Unified Security Architecture for enterprise network...

Source: archive.forumpa.it/archivio/1000/1900/1940/1941/Security Unified... · 20/09/2002

The greater the reach and availability of the network, the greater its vulnerability to threats from within and outside the organization.

The new openness of networked communications introduces new ethical, financial, and regulatory pressures to protect networks and enterprises from internal and external threats and attacks.

Every IT security professional should be up-to-date on the Top Ten challenges to enterprise security—and the latest recommendations to address those challenges.

White Paper

Nortel Networks

Unified Security Architecture for enterprise network security

A conceptual, physical, and procedural framework for high-performance, multi-level, multi-faceted security to protect campus networks, data centers, branch networking, remote access, and IP telephony services.

Contents

Executive summary . . . 3

Part I. The Top Ten challenges to enterprise network security . . . 4
Enterprise Security Challenge #1: The Internet was designed to share, not to protect . . . 4
Enterprise Security Challenge #2: Security is not optional . . . 5
Enterprise Security Challenge #3: The bad guys have good guns . . . 5
Enterprise Security Challenge #4: Security threats recognize no boundaries . . . 6
Enterprise Security Challenge #5: Security depends on people, process, and technology . . . 6
Enterprise Security Challenge #6: It’s not enough to guard the front gate . . . 7
Enterprise Security Challenge #7: There’s no stock blueprint . . . 7
Enterprise Security Challenge #8: Frisking everybody and everything takes time . . . 9
Enterprise Security Challenge #9: Grace under fire is a requirement . . . 9
Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date . . . 9

Part II. The Nortel Networks Unified Security Architecture . . . 10
2.1. Multi-layer security across application and network levels . . . 12
2.2. Variable-depth security . . . 13
2.3. Closed-loop policy management . . . 14
2.4. Uniform access management . . . 14
2.5. Secure network operations . . . 15
2.6. Secure multimedia communications . . . 18
2.7. Network survivability under attack . . . 19
2.8. The closed-loop policy management reference model . . . 19
2.9. A closer look at uniform access management . . . 21

Part III. Network security in the real world . . . 25
3.1. Securing the campus network . . . 25
3.2. Securing the data center . . . 28
3.3. Securing the remote office . . . 31
3.4. Securing remote access . . . 35
3.5. Securing IP telephony services . . . 37

Part IV. Nortel Networks technology and expertise . . . 42
4.1. Design tenets built into the Nortel Networks security portfolio . . . 42
4.2. Expanded choice through partnerships . . . 43
4.3. Security services . . . 44
4.4. Nortel Networks product assurance . . . 44
4.5. Nortel Networks and cross-industry security developments . . . 45

Summary . . . 46

Appendix A. Hackers’ tools of the trade . . . 47

Appendix B. Application and network level threats . . . 49

Executive summary

Today’s connected enterprise faces a security paradox. The very openness and ubiquity that make the Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to share, not to protect. The ports and portals that welcome remote sites, mobile users, customers, and business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and others who would misappropriate network resources for personal gain.

The only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels and at multiple network points.

Nortel Networks, a global leader in secure data networking, offers proven solutions to satisfy end-to-end network security requirements. “Security in the DNA” is a key tenet of our strategy for the new enterprise network, a convergence framework we call “One Network. A World of Choice.”

This document presents the security component of that enterprise network strategy. The “Unified Security Architecture” provides a conceptual, physical, and procedural framework of best recommendations and solutions for enterprise network security. It serves as an important reference guide for IT professionals responsible for designing and implementing secure networks.

What are the requirements and vulnerabilities? What technology options and implementation choices are available? How do you protect the network at all levels? This comprehensive strategy addresses those pressing concerns facing IT security specialists, and offers encouraging news about the depth and breadth of options available for securing critical network resources.

The Unified Security Architecture is realistic. It assumes that all components of an IT infrastructure are targets... that even internal users could be network threats... that attacks are inevitable... that network performance cannot be compromised by processing-intensive security measures... and that IT budgets are constrained.

The Unified Security Architecture acknowledges the diversity of networked enterprises. It is not a one-size-fits-all prescription, but rather a framework of functionality that offers multiple implementation choices suitable for closed, extended, and open enterprises in different industries—and for diverse application requirements within all enterprise types.

The Unified Security Architecture addresses the multi-level complexity of network threats. It provides answers on multiple levels—for instance, from a firewall guardian to block intruders at the front gate to encryption to shroud every packet in privacy... from virtual private networks that span the global Internet to virtual LANs that segregate network management traffic from desktop users.

The Unified Security Architecture promotes a process, rather than an endpoint. Effective security is not achieved through a one-time initiative. This architecture outlines measures for strong ongoing policy management, reflecting both human and technical factors.

Read on for a discussion of the Top Ten challenges facing IT professionals today and how the Nortel Networks Unified Security Architecture addresses the challenges.

Part I. The Top Ten challenges to enterprise network security

Every enterprise that relies on network-connected applications and services is subject to 10 key security realities:

1. The Internet was designed to share, not to protect.

2. Security is not optional.

3. The bad guys have good guns.

4. Security threats recognize no boundaries.

5. Security depends on people, process, and technology.

6. It’s not enough to guard the front gate.

7. There’s no stock blueprint.

8. Frisking everybody and everything takes time.

9. Grace under fire is a requirement.

10. Security is a closed-loop process with an open-ended date.

Let’s take a closer look at these challenges—and what IT security professionals can do about them.

Enterprise Security Challenge #1: The Internet was designed to share, not to protect.

In six or seven short years, the Internet has evolved from an adjunct contact channel into the backbone of many critical business applications. Enterprises are leveraging their IP-based intranets and the world-wide Internet to bring remote offices, mobile workers, and business partners into their trusted network environments. Many enterprises are capitalizing on the growing reach and reliability of IP data networks to completely redefine the way they deliver and manage approved corporate applications.

The Internet enables them to interact more effectively with customers, streamline operations, reduce operating costs, and increase revenues. However, the Internet was designed to share, not to protect. The ports and portals that welcome outside users into the trusted internal network also potentially open the door to serious threats. The level of threat only increases as legacy applications become network-enabled and as network managers open their networks to more new users and applications.

How do you manage mission-critical communications on an inherently insecure medium? Managing that flow is somewhat like guarding a revolving door. You can’t lock it without also shutting out the traffic you do want.

Remote access services that enable traveling employees to dial in for e-mail access... remote offices connected via dial-up lines... intranets and extranets that connect outside parties to the enterprise network... all these business-enabling communications increase the vulnerability of the network.

Enterprise Security Challenge #2: Security is not optional.

Security breaches and unlawful access to confidential data can cost enterprises millions, but the requirement for network security goes beyond financial incentives. The governments of many countries are forcing enterprises to comply with regulations governing network security and privacy.

In the U.S., the Federal government regulates the privacy and security of electronic information with such regulations as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Safe Harbor Act, the USA Patriot Act, and the Children’s Internet Protection Act (CIPA). More are coming.

Similar regulations are being enacted in Europe and elsewhere, such as the Data Protection Act and Computer Misuse Act in the U.K. Failure to comply with these regulations brings civil and criminal penalties, even prison terms.

Even if governmental regulations weren’t an issue, organizations that suffer security breaches may be sued by customers and damaged by negative publicity. All enterprises that leverage the Internet for remote access have an obligation to protect network integrity and data confidentiality—for their own sakes as well as for their customers and business partners.

Enterprise Security Challenge #3: The bad guys have good guns.

Attackers have a broad repertoire of tools and techniques they can use to compromise a network. With these tools of the trade, they can launch multi-level attacks to access the network—creating an access hole to intrude upon the network, and then using secondary attacks to exploit other parts of the network.

For example, attackers can take advantage of weak user authentication and authorization tools, improper allocation of hidden space, shared privileges among applications, or even sloppy employee habits to gain unauthorized access to network resources.

They can disable a trusted host and assume its identity, a threat known as IP spoofing or session hijacking.

Using sophisticated new network sniffers that can decode data from packets across all layers of the OSI model, hackers can steal user names and passwords, and use that information to launch deeper attacks.

Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing their service.

In bucket brigade attacks, also known as “man-in-the-middle” assaults, the attacker intercepts messages in a public key exchange between a server and a client, retransmits the messages substituting their own public key, and in the process tricks the original entities/users into thinking they are communicating with each other.
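The bucket brigade above, as an added example that is not part of the white paper or Nortel's code: a toy Diffie-Hellman exchange is run once unauthenticated, where the relay silently ends up sharing a key with each victim while the victims believe they share one with each other, and once with each public value bound to its sender by an HMAC under a long-term shared secret, where both victims reject the substituted value. The group parameters, party names and the shared-secret scheme are constructed for illustration only.

```python
"""Bucket brigade (man-in-the-middle) on a key exchange, with and without
authentication of the exchanged public values.

Added example, not Nortel's code. Toy Diffie-Hellman over a small group
(constructed, illustration only; real deployments use standardised groups of
2048 bits or more), authenticated with an HMAC under a long-term shared secret.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime modulus (illustration only)
G = 5                # toy generator
NBYTES = 16          # enough to hold any value below P


class Party:
    """One endpoint. `auth_key` is the long-term secret shared with the
    intended peer; None means the exchange is unauthenticated."""

    def __init__(self, name, auth_key=None):
        self.name = name
        self.auth_key = auth_key
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    @staticmethod
    def _transcript(name, pub):
        return name.encode() + b"|" + pub.to_bytes(NBYTES, "big")

    def offer(self):
        """Announce the public value; if authenticated, bind it to the
        sender's name with an HMAC the relay cannot forge."""
        tag = None
        if self.auth_key is not None:
            tag = hmac.new(self.auth_key, self._transcript(self.name, self.pub),
                           hashlib.sha256).digest()
        return self.name, self.pub, tag

    def accept(self, peer_name, peer_pub, peer_tag):
        """Derive the session key from the peer's offer, or return None when
        the offer does not authenticate."""
        if self.auth_key is not None:
            expected = hmac.new(self.auth_key, self._transcript(peer_name, peer_pub),
                                hashlib.sha256).digest()
            if peer_tag is None or not hmac.compare_digest(expected, peer_tag):
                return None
        return derive_key(peer_pub, self.priv)


def derive_key(peer_pub, priv):
    """Session key = hash of the Diffie-Hellman shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(NBYTES, "big")).digest()


def run_exchange(alice, bob, relay=None):
    """Return (Alice's key, Bob's key). With `relay`, a party in the middle
    forwards each offer but substitutes its own public value (the bucket
    brigade); lacking the shared secret, it can only forward the original tag."""
    a_name, a_pub, a_tag = alice.offer()
    b_name, b_pub, b_tag = bob.offer()
    if relay is None:
        return alice.accept(b_name, b_pub, b_tag), bob.accept(a_name, a_pub, a_tag)
    return (alice.accept(b_name, relay.pub, b_tag),
            bob.accept(a_name, relay.pub, a_tag))


def demo(authenticated):
    """Run an honest exchange and a relayed one; report what each side ends
    up with. Secret and names are constructed for the demonstration."""
    psk = secrets.token_bytes(32) if authenticated else None
    alice, bob, mallory = Party("alice", psk), Party("bob", psk), Party("mallory")
    honest_a, honest_b = run_exchange(alice, bob)
    ka, kb = run_exchange(alice, bob, relay=mallory)
    return {
        "honest_keys_match": honest_a is not None and honest_a == honest_b,
        "alice_rejected": ka is None,
        "bob_rejected": kb is None,
        # Do the victims share a key with each other, or with the relay?
        "victims_agree": ka is not None and ka == kb,
        "relay_reads_alice": ka == derive_key(alice.pub, mallory.priv),
        "relay_reads_bob": kb == derive_key(bob.pub, mallory.priv),
    }


if __name__ == "__main__":
    print("unauthenticated:", demo(False))
    print("authenticated:  ", demo(True))
```

In the unauthenticated run both victims complete the exchange without error, which is why digital certificates or another authenticated key exchange (as in SSL and IPsec) are the mitigation rather than the key exchange alone.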

Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights.

Masquerading enables a hacker to pose as a valid administrator or engineer to access the network, often to elevate user privileges.

For more information about these types of attacks, see Appendix A, “Hackers’ Tools of the Trade.”

Enterprise Security Challenge #4: Security threats recognize no boundaries.

The typical enterprise “internal” trusted network is anything but internal these days. It extends to include supply chain partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more. Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would misappropriate network resources for personal gain.

In today’s business environment, the concept of a network perimeter is disappearing. Boundaries between inside and outside networks are becoming thinner, almost irrelevant. Applications run on top of networks in a layered fashion.

The OSI (Open Systems Interconnection) model was built to allow different layers to work without knowledge of each other. Unfortunately, that means that if one layer is hacked, communications are compromised without the other layers being aware of the attack. That means security must address unique considerations at application and network layers—and bridge these layers to ward off multi-level threats.

Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources. Application-layer attacks can be based on viruses, worms, buffer overflows, and password harvesting, among others. Web services and single sign-on technologies aggravate the problem, since they encourage Web-enabling legacy applications that were not designed with Web connectivity and security issues in mind.

Network-layer threats expose the network infrastructure to sabotage, vandalism, bad system configuration, denial of service (DoS), snooping, industrial espionage, and theft of service. Attacks may be launched from inside the network by insiders and also from external sources such as hackers.

For more information about application-layer and network-layer threats, see “Appendix B: Application and network level threats.”

Enterprise Security Challenge #5: Security depends on people, process, and technology.

Vulnerabilities arise both from people and process failures (such as posting passwords in public view, or slack policy enforcement) and from technical aspects (such as rogue programs and Trojan horses)—and from combinations of all three.

The Nimda virus that recently caused havoc in IT environments is a perfect example. At first glance, Nimda was technical in nature: a virus. But on closer inspection, the havoc was caused more by human error than technical devilry. Nimda exploited six previous technical vulnerabilities; it was just a variant of previous vulnerabilities that were documented and communicated many months before Nimda actually spread on the Internet.

Organizations should all have known about these vulnerabilities and disseminated that knowledge to the people responsible for protecting IT systems. Nimda was a non-issue for enterprises that had established processes in place for translating knowledge into action tasks, assigning responsibility for those tasks, and auditing successful completion.

Enterprise Security Challenge #6: It’s not enough to guard the front gate.

Every component of the IT infrastructure is susceptible to attacks, not just obvious gateways to the Internet. Hosts, applications such as IP telephony, routers, and switches can be attacked by hackers or unauthorized users from inside or outside the enterprise. At the network level, the use of firewalls, proxy servers, and user-to-session filtering can add protection, but hackers seem to get smarter all the time. Using user access control at the network and application level with appropriate authentication and authorization can minimize the risks of unauthorized access.

But the sheer diversity of the types of attacks—and the multi-level nature of many attacks—requires that IT managers understand how security breaches are instigated and be able to assess and recover from any inflicted damage. That means the only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels—user, application, and network—and at multiple network points.

Enterprise Security Challenge #7: There’s no stock blueprint.

Each enterprise has a unique set of business needs and has evolved its networking environment accordingly. That means the “right” security strategy is more a prescription of functionality and characteristics than a stock blueprint. Security is not a ‘one size fits all’ situation. Neither is it a static implementation, any more than the network or technology remains static.

For general purposes, we can categorize enterprises into three types of security spheres:

The “closed enterprise” uses logical (e.g. frame relay) or physical private lines between sites, with PC dial access provided selectively for employees needing access into the Internet. Web presence is achieved through an Internet data center provided by a service provider (who is responsible for establishing a secure environment). The organization also provides conventional dial access for remote employees (e.g. working from a hotel). The company uses private e-mail among employees with no external access. Wireless LANs are also starting to be used.

Even the closed enterprise has security concerns, not just from disgruntled internal users, but also because there are a number of ‘backdoor’ exposures. Users with dial access to the Internet from their desktop PCs, employees surfing the ‘Net from laptops they use at home or on the road, and wireless LANs all introduce Internet-related threats. Perhaps the greatest risk comes from the specious belief that the closed enterprise is immune to external risks.

The “extended enterprise” is an extension of the ‘closed’ enterprise. Web presence is still achieved via a service provider. Support for remote employee and office access over IP virtual private networks (VPNs) over the Internet is provided, delivering higher speed, lower cost connectivity. The enterprise provides general-purpose access for all employees into the Internet, allowing them to leverage the abundance of business-related information available on the Internet. Inter-working between the internal e-mail system and the rest of the world is provided.

The “open enterprise” leverages the Internet by allowing partners, suppliers, and customers to have access to an enterprise-managed Internet Data Center, even allowing selective access to internal databases and applications (e.g. as part of a supply chain management system). Internal and external users access the enterprise network from home, remote offices, or other networks using wired or mobile devices.

For the extended enterprise, the diversity of supported services and access mechanisms translates into multiple paths into the enterprise network, and in turn increases the risk. Naturally, that risk increases exponentially with the open enterprise, which has the greatest susceptibility to application-layer and network-layer threats, unauthorized access, and eavesdropping. Infrastructure, applications, and network management systems are equally vulnerable.

Figure 1. Generic Enterprise types. Three diagrams, each showing the enterprise network, its users (employees, customers, partners), and the Internet:
Closed enterprise: dedicated WAN; PC dial-in access; PC Internet dial-out; outsourced Web site (ASP data center); private e-mail.
Extended enterprise: Internet Data Center; remote access and office IP-VPNs; employee Internet access; interworked e-mail.
Open enterprise: controlled partner and select customer access; connectivity boundaries lowered.

Enterprise Security Challenge #8: Frisking everybody and everything takes time.

Anyone who has traveled by airplane knows that the trade-off for enhanced security is delay. The more closely you inspect bags and travelers, the longer the lines at security.

On enterprise networks as well, turning up the full complement of security features can slow Web servers to a crawl as they bog down with processing-intensive encryption, decryption, key management, and more. Bolting IP-VPN capabilities onto legacy routers brings its own brand of performance penalty. Voice applications, such as live Webcasts and Voice over IP, are very sensitive to delay and jitter and are therefore dramatically affected by traditional security mechanisms.

Enterprise Security Challenge #9: Grace under fire is a requirement.

In the context of security, “reliability” and “survivability” have somewhat different meanings. Network reliability ensures that the network continues to operate in spite of incidental failure of software and/or hardware components. Network survivability means the network continues to operate—delivering essential services in a timely manner—while battling security threats, even if parts of the network are unreachable or disabled due to overt attack.

Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date.

Organizations must view security as a steady process and an evolving way of thinking about how to protect systems, networks, applications, and resources. Reduce risk by continually and steadily making progress in identifying and addressing vulnerabilities and security policy holes. Corporations and government institutions must be able to determine what is at stake when security measures fail, how to detect security breaches, and what to do about them.

This process also entails continual training and awareness, since breaches of security policy are usually caused by human error or carelessness. Employees, managers, and administrators must all be aware of established security policies and best practices.

The good news is that enterprise networks can minimize their risks from unauthorized users without sacrificing performance for legitimate users. Part II of this document shows how the Nortel Networks Unified Security Architecture addresses these Top Ten challenges.

Figure 2. Enterprises need a security framework to optimally use IT techniques, tools, and methodologies against attackers. The diagram contrasts possible attacks on the enterprise network (authorization threats, IP spoofing, network sniffers, denial of service, intrusion, bucket brigade attacks, back door traps, data modification, masquerading) with the protected enterprise’s defenses (anti-virus software, deep packet filtering, digital certificates, IPsec and SSL encryption, firewalls, network- and host-based Intrusion Detection Systems (IDS), infrastructure, network sniffers).

Part II. The Nortel Networks Unified Security Architecture

What can security IT professionals do about the Top Ten challenges?

The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of best recommendations for end-to-end enterprise network security—addressing all the Top Ten challenges:

• The Internet was designed to share, not to protect. So the Unified Security Architecture defines virtual private networks, virtual LANs, firewalls, encryption, and other mechanisms that enable enterprises to reduce the risk of being Internet-connected.

• Security is not optional. The Unified Security Architecture upgrades enterprise security programs and infrastructures to comply with business, ethical, and regulatory mandates to protect data integrity and confidentiality.

• The bad guys have good guns. The Unified Security Architecture identifies the various tools of the trade, how they operate, and what kinds of protections thwart these attacks.

• Security threats recognize no boundaries. The Unified Security Architecture addresses threats on multiple functional and architectural layers, enabling enterprises to flexibly define what needs to be protected, from what kinds of threats, implemented how, and at what layers.

• Security depends on people, process, and technology. The Unified Security Architecture calls for developing and enforcing security policies that address technical considerations and human aspects of security, such as staff training and process.

• It’s not enough to guard the front gate. The Unified Security Architecture begins with perimeter firewall defense and documents security provisions all the way to the individual user and application.

• There’s no stock blueprint. The Unified Security Architecture defines the required functionality and offers enterprises broad choice in which functions to implement, to what degree, using what platforms and protocols.

• Frisking everybody and everything takes time. The Unified Security Architecture introduces purpose-built security products that use load-balancing, health-checking, and innovative acceleration technologies to minimize latency.

• Grace under fire is a requirement. The Unified Security Architecture defines ways to segregate critical resources and sustain performance even under attack.

• Security is a closed-loop process with an open-ended date. The Unified Security Architecture calls for policy management to be a process of continuous feedback and improvement, reflecting the latest industry knowledge and best practices.

The comprehensive security strategy set forth in this document is based on seven key principles:

1. Multi-layer security that defines security protection functions at application, network-assisted, and network security levels—in a layered architecture that can be flexibly defined and implemented.

2. Variable-depth security across the enterprise—not just at the edge of the Internet—for example, from firewall perimeter defense, to VPNs to protect Internet-traversing traffic, and to VLANs to segregate traffic within a network.

3. Closed-loop policy management, including configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen by the end user application.

4. Uniform access management, including stringent authentication and roles-based authorization of access to all resources for all users, with granular access policies defined at the application level and managed enterprise-wide.

5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying other recommended security mechanisms to operational activities.

6. Secure multimedia communications, protected by encrypting the data, voice, and video payload without introducing delays that this real-time traffic cannot tolerate.

7. Survival under attack, for instance, by using resilient architectures with no single point of failure, and applying intrusion-detection systems, anti-virus software, content filtering, and ongoing vigilance as attackers continue adopting new weaponry.


Figure 3. Principles behind Nortel Networks Unified Security Architecture (figure: the seven principles, layered security, variable-depth security, closed-loop policy management, uniform access management, securing network operations, securing multimedia communications, and survivability under attack, arranged around the Unified Security Architecture)


The principles underpinning the Unified Security Architecture offer enterprises a security blueprint to use as they move towards increasingly open environments. Let’s take a look at each of the seven key principles of the Unified Security Architecture.

2.1. Multi-layer security across application and network levels

Recognizing the multi-layered, interdependent nature of enterprise networks—and the critical need for security at more than the application level—the Nortel Networks Unified Security Architecture logically organizes security into multiple levels:

• The Network Security Layer provides security functions at OSI layers 1 to 3 (physical, link, and data levels).

• The Network-Assisted Security Layer provides security functions at OSI layers 4 to 7 (network to application/presentation layers) on top of the network level for added security.

• The Application Security Layer provides security in layer 7 of the OSI model, the application layer, and includes all security built into server and storage platforms.

Some functions, such as access lists and VLANs, operate purely at the Network Security Level. Others, such as firewalls, operate at either the Network or Network-Assisted Security Levels, depending on whether they are stateful or not. Others, such as SSL (Secure Sockets Layer), can be viewed as network-assisted or application security. The power of the Unified Security Architecture is that industry-defined security functions are leveraged in a structured fashion, tightening security overall.

See Part III, “Security in the Real World,” for examples of these security layers in action for protecting campus and branch networks, data centers, IP telephony services, and remote access.

Hardening server operating systems

Within the application level of the multi-layer security framework, a key element is “hardening” the multiple operating systems used in network and user applications, such as OSs for data communications devices, servers, network management systems, IP telephony servers, and more.

In an increasingly open, multivendor IT environment, network elements are frequently based on commercially available OSs. For example, Nortel Networks CallPilot unified messaging system, Symposium Contact Centers, and Business Communications Manager use a hardened version of Windows NT with off-the-shelf security software for functions such as anti-virus protection, intrusion-detection, and login audits. Nortel Networks Succession CSE 1000 and Meridian IP-enabled PBX portfolios are built on an embedded real-time OS called VxWorks. The Nortel Networks Succession CSE MX system is built on UNIX.

Procedures for hardening the OSs in Nortel Networks products are provided in our documentation. For third-party operating systems where no specific hardening guide exists, consult the OS vendor for the latest OS hardening patches and procedures.

Figure 4. Unified Security Architecture (figure: the Application Security, Network-Assisted Security, and Network Security layers, with Network Management Security, Secure Access Management, and Policy Management spanning all three; the users served are end users, operators, partners, and customers)


The remaining elements of the architecture—discussed in the sections to follow—are inter-related and somewhat orthogonal to these layers. The table below illustrates how common security technologies map to the elements of Nortel Networks Unified Security Architecture.

2.2. Variable-depth security

Defining security policy at multiple network levels produces a security strategy where each security level builds upon the capabilities of the layer below and provides finer grained security the closer you get to resources.

VLANs (Virtual LANs) provide basic network compartmentalization and segmentation, enabling business functions to be segregated in their own private local area networks, with cross-traffic from other VLAN segments strictly controlled or prohibited. The use of VLAN “tags” enables the segregation of traffic into specific groups such as Finance, HR, and Engineering, separating their data without leakage between disparate functions.

Perimeter and distributed firewall-filtering capabilities provide another level of protection at strategic points within the network. Firewalls enable the network to be further segmented into smaller areas, and enable secure connections to the public network. Firewalls limit access to inbound and outbound traffic to the protocols and authentication methods that are explicitly configured in the firewall. Firewalls that support Network Address Translation (NAT) enable optimization of IP addressing within the network as specified in RFC 1918 (Address Allocation for Private Internets).

Firewalls provide an extra layer of access control that can be customized based on business needs. Distributed firewalls add the benefit of scalability. Personal firewalls can be deployed on end-users’ systems to protect application integrity.

Security functionality                 Network    Network-assisted   Application
                                       Security   Security           Security
Layer 2 VPN, EAP, and port security    Yes
Network Address Translation            Yes
Access control list                    Yes
IPsec encryption                       Yes
Secure dynamic routing                 Yes
Firewalling                            Yes        Yes
Intrusion detection                               Yes                Yes
SSL encryption                                    Yes                Yes
Content filtering                                 Yes                Yes
Virus scanning                                    Yes                Yes

Policy management functionality:

• Policy Repository

• Policy Decision Point

• Policy Enforcement Point

Secure access management functionality:

• Authentication client

• Authentication server

• Authentication database

Network management security functionality:

• Secure activity logs

• Network operator authentication

• Access control/operator authorization

• Encryption

• Secure remote access

• Firewalls

• Intrusion detection

• OS hardening

• Virus-free software

Figure 5. Security functionality mapping to the Unified Security Architecture


Virtual private networks (VPNs) provide an even finer granularity of user access control and personalization—enabling secure access at the individual user level from remote sites and business partners, without requiring dedicated pipes.

Dynamic routing over secure tunnels across the Internet provides a highly secure, reliable, and scalable solution. VPNs, VLANs, and firewalls together allow the network administrator to limit access by a user or user group based on strictly defined policy criteria and business needs. VPNs provide strong assurance of data integrity and confidentiality with strong encryption.

VLANs alone may satisfy the security needs of the “closed” enterprise. “Extended” and “open” enterprises will likely require a combination of security level capabilities.

2.3. Closed-loop policy management

A properly designed and implemented security policy is an absolute requirement for all types of enterprises and has to be owned by one group. It should be a living document and process, which is enforced, implemented, and updated to reflect the latest changes in the enterprise infrastructure and service requirements.

The security policy must clearly identify the resources in the enterprise that are at risk and the resulting threat mitigation methodologies. It should define which users or classes of users have access to which resources. The policy must define the use of audit trails to help identify and discover violations and the appropriate responses.

Users think of the network in terms of people, applications, locations, time of day, etc.—not in technical terms such as “firewall stateful inspection” or “access lists.” Security policies should use non-technical vocabulary to the extent possible for user-facing issues, automatically translated by the policy management system into technical security mechanisms for network implementation.

Policy management addresses the full realm of security components—firewalls, intrusion-detection systems, access lists and filters, authentication techniques, and more—along with a system-wide view of network environments, such as data center, remote office, and campus networks.

Ultimately, policy operates at a granular level to address pieces of the solution while providing centralized control and accountability. Centralization ensures that security parameters are set consistently across multiple nodes, and that multiple policies for different administrative domains all reflect enterprise-wide policy and inter-domain consistency.

Closed-loop policy management is implemented using the reference architecture described in 2.8, and includes configuration management of network devices, enforcement of policies in the network, and verification of network functionality via audit trails. Verification and audit trails close the loop on policy management, and result in updates to the policy to reflect corrective actions.

2.4. Uniform access management

Access management refers to authentication and authorization services that control users’ access to resources. During authentication, users identify themselves to the network; during authorization, the network determines users’ level of privileges based on their identity, as defined in policy.

Access management is controlled by multiple methods, such as IP source filtering, proxies, and credential-based methods—often used in combination, and each with its advantages and limitations. For example, an enterprise may choose to manage access for workstations using IP source filtering, and may choose to use a credential-based scheme for other users.

Since users could be employees, network technicians, supply chain partners, inter-organization team members, or even customers, it is important to have robust, centralized access control enforced by the local or remote network device interfacing to the user.


Several methods can be used to authenticate a user, such as: permanent or one-time passwords, biometric techniques, smart cards, and certificates. Password-based authentication must use strong passwords that are at least eight characters in length with at least one alphabetic, one numeric, and one special character.

Where stronger authentication is required, password authentication can be combined with another authentication and authorization process based on protocols such as RADIUS and LDAP to provide authentication, authorization, and accounting (AAA) services. Additionally, key management can be based on Internet Key Exchange (IKE), certificate management on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP).

In defining access privileges on all ports and devices, the concept of “least privilege” should be applied, granting access only as needed.

“Open” and “extended” enterprises face the greatest challenges when designing access management policy. They require fine-grained rules that properly interface with identity directories and databases, multiple authentication systems such as RADIUS, and various hosts, applications, and application servers.

The system should perform session management per user after the user is authenticated—and use flexible configuration and policy enforcement with fine-grained rules, capable of dealing with specific objects. Unique accounts for each administrator should be used, with accountability for actions traceable to individuals, to provide for appropriate monitoring, accounting, and secure audit trails.

For more information about authentication and authorization, see section 2.9, “A closer look at uniform access management.”

2.5. Secure network operations

On the one hand, network management is like other data applications, running on servers and workstations, complemented by application-level security and taking advantage of network-level and network-assisted security. On the other hand, network operators are specialized users who should be subject to more stringent authentication and authorization procedures.

Because of the greater access authority and functional privilege granted to network management personnel, their access and activities must be carefully secured to protect network configuration, performance, and survivability. The more open the enterprise and the more centralized the network management system, the greater the requirement for stringent security for network management processes.

Secure network management requires a holistic approach, rather than a specific security feature set on a network element. Our Unified Security Architecture recommendations address nine critical areas:

• Secure activity logs

• Network operator authentication

• Authorization for network operators

• Encryption of network management traffic

• Secure remote access for operators

• Firewalls and VLANs to partition the network

• Intrusion detection

• Hardening operating systems

• Anti-virus protection


Secure activity logs provide a verifiable audit trail of user or administrator activities and events generated by network devices. Security activity logs must contain sufficient information to establish individual accountability, reconstruct past events, detect intrusion attempts, and perform after-the-fact analysis of security incidents and long-term trend analysis. Activity log information helps identify the root cause of a security problem and prevent future incidents. For instance, activity logs can be used to reconstruct the sequence of events that led up to a problem, such as an intruder gaining unauthorized access to system resources, or a system malfunction caused by an incorrect configuration or a faulty implementation. Syslog is the most common mechanism used by equipment vendors; Syslog works with all third-party log analyzer systems. Because the information contained in activity logs can be used to compromise a network, this log information itself must be secured.
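The following Python script is an added illustration of what the paragraph asks of activity logs; it is not from the paper or from any Nortel product. It parses a few constructed Syslog-style lines, reconstructs one operator's sequence of events across devices, flags a burst of failed logins, and keeps an HMAC chain over the log so that later modification of any line is detectable. The host names, account names, message formats, and key are assumptions made for the example.

```python
"""Added example (not from the paper): working with secure activity logs.
Hosts, accounts, message formats and the key are constructed assumptions."""
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in BSD Syslog style (RFC 3164); not real device output.
SAMPLE_LOG = """\
Sep 20 09:01:02 ems-srv01 sshd[4120]: Failed password for operator ops-jdoe from 10.10.5.23
Sep 20 09:01:09 ems-srv01 sshd[4120]: Failed password for operator ops-jdoe from 10.10.5.23
Sep 20 09:01:15 ems-srv01 sshd[4120]: Failed password for operator ops-jdoe from 10.10.5.23
Sep 20 09:01:40 ems-srv01 sshd[4121]: Accepted password for operator ops-jdoe from 10.10.5.23
Sep 20 09:02:10 core-rtr1 cli: user ops-jdoe executed 'no access-list 101'
Sep 20 09:30:00 ems-srv01 sshd[4200]: Accepted password for operator ops-asmith from 10.10.5.40
"""

LOG_YEAR = 2002  # BSD Syslog timestamps carry no year; assumed for the example

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Message patterns (constructed formats) mapped to what the event means for the audit trail.
MSG_PATTERNS = [
    (re.compile(r"Failed password for operator (?P<user>\S+) from (?P<src>\S+)"), "login_failed"),
    (re.compile(r"Accepted password for operator (?P<user>\S+) from (?P<src>\S+)"), "login_ok"),
    (re.compile(r"user (?P<user>\S+) executed '(?P<cmd>[^']*)'"), "config_change"),
]


def parse_line(line):
    """Return a structured event for one log line, or None if it is not Syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {
        "ts": datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"], "proc": m["proc"], "msg": m["msg"],
        "action": "other", "user": None, "src": None, "cmd": None,
    }
    for pattern, action in MSG_PATTERNS:
        mm = pattern.search(m["msg"])
        if mm:
            event["action"] = action
            event.update(mm.groupdict())
            break
    return event


def parse_log(text):
    """Parse every non-empty line; unparseable lines are dropped."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def failed_login_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Flag (user, source) pairs with at least `threshold` failures inside one window."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "login_failed":
            failures[(e["user"], e["src"])].append(e["ts"])
    bursts = []
    for (user, src), stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((user, src, end - start + 1))
                break
    return bursts


def timeline(events, user):
    """Reconstruct, in order, what one account did across all logging devices."""
    return [(e["ts"].strftime("%H:%M:%S"), e["host"], e["action"], e["cmd"] or e["src"])
            for e in sorted(events, key=lambda e: e["ts"]) if e["user"] == user]


def hash_chain(lines, key):
    """HMAC chain: each tag covers its line plus the previous tag, so editing or removing
    a line invalidates every later tag. Keep the key (and the latest tag, to catch
    truncation of the tail) off the logging host."""
    tags, prev = [], b""
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        tags.append(tag)
        prev = tag.encode()
    return tags


def first_tampered_line(lines, tags, key):
    """Index of the first line whose tag no longer verifies, or -1 if the log is intact."""
    prev = b""
    for i, (line, tag) in enumerate(zip(lines, tags)):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag.encode()
    return -1
```

Running `timeline(parse_log(SAMPLE_LOG), "ops-jdoe")` shows the three failures, the successful login, and the configuration change that followed it, which is exactly the event sequence an after-the-fact investigation needs.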

Network operator authentication based on strong centralized administration and enforcement of passwords ensures that only authenticated operators gain access to management systems. Centralized administration of passwords enables enforcement of password strength and removes the need for local storage of passwords on the network elements and EMS (Element Management Systems). RADIUS is the basic mechanism of choice for automating centralized authentication within Nortel Networks products.

Authorization for network operators uses authenticated identity to determine the user’s access privileges—what systems they can access, what functions they can perform. Techniques based on RADIUS servers provide a basic level of access control. An additional LDAP server can provide more fine-grained access control if necessary.

Encryption of network management traffic protects the confidentiality and integrity of network management data traffic—especially important with the growing use of in-band network management. Encryption provides a high degree of protection from internal and external threats, with the exception of the small group of insiders that have legitimate access to encryption keys.

Encryption between network operations center (NOC) clients and Element Management System (EMS) servers and/or Network Elements should be provided. This includes SNMP traffic, because there are known vulnerabilities with SNMP v1 and v2, which are intended to be addressed by SNMP v3. Given the widespread deployment of SNMP v1 and v2, IPsec can be used to secure this traffic.

Depending on traffic type, the security protocols to use for these links are IPsec (IP Security), Secure Shell (SSH), and SSL:

• SSH is an application-level security protocol that can be used in place of IPsec if the traffic consists of Telnet and FTP only, but it cannot normally be used to protect other traffic types.

• IPsec protocol runs between the network layer (Layer 3) and the transport layer (Layer 4) and is the preferred protocol to protect any type of data traffic, independent of applications and protocols. External IPsec VPN devices, such as Nortel Networks Contivity Secure IP Services Gateways, can be used in various parts of the network to secure management traffic.

• SSL technology—integrated into all standard Web browsers—is the de-facto standard security protocol to protect HTTP traffic.

Secure remote access for operators: Security must be provided for operators and administrators who manage the network from a remote location over a public network. Providing a secure virtual private network using IPsec is the mandatory solution, as this will provide strong encryption and authentication of all remote operators. An IP-VPN product such as Nortel Networks Contivity Secure IP Services Gateway should be placed at the management system interface, and all operators should be equipped with extranet access clients for their laptops or workstations.


Firewalls and VLANs partition the network to segregate management devices and traffic from other, less confidential systems such as public Web servers. The firewall controls the type of traffic (defined by protocol, port number, source and destination address) that can transit the boundary between security domains. Depending on the type of firewall (application versus packet filtering), firewalls can also filter the application content of the data flow.

Intrusion-detection systems incorporated into management servers defend against network intrusions by warning administrators of potential security incidents, such as a server compromise or denial-of-service attack.

Hardening operating systems used for network management closes potential security gaps in general-purpose operating systems and embedded real-time operating systems. OS hardening should use the latest procedures and patches from the OS manufacturer.

Anti-virus protection involves scanning all in-house and third-party software packages with virus-detection tools before incorporating the software into a product or network. A rigorous, established process ensures—to the extent possible—that network management software is virus-free.

Figure 6. Secure connectivity options for network management traffic (figure: a Network Operating Center with its NOC VLAN, management systems, browser client, Telnet client, and management client; the enterprise network with its network devices behind firewall, authentication, IDS, and virus-scanning functions; and a remote management client reaching the NOC across the Internet; links are labelled IPsec, IPsec or SSH, and SSL)


2.6. Secure multimedia communications

Unified networks can carry voice, data, and video—each with their unique performance requirements and security considerations. When and where to encrypt this traffic is a major consideration, and is a key element of any enterprise security policy. This can be done on a per-application basis using SSL, on a client-server basis using SSH (Secure Shell), or for all traffic using IPsec VPN technology. Generally, all traffic over the Internet and wireless LANs, and potentially critical information leaving the premises, should be secured via strong encryption technology.

IP telephony represents a particularly important class of application. As with any application, a risk assessment of IP telephony needs to be done to assess its intrinsic value, the implications of loss understood, and a security policy formulated. We can start this assessment by making some key observations on telephony and data security in general. First of all, telephony is a critical business function and therefore, like the network itself, the telephony system as a whole must be protected from security attacks. Secondly, we trust the public voice network and live with the inherent vulnerability of eavesdropping of public cell phone systems. Third, we trust PBX networks, the critical components of which are locked away in a telecom room. In addition, IT organizations have spent a lot of effort to minimize toll fraud and misuse of the voice network for personal calls.

On the data side, we also rely on physical security to ensure that only employees have access to the internal network, and we trust that information sent over LANs, campus nets, and over private WANs running over physical and virtual private lines is generally secure. Outside of the confines of the enterprise network, most enterprises have established security policies that all internal data transmissions to employees and remote offices over the Internet need to be encrypted and authenticated. Likewise, critical customer interactions over the Web are protected via SSL. From a user perspective, keeping it simple has been the objective.

The Nortel Networks Unified Security Architecture for IP telephony follows the guidelines below:

• Enterprise IP telephony operated within the confines of the enterprise, inter-working with the public network over circuit-switched connections. End-to-end VoIP connectivity between public phones and phones within the enterprise is not considered in this version of the document.

• The IP networking infrastructure that supports IP telephony must be secure from a data perspective and engineered to meet the stringent latency and reliability requirements of telephony.

• IP telephony communications servers are business-critical and must be physically secure and protected from internal and external attack.

• Secure authentication of VoIP clients must be provided. While data users may expect to log in with multiple user IDs and passwords, they won’t tolerate that authentication requirement for every phone call. Generally, telephony users have only been required to authenticate themselves for off-net access using a feature set called Direct Inward System Access (DISA).

• Encryption of voice is only a requirement when traversing a shared media LAN or the Internet.

• Security must be holistic and span the entire telephony environment, including VoIP clients and servers, application servers (such as for unified messaging and contact centers), and traditional PBXs.

Encryption can be achieved with VPN techniques using IPsec, with Authentication Header (AH) and Encapsulating Security Payload (ESP), tunneling through the use of Layer 2 Tunneling Protocol (L2TP), key management based on Internet Key Exchange (IKE), and certificate management based on Public Key Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP). SSL and Transport Layer Security (TLS) protect communications at the application layer.

Standards-based encryption algorithms such as DES, 3DES, AES, RSA, and DSA should be used; MD5 and SHA-1 should be used for message integrity, and Diffie-Hellman and RSA for key exchange.

Wired Equivalent Privacy (WEP), as defined in the 802.11 standard, defines a technique to protect over-the-air transmission between wireless LAN (WLAN) access points and network interface cards (NICs). This protocol has been shown to be insecure. IEEE 802.11 is working on standardizing encryption improvements for WLANs. Therefore, added measures of protection such as IPsec must be used to secure WLAN traffic over WEP.


2.7. Network survivability under attack

The typical enterprise network supports mission-critical operations and is essential for conducting business. That means the network must continue to operate—delivering essential services in a timely manner—while battling security threats, even if parts of the network are unreachable or disabled due to overt attack.

This kind of survivability starts by logically organizing network services into at least two categories—essential services and non-essential services—and defining strategies that enable these services to resist, address, and recover from attacks. The most effective approaches combine multiple resistance, identification, and recovery strategies in an adaptable manner that responds to changing network conditions. For example, the network can re-route traffic from one server to another if an intrusion or an attack is detected on the first server. That means an effective survivability plan is holistic; it spans management systems, hosts, applications, routers, and switches across the network.

Naturally, the first line of resistance to attacks is strong access control through authentication and encryption. Keep intruders out at the first point of entry, if possible. Message and packet filtering and network and server segmentation provide strong secondary defenses. Intrusion-detection systems identify attacks in progress. Faithful attention to backup techniques enables rapid system and network recovery after a successful system breach.

This includes high availability through redundancy of critical security functions, such as through the use of application switches, which provide redundancy between intrusion-detection servers. Additional techniques include the encryption of all mission-critical traffic, multi-link trunking (MLT), virtual router redundancy protocol (VRRP), dual/mirroring of disk drives, backup CPUs, backup power supplies, and hot-swappable components. These mechanisms provide a higher level of confidence in the survivability of critical applications (such as IP telephony).

2.8. The closed-loop policy management reference model

The Nortel Networks Unified Security Architecture is based on the IETF architectural framework for policy management (RFC 2753). In this model, policy management is implemented across the network and at all levels (application, network-assisted, network), and applicable to all types of users and applications.

Figure 7. Policy management within the Unified Security Architecture (figure: the policy management console and the policy repository connect over LDAP to the policy server, the Policy Decision Point (PDP); the PDP provisions the network devices, the Policy Enforcement Points (PEPs), over COPS-PR, SNMP, or CLI; the PEP functions shown are authentication, NAT, content filtering, firewall, access lists, and Layer 2)


The IETF policy management model uses these key elements and protocols:

Policy Decision Points (PDPs) or policy servers abstract network policies into specific device control messages, which arethen passed to policy enforcement points. These policy servers are often standalone systems running Unix or WindowsNT/2000, controlling switches and routers within an administrative domain; they communicate with these devices using acontrol protocol (e.g., COPS, SNMP Set commands, Telnet, or the device’s specific Command Line Interface—CLI).

A Policy Enforcement Point (PEP) is a network or security device that accepts a policy (configuration rules) from the PolicyDecision Point and enforces that policy against network traffic traversing that device. This enforcement leverages network andnetwork-assisted security mechanisms as appropriate.

Common Open Policy Service (COPS) is a simple query-and-response, stateful, TCP-based protocol that exchanges policyinformation between a Policy Decision Point (PDP) and its clients—Policy Enforcement Points (PEPs). It is specified in RFC 2748. COPS relies on the PEP to establish connections to a primary PDP (and a secondary PDP when the primary is unreachable) at all times. Alternatively, a COPS proxy device can be used to translate COPS messages originating from apolicy server into SNMP or CLI commands understood by network and security devices.

The COPS protocol supports two different extension models for policy control: a dynamic outsourcing model COPS-RSVP,specified in RFC 2749, and a configuration or Provisioning model COPS-PR, specified in RFC 3084. Provisioning extensionsto the COPS protocol allow policies to be installed on the PEP “up front” by the PDP, thus allowing the PEP to make policydecisions for data packets based on this pre-provisioned information. Further communication between the PDP and PEP isnecessary to keep policies provisioned in the data repository (i.e. the directory) in sync with those sent to the PEP.

The Policy Repository stores all policy information in a network directory. It describes network users, applications, computers,and services (i.e., objects and attributes), and the relationships between these entities. There is tight integration between IPaddress and the end user (via Dynamic Host Control Protocol - DHCP and a Domain Name System - DNS). This policyrepository is usually implemented on a special-purpose database machine running Unix or Windows NT/2000 accessed bypolicy servers via LDAP.

The Policy Repository stores relatively static information about the network (such as device configurations), whereas policyservers store more dynamic network state information (such as bandwidth allocation or information about established connec-tions). The policy server retrieves policy information from the directory and deploys it to the appropriate network elements.

There is no established standard to describe the structure of the directory database, i.e., how network objects and their attrib-utes are defined and represented. A common directory schema is needed if multiple vendor applications are to share the samedirectory information; for example, all vendors need a common way to interpret and store configuration information aboutrouters. The forthcoming Directory-Enabled Networking (DEN) standard, now being developed by the DMTF (DesktopManagement Task Force), addresses this need. DEN includes an information model that provides an abstraction of profiles andpolicies, devices, protocols, and services. This provides a unified model for integrating users, applications, and networking serv-ices, and an extensible service-oriented framework.

The Lightweight Directory Access Protocol (LDAP version 3) is specified in RFC 2251. LDAP is a client-server protocol foraccessing a directory service. The LDAP information model is based on the entry, which contains information about someobject (e.g., a person), and is composed of attributes, which have a type and one or more values. Each attribute has a syntaxthat determines what kinds of values are allowed in the attribute and how those values behave during directory operations.

The last element is the policy management console—generally running on a personal computer or workstation—that provides the human interface to the policy management system. A Web browser can be used to provide manager access from virtually anywhere, with policy object-level security used to limit which policies can be modified by a specific individual. The console provides a graphical user interface and the tools to define network policies as business rules. It may also give the operator access to lower-level security configurations in individual switches and routers.


These elements of the IETF policy management reference model interoperate to deliver closed-loop policy management. This includes configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen by the end-user application. Enforcement of policies in the network includes admission controls of applications or users vying for access to network resources. Sound policy management based on this model simplifies the configuration management environment inside enterprises and minimizes the chance of human error.

Policy Management through Nortel Networks Optivity Policy Services

Nortel Networks is leading the way in delivering policy-enabled networking to enterprise customers. For example, Nortel Networks Optivity Policy Services (OPS) is a system-level software application that manages security parameters and traffic prioritization. Optivity Policy Services enables a proactive approach to bandwidth management, security, and prioritization of business-critical traffic flows across the enterprise. Rather than applying policies to control traffic on a per-device basis, OPS takes a centralized systems approach to policy configuration and deployment that ensures consistency across the network while lowering total cost of ownership.

Based on the IETF policy architecture, Optivity Policy Services supports the major IETF policy management standards, including COPS-PR, LDAP, Diffserv, and IEEE 802.1p. OPS uses COPS-PR to pre-provision routers and switches with policy information based on Roles reported by the PEP. Roles are a logical abstraction of the device’s interfaces for policy management purposes. With the ability to manage up to 1,000 devices per server and 20,000 devices per system, OPS reliably delivers QoS and security policies in large networks. Moreover, OPS uses LDAPv3 to support redundant data storage, preserving valuable policy information.

As the number of denial-of-service attacks on networks increases, a centralized mechanism to limit potentially dangerous traffic flows is important. OPS makes it easy to set policies for metering traffic. For example, many denial-of-service attacks occur when too many packets of a certain protocol type (such as ICMP) flood a device. OPS policies can control that flow of traffic. With its Advanced Security Provisioning capabilities, OPS can protect valuable network and application assets by enabling the application of consistent, reliable, and robust security policies. OPS complements existing firewall implementations (e.g. Alteon) and IP-VPN devices (e.g. Contivity) by adding an extra layer of protection to network resources. OPS features enable the creation of policies to restrict traffic through a particular policy enforcement point or to deny all traffic on a particular device. OPS enables control of traffic flows through a device by simply creating admission control policies through a central Java-based management console.
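To make the metering idea concrete, here is an added Python example (not OPS code or any Nortel implementation): a per-source token-bucket metering policy for ICMP, applied packet by packet the way a policy enforcement point would, over constructed traffic that includes an ICMP flood. The rate and burst values and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class MeterPolicy:
    """Admission control for one protocol: sustained rate plus allowed burst, per source."""
    proto: str
    rate_pps: float   # packets per second a single source may sustain
    burst: int        # packets a source may send back-to-back before metering bites


class TokenBucket:
    """Classic token bucket: tokens refill at rate_pps, capped at burst; one token per packet."""

    def __init__(self, rate_pps: float, burst: int) -> None:
        self.rate_pps = rate_pps
        self.burst = burst
        self.tokens = float(burst)
        self.last: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate_pps)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


Record = Tuple[float, str, str]            # (timestamp in seconds, source IP, protocol)
Decision = Tuple[float, str, str, str]     # record plus the verdict "forward" or "drop"


def meter(records: Iterable[Record], policies: Dict[str, MeterPolicy]) -> List[Decision]:
    """Apply the metering policies as an enforcement point would, one packet at a time."""
    buckets: Dict[Tuple[str, str], TokenBucket] = {}
    decisions: List[Decision] = []
    for ts, src, proto in records:
        policy = policies.get(proto)
        if policy is None:                     # no metering policy for this protocol
            decisions.append((ts, src, proto, "forward"))
            continue
        bucket = buckets.setdefault((src, proto), TokenBucket(policy.rate_pps, policy.burst))
        decisions.append((ts, src, proto, "forward" if bucket.allow(ts) else "drop"))
    return decisions


def drop_summary(decisions: Iterable[Decision]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Per (source, protocol): (forwarded, dropped) counts, what a console would report."""
    counts: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for _, src, proto, verdict in decisions:
        counts[(src, proto)][0 if verdict == "forward" else 1] += 1
    return {key: (fwd, dropped) for key, (fwd, dropped) in counts.items()}


def constructed_sample() -> List[Record]:
    """Constructed traffic, not a capture: 10.1.1.5 blasts 30 ICMP packets 1 ms apart,
    while 10.1.1.9 pings once per second; both also send a little TCP."""
    flood = [(k * 0.001, "10.1.1.5", "ICMP") for k in range(30)]
    pings = [(float(k), "10.1.1.9", "ICMP") for k in range(3)]
    tcp = [(0.5, "10.1.1.9", "TCP"), (1.5, "10.1.1.5", "TCP")]
    return sorted(flood + pings + tcp)


# Assumed policy values: a source may sustain 5 ICMP packets/s with a burst of 10.
ICMP_POLICY = {"ICMP": MeterPolicy("ICMP", rate_pps=5.0, burst=10)}


if __name__ == "__main__":
    summary = drop_summary(meter(constructed_sample(), ICMP_POLICY))
    for (src, proto), (fwd, dropped) in sorted(summary.items()):
        print(f"{src:<10} {proto:<5} forwarded={fwd:<3} dropped={dropped}")
```

The flooding source gets its first ten packets through (the burst) and the rest dropped, while the host pinging once a second and all TCP traffic pass untouched.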

2.9. A closer look at uniform access management

Secure access management is created through a combination of authentication, authorization, and accounting services, often called “AAA”.

• Authentication, initiated by an authentication client in a PC or gateway device, positively verifies the identity of a user as a prerequisite to allowing access.

• Authorization determines which system resources are appropriate for that authenticated user to access.

• Accounting capabilities rely on audit logs or records of security-related events for future examination.

This section takes a closer look at authentication and authorization.

Authentication

Authentication systems can be categorized according to the number of identification factors required to ascertain identity.

• Single-factor authentication uses userID/password combinations to prove identity.

• Two-factor authentication requires two components, usually a combination of something the user knows (such as a password) and something the user possesses (such as a physical token like a SecurID card).

• Three-factor authentication adds a biometric, a measurement of a human body characteristic.


The more authentication factors used, the more secure the process. However, the more factors you add, the more you add complexity, cost, and management overhead. Every scenario will offer a different break-even point in the trade-off between simplicity and security.

Single-factor authentication with userID and password is the most common authentication system today. It’s easy to administer, familiar to users, and can provide a high level of security if strong password procedures are enforced. Legacy password systems have had some challenges, however, since multiple strong passwords are very hard for users to remember. The recommendations in this section will show how this problem can be minimized with a “Single Strong Password” system.

Tokens such as smartcards and SecurID cards are added as a second factor in many authentication systems—requiring that the user have physical possession of the token. An attacker would similarly have to have possession of the user’s token in order to gain system access. The higher level of authentication comes with additional system cost, however, due to the necessary tokens and token readers. In addition, tokens can be easily lost, which can present a high administration overhead for reissuing.

Biometric factors for authentication measure characteristics of the user’s body such as fingerprint, handprint, retina, iris, or voice characteristics. Biometric measurements are a useful additional factor and add an even higher level of authentication security. A biometric authentication system entails a measurement proving who the person actually is, rather than proving they have something such as a token or proving that they know something such as a password. Unfortunately, biometric measurements are not 100 percent effective; with the present state of the technology, it is possible to register false positives and false negatives. Biometric authentication systems also require biometric readers at system access points, adding new system costs.

Strong cryptographically-based authentication can be provided through the use of digital certificates issued to users and stored on tokens or within the user’s computer memory. Cryptographic algorithms are used to ensure that a particular certificate has been legitimately issued to the user. A Public Key Infrastructure is used to enable the issuance and maintenance of digital certificates. Strong cryptographically-based systems provide very stringent authentication. However, these systems are expensive and incur additional management overhead. Therefore, they are currently being adopted only in very secure environments.

Authorization

Once authenticated, authorization mechanisms control user access to appropriate system resources. Authorization can be categorized according to the granularity of control; that is, according to how detailed a division is made between system resources. Fine-grained authorization refers generically to a system where access is controlled to very fine increments, such as to individual applications or services.

Authorization is often “role based” whereby access to system resources is based on a person’s assigned role in an organization. The System Administrator role may have highly privileged access to all system resources whereas the General User role would only have access to a subset of these resources. Finer grained authorization can be applied to define other roles, such as a Human Resources Administrators role that has exclusive access to confidential HR databases, and an Accounting role that has exclusive access to accounting systems.

Authorization may also be “rules based” whereby access to system resources is based on specific rules associated with each user, independent of their role in the organization. For example, rules may be set up to allow Read Only access or Read/Write access to all or certain files within a system, or access only during certain times or from certain devices.

Authentication and authorization protocols

Several protocols have been commonly adopted for authentication services. The RADIUS protocol (Remote Authentication Dial In User Service – IETF RFC 2865) is widely used to centralize password authentication services. Originally designed to authenticate remote dial-in users, the RADIUS protocol has been adopted for general user authentication services. Recently, the LDAP (Lightweight Directory Access Protocol – IETF RFC 2251) has been finding extensive use in authentication and authorization systems. LDAP provides a convenient method for storing user authentication and authorization credentials.


RADIUS authentication servers are often coupled with credential storage in LDAP directories to provide centralized authentication and authorization. When a user attempts to access a particular application on such a system, the application queries the user for authentication credentials and forwards them to the centralized system. The RADIUS server then checks the presented credentials against those stored in the LDAP database, and also queries the LDAP database for authorization rule information. The authentication results (pass or fail) are returned to the application along with authorization rule information for the particular user. Authorization rules are then enforced at the application to allow the user to access particular data or services. From an end-user perspective, these authentication and authorization systems should be automatic and easy to use.

Authentication and authorization recommendations

Nortel Networks recommends the following general principles to be followed when implementing enterprise authentication and authorization systems:

• Use a uniform access management system for end users, network operators, partners and customers, with the appropriate level of authentication and resource access authorization to meet business needs.

• Use a centralized authentication mechanism to facilitate administration and remove the need for locally stored passwords, which tend to be static and weak.

• Use a centralized authorization system, tightly coupled with the authentication system, with appropriate granularity for the enterprise.

• Enforce strong, complex rules for all passwords.

• Securely store all passwords in one-way encrypted (hashed) format.

• Maintain simplicity to the extent appropriate, for maximum ease of use, ease of administration, and compliance.

• Securely log authentication and authorization events for audit purposes.

Figure 8. Secure authentication and authorization reference model (diagram: an enterprise network with local wired PC access and Internet remote access through a Secure IP Services Gateway (IPsec, firewall, authentication, SRT); a remote IP-VPN office, a remote IP-VPN user and a WLAN IP-VPN user; an application server with centralized authentication; a centralized authentication server (RADIUS based) backed by Level 1 password, Level 2 token and Level 3 biometric authentication databases; and DNS and DHCP servers)


A Case example: “Single Strong Password” in the Nortel Networks corporate network

Nortel Networks uses a “Single Strong Password” approach in its own worldwide network to authenticate internal and external users, from employees and contractors to joint venture representatives and even customers. The user has one very strong password that is maintained on a centralized password system and synchronized with applications and systems across the enterprise. Users only have to remember one password, making the system simple to use and not likely to be bypassed.

Dedicated password servers on several continents manage the system and provide Web-based password management for users and security administrators. These password servers communicate directly with RADIUS authentication servers. The system automatically synchronizes passwords across multiple systems and platforms, such as Windows networking, remote access, UNIX, purchasing, and niche business applications.

The system enables fine-grained authorization at the application level. An internally developed tool enables applications to access the Single Strong Password system, and a list of users allowed to access each application is stored in the authorization database. When an application is accessed, the Single Strong Password system authenticates the user and returns authorization information. The system logs attempted violations of authorization rules and multiple simultaneous logins to geographically dispersed systems, to detect and prevent misuse.

The Single Strong Password system enforces strict password rules. For example, passwords must contain at least eight characters, both upper and lowercase letters, and at least one number or symbol. Additionally, passwords must not contain dictionary words of four characters or longer, a previously used password, a password that matches an account name, a date or year, keyboard patterns, or repeating characters. Users are required to change passwords at predefined intervals.
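The rule set above, together with the earlier recommendation to store passwords only in one-way hashed form, is concrete enough to code. The following Python example is added here and is not Nortel's internally developed tool: a policy checker for each listed rule plus a small centralized store that keeps only salted PBKDF2-HMAC-SHA256 digests, rejects reuse by checking against the stored history, and expires passwords after a rotation interval. The word list, keyboard rows, 90-day interval and the reading of “repeating characters” as three identical characters in a row are assumptions.

```python
import hashlib
import hmac
import os
import re
import time
from typing import List, Optional, Tuple

# Constructed, deliberately tiny word list standing in for a real dictionary file.
DICTIONARY = {"password", "nortel", "secure", "summer", "welcome", "network"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
PBKDF2_ROUNDS = 100_000
MAX_AGE_DAYS = 90          # assumed rotation interval; the paper only says "predefined intervals"

Credential = Tuple[bytes, bytes]   # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Credential:
    """One-way, salted hash (PBKDF2-HMAC-SHA256); the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, cred: Credential) -> bool:
    salt, digest = cred
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def _has_keyboard_pattern(password: str, run: int = 4) -> bool:
    """True if `run` adjacent keys of a keyboard row appear, forwards or backwards."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def check_policy(password: str, account: str, history: List[Credential]) -> List[str]:
    """Return the rule violations for a candidate password (empty list = acceptable)."""
    problems: List[str] = []
    low = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper and lowercase letters")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("needs at least one number or symbol")
    if any(word in low for word in DICTIONARY if len(word) >= 4):
        problems.append("contains a dictionary word of 4+ characters")
    if low == account.lower():
        problems.append("matches the account name")
    if re.search(r"(19|20)\d{2}", password) or re.search(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", password):
        problems.append("contains a date or year")
    if _has_keyboard_pattern(password):
        problems.append("contains a keyboard pattern")
    if re.search(r"(.)\1\1", password):        # assumed reading: three identical chars in a row
        problems.append("contains repeating characters")
    if any(verify_password(password, cred) for cred in history):   # reuse check against hashes only
        problems.append("was used previously")
    return problems


class PasswordStore:
    """Stand-in for the centralized password system: one record per account, hashes only."""

    def __init__(self) -> None:
        self._records = {}   # account -> {"history": [Credential, ...], "set_at": float}

    def set_password(self, account: str, password: str, now: Optional[float] = None) -> List[str]:
        rec = self._records.setdefault(account, {"history": [], "set_at": 0.0})
        problems = check_policy(password, account, rec["history"])
        if problems:
            return problems
        rec["history"].append(hash_password(password))   # newest credential is the current one
        rec["set_at"] = time.time() if now is None else now
        return []

    def authenticate(self, account: str, password: str, now: Optional[float] = None) -> bool:
        rec = self._records.get(account)
        if rec is None or not rec["history"]:
            return False
        now = time.time() if now is None else now
        if now - rec["set_at"] > MAX_AGE_DAYS * 86400:
            return False     # expired: the user must change the password first
        return verify_password(password, rec["history"][-1])
```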

After years of real-world use, Nortel Networks has seen the following advantages of this system:

• Single consistent method for setting passwords

• Single consistent method for authentication and authorization

• Single method for registering and terminating user accounts

• Enforcement of corporate password strength guidelines

• Consistency across applications, so employees know what to do

• Standardization that makes the system easy to support and adopt

• Fast, seamless performance through standard interface and APIs

• Lower costs, fewer help desk calls

Figure 9. Single password access management in Nortel Networks corporate network (diagram: employees, technicians, contractors, partners and customers, whether local or remote, wired or wireless, go through single password access management against a RADIUS server and password authentication database, which front RADIUS-enabled enterprise applications: CRM, SCM, ERP, unified messaging, self-serve benefits, expense system ...)


Part III. Network security in the real world

The previous section outlined key principles and practices of the Nortel Networks Unified Security Architecture. This section demonstrates this multi-level security framework in action for several real-world scenarios:

• Securing the campus network

• Securing the data center

• Securing the remote office

• Securing remote access

• Securing IP telephony services

3.1. Securing the campus network

In this context, the term “campus” describes a corporate headquarters or large regional office where the network uses a mix of technologies, products, and applications, and serves a large user population. The campus network presents a challenging security picture because of the diversity of elements to protect:

• Servers, including departmental servers for user access and file sharing, central application servers such as finance and databases, and Web servers for either public Web or Intranet applications.

• Operating systems, typically multiple versions of multiple operating systems running on servers and clients.

• Network devices, including routers, Layer 4-7 load-balancing switches, Layer 3 core switches, Layer 2 distribution switches, and wireless LAN access points.

• Security devices, such as firewalls, VPN gateways, intrusion-detection and anti-virus servers, SSL accelerators, authentication servers, and content filtering servers.

Securing the campus network at the “network security level”

Layer 2 switching security. VLANs based on the IEEE 802.1Q standard and Ethernet switches segregate traffic for greater security and manageability. When port-based VLANs are configured, each VLAN is completely separated from the others—particularly those in the broadcast domain. In order to limit network access, a number of Ethernet switches provide port security that ties a MAC address list to specific switches, or even to ports of those switches, and prevents “unknown” workstations from getting access. This list may be built either by auto-discovery or by manual update.

With the general availability of the 802.1x authentication standard, Ethernet switches offer embedded capabilities to apply security at every node in the network, providing an effective framework for authenticating and controlling user traffic to a protected network. 802.1x ties a protocol called EAP (Extensible Authentication Protocol, originally developed for PPP) to LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. It enables enforcement of client authorization on corporate authentication servers like RADIUS.

EAP not only controls Layer 2 port connectivity, but can be extended (as being done by Nortel Networks) along with secure access management to customize the security (and QoS) end-user profiles of the port for a particular authenticated user. When a host attempts to log onto the network, the host and an authentication service exchange data via EAP. Under an end-user profile architecture, the EAP protocol enables the policy server to leverage information in a third-party authentication service to validate users and assign appropriate network access and QoS (Quality of Service) capabilities.

Layer 2 wireless LAN security. Wireless LANs offer a flexible alternative to regular Ethernet connectivity, but they suffer from known vulnerabilities. For one, it’s hard to control who is really accessing the system. Second, the current Wired Equivalent Privacy (WEP) 802.11 encryption method is weak.


For both reasons, it is recommended to use VPN technology for wireless LANs and run an IP-VPN client, such as Nortel Networks Contivity Client, on the wireless device. VPN-based wireless security is platform and radio technology agnostic—that is, the client system establishes a connection to the network via 802.11b, 802.11a, or even Bluetooth, and the VPN takes over from there. Most of the authentication takes place independently of the wireless network, keeping access point maintenance simple. The VPN can treat the wireless LAN just as the corporate backbone with wireless access points. Users trying to access the network via the wireless LAN would then be authenticated, their information encrypted, and all communication logged by the VPN system.

Alternatively, with some WLAN IP phones, encryption and authentication is built in. For example, Nortel Networks has a strategic partnership with Symbol, whose WLAN IP phones support 128-bit WEP encryption between the client and the wireless access point, and Kerberos authentication. Combining those approaches provides the robust user authentication and encryption required for WLAN environments.

Layer 3 switching and routing security. Network address translation (NAT) enables an organization to present a public IP address to the world and hide internal addresses from public view. Processing NAT in hardware with a switch is an innovative strategy for converting internal addresses into public addresses (and vice versa), making routing and firewall solutions highly efficient.

Figure 10. Securing the campus network (diagram: the Internet reaches the enterprise through a high-capacity router with NAT, a switched firewall and an IP-VPN services gateway (authentication, firewall, IPsec, SRT); a backbone Layer 2-7 routing switch with Web switching and distribution Layer 2-7 routing switches serve the engineering, human resources and finance segments, WLAN PCs, and an IP PBX connected to the PSTN; campus servers sit behind SSL acceleration, load-balanced IDS servers, a virus screening server and content filtering)


Proper design and use of routing and Layer 3 switching enhance the survivability of the campus network. Access control lists, IP segmentation and sub-netting, redundancy protocols such as Virtual Router Redundancy Protocol (VRRP), and fast convergence routing using OSPF (Open Shortest Path First) all contribute to a more survivable infrastructure.

Routers and routing switches secure the data path using IP filters that drop undesirable packets. Routing can be further secured by implementing route policies, encryption and authentication of OSPF and BGP route updates with MD5, and broadcast/multicast rate limiting.

Last but not least is the innovative Secure Routing Technology (SRT), which enables dynamic routing over secure IPsec tunnels for RIP and OSPF. Contivity Secure IP Services Gateways implement this dynamic secure routing approach, which is described later in this document in the “Securing Remote Access” scenario.

Securing remote communication via IPsec VPNs and SSL extranets. Typically, the campus network also supports VPNs to connect with branch offices and remote users—carrying private network traffic within a secure, encrypted “tunnel” carried over a public network. Robust and secure central site solutions that support both remote access and remote office IP-VPNs and firewalls are key elements of the campus network. For more information, see “Securing the Remote Office” and “Securing Remote Access,” later in this section.

Securing the campus network at the “network-assisted security level”

Perimeter control via firewalls and intrusion-detection servers. The enterprise network often provides employees with a connection to the Internet from the corporate headquarters campus. It is usually centralized in order to more easily protect a single interface to the public world. That’s exactly where perimeter control solutions such as firewalls and intrusion-detection systems (IDSs) are generally deployed to prevent malicious intrusion by unauthorized persons.

It is highly recommended that firewalls be implemented at every site within an enterprise to secure internal and external traffic, and at every point of interconnection with the Internet (e.g. even a remote PC). In some cases, it is appropriate to integrate this functionality with secure IP services gateways used also for remote office and remote access IP-VPNs.

Firewalls provide a perimeter defense against unauthorized access—an essential first step when planning for Internet access. Firewalls come in various sizes and capabilities, fitting many specific network requirements depending on their point of use. An emerging trend is to use new, multi-gigabit firewalls to interconnect segments of the campus LAN, which keeps departments separate and enables communication only through firewall security policies.

An IDS monitors the network to identify unauthorized users or suspicious patterns of utilization. Most IDS applications compare network traffic and host log entries to match data signatures and host address profiles indicative of hackers. Intrusion-detection software identifies traffic patterns that indicate the presence of unauthorized users. Suspicious activities trigger administrator alarms and other configurable responses. Nortel Networks partners with best-of-breed companies such as Internet Security Systems (ISS) to offer specialty software solutions for intrusion-detection.

Content inspection via content filtering and anti-virus systems. These tools provide essential protections for remote and local computing, and are discussed in more detail in Part III under “Securing the Data Center.”

Layer 4 to 7 switching and filtering security. Layer 4 to 7 switches provide control services for applications, management, and traffic to improve resource utilization and performance, ensure security with high performance, provide network scalability, and provide failsafe network assurance. They are usually deployed near security devices and in server farms. Integrated security filtering offloads firewall processing of NAT, monitors network activity, protects against denial-of-service attacks and some virus types such as Code Red / Blue, and protects data without compromising throughput. Nortel Networks Passport 8600 and Nortel Networks Alteon Web switches offer extensive Layer 4 to 7 capabilities.


These solutions are more generally implemented in the data center, but have value in front of campus servers:

• Load-balancing. Firewalls and VPNs are compute-intensive applications and can become bottlenecks to network performance. Load-balancing using an application switch mitigates this problem by distributing traffic among multiple active devices, enabling many firewalls/VPNs to operate in parallel.

• Port mirroring. Similarly, IDS functions are extremely compute-intensive and can slow network performance. Port mirroring on an application switch duplicates the data and sends it to one or more intrusion-detection servers (which can be load-balanced) for packet inspection at the same time the original data flow is being forwarded without delay.

In small campus networks, these capabilities can be provided by Alteon Web switches. In large campus networks, a Nortel Networks Passport 8600 system with integrated Alteon Web Switching Module provides the required scalability.

3.2. Securing the data center

The typical enterprise data center supports mission-critical applications and houses a high concentration of capital-intensive resources and confidential data—all connected to the inherently insecure Internet as well as internal users. That means securing the data center presents some unique requirements for failsafe security without compromising performance and availability for users. The need increases as enterprises discover new ways to exploit high-performance, Internet-empowered data centers:

• Ensure business continuity. Massive processing throughput and transport bandwidth now make it feasible to store primary and duplicate sets of critical data in multiple data centers, in real time—to extend business continuity services, real-time storage mirroring, and live backup across service provider networks.

• Support critical business applications. Enterprises use data centers to host business applications, implement firewalls or virtual private networks, provide storage services and content delivery of static and streaming media, and more.

• Produce economies of scale on infrastructure. Enterprises can consolidate or outsource data center functions, to centralize critical computing resources, create virtual data centers that span multiple locations, and reduce operational costs without the performance penalty or security concerns typically associated with remote access.

The “closed” enterprise may outsource its Web presence to a third party, but “extended” and “open” enterprises are exposed to the Internet for customer access, business-to-business connectivity, and interworking with application service providers, disaster recovery providers, and more. There’s a big survival risk for companies that don’t Web-connect with extended communities—yet there’s a big security risk for those that do.

A comprehensive data center security strategy requires multiple, inter-working technologies, protocols, and procedures—with partitioning among these functions provided by VLANs and firewalls.

Securing the data center at the “network security level”

Virtual Private Networks. It is highly recommended that firewalls be implemented at every site within an enterprise to secure internal and external traffic, and at every point of interconnection with the Internet (e.g. even a remote PC). In some cases, it is appropriate to integrate this functionality with Secure IP Services Gateways used also for remote office and remote access IP-VPNs. IP-VPNs enable enterprises to enjoy secure connectivity with branch offices, business partners, and remote users. For employee access, the central site VPN solution can be implemented at the campus edge; for partner and business-to-business connectivity, the VPN can be implemented in the data center, or the two can be integrated. The ideal VPN gateway should provide an all-in-one solution for routing, bandwidth management, authentication, encryption, network address translation, data integrity, logging, and firewall capabilities. Nortel Networks market-leading Contivity Secure IP Services Gateways (built on Secure Routing Technology—SRT) meet these requirements.

Network address translation (NAT) enables the enterprise data center to present a public IP address to the world and hide internal server addresses from public view. Converting external to internal addresses (and vice versa) can be performed in switch hardware, thereby enhancing the efficiency of routing, switching, and firewall functions.


Securing the data center at the “network-assisted security level”

Switched firewalls can now provide multi-gigabit throughput and state-of-the-art filtering to secure and safeguard data center servers without the performance degradation that typically occurs with deep packet inspection. Switched firewalling introduced the same level of performance improvements to perimeter security as Layer 3 switching brought to LAN routing. Therefore, a switch-based firewall is recommended for perimeter security in transaction-oriented environments. The Nortel Networks Alteon Switched Firewall combines Layer 4-7 cut-through switching with firewall software processing to deliver more than 4 Gbps throughput. Logical “demilitarized zones” can be created through the use of VLANs.

Secure Sockets Layer (SSL) protocol—built into most browsers and Web servers—is widely used to protect communications to and from Web applications. Unfortunately, SSL processing is very compute-intensive and significantly reduces server performance. This results in increased cost and operational complexity when it comes time to scale secure transaction processing. SSL Accelerators—such as Nortel Networks Alteon solution—offload SSL processing from local servers without imposing delays on other traffic in the same data path, and offer a simpler way to deploy and maintain the Public Key Infrastructure (PKI) required for electronic transactions.

Figure 11. Securing the data center (figure: Internet, enterprise, Web servers, mission-critical and other enterprise applications; switched firewall, IP-VPN services gateway, backbone Layer 2-7 routing switch with Web switching, DMZ, load-balanced IDS servers, high-capacity router, NAT, SSL; management domain with LDAP, RADIUS, DNS, IDS, and virus-screening server)


Intrusion-detection, anti-virus, and content filtering tools provide essential protections for online commerce and remote computing in general. IDS software identifies traffic patterns that indicate the presence of unauthorized users. Anti-virus software detects and defuses potential cyber attacks. Content filtering software restricts the type of data that can be accessed or distributed.

IDSs can be broadly categorized according to the following criteria:

• Incident detection timeframe—real-time or off-line, depending on whether system logs and network traffic are analyzed as events take place or in batch mode during off hours.

• Type of installation—network-based or host-based. A network-based IDS typically involves multiple monitors (often pre-configured appliances) installed at choke points on the network (where all traffic between two points can be monitored). A host-based IDS requires that software be installed directly on the servers to be protected, and monitors the network connections and user activity on those servers.

• Type of reaction to incidents—whether the IDS actively intervenes to head off attacks (such as by modifying firewall rules or router filters) or simply notifies staff or other network systems of the problem.

Most commercial IDS products provide a combination of network- and host-based monitoring capabilities, with a central management host to receive reports from the various monitors and alert network support staff. A network-based IDS is recommended for most installations.

Anti-virus solutions continuously monitor applications to ensure that no virus damages the system. They detect malicious viruses, worms, and Trojan horses in all major file types, including mobile code and compressed file formats.

Content filtering software restricts the type of data that can be accessed or distributed, exposing employees and partners only to correct and appropriate content. Content filtering can identify inappropriate Web ‘surfing’ and stem productivity losses due to prolonged Internet use. Content filtering also helps minimize the spread of viruses from Web servers. The Alteon Content Cache (ACC) supports hundreds of URL filters, providing customers with the ability to protect themselves from well-known URL server attacks. ACC also stops many viruses like NIMDA and Code Red, and can be used to control which sites are accessible.

Together, these measures enable networks to be open and accessible for legitimate uses, but not wide open for inappropriate or malicious uses.

Layer 4 to 7 application switching provides high-availability traffic management by filtering and switching traffic based on application and content information, without compromising throughput. To increase protection against denial-of-service (DoS) attacks, routing switches such as Nortel Networks Passport 8600 provide SYN attack alarms: network administrators set a threshold for new half-open sessions, and the Layer 4-7 switch triggers a trap to notify the administrator when the threshold is exceeded.

A “protection from application abuse” feature limits the rate of new TCP connections on a per-client basis. Administrators can limit users to a particular connection rate and limit the number of sessions for users accessing a specific domain or application within the domain. Benefits include protection from application abuse, increased application availability, and increased control of user access to applications. Layer 7 Deny Filters allow network administrators to create filters and assign URLs to those filters to deny certain traffic. This is particularly useful as added anti-virus protection, preventing access to disallowed Web content.
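As an added example (not Nortel's code nor an Alteon or Passport configuration), the following Python emulates the two controls just described over a constructed stream of TCP connection events: a half-open session threshold that raises a trap, and a per-client limit on the rate of new connections. The event format, thresholds, and addresses are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample connection events (not from the paper):
# (time_s, event, client_ip, client_port), event in {"syn", "established", "rst"}.
# 198.51.100.7 behaves normally; 203.0.113.9 opens five sessions in 0.1 s and
# never completes a handshake.
SAMPLE_EVENTS = [
    (0.0, "syn", "198.51.100.7", 40001),
    (0.1, "established", "198.51.100.7", 40001),
    (1.0, "syn", "203.0.113.9", 50001),
    (1.0, "syn", "203.0.113.9", 50002),
    (1.0, "syn", "203.0.113.9", 50003),
    (1.1, "syn", "203.0.113.9", 50004),
    (1.1, "syn", "203.0.113.9", 50005),
    (2.0, "rst", "203.0.113.9", 50001),
    (2.0, "rst", "203.0.113.9", 50002),
    (2.0, "rst", "203.0.113.9", 50003),
    (2.0, "rst", "203.0.113.9", 50004),
    (2.0, "rst", "203.0.113.9", 50005),
    (3.0, "syn", "198.51.100.7", 40002),
]


def half_open_traps(events, threshold):
    """Emulate the SYN attack alarm: count sessions that have seen a SYN but no
    completed handshake, and emit a trap (time, count) each time the count
    rises above `threshold`. One trap per excursion; the alarm re-arms once
    the count has dropped back to the threshold or below."""
    half_open = set()
    traps = []
    armed = True
    for t, ev, ip, port in events:
        key = (ip, port)
        if ev == "syn":
            half_open.add(key)
        else:  # handshake completed, reset, or torn down
            half_open.discard(key)
        n = len(half_open)
        if n > threshold and armed:
            traps.append((t, n))
            armed = False
        elif n <= threshold:
            armed = True
    return traps


def rate_limit_new_connections(events, max_per_window, window_s):
    """Per-client limit on new TCP connections: allow at most `max_per_window`
    SYNs from one client within any sliding window of `window_s` seconds.
    Returns the list of (time, ip, port) SYNs that would be refused."""
    recent = defaultdict(deque)  # client ip -> timestamps of accepted SYNs
    refused = []
    for t, ev, ip, port in events:
        if ev != "syn":
            continue
        window = recent[ip]
        while window and t - window[0] >= window_s:
            window.popleft()  # drop SYNs that fell out of the window
        if len(window) >= max_per_window:
            refused.append((t, ip, port))
            continue
        window.append(t)
    return refused
```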

Alteon Web switches and Passport 8600 systems equipped with an Alteon Web Switching Module both offer high-performance Layer 2-7 filtering. These systems also perform load balancing to eliminate data center performance bottlenecks, including VPN, firewall, IDS, and DNS systems.


Securing data center storage

When enterprises were organized into business silos—each running their own applications and databases—direct attached storage (DAS) was sufficient. Storage devices were dedicated and physically attached to each server; securing them was relatively simple.

With the emergence of storage area networks (SANs) to support global applications more cost-effectively, the security picture becomes more complex. SANs connect a number of storage devices and application servers across a dedicated network running protocols such as Fibre Channel, ESCON, and FICON at speeds up to 2 Gbps. Optical systems—such as Nortel Networks OPTera Coarse/Dense Wave Division Multiplexing (CWDM/DWDM) system—have enabled massively scalable SANs that span the MAN and WAN.

As SANs are extended globally, storage security becomes a significant concern. Within the data center, storage access is protected within the SAN by creating zones of trust. As storage is extended on CWDM/DWDM optics, carrier-grade connectivity and security is required (and provided by Nortel Networks solutions). Optical connectivity solutions are inherently secure since the sniffing of an optical signal is not possible and the network elements do not operate in the IP data plane. The optical storage data is a completely private and secure optical signal.

Within the network core, carrier-grade network elements are required that are “IP hacker-proof.” The management plane of the optical network elements that are used by enterprises (and form the core of service provider and carrier networks) for transporting storage, video, voice and data is secured through the application of the techniques for securing management described in this document. In contrast, using the enterprise IP network for storage networking (such as with iSCSI) opens up this critical enterprise resource to a broad range of vulnerabilities.

3.3 Securing the remote office

In this context, the term “remote office” refers to any remote workplace that requires persistent, two-way communication with the enterprise—for locations as diverse as a telecommuter’s home office or a major regional office. Connecting remote offices is a significant network cost in many industries, such as retail banking, health care, and government.

Traditionally, remote offices were connected to the enterprise network using various LAN technologies and multi-protocol routers, working into frame relay networks with ISDN circuit-switched backup. VSAT satellite terminals have also been widely deployed—for instance, for credit card validation in the retail industry. Four major developments are transforming the remote-office networking scenario: (1) the convergence on Ethernet as the LAN standard, (2) universal acceptance of IP as the protocol of choice, (3) the Internet, and (4) a growing list of Layer 2 and 3 VPN services. However, these developments also introduce a variety of security challenges, particularly for “extended” and “open” enterprises.

WAN (wide area network) edge requirements at the branch office level include routing between VLANs locally and into the network, QoS and bandwidth management, and scalable interfacing into the WAN. This includes supporting the required encapsulation scheme over the WAN and whatever level of reliability is appropriate. Cost-effective security over the Internet (and even over frame relay) is a key requirement. Managing the transition from legacy (relatively secure) WAN technologies to IP-VPNs is also a challenge. Some enterprises want to have direct Internet access from every remote office, opening up the need for remote firewalls.

Others want highly reliable, dynamically routed connectivity between branches and the enterprise backbone, with centralized firewalls into the Internet, in some cases using frame relay as the primary path and the Internet as a backup—or moving towards IP-VPNs as a primary configuration. Dynamic routing enhances scalability and reliability by automatically learning network topology and end-user addresses, and adapting to changes in network topology.

However, security in routed networks has been an afterthought. For example, there has been no effective way to run dynamic routing over VPN-encrypted tunnels, which themselves have been difficult to manage.

These limitations have led enterprises to buy, install, maintain, and manage multiple security and networking devices for remote office and branch networks, resulting in a complex and costly architecture.


Dynamic routing vulnerabilities

Although dynamic exchange of routing information among enterprise sites eases the administrative tasks of managing network traffic flows and can enhance reliability, it can also introduce security issues if not configured and managed properly.

One key issue is the handling of default routes, which determine where traffic with unknown destination addresses will be sent. Typically, the default route points to the Internet. In this case, if routing information for some site in the enterprise is lost (perhaps due to equipment failure, but possibly due to a security attack), then traffic meant for that site may be sent into the Internet, without security protection. If the missing route is actually reachable through the Internet (e.g., if it is advertised by an Internet gateway at the remote office), then full bi-directional communication might be established, with traffic flowing unprotected across the Internet—all unknown to the systems involved in the communication.

Another issue with dynamic routing is the problem of misleading routing information. If one routing system is hijacked, or if a workstation in the network is configured to send false routing messages, an attacker could redirect traffic to a point where it can be compromised. Likewise, a misconfigured router at a remote office can advertise incorrect routing information and disrupt communications, even if no malicious intent or traffic interception is involved. An example is when one remote office routing system is configured with a static route for another site, then advertises this route as if it were located at that site. This can disrupt traffic actually intended for the other site.

The solution for these routing issues is to ensure that gateway systems for remote offices contain effective route filtering capabilities, so they will not simply blindly exchange any routing information they receive from the internal network, but will apply intelligent rules to it. This strategy enables the enterprise network to benefit from the manageability of dynamic routing without exposing the network to dynamic routing vulnerabilities. Clearly, routing information received from the Internet should be carefully filtered, and internal enterprise routes should never be accepted from the Internet.
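As an added example, not part of the paper or of any Nortel product, here is the route-filtering logic described in this sidebar in Python: routes received from an Internet neighbour are limited to a default route, and routes received from internal neighbours are checked against the enterprise address space and against this site's own prefixes (the misconfigured static-route case). It goes one step beyond the text by adding a discard entry for each enterprise aggregate, so traffic for a lost internal route is dropped rather than following the default route into the Internet. Address ranges and next-hop names are constructed.

```python
import ipaddress

# Constructed values for the example (not from the paper): the enterprise's
# private address space and the prefixes this remote office itself owns.
ENTERPRISE_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]
LOCAL_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def _is_enterprise(prefix):
    return any(prefix.subnet_of(agg) for agg in ENTERPRISE_PREFIXES)


def filter_received_routes(routes, source, local_prefixes=LOCAL_PREFIXES):
    """Route-filter rules for a remote-office gateway.

    routes: iterable of (prefix_str, next_hop) as received from a neighbour
    source: "internet" for an Internet-facing neighbour, "intranet" for a
            neighbour reached over the enterprise WAN or an IPsec tunnel
    Returns (accepted, rejected); each rejected entry carries its reason.
    """
    accepted, rejected = [], []
    for prefix_str, next_hop in routes:
        prefix = ipaddress.ip_network(prefix_str, strict=False)
        if source == "internet":
            # Internal enterprise routes must never be learned from the Internet,
            # and nothing more specific than a default route is wanted from it.
            if _is_enterprise(prefix):
                rejected.append((prefix, "enterprise prefix advertised from Internet"))
            elif prefix != DEFAULT_ROUTE:
                rejected.append((prefix, "only a default route is accepted from Internet"))
            else:
                accepted.append((prefix, next_hop))
        else:
            # From the internal network: never accept a default route (it would
            # pull traffic away from the administrator-chosen exit), never accept
            # our own prefixes advertised back to us, and accept only enterprise
            # address space.
            if prefix == DEFAULT_ROUTE:
                rejected.append((prefix, "default route from internal neighbour"))
            elif any(prefix.subnet_of(lp) for lp in local_prefixes):
                rejected.append((prefix, "neighbour advertises our own prefix"))
            elif not _is_enterprise(prefix):
                rejected.append((prefix, "non-enterprise prefix from internal neighbour"))
            else:
                accepted.append((prefix, next_hop))
    return accepted, rejected


def build_forwarding_table(accepted_routes):
    """Accepted routes plus a discard entry per enterprise aggregate (the added
    safeguard): if a site's route is lost, traffic for it is dropped instead of
    matching the default route and leaking into the Internet."""
    table = list(accepted_routes)
    for agg in ENTERPRISE_PREFIXES:
        table.append((agg, "discard"))
    return table


def lookup(table, destination):
    """Longest-prefix match; returns the next hop, or None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


# Constructed sample advertisements from an ISP peer and from the hub site.
INTERNET_ROUTES = [("0.0.0.0/0", "isp"), ("10.20.0.0/16", "isp")]
INTRANET_ROUTES = [("10.20.0.0/16", "hub-tunnel"), ("0.0.0.0/0", "hub-tunnel"),
                   ("10.1.0.0/16", "hub-tunnel"), ("192.0.2.0/24", "hub-tunnel")]


def demo_table():
    """Filter both neighbours' advertisements and build the resulting table."""
    from_internet, _ = filter_received_routes(INTERNET_ROUTES, "internet")
    from_intranet, _ = filter_received_routes(INTRANET_ROUTES, "intranet")
    return build_forwarding_table(from_internet + from_intranet)
```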

With the move to IP-VPNs over the Internet, a complete set of security requirements has to be met as cost-effectively as possible at multiple network levels:

• “Network security level” functions include IP routing over secure tunnels and VPNs

• “Network-assisted security level” functions include encryption and stateful firewall inspection

• “Application security level” functions must be provided if data servers and/or IP telephony are deployed at the remote office

• Access management provisions include remote-office authentication and directory services that enable users to have a unique security profile that stays with them whether they log in locally over the intranet or from home across the Internet

• Network management security provisions must be extended to the remote office, without back doors that might compromise network security

Traditional solutions for secure remote office connections

Traditional solutions have proven problematic for meeting remote office security requirements. Many enterprises considered turning on the requisite security functionality on their routers, only to find that adding security may not be possible on low-end routers, or it may impact router performance and require an expensive upgrade that may represent up to 50 percent of the cost of the original router.

Even if a router can be upgraded to support filtering, firewalls, and VPNs, treating security as an application on top of monolithic routing code introduces other problems. One example is in routing over IPsec tunnels, required to manage redundant paths, route around failed nodes, and perform load balancing and on-the-fly route selection based on link utilization. Today, these functions are done by double encapsulating IP packets via Generic Routing Encapsulation (GRE) on top of IPsec tunnels, resulting in extra processing, memory, and transmission overheads—in fact, an additional 24 bytes per packet—and requiring manual configuration of each end user. GRE also presents recognized packet fragmentation issues. If this is unacceptable to the customer, then the only practical option is manually configured static routes, which are clearly labor intensive, provide ineffective load balancing at best, and are awkward for managing changes.


A new architecture for securing the remote office

Adding security to routers (see “Traditional Solutions” sidebar) is a sub-optimal solution that doesn’t measure up to the mission-critical service delivery requirements of branch networks. Multi-box solutions raise total cost of ownership, a problem that multiplies with the hundreds or thousands of sites that may need to be served.

A new approach uses secure IP services gateways, which are purpose-built devices that deliver security and security-related IP services in a single, integrated platform designed for remote offices. A single hardware device provides bandwidth management over a range of WAN services, dynamic IP routing over encrypted tunnels, IP-VPN support, and a range of security features, including stateful firewall inspection, encryption, and authentication—all operating under directory and policy services. Targeted at the enterprise edge—the intersection of an enterprise’s private and public IP networks—secure IP services gateways provide secure communications over an inherently insecure medium, the Internet.

The Nortel Networks Contivity Secure IP Services Gateway is a new class of device in this area, and a key component of our Unified Security Architecture. Contivity Secure IP Services Gateways:

• Run over ISDN, frame relay, IP-VPN and emerging Layer 2 VPN services (such as Optical Ethernet)

• Deliver encryption/authentication/firewall performance at wire-speed

• Operate under a unified security policy management architecture that covers remote users and sites across the enterprise

• Support dynamic end-to-end routing for a mix of frame relay virtual circuits, Layer 2 Virtual Private Ethernets, and IPsec tunnels—the latter achieved by making tunnels visible to the routing code and by encapsulating routing messages directly in IPsec (bypassing the GRE layer of today’s solutions)

• Centralize provisioning of critical IP services with tightly integrated security

• Interoperate with existing routing, authentication/directory, and security services

Figure 12. Securing the remote office (figure: Internet; legacy branch with Secure IP Services Gateway, PSTN, PBX, and RADIUS server; converged branch with Layer 2 switch and IP telephony system, IP telephones, and RADIUS server; token/PKI authentication, IPsec, and firewall functions at each gateway)


Secure Routing Technology (SRT) features in Contivity systems

• Secure IP services applications decoupled from the hardware

• Software-configurable IP service deployment

• Designed for secure management, secure policy, secure access, and secure routing

• Compatible with existing Contivity VPN switches and Succession IP telephony

Policy Management

• Applied to frame relay, PPP connections, and secure tunnels

Secure Access Management

• Strong user authentication (PKI) services, and LDAP, RADIUS, digital certificates, smart cards, and user name/password

Network Security

• Dynamic routing of IP packets over encrypted tunnels

• NAT, PPP over Ethernet, DHCP server and client, DNS with VPN, and DNS Proxy

Network-assisted Security

• Full stateful firewall with 100 application gateways

Management Security

• Remotely managed using strong encryption (IPsec)

• Secure base configuration, denying all Internet traffic and providing DoS protection

• Logging and protection against hacker attacks

Figure 13. Remote office dynamic routing for increased reliability and scalability (figure: redundant Secure IP Services Gateways at the central site, branch Secure IP Services Gateways, remote access clients, Internet and frame relay with static and dynamic routing over secure FR or secure tunnels)


3.4 Securing remote access

Remote access enables “extended” and “open” enterprises to make efficient use of people and resources wherever they are located—at home, on the road, using public PCs, or drop-in business centers in hotels. However, opening the network to access from anywhere introduces security concerns.

One of the most prevalent security threats is a remarkably low-tech issue—theft of personal computers—that can lead to more serious issues, i.e., using the stolen PC to steal locally stored data or to masquerade as a legitimate user to access the enterprise network.

For that reason, sensitive information on systems used for remote access should be encrypted using a system that integrates seamlessly into normal application use. Encryption systems are currently available that enable the user to operate normally, not requiring manual or individual encryption/decryption of files. For example, entire file systems or “folders” can be stored in encrypted form, with decryption being integrated in normal file system access.

Another threat occurs when the remote-access user is operating on an easily hacked wireless LAN, perhaps at home or in a hotel. For wireless access, the user’s access device should be equipped with anti-virus software and an up-to-date personal firewall that prevents unauthorized users from hacking into the user’s PC during an open communication session.

Securing dial-up access. Remote access over dial-up connections—such as ISDN switched access or a modem call over standard telephone lines—must be protected with stringent access authentication and authorization procedures. Encryption adds another level of security for confidential communications, but direct dial-up access is inherently insecure because it can be used to circumvent firewalls and other IP-enabled security techniques. Direct switched access—widely used in the 1980s and early 1990s—is rapidly being replaced by Internet-based remote access VPNs.

Figure 14. Securing remote access (figure: central site with redundant Secure IP Services Gateways and SSL VPN Gateway; customer site; remote users at a payphone with data jack, hotel, home office, and airport connecting over the Internet via SSL or IPsec, with firewall, virus screening, and IDS functions)


Remote access VPNs. Internet-based remote access provides tremendous flexibility and high bandwidth. Two approaches are common:

• VPNs based on IPsec, with IPsec client software loaded on the user’s access device.

• SSL extranets, which use the SSL capability built into standard Web browsers and require no other client software. We chose not to use the term “VPN” when describing SSL implementations, since SSL only gives access to an application, not the full network.

Let’s take a closer look at these popular VPN strategies.

IPsec-based VPNs

IPsec is a network-layer approach that can be used across applications. For example, an IPsec-based VPN connection can be used to access e-mail, HR self-serve applications on the intranet, and browse the network. An IPsec “client” (the user-interface software), such as Nortel Networks Contivity Multi-OS Client, must be installed on the access device—PC, PDA, handheld computer, etc. The access device should also be loaded with anti-virus detection software.

Whether based on dial access to an ISP point of presence (POP) or on wired or wireless direct access, the VPN client authenticates the user, verifies the integrity of the user’s computer system, and establishes a secure link (“tunnel”) to the enterprise. The VPN client ensures that the remote system is secure even during session setup, where exchange of authentication information is encrypted.

Remote access VPNs must be able to detect and, if possible, bypass common Internet obstacles such as NAT and outbound firewalls, such as when linking to the enterprise network from within another firewall-protected network. At minimum, the VPN must tell the remote user the nature of obstacles encountered. An important feature of Nortel Networks Contivity client is the support of split tunneling, with simultaneous secure access to the enterprise and clear access to the public Internet.

Remote access connections from the Internet are handled by an IPsec gateway system at the enterprise edge. Multiple gateways with multiple paths to the Internet provide essential redundancy in case of the failure of any one path or device. Larger enterprises or those with critical confidentiality requirements should consider separation of gateways as well.

The effective IP services gateway should provide: simple client configuration; the ability to pass connections through to the internal enterprise network as opposed to session termination; stateful firewall functionality to preclude the need for a separate firewall; support for multiple authentication methods such as RADIUS, PKI and LDAP, directory-based userID and password systems such as Microsoft Active Directory and Novell Directory Services; and smart card or token-card authentication on users’ laptops. Support for L2TP and PPTP would be beneficial.

SSL extranets

SSL is a session-layer approach, which means that every application has to support SSL and have its own user authentication approach. For example, when you go to Amazon.com, the SSL session is set up before you enter your userID or credit card number. User authentication could include going to an authentication server. Firewall traversal and NAT are easily supported with SSL.

SSL is built into standard Web browsers such as Microsoft Internet Explorer, so no special client software is required. This feature makes SSL extranets particularly attractive for scenarios where the enterprise doesn’t own or control the remote access devices, or where users need access from public PCs.

Web browsers are common targets of hackers, but the benefits outweigh the risks, which can be mitigated by using personal firewalls and intrusion-detection systems on the access device. The application-agnostic SSL protocol is considered robust enough that it is used extensively for consumer access to online shopping Web sites.

However, Web browsers support SSL only for Web-enabled (HTML) applications. As a result, if an enterprise wants to use SSL extranets for access to, say, its legacy supply chain management application, then either the application has to have an HTML/SSL front end or an external application-specific gateway. Several vendors offer external gateways for common applications, but every application will need to have a unique front-end acquired or developed. In addition to this trade-off, there are also potential incompatibilities among browsers and browser versions. For example, some versions of SSL will actually allow a fallback to very weak 40-bit encryption if 128-bit encryption is not present.

In conclusion:

• SSL extranets operate at the transport layer, are good for Web applications and extranets and limited application access, and don’t require any special client software. However, SSL extranets open up a large security hole when used from uncontrolled PCs—such as public PCs in kiosks—which may lack personal firewalls and/or be infected.

• IPsec VPNs operate at the network layer, are application agnostic, and require a PC client. IPsec VPNs provide complete control over the security environment.

Nortel Networks offers both types of VPNs. Contivity Secure IP Services Gateways lead the market in IPsec-based remote access and remote office VPNs, with more than half a million VPN clients in service. Nortel Networks has recently extended its Alteon portfolio to implement SSL extranets.

3.5 Securing IP telephony services

Enterprises are starting to roll out IP telephony solutions to reap the benefits of convergence in the LAN and the WAN, and of converged applications. Every VoIP system is a hardware/software solution that comprises four logical functions:

• IP telephones and PC soft clients

• Communications servers (also called call management servers or gatekeepers)

• Media gateways that provide flexible network access, for example, via traditional PBXs and the public switched telephone network (PSTN) and the public wireless network

• Application servers for such purposes as unified messaging, conferencing, and collaborative applications enabled by Session Initiation Protocol (SIP)

These functions and related application servers—such as contact center systems—are distributed across a telephony- or business-grade IP network that delivers the required levels of reliability, voice quality, and congestion management. Extended reach and mobility are provided over wireless LANs and over the Internet via IP-VPNs.

IP telephony is very time-sensitive and critical to the business, and, just like other data applications, subject to a variety of attacks. For example:

• Attacks on the router can bring down both voice and data services

• Denial of Service can overload an IP telephony communications server or client

• Ping of Death can disrupt VoIP operations by sending multiple pings to VoIP devices

• Port scanning can find vulnerabilities in VoIP clients and servers

• Packet sniffing can record and/or intercept conversations

• IP spoofing can misrepresent the source or destination of the media or signaling stream

• Viruses, worms, Trojan horses, and time-triggered bombs can attack servers and clients

There have already been cases of hackers taking over IP clients—due to lack of administration passwords in one case (i.e. PingTel), and due to vulnerabilities associated with running XML in another (Cisco). However, while these could be very disruptive, they are primarily a threat when running VoIP natively across the Internet and a relatively lesser threat when run within the enterprise or over tunneled Internet connections. We are a few years away from seeing VoIP used end-to-end between employees and the outside world; the security architecture for VoIP will be extended when standards, public services, and interoperability have reached greater maturity.


Toll fraud prevention

“Toll fraud” theft of service occurs when a PBX and its communications facilities are accessed and used illegally by unauthorized users—internal or external. Just like a computer hacker, PBX hackers look for weak spots in the PBX and use an array of complex hacking tools ranging from password-stealing software to automatic dialers. Often, hackers are difficult to detect until the damage is already done. With so many different internal and vendor or system integrator technicians accessing the PBX as part of routine maintenance, PBX hackers are often discovered only after they’ve had days or even weeks to access facilities and rack up hundreds or thousands of dollars on the enterprise phone bill.

This complex problem requires sophisticated countermeasures, even in a world where the cost of an individual phone call is measured in pennies. IP telephony solutions must offer toll fraud prevention and other features that work with both VoIP and traditional telephony.

PBXs—such as Nortel Networks Meridian 1—and state-of-the-art IP telephony systems such as Nortel Networks Succession CSE 1000 support toll-fraud prevention mechanisms. These mechanisms are founded on Telephony Class of Service, which defines each user’s ability to make state, national, and international long distance calls. The user can be denied all access, or allowed to make certain types of on-net/internal and off-net/external long distance calls. The default for new phones is restricted calling. These rules can be applied on a time-of-day basis and be overridden with an authorization code. Indirect access to long-distance calling is also controlled, including potential access via speed call lists, call forwarding, voicemail call answering through dial, and DISA access for employees dialing into the enterprise network remotely.
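The Telephony Class of Service rules just described, as an added example in Python (not Meridian or Succession code): per-extension permissions by time of day, the restricted default for unknown phones, authorization-code override, and the same check applied to indirect paths such as DISA. Extensions, authorization codes, business hours, and call-class names are constructed placeholders.

```python
from dataclasses import dataclass

# Call classes from least to most privileged (constructed naming for the example).
CALL_CLASSES = ("internal", "local", "state", "national", "international")

# Assumed business-hours window, as hours of the day (inclusive start, exclusive end).
BUSINESS_START, BUSINESS_END = 8, 18


@dataclass(frozen=True)
class ClassOfService:
    """Call classes an extension may dial directly, by time of day."""
    business_hours: frozenset
    off_hours: frozenset


# Default for a new phone: restricted calling (internal only).
RESTRICTED = ClassOfService(frozenset({"internal"}), frozenset({"internal"}))
# Constructed sample profile for a sales extension: long distance during the
# day, local calls only after hours.
SALES = ClassOfService(
    business_hours=frozenset({"internal", "local", "state", "national"}),
    off_hours=frozenset({"internal", "local"}),
)

# Constructed directory and authorization codes (placeholders, not real values).
# A code unlocks calling up to the listed class, regardless of time of day.
EXTENSIONS = {"1001": SALES}
AUTH_CODES = {"4471": "international", "9902": "national"}


def class_of_service(extension):
    """Unknown extensions get the restricted default, as a new phone would."""
    return EXTENSIONS.get(extension, RESTRICTED)


def authorize_call(extension, call_class, hour, via="direct", auth_code=None):
    """Decide whether a call attempt may proceed.

    via: "direct", or an indirect path such as "speed-call", "call-forward",
         "voicemail" or "DISA". Indirect paths are held to the same class of
         service as direct dialing, and DISA always requires an authorization
         code, since the caller is reaching the PBX from outside.
    Returns (allowed, reason).
    """
    if call_class not in CALL_CLASSES:
        return False, "unknown call class"
    if via == "DISA" and auth_code is None:
        return False, "DISA access requires an authorization code"
    cos = class_of_service(extension)
    in_hours = BUSINESS_START <= hour < BUSINESS_END
    allowed = cos.business_hours if in_hours else cos.off_hours
    if call_class in allowed:
        return True, "permitted by class of service"
    if auth_code is not None:
        unlocked = AUTH_CODES.get(auth_code)
        if unlocked and CALL_CLASSES.index(call_class) <= CALL_CLASSES.index(unlocked):
            return True, "authorization code override up to " + unlocked
        return False, "invalid or insufficient authorization code"
    return False, "denied by class of service"
```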

Figure 15. Securing IP telephony (figure: telephony-grade IP network with IP telephony server, multimedia application server, unified messaging server, contact center, IP-enabled PBX, management VLAN, PC and IP sets (SIP enabled), 802.11 wireless access, and digital telephones; authentication, SRT, NAT, firewall, IDS, IPsec, and virus screening functions)


Securing IP telephony requires a coordinated approach across all aspects of the Unified Security Architecture. Policy management and secure access management authenticate users and authorize the use of features and calling capabilities. Management security secures management of VoIP devices such as communications servers and media gateways.

Security mechanisms that have been implemented for IP data can be extended to cover IP telephony—for example, using IPsec and IP-VPNs for secure remote access and branch connectivity for VoIP and data, and for wireless LAN access. Stateful inspection firewalls and network address translation can be applied to VoIP services. Policies governing data and VoIP should be integrated under policy management. Application-level security is provided through such methods as OS hardening, PC-based virus protection, and personal firewalls.

Securing IP telephony at the “application security level”

Securing application and IP telephony communications servers. The heart of the IP telephony system is the communications server—which can be a standalone server, such as the Nortel Networks Succession CSE 1000/2000 server, or integrated with other components, such as Nortel Networks IP-enabled Meridian system and Business Communications Manager. Equally important are application servers delivering contact center services (such as Nortel Networks Symposium), multimedia applications (such as Nortel Networks CSE Multimedia Xchange), unified messaging (such as Nortel Networks CallPilot), and self-serve interactive voice response systems. Securing these servers starts with hardening of the operating systems.

Securing VoIP clients. VoIP solutions support a broad range of clients and access configurations, including IP wired and wireless telephones (e.g. Nortel Networks i2002 and i2004, and Symbol's wireless LAN IP phone) and PC-based soft clients (e.g. Nortel Networks i2050 and SIP clients). When connected to an IP network, these clients are vulnerable to attack.

There are a number of different telephony signaling protocols, such as SIP, H.323, UniStim (used by Nortel Networks IP telephones), and Meridian Customer Defined Networking for network-wide feature operation. In the future, the ability to secure signaling traffic at the VoIP client will be generally available. In IP telephony systems, the voice signal is packetized using a standard such as G.729 (at 8 kbps) and a speech activity detection algorithm, and is carried by the Real-Time Protocol (RTP) over UDP at the transport level. Encryption of the voice at source will emerge as an option, as required by special sectors such as the military community.

The process is different for securing IP telephones and PC-based soft telephony clients:

• IP telephones, such as Nortel Networks i2004/2002, are custom-built appliances for telephony only. There is no storage or asset on the phone itself to protect other than its presence on the network as a trusted device. The identification of the caller and the call itself are the only assets to be protected. These telephony appliances most commonly use a proprietary thin client protocol that relies on the communications server for feature/functionality and security. Approaches that rely on XML in the VoIP set for feature operation are open to greater vulnerability.

• VoIP soft-clients on users' PCs co-exist with other applications and assets, and run widely available operating systems. That means a successful attack can be damaging to several valued assets, and these devices should be protected with personal firewalls, anti-virus detection, and IP-VPN clients—the same mechanisms used for data security on that access device.

Securing IP telephony at the “network security level”

Securing VoIP in the wiring closet and across the campus. IP devices are wired into a campus network using either shared media or, more commonly, dedicated switched Ethernet connections. Wireless LANs are being widely adopted, especially in education and healthcare environments.

VoIP soft clients and dedicated VoIP appliances should be connected to switched Ethernet environments right to the desktop, for the following reasons:

• VoIP latency variation is minimized by eliminating the CSMA/CD contention of shared-media Ethernet

• Other devices are prohibited from eavesdropping on VoIP calls

Enterprises may also choose to logically group VoIP telephones in their own VLANs to enhance security and manageability.


Special considerations apply when using wireless LANs (WLANs) to extend IP telephony services within the enterprise; for example, from the desktop to conference rooms, classrooms, or shop floor personnel. Because wireless LANs are relatively insecure, both the signaling and voice planes need added security over the wireless segment of the call path. One method is to configure soft clients co-resident with an IP-VPN client on the access device. Alternatively, some WLAN IP phones have built-in encryption and authentication. Nortel Networks has a strategic partnership with Symbol, whose WLAN IP phones support 128-bit WEP encryption between the client and the wireless access point, plus Kerberos authentication.

Securing branches for IP telephony. Several approaches are available for securing remote office VoIP solutions. For example, an enterprise could:

• Support VoIP telephones and soft clients from an "office-in-a-box" system that integrates IP telephony capabilities and VPN security, such as Nortel Networks Business Communications Manager with integrated Contivity IP-VPN client.

• Leverage the distributed nature of VoIP by deploying clients off a centralized server such as a Nortel Networks IP-enabled Meridian platform, CSE 1000 server, and CSE MX server, and running this traffic over an IP-VPN.

• Support a Nortel Networks Remote Office 9150 VoIP telephone off a central site IP-enabled Meridian PBX, which supports Meridian digital telephones over an IP-VPN infrastructure while supporting a fully featured back-up path by tunneling over the PSTN. This approach is unique to Nortel Networks.

Nortel Networks Contivity IP-VPN solution is unique for its Secure Routing Technology, which minimizes latency for VoIP calls through meshed connectivity of secure tunnels over the Internet. This same solution can provide security for voice and data traffic traversing frame relay networks.

Figure 16. Securing remote networking for IP telephony [diagram: a central site and a customer site, each behind Secure IP Services Gateways (Auth, IPsec, FW, SRT, VS, IDS), connected across the Internet to a remote office with 802.11 IP sets and an IP telephony soft client, and to SIP and IP telephony soft clients at a hotel, an airport, and a payphone with data jack, using IPsec and SSL]


Securing remote access for IP telephony. At home, in a hotel, or on the road, remote users can benefit from the convenience, control, and productivity of IP telephony. To secure this kind of telephony access, VoIP soft clients would be co-resident with an IP-VPN client on a laptop—and ultimately on a suitably equipped PDA—for mobile employees. This same configuration is used to take advantage of WLAN access points in hotels, airports, and convention centers. VoIP telephones for telecommuters and remote contact center agents could be secured with a home office IP-VPN, such as a Contivity 1000 Secure IP Services Gateway.

Network management security for IP telephony. Management of IP telephony services should be protected with the same level of network management security accorded to the network and security infrastructure in general.

A physically dedicated Ethernet port should be configured for VoIP management functions—part of a management VLAN that blocks all non-management traffic at the routing level via access lists and perimeter security, and has all unused ports turned off. Only authorized application software should be run on the servers in this VLAN. Multi-level security should be applied with various levels of privileges (monitor, configure, control) for authenticated operational personnel. User passwords must be securely stored and password formatting and change management strictly controlled. Management traffic (such as billing information) can be optionally encrypted, even for internal transmission through IP-VPN technology. Off-net access for suppliers, system integrators, and/or VARs can be provided via IP-VPNs.
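A check a practitioner would run against the management-VLAN requirements above, added here as an example that is not part of the paper: it audits a constructed inventory for unused ports left enabled, access-list entries admitting non-management services, accounts outside the monitor/configure/control levels or using default names, and unauthorized software on servers in the VLAN. The inventory classes, the management-service table and the default-account list are assumptions.

```python
"""Audit of a VoIP management VLAN against the controls stated in the text.

Added example; the inventory classes, the management-service table, the
default-account list and the sample configuration are constructed and are
not a Nortel configuration format.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# (protocol, port) pairs regarded as management traffic (constructed list).
MANAGEMENT_SERVICES = {("tcp", 22): "ssh", ("tcp", 443): "https",
                       ("udp", 161): "snmp", ("udp", 514): "syslog"}
PRIVILEGE_LEVELS = ("monitor", "configure", "control")
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}     # constructed


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int
    in_use: bool      # a device is actually connected here
    admin_up: bool    # port is administratively enabled


@dataclass(frozen=True)
class AclEntry:
    action: str       # "permit" or "deny"
    proto: str        # "tcp", "udp" or "any"
    dport: int        # 0 means any port


@dataclass(frozen=True)
class Account:
    user: str
    level: str


@dataclass
class MgmtVlan:
    vlan_id: int
    ports: List[Port]
    acl: List[AclEntry]                 # evaluated first-match, top to bottom
    accounts: List[Account]
    authorized_software: Set[str]
    installed: Dict[str, Set[str]]      # server -> packages found on it


def audit(cfg: MgmtVlan) -> List[str]:
    """Return one finding per deviation from the management-VLAN controls."""
    findings: List[str] = []
    # Control 1: every unused port in the VLAN is turned off.
    for p in cfg.ports:
        if p.vlan == cfg.vlan_id and not p.in_use and p.admin_up:
            findings.append(f"port {p.name}: unused but still enabled")
    # Control 2: the access list admits management services only and ends
    # with an explicit deny of everything else.
    for e in cfg.acl:
        if e.action == "permit" and (e.proto, e.dport) not in MANAGEMENT_SERVICES:
            findings.append(f"acl: permits non-management service {e.proto}/{e.dport}")
    if not cfg.acl or cfg.acl[-1] != AclEntry("deny", "any", 0):
        findings.append("acl: no final deny-all entry")
    # Control 3: operators hold one of the defined privilege levels and do
    # not use default account names.
    for a in cfg.accounts:
        if a.level not in PRIVILEGE_LEVELS:
            findings.append(f"account {a.user}: unknown privilege level {a.level!r}")
        if a.user in DEFAULT_ACCOUNTS:
            findings.append(f"account {a.user}: default account name still present")
    # Control 4: only authorized application software runs on VLAN servers.
    for server, pkgs in sorted(cfg.installed.items()):
        for pkg in sorted(pkgs - cfg.authorized_software):
            findings.append(f"{server}: unauthorized software {pkg}")
    return findings


def sample_config() -> MgmtVlan:
    """Constructed configuration with four deliberate deviations."""
    return MgmtVlan(
        vlan_id=900,
        ports=[Port("1/1", 900, True, True), Port("1/2", 900, False, True),
               Port("1/3", 900, False, False), Port("2/1", 10, False, True)],
        acl=[AclEntry("permit", "tcp", 22), AclEntry("permit", "udp", 161),
             AclEntry("permit", "tcp", 80), AclEntry("deny", "any", 0)],
        accounts=[Account("ops1", "monitor"), Account("ops2", "configure"),
                  Account("admin", "control")],
        authorized_software={"callserver", "snmpd", "sshd"},
        installed={"cs1": {"callserver", "sshd"},
                   "cs2": {"callserver", "snmpd", "ftpd"}},
    )
```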

Securing Web-enabled contact centers for IP telephony

Web-enabled contact centers are a key platform for offering "engaged" customer services that seamlessly integrate Web and telephony interfaces with the organization. Using IP telephony in contact centers makes it cost-effective to widely distribute agents, without compromising features and functionality.

However, because of the inherent security exposures of the Web interface and the critical nature of telephony services, special security considerations apply. Securing servers at the application and OS levels is based on hardened OS architectures and off-the-shelf security packages. Securing server management is based on partitioned operations using VLAN and remote access via IP-VPNs. IP-VPNs are also used to secure remote VoIP agents operating over the public network.


Part IV. Nortel Networks technology and expertise

Nortel Networks has defined a new strategy for the enterprise network, known as One Network. A World of Choice. One Network because it supports infrastructure convergence and eliminates boundaries. A World of Choice because it delivers options on how enterprises build the optimal networks to suit their needs. The vision is of a single, converged network that answers the critical business realities that strain and constrain today's networks.

Absolutely central to this vision is the principle that security is inherent in all applications and services—intrinsic to the very DNA of the network. The Unified Security Architecture outlined in this document represents the Nortel Networks blueprint for that new enterprise network.

Within this One Network. A World of Choice. strategy, security provisions are in place to:

• Make enterprise networking products secure from a management perspective.

• Address network and voice/multimedia application security needs.

• Evolve from a perimeter-based security model towards a distributed and layered network security architecture with centralized administration.

• Deliver reliable high-performance security solutions, including VoIP and wireless.

• Provide choices to enterprises in meeting their security requirements, driven by their business needs.

• Leverage industry-leading technologies and solutions across enterprise and service provider markets.

4.1. Design tenets built into the Nortel Networks security portfolio

Nortel Networks enterprise networking products—including security products and solutions—have been designed and built to adhere to the following tenets:

Security in the DNA means Nortel Networks security products—such as Alteon Switched Firewall, Alteon SSL Accelerator, and Contivity Secure IP Service Gateways—are designed from the ground up with security in mind.

Failsafe business continuity relies on network resilience from the physical layer to the application layer for mission-critical applications and data, using 'session persistence,' load balancing, acceleration methods, and optical technologies. For example, the Alteon Security Cluster provides a comprehensive security framework that delivers multi-gigabit acceleration and integrates firewalls, SSL offload, intrusion-detection, and anti-virus protection into a scalable, easy-to-manage architecture.

Scalability by design extends and protects network investments and lowers operational costs. The Alteon Switched Firewall, delivering the highest capacity in the industry at 3 Gbps, demonstrates this tenet in practice.

Application-optimized network components such as the Alteon SSL Accelerator combine "network-assisted" security with network intelligence to add a layer of security across multiple applications while optimizing server performance.

Communications convergence ensures that IP telephony and multimedia applications such as Nortel Networks Succession products can securely operate within both the enterprise environment and across the Internet.

Engaged applications deliver timely, context-sensitive, user-aware content to users as quickly, efficiently, and securely as possible across multiple service delivery channels.

Comprehensive management ensures that security policies are effectively and consistently implemented throughout the network. For example, Optivity Policy Services complements other Optivity management solutions to secure the management system and enhance survivability.


These design tenets apply to the entire Nortel Networks portfolio, including for example:

• Alteon switches that provide firewall/IDS/IP-VPN load balancing and content filtering

• Passport 8600 routing switches that provide extensive filtering and access list controls, as well as firewall/IDS/IP-VPN load balancing when equipped with an Alteon Web Switching Module. The Passport 8600 is a 256 Gbps platform so robust that it is used in service provider central offices

• Ethernet hubs and switches from the BayStack portfolio that support VLANs and user authentication via EAP

Security is also a key element of Nortel Networks applications for IP telephony and multimedia, contact centers, unified messaging, and more. Integration with solutions from our business partners delivers important capabilities such as intrusion-detection, anti-virus, content filtering, and authentication. Whether offered as intrinsic features in multi-purpose products—or purpose-built security devices—Nortel Networks security solutions protect the network and applications with high performance and low cost of ownership.

4.2. Expanded choice through partnerships

Nortel Networks partners with service providers to enable them to offer best-in-class secure managed service solutions. For example, our Contivity systems have been deployed by the majority of the world's leading service providers for their managed IP-VPN services. Nortel Networks Shasta Broadband Service Node (which uses the same VPN client as Contivity) is the foundation for many providers' network-based IP services—including VPNs, firewalls, and other security services.

Nortel Networks also partners with best-of-breed security application vendors for two types of collaboration:

• Working with select security application vendors to achieve full code integration with the Alteon Open Security Architecture for the purposes of accelerating existing security technologies.

• Ensuring seamless interoperability with third-party security methods for authentication (RADIUS, digital certificate/PKI, hardware/software tokens, and smart card), intrusion-detection, anti-virus, content filtering, firewall reporting, and more.

Figure 17. Design tenets behind Nortel Networks products [diagram listing the seven tenets: Security in the DNA, Fail-safe business continuity, Scalability by design, Application-optimized network, Communications convergence, Engaged applications, Comprehensive management]


4.3. Security services

With new data privacy legislation pending and enacted, a constantly changing scene of network threats and vulnerabilities, and IT security teams operating on limited budgets and manpower, many enterprises turn some or all of their security functions over to certified security specialists. Security consulting services can help the enterprise move forward with confidence to:

• Achieve and maintain compliance with Gramm-Leach-Bliley, HIPAA, and other legislation.

• Obtain objective third-party validation of their security implementation, policy, and practices.

• Establish security baseline information from thorough vulnerability analysis of the network, overall site surveys of wireless nodes added to the wired network, and other security services.

Organizations in the health care, financial, and insurance industries would be particularly interested in any or all of the following services related to recent Federal legislation:

• Assessing and analyzing the current network and environment for compliance with new industry regulations

• Developing plans to address noncompliant areas

• Implementing policies, procedures, processes, and the technology to meet the new standards

• Certifying that the enterprise organization complies with regulations and legislation

• Monitoring to assure continued compliance

Nortel Networks partners with security services vendors (e.g. Olympus Security Group) with CISSP-certified personnel to provide security deployment assistance, security training, security assessments, and regular security audits to ensure new products and/or practices have not defeated security policies.

4.4. Nortel Networks product assurance

Nortel Networks product assurance initiatives ensure that security functions perform to industry-accepted standards and specifications, where they exist.

Firewalls. Nortel Networks firewalls are or are being certified by the International Computer Security Association (ICSA), an internationally recognized, independent organization that enforces strict standards of certification for security products.

Encryption. Nortel Networks Contivity and Alteon SSL Accelerator products have achieved compliance with U.S. Federal Information Processing Standard (FIPS) 140. To earn this status, cryptographic modules are tested by accredited laboratories and assigned a rating from 1 to 4 (lowest to highest) in 11 key design and implementation areas. The overall testing program is overseen by the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the Government of Canada.

Common Criteria international certification. Responding to the newly established and globally accepted "Common Criteria" evaluation program, Nortel Networks has begun work to obtain this certification for key products, first for Alteon Switched Firewall and Contivity Secure IP Services Gateways.


A closer look at Common Criteria

An international effort to develop international IT security criteria, the Common Criteria initiative is designed as a taxonomy of security requirements specified either as "Protection Profiles" or as a "Security Target."

"Protection Profiles" are customer- or community of interest-generated sets of security requirements that are made publicly available before, during, or after certification as reusable by any organization or group with similar needs. These profiles can be established as standards for a particular application area such as electronic commerce, a government-authored list of requirements for a particular type of product such as a firewall, a particular market place vertical such as healthcare, or a customer's own list of requirements.

"Security Targets" are the security objectives of a specific product or system, known as the Target of Evaluation (TOE). The Target can conform to one or more Protection Profiles as part of its evaluation.

The document—International Common Criteria for Information Technology Security Evaluation—specifies security functionality and evaluation methods based on three predecessor criteria: the original United States government Orange Book or Trusted Computer System Evaluation Criteria (TCSEC), Canada's Trusted Computer Product Evaluation Criteria (CTCPEC), and Europe's Information Technology Security Evaluation Criteria (ITSEC), which combines work from the Netherlands, French criteria, German criteria, and UK Confidence Levels.

To date, the Common Criteria have been formally recognized by 23 countries. Common Criteria (CC) v2.1 was released in 1998 and has been adopted by the International Organization for Standardization (ISO) as standard 15408. For more information, see the Nortel Networks Common Criteria datasheet.

4.5. Nortel Networks and cross-industry security developments

Nortel Networks participates actively in ongoing security standards development within the Internet Engineering Task Force (IETF), the International Telecommunications Union (ITU), and the European Telecommunications Standards Institute (ETSI), for IPsec, NAT, PKI, SYSLOG, etc., as well as the following international private and public sector organizations, which work to find solutions for the growing number of security vulnerabilities on a worldwide basis:

• Internet Security Alliance. Nortel Networks is a founding sponsor of this organization, created to share information and lead thought on information security issues. It is a collaborative effort between the Carnegie Mellon University Software Engineering Institute (SEI), the Carnegie Mellon CERT® Coordination Center (CERT/CC), and the Electronic Industries Alliance (EIA), a federation of trade associations. The Internet Security Alliance represents industry's interests before legislators and regulators, and creates a collaborative environment to identify and standardize best practices and solutions.

• National Reliability and Interoperability Council (NRIC). Part of the Homeland Security Working Group, the NRIC works to ensure the optimal reliability, interoperability, accessibility, and interconnectivity of public telecommunications networks.

• The Telecommunications—Information Sharing and Analysis Center (Telecom-ISAC). Nortel Networks cooperates with this subgroup of the National Coordinating Center for Telecommunications (NCC), which facilitates voluntary collaboration and information sharing among government and industry ISAC members. The NCC gathers information on threats, outages, intrusions, and anomalies; analyzes and sanitizes the information; disseminates the information in accord with sharing agreements; and alerts others in "near real time."

• National Security Telecom Advisory Committee (NSTAC). Nortel Networks participates in the Network Security Information Exchange (NSIE) subcommittee of this group, driving the establishment of a common security baseline for enterprises and carriers to reduce customer operating expense and vendor R&D expense.

• Joint Group on Network and Information Security (NIS). This is a new European initiative formed by ETSI and the European Committee for Standardization. NIS helps coordinate effective use of security standards to establish trust on the Internet. Nortel Networks chairs NIS.


Nortel Networks maintains an internal cross-functional team—the Security Advisory Task Force (SATF)—which reports to the Chief Technology Officer and addresses security vulnerabilities that could impact Nortel Networks products, as soon as these vulnerabilities are discovered.

This internal task force has established relationships with key security vulnerability agencies in the industry such as CERT, SANS, and ISA to ensure rapid awareness of new vulnerabilities. A process has been established to determine the level of risk of each potential vulnerability to Nortel Networks customers, along with a risk mitigation plan, where required.

Where appropriate, the vulnerability status of the Nortel Networks portfolio is communicated in Vendor Statements on the corresponding CERT Web page and through action bulletins created with internal product teams that specify a risk analysis, vulnerability status, mitigation plan, and planned patch release dates. These bulletins are made available to customers, customer support teams, and account teams. Finally, the team follows up on all issues until closure.

Summary

The typical enterprise "internal" trusted network is anything but internal these days. It extends to include supply chain partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more. Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would misappropriate network resources for personal gain.

Whether or not they leverage the inherently insecure Internet for business applications, all enterprises have an obligation to protect network integrity and data confidentiality—for their own sakes as well as for their customers and business partners.

The good news is that enterprises can minimize their risks from unauthorized users without sacrificing performance for legitimate users. The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of best recommendations for end-to-end enterprise network security. Addressing the Top Ten security challenges with flexible implementation choices, this comprehensive security strategy is based on these key principles:

1. Multi-layer security that defines security protection functions at application, network-assisted, and network security levels

2. Variable-depth security across the enterprise, not just at the edge of the Internet

3. Closed-loop policy management that entails continuous evolution of policy to address changing business requirements, network conditions, and industry knowledge

4. Uniform access management via stringent authentication and authorization at a granular level, defined and managed centrally for the entire enterprise

5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying security best practices to suit critical operational activities

6. Secure multimedia communications, protected by high-performance encryption and tunneling

7. Survival under attack, ensuring that the network continues to deliver critical services even as it detects and wards off malicious activities

The principles underpinning the Unified Security Architecture offer enterprises a blueprint for implementing security solutions to ensure information integrity and confidentiality across a full range of network applications and architectures, including protection from external attacks, application abuse, viruses, unauthorized access, interception, or manipulation of data en route.

With Nortel Networks Security Solutions, enterprises can protect business critical resources, and confidently and confidentially use the Internet as an extension of their trusted internal network.

For more information about security products, terms, standards, organizations, legislation, and certification, visit our security solutions Web site at http://www.nortelnetworks.com/solutions/security/related.html.


Appendix A. Hackers' tools of the trade

Unauthorized access to network resources is usually the result of improper system configuration and usage flaws. Attackers can take advantage of weak user authentication and authorization tools, improper allocation of hidden space, shared privileges among applications, or even sloppy employee habits, such as posting their secret passwords on the side of their computers.

Attackers can obtain illegal access by guessing user names and passwords using a dictionary of common strings, by deriving passwords by algorithmic means, or by capturing them in transit if they are sent unencrypted. After guessing or intercepting a user name and associated password, the attacker gains a dangerous level of access to internal resources. How much access depends on the privileges assigned to the compromised account, naturally. But in reality, the potential for damage depends more on the hacker's intent. Usually the hacker's mission is to use the compromised account to install a backdoor entry to the enterprise.

Protocols for remote access to e-mail such as IMAP, POP3, and POP2 use simple user name and password authentication techniques. These protocols can be used to facilitate brute force attacks. In fact, there are published methods that allow attackers to remotely exploit the services of these protocols.

There are even more sophisticated ways of gaining unauthorized access. Worms can be used to perform system-spoofing attacks whereby one system component masquerades as another. For example, worms can exploit flaws in the debug option of sendmail and in .rhosts (e.g., as used in UNIX) that stem from weak authentication. The debug option of sendmail can be turned off; leaving the option on is an example of a usage flaw.

IP spoofing or session hijacking is a complex attack that exploits trust relationships. The attacker assumes the identity of a trusted host in order to sabotage the security of the target host. As far as the target host knows, it is carrying on a conversation with a trusted host.

In this assault, the attacker first identifies a trusted host whose identity will be assumed, perhaps by first determining the "patterns of trust" for the host—that is, the range of IP addresses that the host trusts. The next step involves the disabling of the host (such as by TCP SYN flooding attacks), since the attacker will assume its identity.

IP spoofing attacks succeed because it is easy to forge IP addresses and network-based address authentication techniques are limited. The IP spoofing attack is blind, since the attacker may not have access to the responses from the target host. However, the attacker can obtain two-way communication if routing tables are manipulated to use the spoofed source IP address. IP spoofing attacks are often used as a first step for other assaults such as Denial of Service (DoS) and flooding attacks.

Network sniffers were originally designed to enable network managers to diagnose problems, perform analysis, or improve the performance of their networks. Network sniffers work in a network segment that is not switched, such as segments connected through a hub. In this way, the sniffer can see all traffic on that segment.

Older sniffers read packet headers of the network traffic and focused on identifying low-level packet characteristics such as source and destination address. However, current sniffers can decode data from packets across all layers of the OSI model.

Attackers can use sniffers to view user information and passwords from packets across public or private networks. By using sniffers, attackers can obtain valuable information about user names and passwords in particular from applications such as FTP, telnet, and others that send passwords in the clear. Protocols for remote access to e-mail such as IMAP, POP3, and POP2 use simple user name and password authentication techniques and are especially susceptible to sniffer attacks.

Since users tend to reuse passwords across multiple applications and platforms, attackers can use the acquired information to obtain access to various resources on the network, where their confidentiality could be compromised. Moreover, these resources could also be used as launch pads for other attacks.


In general, attackers can use network sniffers by compromising the physical security of the corporation—say, walking into the office and plugging a laptop into the network. With the growing use of wireless networks, someone in the parking lot with a wireless device can access the enterprise's local network. Gaining access to the core packet network enables the attacker to determine configurations and modes of operation for further exploitation.

Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing their service. DoS attacks are easy to implement and can cause significant damage, disrupting the operation of the enterprise and effectively disconnecting it from the rest of the world.

DoS attacks can take various forms and target a variety of services. DoS attacks focus on exhausting network, server, host, and application resources and on disrupting network connectivity. For example, the SYN flooding attack uses bogus half-open TCP connection requests that exhaust memory capacity of the targeted resource. These types of attacks can prevent legitimate users from accessing hosts, Web applications, and other network resources. Distributed DoS attacks use the resources of more than one machine to launch synchronized DoS attacks on a resource.

DoS attacks exploit weaknesses in the architecture of the system that is under attack. In some cases, they exploit the weakness of many common Internet protocols, such as the Internet Control Message Protocol (ICMP). For example, some DoS attacks send a large number of ICMP echo (ping) packets to an IP broadcast address. The packets use a spoofed IP address of a potential target. The replies coming back to the target can cripple it. These types of attacks are called Smurf attacks. Another form of attack uses UDP packets but works on the same concept.
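The two DoS patterns just described, SYN flooding (many half-open connection requests) and Smurf amplification (ICMP echo requests to a directed broadcast address), are both visible in a packet summary. The following detector is an added example, not code from the white paper or from Nortel Networks; the packet records are constructed for illustration, and the record fields (src, dst, proto, flags, type) and the thresholds are assumptions for a generic capture summary.

```python
"""Flag SYN-flood sources and broadcast pings in constructed packet records.

Added example (not from the white paper). Record layout and thresholds are
assumptions for a generic capture summary.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: one dict per packet summary.
SAMPLE_PACKETS = [
    # Normal handshake from 10.0.0.5: its SYN is followed by an ACK.
    {"src": "10.0.0.5", "dst": "10.0.1.10", "proto": "tcp", "flags": "S"},
    {"src": "10.0.0.5", "dst": "10.0.1.10", "proto": "tcp", "flags": "A"},
    # 10.0.0.99 sends many SYNs and never completes: the half-open flood pattern.
    *[{"src": "10.0.0.99", "dst": "10.0.1.10", "proto": "tcp", "flags": "S"}
      for _ in range(20)],
    # ICMP echo requests (type 8) aimed at the directed broadcast of 10.0.1.0/24
    # with a source outside the site: the Smurf amplification pattern.
    *[{"src": "192.0.2.7", "dst": "10.0.1.255", "proto": "icmp", "type": 8}
      for _ in range(5)],
    # Ordinary ping to a single host.
    {"src": "10.0.0.5", "dst": "10.0.1.10", "proto": "icmp", "type": 8},
]


def find_syn_flood_sources(packets, min_syns=10, max_ack_ratio=0.1):
    """Return sources with many TCP SYNs and almost no ACKs.

    A legitimate client follows its SYN with an ACK (third step of the
    handshake); a flood source leaves its connections half-open.
    """
    syn = defaultdict(int)
    ack = defaultdict(int)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        if "S" in p["flags"] and "A" not in p["flags"]:
            syn[p["src"]] += 1
        elif "A" in p["flags"]:
            ack[p["src"]] += 1
    return sorted(
        src for src, n in syn.items()
        if n >= min_syns and ack[src] / n <= max_ack_ratio
    )


def find_broadcast_pings(packets, networks):
    """Return (src, dst) pairs for ICMP echo requests sent to the directed
    broadcast address of any of the given networks."""
    nets = [ipaddress.ip_network(n) for n in networks]
    hits = set()
    for p in packets:
        if p["proto"] != "icmp" or p.get("type") != 8:
            continue
        dst = ipaddress.ip_address(p["dst"])
        if any(dst == n.broadcast_address for n in nets):
            hits.add((p["src"], p["dst"]))
    return sorted(hits)


if __name__ == "__main__":
    print("SYN flood sources:", find_syn_flood_sources(SAMPLE_PACKETS))
    print("Broadcast pings:", find_broadcast_pings(SAMPLE_PACKETS, ["10.0.1.0/24"]))
```

The SYN check works on the ratio rather than the raw count so that a busy but honest client is not flagged. A broadcast-ping hit is worth acting on at the router (refusing to forward packets to directed broadcast addresses) as well as at the host, since the amplification happens on the network segment, not on the spoofed victim.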

Bucket brigade attacks are also known as “man-in-the-middle” attacks. In this kind of assault the attacker intercepts messages in a public key exchange between a server and a client. The attacker retransmits the messages, substituting their public key for the requested one. The original parties will think that they are communicating with each other. The attacker may just have access to the messages or may modify them. Network sniffers can be used to launch such attacks.

Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights, such as these:

• Deliberately placed by system developers to allow quick access during development and not turned off upon delivery

• Placed by employees to facilitate performance of their duties

• Part of standard operating system installs that have not been eliminated by “OS hardening,” such as retaining default user logon ID and password combinations

• Placed by disgruntled employees to allow access after termination

• Created by the execution of malicious code, such as viruses

Masquerading or elevation of privilege enables a hacker to pose as a valid administrator or engineer to access the network. Masquerading as a user with administrative privileges, the intruder can modify accounts, configuration data, network signaling, and billing and usage data.

Eavesdropping takes advantage of the “promiscuous mode” of off-the-shelf Ethernet adaptors that are sold in the market. This mode enables an attacker to capture every packet on the network to listen and record data communications on the enterprise LAN. There are plenty of free network sniffers on the Web today that an attacker can use for eavesdropping. Eavesdropping is an insidious problem because it is difficult to detect.


Appendix B. Application and network level threats

Application threats

Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources. For example, since Web hosts are accessible by the public at known port addresses specified by protocols (such as port 80 for HTTP traffic), hackers can use this knowledge to launch attacks that can bypass firewalls.

Improper configuration and authorization can lead to security holes. For example, a Web server host should freely distribute Web pages but restrict shell command access to authorized administrators as specified in the security policy.

Account harvesting targets the authentication process when an application requests the user’s logon ID and password. Applications that generate different error messages for wrong user logon ID and wrong password are vulnerable to this type of attack. Based on the type of error message, an intruder can customize an attack that first determines a valid user logon ID and then uses other forms of password cracking techniques to get the password.

Application-layer attacks can be based on viruses, worms, buffer overflow, and password harvesting among others. Some application-layer attacks are aimed at just dismantling the Web site. Other attacks poison a Web site’s cookies to gain illegitimate information about a particular server. Applications in general do not check the validity of cookies and can fall victim to malicious code hidden in the cookies. Known vulnerabilities in current Web browsers allow such cookies-based attacks.

An attacker may also use cross-site scripting technique to insert malicious code in the form of a script tag that is added to a URL and executed when an unsuspecting user clicks on the URL. SSL can solve some of these application-layer security problems but doesn’t fully protect Web applications. Attacks such as account harvesting and password cracking can still be launched even if SSL is used.
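The account-harvesting weakness (distinct error messages for unknown user versus wrong password) and the reflected script-tag problem are both fixed in application code rather than by SSL, which matches the paper's point that SSL alone does not protect the application layer. The following is an added example, not code from the white paper or from Nortel Networks: a leaky login check beside a uniform one, and an HTML-escaped reflection of a URL parameter. The user store, credentials, messages and form snippet are constructed for illustration, and the PBKDF2 parameters are assumptions.

```python
"""Uniform authentication failures and output encoding (added example).

The user store and messages below are constructed; PBKDF2 iteration count is
an assumption, not a recommendation from the paper.
"""
import hashlib
import hmac
import html
import os


def _derive_key(password: str, salt: bytes) -> bytes:
    # Constructed parameters: PBKDF2-HMAC-SHA256, 100k iterations.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, derived key).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive_key("correct horse", _SALT))}

# Dummy credential so that an unknown user costs the same work as a known one;
# otherwise response time would reveal which logon IDs exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _derive_key("placeholder-not-a-real-password", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Vulnerable form: the message tells the caller whether the ID exists."""
    if username not in USERS:
        return False, "unknown user"
    salt, key = USERS[username]
    if not hmac.compare_digest(_derive_key(password, salt), key):
        return False, "wrong password"
    return True, "ok"


def login_uniform(username: str, password: str):
    """Hardened form: same message and same amount of work for every failure."""
    salt, key = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    # compare_digest runs in constant time with respect to the key contents.
    matched = hmac.compare_digest(_derive_key(password, salt), key)
    ok = matched and username in USERS
    return ok, ("ok" if ok else "invalid username or password")


def render_login_field(username_param: str) -> str:
    """Reflect a URL parameter into the login form with HTML escaping, so a
    script tag smuggled into the URL is rendered as text, not executed."""
    safe = html.escape(username_param, quote=True)
    return f'<input name="user" value="{safe}">'


if __name__ == "__main__":
    print(login_leaky("bob", "x"), login_leaky("alice", "x"))
    print(login_uniform("bob", "x"), login_uniform("alice", "x"))
    print(render_login_field('<script>alert(1)</script>'))
```

The uniform variant does two things the leaky one does not: it returns one message for both failure cases, and it performs the password derivation even for an unknown user, so neither the text nor the timing of the response separates valid logon IDs from invalid ones. The escaping in the last function is the standard mitigation for the reflected script-tag case: every untrusted value placed into HTML is encoded for the context it lands in.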

Network threats

Internet-connected enterprises expose their network infrastructure to serious security threats such as sabotage, vandalism, bad system configuration, denial of service (DoS), snooping, industrial espionage, and theft of service. Attacks may be launched from inside the network by insiders and also from external sources such as hackers.

Recent developments in hacker technology—such as mobile terminal-based port scanners—demonstrate that attacks on network infrastructure can originate from the mobile terminal as well. How do you protect switches, routers, access points, remote access servers, wireless access points, hosts, and other resources from these threats?

The typical IP packet infrastructure demonstrates a wide array of vulnerabilities:

• It commonly uses protocols with known security vulnerabilities, such as ICMP, TELNET, SNMPv1 and v2, DHCP, TFTP, RIPv1, NTP, DNS, and HTTP. Other common protocols (e.g., FTP, IMAP, SMTP) may also have vulnerabilities.

• It uses weak, locally managed, static passwords based on short, common dictionary words that are easy to guess. Some administrators may use one password across network elements, which may be shared and would be known by all administrators.

• It leaves security information unprotected—for instance—by not encrypting password files, improperly setting firewall rules, or using weak encryption methods for transmitting passwords.

• It supports unauthenticated software loads and configuration files that are intentionally or maliciously incorrect, resulting in erroneous device configurations, poor performance, loss of service, and open invitations for Trojan horses or other malicious code.

• It uses “non-hardened” network elements and operating systems that still use factory default settings, which may run unnecessary services and have default accounts and passwords still enabled.

• It unnecessarily exposes management ports and interfaces to the public network, or allows unauthorized management actions over dial-up, ISDN, or other connections.
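Several of the weaknesses in the list above (default SNMP communities, cleartext Telnet and HTTP management, dictionary-word passwords, factory defaults left in place, directed broadcast forwarding) are visible in a device's running configuration and can be checked mechanically. The audit script below is an added example, not code from the white paper or from Nortel Networks, and the two configuration fragments are constructed in an IOS-style syntax purely for illustration; the check list, the hardened values and the hash placeholder are assumptions, not vendor guidance.

```python
"""Audit a constructed IOS-style configuration for the weaknesses listed above.

Added example (not from the white paper). Config syntax, check patterns and
hardened values are assumptions for illustration.
"""
import re

# Constructed fragment showing the weak settings side by side.
WEAK_CONFIG = """\
hostname edge-router
enable password cisco
snmp-server community public RO
snmp-server community private RW
ip http server
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
line vty 0 4
 password cisco
 transport input telnet
"""

# Constructed hardened counterpart: hashed enable secret, non-default SNMP
# community restricted by access list, HTTPS-only and SSH-only management,
# directed broadcast forwarding off, local login on the terminal lines.
HARDENED_CONFIG = """\
hostname edge-router
service password-encryption
enable secret 5 <hash-placeholder>
snmp-server community Ro-Community-Placeholder RO 10
ip http secure-server
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
line vty 0 4
 login local
 transport input ssh
"""

# (finding label, line pattern). Patterns are anchored so that "no ip
# directed-broadcast" and "ip http secure-server" are not false positives.
CHECKS = [
    ("default SNMP community", re.compile(r"^snmp-server community (public|private)\b")),
    ("enable password stored reversibly (use enable secret)", re.compile(r"^enable password\b")),
    ("cleartext Telnet management", re.compile(r"^\s*transport input .*\btelnet\b")),
    ("unencrypted HTTP management", re.compile(r"^ip http server\b")),
    ("directed broadcast forwarding enabled (Smurf amplifier)", re.compile(r"^\s*ip directed-broadcast\b")),
    ("dictionary-word line password", re.compile(r"^\s*password (cisco|admin|password)\b")),
]


def audit_config(text: str):
    """Return a list of (line number, finding, offending line) tuples.

    Line number 0 marks a global setting that is missing rather than a bad line.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in CHECKS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    if "service password-encryption" not in text:
        findings.append((0, "service password-encryption missing", ""))
    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print(finding)
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

Run against the weak fragment the audit reports eight findings and against the hardened one none. A line-oriented regex audit like this is deliberately simple; its value is that it runs on every configuration pulled from a device, so a setting that was hardened once and later reverted is caught on the next pull rather than on the next incident.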


Nortel Networks is an industry leader and innovator focused on transforming how the world communicates and exchanges information. The company is supplying its service provider and enterprise customers with communications technology and infrastructure to enable value-added IP data, voice and multimedia services spanning Metro and Enterprise Networks, Wireless Networks, and Optical Long Haul Networks. As a global company, Nortel Networks does business in more than 150 countries. More information about Nortel Networks can be found on the web at:

www.nortelnetworks.com/security

For more information, contact your Nortel Networks representative, or call 1-800-4 NORTEL or 1-800-466-7835 from anywhere in North America.

*Nortel Networks, the Nortel Networks logo, and the globemark design are trademarks of Nortel Networks. All other trademarks are the property of their owners.

Copyright © 2002 Nortel Networks. All rights reserved. Information in this document is subject to change without notice. Nortel Networks assumes no responsibility for any errors that may appear in this document.

NN102060-0902

In the United States:
Nortel Networks
35 Davis Drive
Research Triangle Park, NC 27709
USA

In Canada:
Nortel Networks
8200 Dixie Road, Suite 100
Brampton, Ontario L6T 5P6
Canada

In Caribbean and Latin America:
Nortel Networks
1500 Concorde Terrace
Sunrise, FL 33323
USA

In Europe:
Nortel Networks
Maidenhead Office Park
Westacott Way
Maidenhead, Berkshire SL6 3QH
UK

In Asia:
Nortel Networks Asia
6/F Cityplaza 4, Taikooshing
12 Taikoo Wan Road
Hong Kong