Unified Security Architecture for enterprise network security




White Paper. Nortel Networks.

A conceptual, physical, and procedural framework for high-performance, multi-level, multi-faceted security to protect campus networks, data centers, branch networking, remote access, and IP telephony services.

The greater the reach and availability of the network, the greater its vulnerability to threats from within and outside the organization. The new openness of networked communications introduces new ethical, financial, and regulatory pressures to protect networks and enterprises from internal and external threats and attacks. Every IT security professional should be up-to-date on the Top Ten challenges to enterprise security and the latest recommendations to address those challenges.

Contents

Executive summary
Part I. The Top Ten challenges to enterprise network security
  Enterprise Security Challenge #1: The Internet was designed to share, not to protect.
  Enterprise Security Challenge #2: Security is not optional.
  Enterprise Security Challenge #3: The bad guys have good guns.
  Enterprise Security Challenge #4: Security threats recognize no boundaries.
  Enterprise Security Challenge #5: Security depends on people, process, and technology.
  Enterprise Security Challenge #6: It's not enough to guard the front gate.
  Enterprise Security Challenge #7: There's no stock blueprint.
  Enterprise Security Challenge #8: Frisking everybody and everything takes time.
  Enterprise Security Challenge #9: Grace under fire is a requirement.
  Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date.
Part II. The Nortel Networks Unified Security Architecture
  2.1. Multi-layer security across application and network levels
  2.2. Variable-depth security
  2.3. Closed-loop policy management
  2.4. Uniform access management
  2.5. Secure network operations
  2.6. Secure multimedia communications
  2.7. Network survivability under attack
  2.8. The closed-loop policy management reference model
  2.9. A closer look at uniform access management
Part III. Network security in the real world
  3.1. Securing the campus network
  3.2. Securing the data center
  3.3. Securing the remote office
  3.4. Securing remote access
  3.5. Securing IP telephony services
Part IV. Nortel Networks technology and expertise
  4.1. Design tenets built into the Nortel Networks security portfolio
  4.2. Expanded choice through partnerships
  4.3. Security services
  4.4. Nortel Networks product assurance
  4.5. Nortel Networks and cross-industry security developments
Summary
Appendix A. Hackers' tools of the trade
Appendix B. Application and network level threats

Executive summary

Today's connected enterprise faces a security paradox. The very openness and ubiquity that make the Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to share, not to protect. The ports and portals that welcome remote sites, mobile users, customers, and business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and others who would misappropriate network resources for personal gain. The only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels and at multiple network points.

Nortel Networks, a global leader in secure data networking, offers proven solutions to satisfy end-to-end network security requirements. Security in the DNA is a key tenet of our strategy for the new enterprise network, a convergence framework we call One Network. A World of Choice. This document presents the security component of that enterprise network strategy.

The Unified Security Architecture provides a conceptual, physical, and procedural framework of best recommendations and solutions for enterprise network security. It serves as an important reference guide for IT professionals responsible for designing and implementing secure networks. What are the requirements and vulnerabilities? What technology options and implementation choices are available? How do you protect the network at all levels? This comprehensive strategy addresses those pressing concerns facing IT security specialists, and offers encouraging news about the depth and breadth of options available for securing critical network resources.

The Unified Security Architecture is realistic. It assumes that all components of an IT infrastructure are targets... that even internal users could be network threats... that attacks are inevitable... that network performance cannot be compromised by processing-intensive security measures... and that IT budgets are constrained.

The Unified Security Architecture acknowledges the diversity of networked enterprises. It is not a one-size-fits-all prescription, but rather a framework of functionality that offers multiple implementation choices suitable for closed, extended, and open enterprises in different industries and for diverse application requirements within all enterprise types.

The Unified Security Architecture addresses the multi-level complexity of network threats. It provides answers on multiple levels: for instance, from a firewall guardian to block intruders at the front gate to encryption to shroud every packet in privacy... from virtual private networks that span the global Internet to virtual LANs that segregate network management traffic from desktop users.

The Unified Security Architecture promotes a process, rather than an endpoint. Effective security is not achieved through a one-time initiative. This architecture outlines measures for strong ongoing policy management, reflecting both human and technical factors.

Read on for a discussion of the Top Ten challenges facing IT professionals today and how the Nortel Networks Unified Security Architecture addresses them.

Part I. The Top Ten challenges to enterprise network security

Every enterprise that relies on network-connected applications and services is subject to 10 key security realities:

1. The Internet was designed to share, not to protect.
2. Security is not optional.
3. The bad guys have good guns.
4. Security threats recognize no boundaries.
5. Security depends on people, process, and technology.
6. It's not enough to guard the front gate.
7. There's no stock blueprint.
8. Frisking everybody and everything takes time.
9. Grace under fire is a requirement.
10. Security is a closed-loop process with an open-ended date.

Let's take a closer look at these challenges and what IT security professionals can do about them.

Enterprise Security Challenge #1: The Internet was designed to share, not to protect.

In six or seven short years, the Internet has evolved from an adjunct contact channel into the backbone of many critical business applications. Enterprises are leveraging their IP-based intranets and the world-wide Internet to bring remote offices, mobile workers, and business partners into their trusted network environments. Many enterprises are capitalizing on the growing reach and reliability of IP data networks to completely redefine the way they deliver and manage approved corporate applications. The Internet enables them to interact more effectively with customers, streamline operations, reduce operating costs, and increase revenues.

However, the Internet was designed to share, not to protect. The ports and portals that welcome outside users into the trusted internal network also potentially open the door to serious threats. The level of threat only increases as legacy applications become network-enabled and as network managers open their networks to more new users and applications.

How do you manage mission-critical communications on an inherently insecure medium? Managing that flow is somewhat like guarding a revolving door: you can't lock it without also shutting out the traffic you do want. Remote access services that enable traveling employees to dial in for e-mail access... remote offices connected via dial-up lines... intranets and extranets that connect outside parties to the enterprise network... all of these business-enabling communications increase the vulnerability of the network.

Enterprise Security Challenge #2: Security is not optional.

Security breaches and unlawful access to confidential data can cost enterprises millions, but the requirement for network security goes beyond financial incentives. The governments of many countries are forcing enterprises to comply with regulations governing network security and privacy. In the U.S., the Federal government regulates the privacy and security of electronic information with such regulations as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Safe Harbor Act, the USA Patriot Act, and the Children's Internet Protection Act (CIPA). More are coming. Similar regulations are being enacted in Europe and elsewhere, such as the Data Protection Act and the Computer Misuse Act in the U.K. Failure to comply with these regulations brings civil and criminal penalties, even prison terms. Even if governmental regulations weren't an issue, organizations that suffer security breaches may be sued by customers and damaged by negative publicity. All enterprises that leverage the Internet for remote access have an obligation to protect network integrity and data confidentiality, for their own sakes as well as for their customers and business partners.

Enterprise Security Challenge #3: The bad guys have good guns.

Attackers have a broad repertoire of tools and techniques they can use to compromise a network. With these tools of the trade, they can launch multi-level attacks: first creating an access hole to intrude upon the network, and then using secondary attacks to exploit other parts of the network. For example, attackers can take advantage of weak user authentication and authorization tools, improper allocation of hidden space, shared privileges among applications, or even sloppy employee habits to gain unauthorized access to network resources. They can disable a trusted host and assume its identity, a threat known as IP spoofing or session hijacking.

Using sophisticated new network sniffers that can decode data from packets across all layers of the OSI model, hackers can steal user names and passwords, and use that information to launch deeper attacks. Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing their service. In bucket brigade attacks, also known as man-in-the-middle attacks, the attacker intercepts the messages of a public key exchange between a server and a client, retransmits them with the attacker's own public key substituted, and in the process tricks the original parties into thinking they are communicating directly with each other. Back door entries to network resources can be opened accidentally or intentionally by users and by procedural oversights. Masquerading enables a hacker to pose as a valid administrator or engineer to access the network, often in order to elevate user privileges. For more information about these types of attacks, see Appendix A, Hackers' Tools of the Trade.
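The bucket brigade substitution described above, and the check that defeats it, as an added Python simulation that is not part of the Nortel paper: an unauthenticated Diffie-Hellman exchange leaves a relay sharing a key with each side, while authenticating each public value (here with an HMAC under a pre-established key, standing in for the certificate-backed signature a real deployment uses) makes the swapped value fail verification before any key is derived. The toy group (prime 2^127 - 1, generator 3), the sample authentication key and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, an assumption for illustration only: the Mersenne
# prime 2^127 - 1 with generator 3. Production code uses standardised MODP
# groups or elliptic curves, but the relay problem and its fix are identical.
P = (1 << 127) - 1
G = 3


def keygen():
    """Return (private, public) for one party of the exchange."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive(priv, peer_pub):
    """Turn the shared DH value into a 256-bit session key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def tag(auth_key, pub):
    """Authenticate a public value. HMAC under a key the two endpoints already
    trust stands in for a certificate-backed signature; what matters is that
    the relay cannot produce a valid tag for the value it substitutes."""
    return hmac.new(auth_key, pub.to_bytes(16, "big"), "sha256").digest()


def accept(auth_key, msg):
    """Receiver-side check. With no auth_key the value is taken on faith."""
    pub, t = msg
    if auth_key is None:
        return True
    return t is not None and hmac.compare_digest(t, tag(auth_key, pub))


def run(relay=None, auth_key=None):
    """One Alice <-> Bob exchange.

    relay:    (priv, pub) of a bucket-brigade attacker on the path who swaps
              in its own public value in both directions, or None.
    auth_key: shared authentication key, or None for an unauthenticated run.
    Returns the keys each side derived, the keys the relay holds, and whether
    the substitution was detected before any key was used.
    """
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    a_send = (a_pub, tag(auth_key, a_pub) if auth_key else None)
    b_send = (b_pub, tag(auth_key, b_pub) if auth_key else None)
    relay_keys = None
    if relay is None:
        to_bob, to_alice = a_send, b_send
    else:
        r_priv, r_pub = relay
        # The relay replaces the public value but can only forward the
        # original tag; it now holds a key in common with each victim.
        to_bob = (r_pub, a_send[1])
        to_alice = (r_pub, b_send[1])
        relay_keys = (derive(r_priv, a_pub), derive(r_priv, b_pub))
    detected = not (accept(auth_key, to_alice) and accept(auth_key, to_bob))
    if detected:
        return {"detected": True, "alice_key": None, "bob_key": None,
                "relay_keys": relay_keys}
    return {"detected": False,
            "alice_key": derive(a_priv, to_alice[0]),
            "bob_key": derive(b_priv, to_bob[0]),
            "relay_keys": relay_keys}


if __name__ == "__main__":
    attacker = keygen()
    key = b"constructed pre-shared authentication key"
    plain = run(relay=attacker)
    print("unauthenticated: Alice and Bob agree?",
          plain["alice_key"] == plain["bob_key"],
          "| relay holds Alice's key?",
          plain["alice_key"] == plain["relay_keys"][0])
    print("authenticated: substitution detected?",
          run(relay=attacker, auth_key=key)["detected"])
```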

Enterprise Security Challenge #4: Security threats recognize no boundaries.

The typical enterprise internal trusted network is anything but internal these days. It extends to include supply chain partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more. Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would misappropriate network resources for personal gain. In today's business environment, the concept of a network perimeter is disappearing. Boundaries between inside and outside networks are becoming thinner, almost irrelevant.

Applications run on top of networks in a layered fashion. The OSI (Open Systems Interconnection) model was built to allow different layers to work without knowledge of each other. Unfortunately, that means that if one layer is hacked, communications are compromised without the other layers being aware of the attack. So security must address the unique considerations at the application and network layers and bridge these layers to ward off multi-level threats.

Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources. They can be based on viruses, worms, buffer overflows, and password harvesting, among others. Web services and single sign-on technologies aggravate the problem, since they encourage Web-enabling legacy applications that were not designed with Web connectivity and security issues in mind.

Network-layer threats expose the network infrastructure to sabotage, vandalism, bad system configuration, denial of service (DoS), snooping, industrial espionage, and theft of service. Attacks may be launched from inside the network by insiders and also from external sources such as hackers. For more information about application-layer and network-layer threats, see Appendix B: Application and network level threats.

Enterprise Security Challenge #5: Security depends on people, process, and technology.

Vulnerabilities arise from people and process failures (such as users posting their passwords in public view, or slack policy enforcement), from technical weaknesses (such as rogue programs and Trojan horses), and from combinations of all three. The Nimda virus that recently caused havoc in IT environments is a perfect example. At first glance, Nimda was technical in nature: a virus. But on closer inspection, the havoc was caused more by human error than by technical devilry. Nimda exploited six previously known technical vulnerabilities; it was just a variant of earlier attacks on vulnerabilities that had been documented and communicated many months before Nimda actually spread on the Internet. Organizations should all have known about these vulnerabilities and disseminated that knowledge to the people responsible for protecting IT systems. Nimda was a non-issue for enterprises that had established processes in place for translating knowledge into action tasks, assigning responsibility for those tasks, and auditing their successful completion.

Enterprise Security Challenge #6: It's not enough to guard the front gate.

Every component of the IT infrastructure is susceptible to attack, not just the obvious gateways to the Internet. Hosts, applications such as IP telephony, routers, and switches can be attacked by hackers or unauthorized users from inside or outside the enterprise. At the network level, the use of firewalls, proxy servers, and user-to-session filtering can add protection, but hackers seem to get smarter all the time. Using user access control at the network and application level, with appropriate authentication and authorization, can minimize the risks of unauthorized access. But the sheer diversity of the types of attacks and the multi-level nature of many attacks require that IT managers understand how security breaches are instigated and be able to assess and recover from any inflicted damage. That means the only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels (user, application, and network) and at multiple network points.

Enterprise Security Challenge #7: There's no stock blueprint.

Each enterprise has a unique set of business needs and has evolved its networking environment accordingly. That means the right security strategy is more a prescription of functionality and characteristics than a stock blueprint. Security is not a one-size-fits-all situation. Neither is it a static implementation, any more than the network or the technology remains static. For general purposes, we can categorize enterprises into three types of security spheres:

The closed enterprise uses logical (e.g. frame relay) or physical private lines between sites, with PC dial access provided selectively for employees needing access to the Internet. Web presence is achieved through an Internet data center provided by a service provider (who is responsible for establishing a secure environment). The organization also provides conventional dial access for remote employees (e.g. working from a hotel). The company uses private e-mail among employees with no external access. Wireless LANs are also starting to be used. Even the closed enterprise has security concerns, not just from disgruntled internal users, but also because there are a number of backdoor exposures. Users with dial access to the Internet from their desktop PCs, employees surfing the Net from laptops they use at home or on the road, and wireless LANs all introduce Internet-related threats. Perhaps the greatest risk comes from the specious belief that the closed enterprise is immune to external risks.

The extended enterprise is an extension of the closed enterprise. Web presence is still achieved via a service provider. Support for remote employee and office access over IP virtual private networks (VPNs) across the Internet is provided, delivering higher-speed, lower-cost connectivity. The enterprise provides general-purpose Internet access for all employees, allowing them to leverage the abundance of business-related information available on the Internet. Interworking between the internal e-mail system and the rest of the world is provided.

The open enterprise leverages the Internet by allowing partners, suppliers, and customers to access an enterprise-managed Internet Data Center, even allowing selective access to internal databases and applications (e.g. as part of a supply chain management system). Internal and external users access the enterprise network from home, remote offices, or other networks using wired or mobile devices.

For the extended enterprise, the diversity of supported services and access mechanisms translates into multiple paths into the enterprise network, and in turn increases the risk. Naturally, that risk increases exponentially with the open enterprise, which has the greatest susceptibility to application-layer and network-layer threats, unauthorized access, and eavesdropping. Infrastructure, applications, and network management systems are equally vulnerable.

Figure 1. Generic enterprise types (diagram with three panels: Closed enterprise, with dedicated WAN, PC dial-in access, PC Internet dial-out, outsourced Web site at an ASP data center, and private e-mail; Extended enterprise, with remote access and office IP-VPNs, employee Internet access, an Internet data center, and interworked e-mail; Open enterprise, with controlled partner and select customer access and lowered connectivity boundaries)

Enterprise Security Challenge #8: Frisking everybody and everything takes time.

Anyone who has traveled by airplane knows that the trade-off for enhanced security is delay. The more closely you inspect bags and travelers, the longer the lines at security. On enterprise networks as well, turning up the full complement of security features can slow Web servers to a crawl as they bog down with processing-intensive encryption, decryption, key management, and more. Bolting IP-VPN capabilities onto legacy routers brings its own brand of performance penalty. Voice applications, such as live Webcasts and Voice over IP, are very sensitive to delay and jitter and are therefore dramatically affected by traditional security mechanisms.

Enterprise Security Challenge #9: Grace under fire is a requirement.

In the context of security, reliability and survivability have somewhat different meanings. Network reliability ensures that the network continues to operate in spite of incidental failure of software and/or hardware components. Network survivability means the network continues to operate, delivering essential services in a timely manner while battling security threats, even if parts of the network are unreachable or disabled due to overt attack.

Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date.

Organizations must view security as a steady process and an evolving way of thinking about how to protect systems, networks, applications, and resources. Reduce risk by continually and steadily making progress in identifying and addressing vulnerabilities and security policy holes. Corporations and government institutions must be able to determine what is at stake when security measures fail, how to detect security breaches, and what to do about them. This process also entails continual training and awareness, since breaches of security policy are usually caused by human error or carelessness. Employees, managers, and administrators must all be aware of established security policies and best practices.

The good news is that enterprise networks can minimize their risks from unauthorized users without sacrificing performance for legitimate users. Part II of this document shows how the Nortel Networks Unified Security Architecture addresses these Top Ten challenges.

Figure 2. Enterprises need a security framework to optimally use IT techniques, tools, and methodologies against attackers (diagram; possible attacks: authorization threats, IP spoofing, network sniffers, denial of service, intrusion, bucket brigade attacks, back door traps, data modification, masquerading; protections around the enterprise network and infrastructure: anti-virus software, deep packet filtering, digital certificates, IPsec and SSL encryption, firewalls, network and host-based Intrusion Detection Systems (IDS), network sniffers)

Part II. The Nortel Networks Unified Security Architecture

What can IT security professionals do about the Top Ten challenges? The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of best recommendations for end-to-end enterprise network security, addressing all of the Top Ten challenges:

The Internet was designed to share, not to protect. So the Unified Security Architecture defines virtual private networks, virtual LANs, firewalls, encryption, and other mechanisms that enable enterprises to reduce the risk of being Internet-connected.

Security is not optional. The Unified Security Architecture upgrades enterprise security programs and infrastructures to comply with business, ethical, and regulatory mandates to protect data integrity and confidentiality.

The bad guys have good guns. The Unified Security Architecture identifies the various tools of the trade, how they operate, and what kinds of protections thwart these attacks.

Security threats recognize no boundaries. The Unified Security Architecture addresses threats on multiple functional and architectural layers, enabling enterprises to flexibly define what needs to be protected, from what kinds of threats, implemented how, and at what layers.

Security depends on people, process, and technology. The Unified Security Architecture calls for developing and enforcing security policies that address both technical considerations and the human aspects of security, such as staff training and process.

It's not enough to guard the front gate. The Unified Security Architecture begins with perimeter firewall defense and documents security provisions all the way to the individual user and application.

There's no stock blueprint. The Unified Security Architecture defines the required functionality and offers enterprises broad choice in which functions to implement, to what degree, and using what platforms and protocols.

Frisking everybody and everything takes time. The Unified Security Architecture introduces purpose-built security products that use load-balancing, health-checking, and innovative acceleration technologies to minimize latency.

Grace under fire is a requirement. The Unified Security Architecture defines ways to segregate critical resources and sustain performance even under attack.

Security is a closed-loop process with an open-ended date. The Unified Security Architecture calls for policy management to be a process of continuous feedback and improvement, reflecting the latest industry knowledge and best practices.

The comprehensive security strategy set forth in this document is based on seven key principles:

1. Multi-layer security that defines security protection functions at application, network-assisted, and network security levels in a layered architecture that can be flexibly defined and implemented.
2. Variable-depth security across the enterprise, not just at the edge of the Internet: for example, from firewall perimeter defense, to VPNs to protect Internet-traversing traffic, and to VLANs to segregate traffic within a network.
3. Closed-loop policy management, including configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen by the end user application.
4. Uniform access management, including stringent authentication and roles-based authorization of access to all resources for all users, with granular access policies defined at the application level and managed enterprise-wide.
5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying other recommended security mechanisms to operational activities.
6. Secure multimedia communications, protected by encrypting the data, voice, and video payload without introducing delays that this real-time traffic cannot tolerate.
7. Survival under attack, for instance, by using resilient architectures with no single point of failure, and applying intrusion-detection systems, anti-virus software, content filtering, and ongoing vigilance as attackers continue adopting new weaponry.

Figure 3. Principles behind Nortel Networks Unified Security Architecture. [Figure: the Unified Security Architecture surrounded by its seven principles: layered security, securing network operations, variable-depth security, closed-loop policy management, securing multimedia communications, survivability under attack, and uniform access management.]

The principles underpinning the Unified Security Architecture offer enterprises a security blueprint to use as they move towards increasingly open environments. Let's take a look at each of the seven key principles of the Unified Security Architecture.

2.1. Multi-layer security across application and network levels

Recognizing the multi-layered, interdependent nature of enterprise networks, and the critical need for security at more than the application level, the Nortel Networks Unified Security Architecture logically organizes security into multiple levels:

- The Network Security Layer provides security functions at OSI layers 1 to 3 (physical, link, and data levels).
- The Network-Assisted Security Layer provides security functions at OSI layers 4 to 7 (network to application/presentation layers) on top of the network level for added security.
- The Application Security Layer provides security in layer 7 of the OSI model, the application layer, and includes all security built into server and storage platforms.

Some functions, such as access lists and VLANs, operate purely at the Network Security Level. Others, such as firewalls, operate at either the Network or Network-Assisted Security Levels, depending on whether they are stateful or not. Others, such as SSL (Secure Sockets Layer), can be viewed as network-assisted or application security. The power of the Unified Security Architecture is that industry-defined security functions are leveraged in a structured fashion, tightening security overall. See Part III, Security in the Real World, for examples of these security layers in action for protecting campus and branch networks, data centers, IP telephony services, and remote access.
Hardening server operating systems

Within the application level of the multi-layer security framework, a key element is hardening the multiple operating systems used in network and user applications, such as OSs for data communications devices, servers, network management systems, IP telephony servers, and more. In an increasingly open, multivendor IT environment, network elements are frequently based on commercially available OSs. For example, Nortel Networks CallPilot unified messaging system, Symposium Contact Centers, and Business Communications Manager use a hardened version of Windows NT with off-the-shelf security software for functions such as anti-virus protection, intrusion-detection, and login audits. Nortel Networks Succession CSE 1000 and Meridian IP-enabled PBX portfolios are built on an embedded real-time OS called VxWorks. The Nortel Networks Succession CSE MX system is built on UNIX. Procedures for hardening the OSs in Nortel Networks products are provided in our documentation. For third-party operating systems where no specific hardening guide exists, consult the OS vendor for the latest OS hardening patches and procedures.

Figure 4. Unified Security Architecture. [Figure: Policy Management and Secure Access Management span the Network Management Security, Application Security, Network-Assisted Security, and Network Security layers, serving end users, operators, partners, and customers.]

The remaining elements of the architecture discussed in the sections to follow are inter-related and somewhat orthogonal to these layers. The table below illustrates how common security technologies map to the elements of Nortel Networks Unified Security Architecture.

Figure 5. Security functionality mapping to the Unified Security Architecture. [Table: each security function is marked against the Network Security, Network-Assisted Security, and Application Security columns. Functions listed: L2 (Layer 2 VPN, EAP, and port security), NAT (Network Address Translation), AL (Access control list), IPsec (IPsec encryption), SRT (Secure dynamic routing), Auth (authentication client, authentication server, authentication database, grouped as secure access management functionality), FW (Firewalling), IDS (Intrusion detection), SSL (SSL encryption), CF (Content filtering), VS (Virus scanning). Policy management functionality: Policy Repository, Policy Decision Point, Policy Enforcement Point. Network management security functionality: secure activity logs, network operator authentication, access control/operator authorization, encryption, secure remote access, firewalls, intrusion detection, OS hardening, virus-free software.]

2.2. Variable-depth security

Defining security policy at multiple network levels produces a security strategy where each security level builds upon the capabilities of the layer below and provides finer-grained security the closer you get to resources. VLANs (Virtual LANs) provide basic network compartmentalization and segmentation, enabling business functions to be segregated in their own private local area networks, with cross-traffic from other VLAN segments strictly controlled or prohibited. The use of VLAN tags enables the segregation of traffic into specific groups such as Finance, HR, and Engineering, separating their data without leakage between disparate functions. Perimeter and distributed firewall-filtering capabilities provide another level of protection at strategic points within the network.
Firewalls enable the network to be further segmented into smaller areas, and enable secure connections to the public network. Firewalls limit inbound and outbound traffic to the protocols and authentication methods that are explicitly configured in the firewall. Firewalls that support Network Address Translation (NAT) enable optimization of IP addressing within the network as specified in RFC 1918 (Address Allocation for Private Internets). Firewalls provide an extra layer of access control that can be customized based on business needs. Distributed firewalls add the benefit of scalability. Personal firewalls can be deployed on end-user systems to protect application integrity.

Virtual private networks (VPNs) provide an even finer granularity of user access control and personalization, enabling secure access at the individual user level from remote sites and business partners, without requiring dedicated pipes. Dynamic routing over secure tunnels across the Internet provides a highly secure, reliable, and scalable solution. VPNs, VLANs, and firewalls together allow the network administrator to limit access by a user or user group based on strictly defined policy criteria and business needs. VPNs provide strong assurance of data integrity and confidentiality with strong encryption. VLANs alone may satisfy the security needs of the closed enterprise. Extended and open enterprises will likely require a combination of security level capabilities.

2.3. Closed-loop policy management

A properly designed and implemented security policy is an absolute requirement for all types of enterprises and has to be owned by one group. It should be a living document and process, which is enforced, implemented, and updated to reflect the latest changes in the enterprise infrastructure and service requirements. The security policy must clearly identify the resources in the enterprise that are at risk and the resulting threat mitigation methodologies. It should define which users or classes of users have access to which resources. The policy must define the use of audit trails to help identify and discover violations and the appropriate responses. Users think of the network in terms of people, applications, locations, time of day, and so on, not in technical terms such as firewall stateful inspection or access lists. Security policies should use non-technical vocabulary to the extent possible for user-facing issues, automatically translated by the policy management system into technical security mechanisms for network implementation.
Policy management addresses the full realm of security components (firewalls, intrusion-detection systems, access lists and filters, authentication techniques, and more), along with a system-wide view of network environments, such as data center, remote office, and campus networks. Ultimately, policy operates at a granular level to address pieces of the solution while providing centralized control and accountability. Centralization ensures that security parameters are set consistently across multiple nodes, and that multiple policies for different administrative domains all reflect enterprise-wide policy and inter-domain consistency. Closed-loop policy management is implemented using the reference architecture described in 2.8, and includes configuration management of network devices, enforcement of policies in the network, and verification of network functionality via audit trails. Verification and audit trails close the loop on policy management, and result in updates to the policy to reflect corrective actions.

2.4. Uniform access management

Access management refers to authentication and authorization services that control users' access to resources. During authentication, users identify themselves to the network; during authorization, the network determines users' level of privileges based on their identity, as defined in policy. Access management is controlled by multiple methods, such as IP source filtering, proxies, and credential-based methods, often used in combination, and each with its advantages and limitations. For example, an enterprise may choose to manage access for workstations using IP source filtering, and may choose to use a credential-based scheme for other users. Since users could be employees, network technicians, supply chain partners, inter-organization team members, or even customers, it is important to have robust, centralized access control enforced by the local or remote network device interfacing to the user.

Several methods can be used to authenticate a user, such as permanent or one-time passwords, biometric techniques, smart cards, and certificates. Password-based authentication must use strong passwords that are at least eight characters in length with at least one alphabetic, one numeric, and one special character. Where stronger authentication is required, password authentication can be combined with another authentication and authorization process based on protocols such as RADIUS and LDAP to provide authentication, authorization, and accounting (AAA) services. Additionally, key management can be based on Internet Key Exchange (IKE), and certificate management on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP). In defining access privileges on all ports and devices, the concept of least privilege should be applied, granting access only as needed. Open and extended enterprises face the greatest challenges when designing access management policy. They require fine-grained rules that properly interface with identity directories and databases, multiple authentication systems such as RADIUS, and various hosts, applications, and application servers. The system should perform session management per user after the user is authenticated and use flexible configuration and policy enforcement with fine-grained rules, capable of dealing with specific objects. Unique accounts for each administrator should be used, with accountability for actions traceable to individuals, to provide for appropriate monitoring, accounting, and secure audit trails. For more information about authentication and authorization, see section 2.9, A closer look at uniform access management.

2.5. Secure network operations

On the one hand, network management is like other data applications, running on servers and workstations, complemented by application-level security and taking advantage of network-level and network-assisted security. On the other hand, network operators are specialized users who should be subject to more stringent authentication and authorization procedures. Because of the greater access authority and functional privilege granted to network management personnel, their access and activities must be carefully secured to protect network configuration, performance, and survivability. The more open the enterprise and the more centralized the network management system, the greater the requirement for stringent security for network management processes. Secure network management requires a holistic approach, rather than a specific security feature set on a network element. Our Unified Security Architecture recommendations address nine critical areas:

- Secure activity logs
- Network operator authentication
- Authorization for network operators
- Encryption of network management traffic
- Secure remote access for operators
- Firewalls and VLANs to partition the network
- Intrusion detection
- Hardening operating systems
- Anti-virus protection

Secure activity logs provide a verifiable audit trail of user or administrator activities and events generated by network devices. Security activity logs must contain sufficient information to establish individual accountability, reconstruct past events, detect intrusion attempts, and perform after-the-fact analysis of security incidents and long-term trend analysis. Activity log information helps identify the root cause of a security problem and prevent future incidents. For instance, activity logs can be used to reconstruct the sequence of events that led up to a problem, such as an intruder gaining unauthorized access to system resources, or a system malfunction caused by an incorrect configuration or a faulty implementation. Syslog is the most common mechanism used by equipment vendors; Syslog works with all third-party log analyzer systems. Because the information contained in activity logs can be used to compromise a network, this log information itself must be secured.

Network operator authentication based on strong centralized administration and enforcement of passwords ensures that only authenticated operators gain access to management systems. Centralized administration of passwords enables enforcement of password strength and removes the need for local storage of passwords on the network elements and EMS (Element Management Systems). RADIUS is the basic mechanism of choice for automating centralized authentication within Nortel Networks products.

Authorization for network operators uses authenticated identity to determine the user's access privileges: what systems they can access, what functions they can perform. Techniques based on RADIUS servers provide a basic level of access control. An additional LDAP server can provide more fine-grained access control if necessary.
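The three uses of a secure activity log named above (reconstructing the sequence of events, detecting intrusion attempts, and securing the log itself) can be shown on a handful of syslog lines. The following is an added example written for this page, not code from the original document or from any Nortel Networks product; the syslog lines, device names, operator names, addresses, and the signing key are constructed, and the tamper-evident HMAC chain is one common way of securing stored log data that the text does not prescribe.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample activity log in classic syslog (RFC 3164 style) text form,
# as a switch and an Element Management System might emit it. Device names,
# operator names and addresses are hypothetical.
SAMPLE_LOG = """\
Mar 14 09:01:02 core-sw1 login: operator 'jdoe' authenticated from 10.20.0.5
Mar 14 09:03:10 core-sw1 config: operator 'jdoe' set vlan 30 name Finance
Mar 14 09:12:41 ems-01 login: FAILED password for operator 'admin' from 198.51.100.7
Mar 14 09:12:44 ems-01 login: FAILED password for operator 'admin' from 198.51.100.7
Mar 14 09:12:47 ems-01 login: FAILED password for operator 'admin' from 198.51.100.7
Mar 14 09:12:51 ems-01 login: FAILED password for operator 'admin' from 198.51.100.7
Mar 14 09:13:05 ems-01 login: operator 'admin' authenticated from 198.51.100.7
Mar 14 09:14:22 ems-01 config: operator 'admin' set acl 101 permit any any
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"FAILED password for operator '(?P<user>[^']+)' from (?P<src>\S+)")


def parse(log_text):
    """Turn raw syslog text into a list of dicts with ts, host, proc and msg fields."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failed_login_bursts(records, threshold=3):
    """Count failed operator logins per (host, user, source) and return those at or
    above the threshold: the signature of a password-guessing attempt."""
    counts = defaultdict(int)
    for r in records:
        m = FAILED_RE.search(r["msg"])
        if m:
            counts[(r["host"], m["user"], m["src"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def reconstruct_session(records, user):
    """Return every event mentioning one operator, in order, so the sequence that led
    up to a configuration change can be reviewed after the fact."""
    return [(r["ts"], r["host"], r["msg"]) for r in records if f"'{user}'" in r["msg"]]


def chain_log(records, key):
    """Make the stored log tamper-evident: each line gets an HMAC over itself and the
    previous line's tag, so editing or deleting an earlier line breaks every later tag."""
    chained = []
    prev = b""
    for r in records:
        line = f"{r['ts']} {r['host']} {r['proc']}: {r['msg']}"
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        chained.append((line, tag))
        prev = tag.encode()
    return chained


def verify_chain(chained, key):
    """Recompute the chain; False means some stored line was altered or removed."""
    prev = b""
    for line, tag in chained:
        expect = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, tag):
            return False
        prev = tag.encode()
    return True


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("bursts:", failed_login_bursts(recs))
    for ev in reconstruct_session(recs, "admin"):
        print(*ev)
    key = b"log-signing-key"
    print("chain intact:", verify_chain(chain_log(recs, key), key))
```

The burst detector flags the four failed logins for 'admin' from one source before the successful login and the wide-open ACL change that follow, and the session view lines those events up for the analyst. The chain only detects edits and deletions before the last entry; truncation of the tail is caught by forwarding each new tag to the log analyzer, which is one reason the text wants logs sent off the device.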
Encryption of network management traffic protects the confidentiality and integrity of network management data traffic, especially important with the growing use of in-band network management. Encryption provides a high degree of protection from internal and external threats, with the exception of the small group of insiders that have legitimate access to encryption keys. Encryption between network operations center (NOC) clients and Element Management System (EMS) servers and/or Network Elements should be provided. This includes SNMP traffic, because there are known vulnerabilities with SNMP v1 and v2, which are intended to be addressed by SNMP v3. Given the widespread deployment of SNMP v1 and v2, IPsec can be used to secure this traffic. Depending on traffic type, the security protocols to use for these links are IPsec (IP Security), Secure Shell (SSH), and SSL:

- SSH is an application-level security protocol that can be used in place of IPsec if the traffic consists of Telnet and FTP only, but it cannot normally be used to protect other traffic types.
- The IPsec protocol runs between the network layer (Layer 3) and the transport layer (Layer 4) and is the preferred protocol to protect any type of data traffic, independent of applications and protocols. External IPsec VPN devices, such as Nortel Networks Contivity Secure IP Services Gateways, can be used in various parts of the network to secure management traffic.
- SSL technology integrated into all standard Web browsers is the de facto standard security protocol to protect HTTP traffic.

Secure remote access for operators: security must be provided for operators and administrators who manage the network from a remote location over a public network. Providing a secure virtual private network using IPsec is the mandatory solution, as this will provide strong encryption and authentication of all remote operators. An IP-VPN product such as Nortel Networks Contivity Secure IP Services Gateway should be placed at the management system interface, and all operators should be equipped with extranet access clients for their laptops or workstations.

Figure 6. Secure connectivity options for network management traffic. [Figure: Telnet, management, and browser clients in the Network Operating Center reach the management systems over a NOC VLAN using IPsec or SSH (Telnet and management clients) and SSL (browser client); a remote management client reaches them across the Internet over IPsec; management systems (VS, IDS) reach the network devices (FW, Auth, AL) in the enterprise network over IPsec.]

Firewalls and VLANs partition the network to segregate management devices and traffic from other, less confidential systems such as public Web servers. The firewall controls the type of traffic (defined by protocol, port number, source and destination address) that can transit the boundary between security domains. Depending on the type of firewall (application versus packet filtering), firewalls can also filter the application content of the data flow.

Intrusion-detection systems incorporated into management servers defend against network intrusions by warning administrators of potential security incidents, such as a server compromise or denial-of-service attack.

Hardening operating systems used for network management closes potential security gaps in general-purpose operating systems and embedded real-time operating systems. OS hardening should use the latest procedures and patches from the OS manufacturer.

Anti-virus protection involves scanning all in-house and third-party software packages with virus-detection tools before incorporating the software into a product or network. A rigorous, established process ensures to the extent possible that network management software is virus-free.
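The firewall at the boundary of the management domain decides on exactly the attributes the paragraph above lists (protocol, port number, source and destination address). The following is an added example written for this page, not code from the original document or from any Nortel Networks product: a packet-filter rule set for the boundary in Figure 6 with the management domain closed to the public Web server segment and a default deny, plus a configuration check for rules that an earlier rule makes unreachable. The three security domains, their addresses, and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed security domains; the addresses are hypothetical RFC 1918 ranges.
NOC_VLAN = "10.10.0.0/24"        # network operations center clients
MGMT_NET = "10.20.0.0/24"        # EMS servers and managed network elements
PUBLIC_DMZ = "192.168.100.0/24"  # public Web servers


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    dport: Optional[int]  # destination port; None matches any port


# The boundary between the management domain and everything else. First match wins,
# and the last rule is the default deny, so anything not listed cannot transit.
MGMT_BOUNDARY_RULES = [
    Rule("permit", "tcp", NOC_VLAN, MGMT_NET, 22),        # SSH from operator workstations
    Rule("permit", "tcp", NOC_VLAN, MGMT_NET, 443),       # SSL-protected management UI
    Rule("permit", "udp", MGMT_NET, MGMT_NET, 161),       # SNMP stays inside the management domain
    Rule("permit", "udp", MGMT_NET, MGMT_NET, 514),       # syslog to the log collector
    Rule("deny", "any", PUBLIC_DMZ, MGMT_NET, None),      # nothing from the DMZ into management
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),  # default deny
]


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """Packet-filter decision: return (action, index of the matching rule)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for i, rule in enumerate(rules):
        if rule.proto not in ("any", proto):
            continue
        if src not in ipaddress.ip_network(rule.src):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, i
    return "deny", None  # unreachable with an explicit default deny; kept as a safety net


def shadowed_rules(rules):
    """Configuration check: indices of rules that can never match because an earlier
    rule already covers their protocol, source, destination and port."""
    shadowed = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in ("any", r.proto)
                    and ipaddress.ip_network(r.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(r.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == r.dport)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample flows: operator SSH, operator Telnet (not permitted), SNMP from the DMZ.
    flows = [("tcp", "10.10.0.5", "10.20.0.10", 22),
             ("tcp", "10.10.0.5", "10.20.0.10", 23),
             ("udp", "192.168.100.8", "10.20.0.10", 161)]
    for flow in flows:
        print(flow, "->", evaluate(MGMT_BOUNDARY_RULES, *flow))
    print("shadowed rules:", shadowed_rules(MGMT_BOUNDARY_RULES))
```

Telnet from the NOC falls through to the default deny because only SSH and SSL are listed, which matches the encryption requirements of the previous section. The shadow check is the kind of verification step the closed loop of section 2.3 asks for: if the default deny were accidentally placed first, every permit after it would be reported as unreachable.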

2.6. Secure multimedia communications

Unified networks can carry voice, data, and video, each with its own performance requirements and security considerations. When and where to encrypt this traffic is a major consideration, and is a key element of any enterprise security policy. This can be done on a per-application basis using SSL, on a client-server basis using SSH (Secure Shell), or for all traffic using IPsec VPN technology. Generally, all traffic over the Internet and wireless LANs, and potentially critical information leaving the premises, should be secured via strong encryption technology. IP telephony represents a particularly important class of application. As with any application, a risk assessment of IP telephony needs to be done to assess its intrinsic value, understand the implications of loss, and formulate a security policy. We can start this assessment by making some key observations on telephony and data security in general. First of all, telephony is a critical business function and therefore, like the network itself, the telephony system as a whole must be protected from security attacks. Secondly, we trust the public voice network and live with the inherent vulnerability of eavesdropping on public cell phone systems. Third, we trust PBX networks, the critical components of which are locked away in a telecom room. In addition, IT organizations have spent a lot of effort to minimize toll fraud and misuse of the voice network for personal calls. On the data side, we also rely on physical security to ensure that only employees have access to the internal network, and we trust that information sent over LANs, campus nets, and private WANs running over physical and virtual private lines is generally secure. Outside of the confines of the enterprise network, most enterprises have established security policies that all internal data transmissions to employees and remote offices over the Internet need to be encrypted and authenticated.
Likewise, critical customer interactions over the Web are protected via SSL. From a user perspective, keeping it simple has been the objective. The Nortel Networks Unified Security Architecture for IP telephony follows the guidelines below:

- Enterprise IP telephony operates within the confines of the enterprise, inter-working with the public network over circuit-switched connections. End-to-end VoIP connectivity between public phones and phones within the enterprise is not considered in this version of the document.
- The IP networking infrastructure that supports IP telephony must be secure from a data perspective and engineered to meet the stringent latency and reliability requirements of telephony.
- IP telephony communications servers are business-critical and must be physically secure and protected from internal and external attack.
- Secure authentication of VoIP clients must be provided. While data users may expect to log in with multiple userids and passwords, they won't tolerate that authentication requirement for every phone call. Generally, telephony users have only been required to authenticate themselves for off-net access using a feature set called Direct Inward System Access (DISA).
- Encryption of voice is only a requirement when traversing a shared media LAN or the Internet.
- Security must be holistic and span the entire telephony environment, including VoIP clients and servers, application servers (such as for unified messaging and contact centers), and traditional PBXs.

Encryption can be achieved with VPN techniques using IPSec, with Authentication Header (AH) and Encapsulating Security Payload (ESP), tunneling through the use of Layer 2 Tunneling Protocol (L2TP), key management based on Internet Key Exchange (IKE), and certificate management based on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP).
SSL and Transport Layer Security (TLS) protect communications at the application layer. Standards-based encryption algorithms and hashes such as DES, 3DES, AES, RSA, and DSA should be used; MD5 and SHA-1 should be used for message integrity, and Diffie-Hellman and RSA for key exchange. Wired Equivalent Privacy (WEP), as defined in the 802.11 standard, defines a technique to protect over-the-air transmission between wireless LAN (WLAN) access points and network interface cards (NICs). This protocol has been shown to be insecure. IEEE 802.11 is working on standardizing encryption improvements for WLANs. Therefore, added measures of protection such as IPsec must be used to secure WLAN traffic over WEP.

2.7. Network survivability under attack

The typical enterprise network supports mission-critical operations and is essential for conducting business. That means the network must continue to operate, delivering essential services in a timely manner while battling security threats, even if parts of the network are unreachable or disabled due to overt attack. This kind of survivability starts by logically organizing network services into at least two categories (essential services and nonessential services) and defining strategies that enable these services to resist, address, and recover from attacks. The most effective approaches combine multiple resistance, identification, and recovery strategies in an adaptable manner that responds to changing network conditions. For example, the network can re-route traffic from one server to another if an intrusion or an attack is detected on the first server. That means an effective survivability plan is holistic; it spans management systems, hosts, applications, routers, and switches across the network. Naturally, the first line of resistance to attacks is strong access control through authentication and encryption. Keep intruders out at the first point of entry, if possible. Message and packet filtering and network and server segmentation provide strong secondary defenses. Intrusion-detection systems identify attacks in progress. Faithful attention to backup techniques enables rapid system and network recovery after a successful system breach. This includes high availability through redundancy of critical security functions, such as through the use of application switches, which provide redundancy between intrusion-detection servers. Additional techniques include the encryption of all mission-critical traffic, multi-link trunking (MLT), virtual router redundancy protocol (VRRP), dual/mirroring of disk drives, backup CPUs, backup power supplies, and hot-swappable components.
These mechanisms provide a higher level of confidence in the survivability of critical applications (such as IP telephony).

2.8. The closed-loop policy management reference model

The Nortel Networks Unified Security Architecture is based on the IETF architectural framework for policy management (RFC 2753). In this model, policy management is implemented across the network and at all levels (application, network-assisted, network), and is applicable to all types of users and applications.

Figure 7. Policy management within the Unified Security Architecture. [Figure: a policy management console and a policy repository, both accessed over LDAP, feed the policy server acting as Policy Decision Point (PDP); the PDP provisions the network devices acting as Policy Enforcement Points (PEPs) over COPS-PR, SNMP, or CLI; enforcement functions shown on the devices are L2, NAT, Auth, AL, FW, and CF.]

The IETF policy management model uses these key elements and protocols:

Policy Decision Points (PDPs) or policy servers abstract network policies into specific device control messages, which are then passed to policy enforcement points. These policy servers are often standalone systems running Unix or Windows NT/2000, controlling switches and routers within an administrative domain; they communicate with these devices using a control protocol (e.g., COPS, SNMP Set commands, Telnet, or the device's specific Command Line Interface, CLI).

A Policy Enforcement Point (PEP) is a network or security device that accepts a policy (configuration rules) from the Policy Decision Point and enforces that policy against network traffic traversing that device. This enforcement leverages network and network-assisted security mechanisms as appropriate.

Common Open Policy Service (COPS) is a simple query-and-response, stateful, TCP-based protocol that exchanges policy information between a Policy Decision Point (PDP) and its clients, Policy Enforcement Points (PEPs). It is specified in RFC 2748. COPS relies on the PEP to establish connections to a primary PDP (and a secondary PDP when the primary is unreachable) at all times. Alternatively, a COPS proxy device can be used to translate COPS messages originating from a policy server into SNMP or CLI commands understood by network and security devices. The COPS protocol supports two different extension models for policy control: a dynamic outsourcing model, COPS-RSVP, specified in RFC 2749, and a configuration or provisioning model, COPS-PR, specified in RFC 3084. Provisioning extensions to the COPS protocol allow policies to be installed on the PEP up front by the PDP, thus allowing the PEP to make policy decisions for data packets based on this pre-provisioned information. Further communication between the PDP and PEP is necessary to keep policies provisioned in the data repository (i.e. the directory) in sync with those sent to the PEP.
The Policy Repository stores all policy information in a network directory. It describes network users, applications, computers, and services (i.e., objects and attributes), and the relationships between these entities. There is tight integration between IP address and the end user (via Dynamic Host Control Protocol, DHCP, and the Domain Name System, DNS). This policy repository is usually implemented on a special-purpose database machine running Unix or Windows NT/2000, accessed by policy servers via LDAP. The Policy Repository stores relatively static information about the network (such as device configurations), whereas policy servers store more dynamic network state information (such as bandwidth allocation or information about established connections). The policy server retrieves policy information from the directory and deploys it to the appropriate network elements. There is no established standard to describe the structure of the directory database, i.e., how network objects and their attributes are defined and represented. A common directory schema is needed if multiple vendor applications are to share the same directory information; for example, all vendors need a common way to interpret and store configuration information about routers. The forthcoming Directory-Enabled Networking (DEN) standard, now being developed by the DMTF (Desktop Management Task Force), addresses this need. DEN includes an information model that provides an abstraction of profiles and policies, devices, protocols, and services. This provides a unified model for integrating users, applications, and networking services, and an extensible service-oriented framework.

The Lightweight Directory Access Protocol (LDAP version 3) is specified in RFC 2251. LDAP is a client-server protocol for accessing a directory service.
The LDAP information model is based on the entry, which contains information about some object (e.g., a person) and is composed of attributes, which have a type and one or more values. Each attribute has a syntax that determines what kinds of values are allowed in the attribute and how those values behave during directory operations.

The last element is the policy management console, generally running on a personal computer or workstation, that provides the human interface to the policy management system. A Web browser can be used to provide manager access from virtually anywhere, with policy object-level security used to limit which policies can be modified by a specific individual. The console provides a graphical user interface and the tools to define network policies as business rules. It may also give the operator access to lower-level security configurations in individual switches and routers.
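The pieces just described fit together as follows: the repository holds objects and attributes, the PDP resolves business rules through them into device-level configuration for each PEP role, and the PDP must then keep what the repository implies in sync with what each PEP has been provisioned. The following is an added example written for this page, not code from the original document or from Optivity Policy Services; it models the PDP compilation step and the sync check in plain Python. The repository contents (groups, applications, device roles, addresses) and the business rules are constructed, and the digest-based drift check is one way of implementing the "keep in sync" requirement that the text states but does not specify.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

# Constructed contents of a policy repository: the kind of objects and attributes an
# LDAP directory would hold for this purpose. Group names, applications, device names
# and addresses are hypothetical.
REPOSITORY = {
    "groups": {
        "Finance":     {"members": ["alice", "bob"], "vlan": "10.30.0.0/24"},
        "Engineering": {"members": ["carol"],        "vlan": "10.40.0.0/24"},
    },
    "applications": {
        "payroll": {"host": "10.50.0.10", "proto": "tcp", "port": 443},
        "gitrepo": {"host": "10.50.0.20", "proto": "tcp", "port": 22},
    },
    # PEP interface roles: the logical abstraction of device interfaces that a
    # COPS-PR policy server provisions against.
    "roles": {
        "finance-edge": {"device": "dist-sw1", "vlan": "10.30.0.0/24"},
        "eng-edge":     {"device": "dist-sw2", "vlan": "10.40.0.0/24"},
    },
}

# Business rules in non-technical vocabulary: which group, which application, permitted or not.
BUSINESS_POLICY = [
    ("Finance", "payroll", "permit"),
    ("Engineering", "gitrepo", "permit"),
    ("Engineering", "payroll", "deny"),
]


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]  # None matches any port


def compile_policy(repo, business_policy):
    """PDP step: resolve each business rule through the repository (group -> VLAN,
    application -> host/proto/port) and attach the resulting device-level entry to every
    PEP role whose interfaces carry that group's traffic. Each role ends with a default deny."""
    per_role = {role: [] for role in repo["roles"]}
    for group, app, action in business_policy:
        g = repo["groups"][group]
        a = repo["applications"][app]
        entry = AclEntry(action, a["proto"], g["vlan"], a["host"], a["port"])
        for role, attrs in repo["roles"].items():
            if attrs["vlan"] == g["vlan"]:
                per_role[role].append(entry)
    for role, attrs in repo["roles"].items():
        per_role[role].append(AclEntry("deny", "any", attrs["vlan"], "0.0.0.0/0", None))
    return per_role


def acl_digest(entries):
    """Stable fingerprint of a role's provisioned ACL, used to detect drift."""
    payload = json.dumps([asdict(e) for e in entries], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def roles_out_of_sync(compiled, pep_state):
    """Closed-loop check: roles whose PEP last acknowledged a different ACL than the
    repository now implies, i.e. where re-provisioning (or an audit) is needed."""
    return sorted(role for role, entries in compiled.items()
                  if pep_state.get(role) != acl_digest(entries))


if __name__ == "__main__":
    compiled = compile_policy(REPOSITORY, BUSINESS_POLICY)
    for role, entries in compiled.items():
        print(role, "on", REPOSITORY["roles"][role]["device"])
        for e in entries:
            print("   ", e)
    # What each PEP acknowledged at the last provisioning cycle (constructed as "everything current").
    acknowledged = {role: acl_digest(entries) for role, entries in compiled.items()}
    print("out of sync:", roles_out_of_sync(compiled, acknowledged))
```

Adding a business rule for Finance changes only the finance-edge ACL, so the sync check names just that role for re-provisioning; the per-device ACL entries never have to be written by hand, which is the "minimizes the chance of human error" point made in the next section.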

These elements of the IETF policy management reference model interoperate to deliver closed-loop policy management. This includes configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen by the end-user application. Enforcement of policies in the network includes admission control of applications or users vying for access to network resources. Sound policy management based on this model simplifies the configuration management environment inside enterprises and minimizes the chance of human error.

Policy Management through Nortel Networks Optivity Policy Services

Nortel Networks is leading the way in delivering policy-enabled networking to enterprise customers. For example, Nortel Networks Optivity Policy Services (OPS) is a system-level software application that manages security parameters and traffic prioritization. Optivity Policy Services enables a proactive approach to bandwidth management, security, and prioritization of business-critical traffic flows across the enterprise. Rather than applying policies to control traffic on a per-device basis, OPS takes a centralized systems approach to policy configuration and deployment that ensures consistency across the network while lowering total cost of ownership. Based on the IETF policy architecture, Optivity Policy Services supports the major IETF policy management standards, including COPS-PR, LDAP, Diffserv, and IEEE 802.1p. OPS uses COPS-PR to pre-provision routers and switches with policy information based on the Roles reported by each PEP. Roles are a logical abstraction of the device's interfaces for policy management purposes. With the ability to manage up to 1,000 devices per server and 20,000 devices per system, OPS reliably delivers QoS and security policies in large networks. Moreover, OPS uses LDAPv3 to support redundant data storage, preserving valuable policy information.
As the number of denial-of-service attacks on networks increases, a centralized mechanism to limit potentially dangerous traffic flows becomes important. OPS makes it easy to set policies for metering traffic. For example, many denial-of-service attacks occur when too many packets of a certain protocol type (such as ICMP) flood a device. OPS policies can control that flow of traffic. With its Advanced Security Provisioning capabilities, OPS can protect valuable network and application assets by enabling the application of consistent, reliable, and robust security policies. OPS complements existing firewall implementations (e.g., Alteon) and IP-VPN devices (e.g., Contivity) by adding an extra layer of protection to network resources. OPS features enable the creation of policies to restrict traffic through a particular policy enforcement point or to deny all traffic on a particular device. OPS enables control of traffic flows through a device by simply creating admission control policies through a central Java-based management console.

2.9. A closer look at uniform access management

Secure access management is created through a combination of authentication, authorization, and accounting services, often called AAA. Authentication, initiated by an authentication client in a PC or gateway device, positively verifies the identity of a user as a prerequisite to allowing access. Authorization determines which system resources are appropriate for that authenticated user to access. Accounting capabilities rely on audit logs or records of security-related events for future examination. This section takes a closer look at authentication and authorization.

Authentication

Authentication systems can be categorized according to the number of identification factors required to ascertain identity. Single-factor authentication uses userid/password combinations to prove identity.
Two-factor authentication requires two components, usually a combination of something the user knows (such as a password) and something the user possesses (such as a physical token, e.g., a SecurID card). Three-factor authentication adds a biometric, a measurement of a human body characteristic.

The more authentication factors used, the more secure the process. However, each added factor also adds complexity, cost, and management overhead. Every scenario will offer a different break-even point in the trade-off between simplicity and security.

Single-factor authentication with userid and password is the most common authentication system today. It's easy to administer, familiar to users, and can provide a high level of security if strong password procedures are enforced. Legacy password systems have had some challenges, however, since multiple strong passwords are very hard for users to remember. The recommendations in this section will show how this problem can be minimized with a Single Strong Password system.

Tokens such as smartcards and SecurID cards are added as a second factor in many authentication systems, requiring that the user have physical possession of the token. An attacker would similarly have to have possession of the user's token in order to gain system access. The higher level of authentication comes with additional system cost, however, due to the necessary tokens and token readers. In addition, tokens can be easily lost, which can present a high administration overhead for reissuing.

Biometric factors for authentication measure characteristics of the user's body such as fingerprint, handprint, retina, iris, or voice characteristics. Biometric measurements are a useful additional factor and add an even higher level of authentication security. A biometric authentication system entails a measurement proving who the person actually is, rather than proving they have something such as a token or proving that they know something such as a password. Unfortunately, biometric measurements are not 100 percent effective; with the present state of the technology, it is possible to register false positives and false negatives.
Biometric authentication systems also require biometric readers at system access points, adding new system costs.

Strong cryptographically-based authentication can be provided through the use of digital certificates issued to users and stored on tokens or within the user's computer memory. Cryptographic algorithms are used to ensure that a particular certificate has been legitimately issued to the user. A Public Key Infrastructure is used to enable the issuance and maintenance of digital certificates. Strong cryptographically-based systems provide very stringent authentication. However, these systems are expensive and incur additional management overhead. Therefore, they are currently being adopted only in very secure environments.

Authorization

Once authenticated, authorization mechanisms control user access to appropriate system resources. Authorization can be categorized according to the granularity of control; that is, according to how detailed a division is made between system resources. Fine-grained authorization refers generically to a system where access is controlled in very fine increments, such as to individual applications or services.

Authorization is often role based, whereby access to system resources is based on a person's assigned role in an organization. The System Administrator role may have highly privileged access to all system resources, whereas the General User role would only have access to a subset of these resources. Finer-grained authorization can be applied to define other roles, such as a Human Resources Administrator role that has exclusive access to confidential HR databases, and an Accounting role that has exclusive access to accounting systems. Authorization may also be rules based, whereby access to system resources is based on specific rules associated with each user, independent of their role in the organization.
For example, rules may be set up to allow Read Only access or Read/Write access to all or certain files within a system, or access only during certain times or from certain devices.

Authentication and authorization protocols

Several protocols have been commonly adopted for authentication services. The RADIUS protocol (Remote Authentication Dial In User Service, IETF RFC 2865) is widely used to centralize password authentication services. Originally designed to authenticate remote dial-in users, the RADIUS protocol has been adopted for general user authentication services. Recently, LDAP (Lightweight Directory Access Protocol, IETF RFC 2251) has been finding extensive use in authentication and authorization systems. LDAP provides a convenient method for storing user authentication and authorization credentials.

RADIUS authentication servers are often coupled with credential storage in LDAP directories to provide centralized authentication and authorization. When a user attempts to access a particular application on such a system, the application queries the user for authentication credentials and forwards them to the centralized system. The RADIUS server then checks the presented credentials against those stored in the LDAP database and also queries the LDAP database for authorization rule information. The authentication result (pass or fail) is returned to the application along with the authorization rule information for the particular user. Authorization rules are then enforced at the application to allow the user to access particular data or services. From an end-user perspective, these authentication and authorization systems should be automatic and easy to use.

Authentication and authorization recommendations

Nortel Networks recommends that the following general principles be followed when implementing enterprise authentication and authorization systems:
- Use a uniform access management system for end users, network operators, partners, and customers, with the appropriate level of authentication and resource access authorization to meet business needs.
- Use a centralized authentication mechanism to facilitate administration and remove the need for locally stored passwords, which tend to be static and weak.
- Use a centralized authorization system, tightly coupled with the authentication system, with appropriate granularity for the enterprise.
- Enforce strong, complex rules for all passwords.
- Securely store all passwords in one-way encrypted (hashed) format.
- Maintain simplicity to the extent appropriate, for maximum ease of use, ease of administration, and compliance.
- Securely log authentication and authorization events for audit purposes.

Figure 8. Secure authentication and authorization reference model (elements shown: DHCP server, DNS server, remote IP-VPN office, remote IP-VPN user, WLAN IP-VPN user, local wired PC access, enterprise network, centralized authentication server (RADIUS based), Internet remote access through a Secure IP Services Gateway (FW, IPsec, SRT, Auth), Level 1 password authentication database, Level 2 token authentication database, Level 3 biometric authentication database, application server with centralized authentication)
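The flow described above (the application forwards credentials to a central RADIUS server, which checks them against hashed credentials in the directory and returns pass/fail together with the user's authorization rules), along with the recommendations on hashed storage, a tightly coupled authorization system and audit logging, can be modelled in a few dozen lines. The Python below is an added example for this edition, not code from the paper or from any Nortel Networks product; it replaces the RADIUS and LDAP protocol exchanges with in-process calls and keeps the directory in a dict. The users, roles, resources, rules and passwords are constructed, and the role and rule semantics (a role grants read access to its resources; a per-user rule is needed for write access or to restrict access to certain hours or devices) are assumptions chosen to illustrate the role-based and rules-based authorization described earlier in this section.

```python
import hashlib
import hmac
import os
from datetime import datetime

# Constructed role definitions (stand-ins for the paper's role-based
# authorization); "*" grants every resource.
ROLE_RESOURCES = {
    "system-admin": {"*"},
    "general-user": {"intranet", "email"},
    "hr-admin": {"intranet", "email", "hr-db"},
}
_DUMMY_SALT = os.urandom(16)   # so an unknown user costs the same as a wrong password


def _digest(password, salt):
    """One-way, salted password hash (PBKDF2-HMAC-SHA256): only this is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CentralAuth:
    """Simulated central authentication/authorization service with an audit log.

    `directory` plays the part of the LDAP store, `authenticate` the RADIUS
    check, and `authorize` the rule enforcement an application performs with
    the rules it received.
    """

    def __init__(self):
        self.directory = {}
        self.audit = []

    def enroll(self, user, password, role, rules=()):
        salt = os.urandom(16)
        self.directory[user] = {"salt": salt, "hash": _digest(password, salt),
                                "role": role, "rules": list(rules)}

    def authenticate(self, user, password):
        """Return (passed, rules). Rules are released only on success."""
        rec = self.directory.get(user)
        salt = rec["salt"] if rec else _DUMMY_SALT
        expected = rec["hash"] if rec else b"\0" * 32
        passed = hmac.compare_digest(_digest(password, salt), expected) and rec is not None
        self.audit.append({"event": "auth", "user": user,
                           "result": "pass" if passed else "fail"})
        return passed, (rec["rules"] if passed else None)

    def authorize(self, user, resource, action, when, device):
        """Role grants read access; write access, hour and device limits come from rules."""
        rec = self.directory.get(user)
        allowed = False
        if rec is not None:
            role_ok = {"*", resource} & ROLE_RESOURCES.get(rec["role"], set())
            rule = next((r for r in rec["rules"] if r["resource"] == resource), None)
            if role_ok and rule is None:
                allowed = action == "read"
            elif role_ok:
                start, end = rule.get("hours", (0, 24))
                devices = rule.get("devices")
                allowed = (start <= when.hour < end
                           and (devices is None or device in devices)
                           and (action == "read" or rule["access"] == "read-write"))
        self.audit.append({"event": "authz", "user": user, "resource": resource,
                           "action": action, "device": device,
                           "result": "allow" if allowed else "deny"})
        return allowed


def build_demo():
    """Enroll two constructed users (assumed names, passwords and rules)."""
    svc = CentralAuth()
    svc.enroll("alice", "Correct-Horse-9", "general-user")
    svc.enroll("hr-bob", "Batt3ry-Staple!", "hr-admin", rules=[
        {"resource": "hr-db", "access": "read-write", "hours": (8, 18), "devices": {"pc-hr-07"}},
    ])
    return svc


def demo_checks():
    """Run the scenario end to end and return every decision."""
    svc = build_demo()
    office_hours = datetime(2024, 1, 15, 10, 0)
    late_night = datetime(2024, 1, 15, 22, 30)
    return {
        "alice_pass": svc.authenticate("alice", "Correct-Horse-9")[0],
        "alice_bad_pw": svc.authenticate("alice", "wrong")[0],
        "unknown_user": svc.authenticate("nobody", "x")[0],
        "alice_hr_read": svc.authorize("alice", "hr-db", "read", office_hours, "pc-01"),
        "bob_hr_write": svc.authorize("hr-bob", "hr-db", "write", office_hours, "pc-hr-07"),
        "bob_hr_write_late": svc.authorize("hr-bob", "hr-db", "write", late_night, "pc-hr-07"),
        "bob_hr_write_laptop": svc.authorize("hr-bob", "hr-db", "write", office_hours, "laptop"),
        "bob_intranet_read": svc.authorize("hr-bob", "intranet", "read", office_hours, "laptop"),
        "bob_intranet_write": svc.authorize("hr-bob", "intranet", "write", office_hours, "laptop"),
        "audit_events": len(svc.audit),
    }


if __name__ == "__main__":
    for name, outcome in demo_checks().items():
        print(f"{name:22} {outcome}")
```

demo_checks() exercises the scenario: alice (a general user) is denied the HR database by her role, hr-bob can write to it only from his assigned PC during office hours, and every decision lands in the audit list. The directory never holds a plaintext password, only a salt and a PBKDF2 digest; comparison uses hmac.compare_digest, and an unknown user is hashed against a dummy salt so that a failed lookup is not faster than a failed password.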

A case example: Single Strong Password in the Nortel Networks corporate network

Nortel Networks uses a Single Strong Password approach in its own worldwide network to authenticate internal and external users, from employees and contractors to joint venture representatives and even customers. The user has one very strong password that is maintained on a centralized password system and synchronized with applications and systems across the enterprise. Users only have to remember one password, making the system simple to use and not likely to be bypassed. Dedicated password servers on several continents manage the system and provide Web-based password management for users and security administrators. These password servers communicate directly with RADIUS authentication servers. The system automatically synchronizes passwords across multiple systems and platforms, such as Windows networking, remote access, UNIX, purchasing, and niche business applications.

The system enables fine-grained authorization at the application level. An internally developed tool enables applications to access the Single Strong Password system, and a list of users allowed to access each application is stored in the authorization database. When an application is accessed, the Single Strong Password system authenticates the user and returns authorization information. The system logs attempted violations of authorization rules and multiple simultaneous logins to geographically dispersed systems, to detect and prevent misuse.

The Single Strong Password system enforces strict password rules. For example, passwords must contain at least eight characters, both upper and lowercase letters, and at least one number or symbol. Additionally, passwords must not contain dictionary words of four characters or longer, a previously used password, a password that matches an account name, a date or year, keyboard patterns, or repeating characters.
Users are required to change passwords at predefined intervals.

After years of real-world use, Nortel Networks has seen the following advantages of this system:
- Single consistent method for setting passwords
- Single consistent method for authentication and authorization
- Single method for registering and terminating user accounts
- Enforcement of corporate password strength guidelines
- Consistency across applications, so employees know what to do
- Standardization that makes the system easy to support and adopt
- Fast, seamless performance through standard interfaces and APIs
- Lower costs, fewer help desk calls

Figure 9. Single password access management in Nortel Networks corporate network (elements shown: RADIUS server; local, remote, wired and wireless access for employees, technicians, contractors, partners, and customers; single password access management; enterprise network; password authentication database; RADIUS-enabled enterprise applications: CRM, SCM, ERP, unified messaging, self-serve benefits, expense system...)
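The password rules of the Single Strong Password system listed above translate directly into a checker. The Python below is an added example for this edition, not Nortel Networks code; the tiny word list and keyboard rows are constructed stand-ins for a real dictionary and layout table, and where the text leaves room the interpretation is an assumption: "repeating characters" is read as the same character three or more times in a row, "keyboard patterns" as any four adjacent keys of a row in either direction, "a date or year" as a 19xx/20xx year or a numeric date, and "previously used" is tested against a history of digests rather than of stored passwords.

```python
import hashlib
import re

# Constructed stand-ins for the real word list and keyboard layout data.
DICTIONARY = {"pass", "password", "welcome", "summer", "horse", "staple", "secret"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
_YEAR = re.compile(r"(19|20)\d{2}")
_DATE = re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")
_REPEAT = re.compile(r"(.)\1\1")          # same character three or more times in a row


def history_digest(account, password):
    """Digest kept in the password history instead of the old password itself.
    Simplification for the example: salted with the account name; a production
    store would use a random per-entry salt and a slow hash."""
    return hashlib.sha256(f"{account}:{password}".encode()).hexdigest()


def _keyboard_runs(min_len=4):
    """Every run of `min_len` adjacent keys on a row, forwards and backwards."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            run = row[i:i + min_len]
            yield run
            yield run[::-1]


def check_password(candidate, account, history=(), dictionary=DICTIONARY):
    """Return the list of rule codes the candidate violates (empty list = acceptable)."""
    lower = candidate.lower()
    violations = []
    if len(candidate) < 8:
        violations.append("too_short")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        violations.append("case_mix")
    if not any(c.isdigit() or not c.isalnum() for c in candidate):
        violations.append("digit_or_symbol")
    if any(len(w) >= 4 and w in lower for w in dictionary):   # words of 4+ chars only
        violations.append("dictionary_word")
    if account.lower() in lower:
        violations.append("account_name")
    if _YEAR.search(candidate) or _DATE.search(candidate):
        violations.append("date_or_year")
    if any(run in lower for run in _keyboard_runs()):
        violations.append("keyboard_pattern")
    if _REPEAT.search(candidate):
        violations.append("repeated_characters")
    if history_digest(account, candidate) in set(history):
        violations.append("reused")
    return violations


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Qwerty2024!", "alicePass1", "aaa"):
        print(f"{pw!r:16} -> {check_password(pw, 'alice') or 'acceptable'}")
```

check_password() returns every violated rule rather than stopping at the first one, which is what a Web-based password management page needs in order to tell the user everything to fix at once. Dictionary matching is done on the lower-cased candidate so that capitalisation does not defeat it, and only words of four or more characters count, as the text specifies.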

Part III. Network security in the real world

The previous section outlined key principles and practices of the Nortel Networks Unified Security Architecture. This section demonstrates this multi-level security framework in action for several real-world scenarios:
- Securing the campus network
- Securing the data center
- Securing the remote office
- Securing remote access
- Securing IP telephony services

3.1. Securing the campus network

In this context, the term campus describes a corporate headquarters or large regional office where the network uses a mix of technologies, products, and applications, and serves a large user population. The campus network presents a challenging security picture because of the diversity of elements to protect:
- Servers, including departmental servers for user access and file sharing, central application servers such as finance and databases, and Web servers for either public Web or Intranet applications.
- Operating systems, typically multiple versions of multiple operating systems running on servers and clients.
- Network devices, including routers, Layer 4-7 load-balancing switches, Layer 3 core switches, Layer 2 distribution switches, and wireless LAN access points.
- Security devices, such as firewalls, VPN gateways, intrusion-detection and anti-virus servers, SSL accelerators, authentication servers, and content filtering servers.

Securing the campus network at the network security level

Layer 2 switching security. VLANs based on the IEEE 802.1Q standard and Ethernet switches segregate traffic for greater security and manageability. When port-based VLANs are configured, each VLAN is completely separated from the others, particularly at the broadcast-domain level. In order to limit network access, a number of Ethernet switches provide port security that ties a MAC address list to specific switches, or even to ports of those switches, and prevents unknown workstations from gaining access. This list may be built either by auto-discovery or by manual update.
With the general availability of the 802.1x authentication standard, Ethernet switches offer embedded capabilities to apply security at every node in the network, providing an effective framework for authenticating and controlling user traffic to a protected network. 802.1x ties a protocol called EAP (Extensible Authentication Protocol, originally developed for PPP) to LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. It enables enforcement of client authorization on corporate authentication servers such as RADIUS. EAP not only controls Layer 2 port connectivity, but can be extended (as is being done by Nortel Networks) along with secure access management to customize the security (and QoS) end-user profiles of the port for a particular authenticated user. When a host attempts to log onto the network, the host and an authentication service exchange data via EAP. Under an end-user profile architecture, the EAP protocol enables the policy server to leverage information in a third-party authentication service to validate users and assign appropriate network access and QoS (Quality of Service) capabilities.

Layer 2 wireless LAN security. Wireless LANs offer a flexible alternative to regular Ethernet connectivity, but they suffer from known vulnerabilities. For one, it's hard to control who is really accessing the system. Second, the current Wired Equivalent Privacy (WEP) 802.11 encryption method is weak.

Figure 10. Securing the campus network (elements shown: engineering, human resources, and finance L2 segments; virus screening server; load-balanced IDS servers; backbone Layer 2-7 routing switch with Web switching (NAT, CF, FW); enterprise L2 distribution Layer 2-7 routing switch; switched firewall; high capacity router; IP PBX; SSL; IP-VPN Services Gateway (Auth, IPsec, SRT, FW); Internet; WLAN PC; PSTN; campus servers)

For both reasons, it is recommended to use VPN technology for wireless LANs and run an IP-VPN client, such as the Nortel Networks Contivity Client, on the wireless device. VPN-based wireless security is platform and radio technology agnostic; that is, the client system establishes a connection to the network via 802.11b, 802.11a, or even Bluetooth, and the VPN takes over from there. Most of the authentication takes place independently of the wireless network, keeping access point maintenance simple. The VPN can treat the wireless LAN just as it would the corporate backbone with wireless access points. Users trying to access the network via the wireless LAN are then authenticated, their information encrypted, and all communication logged by the VPN system. Alternatively, with some WLAN IP phones, encryption and authentication are built in. For example, Nortel Networks has a strategic partnership with Symbol, whose WLAN IP phones support 128-bit WEP encryption between the client and the wireless access point, and Kerberos authentication. Combining those approaches provides the robust user authentication and encryption required for WLAN environments.

Layer 3 switching and routing security. Network address translation (NAT) enables an organization to present a public IP address to the world and hide internal addresses from public view. Processing NAT in hardware with a switch is an innovative strategy for converting internal addresses into public addresses (and vice versa), making routing and firewall solutions highly efficient.

Proper design and use of routing and Layer 3 switching enhance the survivability of the campus network. Access control lists, IP segmentation and sub-netting, redundancy protocols such as Virtual Router Redundancy Protocol (VRRP), and fast convergence routing using OSPF (Open Shortest Path First) all contribute to a more survivable infrastructure. Routers and routing switches secure the data path using IP filters that drop undesirable packets. Routing can be further secured by implementing route policies, encryption and authentication of OSPF and BGP route updates with MD5, and broadcast/multicast rate limiting. Last but not least is the innovative Secure Routing Technology (SRT), which enables dynamic routing over secure IPsec tunnels for RIP and OSPF. Contivity Secure IP Services Gateways implement this dynamic secure routing approach, which is described later in this document in the Securing Remote Access scenario.

Securing remote communication via IPsec VPNs and SSL extranets. Typically, the campus network also supports VPNs to connect with branch offices and remote users, carrying private network traffic within a secure, encrypted tunnel over a public network. Robust and secure central site solutions that support both remote access and remote office IP-VPNs and firewalls are key elements of the campus network. For more information, see Securing the Remote Office and Securing Remote Access, later in this section.

Securing the campus network at the network-assisted security level

Perimeter control via firewalls and intrusion-detection servers. The enterprise network often provides employees with connection to the Internet from the corporate headquarters campus. It is usually centralized in order to more easily protect a single interface to the public world. That's exactly where perimeter control solutions such as firewalls and intrusion-detection systems (IDSs) are generally deployed to prevent malicious intrusion by unauthorized persons.
It is highly recommended that firewalls be implemented at every site within an enterprise to secure internal and external traffic, and at every point of interconnection with the Internet (e.g., even a remote PC). In some cases, it is appropriate to integrate this functionality with the secure IP services gateways also used for remote office and remote access IP-VPNs. Firewalls provide a perimeter defense against unauthorized access, an essential first step when planning for Internet access. Firewalls come in various sizes and capabilities, fitting many specific network requirements depending on their point of use. An emerging trend is to use new, multi-gigabit firewalls to interconnect segments of the campus LAN, which keeps departments separate and enables communication only through firewall security policies.

An IDS monitors the network to identify unauthorized users or suspicious patterns of utilization. Most IDS applications compare network traffic and host log entries against data signatures and host address profiles indicative of hackers. Intrusion-detection software identifies traffic patterns that indicate the presence of unauthorized users. Suspicious activities trigger administrator alarms and other configurable responses. Nortel Networks partners with best-of-breed companies such as Internet Security Systems (ISS) to offer specialty software solutions for intrusion-detection.

Content inspection via content filtering and anti-virus systems. These tools provide essential protections for remote and local computing, and are discussed in more detail in Part III under Securing the Data Center.

Layer 4 to 7 switching and filtering security. Layer 4 to 7 switches provide control services for applications, management, and traffic to improve resource utilization and performance, ensure security with high performance, provide network scalability, and provide failsafe network assurance. They are usually deployed near security devices and in server farms.
Integrated security filtering offloads firewall processing of NAT, monitors network activity, protects against denial-of-service attacks and some virus types such as Code Red / Blue, and protects data without compromising throughput. Nortel Networks Passport 8600 and Nortel Networks Alteon Web switches offer extensive Layer 4 to 7 capabilities.

These solutions are more generally implemented in the data center, but have value in front of campus servers:

Load-balancing. Firewalls and VPNs are compute-intensive applications and can become bottlenecks to network performance. Load-balancing using an application switch mitigates this problem by distributing traffic among multiple active devices, enabling many firewalls/VPNs to operate in parallel.

Port mirroring. Similarly, IDS functions are extremely compute-intensive and can slow network performance. Port mirroring on an application switch duplicates the data and sends it to one or more intrusion-detection servers (which can be load-balanced) for packet inspection at the same time the original data flow is being forwarded without delay.

In small campus networks, these capabilities can be provided by Alteon Web switches. In large campus networks, a Nortel Networks Passport 8600 system with an integrated Alteon Web Switching Module provides the required scalability.

3.2. Securing the data center

The typical enterprise data center supports mission-critical applications and houses a high concentration of capital-intensive resources and confidential data, all connected to the inherently insecure Internet as well as to internal users. That means securing the data center presents some unique requirements for failsafe security without compromising performance and availability for users. The need increases as enterprises discover new ways to exploit high-performance, Internet-empowered data centers:

Ensure business continuity. Massive processing throughput and transport bandwidth now make it feasible to store primary and duplicate sets of critical data in multiple data centers in real time, to extend business continuity services, real-time storage mirroring, and live backup across service provider networks.

Support critical business applications.
Enterprises use data centers to host business applications, implement firewalls or virtual private networks, provide storage services and content delivery of static and streaming media, and more.

Produce economies of scale on infrastructure. Enterprises can consolidate or outsource data center functions to centralize critical computing resources, create virtual data centers that span multiple locations, and reduce operational costs without the performance penalty or security concerns typically associated with remote access.

The closed enterprise may outsource its Web presence to a third party, but extended and open enterprises are exposed to the Internet for customer access, business-to-business connectivity, and interworking with application service providers, disaster recovery providers, and more. There's a big survival risk for companies that don't Web-connect with extended communities, yet there's a big security risk for those that do. A comprehensive data center security strategy requires multiple, inter-working technologies, protocols, and procedures, with partitioning among these functions provided by VLANs and firewalls.

Securing the data center at the network security level

Virtual Private Networks. Secure IP Services Gateways used for remote office and remote access IP-VPNs enable enterprises to enjoy secure connectivity with branch offices, business partners, and remote users. For employee access, the central site VPN solution can be implemented at the campus edge; for partner and business-to-business connectivity, the VPN can be implemented in the data center, or the two can be integrated.
The ideal VPN gateway should provide an all-in-one solution for routing, bandwidth management, authentication, encryption, network address translation, data integrity, logging, and firewall capabilities. Nortel Networks' market-leading Contivity Secure IP Services Gateways (built on Secure Routing Technology, SRT) meet these requirements.

Network address translation (NAT) enables the enterprise data center to present a public IP address to the world and hide internal server addresses from public view. Converting external to internal addresses (and vice versa) can be performed in switch hardware, thereby enhancing the efficiency of routing, switching, and firewall functions.

Figure 11. Securing the data center (elements shown: mission-critical enterprise applications; DMZ with SSL, virus screening server, and Web servers; backbone Layer 2-7 routing switch with Web switching (NAT, CF, FW); other enterprise applications; switched firewall; high capacity router; Internet; management domain with IP-VPN Services Gateway (Auth, SRT, IPsec, FW), LDAP, RADIUS, and DNS; load-balanced IDS servers)

Securing the data center at the network-assisted security level

Switched firewalls can now provide multi-gigabit throughput and state-of-the-art filtering to secure and safeguard data center servers without the performance degradation that typically occurs with deep packet inspection. Switched firewalling introduced the same level of performance improvement to perimeter security as Layer 3 switching brought to LAN routing. Therefore, a switch-based firewall is recommended for perimeter security in transaction-oriented environments. The Nortel Networks Alteon Switched Firewall combines Layer 4-7 cut-through switching with firewall software processing to deliver more than 4 Gbps throughput. Logical demilitarized zones can be created through the use of VLANs.

The Secure Sockets Layer (SSL) protocol built into most browsers and Web servers is widely used to protect communications to and from Web applications. Unfortunately, SSL processing is very compute-intensive and significantly reduces server performance. This results in increased cost and operational complexity when it comes time to scale secure transaction processing. SSL accelerators such as the Nortel Networks Alteon solution offload SSL processing from local servers without imposing delays on other traffic in the same data path, and offer a simpler way to deploy and maintain the Public Key Infrastructure (PKI) required for electronic transactions.

Intrusion-detection, anti-virus, and content filtering tools provide essential protections for online commerce and remote computing in general. IDS software identifies traffic patterns that indicate the presence of unauthorized users. Anti-virus software detects and defuses potential cyber attacks. Content filtering software restricts the type of data that can be accessed or distributed.

IDSs can be broadly categorized according to the following criteria:
- Incident detection timeframe: real-time or off-line, depending on whether system logs and network traffic are analyzed as events take place or in batch mode during off hours.
- Type of installation: network-based or host-based. A network-based IDS typically involves multiple monitors (often pre-configured appliances) installed at choke points on the network (where all traffic between two points can be monitored). A host-based IDS requires that software be installed directly on the servers to be protected, and monitors the network connections and user activity on those servers.
- Type of reaction to incidents: whether the IDS actively intervenes to head off attacks (such as by modifying firewall rules or router filters) or simply notifies staff or other network systems of the problem.

Most commercial IDS products provide a combination of network- and host-based monitoring capabilities, with a central management host to receive reports from the various monitors and alert network support staff. A network-based IDS is recommended for most installations.

Anti-virus solutions continuously monitor applications to ensure that no virus damages the system. They detect malicious viruses, worms, and Trojan horses in all major file types, including mobile code and compressed file formats. Content filtering software restricts the type of data that can be accessed or distributed, so that employees and partners are exposed only to correct and appropriate content.
Content filtering can identify inappropriate Web surfing and stem productivity losses due to prolonged Internet use. Content filtering also helps minimize the spread of viruses from Web servers. The Alteon Content Cache (ACC) supports hundreds of URL filters, providing customers with the ability to protect themselves from well-known URL server attacks. ACC also stops many viruses such as NIMDA and Code Red, and can be used to control which sites are accessible. Together, these measures enable networks to be open and accessible for legitimate uses, but not wide open for inappropriate or malicious uses.

Layer 4 to 7 application switching provides high-availability traffic management by filtering and switching traffic based on application and content information, without compromising throughput. To increase protection against denial-of-service (DoS) attacks, routing switches such as the Nortel Networks Passport 8600 enable network administrators to set a threshold for new half-open sessions (SYN attack alarms) and have the Layer 4-7 switch trigger a trap to notify the administrator when the threshold is exceeded. An application-abuse protection feature limits the rate of new TCP connections on a per-client basis. Administrators can limit users to a particular connection rate and limit the number of sessions for users accessing a specific domain or application within the domain. Benefits include protection from application abuse, increased application availability, and increased control of user access to applications. Layer 7 Deny Filters allow network administrators to create filters and assign URLs to those filters to deny certain traffic. This is particularly useful as added anti-virus protection, preventing access to disallowed Web content. Alteon Web switches and Passport 8600 systems equipped with an Alteon Web Switching Module both offer high-performance Layer 2-7 filtering.
These systems also perform load balancing across VPN, firewall, IDS, and DNS systems to eliminate data center performance bottlenecks.
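The two Layer 4-7 protections described above, the half-open session alarm and the per-client connection-rate limit, are easy to reason about in software. The following is an added example written for this page, not Nortel Networks code: the event format, the thresholds and the sample traffic are all constructed for illustration.

```python
"""Half-open session alarm and per-client connection-rate limiting.

Added example, not Nortel Networks code: a software model of the two Layer 4-7
protections described above (the SYN attack alarm and the protection-from-
application-abuse rate limit). Thresholds, the event format and the sample
traffic are all constructed for illustration.
"""
from collections import defaultdict, deque


class HalfOpenMonitor:
    """Count half-open TCP sessions (SYN seen, handshake not completed) and emit
    a trap once each time the count first exceeds the configured threshold."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.half_open = set()      # (client_ip, src_port) of embryonic sessions
        self.traps = []             # (timestamp_ms, half_open_count) per trap emitted
        self._alarmed = False

    def observe(self, ts_ms, client_ip, src_port, event):
        """event is 'syn' (new half-open session), 'ack' (handshake completed),
        'rst' or 'timeout' (session torn down). Returns the current half-open count."""
        key = (client_ip, src_port)
        if event == "syn":
            self.half_open.add(key)
        else:
            self.half_open.discard(key)
        count = len(self.half_open)
        if count > self.threshold and not self._alarmed:
            self.traps.append((ts_ms, count))
            self._alarmed = True
        elif count <= self.threshold:
            self._alarmed = False   # re-arm once the backlog drains
        return count


class ConnectionRateLimiter:
    """Per-client limit of max_new new connections per window_ms (sliding window),
    plus a cap on concurrent sessions per (client, domain)."""

    def __init__(self, max_new, window_ms, max_sessions_per_domain):
        self.max_new = max_new
        self.window_ms = window_ms
        self.max_sessions = max_sessions_per_domain
        self.syn_times = defaultdict(deque)   # client_ip -> recent SYN timestamps
        self.sessions = defaultdict(int)      # (client_ip, domain) -> open sessions

    def admit(self, ts_ms, client_ip, domain):
        """Return True and record the session if the new connection is allowed."""
        recent = self.syn_times[client_ip]
        while recent and ts_ms - recent[0] >= self.window_ms:
            recent.popleft()                  # forget SYNs that left the window
        if len(recent) >= self.max_new:
            return False                      # client exceeds its connection rate
        if self.sessions[(client_ip, domain)] >= self.max_sessions:
            return False                      # too many open sessions to this domain
        recent.append(ts_ms)
        self.sessions[(client_ip, domain)] += 1
        return True

    def release(self, client_ip, domain):
        """Record that one session to domain has closed."""
        key = (client_ip, domain)
        if self.sessions[key] > 0:
            self.sessions[key] -= 1


def run_syn_flood_sample():
    """Constructed traffic: one legitimate client completing a handshake, then a
    flood of 30 SYNs from a single source that never completes any of them."""
    mon = HalfOpenMonitor(threshold=20)
    mon.observe(0, "198.51.100.5", 51000, "syn")
    mon.observe(5, "198.51.100.5", 51000, "ack")
    for i in range(30):
        mon.observe(10 + i * 10, "203.0.113.7", 40000 + i, "syn")
    return mon.traps, len(mon.half_open)


def run_rate_limit_sample():
    """Constructed traffic: 5 new connections per second allowed, at most 3
    concurrent sessions per domain."""
    lim = ConnectionRateLimiter(max_new=5, window_ms=1000, max_sessions_per_domain=3)
    client = "198.51.100.5"
    decisions = [lim.admit(t, client, "mail.example") for t in (0, 100, 200, 300)]
    decisions += [lim.admit(t, client, "hr.example") for t in (400, 500, 600)]
    lim.release(client, "mail.example")       # one mail session closes
    decisions.append(lim.admit(1100, client, "mail.example"))
    return decisions


if __name__ == "__main__":
    print(run_syn_flood_sample())
    print(run_rate_limit_sample())
```

The alarm re-arms only after the backlog falls back under the threshold, so a sustained flood produces one trap rather than one per packet; the rate limiter fails the fourth mail.example connection on the per-domain session cap and the seventh overall on the per-second rate, then admits again once the window has slid and a session has been released.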

Securing data center storage

When enterprises were organized into business silos, each running its own applications and databases, direct attached storage (DAS) was sufficient. Storage devices were dedicated and physically attached to each server; securing them was relatively simple. With the emergence of storage area networks (SANs) to support global applications more cost-effectively, the security picture becomes more complex. SANs connect a number of storage devices and application servers across a dedicated network running protocols such as Fibre Channel, ESCON, and FICON at speeds up to 2 Gbps. Optical systems such as the Nortel Networks OPTera Coarse/Dense Wave Division Multiplexing (CWDM/DWDM) system have enabled massively scalable SANs that span the MAN and WAN.

As SANs are extended globally, storage security becomes a significant concern. Within the data center, storage access is protected within the SAN by creating zones of trust. As storage is extended over CWDM/DWDM optics, carrier-grade connectivity and security are required (and provided by Nortel Networks solutions). Optical transport offers a strong measure of isolation: the network elements do not operate in the IP data plane, so they are not reachable by IP-based attacks, and intercepting a wavelength requires physical access to the fiber or the optical equipment rather than a foothold on the data network. It is not, however, a substitute for zoning and access control on the SAN itself, and physical security of fiber routes and equipment rooms remains part of the design. Within the network core, carrier-grade network elements are required that are hardened against IP-based attack. The management plane of the optical network elements that enterprises use (and that form the core of service provider and carrier networks) for transporting storage, video, voice and data is secured through the techniques for securing management described in this document. In contrast, using the enterprise IP network for storage networking (such as with iSCSI) opens this critical enterprise resource to the same broad range of vulnerabilities as any other IP service.
3.3 Securing the remote office

In this context, the term remote office refers to any remote workplace that requires persistent, two-way communication with the enterprise, for locations as diverse as a telecommuter's home office or a major regional office. Connecting remote offices is a significant network cost in many industries, such as retail banking, health care, and government. Traditionally, remote offices were connected to the enterprise network using various LAN technologies and multi-protocol routers, working into frame relay networks with ISDN circuit-switched backup. VSAT satellite terminals have also been widely deployed, for instance for credit card validation in the retail industry.

Four major developments are transforming the remote-office networking scenario: (1) the convergence on Ethernet as the LAN standard, (2) universal acceptance of IP as the protocol of choice, (3) the Internet, and (4) a growing list of Layer 2 and 3 VPN services. However, these developments also introduce a variety of security challenges, particularly for extended and open enterprises.

WAN (wide area network) edge requirements at the branch office level include routing between VLANs locally and into the network, QoS and bandwidth management, and scalable interfacing into the WAN. This includes supporting the required encapsulation scheme over the WAN and whatever level of reliability is appropriate. Cost-effective security over the Internet (and even over frame relay) is a key requirement. Managing the transition from legacy (relatively secure) WAN technologies to IP-VPNs is also a challenge. Some enterprises want to have direct Internet access from every remote office, opening up the need for remote firewalls.
Others want highly reliable, dynamically routed connectivity between branches and the enterprise backbone, with centralized firewalls into the Internet, in some cases using frame relay as the primary path and the Internet as a backup, or moving towards IP-VPNs as the primary configuration. Dynamic routing enhances scalability and reliability by automatically learning network topology and end-user addresses, and adapting to changes in network topology. However, security in routed networks has been an afterthought. For example, there has been no efficient way to run dynamic routing over VPN-encrypted tunnels (see the GRE-over-IPsec discussion below), and the tunnels themselves have been difficult to manage. These limitations have led enterprises to buy, install, maintain, and manage multiple security and networking devices for remote office and branch networks, resulting in a complex and costly architecture.

Dynamic routing vulnerabilities

Although dynamic exchange of routing information among enterprise sites eases the administrative tasks of managing network traffic flows and can enhance reliability, it can also introduce security issues if not configured and managed properly.

One key issue is the handling of default routes, which determine where traffic with unknown destination addresses will be sent. Typically, the default route points to the Internet. In this case, if routing information for some site in the enterprise is lost (perhaps due to equipment failure, but possibly due to a security attack), then traffic meant for that site may be sent into the Internet without security protection. If the missing route is actually reachable through the Internet (e.g., if it is advertised by an Internet gateway at the remote office), then full bi-directional communication might be established, with traffic flowing unprotected across the Internet, unknown to the systems involved in the communication.

Another issue with dynamic routing is the problem of misleading routing information. If one routing system is hijacked, or if a workstation in the network is configured to send false routing messages, an attacker could redirect traffic to a point where it can be compromised. Likewise, a misconfigured router at a remote office can advertise incorrect routing information and disrupt communications, even if no malicious intent or traffic interception is involved. An example is when one remote office routing system is configured with a static route for another site, then advertises this route as if that site were located behind it. This can disrupt traffic actually intended for the other site.

The solution for these routing issues is to ensure that gateway systems for remote offices contain effective route filtering capabilities, so they will not blindly exchange any routing information they receive from the internal network, but will apply explicit rules to it.
This strategy enables the enterprise network to benefit from the manageability of dynamic routing without exposing the network to dynamic routing vulnerabilities. Clearly, routing information received from the Internet should be carefully filtered, and internal enterprise routes should never be accepted from the Internet.

With the move to IP-VPNs over the Internet, a complete set of security requirements has to be met as cost-effectively as possible at multiple network levels:

- Network security level functions include IP routing over secure tunnels and VPNs.
- Network-assisted security level functions include encryption and stateful firewall inspection.
- Application security level functions must be provided if data servers and/or IP telephony are deployed at the remote office.
- Access management provisions include remote-office authentication and directory services that give each user a unique security profile that stays with them whether they log in locally over the intranet or from home across the Internet.
- Network management security provisions must be extended to the remote office, without back doors that might compromise network security.

Traditional solutions for secure remote office connections

Traditional solutions have proven problematic for meeting remote office security requirements. Many enterprises considered turning on the requisite security functionality on their routers, only to find that adding security may not be possible on low-end routers, or that it may impact router performance and require an expensive upgrade that may represent up to 50 percent of the cost of the original router. Even if a router can be upgraded to support filtering, firewalls, and VPNs, treating security as an application on top of monolithic routing code introduces other problems. One example is routing over IPsec tunnels, required to manage redundant paths, route around failed nodes, and perform load balancing and on-the-fly route selection based on link utilization. Today, these functions are done by double encapsulating IP packets via Generic Routing Encapsulation (GRE) on top of IPsec tunnels, resulting in extra processing, memory, and transmission overheads (an additional 24 bytes per packet for the GRE header and its outer IP header) and requiring manual configuration of each tunnel endpoint. GRE also presents recognized packet fragmentation issues. If this is unacceptable to the customer, then the only practical option is manually configured static routes, which are labor intensive, provide ineffective load balancing at best, and are awkward for managing changes.
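The route-filtering discipline called for under Dynamic routing vulnerabilities above can be stated as a small policy: classify each route by the neighbour it came from and reject the unsafe cases (a default route from a branch, an internal prefix from the Internet, a branch advertising a prefix it does not own). The following is an added example written for this page, not Nortel Networks Secure Routing Technology. It goes one step beyond the text by also showing the default-route leak on a lookup table and a discard route for the internal aggregate as a common mitigation. The address space and site assignments are constructed.

```python
"""Route filtering at a hub gateway for remote-office dynamic routing.

Added example, not Nortel Networks Secure Routing Technology: a policy that
screens every advertisement by the kind of neighbour it came from and rejects
the cases described under Dynamic routing vulnerabilities. It then shows the
default-route leak and, going slightly beyond the text, a discard route for
the internal aggregate as a common mitigation. Address space and site
assignments are constructed.
"""
from ipaddress import ip_address, ip_network

DEFAULT_ROUTE = ip_network("0.0.0.0/0")
INTERNAL_SPACE = ip_network("10.0.0.0/8")          # constructed enterprise aggregate
SITE_PREFIXES = {                                   # constructed: what each branch may originate
    "branch-a": [ip_network("10.1.0.0/16")],
    "branch-b": [ip_network("10.2.0.0/16")],
}


def filter_route(neighbor_kind, neighbor_name, prefix):
    """Return (accept, reason) for one route learned from a neighbour.

    neighbor_kind: 'internet' (the Internet gateway), 'branch' (a remote-office
    gateway over a tunnel or frame relay PVC) or 'core' (the hub's own routers)."""
    prefix = ip_network(prefix)
    internal = prefix != DEFAULT_ROUTE and prefix.subnet_of(INTERNAL_SPACE)

    if neighbor_kind == "internet":
        if prefix == DEFAULT_ROUTE:
            return True, "default route from the Internet gateway"
        if internal:
            return False, "internal prefix learned from the Internet"
        return False, "Internet neighbour may only supply the default route"

    if neighbor_kind == "branch":
        if prefix == DEFAULT_ROUTE:
            return False, "branch may not advertise a default route"
        if not internal:
            return False, "branch advertised a non-enterprise prefix"
        owned = SITE_PREFIXES.get(neighbor_name, [])
        if not any(prefix.subnet_of(p) for p in owned):
            return False, f"{neighbor_name} advertised a prefix it does not own"
        return True, "branch prefix within its assigned space"

    if neighbor_kind == "core":
        if internal:
            return True, "internal prefix from the core"
        return False, "core neighbour may only supply internal prefixes"

    return False, "unknown neighbour kind"


def build_table(routes, discard_internal_aggregate):
    """Longest-prefix-match table from accepted (prefix, next_hop) pairs. With
    discard_internal_aggregate set, unknown internal destinations hit a discard
    route instead of falling through to the default (the leak described above)."""
    table = [(ip_network(p), nh) for p, nh in routes]
    if discard_internal_aggregate:
        table.append((INTERNAL_SPACE, "discard"))
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table, dest):
    """Return the next hop for dest, or None if no route matches."""
    dest = ip_address(dest)
    for prefix, next_hop in table:
        if dest in prefix:
            return next_hop
    return None


def leak_demo():
    """branch-b's route has been lost; where does traffic for 10.2.5.9 go?"""
    routes = [("0.0.0.0/0", "internet-gw"), ("10.1.0.0/16", "tunnel-branch-a")]
    without = lookup(build_table(routes, False), "10.2.5.9")
    with_discard = lookup(build_table(routes, True), "10.2.5.9")
    return without, with_discard


if __name__ == "__main__":
    for args in [("internet", "isp", "0.0.0.0/0"), ("internet", "isp", "10.2.0.0/16"),
                 ("branch", "branch-a", "10.1.0.0/16"), ("branch", "branch-a", "10.2.0.0/16"),
                 ("branch", "branch-b", "0.0.0.0/0"), ("core", "core-1", "10.9.0.0/16")]:
        print(args, filter_route(*args))
    print(leak_demo())
```

The branch rules are deliberately positive (accept only prefixes inside the site's assigned space) rather than negative, so a mis-typed static route for another site is dropped without anyone having to anticipate it. The discard route covers the failure the text describes: once branch-b's route is withdrawn, traffic for 10.2.5.9 is dropped at the hub instead of being forwarded to the Internet gateway in the clear.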

Figure 12. Securing the remote office (diagram: a legacy branch with separate PBX and PSTN connection, Layer 2 switch, firewall, IPsec device and RADIUS server with token/PKI authentication, compared with a converged branch in which a single Secure IP Services Gateway provides Layer 2 switching, authentication, IPsec, Secure Routing Technology and firewall for IP telephones and data over the Internet)

A new architecture for securing the remote office

Adding security to routers (see the Traditional solutions sidebar) is a sub-optimal solution that doesn't measure up to the mission-critical service delivery requirements of branch networks. Multi-box solutions raise total cost of ownership, a problem that multiplies with the hundreds or thousands of sites that may need to be served. A new approach uses secure IP services gateways, which are purpose-built devices that deliver security and security-related IP services in a single, integrated platform designed for remote offices. A single hardware device provides bandwidth management over a range of WAN services, dynamic IP routing over encrypted tunnels, IP-VPN support, and a range of security features, including stateful firewall inspection, encryption, and authentication, all operating under directory and policy services. Targeted at the enterprise edge (the intersection of an enterprise's private and public IP networks), secure IP services gateways provide secure communications over an inherently insecure medium, the Internet. The Nortel Networks Contivity Secure IP Services Gateway is a new class of device in this area, and a key component of our Unified Security Architecture.
Contivity Secure IP Services Gateways:

- Run over ISDN, frame relay, IP-VPN and emerging Layer 2 VPN services (such as Optical Ethernet)
- Deliver encryption/authentication/firewall performance at wire speed
- Operate under a unified security policy management architecture that covers remote users and sites across the enterprise
- Support dynamic end-to-end routing for a mix of frame relay virtual circuits, Layer 2 Virtual Private Ethernets, and IPsec tunnels, the latter achieved by making tunnels visible to the routing code and by encapsulating routing messages directly in IPsec (bypassing the GRE layer of today's solutions)
- Centralize provisioning of critical IP services with tightly integrated security
- Interoperate with existing routing, authentication/directory, and security services

Figure 13. Remote office dynamic routing for increased reliability and scalability (diagram: redundant Secure IP Services Gateways at the central site, each providing firewall, IPsec and Secure Routing Technology; branch Secure IP Services Gateways with firewall, IPsec, SRT and authentication; static and dynamic routing over secure frame relay or secure tunnels across the Internet; remote access clients)

Secure Routing Technology (SRT) features in Contivity systems:

- Secure IP services applications decoupled from the hardware
- Software-configurable IP service deployment
- Designed for secure management, secure policy, secure access, and secure routing
- Compatible with existing Contivity VPN switches and Succession IP telephony

Policy management: applied to frame relay, PPP connections, and secure tunnels.

Secure access management: strong user authentication (PKI) services, plus LDAP, RADIUS, digital certificates, smart cards, and user name/password.

Network security: dynamic routing of IP packets over encrypted tunnels; NAT, PPP over Ethernet, DHCP server and client, DNS with VPN, and DNS proxy.

Network-assisted security: full stateful firewall with 100 application gateways.

Management security: remotely managed using strong encryption (IPsec); a secure base configuration that denies all Internet-originated traffic by default and provides DoS protection; logging and protection against hacker attacks.

3.4 Securing remote access

Remote access enables extended and open enterprises to make efficient use of people and resources wherever they are located: at home, on the road, using public PCs, or in drop-in business centers in hotels. However, opening the network to access from anywhere introduces security concerns.

One of the most prevalent security threats is a remarkably low-tech issue: theft of personal computers, which can lead to more serious issues, i.e., using the stolen PC to steal locally stored data or to masquerade as a legitimate user to access the enterprise network. For that reason, sensitive information on systems used for remote access should be encrypted using a system that integrates seamlessly into normal application use. Encryption systems are currently available that enable the user to operate normally, not requiring manual or individual encryption/decryption of files. For example, entire file systems or folders can be stored in encrypted form, with decryption integrated into normal file system access. The same protection should cover any VPN credentials or keys cached on the device, since these are what allow a stolen PC to masquerade as its owner.

Another threat occurs when the remote-access user is operating on an easily attacked wireless LAN, perhaps at home or in a hotel. For wireless access, the user's access device should be equipped with anti-virus software and an up-to-date personal firewall that prevents unauthorized users from breaking into the user's PC during an open communication session.

Figure 14. Securing remote access (diagram: central site with redundant Secure IP Services Gateways providing firewall, IPsec, SRT and authentication, an SSL VPN gateway, virus scanning and IDS; remote users at a home office, hotel, customer site, airport and a payphone with data jack reaching the site over the Internet via IPsec or SSL)

Securing dial-up access. Remote access over dial-up connections, such as ISDN switched access or a modem call over standard telephone lines, must be protected with stringent access authentication and authorization procedures.
Encryption adds another level of security for confidential communications. Dial-up access is nonetheless inherently risky because it enters the network behind the Internet perimeter and can therefore be used to circumvent firewalls and other IP-based security controls. Direct switched access, widely used in the 1980s and early 1990s, is rapidly being replaced by Internet-based remote access VPNs.

Remote access VPNs. Internet-based remote access provides tremendous flexibility and high bandwidth. Two approaches are common:

- VPNs based on IPsec, with IPsec client software loaded on the user's access device.
- SSL extranets, which use the SSL capability built into standard Web browsers and require no other client software.

We chose not to use the term VPN when describing SSL implementations, since SSL only gives access to an application, not the full network. Let's take a closer look at these popular remote access strategies.

IPsec-based VPNs

IPsec is a network-layer approach that can be used across applications. For example, an IPsec-based VPN connection can be used to access e-mail, HR self-serve applications on the intranet, and browse the network. An IPsec client (the user-interface software), such as the Nortel Networks Contivity Multi-OS Client, must be installed on the access device (PC, PDA, handheld computer, etc.). The access device should also be loaded with anti-virus detection software. Whether based on dial access to an ISP point of presence (POP) or on wired or wireless direct access, the VPN client authenticates the user, verifies the integrity of the user's computer system, and establishes a secure link (tunnel) to the enterprise. The VPN client ensures that the remote system is secure even during session setup, where the exchange of authentication information is encrypted. Remote access VPNs must be able to detect and, if possible, traverse common Internet obstacles such as NAT and outbound firewalls, for example when linking to the enterprise network from within another firewall-protected network. At minimum, the VPN must tell the remote user the nature of the obstacles encountered. An important feature of the Nortel Networks Contivity client is its support of split tunneling, with simultaneous secure access to the enterprise and clear access to the public Internet. Split tunneling should be enabled deliberately rather than by default: while the tunnel is up, the client PC is reachable from the Internet and attached to the enterprise network at the same time, so a compromise of the client during the session exposes the enterprise through a path that bypasses the perimeter firewall. The personal firewall and anti-virus controls described above are prerequisites for allowing it.
Remote access connections from the Internet are handled by an IPsec gateway system at the enterprise edge. Multiple gateways with multiple paths to the Internet provide essential redundancy in case of the failure of any one path or device. Larger enterprises, or those with critical confidentiality requirements, should also consider separating the gateways. An effective IP services gateway should provide: simple client configuration; the ability to pass connections through to the internal enterprise network as opposed to session termination; stateful firewall functionality to preclude the need for a separate firewall; support for multiple authentication methods such as RADIUS, PKI and LDAP, directory-based userid and password systems such as Microsoft Active Directory and Novell Directory Services, and smart card or token-card authentication on users' laptops. Support for L2TP and PPTP may be beneficial.

SSL extranets

SSL is a session-layer approach, which means that every application has to support SSL and have its own user authentication approach. For example, when you go to Amazon.com, the SSL session is set up before you enter your userid or credit card number. User authentication could include going to an authentication server. Firewall traversal and NAT are easily supported with SSL. SSL is built into standard Web browsers such as Microsoft Internet Explorer, so no special client software is required. This feature makes SSL extranets particularly attractive for scenarios where the enterprise doesn't own or control the remote access devices, or where users need access from public PCs. Web browsers are common targets of hackers, but the benefits outweigh the risks, which can be mitigated by using personal firewalls and intrusion-detection systems on the access device. SSL itself is application-agnostic and is considered robust enough that it is used extensively for consumer access to online shopping Web sites.
However, Web browsers support SSL only for Web-enabled (HTML) applications. As a result, if an enterprise wants to use SSL extranets for access to, say, its legacy supply chain management application, then either the application has to have an HTML/SSL front end or an external application-specific gateway. Several vendors offer external gateways for common applications, but every application will need to have a unique front end acquired or developed. In addition to this trade-off, there are also potential incompatibilities among browsers and browser versions. For example, some browser versions will fall back to very weak 40-bit (export-grade) encryption if 128-bit encryption is not available, so the gateway should be configured to refuse such cipher suites rather than rely on the client to avoid them.

In conclusion: SSL extranets operate at the session layer above TCP, are good for Web applications and extranets and limited application access, and don't require any special client software. However, SSL extranets open up a large security hole when used from uncontrolled PCs, such as public PCs in kiosks, which may lack personal firewalls and/or be infected. IPsec VPNs operate at the network layer, are application agnostic, and require a PC client. IPsec VPNs provide complete control over the security environment. Nortel Networks offers both types of VPNs. Contivity Secure IP Services Gateways lead the market in IPsec-based remote access and remote office VPNs, with more than half a million VPN clients in service. Nortel Networks has recently extended its Alteon portfolio to implement SSL extranets.

3.5 Securing IP telephony services

Enterprises are starting to roll out IP telephony solutions to reap the benefits of convergence in the LAN and the WAN, and of converged applications.
Every VoIP system is a hardware/software solution that comprises four logical functions:

- IP telephones and PC soft clients
- Communications servers (also called call management servers or gatekeepers)
- Media gateways that provide flexible network access, for example via traditional PBXs, the public switched telephone network (PSTN) and the public wireless network
- Application servers for such purposes as unified messaging, conferencing, and collaborative applications enabled by Session Initiation Protocol (SIP)

These functions and related application servers such as contact center systems are distributed across a telephony- or business-grade IP network that delivers the required levels of reliability, voice quality, and congestion management. Extended reach and mobility are provided over wireless LANs and over the Internet via IP-VPNs.

IP telephony is very time-sensitive and critical to the business, and, just like other data applications, subject to a variety of attacks. For example:

- Attacks on the router can bring down both voice and data services
- Denial of service can overload an IP telephony communications server or client
- Ping of Death (malformed or oversized ICMP echo requests) and ping floods can disrupt VoIP operations by crashing or saturating VoIP devices
- Port scanning can find vulnerabilities in VoIP clients and servers
- Packet sniffing can record and/or intercept conversations
- IP spoofing can misrepresent the source or destination of the media or signaling stream
- Viruses, worms, Trojan horses, and time-triggered bombs can attack servers and clients

There have already been cases of hackers taking over IP clients: due to a missing administration password in one case (PingTel), and due to vulnerabilities associated with running XML in another (Cisco). However, while these could be very disruptive, they are primarily a threat when running VoIP natively across the Internet and a relatively lesser threat when run within the enterprise or over tunneled Internet connections.
We are a few years away from seeing VoIP used end-to-end between employees and the outside world; the security architecture for VoIP will be extended when standards, public services, and interoperability have reached greater maturity.

Toll fraud prevention

Toll fraud (theft of service) occurs when a PBX and its communications facilities are accessed and used illegally by unauthorized users, internal or external. Just like a computer hacker, PBX hackers look for weak spots in the PBX and use an array of hacking tools ranging from password-stealing software to automatic dialers. Often, hackers are difficult to detect until the damage is already done. With so many different internal and vendor or system integrator technicians accessing the PBX as part of routine maintenance, PBX hackers are often discovered only after they've had days or even weeks to access facilities and rack up hundreds or thousands of dollars on the enterprise phone bill. This complex problem requires sophisticated countermeasures, even in a world where the cost of an individual phone call is measured in pennies.

IP telephony solutions must offer toll fraud prevention and other features that work with both VoIP and traditional telephony. PBXs such as the Nortel Networks Meridian 1 and state-of-the-art IP telephony systems such as the Nortel Networks Succession CSE 1000 support toll-fraud prevention mechanisms. These mechanisms are founded on Telephony Class of Service, which defines each user's permission to make state, national, and international long distance calls. The user can be denied all access, or allowed to make certain types of on-net/internal and off-net/external long distance calls. The default for new phones is restricted calling. These rules can be applied on a time-of-day basis and be overridden with an authorization code.
Indirect access to long-distance calling is also controlled, including potential access via speed call lists, call forwarding, through-dialing from voicemail call answering, and DISA (Direct Inward System Access) for employees dialing into the enterprise network remotely.

Figure 15. Securing IP telephony (diagram: management VLAN with Layer 2 switch; IP-enabled PBX, IP telephony server, multimedia application server, unified messaging server and contact center, each with IDS and virus scanning; telephony-grade IP network with SRT, NAT, firewall, IDS, IPsec, application-layer gateway and authentication; digital sets, IP sets, 802.11 wireless and PC soft clients and SIP-enabled endpoints connected through firewall, IPsec, virus scanning and IDS)
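The Class of Service policy described above (a per-user calling class, restricted by default, with a time-of-day cap, an authorization-code override, and the same screening applied to indirect paths such as speed call, call forwarding, voicemail through-dial and DISA) can be written out as a single decision function. The following is an added example written for this page, not the Meridian 1 or Succession CSE 1000 implementation. The dial plan (a simplified NANP-style one), the user directory, the business hours and the authorization codes are all constructed.

```python
"""Telephony Class of Service screening for toll-fraud prevention.

Added example, not the Meridian 1 or Succession CSE 1000 implementation: a
model of the policy described above. Every call attempt, including indirect
ones (speed call, call forward, voicemail through-dial, DISA), is classified by
dialed number and compared with the caller's Class of Service, with a
time-of-day cap and an authorization-code override. The dial plan, users,
hours and codes are constructed.
"""

RANK = {"internal": 0, "local": 1, "national": 2, "international": 3}
DEFAULT_COS = "internal"                  # new phones start out restricted

USERS = {                                 # constructed directory
    "ext-2001": {"cos": "national"},
    "ext-2002": {},                       # no explicit CoS: inherits DEFAULT_COS
}
AUTH_CODES = {"73941": "international"}   # constructed authorization codes
BUSINESS_HOURS = ("08:00", "18:00")
AFTER_HOURS_CAP = "local"                 # outside business hours, without a code


def _minutes(hhmm):
    """'HH:MM' -> minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def classify_number(dialed):
    """Map a dialed string to the CoS class needed to complete it (constructed
    NANP-style dial plan). Unrecognised patterns are treated as the most
    expensive class so that the check fails closed."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if digits.startswith("011"):                     # international access code
        return "international"
    if digits.startswith("1900") and len(digits) == 11:
        return "international"                       # premium-rate: screen like international
    if len(digits) == 11 and digits[0] == "1":
        return "national"
    if len(digits) == 7:
        return "local"
    if 3 <= len(digits) <= 5:
        return "internal"                            # extension
    return "international"


def authorize(user_id, dialed, now, auth_code=None, via=None):
    """Return (allowed, reason) for a call attempt at time `now` ('HH:MM').
    `via` names an indirect path so that it is screened exactly like a
    directly dialed call."""
    needed = classify_number(dialed)
    granted = USERS.get(user_id, {}).get("cos", DEFAULT_COS)

    if auth_code is not None:
        code_cos = AUTH_CODES.get(auth_code)
        if code_cos is None:
            return False, "invalid authorization code"
        granted = code_cos                           # code overrides CoS and time cap
    else:
        start, end = (_minutes(t) for t in BUSINESS_HOURS)
        after_hours = not (start <= _minutes(now) < end)
        if after_hours and RANK[granted] > RANK[AFTER_HOURS_CAP]:
            granted = AFTER_HOURS_CAP

    path = f" via {via}" if via else ""
    if RANK[needed] <= RANK[granted]:
        return True, f"{needed} call{path} permitted by {granted} class of service"
    return False, f"{needed} call{path} exceeds {granted} class of service"


if __name__ == "__main__":
    print(authorize("ext-2001", "1-212-555-0100", "10:00"))
    print(authorize("ext-2001", "011 44 20 7946 0000", "10:00"))
    print(authorize("ext-2001", "011 44 20 7946 0000", "10:00", auth_code="73941"))
    print(authorize("ext-2001", "1-212-555-0100", "22:00"))
    print(authorize("ext-2002", "555-0199", "10:00"))
    print(authorize("ext-2002", "1-900-555-0123", "10:00", via="call forward"))
```

Two choices matter for fraud prevention: the classifier fails closed (anything it does not recognise is treated as the most expensive class), and the indirect paths are not special-cased, so a call-forward target or a DISA caller is subject to exactly the same check as a handset dialing the number directly.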

Securing IP telephony requires a coordinated approach across all aspects of the Unified Security Architecture. Policy management and secure access management authenticate users and authorize the use of features and calling capabilities. Management security secures management of VoIP devices such as communications servers and media gateways. Security mechanisms that have been implemented for IP data can be extended to cover IP telephony, for example using IPsec and IP-VPNs for secure remote access and branch connectivity for VoIP and data, and for wireless LAN access. Stateful inspection firewalls and network address translation can be applied to VoIP services. Policies governing data and VoIP should be integrated under policy management. Application-level security is provided through such methods as OS hardening, PC-based virus protection, and personal firewalls.

Securing IP telephony at the application security level

Securing application and IP telephony communications servers. The heart of the IP telephony system is the communications server, which can be a standalone server, such as the Nortel Networks Succession CSE 1000/2000 server, or integrated with other components, such as the Nortel Networks IP-enabled Meridian system and Business Communications Manager. Equally important are application servers delivering contact center services (such as Nortel Networks Symposium), multimedia applications (such as Nortel Networks CSE Multimedia Xchange), unified messaging (such as Nortel Networks CallPilot), and self-serve interactive voice response systems. Securing these servers starts with hardening of the operating systems.

Securing VoIP clients. VoIP solutions support a broad range of clients and access configurations, including IP wired and wireless telephones (e.g. Nortel Networks i2002 and i2004, and Symbol's wireless LAN IP phone) and PC-based soft clients (e.g. Nortel Networks i2050 and SIP clients).
When connected to an IP network, these clients are vulnerable to attack. There are a number of different telephony signaling protocols, such as SIP, H.323, UniStim (used by Nortel Networks IP telephones), and Meridian Customer Defined Networking for network-wide feature operation. In the future, the ability to secure signaling traffic at the VoIP client will be generally available. In IP telephony systems, the voice signal is packetized using a codec such as G.729 (at 8 kbps) with a speech activity detection algorithm, and carried with the Real-time Transport Protocol (RTP) over UDP at the transport level. Encryption of the voice at source will emerge as an option, as required by special sectors such as the military community. Until then, signaling and media cross the network in the clear, which is why the switched-Ethernet, VLAN and IP-VPN measures below matter.

The process is different for securing IP telephones and PC-based soft telephony clients:

- IP telephones, such as the Nortel Networks i2004/i2002, are custom-built appliances for telephony only. There is no storage or asset on the phone itself to protect other than its presence on the network as a trusted device. The identity of the caller and the call itself are the only assets to be protected. These telephony appliances most commonly use a proprietary thin-client protocol that relies on the communications server for features, functionality and security. Approaches that rely on XML in the VoIP set for feature operation are open to greater vulnerability.
- VoIP soft clients on users' PCs co-exist with other applications and assets, and run widely available operating systems. That means a successful attack can be damaging to several valued assets, and these devices should be protected with personal firewalls, anti-virus detection, and IP-VPN clients, the same mechanisms used for data security on that access device.

Securing IP telephony at the network security level

Securing VoIP in the wiring closet and across the campus. IP devices are wired into a campus network using either shared media or, more commonly, dedicated switched Ethernet connections.
Wireless LANs are being widely adopted, especially in education and healthcare environments. VoIP soft clients and dedicated VoIP appliances should be connected to switched Ethernet environments right to the desktop, for the following reasons:

- VoIP latency variation is minimized by eliminating the CSMA/CD contention of shared-media Ethernet
- Other devices on the segment cannot passively eavesdrop on VoIP calls (switched ports still need protection against ARP spoofing and MAC flooding, either of which can redirect traffic to an attacker's port)

Enterprises may also choose to logically group VoIP telephones in their own VLANs to enhance security and manageability.

Special considerations apply when using wireless LANs (WLANs) to extend IP telephony services within the enterprise; for example, from the desktop to conference rooms, classrooms, or shop floor personnel. Because wireless LANs are relatively insecure, both the signaling and voice planes need added security over the wireless segment of the call path. One method is to configure soft clients co-resident with an IP-VPN client on the access device. Alternatively, some WLAN IP phones have built-in encryption and authentication. Nortel Networks has a strategic partnership with Symbol, whose WLAN IP phones support 128-bit WEP encryption between the client and the wireless access point, plus Kerberos authentication. Note that WEP has known cryptographic weaknesses that are independent of key length, so where the voice traffic is sensitive the IP-VPN approach over the wireless segment is the stronger of the two.

Securing branches for IP telephony. Several approaches are available for securing remote office VoIP solutions. For example, an enterprise could:

- Support VoIP telephones and soft clients from an office-in-a-box system that integrates IP telephony capabilities and VPN security, such as the Nortel Networks Business Communications Manager with integrated Contivity IP-VPN client.
- Leverage the distributed nature of VoIP by deploying clients off a centralized server such as a Nortel Networks IP-enabled Meridian platform, CSE 1000 server, or CSE MX server, and running this traffic over an IP-VPN.
- Support Nortel Networks Remote Office 9150 VoIP telephony off a central-site IP-enabled Meridian PBX, which supports Meridian digital telephones over an IP-VPN infrastructure while providing a fully featured back-up path by tunneling over the PSTN. This approach is unique to Nortel Networks.

The Nortel Networks Contivity IP-VPN solution is unique for its Secure Routing Technology, which minimizes latency for VoIP calls through meshed connectivity of secure tunnels over the Internet. This same solution can provide security for voice and data traffic traversing frame relay networks.

Figure 16. Securing remote networking for IP telephony (diagram: remote office with IP sets, 802.11 wireless, IP telephony and SIP soft clients behind a Secure IP Services Gateway providing firewall, SRT and IPsec, with IDS and virus scanning; central site Secure IP Services Gateways with firewall, IPsec, SRT and authentication; remote users at a hotel, airport, customer site and a payphone with data jack connecting over the Internet via IPsec or SSL)

Securing remote access for IP telephony. At home, in a hotel, or on the road, remote users can benefit from the convenience, control, and productivity of IP telephony. To secure this kind of telephony access, VoIP soft clients would be co-resident with an IP-VPN client on a laptop and, ultimately, on a suitably equipped PDA for mobile employees. The same configuration is used to take advantage of WLAN access points in hotels, airports, and convention centers. VoIP telephones for telecommuters and remote contact center agents can be secured with a home office IP-VPN gateway, such as a Contivity 1000 Secure IP Services Gateway.

Network management security for IP telephony. Management of IP telephony services should be protected with the same level of network management security accorded to the network and security infrastructure in general. A physically dedicated Ethernet port should be configured for VoIP management functions as part of a management VLAN that blocks all non-management traffic at the routing level via access lists and perimeter security, and that has all unused ports turned off. Only authorized application software should run on the servers in this VLAN. Multi-level security should be applied, with separate privilege levels (monitor, configure, control) for authenticated operational personnel. User passwords must be securely stored, and password format and change management strictly controlled. Management traffic (such as billing information) can optionally be encrypted, even for internal transmission, using IP-VPN technology. Off-net access for suppliers, system integrators, and/or VARs can be provided via IP-VPNs.

Securing Web-enabled contact centers for IP telephony. Web-enabled contact centers are a key platform for offering engaged customer services that seamlessly integrate Web and telephony interfaces with the organization.
Using IP telephony in contact centers makes it cost-effective to distribute agents widely without compromising features and functionality. However, because of the inherent security exposures of the Web interface and the critical nature of telephony services, special security considerations apply. Securing servers at the application and OS levels is based on hardened OS builds and off-the-shelf security packages. Securing server management is based on partitioned operations using VLANs, with remote access via IP-VPNs. IP-VPNs are also used to secure remote VoIP agents operating over the public network.

Part IV. Nortel Networks technology and expertise
Nortel Networks has defined a new strategy for the enterprise network, known as "One Network. A World of Choice." One Network, because it supports infrastructure convergence and eliminates boundaries. A World of Choice, because it delivers options on how enterprises build the optimal networks to suit their needs. The vision is of a single, converged network that answers the critical business realities that strain and constrain today's networks. Absolutely central to this vision is the principle that security is inherent in all applications and services, intrinsic to the very DNA of the network. The Unified Security Architecture outlined in this document represents the Nortel Networks blueprint for that new enterprise network. Within this "One Network. A World of Choice." strategy, security provisions are in place to:
- Make enterprise networking products secure from a management perspective.
- Address network and voice/multimedia application security needs.
- Evolve from a perimeter-based security model towards a distributed and layered network security architecture with centralized administration.
- Deliver reliable, high-performance security solutions, including VoIP and wireless.
- Provide choices to enterprises in meeting their security requirements, driven by their business needs.
- Leverage industry-leading technologies and solutions across enterprise and service provider markets.

4.1. Design tenets built into the Nortel Networks security portfolio
Nortel Networks enterprise networking products, including security products and solutions, have been designed and built to adhere to the following tenets:
- Security in the DNA means that Nortel Networks security products such as Alteon Switched Firewall, Alteon SSL Accelerator, and Contivity Secure IP Services Gateways are designed from the ground up with security in mind.
- Fail-safe business continuity relies on network resilience from the physical layer to the application layer for mission-critical applications and data, using session persistence, load balancing, acceleration methods, and optical technologies. For example, the Alteon Security Cluster provides a comprehensive security framework that delivers multi-gigabit acceleration and integrates firewalls, SSL offload, intrusion-detection, and anti-virus protection into a scalable, easy-to-manage architecture.
- Scalability by design extends and protects network investments and lowers operational costs. The Alteon Switched Firewall, delivering the highest capacity in the industry at 3 Gbps, demonstrates this tenet in practice.
- Application-optimized network components such as the Alteon SSL Accelerator combine network-assisted security with network intelligence to add a layer of security across multiple applications while optimizing server performance.
- Communications convergence ensures that IP telephony and multimedia applications such as Nortel Networks Succession products can operate securely within the enterprise environment and across the Internet.
- Engaged applications deliver timely, context-sensitive, user-aware content to users as quickly, efficiently, and securely as possible across multiple service delivery channels.
- Comprehensive management ensures that security policies are effectively and consistently implemented throughout the network. For example, Optivity Policy Services complements other Optivity management solutions to secure the management system and enhance survivability.

Figure 17. Design tenets behind Nortel Networks products: security in the DNA, scalability by design, fail-safe business continuity, communications convergence, comprehensive management, application-optimized network, engaged applications

These design tenets apply to the entire Nortel Networks portfolio, including for example:
- Alteon switches that provide firewall/IDS/IP-VPN load balancing and content filtering
- Passport 8600 routing switches that provide extensive filtering and access list controls, as well as firewall/IDS/IP-VPN load balancing when equipped with an Alteon Web Switching Module. The Passport 8600 is a 256 Gbps platform so robust that it is used in service provider central offices
- Ethernet hubs and switches from the BayStack portfolio that support VLANs and user authentication via EAP
Security is also a key element of Nortel Networks applications for IP telephony and multimedia, contact centers, unified messaging, and more. Integration with solutions from our business partners delivers important capabilities such as intrusion-detection, anti-virus, content filtering, and authentication. Whether offered as intrinsic features in multi-purpose products or as purpose-built security devices, Nortel Networks security solutions protect the network and applications with high performance and low cost of ownership.

4.2. Expanded choice through partnerships
Nortel Networks partners with service providers to enable them to offer best-in-class secure managed service solutions. For example, our Contivity systems have been deployed by the majority of the world's leading service providers for their managed IP-VPN services. The Nortel Networks Shasta Broadband Service Node (which uses the same VPN client as Contivity) is the foundation for many providers' network-based IP services, including VPNs, firewalls, and other security services.
Nortel Networks also partners with best-of-breed security application vendors for two types of collaboration:
- Working with select security application vendors to achieve full code integration with the Alteon Open Security Architecture, for the purpose of accelerating existing security technologies.
- Ensuring seamless interoperability with third-party security methods for authentication (RADIUS, digital certificates/PKI, hardware/software tokens, and smart cards), intrusion-detection, anti-virus, content filtering, firewall reporting, and more.

4.3. Security services
With new data privacy legislation pending and enacted, a constantly changing scene of network threats and vulnerabilities, and IT security teams operating on limited budgets and manpower, many enterprises turn some or all of their security functions over to certified security specialists. Security consulting services can help the enterprise move forward with confidence to:
- Achieve and maintain compliance with Gramm-Leach-Bliley, HIPAA, and other legislation.
- Obtain objective third-party validation of their security implementation, policy, and practices.
- Establish security baseline information from thorough vulnerability analysis of the network, site surveys of wireless nodes added to the wired network, and other security services.
Organizations in the health care, financial, and insurance industries would be particularly interested in any or all of the following services related to recent Federal legislation:
- Assessing and analyzing the current network and environment for compliance with new industry regulations
- Developing plans to address noncompliant areas
- Implementing the policies, procedures, processes, and technology needed to meet the new standards
- Certifying that the enterprise organization complies with regulations and legislation
- Monitoring to assure continued compliance
Nortel Networks partners with security services vendors (e.g. Olympus Security Group) with CISSP-certified personnel to provide security deployment assistance, security training, security assessments, and regular security audits to ensure that new products and/or practices have not defeated security policies.

4.4. Nortel Networks product assurance
Nortel Networks product assurance initiatives ensure that security functions perform to industry-accepted standards and specifications, where they exist.
Firewalls. Nortel Networks firewalls are certified, or are being certified, by the International Computer Security Association (ICSA), an internationally recognized, independent organization that enforces strict certification standards for security products.
Encryption. Nortel Networks Contivity and Alteon SSL Accelerator products have achieved compliance with U.S. Federal Information Processing Standard (FIPS) 140. To earn this status, cryptographic modules are tested by accredited laboratories and assigned a security level from 1 to 4 (lowest to highest), evaluated across 11 areas of design and implementation. The overall testing program is overseen by the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the Government of Canada.
Common Criteria international certification. Responding to the newly established and globally accepted Common Criteria evaluation program, Nortel Networks has begun work to obtain this certification for key products, first for Alteon Switched Firewall and Contivity Secure IP Services Gateways.

A closer look at Common Criteria
An international effort to develop common IT security evaluation criteria, the Common Criteria is organized as a taxonomy of security requirements, specified either as Protection Profiles or as a Security Target. Protection Profiles are customer- or community-of-interest-generated sets of security requirements that are made publicly available before, during, or after certification so that any organization or group with similar needs can reuse them. These profiles can be established as standards for a particular application area such as electronic commerce, as a government-authored list of requirements for a particular type of product such as a firewall, for a particular vertical market such as healthcare, or as a customer's own list of requirements. Security Targets state the security objectives of a specific product or system, known as the Target of Evaluation (TOE). The Target can claim conformance to one or more Protection Profiles as part of its evaluation. The document "Common Criteria for Information Technology Security Evaluation" specifies security functionality and evaluation methods, drawing on the original United States government Orange Book, or Trusted Computer System Evaluation Criteria (TCSEC); Canada's Trusted Computer Product Evaluation Criteria (CTCPEC); and Europe's Information Technology Security Evaluation Criteria (ITSEC), which combined work from the Netherlands, the French and German criteria, and the UK Confidence Levels. To date, the Common Criteria have been formally recognized by 23 countries. Common Criteria (CC) v2.0 was released in 1998; v2.1 followed in 1999 and has been adopted by the International Organization for Standardization as ISO/IEC 15408. For more information, see the Nortel Networks Common Criteria datasheet.

4.5. Nortel Networks and cross-industry security developments
Nortel Networks participates actively in ongoing security standards development within the Internet Engineering Task Force (IETF), the International Telecommunication Union (ITU), and the European Telecommunications Standards Institute (ETSI), covering IPsec, NAT, PKI, SYSLOG, and more, as well as in the following international private and public sector organizations, which work to find solutions for the growing number of security vulnerabilities on a worldwide basis:
Internet Security Alliance. Nortel Networks is a founding sponsor of this organization, created to share information and lead thought on information security issues. It is a collaborative effort between the Carnegie Mellon University Software Engineering Institute (SEI), the Carnegie Mellon CERT Coordination Center (CERT/CC), and the Electronic Industries Alliance (EIA), a federation of trade associations. The Internet Security Alliance represents industry's interest before legislators and regulators, and creates a collaborative environment to identify and standardize best practices and solutions.
National Reliability and Interoperability Council (NRIC). Part of the Homeland Security Working Group, the NRIC works to ensure the optimal reliability, interoperability, accessibility, and interconnectivity of public telecommunications networks.
The Telecommunications Information Sharing and Analysis Center (Telecom-ISAC). Nortel Networks cooperates with this subgroup of the National Coordinating Center for Telecommunications (NCC), which facilitates voluntary collaboration and information sharing among government and industry ISAC members. The NCC gathers information on threats, outages, intrusions, and anomalies; analyzes and sanitizes the information; disseminates it in accord with sharing agreements; and alerts others in near real time.
National Security Telecom Advisory Committee (NSTAC). Nortel Networks participates in the Network Security Information Exchange (NSIE) subcommittee of this group, which is driving the establishment of a common security baseline for enterprises and carriers to reduce customer operating expense and vendor R&D expense.
Joint Group on Network and Information Security (NIS). This is a new European initiative formed by ETSI and the European Committee for Standardization (CEN). NIS helps coordinate effective use of security standards to establish trust on the Internet. Nortel Networks chairs NIS.

Nortel Networks maintains an internal cross-functional team, the Security Advisory Task Force (SATF), which reports to the Chief Technology Officer and addresses security vulnerabilities that could impact Nortel Networks products as soon as these vulnerabilities are discovered. This internal task force has established relationships with key security vulnerability agencies in the industry, such as CERT, SANS, and the ISA, to ensure rapid awareness of new vulnerabilities. A process has been established to determine the level of risk each potential vulnerability poses to Nortel Networks customers, along with a risk mitigation plan where required. Where appropriate, the vulnerability status of the Nortel Networks portfolio is communicated in Vendor Statements on the corresponding CERT Web page and through action bulletins, created with internal product teams, that specify a risk analysis, vulnerability status, mitigation plan, and planned patch release dates. These bulletins are made available to customers, customer support teams, and account teams. Finally, the team follows up on all issues until closure.

Summary
The typical enterprise "internal trusted network" is anything but internal these days. It extends to include supply chain partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more. Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would misappropriate network resources for personal gain. Whether or not they leverage the inherently insecure Internet for business applications, all enterprises have an obligation to protect network integrity and data confidentiality, for their own sakes as well as for their customers and business partners. The good news is that enterprises can minimize their risks from unauthorized users without sacrificing performance for legitimate users.

The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of best recommendations for end-to-end enterprise network security. Addressing the Top Ten security challenges with flexible implementation choices, this comprehensive security strategy is based on these key principles:
1. Multi-layer security that defines security protection functions at the application, network-assisted, and network security levels
2. Variable-depth security across the enterprise, not just at the edge of the Internet
3. Closed-loop policy management that entails continuous evolution of policy to address changing business requirements, network conditions, and industry knowledge
4. Uniform access management via stringent authentication and authorization at a granular level, defined and managed centrally for the entire enterprise
5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying security best practices to suit critical operational activities
6. Secure multimedia communications, protected by high-performance encryption and tunneling
7. Survival under attack, ensuring that the network continues to deliver critical services even as it detects and wards off malicious activities
The principles underpinning the Unified Security Architecture offer enterprises a blueprint for implementing security solutions that ensure information integrity and confidentiality across a full range of network applications and architectures, including protection from external attacks, application abuse, viruses, unauthorized access, and interception or manipulation of data en route. With Nortel Networks Security Solutions, enterprises can protect business-critical resources, and confidently and confidentially use the Internet as an extension of their trusted internal network.
For more information about security products, terms, standards, organizations, legislation, and certification, visit our security solutions Web site at http://www.nortelnetworks.com/solutions/security/related.html.

Appendix A. Hackers' tools of the trade
Unauthorized access to network resources is usually the result of improper system configuration and usage flaws. Attackers can take advantage of weak user authentication and authorization tools, improper allocation of hidden space, shared privileges among applications, or even sloppy employee habits, such as posting their secret passwords on the side of their computers. Attackers can obtain illegal access by guessing user names and passwords using a dictionary of common strings, by deriving passwords by algorithmic means, or by capturing them in transit if they are sent unencrypted. After guessing or intercepting a user name and associated password, the attacker gains a dangerous level of access to internal resources. How much access depends on the privileges assigned to the compromised account, naturally. But in reality, the potential for damage depends more on the hacker's intent. Usually the hacker's mission is to use the compromised account to install a backdoor entry to the enterprise.

Protocols for remote access to e-mail such as IMAP, POP3, and POP2 use simple user name and password authentication. These protocols are convenient targets for brute force attacks, and there are published methods that allow attackers to remotely exploit the services that implement them. There are even more sophisticated ways of gaining unauthorized access. Worms can be used to perform system-spoofing attacks whereby one system component masquerades as another. For example, worms have exploited flaws in the debug option of sendmail and in .rhosts trust (as used in UNIX), both of which rest on weak authentication. The debug option of sendmail can be turned off; leaving it on is an example of a usage flaw.

IP spoofing, or session hijacking, is a complex attack that exploits trust relationships. The attacker assumes the identity of a trusted host in order to sabotage the security of the target host. As far as the target host knows, it is carrying on a conversation with a trusted host. In this assault, the attacker first identifies a trusted host whose identity will be assumed, perhaps by first determining the patterns of trust for the target, that is, the range of IP addresses that the host trusts. The next step is to disable the trusted host (for example by a TCP SYN flooding attack), since the attacker will assume its identity and must keep it from answering. IP spoofing attacks succeed because it is easy to forge IP source addresses and network-based address authentication is weak. The IP spoofing attack is blind, since the attacker does not normally see the responses from the target host. However, the attacker can obtain two-way communication if routing tables are manipulated to deliver traffic for the spoofed source IP address. IP spoofing attacks are often used as a first step for other assaults, such as Denial of Service (DoS) and flooding attacks.

Network sniffers were originally designed to enable network managers to diagnose problems, perform analysis, or improve the performance of their networks. Network sniffers work in a network segment that is not switched, such as segments connected through a hub, so that the sniffer can see all traffic on that segment. Older sniffers read packet headers and focused on identifying low-level packet characteristics such as source and destination address. Current sniffers, however, can decode data from packets across all layers of the OSI model. Attackers can use sniffers to view user information and passwords from packets on public or private networks. In particular, attackers can obtain user names and passwords from applications such as FTP, telnet, and others that send passwords in the clear. Protocols for remote access to e-mail such as IMAP, POP3, and POP2 use simple user name and password authentication and are especially susceptible to sniffer attacks. Since users tend to reuse passwords across multiple applications and platforms, attackers can use the acquired information to obtain access to various resources on the network, whose confidentiality is then compromised. Moreover, these resources can also be used as launch pads for other attacks.
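The following Python script, added here as an example and not part of the original paper, does from the defender's side what the sniffer passage above describes: it reassembles a capture into client-to-server flows and reports every FTP, POP3, IMAP or telnet login sent in the clear. The capture is a constructed list of TCP payloads (already in order, one flow per client, server and port; a real capture would need TCP reassembly first). Telnet option negotiation is stripped before the typed lines are read, and the two-line login heuristic for telnet is an assumption, since telnet carries no framing around the login prompt.

```python
"""Passive audit of a packet capture for credentials sent in the clear by
FTP, POP3, IMAP and telnet, i.e. exactly what a sniffer on the segment
would collect.  Added example, not from the original paper.  The capture
is a constructed list of client-to-server TCP payloads (already ordered,
one flow per (client, server, port)); real captures need reassembly."""
import re
from collections import defaultdict

# Constructed segments: (client_ip, server_ip, server_port, payload)
SEGMENTS = [
    ("10.1.5.20", "10.1.9.1", 21, b"USER alice\r\n"),
    ("10.1.5.20", "10.1.9.1", 21, b"PASS s3cret\r\n"),
    ("10.1.5.21", "10.1.9.2", 110, b"USER bob\r\nPASS hunter2\r\n"),
    ("10.1.5.22", "10.1.9.2", 143, b"a001 LOGIN carol pa55word\r\n"),
    # telnet: option negotiation (IAC DO ECHO, IAC WILL TTYPE) then keystrokes
    ("10.1.5.23", "10.1.9.3", 23, b"\xff\xfd\x01\xff\xfb\x18dave\r\nletmein\r\n"),
    # TLS ClientHello fragment on 443: nothing readable, must be skipped
    ("10.1.5.24", "10.1.9.4", 443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"),
]

IAC, SB, SE = 255, 250, 240


def strip_telnet_negotiation(data):
    """Remove IAC option-negotiation sequences, leaving the typed characters."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= len(data):
            break
        elif data[i + 1] == IAC:                    # escaped 0xFF data byte
            out.append(IAC); i += 2
        elif data[i + 1] == SB:                     # sub-negotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in (251, 252, 253, 254):   # WILL/WONT/DO/DONT + option
            i += 3
        else:                                       # any other two-byte command
            i += 2
    return bytes(out)


IMAP_LOGIN = re.compile(rb"^\S+ LOGIN (\S+) (\S+)$", re.IGNORECASE)


def extract_credentials(stream, port):
    """Return (protocol, user, password) for one client-to-server stream, or None."""
    lines = [l for l in stream.split(b"\r\n") if l]
    if port in (21, 110):                           # FTP and POP3 share USER/PASS
        user = password = None
        for l in lines:
            verb, _, arg = l.partition(b" ")
            if verb.upper() == b"USER":
                user = arg
            elif verb.upper() == b"PASS":
                password = arg
        if user and password:
            return ("ftp" if port == 21 else "pop3", user, password)
    elif port == 143:
        for l in lines:
            m = IMAP_LOGIN.match(l)
            if m:
                return ("imap", m.group(1), m.group(2))
    elif port == 23:
        # telnet has no framing: heuristically, the first two typed lines are
        # the answers to the login: and Password: prompts (an assumption)
        typed = [l for l in strip_telnet_negotiation(stream).split(b"\r\n") if l]
        if len(typed) >= 2:
            return ("telnet", typed[0], typed[1])
    return None


def audit(segments):
    """Group segments into flows and report every cleartext login found.
    Only the password length is reported, so the report itself does not
    become a credential store."""
    flows = defaultdict(bytes)
    for client, server, port, payload in segments:
        flows[(client, server, port)] += payload
    findings = []
    for (client, server, port), stream in flows.items():
        cred = extract_credentials(stream, port)
        if cred:
            proto, user, password = cred
            findings.append({"proto": proto, "client": client, "server": server,
                             "user": user.decode(errors="replace"),
                             "password_len": len(password)})
    return findings


if __name__ == "__main__":
    for f in audit(SEGMENTS):
        print(f"{f['proto']:6} {f['client']} -> {f['server']} user={f['user']} "
              f"(password of {f['password_len']} chars sent in the clear)")
```

Run against a real capture, the report is the list of accounts whose passwords must be rotated and whose protocols must move to their encrypted equivalents (SSH, POP3S/IMAPS, FTPS or SFTP) or inside a VPN tunnel.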

In general, attackers can use network sniffers by compromising the physical security of the corporation, say, by walking into the office and plugging a laptop into the network. With the growing use of wireless networks, someone in the parking lot with a wireless device can access the enterprise's local network. Gaining access to the core packet network enables the attacker to determine configurations and modes of operation for further exploitation.

Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing their service. DoS attacks are easy to implement and can cause significant damage, disrupting the operation of the enterprise and effectively disconnecting it from the rest of the world. DoS attacks can take various forms and target a variety of services. They focus on exhausting network, server, host, and application resources and on disrupting network connectivity. For example, the SYN flooding attack sends bogus TCP connection requests that leave half-open connections behind, exhausting the connection table and memory of the targeted resource. These types of attacks can prevent legitimate users from accessing hosts, Web applications, and other network resources. Distributed DoS attacks use the resources of more than one machine to launch synchronized DoS attacks on a resource. DoS attacks exploit weaknesses in the architecture of the system under attack. In some cases they exploit weaknesses in common Internet protocols, such as the Internet Control Message Protocol (ICMP). For example, some DoS attacks send a large number of ICMP echo (ping) packets to an IP broadcast address, with the source address spoofed to that of the intended target. Every host on the broadcast segment replies, and the amplified stream of replies arriving at the target can cripple it. These are called Smurf attacks. Another form of attack uses UDP packets but works on the same concept.

Bucket brigade attacks are also known as man-in-the-middle attacks. In this kind of assault the attacker intercepts messages in a public key exchange between a server and a client, and retransmits them with the attacker's own public key substituted for the requested one. The original parties believe they are communicating with each other, while the attacker may merely read the messages or may modify them. Network sniffers can be used to launch such attacks. An exchange in which the public keys are not authenticated, by a certificate or an out-of-band check, cannot detect the substitution.

Back door entries to network resources can be opened accidentally or intentionally, by users and by procedural oversights, such as these:
- Deliberately placed by system developers to allow quick access during development and not turned off upon delivery
- Placed by employees to facilitate performance of their duties
- Part of standard operating system installs that have not been eliminated by OS hardening, such as retaining default user logon ID and password combinations
- Placed by disgruntled employees to allow access after termination
- Created by the execution of malicious code, such as viruses

Masquerading, or elevation of privilege, enables a hacker to pose as a valid administrator or engineer to access the network. Masquerading as a user with administrative privileges, the intruder can modify accounts, configuration data, network signaling, and billing and usage data.

Eavesdropping takes advantage of the promiscuous mode of off-the-shelf Ethernet adapters. This mode enables an attacker to capture every packet on the segment, listening to and recording data communications on the enterprise LAN. There are plenty of free network sniffers on the Web today that an attacker can use for eavesdropping. Eavesdropping is an insidious problem because it is difficult to detect.
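The IP spoofing, SYN flooding and Smurf attacks described in this appendix each leave a signature that a border device or a monitoring probe can check for. The Python below is an added example rather than code from the original paper; it runs three such checks over a constructed packet list: RFC 2827 style ingress and egress source-address filtering, detection of ICMP echo requests aimed at a subnet's directed-broadcast address, and a count of half-open TCP connections per server. The address ranges, interface names and thresholds are assumptions chosen for the sample.

```python
"""Three checks for the spoofing and flooding attacks described in this
appendix, run over a constructed packet list: ingress/egress address
filtering (RFC 2827), directed-broadcast ICMP echo (Smurf), and half-open
TCP connection counting (SYN flood).  Added example, not from the
original paper; addresses, interface names and thresholds are assumptions."""
import ipaddress
from collections import defaultdict, namedtuple

# iface: "outside" (Internet-facing) or "inside"; proto: "tcp" or "icmp"
# flags: TCP flag letters ("S", "SA", "A", ...) or the ICMP type (8 = echo request)
Pkt = namedtuple("Pkt", "iface src sport dst dport proto flags")

INTERNAL = ipaddress.ip_network("10.1.0.0/16")          # the enterprise's own space
SUBNETS = [ipaddress.ip_network("10.1.5.0/24"), ipaddress.ip_network("10.1.9.0/24")]
BROADCASTS = {str(n.broadcast_address) for n in SUBNETS}


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def check_spoofing(pkts):
    """RFC 2827 style: internal sources must not arrive from outside, and
    only internal sources may leave.  Returns (direction, src, dst) tuples."""
    hits = []
    for p in pkts:
        if p.iface == "outside" and is_internal(p.src):
            hits.append(("ingress", p.src, p.dst))
        elif p.iface == "inside" and not is_internal(p.src):
            hits.append(("egress", p.src, p.dst))
    return hits


def check_smurf(pkts):
    """Echo requests aimed at a subnet's directed-broadcast address are
    amplification attempts; the (spoofed) source is the intended victim."""
    return [(p.src, p.dst) for p in pkts
            if p.proto == "icmp" and p.flags == 8 and p.dst in BROADCASTS]


def check_syn_flood(pkts, threshold=3):
    """Count SYNs per server port never completed by an ACK from the same
    (src, sport).  Returns {(server, port): half_open} for servers at or
    over the threshold."""
    pending = defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        key = (p.dst, p.dport)
        if p.flags == "S":
            pending[key].add((p.src, p.sport))
        elif "A" in p.flags:
            pending[key].discard((p.src, p.sport))
    return {k: len(v) for k, v in pending.items() if len(v) >= threshold}


# Constructed traffic sample (not a real capture)
SAMPLE = [
    Pkt("outside", "10.1.5.20", 40000, "10.1.5.10", 80, "tcp", "S"),       # internal src from outside
    Pkt("inside", "10.1.5.20", 40001, "203.0.113.5", 80, "tcp", "S"),      # normal outbound
    Pkt("inside", "203.0.113.99", 40002, "198.51.100.1", 80, "tcp", "S"),  # forged outbound source
    Pkt("outside", "198.51.100.7", 0, "10.1.5.255", 0, "icmp", 8),         # Smurf trigger
    Pkt("inside", "10.1.5.3", 0, "10.1.5.10", 0, "icmp", 8),               # ordinary ping
    Pkt("outside", "203.0.113.50", 50000, "10.1.5.10", 80, "tcp", "S"),    # completed handshake
    Pkt("outside", "203.0.113.50", 50000, "10.1.5.10", 80, "tcp", "A"),
] + [Pkt("outside", f"203.0.113.{i}", 50000, "10.1.5.10", 80, "tcp", "S")
     for i in range(11, 16)]                                               # five half-open SYNs

if __name__ == "__main__":
    print("spoofed:  ", check_spoofing(SAMPLE))
    print("smurf:    ", check_smurf(SAMPLE))
    print("syn flood:", check_syn_flood(SAMPLE))
```

Note that the spoofed SYN in the first packet also counts toward the half-open total for 10.1.5.10, which is the point of the combination: spoofed sources are what make a SYN flood hard to rate-limit by address, and the ingress filter removes them before the connection table sees them.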

Appendix B. Application and network level threats
Application threats
Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources. For example, since Web hosts are accessible by the public at well-known port numbers specified by protocols (such as port 80 for HTTP traffic), hackers can use this knowledge to launch attacks that pass straight through firewalls, which must allow that port. Improper configuration and authorization can lead to security holes. For example, a Web server host should freely distribute Web pages but restrict shell command access to authorized administrators, as specified in the security policy.

Account harvesting targets the authentication process when an application requests the user's logon ID and password. Applications that generate different error messages for a wrong logon ID and for a wrong password are vulnerable to this type of attack. Based on the type of error message, an intruder can first determine a valid user logon ID and then use other password cracking techniques to get the password. Application-layer attacks can be based on viruses, worms, buffer overflows, and password harvesting, among others. Some application-layer attacks aim simply to deface or take down the Web site. Others tamper with a Web site's cookies (cookie poisoning), modifying the values the browser returns to the server in order to gain access or information the user is not entitled to; applications that do not validate cookie contents act on the tampered values, and known vulnerabilities in current Web browsers allow such cookie-based attacks. An attacker may also use cross-site scripting, inserting malicious code in the form of a script tag in a URL that the application reflects into its page, so that the script executes in the browser of an unsuspecting user who clicks on the URL. SSL can solve some of these application-layer security problems but does not fully protect Web applications, because it protects only the transport: attacks such as account harvesting and password cracking can still be launched even if SSL is used.
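Account harvesting is easiest to see in code. The Python below, added as an example and not taken from the original paper, contrasts a login function that answers "Unknown user" and "Incorrect password" separately (and skips the hash computation for unknown users, which leaks the same information through timing) with a hardened version that returns one message and does the same work on both paths. The user store, passwords and messages are constructed; the harvest function shows what each version tells an attacker who probes a list of candidate names with one wrong password.

```python
"""Account harvesting: a login routine that answers differently for an
unknown user and for a wrong password gives an attacker a username
oracle.  The hardened version returns one message and does the same
amount of work on both paths.  Added example, not from the original
paper; users, passwords and messages are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(users):
    """Constructed user store: name -> (salt, pbkdf2 hash)."""
    db = {}
    for name, password in users.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash(password, salt))
    return db


def login_vulnerable(db, user, password):
    """Distinct messages (and a fast path for unknown users) leak which
    accounts exist."""
    if user not in db:
        return False, "Unknown user"
    salt, stored = db[user]
    if _hash(password, salt) == stored:         # also not a constant-time compare
        return True, "Welcome"
    return False, "Incorrect password"


# A throwaway salt/hash so the unknown-user path costs the same as a real check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_hardened(db, user, password):
    """Same failure message and same work whether or not the user exists."""
    salt, stored = db.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(password, salt), stored)
    ok = match and user in db                   # never accept a 'match' on the dummy
    return ok, ("Welcome" if ok else "Invalid username or password")


def harvest(login, db, candidates, probe="definitely-not-the-password"):
    """Attacker's view: group candidate names by the message they produce.
    Two or more groups means the application is an account oracle."""
    groups = {}
    for name in candidates:
        _, message = login(db, name, probe)
        groups.setdefault(message, []).append(name)
    return groups


DB = make_user_db({"alice": "correct horse", "bob": "battery staple"})
CANDIDATES = ["alice", "bob", "carol", "admin"]

if __name__ == "__main__":
    print("vulnerable:", harvest(login_vulnerable, DB, CANDIDATES))
    print("hardened:  ", harvest(login_hardened, DB, CANDIDATES))
```

The dummy salt and hash matter as much as the uniform message: without them the unknown-user path returns in microseconds while the known-user path spends tens of milliseconds in PBKDF2, and the attacker harvests accounts from the response time instead of the text. Rate limiting per source and per account is still needed on top, since the hardened function does nothing to slow the subsequent password guessing.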
Network threats
Internet-connected enterprises expose their network infrastructure to serious security threats such as sabotage, vandalism, bad system configuration, denial of service (DoS), snooping, industrial espionage, and theft of service. Attacks may be launched from inside the network by insiders and also from external sources such as hackers. Recent developments in hacker technology, such as port scanners that run on mobile terminals, demonstrate that attacks on network infrastructure can originate from the mobile terminal as well. How do you protect switches, routers, access points, remote access servers, wireless access points, hosts, and other resources from these threats? The typical IP packet infrastructure demonstrates a wide array of vulnerabilities:
- It commonly uses protocols with known security vulnerabilities, such as ICMP, TELNET, SNMPv1 and v2, DHCP, TFTP, RIPv1, NTP, DNS, and HTTP. Other common protocols (e.g., FTP, IMAP, SMTP) may also have vulnerabilities.
- It uses weak, locally managed, static passwords based on short, common dictionary words that are easy to guess. Some administrators use one password across all network elements, shared by and known to every administrator.
- It leaves security information unprotected, for instance by not encrypting password files, improperly setting firewall rules, or using weak encryption methods for transmitting passwords.
- It accepts unauthenticated software loads and configuration files, which may be accidentally or maliciously incorrect, resulting in erroneous device configurations, poor performance, loss of service, and open invitations for Trojan horses or other malicious code.
- It uses non-hardened network elements and operating systems that still use factory default settings, which may run unnecessary services and have default accounts and passwords still enabled.
- It unnecessarily exposes management ports and interfaces to the public network, or allows unauthorized management actions over dial-up, ISDN, or other connections.
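Most of the conditions in this list, together with the management-VLAN and access-list requirements from the network management security section earlier in the paper, can be checked mechanically against a device's configuration. The Python below is an added example, not code from the original paper; the configuration syntax is an IOS-like style used only for illustration, and both the weak and the hardened configuration are constructed. It flags default SNMP communities, management services without an access list, telnet and plaintext HTTP management, and cleartext or default credentials, and reports nothing for the hardened configuration.

```python
"""Audit a network element's configuration for the conditions listed
above: default SNMP communities, management services without access
lists, cleartext management protocols, and default or cleartext
credentials.  Added example, not from the original paper.  The
configuration syntax is an IOS-like style used only for illustration,
and both configurations are constructed."""
import re

WEAK_CONFIG = """\
hostname edge-sw1
username admin password 0 admin
snmp-server community public RO
snmp-server community s3cure-rw RW 10
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
hostname edge-sw1
service password-encryption
username admin secret 5 $1$constructed$hashvalue
ip access-list standard MGMT
 permit 10.1.250.0 0.0.0.255
snmp-server community s3cure-ro RO MGMT
no ip http server
ip http secure-server
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("cisco", "cisco"), ("root", "root")}


def _sections(lines, prefix):
    """Yield the indented block that follows each line starting with prefix."""
    i = 0
    while i < len(lines):
        if lines[i].startswith(prefix):
            body, i = [], i + 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip()); i += 1
            yield body
        else:
            i += 1


def audit(config):
    """Return a list of (code, severity, detail) findings."""
    lines = config.splitlines()
    findings = []
    for l in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", l)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("SNMP_DEFAULT_COMMUNITY", "HIGH", f"community '{community}'"))
            if acl is None:                     # no access list: reachable from any source
                findings.append(("SNMP_NO_ACL", "HIGH" if mode == "RW" else "MEDIUM",
                                 f"community '{community}' not restricted by access list"))
        m = re.match(r"username (\S+) password 0 (\S+)$", l)
        if m:                                   # 'password 0' stores the secret in the clear
            user, password = m.groups()
            findings.append(("CLEARTEXT_PASSWORD", "MEDIUM", f"user '{user}'"))
            if (user, password) in DEFAULT_CREDENTIALS:
                findings.append(("DEFAULT_CREDENTIAL", "HIGH", f"user '{user}'"))
        if l == "ip http server":
            findings.append(("HTTP_PLAINTEXT", "MEDIUM", "management over HTTP"))
    for body in _sections(lines, "line vty"):
        if any(b.startswith("transport input") and "telnet" in b.split() for b in body):
            findings.append(("VTY_TELNET", "HIGH", "telnet accepted on vty lines"))
        if not any(b.startswith("access-class") for b in body):
            findings.append(("VTY_NO_ACL", "MEDIUM",
                             "vty lines not restricted to the management subnet"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} findings")
        for code, sev, detail in results:
            print(f"  {sev:6} {code:24} {detail}")
```

The same checks belong in the change process as well as in a periodic scan: a new configuration or software load should be audited (and its origin verified) before it is pushed, which is the control the "unauthenticated software loads and configuration files" item above is asking for.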

In the United States: Nortel Networks 35 Davis Drive Research Triangle Park, NC 27709 USA In Canada: Nortel Networks 8200 Dixie Road, Suite 100 Brampton, Ontario L6T 5P6 Canada In Caribbean and Latin America: Nortel Networks 1500 Concorde Terrace Sunrise, FL 33323 USA In Europe: Nortel Networks Maidenhead Office Park Westacott Way Maidenhead Berkshire SL6 3QH UK In Asia: Nortel Networks Asia 6/F Cityplaza 4, Taikooshing, 12 Taikoo Wan Road, Hong Kong Nortel Networks is an industry leader and innovator focused on transforming how the world communicates and exchanges information. The company is supplying its service provider and enterprise customers with communications technology and infrastructure to enable value-added IP data, voice and multimedia services spanning Metro and Enterprise Networks, Wireless Networks, and Optical Long Haul Networks. As a global company, Nortel Networks does business in more than 150 countries. More information about Nortel Networks can be found on the web at: www.nortelnetworks.com/security For more information, contact your Nortel Networks representative, or call 1-800-4 NORTEL or 1-800-466-7835 from anywhere in North America. *Nortel Networks, the Nortel Networks logo, and the globemark design are trademarks of Nortel Networks. All other trademarks are the property of their owners Copyright 2002 Nortel Networks. All rights reserved. Information in this document is subject to change without notice. Nortel Networks assumes no responsibility for any errors that may appear in this document. NN102060-0902