Core CS & Core PS Network High-Level Security Requirements
Document Properties
Title: Mobile Network Security/CSPS/Telecom Core Network High-Level Security Requirements
Version: 1
Owner: Jamie Fisher
Author: Jamie Fisher
Reviewers: Removed
Approved By: Jamie Fisher
Pages: Total number of pages: 163
Classification: Public

Version control (Version | Date | Author | Description):
0.1 | June 25, 2006 | Jamie Fisher | Draft
0.2 | July 11, 2006 | Jamie Fisher | Updated
0.3 | July 17, 2006 | Jamie Fisher | Updated
0.4 | July 18, 2006 | Jamie Fisher | Release

Release control (Version | Date | Release Group | Action):
| August, 2006 | Removed | Information

CLASSIFICATION: Public
File Properties
Filename: Mobile High-Level Security Requirements.v.4 (1).doc
Last Printed: 1/12/2007 1:04:00 AM
Last Saved: 15/12/ :47:00 AM
Creation Date: 7/26/ :00:00 PM
Index
1. Introduction
General
Protection at the network layer
Security for native IP based protocols
Security Domains
Security domains and interfaces
Security Gateways
Key Management and Distribution Architecture for IP Networks
Security services afforded to the protocols
Security Association (SA)
Security Policy Database (SPD)
Security Association Database (SAD)
Profiling of IPSec
Support of ESP
Support of AH
Support of tunnel mode
Support of ESP encryption transforms
Profiling of IKE
Security policy granularity
Network Domain Security Key Management and Distribution Architecture for Native IP Based Protocols
Network domain security architecture outline
Interface description
Filtering routers and firewalls
Firewall controls
9.2. DMZ controls
Audit controls
Network controls
IDS/IPS Deployment for GTP and IP Networks
DNS Security
Generic Requirements
Internal DNS Security (DNSi)
External DNS Security (DNSx)
Core CS and Core PS Network Infrastructure Layer 2 and Layer 3 Security Requirements
Scope (example)
Release
References
Technical Requirements
Hardening the Core
Removal of Services Cisco Routers
Removal of unrequired interface services Cisco routers
Receive Access Control Lists (rACLs)
Selective Packet Discard
Hardening Core network protocols
IS-IS
IBGP
EBGP
HSRP
LDP
VTP
Spanning Tree
13.8. CLI Transport
Null
Cisco Discovery Protocol
Remote Management Security
User accounts
Securing Access to the Core Infrastructure
Port Security
Access to the CLI
Core AAA System
Audit Logging
Core Syslog System
Security Monitoring
SNMP
NTP
SFTP
Miscellaneous
Warning (Login) Banners
Traceroute across the Core Network
ACL Processing Optimisation
Global Routing
RADIUS
RADIUS Requirement
RADIUS Basics
RADIUS Packets
RADIUS Deployment
RADIUS Shared Secret
15.6. RADIUS Billing
Border Gateway
Border Gateway (GRX) Security
Security of Gom, Gn, Gch, Gi and Gp
GGSN Board categories
Gn Application board (GnA)
Gn Router board (GnR)
Node internal networks
Node internal IP subnetwork
Internal Gn network (IGn)
Traffic over the Gn, Gp and Gom interfaces
GTP
DNS
NTP
HTTP
SFTP
TELNET
SSH
IPSec
IP Addresses
IGn network OM VIP
GnR IGn IP addresses
GTP VIP(s)
Gn IPSec IP address
GnR external IP addresses
The GPRS Tunnelling Protocol (GTP)
The Signalling Plane
Path Management messages
Tunnel Management messages
Location Management messages
Mobility Management messages
Transmission Plane
Routing Protocol Security
ROUTING PROTOCOLS
DNS
IPSec Security
IP Packet Filters
GTP Security
MPLS BackBone
About Mobile Network Security
Conclusion
Appendix
1. Introduction

The scope of this document is to outline cellular network operator requirements on basic principles for Core network security architecture and to provide security requirements for core network elements. A central concept introduced in this specification is the notion of a security domain. Security domains are networks that are managed by a single administrative authority. Within a security domain the same level of security and usage of security services will be typical. Typically, security domains are identified by the resources that require access to the various network elements. These resources are then segregated into security zones enforced by access control lists, authentication, firewall rules, operating systems or Network Elements (NEs) and security protocols.

1.1. General

This document was produced as an action taken from a meeting with a telecommunication vendor where high-level security issues were being discussed. The outcome of that meeting produced this document. This document therefore states generic security requirements for core network elements within GSM and 3G networks. Sections 1.2 through 8.2 are taken from various RFC, ETSI and 3GPP documents. The content of Appendix 1 is directly taken from

1.2. Protection at the network layer

For IP based protocols, security shall be provided at the network layer. The security protocols to be used at the network layer are the IETF-defined IPSec security protocols as specified in RFC
1.3. Security for native IP based protocols

The network domain control plane of an IP network is sectioned into security domains, and typically these coincide with compartmentalized zones. The zone between the security domains is protected by Security Gateways. These can be proxies, firewalls, routers or circuit-level gateways. The Security Gateways are responsible for enforcing the security policy of a security domain towards other Security Gateways in the destination security domain. A Security Gateway may be defined for interaction towards all reachable security domain destinations, or it may be defined for only a subset of the reachable destinations. The network domain security of an IP network does not extend to the user plane (over-the-air interfaces) but does extend as far as the BSS. This does, however, cover the Gi VPN up to and including the Internet gateway of the PE firewall. A chained-tunnel/hub-and-spoke approach is used, which facilitates hop-by-hop security protection. All IP traffic shall pass through a Security Gateway before entering or leaving the security domain.

2. Security Domains

2.1. Security domains and interfaces

The network domain of an IP network shall be logically and physically divided into security domains. These control plane security domains may closely correspond to the Core Packet Switched network up to and including the IP backbone (IPBB) and MPLS backbone (MPLSBB), and shall be logically separated by means of VPNs and compartmentalized by means of security gateways.
3. Security Gateways

Security Gateways are entities on the borders of the IP security domains and are used for securing native IP based protocols. The Security Gateways are defined to handle communication over various interfaces. All IP traffic shall pass through a Security Gateway before entering or leaving the security domain. Each security domain can have one or more Security Gateways. Each Security Gateway will be defined to handle IP traffic in or out of the security domain towards a well-defined set of reachable IP security domains. The number of Security Gateways in a security domain will depend on the need to differentiate between the externally reachable destinations, the need to balance the traffic load, and the need to avoid single points of failure. The security gateways shall be responsible for enforcing security policies for interworking between networks. The security may include filtering policies and firewall functionality, access control lists applied to routers and switches, inter-node authentication, and network and transport layer encryption. Security Gateways are responsible for all IP network operations (and therefore implicitly require security) and shall be physically secured.

4. Key Management and Distribution Architecture for IP Networks

4.1. Security services afforded to the protocols

IPSec offers a set of security services, which is determined by the negotiated IPSec security associations (SA). That is, the IPSec SA defines which security protocol is to be used, the mode and the endpoints of the SA. For IP networks the IPSec security protocols shall always be Encapsulating Security Payload (ESP) and Authentication Header (AH). For IP networks it is further mandated that integrity protection/message authentication together with anti-replay protection shall always be used.
The security services provided to the IP network shall be:
- Data integrity
- Data origin authentication
- Anti-replay protection
- Confidentiality
- Limited protection against traffic flow analysis when confidentiality is applied

4.2. Security Association (SA)

For IP networks the key management and distribution between Security Gateways shall be handled by the Internet Key Exchange (IKE) protocol (RFC-2407, RFC-2408 and RFC-2409). The main purpose of IKE is to negotiate, establish and maintain Security Associations between parties that are to establish secure connections. The concept of a Security Association is central to IPSec and IKE. To secure typical bi-directional or uni-directional communication between two or more hosts, or between two security gateways, one ISAKMP (Internet Security Association and Key Management Protocol) Security Association and two IPSec Security Associations (one in each direction) are required. IPSec Security Associations are uniquely defined by the following parameters:
- A Security Parameter Index (SPI)
- An IP Destination Address (this is the address of the ESP and AH SA endpoint)
- A security protocol identifier (this will always be the ESP protocol in IP)
With regard to the use of IPSec security associations in the network domain control plane of IP networks the following is noted:
- IP only requires support for tunnel mode IPSec SAs
- IP only requires support for ESP and AH SAs
- There is no need to be able to negotiate IPSec SA bundles, since a single ESP and AH SA is sufficient to protect traffic between the nodes

The specification of IPSec SAs can be found in RFC

ISAKMP Security Associations are uniquely defined by the following parameters:
- Initiator's cookie
- Responder's cookie

With regard to the use of ISAKMP security associations in the network domain control plane of IP networks the following is noted:
- IP only requires support for ISAKMP SAs with pre-shared keys

The specification of ISAKMP SAs can be found in RFC

NOTE: The shortened key negotiation possibility known as "Aggressive Mode" should be disabled to avoid pre-shared key (PSK) brute-force attacks. "Aggressive Mode" is usually only used for IP-enabled low-bandwidth devices but is considered a security threat.
4.3. Security Policy Database (SPD)

The Security Policy Database (SPD) is a policy instrument to decide which security services are to be offered and in what fashion; in the Microsoft world, Active Directory is used as a mechanism to control access to network resources, and it stands to reason that the SPD shall do the same. The SPD shall be consulted during processing of both inbound and outbound traffic. This also includes traffic that shall not, or need not, be protected by IPSec. In order to achieve this the SPD must have unique entries for both inbound and outbound traffic, such that the SPD can discriminate among traffic that shall be protected by IPSec, that shall bypass IPSec, or that shall be discarded by IPSec. The SPD plays a central role when defining security policies, both within the internal security domain and towards external security domains. The security policy towards external security domains will be subject to roaming agreements.

4.4. Security Association Database (SAD)

The Security Association Database (SAD) contains parameters that are associated with the active security associations. Every SA must have an entry in the SAD. For outbound processing, a lookup in the SPD will point to an entry in the SAD. If an SPD entry does not point to an SA that is appropriate for the packet, a pseudo-temporary SA shall be automatically created. The pseudo-temporary SA shall enforce the same security as other security associations.

5. Profiling of IPSec

This section gives an overview of the features of IPSec that are used by IP. The overview given here defines a minimum set of features that must be supported. In particular, this minimum set of features is required for interworking purposes and constitutes a well-defined set of simplifications. The accumulated effect of the simplifications is quite significant in terms of reduced complexity. This is achieved without sacrificing security in any way. It shall be noted explicitly that the simplifications are specified for IP and that they may not necessarily be valid for other network constellations and usages.
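As an added illustration of the SPD/SAD processing described above (sections 4.3 and 4.4), written for this page rather than taken from the requirements document, the following Python model keeps direction-specific SPD entries, resolves PROTECT entries to the SAD, and creates a pseudo-temporary SA when none is active. The selector format, the SA fields and the choice that an unmatched packet is discarded are the example's own assumptions.

```python
# Added example: minimal model of SPD lookup and SAD resolution as described
# in sections 4.3/4.4.  Not code from the requirements document; selector
# syntax, SA fields and the "no entry means discard" default are assumptions.
from __future__ import annotations
from dataclasses import dataclass
import ipaddress
import itertools


@dataclass
class SPDEntry:
    """One direction-specific policy entry (separate entries exist for "in" and "out")."""
    direction: str              # "in" or "out"
    src: str                    # CIDR selectors (simplified for the example)
    dst: str
    proto: str | None           # upper-layer protocol name, None = any
    action: str                 # "protect" | "bypass" | "discard"
    peer: str | None = None     # tunnel endpoint (SEG or NE) for protect entries

    def matches(self, direction: str, src: str, dst: str, proto: str) -> bool:
        return (self.direction == direction
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, proto))


@dataclass
class SA:
    """SAD entry; (spi, dst_addr, protocol) uniquely identifies it, as in section 4.2."""
    spi: int
    dst_addr: str
    protocol: str = "esp"
    mode: str = "tunnel"
    encryption: str = "aes-cbc-128"
    integrity: str = "hmac-sha1"
    anti_replay: bool = True
    pseudo_temporary: bool = False


class IPsecPolicy:
    def __init__(self) -> None:
        self.spd: list[SPDEntry] = []                  # ordered, first match wins
        self.sad: dict[tuple[int, str, str], SA] = {}
        self._spi = itertools.count(0x1000)            # constructed SPI allocator

    def add_rule(self, entry: SPDEntry) -> None:
        self.spd.append(entry)

    def install_sa(self, sa: SA) -> None:
        self.sad[(sa.spi, sa.dst_addr, sa.protocol)] = sa

    def lookup_spd(self, direction: str, src: str, dst: str, proto: str) -> SPDEntry | None:
        for entry in self.spd:
            if entry.matches(direction, src, dst, proto):
                return entry
        return None

    def _sa_for_peer(self, peer: str) -> SA | None:
        for sa in self.sad.values():
            if sa.dst_addr == peer and sa.protocol == "esp" and sa.mode == "tunnel":
                return sa
        return None

    def outbound(self, src: str, dst: str, proto: str) -> tuple[str, SA | None]:
        """Outbound: the SPD decides; a PROTECT entry must resolve to an SAD entry."""
        entry = self.lookup_spd("out", src, dst, proto)
        if entry is None or entry.action == "discard":
            return "discard", None          # no entry is treated as discard (assumption)
        if entry.action == "bypass":
            return "bypass", None
        sa = self._sa_for_peer(entry.peer)
        if sa is None:
            # The SPD entry points at no appropriate SA: create a pseudo-temporary
            # one that enforces the same security (ESP, tunnel mode) as any other SA.
            sa = SA(spi=next(self._spi), dst_addr=entry.peer, pseudo_temporary=True)
            self.install_sa(sa)
        return "protect", sa

    def inbound(self, src: str, dst: str, proto: str, arrived_via: SA | None) -> str:
        """Inbound: plaintext arriving where the SPD demands protection is discarded."""
        entry = self.lookup_spd("in", src, dst, proto)
        if entry is None or entry.action == "discard":
            return "discard"
        if entry.action == "protect" and arrived_via is None:
            return "discard"
        return "accept"


def build_demo_policy() -> IPsecPolicy:
    """Constructed policy: GTP between two domains is tunnelled via a SEG, NTP bypasses."""
    p = IPsecPolicy()
    p.add_rule(SPDEntry("out", "10.10.0.0/16", "10.20.0.0/16", "gtp", "protect", "192.0.2.2"))
    p.add_rule(SPDEntry("in", "10.20.0.0/16", "10.10.0.0/16", "gtp", "protect", "192.0.2.2"))
    p.add_rule(SPDEntry("out", "10.10.0.0/16", "10.10.0.0/16", "ntp", "bypass"))
    p.add_rule(SPDEntry("in", "10.10.0.0/16", "10.10.0.0/16", "ntp", "bypass"))
    p.add_rule(SPDEntry("out", "0.0.0.0/0", "0.0.0.0/0", None, "discard"))
    p.add_rule(SPDEntry("in", "0.0.0.0/0", "0.0.0.0/0", None, "discard"))
    return p
```

Calling `build_demo_policy().outbound("10.10.1.5", "10.20.3.9", "gtp")` twice returns "protect" with the same pseudo-temporary SA both times, while plaintext GTP presented to `inbound` with no SA is discarded.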
5.1. Support of ESP

When IP is applied, only the ESP (RFC-2406) security protocol shall be used for all IP inter-domain control plane traffic.

5.2. Support of AH

When IP is applied, only the AH (RFC-2402) security protocol shall be used for all IP inter-domain control plane traffic.

5.3. Support of tunnel mode

Given that security gateways are an integral part of the IP architecture, tunnel mode shall be supported. For IP inter-domain communication, security gateways shall be used and consequently only tunnel mode (RFC-2401) is applicable for this case.

5.4. Support of ESP encryption transforms

IPSec offers a fairly wide set of confidentiality transforms. The transforms that compliant IPSec implementations are required to support are the ESP_NULL and the ESP_DES transforms. However, the Data Encryption Standard (DES) transform is no longer considered to be sufficiently strong in terms of cryptographic strength. This is also noted by the IESG in a note in RFC-2407 to the effect that the ESP_DES transform is likely to be deprecated as a mandatory transform in the near future. It is therefore explicitly noted that for use in IP, the ESP_DES transform shall not be used and instead it shall be mandatory to support the ESP_3DES transform. Support for the AES-CBC cipher algorithm (RFC-3602) is mandatory. It is noted that the AES-CBC key length for use with this specification shall be 128 bits.
5.5. Support of ESP authentication transforms

The transforms that a compliant IPSec implementation is required to support are the ESP_NULL, the ESP_HMAC_MD5 and the ESP_HMAC_SHA-1 transforms. For IP traffic ESP shall always be used to provide integrity, data origin authentication and anti-replay services; thus the ESP_NULL authentication algorithm is explicitly not allowed for use. ESP shall support the ESP_HMAC_SHA-1 algorithm in IP.

5.6. Requirements on the construction of the IV

The following strengthening of the requirements on how to construct the IV shall take precedence over the description given in the implementation note in RFC-2405 section 5, the description given in RFC-2451 section 3 and all other descriptions of the IV.
- The IV field shall be the same size as the block size of the cipher algorithm being used.
- The IV shall be chosen at random, and shall be unpredictable to any party other than the originator.
- It is explicitly not allowed to construct the IV from the encrypted data of the preceding encryption process.

The common practice of constructing the IV from the encrypted data of the preceding encryption process means that the IV is disclosed before it is used. A predictable IV exposes IPSec to certain attacks irrespective of the strength of the underlying cipher algorithm. The second bullet point forbids this practice in the context of IP. These requirements imply that the network elements must have a capability to generate random data. RFC-1750 gives guidelines for hardware and software pseudorandom number generators.
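The following Python audit is an added example (not code from the document): it checks captured (IV, ciphertext) records against the section 5.6 rules, flagging IVs chained from the preceding ciphertext block, and goes slightly beyond the text by also flagging sequential and reused IVs, alongside the compliant random construction. The record layout and the sample capture are constructed for the example; the block size is 16 bytes for AES-CBC.

```python
# Added example: offline audit of IV construction against the section 5.6 rules.
# Records are (iv, ciphertext) pairs as they would appear in the clear in an ESP
# payload.  Sample data is constructed; not code from the requirements document.
from __future__ import annotations
import os


def make_iv(block_size: int) -> bytes:
    """The compliant construction: a fresh, unpredictable IV of exactly one block."""
    return os.urandom(block_size)


def audit_ivs(records: list[tuple[bytes, bytes]], block_size: int = 16) -> list[tuple[int, str]]:
    """Return (record_index, finding) pairs for IVs that violate the profile."""
    findings: list[tuple[int, str]] = []
    first_seen: dict[bytes, int] = {}
    prev_iv: bytes | None = None
    prev_ct: bytes | None = None
    for i, (iv, ct) in enumerate(records):
        if len(iv) != block_size:
            findings.append((i, f"iv-length {len(iv)} != block size {block_size}"))
        # Chained IV: the IV is the last ciphertext block of the preceding packet,
        # so it was disclosed on the wire before it was used (forbidden above).
        if prev_ct is not None and len(prev_ct) >= block_size and iv == prev_ct[-block_size:]:
            findings.append((i, "chained-iv (equals previous packet's last ciphertext block)"))
        # Counter IV: predictable even without seeing the previous ciphertext.
        if (prev_iv is not None and len(prev_iv) == len(iv)
                and int.from_bytes(iv, "big") - int.from_bytes(prev_iv, "big") == 1):
            findings.append((i, "sequential-iv (previous IV + 1)"))
        if iv in first_seen:
            findings.append((i, f"reused-iv (same as record {first_seen[iv]})"))
        else:
            first_seen[iv] = i
        prev_iv, prev_ct = iv, ct
    return findings


def constructed_records() -> list[tuple[bytes, bytes]]:
    """Constructed capture: one good packet, two chained-IV packets, two counter-IV packets."""
    ct0 = os.urandom(48)
    ct1 = os.urandom(32)
    ct2 = os.urandom(64)
    ctr = 0x0102030405060708090a0b0c0d0e0f10
    return [
        (make_iv(16), ct0),
        (ct0[-16:], ct1),                                   # chained from packet 0
        (ct1[-16:], ct2),                                   # chained from packet 1
        (ctr.to_bytes(16, "big"), os.urandom(32)),
        ((ctr + 1).to_bytes(16, "big"), os.urandom(32)),    # counter incremented
    ]


def random_records(n: int) -> list[tuple[bytes, bytes]]:
    """Compliant capture: every IV fresh from the operating system RNG."""
    return [(make_iv(16), os.urandom(32)) for _ in range(n)]


if __name__ == "__main__":
    for idx, msg in audit_ivs(constructed_records()):
        print(f"record {idx}: {msg}")
```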
6. Profiling of IKE

The Internet Key Exchange protocol shall be used for negotiation of IPSec SAs. The following additional requirements on IKE are made mandatory for inter-security-domain SA negotiations over interfaces.

For IKE phase-1 (ISAKMP SA):
- The use of pre-shared secrets for authentication shall be supported
- Only Main Mode shall be used
- IP addresses and Fully Qualified Domain Names (FQDN) shall be supported for identification
- Support of 3DES in CBC mode shall be mandatory for confidentiality
- Support of AES in CBC mode (RFC-3602) shall be mandatory for confidentiality
- Support of SHA-1 shall be mandatory for integrity/message authentication
- Support of Diffie-Hellman group 2 shall be mandatory for the Diffie-Hellman exchange

Phase-1 IKE SAs shall be persistent with respect to the IPSec SAs derived from them. That is, IKE SAs shall have a lifetime of at least the same duration as the derived IPSec SAs. The IPSec SAs should be re-keyed proactively, i.e. a new SA should be established before the old SA expires. The elapsed time between the new SA establishment and the cancellation of the old SA shall be sufficient to avoid losing any data being transmitted within the old SA.

For IKE phase-2 (IPSec SA):
- Perfect Forward Secrecy is optional
- Only IP addresses or subnet identity types shall be mandatory address types
- Support of Notifications shall be mandatory
- Support of Diffie-Hellman group 2 shall be mandatory for the Diffie-Hellman exchange
- Key Length and support of the AES transform: since AES-CBC allows variable key lengths, the Key Length attribute must be specified in both a Phase 1 exchange and a Phase 2 exchange. It is noted that the key length for use with this specification shall be

7. Security policy granularity

The policy control granularity afforded by IP is determined by the degree of control with respect to the ESP Security Association between the Network Elements (NEs) or Security Gateways. The normal mode of operation is that only one ESP and one AH Security Association is used between any two NEs or Security Gateways, and therefore the security policy will be identical for all secured traffic passing between the NEs. This is consistent with the overall IP concept of security domains, which should have the same security policy in force for all traffic within the security domain. IPSec security policy enforcement for inter-security-domain communication is a matter for the Security Gateways of the communicating security domains.
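As an added worked example (not the document's own material), the Python lint below checks a proposed phase-1/phase-2 configuration against the profile in sections 4.2 to 6: Main Mode only, pre-shared keys, 3DES or AES-CBC with a 128-bit Key Length attribute, HMAC-SHA-1, Diffie-Hellman group 2, ESP in tunnel mode with no NULL authentication, and the rule that the IKE SA must outlive the IPSec SAs derived from it. The dict keys and the two sample configurations are assumptions made for the example, not any vendor's format.

```python
# Added example: lint of an IKE phase-1 / IPsec phase-2 proposal against the
# profile in sections 4.2 to 6.  Not code from the requirements document; the
# dict layout, key names and sample configurations are assumptions.
from __future__ import annotations

ALLOWED_ENCRYPTION = {"3des-cbc", "aes-cbc"}     # ESP_DES is explicitly excluded
ALLOWED_INTEGRITY = {"hmac-sha1"}                # SHA-1 mandatory, NULL auth forbidden
PHASE1_ID_TYPES = {"ipv4-addr", "fqdn"}          # IP address or FQDN identification
PHASE2_ID_TYPES = {"ipv4-addr", "ipv4-subnet"}   # only address or subnet identities
MANDATORY_DH_GROUP = 2
AES_KEY_LENGTH = 128


def _check_cipher(stage: str, entry: dict, findings: list[str]) -> None:
    """Cipher and integrity checks shared by both phases."""
    enc = entry.get("encryption")
    if enc == "des-cbc":
        findings.append(f"{stage}: ESP_DES shall not be used; 3DES or AES-CBC is required")
    elif enc not in ALLOWED_ENCRYPTION:
        findings.append(f"{stage}: encryption {enc!r} is outside the profile {sorted(ALLOWED_ENCRYPTION)}")
    if enc == "aes-cbc" and entry.get("key_length") != AES_KEY_LENGTH:
        # AES-CBC has variable key lengths, so the attribute must be present in both phases
        findings.append(f"{stage}: AES-CBC Key Length attribute must be specified and equal {AES_KEY_LENGTH}")
    integ = entry.get("integrity")
    if integ in (None, "null"):
        findings.append(f"{stage}: NULL authentication is not allowed; integrity and anti-replay are always required")
    elif integ not in ALLOWED_INTEGRITY:
        findings.append(f"{stage}: integrity {integ!r} is outside the profile; HMAC-SHA-1 is mandatory")


def check_phase1(p1: dict) -> list[str]:
    """Findings for the ISAKMP (phase-1) SA proposal."""
    findings: list[str] = []
    if p1.get("mode") != "main":
        findings.append("phase1: only Main Mode is allowed (Aggressive Mode exposes the PSK to offline guessing)")
    if p1.get("auth") != "psk":
        findings.append("phase1: pre-shared secret authentication is the profiled method")
    if p1.get("id_type") not in PHASE1_ID_TYPES:
        findings.append("phase1: identification must be an IP address or an FQDN")
    if p1.get("dh_group") != MANDATORY_DH_GROUP:
        findings.append("phase1: Diffie-Hellman group 2 is mandatory")
    _check_cipher("phase1", p1, findings)
    return findings


def check_phase2(p2: dict, p1_lifetime_s: int) -> list[str]:
    """Findings for the IPsec (phase-2) SA proposal, given the parent IKE SA lifetime."""
    findings: list[str] = []
    if p2.get("protocol") != "esp":
        findings.append("phase2: ESP is the security protocol to negotiate")
    if p2.get("mode") != "tunnel":
        findings.append("phase2: only tunnel mode is applicable between security gateways")
    if p2.get("id_type") not in PHASE2_ID_TYPES:
        findings.append("phase2: only IP address or subnet identity types are mandatory address types")
    # PFS is optional, but any Diffie-Hellman exchange must use group 2
    if p2.get("pfs_group") not in (None, MANDATORY_DH_GROUP):
        findings.append("phase2: when PFS is used, Diffie-Hellman group 2 is mandatory")
    if not p2.get("notifications", False):
        findings.append("phase2: support of Notifications is mandatory")
    # The IKE SA must be persistent with respect to the IPsec SAs derived from it
    if p1_lifetime_s < p2.get("lifetime_s", 0):
        findings.append("phase2: IPsec SA lifetime exceeds the parent IKE SA lifetime")
    _check_cipher("phase2", p2, findings)
    return findings


def check_profile(cfg: dict) -> list[str]:
    p1, p2 = cfg["phase1"], cfg["phase2"]
    return check_phase1(p1) + check_phase2(p2, p1.get("lifetime_s", 0))


# Constructed sample configurations (not taken from any real deployment).
COMPLIANT = {
    "phase1": {"mode": "main", "auth": "psk", "id_type": "fqdn", "dh_group": 2,
               "encryption": "aes-cbc", "key_length": 128, "integrity": "hmac-sha1",
               "lifetime_s": 86400},
    "phase2": {"protocol": "esp", "mode": "tunnel", "id_type": "ipv4-subnet",
               "pfs_group": None, "notifications": True, "encryption": "aes-cbc",
               "key_length": 128, "integrity": "hmac-sha1", "lifetime_s": 3600},
}
WEAK = {
    "phase1": {"mode": "aggressive", "auth": "psk", "id_type": "fqdn", "dh_group": 1,
               "encryption": "des-cbc", "integrity": "hmac-md5", "lifetime_s": 1800},
    "phase2": {"protocol": "esp", "mode": "transport", "id_type": "ipv4-subnet",
               "pfs_group": None, "notifications": True, "encryption": "aes-cbc",
               "key_length": 256, "integrity": "null", "lifetime_s": 3600},
}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(name, check_profile(cfg) or ["OK"])
```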
8. Network Domain Security Key Management and Distribution Architecture for Native IP Based Protocols

8.1. Network domain security architecture outline

The IP key management and distribution architecture is based on the IPSec IKE (RFC-2401, RFC-2407, RFC-2408 and RFC-2409) protocol. As described in the previous section, a number of options available in the full IETF IPSec protocol suite have been considered to be unnecessary for IP. Furthermore, some features that are optional in IETF IPSec have been mandated for IP and, lastly, a few required features in IETF IPSec have been deprecated for use within the IP scope. The compound effect of the design choices in how IPSec is utilised within the IP scope is that the IP key management and distribution architecture is quite simple and straightforward. The basic idea of the IP architecture is to provide hop-by-hop security. This is in accordance with the chained-tunnels or hub-and-spoke models of operation. The use of hop-by-hop security also makes it easy to operate separate security policies internally and towards other external security domains. The Security Gateways shall engage in direct communication with entities in other security domains for IP traffic. The Security Gateways will then establish and maintain IPSec-secured ESP and AH Security Associations in tunnel mode between security domains. Security Gateways shall maintain at least one IPSec tunnel available at all times to a particular peer Security Gateway. The Security Gateway will maintain logically separate SAD and SPD databases for each interface. The NE shall establish and maintain ESP and AH Security Associations as needed towards a Security Gateway or other NE within the same security domain.
All IP traffic from a NE in one security domain towards a NE in a different security domain will be routed via a Security Gateway and will be afforded hop-by-hop security protection towards the final destination. A diagram describing how this is achieved is presented in reference 1.
8.2. Interface description

The following interfaces are defined for protection of native IP based protocols:

Security Gateway to Security Gateway (SGSG). The SGSG interface covers all IP traffic between security domains. On the SGSG interface, authentication and integrity protection is mandatory. ESP and AH shall be used for providing authentication, encryption and integrity protection. The Security Gateways shall use IKE to negotiate, establish and maintain a secure ESP tunnel between them. The tunnel is subsequently used for forwarding IP traffic between security domain A and security domain B. Inter-Security Gateway tunnels can be available at all times, but they can also be established as needed. The Security Gateway of security zone A (as represented above as SEG A) can be dedicated to serve only a certain subset of the security domains that security domain A needs to communicate with. This will limit the number of SAs and tunnels that need to be maintained from an operational perspective. All security domains compliant with this specification shall operate on the SGSG interface.

The NESG interface is located between Security Gateways and NEs and between NEs within the same security domain. ESP, AH and IKE shall be implemented. On the NESG interface, ESP and AH shall always be used with authentication, encryption and integrity protection. The ESP Security Association shall be used for all control plane traffic that needs security protection. The Security Association is subsequently used for exchange of IP traffic between the NEs.

9. Filtering routers and firewalls

In order to strengthen the security of IP based networks, border gateways and access routers would normally use packet filtering strategies to prevent certain types of traffic from passing in or out of the network. Similarly, firewalls are used as an additional measure to prevent certain types of access towards the network. Simple filtering may be needed before the Security Gateway functionality. The filtering policy must allow key protocols such as DNS and NTP to pass. This will include traffic over the SEG interface from IKE and IPSec ESP and AH in tunnel mode. Unsolicited traffic shall be rejected.
This section of the document is separated into a number of subsections covering Firewall controls, DMZ controls, Business continuity and planning, Audit controls and Network controls.

9.1. Firewall controls

Configurations, policies and rules for firewalls must be documented, including what their purpose or function is. Policies, rules and the reasons for firewall configurations must be known; in the event of failure, downtime may otherwise be increased as a result of confusion. In addition, a change to a rule may adversely affect a business application.

Only authorised administrative staff must be allowed access to firewall and management systems and logs. All users must have at least a login and password. Changes to firewalls by unskilled and unauthorised staff may result in corruption and extended downtime.

Authenticated sessions on the firewall must time out (if supported) after a certain time. Users may leave their workstation unattended, and unauthorised access could be gained if no timeout is used.

Security patches or fixes for known weaknesses in firewall hardware, software and operating systems must be tested and installed as soon as they are available, proven and agreed by a change management process. Failure to implement security patches on a timely basis may increase the likelihood of the network being compromised.

Any protocol, binary program, network service or rc script that is not necessary for the purpose of operation must be disabled on the firewall device and on any platform in the DMZ, e.g., TFTP, Chargen, Echo, Finger, etc. This control ensures that all devices and platforms are security hardened to prevent illegal access.
Connections initiated externally to an external-facing firewall must be limited to Web (HTTP and HTTPS), Mail (SMTP), DNS lookups and zone transfer. This traffic must go to specific destination addresses, i.e., Web, Mail, etc., within a DMZ. All other ports must be blocked by default, i.e., by a cleanup rule. A number of standard protocols have vulnerabilities that can be exploited to grab files, gain information or gain illegal access to systems. Hackers will port scan externally facing firewalls to identify ports to exploit.

NO DNS-based firewall objects or any other DNS-reliant options can be used in the firewall configuration.

Connections initiated internally to an internal-facing firewall must be limited to allowed traffic only. This traffic must go to specific destination addresses, i.e., Gi, Gn, etc., within a specified VLAN. All other ports must be blocked by default.

Connections initiated internally within the core network must be restricted to authorised traffic types. All traffic types which are restricted in-bound must also be restricted out-bound unless there is a good business reason for not doing so. Although traffic is uni-directional, the firewall may be configured to explicitly deny all outbound traffic unless specified. For example, if there is a rule restricting in-bound telnet then there should be an equivalent rule restricting out-bound telnet. Trojans may download a payload that gives an attacker access to the various systems within the core by exploiting outgoing connections, e.g., it may be possible to establish a covert channel over a port that allows outbound traffic. A cellular network operator should protect itself against possible litigation arising from the internal core network(s), backbone networks, radio network, VAS network, public Internet or corporate network.
Internal IP addresses must be hidden from the outside world, e.g., DNS zone transfers and DNS UDP queries that would leak internal IP addresses must be prevented. Network Address Translation must be used on the firewall or border router. Information about the network topology must not be leaked to third parties, as it can be used for attacks, e.g., IP spoofing.

If there are no users being authenticated on the firewall, only control connections from the firewall management station must be accepted. All other connections to firewall modules must be prevented by adding a stealth rule within the security policy. Packets must be dropped under this rule. A stealth rule should be placed as early as possible in the firewall policy: first define all access that is allowed to/from the firewall, and then deny (and log) all other traffic to/from the firewall.

The firewall must drop internal broadcast traffic on the core network by default. Allow rules must be created to permit internal broadcast traffic where required. Doing this reduces the number of unrequired entries in the firewall logs and helps to prevent overload.

ICMP and UDP packets must not be accepted by Internet-facing firewalls or at PE and CE routers and Border Gateways. ICMP is used by a utility called traceroute. Traceroute can be used by hackers to find Network Elements, thus exposing internal network elements. ICMP and UDP packets can be used for a number of Denial of Service (DoS) exploits, and firewalls should be configured to disallow such attacks by default.

CAUTION: Although dropping all incoming ICMP packets when not needed is a security best practice, it could have a production impact on infrastructure. TCP-based protocols that are sensitive to timeouts, such as HTTP and SMTP, need to be able to time out properly to avoid problems such as sluggish web server responses and slow proxy and reverse proxy responses, to name a few.
The following ICMP types and codes are the minimum required for the proper functioning of TCP:
- ICMP type 3, code 1: Host Unreachable
- ICMP type 3, code 3: Port Unreachable
- ICMP type 4: Source Quench
- ICMP type 11, code 0: Time to Live Exceeded

These should be allowed only with proper connection control on the number of packets per timeframe coming from a specific source address.

The firewall must prevent IP spoofing across all internal and external interfaces. Spoofing is a method of making packets appear as if they originate from one of the communicating IP addresses. For example, a packet originating on the Internet and going to an internal network may be disguised as a local packet. Anti-spoofing features of a firewall ensure that IP addresses entering a system are valid.

The firewall, router and intrusion detection system must prevent SYN flooding. A SYN flood initiated by an attacker can disable the target system.

The firewall, router and intrusion detection system must prevent GTP attacks. A SYN flood initiated by an attacker can disable the target system.

Simple Network Management Protocol (SNMP) must not be set to Any Community, a Guessable Community or the Public Community name on any firewalls or devices that are located on a vulnerable network or DMZ. The firewall must disallow SNMP requests to NEs that do not require SNMP traffic, with a deny rule. SNMP must not be available from external networks to the core network, i.e., external to internal.
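To make the firewall controls above concrete, here is an added Python simulation (not from the document) of an Internet-facing border filter: a cleanup rule admitting only Web, Mail and DNS to specific DMZ addresses, anti-spoofing on the external interface, and ICMP restricted to the four types listed, rate-limited per source address. All addresses, prefixes, thresholds and packets are constructed for the example.

```python
# Added example: simulation of the externally facing firewall behaviour in the
# firewall controls above (cleanup rule, anti-spoofing, minimum ICMP set with a
# per-source rate limit).  Not code from the document; all values are constructed.
from __future__ import annotations
from collections import defaultdict, deque
import ipaddress

INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_PREFIX = ipaddress.ip_network("203.0.113.0/28")   # constructed DMZ range
DMZ_SERVICES = {                                      # externally initiated traffic that is allowed
    "203.0.113.10": {("tcp", 80), ("tcp", 443)},      # Web
    "203.0.113.11": {("tcp", 25)},                    # Mail
    "203.0.113.12": {("udp", 53), ("tcp", 53)},       # DNS lookups and zone transfer
}
MIN_ICMP = {(3, 1), (3, 3), (4, 0), (11, 0)}          # host/port unreachable, source quench, TTL exceeded


class BorderFilter:
    def __init__(self, icmp_limit: int = 5, window_s: int = 10) -> None:
        self.icmp_limit = icmp_limit          # accepted ICMP packets per source per window
        self.window_s = window_s
        self._icmp_hist: dict[str, deque] = defaultdict(deque)

    def _icmp_allowed(self, src: str, now: float) -> bool:
        """Sliding-window count of accepted ICMP packets from one source."""
        q = self._icmp_hist[src]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.icmp_limit:
            return False
        q.append(now)
        return True

    def decide(self, pkt: dict) -> str:
        """Return 'accept' or 'drop:<reason>' for one packet dict (constructed layout)."""
        if pkt["iface"] != "external":
            return "accept"                   # internal interfaces follow other rules, out of scope here
        src = ipaddress.ip_address(pkt["src"])
        # Anti-spoofing: a packet arriving from the Internet must not claim an internal address
        if any(src in p for p in INTERNAL_PREFIXES):
            return "drop:spoofed-internal-source"
        if pkt["proto"] == "icmp":
            if (pkt["type"], pkt.get("code", 0)) not in MIN_ICMP:
                return "drop:icmp-type-not-required"
            return "accept" if self._icmp_allowed(pkt["src"], pkt["t"]) else "drop:icmp-rate-limit"
        if pkt["proto"] in ("tcp", "udp"):
            allowed = DMZ_SERVICES.get(pkt["dst"], set())
            if ipaddress.ip_address(pkt["dst"]) in DMZ_PREFIX and (pkt["proto"], pkt["dport"]) in allowed:
                return "accept"
        return "drop:cleanup-rule"            # everything not explicitly allowed, UDP included


def run_sample() -> list[str]:
    """Constructed packets exercising each rule; returns the decision per packet in order."""
    fw = BorderFilter(icmp_limit=2, window_s=10)
    ext, web, dns = "198.51.100.9", "203.0.113.10", "203.0.113.12"
    pkts = [
        {"iface": "external", "src": ext, "dst": web, "proto": "tcp", "dport": 443, "t": 0},
        {"iface": "external", "src": ext, "dst": web, "proto": "tcp", "dport": 22, "t": 1},
        {"iface": "external", "src": "10.1.2.3", "dst": web, "proto": "tcp", "dport": 443, "t": 2},
        {"iface": "external", "src": ext, "dst": dns, "proto": "udp", "dport": 53, "t": 3},
        {"iface": "external", "src": ext, "dst": dns, "proto": "udp", "dport": 161, "t": 4},
        {"iface": "external", "src": ext, "dst": web, "proto": "icmp", "type": 8, "t": 5},
        {"iface": "external", "src": ext, "dst": web, "proto": "icmp", "type": 3, "code": 3, "t": 6},
        {"iface": "external", "src": ext, "dst": web, "proto": "icmp", "type": 11, "code": 0, "t": 7},
        {"iface": "external", "src": ext, "dst": web, "proto": "icmp", "type": 3, "code": 1, "t": 8},
        {"iface": "external", "src": ext, "dst": web, "proto": "icmp", "type": 3, "code": 1, "t": 30},
    ]
    return [fw.decide(p) for p in pkts]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```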
In addition, NEs must support SNMP version 3, as encryption of the data is then achieved. SNMP can be used by an attacker to obtain valuable information about the machine, such as information on network devices and current open connections, when SNMP uses default words, such as public or private, for the community name. If no community is specified, then the SNMP server responds to queries from any host.

9.2. DMZ controls

Any servers or devices that are located on a DMZ implicit trust network must not use a predictable TCP sequence. If the TCP sequence is predictable, an attacker can send packets that are forged to appear to come from a trusted machine. Services such as telnet, ftp, rsh and rlogin may be compromised. The server or device can be security hardened by using an improved sequence generation scheme with random variance in the increment.

NFS must not be used on any servers or devices that are located on a DMZ or implicit trust network. NFS is the UNIX networking protocol that allows resources to be shared across the network. If it is mis-configured, attackers may be able to gain access to other network resources such as files.

NIS must not be used on any servers or devices that are located on a DMZ implicit trust network. NIS is a naming service that allows resources to be easily added, deleted or relocated. An attacker who possesses the NIS domain name (often set up as a derivative of the public domain name) can steal information helpful in guessing passwords and gain unauthorised access.

RPC must not be used on any servers or devices that are located on a DMZ implicit trust network. RPC allows one program to use the services of another program on a remote machine. If exploited, an intruder may be able to execute commands on a vulnerable system.
Applications on hosts connected to the core network must not use the same ports as backdoor and remote control programs. These ports cannot be opened on the firewall as they are a major security risk.

Procedures detailing methods of recovery of the firewalls must exist and be proven. This is an issue of integrity and availability. Detailed procedures help prevent failures due to incorrect methods being used. This is especially important where actions are required which are specific to a given Network Element and may not be commonly known.

System files on the firewall that contain policy, rule base, key, licence, object, user and configuration information must be documented and backed up. If the firewall is corrupted, users must be able to re-install to the same patch level and security policy that was running before the event. If these files were lost there may be considerable downtime whilst the firewall is re-built.

Firewalls that route transaction data must be clustered or mirrored to provide high availability. In the event of hardware failure there shall be no loss of service, as traffic will seamlessly cut over to the other firewall through stateful failover technology.

Audit controls

All users or groups of users that authenticate, at or via the firewall, to gain access to the Core Packet Switched network must have their access authorised. Authorised users should be granted access through the use of One Time Passwords (OTP), preferably integrated with Single Sign On (SSO). An account with a fixed password should be kept (in a sealed envelope in a fireproof safe with limited human access) in case the technology that facilitates remote user authentication fails.
All accesses through a firewall to the Core Packet Switched network should be authorised by an independent, trusted party. Typically, access would be requested by the initiator. If automated, a ticketing system might manage the process for the initiator, with involvement from operations, management, an audit function and possibly other areas of the organisation. This information must be logged in a central repository that can easily be accessed by IT and Telecoms Operations teams, Security Operation Centres (SOCs), security teams, management and Human Resources in line with relevant business policy. The information gathered by this process allows Security and Network Operations teams to identify valid authorised users, and it helps to ensure that access permissions are removed when they are no longer required.

Apart from transaction and broadcast traffic, all dropped and accepted connections must be logged. Connection attempts from unauthorised IP addresses must be rejected. Logging this type of event is necessary so that it is possible to identify unauthorised attempts to connect, or users having problems connecting; without it, it would prove time consuming and meaningless for an administrator to wade through volumes of irrelevant log files.
The telecommunication operator's network must have a mechanism for detecting malicious or suspicious events and intrusions on the firewalls and the Core Packet Switched network. At a minimum this must include the following:

- Port scanning
- Successive multiple connections
- SYN and land attacks
- IP address spoofing
- Login failures
- Successive alerts
- Signature files for known vulnerabilities

Consideration may also be given to marrying the IDS and IPS logs with a Fraud Management System. Information from suspicious activity can be used for investigation and firewall policy tuning. Configuring the firewall with these controls assists in hardening the network against attack and in ensuring that rules are accurate.

Changes to production firewalls, including amendments or additions to security policies, must go through a change management procedure, to ensure that changes are authorised, tested and do not impact on any other systems.
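The following is an added example, not part of the original requirements document, showing how the first five event classes above can be detected from firewall log lines. The key=value syslog format, the interface name "outside", the 10.0.0.0/8 Core PS address range and the thresholds are all assumptions; the log lines are constructed, not captured traffic.

```python
"""Detection logic for the event classes section 9.3 requires: port scanning,
successive connections / SYN floods, land attacks, IP spoofing and login
failures.  Added example; the log format, interface name 'outside', the
10.0.0.0/8 core range and the thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed Core PS address space
WINDOW = timedelta(seconds=60)
SCAN_PORTS = 5     # distinct destination ports from one source within WINDOW
FLOOD_SYNS = 20    # SYNs from one source to one dst:port within WINDOW
LOGIN_FAILS = 3    # authentication failures for one account

# Constructed sample log (not real traffic): a port scan, a land packet, a spoofed
# internal source on the outside interface, repeated login failures, then a SYN flood.
SAMPLE_LOG = """\
2006-07-18T10:00:01 action=drop src=203.0.113.7 dst=10.20.0.5 dport=21 proto=tcp if=outside flags=S
2006-07-18T10:00:02 action=drop src=203.0.113.7 dst=10.20.0.5 dport=22 proto=tcp if=outside flags=S
2006-07-18T10:00:03 action=drop src=203.0.113.7 dst=10.20.0.5 dport=23 proto=tcp if=outside flags=S
2006-07-18T10:00:04 action=drop src=203.0.113.7 dst=10.20.0.5 dport=25 proto=tcp if=outside flags=S
2006-07-18T10:00:05 action=accept src=203.0.113.7 dst=10.20.0.5 dport=80 proto=tcp if=outside flags=S
2006-07-18T10:00:06 action=drop src=203.0.113.7 dst=10.20.0.5 dport=110 proto=tcp if=outside flags=S
2006-07-18T10:00:10 action=drop src=10.20.0.5 dst=10.20.0.5 dport=139 proto=tcp if=outside flags=S
2006-07-18T10:00:11 action=drop src=10.1.1.1 dst=10.20.0.5 dport=53 proto=udp if=outside
2006-07-18T10:02:00 action=auth-fail user=admin src=203.0.113.50
2006-07-18T10:02:05 action=auth-fail user=admin src=203.0.113.50
2006-07-18T10:02:09 action=auth-fail user=admin src=203.0.113.50
2006-07-18T10:02:30 action=auth-fail user=ops src=10.5.5.5
"""
SAMPLE_LOG += "".join(
    f"2006-07-18T10:01:{i:02d} action=accept src=198.51.100.9 dst=10.20.0.8 "
    f"dport=80 proto=tcp if=outside flags=S\n" for i in range(25))


def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def _trim(history, now):
    """Keep only entries inside the sliding WINDOW ending at 'now'."""
    history[:] = [h for h in history if now - h[0] <= WINDOW]


def detect(lines):
    """Return {alert_class: [description, ...]} for the given log lines."""
    alerts = defaultdict(list)
    scan = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    syn = defaultdict(list)    # (src, dst, dport) -> [(ts,)]
    fails = defaultdict(int)   # user -> failure count
    for line in lines:
        if not line.strip():
            continue
        r = parse(line)
        now = r["ts"]
        if r.get("action") == "auth-fail":
            fails[r["user"]] += 1
            if fails[r["user"]] == LOGIN_FAILS:   # fire once, when the threshold is reached
                alerts["login_failures"].append(
                    f"{now} {LOGIN_FAILS} failures for user {r['user']} from {r.get('src')}")
            continue
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if src == dst:                                 # land attack: source equals destination
            alerts["land_attack"].append(f"{now} src==dst {src}")
        if r.get("if") == "outside" and any(src in n for n in INTERNAL_NETS):
            alerts["ip_spoofing"].append(f"{now} internal source {src} on outside interface")
        if r.get("proto") == "tcp" and r.get("flags") == "S":
            hist = scan[(r["src"], r["dst"])]          # port scan: many distinct ports
            hist.append((now, r["dport"]))
            _trim(hist, now)
            if len({p for _, p in hist}) == SCAN_PORTS:
                alerts["port_scan"].append(f"{now} {src} probed {SCAN_PORTS} ports on {dst}")
            hist = syn[(r["src"], r["dst"], r["dport"])]   # SYN flood / successive connections
            hist.append((now,))
            _trim(hist, now)
            if len(hist) == FLOOD_SYNS:
                alerts["syn_flood"].append(f"{now} {src} sent {FLOOD_SYNS} SYNs to {dst}:{r['dport']}")
    return dict(alerts)


if __name__ == "__main__":
    for cls, items in detect(SAMPLE_LOG.splitlines()).items():
        print(cls, *items, sep="\n  ")
```

Each rule fires once, when its threshold is first crossed inside the window, which keeps the alert volume manageable; the thresholds are placeholders and should be tuned against the operator's own baseline of accepted traffic.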
9.4. Network controls

With the appropriate level of additional security (physical, environmental, procedural, technical), Virtual Private Networks can be used to protect data confidentiality and integrity. VPNs or encrypted tunnels should not traverse the Core Packet Switched firewalls; instead, the VPN should terminate on the firewall so that the firewall can inspect the traffic. VPNs allow a secure tunnel to be set up for communicating with a host or application. Their use must be limited to cases where the data or transactions being transferred are sensitive or of value, because VPN or encrypted-tunnel functionality may be abused to tunnel unauthorised protocols or even viruses past the firewall.

Where the firewall software is installed on a host (rather than a hardware firewall), e.g. SunScreen, the operating system must be hardened to such an extent that only the requisite services run. An attacker may otherwise be able to exploit services running on the operating system, thus compromising the firewall.

* Detailed information on how to security-harden a Cisco firewall is documented in Appendix 1, Configuration of Cisco PIX firewall.
10. IDS/IPS Deployment for GTP and IP Networks

Consideration should be given to GTP-aware IDS/IPS. Operators must determine whether a GTP-aware IDS/IPS can be installed and configured to correctly identify erroneous, irregular, fraudulent, malicious or other data contained within the GTP header and the encapsulated payload. In preparing this document and reviewing available technology, Mobile Network Security have not identified any one vendor with a satisfactory IPS/IDS solution for GTP. While vendors claim to have real-time IDS/IPS capabilities, Mobile Network Security have not seen evidence of this. It would be Mobile Network Security's recommendation for any cellular network operator to discuss in depth, and trial, vendor products to determine their level of maturity and suitability for deployment into a GTP environment. Consideration should also be given to deep packet inspection engines or firewalls with GTP processing capabilities.

To help with host-based integrity, a host IDS must be used on all network elements to guard against unauthorised changes, unauthorised access and known attack signatures. Similarly, a Unix security standard might instruct that all Unix operating systems have Tripwire installed before they are moved into production.

While outside the heading of IDS/IPS Deployment for GTP and IP Networks, Mobile Network Security recommend that GTP, and in fact any telecommunication protocol, is tested rigorously by security experts using fault injection, analysis and security testing tools to determine the level of risk when engineering a cellular network with enhanced Packet Switched options.
11. DNS Security

The DNS plays a critical role in supporting the IP infrastructure by providing a distributed and fairly robust mechanism that resolves Internet host names into IP addresses and IP addresses back into host names. The DNS also supports other Internet directory-like lookup capabilities to retrieve information pertaining to DNS name servers, canonical names, mail exchangers, etc. Unfortunately many security weaknesses surround IP and the protocols carried by IP, and the DNS is not immune to them. The accuracy of the information contained within the DNS is vital to many aspects of IP-based communications. The threats that surround the DNS are due in part to the lack of authenticity and integrity checking of the data held within the DNS, and in part to other protocols that use host names as an access control mechanism. Therefore, the following are documented as security requirements for DNS within core PS networks. Typically, security policy might include the following characteristics:

11.1. Generic Requirements

The DNSi infrastructure has no Internet communication; it is served by internal DNS servers. The DNSx infrastructure has external Internet communication by means of external DNS servers.

The telecommunication core network should utilise split DNS functionality with an internal DNS root and namespace, where all authority for DNS zones is internal.
DNS servers that are configured with forwarders use internal DNS server IP addresses only.

All DNS servers limit zone transfers to specified IP addresses.

DNS servers are configured to listen on specified IP addresses.

Secure cache against pollution is enabled on all DNS servers.

Internal DNS servers are configured with root hints that point to the internal DNS servers hosting the root zone for the internal namespace.

Secure dynamic update is configured for all DNS zones except for the top-level and root zones, which do not allow dynamic updates at all.

An access control list (ACL) is configured on the DNS Server service to allow only authorised users of the Gom to perform administrative tasks on DNS servers. An ACL is configured to allow only specific individuals to create, delete or modify DNS zones. ACLs are configured on DNS resource records to allow only specific individuals to create, delete or modify DNS data.

11.2. Internal DNS Security (DNSi)

A requirement exists to eliminate any single point of failure. It should be noted that DNS redundancy cannot help if internal routing fails to reach the network services.

DNS must be located in the same logical zone as the GGSN for security purposes. It is not best practice to allow DNS requests from network elements that are outside a given zone.
All unauthorised access to DNS servers must be disallowed, either through ACLs, VPN/VRF or by way of other restrictive measures. Secure dynamic update must be configured for the zones, and the list of DNS servers that are allowed to obtain a zone transfer must be limited to those that require it.

All DNS events must be logged both remotely and locally. Monitoring DNS logs can help in detecting unauthorised modifications to the DNS server or zone files.

11.3. External DNS Security (DNSx)

The DNSx server must be logically placed in a separate zone from the zone identified for the DNSi server. Split DNS must be used. This reduces the risk of exposing the private namespace, which could expose sensitive names and IP addresses to public Internet-based users and subscribers. It also increases performance, because it decreases the number of resource records on each DNS server.

In separate zones, i.e. London, Birmingham, etc., all GGSNs must resolve through their own DNSx server rather than relying on a central DNSx. This reduces the likelihood of GGSNs being subject to DNS-based exploits: a common DNS exploit such as a denial-of-service attack against a central DNSx would render the external resolution service useless for every GGSN. It would be possible for a GGSN to fail over to a separate GGSN for DNS resolution purposes; however, this would place exceptional load on the various GGSN interfaces. Where an outage occurs, a DNSx resolution may instead fail over to another DNSx in a logically separate zone. This is largely dependent upon operator policy and telecommunication vendor technology.
All DNSx zone replication traffic must be secured through the use of virtual private network (VPN) tunnels to hide the names and IP addresses from Internet-based users. Should the operator require it, and should sufficient hardware exist, the operator may request that IPsec is used for DNSx zone replication rather than another VPN technology.

Configure firewalls to enforce packet filtering for UDP and TCP port 53.

Restrict the list of DNS servers that are allowed to initiate a zone transfer on the DNSx server. This must be configured for every DNSx in the Core network.

All DNSx events must be logged both remotely and locally. Monitoring DNSx logs can help in detecting unauthorised modifications to the DNSx server or zone files. Refer to your policy on DNS logging.

The following diagram represents how Mobile Network Security believe DNS should be deployed in the Core PS network (diagram not reproduced in this text).
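As an added example (not part of the original document), the following BIND 9 named.conf fragment applies the generic, DNSi and DNSx requirements above to an internal (DNSi) server: a specified listen address, forwarders and root hints pointing only at internal servers, zone transfers and dynamic updates restricted to TSIG-keyed peers, no dynamic update on the root zone, and local plus remote (syslog) logging of transfer, update and security events. All addresses, zone names, key names and the key secret are assumptions; a DNSx server would be a separate, authoritative-only host with the same transfer and logging restrictions. The weak settings are shown commented out above the corrected ones.

```conf
// Added example, not from the original document.  Addresses, zone and key
// names are assumptions; generate the real secret with tsig-keygen.

// --- weak: common shipped defaults (do not use) ---
// options {
//     listen-on { any; };          // listens on every address
//     allow-transfer { any; };     // any host can pull the whole zone
//     allow-recursion { any; };    // open resolver
// };

// --- corrected ---
key "xfer-key" {                      // shared with the peer DNSi servers only
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1leGFtcGxlLW9ubHk=";   // placeholder value
};
key "update-key" {                    // held by the provisioning system only
    algorithm hmac-sha256;
    secret "YW5vdGhlci1wbGFjZWhvbGRlci1zZWNyZXQ=";   // placeholder value
};

acl "core-ps"    { 10.20.0.0/16; };          // assumed Core PS zone (GGSN clients)
acl "dnsi-peers" { 10.20.1.2; 10.20.1.3; };  // assumed internal DNS servers

options {
    directory "/var/named";
    listen-on { 10.20.1.1; };         // specified address only, never "any"
    listen-on-v6 { none; };
    allow-query { core-ps; };         // only elements in the same logical zone
    allow-recursion { core-ps; };
    allow-transfer { none; };         // opened per zone, keyed, below
    forwarders { 10.20.1.2; 10.20.1.3; };   // internal DNS server addresses only
    version "none";
};

// Root hints point at the internal root servers, not the Internet root
zone "." {
    type hint;
    file "internal.root.hints";
};

zone "core.operator.example" {
    type master;
    file "core.db";
    allow-update { key "update-key"; };    // secure dynamic update only
    allow-transfer { key "xfer-key"; };    // keyed transfers to listed peers
    also-notify { 10.20.1.2; 10.20.1.3; };
};

logging {
    channel dns_syslog { syslog daemon; severity info; print-time yes; };
    channel dns_local  { file "/var/log/named/named.log" versions 5 size 20m;
                         severity info; print-time yes; };
    category xfer-in  { dns_syslog; dns_local; };
    category xfer-out { dns_syslog; dns_local; };
    category update   { dns_syslog; dns_local; };
    category security { dns_syslog; dns_local; };
    category lame-servers { null; };
};
```

Check the result from a peer with `dig @10.20.1.1 core.operator.example AXFR` (expect a refusal without the key, and a full transfer with `-k` pointing at the key file), and confirm that the refused attempt appears in both the local log and the central syslog collector.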
Further information on DNS security can be found in the following resources, which Mobile Network Security recommend for practical information on DNS and DNS security:

- RFC 4033, DNS Security Introduction and Requirements
- RFC 4034, Resource Records for the DNS Security Extensions
- RFC 4035, Protocol Modifications for the DNS Security Extensions
- RFC 3833, Threat Analysis of the Domain Name System (DNS)
- RFC 2845, Secret Key Transaction Authentication for DNS (TSIG)
- RFC 3007, Secure Domain Name System (DNS) Dynamic Update
- RFC 1035, Domain Names - Implementation and Specification
- RFC 2136, Dynamic Updates in the Domain Name System (DNS UPDATE)
- RFC 1034, Domain Names - Concepts and Facilities
- RFC 2104, HMAC: Keyed-Hashing for Message Authentication
- FIPS 198, The Keyed-Hash Message Authentication Code (HMAC)
- RFC 1912, Common DNS Operational and Configuration Errors
- BIND (ISC)
12. Core CS and Core PS Network Infrastructure Layer 2 and Layer 3 Security Requirements

The purpose of this section is to list the security-related technical requirements for the Core Circuit Switched (CS) and Core Packet Switched (PS) networks, referred to as the Core, in order to define router and switch configurations during low-level design. This section is not intended to offer high-level information such as a policy. It is based on the manufacturer's current best practice taken from the normative references section.

12.1. Scope (example)

The scope of this section covers typical network elements that form Core infrastructure. It is important to note that not every telecommunication vendor's equipment is the same. Not all core networks within a cellular operator's network would necessarily require Cisco infrastructure; Mobile Network Security have worked on many core networks where Juniper products have been in use, and have seen instances where routing between core network islands is managed by servers rather than routers. However, for the purpose of this document, Mobile Network Security have used Cisco infrastructure as the example, and example core network elements are listed below:

- Cisco 7609 routers
- Cisco routers
- Core Provider Edge (PE) routers in the core routing infrastructure
- Core Provider (P) routers in the core routing infrastructure
- Cisco IP MPLS backbone (IPMPLSBB)
- Layer 2 (L2) switching infrastructure
- E1 infrastructure
- Cisco PIX firewalls

Should you wish to learn more about securing other core network vendor technologies, please contact Mobile Network Security and we will be happy to talk through your requirements.

Note: It is not the intention of this document to list security requirements for existing LANs or WANs under any transmission plane.

12.2. Release

This version covers the requirements for the Core, principally the configuration of the routing infrastructure, firewalling operations and operating system configuration. Security requirements for the connectivity of client networks should be listed in an update to this document when that information is made available by the telecommunication vendor.

12.3. References

- [ISP ESS] Cisco ISP Essentials, version 2.9, Cisco.
- [L3 VPN] L3 MPLS/VPN Security Considerations, version 1.0, Cisco.
- [CISCO SECURITY] Improving Security on Cisco Routers, Cisco.
- [SAFE LAYER2] SAFE Enterprise Layer 2 Addendum, Cisco.
- [VLAN BEST PRACTICE] Virtual LAN Security Best Practices, Cisco.

12.4. Technical Requirements
Unless stated specifically in the text, the configuration described in this section shall be applied to all Core infrastructure. Routing protocols are disabled by default; however, the services offered by Cisco devices should be explicitly disabled in the configuration, because the default settings can change across different IOS versions and trains. With reference to operating system configuration, the out-of-the-box configuration is by default highly insecure, and therefore the security standards and guidelines for Unix operating systems must be strictly followed.

12.4.1. Hardening the Core

These requirements describe the features enabled or disabled in order for the Core infrastructure to maintain consistently secure operation. One of the prime requirements of the Core is that it is available and able to provide transport for the services that depend upon it for delivery. Providing security for the networks that are responsible for delivering those services via the Core is out of scope.

12.4.2. Removal of Services, Cisco Routers

Following the general security principle that unrequired protocols and services shall be disabled, the following shall be globally disabled throughout the Core:

- Finger daemon service: no service finger
- Chargen, echo and the other TCP/UDP small servers: no service tcp-small-servers and no service udp-small-servers
- HTTP server service: no ip http server
- BOOTP server service: no ip bootp server
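The following is an added example, not part of the original document, that audits a Cisco IOS configuration against the service-removal list above and the SNMP requirement in section 9 (no default community strings, SNMPv3 with privacy configured). Because the defaults differ between IOS trains, the audit looks for the explicit "no ..." statement rather than for the absence of the service. The sample configuration is constructed; the group name NOC and the addresses are assumptions.

```python
"""Audit an IOS configuration for the section 12 service-removal statements and
the section 9 SNMP requirements.  Added example; the sample config is
constructed and the group name / addresses in it are assumptions."""
import re

# Statements that must be present verbatim.  'show running-config' omits settings
# that are at their default, so audit the deployed template or the output of
# 'show running-config all', which prints defaults explicitly.
REQUIRED = [
    "no service finger",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip http server",
    "no ip bootp server",
]
DEFAULT_COMMUNITIES = {"public", "private"}           # must never be configured
COMMUNITY = re.compile(r"^snmp-server community (\S+)")
V3_PRIV_GROUP = re.compile(r"^snmp-server group \S+ v3 priv\b")   # auth + encryption

# Constructed sample: two required statements missing, HTTP left enabled,
# a default community present alongside a correct SNMPv3 group.
SAMPLE_CONFIG = """\
version 12.2
service timestamps log datetime msec
no service finger
no service udp-small-servers
ip http server
no ip bootp server
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NOC v3 priv
interface GigabitEthernet1/1
 ip address 10.20.1.1 255.255.255.0
!
end
"""


def audit(config_text):
    """Return a list of findings (empty list means the config passes)."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    present = set(lines)
    findings = [f"missing: {stmt}" for stmt in REQUIRED if stmt not in present]
    for line in lines:
        m = COMMUNITY.match(line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string configured: {line}")
    if not any(V3_PRIV_GROUP.match(l) for l in lines):
        findings.append("no SNMPv3 group with priv (authentication and encryption) configured")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FAIL", f)
```

Run over each element's saved configuration as part of the change-management check; a non-empty finding list means the device does not meet the section 12 baseline.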
What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationChapter 4 Virtual Private Networking
Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between
More informationJK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA
JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates
More informationInternet Protocol: IP packet headers. vendredi 18 octobre 13
Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)
More information1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network
WP 1004HE Part 5 1. Cyber Security White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network Table of Contents 1. Cyber Security... 1 1.1 What
More informationSecurizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei
Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei Firewall
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationBasics of Internet Security
Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational
More informationHow NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements
How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards
More informationA43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006
IBM TRAINING A43 Modern Hacking Techniques and IP Security By Shawn Mullen Las Vegas, NV 2005 CSI/FBI US Computer Crime and Computer Security Survey 9 out of 10 experienced computer security incident in
More informationLecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.
Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. 1 Information systems in corporations,government agencies,and other organizations
More informationBorderWare Firewall Server 7.1. Release Notes
BorderWare Firewall Server 7.1 Release Notes BorderWare Technologies is pleased to announce the release of version 7.1 of the BorderWare Firewall Server. This release includes following new features and
More informationEtherFast Cable/DSL VPN Router with 4-Port Switch
USER GUIDE EtherFast Cable/DSL VPN Router with 4-Port Switch Model: BEFVP41 About This Guide About This Guide Icon Descriptions While reading through the User Guide you may see various icons that call
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationFinal exam review, Fall 2005 FSU (CIS-5357) Network Security
Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection
More informationGuidance Regarding Skype and Other P2P VoIP Solutions
Guidance Regarding Skype and Other P2P VoIP Solutions Ver. 1.1 June 2012 Guidance Regarding Skype and Other P2P VoIP Solutions Scope This paper relates to the use of peer-to-peer (P2P) VoIP protocols,
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationGPRS / 3G Services: VPN solutions supported
GPRS / 3G Services: VPN solutions supported GPRS / 3G VPN soluti An O2 White Paper An O2 White Paper Contents Page No. 3 4-6 4 5 6 6 7-10 7-8 9 9 9 10 11-14 11-12 13 13 13 14 15 16 Chapter No. 1. Executive
More informationPROFESSIONAL SECURITY SYSTEMS
PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security
More informationSecuring IP Networks with Implementation of IPv6
Securing IP Networks with Implementation of IPv6 R.M.Agarwal DDG(SA), TEC Security Threats in IP Networks Packet sniffing IP Spoofing Connection Hijacking Denial of Service (DoS) Attacks Man in the Middle
More informationUsing IPSec in Windows 2000 and XP, Part 2
Page 1 of 8 Using IPSec in Windows 2000 and XP, Part 2 Chris Weber 2001-12-20 This is the second part of a three-part series devoted to discussing the technical details of using Internet Protocol Security
More informationNetwork Security: From Firewalls to Internet Critters Some Issues for Discussion
Network Security: From Firewalls to Internet Critters Some Issues for Discussion Slide 1 Presentation Contents!Firewalls!Viruses!Worms and Trojan Horses!Securing Information Servers Slide 2 Section 1:
More informationLinux Network Security
Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols
More informationFirewall Introduction Several Types of Firewall. Cisco PIX Firewall
Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls
More informationWe will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
More informationSecurity in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity
Basic Security Requirements and Techniques Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration
More informationNetwork Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting
Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order
More informationAppendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003
http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with
More informationICSA Labs Network Protection Devices Test Specification Version 1.3
Network Protection Devices Test Specification Version 1.3 August 19, 2011 www.icsalabs.com Change Log Version 1.3 August 19, 2011 added general configuration note to default configuration in Firewall section
More informationFirewalls. Network Security. Firewalls Defined. Firewalls
Network Security Firewalls Firewalls Types of Firewalls Screening router firewalls Computer-based firewalls Firewall appliances Host firewalls (firewalls on clients and servers) Inspection Methods Firewall
More informationUsing a Firewall General Configuration Guide
Using a Firewall General Configuration Guide Page 1 1 Contents There are no satellite-specific configuration issues that need to be addressed when installing a firewall and so this document looks instead
More informationFirewall Firewall August, 2003
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
More informationState of Texas. TEX-AN Next Generation. NNI Plan
State of Texas TEX-AN Next Generation NNI Plan Table of Contents 1. INTRODUCTION... 1 1.1. Purpose... 1 2. NNI APPROACH... 2 2.1. Proposed Interconnection Capacity... 2 2.2. Collocation Equipment Requirements...
More informationNetwork Defense Tools
Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall
More informationCSCI 454/554 Computer and Network Security. Topic 8.1 IPsec
CSCI 454/554 Computer and Network Security Topic 8.1 IPsec Outline IPsec Objectives IPsec architecture & concepts IPsec authentication header IPsec encapsulating security payload 2 IPsec Objectives Why
More information