MANAGING NETWORK SECURITY

284 23-3075 Ue Rev A MANAGING NETWORK SECURITY Ocber 2006 Whe Paper Newrk secury eeds be addressed usg a chere apprach.

Ces 1 Execuve summary...3 2 Wha causes prblems elecm ewrks...4 3 Srucured apprach secury...5 3.1 Idefyg eeded secury servces ad fucs...5 3.2 Newrk Secury Archecure Referece Mdel...6 4 Maagg Secury...8 4.1 Irduc...8 4.2 Cmm Prcples...8 4.3 The Secury Wheel...9 4.4 Secury A cuus prcess...10 4.5 Busess Cuy Maageme...11 4.6 Newrk Secury Desg...12 4.7 Newrk Cfgura / Iegra...13 4.8 Newrk Secury Auds...13 4.9 Newrk Secury Implemea...13 5 Cclus...14 6 Acryms...15 7 Refereces...16 284 23-3075 Ue Rev A Ercss AB 2006 Publc 2 (16)

1 Execuve summary As ew ed-user servces are rduced day s cverged mul-servce ewrks, elecm ewrk secury becmes mre f a ssue fr perars ad a demad frm publc users, eerprses ad gverme ageces. If gve he apprprae ae, he echlges ha delver hese servces may acually degrade he secury f he ewrk ver whch he servce s delvered. Secury breaches, wheher hey dsrup servces r cmprmse frma, cause facal lsses. Examples are facal peales fr falg maa perfrmace agreemes, ls reveue caused by ewrk dsrups, ls csumer lyaly, ll wll, lawsus, ad dusral espage. Mrever, dvdual publc users, ageces ad crpras are demadg hghly secure cecs elecm ewrks; servce prvders wh ramg agreemes wa secure erfaces wh her ramg parers ad surace prvders, always cscus f rsk, are ssg up srge secury. Telecm Newrk Secury awareess ad acg pracvely ca, apar frm reducg rsk, als reduce peraal cs. The perar eeds a ruswrhy secury sry f hey are be ake serusly he markeplace. The Ercss apprach s address secury a a early sage a srucured maer; frm prcedural, persel, physcal ad echcal ps f vew. I hs way a secure, cs effecve secury slu ca be esablshed ad maaed prec sesve frma ad ewrk perar busess. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 3 (16)

2 Wha causes prblems elecm ewrks Tradally, elecm ewrks refer he frasrucure requred esablsh a ed--ed rasfer f aalgue r dgal frma. Ths cmprsed he rasmss ad swchg frasrucure. Tday, he frasrucure s dvded layers rder acheve a hgher level f servce egra. The ew frasrucure supprs fxed ad wreless ewrk servces. Telecm ewrks dsgush bewee raffc (e.g., vce, daa ad mulmeda) ad crl (sgalg). A dffere layer, called cecvy ewrk, s defed fr raffc, ad aher layer, called crl layer, s defed fr sgalg. As mre applcas ad servces appeared, aher layer was rduced, he servce layer. Operas & Maeace (O&M) ewrks requre hgh secury, ad ha leads aher sublayer wh he cre ewrk. Wh all he advaages ha we ca me abu he egraed layered archecure f elecm ewrks, we shuld verlk he creasg umber f secury ccers ha apply all ypes f servces ad all levels f he elecm ewrk. Access ewrks are subjec deal-f-servce aacks ad varus uauhrzed-access aacks. Fxed ewrks suffer frm clp- access ad asscaed fraud, as well as vla f prvacy. Wreless ewrks d requre physcal access, ad are eve mre expsed. Mbly adds her vulerables ad hreas, cludg SIM card clg, subscrp frauds, ma--he-mddle aacks ad s. Cre ewrks have a mulude f ercec ps, whch mea dffere secury requremes ad pssble expsure a wde rage f hreas ad vulerables. Aacks he cre wuld lead larger mpacs he dffere servces ad sakehlders, such as ed users, servce ad applca prvders, ad he perar self. Sealg passwrds ad accessg he maageme prs, aackg he sgalg layer, argeg daabases f subscrbers, HLRs, OSSs, ewrk elemes, gaeways, ad applca servers culd lead secury vlas, fraud ad servce errup. As ewrks grw ad becme creasgly cmplex, he rsk f hles secury due cfgura ad/r desg msakes creases. As creasgly mre busesscrcal applcas rely he avalably f he ewrks, he expsure lss s als becmg drascally hgher. Users expec relably all rasacs, depede f access, ad guaraeed cec qualy. Frm a secury p f vew, he user expecs vruses, wrms, fraud, bdy lseg, ad he ably kw wh requess a cmmuca sess. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 4 (16)

3 Srucured apprach secury 3.1 Idefyg eeded secury servces ad fucs Secury slu develpme begs wh hrea-rsk aalyss. I s requred defy asses, hreas ad vulerables, rak he dffere asses he rder f her mprace fr he busess, ad evaluae dffere aleraves hadle he rsk. The rsks are he gruped caegres such as: Mus be mmzed/elmaed Shuld be mmzed/elmaed Accepable. Ths frma eables decs-makers capure requremes ad specfy he mplemea f secury servces ad fucs. 3.1.1 Secury Plcy A secury plcy shuld be a saeme f maageme e, supprg he gals ad prcples f frma secury le wh he busess sraegy ad bjecves. The plcy perfrms several fucs ha help esure he effecveess f whaever secury sraegy he rgaza pursues. Specfcally, : Defes frma secury ad s verall bjecves ad scpe. Defes accepable secury pracces; a framewrk fr seg crl bjecves ad crls, cludg he srucure f rsk assessme ad rsk maageme. Esablshes rles ad respsbles; a def f geeral ad specfc respsbles fr frma-secury maageme, cludg reprg frma-secury cdes. Brefly explas he secury plces, prcples, sadards, ad cmplace requremes f parcular mprace he rgaza, cludg: - Cmplace wh legslave, regulary, ad cracual requremes - Secury educa, rag, ad awareess requremes - Busess cuy maageme. The secury plcy framewrk shuld be he hub arud whch all secury-relaed servces ad fucs evlve. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 5 (16)

3.2 Newrk Secury Archecure Referece Mdel T prvde adequae secury, s mpra be able mdel he mble ewrk ad aalyze he hreas asses. The fllwg hree-plae archecure (based he eraal sadard X.805) prvdes a useful ad smple way f capurg releva frma. Ths mdel csss f fur archecural cmpes: separae secury plaes, secury layers, secury servces, ad secury plces & prcples. Separaed Secury Plaes Secury Dmess Applca Secury Layer New. Servces Secury Layer Ifrasrucure Secury Layer O&M Secury Plae Applca Secury Layer Ed User Secury Plae Applca Secury Layer New. Servces Secury Layer Ifrasrucure Secury Layer Sgalg ad Crl Secury Plae A c c u a b l y A u h e c a A u h r z a A v a l a b l y C f d e a l y I e g r y N - R e p u d a P r v a c y Threas Dsclsure Mdfca Desruc/ lss Ierrup Uauhrzed access Aacks New. Servces Secury Layer Ifrasrucure Secury Layer Secury Plces & Prcples: Defese Deph, Leas Prvlege, Fal Safe Sace, Chke P, Dversy Defece... Fgure 1. Newrk Secury Archecure Mdel 3.2.1 Secury Plaes Newrks shuld be desged such a way ha eves e secury plae are kep ally slaed frm he her secury plaes. The ccep f secury plaes prvdes he ably dffereae ad address secury ccers depedely. The Ed-User Secury Plae addresses secury f access ad use f he servceprvder's ewrk by cusmers. Ths plae als represes acual ed-user daa flws. The Sgalg ad Crl Secury Plae cvers prec f he acves ha eable he effce delvery f frma, servces ad applcas acrss he ewrk. The O&M Secury Plae cvers he prec f pera ad maeace fucs. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 6 (16)

3.2.2 Secury Dmess The secury dmess are sysem aspecs whch ru hrugh all secury slus. Hwever, secury slus ad mechasms are used fr mplemeg he secury dmess. All secury dmess shuld be evaluaed each secury plae/layer ersec p. The ms cmm es are: auheca auhrza accuably avalably cfdealy egry -repuda ad prvacy 3.2.3 Secury plces & prcples T ehace prec f he ewrk, specfc secury prcples ad bes pracces are cmmly used. Prbably he ms mpra e s he defese--deph prcple: emply several secury mechasms ad secury layers prvde prec. If e f he mechasms r layers fals, he her mechasms ad layers are sll place prvde suffce prec. Ths prcple s cmmly used prec he permeer f a se, as depced earler Fgure 1. The leas prvlege s aher fudameal secury prcple. I meas ha a ey shuld ly have he prvleges eeds perfrm s asks. Ths s f ums mprace whe csderg de prec. The servces rug a de shuld have ly he prvleges hey eed prvde he servce ad he de shuld be rug ay uecessary servces. Sysems ad des shuld als mpleme he fal-safe prcple. Ths meas ha whe he sysem r de fals, shuld fal whu harmful sde effecs. Smemes, he dversy-f-defese prcple mgh als be useful. Ths prcple s based usg dffere ypes f sysems prvde a cera kd f prec. If e f he sysems cas vulerably, he her sysems mgh have ha vulerably ad he mpac f he vulerably s hus mgaed. A chke p frces aackers use a arrw chael, whch ca be mred ad crlled. I ewrk secury he prper permeer prec fr he se s such a chke p; aye aackg he se frm he usde wll have g hrugh ha chael, whch shuld be defeded agas such aacks. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 7 (16)

4 Maagg Secury 4.1 Irduc T be able make sud secury judgmes, bh he parcular busess cex ad he ewrkg evrme mus be fully udersd. T suppr he whle elecm sysem lfe cycle, frm ed--ed, he fllwg peras have be uderake: Busess Cuy Maageme Newrk Secury Desg Newrk Cfgura / Iegra Newrk Secury Auds Newrk Secury Implemea Fraud Maageme. 4.2 Cmm Prcples The secury peras address: Rsk Maageme: all ewrk pera mples a cera rsk ha mus be acceped, avded, reduced r rasferred. Busess Cuy: he perar s crcal prcesses ad frma shuld be preced frm dsclsure ad/r dsrup. Lwerg perar css: well hugh-u secury slus prvde a payback erms f reduced perag css, reduced rsk f fraud, a reduced rsk f crcal secury-relaed ewrk uages ad peally less chur. The fllwg chaper descrbes hw he dffere sub-peras cmpleme each her ad f he Secury Wheel ccep, frmg cuus secury maageme. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 8 (16)

4.3 The Secury Wheel Ths dusry-sadard mdel has bee chse llusrae where secury maageme fs, ad hw all secury acves a ewrk mus evlve arud he secury plcy; see fgure chaper 4.4. The ccep sees ewrk secury as a cug prcess bul arud a crprae secury plcy. Ths prcess s dvded he sages: Impleme ewrk secury Mr ewrk ad respd cdes Tes he secury f he ewrk Imprve ewrk secury. Impleme ewrk secury Secury devces such as permeer des, VPN devces, frewalls, Irus Deec/Preve Sysems (IDS/IPS) ad auheca devces are plaed, cfgured ad egraed. The purpse s preve acves ha he plcy has defed as hreas. Mr/Respd The mplemeed secury plcy s valdaed usg rus deec, as well as lg ad her audg echques, wach fr vlas. Tes The effecveess f he plcy shuld be evaluaed a regular ervals hrugh secury auds, vulerably scag ad/r peera ess. Maage/Imprve Ifrma gahered frm prevus seps s aalyzed ad used geher wh develpmes he secury marke mprve he plcy, mvg arud he crcle he frs sep aga. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 9 (16)

4.4 Secury A cuus prcess - Busess Cuy Maageme - Nw Secury Assessme - Nw Secury Aalyss (cl. peera ess) - Nw Secury Desg - Nw Cfgura/Iegra Fgure 2. The Secury Wheel mdel - Nw Maageme - Fraud Maageme - Nw Secury Assessme/Aalyss Secury Plcy Is, geher wh he Rsk Aalyss, he ms fudameal par f ay cmpay s secury/busess cuy prcess. These ca be checked ad/r develped as a par f eher he secury assessme servce r he busess cuy servce. Busess Cuy als cludes such aspecs as, fr example, crss maageme, dsaser recvery, ad rgaza reslecy. Rsk Aalyss ad Readess plag s f ums mprace guaraeeg he safe lauch f a ew servce. Impleme Newrk Secury Newrk Secury Desg esures ha secury s mplemeed accrdg bes elecm pracces, ad he level plaed fr he secury plcy. Als, cfgura ad egra mus be perfrmed he ms secure maer pssble, ad accrdg plas. Mr/Respd Newrk Maageme persel mr lgs, whle Irus Deec Sysem real-me alarms deec ay sgs f aemped plcy vlas. Fraud-maageme prcesses ad slus saly deec malcus ed-user behavr. The ewrk secury rgaza mus be cuusly updaed wh he laes mehdlgy perfrm IDS/IPS ug, lg aalyss ad cmpuer frescs. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 10 (16)

Tes Dealed sysem cfgura aalyss ad ess, cludg peera ess ad vulerably scag mus be perfrmed a regular bass. Ths als cludes exercses arud seleced scears, fr example, a cmpay s dsaser recvery pla. Maage/Imprve A ls f suggesed secury mprvemes always frm par f he upu f a secury Assessme, Aalyss, Fraud r Busess Cuy acvy. They ca be caegrzed as prcedural, physcal, echcal r relae he persel. 4.5 Busess Cuy Maageme Busess Cuy Maageme (BCM) crpraes ly busess cuy plag ad dsaser recvery, bu als he dscples f crss maageme, rsk maageme, facles maageme, healh ad safey, secury, qualy maageme ad supply cha maageme. I ca be see as a super se f secury maageme prcesses. The BCM prcess s dvded sx sages shw Fgure 3 ad explaed belw. Fgure 3: The sx sages f Busess Cuy Maageme Udersadg yur busess: hs phase fcuses defyg he Mss-Crcal Acves (MCAs) f he busess; he uderlyg echlgy, eral ad exeral depedeces ha suppr hese MCAs; ad ay exsg sgle ps f falure. A example s he mpac f a lss f a swch se, HLR, MSC r bllg sysem. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 11 (16)

Busess Cuy Sraeges: he fcus f hs sage cceraes he defca ad selec f alerave recvery slus, s ha he mpac f a lss r dsrup f a MCA s mmzed ad, as far as pssble, raspare he ed user. The chce f recvery slu represes a rade-ff bewee vesme cs ad effecveess. Develp ad Impleme BCM Plas: hs phase s ccered wh srucurg ad dcumeg he Busess Cuy Pla (BCP). Buldg ad embeddg a cuy culure: BCM mus frm a egral par f he rgaza s day--day busess evrme, s awareess f busess cuy mus be creaed ad maaed. Exercse, Maeace ad Aud: exercses prvde he ppruy fe-ue plas, s he BCP ad BCM sraeges are effecve durg a crss. Prgram Maageme: he rles, respsbles, accuables, assurace ad auhry fr BCM eed be clearly defed s here s cued crda ad gverace f all BCM-asscaed acves hrughu he rgaza. 4.6 Newrk Secury Desg Because secury has be a egral par f he sysem frm he sar, ad ca be bled aferwards, s crucal ge he secury desg rgh frm he very begg. The secury plcy saes he rules, respsbles ad prcedures fllw prec he ewrk ad s carred frma. The ewrk desg shuld als apply bes cmm pracce fr elecm ewrk secury. Tw ma pus he desgg f ewrk secury are a hrea/rsk assessme ad he develpme f a secury plcy. The ma pus a hrea/rsk assessme are he verall secury gals ad secury budge esure he plaed level f secury s reached. The ewrk s dvded zes wh clearly defed raffc flws. Ecryp/VPN echlges are appled where ecessary. I s crucal develp a Newrk Pla fr Secury, cmprsg a repr descrbg he prcedures used, hreas mgaed ad scalably/fucaly pahs fllw fuure phases f he develpme f he ewrk. Als shw he Newrk Pla are he lcas f permeer prec des, placeme f IDS/IPS sesrs, frewalls, ad ecryp des. Gudele scrps fr flerg/secury cfgura are als prduced, alg wh pus he de-hardeg prcess. As wh all secury cfguras, he hree aspecs f fucaly ease f use, ad secury level mus be carefully balaced he desg. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 12 (16)

4.7 Newrk Cfgura / Iegra Whe a ed--ed secury archecure ewrk cfgura s carefully plaed, egra f a ew ewrk r a upgrade/ehaceme f a exsg ewrk ca be perfrmed he bes way, helpg guaraee ha he plaed secury levels wll be mplemeed a srucured way. 4.8 Newrk Secury Auds Newrk Secury auds ca be perfrmed w levels: Newrk Secury Assessme Newrk Secury Aalyss Secury Assessme Newrk-cmm ems such as Secury Plces ad Secury Desg, r fucaly areas such as GPRS, O&M, ad bllg, are auded a hgher level. Dcumea ad plas shuld be suded ad cmpared wh dusry pracce s ha, geher wh ervews wh key persel, recmmedas ca be prduced. Secury Aalyss Fucaly areas r specfc des are examed a dealed way. Nde cfgura scrps are checked. Lg aalyss, vulerably scag ad -desrucve peera ca als be perfrmed. 4.9 Newrk Secury Implemea The suggesed secury mprvemes frm ay prevus secury-relaed servce mus be carefully aalyzed rder chse whch es mpleme. Suggess ca be prcedural, physcal, echcal r relae he persel. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 13 (16)

5 Cclus Secury, he cex f elecm ewrks, ccers all pares vlved: he ed user, he servce prvder, he ce prvder, he applcas prvder, ad he perar. The ccers ca be expressed erms f lss f servce, lss f reveue ad mage, lss f cfdealy, msrus, chur, ad pssble legal acs. Secury crls ad safeguards mus be mplemeed reduce such rsks. Ths shuld ake place all levels f he ewrk ad all sages f ewrk develpme. The ewrk shuld be desged wh secury md ad be easy maage. The ewrk shuld be safeguarded agas curre vulerables ad regularly esed fr ew vulerables ad hreas. Rsks shuld be mgaed ad aacks lgged s as prvde fresc evdece. Secury s a sac prcedure ha ca be appled ce ad fr all. I s a lvg prcess ha grws wh he ewrk, users, applcas, echlgy ad ffeders. Secury shuld be addressed wh echcal, admsrave, prcedural ad echcal cuermeasures. The prmary cmpes f a successful secury sraegy are: Plcy: defe secury bjecves, prcples ad cmplace. Audg: hrughly verfy f plces are efrced effecvely. Deec: wach fr vlas ad fraud a regular bass. Prec: mpleme safeguards mmze rsks crcal asses. Tesg: esure pracve secury measures rema effecve. Oly whe a srucured apprach cludg hese cmpes are srcly fllwed, a suffce secury level ca be acheved ad maaed. 284 23-3075 Ue Rev A Ercss AB 2006 Publc 14 (16)

6 Acryms BC BCP BCM CDR GDR GPRS HLR IDS IP IPDR IPS MCA MMS MSC NW O&M OSI Busess Cuy Busess Cuy Pla Busess Cuy Maageme Chargg Daa Recrd Glbal Daa Recrd Geeral Packe Rad Servces Hme Lca Regsry Irus Deec Sysem Iere Prcl IP Daa Recrd Irus Preve Sysem Mss Crcal Acvy Mulmeda Messagg Servces Mble Swchg Cere Newrk Opera & Maeace Ope Sysem Iercec RDBMS Relaal Daabase Maageme Sysem VPN Vrual Prvae Newrk 284 23-3075 Ue Rev A Ercss AB 2006 Publc 15 (16)

7 Refereces Ercss Revew arcle, Issue 02/2004: Secury Archecures fr mble ewrks hp://www.ercss.cm/abu/publcas/revew/2004_02/fles/2004125.pdf Ercss Revew arcle, Issue 02/2006: Mble Plafrm Secury hp://www.ercss.cm/ercss/crpf/publcas/revew/2006_02/fles/mble_ plafrm_secury.pdf Ercss Whe Paper, 284 23-3064 Rev A: C4ISR fr Newrk-Oreed Defese hp://www.ercss.cm/echlgy/whepapers/3064_c4isr_a.pdf Draf ITU-T Recmmeda X.805 (Frmerly X.css): Secury archecure fr sysems prvdg ed--ed cmmucas hps://www.ef.rg/iesg/liaison/u-sg17-ls-x805-ed2edcmmucas.pdf#search=%22%22x.805%22%22 284 23-3075 Ue Rev A Ercss AB 2006 Publc 16 (16)