WHITE PAPER: Security Features of the 7705 Service Aggregation Router

Security Features of the 7705 Service Aggregation Router. White Paper, November 2009

Table of Contents

1 Executive Summary
2 ITU-T X.805 Security Architecture
3 7705 SAR Security Feature Summary
4 7705 SAR Security Best Practices
  4.1 Common Network Security Threats
  4.2 Providing Management Plane Security
  4.3 Providing Control Plane Security
  4.4 Providing Data Plane Security
  4.5 Security Threat Mitigation
5 Conclusion
References
Glossary of Terms

Alcatel-Lucent Proprietary and Confidential. 2009/2010 All Rights Reserved.

1 Executive Summary

Security is a top priority for service providers and enterprises alike. It is the responsibility of the operations organization to make sure that its systems are secure from malicious behavior, protecting both the end users and the network infrastructure. Failure to properly seal the network will result in network outages, service downtime and potentially lost revenue. At the same time, the level of protection must reflect the level of exposure to potential threats: operators must analyze their networks within their operational context, assess the potential risk, and weigh it against the cost of implementing the specific security measures.

This document describes the security features available on the 7705 SAR family (SAR-F and SAR-8, collectively referred to as the SAR) and, for some specific situations, how to apply those features to prevent malicious behavior. Alcatel-Lucent recommends that operators review their specific network threats with security experts in order to apply the appropriate level of security within the network while taking advantage of the features on the products being used.

2 ITU-T X.805 Security Architecture

The ITU-T X.805 Security Architecture is used as the baseline reference to bring structure to the analysis and discussion of how the 7705 SAR can apply security to the network. The remainder of this section is a summary of the ITU-T X.805 security architecture; for further information the reader is encouraged to read the ITU-T recommendation.

The X.805 Security Architecture (Figure 1) provides a methodical, organized way of addressing the threats to telecommunications networks and the classes of actions that address these threats. Those threats are identified in ITU-T Recommendation X.805 as follows:

- Destruction of information and/or other resources.
- Corruption or modification of information.
- Removal, theft, or loss of information and/or other resources.
- Disclosure of information.
- Interruption of services.

[Figure 1 - ITU-T X.805 Security Architecture]

The management, control or user plane of network equipment may be exposed to different types of threats and attacks. Because of the complexity and the large number of different types of equipment in today's communication networks, the X.805 standard defines three separate Security Layers:

- The Infrastructure Security Layer consists of the basic building blocks used to build telecommunications networks, services and applications: individual transmission links and network elements, including their underlying hardware and software platforms.
- The Services Security Layer consists of the services that customers/end-users receive from networks.
- The Applications Security Layer focuses on network-based applications that are accessed by customers/end-users. These applications are enabled by network services and include basic applications such as file transport (e.g., FTP) and web browsing.

These Security Layers provide comprehensive, end-to-end security solutions and identify where security must be addressed in products and solutions, because each layer may be exposed to different types of threats and attacks.

The eight Security Dimensions contained in Recommendation X.805 represent classes of actions that can be taken, or technologies that can be deployed, to counter the unique threats and potential attacks present at each Security Layer and Plane:

- Access Control is concerned with providing authorized access to network resources.
- Authentication is concerned with confirming the identity of communicating parties.
- Non-repudiation is concerned with maintaining an audit trail, so that the origin of data or the cause of an event or action cannot be denied.
- Data Confidentiality is concerned with protecting data from unauthorized disclosure.
- Communication Security is concerned with ensuring that information only flows between authorized end-points without being diverted or intercepted.
- Data Integrity is concerned with maintaining the correctness or accuracy of data and protecting against unauthorized modification, deletion, creation, and replication.
- Availability is concerned with ensuring that there is no denial of authorized access to network elements, stored information, information flows, services, and applications.
- Privacy is concerned with protecting information that might be derived from the observation of network activities.

3 7705 SAR Security Feature Summary

The 7705 SAR is deployed for transport of services for end-to-end communications using IP/MPLS as the principal transport infrastructure protocol. Therefore, the 7705 SAR must address both the infrastructure and service layers as described in the X.805 architecture.

7705 SAR Security Features | 7705 SAR Implemented Functionalities
Authentication | Local, RADIUS, TACACS+
Authorization | Local, RADIUS, TACACS+
Access Filter | ACL
Event Logging | Security Log, Change Log
Configuration Security | Configuration Authorization, Configuration Change Logging, Security Logging, Configuration Backup, SNMPv3
Availability | Control Switching Module (CSM) Queuing, CSM Filter & CSM Traffic Management, Dedicated Management Routing Instance, Non Stop Routing (NSR), Non Stop Forwarding (NSF), Non Stop Signaling (NSS), Graceful Re-start (Helper), Routing Protocol Authentication, Equal Cost Multi-Path (ECMP), Fast Re-route (FRR), Bidirectional Forwarding Detection (BFD)
Other Security Features | MD5 Authentication (OSPF, RSVP-TE), SSH, Login-Control, Password (X.805 dimensions: Communication Security, Access Control)
Other Security Features | MPLS L2 VPN Technology (X.805 dimensions: Communication Security, Privacy)

Each of the features above is mapped to one or more X.805 Security Dimensions (Access Control, Authentication, Non-repudiation and Availability) and to the management, control and data planes of the Infrastructure Layer and the Service Layer.

4 7705 SAR Security Best Practices

The primary focus of a service provider is to deliver a cost-effective, high-quality and uninterrupted service to the end customer. To provide such a service, one must prevent unauthorized access to the network, which could compromise the end-user information, the network traffic and the network infrastructure.

4.1 Common Network Security Threats

During normal operation the network can present potential attack points. Most of these are manageable and can easily be mitigated by configuration changes. The current threats to the systems include:

- Spoofing IP Addresses: this attack uses packet-crafting software to mimic a valid system. The attacker hopes that by disguising their IP address they will gain access to the management system.
- Sniffing Passwords: sniffers are tools used to capture network traffic in order to perform traffic analysis. However, as they capture all traffic that traverses the network, the potential to capture a password is real.
- Session Hijacking: tools exist which allow a user to inject themselves into a current TCP session. This results in traffic destined for a remote host being redirected to a rogue user.
- Authentication, Accounting and Authorization Attacks: user accounts and authentication mechanisms can be attacked by brute-force methods, where multiple passwords are attempted against a known or assumed user account. This could result in a user account being disabled due to failed logon attempts. Likewise, if a third-party authentication server such as RADIUS or TACACS+ is used, an attack could be aimed at these servers with the intent of modifying the database to gain access to the network elements.
- Denial of Service Attacks (DoS): sending a very large stream of packets at a network element on a management or service port is aimed at creating Denial of Service (DoS) conditions. This is achieved by the malicious packet stream occupying nodal or network resources (such as processor cycles, link bandwidth and memory) that would otherwise be applied to the delivery of legitimate user services. Keep in mind that this packet stream has to be large in magnitude to accomplish this and will probably require amplifier nodes, as a single node might not be able to create the packet rates necessary (Distributed DoS or DDoS).

- Physical Security: one aspect of security that needs consideration is physical security. It provides a certain amount of assurance that device tampering is eliminated or at least kept to a minimum. Typically, corporate security policies dictate the policy and guidelines for ensuring secure facilities.

4.2 Providing Management Plane Security

The management plane deals primarily with the Operations, Administration, Maintenance and Provisioning (OAM&P) of individual network elements such as the 7705 SAR. Securing access to the network elements for specific network management entities as well as individual users is the key to protecting the network.

The 7705 SAR uses CSM Filters to manage which traffic has access to the control and management plane. Provisioning the filters to reject traffic that is not part of the closed user group can dramatically enhance the ability to protect the system from failure. The closed user group should contain only the network management servers that require access to this network element and the set of individual users who require direct CLI access.

CSM Filters can use the following information to allow or deny access to the Management and Control plane:

- DSCP name: matching DiffServ Code Point (DSCP) names
- Destination IP address and mask: matching destination IP address and mask values
- Destination port/range: matching TCP or UDP port values
- Fragmentation: matching the fragmentation state of packets
- ICMP code: matching the ICMP code in the ICMP header
- ICMP type: matching the ICMP type in the ICMP header
- IP option: matching an option or range of options in the IP header
- Multiple IP options: matching the state of multiple option fields in the IP header
- Option present: matching the state of the option field in the IP header
- Source IP address and mask: matching source IP address and mask values. Address ranges are configured by specifying mask values, the 32-bit combination used to describe the address portion that refers to the subnet and the portion that refers to the host. The mask length is expressed as an integer.
- Source port/range: matching TCP or UDP port and range values
- TCP ACK: matching the state of the ACK bit in the control bits of the TCP header of an IP packet
- TCP SYN: matching the state of the SYN bit in the control bits of the TCP header of an IP packet

The 7705 SAR also has management traffic queues which allow the user to separate traffic based on priority and application in order to protect the control plane against malicious attacks.

All network management configuration activities should use SNMPv3 with security enabled, to prevent unauthorized users from accessing the information transmitted between the network element and the network managers. If users connect directly to the network elements for CLI configuration, SSH2 should be used. SSH2 uses an enhanced networking implementation and is considered a more secure, efficient and portable version of SSH; it includes Secure FTP (SFTP).

For authentication and authorization purposes, the provider should start by changing the default login of the network element. This helps to prevent users from accessing the platform with basic password retry attempts, and also helps to prevent access through the console port if physical access to the network element is not secured (i.e. customer premises equipment that is not in a locked cabinet). Using RADIUS or TACACS+ is recommended over the local database as the method of managing authentication and authorization. A provider should decide on the various user types and the required access for each, making sure that specific users have access to the areas of the network elements that allow them to do their work while restricting access to configuration items that could affect network operations. In the event that the 7705 SAR management plane is subjected to a dictionary attack, the system provides an exponential back-off mechanism for the console port and terminates SSH and Telnet sessions after four failed login attempts.

In addition to the above functions, it is also important to log activities on the node. The two primary logging event sources that should be monitored are Security Events and Change Events:

- Security Events: the security event source is all events that affect attempts to breach system security, such as failed login attempts, attempts to access MIB tables to which the user is not granted access, or attempts to enter a branch of the CLI to which access has not been granted.
- Change Events: the change activity event source is all events that directly affect the configuration or operation of the node.

4.3 Providing Control Plane Security

The control plane represents the protocols and infrastructure required to create the network topology. The 7705 SAR uses routing as the foundation to create the MPLS LSP topology, which in turn is the foundation for services. Both static and dynamic routing are supported, as well as

static and dynamic LSPs. The dynamic protocols send messages between network elements to communicate topology information. To help secure the control plane against malicious behavior, it is recommended that MD5 authentication of the signaling protocol information exchanged between network elements is enabled. This will inhibit an intruder from being able to easily view the messages going between the network elements and make it very difficult to spoof or replay protocol information in order to gain access to the network topology.

IP Filters can also be used to limit who can send signaling traffic to the network element. This helps to prevent DoS attacks and protects the control infrastructure from manipulation. IP Filters are applied to the network ports on the 7705 SAR. Note that in-band OAM and management traffic may arrive on a network port, so the filters must allow this traffic into the system. The CSM filters are in addition to the IP Filters configured on network ports. The following IP Filter information can be configured:

- Protocol identifier: a decimal value representing the IP protocol to be used as an IP filter match criterion. Common protocol numbers include ICMP (1), TCP (6) and UDP (17).
- DSCP name: matching DiffServ Code Point (DSCP) names
- Destination IP address and mask: matching destination IP address and mask values
- Destination port/range: matching TCP or UDP port values
- Fragmentation: matching the fragmentation state of packets
- ICMP code: matching the ICMP code in the ICMP header
- ICMP type: matching the ICMP type in the ICMP header
- IP option: matching an option or range of options in the IP header
- Multiple IP options: matching the state of multiple option fields in the IP header
- Option present: matching the state of the option field in the IP header
- Source IP address and mask: matching source IP address and mask values. Address ranges are configured by specifying mask values, the 32-bit combination used to describe the address portion that refers to the subnet and the portion that refers to the host. The mask length is expressed as an integer.
- Source port/range: matching TCP or UDP port and range values
- TCP ACK: matching the state of the ACK bit in the control bits of the TCP header of an IP packet
- TCP SYN: matching the state of the SYN bit in the control bits of the TCP header of an IP packet
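The match criteria listed for the CSM filters in 4.2 and for the IP filters above are the same vocabulary; what differs is where the filter is applied. The following added example (illustrative code, not the 7705 SAR's implementation) evaluates a first-match entry list built from those criteria (source/destination prefix and mask, protocol identifier, port ranges, TCP SYN/ACK state, ICMP type/code, DSCP name, fragmentation) against constructed packets. The closed user group 10.0.1.0/24, the node address 10.0.1.1 and the policy itself are assumed values chosen for the example; the last entry implements the "reject SYN from outside the closed user group" tactic from the mitigation table in 4.5.

```python
# Added example (not 7705 SAR code): first-match filter evaluator built from the
# CSM/IP filter match criteria in the text. Addresses and policy are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}   # protocol identifiers named in the text


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False                 # TCP SYN bit state
    ack: bool = False                 # TCP ACK bit state
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dscp: str = "be"                  # DSCP name
    fragment: bool = False            # fragmentation state


@dataclass
class Entry:
    """One filter entry; any criterion left as None is a wildcard."""
    action: str                                  # "accept" or "drop"
    src: Optional[str] = None                    # prefix with mask, e.g. "10.0.1.0/24"
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[Tuple[int, int]] = None      # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    syn: Optional[bool] = None
    ack: Optional[bool] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dscp: Optional[str] = None
    fragment: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

        def in_range(port, rng):
            return rng is None or rng[0] <= port <= rng[1]

        def eq(want, have):
            return want is None or want == have

        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and eq(self.proto, p.proto)
                and in_range(p.sport, self.sport) and in_range(p.dport, self.dport)
                and eq(self.syn, p.syn) and eq(self.ack, p.ack)
                and eq(self.icmp_type, p.icmp_type) and eq(self.icmp_code, p.icmp_code)
                and eq(self.dscp, p.dscp) and eq(self.fragment, p.fragment))


class Filter:
    """Entries are evaluated in order; the first match decides, otherwise default_action."""
    def __init__(self, entries: List[Entry], default_action: str = "drop"):
        self.entries = entries
        self.default_action = default_action

    def evaluate(self, p: Packet) -> str:
        for e in self.entries:
            if e.matches(p):
                return e.action
        return self.default_action


# Constructed closed user group (management servers and CLI users) and node address.
CUG = "10.0.1.0/24"
NODE = "10.0.1.1/32"


def build_csm_filter() -> Filter:
    """A CSM-style policy: only the closed user group reaches SSH, SNMP and ping;
    fragments and SYNs from anywhere else are dropped; everything else is dropped."""
    return Filter([
        Entry("drop", fragment=True),                                               # no fragments toward the CSM
        Entry("accept", src=CUG, dst=NODE, proto=PROTO["tcp"], dport=(22, 22)),     # SSH from the CUG
        Entry("accept", src=CUG, dst=NODE, proto=PROTO["udp"], dport=(161, 162)),   # SNMPv3 from the CUG
        Entry("accept", src=CUG, dst=NODE, proto=PROTO["icmp"], icmp_type=8),       # echo request from the CUG
        Entry("drop", proto=PROTO["tcp"], syn=True, ack=False),                     # SYN from outside the CUG
    ], default_action="drop")
```

The same evaluator models an IP filter on a network port; the difference is the entry list, which for a network port has to admit the in-band OAM and management flows the text mentions before the catch-all drop.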
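The MD5 authentication recommended at the start of this section is a keyed digest over each protocol message. The following added example (not the 7705 SAR's implementation, and a simplification of OSPFv2 cryptographic authentication as described in RFC 2328, Appendix D) shows what a receiver actually gets from it: a message built with the wrong key, a message altered in transit, or a replayed message is rejected, while the body of an accepted message is still readable, because the keyed digest provides integrity and origin authentication rather than confidentiality. The keys, key ids, message bodies and the 6-byte authentication header layout are constructed for the example; real OSPF carries these fields inside the packet header.

```python
# Added example (not the 7705 SAR implementation): keyed-MD5 protection of a routing
# protocol message in the style of OSPFv2 cryptographic authentication (RFC 2328 App. D).
# Keys, key ids, bodies and the simplified header layout are constructed.
import hashlib
import hmac
import struct

KEY_LEN = 16        # the key is zero-padded to 16 bytes before hashing (RFC 2328 D.4.3)
DIGEST_LEN = 16
HDR = struct.Struct("!BBI")   # key id, auth data length, cryptographic sequence number


def keyed_md5(message: bytes, key: bytes) -> bytes:
    """MD5 over the message followed by the padded key (what OSPFv2 does; not an HMAC)."""
    return hashlib.md5(message + key[:KEY_LEN].ljust(KEY_LEN, b"\x00")).digest()


def protect(body: bytes, seq: int, key_id: int, key: bytes) -> bytes:
    """Sender side: header + body, with the 16-byte digest appended as a trailer."""
    message = HDR.pack(key_id, DIGEST_LEN, seq) + body
    return message + keyed_md5(message, key)


class Neighbor:
    """Receiver state: configured keys by id and the last accepted sequence number."""
    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = -1

    def verify(self, frame: bytes) -> str:
        if len(frame) < HDR.size + DIGEST_LEN:
            return "reject: truncated"
        message, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
        key_id, length, seq = HDR.unpack(message[:HDR.size])
        key = self.keys.get(key_id)
        if key is None or length != DIGEST_LEN:
            return "reject: unknown key id"
        # Constant-time compare: a forged, wrong-key or modified message fails here.
        if not hmac.compare_digest(keyed_md5(message, key), digest):
            return "reject: bad digest"
        # Replay check. This example requires strictly increasing sequence numbers,
        # which is stricter than RFC 2328 (that accepts an equal value).
        if seq <= self.last_seq:
            return "reject: replay"
        self.last_seq = seq
        return "accept"


def body_of(frame: bytes) -> bytes:
    """The protected body is carried in the clear: keyed MD5 gives integrity and
    origin authentication, not confidentiality."""
    return frame[HDR.size:-DIGEST_LEN]
```

The sequence number is what defeats replay; the digest alone would accept a captured message forever, which is why the RFC ties the two together and why key rollover should also bump the key id rather than reuse it.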

4.4 Providing Data Plane Security

The services available on the 7705 SAR are Virtual Leased Line (VLL) services. These are point-to-point transport services which use the MPLS infrastructure to set up end-to-end connectivity. The Label Switched Paths (LSPs) allow a service to be carried between two Provider Edge (PE) nodes across the MPLS network. MPLS provides a level of abstraction between the service provided and the network infrastructure in place; therefore, many technologies can use the same underlying topology, agnostic to the physical infrastructure. The types of VLL service supported are epipe (Ethernet VLL), ipipe (IP VLL), apipe (ATM VLL) and cpipe (Circuit Emulation VLL, SAToP and CESoP).

- epipe services do not learn MAC addresses from the connected network. All traffic arriving on a port is transported to the far-end PE node. MAC flooding or IP-layer DoS attacks have no effect on the network element, as no resources are depleted while using this service. Additionally, traffic from this service access point is not sent to the CSM, so there are no possible threats to the Control and Management plane. ACL filters can be applied to the access interface to limit access to the service and network.
- ipipe services transparently forward all packets received to the far-end PE node. No native IP routing of customer packets occurs. This also means there is no route learning and no protocol traffic running between the CE and PE nodes. Both ends of the ipipe service are configured with host IP addresses (/32). Any ARP requests received for IP addresses other than those configured are silently dropped. The MAC address is only learned for the configured IP addresses. No traffic from these service access points is forwarded to the CSM for processing, thus protecting the Control and Management plane.
  ACL filters can be applied to the access interface to limit access to the service and network.
- apipe services transparently forward ATM traffic to the far-end PE node. No MAC learning or IP information is required, and no traffic from these service access points is forwarded to the CSM for processing.
- cpipe services transparently forward TDM (circuit emulation) traffic to the far-end PE node. No MAC learning or IP information is required, and no traffic from these service access points is forwarded to the CSM for processing.

4.5 Security Threat Mitigation

The table below maps security threats to proposed mitigation tactics within the network on the 7705 SAR.

Security Threat | Mitigation | Comment
Spoofing IP Addresses | Access Control Lists; MD5 Authentication | Using ACL features can limit the data flow between known entities within the network on a per-SAP basis. Signaling protocols can use MD5 authentication to mitigate the risk of external users getting access to IP topology information.
Sniffing Passwords | SNMPv3 Security; Secure Shell (SSH) | SNMPv3 security helps limit the risk by providing confidentiality and integrity features. Use SSH to provide encryption of passwords and configurations.
Session Hijacking | Access Control Lists; MD5 Authentication | Using ACL features to limit where and to whom traffic can flow. Using MD5 to protect against signaling session hijacking.
Authentication, Accounting & Authorization Attacks | SNMPv3 Security and Secure Shell; Exponential Back-off | Use hashing and encryption to help prevent access to the network device. Helps to prevent dictionary attacks.
Denial of Service Attacks (DoS) | CSM Filters | Restrict access to the device by creating an Access Control List specifically for the CSM. ACL or CSM Filters can be configured to reject SYN messages from users with IP addresses outside the closed user group.
Physical Security | Access Control Lists, CSM Filters. Disable all unused Ethernet ports on the system. Strong management port password configuration. | The 7705 SAR uses the concept of SAP (service access point) and Service associations. Without initial configuration there is no access to the system. The management port and console port require password authentication. It is recommended that the default password be changed prior to or during initial configuration and commissioning.
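The "Exponential Back-off" row above and the login behaviour described in 4.2 (back-off on the console port, SSH and Telnet sessions terminated after four failed attempts, failed logins recorded as Security Events) fit together as one control. The following added example (illustrative code, not the 7705 SAR's own login logic) models that control so the two outcomes can be seen side by side: console failures return a growing delay, remote sessions are cut off on the fourth failure, and every outcome lands in a security event log that an operator can count per source. The one-second base delay, the session model and the event line format are constructed for the example.

```python
# Added example (not the 7705 SAR implementation): login guard modelled on the text,
# with console back-off, remote session termination after four failures, and
# security/change event logging. Delay base and event format are constructed.
from dataclasses import dataclass, field
from typing import List

MAX_FAILURES = 4        # from the text: SSH/Telnet sessions terminate after four failed logins
BASE_DELAY = 1.0        # assumed seconds for the first console back-off step


@dataclass
class Session:
    kind: str               # "console", "ssh" or "telnet"
    source: str             # peer address, or "local" for the console port
    failures: int = 0
    terminated: bool = False


@dataclass
class LoginGuard:
    security_events: List[str] = field(default_factory=list)   # Security Events source
    change_events: List[str] = field(default_factory=list)     # Change Events source

    def attempt(self, s: Session, user: str, password_ok: bool) -> dict:
        """Evaluate one login attempt and return the result plus any delay to impose."""
        if s.terminated:
            return {"result": "terminated", "delay": 0.0}
        if password_ok:
            s.failures = 0
            self.security_events.append(f"login ok user={user} via={s.kind} from={s.source}")
            return {"result": "accept", "delay": 0.0}
        s.failures += 1
        self.security_events.append(
            f"login failed user={user} via={s.kind} from={s.source} count={s.failures}")
        if s.kind == "console":
            # Exponential back-off: 1, 2, 4, 8 ... seconds before the next prompt.
            return {"result": "retry", "delay": BASE_DELAY * 2 ** (s.failures - 1)}
        if s.failures >= MAX_FAILURES:
            s.terminated = True
            self.security_events.append(f"session terminated via={s.kind} from={s.source}")
            return {"result": "terminate", "delay": 0.0}
        return {"result": "retry", "delay": 0.0}

    def record_change(self, user: str, command: str) -> None:
        """Configuration activity belongs in the change event source, not the security one."""
        self.change_events.append(f"config change user={user} cmd={command}")

    def failed_logins_from(self, source: str) -> int:
        """What a monitoring system would count to spot a dictionary attack from one source."""
        return sum(1 for e in self.security_events
                   if e.startswith("login failed") and f"from={source}" in e)
```

Counting failures per source rather than per account is what surfaces a dictionary attack that rotates usernames; the per-account counter alone is what an attacker can use to lock legitimate users out, which is the risk 4.1 describes.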

5 Conclusion

Using the ITU-T X.805 Security Architecture has provided a systematic overview that allows the feature functionality of the 7705 SAR to be reviewed within the end-to-end network. The features available on the system address the threats that are possible at the management plane, control plane and data plane for both infrastructure and services. Proper analysis of the provider network, in conjunction with the configuration of the available 7705 SAR security features, can greatly reduce the threats presented by malicious users. Network operators must maintain ongoing monitoring of the systems in place, look for weaknesses in their security implementation, and maintain methods to prevent exposure to ongoing threats.

References

1. ITU-T X.805, Security Architecture for Systems Providing End-to-End Communications, Oct. 2003.
2. Alcatel-Lucent Application Note, Alcatel-Lucent 7750 Service Router and 7450 Ethernet Service Switch Security Features, Network Design Engineering, March 2007.
3. Alcatel-Lucent White Paper, SR-OS Security Best Practices, SR-OS PLM Group & Security Competence Center.

Glossary of Terms ACL Access Control List It is filter policy and can be applied on ingress or egress to a service SAP on an interface to control the traffic access apipe Another term for ATM VLL service. ATM BFD CCITT Asynchronous Transfer Mode Bidirectional Forward Detection Comité Consultatif IInternational Téléphonique et Télégraphique A lightweight low-overhead protocol for short-duration detection of failures in the path between two systems. Now known as the ITU. CE Customer Edge CEs are the routers in customer s network that connect to PEs. CLI Command Line Interface A text based user interface to configure a 7x50 node. CPE Customer Premise Equipment Equipment that is installed in customer premises by a service provider to connect to a specific service. cpipe Another term for a circuit emulation VLL service. CSM Control and Switching Module Central processing card for the 7750 SAR chassis. DoS (or DDos) (Distributed) Denial of Service An attempt to make a computer resource unavailable to its intended users by sending large amounts of data. In order to achieve the large volume of traffic required a person may use many sources of traffic called a Distributed Denial of Service. DSCP Diffserv Code Point A field in the header of IP packets for packet classification purposes. ECMP Equal Cost Multipath A next-hop packet forwarding mechanism which forwards packets to a single destination over multiple equally classified paths through the network. epipe Another term for Ethernet VLL service. FRR Fast Reroute A mechanism which allows for MPLS paths to change their direction based on failures in the network. The decision to change the route is normally done at the point in the network where the failure occurs which also for detection and protection to occur very quickly. FTP File Transfer Protocol A protocol which allows for the transmission and manipulation of files between two systems on an IP network. 
ICMP Internet Control Message Protocol Used between two systems to send control information such as error messages. IP Internet Protocol A network layer protocol underlying the Internet, which provides an unreliable, connectionless, packet delivery service to users. IP allows large, geographically-diverse networks of computers to communicate with each other quickly and economically over a variety of physical links. ipipe Another term for an IP VLL service. ITU-T International Telecommunication Union Telecommunications A telecommunications standards body for intergovernmental public and private activities. Formatted: Font: (Default) Times New Roman, 10 pt, French (France) Formatted: French (France) Alcatel-Lucent Proprietary and Confidential. 2009/2010 All Rights Reserved. 15

LSP (Label Switched Path): A sequence of hops through which a packet travels by label switching.

LSR (Label Switch Router): A node capable of forwarding datagrams based on a label.

MAC (Media Access Control): A media-specific access control protocol within the IEEE 802 specifications. The protocol covers medium sharing, packet formatting, addressing, and error detection.

MD5 (Message Digest 5): MD5 authentication uses the password as an encryption key. Routers in the same routing domain must be configured with the same key. When the MD5 hashing algorithm is used for authentication, MD5 verifies data integrity by creating a 128-bit message digest from the data input, which is included in each packet. The packet is transmitted to the router neighbor and can only be decrypted if the neighbor has the correct password.

MIB (Management Information Base): A type of database used to manage devices in a communications network.

MPLS (Multi-Protocol Label Switching): MPLS technology supports the delivery of highly scalable, differentiated, end-to-end IP and VPN services. The technology allows core network routers to operate at higher speeds without examining each packet in detail, and allows differentiated services.

NSF (Non-Stop Forwarding): The ability to keep the forwarding plane in operation even while the control plane is not functioning properly.

NSR (Non-Stop Routing): The ability to keep the routing information base in sync when an activity switch occurs on a CSM and activity is transferred to the standby CSM.

OSPF (Open Shortest Path First): A link-state protocol used to communicate routing topology information through an internal network.

P (Provider): A network element used to carry traffic between PE nodes.

PE (Provider Edge): PEs are the routers in the service provider's network that connect to CEs.
RADIUS (Remote Authentication Dial-In User Service): A client/server security protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize access to the requested system or service.

RSVP-TE (Reservation Protocol - Traffic Engineering): An MPLS protocol used to distribute label information for the creation of LSP paths.

SAP (Service Access Point): A SAP identifies the customer interface point for a service on a 7x50.

SAR (Service Access Router)

SFTP (Secure FTP): Uses SSH mechanisms to secure the FTP transmission.

SNMP (Simple Network Management Protocol): A protocol that allows for the Operation, Administration and Management of a network element.

SSH (Secure Shell): A network protocol that allows data to be exchanged over a secure channel between two networked devices.

TCP (Transmission Control Protocol): TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

TACACS+ (Terminal Access Controller Access Control System Plus): An authentication protocol that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system.

UDP (User Datagram Protocol): A simple protocol used to transmit data between two networked devices.

VLL (Virtual Leased Line): A VLL provides a point-to-point connection between two nodes in a routed network.

2008 Alcatel-Lucent. All rights reserved.