Ciena Joins the Optical Encryption Club

Ciena has joined the growing list of transport equipment vendors that have developed network security features that can protect "in-flight" data traffic on metro and long-haul optical connections.

According to the vendor, its WaveLogic Encryption technology can encrypt any traffic coming into a network, including Ethernet, Fibre Channel, OTN, IP, SONET and SDH, and transport it securely over 10Gbit/s, 100Gbit/s and 200Gbit/s links with "virtually no added latency."

The key factor here is that the security functions can be provisioned and activated without the need to deploy any additional boxes, as the encryption capabilities are embedded in a Ciena Corp. (NYSE: CIEN) WaveLogic 3 Extreme transponder card.

And the vendor's timing looks good. A recent Heavy Reading report, "The Lower the Better: Encrypting the Optical Layer," authored by Dan O'Shea, noted that optical layer encryption looks set to become a major talking point in 2016. (See Optical Encryption's Value Shouldn't Be a Secret.)

Among that report's key findings are that the current method of encrypting traffic at higher network layers is "costly, difficult to manage and has detrimental effects on bandwidth and latency," while "encrypting traffic at Layer 1 provides practical solutions" to such problems.

Although Ciena's new functionality is not yet generally available (that will happen this quarter), Ciena already has a carrier reference as WaveLogic Encryption has already been put through its paces by Telstra Corp. Ltd. (ASX: TLS; NZK: TLS). The Australian operator, working with Ciena and its partner Ericsson AB (Nasdaq: ERIC), demonstrated the WaveLogic Encryption solution over a 200Gbit/s link on its Inter-capital Melbourne-Canberra-Sydney route.

The Telstra team regards this as a significant breakthrough and extolled the virtues of optical layer encryption, and of Ciena's technology, in a blog post by Andrew Leong, General Manager of Transport Engineering at Telstra Operations.

Telstra's Leong isn't the only one who's impressed.

"This is a big deal and part of the overall network security push that is happening across the whole communications infrastructure market," notes Heavy Reading senior analyst Sterling Perrin. "A handful of companies are offering optical layer encryption now... but this is something that any company in the data center interconnect market would need to be doing," adds Perrin.

There's no doubt that this is an important development, but the big question now is how much this will resonate with operators' real-world plans, notes the analyst. "There are undoubtedly benefits to encrypting the optical layer, as it then secures everything that's running on top," he adds. But what happens when the traffic is handed off to local networks? Operators need to devise a security strategy that is end-to-end, and that's something the optical equipment vendors can't offer by themselves. As a result, propositions such as WaveLogic Encryption really only start to come into play when network operators have figured out a full network strategy, notes Perrin.

Operators are certainly thinking about how to implement end-to-end encryption to meet the increasingly strict requirements of enterprise customers and Telstra's clearly some way down that path, but the majority are still figuring it out. "They also need to figure out how to fund it," adds the Heavy Reading man.

Ultimately, optical layer encryption is something that will become a standard feature from all the vendors, but "they may not be able to charge extra for it," he notes.

Ciena joins the likes of ADVA Optical Networking, Cisco Systems Inc. (Nasdaq: CSCO), ECI Telecom Ltd. and Nokia Corp. (NYSE: NOK) (via the former Alcatel-Lucent optical group), while according to O'Shea's Heavy Reading report, Coriant and Infinera Corp. (Nasdaq: INFN) are among the other vendors due to announce Layer 1 metro and/or long-haul encryption capabilities in 2016. (See ADVA Touts Encryption for 100G Metro Optical Networks and ECI Unveils Its SDN Framework.)

Ciena shores up its WaveLogic tech base
In a related development, Ciena has acquired high-speed photonics components (HSPC) assets from supplier TeraXion Inc. for about US$32 million. Those assets include high-speed indium phosphide and silicon photonics technologies (and related intellectual property) that are at the heart of Ciena's WaveLogic coherent chipsets.

— Ray Le Maistre, Editor-in-Chief, Light Reading

jcadler 2/3/2016 | 9:23:02 AM
Key in the Keys
It's a clever solution, in particular the key management solution. Because the keys can be managed (and stored) by the enterprise, the carrier can be absolved of any request for legal or national security requests for access. They simply transport the encrypted data with no access to the dynamic keys. This same provenance issue also applies to cloud-storage.

Sterling Perrin 1/27/2016 | 10:23:00 AM
Re: Service provider perspectives
Keebler, very insightful post. I think your point is valid that layer 1 encryption can't change the standards in place for classified or other types of traffic that was already required to be secure. A user can't simply swap content encryption with transmission encryption because transmission alone is not end-to-end, as you point out.

I do see value in operators using layer 1 encryption as a type of insurance policy - if they encrypt all traffic, they will never be in the headlines as the source of a breach. For a time, that can serve as a differentiator but as you also indicate it could quickly move to standard practice and, thus, a free feature from equipment suppliers. (Suppliers will disagree.)

The other big issue, of course, is when network operators cooperate with governments to expose information. An operator can encrypt all traffic at layer 1 but then provide keys to govt.'s. This is not an issue that technology will resolve.

Keebler 1/26/2016 | 8:00:25 PM
Re: Service provider perspectives
I think there actually is some doubt, but it's gotten so buried in marketing at this point that it may no longer matter.

It's been a few years since I worked with secure areas of the government, so they may have changed their policies, but at the time I worked with them the requirement was that any equipment involved in encryption was only considered secure if it was inside a secure area. This was always an issue, because you needed staff with appropriate security clearance AND expertise in managing the equipment to work in those areas. As a result, they had very clear guidelines on what should be encrypted and where. The conclusion was that the content should be encrypted, not the transmission. That allowed transmission equipment (Layer 1, 2, and 3) to be outside the secure area.

This seems like a reasonable idea. Encrypt the content at the source rather than relying on any intermediate equipment - that could potentially be compromised - to be a part of the security scheme. Unfortunately, the NSA scandal and other breaches along with powerful marketing from those with Layer 1 encryption means that there is no longer a reasonable debate. Everyone's going to have to do it now. For all customers. For free. Which is really not all that 'good and useful'.

Mitch Wagner 1/26/2016 | 4:33:33 PM
Decryption
Will this encryption meet demands by government agencies in the US and UK that they be able to decrypt traffic on demand?

[email protected] 1/26/2016 | 2:13:07 PM
Service provider perspectives
I don't think there's any doubt that optical layer encryption is a 'good' and useful thing - but what will be interesting is to see 'how' it is used.

Will it be on links from data center to data center only (in the first instance)?