Network Security. Hard to overstate its importance

Transcription

1 Network Security Hard to overstate its importance

2 2008 Network Security Resume This paper outlines the security aspects of the Nokia Siemens Networks Vision of tomorrow s connected world. It looks ahead to the year 2015 and analyzes security-specific trends as well as their impact on network developments and market requirements. Tomorrows network security offers both challenges and opportunities. A key challenge is to adopt the Internet model for ubiquitous connectivity and five billion people. This must be realized while maintaining a high level of security that ensures smooth operation of communication networks. Another major challenge is the need to balance user requirements for privacy and anonymity with regulatory requirements. On the other hand, tomorrow s network security will provide the basis for many new communications and collaboration applications and secure communication networks will play a pivotal role with regard to public safety. It is therefore hard to overstate their importance to the global economy. Nokia Siemens Networks creates and markets solutions that deliver advanced security features for end users, enable the smooth operation of carrier networks, and protect what has become part of the critical infrastructures of our society. 2

3 Network Security 2008 Table of Contents 1. Introduction General trends that impact network security New threats New Challenges for communications service providers Telecommunication network solutions in industrial and rural sectors Network Equipment in Residential and Public Areas Security of Embedded Systems New Dependencies Between Application Security and Network Security Mobile Network Service Architecture Evolution Selected Technical Trends and Challenges for Network Security Ubiquitous Access Security Advanced Network Management Security Functions Device Integrity Checks Unwanted Traffic Security Equipment Consolidation Additional Security Trends and Challenges Regulatory Framework Overall Challenge: Privacy versus Public Safety Lawful Interception (LI) Internet-related Emergency Services and Public Warning Systems Security Compliance Nokia Siemens Networks Security Approach General Product Security Security Solutions for Communication Service Providers Summary List of Acronyms

4 2008 Network Security 1. Introduction In future we ll rely more and more on the exchange of information via open, IP-based telecommunication networks. This development will place new, sophisticated requirements on these networks, for example: They will carry much larger volumes of information than today. This comes via millions of new customers of Communications Service Providers (CSPs) as well as the new bandwidth-hungry applications such as IPTV and P2P Networks will therefore grow in order to accommodate the additional traffic, and new architectures will be needed to enable ubiquitous connectivity for multiple access types (fixed, wireless, mobile, etc.). In addition, application continuity when transitioning between these access types will be a market requirement These developments will expose carrier networks to more security threats. At the same time, the potential damage caused by successful attacks will increase, as more and more businesses and applications will depend on network services. Tomorrow s networks will therefore become an increasingly attractive target for cyber-crime and cyber-terrorism. In turn this means that the protection of carrier networks against these attacks will become an important success factor for the global economy. In addition to ensuring network availability, maintaining user privacy, confidentiality and the integrity of communication processes will become increasingly complex. And the requisite security solutions must also balance these market requirements against regulatory requirements like law enforcement. This paper details the security challenges and the necessary security functions for tomorrow s communication networks. Chapter 2 analyses general trends, e.g. new types of threats. In chapter 3 we detail selected technical developments in the network security area. Chapter 4 complements this analysis by exploring related regulatory topics. Chapter 5 outlines the way Nokia Siemens Networks approaches this multifaceted topic. Finally, chapter 6 gives an execu- tive summary of this document. 4

5 Network Security General trends that impact network security New threats The increased use of IP combined with ubiquitous connectivity will result in the introduction of a number of new threats. They will include more sophisticated and powerful attack tools and mechanisms (e.g. botnets) and we can expect to see commercial attack products becoming available at low prices. The company s vision of tomorrow s connected world is based on a simple, smart, flat architecture. This approach will result in significant benefits for CSPs and their customers, but since it is based on IP there are attendant risks. This is the case with all IP-centric networks. It is therefore necessary to implement powerful security mechanisms and to update them in line with the emergence of new threats. Network cores will be simpler in future but the edge of the network will be more complex, e.g. due to fixed-mobile convergence, software complexity, new service platforms and systems, new access technologies like Femto, I-HSPA, LTE, and the need for interoperation between new and established access technologies like UTRAN, WLAN and WiMAX number of security vulnerabilities Source: CERT Coordination Carnegie Mellon University This means that the overall communications infrastructure will result in more possible vulnerabilities and the increased likeliness of a wrong configuration, unwanted backdoors in software programs, etc. Taking appropriate measures against these threats and vulnerabilities is becoming more important. Not only are they increasing, but professionals and organized criminals are also mounting them for monetary reasons. Attacks are no longer limited to script kiddies and leisure time hackers. 1H08 Figure 1: Number of catalogued security vulnerabilities in IP networks 5

6 2008 Network Security 4 Bn 3 Bn CSPs security spending 2 Bn 1Bn Figure 2: Security spending of operators worldwide Source: Nokia Siemens Networks Business Intelligence, July New challenges for communications service providers. In addition to the general threats, new security challenges are also emerging specifically to communications service providers, e.g. network operators. For example: Due to new business models, CSPs need to diversify and take on new roles: e.g. network operator vs. service/application provider, and virtual operator. Another factor is the need to differentiate between access and core providers. Therefore new modes of operation and practices have to be developed. Insider threats will increase due to an increasing number of co-operations with subcontractors, collaborators, partners, temporary relationships, etc. CSPs will therefore be implementing new models for inter-operator security assurance as well as sophisticated prevention systems against internal fraud. Solution providers like Nokia Siemens Networks will be requested to support these activities via related security solutions, e.g., in the areas of mutual security co-operation, intrusion detection/prevention, SIEM (see 3.2 below) and fraud management. 2.3 Telecommunication network solutions in industrial and rural sectors. The penetration of telco-like structures and IP technology in industrial areas (factory networks, remote control of manufacturing, plant operation, clinical communication, etc.) will increase. This development will also be extended into rural environments, particularly in the emerging markets. Similar security challenges / threats will therefore emerge in these areas. However, in many cases staff having the requisite knowledge and experience may not be available. An additional challenge in rural areas comes from the fact that the network equipment might be exposed and therefore subject to vandalism and physical damage. Security gaps originating in industrial networks and/or rural networks may also impact core telecommunication networks or even whole economic infrastructures. New threats caused by this potential development will have to be analyzed and taken into account. Security spending of CSPs worldwide has increased strongly in the last years more than 15% growth per year - and this trend is set to continue (see Figure 2). 6

7 Network Security Network equipment in residential and public areas Home networks will be more sophisticated in future. They will go well beyond simple WLAN/home router configurations and may, for example, be based on WiMAX or mobile home technologies based on Femto base stations. Configuring all this advanced communications equipment and enabling a secure environment is an upcoming security challenge. This issue is compounded by market requirements such as the need for remote control, Intelligent Building Technologies, surveillance functions and the fact that vendors cannot expect users to have technical knowledge. One of the research keywords in this area is therefore zeroconfiguration security, ideally accomplished via a plug-andplay solution. Eventually, tomorrow s communication networks will require network elements to be located in residential environments or public areas, e.g. airport hot spots. Therefore possible threats caused by accidental or intended damage to the equipment have to be taken into account. 2.5 Security of embedded systems Network security today often relies on human interfaces such as passwords and smart cards. In the future, more and more autonomous, embedded systems will become players in communication networks, e.g., residential consumer equipment with network interfaces, vending machines, any kind of sensors (machine-to-machine communications), and medical equipment. The latter could involve emergency applications based on telemetric sensors. These systems will have to be cheap and simple, and they may also have limited functionality, which in turn means that new types of network security solutions will be needed. These demanding requirements will be via the development of low-cost chips that enable secure, one-way-authentication and an identity that cannot be forged. 7

8 2008 Network Security 2.6 New dependencies between application security and network security Application security is a huge subject and it goes beyond the scope of this network security paper. However, there are a number of significant dependencies between future application security and network security: IP-TV security and music download will require application security, as indicated by the on-going discussions about digital rights management (DRM), watermarking, and conditional access. For these functions, there will probably be several relationships with the underlying network security functionality. New business models may emerge in this area (e.g. advertising being used to finance free-ip-tv). These models will require additional security protections against abuse and fraud 2.7 Mobile network service architecture evolution In addition to these generic trends, the increasing standardization of mobile networks means that new security functions and models will be required. For example, the so-called next generation mobile networks currently being standardized and characterized by the terms SAE / LTE will specify a new layering of security levels and the enforcement of a clearer separation of control plane security and user plane security. Identity management (which is the subject of a separate Nokia Siemens Networks white paper) will require related network security functions, particularly in the authentication area Mobile browsers will be increasingly used for payments, banking, etc. This is an area where application security must be supported by network security 8

9 Network Security Selected technical trends and challenges for network security While many network security areas will continue to evolve (e.g. firewalls, antivirus software and VPNs), there will be new trends and challenges in the network security area and these may lead to disruptions as well as new business opportunities. The purpose of this chapter is not to give a comprehensive overview on all security functions (cf e.g. ITU-T Rec. X.805), but rather to focus on a number of selected new trends and challenges. 3.1 Ubiquitous access security Future telecommunication networks will be multi-access structures, allowing parallel access to fixed broadband (xdsl, cable, fiber) and mobile wireless networks. In addition there will be flexible, smooth roaming and handover between them. Such Fixed- Mobile-Convergence (FMC) solutions will enable ubiquitous access to a wide range of applications. Users will not like to experience any service disruption when changing from one access type to another, e.g., fixed to mobile access, or from local area to wide area access. These multi-access structures will require related security solutions, e.g. maintaining security associations when changing to a new access network. These associations will include access agnostic security functions, follow-me security, session continuity with security context transfer, handover keying, and security context pre-establishment to prepare handover. 9

10 2008 Network Security 3.2 Advanced network management security functions In addition to the ongoing evolution and improvement of current functions, the security functionality in the network management area will have to react to the new challenges outlined in section 2.2, as well as the growing complexity of future networks outlined in section 2.1. This means that security solutions from the area of Identity Management will also be used for network management purposes, e.g. for implementing centralized authentication of network management staff and authorization solutions across multiple heterogeneous networks. Centralized staff authentication and identity management systems will be further expanded in order to encompass network management of the whole network. A further challenge for the network management security area is the need to handle and structure the information created by various network elements, to identify which information may be security-related, and to define appropriate counter-measures. For example, network management systems may create alarm and logging data, firewalls may block traffic and issue related notifications, IDS/IPS systems may identify and re-act to possible intrusions, etc. The challenge for a CSP is to handle and structure all this information in order to identify real attacks or other security issues, to distinguish them from the large amount of noise (false positives) as well as cluster notifications, alarms, and logs belonging to the same event. And then the CSP must react accordingly. This area is often referred to as SIEM (Security Information and Event Management). SIEM is considered to be one of the areas with significant market growth. Another aspect of network management is the fact that the configuration of network elements will require even more attention. Tomorrow s network architectures will be be simpler fewer elements but logically they will be more complicated. A careless change in configuration data could cause a severe loss of service or more subtle, hard-to-detect problems that will impact on the quality and reliability of service. Formal verification of configuration data will therefore be needed before data are committed to network elements. Collection & Storage Analysis & Correlation Reports: Compliance & Performance Log data Jun 8 00:00:15] The e3hitemx.pl application was started.; Jun 8 00:00:15] The e3hitemx.pl application was started.; Jun 8 00:00:15] The e3hitemx.pl application was started.; Jun 8 00:00:15] The e3hitemx.pl application was started.; Incident Handling Jun 8 00:00:15] The e3hitemx.pl application was started.; collector Jun 8 00:00:15] The e3hitemx.pl application was started.; Jun 8 00:00:15] The e3hitemx.pl application was started.; Alarms Forensics Figure 3: Security monitoring in the Network Management area 10

11 Network Security Device integrity checks New types of attacks to various devices, e.g., root kits, Modchips (game console), and manipulated firmware (e.g. base stations), will increase the need to check the integrity of these devices before attaching or reattaching them to a communications network. This subject is known as Network Access Control (NAC) and it is currently addressed by the Trusted Network Connect (TNC) initiative, which is part of the standardization activities of the Trusted Computing Group (TCG). TNC helps network administrators protect their networks by allowing them to audit endpoint configurations and impose enterprise security policies before network connectivity is established. Competing proprietary solutions in this area are already on the market: they are normally identified as Network Admission Control or Network Access Protection products. The need for NAC solutions will increase significantly in future. One reason is the fact that the configuration possibilities for devices will increase (perhaps also including remote configuration). This will result in a lower trust level for these devices. Another reason is the usability of devices in different access networks and environments, where some may be less secure than others. Knowing that a certain device is trustworthy (non-malicious, virus-free, etc.) will be very important for future networks and service provision. We can therefore expect that all devices in carrier networks will include mechanisms to allow for some kind of device integrity checking. Nokia Siemens Networks sees this as an important trend and is active in related standardization efforts like that of the TCG, as well as in research projects on trusted computing mechanisms, e.g., on Trusted Platform Modules (TPM). 3.4 Unwanted traffic Unwanted traffic is known from (spam), and in the future is likely to extend to VoIP calls (SPIT = Spam in IP Telephony) and other areas (unwanted advertisements). There are anti-spam and anti-spit mechanisms that are based on blacklists, white lists and keywords, but they may be less successful in future since attackers are likely to hide or spoof their source address information and prepare for these mechanisms. Therefore, more sophisticated mechanisms will have to be created and deployed e.g., enhanced signaling interpretation, behavior or traffic analysis, or human user detection. 3.5 Security equipment consolidation The deployment of security solutions and related equipment in carrier networks has evolved over time, and often there is a zoo of different, dedicated equipment located at different locations. This results in a significant increase in complexity and there is also the possibility of unintended cross-effects between security functions. In turn this introduces difficulties in the management of these solutions. There is therefore a move towards functional consolidation, e.g. based on virtual firewall concepts, blade server solutions or UTM (Unified Threat Management) platforms. In typical security equipment consolidation projects the number of security devices can often be reduced by a factor of 15:1 or even 20:1. UTM is often used as a keyword for these consolidation concepts. UTM employs highperformance security platforms that integrate multiple security functions. These platforms are placed at few strategic locations in the network, thereby substituting multiple existing security devices. An important benefit of these solutions is the ability to add additional security functionality at a later date. Less devices means that security equipment consolidation is also regarded as being part of the new concepts for Green Security, which summarize mechanisms and solutions that reduce the energy consumption needed for security. 11

12 2008 Network Security 3.6 Additional security trends and challenges The scope of this paper does not enable coverage of the whole set of future security trends and challenges in detail, but a number are summarized in the final section of this chapter. Personal authentication can be based on biometric identification such as fingerprints, or on citizen cards / medical cards, which can be combined with one-time tokens or passwords. It can be used for functions like parental control, medical applications, personalized services for individual persons or user groups. Short range communication capabilities such as those based on NFC (near-field communication) or RFID tagging are already deployed in retail / supply chain management. In future, they will be integrated into network security solutions in order to verify that a person or device is physically present at a particular location. Unfortunately there are also still a number of security issues related to the Core Internet. Improved security standards and solutions are expected to be specified, for example: Attacks on DNS servers (e.g. DNS cache poisoning) are particularly dangerous since they can redirect users to malicious locations or pages (e.g., for phishing of confidential data) without the user having to click a link or open an attachment) Secure routing, particularly in the interdomain area (IETF activity SIDR). This deals with the fact that the Border Gateway Protocol (BGP), the most widely deployed inter-domain routing protocol in the Internet, was originally not equipped with enhanced security functions In the mid and long-term, challenges and disruptive developments may also be expected in classical security areas like antivirus systems and encryption: Security experts are currently warning about the possibility of end of signature-based antivirus systems and are demanding new, complementary mechanisms. These could be based on behavior detection, traffic pattern analysis, or video scanning. Many aging mathematical encryption algorithms, which have been used in communication networks for many years, will have to be replaced by stronger algorithms because PC processing power has increased and this enables brute force attacks that can compromise those early algorithms. One example is the A5/1 algorithm used at the GSM air interface, which encrypts traffic after the initial authentication. More modern algorithms will probably replace A5/1 in future. If we look further ahead, quantum computers may be able to solve mathematical problems very quickly and this would challenge current encryption algorithms. However, in return quantum cryptography may also be the basis for new key management solutions that allow two parties to exchange a secret key in a way that no third party can physically eavesdrop on the exchange without the two parties noticing. This type of key exchange could be used in combination with a one-time-pad encryption that would enable totally secure encryption. Secure Timing, in particular consistency of timing information in multi-access structures VoIP encryption / Secure RTP, and related key management Security of NAT traversal and middle boxes 12

13 Network Security Regulatory framework 4.1 Overall challenge: Privacy versus public safety New threats and the possibility of increased impacts on network and economy infrastructures mean that tomorrow s communication networks will face a balancing challenge. On one hand they need to meet user requirements for privacy, anonymity, etc. On the other there are the requirements of society for public safety, protection against terror, and related user surveillance. These are not contradictory requirements. Security solutions can accommodate both privacy and public safety requirements if certain basic conditions are met: 4.2 Lawful Interception (LI) Lawful interception capabilities are present in today s networks. There are minor deviations in the related legal framework from country to country, e.g., differences related to the rules on the signaling information (who communicates with whom) versus the rules on the communication content. In tomorrow s networks some new challenges for LI will emerge (e.g., P2P traffic and encrypted traffic) and corresponding standardization activities have started in the 3GPP SA 3 LI working group. Transparency of the applied security mechanisms rather than security by obfuscation Clear and known roles, responsibilities, privacy levels, authorizations, etc., and their enforcement, rather than silent backdoors Nokia Siemens Networks complies with these principles in order to meet the challenge and find network security solutions that accommodate both requirements. 13

14 2008 Network Security 4.3 Internet-related emergency services and public warning systems For emergency calls, new challenges have emerged in IP-based networks. For example, the link to the location of the emergency caller will no longer be provided automatically as in traditional networks. Instead, the link will be enabled by sophisticated technical solutions based on location detection and location signing. These solutions are needed to securely identify that location. Functionality based on GPS positioning or short-range communication may be applied. However, callers may be panicking, so the user side process for gathering location information has to be very simple. In certain cases, e.g. in case of car accidents calls will be initiated automatically without any user interaction. This will be a mandatory requirement. Questions related to Internet based Emergency Services are discussed in the IETF working group ECRIT, and Internet emergency solutions are expected to be available in a few years. 4.4 Security compliance Current network equipment is typically subject to sophisticated security tests and vulnerability scanning. In future it is foreseen that the testing and security processes will be formally verified and demonstrated, e.g. to comply with transparency and risk assessment requirements originating from the Sarbanes-Oxley act of Rules from the ISO series and / or the EAL-levels of the Common Criteria may be applied to support these compliance requirements. However, the rules have to be complemented by more detailed security process and testing / auditing activities. In general, compliance requirements will be a major driver for stronger deployment of security functions, e.g. related to data loss prevention, SIEM, identity management, business continuity management and information security management systems. In addition to regular emergency services, new regulatory requirements are also expected on the use of telecommunication infrastructures for the rapid dissemination of information to the public. This would typically be used to issue warnings about disasters, terror attacks, flooding, water poisoning, etc. These public warning systems are a research area with many technical challenges, e.g. how to determine the group of receivers. This may depend on their locations, presence, and availability. In addition this function has to be protected against misuse. 14

15 Network Security Nokia Siemens Networks security approach 5.1 General product security Taking into account the trends, challenges and regulatory frameworks outlined earlier, the company has established a number of rules, guidelines, processes and awareness programs for its development units. In particular, a detailed mandatory security process, including both proactive and reactive security measures, is being applied. Proactive measures include: mandatory e2e security concepts for new products/releases security awareness program throughout all business units, including security seminars and trainings with regular updates clear rules on secure software development (e.g., trying to avoid buffer overflows and general application of completeness checks ) sophisticated security testing and independent security auditing A virtual security organization, with a dedicated Security Lead nominated for each product. Reactive measures include: best-in-class security vulnerability monitoring system rapid sales and service information on newly detected vulnerabilities patching capabilities with different priority levels In addition to these measures, vendor / carrier trust relationships have been established. These include lab visits, security test information sharing and security monitoring co-operations. An important cornerstone of the Nokia Siemens Networks security strategy also is the fact that the company carries out its own security research as well as active standardization support. This ensures that state-of-the-art security functionality is incorporated in the company s products. Nokia Siemens Networks further co-operates closely with a number of leading security vendors in order to provide a complete portfolio of security products. These include firewalls, VPN devices, security gateways, secure DNS, Session Border Controllers (SBCs), IDP, and UTM devices. 15

16 2008 Network Security Consulting Architecture and Design Development and Testing Implementation Life-cycle support Security Consulting Turnkey Security Solutions Revenue Assurance & Fraud Management Figure 4: The right solutions for risk minimization and revenue optimization 5.2 Security solutions for communication service providers The company s security portfolio covers the complete lifecycle, from consulting on both process and technical levels through to 24x7 operations and maintenance. The end-to-end approach ensures that all the different aspects of the CSP s organization and network layers are considered. Security Consulting Nokia Siemens Networks supports its customers by designing and implementing security strategies, processes and policies that tie security issues to business requirements. Experienced security consultants support CSPs with the following security core topics: An Information Security Management System (ISMS) that is based on a business risk approach designed to: establish, implement, operate, monitor, review, maintain and improve information security. We have developed a hands-on methodology that is used to define the project stages and activities of an ISMS project that is compliant with ISO Business Continuity Management (BCM) is concerned with managing risks in order to ensure that an organization can continue operating at a pre-determined level at all times. It comprises both risk reduction measures, which lower risks and their impact before an incident, and resumption planning, which ensures adequate response and recovery afterwards At the technical network level, each CSP has its own specific security solution requirements. In order to identify these requirements an analysis of the security threats to the overall system is the first step towards the development of a customized and optimized security solution. Security technology is the first line of defense in today s networks. This line is a combination of security specific devices (Firewalls, Intrusion Detection & Prevention Systems, Anti-Virus, and Anti-Spam) and an inherently secure configuration of core technology like routers, switches, GGSN, network servers, and application servers. To ensure that the requisite defense is in place and effective, Nokia Siemens Networks has developed a set of Network Security Consulting Services. These include: Risk Analysis Technical Audit Vulnerability Scanning, also known as Penetration Testing Security Optimization The Risk Analysis Service covers risk management as defined in ISO/ IEC TR This allows customers to develop customized state-of-the-art security plans with the aid of the company s security specialists. Disaster Recovery Planning defines and documents the procedures and plans required to minimize the impact of potentially disastrous events Develop Security Policies in accordance with corporate governance 16

17 Network Security 2008 The Technical Audit Service covers a thorough examination across major locations, domains and network elements within the CSP s network. Improve the security of your network by breaking into it! Based on this concept, the company has developed the Vulnerability Scanning Service. In this case a security expert uses a similar methodology to that of an attacker or real life hacker in order to try and break into the customer s network and thereby detect security leakages. Security Optimization supports customers by analyzing and redesigning their existing security infrastructure in order to simplify operations and save cost. Revenue Assurance and Fraud Management Nokia Siemens Networks offers a modular, flexible service portfolio and complete turnkey solutions for Revenue Assurance and Fraud Management. They provide consulting and integration services plus fully automated tools that detect, analyze and recover revenue leakage. Operation and Maintenance Services include around-the-clock and hands-on management and monitoring for the security infrastructure and enhanced maintenance for all products. The company can also outsource a CSP s entire security operation. Turnkey Security Solutions In addition to security consulting, the company offers Turnkey Security Solutions that cover CSP-specific issues. They comprise a bundle of pre-integrated, secure network elements (both hardware and software) and a pre-defined set of services at a fixed price. Examples include: Next Generation Network Security Mobile Core Security and FMC/IMS Security Content & Application Security Anti Virus / Anti Spam for SMS-/MMS and data traffic Identity & Access Management Single sign on for applications, role based access Security Management Security Information & Event Management (SIEM), policy and compliance management The security portfolio for CSPs is complemented by best-of-breed security products from suppliers like Check Point, Cisco, Crossbeam, Nokia S&S Security and Juniper/Netscreen. 17

18 2008 Network Security 6.Summary IP based networks will play a crucial role in the way we communicate and collaborate, both as business professionals and consumers. More and more applications will be based on these networks and more and more businesses will depend on their availability and integrity. It is therefore hard to overstate their importance to the global economy. high Economically balanced security level Security investment Networks are growing in line with the need to connect the on-going increase in subscribers and organizations as well as the need to accommodate bandwidth-hungry applications. In addition, the complexity of these networks will be enhanced by the integration of different access technologies and the market requirement for seamless handover between different access networks. Tomorrow s networks will become an attractive target for cyber crime and even cyber terrorism, while at the same time, new technologies and applications will open up new vulnerabilities and the possibility of sophisticated attacks. Protecting their availability and integrity will therefore become more and more important and it will be an ongoing challenge. Protecting networks, maintaining user privacy, confidentiality and the integrity of communication processes will become an increasingly complex task one that must be balanced against regulatory requirements. low none Security level maxi mum Nokia Siemens Networks factors all these considerations into its security strategy and there is a clearly defined and mandatory security process for all products and solutions. Moreover, the company develops security solutions in close co-operation with CSPs, standardization bodies, research institutes and universities, as well as governmental organizations. Nokia Siemens Networks offers the full range of security features and solutions for carrier networks, using own security features and products as well as partnerships with best-inclass 3rd party vendors. The company will continuously evolve its security solutions in order to counter new threats and to fulfill the on-going network security challenges and requirements. Potential loss Figure 5: The economically balanced security level 18

19 Network Security List of Acronyms BCM BGP CERT CSP ddos DNS DRM E2E EAL ECRIT FMC GGSN GPS GSM IDM IDP IDS IETF I-HSPA IP IPS IP-TV ISMS ISO Business Continuity Management Border Gateway Protocol Computer Emergency Response Team. Communication Service Provider Distributed Denial of Service Domain Name System Digital Rights Management End-to-End Evaluation Assurance Level Emergency Context Resolution with Internet Technologies Fixed/Mobile Convergence Gateway GPRS Support Node Global Positioning System Global System for Mobile communications IDentity Management Intrusion Detection & Prevention Intrusion Detection System Internet Engineering Task Force Internet High Speed Packet Access Internet Protocol Intrusion Prevention System Internet-Protocol (-based) Television Information Security Management System (ISMS) International Organization for Standardization ITU-T International Telecomm. Union Telecomm. Standard. Sector LI LTE MMS Lawful Interception Long Term Evolution of UMTS Radio Access Multimedia Messaging Service NAC NAT NFC NTP OAM OEM P2P PON QoS RFID RTP SAE SBC SIDR SIEM SLA SMS SPIT TCG TNC TPM UTM UTRAN VoIP VPN WiMAX WLAN xdsl Network Access Control Network Address Translation Near Field Communication Network Time Protocol Operations, Administration and Maintenance Original Equipment Manufacturer Peer to peer Passive Optical Network Quality of Service Radio-Frequency Identification Real-time Transport Protocol System Architecture Evolution (3GPP) Session Border Controller Secure Inter-Domain Routing Security Information and Event Management Service Level Agreement Short Message Service Spam related to Internet Telephony T puting Group Trusted Network Connect Trusted Platform Module Unified Threat Management UMTS Terrestrial Radio Access Network Voice over Internet Protocol Virtual Private Network Worldwide Interoperability for Microwave Access Wireless Local Area Network Digital Subscriber Line 19

20 Nokia Siemens Networks Corporation P.O. Box 1 FI NOKIA SIEMENS NETWORKS Finland Visiting address: Karaportti 3, ESPOO, Finland Switchboard (Finland) Switchboard (Germany) The contents of this document are copyright 2008 Nokia Siemens Networks. All rights reserved. A license is hereby granted to download and print a copy of this document for personal use only. No other license to any other intellectual property rights is granted herein. Unless expressly permitted herein, reproduction, transfer, distribution or storage of part or all of the contents in any form without the prior written permission of Nokia Siemens Networks is prohibited. The content of this document is provided AS IS, without warranties of any kind with regards its accuracy or reliability, and specifically excluding all implied warranties, for example of merchantability, fitness for purpose, title and non-infringement. In no event shall Nokia Siemens Networks be liable for any special, indirect or consequential damages, or any damages whatsoever resulting form loss of use, data or profits, arising out of or in connection with the use of the document. Nokia Siemens Networks reserves the right to revise the document or withdraw it at any time without prior notice. Nokia Siemens Networks and the Wave-logo are registered trademarks of Nokia Siemens Networks. Nokia Siemens Networks product names are either trademarks or registered trademarks of Nokia Siemens Networks. Other product and company names mentioned herein may be trademarks or trade names of their respective owners. Code: Nokia Siemens Networks 08/2008 Alphabet Consulting