1 Encrypting ATM Firewall Abstract This paper explores the mechanics and policies that are necessary to protect information transmitted over an untrusted high speed wide area ATM network. The network model assumes a set of local area networks that are physically secure, interconnected by an untrusted wide area network. The threat model assumes an outsider threat such that security demands strong encryption of the data as well as access control between the untrusted wide area network and trusted local area networks. This paper details the security assumptions and requirements for this type of network. The paper then presents a set of reference networks and discusses the cryptographic requirements necessary to achieve a high level of information privacy, provide access control, scale efficiently as the network grows in size and speed, and operate transparently to the end user. Introduction Motivation The commercialization of the Internet and the advent of broadband networking technologies have ushered in the Information Revolution. As with all advances in information exchange, the benefits of rapid communication also carry the liability associated with security for both the information and the information infrastructure. With the emergence of broadband services such as Asynchronous Transfer Mode (ATM), the same network can be used for voice, video, data, transaction processing, and a host of other integrated services. These network services provide the means for information exchange. For businesses, this information often represents intellectual property, the family jewels, which must be protected. This paper details a cost effective mechanism for protecting information on high speed ATM networks. It starts with the assumption that information privacy and network access control are the most important elements to security of intellectual property. The second assumption is that the inclusion of security into a network needs to be completely transparent to the end user and compatible with existing switched network services. This means that the addition of privacy and access control must be a seamless overlay on the existing network. For these reasons, any approach that requires private lines, fixed pointto-point connections, manual intervention, or any other changes to the existing network infrastructure is unacceptable
2 Encrypting ATM Firewall 2 Scope The concept of network security means a lot of different things to different people; thus it is important to define the terms associated with security. For our purposes, network security specifically refers to the means to assure privacy of data and to control access from untrusted networks. The term privacy means that data transmitted on an untrusted network provides as little information as possible to unauthorized third parties. Privacy is achieved by encryption of data. Access control refers to the policy of allowing communication between certain entities and disallowing communication between other entities. This means that access control can be used to prohibit network access between untrusted networks and trusted networks. One of the issues associated with access control is identification of the entities that are providing privacy and access control services. These entities are referred to as cryptographic units. Access control is achieved by requiring that connections between hosts over an untrusted network always go through the cryptographic units. The cryptographic units are responsible for establishing a trusted, secure connection for the hosts. This concept of a trusted connection over an untrusted network is referred to as a security context. This paper does not address issues such as denial-of-service attacks, malicious attacks by an adversary designed to disrupt service. This paper also does not address the issues of physical security. It is assumed that the cryptographic unit is in a physically secure location. Finally, it is outside the scope of this paper to address the issues associated with insider threats. Assumptions Before one designs, builds, and deploys a network security system, it is essential to answer the following questions: What information are we trying to protect? From whom are we seeking protection? Deciding what is important to protect and why is the first step in defining a security perimeter. Security can be thought of as the concentration of trust. The more people and things that have access to sensitive material, the more difficult it is to secure these materials. Thus, an essential aspect of a security system is defining both the people and equipment that can be trusted with sensitive material. Deciding what constitutes a security threat is the second part of the equation. The method one uses to protect sensitive material is very dependent on the capabilities and intentions of the adversary. One uses different methods for protection depending on Where is the risk perceived? Is the risk internal or external to an organization? What is the technical capability of the adversary? What is the determination of the adversary, i.e., how much cost and effort is the adversary willing to spend to defeat security measures? This section discusses a threat model and defines the security perimeter for broadband networks. The threat model and the security perimeter concepts are tightly coupled, so a definition of one of these concepts helps to define the other.
3 Encrypting ATM Firewall 3 Threat Model The basic assumption of this paper is that the threat to networking security is an outsider threat. In other words, any security breach will occur outside the security perimeter. This outside threat is technically sophisticated with access to the best commercially available technology, and is tenacious enough to break weak security procedures. A corporate espionage operation is an example of such a threat. For network communication there are two major types of security breaches that are applicable for this paper, wire tapping and information mis-routing. Both of these concerns involve a third party gaining access, either accidentally or maliciously, to sensitive information. In terms of technology and tenacity it is assumed that the adversary: can physically access and monitor information passing through the untrusted network, can store and analyze the information passing through the untrusted network, can communicate on the untrusted network and attempt to gain access to the trusted network via standard network protocols, has the means, desire, and resources to break weakly secured communication, and can isolate specific or sensitive information from other information. Security Perimeter In terms of networking security, it is important to decide whom can be trusted with what type of information and what should be the access control strategy. The security perimeter is the boundary between those people and equipment that can be trusted and the rest of the world. An encrypting firewall between the trusted network and the untrusted network is one approach to providing this security perimeter. In general, the smaller the security perimeter, the more expensive it is to achieve security per user since it requires an encrypting firewall for each security perimeter. However, the information security for the overall network is improved. The larger the security perimeter, the lower the cost per user, but at the liability of needing to trust a larger number of people and equipment. This paper presents a set of examples to illustrate methods to define the security perimeter for various network configurations and security requirements using the encrypting firewall security model. The basic model assumes that groups sharing common infrastructure such as a LAN or a building constitute a trusted set of users. This basic model attempts to balance risk against cost and complexity. Requirements for an Encrypting ATM Firewall Before discussing how to deploy security within a network, it makes sense to define the requirements for an Encrypting ATM Firewall (referred to as a cryptographic unit). The following items compose the functions necessary for a cryptographic unit to operate as an encrypting firewall: Ensure privacy of the data. Provide access control to the trusted network. Be transparent to the network and users. Communicate with a certificate authority for credential and policy information. Provide Operations, Administrations, Maintenance, and Provisioning (OAMP) functions.
4 Encrypting ATM Firewall 4 Privacy The most important function for an encrypting security device is to provide privacy for the data in transit over the untrusted network. This means that the data must be scrambled with a sufficiently robust cryptographic algorithm, such that no information is available to a potential adversary other than the existence of a message and possibly its length. This means that the payload of every cell transiting the untrusted network must be encrypted with a strong cryptographic algorithm. Furthermore, the algorithm should ensure that patterns in the plain text do not show up as patterns in the encrypted text, also referred to as cipher text. Another aspect of privacy is the generation and distribution of session keys. Each active VC must have a unique encryption key (or set of keys). This ensures that a compromise of one session does not affect the security of any other active session. Encryption keys should be established between the cryptographic units during call setup. This ensures that each call has a unique security context with a limited lifetime. Additionally, the encryption keys must be easily changeable during the lifetime of the call. Changing of the keys is necessary for certain types of encryption feedback modes, and ensures that an encryption key has a limited lifetime and is used to protect only a limited amount of data. Finally, a cryptographic unit must be able to support a large number of unique virtual circuits concurrently. This is necessary to meet the transparency requirement for access to the switched public network. Access Control The second major function of an encrypting firewall is to provide access control between the trusted network and the untrusted network. The amount of access control is a policy issue dictated by the security administrator. The most restrictive (and secure) access control policy is to allow connections between trusted networks via the untrusted network only if that connection is part of an authenticated security context. One method to administer access control is to require the establishment of a security context on a per-virtual Circuit (VC) basis is during call setup. When a host-to-host connection request is first made across the untrusted network, the cryptographic units must first set up a security context before the connection is allowed to be completed between the hosts. The security context establishes the identity of the cryptographic units and sets up the necessary session keys for encrypting the particular VC. This approach also permits security for Point-to-Multipoint (PMP) connection. Transparency The third major requirement for a cryptographic firewall is transparency, with respect to the end-user and the network. In short, for users within trusted networks the existence of the cryptographic firewall should not be visible. The cryptographic firewall must be compatible with the ATM standards with respect to user cells and signaling channels. For user cells, only the payload of the cell is encrypted. This means the ATM header information remains in the clear and thus the encryption does not affect transit of the cell through the untrusted network. For signaling channels, the cryptographic firewall is responsible for intercepting call setup messages from the trusted network to the untrusted network. The cryptographic firewall must then comply with the signaling standards in order to interoperate seamlessly between the trusted network and the untrusted network. Certificate Authority A Certificate Authority is generally used to vouch for the authenticity of a public key and its association with other identifying information. In the context of a network security system, it can also play a critical role in vouching for the identity of cryptographic units and other
5 Encrypting ATM Firewall 5 entities. As part of establishing a security context, cryptographic units need to exchange certificates signed by a trusted certificate authority. A security context between cryptographic units is only valid if both cryptographic units can validate the credentials of the other cryptographic unit. Security Policies It is anticipated that security policies will be administered through existing network management protocols. The certificate authority may also play a role in authenticating management agents, policy changes, and so forth. Some of policy issues that are relevant to a network security system include: time limits on session keys, revocation of certificates, certificate lifetimes, distribution of public keys associated with a cryptographic unit, access between hosts on trusted networks and hosts on untrusted networks, audits and response to unusual events, and policies concerning establishment of Permanent Virtual Circuits (PVCs) and Permanent Virtual Paths (PVPs). Reference Network Architecture This section illustrates the mechanism of defining a security perimeter for networks. These networks are referred to as reference networks and represent typical configurations for deploying security. As part of defining these reference networks it is necessary to discuss the particular components that make up the security system and how each of these components fits into a network based security system. Components of the security system The basic components of a network based security system are the cryptographic unit and the certificate authority. The cryptographic unit performs the following functions Encryption and decryption of ATM cell payload on a per-cell basis; Access control based on call setup within a switched virtual circuit network; Enforcement of policies and confirmation of credentials for each secure session. The certificate authority is responsible for providing proof of credentials and distribution of certain security policies (such as revocation lists and certificate lifetimes). ATM traffic generally consists of a large number of virtual circuits (VCs) that traverse the same physical link at high rates of speed. For security purposes each virtual circuit is dynamically assigned its own unique encryption key during the call setup procedure. When a cell arrives at the cryptographic unit, the unit must associate the cell VC with its unique encryption key. That key is then used to encrypt the payload of the cell; the header is left in the clear. None of the network architecture issues discussed in this paper are dependent on the algorithm chosen. Whatever algorithm is to be used must be cryptographically strong, computationally fast, and provide recovery from errors. An example of an encryption algorithm that meets the requirements for data privacy is triple-des. However, single DES is not strong enough to allow for good privacy. It is also necessary to provide some type of
6 Encrypting ATM Firewall 6 chaining in order to effectively hide patterns in the clear text. For this reason, Electronic Code Book (ECB) encryption is not recommended. Both Cipher Block Chaining (CBC) and Counter Mode encryption provide the necessary chaining to meet the privacy requirements. If Counter Mode is chosen a mechanism must be established to recover from lost cells, since Counter Mode is not a self-recovering encryption mode (a loss of data causes all subsequent data to be corrupted). The ATM Forum Security Working Group has established a set of recommendations for the use of Counter Mode, including recovery from lost cells. A basic requirement of a security firewall is that it fit seamlessly into a switched virtual circuit network. The mechanism used to provide access control and establish privacy in an SVC network is based on establishing a security context during call setup. The reference network shown in Figure 1 is used to illustrate steps for call setup and key exchange. Untrusted Switched Virtual Circuit Network A Cryptographic Unit A Cryptographic Unit B B Certificate Authority Figure 1. Reference Network According to the criteria for trusted networks, the security overlay must be transparent. In order to talk to B across the untrusted network, A simply attempts to establish a call using standard ATM signaling. The cryptographic units transparently establish a security context through the untrusted network according to the following steps. 1) A sends a call setup message to the network to establish a call with B. Cryptographic Unit A intercepts the call setup message. 2) Cryptographic Unit A then forwards the a call setup message to B, where it is intercepted by Cryptographic Unit B. As part of establishing a security context, Cryptographic Unit A may alter the original call setup message to include additional security information or to ensure that policies are enforced. Cryptographic Unit B then completes the connection with Cryptographic Unit A to establish a virtual circuit across the untrusted network. 3) After a connection is established between Cryptographic Unit A and Cryptographic Unit B, session keys for the particular connection between A and B are exchanged. These keys are encrypted and signed by the cryptographic units, and the credentials of the cryptographic units are exchanged. These credentials are ultimately provided by a Certificate Authority. (NOTE: The mechanism for the exchange of cryptographic unit credentials is implementation dependent and may not need to occur on a per-call basis.)
7 Encrypting ATM Firewall 7 4) Once a security context has been established between the two cryptographic units, the connection between the A and Cryptographic Unit A, and B and Cryptographic Unit B respectively is allowed to complete. 5) Once the call setup is complete, a virtual circuit is established between A and B via the two cryptographic units. The cell payload of each cell is encrypted as it passes through the local cryptographic unit and decrypted on the other side of the network. Since the cryptographic units are part of the call setup procedure, they also act as access control firewalls. According to policies, the cryptographic units can deny access from the network for any call that does not have a security context that is signed, authenticated, and ultimately verifiable by a Certificate Authority. A signed and authenticated security context means that each cryptographic unit has independently verified the identity of the other unit based on information supplied as part of the call setup message. Part of this information includes a certificate provided by a trusted certificate authority. Trusted LAN Reference Network The basic deployment of a security firewall as a network overlay calls for a trusted Local Area Network connected to an untrusted Wide Area Network by means of a high speed ATM link. The security perimeter is then at the Point-of-Presence (POP) between the untrusted wide area network and the trusted local area network. This section presents two basic configurations for a trusted local area network interconnection to the wide area network. Trusted ATM Security ATM Links Local ATM Local ATM ATM over SONET or PDH Links Crypto graphic Unit ATM over SONET or PDH Links Untrusted Wide Area Figure 2. Trusted Local Area ATM Network connected to an Untrusted Wide Area ATM Network The first configuration, shown in Figure 2, assumes a local ATM environment where all endusers are interconnected locally via ATM switches. The security perimeter is between the local root ATM switch and the untrusted wide area network. This configuration assumes that the local network is trusted and the wide area network is untrusted. All local traffic in this configuration would remain in the clear. Traffic entering or leaving the security perimeter would be subject to encryption and access control policies. This configuration represents both a cost effective and security effective solution that scales well with the requirements of the local area network.
8 Encrypting ATM Firewall 8 This configuration is security effective because typically the local area network would represent a building or campus environment that is trusted. Therefore, the security perimeter encompasses the entire building or local campus. Security of the local area network is accomplished by physical security of the networking equipment and cryptographic units. This configuration is cost effective since only the links from the trusted network to the untrusted network require encryption devices. We assume that the wide area network links are procured from the public carriers and that users will seek to minimize this expense. The cryptographic unit can be matched to the performance of this external link without impacting internal network performance. Finally, this approach scales well since the local area trusted network can grow in nodes without a significant impact on the need for access to the untrusted wide area network. This model assumes that much of the traffic is local and only a small fraction of the total traffic is external. As the local network grows the requirements for access to the untrusted wide area network will also grow but at a much slower rate. Trusted Legacy Network Ethernet Security Trusted ATM Network Untrusted Wide Area IP Router with ATM capability ATM over SONET or PDH Links Crypto graphic Unit ATM over SONET or PDH Links FDDI Figure 3. Trusted Local Area Legacy Network connected to an Untrusted Wide Area ATM Network The second configuration, shown in Figure 3, is very similar to the first configuration but allows for backward compatibility with existing legacy networks. In the case, the trusted local network is IP-based, supporting many different network types. (Note that this is strictly a private IP network which is not connected to the Internet.) The IP router with ATM capability provides the interface between IP traffic on the legacy networks and the ATM network. The ATM link between the IP router and the wide area network contains the cryptographic unit that provides encryption of the ATM cell payload (and therefore IP datagrams). This configuration is cost effective, security effective, and scalable in the same manner as the first configuration.
9 Encrypting ATM Firewall 9 Trusted LANs within an Untrusted WAN The two configurations illustrated in the previous section represent building blocks for developing security within a Wide Area Network. The basic idea for security over a wide area network is that security perimeters are established at the interface between local area networks and the wide area network according to Figures 2 and 3. These local area networks then become trusted islands. The assumption is that there is no requirement for trust within the untrusted network. Thus, even if the untrusted network is compromised, there is no compromise to the privacy of the data nor can there be unauthorized access to the trusted ATM networks. This is because all data between the trusted islands is encrypted and access control is accomplished at the point-of-presence to the wide area network. From the perspective of the user within a trusted island, there is no difference in security between communication within a trusted island and communication between trusted islands. Essentially, the cryptographic units have connected each of the distinct islands into one trusted virtual network. The following diagram illustrates the physical interconnection between the trusted islands and the wide area network. Trusted ATM Network ATM Switch Crypto Unit Security Perimeter Telco POP SONET or PDH Add/Drop Mux Untrusted Wide Area Network Local Telco Central Office IEC Central Office Trusted ATM Network Trusted ATM Network Trusted ATM Network ATM Switch Crypto Unit Telco POP SONET or PDH Add/Drop Mux Local Telco Central Office IEC Central Office Trusted ATM Network Certificate Authority Security Perimeter Figure 4. Interconnection between Trusted ATM networks and an Untrusted Wide Area Network The point-of-presence of the untrusted wide area network is typically an Add/Drop multiplexor that connects the local area network to a high bandwidth local loop that goes to the central office of the local carrier. Within the untrusted wide area network, traffic will be switched through a hierarchy of switches starting with the local central office and then (possibly) through the Inter-exchange Carriers (IEC). A customer has no control over the switching or security of switched traffic within the untrusted network. Therefore, it is on the trusted network side of the point-of-presence that a security firewall must be installed. With cryptographic firewalls on both sides of each connection, all communication between the trusted networks is encrypted prior to entering the untrusted network. All communication from the untrusted network to the trusted network is controlled by means of access control at the cryptographic firewall. Depending on the policy, this may mean that only connections between trusted networks are permitted. The decision to accept connections from the outside world are made at the boundary of the trusted ATM network. In the network pictured above, there must exist at least one certificate authority. In general the certificate authority is attached to the public (untrusted) network. As part of installation, cryptographic units must be registered with each certificate authority. This registration process provides both routing and identification information such that the cryptographic units may contact the certificate authority.
10 Encrypting ATM Firewall 10 Conclusion This paper explored the mechanisms and policies that are necessary to protect information transmitted over an untrusted high speed wide area ATM network. One basic assumption for establishing a trusted network is the development of a threat model. The model chosen is an outsider threat, technically capable and properly motivated such that strong encryption and access control are necessary to protect the security of the data. The second basic assumption is that the local area network is physically secure and trusted. Thus, it makes sense from a security as well as economic standpoint to provide encryption and access control at the point-of-presence to the untrusted wide area network. The requirements for the cryptographic units include the need to operate at very high rates of speed, support large number of simultaneous virtual circuits, seamlessly interconnect to a switched wide area network and provide strong access control. To ensure privacy of the data the use of counter mode triple DES for encryption has been advocated. To ensure access control, a security context between cryptographic units is established at call setup time for each VC. This security context provides strong authentication of cryptographic units based on credentials supplied by a certificate authority as well as dynamic session keys for encryption. To ensure transparency, the requirements call for the cryptographic units to support a large number of simultaneous virtual circuits. Transparency also requires the support of ATM signaling standards to establish a security context as part of call setup for each VC. The reference networks illustrate the interconnection between trusted local area networks via the untrusted wide area network. The idea is to develop a trusted virtual network by interconnecting trusted network islands. The use of switched virtual circuits within the wide area network ensures transparency and interoperability with the local and inter-exchange carriers. Bibliography  Scott Lane and Data Deluca. "Proposed Encryption Algorithm and Mode of Operation," ATM Forum/ , February  Lyndon Pierson and Mohammad Peyravian. "Mode of Operation for User Plane Data Confidentiality," ATM Forum/ , April  Phase I ATM Security Specification (Draft), ATM Forum/ R3, June  ITU-T Recommendation I.610, B-ISDN Operation and Maintenance Principles and Functions, April  ATM User-Network Interface (UNI) Signaling Specification, Version 4.0, ATM Forum, January  Bruce Schneier. Applied Cryptography, 2nd edition,  National Bureau of Standards. Data Encryption Standard, Federal Information Processing Standards Publication (FIPS PUB) 46, January  Hans Erbele. A High-speed DES Implementation for Network Applications, CRYPTO 92, Santa Barbara, CA, August  Daniel Stevenson, Nathan Hillery, and Greg Byrd. Secure Communications in ATM Networks, Communications of the ACM, February  Daniel Stevenson, Nathan Hillery, Greg Byrd, Fengmin Gong, and Dan Winkelstein. Design of a Key Agile Cryptographic System for OC-12c Rate ATM, Symposium on Network and Distributed System Security, February 1995.
11 Encrypting ATM Firewall 11 About SafeNet, Inc. SafeNet, Inc. (Nasdaq: SFNT), a leading provider of private and public network security solutions, has set the industry standard for VPN technology and secure business communications and offers the only encryption platform for both WAN and VPN networks. With more than 20 years experience in developing, deploying, and managing network security systems for the most security-conscious government, financial institutions, and large enterprise organizations around the world, SafeNet's proven technology has emerged as the de facto industry standard for VPNs. SafeNet is the singlesource vendor for WAN and VPN security solutions teamed with an easy and low-cost migration path to a broad range of VPN products. SafeNet security solutions, based on SecureIP Technology, and part of the CGX Security Platform, have become the products of choice for leading Internet infrastructure manufacturers, service providers, and security vendors. Corporate Headquarters Phone USA and Canada (800) Phone Other Countries (410) Fax (410) Website SafeNet, Inc. This document contains information that is proprietary to SafeNet, Inc. No part of this document may be reproduced in any form without prior written approval by SafeNet. SafeNet shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretation thereof. The opinions expressed herein are subject to change without notice.
Best Practices: The Key Things You Need to Know Now About Secure Networking Layer 1 (SONET), Layer 2 (ATM), and Layer 3 (IP) Encryption Technologies Reaching a Balance Between Communications and Security
SafeEnterprise SSL igate Managing Central Access to Resources with VPX Technology Introduction SSL is a well-established, high performing and secure technology for Internet transactions. The strength of
Draft ITU-T Recommendation X.805 (Formerly X.css), architecture for systems providing end-to-end communications Summary This Recommendation defines the general security-related architectural elements that
CONNECT PROTECT Communication, Networking and Security Solutions for Defense Engage Communication provides Defense, Homeland Security and Intelligence Communities with innovative and cost effective solutions
HughesNet Broadband VPN End-to-End Security Using the Cisco 87x HughesNet Managed Broadband Services includes a high level of end-to-end security features based on a robust architecture designed to meet
WHITE PAPER TrustNet CryptoFlow Group Encryption Table of Contents Executive Summary...1 The Challenges of Securing Any-to- Any Networks with a Point-to-Point Solution...2 A Smarter Approach to Network
Technical Report TR-010 Requirements & Reference Models for ADSL Access Networks: The SNAG Document June 1998 Abstract: This document outlines architectural requirements and reference models for ADSL services
ethernet services for multi-site connectivity security, performance, ip transparency INTRODUCTION Interconnecting three or more sites across a metro or wide area network has traditionally been accomplished
Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources
Technical Report TR-018 References and Requirements for CPE Architectures for Data Access March 1999 '1999 Asymmetric Digital Subscriber Line Forum. All Rights Reserved. ADSL Forum technical reports may
Converged TDM and IP- Based Broadband Solutions White Paper OnSite -10 Multi-Service over SDH Provisioning Copyright Copyright 2009, Patton Electronics Company. All rights reserved. Printed in the USA.
HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper Rev 1.0 HIPAA Security Considerations for Broadband Fixed Wireless Access Systems This white paper will investigate
Addressing Inter Provider Connections With MPLS-ICI Introduction Why migrate to packet switched MPLS? The migration away from traditional multiple packet overlay networks towards a converged packet-switched
Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer February 3, 1999 Frame Relay Frame Relay is an international standard for high-speed access to public wide area data networks
Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP Connecting MPLS Voice VPNs Enabling the secure interconnection of Inter-Enterprise VoIP Executive Summary: MPLS Virtual
> Business Continuity and Disaster Recovery Solutions in Government Protecting Critical Data Flow for Uninterrupted Services WHITE PAPER January 2010 J. Asenjo, CISSP www.thalesgroup.com/iss Information
VPN Date: 4/15/2004 By: Heena Patel Email:firstname.lastname@example.org What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining
VOLUME 1, SECTION 9: TECHNICAL NARRATIVE TO AMPLIFY TECHNICAL NARRATIVE TABLES In Section 9.0 each of the technical volume narrative requirements for mandatory services and optional services proposed by
Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type
MovieLabs Specification for Enhanced Content Protection Version 1.0 Introduction Digital content distribution technologies are evolving and advancing at a rapid pace. Content creators are using these technologies
Network+ Guide to Networks, Fourth Edition Chapter 7 WANs, Internet Access, and Remote Connectivity Objectives Identify a variety of uses for WANs Explain different WAN topologies, including their advantages
White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA
Assessing Telehealth Operational and Technology Security Risks to Privacy Prepared by the Center for Telehealth University of New Mexico Health Sciences Center July 2003 INTRODUCTION The purpose of this
How Proactive Business Continuity Can Protect and Grow Your Business For most companies, business continuity planning is instantly equated with disaster recovery the reactive ability of a business to continue
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
Securing an IP SAN Application Brief All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time.
Introduction Computer Network. Interconnected collection of autonomous computers that are able to exchange information No master/slave relationship between the computers in the network Data Communications.
2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service
MPLS L2VPN (VLL) Technology White Paper Issue 1.0 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any
Building integrated services intranets A White Paper from Inalp Networks Inc Meriedweg 7 CH-3172 Niederwangen Switzerland http://www.inalp.com CONTENTS CONTENTS...2 1 EXECUTIVE SUMMARY...3 2 INTRODUCTION...4
Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network
Best practices for protecting network data A company s value at risk The biggest risk to network security is underestimating the threat to network security. Recent security breaches have proven that much
Video Conferencing and Security Using the Open Internet and Encryption for Secure Video Communications & Guidelines for Selecting the Right Level of Security for Your Organization 1 Table of Contents 1.
Technical Report TR-012 Broadband Service Architecture for Access to Legacy Data s over ADSL Issue 1 June 1998 Abstract: This Technical Report specifies an interoperable end-to-end architecture to support
Amethyst Cryptographic Services Ltd Managed Encryption Service An Overview Chris Greengrass March 2011 Encryption and Cryptography The use of encryption/decryption is as old as the art of communication.
Lecture Computer Networks Prof. Dr. Hans Peter Großmann mit M. Rabel sowie H. Hutschenreiter und T. Nau Sommersemester 2012 Institut für Organisation und Management von Informationssystemen Asynchronous
CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such
CTS2134 Introduction to Networking Module 07: Wide Area Networks WAN cloud Central Office (CO) Local loop WAN components Demarcation point (demarc) Consumer Premises Equipment (CPE) Channel Service Unit/Data
ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide
Performance Management for Next- Generation Networks Definition Performance management for next-generation networks consists of two components. The first is a set of functions that evaluates and reports
Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings
COMBATANT COMMAND () NEXT-GENERATION SECURITY ARCHITECTURE USING NSA SUITE B TABLE OF CONTENTS COMBATANT COMMAND () NEXT-GENERATION SECURITY ARCHITECTURE USING NSA SUITE B NSA COMMERCIAL SOLUTION FOR CLASSIFIED
Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches
over IP The Challenge Legacy services such as are still in use worldwide for a range of applications. Over the years, many customers have made significant investments in equipment and processes that depend
Site to Site Virtual Private Networks Programme NPFIT DOCUMENT RECORD ID KEY Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0002.01 Prog. Director Mark Ferrar Owner Tim Davis Version 1.0
SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security
MPLS: Key Factors to Consider When Selecting Your MPLS Provider Whitepaper 2006-20011 EarthLink Business Page 1 EXECUTIVE SUMMARY Multiprotocol Label Switching (MPLS), once the sole domain of major corporations
White Paper Secure VoIP for optimal business communication Learn how to create a secure environment for real-time audio, video and data communication over IP based networks. Andreas Åsander Manager, Product
Hitachi Review Vol. 48 (1999), No. 4 203 GR2000: a Gigabit Router for a Guaranteed Network Kazuo Sugai Yoshihito Sako Takeshi Aimoto OVERVIEW: Driven by the progress of the information society, corporate
Truffle Broadband Bonding Network Appliance Reliable high throughput data connections with low-cost & diverse transport technologies PART I Truffle in standalone installation for a single office. Executive
Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH White Paper February 2010 www.alvandsolutions.com Overview Today s increasing security threats and regulatory
WAN Data Link Protocols In addition to Physical layer devices, WANs require Data Link layer protocols to establish the link across the communication line from the sending to the receiving device. 1 Data
NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X
Department of Computer Science Institute for System Architecture, Chair for Computer Networks Internet Services & Protocols Internet (In)Security Dr.-Ing. Stephan Groß Room: INF 3099 E-Mail: email@example.com
CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client
Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks Document Overview This document provides an overview of how to effectively and securely provide IP-based videoconferencing
Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress Alan Davy and Lei Shi Telecommunication Software&Systems Group, Waterford Institute of Technology, Ireland adavy,firstname.lastname@example.org
IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan
SIP Trunking Guide: Get More For Your Money 07/17/2014 WHITE PAPER Overview SIP trunking is the most affordable and flexible way to connect an IP PBX to the Public Switched Telephone Network (PSTN). SIP
INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture
TrustNet Group Encryption Executive Summary Protecting data in motion has become a high priority for a growing number of companies. As more companies face the real and growing threat of data theft, along
Broadband Bonding Network Appliance TRUFFLE BBNA6401 White Paper In this brief White Paper we describe how the TRUFFLE BBNA6401 can provide an SMB with faster and more reliable Internet access at an affordable
Question: 1 Which network security strategy element refers to the deployment of products that identify a potential intruder who makes several failed logon attempts? A. test the system B. secure the network
Security and the Mitel Teleworker Solution White Paper July 2007 Copyright Copyright 2007 Mitel Networks Corporation. This document is unpublished and the following notice is affixed to protect Mitel Networks
WHITEPAPER MPLS: Key Factors to Consider When Selecting Your MPLS Provider INTRODUCTION Multiprotocol Label Switching (MPLS), once the sole domain of major corporations and telecom carriers, has gone mainstream
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
Network Security Chapter 9 Integrating Security Services into Communication Architectures Network Security (WS 00): 09 Integration of Security Services Motivation: What to do where?! Analogous to the methodology
SONET/SDH SONET/SDH! SONET (Synchronous Optical Network) is the current standard for high speed carrier infrastructure in North America.! SDH (Synchronous Digital Hierarchy) is the European counterpart
THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has
Abstract Virtual Private Networks (VPNs) are today becoming the most universal method for remote access. They enable Service Provider to take advantage of the power of the Internet by providing a private
SIP Security Controllers Product Overview Document Version: V1.1 Date: October 2008 1. Introduction UM Labs have developed a range of perimeter security gateways for VoIP and other applications running
Lecture 10: Virtual LANs (VLAN) and Virtual Private Networks (VPN) Prof. Shervin Shirmohammadi SITE, University of Ottawa Prof. Shervin Shirmohammadi CEG 4185 10-1 Virtual LANs Description: Group of devices
Basic Security Requirements and Techniques Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration
Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Prof. Dr.-Ing. Georg Carle Christian Grothoff, Ph.D. Chair for
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
State of Texas TEX-AN Next Generation NNI Plan Table of Contents 1. INTRODUCTION... 1 1.1. Purpose... 1 2. NNI APPROACH... 2 2.1. Proposed Interconnection Capacity... 2 2.2. Collocation Equipment Requirements...
# 129 TECHNOLOGY WHITE PAPER Page: 1 of 5 MPLS and IPSec A Misunderstood Relationship Jon Ranger, Riverstone Networks ABSTRACT A large quantity of misinformation and misunderstanding exists about the place
High Performance VPN Solutions Over Satellite Networks Enhanced Packet Handling Both Accelerates And Encrypts High-Delay Satellite Circuits Characteristics of Satellite Networks? Satellite Networks have
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
WHITE PAPER Gaining Total Visibility for Lawful Interception www.ixiacom.com 915-6910-01 Rev. A, July 2014 2 Table of Contents The Purposes of Lawful Interception... 4 Wiretapping in the Digital Age...
MPLS and MPLS VPNs: Basics for Beginners Christopher Brandon Johnson Abstract Multi Protocol Label Switching (MPLS) is a core networking technology that operates essentially in between Layers 2 and 3 of
Chapter 2 - The TCP/IP and OSI Networking Models TCP/IP : Transmission Control Protocol/Internet Protocol OSI : Open System Interconnection RFC Request for Comments TCP/IP Architecture Layers Application