Passive optical networks (PON) have been in use by service providers for decades now. Whether a Fibre to the Home (FTTH) or Business (FTTB) application, these networks are now the de facto standard for broadband access solutions. In recent years however, the application of a PON network in the Local Area Network (LAN) environment has garnered attention by enterprise customers. This application is known as a Passive Optical LAN or POL and offers significant capital and operational savings. One additional advantage associated with a POL is the security it provides in the LAN segment of an enterprise network.
This paper provides some background and looks at issues focused on security when considering the implementation of a Passive Optical LAN.
Passive Optical LAN Connectivity
Fibre is inherently secure
The benefits of fibre optic cabling are well known in the IT industry. In addition to the advantages of increased network throughput, lower cost, and longer life-span, fibre optic cabling presents a compelling case for increased security due to its physical properties and the way active electronics make use of the fibre connection.
One of the first security topics that comes to mind with fibre networks is the increased complexity of a network intrusion by accessing the physical cable or “tapping in”. To be sure, it is most certainly possible to tap fibre optic cable. But within the context of a POL, it is a very complex operation to introduce a device which is capable of intercepting both the upstream and downstream optical signal while not disrupting the traffic to other ONT devices. As we will describe further in this document the ITU standards used in most POL solution requires 128 bit encryption for traffic presented to end users. After taking into consideration the development and application of such a complex device, the insider threat would likely be relegated to a focus on the end user host devices rather than the transport of end user data traffic. In addition, a POL presents fewer access points where an intruder can gain access to a fibre cable necessary to insert a tap. An active tap would need to be inserted in the upstream aggregate (or feeder fibre) to collect any upstream traffic from other ONTs. This feeder fibre is almost always located above ceiling spaces or locked in equipment rooms where such an intrusion would be quite visible or difficult to access.
Authentication of the ONT
Unlike a managed switch, an ONT within a POL is not capable of being a stand-alone device. In order for an ONT to begin switching traffic, it must first be connected to the optical signal and authenticate to the OLT to receive its assigned channel and VLAN assignments. This authentication process is achieved when the ONT is first discovered on the network using the process defined in the ITU standard G.984.3. The ONT uses a unique on board serial number to authenticate via the OLT. In the same way that a MAC address is unique to a device, these ONT
serial numbers are manufacturer-specific and the OLT can be configured to only allow specific serial numbers on a PON network. For example, an ONT may be recognized initially with the model number and serial number and the management system could be
configured to place the ONT into service immediately. Optionally however, the administrator may configure the system to disallow any ONT to be placed into service without an administrator manually configuring it. The OLT either acknowledges the ONT (via semantically correct matching serial numbers) and allows network connectivity or, depending on the serial number validation check, can refuse access for any given ONT. This process ensures that only known ONT devices are allowed access to the POL network and prevents a rogue ONT from registering.
POL offers encryption for LAN traffic
The GPON protocol uses a point-to-multipoint architecture downstream (to the user) and a point-to-point architecture upstream. The downstream traffic therefore would be subject to interception by anyone connected to downstream fibre interfaces. To counter this threat AES 128 encryption is used on traffic transmitted downstream over the GPON network and therefore only the ONT which as exchanged the key information with the upstream OLT will be able to decrypt the traffic and switch it to the proper Ethernet interface. It would be a rare occurrence to find an enterprise LAN where encryption is employed on end user traffic. Nevertheless, encryption is part of the ITU standard for PON networks and therefore network administrators can benefit by this additional layer of security in their network. In addition to this encryption the physical architecture of a POL does not support the connectivity of other mid-span active components which could pose a potential intrusion point into the network hierarchy. All endpoints must be known and acknowledged ONT devices.
The OLT allows for the use of a feature called Secure Forwarding. When Secure Forwarding is enabled for a VLAN, the service becomes IP session aware and snoops the DHCP offer messages to the ONTs and caches the allocated DHCP IP address information. Any DHCP offer will be translated from broadcast traffic to unicast traffic and only forwarded to the intended user. The OLT will then only allow the flow of traffic from end user ports if the source address is of the same address that was previously learned from the specific ONT user port. If the traffic does not originate from the correct address, the traffic is discarded. Also for devices attached with static IP addresses, a static
entry is required on the ONT port when secure forwarding is enabled so the OLT can compare the configured IP address to the source address of the statically configured device in the data frame. If they do not match, the traffic is discarded. Therefore, a more secure capability is achieved preventing a user connecting to the ONT port and attempting to perform a hopping or spoofing attack. This feature can be enabled on any VLAN in the system.
Malicious use of MAC Addresses for Traffic Manipulation
The ONT and the OLT maintain MAC address tables populated by the traffic forwarded on the network. There exists a possibility that an end user can inject traffic from many (spoofed) MAC sources in an attempt to overwhelm the OLT Forwarding Database (MAC) tables. This could result in undesirable behaviour within the OLT denying service availability until the attack has subsided. As a mitigation the OLT is configured to implement a limit on the number of MAC addresses that can be learned from the ONT, provisionally this is set at a limit of 4, 16 or 64 MAC addresses per ONT port depending on the service type. These limits can be further tailored by the administrator as desired.
The VLAN itself can also be set to limit MACs learned across the entire broadcast domain. These are set to 4000 per service nominally to prevent a MAC storm/DoS
attack affecting all services. These limits can be increased or decreased as desired. If the solution is deployed where the customer does not believe there is a threat to the network facing FDB table, this artificial limit can be removed.
In service provider networks, a default behaviour is to block MAC Movement within the OLT as a security measure to prevent spoofing and theft of service threats. In a POL environment however, there will be a need to configure services to allow this movement such as devices using WiFi services and moving between two different WAP’s that are hosted via 2 different PON cards. The MAC movement feature therefore is implemented to facilitate this requirement for POL applications. The administrator may optionally implement the default behaviour as required for 3rd party network services, contractors, or public facing networks in which MAC movement is not desired.
Access Control List
It is possible to configure access control lists (ACL) which filter network traffic based on MAC or IP address information. These filters are then applied to the various VLAN services configured for on the OLT.
IP filter policies match criteria associated with traffic ingressing or egressing a service. Matching criteria to drop or forward IP traffic include:
- Source IP address and mask
- Destination IP address and mask
- Protocol (such as TCP, UDP, etc.)
- IPv6 Protocol
- Source port/range
- Destination port/range.
- DSCP marking
- ICMP code
- ICMP type
- IPv4 Fragmentation
- TCP-ACK/SYN flags
- Option present
MAC filter policies match criteria that associate traffic with an ingress or egress SAP. Matching criteria to drop or forward MAC traffic include:
- Source MAC address and mask
- Destination MAC address and mask
- Dot1p and mask
- Encapsulation type (802dot2-llc, 802dot2-snap, ethernet_II and any)
The 802.1X capabilities of POL solution complies with both the IEEE 802.1X and the CCSA specification. Each 802.1X-enabled ONT user port is by default in a closed status and successful authentication is needed to open the port. Packets from unauthenticated users are dropped until an 802.1x session is successful after authentication by an external RADIUS or server. Passwords, RADIUS secrets, and other authentication data are encrypted in such a way in the system database that the plain form cannot be derived from the system database when this is not required for normal operation (for example, passwords for PAP local authentication). In cases where it is necessary to retrieve the plain text form, encryption (MD5) is used to avoid unauthorized retrieval. This applies for authentication on all the management interfaces and on all the user interfaces.
PON Card Security
Each PON card can provide storm-control features which protect against broadcast storms and unknown multicast and unicast traffic attacks. The system also supports IP and MAC address binding as well as the following safety functions which throttle traffic on the Ethernet services when a set threshold is crossed:
- IP/MAC anti-spoofing
- anti-DOS attack
- anti-ARP attack
- anti-ICMP attack
- anti-BPDU attack
- CPU overload protection
Management Server Security
Our POL Command Center (PCC) is the network management server used in our POL portfolio. It is based on a Redhat Linux Enterprise x86 platform that can optionally run on
a virtual machine. The PCC server provides network administrators with an SSL secured, browser-based GUI for performing installation, maintenance, troubleshooting, and monitoring of the POL network. The Redhat server affords the enterprise organization with a feature rich suite of applications and options for hardening the management interface of the network. First, the management network itself can be configured out-of-band with the end user traffic. This ensures that only network administrators who have
access to the core network (via an entirely separate network segment or VPN connection) may access the management functions of the POL network. PCC also supports the use of the built-in firewall provided by the RedHat OS (iptables), password aging and locking parameters, port security, system control file changes to guard against SYN flood attacks, IP forwarding, and route filters. The administrator can additionally administer a variety of management and security policies for the OLT including:
- RADIUS Authentication
- SNMP (v2 and v3)
- Authorization protocols (MDA5 and SHA)
- Encryption protocols (DES, AES128, AES192, AES256)
- Configurable SNMP trap destinations
- Support for SYSLOG
The Software for both the OLT and ONTs is stored on the management server for upgrade and newly discovered ONTs. There is no port or procedure by which an end user on an ONT could access these files and manipulate their own hardware and firmware combination. The connection between the OLT and management server for these software transfers supports the SFTP protocol and any non-secure protocols such as FTP and TFTP can be optionally disabled. The management traffic between PCC and the OLT can also be further secured with SSHv3 and the use of a dedicated management VLAN which can utilize access control lists to further constrain the number of devices which can access this service.
Enterprise organizations must deploy standardized and robust security policies to defend not only against external threats but also those network attacks that can occur in the LAN segment. The choice to migrate an enterprise LAN to a POL cannot be made without careful consideration of the impact of existing security mechanisms and processes. Fortunately, nearly all the features a network administrator would need to deploy in the LAN environment are already incorporated in our POL solution. By coupling these strategies with the inherent security of fibre infrastructures and PON management systems, a truly secure and future proof network can be realized.
KVM over IP is still the best way to connect to Servers and other IT Devices in your Server Room / Data Centre / Laboratory
KVM over IP is still alive – in fact, sales have picked up…
KVM over IP has in the past suffered a huge loss of market share to Service Processors such as HP iLO, Dell DRAC, RSA, ALOM, IPMI etc. A large contributing factor is the trend of Server Manufacturers to bundle the Service Processor with the base price of the Hardware.
However, of late, we see a turnaround.
This has come about because:
- Advanced Service Processors features require a licence which are standard on KVM-over-IP switches.
- Service Processors require an additional LAN port for out-of-band access.
- Difficult to manage 100’s of Service Processors.
- KVM over IP is more secure that Service Processors.
- Recent research has highlighted shocking vulnerabilities:
- Possible to login with no authentication, cleartext passwords, etc.
- US Department of Homeland Security issued CERT Alert (TA13-207A)
- KVM over IP offers far better performance – with a seamless user experience.
- With each Service Processor requiring an IP address, it becomes difficult to manage, especially in multi-vendor environments.
Not all KVM Switches are the same…
Users lack remote access and management for high performance applications for several reasons:
- Traditional KVM switches lack the required video performance and features for these applications.
- Users must be co-located with these applications & cannot get remote IP access to these systems.
- IT admins and lab managers cannot provide effective remote management for these high-performance systems.
High performance KVM over IP features include:
BIOS-level Access – Virtual Media – Dual Power, Dual LAN, 8 to 64 port switches – 1 to 40 remote concurrent sessions – iPhone/iPad access – Centralized Management – 1920×1200 resolution – 30 Frames Per Second – 24 Bit Colour – Digital Audio – Dual Monitors – Dual Video Cards – DVI – HDMI – DisplayPort
In a nutshell, KVM over IP reduces travel time, increases productivity, and gives you high performance remote access and control for any application.
- Powerful tool for remote server management and access.
- Increased productivity, security, quality, and collaboration.
- Avoid trips to lab, data centre, and server room.
- Many use cases and applications across multiple industries.
- Access all your servers and IT devices from a single IP address.
- Integrate Power Control: Check Power Consumption, Power Status, execute a “Hard Reboot” and view the boot-up sequence.
Although most KVM switches are good enough to handle those traditional needs, many applications utilizing video streaming, audio, and high-resolution graphics, require a KVM-over-IP solution that can deal with high performance demands.
Our aim is to assist our customers in becoming more efficient, productive and save money with a wide range of Remote Server Access Solution to fit their needs.
LanAccess, a division of Technology Access Group, has been focusing on Advanced KVM over IP since 2003. Considered experts on this Technology, LanAccess, and DCAccess (the Data Centre Division) can guide you to make the most of your Remote Access requirements. With advanced KVM, accessing your servers will be a dream.
IT professionals love KVM switches because they provide anytime anywhere BIOS-level access, emergency access, and feature “virtual media” for loading software, running diagnostics, or rebooting.
Passive Optical LAN Technical Overview – Technical Advantages
Passive Optical LAN is a new application of a proven access network solution. It is a better way to structure a LAN, because:
- It flattens the Local Area Network
- It simplifies network moves, adds, and changes
- Is not limited by the distance and bandwidth constraints of twisted pair networks
- Is secure by design, based on optical fiber and built-in encryption
Passive Optical LAN provides substantial savings in CapEx and OpEx compared to legacy LAN designs.
- Can eliminate wiring closets
- Eliminates the need for midspan electronics, power, and cooling infrastructure
- Uses smaller, lighter, less expensive cables to reduce pathway and space requirements
- Virtually eliminates the need to refresh cabling infrastructures
- As technology evolves, only the active endpoints need a refresh
Recent research shows that the prospects of having wireless communication are quite good. Two strong contenders for this future communication technologies include free space optical communication and 60 GHz radio frequency. This paper published in IEEE Communications Surveys and Tutorials provide a comprehensive survey on the current research activities and prospects for wireless communication in data centers.