T
aking a layered defense approach to security as outlined in the Nortel Networks Unified Security Framework, Nortel Networks offers enterprise customers ‘a world of choice’ of security options to implement the solutions that make the most sense for their own unique networks.Overview
Today’s enterprises are enjoying the many benefits of greater communications with fewer boundaries between them and their business partners, customers, and remote employees. These many benefits outweigh the various risks of doing business on public networks, yet enterprises must still make the right business decisions to appropriately protect their corporate assets—sensitive corporate information (payroll, research and development, etc.) and their customers’ privacy. With their increasing business on public networks, enterprises are unfortunately more likely to be victim to the risks associated with these public networks—most frequently worms, blended threats, and software vulnerabilities. A combination of choosing the right security solutions and putting the appropriate processes in place will help enterprises face these challenges directly and continue to enjoy the many benefits of Business without Boundaries. Ultimately, a solid approach to network security not only ensures security of your network, but your overall network reliability, resiliency, and business continuity.
Nortel Networks layered defense
Securing the network perimeter and prohibiting unauthorized access from within can prove to be a daunting challenge. Today’s businesses must guarantee uninterrupted access to network resources. Products must be designed in their DNA to offer a high level of resiliency and security even under attack. Concepts such as redundant power, data, and control planes are not optional any more. Accordingly,
customers can no longer afford down-time to perform network maintenance. Network products have to be designed to allow plug-and-play operations of physical components as well as new protocols and applications. Evolution of the enterprise and the way it does busi-ness, coupled with today’s network threats, has reduced the effectiveness of traditional perimeter security. Nortel Networks has devised a new paradigm for enterprise network security which recognizes the need for flexible and extensible security with low management over-head. This paper describes Nortel Networks layered defense approach to network security based on the Unified Security Framework model1(Figure 1). This comprehensive
approach encompasses the endpoint devices, switches, gateways, wired and wireless connections, tunneled, and non-tunneled traffic. It is complemented by existing anti-virus, intrusion detection, and personal firewall services from best of breed vendors. With this open, vendor partner-neutral, standards-based approach, Nortel Networks security solutions provide security for the entire enterprise network—remote and resident network users, wired and wireless connections.
Position Paper
Layered network
security defense
Unified
Security
Framework
Network survivability under attack Security for operations,administration, and management
Variable depth security Security for converged
communications Continuous security policy management
Authentication/ authorization Figure 1. Unified Security Framework
protecting
the
Protecting against today’s threats
In 2003, Denial of Service (DoS) attacks against North American companies reporting such attacks accounted for over $65 million in corporate losses (CSI/FBI Survey, 2003). Another costly threat to networks today is that of malicious code—primarily viruses, worms, and Trojan horses. These threats can result in many hours of downtime for staff, network resources, and those dependent upon them. Viruses alone accounted for $27 million in corporate losses in 2003 (CSI/FBI Survey, 2003), within North America, while merely one worm— the Slammer worm—is estimated to have cost enterprises $1.25B (Computer Economics, Inc.).
In the near future, the most likely threats to corporate networks continue to be Denial of Service attacks and worms. The increasing sophistication of these worms—with payloads that could include Trojan horses which lie dormant and later use victim machines to launch other attacks, become massive spam relays or other damaging actions—and the speed at which they are propagated are of greatest concern. The speed with which exploits to known vulnerabilities are released is increasing. Today, the usual event chain is vulnerability announce-ment, vendor-issued patch (or anti-virus vendor-issued update), company installs patch (or update), and by the time exploit is readily available or trafficking across the Internet, most enterprise systems have the chance to defend themselves. In the likely scenarios of the near-term future, an otherwise unknown vulnerability will have exploit code readily available on the Internet before the vendor may even be aware of the vulnerability—much less has the time to issue a patch, and the enterprise has time to install it. This is why it is absolutely critical to plan a layered defense approach to network security to mitigate as much damage as possible from these threats in the event you must wait days or even a month for a patch.
The avenues for such threats may come from new applications on corporate networks, specifically given the growth in Instant Messaging and Peer-to-Peer networks for file sharing of music. And in addition to monitoring these applications for threats to the network, ensuring against liability for copyright infringement in Peer-to-Peer networks is a new and growing concern.
Figure 2. Layered Defense approach
Network security solutions
For protection against many of these contemporary vulnerabilities, multiple layers of defense are necessary—from the
remote endpoints, to the network perimeter, to the department perimeter
down to the core internal switching and desktops (Figure 2). Filters for signatures and keywords common to the attacks, stateful firewall inspection of known protocols, and anti-virus and intrusion protection software are also necessary components. According to Gartner, “Enterprises that rely only on proxy or stateful packet inspection will experience successful application-layer attacks at twice the rate of enterprises that use leading deep-packet-inspection approaches.”2
Nortel Networks layered defense approach, announced in September 2002 as the
Unified Security Framework, provides a number of security technology and process options to effectively secure against today’s network threats. This paper moves beyond the architecture of the Unified Security Framework to explain specific technology and product solutions within Nortel Networks Enterprise portfolio which can enable an enterprise layered defense strategy. With solutions based on the Nortel Networks philosophy—Security in the DNA—leveraging security products, product security, and Nortel Networks best practices, customers can pick and choose which Nortel Networks products they want to leverage in a heterogeneous network environment. The beauty of the open framework is that customers can pick and choose which products and solutions they want to leverage and presumes a multi-vendor network environment. Based on open, vendor partner-neutral, standards-based solutions, this approach covers the network end-to-end.
Blocking threats at the end-user: endpoint security
As employees, business partners, and customers make more use of the enterprise network to meet their business and retail objectives, enterprises need more control of the endpoints. Because so many threats are from internal users on the network, this must include the endpoints within the corporate network as well as those at remote endpoints, where there is less control over the user’s device.
802.1x and device authentication
To protect the network from threats from inside the network, Nortel Networks portfolio of Ethernet-based edge switches support the 802.1x standard to separate user authentication from device authentication. The BayStack* and Passport* 8600 switches can require that end-users securely log into the network before being given access to any of its resources (Figure 3). Nortel Networks Wireless Local Area Network (WLAN) Access Points and Access Ports support 802.1x, Wi-Fi Protected Access (WPA), and MAC-based authentication to ensure only designated users and devices are permitted on the enterprise network through the WLAN. BayStack and Passport switches also support Media Access Control (MAC) address filtering as an added form of access control.
Wireless Local Area Network (WLAN)-specific protections
Nortel Networks WLAN 2200 Series provides for a number of additional security steps to ensure security from the wireless segment of your network.3The Access Points (APs) are the first layer of security as they provide multiple security standards and filters. Besides several
Extensible Authentication Protocol (EAP) implementations of 802.1X, Nortel Networks APs offer the latest security standard Wi-Fi Protected Access (WPA), a subset of the current 802.11i draft4. Filters ensure that only legitimate users connect to the AP even for local
communication bridge and prevent users from changing the configuration of the AP to which they are connected. Access rights can be
Optional Check anti-virus, personal firewall definitions, patches Yes No Remediation VLAN Validate users with 802.1x 802.1x (in OS) Desktop
Figure 3. Wired or wireless: inside network
2
Gartner Predicts 2004: Security and Privacy, 20 November 2003
3
defined in a very granular way (different groups of users such as visitors and employees, and different profiles within the same group such as employees in different departments). Nortel Networks APs also provide a ‘closed system’ mechanism to prevent unauthorized users from attaching to the network by preventing the broadcast of the SSID. A second security layer, the WLAN Security Switch, provides VPN encryption and firewall along with the capability to not only detect unauthorized or ‘rogue’ Access Points, but also prevents users from connecting to them, and locating unauthorized APs within a 10-meter perimeter.
Tunnel Guard and LAN Enforcer
In environments where there is less control over where and how the end-user device is used, particularly users who use their own personal e-mail systems, Instant Messaging, and Peer-to-Peer file sharing, processes to check for viruses and other threats once the device re-connects to the corporate environment are even more critical than ever before. This protects the corporation from uneducated users such as mobile employees and business partners who may not be aware of the extent of such threats. Such protective processes include status checks as part of the external VPN or internal authentication process. This enforcement mechanism checks for the latest anti-virus, fire-wall definitions, or software patches before users are permitted authorized access to the network. Using the Tunnel Guard feature—Nortel Networks VPN solutions, based on open APIs, a user’s platform can be tested and either accepted or rejected from the VPN connection to the corporate network. Many Nortel Networks partners offering these services have taken advantage of the open API, available to all soft-ware vendors, to provide automatic pushes of their definitions to VPN users.
For protecting internal devices connecting to the network, Nortel Networks LAN Enforcer enables the BayStack and Passport portfolios to use 802.1x to check that someone connecting inside the corporate network is in fact a legitimate user. They go one step further to interoperate with third-party vendor solutions to check the endpoint security posture—virus and firewall definitions. Non-compliant systems authenticating to the switches may be placed in a remediation VLAN, updates can be pushed to the internal user’s device, and users can then subsequently re-attempt to join the network.
User-based provisioning
User-based networking takes one step beyond the 802.1x/EAP authentication into the network. It ensures that users have access to only those services authorized and marries that authorization to individual user-based security policies based on individuals, departmental, or corporate policies. Nortel Networks Optivity* Policy Services (OPS) supports 802.1x authentication against RADIUS and other authenti-cation, authorization, and accounting (AAA) repositories to authenticate the user, grant access to specific applications, and provide real-time policy-provisioning capabilities across Nortel Networks devices on the network to mitigate the swift penetration of a virus or worm.
Protecting the perimeter
Nortel Networks provides a number of options for protecting the perimeter—be it the internal perimeter around departments, secure voice zones to protect IP Telephony call servers, or at the external edge of the corporate network.
Firewalls
Firewall technologies have advanced from traditional packet filters to more sophisticated, state-aware, packet filtering firewalls. Today’s next-generation firewalls, such as Nortel Networks Alteon* Switched Firewall (ASF), can perform deep-packet inspection to thwart the growing threat from attacks that directly target applications and data within the packet payload. Deep-packet inspection, Layer 4-7 content filtering, and DoS protection within the Accelerator OS of the Alteon Switched Firewall, along with the ASF’s Layer 2-7 security provided by the Check Point NG Application Intelligence engine, provide multiple layers of multi-gigabit throughput protection at the perimeter. For additional perimeter protection, the ASF can load balance multiple groups of IDS servers. The integration of Nortel Networks switch-accelerated platform with Check Point Next Generation software and Secure XL™ acceleration technology provides perimeter protection without relinquishing application performance, incorporating deep packet inspection with a Denial of Service signa-ture database which identifies the most popular attacks: Teardrop, Smurf, Ping of Death, SQL Slammer, LAND, etc.5
Contivity* Secure IP Services Gateways include Nortel Networks ICSA-certified stateful inspection firewall which provides gateway and branch office firewall protections. This ensures that encrypted traffic is also firewall-inspected. Firewall user authentication goes one step further to provide protections for both tunneled and non-tunneled traffic entering the enterprise—authenticating the user but also deter-mining resources to which they have access.
Nortel Networks WLAN Security Switches also firewall WLAN traffic while also detecting and isolating unauthorized Access Points which may be attached to the network.
5
Alteon Switched Firewall Product Brief
Intelligent traffic management and switch protections
Application Switches can afford similar protections on the network through Denial of Service/virus signature attack recognition, filtering of signatures in the data traffic associated with known threats, and Peer-to-Peer application monitoring, policing, and blocking. The Application Switches allow support for thousands of filters, delayed binding which acts as a proxy to the web servers until TCP packets are ensured against SYN floods, and can offer the aforementioned signature-based protections6(Figure 4).
To mitigate the risks from Instant Messaging and Peer-to-Peer networks and the copyright concerns from the latter, enterprises do have a choice: to either minimize the use of such applications or deny their use altogether. Nortel Networks Alteon Application Switches offer Peer-to-Peer application filtering to provide network administrators control for this traffic. Although these applications use dynamic port allocations, the deep packet inspection of the switch can identify the traffic content and completely block it, rate limit, or shape it. In many cases, malicious attacks from employees who have been authenticated are a threat; therefore the application switch can be the last line of defense for the application servers. The switch protects the application availability in case a DoS attack hits a server.
To protect against application abuse—again by legitimate, authenticated users—and its impact to the reliability of the network, the Application Switches can serve yet another function. If a user initiates sessions above a predefined limit, the user can be placed in a penalty box and restricted access to that application for a predefined time and only once the session level drops below the limit. These types of post-authentication quarantines are an effective mechanism in a layered approach to security. Ultimately, for reliability, resiliency and business continuity, real-time deep packet inspection to mitigate many of today’s threats is best done by switch-based archi-tectures such as those from Nortel Networks.
Protecting information in transit—VPNs and Virtual Local Area Networks (VLANs)
Protecting the communications from remote users is another important element of the layered security approach. Enterprises have several options from the Nortel Networks portfolio to secure their traffic leaving or arriving at the enterprise. This offering of multiple method-ologies affords our customers a business without boundaries using the solutions that most suit their corporate needs. Coupled with the endpoint protections mentioned earlier, VPN and VLAN users’ devices are also checked before joining the network.
While IPSec provides cryptographic protection at the network layer (OSI Layer 3), web traffic uses Secure Sockets Layer (SSL) to secure commu-nications at the transport layer (Layer 4). Nortel Networks was the first vendor to offer support for both VPN technologies in a single platform. • Supporting up to 5,000 tunnels, Contivity Security IP Services Gateways are Nortel Networks award-winning, market-leading IPSec
VPN platforms for the smallest small office/home office (SOHO) to large enterprises which use Contivity for tunnels between head-quarters and branch offices. Expanding on the breadth of its capabilities, Nortel Networks has recently added SSL VPN support to the Contivity VPN portfolio.
Figure 4. Protect against DoS attacks and threats in Peer-to-Peer networking
• SSL VPNs are offered through the VPN Gateway 3050 with added endpoint protections such as automatic timeout for walkaway situa-tions at kiosks, and dynamic access policies to limit application access based on the employee’s location.
• SSL VPN support is also available on the Alteon Application Switch 2424-SSL which, in combination with its additional security protections, affords Layer 2-7 support.
• To secure the wireless LAN communications, the WLAN Security Switches provide PPTP, SSL, and IPSec tunneling, and support seamless secure roaming across IP subnets while maintaining the VPN tunnels. The APs offer separate VLANs to isolate traffic. Over the air SSIDs can be associated to VLANs and separate wireless traffic flows.
• SSL acceleration offload is provided in standalone platforms, such as the Nortel Networks VPN Gateway 3050, offering SSL VPN as well as through an optional SSL acceleration blade on the Passport 8600.
• Up to 50,000 IPSec tunnels are supported for large enterprises or VPN service providers on the Shasta 5000 Broadband Service Node (BSN) platform.
Virtual Local Area Networking (VLANs), to provide for isolation and separation of network traffic, are supported in many Nortel Networks products, including the BayStacks, Passports, and Wireless Access Points.
• For example, the internal architecture of the Passport 8600 allows users to build “secure” VLANs. When port-based VLANs are config-ured, each VLAN is completely separate from the others (broadcast domain). Its unique hardware architecture (distributed ASICs with local decision) analyzes each packet independently of the preceding ones. This approach allows complete traffic isolation. Allowing the user to discard untagged traffic on tagged ports or tagged traffic on untagged ports guarantees that this traffic is completely discarded— even if a tagged port receives traffic with a VLAN ID that identifies a VLAN from another “customer” configured on the box.
• BayStack switches provide policies which can direct application-specific (the IP Telephony) traffic to the firewall, and separate it from the data traffic through the network. The switches can do this while also providing the QoS necessary for delay-sensitive traffic, such as voice, to ensure the highest priority on the network.
IP filters and access control lists (ACLs) can of course be used as additional granular enforcement tools to protect against unauthorized access.
Ensuring network high availability
As part of the layered approach to security, the solutions an enterprise chooses must also be based on their reliability to ensure the highest level of uptime. Throughout its history, Nortel Networks has been designing products with the highest reliability for carrier environments. With this heritage providing resilient, 5 9’s reliability, Nortel Networks brings high availability and reliability to the full suite of enterprise products, including call servers, Layer 2-7 switching, VPNs, firewalls, and server applications. Some examples of this reliability include: • Specialized Virtual Router Redundancy Protocol (VRRP) in the Alteon suite of Application Switches to add redundancy and provide load balancing to critical network resources such as intrusion detection systems, anti-virus products, and any number of server functions. • Active-Active high availability allows automatic failover in the Alteon Switched Firewall to other firewalls in the security cluster.
Discrete Accelerator and Director (firewall) failover eliminates single points of failure in the network. Sophisticated persistence support helps ensure that high priority transactions, such as eCommerce, maintain state so businesses don’t lose one sale.
• Full redundancy in Contivity Secure IP Services Gateways from hot swappable components, mirrored disk drives, dual CPUs and power supplies, automated off-system storage of images and configurations, and protocols such as VRRP, RIP/OSPF, and ECMP. The gateways are frequently used with the Alteon suite of switches to deliver VPN redundancy in a network through load balancing and mirroring of VPN functions.
• Split Multi-Link Trunking (SMLT) (or Link Aggregation/802.3ad) and Distributed Multi-Link Trunking technologies that provide real-time protection against link, component, switch, and protocol failure in the BayStack Layer 2 and Passport 8xxx Layer 3 switches have been independently tested with <1 second failover. The Passport 8600 is the first Layer 2-7 switch in the industry with software and hardware designed specifically for the rigorous scalability and high-reliability requirements of enterprises and service providers.
• Power over Ethernet in Nortel Networks WLAN solutions ensures that all Nortel Networks WLAN APs can be directly connected to Ethernet switches for power. In addition to maintenance cost savings, in case of electrical outage, the WLAN connection can use the back-up power of the Ethernet switches, thus maintaining service.
• WLAN dual firmware images provide built-in redundancy for increased network availability. Should an Access Point experience an issue with the primary image, it will automatically switch to the secondary image and continue operations.
• Fast recovery and switchover support capabilities for Switch Fabric Card (SFC) failure and hot swapping for all line cards in the Shasta 5000 Broadband Service Node (BSN).
Core network security: Security in the DNA
A key aspect of the layered defense approach is to leverage the security that is part of the core products themselves. Nortel Networks Security in the DNA philosophy means that security is not only in Nortel Networks security products and those that enable security, part-nering with best-of-breed security partners for a layered approach to security, but also building security into the core networking products for IP Telephony, WLANs, switching, network management, and many other core enterprise products. Examples of the Security in the DNA principle include:
• Stateful firewall inspection and IPSec VPN tunneling for IP Telephony traffic in Nortel Networks Business Communications Manager • Hardened operating systems, multiple layers of access controls, and other security options for call services in Nortel Networks
Succession portfolio of IP Telephony products
• Access control mechanisms, Windows access controls interoperability, voice recognition for authentication, and password protections in Nortel Networks Contact Centers and Self-Service Solutions
• Security of management traffic as a key dictate for enterprise products, including secure shell (SSH), SNMPv3, and SSL
Also part of the Security in the DNA philosophy, Nortel Networks practices its own security best practices behind-the-scenes to ensure security is a priority for the industry. Our security best practices mean incorporating vulnerability assessments as part of the Quality Assurance cycle prior to general availability release, and a Security Advisory Task Force (SATF) to work with CERT and other vulnera-bility monitoring organizations to quickly respond to network threats. This task force quickly and effectively responds to product and protocol vulnerabilities as they are identified from CERT, SANS, ISA, channels, and customers so that customers can know how to respond to vulnerabilities. Nortel Networks participates and drives security best practices within National Advisory Bodies, including the
National Security Telecommunications Advisory Council (NSTAC) with executive participation from Nortel Networks President of Wireline
Networks; the FCC’s National Reliability and Interoperability Council (NRIC); the Internet Security Alliance, and the ITU Study Group 17—
Network Security. Nortel Networks also pursues security standards development so that vendors need not develop unique and proprietary
ways to handle security within their network products but follow standards for security throughout networking products.
Tying it all together: centralized network protection
Finally, the ability of the network to quickly respond to threats before patches are available or virus updates are released is critical. While being able to leverage the user-based policy provisioning of the Optivity Policy Services, enterprises can also construct static policies which would apply to the entire enterprise network to push security policies to various devices. This ensures the enterprise has a “quick reaction” capability as they learn of new threats, without relying on individual security policy updates per device. Through protocol type or port for the malicious traffic, policies can be pushed either temporarily or permanently to prevent the traffic from hitting the supported devices. OPS strength is in its ability to push filters real-time to numerous devices on the network—very important as enterprises risk the systemic and swiftly-spreading threats posed by today’s vulnerabilities.
Security partnerships
The icing on the cake: incorporating security best practices into the enterprise
As part of the Unified Security Framework, processes such as security policy definition, education, and enforcement play as important a role as the technology. The human errors on the network are the enablers of the vulnerabilities. In addition to the technology options, security practices, including employee education about how they may be unwitting hosts to these network threats and how to protect against them, as well as strong enforcement of existing corporate security policies are complementary yet critical parts of the solution against these problems. As part of security best practices, system administrators must keep abreast of the latest software patches that protect against known vulnerabili-ties to different software products. According to Gartner, a close interworking between the operations and support organizations who analyze security risks and implement security based on those risks must collaborate better. “Enterprises that implement a vulnerability management process will experience 90 percent fewer successful attacks than those that make an equal investment only in intrusion detection systems.”2
Overall, a strong enterprise security policy, enforced across a network and its users, and education for network users are essential elements to ensuring that those using the network do their best to protect that network.
Nortel Networks on Nortel Networks
Nortel Networks own network, one of the largest and most technically advanced enterprise networks in the world, connecting more than 280 locations across six continents, runs on products from Nortel Networks own portfolio. That’s about 33 million minutes of voice calls, 1.1 petabytes of data traffic (including 19 million e-mails), and 100 live web casts in a typical month—all on Nortel Networks products. Leveraging the latest security available in Nortel Networks portfolio, Nortel Networks IS can use the Internet as a transport to reduce the costs and complexities associated with multiple network topologies and access methods while still protecting these critical network resources. Currently, as an example of a layered defense approach, among its many solutions, Nortel Networks IS uses the Alteon Switched Firewall for its deep packet inspection, having prevented over 133 worms in the first month in the network, and with minimal latency, to protect our network IP Telephony applications. Alteon Application Switches are used to provide redundancy to Session Initiation Protocol (SIP) servers to ensure high availability of our SIP applications and bandwidth management of Peer-to-Peer network applications. The Application Switches provide global multi-site and local redundancy of key servers, flexible packet inspection with packet offset, and pattern matching for UDP, ICMP, IP, and TCP traffic, and to auto-learn and auto-update the latest attack signatures. Contivity Secure IP Services Gateways are used to provide mobile employees with secured communications with the added protections of stateful firewall inspection. Using best-of-breed security technologies available through Nortel Networks vendor partnerships, and security best practices including a strongly enforced and well-understood security policy, Nortel Networks IS enjoys a true end-to-end layered approach to security.
Summary
The enterprise’s need to communicate with its remote employees, business partners, and customers should not be hampered by the threats to public networks and instead should fully leverage the benefits realized from public IP networks for a Business without Boundaries. By taking a realistic approach to network security—including the technology options and human-related processes—based on Nortel Networks Unified Security Framework layered defense approach, enterprises can be well-positioned to defend their networks against today’s network threats.
In the United States:
Nortel Networks 35 Davis Drive
Research Triangle Park, NC 27709 USA
In Canada:
Nortel Networks 8200 Dixie Road Suite 100
Brampton, Ontario L6T 5P6 Canada
In Caribbean and Latin America:
Nortel Networks 1500 Concorde Terrace Sunrise, FL 33323 USA
In Europe:
Nortel Networks Maidenhead Office Park Westacott Way
Maidenhead Berkshire SL6 3QH UK
In Asia:
Nortel Networks Asia Level 5, 495 Victoria Avenue Chatswood, NSW, 2067, Australia Phone: +61 2 8870 5200
Nortel Networks is an industry leader and innovator focused on transforming how the world communicates and exchanges information. The company is supplying its service provider and enterprise customers with communications technology and infrastructure to enable value-added IP data, voice and multimedia services spanning Wireless Networks, Wireline Networks, Enterprise Networks, and Optical Networks. As a global company, Nortel Networks does business in more than 150 countries. More information about Nortel Networks can be found on the Web at:
www.nortelnetworks.com
For more information, contact your Nortel Networks representative, or call 1-800-4 NORTEL or 1-800-466-7835 from anywhere in North America.
*Nortel Networks, the Nortel Networks logo,the globemark design, Alteon, BayStack, Contivity, Optivity, and Passport are trademarks of Nortel Networks. All other trademarks are the property of their owners.
Copyright © 2004 Nortel Networks.
All rights reserved. Information in this document is subject to change without notice. Nortel Networks assumes no responsibility for any errors that may appear in this document.