Analytics for Threat Detection in Cyber Intelligence Missions

By: Jesse Price

Today’s networks are under attack. Whether the target is a commercial network such as Equifax or the networks for the U.S. elections, cyber-attacks are capable of penetrating the most sophisticated security architectures without detection. Operators and government agencies are increasingly seeking out ways to identify threat trends and patterns by using real-time data derived from advanced network monitoring applications. However, these cyber intelligence tools often miss the critical information that can be gathered from the optical transport network. Modern cyber intelligence missions require comprehensive optical network analytics to pair with their current cyber security tools in order to maximize their success rate. 

Optical networks complicate standard threat detection applications. Today’s long-haul and regional optical networks are rapidly evolving to handle growing bandwidth demands and the need for high-speed access. As new technology emerges, network service providers are adopting new transport mechanisms, including SD-WAN, DWDM, OTN, and 100G+ coherent technologies, to make the most efficient use of the deployed fiber network. In many cases, despite the growing presence of new signaling methods, legacy communications protocols can also live in the optical network for many years, and this presents a unique challenge for service providers, who are tasked with managing many different protocols within their networks. Carrying different technologies deeply tunneled within the fiber network creates large multi-layered networks that complicate threat detection. It is now common for optical networks to carry 5 to 10 different signaling technologies on a single fiber, as shown in Figure 1.

Figure 1: Optical networks support a complex mix of framing and transport technologies.

Global Optical Transport Networks Are Evolving Rapidly

  • Global network bandwidth demands doubling every 2-3 years.
  • Ethernet standards have evolved from 10GbE to 40GbE to 100GbE and 25/50GbE variants have emerged for datacenter applications.
  • Data Center Interconnect (DCI) is driving the technology roadmap for 200GbE, 400GbE, and 800GbE.
  • 100G coherent deployments (use of a single DWDM wavelength to deliver 100Gbps) exploded in 2017 while multiple vendors have made recent technology announcements touting the arrival of 400G coherent capable platforms.
  • Large carriers have adopted OTN for large-scale optical network transport and transitioned away from SONET/SDH, creating a new layer of transport protocols.

Complex optical networks and layers of WAN protocols present network access obstacles for monitoring applications responsible for identifying possible threats and intrusions. Traditionally, cyber intelligence has focused on extracting IP packets from the transport network and performing focused analysis of the IP traffic and the payload carried within. As a result, the transport protocols used in layered optical networks were stripped away, and monitoring applications funneled bare IP packets to tools responsible for Deep Packet Inspection (DPI) and Distributed Denial of Service (DDoS) detection. Any details regarding how the traffic was transported over the fiber optic network were lost and not accounted for in the traditional cyber threat detection process.

Today, cyber intelligence missions often require monitoring access to long-haul and regional optical networks. Modern surveillance architectures already require a deep understanding of the network infrastructure in order to decode the optical transport mechanism and remove the layers of WAN protocols. But is potentially valuable information being dropped as these network layers are removed? Despite the complexity of the evolving optical transport network, there is valuable metadata that can be extracted from the optical transport signaling protocols that may provide information critical to the success of the cyber intelligence mission.
