Unified Security Architecture for enterprise network security

White Paper
Nortel Networks

Unified Security Architecture for enterprise network security

A conceptual, physical, and procedural framework for high-performance, multi-level, multi-faceted security to protect campus networks, data centers, branch networking, remote access, and IP telephony services.

The greater the reach and availability of the network, the greater its vulnerability to threats from within and outside the organization. The new openness of networked communications introduces new ethical, financial, and regulatory pressures to protect networks and enterprises from internal and external threats and attacks. Every IT security professional should be up-to-date on the Top Ten challenges to enterprise security and the latest recommendations to address those challenges.

Contents

Executive summary

Part I. The Top Ten challenges to enterprise network security
Enterprise Security Challenge #1: The Internet was designed to share, not to protect
Enterprise Security Challenge #2: Security is not optional
Enterprise Security Challenge #3: The bad guys have good guns
Enterprise Security Challenge #4: Security threats recognize no boundaries
Enterprise Security Challenge #5: Security depends on people, process, and technology
Enterprise Security Challenge #6: It's not enough to guard the front gate
Enterprise Security Challenge #7: There's no stock blueprint
Enterprise Security Challenge #8: Frisking everybody and everything takes time
Enterprise Security Challenge #9: Grace under fire is a requirement
Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date

Part II. The Nortel Networks Unified Security Architecture
Multi-layer security across application and network levels
Variable-depth security
Closed-loop policy management
Uniform access management
Secure network operations
Secure multimedia communications
Network survivability under attack
The closed-loop policy management reference model
A closer look at uniform access management

Part III. Network security in the real world
Securing the campus network
Securing the data center
Securing the remote office
Securing remote access
Securing IP telephony services

Part IV. Nortel Networks technology and expertise
Design tenets built into the Nortel Networks security portfolio
Expanded choice through partnerships
Security services
Nortel Networks product assurance
Nortel Networks and cross-industry security developments

Summary

Appendix A. Hackers' tools of the trade
Appendix B. Application and network level threats

Executive summary

Today's connected enterprise faces a security paradox. The very openness and ubiquity that make the Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to share, not to protect. The ports and portals that welcome remote sites, mobile users, customers, and business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and others who would misappropriate network resources for personal gain. The only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels and at multiple network points.

Nortel Networks, a global leader in secure data networking, offers proven solutions to satisfy end-to-end network security requirements. "Security in the DNA" is a key tenet of our strategy for the new enterprise network, a convergence framework we call One Network. A World of Choice. This document presents the security component of that enterprise network strategy.

The Unified Security Architecture provides a conceptual, physical, and procedural framework of best recommendations and solutions for enterprise network security. It serves as an important reference guide for IT professionals responsible for designing and implementing secure networks. What are the requirements and vulnerabilities? What technology options and implementation choices are available? How do you protect the network at all levels? This comprehensive strategy addresses those pressing concerns facing IT security specialists, and offers encouraging news about the depth and breadth of options available for securing critical network resources.

The Unified Security Architecture is realistic. It assumes that all components of an IT infrastructure are targets... that even internal users could be network threats... that attacks are inevitable... that network performance cannot be compromised by processing-intensive security measures... and that IT budgets are constrained.

The Unified Security Architecture acknowledges the diversity of networked enterprises. It is not a one-size-fits-all prescription, but rather a framework of functionality that offers multiple implementation choices suitable for closed, extended, and open enterprises in different industries and for diverse application requirements within all enterprise types.

The Unified Security Architecture addresses the multi-level complexity of network threats. It provides answers on multiple levels: for instance, from a firewall guardian to block intruders at the front gate to encryption to shroud every packet in privacy... from virtual private networks that span the global Internet to virtual LANs that segregate network management traffic from desktop users.

The Unified Security Architecture promotes a process, rather than an endpoint. Effective security is not achieved through a one-time initiative. This architecture outlines measures for strong ongoing policy management, reflecting both human and technical factors.

Read on for a discussion of the Top Ten challenges facing IT professionals today and how the Nortel Networks Unified Security Architecture addresses the challenges.

Part I. The Top Ten challenges to enterprise network security

Every enterprise that relies on network-connected applications and services is subject to 10 key security realities:

1. The Internet was designed to share, not to protect.
2. Security is not optional.
3. The bad guys have good guns.
4. Security threats recognize no boundaries.
5. Security depends on people, process, and technology.
6. It's not enough to guard the front gate.
7. There's no stock blueprint.
8. Frisking everybody and everything takes time.
9. Grace under fire is a requirement.
10. Security is a closed-loop process with an open-ended date.

Let's take a closer look at these challenges and what IT security professionals can do about them.

Enterprise Security Challenge #1: The Internet was designed to share, not to protect.

In six or seven short years, the Internet has evolved from an adjunct contact channel into the backbone of many critical business applications. Enterprises are leveraging their IP-based intranets and the world-wide Internet to bring remote offices, mobile workers, and business partners into their trusted network environments. Many enterprises are capitalizing on the growing reach and reliability of IP data networks to completely redefine the way they deliver and manage approved corporate applications. The Internet enables them to interact more effectively with customers, streamline operations, reduce operating costs, and increase revenues.

However, the Internet was designed to share, not to protect. The ports and portals that welcome outside users into the trusted internal network also potentially open the door to serious threats. The level of threat only increases as legacy applications become network-enabled and as network managers open their networks to more new users and applications.

How do you manage mission-critical communications on an inherently insecure medium? Managing that flow is somewhat like guarding a revolving door. You can't lock it unless you also close out the traffic you do want. Remote access services that enable traveling employees to dial in for access... remote offices connected via dial-up lines... intranets and extranets that connect outside parties to the enterprise network... all these business-enabling communications increase the vulnerability of the network.

Enterprise Security Challenge #2: Security is not optional.

Security breaches and unlawful access to confidential data can cost enterprises millions, but the requirement for network security goes beyond financial incentives. The governments of many countries are forcing enterprises to comply with regulations governing network security and privacy. In the U.S., the Federal government regulates the privacy and security of electronic information with such regulations as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Safe Harbor Act, the USA Patriot Act, and the Children's Internet Protection Act (CIPA). More are coming. Similar regulations are being enacted in Europe and elsewhere, such as the Data Protection Act and Computer Misuse Act in the U.K. Failure to comply with these regulations brings civil and criminal penalties, even prison terms.

Even if governmental regulations weren't an issue, organizations that suffer security breaches may be sued by customers and damaged by negative publicity. All enterprises that leverage the Internet for remote access have an obligation to protect network integrity and data confidentiality for their own sakes as well as for their customers and business partners.

Enterprise Security Challenge #3: The bad guys have good guns.

Attackers have a broad repertoire of tools and techniques they can use to compromise a network. With these tools of the trade, they can launch multi-level attacks: first creating an access hole to intrude upon the network, and then using secondary attacks to exploit other parts of the network. For example, attackers can take advantage of weak user authentication and authorization tools, improper allocation of hidden space, shared privileges among applications, or even sloppy employee habits to gain unauthorized access to network resources. They can disable a trusted host and assume its identity, a threat known as IP spoofing or session hijacking.

Using sophisticated new network sniffers that can decode data from packets across all layers of the OSI model, hackers can steal user names and passwords, and use that information to launch deeper attacks. Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing their service. In bucket brigade attacks, also known as man-in-the-middle assaults, the attacker intercepts messages in a public key exchange between a server and a client, retransmits the messages substituting their own public key, and in the process tricks the original entities/users into thinking they are communicating with each other. Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights. Masquerading enables a hacker to pose as a valid administrator or engineer to access the network, often to elevate user privileges.

For more information about these types of attacks, see Appendix A, Hackers' Tools of the Trade.

Enterprise Security Challenge #4: Security threats recognize no boundaries.

The typical enterprise internal trusted network is anything but internal these days. It extends to include supply chain partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more. Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would misappropriate network resources for personal gain. In today's business environment, the concept of a network perimeter is disappearing. Boundaries between inside and outside networks are becoming thinner, almost irrelevant.

Applications run on top of networks in a layered fashion. The OSI (Open Systems Interconnection) model was built to allow different layers to work without knowledge of each other. Unfortunately, that means that if one layer is hacked, communications are compromised without the other layers being aware of the attack. That means security must address unique considerations at application and network layers and bridge these layers to ward off multi-level threats.

Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources. Application-layer attacks can be based on viruses, worms, buffer overflow, and password harvesting, among others. Web services and single sign-on technologies aggravate the problem, since they encourage Web-enabling legacy-based applications that were not designed with Web connectivity and security issues in mind.

Network-layer threats expose the network infrastructure to sabotage, vandalism, bad system configuration, denial of service (DoS), snooping, industrial espionage, and theft of service. Attacks may be launched from inside the network by insiders and also from external sources such as hackers.

For more information about application-layer and network-layer threats, see Appendix B: Application and network level threats.

Enterprise Security Challenge #5: Security depends on people, process, and technology.

Vulnerabilities arise both from people and process failures (such as users posting their passwords in public view, or slack policy enforcement) and from technical aspects (such as rogue programs and Trojan horses), and from combinations of all three. The Nimda virus that recently caused havoc in IT environments is a perfect example. At first glance, Nimda was technical in nature: a virus. But on closer inspection, the havoc was caused more by human error than technical devilry. Nimda exploited six previous technical vulnerabilities; it was just a variant of previous vulnerabilities that were documented and communicated many months before Nimda actually spread on the Internet. Organizations should all have known about these vulnerabilities and disseminated that knowledge to the people responsible for protecting IT systems. Nimda was a non-issue for enterprises that had established processes in place for translating knowledge into action tasks, assigning responsibility for those tasks, and auditing successful completion.

Enterprise Security Challenge #6: It's not enough to guard the front gate.

Every component of the IT infrastructure is susceptible to attacks, not just obvious gateways to the Internet. Hosts, applications such as IP telephony, routers, and switches can be attacked by hackers or unauthorized users from inside or outside the enterprise. At the network level, the use of firewalls, proxy servers, and user-to-session filtering can add protection, but hackers seem to get smarter all the time. Using user access control at the network and application level with appropriate authentication and authorization can minimize the risks of unauthorized access. But the sheer diversity of the types of attacks and the multi-level nature of many attacks requires that IT managers understand how security breaches are instigated and be able to assess and recover from any inflicted damage. That means the only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels (user, application, and network) and at multiple network points.

Enterprise Security Challenge #7: There's no stock blueprint.

Each enterprise has a unique set of business needs and has evolved its networking environment accordingly. That means the right security strategy is more a prescription of functionality and characteristics than a stock blueprint. Security is not a one-size-fits-all situation. Neither is it a static implementation, any more than the network or technology remains static. For general purposes, we can categorize enterprises into three types of security spheres:

The closed enterprise uses logical (e.g. frame relay) or physical private lines between sites, with PC dial access provided selectively for employees needing access into the Internet. Web presence is achieved through an Internet data center provided by a service provider (who is responsible for establishing a secure environment). The organization also provides conventional dial access for remote employees (e.g. working from a hotel). The company uses private among employees with no external access. Wireless LANs are also starting to be used. Even the closed enterprise has security concerns, not just from disgruntled internal users, but also because there are a number of backdoor exposures. Users with dial access to the Internet from their desktop PCs, employees surfing the Net from laptops they use at home or on the road, and wireless LANs all introduce Internet-related threats. Perhaps the greatest risk comes from the specious belief that the closed enterprise is immune to external risks.

The extended enterprise is an extension of the closed enterprise. Web presence is still achieved via a service provider. Support for remote employee and office access over IP virtual private networks (VPNs) over the Internet is provided, delivering higher speed, lower cost connectivity. The enterprise provides general-purpose access for all employees into the Internet, allowing them to leverage the abundance of business-related information available on the Internet. Inter-working between the internal system and the rest of the world is provided.

The open enterprise leverages the Internet by allowing partners, suppliers, and customers to have access to an enterprise-managed Internet Data Center, even allowing selective access to internal databases and applications (e.g. as part of a supply chain management system). Internal and external users access the enterprise network from home, remote offices, or other networks using wired or mobile devices.

For the extended enterprise, the diversity of supported services and access mechanisms translates into multiple paths into the enterprise network, and in turn increases the risk. Naturally, that risk increases exponentially with the open enterprise, which has the greatest susceptibility to application-layer and network-layer threats, unauthorized access, and eavesdropping. Infrastructure, applications, and network management systems are equally vulnerable.

Figure 1. Generic enterprise types: the closed enterprise (dedicated WAN between sites, PC dial-in access, PC Internet dial-out, outsourced Web site at a service provider's Internet data center); the extended enterprise (remote access and office IP-VPNs, employee Internet access, interworking with the Internet data center); and the open enterprise (controlled partner and select customer access, connectivity boundaries lowered).

Enterprise Security Challenge #8: Frisking everybody and everything takes time.

Anyone who has traveled by airplane knows that the trade-off for enhanced security is delay. The more closely you inspect bags and travelers, the longer the lines at security. On enterprise networks as well, turning up the full complement of security features can slow Web servers to a crawl as they bog down with processing-intensive encryption, decryption, key management, and more. Bolting IP-VPN capabilities onto legacy routers brings its own brand of performance penalty. Voice applications, such as live Webcasts and Voice over IP, are very sensitive to delay and jitter and are therefore dramatically affected by traditional security mechanisms.

Enterprise Security Challenge #9: Grace under fire is a requirement.

In the context of security, reliability and survivability have somewhat different meanings. Network reliability ensures that the network continues to operate in spite of incidental failure of software and/or hardware components. Network survivability means the network continues to operate, delivering essential services in a timely manner while battling security threats, even if parts of the network are unreachable or disabled due to overt attack.

Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date.

Organizations must view security as a steady process and an evolving way of thinking about how to protect systems, networks, applications, and resources. Reduce risk by continually and steadily making progress in identifying and addressing vulnerabilities and security policy holes. Corporations and government institutions must be able to determine what is at stake when security measures fail, how to detect security breaches, and what to do about them. This process also entails continual training and awareness, since breaches of security policy are usually caused by human error or carelessness. Employees, managers, and administrators must all be aware of established security policies and best practices.

The good news is that enterprise networks can minimize their risks from unauthorized users without sacrificing performance for legitimate users. Part II of this document shows how the Nortel Networks Unified Security Architecture addresses these Top Ten challenges.

Figure 2. Enterprises need a security framework to optimally use IT techniques, tools, and methodologies against attackers. Possible attacks: authorization threats, IP spoofing, network sniffers, denial of service, intrusion, bucket brigade attacks, back door traps, data modification, masquerading. Protected enterprise: anti-virus software, deep packet filtering, digital certificates, IPsec and SSL encryption, firewalls, network- and host-based Intrusion Detection Systems (IDS).

Part II. The Nortel Networks Unified Security Architecture

What can IT security professionals do about the Top Ten challenges? The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of best recommendations for end-to-end enterprise network security addressing all the Top Ten challenges:

The Internet was designed to share, not to protect. So the Unified Security Architecture defines virtual private networks, virtual LANs, firewalls, encryption, and other mechanisms that enable enterprises to reduce the risk of being Internet-connected.

Security is not optional. The Unified Security Architecture upgrades enterprise security programs and infrastructures to comply with business, ethical, and regulatory mandates to protect data integrity and confidentiality.

The bad guys have good guns. The Unified Security Architecture identifies the various tools of the trade, how they operate, and what kinds of protections thwart these attacks.

Security threats recognize no boundaries. The Unified Security Architecture addresses threats on multiple functional and architectural layers, enabling enterprises to flexibly define what needs to be protected, from what kinds of threats, implemented how, and at what layers.

Security depends on people, process, and technology. The Unified Security Architecture calls for developing and enforcing security policies that address technical considerations and human aspects of security, such as staff training and process.

It's not enough to guard the front gate. The Unified Security Architecture begins with perimeter firewall defense and documents security provisions all the way to the individual user and application.

There's no stock blueprint. The Unified Security Architecture defines the required functionality and offers enterprises broad choice in which functions to implement, to what degree, using what platforms and protocols.

Frisking everybody and everything takes time. The Unified Security Architecture introduces purpose-built security products that use load-balancing, health-checking, and innovative acceleration technologies to minimize latency.

Grace under fire is a requirement. The Unified Security Architecture defines ways to segregate critical resources and sustain performance even under attack.

Security is a closed-loop process with an open-ended date. The Unified Security Architecture calls for policy management to be a process of continuous feedback and improvement, reflecting the latest industry knowledge and best practices.

The comprehensive security strategy set forth in this document is based on seven key principles:

1. Multi-layer security that defines security protection functions at application, network-assisted, and network security levels in a layered architecture that can be flexibly defined and implemented.
2. Variable-depth security across the enterprise, not just at the edge of the Internet: for example, from firewall perimeter defense, to VPNs to protect Internet-traversing traffic, and to VLANs to segregate traffic within a network.
3. Closed-loop policy management, including configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen by the end user application.
4. Uniform access management, including stringent authentication and roles-based authorization of access to all resources for all users, with granular access policies defined at the application level and managed enterprise-wide.
5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying other recommended security mechanisms to operational activities.
6. Secure multimedia communications, protected by encrypting the data, voice, and video payload without introducing delays that this real-time traffic cannot tolerate.
7. Survival under attack, for instance, by using resilient architectures with no single point of failure, and applying intrusion-detection systems, anti-virus software, content filtering, and ongoing vigilance as attackers continue adopting new weaponry.

Figure 3. Principles behind the Nortel Networks Unified Security Architecture: layered security, variable-depth security, closed-loop policy management, uniform access management, securing network operations, securing multimedia communications, survivability under attack.

The principles underpinning the Unified Security Architecture offer enterprises a security blueprint to use as they move towards increasingly open environments. Let's take a look at each of the seven key principles of the Unified Security Architecture.

Multi-layer security across application and network levels

Recognizing the multi-layered, interdependent nature of enterprise networks and the critical need for security at more than the application level, the Nortel Networks Unified Security Architecture logically organizes security into multiple levels:

The Network Security Layer provides security functions at OSI layers 1 to 3 (physical, link, and data levels).

The Network-Assisted Security Layer provides security functions at OSI layers 4 to 7 (network to application/presentation layers) on top of the network level for added security.

The Application Security Layer provides security in layer 7 of the OSI model, the application layer, and includes all security built into server and storage platforms.

Some functions, such as access lists and VLANs, operate purely at the Network Security Level. Others, such as firewalls, operate at either the Network or Network-Assisted Security Levels, depending on whether they are stateful or not. Others, such as SSL (Secure Sockets Layer), can be viewed as network-assisted or application security. The power of the Unified Security Architecture is that industry-defined security functions are leveraged in a structured fashion, tightening security overall. See Part III, Security in the Real World, for examples of these security layers in action for protecting campus and branch networks, data centers, IP telephony services, and remote access.

Hardening server operating systems

Within the application level of the multi-layer security framework, a key element is hardening the multiple operating systems used in network and user applications, such as OSs for data communications devices, servers, network management systems, IP telephony servers, and more. In an increasingly open, multivendor IT environment, network elements are frequently based on commercially available OSs. For example, Nortel Networks CallPilot unified messaging system, Symposium Contact Centers, and Business Communications Manager use a hardened version of Windows NT with off-the-shelf security software for functions such as anti-virus protection, intrusion detection, and login audits. Nortel Networks Succession CSE 1000 and Meridian IP-enabled PBX portfolios are built on an embedded real-time OS called VxWorks. The Nortel Networks Succession CSE MX system is built on UNIX. Procedures for hardening the OSs in Nortel Networks products are provided in our documentation. For third-party operating systems where no specific hardening guide exists, consult the OS vendor for the latest OS hardening patches and procedures.

Figure 4. Unified Security Architecture: policy management and secure access management span the Application Security, Network-Assisted Security, Network Security, and Network Management Security layers, serving end users, operators, partners, and customers.

The remaining elements of the architecture discussed in the sections to follow are inter-related and somewhat orthogonal to these layers. The table below illustrates how common security technologies map to the elements of the Nortel Networks Unified Security Architecture.

Figure 5. Security functionality mapping to the Unified Security Architecture (each function is mapped to one or more of the Network Security, Network-Assisted Security, and Application Security layers):

Policy management functionality: L2 (Layer 2 VPN, EAP, and port security); NAT (Network Address Translation); Policy Repository, Policy Decision Point, and Policy Enforcement Point; ACL (Access Control List).

Secure access management functionality: IPsec (IPsec encryption); SRT (secure dynamic routing); authentication client, authentication server, and authentication database; FW (firewalling); IDS (intrusion detection).

Network management security functionality: SSL (SSL encryption); CF (content filtering); VS (virus scanning); secure activity logs; network operator authentication; access control/operator authorization; encryption; secure remote access; firewalls; intrusion detection; OS hardening; virus-free software.

2.2. Variable-depth security

Defining security policy at multiple network levels produces a security strategy where each security level builds upon the capabilities of the layer below and provides finer grained security the closer you get to resources.

VLANs (Virtual LANs) provide basic network compartmentalization and segmentation, enabling business functions to be segregated in their own private local area networks, with cross-traffic from other VLAN segments strictly controlled or prohibited. The use of VLAN tags enables the segregation of traffic into specific groups such as Finance, HR, and Engineering, separating their data without leakage between disparate functions.

Perimeter and distributed firewall-filtering capabilities provide another level of protection at strategic points within the network. Firewalls enable the network to be further segmented into smaller areas, and enable secure connections to the public network. Firewalls limit inbound and outbound traffic to the protocols and authentication methods that are explicitly configured in the firewall. Firewalls that support Network Address Translation (NAT) enable optimization of IP addressing within the network as specified in RFC 1918 (Address Allocation for Private Internets). Firewalls provide an extra layer of access control that can be customized based on business needs. Distributed firewalls add the benefit of scalability. Personal firewalls can be deployed on end-users' systems to protect application integrity.

Virtual private networks (VPNs) provide an even finer granularity of user access control and personalization, enabling secure access at the individual user level from remote sites and business partners without requiring dedicated pipes. Dynamic routing over secure tunnels across the Internet provides a highly secure, reliable, and scalable solution. VPNs, VLANs, and firewalls together allow the network administrator to limit access by a user or user group based on strictly defined policy criteria and business needs. VPNs provide strong assurance of data integrity and confidentiality through strong encryption. VLANs alone may satisfy the security needs of the closed enterprise. Extended and open enterprises will likely require a combination of security level capabilities.

2.3. Closed-loop policy management

A properly designed and implemented security policy is an absolute requirement for all types of enterprises and has to be owned by one group. It should be a living document and process that is enforced, implemented, and updated to reflect the latest changes in the enterprise infrastructure and service requirements. The security policy must clearly identify the resources in the enterprise that are at risk and the resulting threat mitigation methodologies. It should define which users or classes of users have access to which resources. The policy must define the use of audit trails to help identify and discover violations, and the appropriate responses. Users think of the network in terms of people, applications, locations, time of day, and so on, not in technical terms such as firewall stateful inspection or access lists. Security policies should use non-technical vocabulary to the extent possible for user-facing issues, automatically translated by the policy management system into the technical security mechanisms the network implements.

Policy management addresses the full realm of security components (firewalls, intrusion-detection systems, access lists and filters, authentication techniques, and more) along with a system-wide view of network environments such as the data center, remote office, and campus networks. Ultimately, policy operates at a granular level to address pieces of the solution while providing centralized control and accountability. Centralization ensures that security parameters are set consistently across multiple nodes, and that multiple policies for different administrative domains all reflect enterprise-wide policy and inter-domain consistency. Closed-loop policy management is implemented using the reference architecture described in section 2.8, and includes configuration management of network devices, enforcement of policies in the network, and verification of network functionality via audit trails. Verification and audit trails close the loop on policy management and result in updates to the policy to reflect corrective actions.

2.4. Uniform access management

Access management refers to the authentication and authorization services that control users' access to resources. During authentication, users identify themselves to the network; during authorization, the network determines users' level of privilege based on their identity, as defined in policy. Access management is controlled by multiple methods, such as IP source filtering, proxies, and credential-based methods, often used in combination and each with its advantages and limitations. For example, an enterprise may choose to manage access for workstations using IP source filtering, and may choose a credential-based scheme for other users. Since users could be employees, network technicians, supply chain partners, inter-organization team members, or even customers, it is important to have robust, centralized access control enforced by the local or remote network device interfacing to the user.

Several methods can be used to authenticate a user: permanent or one-time passwords, biometric techniques, smart cards, and certificates. Password-based authentication must use strong passwords that are at least eight characters in length with at least one alphabetic, one numeric, and one special character. Where stronger authentication is required, password authentication can be combined with another authentication and authorization process based on protocols such as RADIUS and LDAP to provide authentication, authorization, and accounting (AAA) services. Additionally, key management can be based on Internet Key Exchange (IKE), and certificate management on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP). In defining access privileges on all ports and devices, the concept of least privilege should be applied, granting access only as needed.

Open and extended enterprises face the greatest challenges when designing access management policy. They require fine-grained rules that properly interface with identity directories and databases, multiple authentication systems such as RADIUS, and various hosts, applications, and application servers. The system should perform session management per user after the user is authenticated, and use flexible configuration and policy enforcement with fine-grained rules capable of dealing with specific objects. Unique accounts for each administrator should be used, with accountability for actions traceable to individuals, to provide for appropriate monitoring, accounting, and secure audit trails.

For more information about authentication and authorization, see section 2.9, A closer look at uniform access management.

2.5. Secure network operations

On the one hand, network management is like other data applications: it runs on servers and workstations, is complemented by application-level security, and takes advantage of network-level and network-assisted security. On the other hand, network operators are specialized users who should be subject to more stringent authentication and authorization procedures. Because of the greater access authority and functional privilege granted to network management personnel, their access and activities must be carefully secured to protect network configuration, performance, and survivability. The more open the enterprise and the more centralized the network management system, the greater the requirement for stringent security for network management processes. Secure network management requires a holistic approach rather than a specific security feature set on a network element. Our Unified Security Architecture recommendations address nine critical areas:

- Secure activity logs
- Network operator authentication
- Authorization for network operators
- Encryption of network management traffic
- Secure remote access for operators
- Firewalls and VLANs to partition the network
- Intrusion detection
- Hardening operating systems
- Anti-virus protection

Secure activity logs provide a verifiable audit trail of user or administrator activities and of events generated by network devices. Security activity logs must contain sufficient information to establish individual accountability, reconstruct past events, detect intrusion attempts, and perform both after-the-fact analysis of security incidents and long-term trend analysis. Activity log information helps identify the root cause of a security problem and prevent future incidents. For instance, activity logs can be used to reconstruct the sequence of events that led up to a problem, such as an intruder gaining unauthorized access to system resources, or a system malfunction caused by an incorrect configuration or a faulty implementation. Syslog is the most common mechanism used by equipment vendors, and it works with all third-party log analyzer systems. Because the information contained in activity logs can be used to compromise a network, the log information itself must be secured.

Network operator authentication based on strong centralized administration and enforcement of passwords ensures that only authenticated operators gain access to management systems. Centralized administration of passwords enables enforcement of password strength and removes the need for local storage of passwords on the network elements and EMS (Element Management Systems). RADIUS is the basic mechanism of choice for automating centralized authentication within Nortel Networks products.

Authorization for network operators uses authenticated identity to determine the user's access privileges: what systems they can access and what functions they can perform. Techniques based on RADIUS servers provide a basic level of access control. An additional LDAP server can provide more fine-grained access control if necessary.
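As an added illustration of what the paper asks of an activity log (this is not the paper's or Nortel's own code), the following Python reads constructed syslog lines from two hypothetical devices, reconstructs one operator's sequence of actions, flags a burst of failed operator logins, and flags a configuration change that no earlier authenticated login on that device accounts for. The device names, user names, addresses and the year 2004 are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample activity log (not real device output) in the classic BSD
# syslog layout "<PRI>Mon dd hh:mm:ss host program: message". It sketches an
# operator session on two hypothetical devices, core-sw1 and edge-fw2.
SAMPLE_LOG = """\
<38>Mar  3 09:12:01 core-sw1 login: user alice from 10.1.5.20 authenticated via RADIUS
<38>Mar  3 09:12:40 core-sw1 config: user alice changed description of vlan 120
<38>Mar  3 09:13:02 core-sw1 config: user alice committed running configuration
<38>Mar  3 09:20:11 edge-fw2 login: user bob from 198.51.100.7 authentication failed
<38>Mar  3 09:20:15 edge-fw2 login: user bob from 198.51.100.7 authentication failed
<38>Mar  3 09:20:19 edge-fw2 login: user bob from 198.51.100.7 authentication failed
<38>Mar  3 09:20:23 edge-fw2 login: user bob from 198.51.100.7 authentication failed
<38>Mar  3 09:31:50 edge-fw2 config: user mallory added rule permit any any
"""
ASSUMED_YEAR = 2004  # BSD syslog stamps carry no year; assumed for the sample

LINE_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")
LOGIN_RE = re.compile(r"^user (\S+) from (\S+) (authenticated|authentication failed)")
CONFIG_RE = re.compile(r"^user (\S+) (.+)$")


@dataclass
class Event:
    ts: datetime
    host: str
    severity: int    # PRI % 8 from the syslog priority field
    kind: str        # "login_ok", "login_fail", "config" or "other"
    user: str        # "" when the message names no user
    source: str      # client address for login events, else ""
    detail: str


def parse_line(line):
    """Parse one syslog line; None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, mon, day, clock, host, program, msg = m.groups()
    ts = datetime.strptime(f"{mon} {day} {clock} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    kind, user, source = "other", "", ""
    lm = LOGIN_RE.match(msg) if program == "login" else None
    cm = CONFIG_RE.match(msg) if program == "config" else None
    if lm:
        user, source = lm.group(1), lm.group(2)
        kind = "login_ok" if lm.group(3) == "authenticated" else "login_fail"
    elif cm:
        user, kind = cm.group(1), "config"
    return Event(ts, host, int(pri) % 8, kind, user, source, msg)


def parse_log(text):
    """Parse a whole log and order it by time, ready for event reconstruction."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted([e for e in events if e], key=lambda e: e.ts)


def failed_login_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Flag (host, user, source) triples with >= threshold failed logins inside
    one window; count is the largest number of failures in any single window."""
    stamps = defaultdict(list)
    for e in events:
        if e.kind == "login_fail":
            stamps[(e.host, e.user, e.source)].append(e.ts)
    findings = []
    for (host, user, source), times in stamps.items():
        best = start = 0
        for end in range(len(times)):           # sliding window, times already sorted
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"host": host, "user": user, "source": source, "count": best})
    return findings


def unattributed_config_changes(events):
    """Accountability check: a configuration change on a device by a user with no
    earlier successful login on that device recorded in the log."""
    logged_in, findings = set(), []
    for e in events:
        if e.kind == "login_ok":
            logged_in.add((e.host, e.user))
        elif e.kind == "config" and (e.host, e.user) not in logged_in:
            findings.append({"host": e.host, "user": e.user, "detail": e.detail})
    return findings


def operator_timeline(events, user):
    """Reconstruct one operator's actions across all devices, oldest first."""
    return [(e.ts.strftime("%H:%M:%S"), e.host, e.kind, e.detail) for e in events if e.user == user]


def analyze(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings as plain data."""
    events = parse_log(text)
    return {"events": len(events), "bursts": failed_login_bursts(events),
            "unattributed": unattributed_config_changes(events)}
```

The missing-login check only works when the log source itself is trustworthy and complete, which is why the paper insists that log data be secured.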
Encryption of network management traffic protects the confidentiality and integrity of network management data, which is especially important with the growing use of in-band network management. Encryption provides a high degree of protection from internal and external threats, with the exception of the small group of insiders who have legitimate access to encryption keys. Encryption between network operations center (NOC) clients and Element Management System (EMS) servers and/or network elements should be provided. This includes SNMP traffic, because there are known vulnerabilities in SNMP v1 and v2 that SNMP v3 is intended to address. Given the widespread deployment of SNMP v1 and v2, IPsec can be used to secure this traffic. Depending on traffic type, the security protocols to use for these links are IPsec (IP Security), Secure Shell (SSH), and SSL:

- SSH is an application-level security protocol that can be used in place of IPsec if the traffic consists of Telnet and FTP only, but it cannot normally be used to protect other traffic types.
- IPsec runs between the network layer (Layer 3) and the transport layer (Layer 4) and is the preferred protocol to protect any type of data traffic, independent of applications and protocols. External IPsec VPN devices, such as Nortel Networks Contivity Secure IP Services Gateways, can be used in various parts of the network to secure management traffic.
- SSL technology, integrated into all standard Web browsers, is the de facto standard security protocol for protecting HTTP traffic.

Secure remote access for operators: security must be provided for operators and administrators who manage the network from a remote location over a public network. Providing a secure virtual private network using IPsec is the mandatory solution, as this provides strong encryption and authentication of all remote operators. An IP-VPN product such as the Nortel Networks Contivity Secure IP Services Gateway should be placed at the management system interface, and all operators should be equipped with extranet access clients for their laptops or workstations.

Figure 6. Secure connectivity options for network management traffic

[Diagram: Network Operating Center clients (Telnet client, management client, browser client) reach the management systems across the NOC VLAN using IPsec or SSH, the browser client using SSL; a remote management client reaches them across the Internet using IPsec; the management systems (with VS and IDS) reach the network devices in the enterprise network over IPsec. Enforcement elements shown on the devices: L2, FW, Auth, AL.]

Firewalls and VLANs partition the network to segregate management devices and traffic from other, less confidential systems such as public Web servers. The firewall controls the type of traffic (defined by protocol, port number, and source and destination address) that can transit the boundary between security domains. Depending on the type of firewall (application versus packet filtering), firewalls can also filter the application content of the data flow.

Intrusion-detection systems incorporated into management servers defend against network intrusions by warning administrators of potential security incidents, such as a server compromise or a denial-of-service attack.

Hardening the operating systems used for network management closes potential security gaps in general-purpose operating systems and embedded real-time operating systems. OS hardening should use the latest procedures and patches from the OS manufacturer.

Anti-virus protection involves scanning all in-house and third-party software packages with virus-detection tools before incorporating the software into a product or network. A rigorous, established process ensures, to the extent possible, that network management software is virus-free.

2.6. Secure multimedia communications

Unified networks can carry voice, data, and video, each with its own performance requirements and security considerations. When and where to encrypt this traffic is a major consideration and a key element of any enterprise security policy. Encryption can be applied on a per-application basis using SSL, on a client-server basis using SSH (Secure Shell), or for all traffic using IPsec VPN technology. Generally, all traffic over the Internet and wireless LANs, and potentially critical information leaving the premises, should be secured with strong encryption technology.

IP telephony represents a particularly important class of application. As with any application, a risk assessment of IP telephony needs to be done: its intrinsic value assessed, the implications of loss understood, and a security policy formulated. We can start this assessment by making some key observations on telephony and data security in general. First, telephony is a critical business function and therefore, like the network itself, the telephony system as a whole must be protected from security attacks. Second, we trust the public voice network and live with the inherent vulnerability of eavesdropping on public cell phone systems. Third, we trust PBX networks, the critical components of which are locked away in a telecom room. In addition, IT organizations have spent a lot of effort to minimize toll fraud and misuse of the voice network for personal calls. On the data side, we also rely on physical security to ensure that only employees have access to the internal network, and we trust that information sent over LANs, campus networks, and private WANs running over physical and virtual private lines is generally secure. Outside the confines of the enterprise network, most enterprises have established security policies requiring that all internal data transmissions to employees and remote offices over the Internet be encrypted and authenticated. Likewise, critical customer interactions over the Web are protected via SSL. From a user perspective, keeping it simple has been the objective.

The Nortel Networks Unified Security Architecture for IP telephony follows the guidelines below:

- Enterprise IP telephony operates within the confines of the enterprise, inter-working with the public network over circuit-switched connections. End-to-end VoIP connectivity between public phones and phones within the enterprise is not considered in this version of the document.
- The IP networking infrastructure that supports IP telephony must be secure from a data perspective and engineered to meet the stringent latency and reliability requirements of telephony.
- IP telephony communications servers are business-critical and must be physically secure and protected from internal and external attack.
- Secure authentication of VoIP clients must be provided. While data users may expect to log in with multiple user IDs and passwords, they won't tolerate that authentication requirement for every phone call. Generally, telephony users have only been required to authenticate themselves for off-net access using a feature set called Direct Inward System Access (DISA).
- Encryption of voice is only a requirement when traversing a shared-media LAN or the Internet.
- Security must be holistic and span the entire telephony environment, including VoIP clients and servers, application servers (such as for unified messaging and contact centers), and traditional PBXs.

Encryption can be achieved with VPN techniques using IPsec, with Authentication Header (AH) and Encapsulating Security Payload (ESP), tunneling through the use of Layer 2 Tunneling Protocol (L2TP), key management based on Internet Key Exchange (IKE), and certificate management based on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP). SSL and Transport Layer Security (TLS) protect communications at the application layer. Standards-based encryption algorithms and hashes such as DES, 3DES, AES, RSA, and DSA should be used; MD5 and SHA-1 should be used for message integrity, and Diffie-Hellman and RSA for key exchange.

Wired Equivalent Privacy (WEP), as defined in the standard, is a technique to protect over-the-air transmission between wireless LAN (WLAN) access points and network interface cards (NICs). This protocol has been shown to be insecure. IEEE is working on standardizing encryption improvements for WLANs. Therefore, added measures of protection such as IPsec must be used to secure WLAN traffic over WEP.

2.7. Network survivability under attack

The typical enterprise network supports mission-critical operations and is essential for conducting business. That means the network must continue to operate, delivering essential services in a timely manner while battling security threats, even if parts of the network are unreachable or disabled by overt attack. This kind of survivability starts by logically organizing network services into at least two categories, essential services and non-essential services, and defining strategies that enable these services to resist, address, and recover from attacks. The most effective approaches combine multiple resistance, identification, and recovery strategies in an adaptable manner that responds to changing network conditions. For example, the network can re-route traffic from one server to another if an intrusion or an attack is detected on the first server. That means an effective survivability plan is holistic: it spans management systems, hosts, applications, routers, and switches across the network.

Naturally, the first line of resistance to attacks is strong access control through authentication and encryption. Keep intruders out at the first point of entry, if possible. Message and packet filtering and network and server segmentation provide strong secondary defenses. Intrusion-detection systems identify attacks in progress. Faithful attention to backup techniques enables rapid system and network recovery after a successful system breach. This includes high availability through redundancy of critical security functions, such as through the use of application switches, which provide redundancy between intrusion-detection servers. Additional techniques include the encryption of all mission-critical traffic, multi-link trunking (MLT), Virtual Router Redundancy Protocol (VRRP), dual/mirrored disk drives, backup CPUs, backup power supplies, and hot-swappable components. These mechanisms provide a higher level of confidence in the survivability of critical applications (such as IP telephony).

2.8. The closed-loop policy management reference model

The Nortel Networks Unified Security Architecture is based on the IETF architectural framework for policy management (RFC 2753). In this model, policy management is implemented across the network and at all levels (application, network-assisted, network), and is applicable to all types of users and applications.

Figure 7. Policy management within the Unified Security Architecture

[Diagram: the policy repository and the policy management console each communicate with the policy server (the Policy Decision Point, PDP) over LDAP; the policy server provisions the network devices (Policy Enforcement Points, PEPs) over COPS-PR, SNMP, or CLI. Enforcement functions shown on the devices: L2, NAT, Auth, AL, FW, CF.]

The IETF policy management model uses these key elements and protocols:

Policy Decision Points (PDPs), or policy servers, abstract network policies into specific device control messages, which are then passed to policy enforcement points. These policy servers are often standalone systems running Unix or Windows NT/2000, controlling switches and routers within an administrative domain; they communicate with these devices using a control protocol (e.g., COPS, SNMP Set commands, Telnet, or the device's specific command line interface, CLI).

A Policy Enforcement Point (PEP) is a network or security device that accepts a policy (configuration rules) from the Policy Decision Point and enforces that policy against network traffic traversing that device. This enforcement leverages network and network-assisted security mechanisms as appropriate.

Common Open Policy Service (COPS) is a simple query-and-response, stateful, TCP-based protocol that exchanges policy information between a Policy Decision Point (PDP) and its clients, the Policy Enforcement Points (PEPs). It is specified in an IETF RFC. COPS relies on the PEP to establish connections to a primary PDP (and a secondary PDP when the primary is unreachable) at all times. Alternatively, a COPS proxy device can be used to translate COPS messages originating from a policy server into SNMP or CLI commands understood by network and security devices. The COPS protocol supports two different extension models for policy control: a dynamic outsourcing model, COPS-RSVP, specified in RFC 2749, and a configuration or provisioning model, COPS-PR, specified in a separate RFC. Provisioning extensions to the COPS protocol allow policies to be installed on the PEP up front by the PDP, thus allowing the PEP to make policy decisions for data packets based on this pre-provisioned information. Further communication between the PDP and PEP is necessary to keep the policies provisioned in the data repository (i.e., the directory) in sync with those sent to the PEP.

The Policy Repository stores all policy information in a network directory. It describes network users, applications, computers, and services (i.e., objects and attributes), and the relationships between these entities. There is tight integration between IP address and end user (via Dynamic Host Control Protocol, DHCP, and the Domain Name System, DNS). This policy repository is usually implemented on a special-purpose database machine running Unix or Windows NT/2000, accessed by policy servers via LDAP. The Policy Repository stores relatively static information about the network (such as device configurations), whereas policy servers store more dynamic network state information (such as bandwidth allocation or information about established connections). The policy server retrieves policy information from the directory and deploys it to the appropriate network elements. There is no established standard to describe the structure of the directory database, i.e., how network objects and their attributes are defined and represented. A common directory schema is needed if multiple vendor applications are to share the same directory information; for example, all vendors need a common way to interpret and store configuration information about routers. The forthcoming Directory-Enabled Networking (DEN) standard, now being developed by the DMTF (Desktop Management Task Force), addresses this need. DEN includes an information model that provides an abstraction of profiles and policies, devices, protocols, and services. This provides a unified model for integrating users, applications, and networking services, and an extensible service-oriented framework.

The Lightweight Directory Access Protocol (LDAP version 3) is specified in an IETF RFC. LDAP is a client-server protocol for accessing a directory service. The LDAP information model is based on the entry, which contains information about some object (e.g., a person) and is composed of attributes, each of which has a type and one or more values. Each attribute has a syntax that determines what kinds of values are allowed in the attribute and how those values behave during directory operations.

The last element is the policy management console, generally running on a personal computer or workstation, which provides the human interface to the policy management system. A Web browser can be used to provide manager access from virtually anywhere, with policy object-level security used to limit which policies can be modified by a specific individual. The console provides a graphical user interface and the tools to define network policies as business rules. It may also give the operator access to lower-level security configurations in individual switches and routers.
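The translation of non-technical policy into technical mechanisms described under Closed-loop policy management, and the repository/PDP/PEP division of this reference model, as an added Python illustration that is not the paper's or Nortel's own code: a constructed LDIF repository (the attribute names netBlock, serverAddress, serviceProtocol and servicePort are hypothetical, since the paper notes no standard schema exists), a PDP step that compiles "who may reach what, and when" rules into device-level ACL entries, a default-deny PEP that enforces pre-provisioned entries, and a drift check that closes the loop by comparing what the PEP holds against current policy. Group names, address blocks, application entries and the LDAP naming are all assumed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional, Tuple

# Constructed policy repository content in LDIF layout. The attribute names
# (netBlock, serverAddress, serviceProtocol, servicePort) are hypothetical;
# as the paper notes, there is no standard schema for this information.
DIRECTORY_LDIF = """\
dn: cn=Finance,ou=groups,dc=example,dc=com
objectClass: businessGroup
netBlock: 10.10.0.0/16
netBlock: 192.0.2.0/24

dn: cn=Engineering,ou=groups,dc=example,dc=com
objectClass: businessGroup
netBlock: 10.20.0.0/16

dn: cn=Payroll,ou=applications,dc=example,dc=com
objectClass: application
serverAddress: 10.50.1.10
serviceProtocol: tcp
servicePort: 443

dn: cn=SourceRepo,ou=applications,dc=example,dc=com
objectClass: application
serverAddress: 10.60.2.5
serviceProtocol: tcp
servicePort: 22
"""

# Policy as a user states it: who may reach what, and when. Anything not
# listed is denied.
BUSINESS_RULES = [
    {"who": "Finance", "what": "Payroll", "when": ("08:00", "18:00")},
    {"who": "Engineering", "what": "SourceRepo", "when": None},
]


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: entries keyed by dn; every attribute is a value list."""
    entries, current = {}, {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:                       # a blank line ends an entry
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    window: Optional[Tuple[time, time]]    # None means any time of day
    action: str


def compile_policy(ldif: str, rules) -> List[AclEntry]:
    """PDP step: resolve the names in business rules through the repository
    into the device-level entries a PEP can enforce."""
    directory = parse_ldif(ldif)
    acl = []
    for r in rules:
        group = directory[f"cn={r['who']},ou=groups,dc=example,dc=com"]
        app = directory[f"cn={r['what']},ou=applications,dc=example,dc=com"]
        window = tuple(time.fromisoformat(t) for t in r["when"]) if r["when"] else None
        for block in group["netBlock"]:    # one entry per address block of the group
            acl.append(AclEntry(ipaddress.ip_network(block),
                                ipaddress.ip_address(app["serverAddress"][0]),
                                app["serviceProtocol"][0], int(app["servicePort"][0]),
                                window, "permit"))
    return acl


class EnforcementPoint:
    """PEP: holds entries provisioned up front and decides locally, default deny."""
    def __init__(self, acl: List[AclEntry]):
        self.acl = list(acl)

    def decide(self, src: str, dst: str, proto: str, dport: int, now_hhmm: str) -> str:
        s, d, now = ipaddress.ip_address(src), ipaddress.ip_address(dst), time.fromisoformat(now_hhmm)
        for e in self.acl:
            if s in e.src and d == e.dst and proto == e.proto and dport == e.dport:
                if e.window is None or e.window[0] <= now <= e.window[1]:
                    return e.action
        return "deny"


def drift(pep: EnforcementPoint, wanted: List[AclEntry]) -> Tuple[set, set]:
    """Closing the loop: entries the policy wants but the PEP lacks, and entries
    the PEP carries that the policy no longer contains."""
    have = set(pep.acl)
    return set(wanted) - have, have - set(wanted)
```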


More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order

More information

Enterprise K12 Network Security Policy

Enterprise K12 Network Security Policy Enterprise K12 Network Security Policy I. Introduction The K12 State Wide Network was established by MDE and ITS to provide a private network infrastructure for the public K12 educational community. Therefore,

More information

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline Course Number: SEC 150 Course Title: Security Concepts Hours: 2 Lab Hours: 2 Credit Hours: 3 Course Description: This course provides an overview of current technologies used to provide secure transport

More information

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall? What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to

More information

Securing Unified Communications for Healthcare

Securing Unified Communications for Healthcare Securing Unified Communications for Healthcare Table of Contents Securing UC A Unique Process... 2 Fundamental Components of a Healthcare UC Security Architecture... 3 Making Unified Communications Secure

More information

Network Security: Introduction

Network Security: Introduction Network Security: Introduction 1. Network security models 2. Vulnerabilities, threats and attacks 3. Basic types of attacks 4. Managing network security 1. Network security models Security Security has

More information

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions Permeo Technologies WHITE PAPER HIPAA Compliancy and Secure Remote Access: Challenges and Solutions 1 Introduction The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 has had an

More information

Gigabit SSL VPN Security Router

Gigabit SSL VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the

More information

Avaya G700 Media Gateway Security - Issue 1.0

Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise

More information

Total Cost of Ownership: Benefits of Comprehensive, Real-Time Gateway Security

Total Cost of Ownership: Benefits of Comprehensive, Real-Time Gateway Security Total Cost of Ownership: Benefits of Comprehensive, Real-Time Gateway Security White Paper September 2003 Abstract The network security landscape has changed dramatically over the past several years. Until

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

642 552 Securing Cisco Network Devices (SND)

642 552 Securing Cisco Network Devices (SND) 642 552 Securing Cisco Network Devices (SND) Course Number: 642 552 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional, Cisco Firewall Specialist,

More information

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0 ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Fundamental Principles of a Secure Network

More information

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1 Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3

More information

Cisco Security Services

Cisco Security Services Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

Networking: EC Council Network Security Administrator NSA

Networking: EC Council Network Security Administrator NSA coursemonster.com/uk Networking: EC Council Network Security Administrator NSA View training dates» Overview The EC-Council's NSA certification looks at network security from a defensive view. The NSA

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such

More information

NETWORK TO NETWORK INTERFACE PLAN

NETWORK TO NETWORK INTERFACE PLAN AT&T will provide interconnect points at both the Network Security Operations Center (NSOC) and the Sam Houston Building (SHB), the prescribed DIR locations via AT&T s VPN (AVPN) service. The standards-based

More information

Avaya TM G700 Media Gateway Security. White Paper

Avaya TM G700 Media Gateway Security. White Paper Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

Developing Network Security Strategies

Developing Network Security Strategies NETE-4635 Computer Network Analysis and Design Developing Network Security Strategies NETE4635 - Computer Network Analysis and Design Slide 1 Network Security Design The 12 Step Program 1. Identify network

More information

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method. A Brief Overview of VoIP Security By John McCarron Voice of Internet Protocol is the next generation telecommunications method. It allows to phone calls to be route over a data network thus saving money

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

ITU-T X.1205. Overview of cybersecurity. SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security

ITU-T X.1205. Overview of cybersecurity. SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security International Telecommunication Union ITU-T X.1205 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (04/2008) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security

More information

CISCO IOS NETWORK SECURITY (IINS)

CISCO IOS NETWORK SECURITY (IINS) CISCO IOS NETWORK SECURITY (IINS) SEVENMENTOR TRAINING PVT.LTD [Type text] Exam Description The 640-553 Implementing Cisco IOS Network Security (IINS) exam is associated with the CCNA Security certification.

More information

Best Practices for Outdoor Wireless Security

Best Practices for Outdoor Wireless Security Best Practices for Outdoor Wireless Security This paper describes security best practices for deploying an outdoor wireless LAN. This is standard body copy, style used is Body. Customers are encouraged

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

ICANWK406A Install, configure and test network security

ICANWK406A Install, configure and test network security ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with

More information

Information Technology Security Standards. Effective Date: November 20, 2000 OFM Guidelines for Economic Feasibility Revision Date: January 10, 2008

Information Technology Security Standards. Effective Date: November 20, 2000 OFM Guidelines for Economic Feasibility Revision Date: January 10, 2008 Information Technology Security Standards Adopted by the Information Services Board (ISB) on November 20, 2000 Policy No: Also see: 400-P2, 402-G1 Supersedes No: 401-S2 Auditor's Audit Standards Effective

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com. 2006 Cisco Systems, Inc. All rights reserved.

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com. 2006 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS Overview By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com 2006 Cisco Systems, Inc. All rights reserved. 1 Cisco Secure Access Control System Policy Control and

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

By David G. Holmberg, Ph.D., Member ASHRAE

By David G. Holmberg, Ph.D., Member ASHRAE The following article was published in ASHRAE Journal, November 2003. Copyright 2003 American Society of Heating, Refrigerating and Air-Conditioning Engineers, Inc. It is presented for educational purposes

More information

Network Security Guidelines. e-governance

Network Security Guidelines. e-governance Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

This chapter covers the following topics:

This chapter covers the following topics: This chapter covers the following topics: Components of SAFE Small Network Design Corporate Internet Module Campus Module Branch Versus Headend/Standalone Considerations for Small Networks C H A P T E

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

Using Ranch Networks for Internal LAN Security

Using Ranch Networks for Internal LAN Security Using Ranch Networks for Internal LAN Security The Need for Internal LAN Security Many companies have secured the perimeter of their network with Firewall and VPN devices. However many studies have shown

More information

Internet Services & Protocols

Internet Services & Protocols Department of Computer Science Institute for System Architecture, Chair for Computer Networks Internet Services & Protocols Internet (In)Security Dr.-Ing. Stephan Groß Room: INF 3099 E-Mail: stephan.gross@tu-dresden.de

More information

Endpoint Based Policy Management: The Road Ahead

Endpoint Based Policy Management: The Road Ahead Endpoint Based Policy Management: The Road Ahead Introduction In a rapidly growing and crowded security solutions market, organizations need to deploy the most effective technologies taking into consideration

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. 1 Information systems in corporations,government agencies,and other organizations

More information

Network Security Administrator

Network Security Administrator Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc. Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources

More information

HANDBOOK 8 NETWORK SECURITY Version 1.0

HANDBOOK 8 NETWORK SECURITY Version 1.0 Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

Securing an IP SAN. Application Brief

Securing an IP SAN. Application Brief Securing an IP SAN Application Brief All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time.

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

IP-VPN Architecture and Implementation O. Satty Joshua 13 December 2001. Abstract

IP-VPN Architecture and Implementation O. Satty Joshua 13 December 2001. Abstract Abstract Virtual Private Networks (VPNs) are today becoming the most universal method for remote access. They enable Service Provider to take advantage of the power of the Internet by providing a private

More information

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2 Table of Contents 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2 2 Features and Benefits 2-1 Key Features 2-1 Support for the Browser/Server Resource Access Model 2-1 Support for Client/Server

More information

Chapter 20. Firewalls

Chapter 20. Firewalls Chapter 20. Firewalls [Page 621] 20.1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations 20.2 Trusted Systems Data Access Control The Concept of Trusted Systems

More information

Secure SCADA Network Technology and Methods

Secure SCADA Network Technology and Methods Secure SCADA Network Technology and Methods FARKHOD ALSIHEROV, TAIHOON KIM Dept. Multimedia Engineering Hannam University Daejeon, South Korea sntdvl@yahoo.com, taihoonn@paran.com Abstract: The overall

More information

DeltaV Cyber Security Solutions

DeltaV Cyber Security Solutions TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital

More information

Network Security Policy De Montfort University January 2006

Network Security Policy De Montfort University January 2006 Network Security Policy De Montfort University January 2006 Page 1 of 18 Contents 1 INTRODUCTION 1.1 Background... 1.2 Purpose and Scope... 1.3 Validity... 1.4 Assumptions... 1.5 Definitions... 1.6 References..

More information

Remote Access Security

Remote Access Security Glen Doss Towson University Center for Applied Information Technology Remote Access Security I. Introduction Providing remote access to a network over the Internet has added an entirely new dimension to

More information

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0 EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses Professional Integrated Appliance for Small and Medium-sized businesses Benefits Clientless Secure Remote Access Seamless Integration behind the Existing Firewall Infrastructure UTM Security Integration

More information

SSL VPN Technical Primer

SSL VPN Technical Primer 4500 Great America Parkway Santa Clara, CA 95054 USA 1-888-NETGEAR (638-4327) E-mail: info@netgear.com www.netgear.com SSL VPN Technical Primer Q U I C K G U I D E Today, small- and mid-sized businesses

More information

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP Connecting MPLS Voice VPNs Enabling the secure interconnection of Inter-Enterprise VoIP Executive Summary: MPLS Virtual

More information

White Paper. avaya.com 1. Table of Contents. Starting Points

White Paper. avaya.com 1. Table of Contents. Starting Points White Paper Session Initiation Protocol Trunking - enabling new collaboration and helping keep the network safe with an Enterprise Session Border Controller Table of Contents Executive Summary...1 Starting

More information