Considering the improvements in technology and its ability to provide a cost-effective way to bring people together, it’s no secret that video teleconferencing use is growing. But while analyst firm IDC predicts enterprise videoconferencing revenue to experience double-digit growth through 2014, government agencies and contractors may be slow to adopt this technology due to security restraints.
In network communications, whether the discussion is about cloud computing or shared bandwidth for Internet access, the grouping and sharing of resources is a proven economic model. However, in applications that must support different security clearance levels, this model can be a bit more complicated. Current video teleconferencing solutions for the intelligence community (IC) and the U.S. Department of Defense (DoD) can be very costly and require an extensive amount of redundant equipment to support multi-domain video teleconferencing applications where as few as two or as many as five networks, each operating on a different security level, may be required at every conference room and desktop. In this environment, the network and video equipment must be duplicated for each domain in order to prevent any amount of data from being transferred from one domain to another, which would constitute a breach of security.
In most cases, three network domains are required, one for top-secret content, one for secret content and one for unclassified content. To ensure security compliance, traditional video teleconferencing solutions require the following dedicated resources at a conference room or desktop, one of each for each domain: fibers, CODECs, Ethernet distribution switch, Ethernet core switch and content server for audio/video/data storage and playback. As a result of this redundant infrastructure, video teleconferencing becomes a very complex and cost-prohibitive solution for today’s government agencies and contractors who are already facing limited budget and resources.
The problem with multi-domain video teleconferencing is that residual data can be left in the system. If government agencies and contractors had access to a solution that ensured the data was completely flushed when switching to a different security level, a more cost-effective system could be implemented. Fortunately, the arrival of photonic switching to interconnect video conferencing systems has enabled two different configurations that drastically decrease the capital expenses associated with multi-domain video teleconferencing applications. Photonic switching enables a fiber-optic network that is switched entirely photonically, so there are no electrical buffers that can retain videoconferencing data. This network technology is inherently high bandwidth and agnostic to both bit rate and data protocol. Photonic switches offer dramatically lower power draw as well as lower cost, smaller size and less heat than competing solutions. There are two ways that photonic switching can be used in a video teleconferencing application: either via a single CODEC or via a cloud-based CODEC farm.
Secure multi-domain video teleconferencing network architecture
One solution combines an enterprise-domain CODEC with a cross-domain photonic switch, allowing IC and DoD customers to support three or more network domains per conference room or desktop, with all of those domains sharing the same video teleconferencing system without compromising security. Coupled together, this solution marks the industry’s first enterprise secure multi-domain video teleconferencing solution that can be scaled cost-effectively and reliably to meet even the most demanding applications.
With this solution, a multi-domain video network switch allows a single CODEC to be used for multiple security levels. When a user wishes to switch to a different security level, control software in the switch flushes the CODEC, returning it to its original state free of any residual data. Then, the CODEC is rebooted. The same control software interfaces with the multi-domain photonic switch to establish a lightpath to the desired security domain. The multi-domain photonic switch uses 3D micro-electro-mechanical systems (MEMS) to control tiny mirrors that switch a lightpath from one fiber to another. The switch is transparent to data rate, protocol and wavelength. A point-to-point path is dedicated through the switch for each connection, and since there is no physical or logical path between the management plane and the lightpath, security is assured.
End-users must be clear on what can and cannot be certified
Gary Hall, Chief Technology Architect, Cisco Systems, Federal Intel Area, says that Cisco is working with customers and partners to find the best video-centric collaboration solutions for the Intelligence Community and DoD.
"In some cases this means physical switching of networks using secure video switches," Hall explains. In other cases it means moving the security of communications data up to logical protection of the data itself. This means developing true role/personae based identity and access management systems that interface with the video infrastructure and endpoint devices.
Hall continues, "We are exploring applying multilevel secure (MLS) capabilities to voice and video data that have been proven and accredited for virtual desktop applications. Any government end user that is evaluating options for multi-domain video capabilities should carefully investigate their compliance, budget, and operational requirements."
On the compliance side, the end-user needs to be very clear about what has been (or can be) certified and accredited for use on their secure networks. They also need to understand any other regulations and certifications that apply to the technology including, but not limited to, Joint Interoperability Test Command (JITC) and Federal Information Processing Standards (FIPS) certifications.
Hall says that on the budget side, they should weigh the additional infrastructure costs of multi-domain switches against alternate means to achieve the same communications requirements, including the use of control systems and multiple codecs. The combination of virtualization with the rapidly declining cost of hardware-based codecs and the improvement of software-based codecs is creating flexible options for deploying secure video. Government AV Technology Managers should also be very clear on their operational requirements and the impact of secure video switching devices on their ability to maintain centralized management, address books, presence capabilities, and other managerial and operational needs and features. At the end of the day, any technology is only as valuable as its ability to provide solutions to agencies’ problems and to support their mission. Multi-domain video switches may be a part of a solution, but they must be carefully evaluated and considered as part of an enterprise communications architecture.
Cloud networking model
A second solution adopts an enterprise cloud-networking model to group CODECs (a CODEC farm) for each security domain and connect them to a photonic switch. With this type of solution, fiber cables are run to each room to accommodate audio, video and data connections. Photonic switches sit between the video teleconferencing rooms and the CODECs, and between the CODECs and the video content servers. While this is duplicated for each security domain, not all of the video teleconferencing rooms are expected to be in use simultaneously, so this model cuts down on equipment and networking costs. Furthermore, it is unlikely that the rooms that are in use simultaneously are all on the same domain.
As a result, the optical switch can be used to connect the video teleconferencing rooms to the appropriate and available resources when needed. This reduces the amount of equipment needed for a video teleconferencing solution, and eliminates the need to have technicians constantly patching and re-patching connections.
While it is expected that a separate photonic switch will be used for each domain, the switch could be used simultaneously for two or more domains, further reducing the cost of the network. This is possible because, unlike most networking devices, there is no data path between the optical ports and the management ports. This eliminates the possibility of an outside attack taking control of the device from an optical port. Furthermore, each optical path through the switch is dedicated to a single connection, eliminating the possibility of data inadvertently crossing domains through the switch. This behavior is vastly different from that of switches with electrical backplanes, which are generally architected as a high-speed shared bus, preventing them from being considered in a multi-domain or cross-domain environment.
CODEC farms can be built to reduce the number of expensive CODECs used in large video teleconferencing applications. Instead of placing the CODEC in a video teleconferencing room, it is located centrally with other networking equipment. Since it is unlikely that all or even the majority of the video teleconferencing rooms would require conferencing at the same time, resources are pooled together to form the cloud. The photonic switch has a connection to all resources and rooms, and with scheduling software, connections can be set up on an as-needed basis. This works particularly well in a secure environment because the photonic switch has no data awareness. As a result, connections can easily be reused on the same or even different security levels without risk of a security breach.
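The two control sequences described above (the single-CODEC room that is flushed and rebooted before its lightpath is moved to another domain, and the CODEC farm whose scheduler hands each room a free CODEC from the requested domain's pool) both rest on the same invariants: a photonic port is in at most one point-to-point lightpath, and a CODEC is never attached to a domain while it may still hold another domain's data. The model below is an added illustration written for this article, not vendor or project code; the class and port names (PhotonicSwitch, Codec, SingleCodecRoom, CodecFarm, ports such as "R1" and "NET-S") are constructed, and it simulates the control plane only, with no real switch or CODEC behind it.

```python
"""Constructed model of the multi-domain VTC control plane (not vendor code).

It enforces two properties from the article:
  1. The photonic switch offers only dedicated point-to-point lightpaths, so a
     port can never be part of two connections at once.
  2. A CODEC must be flushed and rebooted before it is re-pointed at a
     different security domain, so residual data cannot cross domains.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Domain(Enum):
    UNCLASSIFIED = "U"
    SECRET = "S"
    TOP_SECRET = "TS"


class CrossDomainViolation(Exception):
    """Raised when an action would let data from one domain reach another."""


class PhotonicSwitch:
    """Cross-connect with no shared bus: a port is idle or paired with one peer."""

    def __init__(self) -> None:
        self._peer: Dict[str, str] = {}  # port -> peer port, stored both ways

    def connect(self, a: str, b: str) -> None:
        if a == b or a in self._peer or b in self._peer:
            raise CrossDomainViolation(f"{a} or {b} is already in a lightpath")
        self._peer[a] = b
        self._peer[b] = a

    def disconnect(self, port: str) -> None:
        other = self._peer.pop(port)
        del self._peer[other]

    def peer(self, port: str) -> Optional[str]:
        return self._peer.get(port)


@dataclass
class Codec:
    """A CODEC whose electrical buffers may hold residual session data."""
    name: str
    domain: Optional[Domain] = None  # domain whose data it may still hold
    booted: bool = True

    def flush(self) -> None:
        """Return to the original state; a reboot is still required before use."""
        self.domain = None
        self.booted = False

    def reboot(self) -> None:
        self.booted = True

    def attach(self, domain: Domain) -> None:
        if not self.booted:
            raise CrossDomainViolation(f"{self.name} was not rebooted after flush")
        if self.domain not in (None, domain):
            raise CrossDomainViolation(
                f"{self.name} still holds {self.domain.value} data; flush first")
        self.domain = domain


class SingleCodecRoom:
    """First architecture: one room CODEC re-pointed at different domains."""

    def __init__(self, switch: PhotonicSwitch, codec: Codec,
                 codec_port: str, domain_ports: Dict[Domain, str]) -> None:
        self.switch, self.codec = switch, codec
        self.codec_port, self.domain_ports = codec_port, domain_ports

    def switch_domain(self, target: Domain) -> str:
        """Flush, reboot, then establish the lightpath; returns the new peer port."""
        if self.switch.peer(self.codec_port) is not None:
            self.switch.disconnect(self.codec_port)  # drop the old lightpath first
        self.codec.flush()                           # clear residual data
        self.codec.reboot()                          # back to a known state
        self.codec.attach(target)                    # only now safe to re-point
        self.switch.connect(self.codec_port, self.domain_ports[target])
        return self.domain_ports[target]


class CodecFarm:
    """Second architecture: per-domain CODEC pools shared by many rooms."""

    def __init__(self, switch: PhotonicSwitch,
                 pools: Dict[Domain, List[Tuple[Codec, str]]]) -> None:
        self.switch, self.pools = switch, pools  # Domain -> [(codec, port)]

    def reserve(self, room_port: str, domain: Domain) -> Codec:
        """Scheduler: give the room a free CODEC from the requested domain's pool."""
        for codec, port in self.pools[domain]:
            if self.switch.peer(port) is None:
                codec.attach(domain)
                self.switch.connect(room_port, port)
                return codec
        raise RuntimeError(f"no free CODEC in the {domain.value} pool")

    def release(self, room_port: str) -> None:
        self.switch.disconnect(room_port)


def rejected(action: Callable[[], object]) -> bool:
    """True if the action is blocked by the cross-domain invariants."""
    try:
        action()
    except (CrossDomainViolation, RuntimeError):
        return True
    return False
```

Running the model through a session change (SECRET to TOP_SECRET) shows the old lightpath torn down and the CODEC sanitised before the new one is built, while attaching a CODEC that still holds SECRET data directly to TOP_SECRET, or pairing a port that is already in a lightpath, is refused.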
Video teleconferencing can be an excellent, low-cost solution for bringing employees, contractors and others together to get work done, if government agencies and contractors can overcome the security issues. Whether combining an enterprise-domain CODEC with a cross-domain photonic switch or building CODEC farms within security domains and connecting them to a photonic switch, it is clear that photonic switching plays a key role in the future of video teleconferencing for government agencies.
Oracle: http://www.oracle.com/technetwork/server-storage/solaris/overview/trusted-extensions-jsp-137356.html or http://en.wikipedia.org/wiki/Solaris_Trusted_Extensions
FYI: CIS, Criticom, and Freeport offer secure video network switching. For MLS capabilities, explore TCS (now part of Raytheon), Integrity, and Oracle. Solaris was a Sun product, and Sun is now a part of Oracle.
OJ Johnston, Global Solutions, CALIENT Technologies, can be reached at firstname.lastname@example.org.