Nortel Networks
Contents
Executive summary ... 3
Part I. The Top Ten challenges to enterprise network security ... 4
Enterprise Security Challenge #1: The Internet was designed to share, not to protect ... 4
Enterprise Security Challenge #2: Security is not optional ... 5
Enterprise Security Challenge #3: The bad guys have good guns ... 5
Enterprise Security Challenge #4: Security threats recognize no boundaries ... 6
Enterprise Security Challenge #5: Security depends on people, process, and technology ... 6
Enterprise Security Challenge #6: It's not enough to guard the front gate ... 7
Enterprise Security Challenge #7: There's no stock blueprint ... 7
Enterprise Security Challenge #8: Frisking everybody and everything takes time ... 9
Enterprise Security Challenge #9: Grace under fire is a requirement ... 9
Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date ... 9
Part II. The Nortel Networks Unified Security Architecture ... 10
2.1.
2.2.
2.3.
2.4.
2.5.
2.6.
2.7.
2.8.
2.9.
3.1.
3.2.
3.3.
3.4.
3.5.
4.1.
4.2.
4.3.
4.4.
4.5.
Design tenets built into the Nortel Networks security portfolio ... 42
Expanded choice through partnerships ... 43
Security services ... 44
Nortel Networks product assurance ... 44
Nortel Networks and cross-industry security developments ... 45
Summary ... 46
Appendix A. Hackers' tools of the trade ... 47
Appendix B. Application and network level threats ... 49
Executive summary
Today's connected enterprise faces a security paradox. The very openness and ubiquity that make the
Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to
share, not to protect. The ports and portals that welcome remote sites, mobile users, customers, and business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and others
who would misappropriate network resources for personal gain.
The only effective network security strategy is one that permeates the end-to-end architecture and enforces
corporate policies on multiple levels and multiple network points.
Nortel Networks, a global leader in secure data networking, offers proven solutions to satisfy end-to-end
network security requirements. Security in the DNA is a key tenet of our strategy for the new enterprise
network, a convergence framework we call One Network. A World of Choice.
This document presents the security component of that enterprise network strategy. The Unified Security
Architecture provides a conceptual, physical, and procedural framework of best recommendations and
solutions for enterprise network security. It serves as an important reference guide for IT professionals
responsible for designing and implementing secure networks.
What are the requirements and vulnerabilities? What technology options and implementation choices are
available? How do you protect the network at all levels? This comprehensive strategy addresses those
pressing concerns facing IT security specialists, and offers encouraging news about the depth and breadth
of options available for securing critical network resources.
The Unified Security Architecture is realistic.
It assumes that all components of an IT infrastructure are targets... that even internal users could be
network threats... attacks are inevitable... network performance cannot be compromised by processing-intensive security measures... and IT budgets are constrained.
The Unified Security Architecture acknowledges the diversity of networked enterprises.
It is not a one-size-fits-all prescription, but rather a framework of functionality that offers multiple
implementation choices suitable for closed, extended, and open enterprises in different industries
and for diverse application requirements within all enterprise types.
The Unified Security Architecture addresses the multi-level complexity of network threats.
It provides answers on multiple levels: for instance, from a firewall guardian to block intruders at the
front gate to encryption to shroud every packet in privacy... from virtual private networks that span
the global Internet to virtual LANs that segregate network management traffic from desktop users.
The Unified Security Architecture promotes a process, rather than an endpoint.
Effective security is not achieved through a one-time initiative. This architecture outlines measures
for strong ongoing policy management, reflecting both human and technical factors.
Read on for a discussion of the Top Ten challenges facing IT professionals today and how the
Nortel Networks Unified Security Architecture addresses the challenges.
For the extended enterprise, the diversity of supported services and access mechanisms translates into multiple paths into the
enterprise network, and in turn increases the risk. Naturally, that risk increases exponentially with the open enterprise, which
has the greatest susceptibility to application-layer and network-layer threats, unauthorized access, and eavesdropping.
Infrastructure, applications, and network management systems are equally vulnerable.
Figure (closed, extended, and open enterprise models). Closed enterprise: ASP data center, customers, employees, dedicated WAN, PC dial-in access, PC Internet dial-out, Internet, enterprise network, private e-mail. Extended enterprise: employees, Internet data center, remote access and office IP-VPNs, employee Internet access, Internet, enterprise network, interworked e-mail. Open enterprise: customers, partners, and employees with controlled partner and select customer access over the Internet to the enterprise network. Possible attacks: authorization threats, IP spoofing, network sniffers, denial of service, intrusion, bucket-brigade attacks. Protected enterprise: anti-virus software, deep packet filtering, digital certificates, IPsec and SSL encryption, firewalls.
The comprehensive security strategy set forth in this document is based on seven key principles:
1. Multi-layer security that defines security protection functions at application, network-assisted, and network security
levels, in a layered architecture that can be flexibly defined and implemented.
2. Variable-depth security across the enterprise, not just at the edge of the Internet: for example, from firewall
perimeter defense, to VPNs to protect Internet-traversing traffic, and to VLANs to segregate traffic within a network.
3. Closed-loop policy management, including configuration of edge devices, enforcement of policies in the network,
and verification of network functionality as seen by the end user application.
4. Uniform access management, including stringent authentication and roles-based authorization of access to all
resources for all users, with granular access policies defined at the application level and managed enterprise-wide.
5. Secure network operations, by physically or logically partitioning network management from user traffic, and
applying other recommended security mechanisms to operational activities.
6. Secure multimedia communications, protected by encrypting the data, voice, and video payload without introducing
delays that this real-time traffic cannot tolerate.
7. Survival under attack, for instance, by using resilient architectures with no single point of failure, and applying
intrusion-detection systems, anti-virus software, content filtering, and ongoing vigilance as attackers continue adopting
new weaponry.
Figure (Unified Security Architecture): layered security, variable-depth security, securing multimedia communications.
The principles underpinning the Unified Security Architecture offer enterprises a security blueprint to use as they move
towards increasingly open environments. Let's take a look at each of the seven key principles of the Unified Security
Architecture.
2.1. Multi-layer security across application and network levels
Recognizing the multi-layered, interdependent nature of enterprise networks, and the critical need for security at more than
the application level, the Nortel Networks Unified Security Architecture logically organizes security into multiple levels:
The Network Security Layer provides security functions at OSI layers 1 to 3 (physical, link, and data levels).
The Network-Assisted Security Layer provides security functions at OSI layers 4 to 7 (network to application/
presentation layers) on top of the network level for added security.
The Application Security Layer provides security in layer 7 of the OSI model, the application layer, and includes all
security built into server and storage platforms.
Some functions, such as access lists and VLANs, operate purely at the Network Security Level. Others, such as firewalls,
operate at either the Network or Network-Assisted Security Levels, depending on whether they are stateful or not. Others such
as SSL (Secure Sockets Layer) can be viewed as network-assisted or application security. The power of the Unified Security
Architecture is that industry-defined security functions are leveraged in a structured fashion, tightening security overall.
See Part III, Security in the Real World, for examples of these security layers in action for protecting campus and branch
networks, data centers, IP telephony services, and remote access.
Hardening server operating systems
Within the application level of the multi-layer security framework, a key element is hardening the multiple
operating systems used in network and user applications, such as OSs for data communications devices, servers,
network management systems, IP telephony servers, and more.
In an increasingly open, multivendor IT environment, network elements are frequently based on commercially available OSs. For example, Nortel Networks CallPilot unified messaging system, Symposium Contact Centers, and
Business Communications Manager use a hardened version of Windows NT with off-the-shelf security software for
functions such as anti-virus protection, intrusion-detection, and login audits. Nortel Networks Succession CSE 1000
and Meridian IP-enabled PBX portfolios are built on an embedded real-time OS called VxWorks. The Nortel
Networks Succession CSE MX system is built on UNIX.
Procedures for hardening the OSs in Nortel Networks products are provided in our documentation. For third-party
operating systems where no specific hardening guide exists, consult the OS vendor for the latest OS hardening patches
and procedures.
Figure 4. Unified Security Architecture. Layers: Application Security, Network-Assisted Security, Network Security. Cross-cutting elements: Secure Access Mgmt., Network Mgmt. Security, Policy Management. Users: end users, operators, partners, customers.
The remaining elements of the architecture, discussed in the sections to follow, are inter-related and somewhat orthogonal to
these layers. The table below illustrates how common security technologies map to the elements of Nortel Networks Unified
Security Architecture.
Figure 5. Security functionality mapping to the Unified Security Architecture. Table columns: Network Security, Network-assisted Security, Application Security. Security functionality rows: L2, NAT, AL, IPsec encryption, Auth, SRT, FW (firewalling), IDS (intrusion detection), SSL (SSL encryption), CF (content filtering), VS (virus scanning).
Virtual private networks (VPNs) provide an even finer granularity of user access control and personalization, enabling
secure access at the individual user level from remote sites and business partners, without requiring dedicated pipes.
Dynamic routing over secure tunnels across the Internet provides a highly secure, reliable and scalable solution. VPNs, VLANs,
and firewalls together allow the network administrator to limit access by a user or user group based on strictly defined policy
criteria and business needs. VPNs provide strong assurance of data integrity and confidentiality with strong encryption.
VLANs alone may satisfy the security needs of the closed enterprise. Extended and open enterprises will likely require a
combination of security level capabilities.
2.3. Closed-loop policy management
A properly designed and implemented security policy is an absolute requirement for all types of enterprises and has to be
owned by one group. It should be a living document and process, which is enforced, implemented, and updated to reflect the
latest changes in the enterprise infrastructure and service requirements.
The security policy must clearly identify the resources in the enterprise that are at risk and resulting threat mitigation methodologies. It should define which users or classes of users have access to which resources. The policy must define the use of audit
trails to help identify and discover violations and the appropriate responses.
Users think of the network in terms of people, applications, locations, time of day, etc., not in technical terms such as
firewall stateful inspection or access lists. Security policies should use non-technical vocabulary to the extent possible for
user-facing issues, automatically translated by the policy management system into technical security mechanisms for network
implementation.
Policy management addresses the full realm of security components (firewalls, intrusion-detection systems, access lists and
filters, authentication techniques, and more) along with a system-wide view of network environments, such as data center,
remote office, and campus networks.
Ultimately, policy operates at a granular level to address pieces of the solution while providing centralized control and accountability. Centralization ensures that security parameters are set consistently across multiple nodes, and that multiple policies for
different administrative domains all reflect enterprise-wide policy and inter-domain consistency.
Closed-loop policy management is implemented using the reference architecture described in 2.8, and includes configuration
management of network devices, enforcement of policies in the network, and verification of network functionality via audit
trails. Verification and audit trails close the loop on policy management, and result in updates to the policy to reflect corrective
actions.
2.4. Uniform access management
Access management refers to authentication and authorization services that control users' access to resources. During authentication, users identify themselves to the network; during authorization, the network determines users' level of privileges based
on their identity, as defined in policy.
Access management is controlled by multiple methods, such as IP source filtering, proxies, and credential-based methods
often used in combination, and each with its advantages and limitations. For example, an enterprise may choose to manage
access for workstations using IP source filtering, and may choose to use a credential-based scheme for other users.
Since users could be employees, network technicians, supply chain partners, inter-organization team members, or even
customers, it is important to have robust, centralized access control enforced by the local or remote network device interfacing
to the user.
Several methods can be used to authenticate a user, such as: permanent or one-time passwords, biometric techniques, smart
cards, and certificates. Password-based authentication must use strong passwords that are at least eight characters in length with
at least one alphabetic, one numeric, and one special character.
Where stronger authentication is required, password authentication can be combined with another authentication and authorization process based on protocols such as RADIUS and LDAP to provide authentication, authorization, and accounting (AAA)
services. Additionally, key management can be based on Internet Key Exchange (IKE), certificate management on Public Key
Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and
Simple Certificate Validation Protocol (SCVP).
In defining access privileges on all ports and devices, the concept of least privilege should be applied, granting access only as
needed.
Open and extended enterprises face the greatest challenges when designing access management policy. They require fine-grained rules that properly interface with identity directories and databases, multiple authentication systems such as RADIUS,
and various hosts, applications, and application servers.
The system should perform session management per user after the user is authenticated, and use flexible configuration and
policy enforcement with fine-grained rules, capable of dealing with specific objects. Unique accounts for each administrator
should be used, with accountability for actions traceable to individuals, to provide for appropriate monitoring, accounting, and
secure audit trails.
For more information about authentication and authorization, see section 2.9, A closer look at uniform access management.
2.5. Secure network operations
On the one hand, network management is like other data applications, running on servers and workstations, complemented by
application-level security and taking advantage of network-level and network-assisted security. On the other hand, network
operators are specialized users who should be subject to more stringent authentication and authorization procedures.
Because of the greater access authority and functional privilege granted to network management personnel, their access and
activities must be carefully secured to protect network configuration, performance, and survivability. The more open the enterprise and the more centralized the network management system, the greater the requirement for stringent security for network
management processes.
Secure network management requires a holistic approach, rather than a specific security feature set on a network element.
Our Unified Security Architecture recommendations address nine critical areas:
Secure activity logs
Network operator authentication
Authorization for network operators
Encryption of network management traffic
Secure remote access for operators
Firewalls and VLANs to partition the network
Intrusion-detection
Hardening operating systems
Anti-virus protection
Secure activity logs provide a verifiable audit trail of user or administrator activities and events generated by network devices.
Security activity logs must contain sufficient information to establish individual accountability, reconstruct past events, detect
intrusion attempts, and perform after-the-fact analysis of security incidents and long-term trend analysis. Activity log information helps identify the root cause of a security problem and prevent future incidents. For instance, activity logs can be used to
reconstruct the sequence of events that led up to a problem, such as an intruder gaining unauthorized access to system
resources, or a system malfunction caused by an incorrect configuration or a faulty implementation. Syslog is the most
common mechanism used by equipment vendors; Syslog works with all third-party log analyzer systems. Because the information contained in activity logs can be used to compromise a network, this log information itself must be secured.
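The two uses of activity logs named above, reconstructing the sequence of events behind an incident and detecting intrusion attempts, can be shown on a handful of syslog lines. The following is an added example and not Nortel code: it parses RFC 3164-style lines from a constructed management-host log (the host name, process names, addresses and the cli log format are all assumptions), flags a source that fails several logins to one account and then succeeds, and rebuilds the timeline of one session from its process id.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log from a management server; not real data.
SAMPLE_LOG = """\
Mar  3 10:14:02 ems01 sshd[4121]: Failed password for admin from 10.1.5.23 port 51022 ssh2
Mar  3 10:14:05 ems01 sshd[4121]: Failed password for admin from 10.1.5.23 port 51023 ssh2
Mar  3 10:14:09 ems01 sshd[4121]: Failed password for admin from 10.1.5.23 port 51024 ssh2
Mar  3 10:14:15 ems01 sshd[4121]: Failed password for admin from 10.1.5.23 port 51025 ssh2
Mar  3 10:14:21 ems01 sshd[4130]: Accepted password for admin from 10.1.5.23 port 51026 ssh2
Mar  3 10:15:02 ems01 cli[4130]: user admin: config line 12 changed: access-list 10 permit any
Mar  3 10:40:11 ems01 sshd[4200]: Accepted password for noc-jane from 10.1.9.7 port 40012 ssh2
"""

# RFC 3164 layout: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Assumed sshd-style authentication message format
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def parse_syslog(text, year=2003):
    """Turn raw lines into event dicts; the syslog timestamp carries no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, but worth counting in a real analyzer
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "host": m["host"], "proc": m["proc"],
                       "pid": int(m["pid"]), "msg": m["msg"]})
    return events


def find_brute_force_logins(events, threshold=3, window_seconds=120):
    """Flag (source, account) pairs with `threshold` or more failures inside
    `window_seconds` followed by a success: the trace a password-guessing
    intruder leaves behind."""
    failures = defaultdict(list)  # (src, user) -> times of recent failures
    findings = []
    for ev in events:
        a = AUTH_RE.match(ev["msg"])
        if not a:
            continue
        key = (a["src"], a["user"])
        if a["result"] == "Failed":
            failures[key].append(ev["time"])
            continue
        recent = [t for t in failures[key]
                  if (ev["time"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            findings.append({"src": a["src"], "user": a["user"],
                             "failures": len(recent), "success_at": ev["time"]})
        failures[key].clear()
    return findings


def session_timeline(events, pid):
    """Reconstruct what one session did: every event sharing its process id, in order."""
    return [f"{e['time']:%H:%M:%S} {e['proc']}: {e['msg']}"
            for e in events if e["pid"] == pid]


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    for f in find_brute_force_logins(evs):
        print(f"suspicious login: {f['user']} from {f['src']} after {f['failures']} failures")
        print("\n".join(session_timeline(evs, 4130)))
```

The detector keys on source and account together, so a legitimate user who mistypes a password a couple of times is not confused with a source cycling through guesses; the threshold and window are the tunable parameters, and the log itself must be write-protected, as the text notes, or this reconstruction is worthless.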
Network operator authentication based on strong centralized administration and enforcement of passwords ensures that only
authenticated operators gain access to management systems. Centralized administration of passwords enables enforcement of
password strength and removes the need for local storage of passwords on the network elements and EMS (Element
Management Systems). RADIUS is the basic mechanism of choice for automating centralized authentication within Nortel
Networks products.
Authorization for network operators uses authenticated identity to determine the user's access privileges: what systems they
can access, what functions they can perform. Techniques based on RADIUS servers provide a basic level of access control. An
additional LDAP server can provide more fine-grained access control if necessary.
Encryption of network management traffic protects the confidentiality and integrity of network management data traffic,
especially important with the growing use of in-band network management. Encryption provides a high degree of protection
from internal and external threats, with the exception of the small group of insiders that have legitimate access to encryption
keys.
Encryption between network operations center (NOC) clients and Element Management System (EMS) servers and/or
Network Elements should be provided. This includes SNMP traffic, because there are known vulnerabilities with SNMP v1
and v2, which are intended to be addressed by SNMP v3. Given the widespread deployment of SNMP v1 and v2, IPsec
can be used to secure this traffic.
Depending on traffic type, the security protocols to use for these links are IPsec (IP Security), Secure Shell (SSH), and SSL:
SSH is an application-level security protocol that can be used in place of IPsec if the traffic consists of Telnet and FTP
only, but it cannot normally be used to protect other traffic types.
IPsec protocol runs between the network layer (Layer 3) and the transport layer (Layer 4) and is the preferred protocol
to protect any type of data traffic, independent of applications and protocols. External IPsec VPN devices, such as
Nortel Networks Contivity Secure IP Services Gateways, can be used in various parts of the network to secure
management traffic.
SSL technology, integrated into all standard Web browsers, is the de-facto standard security protocol to protect
HTTP traffic.
Secure remote access for operators: Security must be provided for operators and administrators who manage the network
from a remote location over a public network. Providing a secure virtual private network using IPsec is the mandatory solution,
as this will provide strong encryption and authentication of all remote operators. An IP-VPN product such as Nortel Networks
Contivity Secure IP Services Gateway should be placed at the management system interface and all operators should be
equipped with extranet access clients for their laptop or workstations.
Figure (secure network management). Elements shown: a remote browser client and management clients, the Internet, a NOC VLAN containing the management systems, and network devices in the enterprise network. Link protections labelled: SSL, IPsec, L2, and IPsec or SSH between management systems and network devices. Protection elements labelled: VS, IDS, FW, Auth, AL, IPsec.
Firewalls and VLANs partition the network to segregate management devices and traffic from other, less confidential systems
such as public Web servers. The firewall controls the type of traffic (defined by protocol, port number, source and destination
address) that can transit the boundary between security domains. Depending on the type of firewall (application versus packet
filtering), firewalls can also filter the application content of the data flow.
Intrusion-detection systems incorporated into management servers defend against network intrusions by warning
administrators of potential security incidents, such as a server compromise or denial-of-service attack.
Hardening operating systems used for network management closes potential security gaps in general-purpose operating
systems and embedded real-time operating systems. OS hardening should use the latest procedures and patches from the
OS manufacturer.
Anti-virus protection involves scanning all in-house and third-party software packages with virus-detection tools before
incorporating the software into a product or network. A rigorous, established process ensures, to the extent possible,
that network management software is virus-free.
Figure (IETF policy management reference model). The policy management console and the policy repository communicate with the policy server (Policy Decision Point, PDP) over LDAP; the PDP provisions network devices (Policy Enforcement Points, PEP) over COPS-PR, SNMP, or CLI. PEP functions shown: L2, NAT, Auth, AL, FW, CF.
The IETF policy management model uses these key elements and protocols:
Policy Decision Points (PDPs) or policy servers abstract network policies into specific device control messages, which are
then passed to policy enforcement points. These policy servers are often standalone systems running Unix or Windows
NT/2000, controlling switches and routers within an administrative domain; they communicate with these devices using a
control protocol (e.g., COPS, SNMP Set commands, Telnet, or the device's specific Command Line Interface, CLI).
A Policy Enforcement Point (PEP) is a network or security device that accepts a policy (configuration rules) from the Policy
Decision Point and enforces that policy against network traffic traversing that device. This enforcement leverages network and
network-assisted security mechanisms as appropriate.
Common Open Policy Service (COPS) is a simple query-and-response, stateful, TCP-based protocol that exchanges policy
information between a Policy Decision Point (PDP) and its clients, Policy Enforcement Points (PEPs). It is specified in
RFC 2748. COPS relies on the PEP to establish connections to a primary PDP (and a secondary PDP when the primary
is unreachable) at all times. Alternatively, a COPS proxy device can be used to translate COPS messages originating from a
policy server into SNMP or CLI commands understood by network and security devices.
The COPS protocol supports two different extension models for policy control: a dynamic outsourcing model COPS-RSVP,
specified in RFC 2749, and a configuration or Provisioning model COPS-PR, specified in RFC 3084. Provisioning extensions
to the COPS protocol allow policies to be installed on the PEP up front by the PDP, thus allowing the PEP to make policy
decisions for data packets based on this pre-provisioned information. Further communication between the PDP and PEP is
necessary to keep policies provisioned in the data repository (i.e. the directory) in sync with those sent to the PEP.
The Policy Repository stores all policy information in a network directory. It describes network users, applications, computers,
and services (i.e., objects and attributes), and the relationships between these entities. There is tight integration between IP
address and the end user (via Dynamic Host Control Protocol - DHCP and a Domain Name System - DNS). This policy
repository is usually implemented on a special-purpose database machine running Unix or Windows NT/2000 accessed by
policy servers via LDAP.
The Policy Repository stores relatively static information about the network (such as device configurations), whereas policy
servers store more dynamic network state information (such as bandwidth allocation or information about established connections). The policy server retrieves policy information from the directory and deploys it to the appropriate network elements.
There is no established standard to describe the structure of the directory database, i.e., how network objects and their attributes are defined and represented. A common directory schema is needed if multiple vendor applications are to share the same
directory information; for example, all vendors need a common way to interpret and store configuration information about
routers. The forthcoming Directory-Enabled Networking (DEN) standard, now being developed by the DMTF (Desktop
Management Task Force), addresses this need. DEN includes an information model that provides an abstraction of profiles and
policies, devices, protocols, and services. This provides a unified model for integrating users, applications, and networking services, and an extensible service-oriented framework.
The Lightweight Directory Access Protocol (LDAP version 3) is specified in RFC 2251. LDAP is a client-server protocol for
accessing a directory service. The LDAP information model is based on the entry, which contains information about some
object (e.g., a person), and is composed of attributes, which have a type and one or more values. Each attribute has a syntax
that determines what kinds of values are allowed in the attribute and how those values behave during directory operations.
The last element is the policy management console, generally running on a personal computer or workstation, that provides
the human interface to the policy management system. A Web browser can be used to provide manager access from virtually
anywhere, with policy object-level security used to limit which policies can be modified by a specific individual. The console
provides a graphical user interface and the tools to define network policies as business rules. It may also give the operator
access to lower-level security configurations in individual switches and routers.
These elements of the IETF policy management reference model interoperate to deliver closed-loop policy management. This
includes configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen
by the end-user application. Enforcement of policies in the network includes admission controls of applications or users vying
for access to network resources. Sound policy management based on this model simplifies the configuration management environment inside enterprises and minimizes the chance of human error.
Policy Management through Nortel Networks Optivity Policy Services
Nortel Networks is leading the way in delivering policy-enabled networking to enterprise customers. For example, Nortel
Networks Optivity Policy Services (OPS) is a system-level software application that manages security parameters and traffic
prioritization. Optivity Policy Services enables a proactive approach to bandwidth management, security, and prioritization of
business-critical traffic flows across the enterprise. Rather than applying policies to control traffic on a per-device basis, OPS
takes a centralized systems approach to policy configuration and deployment that ensures consistency across the network while
lowering total cost of ownership.
Based on the IETF policy architecture, Optivity Policy Services supports the major IETF policy management standards,
including COPS-PR, LDAP, Diffserv, and IEEE 802.1p. OPS uses COPS-PR to pre-provision routers and switches with policy
information based on Roles reported by the PEP. Roles are a logical abstraction of the device's interfaces for policy
management purposes. With the ability to manage up to 1,000 devices per server and 20,000 devices per system, OPS reliably
delivers QoS and security policies in large networks. Moreover, OPS uses LDAPv3 to support redundant data storage,
preserving valuable policy information.
As the number of denial-of-service attacks on networks increases, a centralized mechanism to limit potentially dangerous traffic
flows is important. OPS makes it easy to set policies for metering traffic. For example, many denial-of-service attacks occur
when too many packets of a certain protocol type (such as ICMP) flood a device. OPS policies can control that flow of traffic.
With its Advanced Security Provisioning capabilities, OPS can protect valuable network and application assets by enabling the
application of consistent, reliable, and robust security policies. OPS complements existing firewall implementations (e.g.,
Alteon) and IP-VPN devices (e.g., Contivity) by adding an extra layer of protection to network resources. OPS features enable
the creation of policies to restrict traffic through a particular policy enforcement point or to deny all traffic on a particular
device. OPS enables control of traffic flows through a device by simply creating admission control policies through a central
Java-based management console.
2.9. A closer look at uniform access management
Secure access management is created through a combination of authentication, authorization, and accounting services,
often called AAA.
Authentication, initiated by an authentication client in a PC or gateway device, positively verifies the identity of a user
as a prerequisite to allowing access.
Authorization determines which system resources are appropriate for that authenticated user to access.
Accounting capabilities rely on audit logs or records of security-related events for future examination.
This section takes a closer look at authentication and authorization.
Authentication
Authentication systems can be categorized according to the number of identification factors required to ascertain identity.
Single-factor authentication uses userID/password combinations to prove identity.
Two-factor authentication requires two components, usually a combination of something the user knows
(such as a password) and something the user possesses (such as a physical token like a SecureID card).
Three-factor authentication adds a biometric, a measurement of a human body characteristic.
The more authentication factors used, the more secure the process. However, each added factor also adds complexity, cost,
and management overhead. Every scenario will offer a different break-even point in the trade-off between simplicity and
security.
Single-factor authentication with userID and password is the most common authentication system today. It's easy to administer,
familiar to users, and can provide a high level of security if strong password procedures are enforced. Legacy password
systems have had some challenges, however, since multiple strong passwords are very hard for users to remember. The
recommendations in this section will show how this problem can be minimized with a Single Strong Password system.
Tokens such as smartcards and SecureID cards are added as a second factor in many authentication systems, requiring that the
user have physical possession of the token. An attacker would likewise have to possess the user's token in order to
gain system access. The higher level of authentication comes with additional system cost, however, due to the necessary tokens
and token readers. In addition, tokens are easily lost, which can create a high administrative overhead for reissuing them.
Biometric factors for authentication measure characteristics of the user's body such as fingerprint, handprint, retina, iris, or
voice characteristics. Biometric measurements are a useful additional factor and add an even higher level of authentication
security. A biometric authentication system entails a measurement proving who the person actually is, rather than proving that
they have something such as a token or that they know something such as a password. Unfortunately, biometric measurements
are not 100 percent effective; with the present state of the technology, it is possible to register false positives and false
negatives. Biometric authentication systems also require biometric readers at system access points, adding new system costs.
Strong cryptographically-based authentication can be provided through the use of digital certificates issued to users and stored
on tokens or within the user's computer memory. Cryptographic algorithms are used to ensure that a particular certificate has
been legitimately issued to the user. A Public Key Infrastructure (PKI) is used to enable the issuance and maintenance of digital
certificates. Strong cryptographically-based systems provide very stringent authentication. However, these systems are expensive
and incur additional management overhead. Therefore, they are currently being adopted only in very secure environments.
Authorization
Once authenticated, authorization mechanisms control user access to appropriate system resources. Authorization can be categorized according to the granularity of control; that is, according to how detailed a division is made between system resources.
Fine-grained authorization refers generically to a system where access is controlled to very fine increments, such as to individual
applications or services.
Authorization is often role based, whereby access to system resources is based on a person's assigned role in an organization.
The System Administrator role may have highly privileged access to all system resources, whereas the General User role would
only have access to a subset of these resources. Finer-grained authorization can be applied to define other roles, such as a
Human Resources Administrator's role that has exclusive access to confidential HR databases, and an Accounting role that has
exclusive access to accounting systems.
Authorization may also be rules based, whereby access to system resources is based on specific rules associated with each user,
independent of their role in the organization. For example, rules may be set up to allow Read Only access or Read/Write access
to all or certain files within a system, or access only during certain times or from certain devices.
Authentication and authorization protocols
Several protocols have been commonly adopted for authentication services. The RADIUS protocol (Remote Authentication
Dial In User Service, IETF RFC 2865) is widely used to centralize password authentication services. Originally designed to
authenticate remote dial-in users, the RADIUS protocol has been adopted for general user authentication services. Recently,
LDAP (Lightweight Directory Access Protocol, IETF RFC 2251) has been finding extensive use in authentication and
authorization systems. LDAP provides a convenient method for storing user authentication and authorization credentials.
RADIUS authentication servers are often coupled with credential storage in LDAP directories to provide centralized authentication and authorization. When a user attempts to access a particular application on such a system, the application queries the
user for authentication credentials and forwards them to the centralized system. The RADIUS server then checks the presented
credentials against those stored in the LDAP database, and also queries the LDAP database for authorization rule information.
The authentication results (pass or fail) are returned to the application along with authorization rule information for the particular user. Authorization rules are then enforced at the application to allow the user to access particular data or services. From
an end-user perspective, these authentication and authorization systems should be automatic and easy to use.
Authentication and authorization recommendations
Nortel Networks recommends the following general principles to be followed when implementing enterprise authentication
and authorization systems:
Use a uniform access management system for end users, network operators, partners and customers, with the appropriate
level of authentication and resource access authorization to meet business needs.
Use a centralized authentication mechanism to facilitate administration and remove the need for locally stored passwords,
which tend to be static and weak.
Use a centralized authorization system, tightly coupled with the authentication system, with appropriate granularity for the
enterprise.
Enforce strong, complex rules for all passwords.
Securely store all passwords in one-way encrypted (hashed) format.
Maintain simplicity to the extent appropriate, for maximum ease of use, ease of administration, and compliance.
Securely log authentication and authorization events for audit purposes.
[Figure: uniform access management. A centralized RADIUS-based authentication server backed by Level 1 password, Level 2 token, and Level 3 biometric authentication databases authenticates local wired PC access, remote access over the Internet through a Secure IP Services Gateway (FW, IPsec, SRT, Auth), and an application server with centralized authentication; a DNS server is shown on the enterprise network.]
A Case example: Single Strong Password in the Nortel Networks corporate network
Nortel Networks uses a Single Strong Password approach in its own worldwide network to authenticate internal and external
users, from employees and contractors to joint venture representatives and even customers. The user has one very strong password that is maintained on a centralized password system and synchronized with applications and systems across the enterprise.
Users only have to remember one password, making the system simple to use and not likely to be bypassed.
Dedicated password servers on several continents manage the system and provide Web-based password management for users
and security administrators. These password servers communicate directly with RADIUS authentication servers. The system
automatically synchronizes passwords across multiple systems and platforms, such as Windows networking, remote access,
UNIX, purchasing, and niche business applications.
The system enables fine-grained authorization at the application level. An internally developed tool enables applications to
access the Single Strong Password system, and a list of users allowed to access each application is stored in the authorization
database. When an application is accessed, the Single Strong Password system authenticates the user and returns authorization
information. The system logs attempted violations of authorization rules and multiple simultaneous logins to geographically
dispersed systems, to detect and prevent misuse.
The Single Strong Password system enforces strict password rules. For example, passwords must contain at least eight characters, both upper and lowercase letters, and at least one number or symbol. Additionally, passwords must not contain dictionary
words of four characters or longer, a previously used password, a password that matches an account name, contain a date or
year, keyboard patterns, or repeating characters. Users are required to change passwords at predefined intervals.
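As an added illustration (not Nortel Networks' tool or code), the following Python sketch implements the Single Strong Password rules listed above together with the one-way hashed storage recommended earlier, so that the "previously used password" check runs against stored salted hashes rather than plaintext. The dictionary word list, the keyboard rows, and the reading of "repeating characters" as three identical characters in a row are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

SALT_LEN = 16
ITERATIONS = 200_000

# Constructed stand-in for a dictionary word list; a deployment would load a full list.
DICTIONARY = {"password", "nortel", "summer", "welcome", "admin", "secret", "login"}
# Constructed keyboard rows; any four adjacent keys, forwards or backwards, count as a pattern.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """One-way, salted hash for storage: returns salt || PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def _has_keyboard_pattern(lower: str) -> bool:
    """True if any four-key run from a keyboard row appears in either direction."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            run = row[i:i + 4]
            if run in lower or run[::-1] in lower:
                return True
    return False


def check_policy(password: str, account: str, history: List[bytes]) -> List[str]:
    """Return every rule the candidate violates; an empty list means it is acceptable.

    `history` holds previously used passwords as hash_password() output, never plaintext.
    """
    violations: List[str] = []
    lower = password.lower()
    if len(password) < 8:
        violations.append("fewer than eight characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        violations.append("must mix upper- and lowercase letters")
    if not re.search(r"[^A-Za-z]", password):
        violations.append("must contain at least one number or symbol")
    if any(word in lower for word in DICTIONARY if len(word) >= 4):
        violations.append("contains a dictionary word of four or more characters")
    if account.lower() in lower:
        violations.append("matches the account name")
    # Four-digit years (19xx/20xx) or day/month fragments such as 12/25 or 3-7
    if re.search(r"(?:19|20)\d\d|\d{1,2}[/.-]\d{1,2}", password):
        violations.append("contains a date or year")
    if _has_keyboard_pattern(lower):
        violations.append("contains a keyboard pattern")
    # Assumption: "repeating characters" means three or more identical characters in a row
    if re.search(r"(.)\1\1", password):
        violations.append("contains repeating characters")
    if any(verify_password(password, old) for old in history):
        violations.append("matches a previously used password")
    return violations


if __name__ == "__main__":
    previous = [hash_password("Blue#Kite42")]
    for candidate in ("Tr0ub4dor&3x", "Password1", "jsmith99", "Blue#Kite42"):
        print(candidate, "->", check_policy(candidate, "jsmith", previous) or "accepted")
```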
After years of real-world use, Nortel Networks has seen the following advantages of this system:
Single consistent method for setting passwords
Single consistent method for authentication and authorization
Single method for registering and terminating user accounts
Enforcement of corporate password strength guidelines
Consistency across applications, so employees know what to do
Standardization that makes the system easy to support and adopt
Fast, seamless performance through standard interface and APIs
Lower costs, fewer help desk calls
Figure 9. Single password access management in Nortel Networks corporate network (diagram: a RADIUS server and password authentication database serving employees, technicians, contractors, partners, and customers over local, remote, wired, and wireless access to the enterprise network)
[Figure: securing the campus network. Internet access through a high-capacity router, switched firewall, and IP-VPN Services Gateway (SRT, IPsec, FW, Auth) with enterprise NAT; backbone and distribution Layer 2-7 routing switches with Web switching; load-balanced IDS servers; Human Resources and Finance segments; IP PBX to the PSTN; WLAN PC; SSL-protected campus servers.]
For both reasons, it is recommended to use VPN technology for wireless LANs and run an IP-VPN client, such as Nortel
Networks Contivity Client, on the wireless device. VPN-based wireless security is platform and radio technology agnostic;
that is, the client system establishes a connection to the network via 802.11b, 802.11a, or even Bluetooth, and the VPN takes
over from there. Most of the authentication takes place independently of the wireless network, keeping access point
maintenance simple. The VPN can treat the wireless LAN just as the corporate backbone with wireless access points. Users trying to
access the network via the wireless LAN would then be authenticated, their information encrypted, and all communication
logged by the VPN system.
Alternatively, with some WLAN IP phones, encryption and authentication is built in. For example, Nortel Networks has a
strategic partnership with Symbol, whose WLAN IP phones support 128-bit WEP encryption between the client and the
wireless access point, and Kerberos authentication. Combining those approaches provides robust user authentication and
encryption required for WLAN environments.
Layer 3 switching and routing security. Network address translation (NAT) enables an organization to present a public IP
address to the world and hide internal addresses from public view. Processing NAT in hardware with a switch is an innovative
strategy for converting internal addresses into public addresses (and vice versa), making routing and firewall solutions highly
efficient.
Proper design and use of routing and Layer 3 switching enhance the survivability of the campus network. Access control lists,
IP segmentation and subnetting, redundancy protocols such as Virtual Router Redundancy Protocol (VRRP), and fast-convergence
routing using OSPF (Open Shortest Path First) all contribute to a more survivable infrastructure.
Routers and routing switches secure the data path using IP filters that drop undesirable packets. Routing can be further
secured by implementing route policies, encryption and authentication of OSPF and BGP route updates with MD5, and
broadcast/multicast rate limiting.
Last but not least is the innovative Secure Routing Technology (SRT), which enables dynamic routing over secure IPsec tunnels
for RIP and OSPF. Contivity Secure IP Services Gateways implement this dynamic secure routing approach, which is
described later in this document in the Securing Remote Access scenario.
Securing remote communication via IPsec VPNs and SSL extranets. Typically, the campus network also supports VPNs to
connect with branch offices and remote users, carrying private network traffic within a secure, encrypted tunnel carried over
a public network. Robust and secure central site solutions that support both remote access and remote office IP-VPNs and
firewalls are key elements of the campus network. For more information, see Securing the Remote Office and Securing Remote
Access, later in this section.
Securing the campus network at the network-assisted security level
Perimeter control via firewalls and intrusion-detection servers. The enterprise network often provides employees with a
connection to the Internet from the corporate headquarters campus. It is usually centralized in order to more easily protect a
single interface to the public world. That's exactly where perimeter control solutions such as firewalls and intrusion-detection
systems (IDSs) are generally deployed to prevent malicious intrusion by unauthorized persons.
It is highly recommended that firewalls be implemented at every site within an enterprise to secure internal and external traffic,
and at every point of interconnection with the Internet (e.g. even a remote PC). In some cases, it is appropriate to integrate
this functionality with secure IP services gateways used also for remote office and remote access IP-VPNs.
Firewalls provide a perimeter defense against unauthorized access, an essential first step when planning for Internet access.
Firewalls come in various sizes and capabilities, fitting many specific network requirements depending on their point of use.
An emerging trend is to use new, multi-gigabit firewalls to interconnect segments of the campus LAN, which keeps departments separate and enables communication only through firewall security policies.
An IDS monitors the network to identify unauthorized users or suspicious patterns of utilization. Most IDS applications
compare network traffic and host log entries to match data signatures and host address profiles indicative of hackers.
Intrusion-detection software identifies traffic patterns that indicate the presence of unauthorized users. Suspicious activities
trigger administrator alarms and other configurable responses. Nortel Networks partners with best-of-breed companies such
as Internet Security Systems (ISS) to offer specialty software solutions for intrusion-detection.
Content inspection via content filtering and anti-virus systems. These tools provide essential protections for remote and
local computing, and are discussed in more detail in Part III under Securing the Data Center.
Layer 4 to 7 switching and filtering security. Layer 4 to 7 switches provide application, management, and traffic control
services to improve resource utilization and performance, ensure security with high performance, provide network scalability,
and provide failsafe network assurance. They are usually deployed near security devices and in server farms. Integrated security
filtering offloads firewall processing of NAT, monitors network activity, protects against denial-of-service attacks and some virus
types such as Code Red / Blue, and protects data without compromising throughput. Nortel Networks Passport 8600 and
Nortel Networks Alteon Web switches offer extensive Layer 4 to 7 capabilities.
These solutions are more generally implemented in the data center, but have value in front of campus servers:
Load-balancing. Firewalls and VPNs are compute-intensive applications and can become bottlenecks to network performance. Load-balancing using an application switch mitigates this problem by distributing traffic among multiple active
devices, enabling many firewalls/VPNs to operate in parallel.
Port mirroring. Similarly, IDS functions are extremely compute-intensive and can slow network performance. Port
mirroring on an application switch duplicates the data and sends it to one or more intrusion-detection servers (which
can be load-balanced) for packet inspection at the same time the original data flow is being forwarded without delay.
In small campus networks, these capabilities can be provided by Alteon Web switches. In large campus networks, a
Nortel Networks Passport 8600 system with integrated Alteon Web Switching Module provides the required scalability.
3.2. Securing the data center
The typical enterprise data center supports mission-critical applications and houses a high concentration of capital-intensive
resources and confidential data, all connected to the inherently insecure Internet as well as to internal users. That means securing
the data center presents some unique requirements for failsafe security without compromising performance and availability for
users. The need increases as enterprises discover new ways to exploit high-performance, Internet-empowered data centers:
Ensure business continuity. Massive processing throughput and transport bandwidth now make it feasible to store
primary and duplicate sets of critical data in multiple data centers, in real timeto extend business continuity services,
real-time storage mirroring, and live backup across service provider networks.
Support critical business applications. Enterprises use data centers to host business applications, implement firewalls or
virtual private networks, provide storage services and content delivery of static and streaming media, and more.
Produce economies of scale on infrastructure. Enterprises can consolidate or outsource data center functions, to
centralize critical computing resources, create virtual data centers that span multiple locations, and reduce operational costs
without the performance penalty or security concerns typically associated with remote access.
The closed enterprise may outsource its Web presence to a third party, but extended and open enterprises are exposed to
the Internet for customer access, business-to-business connectivity, and interworking with application service providers, disaster
recovery providers, and more. There's a big survival risk for companies that don't Web-connect with extended communities,
yet there's a big security risk for those that do.
A comprehensive data center security strategy requires multiple, inter-working technologies, protocols, and procedures
with partitioning among these functions provided by VLANs and firewalls.
Securing the data center at the network security level
Virtual Private Networks. IP-VPNs enable enterprises to enjoy secure connectivity with branch offices, business partners, and
remote users. For employee access, the central site VPN solution can be implemented at the campus edge; for partner and
business-to-business connectivity, the VPN can be implemented in the data center, or the two can be integrated. The ideal
VPN gateway should provide an all-in-one solution for routing, bandwidth management, authentication, encryption, network
address translation, data integrity, logging, and firewall capabilities. Nortel Networks market-leading Contivity Secure IP
Services Gateways (built on Secure Routing Technology, SRT) meet these requirements.
Network address translation (NAT) enables the enterprise data center to present a public IP address to the world and hide
internal server addresses from public view. Converting external to internal addresses (and vice versa) can be performed in
switch hardware, thereby enhancing the efficiency of routing, switching, and firewall functions.
[Figure: securing the data center. Internet access through a high-capacity router, switched firewall, and IP-VPN Services Gateway (SRT, IPsec, FW, Auth) with enterprise NAT; a DMZ with SSL Web servers and a virus screening server; a backbone Layer 2-7 routing switch with Web switching in front of mission-critical enterprise applications; load-balanced IDS servers; a management domain with LDAP, RADIUS, and DNS servers.]
Intrusion-detection, anti-virus, and content filtering tools provide essential protections for online commerce and remote
computing in general. IDS software identifies traffic patterns that indicate the presence of unauthorized users. Anti-virus
software detects and defuses potential cyber attacks. Content filtering software restricts the type of data that can be accessed
or distributed.
IDSs can be broadly categorized according to the following criteria:
Incident detection timeframe: real-time or off-line, depending on whether system logs and network traffic are analyzed
as events take place or in batch mode during off hours.
Type of installation: network-based or host-based. A network-based IDS typically involves multiple monitors
(often pre-configured appliances) installed at choke points on the network (where all traffic between two points can be
monitored). A host-based IDS requires that software be installed directly on the servers to be protected, and monitors
the network connections and user activity on those servers.
Type of reaction to incidents: whether the IDS actively intervenes to head off attacks (such as by modifying firewall
rules or router filters) or simply notifies staff or other network systems of the problem.
Most commercial IDS products provide a combination of network- and host-based monitoring capabilities, with a central
management host to receive reports from the various monitors and alert network support staff. A network-based IDS is
recommended for most installations.
Anti-virus solutions continuously monitor applications to ensure that no virus damages the system. They detect malicious
viruses, worms, and Trojan horses in all major file types, including mobile code and compressed file formats.
Content filtering software restricts the type of data that can be accessed or distributed to expose employees and partners only
to correct and appropriate content. Content filtering can identify inappropriate Web surfing and stem productivity losses due
to prolonged Internet use. Content filtering also helps minimize the spread of viruses from Web servers. The Alteon Content
Cache (ACC) supports hundreds of URL filters providing customers with the ability to protect themselves from well-known
URL server attacks. ACC also stops many viruses like NIMDA and Code Red, and can be used to control which sites are
accessible.
Together, these measures enable networks to be open and accessible for legitimate uses, but not wide open for inappropriate
or malicious uses.
Layer 4 to 7 application switching provides high-availability traffic management by filtering and switching traffic based on
application and content information, without compromising throughput. To increase protection against denial-of-service
(DoS) attacks, routing switches such as Nortel Networks Passport 8600 let network administrators set a threshold for new
half-open sessions and have the Layer 4-7 switch raise a SYN attack alarm (a trap) to notify the administrator when the
threshold is exceeded.
A protection from application abuse feature limits the rate of new TCP connections on a per-client basis. Administrators can
limit users to a particular connection rate and limit the number of sessions for users accessing a specific domain or application
within the domain. Benefits include protection from application abuse, increased application availability, and increased control
of user access to applications. Layer 7 Deny Filters allow network administrators to create filters and assign URLs to those
filters to deny certain traffic. This is particularly useful for added anti-virus protection for preventing access to disallowed
Web content.
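The half-open session threshold and the per-client connection-rate limit described above, as an added illustration that is not Passport 8600 or Alteon code: a small Python model replays a constructed sample of connection-table events, counts half-open TCP sessions, raises one alarm each time the count crosses the threshold, and drops new SYNs from any client that exceeds its sliding-window rate so they never consume a half-open slot. The event format, the threshold, and the rate values are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample of connection-table events as a switch might see them:
# (timestamp in seconds, client IP, flow id, event). "SYN" opens a half-open entry;
# "ESTABLISHED" or "CLOSED" removes it. Client 10.0.0.5 never completes a handshake.
SAMPLE_EVENTS: List[Tuple[float, str, int, str]] = [
    (0.0, "10.0.0.7", 1, "SYN"),
    (0.1, "10.0.0.7", 1, "ESTABLISHED"),
    (1.0, "10.0.0.5", 1, "SYN"),
    (1.1, "10.0.0.5", 2, "SYN"),
    (1.2, "10.0.0.5", 3, "SYN"),
    (1.3, "10.0.0.5", 4, "SYN"),
    (1.4, "10.0.0.5", 5, "SYN"),
    (1.5, "10.0.0.5", 6, "SYN"),
    (2.5, "10.0.0.7", 2, "SYN"),
    (2.6, "10.0.0.7", 2, "ESTABLISHED"),
    (3.0, "10.0.0.7", 1, "CLOSED"),
]


@dataclass
class HalfOpenMonitor:
    """Tracks half-open TCP sessions; one alarm per crossing of the threshold."""
    threshold: int
    half_open: Set[Tuple[str, int]] = field(default_factory=set)
    alarms: List[str] = field(default_factory=list)
    peak: int = 0
    _above: bool = False

    def observe(self, ts: float, client: str, flow: int, event: str) -> None:
        key = (client, flow)
        if event == "SYN":
            self.half_open.add(key)
        else:  # ESTABLISHED or CLOSED: the session is no longer half-open
            self.half_open.discard(key)
        count = len(self.half_open)
        self.peak = max(self.peak, count)
        if count > self.threshold and not self._above:
            self._above = True
            self.alarms.append(
                f"t={ts:.1f}s SYN attack alarm: {count} half-open sessions "
                f"(threshold {self.threshold})"
            )
        elif count <= self.threshold:
            self._above = False  # re-arm so the next crossing alarms again


class ClientRateLimiter:
    """Sliding-window cap on new TCP connections per client IP."""

    def __init__(self, max_new: int, window: float) -> None:
        self.max_new = max_new
        self.window = window
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ts: float, client: str) -> bool:
        q = self.recent[client]
        while q and ts - q[0] >= self.window:  # forget SYNs outside the window
            q.popleft()
        if len(q) >= self.max_new:
            return False
        q.append(ts)
        return True


def run(events, threshold: int = 3, max_new: int = 4, window: float = 1.0) -> Dict[str, object]:
    """Replay events through the limiter and monitor; return what an operator would see."""
    monitor = HalfOpenMonitor(threshold)
    limiter = ClientRateLimiter(max_new, window)
    rejected: Dict[str, int] = defaultdict(int)
    for ts, client, flow, event in events:
        if event == "SYN" and not limiter.allow(ts, client):
            rejected[client] += 1  # dropped before it can occupy a half-open slot
            continue
        monitor.observe(ts, client, flow, event)
    return {"alarms": monitor.alarms, "peak_half_open": monitor.peak, "rejected": dict(rejected)}


if __name__ == "__main__":
    for name, value in run(SAMPLE_EVENTS).items():
        print(name, value)
```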
Alteon Web switches and Passport 8600 systems equipped with an Alteon Web Switching Module both offer high-performance
Layer 2-7 filtering. These systems also perform load balancing to eliminate data center performance bottlenecks, including
VPN, firewall, IDS, and DNS systems.
[Figure: securing the remote office. A legacy branch (PBX, PSTN, Layer 2 switch) and a converged branch (Layer 2 switch and IP telephony system with IP telephones) each connect over the Internet through a Secure IP Services Gateway (FW, IPsec, SRT, Auth) using token or PKI authentication, with a RADIUS server at each site.]
Figure 13. Remote office dynamic routing for increased reliability and scalability (diagram: remote access clients and remote offices reach the central site over IPsec tunnels across the Internet and Frame Relay, with SRT running dynamic routing through FW/IPsec/Auth gateways at each site)
[Figure: securing remote access. A central site with redundant Secure IP Services Gateways (FW, IPsec, SRT, Auth, VS, IDS) is reached over the Internet by remote users from a hotel, an airport, a customer site, and a payphone with data jack, using IPsec or SSL.]
Securing dial-up access. Remote access over dial-up connections, such as ISDN switched access or a modem call over standard
telephone lines, must be protected with stringent access authentication and authorization procedures. Encryption adds
another level of security for confidential communications, but dial-up access is inherently insecure because it can be used to
circumvent firewalls and other IP-enabled security techniques. Direct switched access, widely used in the 1980s and early
1990s, is rapidly being replaced by Internet-based remote access VPNs.
Remote access VPNs. Internet-based remote access provides tremendous flexibility and high bandwidth.
Two approaches are common:
VPNs based on IPsec, with IPsec client software loaded on the user's access device.
SSL extranets, which use the SSL capability built into standard Web browsers and require no other client
software. We chose not to use the term VPN when describing SSL implementations, since SSL only gives access to an
application, not the full network.
Let's take a closer look at these popular VPN strategies.
IPsec-based VPNs
IPsec is a network-layer approach that can be used across applications. For example, an IPsec-based VPN connection can be
used to access e-mail and HR self-serve applications on the intranet, and to browse the network. An IPsec client (the
user-interface software), such as Nortel Networks Contivity Multi-OS Client, must be installed on the access device (PC, PDA,
handheld computer, etc.). The access device should also be loaded with anti-virus detection software.
Whether based on dial access to an ISP point of presence (POP) or on wired or wireless direct access, the VPN client
authenticates the user, verifies the integrity of the user's computer system, and establishes a secure link (tunnel) to the
enterprise. The VPN client ensures that the remote system is secure even during session setup, where the exchange of
authentication information is encrypted.
Remote access VPNs must be able to detect and, if possible, bypass common Internet obstacles such as NAT and outbound
firewalls, such as when linking to the enterprise network from within another firewall-protected network. At minimum, the
VPN must tell the remote user the nature of obstacles encountered. An important feature of Nortel Networks Contivity client
is the support of split tunneling, with simultaneous secure access to the enterprise and clear access to the public Internet.
Remote access connections from the Internet are handled by an IPsec gateway system at the enterprise edge. Multiple gateways
with multiple paths to the Internet provide essential redundancy in case of the failure of any one path or device. Larger
enterprises, or those with critical confidentiality requirements, should also consider separating the gateways.
The effective IP services gateway should provide: simple client configuration; the ability to pass connections through to the
internal enterprise network as opposed to session termination; stateful firewall functionality to preclude the need for a
separate firewall; support for multiple authentication methods such as RADIUS, PKI and LDAP, directory-based userID and
password systems such as Microsoft Active Directory and Novell Directory Services, and smart card or token-card
authentication on users' laptops. Support for L2TP and PPTP may also be beneficial.
SSL extranets
SSL is a session-layer approach, which means that every application has to support SSL and have its own user authentication
approach. For example, when you go to Amazon.com, the SSL session is set up before you enter your userID or credit card
number. User authentication could include going to an authentication server. Firewall traversal and NAT are easily supported
with SSL.
SSL is built into standard Web browsers such as Microsoft Internet Explorer, so no special client software is required. This
feature makes SSL extranets particularly attractive for scenarios where the enterprise doesn't own or control the remote access
devices, or where users need access from public PCs.
Web browsers are common targets of hackers, but the benefits outweigh the risks, which can be mitigated by using personal
firewalls and intrusion-detection systems on the access device. The application-agnostic SSL protocol is considered robust
enough that it is used extensively for consumer access to online shopping Web sites.
However, Web browsers support SSL only for Web-enabled (HTML) applications. As a result, if an enterprise wants to use
SSL extranets for access to, say, its legacy supply chain management application, then either the application has to have an
HTML/SSL front end or an external application-specific gateway is needed. Several vendors offer external gateways for common applications, but every application will need to have a unique front end acquired or developed. In addition to this trade-off, there are
also potential incompatibilities among browsers and browser versions. For example, some versions of SSL will actually allow a
fallback to very weak 40-bit encryption if 128-bit encryption is not present.
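The weak-cipher fallback just described is something an endpoint can refuse outright. As an added example (not code from the Nortel paper or its products), the following Python uses the standard ssl module to build a client context that cannot negotiate export-grade or 40-bit suites, plus a small audit that lists any cipher a context would still accept below a chosen strength. The 128-bit policy, the cipher string, and the sample cipher list at the bottom are assumptions for the example.

```python
"""Refuse weak cipher fallback on an SSL/TLS endpoint.

Added example, not from the Nortel paper. The sample cipher list is constructed
in the shape returned by SSLContext.get_ciphers() so the audit can be exercised
offline; the hardened context is audited the same way.
"""
import ssl

MIN_BITS = 128  # policy assumption: nothing weaker than 128-bit symmetric encryption


def weak_ciphers(cipher_list, min_bits=MIN_BITS):
    """Names of ciphers below min_bits or using known-weak algorithms.

    cipher_list has the shape of SSLContext.get_ciphers(): dicts with at least
    'name' and 'strength_bits'. Order is preserved for readable reports.
    """
    bad = []
    for c in cipher_list:
        name = c["name"]
        if (c["strength_bits"] < min_bits
                or "EXP" in name or "RC4" in name or "NULL" in name):
            bad.append(name)
    return bad


def hardened_context():
    """A client context that refuses protocol and cipher fallback."""
    ctx = ssl.create_default_context()          # also verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # HIGH selects 128-bit and stronger suites; the exclusions remove anonymous,
    # null, export, RC4, MD5 and 3DES suites an older peer might try to fall back to.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXP:!RC4:!MD5:!3DES")
    return ctx


def audit_context(ctx, min_bits=MIN_BITS):
    """Ciphers the context would still accept that violate the policy (should be empty)."""
    return weak_ciphers(ctx.get_ciphers(), min_bits)


# Constructed sample: what an un-hardened cipher list of the period could
# contain, including the 40-bit export suite the text warns about.
SAMPLE_CIPHERS = [
    {"name": "AES256-SHA", "strength_bits": 256},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "NULL-MD5", "strength_bits": 0},
]

if __name__ == "__main__":
    print("weak in sample list:", weak_ciphers(SAMPLE_CIPHERS))
    print("weak in hardened context:", audit_context(hardened_context()))
```

The audit is worth running after every cipher-string change on a gateway or client build: a policy that reads correctly can still admit a suite through an alias, and listing what the context actually accepts catches that before deployment.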
In conclusion:
SSL extranets operate at the transport layer, are good for Web applications and extranets and limited application access,
and don't require any special client software. However, SSL extranets open up a large security hole when used from uncontrolled PCs, such as public PCs in kiosks, which may lack personal firewalls and/or be infected.
IPsec VPNs operate at the network layer, are application agnostic, and require a PC client. IPsec VPNs provide complete
control over the security environment.
Nortel Networks offers both types of VPNs. Contivity Secure IP Services Gateways lead the market in IPsec-based remote
access and remote office VPNs, with more than half a million VPN clients in service. Nortel Networks has recently extended
its Alteon portfolio to implement SSL extranets.
3.5. Securing IP telephony services
Enterprises are starting to roll out IP telephony solutions to reap the benefits of convergence in the LAN and the WAN,
and of converged applications. Every VoIP system is a hardware/software solution that comprises four logical functions:
IP telephones and PC soft clients
Communications servers (also called call management servers or gatekeepers)
Media gateways that provide flexible network access, for example, via traditional PBXs and the public switched telephone
network (PSTN) and the public wireless network
Application servers for such purposes as unified messaging, conferencing, and collaborative applications enabled by
Session Initiation Protocol (SIP)
These functions and related application servers, such as contact center systems, are distributed across a telephony- or
business-grade IP network that delivers the required levels of reliability, voice quality, and congestion management.
Extended reach and mobility are provided over wireless LANs and over the Internet via IP-VPNs.
IP telephony is very time-sensitive and critical to the business, and just like other data applications, subject to a variety
of attacks. For example:
Attacks on the router can bring down both voice and data services
Denial of Service can overload an IP telephony communications server or client
Ping of Death can disrupt VoIP operations by sending multiple pings to VoIP devices
Port scanning can find vulnerabilities in VoIP clients and servers
Packet sniffing can record and/or intercept conversations
IP spoofing can misrepresent the source or destination of the media or signaling stream
Viruses, worms, Trojan horses, and time-triggered bombs can attack servers and clients
There have already been cases of hackers taking over IP clients, due to a lack of administration passwords in one case
(PingTel), and due to vulnerabilities associated with running XML in another (Cisco). However, while these could be very
disruptive, they are primarily a threat when running VoIP natively across the Internet and a relatively lesser threat when run
within the enterprise or over tunneled Internet connections. We are a few years away from seeing VoIP used end-to-end
between employees and the outside world; the security architecture for VoIP will be extended when standards, public services,
and interoperability have reached greater maturity.
[Figure: securing IP telephony across a telephony-grade IP network (caption not recovered from the page). Labels shown: management VLAN behind an L2 switch; IP-enabled PBX; IP telephony server; multimedia application server; unified messaging server; contact center, each with IDS and VS; FW, NAT, IPsec and SRT at the network boundary; 802.11 wireless access with IDS and IPsec; AL and Auth; PC soft client, SIP-enabled IP sets and digital sets.]
Securing IP telephony requires a coordinated approach across all aspects of the Unified Security Architecture. Policy management and secure access management authenticate users and authorize the use of features and calling capabilities. Management
security secures management of VoIP devices such as communications servers and media gateways.
Security mechanisms that have been implemented for IP data can be extended to cover IP telephony, for example, using
IPsec and IP-VPNs for secure remote access and branch connectivity for VoIP and data, and for wireless LAN access. Stateful
inspection firewalls and network address translation can be applied to VoIP services. Policies governing data and VoIP should
be integrated under policy management. Application-level security is provided through such methods as OS hardening,
PC-based virus protection, and personal firewalls.
Securing IP telephony at the application security level
Securing application and IP telephony communications servers. The heart of the IP telephony system is the communications server, which can be a standalone server, such as the Nortel Networks Succession CSE 1000/2000 server, or integrated
with other components, such as the Nortel Networks IP-enabled Meridian system and Business Communications Manager.
Equally important are application servers delivering contact center services (such as Nortel Networks Symposium), multimedia
applications (such as Nortel Networks CSE Multimedia Xchange), unified messaging (such as Nortel Networks CallPilot),
and self-serve interactive voice response systems. Securing these servers starts with hardening of the operating systems.
Securing VoIP clients. VoIP solutions support a broad range of clients and access configurations, including IP wired and
wireless telephones (e.g. Nortel Networks i2002 and i2004, and Symbol's wireless LAN IP phone) and PC-based soft clients
(e.g. Nortel Networks i2050 and SIP clients). When connected to an IP network, these clients are vulnerable to attack.
There are a number of different telephony signaling protocols, such as SIP, H.323, UniStim (used by Nortel Networks IP
telephones), and Meridian Customer Defined Networking for network-wide feature operation. In the future, the ability to
secure signaling traffic at the VoIP client will be generally available. In IP telephony systems, the voice signal is packetized
using a standard such as G.729 (at 8 kbps) together with a speech activity detection algorithm, and is carried by the Real-Time
Protocol (RTP) over UDP at the transport level. Encryption of the voice at source will emerge as an option, as required by special
sectors such as the military community.
The process is different for securing IP telephones and PC-based soft telephony clients:
IP telephones, such as Nortel Networks i2004/2002, are custom-built appliances for telephony only. There is no storage
or asset on the phone itself to protect other than its presence on the network as a trusted device. The identification of the
caller and the call itself are the only assets to be protected. These telephony appliances most commonly use a proprietary
thin client protocol that relies on the communications server for feature/functionality and security. Approaches that rely
on XML in the VoIP set for feature operation are open to greater vulnerability.
VoIP soft clients on users' PCs co-exist with other applications and assets, and run widely available operating systems. That
means a successful attack can be damaging to several valued assets, and these devices should be protected with personal
firewalls, anti-virus detection, and IP-VPN clients, the same mechanisms used for data security on that access device.
Securing IP telephony at the network security level
Securing VoIP in the wiring closet and across the campus. IP devices are wired into a campus network using either shared
media or, more commonly, dedicated switched Ethernet connections. Wireless LANs are being widely adopted, especially in
education and healthcare environments.
VoIP soft clients and dedicated VoIP appliances should be connected to switched Ethernet environments right to the desktop,
for the following reasons:
VoIP latency variation is minimized by eliminating the CSMA/CD contention of shared-media Ethernet
Other devices are prevented from eavesdropping on VoIP calls
Enterprises may also choose to logically group VoIP telephones in their own VLANs to enhance security and manageability.
Special considerations apply when using wireless LANs (WLANs) to extend IP telephony services within the enterprise; for
example, from the desktop to conference rooms, classrooms, or shop floor personnel. Because wireless LANs are relatively insecure, both the signaling and voice planes need added security over the wireless segment of the call path. One method is to
configure soft clients co-resident with an IP-VPN client on the access device. Alternatively, some WLAN IP phones have built-in encryption and authentication. Nortel Networks has a strategic partnership with Symbol, whose WLAN IP phones support
128-bit WEP encryption between the client and the wireless access point, plus Kerberos authentication.
Securing branches for IP telephony. Several approaches are available for securing remote office VoIP solutions. For example,
an enterprise could:
Support VoIP telephones and soft clients from an office-in-a-box system that integrates IP telephony capabilities and
VPN security, such as Nortel Networks Business Communications Manager with integrated Contivity IP-VPN client.
Leverage the distributed nature of VoIP by deploying clients off a centralized server such as a Nortel Networks IP-enabled
Meridian platform, CSE 1000 server, and CSE MX server, and running this traffic over an IP-VPN.
Support a Nortel Networks Remote Office 9150 VoIP telephone off a central site IP-enabled Meridian PBX, which
supports Meridian digital telephones over an IP-VPN infrastructure while supporting a fully featured back-up path by
tunneling over the PSTN. This approach is unique to Nortel Networks.
Nortel Networks Contivity IP-VPN solution is unique for its Secure Routing Technology, which minimizes latency for VoIP
calls through meshed connectivity of secure tunnels over the Internet. This same solution can provide security for voice and
data traffic traversing frame relay networks.
Figure 16. Securing remote networking for IP telephony
[Figure; only labels recovered: remote office with IP sets, an IP telephony soft client, 802.11 access, IDS, VS, IPsec, FW and a Secure IP Services Gateway using SRT; central site with Secure IP Services Gateways, FW, IPsec and SRT, reached across the Internet; hotel and airport access with Auth, FW, IPsec, VS, IDS, a SIP data soft client and SSL; customer site; payphone with data jack.]
Securing remote access for IP telephony. At home, in a hotel, or on the road, remote users can benefit from the convenience,
control, and productivity of IP telephony. To secure this kind of telephony access, VoIP soft clients would be co-resident with
an IP-VPN client on a laptop, and ultimately on a suitably equipped PDA, for mobile employees. This same configuration
is used to take advantage of WLAN access points in hotels, airports, and convention centers. VoIP telephones for telecommuters and remote contact center agents could be secured with a home office IP-VPN, such as a Contivity 1000 Secure IP
Services Gateway.
Network management security for IP telephony. Management of IP telephony services should be protected with the same
level of network management security accorded to the network and security infrastructure in general.
A physically dedicated Ethernet port should be configured for VoIP management functions, part of a management VLAN
that blocks all non-management traffic at the routing level via access lists and perimeter security, and has all unused ports
turned off. Only authorized application software should be run on the servers in this VLAN. Multi-level security should be
applied with various levels of privileges (monitor, configure, control) for authenticated operational personnel. User passwords
must be securely stored and password formatting and change management strictly controlled. Management traffic (such as
billing information) can be optionally encrypted, even for internal transmission through IP-VPN technology. Off-net access for
suppliers, system integrators, and/or VARs can be provided via IP-VPNs.
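The access-list rule above ("block all non-management traffic at the routing level") is easiest to get right when the list is small, ordered, and ends in an explicit deny. As an added example (not from the Nortel paper, and not the syntax of any Nortel product), the following Python evaluates a first-match access list for a management VLAN against constructed packets. The subnet 10.10.99.0/24 as the management VLAN, 10.0.0.0/8 as the managed-device space, and the three admitted services (SSH 22/tcp, SNMP 161/udp, syslog 514/udp) are assumptions for the example.

```python
"""First-match access-list evaluation for a management VLAN.

Added example, not from the Nortel paper. Addresses, services and the rule
shape are assumptions; the point is the ordering and the explicit final deny.
"""
import ipaddress
from typing import NamedTuple, Optional

MGMT_VLAN = ipaddress.ip_network("10.10.99.0/24")      # assumed management VLAN
MANAGED_DEVICES = ipaddress.ip_network("10.0.0.0/8")    # assumed campus address space
ANY = ipaddress.ip_network("0.0.0.0/0")


class Rule(NamedTuple):
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None matches any destination port


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int]


# Ordered list: operator stations inside the VLAN may use SSH and SNMP, managed
# devices anywhere on the campus may deliver syslog, everything else is denied.
MGMT_ACL = [
    Rule("permit", "tcp", MGMT_VLAN, MGMT_VLAN, 22),
    Rule("permit", "udp", MGMT_VLAN, MGMT_VLAN, 161),
    Rule("permit", "udp", MANAGED_DEVICES, MGMT_VLAN, 514),
    Rule("deny", "any", ANY, ANY, None),     # explicit final deny (the one to log)
]


def matches(rule, pkt):
    """True when every field of the rule covers the packet."""
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl, pkt):
    """First matching rule decides; returns (action, index of the deciding rule)."""
    for idx, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, idx
    return "deny", -1               # implicit deny when nothing matched


def audit(acl, packets):
    """Decisions for a batch of packets; handy as a regression test after an ACL change."""
    return [evaluate(acl, p) for p in packets]


# Constructed traffic sample (not from a real network).
TRAFFIC = [
    Packet("tcp", "10.10.99.5", "10.10.99.10", 22),     # operator SSH inside the VLAN
    Packet("udp", "10.20.5.2", "10.10.99.10", 514),     # syslog from a managed device
    Packet("tcp", "10.20.1.7", "10.10.99.10", 22),      # SSH from a user VLAN
    Packet("tcp", "10.20.1.7", "10.10.99.10", 80),      # HTTP into the VLAN
    Packet("tcp", "198.51.100.9", "10.10.99.10", 22),   # SSH from outside the campus
]

if __name__ == "__main__":
    for pkt, decision in zip(TRAFFIC, audit(MGMT_ACL, TRAFFIC)):
        print(pkt, "->", decision)
```

Keeping the batch of sample packets next to the list turns the ACL into something you can re-check every time a rule is added, which is where most "temporary" openings into a management VLAN survive unnoticed.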
Communications convergence
Comprehensive management
Application-optimized network
Engaged applications
These design tenets apply to the entire Nortel Networks portfolio, including for example:
Alteon switches that provide firewall/IDS/IP-VPN load balancing and content filtering
Passport 8600 routing switches that provide extensive filtering and access list controls, as well as firewall/IDS/IP-VPN
load balancing when equipped with an Alteon Web Switching Module. The Passport 8600 is a 256 Gbps platform so
robust that it is used in service provider central offices
Ethernet hubs and switches from the BayStack portfolio that support VLANs and user authentication via EAP
Security is also a key element of Nortel Networks applications for IP telephony and multimedia, contact centers, unified
messaging, and more. Integration with solutions from our business partners delivers important capabilities such as intrusion detection, anti-virus, content filtering, and authentication. Whether offered as intrinsic features in multi-purpose products
or as purpose-built security devices, Nortel Networks security solutions protect the network and applications with high
performance and low cost of ownership.
4.2. Expanded choice through partnerships
Nortel Networks partners with service providers to enable them to offer best-in-class secure managed service solutions.
For example, our Contivity systems have been deployed by the majority of the world's leading service providers for their
managed IP-VPN services. Nortel Networks Shasta Broadband Service Node (which uses the same VPN client as Contivity)
is the foundation for many providers' network-based IP services, including VPNs, firewalls, and other security services.
Nortel Networks also partners with best-of-breed security application vendors for two types of collaboration:
Working with select security application vendors to achieve full code integration with the Alteon Open Security
Architecture for the purposes of accelerating existing security technologies.
Ensuring seamless interoperability with third-party security methods for authentication (RADIUS, digital certificate/PKI,
hardware/software tokens, and smart card), intrusion-detection, anti-virus, content filtering, firewall reporting, and more.
Nortel Networks maintains an internal cross-functional team, the Security Advisory Task Force (SATF), which reports to the
Chief Technology Officer and addresses security vulnerabilities that could impact Nortel Networks products, as soon as these
vulnerabilities are discovered.
This internal task force has established relationships with key security vulnerability agencies in the industry such as CERT,
SANS, and ISA to ensure rapid awareness of new vulnerabilities. A process has been established to determine the level of risk
of each potential vulnerability to Nortel Networks customers, along with a risk mitigation plan, where required.
Where appropriate, the vulnerability status of the Nortel Networks portfolio is communicated in Vendor Statements on the
corresponding CERT Web page and through action bulletins created with internal product teams that specify a risk analysis,
vulnerability status, mitigation plan, and planned patch release dates. These bulletins are made available to customers,
customer support teams, and account teams. Finally, the team follows up on all issues until closure.
Summary
The typical enterprise internal trusted network is anything but internal these days. It extends to include supply chain
partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more.
Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would
misappropriate network resources for personal gain.
Whether or not they leverage the inherently insecure Internet for business applications, all enterprises have an obligation to
protect network integrity and data confidentiality, for their own sake as well as for that of their customers and business partners.
The good news is that enterprises can minimize their risks from unauthorized users without sacrificing performance for legitimate users. The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of
best recommendations for end-to-end enterprise network security. Addressing the Top Ten security challenges with flexible
implementation choices, this comprehensive security strategy is based on these key principles:
1. Multi-layer security that defines security protection functions at application, network-assisted, and network security
levels
2. Variable-depth security across the enterprise, not just at the edge of the Internet
3. Closed-loop policy management that entails continuous evolution of policy to address changing business requirements,
network conditions, and industry knowledge
4. Uniform access management via stringent authentication and authorization at a granular level, defined and managed
centrally for the entire enterprise
5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying
security best practices to suit critical operational activities
6. Secure multimedia communications, protected by high-performance encryption and tunneling
7. Survival under attack, ensuring that the network continues to deliver critical services even as it detects and wards off
malicious activities
The principles underpinning the Unified Security Architecture offer enterprises a blueprint for implementing security solutions
to ensure information integrity and confidentiality across a full range of network applications and architectures, including
protection from external attacks, application abuse, viruses, unauthorized access, interception, or manipulation of data en route.
With Nortel Networks Security Solutions, enterprises can protect business critical resources, and confidently and confidentially
use the Internet as an extension of their trusted internal network.
For more information about security products, terms, standards, organizations, legislation, and certification, visit our security
solutions Web site at http://www.nortelnetworks.com/solutions/security/related.html.
In general, attackers can use network sniffers by compromising the physical security of the corporation, say, walking into
the office and plugging a laptop into the network. With the growing use of wireless networks, someone in the parking lot with
a wireless device can access the enterprise's local network. Gaining access to the core packet network enables the attacker to
determine configurations and modes of operation for further exploitation.
Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing
their service. DoS attacks are easy to implement and can cause significant damage, disrupting the operation of the enterprise
and effectively disconnecting it from the rest of the world.
DoS attacks can take various forms and target a variety of services. They focus on exhausting network, server, host, and
application resources and on disrupting network connectivity. For example, the SYN flooding attack uses bogus half-open TCP
connection requests that exhaust memory capacity of the targeted resource. These types of attacks can prevent legitimate users
from accessing hosts, Web applications, and other network resources. Distributed DoS attacks use the resources of more than
one machine to launch synchronized DoS attacks on a resource.
DoS attacks exploit weaknesses in the architecture of the system under attack. In some cases they exploit weaknesses in
common Internet protocols, such as the Internet Control Message Protocol (ICMP). For example, some DoS attacks
send a large number of ICMP echo (ping) packets to an IP broadcast address. The packets use a spoofed IP address of a potential
target. The replies coming back to the target can cripple it. These types of attacks are called Smurf attacks. Another form of
attack uses UDP packets but works on the same concept.
Bucket brigade attacks are also known as man-in-the-middle attacks. In this kind of assault the attacker intercepts messages
in a public key exchange between a server and a client and retransmits them, substituting its own public key for
the requested one. The original parties believe that they are communicating with each other, while the attacker can
read the messages or modify them. Network sniffers can be used to launch such attacks.
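The substitution described above only works because neither party checks that the public value it received was vouched for by the peer. As an added example (not from the Nortel paper), the following Python runs a toy Diffie-Hellman exchange with and without that check: without it, an on-path relay ends up sharing a key with each side; with it, the substituted value is rejected before any key is derived. The 127-bit prime and generator are toy parameters for illustration only, and AUTH_KEY, a secret held only by the two endpoints, stands in for the certificate-based signature a PKI would provide.

```python
"""Why a public-key exchange must be authenticated: toy Diffie-Hellman with and
without a check on the received public value.

Added example, not from the Nortel paper. Toy parameters; the HMAC tag stands
in for a certificate-backed signature over the public value.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1                  # toy modulus (a Mersenne prime); not for real use
G = 5                               # toy generator
AUTH_KEY = b"shared-only-by-the-two-endpoints"   # constructed; a relay never holds it


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Session key derived from the peer's public value."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def vouch(key, pub):
    """Tag binding a public value to the holder of `key` (stand-in for a signature)."""
    return hmac.new(key, pub.to_bytes(16, "big"), "sha256").digest()


def accept(priv, message, authenticated):
    """Derive the session key, or return None when the tag does not verify."""
    pub, tag = message
    if authenticated and not hmac.compare_digest(vouch(AUTH_KEY, pub), tag):
        return None                 # reject: nobody holding AUTH_KEY vouched for this value
    return dh_shared(priv, pub)


def run_exchange(intercepted, authenticated):
    """Return (alice_key, bob_key) for one exchange.

    intercepted=True models the bucket brigade: what each side sends is
    replaced in transit by a value the relay generated. authenticated=True
    makes each side verify the tag before using the received value.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    to_bob = (a_pub, vouch(AUTH_KEY, a_pub))
    to_alice = (b_pub, vouch(AUTH_KEY, b_pub))
    if intercepted:
        _, r_pub = dh_keypair()
        # The relay lacks AUTH_KEY, so the best it can do is tag with a key of its own.
        to_bob = to_alice = (r_pub, vouch(b"relay-key", r_pub))
    return accept(a_priv, to_alice, authenticated), accept(b_priv, to_bob, authenticated)


if __name__ == "__main__":
    for intercepted in (False, True):
        for authenticated in (False, True):
            a, b = run_exchange(intercepted, authenticated)
            status = "rejected" if a is None else ("same key" if a == b else "DIFFERENT keys")
            print(f"intercepted={intercepted} authenticated={authenticated}: {status}")
```

In deployed protocols the tag is a signature verified against the peer's certificate, or a key fingerprint compared out of band; the property that matters is the same in each case: a value the relay cannot vouch for is discarded rather than used, so the sniffer-assisted substitution yields no shared key.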
Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights,
such as these:
Deliberately placed by system developers to allow quick access during development and not turned off upon delivery
Placed by employees to facilitate performance of their duties
Part of standard operating system installs that have not been eliminated by OS hardening, such as retaining default
user logon ID and password combinations
Placed by disgruntled employees to allow access after termination
Created by the execution of malicious code, such as viruses
Masquerading or elevation of privilege enables a hacker to pose as a valid administrator or engineer to access the network.
Masquerading as a user with administrative privileges, the intruder can modify accounts, configuration data, network signaling,
and billing and usage data.
Eavesdropping takes advantage of the promiscuous mode of off-the-shelf Ethernet adaptors that are sold in the market.
This mode enables an attacker to capture every packet on the network to listen and record data communications on the
enterprise LAN. There are plenty of free network sniffers on the Web today that an attacker can use for eavesdropping.
Eavesdropping is an insidious problem because it is difficult to detect.
In Canada:
Nortel Networks
8200 Dixie Road,
Suite 100
Brampton, Ontario L6T 5P6
Canada
In Europe:
Nortel Networks
Maidenhead Office Park
Westacott Way
Maidenhead Berkshire SL6 3QH
UK
In Asia:
Nortel Networks Asia
6/F Cityplaza 4,
Taikooshing,
12 Taikoo Wan Road,
Hong Kong
Nortel Networks is an industry leader and innovator focused on transforming how the world
communicates and exchanges information. The company is supplying its service provider and
enterprise customers with communications technology and infrastructure to enable value-added
IP data, voice and multimedia services spanning Metro and Enterprise Networks, Wireless Networks,
and Optical Long Haul Networks. As a global company, Nortel Networks does business in more than
150 countries. More information about Nortel Networks can be found on the web at:
www.nortelnetworks.com/security
For more information, contact your Nortel Networks representative, or
call 1-800-4 NORTEL or 1-800-466-7835 from anywhere in North America.
*Nortel Networks, the Nortel Networks logo, and the globemark design are trademarks of Nortel Networks.
All other trademarks are the property of their owners
Copyright 2002 Nortel Networks. All rights reserved. Information in this document is subject to change without notice.
Nortel Networks assumes no responsibility for any errors that may appear in this document.
NN102060-0902