Data security is a growing concern, particularly where communication networks are interconnected at peering points. This also happens to be the point in the network where traffic capacity is extremely high, and often the area where 'high touch' (close inspection of the optical data) is required to satisfy the requirements for legal intercept, flow classification and performance monitoring. These challenges are highlighted by the development of ultrahigh-capacity optical networking, where a complete wavelength of traffic could pass across network domains before being broken down into finer-grain electronic channels. New optical solutions for optical packet recognition, interrogation and manipulation of data streams are then necessary, both to protect against malicious acts and to provide essential network performance monitoring. As optical transmission data rates increase (>40 Gb/s) it becomes increasingly difficult to implement existing security approaches, based on current electronic techniques, at wirespeed, and it is difficult to see how such approaches are scalable and cost-effective when applied on their own. In addition, within the security domain of a network there will be nodes where it would be convenient to develop alternative optical techniques that implement some level of packet screening for optical bypass, thereby reducing the traffic load on any particular router.
For example, a large percentage of the optical traffic carried between nodes in optical networks is destined for other end nodes and, in future, will simply bypass intermediate nodes. This means that security authentication protocols cannot necessarily be applied, because the data is not converted to the electronic domain at each node. Moreover, without the ability to monitor certain specific bits within packet streams it will be increasingly difficult to protect the users of high-capacity networks from denial-of-service attacks, in which concerted malicious actions consume an excessive share of resources and deny normal users access to the system. This will be especially important for the emerging native high-speed Ethernet networks, where no framing or overhead information is carried with the data packets (unlike SDH or ATM). The ability to process high-speed optical data directly at wirespeed would allow optical networks to be simplified without compromising security. This can be achieved by using high-level optical flags and optical bit-serial pattern recognition techniques to identify which data to filter out of the optical pipe for finer-grain electronic processing. It will be possible to configure the photonic firewall to recognise particular optical bit patterns in the data. These patterns can be used to indicate, through the appropriate security monitoring algorithm, potential threats. When a match is detected, the data can be re-routed at wirespeed. In addition, optical techniques for examining the header and payload data at high transmission speeds (>40 Gb/s) are vital to establish information gateways and security domains.
WISDOM is designed to develop new photonic firewall techniques. These will include novel hybrid photonic devices working in conjunction with new algorithms and protocols to extract and process wirespeed security information. The algorithms will combine the (presently limited) functionality of the optical processing with secondary electronic security approaches to introduce new layers of security analysis. The optical processing modules will be placed at the front end of the node firewall to provide the primary optical information filtering, operating at wirespeed. This will include operations such as parity checking, flag status and header recognition. Secondary processing would then be done electronically, as is currently the case, but with the benefit of a reduction in the electronic processing capacity required. This would, as a result, begin to address issues of capacity scalability at such nodes. In the longer term, as the functionality and complexity of what can be achieved with digital optical processing develops, it may be possible to perform a finer optical sift and examine the packet payload for particular features at wirespeed. A schematic of the network topology and the location of the photonic firewalls is shown in figures 2.1(a) & (b).
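The two-stage screening described in the preceding paragraphs (a wirespeed front end that only does bit-serial pattern matching, flag inspection and parity checking, diverting suspect frames to slower electronic analysis while everything else bypasses the node) can be modelled in software. The example below is added here and is not WISDOM project code; the frame layout (8-bit header, inspection flag in header bit 0, trailing even-parity bit), the watched header pattern and all sample frames are constructed assumptions. The correlator models the optical stage as a shift register compared tap by tap, so each step inspects only the bits currently in the register.

```python
# Model of a two-stage "photonic firewall": an optical-style front end that
# does bit-serial pattern matching, flag inspection and parity checks, and an
# electronic second stage that receives only the frames the front end diverts.
# Constructed example; frame layout, pattern and field offsets are assumptions.
from dataclasses import dataclass
from typing import Optional


def serial_match(bits: str, pattern: str) -> list[int]:
    """Bit-serial correlator model: shift one bit at a time into a register of
    len(pattern) taps and report every offset at which all taps agree.
    Each step inspects only the register, mirroring a streaming comparison."""
    n = len(pattern)
    register = ""
    hits = []
    for i, b in enumerate(bits):
        register = (register + b)[-n:]          # shift the new bit in
        if len(register) == n and register == pattern:
            hits.append(i - n + 1)              # offset of the first tap
    return hits


def parity_ok(bits: str) -> bool:
    """Even parity over the whole frame, trailing parity bit included."""
    return bits.count("1") % 2 == 0


@dataclass
class FrontEndConfig:
    header_len: int            # the first header_len bits form the header
    flag_offset: int           # header bit carrying the inspection flag
    watch_patterns: list[str]  # header bit patterns that trigger diversion


def screen(cfg: FrontEndConfig, bits: str) -> Optional[str]:
    """Return why a frame must be diverted to electronic processing, or None
    if it may bypass the node optically. Cheapest checks run first."""
    if not parity_ok(bits):
        return "parity error"
    header = bits[:cfg.header_len]
    if header[cfg.flag_offset] == "1":
        return "inspection flag set"
    for pattern in cfg.watch_patterns:
        hits = serial_match(header, pattern)
        if hits:
            return f"header pattern {pattern} at bit {hits[0]}"
    return None


def run_front_end(cfg: FrontEndConfig, frames: list[str]) -> dict:
    """Partition frames into those that bypass and those handed to stage two."""
    bypassed, diverted = [], []
    for idx, bits in enumerate(frames):
        reason = screen(cfg, bits)
        if reason is None:
            bypassed.append(idx)
        else:
            diverted.append((idx, reason))
    return {"bypass": bypassed, "divert": diverted}


def add_parity(header: str, payload: str) -> str:
    """Build a well-formed constructed frame with a trailing even-parity bit."""
    body = header + payload
    return body + ("1" if body.count("1") % 2 else "0")


# Constructed configuration and traffic sample.
DEMO_CFG = FrontEndConfig(header_len=8, flag_offset=0, watch_patterns=["1011"])
DEMO_FRAMES = [
    add_parity("01100001", "10101010"),   # clean frame: bypasses optically
    add_parity("01011001", "00000000"),   # header carries the watched pattern
    add_parity("11100000", "11110000"),   # inspection flag (header bit 0) set
    "00000000" + "10000000" + "0",        # corrupted: parity bit is wrong
]


def demo() -> dict:
    return run_front_end(DEMO_CFG, DEMO_FRAMES)


if __name__ == "__main__":
    result = demo()
    print("bypass:", result["bypass"])
    for idx, reason in result["divert"]:
        print(f"frame {idx}: divert to electronic stage ({reason})")
```

The ordering inside `screen` reflects the division of labour in the text: parity and flag status need no pattern memory at all, header recognition needs a register the width of the pattern, and anything finer (payload inspection) is left to the diverted path, so the electronic stage only ever sees the three flagged frames rather than all four.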
Figure 2.1: (a) Network topology; (b) Location of firewalls