LUCENT S ENTRY INTO NETWORK SECURITY and Distributed System Security Symposium March 12, 1998 H. M. Gittleson Director, Internet Security Products Group 1
Traffic Growth In Voice And Data Services 250 Data Traffic Growth 300% CAGR Relative Capacity 200 150 100 50 Voice Traffic Growth 5% CAGR 0 1996 1997 1998 1999 2000 2001 Source: Vint Cerf, MCI 2
Changing Traffic Types Traffic Mix by Protocol US WANs 100% 80% 60% 40% Others IPX SNA TCP/IP 20% 0% 1994 1996 1998 2000 2002 Source: Gartner Group, The Changing Protocol Mix in Enterprise s 4/1/97... and the traffic mix will be dominated by TCP/IP 3
Standards-Based Data Communications Architecture Target Architecture for Data Communications Business Applications Messaging Collaboration Information Publishing Transactions Systems/Application Integration (New and Legacy) Example Services Fax email Universal Video Groupware Screenshare DB Host Intranet Push Web Host Transaction Process Electronic Fulfill Virtual Private Data Resource Management (Configuration, QOS, BW allocation) Management, SNMP (e.g., OpenView) Security, (authentication, privacy, access control) Data transport (IP and legacy - IPX, SNA, DECNet) Infrastructure Broadband Access and Wide-area infrastructure 4
Value-Added Service Offerings Value-added Services Demand Service Implications Quality of Service Guaranteed Bandwidth Redundancy Security Authorization Authentication Encryption User Privilege End-to-End Management Fault Management Configuration Management Billing Usage Based Services Based on QOS and Security 3500 3000 2500 2000 1500 1000 500 0 ISP Security Services Revenue 1996 1997 1998 1999 2000 Source: IDC QOS Security * Multiple Price Levels Per Service Price Price There Is a Demand for a Number of Value-Added IP Services That Current ILEC Data s Don t Support 5
Lessons Learned In Designing The Next Generation Firewall Hardening a Flawed OS Is Just Delaying Disaster NT and UNIX Do Not Provide Secure Foundations for Firewall Design Firewalls Should Be Invisible to the Firewalls Are Chokepoints by Design Thus They Must Be Fast and Reliable Security Needs To Be Distributed Separate Management and Security Functions Must Be Part of the Initial Design Capability to Share a Firewall Is Needed Important for Service Providers and Intranets Management Server Should Be Platform Independent and Easy to Use 6
Next Generation Firewall We Took the Best of What is Out There - Stateful Packet Filtering Proxy Application Gateway Bridge Level Firewall T3+ Throughput Performance Central Administration of Multiple Firewalls Address Translation Virtual Private ing Based on IPSEC Standards 7
Next Generation Firewall And Made It Much Better - Created a Separate Firewall Appliance Built it on a Real-Time, Secure OS (Inferno) Added Support For Multiple Security Policy Zones * Supported Secure Multimedia Applications Without Proxies * Added Advanced Web-based Administration Separated Administration From Policy Management Provided a Central Audit Facility With Dynamic Alarms and Reports Provided Future Expansion With Support of Remote Proxies * * Patents pending 8
Multiple Policies On A Single Firewall Internet Security Policy #1 ( Public ) Public Web Servers Extranet Security Policy #2 (Corporate Intranet) Corporate Backbone Security Management Server One Firewall Can Support More Than One Security Policy* Control of Each Policy Is Restricted to a Unique Security Administrator * Patent Pending for Bell Labs Technology 9
Single Policy On Multiple Firewalls Region #1 Region #2 Region #1 Sales Single Sales Security Policy Region #2 Sales Policies Are Defined Logically, Not Physically or Geographically Internet The Same Security Policy Can Be Applied to Multiple Firewalls Region #1 Human Resources Region #2 Human Resources Single H.R. Security Policy 10
Enterprise Security Model Public Policy NOC Policy Public Web Servers Operations Extranet R Shipping Policy Internet R Corporate Backbone R Intranet Policy Shipping The Enterprise Is Segmented Into Internet, Extranet and Intranet Zones Security is an enabler that increases overall productivity--both within and outside the company Payroll/Accounting Systems Finance Finance Policy Trading Partners can access information to meet their specific needs 11
Service Provider Model Customer #1 Security Zone Customer #1 Customer #2 Security Zone R CSU/ DSU ISP s Operations Service Providers/ISPs Can Easily Offer Firewall Management Service Value-Add with Lower Total Cost of Ownership=Increased Profits Customer #2 Customer #N Security Zone Customer #N R R CSU/ DSU CSU/ DSU ISP s Backbone Increase Customer Loyalty, Reduce Churn Understand Customer Needs for New Services ISP s CPE 12