
Protect your network against fiber hacks


Copper cable has been known for years as an easily tapped physical transmission medium. Conscientious network and security managers either provided tight physical security for cabling or used fiber as an alternative. Many network managers considered fiber relatively safe because of the perceived difficulty of tapping into an optical cable run. However, fiber is no safer than copper.

For less than $1,000, an attacker can purchase the hardware necessary to tap into a fiber run. The tap consists of bending the fiber to the point that it leaks light. Figure A offers an example of how this might be accomplished.


Figure A (Sandra Kay Miller, Information Security Magazine, November 2006)

The fiber cable to be tapped is placed into a micro-bend clamping device (1). The light pulses leaking from the cable are detected by the optical photo detector (2) and sent to an optical-electrical converter (3). The converter changes the light pulses to electrical information that is placed on an Ethernet cable attached to an attacker's laptop. The laptop, running sniffer software, provides the attacker with a view into the data traveling through the tapped fiber cable. Figure B is a photograph of actual tap hardware.


Figure B ("Fiber Optic Intrusion Detection Systems," NetworkIntegrity Systems, 2005)


The most obvious way to protect your fiber cables from this type of attack is to prevent physical access to them. But what happens if all your efforts fail to prevent a bent cable tap?

When cable taps present a higher than acceptable risk, consider encrypting all sensitive data in transit. Another possible solution is a fiber intrusion detection device. These devices can detect subtle changes in the characteristics of the light traveling over monitored fiber. These changes are most prevalent when fiber is being prepared for a tap. Security personnel monitoring this information can analyze it for possible attacks against the network.
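
A simplified version of that analysis, as an added example (not from the original article and not a description of any vendor's product): it flags a sustained drop in received optical power, assuming the receiver reports periodic power readings in dBm. The function name, thresholds and sample readings are constructed for illustration.

```python
from collections import deque
from statistics import median

def detect_power_drops(readings_dbm, window=5, drop_db=0.5, sustain=3):
    """Flag sustained drops in received optical power against a rolling baseline.

    window, drop_db and sustain are illustrative values, not vendor settings.
    """
    baseline = deque(maxlen=window)      # recent readings judged normal
    events, run_start, alerted = [], None, False
    for i, rx in enumerate(readings_dbm):
        if len(baseline) < window:       # still learning the baseline
            baseline.append(rx)
            continue
        ref = median(baseline)
        loss = ref - rx                  # positive = less light arriving
        if loss >= drop_db:
            if run_start is None:
                run_start = i
            if not alerted and i - run_start + 1 >= sustain:
                events.append({"start": run_start, "baseline_dbm": ref,
                               "loss_db": round(loss, 2)})
                alerted = True           # one alert per event
        else:
            run_start, alerted = None, False
            baseline.append(rx)          # only normal samples move the baseline
    return events

# Constructed readings (dBm), one per polling interval: a one-sample glitch at
# index 7, then a persistent ~1.1 dB loss starting at index 10.
SAMPLE = [-3.1, -3.0, -3.1, -3.0, -3.1, -3.0, -3.1, -3.9,
          -3.0, -3.1, -4.2, -4.3, -4.2, -4.3, -4.2]

if __name__ == "__main__":
    for e in detect_power_drops(SAMPLE):
        print(f"sustained loss of {e['loss_db']} dB from sample {e['start']} "
              f"(baseline {e['baseline_dbm']} dBm)")
```

Because normal samples keep moving the baseline, a loss that creeps in slowly is absorbed by it; comparing against a fixed reference recorded at commissioning covers that case.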

In summary, there is no cable type that is safe from tapping. It is the responsibility of security and network management personnel to take the steps necessary to protect data as they move across internal copper and fiber media. These steps include both physical and technical solutions.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

9 comments
mailranjithr

This is possible for a single fiber. But what if the data to be tapped is transmitted in a fiber which is in the middle of an OFC bundle? Then this method fails, doesn't it?

david_wall

On the copper side, there is at least one product that has security built-in. Siemon introduced a shielded copper cabling system named "TERA" back in 1999 that has more recently been validated for TEMPEST high-security government applications. While it does not use the typical RJ-45 form factor, the TERA interface and cable are standards approved for ISO/IEC category 7/class FA specifications. The standards at this level call for 1,000 MHz frequency bandwidth - ideal for 10GBASE-T and broadband CATV applications.

rgreco

Tom, Nice post, simple but full of information. I work for a company that secures the access points that you talked about. It baffles me how many companies are overlooking this security hole. Almost as if they think it won't happen to them. Ray Greco

inetco

Recently, there are several Tap devices on the market and they are servicing instead of copy ports in traffic monitoring. Many famous companies such as NetOptics and ..... have a variety of products suited for single mode, multimode and .... fibers. It is not a new topic to discuss.

mmexus

...seems to be the only answer at the moment to secure any high speed data stream. Let's all hope that Quantum key distribution like Alice and Bob will do what they promise! ;)

crob235

For many reasons Quantum Cryptography is not the solution to the problem in question (when properly implemented QC is really only applicable to crypto key distribution etc due to its many inherent limitations). One problem with practical Quantum Crypto systems is that to get it to work over any sizable distance at a reasonable bit rate you end up sending more than a single photon per bit... So this tap may well work against Quantum Crypto if it is put close to the emitter (there is also one hell of a lot of other things you would have to do as well but hey it's enough to hang your hat on and get down to work). Also very slowly bending the QC cable in a tight curve to increase the "line loss" is a way by which you can get somebody to change their threshold on quantum crypto systems. Although quantum crypto is a nice idea, real world implementations have to take into account a whole host of other issues (not least the same laws of physics by which it works) that for practical purposes make QC (effectively) a theoretical system only.