Government Levels of Security Enhanced with TERA Cabling System

It is no newsflash that IT security issues are a hot topic. While security has always been in the back of the IT manager's mind, the recent flood of information, regulation and products pertaining to network security is fairly new in the private sector. Not so in government and military networks. These critical networks have long put security at the top of the list and this focus has resulted in extremely robust security parameters and processes.

In the private sector, information security typically relies on such measures as firewalls, passwords, biometrics and access cards. Government information, which may include department of defense information, health and human services data or municipality infrastructure information, is often protected by similar systems. The levels of security are dictated by the nature of the data, and in more secure/classified government networks, the physical layer cabling plant is included in security measures.

There are several steps in the implementation of physical layer security. First and foremost, the physical layer should be documented and labeled. It is important to understand every point of ingress and egress on a network. Without that information, any additional steps may fail to address a potential network breach point. This physical layer documentation can be achieved via intelligent patching, manual methods or a combination of both. These steps are easily employed by the private sector and are increasingly a part of network management in non-governmental enterprise.

Once the network infrastructure is properly documented, the next step towards physical security is an examination of pathways and spaces. The goal is to ensure that the cable is inaccessible to unauthorized personnel. Beyond limiting physical accessibility, the cabling plant's radiated signals must be controlled.

Radiated signals or emissions occur in every piece of computer equipment. In the US, the FCC controls the amount of allowable emissions and international counterparts exist (IEC CISPR documents). Unwanted signal emissions are known as compromising emissions. Compromising emissions can be transmitted through power lines or data cabling, or simply radiated into the air. When a compromising emission is received or intercepted, secure information is compromised. In short, every piece of data processing equipment, including microchips, diodes and transistors, is a potential source of compromising emissions.

The control and/or elimination of all compromising emission sources is critical for government communications that require a high level of security, such as homeland security. This falls under what the government terms EMSEC, INFOSEC, and TEMPEST. These programs/ratings work to assure that the normal radiated signals are shielded in some way from unscrupulous listeners who would use this captured information for unauthorized means.

TEMPEST is a U.S. government code word which defines the counter-intelligence standards developed to protect secure data transmissions from electronic espionage. Although actual requirements are classified, it is widely known that TEMPEST sets out strict limits on signal radiation from data-handling electronic equipment. While the scope of published TEMPEST information focuses on physical equipment such as monitors, printers and devices containing microchips, the term is commonly used to describe efforts throughout the field of Emissions Security (EMSEC). EMSEC is defined as "the protection resulting from all measures designed to deny unauthorized persons information that might be derived from intercept and analysis of compromising emanations from other than crypto-equipment and telecommunications systems," according to the ATIS Committee TIAI.

TEMPEST began many years ago when it was determined that transmissions could be detected through the open air from a significant distance by listening to the emissions from a cable. In 1918, Herbert Yardley and his staff of the Black Chamber were engaged by the US Army to develop methods to detect, intercept and exploit combat telephones and covert radio transmitters. However, the codeword TEMPEST was not used until the 1960s and 1970s. There are several definitions for the acronym, including "Telecommunications Electronics Material Protected From Emanating Spurious Transmissions" and "Transient Electromagnetic Pulse Emanation Standard." However, these acronyms are somewhat speculative, as the official title, along with its recent requirements, is classified. In short, TEMPEST is the means to protect transmissions and covers media, communications devices and other protective measures. Basic TEMPEST requirements and protocols were declassified in 1995 as NSTISSAM TEMPEST. Although these documents illustrated some TEMPEST methodology, actual emission limits and test parameters were redacted and remain classified. Even without more complete parameters, it is known that TEMPEST served as a model for many other governments' equivalent programs. The NATO equivalent is AMSG 720B. In Germany, even the names of the standards supplied by the government remain classified, but it is known that the National Telecom Board administers their equivalent to the TEMPEST rating program. In the UK, Government Communications Headquarters (GCHQ), the equivalent of the NSA (National Security Administration), administers their program.

In the US, three levels of approval categorize equipment meeting TEMPEST standards. Approval Type 1 is acceptable for use in classified or controlled cryptographic equipment and may refer to assemblies, components or other items endorsed by the NSA for securing telecommunications and automated systems for the protection of classified or sensitive US Government information and its contractors. This equipment is subject to restrictions in accordance with the International Traffic in Arms Regulations. Type 2 approval is for equipment, assemblies and components used to transmit non-classified but sensitive information. Type 3 implements an unclassified algorithm registered to the National Institute of Standards and Technology (NIST) for use in protecting unclassified sensitive or commercial information. While there is individually approved equipment, the US TEMPEST certification applies to a complete system. In a network environment, this includes all components, including the cabling plant. Changing one single component can compromise the security of the entire system. In secure communications, the medium used to transmit the data (i.e., the cabling) is part of the TEMPEST or EMSEC system. TEMPEST emission control standards for cabling, combined with data encryption and other security systems, allow for INFOSEC (Information Security). Because of these stringent requirements, the government had few options for physical layer security.

One option was the use of fiber optic networks. Fiber cabling radiates only heat emissions. This provided added protection because the fiber would have to be tapped or touched with heat detection equipment in order to snoop the communications. Fiber network equipment, however, is more costly than copper.

Copper networks were possible, but required very specific installation practices. According to TEMPEST standards, in high security government networks, potential emanations are generally addressed by placing all cables in ferrous conduit. In addition to conduit, TEMPEST standards created the RED/BLACK separation guidelines. In RED/BLACK, the cable plant and work areas are divided into RED zones and BLACK zones. The RED zones carry classified information and are isolated and shielded from the BLACK zones carrying non-classified information. The zones are then restricted by their location to external access as well as proximity to other potential signal radiators. Other equipment that could listen to or carry emanations, such as cell phones and radios, is forbidden in RED areas. Shielded copper cable provided an additional layer of security, limiting some emissions. However, single overall shielded (FTP) cables did not eliminate the need for conduit and RED/BLACK separation in high-security environments. The separation distance is lower with shielded cables, decreasing the cost for pathways and spaces.

Recent testing, however, provides an additional copper option for connections to TEMPEST equipment. Siemon's TERA, a Category 7/Class F system, is the first copper cabling system to pass TEMPEST emissions testing by an independent, NSA-certified lab, Dayton T. Brown Inc. TERA utilizes S/FTP cable and fully shielded connectivity. In S/FTP cable, each pair is individually shielded and an overall braid shield surrounds all conductors as shown in the figure below. Additional shielding is integrated into the outlets and plugs, eliminating a potential emission source.

For the TEMPEST test, a four-connector, 100 meter TERA channel was deployed in a shielded anechoic chamber as shown in the diagram below. The channel was energized with full duplex Gigabit Ethernet (1000 Mb/s) traffic using a Spirent SmartBits multiport analysis system. Emissions from the cabling system were then monitored and compared to the TEMPEST requirements.

According to the independent test report, the TERA is suitable for applications, such as TEMPEST, where radiated and compromising emissions are a concern. The remainder of the test report is classified.
