Unified Security Architecture for enterprise network security

Transcription

1 White Paper Nortel Networks Unified Security Architecture for enterprise network security A conceptual, physical, and procedural framework for high-performance, multi-level, multi-faceted security to protect campus networks, data centers, branch networking, remote access, and IP telephony services. The greater the reach and availability of the network, the greater its vulnerability to threats from within and outside the organization. The new openness of networked communications introduces new ethical, financial, and regulatory pressures to protect networks and enterprises from internal and external threats and attacks. Every IT security professional should be up-to-date on the Top Ten challenges to enterprise security and the latest recommendations to address those challenges.

2 Contents Executive summary Part I. The Top Ten challenges to enterprise network security Enterprise Security Challenge #1 The Internet was designed to share, not to protect Enterprise Security Challenge #2 Security is not optional Enterprise Security Challenge #3 The bad guys have good guns Enterprise Security Challenge #4 Security threats recognize no boundaries Enterprise Security Challenge #5 Security depends on people, process, and technology Enterprise Security Challenge #6 It s not enough to guard the front gate Enterprise Security Challenge #7 There s no stock blueprint Enterprise Security Challenge #8 Frisking everybody and everything takes time Enterprise Security Challenge #9 Grace under fire is a requirement Enterprise Security Challenge #10 Security is a closed-loop process with an open-ended date Part II. The Nortel Networks Unified Security Architecture Multi-layer security across application and network levels Variable-depth security Closed-loop policy management Uniform access management Secure network operations Secure multimedia communications Network survivability under attack The closed-loop policy management reference model A closer look at uniform access management Part III. Network security in the real world Securing the campus network Securing the data center Securing the remote office Securing remote access Securing IP telephony services Part IV. Nortel Networks technology and expertise Design tenets built into the Nortel Networks security portfolio Expanded choice through partnerships Security services Nortel Networks product assurance Nortel Networks and cross-industry security developments Summary Appendix A. Hackers tools of the trade Appendix B. Application and network level threats

3 Executive summary Today s connected enterprise faces a security paradox. The very openness and ubiquity that make the Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to share, not to protect. The ports and portals that welcome remote sites, mobile users, customers, and business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and others who would misappropriate network resources for personal gain. The only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels and multiple network points. Nortel Networks, a global leader in secure data networking, offers proven solutions to satisfy end-to-end network security requirements. Security in the DNA is a key tenet of our strategy for the new enterprise network, a convergence framework we call One Network. A World of Choice. This document presents the security component of that enterprise network strategy. The Unified Security Architecture provides a conceptual, physical, and procedural framework of best recommendations and solutions for enterprise network security. It serves as an important reference guide for IT professionals responsible for designing and implementing secure networks. What are the requirements and vulnerabilities? What technology options and implementation choices are available? How do you protect the network at all levels? This comprehensive strategy addresses those pressing concerns facing IT security specialists, and offers encouraging news about the depth and breadth of options available for securing critical network resources. The Unified Security Architecture is realistic. It assumes that all components of an IT infrastructure are targets... that even internal users could be network threats... attacks are inevitable... network performance cannot be compromised by processingintensive security measures... and IT budgets are constrained. The Unified Security Architecture acknowledges the diversity of networked enterprises. It is not a one-size-fits-all prescription, but rather a framework of functionality that offers multiple implementation choices suitable for closed, extended, and open enterprises in different industries and for diverse application requirements within all enterprise types. The Unified Security Architecture addresses the multi-level complexity of network threats. It provides answers on multiple levels for instance, from a firewall guardian to block intruders at the front gate to encryption to shroud every packet in privacy... from virtual private networks that span the global Internet to virtual LANs that segregate network management traffic from desktop users. The Unified Security Architecture promotes a process, rather than an endpoint. Effective security is not achieved through a one-time initiative. This architecture outlines measures for strong ongoing policy management, reflecting both human and technical factors. Read on for a discussion of the Top Ten challenges facing IT professionals today and how the Nortel Networks Unified Security Architecture addresses the challenges. 3

4 Unified Security Architecture for enterprise network security A conceptual, physical, and procedural framework for high-performance, multi-level, multifaceted security to protect campus networks, data centers, branch networking, remote access, and IP telephony services. Part I. The Top Ten challenges to enterprise network security Every enterprise that relies on network-connected applications and services is subject to 10 key security realities: 1. The Internet was designed to share, not to protect. 2. Security is not optional. 3. The bad guys have good guns. 4. Security threats recognize no boundaries. 5. Security depends on people, process, and technology. 6. It s not enough to guard the front gate. 7. There s no stock blueprint. 8. Frisking everybody and everything takes time. 9. Grace under fire is a requirement. 10. Security is a closed-loop process with an open-ended date. Let s take a closer look at these challenges and what IT security professionals can do about them. Enterprise Security Challenge #1 The Internet was designed to share, not to protect. In six or seven short years, the Internet has evolved from an adjunct contact channel into the backbone of many critical business applications. Enterprises are leveraging their IP-based intranets and the world-wide Internet to bring remote offices, mobile workers, and business partners into their trusted network environments. Many enterprises are capitalizing on the growing reach and reliability of IP data networks to completely redefine the way they deliver and manage approved corporate applications. The Internet enables them to interact more effectively with customers, streamline operations, reduce operating costs, and increase revenues. However, the Internet was designed to share, not to protect. The ports and portals that welcome outside users into the trusted internal network also potentially open the door to serious threats. The level of threat only increases as legacy applications become network-enabled and as network managers open their networks to more new users and applications. How do you manage mission-critical communications on an inherently insecure medium? Managing that flow is somewhat like guarding a revolving door. You can t lock it unless you also close out the traffic you do want. Remote access services that enable traveling employees to dial in for access... remote offices connected via dial-up lines... intranets, and extranets that connect outside parties to the enterprise network... all these business-enabling communications increase the vulnerability of the network. 4

5 Enterprise Security Challenge #2 Security is not optional. Security breaches and unlawful access to confidential data can cost enterprises millions, but the requirement for network security goes beyond financial incentives. The governments of many countries are forcing enterprises to comply with regulations governing network security and privacy. In the U.S., the Federal government regulates the privacy and security of electronic information with such regulations as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Safe Harbor Act, the USA Patriot Act, and the Children s Internet Protection Act (CIPA). More are coming. Similar regulations are being enacted in Europe and elsewhere, such as the Data Protection Act and Computer Misuse Act in the U.K. Failure to comply with these regulations brings civil and criminal penalties, even prison terms. Even if governmental regulations weren t an issue, organizations that suffer security breaches may be sued by customers and damaged by negative publicity. All enterprises that leverage the Internet for remote access have an obligation to protect network integrity and data confidentiality for their own sakes as well as for their customers and business partners. Enterprise Security Challenge #3 The bad guys have good guns. Attackers have a broad repertoire of tools and techniques they can use to compromise a network. With these tools of the trade, they can launch multi-level attacks to access the network creating an access hole to intrude upon the network, and then using secondary attacks to exploit other parts of the network. For example, attackers can take advantage of weak user authentication and authorization tools, improper allocation of hidden space, shared privileges among applications, or even sloppy employee habits to gain unauthorized access to network resources. They can disable a trusted host and assume its identity, a threat known as IP spoofing or session hijacking. Using sophisticated new network sniffers that can decode data from packets across all layers of the OSI model, hackers can steal user names and passwords, and use that information to launch deeper attacks. Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing their service. In bucket brigade attacks, also known as man-in-the-middle assaults, the attacker intercepts messages in a public key exchange between a server and a client, retransmits the messages substituting their public key, and in the process tricks the original entities/users into thinking they are communicating with each other. Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights. Masquerading enables a hacker to pose as a valid administrator or engineer to access the network, often to elevate user privileges. For more information about these types of attacks, see Appendix A, Hackers Tools of the Trade. 5

6 Enterprise Security Challenge #4 Security threats recognize no boundaries. The typical enterprise internal trusted network is anything but internal these days. It extends to include supply chain partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more. Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would misappropriate network resources for personal gain. In today s business environment, the concept of a network perimeter is disappearing. Boundaries between inside and outside networks are becoming thinner, almost irrelevant. Applications run on top of networks in a layered fashion. The OSI (Open Systems Interconnection) model was built to allow different layers to work without knowledge of each other. Unfortunately, that means that if one layer is hacked, communications are compromised without the other layers being aware of the attack. That means security must address unique considerations at application and network layers and bridge these layers to ward off multi-level threats. Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources. Application-layer attacks can be based on viruses, worms, buffer overflow, and password harvesting, among others. Web services and single sign-on technologies aggravate the problem, since they encourage Web-enabling legacy-based applications that were not designed with Web connectivity and security issues in mind. Network-layer threats expose the network infrastructure to sabotage, vandalism, bad system configuration, denial of service (DoS), snooping, industrial espionage, and theft of service. Attacks may be launched from inside the network by insiders and also from external sources such as hackers. For more information about application-layer and network-layer threats, see Appendix B: Application and network level threats. Enterprise Security Challenge #5 Security depends on people, process, and technology. Vulnerabilities arise both from people and process failures (such as posting their passwords in public view, or slack policy enforcement) and technical aspects (such as rogue programs and Trojan horses) and combinations of all three. The Nimda virus that recently caused havoc in IT environments is a perfect example. At first glance, Nimda was technical in nature: a virus. But on closer inspection, the havoc was caused more by human error than technical devilry. Nimda exploited six previous technical vulnerabilities; it was just a variant of previous vulnerabilities that were documented and communicated many months before Nimda actually spread on the Internet. Organizations should all have known about these vulnerabilities and disseminated that knowledge to the people responsible for protecting IT systems. Nimda was a non-issue for enterprises that had established processes in place for translating knowledge into action tasks, assigning responsibility for those tasks, and auditing successful completion. 6

7 Enterprise Security Challenge #6 It s not enough to guard the front gate. Every component of the IT infrastructure is susceptible to attacks, not just obvious gateways to the Internet. Hosts, applications such as IP telephony, routers, and switches can be attacked by hackers or unauthorized users from inside or outside the enterprise. At the network level, the use of firewalls, proxy servers, and user-to-session filtering can add protection, but hackers seem to get smarter all the time. Using user access control at the network and application level with appropriate authentication and authorization can minimize the risks of unauthorized access. But the sheer diversity of the types of attacks and the multi-level nature of many attacks requires that IT managers understand how security breaches are instigated and be able to assess and recover from any inflicted damage. That means the only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels user, application, and network and at multiple network points. Enterprise Security Challenge #7 There s no stock blueprint. Each enterprise has a unique set of business needs and has evolved their networking environment accordingly. That means the right security strategy is more a prescription of functionality and characteristics than a stock blueprint. Security is not a one size fits all situation. Neither is it a static implementation, any more than the network or technology remains static. For general purposes, we can categorize enterprises into three types of security spheres: The closed enterprise uses logical (e.g. frame relay) or physical private lines between sites, with PC dial access provided selectively for employees needing access into the Internet. Web presence is achieved through an Internet data center provided by a service provider (who is responsible for establishing a secure environment). The organization also provides conventional dial access for remote employees (e.g. working from a hotel). The company uses private among employees with no external access. Wireless LANs are also starting to be used. Even the closed enterprise has security concerns, not just from disgruntled internal users, but also because there are a number of backdoor exposures. Users with dial access to the Internet from their desktop PCs, employees surfing the Net from laptops they use at home or on the road, and wireless LANs all introduce Internet-related threats. Perhaps, the greatest risk comes from the specious belief that the closed enterprise is immune to external risks. The extended enterprise is an extension of the closed enterprise. Web presence is still achieved via a service provider. Support for remote employee and office access over IP virtual private networks (VPNs) over the Internet is provided, delivering higher speed, lower cost connectivity. The enterprise provides general-purpose access for all employees into the Internet, allowing them to leverage the abundance of business-related information available on the Internet. Inter-working between the internal system and the rest of world is provided. The open enterprise leverages the Internet by allowing partners, suppliers, and customers to have access to an enterprisemanaged Internet Data Center, even allowing selective access to internal databases and applications (e.g. as part of a supply chain management system). Internal and external users access the enterprise network from home, remote offices, or other networks using wired or mobile devices. 7

8 For the extended enterprise, the diversity of supported services and access mechanisms translates into multiple paths into the enterprise network, and in turn increases the risk. Naturally, that risk increases exponentially with the open enterprise, which has the greatest susceptibility to application-layer and network-layer threats, unauthorized access, and eavesdropping. Infrastructure, applications, and network management systems are equally vulnerable. Figure 1. Generic Enterprise types Closed enterprise Customers Internet ASP Data Center Enterprise network Employees Dedicated WAN PC dial-in access PC Internet dial-out Outsourced Web site Private Extended enterprise Employees Internet Enterprise network Employees Internet Data Center Remote access and office IP-VPNs Employee Internet access Interworked Open enterprise Customers/partners/ employees Customers/ Employees Controlled partner and select customer access Internet Enterprise network Connectivity boundaries lowered 8

9 Enterprise Security Challenge #8 Frisking everybody and everything takes time. Anyone who has traveled by airplane knows that the trade-off for enhanced security is delay. The more closely you inspect bags and travelers, the longer the lines at security. On enterprise networks as well, turning up the full complement of security features can slow Web servers to a crawl as they bog down with processing-intensive encryption, decryption, key management, and more. Bolting IP-VPN capabilities onto legacy routers brings its own brand of performance penalty. Voice applications, such as live Webcasts and Voice over IP, are very sensitive to delay and jitter and are therefore dramatically affected by traditional security mechanisms. Enterprise Security Challenge #9 Grace under fire is a requirement. In the context of security, reliability and survivability have somewhat different meanings. Network reliability ensures that the network continues to operate in spite of incidental failure of software and/or hardware components. Network survivability means the network continues to operate delivering essential services in a timely manner while battling security threats, even if parts of the network are unreachable or disabled due to overt attack. Enterprise Security Challenge #10 Security is a closed-loop process with an open-ended date. Organizations must view security as a steady process and evolving way of thinking about how to protect systems, networks, applications, and resources. Reduce risk by continually and steadily making progress in identifying and addressing vulnerabilities and security policy holes. Corporations and government institutions must be able to determine what is at stake when security measures fail, how to detect security breaches, and what to do about them. This process also entails continual training and awareness, since breaches of security policy are usually caused by human error or carelessness. Employees, managers, and administrators must all be aware of established security policies and best practices. The good news is that enterprise networks can minimize their risks from unauthorized users without sacrificing performance for legitimate users. Part II of this document shows how the Nortel Networks Unified Security Architecture addresses these Top Ten challenges. Figure 2. Enterprises need a security framework to optimally use IT techniques, tools, and methodologies against attackers Possible attacks Authorization threats IP spoofing Network sniffers Denial of service Intrusion Bucket brigade Attacks Back door traps Data modification Masquerading Protected enterprise Anti-virus software Deep packet filtering Digital certificate IPsec and SSL encryption Firewalls Enterprise network Network and host-based Intrusion Detection Systems (IDS) Infrastructure Network sniffers 9

10 Part II. The Nortel Networks Unified Security Architecture What can security IT professionals do about the Top Ten challenges? The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of best recommendations for end-to-end enterprise network security addressing all the Top Ten challenges: The Internet was designed to share, not to protect. So the Unified Security Architecture defines virtual private networks, virtual LANs, firewalls, encryption, and other mechanisms that enable enterprises to reduce the risk of being Internet-connected. Security is not optional. The Unified Security Architecture upgrades enterprise security programs and infrastructures to comply with business, ethical, and regulatory mandates to protect data integrity and confidentiality. The bad guys have good guns. The Unified Security Architecture identifies the various tools of the trade, how they operate, and what kinds of protections thwart these attacks. Security threats recognize no boundaries. The Unified Security Architecture addresses threats on multiple functional and architectural layers, enabling enterprises to flexibly define what needs to be protected, from what kinds of threats, implemented how, and at what layers. Security depends on people, process, and technology. The Unified Security Architecture calls for developing and enforcing security policies that address technical considerations and human aspects of security, such as staff training and process. It s not enough to guard the front gate. The Unified Security Architecture begins with perimeter firewall defense and documents security provisions all the way to the individual user and application. There s no stock blueprint. The Unified Security Architecture defines the required functionality and offers enterprises broad choice in which functions to implement, to what degree, using what platforms and protocols. Frisking everybody and everything takes time. The Unified Security Architecture introduces purpose-built security products that use load-balancing, health-checking, and innovative acceleration technologies to minimize latency. Grace under fire is a requirement. The Unified Security Architecture defines ways to segregate critical resources and sustain performance even under attack. Security is a closed-loop process with an open-ended date. The Unified Security Architecture calls for policy management to be a process of continuous feedback and improvement, reflecting the latest industry knowledge and best practices. 10

11 The comprehensive security strategy set forth in this document is based on seven key principles: 1. Multi-layer security that defines security protection functions at application, network-assisted, and network security levels in a layered architecture that can be flexibly defined and implemented. 2. Variable-depth security across the enterprise not just at the edge of the Internet for example, from firewall perimeter defense, to VPNs to protect Internet-traversing traffic, and to VLANs to segregate traffic within a network. 3. Closed-loop policy management, including configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen by the end user application. 4. Uniform access management, including stringent authentication and roles-based authorization of access to all resources for all users, with granular access policies defined at the application level and managed enterprise-wide. 5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying other recommended security mechanisms to operational activities. 6. Secure multimedia communications, protected by encrypting the data, voice, and video payload without introducing delays that this real-time traffic cannot tolerate. 7. Survival under attack, for instance, by using resilient architectures with no single point of failure, and applying intrusion-detection systems, anti-virus software, content filtering, and ongoing vigilance as attackers continue adopting new weaponry. Figure 3. Principles behind Nortel Networks Unified Security Architecture Unified Security Architecture Layered security Securing network operations Variable-depth security Closed-loop policy management Securing multimedia communications Survivability under attack Uniform access management 11

12 The principles underpinning the Unified Security Architecture offer enterprises a security blueprint to use as they move towards increasingly open environments. Let s take a look at each of the seven key principles of the Unified Security Architecture Multi-layer security across application and network levels Recognizing the multi-layered, interdependent nature of enterprise networks and the critical need for security at more than the application level the Nortel Networks Unified Security Architecture logically organizes security into multiple levels: The Network Security Layer provides security functions at OSI layers 1 to 3 (physical, link, and data levels). The Network-Assisted Security Layer provides security functions at OSI layers 4 to 7 (network to application/ presentation layers) on top of the network level for added security. The Application Security Layer provides security in layer 7 of the OSI model, the application layer, and includes all security built into server and storage platforms. Some functions, such as access lists and VLANs, operate purely at the Network Security Level. Others, such as firewalls, operate at either the Network or Network-Assisted Security Levels, depending on whether they are stateful or not. Others such as SSL (Secure Sockets Layer) can be viewed as network-assisted or application security. The power of the Unified Security Architecture is that industry-defined security functions are leveraged in a structured fashion, tightening security overall. See Part III, Security in the Real World, for examples of these security layers in action for protecting campus and branch networks, data centers, IP telephony services, and remote access. Hardening server operating systems Within the application level of the multi-layer security framework, a key element is hardening the multiple operating systems used in network and user applications, such as OSs for data communications devices, servers, network management systems, IP telephony servers, and more. In an increasingly open, multivendor IT environment, network elements are frequently based on commercially available OSs. For example, Nortel Networks CallPilot unified messaging system, Symposium Contact Centers, and Business Communications Manager use a hardened version of Windows NT with off-the-shelf security software for functions such as anti-virus protection, intrusion-detection, and login audits. Nortel Networks Succession CSE 1000 and Meridian IP-enabled PBX portfolios are built on an embedded real-time OS called VxWorks. The Nortel Networks Succession CSE MX system is built on UNIX. Procedures for hardening the OSs in Nortel Networks products are provided in our documentation. For third-party operating systems where no specific hardening guide exists, consult the OS vendor for the latest OS hardening patches and procedures. Figure 4. Unified Security Architecture Policy Management Network Mgmt. Security Application Security Network-Assisted Security Network Security Secure Access Mgmt. End users Operators Partners Customers 12

13 The remaining elements of the architecture discussed in the sections to follow are inter-related and somewhat orthogonal to these layers. The table below illustrates how common security technologies map to the elements of Nortel Networks Unified Security Architecture. Figure 5. Security functionality mapping to the Unified Security Architecture Security functionality Network Network-assisted Application Security Security Security Policy management functionality L2 NAT Layer 2 VPN, EAP, and port security Network Address Translation Yes Yes Policy Repository Policy Decision Point Policy Enforcement Point AL Access control List Yes Secure access management functionality IPsec SRT IPsec encryption Secure dynamic routing Yes Yes Authentication client Authentication server Authentication database Auth FW Firewalling Yes Yes IDS Intrusion detection Yes Yes Network management security functionality SSL CF VS SSL encryption Yes Yes Content filtering Yes Yes Virus scanning Yes Yes Secure activity logs Network operator authentication Access control/operator authorization Encryption Secure remote access Firewalls Intrusion detection OS hardening Virus free software 2.2. Variable-depth security Defining security policy at multiple network levels produces a security strategy where each security level builds upon the capabilities of the layer below and provides finer grained security the closer you get to resources. VLANs (Virtual LANs) provide basic network compartmentalization and segmentation, enabling business functions to be segregated in their own private local area networks, with cross-traffic from other VLAN segments strictly controlled or prohibited. The use of VLAN tags enables the segregation of traffic into specific groups such as Finance, HR, and Engineering, separating their data without leakage between disparate functions. Perimeter and distributed firewall-filtering capabilities provide another level of protection at strategic points within the network. Firewalls enable the network to be further segmented into smaller areas, and enable secure connections to the public network. Firewalls limit access to inbound and outbound traffic to the protocols and authentication methods that are explicitly configured in the firewall. Firewalls that support Network Address Translation (NAT) enable optimization of IP addressing within the network as specified in RFC 1918 (Address Allocation for Private Internets). Firewalls provide an extra layer of access control that can be customized based on business needs. Distributed firewalls add the benefit of scalability. Personal firewalls can be deployed on end-users systems to protect application integrity. 13

14 Virtual private networks (VPNs) provide an even finer granularity of user access control and personalization enabling secure access at the individual user level from remote sites and business partners, without requiring dedicated pipes. Dynamic routing over secure tunnels across the Internet provides a highly secure, reliable and scalable solution. VPNs, VLANs, and firewalls together allow the network administrator to limit access by a user or user group based on strictly defined policy criteria and business needs. VPNs provide strong assurance of data integrity and confidentiality with strong encryption. VLANs alone may satisfy the security needs of the closed enterprise. Extended and open enterprises will likely require a combination of security level capabilities Closed-loop policy management A properly designed and implemented security policy is an absolute requirement for all types of enterprises and has to be owned by one group. It should be a living document and process, which is enforced, implemented, and updated to reflect the latest changes in the enterprise infrastructure and service requirements. The security policy must clearly identify the resources in the enterprise that are at risk and resulting threat mitigation methodologies. It should define which users or classes of users have access to which resources. The policy must define the use of audit trails to help identify and discover violations and the appropriate responses. Users think of the network in terms of people, applications, locations, time of day, etc. not in technical terms such as firewall stateful inspection or access lists. Security policies should use non-technical vocabulary to the extent possible for user-facing issues, automatically translated by the policy management system into technical security mechanisms for network implementation. Policy management addresses the full realm of security components firewalls, intrusion-detection systems, access lists and filters, authentication techniques, and more along with a system-wide view of network environments, such as data center, remote office, and campus networks. Ultimately, policy operates at a granular level to address pieces of the solution while providing centralized control and accountability. Centralization ensures that security parameters are set consistently across multiple nodes, and that multiple policies for different administrative domains all reflect enterprise-wide policy and inter-domain consistency. Closed-loop policy management is implemented using the reference architecture described in 2.8, and includes configuration management of network devices, enforcement of policies in the network, and verification of network functionality via audit trails. Verification and audit trails close the loop on policy management, and result in updates to the policy to reflect corrective actions Uniform access management Access management refers to authentication and authorization services that control user s access to resources. During authentication, users identify themselves to the network; during authorization, the network determines users level of privileges based on their identity, as defined in policy. Access management is controlled by multiple methods, such as IP source filtering, proxies, and credential-based methods often used in combination, and each with its advantages and limitations. For example, an enterprise may choose to manage access for workstations using IP source filtering, and may choose to use a credential-based scheme for other users. Since users could be employees, network technicians, supply chain partners, inter-organization team members, or even customers, it is important to have robust, centralized access control enforced by the local or remote network device interfacing to the user. 14

15 Several methods can be used to authenticate a user, such as: permanent or one-time passwords, biometric techniques, smart cards, and certificates. Password-based authentication must use strong passwords that are at least eight characters in length with at least one alphabetic, one numeric, and one special character. Where stronger authentication is required, password authentication can be combined with another authentication and authorization process based on protocols such as RADIUS and LDAP to provide authentication, authorization, and accounting (AAA) services. Additionally, key management can be based on Internet Key Exchange (IKE), certificate management on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP). In defining access privileges on all ports and devices, the concept of least privilege should be applied, granting access only as needed. Open and extended enterprises face the greatest challenges when designing access management policy. They require finegrained rules that properly interface with identity directories and databases, multiple authentication systems such as RADIUS, and various hosts, applications, and application servers. The system should perform session management per user after the user is authenticated and use flexible configuration and policy enforcement with fine-grained rules, capable of dealing with specific objects. Unique accounts for each administrator should be used, with accountability for actions traceable to individuals, to provide for appropriate monitoring, accounting, and secure audit trails. For more information about authentication and authorization, see section 2.9, A closer look at uniform access management Secure network operations On the one hand, network management is like other data applications, running on servers and workstations, complemented by application-level security and taking advantage of network-level and network-assisted security. On the other hand, network operators are specialized users who should be subject to more stringent authentication and authorization procedures. Because of the greater access authority and functional privilege granted to network management personnel, their access and activities must be carefully secured to protect network configuration, performance, and survivability. The more open the enterprise and the more centralized the network management system, the greater the requirement for stringent security for network management processes. Secure network management requires a holistic approach, rather than a specific security feature set on a network element. Our Unified Security Architecture recommendations address nine critical areas: Secure activity logs Network operator authentication Authorization for network operators Encryption of network management traffic Secure remote access for operators Firewalls and VLANs to partition the network intrusion-detection Hardening operating systems Anti-virus protection 15

16 Secure activity logs provide a verifiable audit trail of user or administrator activities and events generated by network devices. Security activity logs must contain sufficient information to establish individual accountability, reconstruct past events, detect intrusion attempts, and perform after-the-fact analysis of security incidents and long-term trend analysis. Activity log information helps identify the root cause of a security problem and prevent future incidents. For instance, activity logs can be used to reconstruct the sequence of events that led up to a problem, such as an intruder gaining unauthorized access to system resources, or a system malfunction caused by an incorrect configuration or a faulty implementation. Syslog is the most common mechanism used by equipment vendors; Syslog works with all third-party log analyzer systems. Because the information contained in activity logs can be used to compromise a network, this log information itself must be secured. Network operator authentication based on strong centralized administration and enforcement of passwords ensures that only authenticated operators gain access to management systems. Centralized administration of passwords enables enforcement of password strength and removes the need for local storage of passwords on the network elements and EMS (Element Management Systems). RADIUS is the basic mechanism of choice for automating centralized authentication within Nortel Networks products. Authorization for network operators uses authenticated identity to determine the user s access privileges what systems they can access, what functions they can perform. Techniques based on RADIUS servers provide a basic level of access control. An additional LDAP server can provide more fine-grained access control if necessary. Encryption of network management traffic protects the confidentiality and integrity of network management data traffic especially important with the growing use of in-band network management. Encryption provides a high degree of protection from internal and external threats, with the exception of the small group of insiders that have legitimate access to encryption keys. Encryption between network operations center (NOC) clients and Element Management System (EMS) servers and/or Network Elements should be provided. This includes SNMP traffic, because there are known vulnerabilities with SNMP v1 and v2, which are intended to be addressed by SNMP v3. Given the widespread deployment of SNMP v1 and v2, IPsec can be used to secure this traffic. Depending on traffic type, the security protocols to use for these links are IPsec (IP Security), Secure Shell (SSH), and SSL: SSH is an application-level security protocol that can be used in place of IPsec if the traffic consists of Telnet and FTP only, but it cannot normally be used to protect other traffic types. IPsec protocol runs between the network layer (Layer 3) and the transport layer (Layers 4) and is the preferred protocol to protect any type of data traffic, independent of applications and protocols. External IPsec VPN devices, such as Nortel Networks Contivity Secure IP Services Gateways, can be used in various parts of the network to secure management traffic. SSL technology integrated into all standard Web browsers is the de-facto standard security protocol to protect HTTP traffic. Secure remote access for operators: Security must be provided for operators and administrators who manage the network from a remote location over a public network. Providing a secure virtual private network using IPsec is the mandatory solution, as this will provide strong encryption and authentication of all remote operators. An IP-VPN product such as Nortel Networks Contivity Secure IP Services Gateway should be placed at the management system interface and all operators should be equipped with extranet access clients for their laptop or workstations. 16

17 Figure 6. Secure connectivity options for network management traffic Network Operating Center Telnet client Management client Browser client SSL Remote Management client IPsec L2 NOC VLAN IPsec Internet IPsec or SSH SSL IPsec or SSH IPsec or SSH Management Systems VS IDS IPsec IPsec FW Auth AL Enterprise network Network devices Firewalls and VLANs partition the network to segregate management devices and traffic from other, less confidential systems such as public Web servers. The firewall controls the type of traffic (defined by protocol, port number, source and destination address) that can transit the boundary between security domains. Depending on the type of firewall (application versus packet filtering), firewalls can also filter the application content of the data flow. Intrusion-detection systems incorporated into management servers defend against network intrusions by warning administrators of potential security incidents, such as a server compromise or denial-of-service attack. Hardening operating systems used for network management close potential security gaps in general-purpose operating systems and embedded real-time operating systems. OS hardening should use the latest procedures and patches from the OS manufacturer. Anti-virus protection involves scanning all in-house and third-party software packages with virus-detection tools before incorporating the software into a product or network. A rigorous, established process ensures to the extent possible that network management software is virus-free. 17

18 Secure multimedia communications Unified networks can carry voice, data, and video each with their unique performance requirements and security considerations. When and where to encrypt this traffic is a major consideration, and is a key element of any enterprise security policy. This can be done on a per-application basis using SSL, on a client-server basis using SSH (Secure Shell), or for all traffic using IPsec VPN technology. Generally, all traffic over the Internet and wireless LANs and potentially critical information leaving the premises should be secured via strong encryption technology. IP telephony represents a particularly important class of application. As with any applications, a risk assessment of IP telephony needs to be done to assess its intrinsic value, the implications of loss understood, and a security policy formulated. We can start this assessment by making some key observations on telephony and data security in general. First of all, telephony is a critical business function and therefore, like the network itself, the telephony system as a whole must be protected from security attacks. Secondly, we trust the public voice network and live with the inherent vulnerability of eavesdropping of public cell phone systems. Third, we trust PBX networks, the critical components of which are locked away in a telecom room. In addition, IT organizations have spent a lot of effort to minimize toll fraud and misuse of the voice network for personal calls. On the data side, we also rely on physical security to ensure that only employees have access to the internal network, and we trust that information sent over LANs, campus nets, and over private WANs running over physical and virtual private lines are generally secure. Outside of the confines of the enterprise network, most enterprises have established security policies that all internal data transmissions to employees and remote offices over the Internet need to be encrypted and authenticated. Likewise, critical customer interactions over the Web are protected via SSL. From a user perspective, keeping it simple has been the objective. The Nortel Networks Unified Security Architecture for IP telephony follows the guidelines below: Enterprise IP telephony operated within the confines of the enterprise, inter-working with the public network over circuitswitched connections. End-to-end VoIP connectivity between public phones and phones within the enterprise is not considered in this version of the document. The IP networking infrastructure that supports IP telephony must be secure from a data perspective and engineered to meet the stringent latency and reliability requirements of telephony. IP telephony communications servers are business-critical and must be physically secure and protected from internal and external attack. Secure authentication of VoIP clients must be provided. While data users may expect to log in with multiple userids and passwords, they won t tolerate that authentication requirement for every phone call. Generally, telephony users have only been required to authenticate themselves for off-net access using a feature set called Direct Inward System Access (DISA). Encryption of voice is only a requirement when traversing a shared media LAN or the Internet. Security must be holistic and span the entire telephony environment, including VoIP clients and servers, application servers (such as for unified messaging and contact centers), and traditional PBXs. Encryption can be achieved with VPN techniques using IPSec, with Authentication Header (AH) and Encapsulating Security Payload (ESP), tunneling through the use of Layer 2 Tunneling Protocol (L2TP), key management based on Internet Key Exchange (IKE), and certificate management based on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP). SSL and Transport Layer Security (TLS) protect communications at the application layer. Standards-based encryption algorithms and hashes such as DES, 3DES, AES, RSA and DSA. MD5 and SHA-1 should be used for message integrity, and Diffie-Hellman and RSA for key exchange. The Wired Equivalent Privacy (WEP) as defined in the standard defines a technique to protect over-the-air transmission between wireless LAN (WLAN) access points and network interface cards (NICs). This protocol has been shown to be insecure. IEEE is working on standardizing encryption improvements for WLANs. Therefore, added measures of protection such as IPsec must be used to secure WLAN traffic over WEP.

19 2.7. Network survivability under attack The typical enterprise network supports mission-critical operations and is essential for conducting business. That means the network must continue to operate delivering essential services in a timely manner while battling security threats, even if parts of the network are unreachable or disabled due to overt attack. This kind of survivability starts by logically organizing network services into at least two categories essential services and nonessential services and defining strategies that enable these services to resist, address, and recover from attacks. The most effective approaches combine multiple resistance, identification, and recovery strategies in an adaptable manner that responds to changing network conditions. For example, the network can re-route traffic from one server to another if an intrusion or an attack is detected on the first server. That means an effective survivability plan is holistic; it spans management systems, hosts, applications, routers, and switches across the network. Naturally, the first line of resistance to attacks is strong access control through authentication and encryption. Keep intruders out at the first point of entry, if possible. Message and packet filtering and network and server segmentation provide strong secondary defenses. Intrusion-detection systems identify attacks in progress. Faithful attention to backup techniques enables rapid system and network recovery after a successful system breach. This includes high availability through redundancy of critical security functions, such as through the use of application switches, which provide redundancy between intrusion-detection servers. Additional techniques include the encryption of all mission-critical traffic, multi-link trunking (MLT), virtual router redundancy protocol (VRRP), dual/mirroring of disk drives, backup CPUs, backup power supplies, and hot-swappable components. These mechanisms provide a higher level of confidence in the survivability of critical applications (such as IP telephony) The closed-loop policy management reference model The Nortel Networks Unified Security Architecture is based on the IETF architectural framework for policy management (RFC 2753). In this model, policy management is implemented across the network and at all levels (application, networkassisted, network), and applicable to all types of user and applications. Figure 7. Policy management within the Unified Security Architecture Policy repository LDAP Policy management console LDAP Policy server Policy Decision Point (PDP) COP-PR, SNMP, CLI Network devices Policy Enforcement Point (PEP) L2 NAT Auth AL FW CF 19

20 The IETF policy management model uses these key elements and protocols: Policy Decision Points (PDPs) or policy servers abstract network policies into specific device control messages, which are then passed to policy enforcement points. These policy servers are often standalone systems running Unix or Windows NT/2000, controlling switches and routers within an administrative domain; they communicate with these devices using a control protocol (e.g., COPS, SNMP Set commands, Telnet, or the device s specific Command Line Interface CLI). A Policy Enforcement Point (PEP) is a network or security device that accepts a policy (configuration rules) from the Policy Decision Point and enforces that policy against network traffic traversing that device. This enforcement leverages network and network-assisted security mechanisms as appropriate. Common Open Policy Service (COPS) is a simple query-and-response, stateful, TCP-based protocol that exchanges policy information between a Policy Decision Point (PDP) and its clients Policy Enforcement Points (PEPs). It is specified in RFC COPS relies on the PEP to establish connections to a primary PDP (and a secondary PDP when the primary is unreachable) at all times. Alternatively, a COPS proxy device can be used to translate COPS messages originating from a policy server into SNMP or CLI commands understood by network and security devices. The COPS protocol supports two different extension models for policy control: a dynamic outsourcing model COPS-RSVP, specified in RFC 2749, and a configuration or Provisioning model COPS-PR, specified in RFC Provisioning extensions to the COPS protocol allow policies to be installed on the PEP up front by the PDP, thus allowing the PEP to make policy decisions for data packets based on this pre-provisioned information. Further communication between the PDP and PEP is necessary to keep policies provisioned in the data repository (i.e. the directory) in sync with those sent to the PEP. The Policy Repository stores all policy information in a network directory. It describes network users, applications, computers, and services (i.e., objects and attributes), and the relationships between these entities. There is tight integration between IP address and the end user (via Dynamic Host Control Protocol - DHCP and a Domain Name System - DNS). This policy repository is usually implemented on a special-purpose database machine running Unix or Windows NT/2000 accessed by policy servers via LDAP. The Policy Repository stores relatively static information about the network (such as device configurations), whereas policy servers store more dynamic network state information (such as bandwidth allocation or information about established connections). The policy server retrieves policy information from the directory and deploys it to the appropriate network elements. There is no established standard to describe the structure of the directory database, i.e., how network objects and their attributes are defined and represented. A common directory schema is needed if multiple vendor applications are to share the same directory information; for example, all vendors need a common way to interpret and store configuration information about routers. The forthcoming Directory-Enabled Networking (DEN) standard, now being developed by the DMTF (Desktop Management Task Force), addresses this need. DEN includes an information model that provides an abstraction of profiles and policies, devices, protocols, and services. This provides a unified model for integrating users, applications, and networking services, and an extensible service-oriented framework. The Lightweight Directory Access Protocol (LDAP version 3) is specified in RFC LDAP is a client-server protocol for accessing a directory service. The LDAP information model is based on the entry, which contains information about some object (e.g., a person), and is composed of attributes, which have a type and one or more values. Each attribute has a syntax that determines what kinds of values are allowed in the attribute and how those values behave during directory operations. The last element is the policy management console generally running on a personal computer or workstation that provides the human interface to the policy management system. A Web browser can be used to provide manager access from virtually anywhere, with policy object-level security used to limit which policies can be modified by a specific individual. The console provides a graphical user interface and the tools to define network policies as business rules. It may also give the operator access to lower-level security configurations in individual switches and routers. 20