
Alcatel-Lucent Enterprise
Cloud Connect Operation Security overview

July 2017
CTO/CTSO

Reference: 8AL_22_CCO_security_overview_00505, Edition: 01


Copyright © ALE International, 2017
Infrastructure Security


• CCO data centers are located in France


• CCO data center hosting providers are ISO 27001 certified
• Security controls cover:
  • Physical access control to the infrastructure sites
  • High availability controls against physical threats and disasters
  • Continuous resource monitoring for permanent availability/resiliency of the
    infrastructure
  • Logical defense in depth against network DoS/DDoS threats
  • Perimeter protection with firewalls and a multi-tier architecture

Operations Security

Strict personnel and change control policies supported by:

• ALE organization security policy
  • Human resource security
  • Asset management
  • Access control policies / management of high-privilege accounts

• CCO operational security
  • Software change control
  • Configuration control
  • Backup / business continuity
  • Software patching / vulnerability management

Network & Communication Security
• All network interfaces secured

[Figure: network and communication security architecture; labels recovered from the diagram]
  ALE Cloud: Fleet dashboard, OXO CC connectivity server, XMPP proxy, SOCKS5 server
  Customers: OXE and OXO products, each running a CC Agent
  Business partners: BP IT infrastructure, VPN client / OMC
  Links across the Internet:
    OXE / OXO CC Agent to ALE Cloud: XMPP on WebSocket Secure (WSS); SOCKS5 with AES encryption
    Business partner to ALE Cloud: HTTPS (dashboard connectivity); SOCKS5 with AES encryption
    OXO to the business partner VPN gateway (OMC access): IPsec VPN
Communication links

• Control links
  • Outgoing secured connections from the customer product to the ALE CCO infrastructure
  • XMPP: fully secured WebSocket Secure (WSS)/TLS connection with mutual authentication
  • SOCKS5: strong payload encryption delivering end-to-end data integrity and confidentiality

• Management link (OXO only)
  • On-demand, restricted outgoing IPsec VPN connection from the customer site to the BP
    network, maintaining a fully secured OAM&P link to the customer product

Cloud Connect operation remains optional: ALE communication products can still work as standalone CPE

Customer network requirements

Low footprint on the customer's network security policy

• The ALE communication product must have an outgoing connection to the
  Internet to reach the public CCO infrastructure
• Customer network gateways and firewalls must allow outbound connections to
  the CC op infrastructure; every link described above is initiated from the
  customer side, so no inbound rule is needed
• Outgoing connections must be allowed:
  • for XMPP over WebSocket Secure (HTTPS): port 443/tcp
  • for the SOCKS5 connection: port 80/tcp (this is not HTTP traffic: the stream
    carries an AES-encrypted payload, see the SSL/TLS policy below, so an
    HTTP-inspecting proxy on that port must let it through untouched)
  • for DNS resolution: port 53/udp
• Outgoing connections for IPsec must be allowed (OXO only):
  – port 500/udp (IKE)
  – port 4500/udp (IKE / NAT traversal)
Transport Layer Security

SSL/TLS Policy

• No plain-text connection from the Internet
  • TLS enforced through WebSocket Secure (WSS)
  • Application-layer encryption with an AES-GCM cipher on the SOCKS5 connection
  • No other service is exposed on the public Internet
• TLS services are served by a dedicated network security gateway
• X.509v3 digital certificates managed within the ALE proprietary PKI
  • Minimum 2048-bit RSA key pairs with SHA-256 RSA signatures
  • Trust store management on both ends using certificate pinning
  • Manufacturer PKI with multilevel security grade on Certificate Authority protection
• SSLv2/SSLv3 disabled in favor of TLS 1.2
  • No support for deprecated/vulnerable protocol versions
  • No support for deprecated/vulnerable ciphers: no RC4, no DES/3DES, no MD5
  • Not affected by the recent DROWN and POODLE attacks (which require SSLv2 and
    SSLv3 respectively) or by Heartbleed (an OpenSSL implementation flaw rather
    than a protocol weakness)
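The policy above, as an added example that is not ALE's code: a Go program that encodes the policy in a `tls.Config` next to a deliberately weak one, checks a configuration against the policy (minimum version, RC4/3DES/MD5 and the library's own deny list, mutual authentication), and implements SPKI certificate pinning in a `VerifyPeerCertificate` callback. The self-signed RSA-2048/SHA-256 certificate generated locally stands in for a manufacturer PKI certificate; the exact pin format and cipher suite list are this example's choices, not a statement of what the ALE gateway does.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// hardenedConfig encodes the policy (TLS 1.2 minimum, AEAD suites only, mutual
// authentication); clientCAs is the trust store for the PKI that issued product certificates.
func hardenedConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCAs,
	}
}

// weakConfig is the deliberate counter-example: TLS 1.0, RC4 and 3DES offered, no client cert.
func weakConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA},
	}
}

// checkPolicy lists every departure from the policy; an empty result is a pass.
func checkPolicy(cfg *tls.Config) []string {
	var problems []string
	if cfg.MinVersion < tls.VersionTLS12 { // an unset (zero) minimum is flagged too
		problems = append(problems, "minimum protocol version below TLS 1.2")
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		bad := strings.Contains(name, "RC4") || strings.Contains(name, "3DES") || strings.Contains(name, "MD5")
		for _, s := range tls.InsecureCipherSuites() { // the library's own deny list
			bad = bad || s.ID == id
		}
		if bad {
			problems = append(problems, "forbidden cipher suite: "+name)
		}
	}
	if cfg.ClientAuth != tls.RequireAndVerifyClientCert {
		problems = append(problems, "mutual authentication not enforced")
	}
	return problems
}

// spkiPin: base64 SHA-256 of the SubjectPublicKeyInfo, stable across renewals that keep the key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinVerifier builds a tls.Config.VerifyPeerCertificate callback: the handshake is aborted
// unless the leaf certificate carries the pinned public key.
func pinVerifier(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if got := spkiPin(leaf); got != pin {
			return fmt.Errorf("peer key pin %s is not in the trust store", got)
		}
		return nil
	}
}

// selfSignedCert makes a throw-away RSA-2048/SHA-256 certificate for the demo (not a PKI cert).
func selfSignedCert() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	fmt.Println("weak config:", checkPolicy(weakConfig()))
	fmt.Println("hardened config:", checkPolicy(hardenedConfig(x509.NewCertPool())))
	good, _ := selfSignedCert()
	other, _ := selfSignedCert()
	verify := pinVerifier(spkiPin(good))
	fmt.Println("pinned certificate accepted:", verify([][]byte{good.Raw}, nil) == nil)
	fmt.Println("other certificate accepted:", verify([][]byte{other.Raw}, nil) == nil)
}
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets the PKI renew a certificate without touching every product's trust store, as long as the key pair is kept; rotating the key requires shipping the new pin first, which is the operational cost of pinning on both ends.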

Application Services Security

XMPP services

• The Cloud Connect infrastructure uses XMPP as the message exchange
  protocol between the OXE/OXO products and the CCO infrastructure:
  • Relying on a standard XMPP server implementation plus additional application
    services
• XMPP
  • Extensible message-oriented middleware platform
  • Open standard / mature
  • Flexibility
  • Security (TLS, SASL) addressed by the core protocol (RFC 6120) and dedicated XEPs
  • Support for NAT/firewall traversal
  • Proven technology (WhatsApp, UPnP Cloud…)
Application Protocol Security – XMPP

Protocol stack (top to bottom): XMPP / SASL / WebSocket / TLS / TCP

Server Authentication (Infrastructure)
• The whole stream between product and server is authenticated and encrypted with TLS
• The TLS configuration of the XMPP server follows current security standards (RFC 5246, TLS 1.2)

Client Authentication (Product)

• Supports security standards RFC 4422 (SASL) and RFC 5802 (SCRAM)
• Performed after the TLS-secured connection is established
• User authentication with the SCRAM-SHA-1 mechanism: the password itself never
  crosses the wire and the server stores only salted, derived keys
• XMPP credentials (login + password) are unique and generated server-side under strong
  password policies
• XMPP ACL enforced to prevent non-authorized IQs from being forged
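The SCRAM-SHA-1 exchange described above, as an added example that is not ALE's code: both sides of the four RFC 5802 messages, with the server holding only the salt, StoredKey and ServerKey it derived when it generated the account, never the password. The account name, password and nonces are invented; the PBKDF2 iteration count (4096) is the RFC's minimum recommendation, not a value taken from the product.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

const iterations = 4096 // RFC 5802 minimum recommendation for SCRAM-SHA-1

// serverRecord is all the server keeps: no password, only the salt and two derived keys.
// StoredKey can verify a proof but not produce one, so a leaked record cannot be replayed.
type serverRecord struct {
	salt, storedKey, serverKey []byte
}

func hmacSHA1(key, msg []byte) []byte { m := hmac.New(sha1.New, key); m.Write(msg); return m.Sum(nil) }
func sha1Sum(b []byte) []byte        { s := sha1.Sum(b); return s[:] }
func b64(b []byte) string            { return base64.StdEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.StdEncoding.DecodeString(s) }
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// hi is the RFC 5802 Hi() function: PBKDF2-HMAC-SHA1 producing one 20-byte block.
func hi(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha1.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1})
	u := mac.Sum(nil)
	result := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		result = xorBytes(result, u)
	}
	return result
}

// newServerRecord is what provisioning stores when the server generates the credentials.
func newServerRecord(password string, salt []byte) serverRecord {
	salted := hi([]byte(password), salt, iterations)
	clientKey := hmacSHA1(salted, []byte("Client Key"))
	return serverRecord{salt, sha1Sum(clientKey), hmacSHA1(salted, []byte("Server Key"))}
}

// scramExchange runs the four SCRAM-SHA-1 messages (C: product, S: XMPP server) and returns
// the transcript plus whether both sides accepted each other.
func scramExchange(user, password string, rec serverRecord, cnonce, snonce string) ([]string, bool) {
	// 1. client-first: GS2 header "n,," (no channel binding) followed by the bare message
	clientFirstBare := fmt.Sprintf("n=%s,r=%s", user, cnonce)
	// 2. server-first: combined nonce, salt and iteration count
	serverFirst := fmt.Sprintf("r=%s%s,s=%s,i=%d", cnonce, snonce, b64(rec.salt), iterations)
	transcript := []string{"C: n,," + clientFirstBare, "S: " + serverFirst}
	// 3. client-final: prove knowledge of ClientKey without sending it or the password
	salted := hi([]byte(password), rec.salt, iterations)
	clientKey := hmacSHA1(salted, []byte("Client Key"))
	withoutProof := fmt.Sprintf("c=biws,r=%s%s", cnonce, snonce) // biws = base64("n,,")
	authMessage := clientFirstBare + "," + serverFirst + "," + withoutProof
	proof := xorBytes(clientKey, hmacSHA1(sha1Sum(clientKey), []byte(authMessage)))
	clientFinal := withoutProof + ",p=" + b64(proof)
	transcript = append(transcript, "C: "+clientFinal)
	// Server: recover ClientKey from the proof; its SHA-1 must equal StoredKey
	pIdx := strings.LastIndex(clientFinal, ",p=")
	gotProof, err := unb64(clientFinal[pIdx+3:])
	if err != nil || len(gotProof) != sha1.Size {
		return append(transcript, "S: e=invalid-encoding"), false
	}
	serverAuth := clientFirstBare + "," + serverFirst + "," + clientFinal[:pIdx]
	recovered := xorBytes(gotProof, hmacSHA1(rec.storedKey, []byte(serverAuth)))
	if !hmac.Equal(sha1Sum(recovered), rec.storedKey) {
		return append(transcript, "S: e=invalid-proof"), false
	}
	// 4. server-final: the server proves it holds ServerKey (mutual authentication)
	serverFinal := "v=" + b64(hmacSHA1(rec.serverKey, []byte(serverAuth)))
	transcript = append(transcript, "S: "+serverFinal)
	// Client: verify the server signature before trusting the session
	want := "v=" + b64(hmacSHA1(hmacSHA1(salted, []byte("Server Key")), []byte(authMessage)))
	return transcript, hmac.Equal([]byte(serverFinal), []byte(want))
}

func randomText(n int) string { b := make([]byte, n); rand.Read(b); return b64(b) }

func main() {
	// Constructed demo values: account name, password and nonces are invented.
	rec := newServerRecord("Server-Generated-Passw0rd!", []byte(randomText(12)))
	for _, pw := range []string{"Server-Generated-Passw0rd!", "guess"} {
		transcript, ok := scramExchange("oxo-000123", pw, rec, randomText(18), randomText(12))
		fmt.Printf("%s\nauthenticated: %v\n\n", strings.Join(transcript, "\n"), ok)
	}
}
```

Because SCRAM binds the proof to both nonces and to the exact bytes of the first two messages, a captured transcript cannot be replayed, and because the client also checks the server's `v=` value, a server that does not hold ServerKey is detected even after TLS has already authenticated the infrastructure.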

Application Protocol Security – SOCKS5

Protocol stack (top to bottom): AES-encrypted payload / SOCKS5 / TCP

• Channel data encrypted with the AES-256-GCM cipher
• Key exchange performed within the WSS/XMPP control channel
• Key and IV (Initialization Vector) randomly set for each session
  (GCM loses both confidentiality and integrity if a nonce is ever reused under
  the same key, so each record sent within a session must still get a distinct nonce)
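The per-session AES-256-GCM channel, as an added example that is not ALE's code: a session object holding a random key and IV, a per-record nonce derived by mixing a counter into the session IV so that no nonce repeats under the key, and seal/open operations that authenticate a context label alongside the payload. The key and IV are generated locally here in place of the values the control channel would deliver; the record framing (nonce || ciphertext || tag) and the associated-data labels are this example's assumptions, as the page does not describe ALE's framing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// session is one direction of a SOCKS5 data connection after the key exchange. Key and
// IV are assumed to arrive over the XMPP/WSS control channel; here they are made locally.
type session struct {
	aead    cipher.AEAD
	iv      [12]byte // random per-session base nonce
	counter uint32   // per-record counter mixed into the nonce
}

func newSession(key, iv []byte) (*session, error) {
	if len(key) != 32 || len(iv) != 12 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key and a 12-byte IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	s := &session{aead: aead}
	copy(s.iv[:], iv)
	return s, nil
}

// nextNonce XORs the record counter into the last 32 bits of the session IV. A random IV
// per session is not enough once the session carries many records: GCM is broken by a
// single nonce repeat under one key, so the counter guarantees uniqueness and the session
// refuses to continue rather than wrap around.
func (s *session) nextNonce() ([]byte, error) {
	if s.counter == ^uint32(0) {
		return nil, errors.New("record counter exhausted: renegotiate the session key")
	}
	n := s.iv
	binary.BigEndian.PutUint32(n[8:], binary.BigEndian.Uint32(s.iv[8:])^s.counter)
	s.counter++
	return n[:], nil
}

// seal returns nonce || ciphertext || tag. aad (e.g. a direction and sequence label) is
// authenticated but not encrypted, binding the record to its context.
func (s *session) seal(plaintext, aad []byte) ([]byte, error) {
	nonce, err := s.nextNonce()
	if err != nil {
		return nil, err
	}
	return s.aead.Seal(append([]byte(nil), nonce...), nonce, plaintext, aad), nil
}

// open verifies the tag before returning any plaintext; any change to the nonce,
// ciphertext, tag or aad fails here with no partial output.
func (s *session) open(record, aad []byte) ([]byte, error) {
	if len(record) < 12+s.aead.Overhead() {
		return nil, errors.New("record too short")
	}
	return s.aead.Open(nil, record[:12], record[12:], aad)
}

func main() {
	key, iv := make([]byte, 32), make([]byte, 12)
	rand.Read(key) // stands in for the key delivered over the control channel
	rand.Read(iv)
	tx, _ := newSession(key, iv)
	rx, _ := newSession(key, iv)
	rec, _ := tx.seal([]byte("CONNECT 192.0.2.10:443"), []byte("c2s:0")) // constructed payload
	pt, err := rx.open(rec, []byte("c2s:0"))
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	rec[len(rec)-1] ^= 0x01 // flip one bit of the tag
	_, err = rx.open(rec, []byte("c2s:0"))
	fmt.Println("tampered record rejected:", err != nil)
}
```

The receiving side never needs the counter: the nonce travels with the record and the tag check rejects anything that was altered or moved to another context. What the receiver cannot detect on its own is a replay of an intact record, which is why the associated data carries a sequence number the application must track.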

Application Protocol Security – Web Services

• HTTPS-based connections secure all web applications:
  • Fleet Dashboard
  • OXO CC Connectivity
• User authentication on the ALE Business Store
• User profile and role-based access control to monitor and manage CCO systems

Application Protocol Security – IPsec VPN (OXO only)

• Cloud Connect Operations provides remote connection capabilities with an IPsec VPN through OXO CC
  Connectivity
• The VPN creation request is initiated by the OXO, which triggers an IKE negotiation with the VPN
  gateway
• The VPN is based on the IPsec protocol in tunnel mode
• Support of IKEv1 and IKEv2 (IKEv2 recommended)
• VPN gateway located on the Business Partner premises
• Supported gateways, tested with OXO:
  • FORTINET FortiGate 60D
  • FortiGate Virtual Appliance
• Documentation available with OXO Connect 2.1: 8AL91215ENAA, VPN server reference design for OXO
  Connect

IPsec VPN parameters security (OXO only)

• Securing IPsec parameter storage
  • Secure storage: encrypted storage in the Cloud Connect Operation infrastructure
  • Secure profile sharing: export/import functions allow VPN profile parameters to be reused
    by the OXO connectivity user without disclosing the parameter values

• Securing IPsec parameter transfer
  • All data transfers rely on the TLS-secured CCO architecture

Acronyms
• AES: Advanced Encryption Standard
• CCO: Cloud Connect Operation
• DoS/DDoS: Denial of Service / Distributed Denial of Service attacks
• GCM: Galois/Counter Mode
• HTTPS: HyperText Transfer Protocol Secure, i.e. HTTP over TLS
• IKE: Internet Key Exchange
• IQ stanza: Info/Query stanza
• NAT: Network Address Translation
• OAM&P: Operations, Administration, Maintenance & Provisioning
• OMC: OmniPCX Office Management Console
• OXE: OmniPCX Enterprise
• OXO: OmniPCX Office
• PKI: Public Key Infrastructure
• SASL: Simple Authentication and Security Layer
• SCRAM: Salted Challenge Response Authentication Mechanism
• SHA: Secure Hash Algorithm
• SOCKS5: Socket Secure, version 5
• TLS: Transport Layer Security
• VPN: Virtual Private Network
• WSS: WebSocket Secure
• XEP: XMPP Extension Protocol
• XMPP: Extensible Messaging and Presence Protocol
• XMPP ACL: XMPP access control list
