Data is sent to a computer, or between computers, by electromagnetic transmission through the air (e.g., laser or Wi-Fi), through wires (typically copper or aluminum), or through fiber optic cables. Data in transit must be protected against intruders who intercept it along the path. The transmitted data may be encrypted, but encryption impedes use of the data at its destination and does not prevent interception in the first place. Encryption also requires time and equipment to encrypt and to decrypt the data, which increases expense and delays both transmission and use of the data. Because data transmitted over the air is readily intercepted, transmission over wires or optical cables provides improved resistance to interception.
There is thus a need for an improved way to monitor data transmission to and between computers. The U.S. Government's need for security, and the resulting development of SIPRNET, JWICS and other secure networks, reflect this need for improved ways to prevent interception of data, or to monitor transmission lines and raise an alarm when an attempt is made to intercept the transmitted data.
Protective distribution systems are used to deter, detect and/or make difficult physical access to the communication lines carrying data, especially national security information. Approval authority, standards, and guidance for the design, installation, and maintenance of protective distribution systems are stated in NSTISSI 7003. The requirements of that publication apply to U.S. government departments and agencies and to their contractors and vendors. Hardened distribution protective distribution systems provide significant physical protection and are typically implemented in three forms: hardened carrier protective distribution systems, alarmed carrier protective distribution systems and continuously viewed carrier protective distribution systems.
In a hardened carrier protective distribution system the data cables are installed in a carrier constructed of electrical metallic tubing (EMT), ferrous conduit or pipe, or rigid sheet steel ducting. All connections of the tubing, conduit, etc. in a hardened carrier system are permanently sealed around all surfaces with welds, epoxy or similar sealants. If the hardened carrier is buried underground, for example to secure cables running between buildings, the carrier containing the cables is encased in concrete. The only way to access the data transmission lines is to break through the enclosing physical barrier, and doing so leaves signs of intrusion which can be detected on inspection.
With a hardened carrier system, attempts to intercept the transmitted data are detected by human inspections that must be performed periodically. Visual inspection requires that hardened carriers be installed below ceilings and above flooring so that the physical structure enclosing the data transmission lines can be examined to confirm that no intrusion has occurred. The frequency of these periodic (passive) visual inspections depends upon the level of threat to the environment, the security classification of the data being transmitted, and the access control to the area being inspected. Such inspections are costly, subject to inspection error that fails to detect an intrusion, and limit where the data carrier can be located.
Legacy alarmed carrier systems monitor the carrier containing the protected data transmission cables. More advanced systems monitor the fibers within the carrier, or are made intrinsic to the carrier, by turning the protected cables themselves into sensors that detect intrusion attempts. Such systems are, however, expensive to install, especially where some cables serve the dual purpose of acting as intrusion sensors while others transmit data.
Depending on the government organization, using an alarmed carrier protective distribution system together with suitable protection at cable junctions may, in some cases, allow the carrier to be eliminated altogether. In those instances, the protected cables can be installed in existing conveyance mechanisms (wire basket, ladder rack) or in existing suspended cabling supports (D-rings, J-hooks, etc.).
A continuously viewed carrier protective distribution system is one that is under continuous observation, 24 hours per day (including when operational). Viewing circuits may be grouped together to show several sections of the distribution system simultaneously, but should be separated from all non-continuously viewed circuits in order to ensure an open field of view of the needed areas. Standing orders typically include the requirement to investigate any observed attempt to disturb the protective distribution system; usually, appropriate security personnel are required to investigate the area of attempted penetration within 15 minutes of discovery. This type of carrier is not used for Top Secret or special category information in non-U.S. locations. Continuously viewing the data distribution system is costly and subject to human error.
Simple protective distribution systems are afforded a reduced level of physical security protection compared with a hardened distribution protective distribution system. They use a simple carrier system (SCS), for which the following are acceptable under NSTISSI 7003: (1) the data cables should be installed in a carrier; (2) the carrier can be constructed of any material (e.g., wood, PVC, electrical metallic tubing, ferrous conduit); (3) the joints and access points should be secured and controlled by personnel cleared to the highest level of data handled by the protective distribution system; and (4) the carrier is to be inspected in accordance with the requirements of NSTISSI 7003. This approach, too, incurs high cost and depends on manual inspection.
Increasing bandwidth and security demands in local area networks (LANs) are driving a shift from copper to fiber optic media to carry the transmitted data. This increased bandwidth will also require fiber-to-the-desk (FTTD) as part of the local area network. The term fiber-to-the-desk describes the (usually) horizontally oriented cabling, in data transmission and telecommunications, that runs from the floor distributor to the outlets at the workplaces on that floor, providing fiber optic transmission to each desktop computer. In the standards ISO/IEC 11801 and EN 50173 this is the tertiary level.
In a secure fiber optic network application, Tactical Local Area Network Encryption (TACLANE) is a network encryption device developed by the National Security Agency (NSA) to provide network communications security on Internet Protocol (IP) and Asynchronous Transfer Mode (ATM) networks for an individual user or for an enclave of users at the same security level. TACLANE allows users to communicate securely over legacy networks such as the Mobile Subscriber Equipment (MSE) packet network, the Non-Secure Internet Protocol Router Network (NIPRNet), the Secret Internet Protocol Router Network (SIPRNet), and emerging asynchronous transfer mode networks. The TACLANE device limits the bandwidth of a secure fiber optic network to 1 to 10 Gb/s, depending on the type of network. Providing a secure alarmed protective fiber distribution system enables removing the TACLANE device, permitting 40 Gb/s network systems with that higher data rate delivered directly to each desktop.
Approval authority, standards, and guidance for the design, installation, and maintenance of protective distribution systems are provided by NSTISSI 7003 to U.S. government departments and agencies and their contractors.
The present invention uses a Protective Distribution System (PDS) solution that provides a secure physical network security infrastructure for Secure Passive Optical Network (SPON), Gigabit Passive Optical Network (GPON), and Fiber to the Desk (FTTD) deployments in Intrusion Detection of Optical Communication Systems (IDOCS) applications, and can be customized to each application. The disclosed method and apparatus provide an end-to-end solution for SPON, GPON and FTTD in IDOCS applications, and improve the deployment, management and protection of defense critical networks and C4ISR facilities where open storage areas are a challenge.
While allowing customization of Intrusion Detection of Optical Communication Systems (IDOCS), the present method and apparatus use fiber optic data transfer, which improves on copper data transmission where data protection is imperative and data speed is necessary.
An alarmed carrier protective distribution system provides a desirable alternative to human visual inspection and may be constructed to automate the inspection process through electronic monitoring with an alarm system. In an alarmed carrier protective distribution system, the carrier is “alarmed” with specialized optical fibers deployed within the conduit to sense the acoustic vibrations that usually accompany an attempt to breach the conduit and gain access to the cables. Previously, such alarmed systems have been used only in main data transfer conduits between buildings or within computer centers. The present system significantly refines the application of fiber optic alarms and extends the alarmed lines to junction boxes and user lock boxes.
An alarmed carrier protective distribution system offers several advantages over a hardened carrier protective distribution system, including (1) continuous monitoring, day and night, throughout the year; (2) elimination of periodic visual inspections; (3) placement of the carrier above the ceiling, below the floor or in other difficult to access locations, since passive visual inspections are not required; (4) elimination of concrete encasement outdoors; (5) elimination of the need to lock down manhole covers; and (6) rapid redeployment or modification for evolving network arrangements. While offering these advantages, such systems are expensive to install.
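The alarm logic behind the alarmed carrier described above is not spelled out in the text. The following Python block is an added illustration, not code from the patent, from NSTISSI 7003, or from any monitoring product, of how a monitor for such a carrier decides that a vibration excursion is an intrusion attempt rather than ambient noise, and how it attaches the 15-minute investigation deadline used for continuously viewed carriers. It assumes a sensing fiber whose monitor reports one vibration amplitude per carrier zone per second; the zone names, thresholds, window sizes and readings are constructed for illustration.

```python
"""Alarm logic for an alarmed-carrier PDS (added illustration).

Added example, not code from the patent, NSTISSI 7003, or any product.
Assumes a sensing fiber whose monitor reports one vibration amplitude per
carrier zone per second. Zone names, thresholds and readings are constructed.
"""
from collections import deque
from datetime import datetime, timedelta
from statistics import median

# Standing-order deadline: investigate within 15 minutes of discovery.
RESPONSE_WINDOW = timedelta(minutes=15)


class ZoneMonitor:
    """Tracks one carrier zone and flags sustained excursions above its quiet baseline."""

    def __init__(self, zone, window=10, k=6.0, persist=3):
        self.zone = zone
        self.history = deque(maxlen=window)  # recent quiet samples only
        self.k = k                # robust z-score threshold
        self.persist = persist    # consecutive loud samples required before alarming
        self.hits = 0

    def update(self, amplitude):
        """Feed one sample; return True exactly when an excursion becomes persistent."""
        if len(self.history) < self.history.maxlen:
            # Learning phase: the carrier is assumed quiet while the baseline fills.
            self.history.append(amplitude)
            return False
        med = median(self.history)
        # Median/MAD baseline is not dragged upward by a few loud samples;
        # the 0.01 floor avoids dividing by zero on a perfectly flat history.
        scale = max(median(abs(x - med) for x in self.history), 0.01)
        if (amplitude - med) / scale > self.k:
            self.hits += 1          # loud sample: keep it out of the baseline
        else:
            self.hits = 0           # a single transient (door slam, HVAC) resets the count
            self.history.append(amplitude)
        return self.hits == self.persist


def run_monitor(readings, start, window=10, k=6.0, persist=3):
    """readings: {zone: [amplitude per second from `start`]}.

    Returns [(zone, alarm_time, investigate_by)], one entry per persistent excursion.
    """
    monitors = {z: ZoneMonitor(z, window, k, persist) for z in readings}
    alarms = []
    n = max(len(series) for series in readings.values())
    for i in range(n):
        t = start + timedelta(seconds=i)
        for zone, series in readings.items():
            if i < len(series) and monitors[zone].update(series[i]):
                alarms.append((zone, t, t + RESPONSE_WINDOW))
    return alarms


# Constructed sample data (not a real capture).
QUIET = [1.00, 1.02, 0.98, 1.01, 0.99]   # ambient vibration, arbitrary units


def quiet(n):
    return [QUIET[i % len(QUIET)] for i in range(n)]


SAMPLE = {
    # stays quiet for the whole minute
    "A-corridor-run": quiet(60),
    # sustained cutting or drilling on the junction box from t=40 s to t=44 s
    "B-junction-box": quiet(40) + [4.5, 4.8, 5.1, 4.9, 5.3] + quiet(15),
    # one loud transient at t=25 s that must not raise an alarm
    "C-user-lockbox": quiet(25) + [6.0] + quiet(34),
}
START = datetime(2024, 1, 1, 9, 0, 0)


def demo():
    return run_monitor(SAMPLE, START)


if __name__ == "__main__":
    for zone, at, by in demo():
        print(f"ALARM {zone} at {at:%H:%M:%S}; investigate by {by:%H:%M:%S}")
```

Two design points matter here. The baseline is fed only by samples judged quiet, so a slow, sustained attack cannot raise the baseline and hide itself, and the persistence count rejects single transients such as a door slam while a drilling attempt that lasts a few seconds still alarms and is localised to one zone (the junction box in the constructed data). The block does not model a severed or bypassed sensing fiber; a real monitor must also treat loss of signal from a zone as an alarm condition, since a cut sensor reads as silence.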