8/7/2019 Security Unified Architecture
The greater the reach and availability of the network, the greater its vulnerability to threats from within and outside the organization.
The new openness of networked communications introduces new ethical, financial, and regulatory pressures to protect networks and enterprises from internal and external threats and attacks.
Every IT security professional should be up-to-date on the Top Ten challenges to enterprise security and the latest recommendations to address those challenges.
White Paper
Nortel Networks
Unified Security Architecture for enterprise network security
A conceptual, physical, and procedural framework for high-performance, multi-level, multi-faceted security to protect campus networks, data centers, branch networking, remote access, and IP telephony services.
Contents
Executive summary (page 3)
Part I. The Top Ten challenges to enterprise network security (page 4)
Enterprise Security Challenge #1: The Internet was designed to share, not to protect
Enterprise Security Challenge #2: Security is not optional (page 5)
Enterprise Security Challenge #3: The bad guys have good guns (page 5)
Enterprise Security Challenge #4: Security threats recognize no boundaries
Enterprise Security Challenge #5: Security depends on people, process, and technology
Enterprise Security Challenge #6: It's not enough to guard the front gate (page 7)
Enterprise Security Challenge #7: There's no stock blueprint (page 7)
Enterprise Security Challenge #8: Frisking everybody and everything takes time
Enterprise Security Challenge #9: Grace under fire is a requirement (page 9)
Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date
Part II. The Nortel Networks Unified Security Architecture (page 10)
2.1. Multi-layer security across application and network levels
2.2. Variable-depth security
2.3. Closed-loop policy management
2.4. Uniform access management
2.5. Secure network operations
2.6. Secure multimedia communications
2.7. Network survivability under attack
2.8. The closed-loop policy management reference model
2.9. A closer look at uniform access management
Part III. Network security in the real world (page 25)
3.1. Securing the campus network
3.2. Securing the data center
3.3. Securing the remote office
3.4. Securing remote access
3.5. Securing IP telephony services
Part IV. Nortel Networks technology and expertise (page 42)
4.1. Design tenets built into the Nortel Networks security portfolio
4.2. Expanded choice through partnerships
4.3. Security services
4.4. Nortel Networks product assurance
4.5. Nortel Networks and cross-industry security developments
Summary (page 46)
Appendix A. Hackers' tools of the trade (page 47)
Appendix B. Application and network level threats (page 49)
Executive summary
Today's connected enterprise faces a security paradox. The very openness and ubiquity that make the Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to share, not to protect. The ports and portals that welcome remote sites, mobile users, customers, and business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and others who would misappropriate network resources for personal gain.
The only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels and multiple network points.
Nortel Networks, a global leader in secure data networking, offers proven solutions to satisfy end-to-end network security requirements. Security in the DNA is a key tenet of our strategy for the new enterprise network, a convergence framework we call One Network. A World of Choice.
This document presents the security component of that enterprise network strategy. The Unified Security Architecture provides a conceptual, physical, and procedural framework of best recommendations and solutions for enterprise network security. It serves as an important reference guide for IT professionals responsible for designing and implementing secure networks.
What are the requirements and vulnerabilities? What technology options and implementation choices are available? How do you protect the network at all levels? This comprehensive strategy addresses those pressing concerns facing IT security specialists, and offers encouraging news about the depth and breadth of options available for securing critical network resources.
The Unified Security Architecture is realistic.
It assumes that all components of an IT infrastructure are targets... that even internal users could be network threats... attacks are inevitable... network performance cannot be compromised by processing-intensive security measures... and IT budgets are constrained.
The Unified Security Architecture acknowledges the diversity of networked enterprises.
It is not a one-size-fits-all prescription, but rather a framework of functionality that offers multiple implementation choices suitable for closed, extended, and open enterprises in different industries and for diverse application requirements within all enterprise types.
The Unified Security Architecture addresses the multi-level complexity of network threats.
It provides answers on multiple levels: for instance, from a firewall guardian to block intruders at the front gate to encryption to shroud every packet in privacy... from virtual private networks that span the global Internet to virtual LANs that segregate network management traffic from desktop users.
The Unified Security Architecture promotes a process, rather than an endpoint.
Effective security is not achieved through a one-time initiative. This architecture outlines measures for strong ongoing policy management, reflecting both human and technical factors.
Read on for a discussion of the Top Ten challenges facing IT professionals today and how the Nortel Networks Unified Security Architecture addresses the challenges.
Unified Security Architecture for enterprise network security
A conceptual, physical, and procedural framework for high-performance, multi-level, multi-faceted security to protect campus networks, data centers, branch networking, remote access, and IP telephony services.
Part I. The Top Ten challenges to enterprise network security
Every enterprise that relies on network-connected applications and services is subject to 10 key security realities:
1. The Internet was designed to share, not to protect.
2. Security is not optional.
3. The bad guys have good guns.
4. Security threats recognize no boundaries.
5. Security depends on people, process, and technology.
6. It's not enough to guard the front gate.
7. There's no stock blueprint.
8. Frisking everybody and everything takes time.
9. Grace under fire is a requirement.
10. Security is a closed-loop process with an open-ended date.
Let's take a closer look at these challenges and what IT security professionals can do about them.
Enterprise Security Challenge #1: The Internet was designed to share, not to protect.
In six or seven short years, the Internet has evolved from an adjunct contact channel into the backbone of many critical business applications. Enterprises are leveraging their IP-based intranets and the world-wide Internet to bring remote offices, mobile workers, and business partners into their trusted network environments. Many enterprises are capitalizing on the growing reach and reliability of IP data networks to completely redefine the way they deliver and manage approved corporate applications.
The Internet enables them to interact more effectively with customers, streamline operations, reduce operating costs, and increase revenues. However, the Internet was designed to share, not to protect. The ports and portals that welcome outside users into the trusted internal network also potentially open the door to serious threats. The level of threat only increases as legacy applications become network-enabled and as network managers open their networks to more new users and applications.
How do you manage mission-critical communications on an inherently insecure medium? Managing that flow is somewhat like guarding a revolving door. You can't lock it unless you also close out the traffic you do want.
Remote access services that enable traveling employees to dial in for e-mail access... remote offices connected via dial-up lines... intranets, and extranets that connect outside parties to the enterprise network... all these business-enabling communications increase the vulnerability of the network.
Enterprise Security Challenge #2: Security is not optional.
Security breaches and unlawful access to confidential data can cost enterprises millions, but the requirement for network security goes beyond financial incentives. The governments of many countries are forcing enterprises to comply with regulations governing network security and privacy.
In the U.S., the Federal government regulates the privacy and security of electronic information with such regulations as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Safe Harbor Act, the USA Patriot Act, and the Children's Internet Protection Act (CIPA). More are coming.
Similar regulations are being enacted in Europe and elsewhere, such as the Data Protection Act and Computer Misuse Act in the U.K. Failure to comply with these regulations brings civil and criminal penalties, even prison terms.
Even if governmental regulations weren't an issue, organizations that suffer security breaches may be sued by customers and damaged by negative publicity. All enterprises that leverage the Internet for remote access have an obligation to protect network integrity and data confidentiality, for their own sakes as well as for their customers and business partners.
Enterprise Security Challenge #3: The bad guys have good guns.
Attackers have a broad repertoire of tools and techniques they can use to compromise a network. With these tools of the trade, they can launch multi-level attacks to access the network: creating an access hole to intrude upon the network, and then using secondary attacks to exploit other parts of the network.
For example, attackers can take advantage of weak user authentication and authorization tools, improper allocation of hidden space, shared privileges among applications, or even sloppy employee habits to gain unauthorized access to network resources. They can disable a trusted host and assume its identity, a threat known as IP spoofing or session hijacking.
Using sophisticated new network sniffers that can decode data from packets across all layers of the OSI model, hackers can steal user names and passwords, and use that information to launch deeper attacks.
Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing their service.
In bucket brigade attacks, also known as man-in-the-middle assaults, the attacker intercepts messages in a public key exchange between a server and a client, retransmits the messages substituting their public key, and in the process tricks the original entities/users into thinking they are communicating with each other.
Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights.
Masquerading enables a hacker to pose as a valid administrator or engineer to access the network, often to elevate user privileges.
For more information about these types of attacks, see Appendix A, Hackers' Tools of the Trade.
Enterprise Security Challenge #4: Security threats recognize no boundaries.
The typical enterprise internal trusted network is anything but internal these days. It extends to include supply chain partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more. Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would misappropriate network resources for personal gain.
In today's business environment, the concept of a network perimeter is disappearing. Boundaries between inside and outside networks are becoming thinner, almost irrelevant. Applications run on top of networks in a layered fashion.
The OSI (Open Systems Interconnection) model was built to allow different layers to work without knowledge of each other. Unfortunately, that means that if one layer is hacked, communications are compromised without the other layers being aware of the attack. That means security must address unique considerations at application and network layers, and bridge these layers to ward off multi-level threats.
Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources. Application-layer attacks can be based on viruses, worms, buffer overflow, and password harvesting, among others. Web services and single sign-on technologies aggravate the problem, since they encourage Web-enabling legacy-based applications that were not designed with Web connectivity and security issues in mind.
Network-layer threats expose the network infrastructure to sabotage, vandalism, bad system configuration, denial of service (DoS), snooping, industrial espionage, and theft of service. Attacks may be launched from inside the network by insiders and also from external sources such as hackers.
For more information about application-layer and network-layer threats, see Appendix B: Application and network level threats.
Enterprise Security Challenge #5: Security depends on people, process, and technology.
Vulnerabilities arise both from people and process failures (such as posting their passwords in public view, or slack policy enforcement) and technical aspects (such as rogue programs and Trojan horses), and combinations of all three.
The Nimda virus that recently caused havoc in IT environments is a perfect example. At first glance, Nimda was technical in nature: a virus. But on closer inspection, the havoc was caused more by human error than technical devilry. Nimda exploited six previous technical vulnerabilities; it was just a variant of previous vulnerabilities that were documented and communicated many months before Nimda actually spread on the Internet.
Organizations should all have known about these vulnerabilities and disseminated that knowledge to the people responsible for protecting IT systems. Nimda was a non-issue for enterprises that had established processes in place for translating knowledge into action tasks, assigning responsibility for those tasks, and auditing successful completion.
Enterprise Security Challenge #6: It's not enough to guard the front gate.
Every component of the IT infrastructure is susceptible to attacks, not just obvious gateways to the Internet. Hosts, applications such as IP telephony, routers, and switches can be attacked by hackers or unauthorized users from inside or outside the enterprise.
At the network level, the use of firewalls, proxy servers, and user-to-session filtering can add protection, but hackers seem to get smarter all the time. Using user access control at the network and application level with appropriate authentication and authorization can minimize the risks of unauthorized access.
But the sheer diversity of the types of attacks, and the multi-level nature of many attacks, requires that IT managers understand how security breaches are instigated and be able to assess and recover from any inflicted damage. That means the only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels (user, application, and network) and at multiple network points.
Enterprise Security Challenge #7: There's no stock blueprint.
Each enterprise has a unique set of business needs and has evolved their networking environment accordingly. That means the right security strategy is more a prescription of functionality and characteristics than a stock blueprint. Security is not a one-size-fits-all situation. Neither is it a static implementation, any more than the network or technology remains static.
For general purposes, we can categorize enterprises into three types of security spheres:
The closed enterprise uses logical (e.g. frame relay) or physical private lines between sites, with PC dial access provided selectively for employees needing access into the Internet. Web presence is achieved through an Internet data center provided by a service provider (who is responsible for establishing a secure environment). The organization also provides conventional dial access for remote employees (e.g. working from a hotel). The company uses private e-mail among employees with no external access. Wireless LANs are also starting to be used.
Even the closed enterprise has security concerns, not just from disgruntled internal users, but also because there are a number of backdoor exposures. Users with dial access to the Internet from their desktop PCs, employees surfing the Net from laptops they use at home or on the road, and wireless LANs all introduce Internet-related threats. Perhaps the greatest risk comes from the specious belief that the closed enterprise is immune to external risks.
The extended enterprise is an extension of the closed enterprise. Web presence is still achieved via a service provider. Support for remote employee and office access over IP virtual private networks (VPNs) over the Internet is provided, delivering higher speed, lower cost connectivity. The enterprise provides general-purpose access for all employees into the Internet, allowing them to leverage the abundance of business-related information available on the Internet. Inter-working between the internal e-mail system and the rest of world is provided.
The open enterprise leverages the Internet by allowing partners, suppliers, and customers to have access to an enterprise-managed Internet Data Center, even allowing selective access to internal databases and applications (e.g. as part of a supply chain management system). Internal and external users access the enterprise network from home, remote offices, or other networks using wired or mobile devices.
For the extended enterprise, the diversity of supported services and access mechanisms translates into multiple paths into the
enterprise network, and in turn increases the risk. Naturally, that risk increases exponentially with the open enterprise, which
has the greatest susceptibility to application-layer and network-layer threats, unauthorized access, and eavesdropping.
Infrastructure, applications, and network management systems are equally vulnerable.
Figure 1. Generic Enterprise types (diagram with three panels: closed enterprise, extended enterprise, open enterprise; labelled elements include enterprise network, customers, employees, partners, Internet, ASP Data Center, dedicated WAN, PC dial-in access, PC Internet dial-out, outsourced Web site, private e-mail, Internet Data Center, remote access and office IP-VPNs, employee Internet access, interworked e-mail, controlled partner and select customer access, connectivity boundaries lowered)
Enterprise Security Challenge #8: Frisking everybody and everything takes time.
Anyone who has traveled by airplane knows that the trade-off for enhanced security is delay. The more closely you inspect bags and travelers, the longer the lines at security.
On enterprise networks as well, turning up the full complement of security features can slow Web servers to a crawl as they bog down with processing-intensive encryption, decryption, key management, and more. Bolting IP-VPN capabilities onto legacy routers brings its own brand of performance penalty. Voice applications, such as live Webcasts and Voice over IP, are very sensitive to delay and jitter and are therefore dramatically affected by traditional security mechanisms.
Enterprise Security Challenge #9: Grace under fire is a requirement.
In the context of security, reliability and survivability have somewhat different meanings. Network reliability ensures that the network continues to operate in spite of incidental failure of software and/or hardware components. Network survivability means the network continues to operate, delivering essential services in a timely manner, while battling security threats, even if parts of the network are unreachable or disabled due to overt attack.
Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date.
Organizations must view security as a steady process and evolving way of thinking about how to protect systems, networks, applications, and resources. Reduce risk by continually and steadily making progress in identifying and addressing vulnerabilities and security policy holes. Corporations and government institutions must be able to determine what is at stake when security measures fail, how to detect security breaches, and what to do about them.
This process also entails continual training and awareness, since breaches of security policy are usually caused by human error or carelessness. Employees, managers, and administrators must all be aware of established security policies and best practices.
The good news is that enterprise networks can minimize their risks from unauthorized users without sacrificing performance for legitimate users. Part II of this document shows how the Nortel Networks Unified Security Architecture addresses these Top Ten challenges.
Figure 2. Enterprises need a security framework to optimally use IT techniques, tools, and methodologies against attackers (diagram of a protected enterprise network; possible attacks: authorization threats, IP spoofing, network sniffers, denial of service, intrusion, bucket brigade attacks, back door traps, data modification, masquerading; protections: anti-virus software, deep packet filtering, digital certificates, IPsec and SSL encryption, firewalls, network and host-based Intrusion Detection Systems (IDS))
Part II. The Nortel Networks Unified Security Architecture
What can security IT professionals do about the Top Ten challenges?
The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of best recommendations for end-to-end enterprise network security, addressing all the Top Ten challenges:
The Internet was designed to share, not to protect. So the Unified Security Architecture defines virtual private networks, virtual LANs, firewalls, encryption, and other mechanisms that enable enterprises to reduce the risk of being Internet-connected.
Security is not optional. The Unified Security Architecture upgrades enterprise security programs and infrastructures to comply with business, ethical, and regulatory mandates to protect data integrity and confidentiality.
The bad guys have good guns. The Unified Security Architecture identifies the various tools of the trade, how they operate, and what kinds of protections thwart these attacks.
Security threats recognize no boundaries. The Unified Security Architecture addresses threats on multiple functional and architectural layers, enabling enterprises to flexibly define what needs to be protected, from what kinds of threats, implemented how, and at what layers.
Security depends on people, process, and technology. The Unified Security Architecture calls for developing and enforcing security policies that address technical considerations and human aspects of security, such as staff training and process.
It's not enough to guard the front gate. The Unified Security Architecture begins with perimeter firewall defense and documents security provisions all the way to the individual user and application.
There's no stock blueprint. The Unified Security Architecture defines the required functionality and offers enterprises broad choice in which functions to implement, to what degree, using what platforms and protocols.
Frisking everybody and everything takes time. The Unified Security Architecture introduces purpose-built security products that use load-balancing, health-checking, and innovative acceleration technologies to minimize latency.
Grace under fire is a requirement. The Unified Security Architecture defines ways to segregate critical resources and sustain performance even under attack.
Security is a closed-loop process with an open-ended date. The Unified Security Architecture calls for policy management to be a process of continuous feedback and improvement, reflecting the latest industry knowledge and best practices.
The comprehensive security strategy set forth in this document is based on seven key principles:
1. Multi-layer security that defines security protection functions at application, network-assisted, and network security levels, in a layered architecture that can be flexibly defined and implemented.
2. Variable-depth security across the enterprise, not just at the edge of the Internet: for example, from firewall perimeter defense, to VPNs to protect Internet-traversing traffic, and to VLANs to segregate traffic within a network.
3. Closed-loop policy management, including configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen by the end user application.
4. Uniform access management, including stringent authentication and roles-based authorization of access to all resources for all users, with granular access policies defined at the application level and managed enterprise-wide.
5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying other recommended security mechanisms to operational activities.
6. Secure multimedia communications, protected by encrypting the data, voice, and video payload without introducing delays that this real-time traffic cannot tolerate.
7. Survival under attack, for instance, by using resilient architectures with no single point of failure, and applying intrusion-detection systems, anti-virus software, content filtering, and ongoing vigilance as attackers continue adopting new weaponry.
Figure 3. Principles behind Nortel Networks Unified Security Architecture (diagram: layered security, variable-depth security, closed-loop policy management, uniform access management, securing network operations, securing multimedia communications, survivability under attack, arranged around the Unified Security Architecture)
The principles underpinning the Unified Security Architecture offer enterprises a security blueprint to use as they move towards increasingly open environments. Let's take a look at each of the seven key principles of the Unified Security Architecture.
2.1. Multi-layer security across application and network levels
Recognizing the multi-layered, interdependent nature of enterprise networks, and the critical need for security at more than the application level, the Nortel Networks Unified Security Architecture logically organizes security into multiple levels:
The Network Security Layer provides security functions at OSI layers 1 to 3 (physical, link, and data levels).
The Network-Assisted Security Layer provides security functions at OSI layers 4 to 7 (network to application/presentation layers) on top of the network level for added security.
The Application Security Layer provides security in layer 7 of the OSI model, the application layer, and includes all security built into server and storage platforms.
Some functions, such as access lists and VLANs, operate purely at the Network Security Level. Others, such as firewalls, operate at either the Network or Network-Assisted Security Levels, depending on whether they are stateful or not. Others such as SSL (Secure Sockets Layer) can be viewed as network-assisted or application security. The power of the Unified Security Architecture is that industry-defined security functions are leveraged in a structured fashion, tightening security overall.
See Part III, Security in the Real World, for examples of these security layers in action for protecting campus and branch networks, data centers, IP telephony services, and remote access.
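To make the stateful/stateless distinction above concrete, here is an added example (not from this paper or from any Nortel product) that runs one constructed packet trace through a stateless access list, which sees only each packet's own headers, and a stateful firewall, which also remembers the flows the inside opened. The internal address range, the hosts, ports and the trace are all constructed for the demonstration.

```python
"""Added example: the same filtering function at two security levels.

A stateless access list decides per packet from that packet's headers
(Network Security Layer). A stateful firewall also remembers which flows
the inside opened and admits inbound packets only when they answer one
(Network-Assisted Security Layer). Addresses, ports and the trace below
are constructed for the demonstration, not taken from any real network.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed internal address space; every other address counts as outside.
INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" (SYN), "SA" (SYN/ACK), "A", "F", "R"


def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def direction(pkt: Packet) -> str:
    """'out' for inside->outside, 'in' for outside->inside, 'other' otherwise."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "out"
    if is_inside(pkt.dst) and not is_inside(pkt.src):
        return "in"
    return "other"


def stateless_acl(pkt: Packet) -> str:
    """Network Security Layer: every decision uses only this packet's headers."""
    d = direction(pkt)
    if d == "out":
        return "permit"
    if d == "in" and pkt.dport >= 1024:
        # Replies to internal clients come back to ephemeral ports, and a
        # stateless list cannot tell a reply from a fresh connection attempt,
        # so it has to admit every inbound packet aimed at a high port.
        return "permit"
    return "deny"


class StatefulFirewall:
    """Network-Assisted Security Layer: tracks flows the inside opened and
    admits an inbound packet only when it answers one of them."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        d = direction(pkt)
        if d == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.flows.add(key)        # new outbound connection
            elif "R" in pkt.flags or "F" in pkt.flags:
                self.flows.discard(key)    # the inside tore the flow down
            return "permit"
        if d == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "permit"                # reply to a tracked outbound flow
        return "deny"


# Constructed trace: one legitimate web fetch, then unsolicited inbound packets.
TRACE = [
    Packet("10.1.1.5", 40000, "203.0.113.7", 80, "S"),    # client opens to web server
    Packet("203.0.113.7", 80, "10.1.1.5", 40000, "SA"),   # the server's reply
    Packet("203.0.113.9", 4444, "10.1.1.5", 8080, "S"),   # unsolicited, high port
    Packet("203.0.113.9", 4444, "10.1.1.5", 22, "S"),     # unsolicited, low port
    Packet("203.0.113.7", 80, "10.1.1.6", 40000, "SA"),   # "reply" nobody asked for
]


def run_trace(trace: list[Packet]) -> list[tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.filter(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (acl, fw) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]  "
              f"stateless={acl:6}  stateful={fw}")
```

Packets 3 and 5 are the point: the stateless list must permit them because their headers look like replies, while the stateful filter denies them because no inside host opened a matching flow.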
Hardening server operating systems
Within the application level of the multi-layer security framework, a key element is hardening the multiple
operating systems used in network and user applications, such as OSs for data communications devices, servers,
network management systems, IP telephony servers, and more.
In an increasingly open, multivendor IT environment, network elements are frequently based on commercially available OSs. For example, Nortel Networks CallPilot unified messaging system, Symposium Contact Centers, and
Business Communications Manager use a hardened version of Windows NT with off-the-shelf security software for
functions such as anti-virus protection, intrusion-detection, and login audits. Nortel Networks Succession CSE 1000
and Meridian IP-enabled PBX portfolios are built on an embedded real-time OS called VxWorks. The Nortel
Networks Succession CSE MX system is built on UNIX.
Procedures for hardening the OSs in Nortel Networks products are provided in our documentation. For third-party
operating systems where no specific hardening guide exists, consult the OS vendor for the latest OS hardening patches
and procedures.
Figure 4. Unified Security Architecture (figure; layers: Application Security, Network-Assisted Security, Network Security; cross-cutting elements: Network Mgmt. Security, Secure Access Mgmt., Policy Management; user groups: End users, Operators, Partners, Customers)
The remaining elements of the architecture, discussed in the sections to follow, are inter-related and somewhat orthogonal to
these layers. The table below illustrates how common security technologies map to the elements of Nortel Networks Unified
Security Architecture.
2.2. Variable-depth security
Defining security policy at multiple network levels produces a security strategy where each security level builds upon the
capabilities of the layer below and provides finer-grained security the closer you get to resources.
VLANs (Virtual LANs) provide basic network compartmentalization and segmentation, enabling business functions to
be segregated in their own private local area networks, with cross-traffic from other VLAN segments strictly controlled
or prohibited. The use of VLAN tags enables the segregation of traffic into specific groups such as Finance, HR, and
Engineering, separating their data without leakage between disparate functions.
Perimeter and distributed firewall-filtering capabilities provide another level of protection at strategic points within the
network. Firewalls enable the network to be further segmented into smaller areas, and enable secure connections to the public
network. Firewalls limit access to inbound and outbound traffic to the protocols and authentication methods that are explicitly
configured in the firewall. Firewalls that support Network Address Translation (NAT) enable optimization of IP addressing
within the network as specified in RFC 1918 (Address Allocation for Private Internets).
Firewalls provide an extra layer of access control that can be customized based on business needs. Distributed firewalls add the
benefit of scalability. Personal firewalls can be deployed on end-users' systems to protect application integrity.
Figure 5. Security functionality mapping to the Unified Security Architecture

Security functionality                Network Security   Network-assisted Security   Application Security
Layer 2 VPN, EAP, and port security   Yes
Network Address Translation           Yes
Access control list                   Yes
IPsec encryption                      Yes
Secure dynamic routing                Yes
Firewalling                           Yes                Yes
Intrusion detection                                      Yes                         Yes
SSL encryption                                           Yes                         Yes
Content filtering                                        Yes                         Yes
Virus scanning                                           Yes                         Yes

Policy management functionality: Policy Repository, Policy Decision Point, Policy Enforcement Point.
Secure access management functionality: Authentication client, Authentication server, Authentication database.
Network management security functionality: Secure activity logs, Network operator authentication, Access control/operator authorization, Encryption, Secure remote access, Firewalls, Intrusion detection, OS hardening, Virus-free software.
Several methods can be used to authenticate a user, such as: permanent or one-time passwords, biometric techniques, smart
cards, and certificates. Password-based authentication must use strong passwords that are at least eight characters in length with
at least one alphabetic, one numeric, and one special character.
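A composition check for the password policy stated above, as an added example (not code from the paper). The policy does not define "special character"; the check below takes it to mean any printable character that is neither a letter nor a digit, which is an assumption.

```python
"""Password-composition check for the stated policy: at least eight characters,
with at least one alphabetic, one numeric and one special character. Added
illustration, not code from the paper. "Special" is assumed to mean any
printable character that is neither a letter nor a digit."""

MIN_LENGTH = 8


def password_policy_violations(password):
    """Return the names of the rules the password fails (empty list = acceptable)."""
    checks = [
        ("length",  len(password) >= MIN_LENGTH),
        ("alpha",   any(c.isalpha() for c in password)),
        ("numeric", any(c.isdigit() for c in password)),
        ("special", any(not c.isalnum() and not c.isspace() for c in password)),
    ]
    return [name for name, passed in checks if not passed]


def is_acceptable(password):
    return not password_policy_violations(password)


if __name__ == "__main__":
    for candidate in ("password", "Abc1!", "12345678", "Tr0ub4dor&3"):
        print(repr(candidate), password_policy_violations(candidate) or "ok")
```

Returning the list of failed rules rather than a bare boolean lets the enrollment screen tell the user which requirement was missed, without echoing the password itself into any log.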
Where stronger authentication is required, password authentication can be combined with another authentication and authorization process based on protocols such as RADIUS and LDAP to provide authentication, authorization, and accounting (AAA)
services. Additionally, key management can be based on Internet Key Exchange (IKE), and certificate management on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and
Simple Certificate Validation Protocol (SCVP).
In defining access privileges on all ports and devices, the concept of least privilege should be applied, granting access only as
needed.
Open and extended enterprises face the greatest challenges when designing access management policy. They require fine-
grained rules that properly interface with identity directories and databases, multiple authentication systems such as RADIUS,
and various hosts, applications, and application servers.
The system should perform session management per user after the user is authenticated, and use flexible configuration and
policy enforcement with fine-grained rules, capable of dealing with specific objects. Unique accounts for each administrator should be used, with accountability for actions traceable to individuals, to provide for appropriate monitoring, accounting, and
secure audit trails.
For more information about authentication and authorization, see section 2.9, A closer look at uniform access management.
2.5. Secure network operations
On the one hand, network management is like other data applications, running on servers and workstations, complemented by
application-level security and taking advantage of network-level and network-assisted security. On the other hand, network
operators are specialized users who should be subject to more stringent authentication and authorization procedures.
Because of the greater access authority and functional privilege granted to network management personnel, their access and
activities must be carefully secured to protect network configuration, performance, and survivability. The more open the enterprise and the more centralized the network management system, the greater the requirement for stringent security for network
management processes.
Secure network management requires a holistic approach, rather than a specific security feature set on a network element.
Our Unified Security Architecture recommendations address nine critical areas:
• Secure activity logs
• Network operator authentication
• Authorization for network operators
• Encryption of network management traffic
• Secure remote access for operators
• Firewalls and VLANs to partition the network
• Intrusion detection
• Hardening operating systems
• Anti-virus protection
Secure activity logs provide a verifiable audit trail of user or administrator activities and events generated by network devices.
Security activity logs must contain sufficient information to establish individual accountability, reconstruct past events, detect
intrusion attempts, and perform after-the-fact analysis of security incidents and long-term trend analysis. Activity log information helps identify the root cause of a security problem and prevent future incidents. For instance, activity logs can be used to
reconstruct the sequence of events that led up to a problem, such as an intruder gaining unauthorized access to system
resources, or a system malfunction caused by an incorrect configuration or a faulty implementation. Syslog is the most common mechanism used by equipment vendors; Syslog works with all third-party log analyzer systems. Because the information contained in activity logs can be used to compromise a network, this log information itself must be secured.
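The uses the paragraph lists for activity logs (individual accountability, reconstructing a sequence of events, detecting intrusion attempts) can be shown on a few syslog lines. The following is an added example, not code from the paper: the log lines are constructed, and the message formats ("FAILED LOGIN user=... from=...", "config: user=... command=...") are invented for the illustration, so the expressions would need adjusting to a real device's syslog output.

```python
"""Parsing and analysis of device activity logs in syslog format. Added
illustration, not code from the paper; the log lines below are constructed and
the message formats are invented for the example, so the regular expressions
would need adjusting for a real device's syslog output."""
import re
from collections import Counter

# Constructed sample: a burst of failed operator logins from one source,
# followed by a successful login and a configuration change.
SAMPLE_LOG = """\
Mar  3 09:14:02 core-sw1 login: FAILED LOGIN user=admin from=10.0.9.45
Mar  3 09:14:05 core-sw1 login: FAILED LOGIN user=admin from=10.0.9.45
Mar  3 09:14:09 core-sw1 login: FAILED LOGIN user=admin from=10.0.9.45
Mar  3 09:14:12 core-sw1 login: FAILED LOGIN user=root from=10.0.9.45
Mar  3 09:14:20 core-sw1 login: LOGIN user=admin from=10.0.9.45
Mar  3 09:15:01 core-sw1 config: user=admin command="no ip access-list mgmt-only"
Mar  3 09:30:44 core-sw1 login: LOGIN user=noc-bob from=10.0.1.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+): (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(text):
    """Turn raw lines into event dicts; key=value pairs in the message become fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # unparseable line; count these in real use
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["msg"])}
        events.append({"ts": m["ts"], "host": m["host"], "prog": m["prog"],
                       "msg": m["msg"], **fields})
    return events


def is_failed_login(e):
    return e["prog"] == "login" and e["msg"].startswith("FAILED LOGIN")


def failed_login_bursts(events, threshold=3):
    """(host, source) pairs with at least `threshold` failed logins: likely password guessing."""
    counts = Counter((e["host"], e["from"]) for e in events if is_failed_login(e))
    return {key: n for key, n in counts.items() if n >= threshold}


def success_after_failures(events):
    """Successful logins from a source that had already failed on the same host."""
    seen_failures = set()
    hits = []
    for e in events:
        if e["prog"] != "login":
            continue
        key = (e["host"], e["from"])
        if is_failed_login(e):
            seen_failures.add(key)
        elif key in seen_failures:
            hits.append((e["ts"], e["host"], e["user"], e["from"]))
    return hits


def timeline(events, host, user):
    """Reconstruct, in order, everything recorded for one account on one host."""
    return [(e["ts"], e["prog"], e["msg"]) for e in events
            if e["host"] == host and e.get("user") == user]


def config_changes_by(events, user):
    """Configuration commands attributed to one account (individual accountability)."""
    return [e["command"] for e in events
            if e["prog"] == "config" and e.get("user") == user]


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    print("bursts:", failed_login_bursts(evs))
    print("success after failures:", success_after_failures(evs))
    print("admin config changes:", config_changes_by(evs, "admin"))
```

The burst detector and the success-after-failures check are the "detect intrusion attempts" use; the timeline and per-user configuration list are the "reconstruct past events" and accountability uses. Note that the analysis only holds if the log itself is trustworthy, which is the point of the paragraph's last sentence: the collector and transport need the same protection as the management traffic discussed next.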
Network operator authentication based on strong centralized administration and enforcement of passwords ensures that only
authenticated operators gain access to management systems. Centralized administration of passwords enables enforcement of
password strength and removes the need for local storage of passwords on the network elements and EMS (Element
Management Systems). RADIUS is the basic mechanism of choice for automating centralized authentication within Nortel
Networks products.
Authorization for network operators uses authenticated identity to determine the user's access privileges: what systems they
can access and what functions they can perform. Techniques based on RADIUS servers provide a basic level of access control. An
additional LDAP server can provide more fine-grained access control if necessary.
Encryption of network management traffic protects the confidentiality and integrity of network management data traffic,
which is especially important with the growing use of in-band network management. Encryption provides a high degree of protection
from internal and external threats, with the exception of the small group of insiders that have legitimate access to encryption
keys.
Encryption between network operations center (NOC) clients and Element Management System (EMS) servers and/or
Network Elements should be provided. This includes SNMP traffic, because there are known vulnerabilities with SNMP v1
and v2, which are intended to be addressed by SNMP v3. Given the widespread deployment of SNMP v1 and v2, IPsec
can be used to secure this traffic.
Depending on traffic type, the security protocols to use for these links are IPsec (IP Security), Secure Shell (SSH), and SSL:
• SSH is an application-level security protocol that can be used in place of IPsec if the traffic consists of Telnet and FTP only, but it cannot normally be used to protect other traffic types.
• The IPsec protocol runs between the network layer (Layer 3) and the transport layer (Layer 4) and is the preferred protocol to protect any type of data traffic, independent of applications and protocols. External IPsec VPN devices, such as
Nortel Networks Contivity Secure IP Services Gateways, can be used in various parts of the network to secure
management traffic.
• SSL technology, integrated into all standard Web browsers, is the de facto standard security protocol to protect HTTP traffic.
Secure remote access for operators: Security must be provided for operators and administrators who manage the network
from a remote location over a public network. Providing a secure virtual private network using IPsec is the mandatory solution,
as this will provide strong encryption and authentication of all remote operators. An IP-VPN product such as Nortel Networks
Contivity Secure IP Services Gateway should be placed at the management system interface and all operators should be
equipped with extranet access clients for their laptops or workstations.
Firewalls and VLANs partition the network to segregate management devices and traffic from other, less confidential systems
such as public Web servers. The firewall controls the type of traffic (defined by protocol, port number, source and destination
address) that can transit the boundary between security domains. Depending on the type of firewall (application versus packet
filtering), firewalls can also filter the application content of the data flow.
Intrusion-detection systems incorporated into management servers defend against network intrusions by warning
administrators of potential security incidents, such as a server compromise or denial-of-service attack.
Hardening operating systems used for network management closes potential security gaps in general-purpose operating
systems and embedded real-time operating systems. OS hardening should use the latest procedures and patches from the
OS manufacturer.
Anti-virus protection involves scanning all in-house and third-party software packages with virus-detection tools before
incorporating the software into a product or network. A rigorous, established process ensures, to the extent possible,
that network management software is virus-free.
Figure 6. Secure connectivity options for network management traffic (figure; elements: NOC VLAN, Network Operating Center, Management Systems, Network devices, Enterprise network, Internet, Management client, Remote Management client, Browser client, Telnet client; links labelled IPsec, IPsec or SSH, SSL, L2; security functions AL, FW, Auth, SSL, IDS, VS)
2.6. Secure multimedia communications
Unified networks can carry voice, data, and video, each with its unique performance requirements and security considerations. When and where to encrypt this traffic is a major consideration, and is a key element of any enterprise security policy.
This can be done on a per-application basis using SSL, on a client-server basis using SSH (Secure Shell), or for all traffic using
IPsec VPN technology. Generally, all traffic over the Internet and wireless LANs and potentially critical information leaving the
premises should be secured via strong encryption technology.
IP telephony represents a particularly important class of application. As with any application, a risk assessment of IP telephony
needs to be done to assess its intrinsic value, the implications of loss understood, and a security policy formulated. We can start
this assessment by making some key observations on telephony and data security in general. First of all, telephony is a critical
business function and therefore, like the network itself, the telephony system as a whole must be protected from security
attacks. Secondly, we trust the public voice network and live with the inherent vulnerability of eavesdropping of public cell
phone systems. Third, we trust PBX networks, the critical components of which are locked away in a telecom room. In addi-
tion, IT organizations have spent a lot of effort to minimize toll fraud and misuse of the voice network for personal calls.
On the data side, we also rely on physical security to ensure that only employees have access to the internal network, and we
trust that information sent over LANs, campus nets, and over private WANs running over physical and virtual private lines are generally secure. Outside of the confines of the enterprise network, most enterprises have established security policies that all
internal data transmissions to employees and remote offices over the Internet need to be encrypted and authenticated.
Likewise, critical customer interactions over the Web are protected via SSL. From a user perspective, keeping it simple has been
the objective.
The Nortel Networks Unified Security Architecture for IP telephony follows the guidelines below:
• Enterprise IP telephony is operated within the confines of the enterprise, inter-working with the public network over circuit-switched connections. End-to-end VoIP connectivity between public phones and phones within the enterprise is not considered in this version of the document.
• The IP networking infrastructure that supports IP telephony must be secure from a data perspective and engineered to meet the stringent latency and reliability requirements of telephony.
• IP telephony communications servers are business-critical and must be physically secure and protected from internal and external attack.
• Secure authentication of VoIP clients must be provided. While data users may expect to log in with multiple user IDs and passwords, they won't tolerate that authentication requirement for every phone call. Generally, telephony users have only been required to authenticate themselves for off-net access using a feature set called Direct Inward System Access (DISA).
• Encryption of voice is only a requirement when traversing a shared-media LAN or the Internet.
• Security must be holistic and span the entire telephony environment, including VoIP clients and servers, application servers (such as for unified messaging and contact centers), and traditional PBXs.
Encryption can be achieved with VPN techniques using IPsec, with Authentication Header (AH) and Encapsulating Security
Payload (ESP), tunneling through the use of Layer 2 Tunneling Protocol (L2TP), key management based on Internet Key
Exchange (IKE), and certificate management based on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP). SSL and
Transport Layer Security (TLS) protect communications at the application layer.
Standards-based encryption algorithms and hashes such as DES, 3DES, AES, RSA, and DSA should be used; MD5 and SHA-1 should be used
for message integrity, and Diffie-Hellman and RSA for key exchange.
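A practitioner's caveat on "MD5 and SHA-1 for message integrity": a bare hash gives no integrity against anyone who can alter the packet, because they can recompute it. What IPsec AH and ESP actually use with these hashes is a keyed construction, HMAC, truncated to 96 bits (HMAC-MD5-96 in RFC 2403, HMAC-SHA-1-96 in RFC 2404). The following added example, not code from the paper, shows the difference on a constructed management message; the shared key and messages are made up.

```python
"""Why message integrity needs a keyed MAC rather than a bare hash. Added
illustration, not code from the paper. It uses the construction IPsec AH/ESP
apply to the hashes named in the text: HMAC with the output truncated to
96 bits (RFC 2403 for HMAC-MD5-96, RFC 2404 for HMAC-SHA-1-96). The key and
messages are constructed for the example."""
import hashlib
import hmac


def plain_digest(message, alg="sha1"):
    """Unkeyed hash: anyone who can alter the message can recompute this."""
    return hashlib.new(alg, message).digest()


def hmac96(key, message, alg="sha1"):
    """HMAC truncated to the leftmost 96 bits (12 bytes), as in IPsec AH/ESP."""
    return hmac.new(key, message, alg).digest()[:12]


def verify_hmac96(key, message, tag, alg="sha1"):
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(hmac96(key, message, alg), tag)


def tamper_demo(key=b"example-shared-key-not-for-real-use"):
    """Return (unkeyed hash accepts forgery, HMAC accepts forgery, HMAC accepts genuine)."""
    original = b"SET route 10.20.0.0/16 via 10.0.0.1"
    altered = b"SET route 10.20.0.0/16 via 10.0.0.9"   # next hop changed in transit

    # Sender protects the original message with a keyed tag.
    sent_mac = hmac96(key, original)

    # Someone who can change the message in transit can also recompute an
    # unkeyed hash, so the receiver sees a "valid" (message, hash) pair ...
    received_msg, received_hash = altered, plain_digest(altered)
    hash_accepts_forgery = hmac.compare_digest(plain_digest(received_msg), received_hash)

    # ... but without the key only the old MAC can be replayed, and it no longer matches.
    mac_accepts_forgery = verify_hmac96(key, altered, sent_mac)
    mac_accepts_genuine = verify_hmac96(key, original, sent_mac)
    return hash_accepts_forgery, mac_accepts_forgery, mac_accepts_genuine


if __name__ == "__main__":
    print(tamper_demo())   # expected (True, False, True)
```

The same code runs with `alg="md5"` for the HMAC-MD5-96 variant. MD5 and SHA-1 are no longer recommended for new designs, but the keyed-versus-unkeyed distinction is independent of the hash chosen.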
Wired Equivalent Privacy (WEP), as defined in the 802.11 standard, is a technique to protect over-the-air transmission between wireless LAN (WLAN) access points and network interface cards (NICs). This protocol has been shown to be
insecure. IEEE 802.11 is working on standardizing encryption improvements for WLANs. Therefore, added measures of
protection such as IPsec must be used to secure WLAN traffic over WEP.
2.7. Network survivability under attack
The typical enterprise network supports mission-critical operations and is essential for conducting business. That means the
network must continue to operate, delivering essential services in a timely manner, while battling security threats, even if
parts of the network are unreachable or disabled due to overt attack.
This kind of survivability starts by logically organizing network services into at least two categories, essential services and non-essential services, and defining strategies that enable these services to resist, address, and recover from attacks. The most effective approaches combine multiple resistance, identification, and recovery strategies in an adaptable manner that responds to
changing network conditions. For example, the network can re-route traffic from one server to another if an intrusion or an
attack is detected on the first server. That means an effective survivability plan is holistic; it spans management systems, hosts,
applications, routers, and switches across the network.
Naturally, the first line of resistance to attacks is strong access control through authentication and encryption. Keep intruders
out at the first point of entry, if possible. Message and packet filtering and network and server segmentation provide strong
secondary defenses. Intrusion-detection systems identify attacks in progress. Faithful attention to backup techniques enables
rapid system and network recovery after a successful system breach.
This includes high availability through redundancy of critical security functions, such as through the use of application
switches, which provide redundancy between intrusion-detection servers. Additional techniques include the encryption of all
mission-critical traffic, multi-link trunking (MLT), virtual router redundancy protocol (VRRP), dual/mirroring of disk drives,
backup CPUs, backup power supplies, and hot-swappable components. These mechanisms provide a higher level of confidence
in the survivability of critical applications (such as IP telephony).
2.8. The closed-loop policy management reference model
The Nortel Networks Unified Security Architecture is based on the IETF architectural framework for policy management
(RFC 2753). In this model, policy management is implemented across the network and at all levels (application, network-
assisted, network), and is applicable to all types of users and applications.
Figure 7. Policy management within the Unified Security Architecture (figure; elements: Policy management console, Policy repository, Policy server / Policy Decision Point (PDP), Policy Enforcement Point (PEP) in network devices; LDAP between console, repository and policy server; COPS-PR, SNMP, CLI between PDP and PEP; enforcement functions Auth, NAT, CF, FW, AL, L2)
The IETF policy management model uses these key elements and protocols:
Policy Decision Points (PDPs) or policy servers abstract network policies into specific device control messages, which are
then passed to policy enforcement points. These policy servers are often standalone systems running Unix or Windows
NT/2000, controlling switches and routers within an administrative domain; they communicate with these devices using a
control protocol (e.g., COPS, SNMP Set commands, Telnet, or the device's specific Command Line Interface, CLI).
A Policy Enforcement Point (PEP) is a network or security device that accepts a policy (configuration rules) from the Policy
Decision Point and enforces that policy against network traffic traversing that device. This enforcement leverages network and
network-assisted security mechanisms as appropriate.
Common Open Policy Service (COPS) is a simple query-and-response, stateful, TCP-based protocol that exchanges policy
information between a Policy Decision Point (PDP) and its clients, Policy Enforcement Points (PEPs). It is specified in
RFC 2748. COPS relies on the PEP to establish connections to a primary PDP (and a secondary PDP when the primary
is unreachable) at all times. Alternatively, a COPS proxy device can be used to translate COPS messages originating from a
policy server into SNMP or CLI commands understood by network and security devices.
The COPS protocol supports two different extension models for policy control: a dynamic outsourcing model COPS-RSVP,
specified in RFC 2749, and a configuration or Provisioning model COPS-PR, specified in RFC 3084. Provisioning extensions to the COPS protocol allow policies to be installed on the PEP up front by the PDP, thus allowing the PEP to make policy
decisions for data packets based on this pre-provisioned information. Further communication between the PDP and PEP is
necessary to keep policies provisioned in the data repository (i.e. the directory) in sync with those sent to the PEP.
The Policy Repository stores all policy information in a network directory. It describes network users, applications, computers,
and services (i.e., objects and attributes), and the relationships between these entities. There is tight integration between IP
address and the end user (via Dynamic Host Configuration Protocol, DHCP, and the Domain Name System, DNS). This policy
repository is usually implemented on a special-purpose database machine running Unix or Windows NT/2000 accessed by
policy servers via LDAP.
The Policy Repository stores relatively static information about the network (such as device configurations), whereas policy servers store more dynamic network state information (such as bandwidth allocation or information about established connections). The policy server retrieves policy information from the directory and deploys it to the appropriate network elements.
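The division of labour among repository, PDP and PEP described above can be modelled in a few dozen lines. The following is an added example, not code from the paper and not Optivity Policy Services: a repository holding business-level rules keyed by interface role, a PDP that compiles them into device rules and pre-provisions a PEP (the COPS-PR pattern), and a PEP that decides locally from those rules. It does not implement the COPS-PR or LDAP wire protocols; roles, policies and addresses are constructed, and the ICMP rule picks up the flood-control use case from section 2.8.

```python
"""Toy model of the closed-loop roles described above: a policy repository,
a Policy Decision Point that compiles abstract policy into device rules, and
Policy Enforcement Points that decide locally from pre-provisioned rules.
Added illustration, not code from the paper or Optivity; it does not speak
COPS-PR or LDAP, and the roles, policies and addresses are constructed."""
import copy
from ipaddress import ip_address, ip_network

# Policy repository: business-level rules keyed by interface role, plus a
# version number so the PDP can tell whether a PEP is in sync with it.
REPOSITORY = {
    "version": 1,
    "policies": [
        # Drop ICMP at user ports (the flood-control case discussed in the text).
        {"role": "user-edge", "action": "deny",   "proto": "icmp", "dst": "0.0.0.0/0"},
        {"role": "user-edge", "action": "permit", "proto": "tcp",  "dst": "10.20.0.0/16"},
        {"role": "mgmt-edge", "action": "permit", "proto": "any",  "dst": "10.99.0.0/24"},
    ],
}


class PDP:
    """Policy Decision Point: turns repository policy into per-device rule sets."""
    def __init__(self, repository):
        self.repo = repository

    def compile_for(self, roles):
        rules = [(p["action"], p["proto"], ip_network(p["dst"]))
                 for p in self.repo["policies"] if p["role"] in roles]
        rules.append(("deny", "any", ip_network("0.0.0.0/0")))   # implicit final deny
        return self.repo["version"], rules

    def provision(self, pep):
        """Push (pre-provision) the compiled rules to a PEP, COPS-PR style."""
        version, rules = self.compile_for(pep.roles)
        pep.install(version, rules)

    def in_sync(self, pep):
        return pep.version == self.repo["version"]


class PEP:
    """Policy Enforcement Point: a switch/router whose interfaces carry given roles."""
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)
        self.version = None
        self.rules = []

    def install(self, version, rules):
        self.version, self.rules = version, list(rules)

    def decide(self, proto, dst):
        """Local decision; no round trip to the PDP is needed per packet."""
        for action, rproto, net in self.rules:
            if rproto in ("any", proto) and ip_address(dst) in net:
                return action
        return "deny"


def demo():
    """One provisioning cycle, a policy change at the console, and re-sync."""
    repo = copy.deepcopy(REPOSITORY)
    pdp = PDP(repo)
    edge = PEP("edge-sw3", ["user-edge"])
    pdp.provision(edge)
    before = (edge.decide("icmp", "10.20.1.1"),   # deny: ICMP flood control
              edge.decide("tcp", "10.20.1.1"),    # permit
              edge.decide("tcp", "10.99.0.5"))    # deny: mgmt net, not a mgmt role
    # An operator adds a policy at the console; the repository version moves on.
    repo["policies"].append({"role": "user-edge", "action": "permit",
                             "proto": "tcp", "dst": "10.99.0.0/24"})
    repo["version"] += 1
    stale = pdp.in_sync(edge)                 # False until re-provisioned
    pdp.provision(edge)
    after = edge.decide("tcp", "10.99.0.5")   # now permit
    return before, stale, pdp.in_sync(edge), after


if __name__ == "__main__":
    print(demo())
```

The version check is the point the text makes about keeping the repository and the PEP in sync: once the directory changes, the pre-provisioned rules on the device are stale until the PDP pushes again, and the PEP keeps enforcing the old policy in the meantime.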
There is no established standard to describe the structure of the directory database, i.e., how network objects and their attributes are defined and represented. A common directory schema is needed if multiple vendor applications are to share the same
directory information; for example, all vendors need a common way to interpret and store configuration information about
routers. The forthcoming Directory-Enabled Networking (DEN) standard, now being developed by the DMTF (Desktop
Management Task Force), addresses this need. DEN includes an information model that provides an abstraction of profiles and
policies, devices, protocols, and services. This provides a unified model for integrating users, applications, and networking services, and an extensible service-oriented framework.
The Lightweight Directory Access Protocol (LDAP version 3) is specified in RFC 2251. LDAP is a client-server protocol for accessing a directory service. The LDAP information model is based on the entry, which contains information about some
object (e.g., a person), and is composed of attributes, which have a type and one or more values. Each attribute has a syntax
that determines what kinds of values are allowed in the attribute and how those values behave during directory operations.
The last element is the policy management console, generally running on a personal computer or workstation, that provides
the human interface to the policy management system. A Web browser can be used to provide manager access from virtually
anywhere, with policy object-level security used to limit which policies can be modified by a specific individual. The console
provides a graphical user interface and the tools to define network policies as business rules. It may also give the operator
access to lower-level security configurations in individual switches and routers.
These elements of the IETF policy management reference model interoperate to deliver closed-loop policy management. This
includes configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen
by the end-user application. Enforcement of policies in the network includes admission controls of applications or users vying
for access to network resources. Sound policy management based on this model simplifies the configuration management environment inside enterprises and minimizes the chance of human error.
Policy Management through Nortel Networks Optivity Policy Services
Nortel Networks is leading the way in delivering policy-enabled networking to enterprise customers. For example, Nortel
Networks Optivity Policy Services (OPS) is a system-level software application that manages security parameters and traffic
prioritization. Optivity Policy Services enables a proactive approach to bandwidth management, security, and prioritization of
business-critical traffic flows across the enterprise. Rather than applying policies to control traffic on a per-device basis, OPS
takes a centralized systems approach to policy configuration and deployment that ensures consistency across the network while
lowering total cost of ownership.
Based on the IETF policy architecture, Optivity Policy Services supports the major IETF policy management standards,
including COPS-PR, LDAP, Diffserv, and IEEE 802.1p. OPS uses COPS-PR to pre-provision routers and switches with policy
information based on Roles reported in from the PEP. Roles are a logical abstraction of the device's interfaces for policy management purposes. With the ability to manage up to 1,000 devices per server and 20,000 devices per system, OPS reliably
delivers QoS and security policies in large networks. Moreover, OPS uses LDAPv3 to support redundant data storage,
preserving valuable policy information.
As the number of denial-of-service attacks on networks increases, a centralized mechanism to limit potentially dangerous traffic
flows is important. OPS makes it easy to set policies for metering traffic. For example, many denial-of-service attacks occur
when too many packets of a certain protocol type (such as ICMP) flood a device. OPS policies can control that flow of traffic.
With its Advanced Security Provisioning capabilities, OPS can protect valuable network and application assets by enabling the
application of consistent, reliable, and robust security policies. OPS complements existing firewall implementations (e.g.
Alteon) and IP-VPN devices (e.g. Contivity) by adding an extra layer of protection to network resources. OPS features enable
the creation of policies to restrict traffic through a particular policy enforcement point or to deny all traffic on a particular
device. OPS enables control of traffic flows through a device by simply creating admission control policies through a central
Java-based management console.
2.9. A closer look at uniform access management
Secure access management is created through a combination of authentication, authorization, and accounting services, often called AAA.
• Authentication, initiated by an authentication client in a PC or gateway device, positively verifies the identity of a user as a prerequisite to allowing access.
• Authorization determines which system resources are appropriate for that authenticated user to access.
• Accounting capabilities rely on audit logs or records of security-related events for future examination.
This section takes a closer look at authentication and authorization.
Authentication
Authentication systems can be categorized according to the number of identification factors required to ascertain identity.
• Single-factor authentication uses user ID/password combinations to prove identity.
• Two-factor authentication requires two components, usually a combination of something the user knows (such as a password) and something the user possesses (such as a physical token like a SecurID card).
• Three-factor authentication adds a biometric, a measurement of a human body characteristic.
The more authentication factors used, the more secure the process. However, the more factors you add, the more you add
complexity, cost, and management overhead. Every scenario will offer a different break-even point in the trade-off between
simplicity and security.
Single-factor authentication with user ID and password is the most common authentication system today. It's easy to administer, familiar to users, and can provide a high level of security if strong password procedures are enforced. Legacy password
systems have had some challenges, however, since multiple strong passwords are very hard for users to remember. The recommendations in this section will show how this problem can be minimized with a Single Strong Password system.
Tokens such as smartcards and SecurID cards are added as a second factor in many authentication systems, requiring that the
user have physical possession of the token. An attacker would similarly have to have possession of the user's token in order to
gain system access. The higher level of authentication comes with additional system cost, however, due to the necessary tokens
and token readers. In addition, tokens can be easily lost, which can present a high administration overhead for reissuing.
Biometric factors for authentication measure characteristics of the user's body such as fingerprint, handprint, retina, iris, or
voice characteristics. Biometric measurements are a useful additional factor and add an even higher level of authentication security. A biometric authentication system entails a measurement proving who the person actually is, rather than proving they
have something such as a token or proving that they know something such as a password. Unfortunately, biometric measurements are not 100 percent effective; with the present state of the technology, it is possible to register false positives and false
negatives. Biometric authentication systems also require biometric readers at system access points, adding new system costs.
Strong cryptographically-based authentication can be provided through the use of digital certificates issued to users and stored
on tokens or within the user's computer memory. Cryptographic algorithms are used to ensure that a particular certificate has
been legitimately issued to the user. A Public Key Infrastructure is used to enable the issuance and maintenance of digital
certificates. Strong cryptographically-based systems provide very stringent authentication. However, these systems are expensive
and incur additional management overhead. Therefore, they are currently being adopted only in very secure environments.
Authorization
Once authenticated, authorization mechanisms control user access to appropriate system resources. Authorization can be categorized according to the granularity of control; that is, according to how detailed a division is made between system resources.
Fine-grained authorization refers generically to a system where access is controlled to very fine increments, such as to individual
applications or services.
Authorization is often role based whereby access to system resources is based on a persons assigned role in an organization.
The System Administrator role may have highly privileged access to all system resources whereas the General User role would
only have access to a subset of these resources. Finer grained authorization can be applied to define other roles, such as a
Human Resources Administrators role that has exclusive access to confidential HR databases, and an Accounting role that has
exclusive access to accounting systems.
Authorization may also be rules based whereby access to system resources is based on specific rules associated with each user,
independent of their role in the organization. For example, rules may be set up to allow Read Only access or Read/Write access to all or certain files within a system, or access only during certain times or from certain devices.
Authentication and authorization protocols
Several protocols have been commonly adopted for authentication services. The RADIUS protocol (Remote Authentication
Dial In User Service, IETF RFC 2865) is widely used to centralize password authentication services. Originally designed to
authenticate remote dial-in users, the RADIUS protocol has been adopted for general user authentication services. Recently,
LDAP (Lightweight Directory Access Protocol, IETF RFC 2251) has been finding extensive use in authentication and
authorization systems. LDAP provides a convenient method for storing user authentication and authorization credentials.
RADIUS authentication servers are often coupled with credential storage in LDAP directories to provide centralized authenti-
cation and authorization. When a user attempts to access a particular application on such a system, the application queries the
user for authentication credentials and forwards them to the centralized system. The RADIUS server then checks the presented
credentials against those stored in the LDAP database, and also queries the LDAP database for authorization rule information.
The authentication results (pass or fail) are returned to the application along with authorization rule information for the partic-
ular user. Authorization rules are then enforced at the application to allow the user to access particular data or services. From an end-user perspective, these authentication and authorization systems should be automatic and easy to use.
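The flow just described (application forwards credentials to a central server, the server checks them against a directory and returns pass/fail plus authorization rules, the application enforces the rules) is modelled below in an added example that is not part of the Nortel Networks white paper. It also covers the role-based and rule-based authorization discussed earlier and the recommendation to store passwords only as one-way hashes. The directory stands in for LDAP, the authenticate function for the RADIUS server, and all users, roles, rules and passwords are constructed sample data; the integer hour used for time-of-day rules is a simplification.

```python
"""Added example: toy model of centralized authentication and authorization.
Not the white paper's code; all users, roles and rules are constructed."""
import hashlib
import hmac
import os

# Role-based authorization: each role maps to the resources it may reach.
ROLE_RESOURCES = {
    "system_admin": {"hr_db", "accounting", "fileshare", "mail"},
    "hr_admin": {"hr_db", "fileshare", "mail"},
    "accounting": {"accounting", "fileshare", "mail"},
    "general_user": {"fileshare", "mail"},
}


def hash_password(password, salt=None, iterations=100_000):
    """Store passwords only in one-way hashed form (salted PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


# Constructed directory entries (stand-in for the LDAP store). Each entry
# carries the hashed password, the user's role, and optional per-user rules
# that apply independently of the role (access mode, hours, devices).
DIRECTORY = {
    "alice": {"pw": hash_password("correct horse battery staple"),
              "role": "hr_admin",
              "rules": {"hr_db": {"mode": "rw", "hours": (8, 18),
                                  "devices": {"alice-laptop"}},
                        "fileshare": {"mode": "ro"}}},
    "bob": {"pw": hash_password("hunter2hunter2!"),
            "role": "general_user", "rules": {}},
}


def authenticate(user, password):
    """Stand-in for the RADIUS server: returns (passed, authorization info).
    An unknown user and a wrong password look the same to the caller."""
    entry = DIRECTORY.get(user)
    if entry is None or not verify_password(password, entry["pw"]):
        return False, {}
    return True, {"role": entry["role"], "rules": entry["rules"]}


def authorize(authz, resource, mode="ro", now=12, device=None):
    """Application-side enforcement: the role must grant the resource, and
    any per-user rule for that resource (mode, hours, device) must also pass."""
    if resource not in ROLE_RESOURCES.get(authz.get("role"), set()):
        return False
    rule = authz.get("rules", {}).get(resource)
    if rule is None:
        return True  # no per-user rule: the role alone decides
    if mode == "rw" and rule.get("mode") != "rw":
        return False
    hours = rule.get("hours")
    if hours and not (hours[0] <= now <= hours[1]):
        return False
    devices = rule.get("devices")
    if devices and device not in devices:
        return False
    return True


def access(user, password, resource, mode="ro", now=12, device=None):
    """Complete flow as seen by the application; returns a short audit verdict."""
    ok, authz = authenticate(user, password)
    if not ok:
        return "AUTH_FAIL"
    return "ALLOW" if authorize(authz, resource, mode, now, device) else "DENY"


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(access("alice", pw, "hr_db", "rw", 10, "alice-laptop"))   # ALLOW
    print(access("alice", pw, "hr_db", "rw", 22, "alice-laptop"))   # DENY (outside hours)
    print(access("bob", "hunter2hunter2!", "hr_db"))                # DENY (role)
    print(access("bob", "wrong", "mail"))                           # AUTH_FAIL
```

The split between authenticate and authorize mirrors the paper's point that the central server returns the rules but the application enforces them; the audit verdict is what the recommendation to log authentication and authorization events would record.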
Authentication and authorization recommendations
Nortel Networks recommends the following general principles to be followed when implementing enterprise authentication
and authorization systems:
Use a uniform access management system for end users, network operators, partners and customers, with the appropriate level of authentication and resource access authorization to meet business needs.
Use a centralized authentication mechanism to facilitate administration and remove the need for locally stored passwords, which tend to be static and weak.
Use a centralized authorization system, tightly coupled with the authentication system, with appropriate granularity for the enterprise.
Enforce strong, complex rules for all passwords.
Securely store all passwords in one-way encrypted (hashed) format.
Maintain simplicity to the extent appropriate, for maximum ease of use, ease of administration, and compliance.
Securely log authentication and authorization events for audit purposes.
Figure 8. Secure authentication and authorization reference model (diagram: local wired PC access, a remote IP-VPN office, a remote IP-VPN user, and a WLAN IP-VPN user reach the enterprise network over the Internet through a Secure IP Services Gateway providing IPsec, firewall, authentication, and SRT functions; an application server with centralized authentication consults a centralized RADIUS-based authentication server backed by Level 1 password, Level 2 token, and Level 3 biometric authentication databases; DNS and DHCP servers are also shown)
A Case example: Single Strong Password in the Nortel Networks corporate network
Nortel Networks uses a Single Strong Password approach in its own worldwide network to authenticate internal and external
users, from employees and contractors to joint venture representatives and even customers. The user has one very strong pass-
word that is maintained on a centralized password system and synchronized with applications and systems across the enterprise.
Users only have to remember one password, making the system simple to use and not likely to be bypassed.
Dedicated password servers on several continents manage the system and provide Web-based password management for users
and security administrators. These password servers communicate directly with RADIUS authentication servers. The system
automatically synchronizes passwords across multiple systems and platforms, such as Windows networking, remote access,
UNIX, purchasing, and niche business applications.
The system enables fine-grained authorization at the application level. An internally developed tool enables applications to
access the Single Strong Password system, and a list of users allowed to access each application is stored in the authorization
database. When an application is accessed, the Single Strong Password system authenticates the user and returns authorization
information. The system logs attempted violations of authorization rules and multiple simultaneous logins to geographically
dispersed systems, to detect and prevent misuse.
The Single Strong Password system enforces strict password rules. For example, passwords must contain at least eight characters, both upper and lowercase letters, and at least one number or symbol. Additionally, passwords must not contain dictionary
words of four characters or longer, a previously used password, a password that matches an account name, contain a date or
year, keyboard patterns, or repeating characters. Users are required to change passwords at predefined intervals.
After years of real-world use, Nortel Networks has seen the following advantages of this system:
Single consistent method for setting passwords
Single consistent method for authentication and authorization
Single method for registering and terminating user accounts
Enforcement of corporate password strength guidelines
Consistency across applications, so employees know what to do
Standardization that makes the system easy to support and adopt
Fast, seamless performance through standard interface and APIs
Lower costs, fewer help desk calls
Figure 9. Single password access management in Nortel Networks corporate network (diagram: employees, technicians, contractors, partners, and customers, whether local, remote, wired, or wireless, authenticate through single password access management to a RADIUS server backed by a password authentication database, which fronts RADIUS-enabled enterprise applications such as CRM, SCM, ERP, unified messaging, self-serve benefits, and the expense system)
Part III. Network security in the real world
The previous section outlined key principles and practices of the Nortel Networks Unified Security Architecture.
This section demonstrates this multi-level security framework in action for several real-world scenarios:
Securing the campus network
Securing the data center
Securing the remote office
Securing remote access
Securing IP telephony services
3.1. Securing the campus network
In this context, the term campus describes a corporate headquarters or large regional office where the network uses a mix
of technologies, products, and applications, and serves a large user population. The campus network presents a challenging
security picture because of the diversity of elements to protect:
Servers, including departmental servers for user access and file sharing, central application servers such as finance and databases, and Web servers for either public Web or Intranet applications.
Operating systems, typically multiple versions of multiple operating systems running on servers and clients.
Network devices, including routers, Layer 4-7 load-balancing switches, Layer 3 core switches, Layer 2 distribution switches, and wireless LAN access points.
Security devices, such as firewalls, VPN gateways, intrusion-detection and anti-virus servers, SSL accelerators, authentication servers, and content filtering servers.
Securing the campus network at the network security level
Layer 2 switching security. VLANs based on the IEEE 802.1Q standard and Ethernet switches segregate traffic for greater secu-
rity and manageability. When port-based VLANs are configured, each VLAN is completely separated from the others, particularly those in the same broadcast domain. In order to limit network access, a number of Ethernet switches provide port security that ties a
MAC address list to specific switches or even to ports of those switches and prevents unknown workstations from gaining access. This
list may be built either by auto-discovery or by manual update.
With the general availability of the 802.1x authentication standard, Ethernet switches offer embedded capabilities to apply
security at every node in the network, providing an effective framework for authenticating and controlling user traffic to a
protected network. 802.1x ties a protocol called EAP (Extensible Authentication Protocol, originally developed for PPP) to
LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates,
and public key authentication. It enables enforcement of client authorization on corporate authentication servers like RADIUS.
EAP not only controls Layer 2 port connectivity, but can be extended (as is being done by Nortel Networks) along with secure access management to customize the security (and QoS) end-user profiles of the port for a particular authenticated user. When
a host attempts to log onto the network, the host and an authentication service exchange data via EAP. Under an end-user
profile architecture, the EAP protocol enables the policy server to leverage information in a third-party authentication service
to validate users and assign appropriate network access and QoS (Quality of Service) capabilities.
Layer 2 wireless LAN security. Wireless LANs offer a flexible alternative to regular Ethernet connectivity, but they suffer from
known vulnerabilities. For one, it's hard to control who is really accessing the system. Second, the current Wired Equivalent
Privacy (WEP) 802.11 encryption method is weak.
For both reasons, it is recommended to use VPN technology for wireless LANs and run an IP-VPN client, such as Nortel
Networks Contivity Client, on the wireless device. VPN-based wireless security is platform and radio technology agnostic
that is, the client system establishes a connection to the network via 802.11b, 802.11a, or even Bluetooth, and the VPN takes
over from there. Most of the authentication takes place independently of the wireless network, keeping access point mainte-
nance simple. The VPN can treat the wireless LAN just as the corporate backbone with wireless access points. Users trying to
access the network via the wireless LAN would then be authenticated, their information encrypted, and all communication
logged by the VPN system.
Alternatively, with some WLAN IP phones, encryption and authentication are built in. For example, Nortel Networks has a
strategic partnership with Symbol, whose WLAN IP phones support 128-bit WEP encryption between the client and the
wireless access point, and Kerberos authentication. Combining those approaches provides robust user authentication and
encryption required for WLAN environments.
Layer 3 switching and routing security. Network address translation (NAT) enables an organization to present a public IP
address to the world and hide internal addresses from public view. Processing NAT in hardware with a switch is an innovative
strategy for converting internal addresses into public addresses (and vice versa), making routing and firewall solutions highly
efficient.
Figure 10. Securing the campus network (diagram: the Internet connects through a high-capacity router with NAT and a Switched Firewall to a backbone Layer 2-7 routing switch with Web switching; an IP-VPN Services Gateway provides authentication, firewall, IPsec, and SRT functions; distribution Layer 2-7 routing switches serve the Engineering, Human Resources, and Finance segments and WLAN PCs; campus servers sit behind load-balanced IDS servers, a virus screening server, SSL, content filtering (CF), and application-level (AL) functions; an IP PBX connects to the PSTN)
Proper design and use of routing and Layer 3 switching enhance the survivability of the campus network. Access control lists,
IP segmentation and sub-netting, redundancy protocols such as Virtual Router Redundancy Protocol (VRRP), and fast conver-
gence routing using OSPF (Open Shortest Path First) all contribute to a more survivable infrastructure.
Routers and routing switches secure the data path using IP filters that drop undesirable packets. Routing can be further
secured by implementing route policies, encryption and authentication of OSPF and BGP route updates with MD5, and
broadcast/multicast rate limiting.
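The IP filters and access control lists mentioned above are ordered, first-match rule sets with an implicit deny at the end, and their most common operational defect is a rule that can never fire because an earlier, broader rule covers it. The added example below (not from the white paper or any Nortel Networks product) evaluates a constructed filter for a finance server segment against sample packets and also reports shadowed rules; the subnets, rule order and packets are all constructed.

```python
"""Added example: first-match IP filter evaluation and shadowed-rule audit.
Subnets, rules and packets are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int] = None   # None means any destination port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# Constructed policy applied inbound toward the finance segment 10.20.0.0/24.
FINANCE_ACL = [
    Rule("deny", "any", "10.20.0.0/24", "10.20.0.0/24",
         comment="anti-spoofing: our own prefix must not arrive from outside"),
    Rule("permit", "tcp", "10.30.0.0/24", "10.20.0.0/24", 443,
         "accounting workstations to finance applications over HTTPS"),
    Rule("permit", "tcp", "10.1.1.0/24", "10.20.0.0/24", 22,
         "management subnet SSH"),
    Rule("deny", "any", "10.40.0.0/24", "10.20.0.0/24",
         comment="engineering segment explicitly denied (logged)"),
    Rule("permit", "icmp", "10.0.0.0/8", "10.20.0.0/24",
         comment="diagnostics from the enterprise address space"),
]


def evaluate(acl, pkt):
    """Return (action, rule_index) of the first matching rule, or
    ("deny", None) when no rule matches (the implicit deny)."""
    s = ipaddress.ip_address(pkt.src)
    d = ipaddress.ip_address(pkt.dst)
    for i, r in enumerate(acl):
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if s not in ipaddress.ip_network(r.src):
            continue
        if d not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, i
    return "deny", None


def shadowed(acl):
    """Indices of rules that can never match because an earlier rule already
    covers their protocol, both address ranges and their port."""
    out = []
    for i, r in enumerate(acl):
        for e in acl[:i]:
            if (e.proto in ("any", r.proto)
                    and ipaddress.ip_network(r.src).subnet_of(ipaddress.ip_network(e.src))
                    and ipaddress.ip_network(r.dst).subnet_of(ipaddress.ip_network(e.dst))
                    and (e.dport is None or e.dport == r.dport)):
                out.append(i)
                break
    return out


# A constructed misordered filter: the broad permit hides the specific deny.
MISORDERED_ACL = [
    Rule("permit", "tcp", "10.0.0.0/8", "10.20.0.0/24"),
    Rule("deny", "tcp", "10.40.0.0/24", "10.20.0.0/24", 443),
]


if __name__ == "__main__":
    for p in (Packet("tcp", "10.30.0.5", "10.20.0.10", 443),
              Packet("tcp", "10.40.0.5", "10.20.0.10", 443),
              Packet("tcp", "10.20.0.99", "10.20.0.10", 22),
              Packet("udp", "10.30.0.5", "10.20.0.10", 161)):
        print(p, "->", evaluate(FINANCE_ACL, p))
    print("shadowed in FINANCE_ACL:", shadowed(FINANCE_ACL))
    print("shadowed in MISORDERED_ACL:", shadowed(MISORDERED_ACL))
```

The shadowed-rule check is the kind of review that belongs in change control for filter updates: a deny that is silently unreachable gives a false sense of segmentation between campus departments.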
Last but not least is the innovative Secure Routing Technology (SRT), which enables dynamic routing over secure IPsec tunnels
for RIP and OSPF. Contivity Secure IP Services Gateways implement this dynamic secure routing approach, which is
described later in this document in the Securing Remote Access scenario.
Securing remote communication via IPsec VPNs and SSL extranets. Typically, the campus network also supports VPNs to
connect with branch offices and remote users, carrying private network traffic within a secure, encrypted tunnel carried over
a public network. Robust and secure central site solutions that support both remote access and remote office IP-VPNs and fire-
walls are key elements of the campus network. For more information, see Securing the Remote Office and Securing Remote
Access, later in this section.
Securing the campus network at the network-assisted security level
Perimeter control via firewalls and intrusion-detection servers. The enterprise network often provides employees with
connection to the Internet from the corporate headquarters campus. It is usually centralized in order to more easily protect a
single interface to the public world. That's exactly where perimeter control solutions such as firewalls and intrusion-detection
systems (IDSs) are generally deployed to prevent malicious intrusion by unauthorized persons.
It is highly recommended that firewalls be implemented at every site within an enterprise to secure internal and external traffic,
and at every point of interconnection with the Internet (e.g. even a remote PC). In some cases, it is appropriate to integrate
this functionality with secure IP services gateways used also for remote office and remote access IP-VPNs.
Firewalls provide a perimeter defense against unauthorized access, an essential first step when planning for Internet access.
Firewalls come in various sizes and capabilities, fitting many specific network requirements depending on their point of use.
An emerging trend is to use new, multi-gigabit firewalls to interconnect segments of the campus LAN, which keeps departments separate and enables communication only through firewall security policies.
An IDS monitors the network to identify unauthorized users or suspicious patterns of utilization. Most IDS applications
compare network traffic and host log entries to match data signatures and host address profiles indicative of hackers.
Intrusion-detection software identifies traffic patterns that indicate the presence of unauthorized users. Suspicious activities
trigger administrator alarms and other configurable responses. Nortel Networks partners with best-of-breed companies such
as Internet Security Systems (ISS) to offer specialty software solutions for intrusion-detection.
Content inspection via content filtering and anti-virus systems. These tools provide essential protections for remote and
local computing, and are discussed in more detail in Part III under Securing the Data Center.
Layer 4 to 7 switching and filtering security. Layer 4 to 7 switches provide control services to applications, management,
and traffic to improve resource utilization and performance, ensure security with high performance, provide network scalability,
and provide failsafe network assurance. They are usually deployed near security devices and in server farms. Integrated security
filtering offloads firewall processing of NAT, monitors network activity, protects against denial-of-service attacks and some virus
types such as Code Red / Blue, and protects data without compromising throughput. Nortel Networks Passport 8600 and
Nortel Networks Alteon Web switches offer extensive Layer 4 to 7 capabilities.
Securing the data center at the network-assisted security level
Switched firewalls can now provide multi-gigabit throughput and state-of-the-art filtering to secure and safeguard data center
servers without the performance degradation that typically occurs with deep packet inspection. Switched firewalling introduced
the same level of performance improvements to perimeter security as Layer 3 switching brought to LAN routing. Therefore,
a switch-based firewall is recommended for perimeter security in transaction-oriented environments. The Nortel Networks
Alteon Switched Firewall combines Layer 4-7 cut-through switching with firewall software processing to deliver more than
4 Gbps throughput. Logical demilitarized zones can be created through the use of VLANs.
Secure Sockets Layer (SSL) protocol, built into most browsers and Web servers, is widely used to protect communications
to and from Web applications. Unfortunately, SSL processing is very compute-intensive and significantly reduces server
performance. This results in increased cost and operational complexity when it comes time to scale secure transaction
processing. SSL Accelerators, such as the Nortel Networks Alteon solution, offload SSL processing from local servers without
imposing delays on other traffic in the same data path, and offer a simpler way to deploy and maintain the Public Key
Infrastructure (PKI) required for electronic transactions.
Figure 11. Securing the data center (diagram: the Internet enters through a high-capacity router with NAT and a Switched Firewall into a DMZ containing Web servers with SSL acceleration; a backbone Layer 2-7 routing switch with Web switching and an IP-VPN Services Gateway provide authentication, firewall, IPsec, SRT, application-level (AL), content filtering (CF), and virus screening (VS) functions; load-balanced IDS servers and a virus screening server protect mission-critical and other enterprise applications; a separate management domain holds the LDAP, RADIUS, and DNS servers)
intrusion-detection, anti-virus, and content filtering, tools provide essential protections for online commerce and remote
computing in general. IDS software identifies traffic patterns that indicate the presence of unauthorized users. Anti-virus
software detects and defuses potential cyber attacks. Content filtering software restricts the type of data that can be accessed
or distributed.
IDSs can be broadly categorized according to the following criteria:
Incident detection timeframe: real-time or off-line, depending on whether system logs and network traffic are analyzed as e