Protect your network against fiber hacks

Copper cable has been known as the easily tapped physical transmission medium for years. Conscientious network and security managers either provided tight physical security for cabling or used fiber as an alternative. Many network managers considered fiber relatively safe due to the perceived challenges associated with tapping into an optical cable run. However, fiber is no safer than copper.

For less than $1,000, an attacker can purchase the hardware necessary to tap into a fiber run.  The tap consists of bending the fiber to the point that it leaks light. Figure A offers an example of how this might be accomplished.

Figure A (Sandra Kay Miller, Information Security Magazine, November 2006)

The fiber cable to be tapped is placed into a micro-bend clamping device (1). The light pulses leaking from the cable are detected by the optical photo detector (2) and sent to an optical-electrical converter (3). The converter changes the light pulses to electrical information that is placed on an Ethernet cable attached to an attacker's laptop. The laptop, running sniffer software, provides the attacker with a view into the data traveling through the tapped fiber cable. Figure B is a photograph of actual tap hardware.

Figure B ("Fiber Optic Intrusion Detection Systems," NetworkIntegrity Systems, 2005)

The most obvious way to protect your fiber cables from this type of attack is to prevent physical access to them. But what happens if all your efforts fail to prevent a bent cable tap?

When cable taps present a higher than acceptable risk, consider encrypting all sensitive data in transit. Another possible solution is a fiber intrusion detection device. These devices can detect subtle changes in the characteristics of the light traveling over monitored fiber. These changes are most prevalent when preparing fiber for a tap. Security personnel monitoring this information can analyze it for possible attacks against the network.

In summary, there is no cable type that is safe from tapping. It is the responsibility of security and network management personnel to take the steps necessary to protect data as they move across internal copper and fiber media. These steps include both physical and technical solutions.