security unified architecture


  • 8/7/2019 Security Unified Architecture

    1/50

    The greater the reach and availability of the network, the greater its vulnerability to threats from within and outside the organization.

    The new openness of networked communications introduces new ethical, financial, and regulatory pressures to protect networks and enterprises from internal and external threats and attacks.

    Every IT security professional should be up-to-date on the Top Ten challenges to enterprise security and the latest recommendations to address those challenges.

    White Paper

    Nortel Networks

    Unified Security Architecture for enterprise network security

    A conceptual, physical, and procedural framework for high-performance, multi-level, multi-faceted security to protect campus networks, data centers, branch networking, remote access, and IP telephony services.

    Contents

    Executive summary . . . 3

    Part I. The Top Ten challenges to enterprise network security . . . 4
    Enterprise Security Challenge #1: The Internet was designed to share, not to protect
    Enterprise Security Challenge #2: Security is not optional . . . 5
    Enterprise Security Challenge #3: The bad guys have good guns . . . 5
    Enterprise Security Challenge #4: Security threats recognize no boundaries
    Enterprise Security Challenge #5: Security depends on people, process, and technology
    Enterprise Security Challenge #6: It's not enough to guard the front gate . . . 7
    Enterprise Security Challenge #7: There's no stock blueprint . . . 7
    Enterprise Security Challenge #8: Frisking everybody and everything takes time
    Enterprise Security Challenge #9: Grace under fire is a requirement . . . 9
    Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date

    Part II. The Nortel Networks Unified Security Architecture . . . 10
    2.1. Multi-layer security across application and network levels
    2.2. Variable-depth security
    2.3. Closed-loop policy management
    2.4. Uniform access management
    2.5. Secure network operations
    2.6. Secure multimedia communications
    2.7. Network survivability under attack
    2.8. The closed-loop policy management reference model
    2.9. A closer look at uniform access management

    Part III. Network security in the real world . . . 25
    3.1. Securing the campus network
    3.2. Securing the data center
    3.3. Securing the remote office
    3.4. Securing remote access
    3.5. Securing IP telephony services

    Part IV. Nortel Networks technology and expertise . . . 42
    4.1. Design tenets built into the Nortel Networks security portfolio
    4.2. Expanded choice through partnerships
    4.3. Security services
    4.4. Nortel Networks product assurance
    4.5. Nortel Networks and cross-industry security developments

    Summary . . . 46

    Appendix A. Hackers' tools of the trade . . . 47

    Appendix B. Application and network level threats . . . 49

    Executive summary

    Today's connected enterprise faces a security paradox. The very openness and ubiquity that make the Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to share, not to protect. The ports and portals that welcome remote sites, mobile users, customers, and business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and others who would misappropriate network resources for personal gain.

    The only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels and at multiple network points.

    Nortel Networks, a global leader in secure data networking, offers proven solutions to satisfy end-to-end network security requirements. "Security in the DNA" is a key tenet of our strategy for the new enterprise network, a convergence framework we call One Network. A World of Choice.

    This document presents the security component of that enterprise network strategy. The Unified Security Architecture provides a conceptual, physical, and procedural framework of best recommendations and solutions for enterprise network security. It serves as an important reference guide for IT professionals responsible for designing and implementing secure networks.

    What are the requirements and vulnerabilities? What technology options and implementation choices are available? How do you protect the network at all levels? This comprehensive strategy addresses those pressing concerns facing IT security specialists, and offers encouraging news about the depth and breadth of options available for securing critical network resources.

    The Unified Security Architecture is realistic.

    It assumes that all components of an IT infrastructure are targets... that even internal users could be network threats... attacks are inevitable... network performance cannot be compromised by processing-intensive security measures... and IT budgets are constrained.

    The Unified Security Architecture acknowledges the diversity of networked enterprises.

    It is not a one-size-fits-all prescription, but rather a framework of functionality that offers multiple implementation choices suitable for closed, extended, and open enterprises in different industries and for diverse application requirements within all enterprise types.

    The Unified Security Architecture addresses the multi-level complexity of network threats.

    It provides answers on multiple levels: for instance, from a firewall guardian to block intruders at the front gate to encryption to shroud every packet in privacy... from virtual private networks that span the global Internet to virtual LANs that segregate network management traffic from desktop users.

    The Unified Security Architecture promotes a process, rather than an endpoint.

    Effective security is not achieved through a one-time initiative. This architecture outlines measures for strong ongoing policy management, reflecting both human and technical factors.

    Read on for a discussion of the Top Ten challenges facing IT professionals today and how the Nortel Networks Unified Security Architecture addresses the challenges.

    Part I. The Top Ten challenges to enterprise network security

    Every enterprise that relies on network-connected applications and services is subject to 10 key security realities:

    1. The Internet was designed to share, not to protect.
    2. Security is not optional.
    3. The bad guys have good guns.
    4. Security threats recognize no boundaries.
    5. Security depends on people, process, and technology.
    6. It's not enough to guard the front gate.
    7. There's no stock blueprint.
    8. Frisking everybody and everything takes time.
    9. Grace under fire is a requirement.
    10. Security is a closed-loop process with an open-ended date.

    Let's take a closer look at these challenges, and at what IT security professionals can do about them.

    Enterprise Security Challenge #1: The Internet was designed to share, not to protect.

    In six or seven short years, the Internet has evolved from an adjunct contact channel into the backbone of many critical business applications. Enterprises are leveraging their IP-based intranets and the world-wide Internet to bring remote offices, mobile workers, and business partners into their trusted network environments. Many enterprises are capitalizing on the growing reach and reliability of IP data networks to completely redefine the way they deliver and manage approved corporate applications.

    The Internet enables them to interact more effectively with customers, streamline operations, reduce operating costs, and increase revenues. However, the Internet was designed to share, not to protect. The ports and portals that welcome outside users into the trusted internal network also potentially open the door to serious threats. The level of threat only increases as legacy applications become network-enabled and as network managers open their networks to more new users and applications.

    How do you manage mission-critical communications on an inherently insecure medium? Managing that flow is somewhat like guarding a revolving door. You can't lock it unless you also close out the traffic you do want.

    Remote access services that enable traveling employees to dial in for e-mail access... remote offices connected via dial-up lines... intranets, and extranets that connect outside parties to the enterprise network... all these business-enabling communications increase the vulnerability of the network.

    Enterprise Security Challenge #2: Security is not optional.

    Security breaches and unlawful access to confidential data can cost enterprises millions, but the requirement for network security goes beyond financial incentives. The governments of many countries are forcing enterprises to comply with regulations governing network security and privacy.

    In the U.S., the Federal government regulates the privacy and security of electronic information with such regulations as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Safe Harbor Act, the USA Patriot Act, and the Children's Internet Protection Act (CIPA). More are coming.

    Similar regulations are being enacted in Europe and elsewhere, such as the Data Protection Act and Computer Misuse Act in the U.K. Failure to comply with these regulations brings civil and criminal penalties, even prison terms.

    Even if governmental regulations weren't an issue, organizations that suffer security breaches may be sued by customers and damaged by negative publicity. All enterprises that leverage the Internet for remote access have an obligation to protect network integrity and data confidentiality, for their own sakes as well as for their customers and business partners.

    Enterprise Security Challenge #3: The bad guys have good guns.

    Attackers have a broad repertoire of tools and techniques they can use to compromise a network. With these tools of the trade, they can launch multi-level attacks to access the network: creating an access hole to intrude upon the network, and then using secondary attacks to exploit other parts of the network.

    For example, attackers can take advantage of weak user authentication and authorization tools, improper allocation of hidden space, shared privileges among applications, or even sloppy employee habits to gain unauthorized access to network resources. They can disable a trusted host and assume its identity, a threat known as IP spoofing or session hijacking.

    Using sophisticated new network sniffers that can decode data from packets across all layers of the OSI model, hackers can steal user names and passwords, and use that information to launch deeper attacks.

    Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing their service.

    In bucket brigade attacks, also known as man-in-the-middle assaults, the attacker intercepts messages in a public key exchange between a server and a client, retransmits the messages substituting their own public key, and in the process tricks the original entities/users into thinking they are communicating with each other.

    Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights.

    Masquerading enables a hacker to pose as a valid administrator or engineer to access the network, often to elevate user privileges.

    For more information about these types of attacks, see Appendix A, Hackers' Tools of the Trade.
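The bucket brigade substitution described above, beside the check that defeats it, as an added example that is not part of the white paper: a toy Diffie-Hellman exchange in Python in which a relay replaces both public values with its own, and the same exchange where each public value carries a certificate from a trusted authority so that the substituted value is rejected. The group parameters are constructed toy values, and the certificate is simulated with an HMAC under an authority key the relay does not hold, a stand-in for a real CA signature.

```python
"""Toy Diffie-Hellman exchange: why a relay that swaps public values wins
against an unauthenticated exchange, and how a certificate over each public
value lets both sides detect the substitution and refuse the session."""
import hashlib
import hmac
import secrets

# Constructed toy group: a Mersenne prime and generator 2. Real deployments
# use standardised groups with far larger moduli; this is for illustration.
P = 2**61 - 1
G = 2

# Stand-in for the certificate authority's signing key. Only the authority
# (issue) and the verifying parties use it; the relay never touches it.
AUTHORITY_KEY = b"constructed-authority-key"


def keypair():
    """Return (private, public) for one party."""
    priv = secrets.randbelow(P - 3) + 2          # in 2 .. P-2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def issue_certificate(name, pub):
    """Authority binds a name to a public value (HMAC stands in for a signature)."""
    return hmac.new(AUTHORITY_KEY, f"{name}:{pub}".encode(), hashlib.sha256).digest()


def verify_certificate(name, pub, cert):
    return hmac.compare_digest(issue_certificate(name, pub), cert)


def unauthenticated_exchange(in_the_middle):
    """Alice and Bob exchange bare public values. With a relay in the middle,
    each receives the relay's value instead and unknowingly keys with the relay."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if not in_the_middle:
        return {"alice": shared_secret(a_priv, b_pub),
                "bob": shared_secret(b_priv, a_pub)}
    m_priv, m_pub = keypair()
    return {
        "alice": shared_secret(a_priv, m_pub),        # Alice believes m_pub is Bob's
        "bob": shared_secret(b_priv, m_pub),          # Bob believes m_pub is Alice's
        "relay_with_alice": shared_secret(m_priv, a_pub),
        "relay_with_bob": shared_secret(m_priv, b_pub),
    }


def authenticated_exchange(in_the_middle):
    """Same exchange, but each public value travels with its certificate.
    The relay can swap the value but cannot mint a certificate for it."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_cert = issue_certificate("alice", a_pub)
    b_cert = issue_certificate("bob", b_pub)
    if in_the_middle:
        _, m_pub = keypair()
        alice_receives = (m_pub, b_cert)   # substituted value, genuine certificate
        bob_receives = (m_pub, a_cert)
    else:
        alice_receives = (b_pub, b_cert)
        bob_receives = (a_pub, a_cert)
    if not verify_certificate("bob", *alice_receives):
        return "rejected: value presented as Bob's does not match Bob's certificate"
    if not verify_certificate("alice", *bob_receives):
        return "rejected: value presented as Alice's does not match Alice's certificate"
    same_key = (shared_secret(a_priv, alice_receives[0])
                == shared_secret(b_priv, bob_receives[0]))
    return "established" if same_key else "rejected: key mismatch"


if __name__ == "__main__":
    r = unauthenticated_exchange(in_the_middle=True)
    print("unauthenticated, relayed: alice==bob?", r["alice"] == r["bob"],
          "| relay holds alice's key?", r["alice"] == r["relay_with_alice"])
    print("authenticated, relayed:", authenticated_exchange(in_the_middle=True))
```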

    Enterprise Security Challenge #4: Security threats recognize no boundaries.

    The typical enterprise internal trusted network is anything but internal these days. It extends to include supply chain partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more. Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would misappropriate network resources for personal gain.

    In today's business environment, the concept of a network perimeter is disappearing. Boundaries between inside and outside networks are becoming thinner, almost irrelevant. Applications run on top of networks in a layered fashion.

    The OSI (Open Systems Interconnection) model was built to allow different layers to work without knowledge of each other. Unfortunately, that means that if one layer is hacked, communications are compromised without the other layers being aware of the attack. That means security must address unique considerations at application and network layers, and bridge these layers to ward off multi-level threats.

    Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources. Application-layer attacks can be based on viruses, worms, buffer overflow, and password harvesting, among others. Web services and single sign-on technologies aggravate the problem, since they encourage Web-enabling legacy-based applications that were not designed with Web connectivity and security issues in mind.

    Network-layer threats expose the network infrastructure to sabotage, vandalism, bad system configuration, denial of service (DoS), snooping, industrial espionage, and theft of service. Attacks may be launched from inside the network by insiders and also from external sources such as hackers.

    For more information about application-layer and network-layer threats, see Appendix B: Application and network level threats.

    Enterprise Security Challenge #5: Security depends on people, process, and technology.

    Vulnerabilities arise both from people and process failures (such as posting their passwords in public view, or slack policy enforcement) and from technical aspects (such as rogue programs and Trojan horses), and from combinations of all three.

    The Nimda virus that recently caused havoc in IT environments is a perfect example. At first glance, Nimda was technical in nature: a virus. But on closer inspection, the havoc was caused more by human error than technical devilry. Nimda exploited six previous technical vulnerabilities; it was just a variant of previous vulnerabilities that were documented and communicated many months before Nimda actually spread on the Internet.

    Organizations should all have known about these vulnerabilities and disseminated that knowledge to the people responsible for protecting IT systems. Nimda was a non-issue for enterprises that had established processes in place for translating knowledge into action tasks, assigning responsibility for those tasks, and auditing successful completion.

    Enterprise Security Challenge #6: It's not enough to guard the front gate.

    Every component of the IT infrastructure is susceptible to attacks, not just obvious gateways to the Internet. Hosts, applications such as IP telephony, routers, and switches can be attacked by hackers or unauthorized users from inside or outside the enterprise.

    At the network level, the use of firewalls, proxy servers, and user-to-session filtering can add protection, but hackers seem to get smarter all the time. Using user access control at the network and application level with appropriate authentication and authorization can minimize the risks of unauthorized access.

    But the sheer diversity of the types of attacks, and the multi-level nature of many attacks, requires that IT managers understand how security breaches are instigated and be able to assess and recover from any inflicted damage. That means the only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels (user, application, and network) and at multiple network points.

    Enterprise Security Challenge #7: There's no stock blueprint.

    Each enterprise has a unique set of business needs and has evolved its networking environment accordingly. That means the right security strategy is more a prescription of functionality and characteristics than a stock blueprint. Security is not a one-size-fits-all situation. Neither is it a static implementation, any more than the network or technology remains static.

    For general purposes, we can categorize enterprises into three types of security spheres:

    The closed enterprise uses logical (e.g. frame relay) or physical private lines between sites, with PC dial access provided selectively for employees needing access into the Internet. Web presence is achieved through an Internet data center provided by a service provider (who is responsible for establishing a secure environment). The organization also provides conventional dial access for remote employees (e.g. working from a hotel). The company uses private e-mail among employees with no external access. Wireless LANs are also starting to be used.

    Even the closed enterprise has security concerns, not just from disgruntled internal users, but also because there are a number of backdoor exposures. Users with dial access to the Internet from their desktop PCs, employees surfing the Net from laptops they use at home or on the road, and wireless LANs all introduce Internet-related threats. Perhaps the greatest risk comes from the specious belief that the closed enterprise is immune to external risks.

    The extended enterprise is an extension of the closed enterprise. Web presence is still achieved via a service provider. Support for remote employee and office access over IP virtual private networks (VPNs) over the Internet is provided, delivering higher speed, lower cost connectivity. The enterprise provides general-purpose access for all employees into the Internet, allowing them to leverage the abundance of business-related information available on the Internet. Inter-working between the internal e-mail system and the rest of the world is provided.

    The open enterprise leverages the Internet by allowing partners, suppliers, and customers to have access to an enterprise-managed Internet Data Center, even allowing selective access to internal databases and applications (e.g. as part of a supply chain management system). Internal and external users access the enterprise network from home, remote offices, or other networks using wired or mobile devices.

    For the extended enterprise, the diversity of supported services and access mechanisms translates into multiple paths into the enterprise network, and in turn increases the risk. Naturally, that risk increases exponentially with the open enterprise, which has the greatest susceptibility to application-layer and network-layer threats, unauthorized access, and eavesdropping. Infrastructure, applications, and network management systems are equally vulnerable.

    [Figure 1. Generic enterprise types. Three panels: Closed enterprise, Extended enterprise, Open enterprise. Nodes shown: enterprise network, customers, employees, customers/partners/employees, Internet, ASP data center. Feature labels, in the order shown: dedicated WAN; PC dial-in access; PC Internet dial-out; outsourced Web site; private e-mail; Internet Data Center; remote access and office IP-VPNs; employee Internet access; interworked e-mail; controlled partner and select customer access; connectivity boundaries lowered.]

    Enterprise Security Challenge #8: Frisking everybody and everything takes time.

    Anyone who has traveled by airplane knows that the trade-off for enhanced security is delay. The more closely you inspect bags and travelers, the longer the lines at security.

    On enterprise networks as well, turning up the full complement of security features can slow Web servers to a crawl as they bog down with processing-intensive encryption, decryption, key management, and more. Bolting IP-VPN capabilities onto legacy routers brings its own brand of performance penalty. Voice applications, such as live Webcasts and Voice over IP, are very sensitive to delay and jitter and are therefore dramatically affected by traditional security mechanisms.

    Enterprise Security Challenge #9: Grace under fire is a requirement.

    In the context of security, reliability and survivability have somewhat different meanings. Network reliability ensures that the network continues to operate in spite of incidental failure of software and/or hardware components. Network survivability means the network continues to operate, delivering essential services in a timely manner, while battling security threats, even if parts of the network are unreachable or disabled due to overt attack.

    Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date.

    Organizations must view security as a steady process and an evolving way of thinking about how to protect systems, networks, applications, and resources. Reduce risk by continually and steadily making progress in identifying and addressing vulnerabilities and security policy holes. Corporations and government institutions must be able to determine what is at stake when security measures fail, how to detect security breaches, and what to do about them.

    This process also entails continual training and awareness, since breaches of security policy are usually caused by human error or carelessness. Employees, managers, and administrators must all be aware of established security policies and best practices.

    The good news is that enterprise networks can minimize their risks from unauthorized users without sacrificing performance for legitimate users. Part II of this document shows how the Nortel Networks Unified Security Architecture addresses these Top Ten challenges.

    [Figure 2. Enterprises need a security framework to optimally use IT techniques, tools, and methodologies against attackers. Panels: "Protected enterprise" and "Possible attacks". Possible attacks listed: authorization threats, IP spoofing, network sniffers, denial of service, intrusion, bucket brigade attacks, back door traps, data modification, masquerading. Protections listed for the enterprise network: anti-virus software, deep packet filtering, digital certificate, IPsec and SSL encryption, firewalls, network and host-based Intrusion Detection Systems (IDS); the infrastructure is marked with network sniffers.]

    Part II. The Nortel Networks Unified Security Architecture

    What can security IT professionals do about the Top Ten challenges?

    The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of best recommendations for end-to-end enterprise network security, addressing all the Top Ten challenges:

    The Internet was designed to share, not to protect.
    So the Unified Security Architecture defines virtual private networks, virtual LANs, firewalls, encryption, and other mechanisms that enable enterprises to reduce the risk of being Internet-connected.

    Security is not optional.
    The Unified Security Architecture upgrades enterprise security programs and infrastructures to comply with business, ethical, and regulatory mandates to protect data integrity and confidentiality.

    The bad guys have good guns.
    The Unified Security Architecture identifies the various tools of the trade, how they operate, and what kinds of protections thwart these attacks.

    Security threats recognize no boundaries.
    The Unified Security Architecture addresses threats on multiple functional and architectural layers, enabling enterprises to flexibly define what needs to be protected, from what kinds of threats, implemented how, and at what layers.

    Security depends on people, process, and technology.
    The Unified Security Architecture calls for developing and enforcing security policies that address technical considerations and human aspects of security, such as staff training and process.

    It's not enough to guard the front gate.
    The Unified Security Architecture begins with perimeter firewall defense and documents security provisions all the way to the individual user and application.

    There's no stock blueprint.
    The Unified Security Architecture defines the required functionality and offers enterprises broad choice in which functions to implement, to what degree, using what platforms and protocols.

    Frisking everybody and everything takes time.
    The Unified Security Architecture introduces purpose-built security products that use load-balancing, health-checking, and innovative acceleration technologies to minimize latency.

    Grace under fire is a requirement.
    The Unified Security Architecture defines ways to segregate critical resources and sustain performance even under attack.

    Security is a closed-loop process with an open-ended date.
    The Unified Security Architecture calls for policy management to be a process of continuous feedback and improvement, reflecting the latest industry knowledge and best practices.

    The comprehensive security strategy set forth in this document is based on seven key principles:

    1. Multi-layer security that defines security protection functions at application, network-assisted, and network security levels, in a layered architecture that can be flexibly defined and implemented.

    2. Variable-depth security across the enterprise, not just at the edge of the Internet: for example, from firewall perimeter defense, to VPNs to protect Internet-traversing traffic, and to VLANs to segregate traffic within a network.

    3. Closed-loop policy management, including configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen by the end user application.

    4. Uniform access management, including stringent authentication and roles-based authorization of access to all resources for all users, with granular access policies defined at the application level and managed enterprise-wide.

    5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying other recommended security mechanisms to operational activities.

    6. Secure multimedia communications, protected by encrypting the data, voice, and video payload without introducing delays that this real-time traffic cannot tolerate.

    7. Survival under attack, for instance, by using resilient architectures with no single point of failure, and applying intrusion-detection systems, anti-virus software, content filtering, and ongoing vigilance as attackers continue adopting new weaponry.

    [Figure 3. Principles behind Nortel Networks Unified Security Architecture: layered security, variable-depth security, closed-loop policy management, uniform access management, securing network operations, securing multimedia communications, and survivability under attack, arranged around the Unified Security Architecture.]


    The principles underpinning the Unified Security Architecture offer enterprises a security blueprint to use as they move towards increasingly open environments. Let's take a look at each of the seven key principles of the Unified Security Architecture.

    2.1. Multi-layer security across application and network levels

    Recognizing the multi-layered, interdependent nature of enterprise networks, and the critical need for security at more than the application level, the Nortel Networks Unified Security Architecture logically organizes security into multiple levels:

    The Network Security Layer provides security functions at OSI layers 1 to 3 (physical, data link, and network).

    The Network-Assisted Security Layer provides security functions at OSI layers 4 to 7 (transport to application) on top of the network level for added security.

    The Application Security Layer provides security in layer 7 of the OSI model, the application layer, and includes all security built into server and storage platforms.

    Some functions, such as access lists and VLANs, operate purely at the Network Security Level. Others, such as firewalls, operate at either the Network or Network-Assisted Security Level, depending on whether they are stateful or not. Others, such as SSL (Secure Sockets Layer), can be viewed as network-assisted or application security. The power of the Unified Security Architecture is that industry-defined security functions are leveraged in a structured fashion, tightening security overall.

    See Part III, Security in the Real World, for examples of these security layers in action for protecting campus and branch networks, data centers, IP telephony services, and remote access.

    Hardening server operating systems

    Within the application level of the multi-layer security framework, a key element is hardening the multiple operating systems used in network and user applications, such as OSs for data communications devices, servers, network management systems, IP telephony servers, and more.

    In an increasingly open, multivendor IT environment, network elements are frequently based on commercially available OSs. For example, Nortel Networks CallPilot unified messaging system, Symposium Contact Centers, and Business Communications Manager use a hardened version of Windows NT with off-the-shelf security software for functions such as anti-virus protection, intrusion detection, and login audits. Nortel Networks Succession CSE 1000 and Meridian IP-enabled PBX portfolios are built on an embedded real-time OS called VxWorks. The Nortel Networks Succession CSE MX system is built on UNIX.

    Procedures for hardening the OSs in Nortel Networks products are provided in our documentation. For third-party operating systems where no specific hardening guide exists, consult the OS vendor for the latest OS hardening patches and procedures.

    [Figure 4. Unified Security Architecture: Application Security, Network-Assisted Security, and Network Security layers, cut across by Network Management Security, Secure Access Management, and Policy Management, serving end users, operators, partners, and customers]


    The remaining elements of the architecture, discussed in the sections to follow, are inter-related and somewhat orthogonal to these layers. The table below (Figure 5) illustrates how common security technologies map to the elements of Nortel Networks Unified Security Architecture.

    2.2. Variable-depth security

    Defining security policy at multiple network levels produces a security strategy where each security level builds upon the capabilities of the layer below and provides finer-grained security the closer you get to resources.

    VLANs (Virtual LANs) provide basic network compartmentalization and segmentation, enabling business functions to be segregated in their own private local area networks, with cross-traffic from other VLAN segments strictly controlled or prohibited. The use of VLAN tags enables the segregation of traffic into specific groups such as Finance, HR, and Engineering, separating their data without leakage between disparate functions.

    Perimeter and distributed firewall-filtering capabilities provide another level of protection at strategic points within the network. Firewalls enable the network to be further segmented into smaller areas, and enable secure connections to the public network. Firewalls limit inbound and outbound traffic to the protocols and authentication methods that are explicitly configured in the firewall. Firewalls that support Network Address Translation (NAT) enable optimization of IP addressing within the network as specified in RFC 1918 (Address Allocation for Private Internets).

    Firewalls provide an extra layer of access control that can be customized based on business needs. Distributed firewalls add the benefit of scalability. Personal firewalls can be deployed on end users' systems to protect application integrity.

    Figure 5. Security functionality mapping to the Unified Security Architecture

    Security functionality                 Network Security   Network-assisted Security   Application Security
    Layer 2 VPN, EAP, and port security    Yes
    Network Address Translation            Yes
    Access control list                    Yes
    IPsec encryption                       Yes
    Secure dynamic routing                 Yes
    Firewalling                            Yes                Yes
    Intrusion detection                                       Yes                         Yes
    SSL encryption                                            Yes                         Yes
    Content filtering                                         Yes                         Yes
    Virus scanning                                            Yes                         Yes

    Policy management functionality: Policy Repository, Policy Decision Point, Policy Enforcement Point.

    Secure access management functionality: authentication client, authentication server, authentication database.

    Network management security functionality: secure activity logs, network operator authentication, access control/operator authorization, encryption, secure remote access, firewalls, intrusion detection, OS hardening, virus-free software.


    Several methods can be used to authenticate a user, such as permanent or one-time passwords, biometric techniques, smart cards, and certificates. Password-based authentication must use strong passwords that are at least eight characters in length with at least one alphabetic, one numeric, and one special character.

    Where stronger authentication is required, password authentication can be combined with another authentication and authorization process based on protocols such as RADIUS and LDAP to provide authentication, authorization, and accounting (AAA) services. Additionally, key management can be based on Internet Key Exchange (IKE), and certificate management on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP).

    In defining access privileges on all ports and devices, the concept of least privilege should be applied, granting access only as needed.

    Open and extended enterprises face the greatest challenges when designing access management policy. They require fine-grained rules that properly interface with identity directories and databases, multiple authentication systems such as RADIUS, and various hosts, applications, and application servers.

    The system should perform session management per user after the user is authenticated, and use flexible configuration and policy enforcement with fine-grained rules, capable of dealing with specific objects. Unique accounts for each administrator should be used, with accountability for actions traceable to individuals, to provide for appropriate monitoring, accounting, and secure audit trails.

    For more information about authentication and authorization, see section 2.9, A closer look at uniform access management.
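    The password rule, the least-privilege principle and the per-user session requirement above, worked through as an added example (not code from the white paper or from any Nortel product). The user names, roles and resources are constructed for illustration, and the password-policy check stands in for a real authentication back end such as a RADIUS or LDAP server.

```python
"""Added example (not from the Nortel white paper): the stated password policy,
a default-deny least-privilege authorization decision, and a per-user session
whose decisions are recorded so actions stay traceable to one individual.
User names, roles and resources are constructed for illustration."""
from dataclasses import dataclass, field
import secrets
import string

# The paper's stated minimum: at least eight characters with at least one
# alphabetic, one numeric and one special character.
MIN_LENGTH = 8
SPECIALS = set(string.punctuation)


def check_password_policy(password: str) -> list:
    """Return the list of policy violations (an empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


# Each role lists only the (resource, action) pairs it needs; anything not
# listed is denied (least privilege). Constructed sample roles.
ROLE_PERMISSIONS = {
    "finance-user": {("finance-db", "read")},
    "finance-admin": {("finance-db", "read"), ("finance-db", "write")},
    "network-operator": {("ems", "read"), ("ems", "configure")},
}


@dataclass
class Session:
    """Per-user session, created only after successful authentication."""
    user: str
    roles: frozenset
    token: str = field(default_factory=lambda: secrets.token_hex(16))
    audit: list = field(default_factory=list)


def open_session(user: str, roles, password: str) -> Session:
    """Stand-in for authentication: in a real deployment the password would be
    verified by RADIUS or LDAP; here only the policy check is applied."""
    violations = check_password_policy(password)
    if violations:
        raise PermissionError(f"password rejected: {', '.join(violations)}")
    return Session(user=user, roles=frozenset(roles))


def authorize(session: Session, resource: str, action: str) -> bool:
    """Default deny: grant only if one of the session's roles lists the pair.
    Every decision is appended to the session audit trail."""
    granted = any((resource, action) in ROLE_PERMISSIONS.get(r, set())
                  for r in session.roles)
    session.audit.append((session.user, resource, action, granted))
    return granted
```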

    2.5. Secure network operations

    On the one hand, network management is like other data applications, running on servers and workstations, complemented by application-level security and taking advantage of network-level and network-assisted security. On the other hand, network operators are specialized users who should be subject to more stringent authentication and authorization procedures.

    Because of the greater access authority and functional privilege granted to network management personnel, their access and activities must be carefully secured to protect network configuration, performance, and survivability. The more open the enterprise and the more centralized the network management system, the greater the requirement for stringent security for network management processes.

    Secure network management requires a holistic approach, rather than a specific security feature set on a network element. Our Unified Security Architecture recommendations address nine critical areas:

    Secure activity logs

    Network operator authentication

    Authorization for network operators

    Encryption of network management traffic

    Secure remote access for operators

    Firewalls and VLANs to partition the network

    Intrusion detection

    Hardening operating systems

    Anti-virus protection


    Secure activity logs provide a verifiable audit trail of user or administrator activities and events generated by network devices. Security activity logs must contain sufficient information to establish individual accountability, reconstruct past events, detect intrusion attempts, and perform after-the-fact analysis of security incidents and long-term trend analysis. Activity log information helps identify the root cause of a security problem and prevent future incidents. For instance, activity logs can be used to reconstruct the sequence of events that led up to a problem, such as an intruder gaining unauthorized access to system resources, or a system malfunction caused by an incorrect configuration or a faulty implementation. Syslog is the most common mechanism used by equipment vendors; Syslog works with all third-party log analyzer systems. Because the information contained in activity logs can be used to compromise a network, this log information itself must be secured.
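    An added example (not from the white paper) of securing the log information itself: each record carries the fields needed for individual accountability, is hash-chained to its predecessor, and is authenticated with an HMAC key held by the log collector, so an edited, deleted, or forged record fails verification. The records, addresses and key are constructed.

```python
"""Added example (not from the Nortel white paper): a tamper-evident activity
log. Every record is chained to the previous one and authenticated with a key
held by the log collector, so after-the-fact analysis can trust the trail.
All records, addresses and the key below are constructed."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(record: dict) -> bytes:
    """Stable serialisation so the same record always authenticates the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: list, key: bytes, **fields) -> dict:
    """Append one record, linking it to the previous record's MAC and signing it."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, **fields}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    record = {**body, "mac": mac}
    log.append(record)
    return record


def verify_log(log: list, key: bytes) -> tuple:
    """Return (ok, index of the first bad record or -1).
    Detects edited records (MAC mismatch), dropped records (sequence gap or
    broken chain) and records forged without the collector's key."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["mac"]):
            return False, i
        prev = record["mac"]
    return True, -1


def build_sample_log(key: bytes) -> list:
    """Constructed sample: an operator login, a configuration change, and a
    failed login from an outside address (documentation range 192.0.2.0/24)."""
    log = []
    append_record(log, key, ts="2003-05-01T09:00:00Z", actor="opr-jdoe",
                  src="10.1.1.5", event="login", outcome="success")
    append_record(log, key, ts="2003-05-01T09:02:10Z", actor="opr-jdoe",
                  src="10.1.1.5", event="config-change",
                  detail="vlan 20 add port 3/4", outcome="success")
    append_record(log, key, ts="2003-05-01T09:05:33Z", actor="unknown",
                  src="192.0.2.77", event="login", outcome="failure")
    return log
```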

    Network operator authentication based on strong centralized administration and enforcement of passwords ensures that only authenticated operators gain access to management systems. Centralized administration of passwords enables enforcement of password strength and removes the need for local storage of passwords on the network elements and EMS (Element Management Systems). RADIUS is the basic mechanism of choice for automating centralized authentication within Nortel Networks products.

    Authorization for network operators uses authenticated identity to determine the user's access privileges: what systems they can access, what functions they can perform. Techniques based on RADIUS servers provide a basic level of access control. An additional LDAP server can provide more fine-grained access control if necessary.

    Encryption of network management traffic protects the confidentiality and integrity of network management data traffic, which is especially important with the growing use of in-band network management. Encryption provides a high degree of protection from internal and external threats, with the exception of the small group of insiders that have legitimate access to encryption keys.

    Encryption between network operations center (NOC) clients and Element Management System (EMS) servers and/or Network Elements should be provided. This includes SNMP traffic, because there are known vulnerabilities with SNMP v1 and v2, which are intended to be addressed by SNMP v3. Given the widespread deployment of SNMP v1 and v2, IPsec can be used to secure this traffic.

    Depending on traffic type, the security protocols to use for these links are IPsec (IP Security), Secure Shell (SSH), and SSL:

    SSH is an application-level security protocol that can be used in place of IPsec if the traffic consists of Telnet and FTP only, but it cannot normally be used to protect other traffic types.

    IPsec runs between the network layer (Layer 3) and the transport layer (Layer 4) and is the preferred protocol to protect any type of data traffic, independent of applications and protocols. External IPsec VPN devices, such as Nortel Networks Contivity Secure IP Services Gateways, can be used in various parts of the network to secure management traffic.

    SSL technology, integrated into all standard Web browsers, is the de facto standard security protocol to protect HTTP traffic.

    Secure remote access for operators: Security must be provided for operators and administrators who manage the network from a remote location over a public network. Providing a secure virtual private network using IPsec is the mandatory solution, as this will provide strong encryption and authentication of all remote operators. An IP-VPN product such as Nortel Networks Contivity Secure IP Services Gateway should be placed at the management system interface, and all operators should be equipped with extranet access clients for their laptops or workstations.


    Firewalls and VLANs partition the network to segregate management devices and traffic from other, less confidential systems such as public Web servers. The firewall controls the type of traffic (defined by protocol, port number, and source and destination address) that can transit the boundary between security domains. Depending on the type of firewall (application versus packet filtering), firewalls can also filter the application content of the data flow.

    Intrusion-detection systems incorporated into management servers defend against network intrusions by warning administrators of potential security incidents, such as a server compromise or denial-of-service attack.

    Hardening the operating systems used for network management closes potential security gaps in general-purpose operating systems and embedded real-time operating systems. OS hardening should use the latest procedures and patches from the OS manufacturer.

    Anti-virus protection involves scanning all in-house and third-party software packages with virus-detection tools before incorporating the software into a product or network. A rigorous, established process ensures, to the extent possible, that network management software is virus-free.

    [Figure 6. Secure connectivity options for network management traffic: management systems in the Network Operating Center sit in a NOC VLAN; in-band links from management systems and Telnet clients to network devices across the enterprise network are protected with IPsec or SSH; browser clients use SSL; a remote management client reaches the enterprise network over an IPsec tunnel through the Internet, passing an application-level firewall and authentication]


    2.6. Secure multimedia communications

    Unified networks can carry voice, data, and video, each with their unique performance requirements and security considerations. When and where to encrypt this traffic is a major consideration, and is a key element of any enterprise security policy. This can be done on a per-application basis using SSL, on a client-server basis using SSH (Secure Shell), or for all traffic using IPsec VPN technology. Generally, all traffic over the Internet and wireless LANs, and potentially critical information leaving the premises, should be secured via strong encryption technology.

    IP telephony represents a particularly important class of application. As with any application, a risk assessment of IP telephony needs to be done to assess its intrinsic value, understand the implications of loss, and formulate a security policy. We can start this assessment by making some key observations on telephony and data security in general. First of all, telephony is a critical business function and therefore, like the network itself, the telephony system as a whole must be protected from security attacks. Secondly, we trust the public voice network and live with the inherent vulnerability to eavesdropping of public cell phone systems. Third, we trust PBX networks, the critical components of which are locked away in a telecom room. In addition, IT organizations have spent a lot of effort to minimize toll fraud and misuse of the voice network for personal calls.

    On the data side, we also rely on physical security to ensure that only employees have access to the internal network, and we trust that information sent over LANs, campus nets, and over private WANs running over physical and virtual private lines is generally secure. Outside of the confines of the enterprise network, most enterprises have established security policies that all internal data transmissions to employees and remote offices over the Internet need to be encrypted and authenticated. Likewise, critical customer interactions over the Web are protected via SSL. From a user perspective, keeping it simple has been the objective.

    The Nortel Networks Unified Security Architecture for IP telephony follows the guidelines below:

    Enterprise IP telephony operates within the confines of the enterprise, inter-working with the public network over circuit-switched connections. End-to-end VoIP connectivity between public phones and phones within the enterprise is not considered in this version of the document.

    The IP networking infrastructure that supports IP telephony must be secure from a data perspective and engineered to meet the stringent latency and reliability requirements of telephony.

    IP telephony communications servers are business-critical and must be physically secure and protected from internal and external attack.

    Secure authentication of VoIP clients must be provided. While data users may expect to log in with multiple user IDs and passwords, they won't tolerate that authentication requirement for every phone call. Generally, telephony users have only been required to authenticate themselves for off-net access using a feature set called Direct Inward System Access (DISA).

    Encryption of voice is only a requirement when traversing a shared-media LAN or the Internet.

    Security must be holistic and span the entire telephony environment, including VoIP clients and servers, application servers (such as for unified messaging and contact centers), and traditional PBXs.

    Encryption can be achieved with VPN techniques using IPsec, with Authentication Header (AH) and Encapsulating Security Payload (ESP), tunneling through the use of Layer 2 Tunneling Protocol (L2TP), key management based on Internet Key Exchange (IKE), and certificate management based on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP). SSL and Transport Layer Security (TLS) protect communications at the application layer.

    Standards-based algorithms should be used throughout: DES, 3DES, AES, RSA, and DSA for encryption and digital signatures; MD5 and SHA-1 for message integrity; and Diffie-Hellman and RSA for key exchange.

    Wired Equivalent Privacy (WEP), as defined in the 802.11 standard, is a technique to protect over-the-air transmission between wireless LAN (WLAN) access points and network interface cards (NICs). This protocol has been shown to be insecure. IEEE 802.11 is working on standardizing encryption improvements for WLANs. Therefore, added measures of protection such as IPsec must be used to secure WLAN traffic over WEP.


    2.7. Network survivability under attack

    The typical enterprise network supports mission-critical operations and is essential for conducting business. That means the network must continue to operate, delivering essential services in a timely manner, while battling security threats, even if parts of the network are unreachable or disabled due to overt attack.

    This kind of survivability starts by logically organizing network services into at least two categories, essential services and non-essential services, and defining strategies that enable these services to resist, address, and recover from attacks. The most effective approaches combine multiple resistance, identification, and recovery strategies in an adaptable manner that responds to changing network conditions. For example, the network can re-route traffic from one server to another if an intrusion or an attack is detected on the first server. That means an effective survivability plan is holistic; it spans management systems, hosts, applications, routers, and switches across the network.

    Naturally, the first line of resistance to attacks is strong access control through authentication and encryption. Keep intruders out at the first point of entry, if possible. Message and packet filtering and network and server segmentation provide strong secondary defenses. Intrusion-detection systems identify attacks in progress. Faithful attention to backup techniques enables rapid system and network recovery after a successful system breach.

    Survivability also includes high availability through redundancy of critical security functions, such as through the use of application switches, which provide redundancy between intrusion-detection servers. Additional techniques include the encryption of all mission-critical traffic, multi-link trunking (MLT), Virtual Router Redundancy Protocol (VRRP), dual/mirroring of disk drives, backup CPUs, backup power supplies, and hot-swappable components. These mechanisms provide a higher level of confidence in the survivability of critical applications (such as IP telephony).

    2.8. The closed-loop policy management reference model

    The Nortel Networks Unified Security Architecture is based on the IETF architectural framework for policy management (RFC 2753). In this model, policy management is implemented across the network and at all levels (application, network-assisted, network), and is applicable to all types of users and applications.

    [Figure 7. Policy management within the Unified Security Architecture: a policy management console and a policy repository connect over LDAP to the policy server (Policy Decision Point, PDP), which provisions network devices acting as Policy Enforcement Points (PEPs) over COPS-PR, SNMP, or CLI]


    The IETF policy management model uses these key elements and protocols:

    Policy Decision Points (PDPs) or policy servers abstract network policies into specific device control messages, which are then passed to policy enforcement points. These policy servers are often standalone systems running Unix or Windows NT/2000, controlling switches and routers within an administrative domain; they communicate with these devices using a control protocol (e.g., COPS, SNMP Set commands, Telnet, or the device's specific Command Line Interface, CLI).

    A Policy Enforcement Point (PEP) is a network or security device that accepts a policy (configuration rules) from the Policy Decision Point and enforces that policy against network traffic traversing that device. This enforcement leverages network and network-assisted security mechanisms as appropriate.

    Common Open Policy Service (COPS) is a simple query-and-response, stateful, TCP-based protocol that exchanges policy information between a Policy Decision Point (PDP) and its clients, the Policy Enforcement Points (PEPs). It is specified in RFC 2748. COPS relies on the PEP to establish connections to a primary PDP (and a secondary PDP when the primary is unreachable) at all times. Alternatively, a COPS proxy device can be used to translate COPS messages originating from a policy server into SNMP or CLI commands understood by network and security devices.

    The COPS protocol supports two different extension models for policy control: a dynamic outsourcing model, COPS-RSVP, specified in RFC 2749, and a configuration or provisioning model, COPS-PR, specified in RFC 3084. Provisioning extensions to the COPS protocol allow policies to be installed on the PEP up front by the PDP, thus allowing the PEP to make policy decisions for data packets based on this pre-provisioned information. Further communication between the PDP and PEP is necessary to keep policies provisioned in the data repository (i.e., the directory) in sync with those sent to the PEP.

    The Policy Repository stores all policy information in a network directory. It describes network users, applications, computers, and services (i.e., objects and attributes), and the relationships between these entities. There is tight integration between IP address and the end user (via Dynamic Host Configuration Protocol, DHCP, and the Domain Name System, DNS). This policy repository is usually implemented on a special-purpose database machine running Unix or Windows NT/2000, accessed by policy servers via LDAP.

    The Policy Repository stores relatively static information about the network (such as device configurations), whereas policy servers store more dynamic network state information (such as bandwidth allocation or information about established connections). The policy server retrieves policy information from the directory and deploys it to the appropriate network elements.

    There is no established standard to describe the structure of the directory database, i.e., how network objects and their attributes are defined and represented. A common directory schema is needed if multiple vendor applications are to share the same directory information; for example, all vendors need a common way to interpret and store configuration information about routers. The forthcoming Directory-Enabled Networking (DEN) standard, now being developed by the DMTF (Desktop Management Task Force), addresses this need. DEN includes an information model that provides an abstraction of profiles and policies, devices, protocols, and services. This provides a unified model for integrating users, applications, and networking services, and an extensible service-oriented framework.

    The Lightweight Directory Access Protocol (LDAP version 3) is specified in RFC 2251. LDAP is a client-server protocol for accessing a directory service. The LDAP information model is based on the entry, which contains information about some object (e.g., a person), and is composed of attributes, which have a type and one or more values. Each attribute has a syntax that determines what kinds of values are allowed in the attribute and how those values behave during directory operations.

    The last element is the policy management console, generally running on a personal computer or workstation, that provides the human interface to the policy management system. A Web browser can be used to provide manager access from virtually anywhere, with policy object-level security used to limit which policies can be modified by a specific individual. The console provides a graphical user interface and the tools to define network policies as business rules. It may also give the operator access to lower-level security configurations in individual switches and routers.


    These elements of the IETF policy management reference model interoperate to deliver closed-loop policy management. This includes configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen by the end-user application. Enforcement of policies in the network includes admission controls of applications or users vying for access to network resources. Sound policy management based on this model simplifies the configuration management environment inside enterprises and minimizes the chance of human error.

    Policy Management through Nortel Networks Optivity Policy Services

    Nortel Networks is leading the way in delivering policy-enabled networking to enterprise customers. For example, Nortel Networks Optivity Policy Services (OPS) is a system-level software application that manages security parameters and traffic prioritization. Optivity Policy Services enables a proactive approach to bandwidth management, security, and prioritization of business-critical traffic flows across the enterprise. Rather than applying policies to control traffic on a per-device basis, OPS takes a centralized systems approach to policy configuration and deployment that ensures consistency across the network while lowering total cost of ownership.

    Based on the IETF policy architecture, Optivity Policy Services supports the major IETF policy management standards, including COPS-PR, LDAP, Diffserv, and IEEE 802.1p. OPS uses COPS-PR to pre-provision routers and switches with policy information based on roles reported by the PEP. Roles are a logical abstraction of the device's interfaces for policy management purposes. With the ability to manage up to 1,000 devices per server and 20,000 devices per system, OPS reliably delivers QoS and security policies in large networks. Moreover, OPS uses LDAPv3 to support redundant data storage, preserving valuable policy information.

    As the number of denial-of-service attacks on networks increases, a centralized mechanism to limit potentially dangerous traffic flows is important. OPS makes it easy to set policies for metering traffic. For example, many denial-of-service attacks occur when too many packets of a certain protocol type (such as ICMP) flood a device. OPS policies can control that flow of traffic.

    With its Advanced Security Provisioning capabilities, OPS can protect valuable network and application assets by enabling the application of consistent, reliable, and robust security policies. OPS complements existing firewall implementations (e.g., Alteon) and IP-VPN devices (e.g., Contivity) by adding an extra layer of protection to network resources. OPS features enable the creation of policies to restrict traffic through a particular policy enforcement point or to deny all traffic on a particular device. OPS enables control of traffic flows through a device by simply creating admission control policies through a central Java-based management console.
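    An added example, not code from the white paper or from Optivity Policy Services, of the closed-loop model in section 2.8 and the policy types named above: a PDP pre-provisions rules by device role to each PEP (as COPS-PR does), each PEP enforces firewall-style protocol/port/source/destination rules, ICMP metering, and deny-all on its traffic, and the PDP collects enforcement counters to verify the policy is in force. Device names, roles, addresses and rules are constructed.

```python
"""Added example (not from the Nortel white paper or any Nortel product):
a minimal closed-loop policy model. The repository holds rules per device
role, the PDP pushes them to each PEP up front, the PEP enforces them on
packets, and the PDP reads enforcement counters back. All names, roles,
addresses (documentation ranges) and rules are constructed."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One rule: action plus protocol, destination port, source and destination."""
    action: str                    # "permit", "deny" or "meter"
    proto: str = "any"             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None    # None matches every port
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    limit: Optional[int] = None    # packets allowed before a "meter" rule drops

    def matches(self, pkt: dict) -> bool:
        src_ok = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
        return (self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport"))
                and src_ok and dst_ok)


# Policy repository keyed by role (a logical abstraction of the device's
# interfaces), not by individual device. Constructed sample policy.
REPOSITORY = {
    "dmz-edge": [
        Rule("meter", proto="icmp", limit=100),              # limit ICMP floods
        Rule("permit", proto="icmp", dst="192.0.2.0/24"),
        Rule("permit", proto="tcp", dport=443, dst="192.0.2.0/24"),
        Rule("permit", proto="tcp", dport=80, dst="192.0.2.0/24"),
        Rule("deny"),                                         # explicit default deny
    ],
    "quarantine": [Rule("deny")],                             # deny all on the device
}


@dataclass
class PEP:
    """Policy Enforcement Point: applies its pre-provisioned rules to packets."""
    name: str
    role: str
    rules: list = field(default_factory=list)
    counters: dict = field(default_factory=lambda: {"permit": 0, "deny": 0})
    meter_seen: dict = field(default_factory=dict)

    def enforce(self, pkt: dict) -> str:
        """First matching permit/deny wins. A meter rule drops the packet once
        its limit is exceeded and otherwise lets evaluation continue."""
        for idx, rule in enumerate(self.rules):
            if not rule.matches(pkt):
                continue
            if rule.action == "meter":
                self.meter_seen[idx] = self.meter_seen.get(idx, 0) + 1
                if self.meter_seen[idx] > rule.limit:
                    self.counters["deny"] += 1
                    return "deny"
                continue
            self.counters[rule.action] += 1
            return rule.action
        self.counters["deny"] += 1     # nothing matched: implicit deny
        return "deny"


class PDP:
    """Policy Decision Point: resolves repository policy into per-device rules,
    pushes them to each PEP and reads enforcement results back."""
    def __init__(self, repository: dict):
        self.repository = repository
        self.peps = []

    def provision(self, pep: PEP) -> int:
        """Pre-provision the PEP with the rules for its role; returns rule count."""
        pep.rules = list(self.repository[pep.role])
        self.peps.append(pep)
        return len(pep.rules)

    def verify(self) -> dict:
        """Close the loop: collect permit/deny counters from every PEP."""
        return {p.name: dict(p.counters) for p in self.peps}
```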

    2.9. A closer look at uniform access management

    Secure access management is created through a combination of authentication, authorization, and accounting services,often called AAA.

    Authentication, initiated by an authentication client in a PC or gateway device, positively verifies the identity of a useras a prerequisite to allowing access.

    Authorization determines which system resources are appropriate for that authenticated user to access.

    Accounting capabilities rely on audit logs or records of security-related events for future examination.

    This section takes a closer look at authentication and authorization.

    Authentication

    Authentication systems can be categorized according to the number of identification factors required to ascertain identity.

    Single-factor authentication uses userID/password combinations to prove identity.

    Two-factor authentication requires two components, usually a combination of something the user knows (such as a password) and something the user possesses (such as a physical token like a SecurID card).

    Three-factor authentication adds a biometric, a measurement of a human body characteristic.


    The more authentication factors used, the more secure the process. However, the more factors you add, the more complexity, cost, and management overhead you add. Every scenario will offer a different break-even point in the trade-off between simplicity and security.

    Single-factor authentication with userID and password is the most common authentication system today. It's easy to administer, familiar to users, and can provide a high level of security if strong password procedures are enforced. Legacy password systems have had some challenges, however, since multiple strong passwords are very hard for users to remember. The recommendations in this section will show how this problem can be minimized with a Single Strong Password system.

    Tokens such as smartcards and SecurID cards are added as a second factor in many authentication systems, requiring that the user have physical possession of the token. An attacker would similarly have to have possession of the user's token in order to gain system access. The higher level of authentication comes with additional system cost, however, due to the necessary tokens and token readers. In addition, tokens can be easily lost, which can present a high administration overhead for reissuing.

    Biometric factors for authentication measure characteristics of the user's body such as fingerprint, handprint, retina, iris, or voice characteristics. Biometric measurements are a useful additional factor and add an even higher level of authentication security. A biometric authentication system entails a measurement proving who the person actually is, rather than proving they have something such as a token or proving that they know something such as a password. Unfortunately, biometric measurements are not 100 percent effective; with the present state of the technology, it is possible to register false positives and false negatives. Biometric authentication systems also require biometric readers at system access points, adding new system costs.

    Strong cryptographically-based authentication can be provided through the use of digital certificates issued to users and stored on tokens or within the user's computer memory. Cryptographic algorithms are used to ensure that a particular certificate has been legitimately issued to the user. A Public Key Infrastructure is used to enable the issuance and maintenance of digital certificates. Strong cryptographically-based systems provide very stringent authentication. However, these systems are expensive and incur additional management overhead. Therefore, they are currently being adopted only in very secure environments.

    Authorization

    Once authenticated, authorization mechanisms control user access to appropriate system resources. Authorization can be categorized according to the granularity of control; that is, according to how detailed a division is made between system resources. Fine-grained authorization refers generically to a system where access is controlled in very fine increments, such as to individual applications or services.

    Authorization is often role based, whereby access to system resources is based on a person's assigned role in an organization. The System Administrator role may have highly privileged access to all system resources, whereas the General User role would only have access to a subset of these resources. Finer-grained authorization can be applied to define other roles, such as a Human Resources Administrator role that has exclusive access to confidential HR databases, and an Accounting role that has exclusive access to accounting systems.

    Authorization may also be rules based, whereby access to system resources is based on specific rules associated with each user, independent of their role in the organization. For example, rules may be set up to allow Read Only access or Read/Write access to all or certain files within a system, or access only during certain times or from certain devices.

    Authentication and authorization protocols

    Several protocols have been commonly adopted for authentication services. The RADIUS protocol (Remote Authentication Dial In User Service, IETF RFC 2865) is widely used to centralize password authentication services. Originally designed to authenticate remote dial-in users, the RADIUS protocol has been adopted for general user authentication services. Recently, LDAP (Lightweight Directory Access Protocol, IETF RFC 2251) has been finding extensive use in authentication and authorization systems. LDAP provides a convenient method for storing user authentication and authorization credentials.


    RADIUS authentication servers are often coupled with credential storage in LDAP directories to provide centralized authentication and authorization. When a user attempts to access a particular application on such a system, the application queries the user for authentication credentials and forwards them to the centralized system. The RADIUS server then checks the presented credentials against those stored in the LDAP database, and also queries the LDAP database for authorization rule information. The authentication results (pass or fail) are returned to the application along with authorization rule information for the particular user. Authorization rules are then enforced at the application to allow the user to access particular data or services. From an end-user perspective, these authentication and authorization systems should be automatic and easy to use.

    Authentication and authorization recommendations

    Nortel Networks recommends the following general principles to be followed when implementing enterprise authentication and authorization systems:

    Use a uniform access management system for end users, network operators, partners and customers, with the appropriate level of authentication and resource access authorization to meet business needs.

    Use a centralized authentication mechanism to facilitate administration and remove the need for locally stored passwords, which tend to be static and weak.

    Use a centralized authorization system, tightly coupled with the authentication system, with appropriate granularity for the enterprise.

    Enforce strong, complex rules for all passwords.

    Securely store all passwords in one-way encrypted (hashed) format.

    Maintain simplicity to the extent appropriate, for maximum ease of use, ease of administration, and compliance.

    Securely log authentication and authorization events for audit purposes.

    Figure 8. Secure authentication and authorization reference model (diagram: an enterprise network reached by local wired PC access, a remote IP-VPN office, a remote IP-VPN user and a WLAN IP-VPN user over the Internet through a Secure IP Services Gateway; an application server with centralized authentication; a centralized RADIUS-based authentication server backed by Level 1 password, Level 2 token and Level 3 biometric authentication databases; DNS and DHCP servers; function labels Auth, IPsec, FW and SRT)


    A case example: Single Strong Password in the Nortel Networks corporate network

    Nortel Networks uses a Single Strong Password approach in its own worldwide network to authenticate internal and external users, from employees and contractors to joint venture representatives and even customers. The user has one very strong password that is maintained on a centralized password system and synchronized with applications and systems across the enterprise. Users only have to remember one password, making the system simple to use and not likely to be bypassed.

    Dedicated password servers on several continents manage the system and provide Web-based password management for users and security administrators. These password servers communicate directly with RADIUS authentication servers. The system automatically synchronizes passwords across multiple systems and platforms, such as Windows networking, remote access, UNIX, purchasing, and niche business applications.

    The system enables fine-grained authorization at the application level. An internally developed tool enables applications to access the Single Strong Password system, and a list of users allowed to access each application is stored in the authorization database. When an application is accessed, the Single Strong Password system authenticates the user and returns authorization information. The system logs attempted violations of authorization rules and multiple simultaneous logins to geographically dispersed systems, to detect and prevent misuse.

    The Single Strong Password system enforces strict password rules. For example, passwords must contain at least eight characters, both upper and lowercase letters, and at least one number or symbol. Additionally, passwords must not contain dictionary words of four characters or longer, a previously used password, a password that matches an account name, a date or year, keyboard patterns, or repeating characters. Users are required to change passwords at predefined intervals.

    After years of real-world use, Nortel Networks has seen the following advantages of this system:

    Single consistent method for setting passwords

    Single consistent method for authentication and authorization

    Single method for registering and terminating user accounts

    Enforcement of corporate password strength guidelines

    Consistency across applications, so employees know what to do

    Standardization that makes the system easy to support and adopt

    Fast, seamless performance through standard interface and APIs

    Lower costs, fewer help desk calls

    Figure 9. Single password access management in the Nortel Networks corporate network (diagram: employees, technicians, contractors, partners and customers, whether local, remote, wired or wireless, reach RADIUS-enabled enterprise applications such as CRM, SCM, ERP, unified messaging, self-serve benefits and the expense system through single password access management, a RADIUS server and a password authentication database)


    Part III. Network security in the real world

    The previous section outlined key principles and practices of the Nortel Networks Unified Security Architecture.

    This section demonstrates this multi-level security framework in action for several real-world scenarios:

    Securing the campus network

    Securing the data center

    Securing the remote office

    Securing remote access

    Securing IP telephony services

    3.1. Securing the campus network

    In this context, the term campus describes a corporate headquarters or large regional office where the network uses a mix of technologies, products, and applications, and serves a large user population. The campus network presents a challenging security picture because of the diversity of elements to protect:

    Servers, including departmental servers for user access and file sharing, central application servers such as finance and databases, and Web servers for either public Web or Intranet applications.

    Operating systems, typically multiple versions of multiple operating systems running on servers and clients.

    Network devices, including routers, Layer 4-7 load-balancing switches, Layer 3 core switches, Layer 2 distribution switches, and wireless LAN access points.

    Security devices, such as firewalls, VPN gateways, intrusion-detection and anti-virus servers, SSL accelerators, authentication servers, and content filtering servers.

    Securing the campus network at the network security level

    Layer 2 switching security. VLANs based on the IEEE 802.1Q standard and Ethernet switches segregate traffic for greater security and manageability. When port-based VLANs are configured, each VLAN is completely separated from the others, in particular forming its own broadcast domain. In order to limit network access, many Ethernet switches provide port security that ties a MAC address list to specific switches or even ports of those switches and prevents unknown workstations from gaining access. This list may be built either by auto-discovery or by manual update.

    With the general availability of the 802.1x authentication standard, Ethernet switches offer embedded capabilities to apply security at every node in the network, providing an effective framework for authenticating and controlling user traffic to a protected network. 802.1x ties a protocol called EAP (Extensible Authentication Protocol, originally developed for PPP) to LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. It enables enforcement of client authorization on corporate authentication servers like RADIUS. EAP not only controls Layer 2 port connectivity, but can be extended (as Nortel Networks is doing) along with secure access management to customize the security (and QoS) end-user profiles of the port for a particular authenticated user. When a host attempts to log onto the network, the host and an authentication service exchange data via EAP. Under an end-user profile architecture, the EAP protocol enables the policy server to leverage information in a third-party authentication service to validate users and assign appropriate network access and QoS (Quality of Service) capabilities.

    Layer 2 wireless LAN security. Wireless LANs offer a flexible alternative to regular Ethernet connectivity, but they suffer from known vulnerabilities. For one, it's hard to control who is really accessing the system. Second, the current Wired Equivalent Privacy (WEP) 802.11 encryption method is weak.


    For both reasons, it is recommended to use VPN technology for wireless LANs and run an IP-VPN client, such as Nortel Networks Contivity Client, on the wireless device. VPN-based wireless security is platform and radio technology agnostic; that is, the client system establishes a connection to the network via 802.11b, 802.11a, or even Bluetooth, and the VPN takes over from there. Most of the authentication takes place independently of the wireless network, keeping access point maintenance simple. The VPN can treat the wireless LAN just as the corporate backbone with wireless access points. Users trying to access the network via the wireless LAN would then be authenticated, their information encrypted, and all communication logged by the VPN system.

    Alternatively, with some WLAN IP phones, encryption and authentication are built in. For example, Nortel Networks has a strategic partnership with Symbol, whose WLAN IP phones support 128-bit WEP encryption between the client and the wireless access point, and Kerberos authentication. Combining those approaches provides the robust user authentication and encryption required for WLAN environments.

    Layer 3 switching and routing security. Network address translation (NAT) enables an organization to present a public IP address to the world and hide internal addresses from public view. Processing NAT in hardware with a switch is an innovative strategy for converting internal addresses into public addresses (and vice versa), making routing and firewall solutions highly efficient.

    Figure 10. Securing the campus network (diagram: campus servers and the Engineering, Human resources and Finance segments, WLAN PCs and an IP PBX connected to the PSTN hang off distribution and backbone Layer 2-7 routing switches with Web switching; a switched firewall, an IP-VPN services gateway, load-balanced IDS servers, a virus screening server and a high-capacity router with NAT sit between the enterprise and the Internet; function labels Auth, FW, IPsec, SRT, AL, CF, SSL, L2, VS and IDS)


    Proper design and use of routing and Layer 3 switching enhance the survivability of the campus network. Access control lists, IP segmentation and sub-netting, redundancy protocols such as Virtual Router Redundancy Protocol (VRRP), and fast convergence routing using OSPF (Open Shortest Path First) all contribute to a more survivable infrastructure.

    Routers and routing switches secure the data path using IP filters that drop undesirable packets. Routing can be further secured by implementing route policies, encryption and authentication of OSPF and BGP route updates with MD5, and broadcast/multicast rate limiting.

    Last but not least is the innovative Secure Routing Technology (SRT), which enables dynamic routing over secure IPsec tunnels for RIP and OSPF. Contivity Secure IP Services Gateways implement this dynamic secure routing approach, which is described later in this document in the Securing Remote Access scenario.

    Securing remote communication via IPsec VPNs and SSL extranets. Typically, the campus network also supports VPNs to connect with branch offices and remote users, carrying private network traffic within a secure, encrypted tunnel carried over a public network. Robust and secure central site solutions that support both remote access and remote office IP-VPNs and firewalls are key elements of the campus network. For more information, see Securing the Remote Office and Securing Remote Access, later in this section.

    Securing the campus network at the network-assisted security level

    Perimeter control via firewalls and intrusion-detection servers. The enterprise network often provides employees with connection to the Internet from the corporate headquarters campus. It is usually centralized in order to more easily protect a single interface to the public world. That's exactly where perimeter control solutions such as firewalls and intrusion-detection systems (IDSs) are generally deployed to prevent malicious intrusion by unauthorized persons.

    It is highly recommended that firewalls be implemented at every site within an enterprise to secure internal and external traffic, and at every point of interconnection with the Internet (e.g. even a remote PC). In some cases, it is appropriate to integrate this functionality with secure IP services gateways used also for remote office and remote access IP-VPNs.

    Firewalls provide a perimeter defense against unauthorized access, an essential first step when planning for Internet access. Firewalls come in various sizes and capabilities, fitting many specific network requirements depending on their point of use. An emerging trend is to use new, multi-gigabit firewalls to interconnect segments of the campus LAN, which keeps departments separate and enables communication only through firewall security policies.

    An IDS monitors the network to identify unauthorized users or suspicious patterns of utilization. Most IDS applications compare network traffic and host log entries to match data signatures and host address profiles indicative of hackers. Intrusion-detection software identifies traffic patterns that indicate the presence of unauthorized users. Suspicious activities trigger administrator alarms and other configurable responses. Nortel Networks partners with best-of-breed companies such as Internet Security Systems (ISS) to offer specialty software solutions for intrusion-detection.

    Content inspection via content filtering and anti-virus systems. These tools provide essential protections for remote and local computing, and are discussed in more detail in Part III under Securing the Data Center.

    Layer 4 to 7 switching and filtering security. Layer 4 to 7 switches provide control services for applications, management, and traffic to improve resource utilization and performance, ensure security with high performance, provide network scalability, and provide failsafe network assurance. They are usually deployed near security devices and in server farms. Integrated security filtering offloads firewall processing of NAT, monitors network activity, protects against denial-of-service attacks and some virus types such as Code Red / Blue, and protects data without compromising throughput. Nortel Networks Passport 8600 and Nortel Networks Alteon Web switches offer extensive Layer 4 to 7 capabilities.


    Securing the data center at the network-assisted security level

    Switched firewalls can now provide multi-gigabit throughput and state-of-the-art filtering to secure and safeguard data center servers without the performance degradation that typically occurs with deep packet inspection. Switched firewalling introduced the same level of performance improvements to perimeter security as Layer 3 switching brought to LAN routing. Therefore, a switch-based firewall is recommended for perimeter security in transaction-oriented environments. The Nortel Networks Alteon Switched Firewall combines Layer 4-7 cut-through switching with firewall software processing to deliver more than 4 Gbps throughput. Logical demilitarized zones can be created through the use of VLANs.

    The Secure Sockets Layer (SSL) protocol, built into most browsers and Web servers, is widely used to protect communications to and from Web applications. Unfortunately, SSL processing is very compute-intensive and significantly reduces server performance. This results in increased cost and operational complexity when it comes time to scale secure transaction processing. SSL Accelerators, such as the Nortel Networks Alteon solution, offload SSL processing from local servers without imposing delays on other traffic in the same data path, and offer a simpler way to deploy and maintain the Public Key Infrastructure (PKI) required for electronic transactions.

    Figure 11. Securing the data center (diagram: Web servers, mission-critical enterprise applications and other enterprise applications behind a backbone Layer 2-7 routing switch with Web switching; a switched firewall, an IP-VPN services gateway, a DMZ with load-balanced IDS servers, a virus screening server, SSL offload and a high-capacity router with NAT between the enterprise and the Internet; a management domain holding LDAP, RADIUS and DNS servers; function labels Auth, FW, IPsec, SRT, AL, CF, VS, SSL, L2 and IDS)


    intrusion-detection, anti-virus, and content filtering tools provide essential protections for online commerce and remote computing in general. IDS software identifies traffic patterns that indicate the presence of unauthorized users. Anti-virus software detects and defuses potential cyber attacks. Content filtering software restricts the type of data that can be accessed or distributed.

    IDSs can be broadly categorized according to the following criteria:

    Incident detection timeframe: real-time or off-line, depending on whether system logs and network traffic are analyzed as e