and above. They are optimized for Ethernet and MPLS. Tunneling the original IP packet to encrypt IP running over Ethernet is unnecessary. The encryption of Metro and Carrier Ethernet connections
Encryption is most efficient if it takes place at the native layer or below.
Layer 3 encryptors are designed for IPSec encryption and to encrypt IP payload. IPSec tunnels the original IP packet, so that it can encrypt the original IP header. If you want to encrypt an Ethernet frame with IPSec, the encryptor has to lift the Ethernet frame up to layer 3, so that the Ethernet frame becomes IP payload that then can be encrypted.
Security levels: High assurance, standard assurance and low assurance
Two main factors define the security level that is required: (1) the protection requirements for the data transmitted over the network, and (2) the protection requirement of the network in terms of security and continuity. Data that is considered to be somewhat sensitive causes less harm when stolen or compromised and therefore is subject to much less stringent protection requirements than data that is considered confidential or even secret. If an organization is dependent on a frictionless operation of the network, any impairment can have negative consequences for operations. If there is no such dependency, then less stringent protection requirements might be sufficient.
Only a dedicated appliance can deliver real high assurance and standard assurance
The lack of a secure encryption device and secure keys compromises the security from the outset.
Key management is the core piece of network encryption
Unambiguous authentication of the participants, secure keys, frame format and encryption mode constitute the foundation. Key management takes care of the keys from key generation through key assignment and key exchange to key revocation. Key system and key assignment are an important part of key management and significant for an optimal network functionality.
Security certifications: What are they worth?
Not every product with a FIPS or a Common Criteria certification is secure. Many of them are not really secure and some of them are not secure at all. Despite this, many vendors often use security certifications to pretend more “certified” security than is actually present. For the protection of classified data, more stringent requirements apply. E.g. the German “Bundesamt für Sicherheit in der Informationstechnik (BSI)” evaluates the entire source code of software and hardware before admitting a product for government use for classified data. In the USA, multiple layers of less secure products are also used for lower category classified data. This reduces the efforts needed and the security. Even a secure encryption device and secure keys can be optional.