
White Paper

Nortel Networks

Unified Security Architecture


for enterprise network security
A conceptual, physical, and procedural framework
for high-performance, multi-level, multi-faceted security
to protect campus networks, data centers, branch networking,
remote access, and IP telephony services.
The greater the reach and availability of the network, the greater its vulnerability
to threats from within and outside the organization.
The new openness of networked communications introduces new ethical,
financial, and regulatory pressures to protect networks and enterprises from
internal and external threats and attacks.
Every IT security professional should be up-to-date on the Top Ten challenges to
enterprise security, and the latest recommendations to address those challenges.

Contents
Executive summary . . . 3
Part I. The Top Ten challenges to enterprise network security . . . 4
  Enterprise Security Challenge #1: The Internet was designed to share, not to protect . . . 4
  Enterprise Security Challenge #2: Security is not optional . . . 5
  Enterprise Security Challenge #3: The bad guys have good guns . . . 5
  Enterprise Security Challenge #4: Security threats recognize no boundaries . . . 6
  Enterprise Security Challenge #5: Security depends on people, process, and technology . . . 6
  Enterprise Security Challenge #6: It's not enough to guard the front gate . . . 7
  Enterprise Security Challenge #7: There's no stock blueprint . . . 7
  Enterprise Security Challenge #8: Frisking everybody and everything takes time . . . 9
  Enterprise Security Challenge #9: Grace under fire is a requirement . . . 9
  Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date . . . 9
Part II. The Nortel Networks Unified Security Architecture . . . 10
  2.1. Multi-layer security across application and network levels . . . 12
  2.2. Variable-depth security . . . 13
  2.3. Closed-loop policy management . . . 14
  2.4. Uniform access management . . . 14
  2.5. Secure network operations . . . 15
  2.6. Secure multimedia communications . . . 18
  2.7. Network survivability under attack . . . 19
  2.8. The closed-loop policy management reference model . . . 19
  2.9. A closer look at uniform access management . . . 21
Part III. Network security in the real world . . . 25
  3.1. Securing the campus network . . . 25
  3.2. Securing the data center . . . 28
  3.3. Securing the remote office . . . 31
  3.4. Securing remote access . . . 35
  3.5. Securing IP telephony services . . . 37
Part IV. Nortel Networks technology and expertise . . . 42
  4.1. Design tenets built into the Nortel Networks security portfolio . . . 42
  4.2. Expanded choice through partnerships . . . 43
  4.3. Security services . . . 44
  4.4. Nortel Networks product assurance . . . 44
  4.5. Nortel Networks and cross-industry security developments . . . 45
Summary . . . 46
Appendix A. Hackers' tools of the trade . . . 47
Appendix B. Application and network level threats . . . 49

Executive summary
Today's connected enterprise faces a security paradox. The very openness and ubiquity that make the
Internet such a powerful business tool also make it a tremendous liability. The Internet was designed to
share, not to protect. The ports and portals that welcome remote sites, mobile users, customers, and business partners into the trusted internal network also potentially welcome cyber-thieves, hackers, and others
who would misappropriate network resources for personal gain.
The only effective network security strategy is one that permeates the end-to-end architecture and enforces
corporate policies on multiple levels and multiple network points.
Nortel Networks, a global leader in secure data networking, offers proven solutions to satisfy end-to-end
network security requirements. Security in the DNA is a key tenet of our strategy for the new enterprise
network, a convergence framework we call One Network. A World of Choice.
This document presents the security component of that enterprise network strategy. The Unified Security
Architecture provides a conceptual, physical, and procedural framework of best recommendations and
solutions for enterprise network security. It serves as an important reference guide for IT professionals
responsible for designing and implementing secure networks.
What are the requirements and vulnerabilities? What technology options and implementation choices are
available? How do you protect the network at all levels? This comprehensive strategy addresses those
pressing concerns facing IT security specialists, and offers encouraging news about the depth and breadth
of options available for securing critical network resources.
The Unified Security Architecture is realistic.
It assumes that all components of an IT infrastructure are targets... that even internal users could be
network threats... attacks are inevitable... network performance cannot be compromised by processing-intensive security measures... and IT budgets are constrained.
The Unified Security Architecture acknowledges the diversity of networked enterprises.
It is not a one-size-fits-all prescription, but rather a framework of functionality that offers multiple
implementation choices suitable for closed, extended, and open enterprises in different industries
and for diverse application requirements within all enterprise types.
The Unified Security Architecture addresses the multi-level complexity of network threats.
It provides answers on multiple levels: for instance, from a firewall guardian to block intruders at the
front gate to encryption to shroud every packet in privacy... from virtual private networks that span
the global Internet to virtual LANs that segregate network management traffic from desktop users.
The Unified Security Architecture promotes a process, rather than an endpoint.
Effective security is not achieved through a one-time initiative. This architecture outlines measures
for strong ongoing policy management, reflecting both human and technical factors.
Read on for a discussion of the Top Ten challenges facing IT professionals today and how the
Nortel Networks Unified Security Architecture addresses the challenges.


Part I. The Top Ten challenges to enterprise network security


Every enterprise that relies on network-connected applications and services is subject to 10 key security realities:
1. The Internet was designed to share, not to protect.
2. Security is not optional.
3. The bad guys have good guns.
4. Security threats recognize no boundaries.
5. Security depends on people, process, and technology.
6. It's not enough to guard the front gate.
7. There's no stock blueprint.
8. Frisking everybody and everything takes time.
9. Grace under fire is a requirement.
10. Security is a closed-loop process with an open-ended date.
Let's take a closer look at these challenges, and what IT security professionals can do about them.

Enterprise Security Challenge #1: The Internet was designed to share, not to protect.
In six or seven short years, the Internet has evolved from an adjunct contact channel into the backbone of many critical
business applications. Enterprises are leveraging their IP-based intranets and the world-wide Internet to bring remote offices,
mobile workers, and business partners into their trusted network environments. Many enterprises are capitalizing on the
growing reach and reliability of IP data networks to completely redefine the way they deliver and manage approved corporate
applications.
The Internet enables them to interact more effectively with customers, streamline operations, reduce operating costs, and
increase revenues. However, the Internet was designed to share, not to protect. The ports and portals that welcome outside
users into the trusted internal network also potentially open the door to serious threats. The level of threat only increases as
legacy applications become network-enabled and as network managers open their networks to more new users and applications.
How do you manage mission-critical communications on an inherently insecure medium? Managing that flow is somewhat
like guarding a revolving door. You can't lock it unless you also close out the traffic you do want.
Remote access services that enable traveling employees to dial in for e-mail access... remote offices connected via dial-up lines...
intranets, and extranets that connect outside parties to the enterprise network... all these business-enabling communications
increase the vulnerability of the network.

Enterprise Security Challenge #2: Security is not optional.
Security breaches and unlawful access to confidential data can cost enterprises millions, but the requirement for network security goes beyond financial incentives. The governments of many countries are forcing enterprises to comply with regulations
governing network security and privacy.
In the U.S., the Federal government regulates the privacy and security of electronic information with such regulations as the
Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Safe Harbor Act, the USA
Patriot Act, and the Children's Internet Protection Act (CIPA). More are coming.
Similar regulations are being enacted in Europe and elsewhere, such as the Data Protection Act and Computer Misuse Act in
the U.K. Failure to comply with these regulations brings civil and criminal penalties, even prison terms.
Even if governmental regulations weren't an issue, organizations that suffer security breaches may be sued by customers and
damaged by negative publicity. All enterprises that leverage the Internet for remote access have an obligation to protect network
integrity and data confidentiality, for their own sakes as well as for their customers and business partners.

Enterprise Security Challenge #3: The bad guys have good guns.
Attackers have a broad repertoire of tools and techniques they can use to compromise a network. With these tools of the trade,
they can launch multi-level attacks to access the network: creating an access hole to intrude upon the network, and then using
secondary attacks to exploit other parts of the network.
For example, attackers can take advantage of weak user authentication and authorization tools, improper allocation of hidden
space, shared privileges among applications, or even sloppy employee habits to gain unauthorized access to network resources.
They can disable a trusted host and assume its identity, a threat known as IP spoofing or session hijacking.
Using sophisticated new network sniffers that can decode data from packets across all layers of the OSI model, hackers can
steal user names and passwords, and use that information to launch deeper attacks.
Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing
their service.
In bucket brigade attacks, also known as man-in-the-middle assaults, the attacker intercepts messages in a public key
exchange between a server and a client, retransmits the messages substituting their public key, and in the process tricks the
original entities/users into thinking they are communicating with each other.
Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights.
Masquerading enables a hacker to pose as a valid administrator or engineer to access the network, often to elevate user privileges.
For more information about these types of attacks, see Appendix A, Hackers' Tools of the Trade.
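As an added illustration of the bucket brigade attack described above (this is not code from the white paper): a toy Python model in which an interceptor substitutes its own public value in an unauthenticated Diffie-Hellman exchange, beside the same exchange authenticated with a pre-shared key in the manner of IKE for IPsec VPNs, where the substitution is rejected before any session key is derived. The group parameters, party names and pre-shared key are constructed for the demonstration.

```python
"""Toy model of the bucket brigade (man-in-the-middle) attack on an
unauthenticated public-key exchange, beside the authenticated exchange
that detects it.

Added example; not code from the Nortel white paper. The Diffie-Hellman
group, party names and pre-shared key are constructed for the demo.
Authenticating each public value with a MAC under a pre-shared key
follows the idea of IKE pre-shared-key mode used by IPsec VPNs.
"""
import hashlib
import hmac
import secrets

# CONSTRUCTED toy group: Mersenne prime 2**127 - 1 with generator 5.
# Real deployments use a standardized group (e.g. RFC 3526) and a
# proper generator; this size only keeps the demo fast.
P = 2**127 - 1
G = 5
PSK = b"constructed-demo-pre-shared-key"   # known only to Alice and Bob


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Derive a session key from the peer's public value."""
    z = pow(peer_pub, priv, P)
    return hashlib.sha256(z.to_bytes(16, "big")).digest()


def auth_tag(identity, pub):
    """MAC binding an identity to its public value under the PSK."""
    msg = identity + b"|" + pub.to_bytes(16, "big")
    return hmac.new(PSK, msg, "sha256").digest()


def verify_tag(identity, pub, tag):
    """Constant-time check of the MAC on a received (identity, pub)."""
    return hmac.compare_digest(auth_tag(identity, pub), tag)


def unauthenticated_exchange(intercept):
    """Bare exchange of public values. With intercept=True the attacker
    replaces each value with its own, as the white paper describes."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if not intercept:
        a_key = shared_secret(a_priv, b_pub)
        b_key = shared_secret(b_priv, a_pub)
        return {"alice_bob_agree": a_key == b_key, "attacker_reads": False}
    m_priv, m_pub = dh_keypair()
    # Each endpoint unknowingly keys with the attacker's public value...
    a_key = shared_secret(a_priv, m_pub)
    b_key = shared_secret(b_priv, m_pub)
    # ...so the attacker shares one key with Alice and another with Bob
    # and sits between them, re-encrypting traffic in both directions.
    m_with_a = shared_secret(m_priv, a_pub)
    m_with_b = shared_secret(m_priv, b_pub)
    return {"alice_bob_agree": a_key == b_key,
            "attacker_reads": m_with_a == a_key and m_with_b == b_key}


def authenticated_exchange(intercept):
    """Same exchange, but each public value carries a MAC under the PSK.
    Returns 'established' or 'rejected'."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    msg_from_alice = (b"alice", a_pub, auth_tag(b"alice", a_pub))
    msg_from_bob = (b"bob", b_pub, auth_tag(b"bob", b_pub))
    if intercept:
        _, m_pub = dh_keypair()
        # The attacker can swap the public values but, lacking the PSK,
        # can only forward the original tags, which no longer match.
        msg_from_alice = (b"alice", m_pub, msg_from_alice[2])
        msg_from_bob = (b"bob", m_pub, msg_from_bob[2])
    # Bob checks what he received from Alice and vice versa; a
    # substituted value is detected before any session key is derived.
    if not verify_tag(*msg_from_alice) or not verify_tag(*msg_from_bob):
        return "rejected"
    a_key = shared_secret(a_priv, msg_from_bob[1])
    b_key = shared_secret(b_priv, msg_from_alice[1])
    return "established" if a_key == b_key else "rejected"


if __name__ == "__main__":
    print("unauthenticated, no attacker:", unauthenticated_exchange(False))
    print("unauthenticated, attacker:   ", unauthenticated_exchange(True))
    print("authenticated, no attacker:  ", authenticated_exchange(False))
    print("authenticated, attacker:     ", authenticated_exchange(True))
```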

Enterprise Security Challenge #4: Security threats recognize no boundaries.
The typical enterprise internal trusted network is anything but internal these days. It extends to include supply chain partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more.
Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would
misappropriate network resources for personal gain.
In today's business environment, the concept of a network perimeter is disappearing. Boundaries between inside and outside
networks are becoming thinner, almost irrelevant. Applications run on top of networks in a layered fashion.
The OSI (Open Systems Interconnection) model was built to allow different layers to work without knowledge of each other.
Unfortunately, that means that if one layer is hacked, communications are compromised without the other layers being aware
of the attack. That means security must address unique considerations at application and network layers, and bridge these
layers to ward off multi-level threats.
Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources.
Application-layer attacks can be based on viruses, worms, buffer overflow, and password harvesting, among others. Web services and single sign-on technologies aggravate the problem, since they encourage Web-enabling legacy-based applications that
were not designed with Web connectivity and security issues in mind.
Network-layer threats expose the network infrastructure to sabotage, vandalism, bad system configuration, denial of service
(DoS), snooping, industrial espionage, and theft of service. Attacks may be launched from inside the network by insiders and
also from external sources such as hackers.
For more information about application-layer and network-layer threats, see Appendix B: Application and network level threats.

Enterprise Security Challenge #5: Security depends on people, process, and technology.
Vulnerabilities arise both from people and process failures (such as posting their passwords in public view, or slack policy
enforcement) and technical aspects (such as rogue programs and Trojan horses), and combinations of all three.
The Nimda virus that recently caused havoc in IT environments is a perfect example. At first glance, Nimda was technical in
nature: a virus. But on closer inspection, the havoc was caused more by human error than technical devilry. Nimda exploited
six previous technical vulnerabilities; it was just a variant of previous vulnerabilities that were documented and communicated
many months before Nimda actually spread on the Internet.
Organizations should all have known about these vulnerabilities and disseminated that knowledge to the people responsible for
protecting IT systems. Nimda was a non-issue for enterprises that had established processes in place for translating knowledge
into action tasks, assigning responsibility for those tasks, and auditing successful completion.

Enterprise Security Challenge #6: It's not enough to guard the front gate.
Every component of the IT infrastructure is susceptible to attacks, not just obvious gateways to the Internet. Hosts, applications
such as IP telephony, routers, and switches can be attacked by hackers or unauthorized users from inside or outside the enterprise.
At the network level, the use of firewalls, proxy servers, and user-to-session filtering can add protection, but hackers seem to get
smarter all the time. Using user access control at the network and application level with appropriate authentication and authorization can minimize the risks of unauthorized access.
But the sheer diversity of the types of attacks, and the multi-level nature of many attacks, requires that IT managers understand
how security breaches are instigated and be able to assess and recover from any inflicted damage. That means the only effective
network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels (user,
application, and network) and at multiple network points.

Enterprise Security Challenge #7: There's no stock blueprint.
Each enterprise has a unique set of business needs and has evolved their networking environment accordingly. That means the
right security strategy is more a prescription of functionality and characteristics than a stock blueprint. Security is not a one size
fits all situation. Neither is it a static implementation, any more than the network or technology remains static.
For general purposes, we can categorize enterprises into three types of security spheres:
The closed enterprise uses logical (e.g. frame relay) or physical private lines between sites, with PC dial access provided selectively for employees needing access into the Internet. Web presence is achieved through an Internet data center provided by a
service provider (who is responsible for establishing a secure environment). The organization also provides conventional dial access
for remote employees (e.g. working from a hotel). The company uses private e-mail among employees with no external access.
Wireless LANs are also starting to be used.
Even the closed enterprise has security concerns, not just from disgruntled internal users, but also because there are a number of
backdoor exposures. Users with dial access to the Internet from their desktop PCs, employees surfing the Net from laptops they
use at home or on the road, and wireless LANs all introduce Internet-related threats. Perhaps, the greatest risk comes from the
specious belief that the closed enterprise is immune to external risks.
The extended enterprise is an extension of the closed enterprise. Web presence is still achieved via a service provider. Support
for remote employee and office access over IP virtual private networks (VPNs) over the Internet is provided, delivering higher
speed, lower cost connectivity. The enterprise provides general-purpose access for all employees into the Internet, allowing them to
leverage the abundance of business-related information available on the Internet. Inter-working between the internal e-mail system
and the rest of world is provided.
The open enterprise leverages the Internet by allowing partners, suppliers, and customers to have access to an enterprise-managed Internet Data Center, even allowing selective access to internal databases and applications (e.g. as part of a supply chain
management system). Internal and external users access the enterprise network from home, remote offices, or other networks using
wired or mobile devices.

For the extended enterprise, the diversity of supported services and access mechanisms translates into multiple paths into the
enterprise network, and in turn increases the risk. Naturally, that risk increases exponentially with the open enterprise, which
has the greatest susceptibility to application-layer and network-layer threats, unauthorized access, and eavesdropping.
Infrastructure, applications, and network management systems are equally vulnerable.

Figure 1. Generic Enterprise types
[Figure with three panels. Closed enterprise: employees reach the enterprise network over a dedicated WAN and PC dial-in access, with PC Internet dial-out, an outsourced Web site at an ASP data center serving customers, and private e-mail. Extended enterprise: an Internet Data Center, remote access and office IP-VPNs, employee Internet access, and interworked e-mail. Open enterprise: controlled partner and select customer access by customers, partners, and employees over the Internet, with connectivity boundaries lowered.]

Enterprise Security Challenge #8: Frisking everybody and everything takes time.
Anyone who has traveled by airplane knows that the trade-off for enhanced security is delay. The more closely you inspect bags
and travelers, the longer the lines at security.
On enterprise networks as well, turning up the full complement of security features can slow Web servers to a crawl as they bog
down with processing-intensive encryption, decryption, key management, and more. Bolting IP-VPN capabilities onto legacy
routers brings its own brand of performance penalty. Voice applications, such as live Webcasts and Voice over IP, are very sensitive to delay and jitter and are therefore dramatically affected by traditional security mechanisms.

Enterprise Security Challenge #9: Grace under fire is a requirement.
In the context of security, reliability and survivability have somewhat different meanings. Network reliability ensures that
the network continues to operate in spite of incidental failure of software and/or hardware components. Network survivability
means the network continues to operate, delivering essential services in a timely manner, while battling security threats, even
if parts of the network are unreachable or disabled due to overt attack.

Enterprise Security Challenge #10: Security is a closed-loop process with an open-ended date.
Organizations must view security as a steady process and evolving way of thinking about how to protect systems, networks,
applications, and resources. Reduce risk by continually and steadily making progress in identifying and addressing vulnerabilities and security policy holes. Corporations and government institutions must be able to determine what is at stake when security measures fail, how to detect security breaches, and what to do about them.
This process also entails continual training and awareness, since breaches of security policy are usually caused by human error
or carelessness. Employees, managers, and administrators must all be aware of established security policies and best practices.
The good news is that enterprise networks can minimize their risks from unauthorized users without sacrificing performance
for legitimate users. Part II of this document shows how the Nortel Networks Unified Security Architecture addresses these
Top Ten challenges.
Figure 2. Enterprises need a security framework to optimally use IT techniques, tools, and methodologies against attackers
[Figure: possible attacks (authorization threats, IP spoofing, network sniffers, denial of service, intrusion, bucket brigade attacks, back door traps, data modification, masquerading) directed at the enterprise network and its infrastructure; the protected enterprise counters them with anti-virus software, deep packet filtering, digital certificates, IPsec and SSL encryption, firewalls, and network and host-based Intrusion Detection Systems (IDS).]

Part II. The Nortel Networks Unified Security Architecture
What can security IT professionals do about the Top Ten challenges?
The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of best recommendations for end-to-end enterprise network security, addressing all the Top Ten challenges:
1. The Internet was designed to share, not to protect. So the Unified Security Architecture defines virtual private networks, virtual LANs, firewalls, encryption, and other mechanisms that enable enterprises to reduce the risk of being Internet-connected.
2. Security is not optional. The Unified Security Architecture upgrades enterprise security programs and infrastructures to comply with business, ethical, and regulatory mandates to protect data integrity and confidentiality.
3. The bad guys have good guns. The Unified Security Architecture identifies the various tools of the trade, how they operate, and what kinds of protections thwart these attacks.
4. Security threats recognize no boundaries. The Unified Security Architecture addresses threats on multiple functional and architectural layers, enabling enterprises to flexibly define what needs to be protected, from what kinds of threats, implemented how, and at what layers.
5. Security depends on people, process, and technology. The Unified Security Architecture calls for developing and enforcing security policies that address technical considerations and human aspects of security, such as staff training and process.
6. It's not enough to guard the front gate. The Unified Security Architecture begins with perimeter firewall defense and documents security provisions all the way to the individual user and application.
7. There's no stock blueprint. The Unified Security Architecture defines the required functionality and offers enterprises broad choice in which functions to implement, to what degree, using what platforms and protocols.
8. Frisking everybody and everything takes time. The Unified Security Architecture introduces purpose-built security products that use load-balancing, health-checking, and innovative acceleration technologies to minimize latency.
9. Grace under fire is a requirement. The Unified Security Architecture defines ways to segregate critical resources and sustain performance even under attack.
10. Security is a closed-loop process with an open-ended date. The Unified Security Architecture calls for policy management to be a process of continuous feedback and improvement, reflecting the latest industry knowledge and best practices.


The comprehensive security strategy set forth in this document is based on seven key principles:
1. Multi-layer security that defines security protection functions at application, network-assisted, and network security
levels, in a layered architecture that can be flexibly defined and implemented.
2. Variable-depth security across the enterprise, not just at the edge of the Internet: for example, from firewall
perimeter defense, to VPNs to protect Internet-traversing traffic, and to VLANs to segregate traffic within a network.
3. Closed-loop policy management, including configuration of edge devices, enforcement of policies in the network,
and verification of network functionality as seen by the end user application.
4. Uniform access management, including stringent authentication and roles-based authorization of access to all
resources for all users, with granular access policies defined at the application level and managed enterprise-wide.
5. Secure network operations, by physically or logically partitioning network management from user traffic, and
applying other recommended security mechanisms to operational activities.
6. Secure multimedia communications, protected by encrypting the data, voice, and video payload without introducing
delays that this real-time traffic cannot tolerate.
7. Survival under attack, for instance, by using resilient architectures with no single point of failure, and applying
intrusion-detection systems, anti-virus software, content filtering, and ongoing vigilance as attackers continue adopting
new weaponry.

Figure 3. Principles behind Nortel Networks Unified Security Architecture
[Figure: the seven principles arranged around the Unified Security Architecture: layered security, variable-depth security, closed-loop policy management, uniform access management, securing network operations, securing multimedia communications, and survivability under attack.]

The principles underpinning the Unified Security Architecture offer enterprises a security blueprint to use as they move
towards increasingly open environments. Let's take a look at each of the seven key principles of the Unified Security
Architecture.
2.1. Multi-layer security across application and network levels
Recognizing the multi-layered, interdependent nature of enterprise networks, and the critical need for security at more than
the application level, the Nortel Networks Unified Security Architecture logically organizes security into multiple levels:
The Network Security Layer provides security functions at OSI layers 1 to 3 (physical, link, and data levels).
The Network-Assisted Security Layer provides security functions at OSI layers 4 to 7 (network to application/
presentation layers) on top of the network level for added security.
The Application Security Layer provides security in layer 7 of the OSI model, the application layer, and includes all
security built into server and storage platforms.
Some functions, such as access lists and VLANs, operate purely at the Network Security Level. Others, such as firewalls,
operate at either the Network or Network-Assisted Security Levels, depending on whether they are stateful or not. Others such
as SSL (Secure Sockets Layer) can be viewed as network-assisted or application security. The power of the Unified Security
Architecture is that industry-defined security functions are leveraged in a structured fashion, tightening security overall.
See Part III, Security in the Real World, for examples of these security layers in action for protecting campus and branch
networks, data centers, IP telephony services, and remote access.
Hardening server operating systems
Within the application level of the multi-layer security framework, a key element is hardening the multiple
operating systems used in network and user applications, such as OSs for data communications devices, servers,
network management systems, IP telephony servers, and more.
In an increasingly open, multivendor IT environment, network elements are frequently based on commercially available OSs. For example, Nortel Networks CallPilot unified messaging system, Symposium Contact Centers, and
Business Communications Manager use a hardened version of Windows NT with off-the-shelf security software for
functions such as anti-virus protection, intrusion-detection, and login audits. Nortel Networks Succession CSE 1000
and Meridian IP-enabled PBX portfolios are built on an embedded real-time OS called VxWorks. The Nortel
Networks Succession CSE MX system is built on UNIX.
Procedures for hardening the OSs in Nortel Networks products are provided in our documentation. For third-party
operating systems where no specific hardening guide exists, consult the OS vendor for the latest OS hardening patches
and procedures.
Figure 4. Unified Security Architecture
(Figure: three stacked layers, Application Security, Network-Assisted Security, and Network Security, flanked by Secure Access Management and Network Management Security, with Policy Management spanning all of them; the architecture serves end users, operators, partners, and customers.)
The remaining elements of the architecture, discussed in the sections to follow, are inter-related and somewhat orthogonal to
these layers. The table below illustrates how common security technologies map to the elements of Nortel Networks Unified
Security Architecture.
Figure 5. Security functionality mapping to the Unified Security Architecture
(Table: each security function is mapped against three columns, Network Security, Network-assisted Security, and Application Security. Rows: policy management functionality (Policy Repository, Policy Decision Point, Policy Enforcement Point); Layer 2 VPN, EAP, and port security (L2); Network Address Translation (NAT); access control list (AL); IPsec encryption (IPsec); secure dynamic routing (SRT); firewalling (FW); intrusion detection (IDS); network management security functionality (secure activity logs, network operator authentication, access control/operator authorization, encryption, secure remote access, firewalls, intrusion detection, OS hardening, virus-free software); SSL encryption (SSL); content filtering (CF); virus scanning (VS); and secure access management functionality (authentication client, authentication server, authentication database; Auth). The abbreviations in parentheses are the icons reused in the later figures.)
2.2. Variable-depth security
Defining security policy at multiple network levels produces a security strategy where each security level builds upon the
capabilities of the layer below and provides finer-grained security the closer you get to resources.
VLANs (Virtual LANs) provide basic network compartmentalization and segmentation, enabling business functions to
be segregated in their own private local area networks, with cross-traffic from other VLAN segments strictly controlled
or prohibited. The use of VLAN tags enables the segregation of traffic into specific groups such as Finance, HR, and
Engineering, separating their data without leakage between disparate functions.
Perimeter and distributed firewall-filtering capabilities provide another level of protection at strategic points within the
network. Firewalls enable the network to be further segmented into smaller areas, and enable secure connections to the public
network. Firewalls limit access to inbound and outbound traffic to the protocols and authentication methods that are explicitly
configured in the firewall. Firewalls that support Network Address Translation (NAT) enable optimization of IP addressing
within the network as specified in RFC 1918 (Address Allocation for Private Internets).
Firewalls provide an extra layer of access control that can be customized based on business needs. Distributed firewalls add the
benefit of scalability. Personal firewalls can be deployed on end users' systems to protect application integrity.
Virtual private networks (VPNs) provide an even finer granularity of user access control and personalization, enabling
secure access at the individual user level from remote sites and business partners, without requiring dedicated pipes.
Dynamic routing over secure tunnels across the Internet provides a highly secure, reliable and scalable solution. VPNs, VLANs,
and firewalls together allow the network administrator to limit access by a user or user group based on strictly defined policy
criteria and business needs. VPNs provide strong assurance of data integrity and confidentiality with strong encryption.
VLANs alone may satisfy the security needs of the closed enterprise. Extended and open enterprises will likely require a
combination of security level capabilities.
2.3. Closed-loop policy management
A properly designed and implemented security policy is an absolute requirement for all types of enterprises and has to be
owned by one group. It should be a living document and process, which is enforced, implemented, and updated to reflect the
latest changes in the enterprise infrastructure and service requirements.
The security policy must clearly identify the resources in the enterprise that are at risk and resulting threat mitigation methodologies. It should define which users or classes of users have access to which resources. The policy must define the use of audit
trails to help identify and discover violations and the appropriate responses.
Users think of the network in terms of people, applications, locations, time of day, etc., not in technical terms such as
firewall stateful inspection or access lists. Security policies should use non-technical vocabulary to the extent possible for
user-facing issues, automatically translated by the policy management system into technical security mechanisms for network
implementation.
Policy management addresses the full realm of security components (firewalls, intrusion-detection systems, access lists and
filters, authentication techniques, and more) along with a system-wide view of network environments, such as data center,
remote office, and campus networks.
Ultimately, policy operates at a granular level to address pieces of the solution while providing centralized control and accountability. Centralization ensures that security parameters are set consistently across multiple nodes, and that multiple policies for
different administrative domains all reflect enterprise-wide policy and inter-domain consistency.
Closed-loop policy management is implemented using the reference architecture described in 2.8, and includes configuration
management of network devices, enforcement of policies in the network, and verification of network functionality via audit
trails. Verification and audit trails close the loop on policy management, and result in updates to the policy to reflect corrective
actions.
2.4. Uniform access management
Access management refers to authentication and authorization services that control users' access to resources. During authentication, users identify themselves to the network; during authorization, the network determines users' level of privileges based
on their identity, as defined in policy.
Access management is controlled by multiple methods, such as IP source filtering, proxies, and credential-based methods,
often used in combination, each with its advantages and limitations. For example, an enterprise may choose to manage
access for workstations using IP source filtering, and may choose to use a credential-based scheme for other users.
Since users could be employees, network technicians, supply chain partners, inter-organization team members, or even
customers, it is important to have robust, centralized access control enforced by the local or remote network device interfacing
to the user.
Several methods can be used to authenticate a user, such as: permanent or one-time passwords, biometric techniques, smart
cards, and certificates. Password-based authentication must use strong passwords that are at least eight characters in length with
at least one alphabetic, one numeric, and one special character.
Where stronger authentication is required, password authentication can be combined with another authentication and authorization process based on protocols such as RADIUS and LDAP to provide authentication, authorization, and accounting (AAA)
services. Additionally, key management can be based on Internet Key Exchange (IKE), certificate management on Public Key
Infrastructure X.509 (PKIX), Certificate Management Protocol (CMP), Online Certificate Status Protocol (OCSP), and
Simple Certificate Validation Protocol (SCVP).
In defining access privileges on all ports and devices, the concept of least privilege should be applied, granting access only as
needed.
Open and extended enterprises face the greatest challenges when designing access management policy. They require fine-grained rules that properly interface with identity directories and databases, multiple authentication systems such as RADIUS,
and various hosts, applications, and application servers.
The system should perform session management per user after the user is authenticated, and use flexible configuration and
policy enforcement with fine-grained rules, capable of dealing with specific objects. Unique accounts for each administrator
should be used, with accountability for actions traceable to individuals, to provide for appropriate monitoring, accounting, and
secure audit trails.
For more information about authentication and authorization, see section 2.9, A closer look at uniform access management.
2.5. Secure network operations
On the one hand, network management is like other data applications, running on servers and workstations, complemented by
application-level security and taking advantage of network-level and network-assisted security. On the other hand, network
operators are specialized users who should be subject to more stringent authentication and authorization procedures.
Because of the greater access authority and functional privilege granted to network management personnel, their access and
activities must be carefully secured to protect network configuration, performance, and survivability. The more open the enterprise and the more centralized the network management system, the greater the requirement for stringent security for network
management processes.
Secure network management requires a holistic approach, rather than a specific security feature set on a network element.
Our Unified Security Architecture recommendations address nine critical areas:
Secure activity logs
Network operator authentication
Authorization for network operators
Encryption of network management traffic
Secure remote access for operators
Firewalls and VLANs to partition the network
Intrusion detection
Hardening operating systems
Anti-virus protection

Secure activity logs provide a verifiable audit trail of user or administrator activities and events generated by network devices.
Security activity logs must contain sufficient information to establish individual accountability, reconstruct past events, detect
intrusion attempts, and perform after-the-fact analysis of security incidents and long-term trend analysis. Activity log information helps identify the root cause of a security problem and prevent future incidents. For instance, activity logs can be used to
reconstruct the sequence of events that led up to a problem, such as an intruder gaining unauthorized access to system
resources, or a system malfunction caused by an incorrect configuration or a faulty implementation. Syslog is the most
common mechanism used by equipment vendors; Syslog works with all third-party log analyzer systems. Because the information contained in activity logs can be used to compromise a network, this log information itself must be secured.
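The analysis the paragraph above asks of activity logs, as an added example that is not Nortel code: parsing Syslog-style lines from network devices, reconstructing one operator's sequence of events, flagging password-guessing bursts, and catching configuration changes with no accepted login behind them. The sample lines, host names, operator names and addresses are constructed for the example.

```python
"""Activity-log analysis over constructed syslog lines (added example, not Nortel code).

Shows three things secure activity logs must support: reconstructing a per-operator
sequence of events, establishing individual accountability for configuration
changes, and detecting intrusion attempts (password-guessing bursts).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in RFC 3164 style: <PRI>TIMESTAMP HOST TAG: MSG.
# Host names, operator names and addresses are invented for this example.
SAMPLE_LOG = """\
<86>Mar 12 09:14:02 core-sw1 login: Failed password for operator bob from 10.1.5.7
<86>Mar 12 09:14:09 core-sw1 login: Failed password for operator bob from 10.1.5.7
<86>Mar 12 09:14:15 core-sw1 login: Failed password for operator bob from 10.1.5.7
<86>Mar 12 09:14:21 core-sw1 login: Failed password for operator bob from 10.1.5.7
<86>Mar 12 09:20:40 core-sw1 login: Accepted password for operator alice from 10.1.5.9
<190>Mar 12 09:21:05 core-sw1 config: alice changed access-list 101 (permit any)
<190>Mar 12 09:30:12 edge-rtr2 config: carol changed vlan 200 (added port 3/4)
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for operator (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for operator (\S+) from (\S+)")
CONFIG_RE = re.compile(r"^(\S+) changed ")


def parse_line(line, year=2003):
    """Parse one syslog line; RFC 3164 carries no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip it rather than abort the whole analysis
    pri = int(m.group("pri"))
    return {
        "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg"),
        "facility": pri // 8,  # RFC 3164: PRI = facility * 8 + severity
        "severity": pri % 8,
    }


def parse_log(text):
    """Reconstruct the chronological event sequence from raw log text."""
    events = [e for e in (parse_line(ln) for ln in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def timeline_for(events, user):
    """Events mentioning one operator, for after-the-fact reconstruction."""
    pattern = re.compile(rf"\b{re.escape(user)}\b")
    return [(e["ts"].strftime("%H:%M:%S"), e["host"], e["msg"])
            for e in events if pattern.search(e["msg"])]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Flag (user, source) pairs with >= threshold failures inside a sliding window."""
    attempts = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if m:
            attempts[(m.group(1), m.group(2))].append(e["ts"])
    alerts = []
    for (user, source), times in attempts.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"user": user, "source": source, "count": len(times)})
                break
    return alerts


def unattributed_changes(events):
    """Config changes by an account with no accepted login on that host beforehand:
    a gap in individual accountability that the audit trail should never show."""
    logged_in, findings = set(), []
    for e in events:
        ok = ACCEPTED_RE.search(e["msg"])
        if ok:
            logged_in.add((e["host"], ok.group(1)))
            continue
        cm = CONFIG_RE.match(e["msg"])
        if cm and e["tag"] == "config" and (e["host"], cm.group(1)) not in logged_in:
            findings.append((e["host"], cm.group(1), e["msg"]))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("timeline for bob:", timeline_for(evts, "bob"))
    print("bursts:", failed_login_bursts(evts))
    print("unattributed changes:", unattributed_changes(evts))
```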
Network operator authentication based on strong centralized administration and enforcement of passwords ensures that only
authenticated operators gain access to management systems. Centralized administration of passwords enables enforcement of
password strength and removes the need for local storage of passwords on the network elements and EMS (Element
Management Systems). RADIUS is the basic mechanism of choice for automating centralized authentication within Nortel
Networks products.
Authorization for network operators uses authenticated identity to determine the user's access privileges: what systems they
can access, what functions they can perform. Techniques based on RADIUS servers provide a basic level of access control. An
additional LDAP server can provide more fine-grained access control if necessary.
Encryption of network management traffic protects the confidentiality and integrity of network management data traffic,
which is especially important with the growing use of in-band network management. Encryption provides a high degree of protection
from internal and external threats, with the exception of the small group of insiders that have legitimate access to encryption
keys.
Encryption between network operations center (NOC) clients and Element Management System (EMS) servers and/or
Network Elements should be provided. This includes SNMP traffic, because there are known vulnerabilities with SNMP v1
and v2, which are intended to be addressed by SNMP v3. Given the widespread deployment of SNMP v1 and v2, IPsec
can be used to secure this traffic.
Depending on traffic type, the security protocols to use for these links are IPsec (IP Security), Secure Shell (SSH), and SSL:
SSH is an application-level security protocol that can be used in place of IPsec if the traffic consists of Telnet and FTP
only, but it cannot normally be used to protect other traffic types.
The IPsec protocol runs between the network layer (Layer 3) and the transport layer (Layer 4) and is the preferred protocol
to protect any type of data traffic, independent of applications and protocols. External IPsec VPN devices, such as
Nortel Networks Contivity Secure IP Services Gateways, can be used in various parts of the network to secure
management traffic.
SSL technology, integrated into all standard Web browsers, is the de facto standard security protocol to protect
HTTP traffic.
Secure remote access for operators: Security must be provided for operators and administrators who manage the network
from a remote location over a public network. Providing a secure virtual private network using IPsec is the mandatory solution,
as this will provide strong encryption and authentication of all remote operators. An IP-VPN product such as Nortel Networks
Contivity Secure IP Services Gateway should be placed at the management system interface and all operators should be
equipped with extranet access clients for their laptops or workstations.

Figure 6. Secure connectivity options for network management traffic
(Figure: a Network Operating Center whose browser, Telnet, and management clients sit on a NOC VLAN and reach the management systems over SSL, IPsec, or Layer 2 separation; a remote management client reaching the NOC over IPsec across the Internet; and the management systems reaching the network devices in the enterprise network over IPsec or SSH, with firewall, authentication, virus scanning, intrusion detection, and access-list functions along the path.)
Firewalls and VLANs partition the network to segregate management devices and traffic from other, less confidential systems
such as public Web servers. The firewall controls the type of traffic (defined by protocol, port number, source and destination
address) that can transit the boundary between security domains. Depending on the type of firewall (application versus packet
filtering), firewalls can also filter the application content of the data flow.
Intrusion-detection systems incorporated into management servers defend against network intrusions by warning
administrators of potential security incidents, such as a server compromise or denial-of-service attack.
Hardening operating systems used for network management closes potential security gaps in general-purpose operating
systems and embedded real-time operating systems. OS hardening should use the latest procedures and patches from the
OS manufacturer.
Anti-virus protection involves scanning all in-house and third-party software packages with virus-detection tools before
incorporating the software into a product or network. A rigorous, established process ensures, to the extent possible,
that network management software is virus-free.

2.6. Secure multimedia communications
Unified networks can carry voice, data, and video, each with its own performance requirements and security considerations. When and where to encrypt this traffic is a major consideration, and is a key element of any enterprise security policy.
This can be done on a per-application basis using SSL, on a client-server basis using SSH (Secure Shell), or for all traffic using
IPsec VPN technology. Generally, all traffic over the Internet and wireless LANs, and potentially critical information leaving the
premises, should be secured via strong encryption technology.
IP telephony represents a particularly important class of application. As with any application, a risk assessment of IP telephony
needs to be done: its intrinsic value assessed, the implications of loss understood, and a security policy formulated. We can start
this assessment by making some key observations on telephony and data security in general. First, telephony is a critical
business function and therefore, like the network itself, the telephony system as a whole must be protected from security
attacks. Second, we trust the public voice network and live with the inherent vulnerability of eavesdropping on public cell
phone systems. Third, we trust PBX networks, the critical components of which are locked away in a telecom room. In addition, IT organizations have spent a lot of effort to minimize toll fraud and misuse of the voice network for personal calls.
On the data side, we also rely on physical security to ensure that only employees have access to the internal network, and we
trust that information sent over LANs, campus networks, and private WANs running over physical and virtual private lines is
generally secure. Outside the confines of the enterprise network, most enterprises have established security policies requiring that all
internal data transmissions to employees and remote offices over the Internet be encrypted and authenticated.
Likewise, critical customer interactions over the Web are protected via SSL. From a user perspective, keeping it simple has been
the objective.
The Nortel Networks Unified Security Architecture for IP telephony follows the guidelines below:
Enterprise IP telephony operated within the confines of the enterprise, inter-working with the public network over circuit-switched connections. End-to-end VoIP connectivity between public phones and phones within the enterprise is not
considered in this version of the document.
The IP networking infrastructure that supports IP telephony must be secure from a data perspective and engineered to
meet the stringent latency and reliability requirements of telephony.
IP telephony communications servers are business-critical and must be physically secure and protected from internal and
external attack.
Secure authentication of VoIP clients must be provided. While data users may expect to log in with multiple userIDs and
passwords, they won't tolerate that authentication requirement for every phone call. Generally, telephony users have only
been required to authenticate themselves for off-net access using a feature set called Direct Inward System Access (DISA).
Encryption of voice is only a requirement when traversing a shared media LAN or the Internet.
Security must be holistic and span the entire telephony environment, including VoIP clients and servers, application
servers (such as for unified messaging and contact centers), and traditional PBXs.
Encryption can be achieved with VPN techniques using IPSec, with Authentication Header (AH) and Encapsulating Security
Payload (ESP), tunneling through the use of Layer 2 Tunneling Protocol (L2TP), key management based on Internet Key
Exchange (IKE), and certificate management based on Public Key Infrastructure X.509 (PKIX), Certificate Management
Protocol (CMP), Online Certificate Status Protocol (OCSP), and Simple Certificate Validation Protocol (SCVP). SSL and
Transport Layer Security (TLS) protect communications at the application layer.
Standards-based encryption algorithms and hashes should be used, such as DES, 3DES, AES, RSA, and DSA; MD5 and SHA-1
for message integrity; and Diffie-Hellman and RSA for key exchange.
Wired Equivalent Privacy (WEP), as defined in the 802.11 standard, is a technique to protect over-the-air transmission between wireless LAN (WLAN) access points and network interface cards (NICs). This protocol has been shown to be
insecure. IEEE 802.11 is working on standardizing encryption improvements for WLANs. Until those are available, added measures of
protection such as IPsec must be used to secure WLAN traffic over WEP.
2.7. Network survivability under attack
The typical enterprise network supports mission-critical operations and is essential for conducting business. That means the
network must continue to operate, delivering essential services in a timely manner, while battling security threats, even if
parts of the network are unreachable or disabled due to overt attack.
This kind of survivability starts by logically organizing network services into at least two categories, essential services and non-essential services, and defining strategies that enable these services to resist, address, and recover from attacks. The most effective approaches combine multiple resistance, identification, and recovery strategies in an adaptable manner that responds to
changing network conditions. For example, the network can re-route traffic from one server to another if an intrusion or an
attack is detected on the first server. That means an effective survivability plan is holistic; it spans management systems, hosts,
applications, routers, and switches across the network.
Naturally, the first line of resistance to attacks is strong access control through authentication and encryption. Keep intruders
out at the first point of entry, if possible. Message and packet filtering and network and server segmentation provide strong
secondary defenses. Intrusion-detection systems identify attacks in progress. Faithful attention to backup techniques enables
rapid system and network recovery after a successful system breach.
This includes high availability through redundancy of critical security functions, such as through the use of application
switches, which provide redundancy between intrusion-detection servers. Additional techniques include the encryption of all
mission-critical traffic, multi-link trunking (MLT), virtual router redundancy protocol (VRRP), dual/mirroring of disk drives,
backup CPUs, backup power supplies, and hot-swappable components. These mechanisms provide a higher level of confidence
in the survivability of critical applications (such as IP telephony).
2.8. The closed-loop policy management reference model
The Nortel Networks Unified Security Architecture is based on the IETF architectural framework for policy management
(RFC 2753). In this model, policy management is implemented across the network and at all levels (application, network-assisted, network), and applicable to all types of users and applications.
Figure 7. Policy management within the Unified Security Architecture
(Figure: the policy repository and the policy management console both talk LDAP to the policy server, the Policy Decision Point (PDP); the PDP provisions the network devices, the Policy Enforcement Points (PEPs), over COPS-PR, SNMP, or CLI; the PEPs carry the L2, NAT, Auth, AL, FW, and CF functions.)
The IETF policy management model uses these key elements and protocols:
Policy Decision Points (PDPs) or policy servers abstract network policies into specific device control messages, which are
then passed to policy enforcement points. These policy servers are often standalone systems running Unix or Windows
NT/2000, controlling switches and routers within an administrative domain; they communicate with these devices using a
control protocol (e.g., COPS, SNMP Set commands, Telnet, or the device's specific Command Line Interface, CLI).
A Policy Enforcement Point (PEP) is a network or security device that accepts a policy (configuration rules) from the Policy
Decision Point and enforces that policy against network traffic traversing that device. This enforcement leverages network and
network-assisted security mechanisms as appropriate.
Common Open Policy Service (COPS) is a simple query-and-response, stateful, TCP-based protocol that exchanges policy
information between a Policy Decision Point (PDP) and its clients, the Policy Enforcement Points (PEPs). It is specified in
RFC 2748. COPS relies on the PEP to maintain a connection to a primary PDP (or to a secondary PDP when the primary
is unreachable) at all times. Alternatively, a COPS proxy device can be used to translate COPS messages originating from a
policy server into SNMP or CLI commands understood by network and security devices.
The COPS protocol supports two different extension models for policy control: a dynamic outsourcing model COPS-RSVP,
specified in RFC 2749, and a configuration or Provisioning model COPS-PR, specified in RFC 3084. Provisioning extensions
to the COPS protocol allow policies to be installed on the PEP up front by the PDP, thus allowing the PEP to make policy
decisions for data packets based on this pre-provisioned information. Further communication between the PDP and PEP is
necessary to keep policies provisioned in the data repository (i.e. the directory) in sync with those sent to the PEP.
The Policy Repository stores all policy information in a network directory. It describes network users, applications, computers,
and services (i.e., objects and attributes), and the relationships between these entities. There is tight integration between IP
address and the end user (via the Dynamic Host Configuration Protocol, DHCP, and the Domain Name System, DNS). This policy
repository is usually implemented on a special-purpose database machine running Unix or Windows NT/2000, accessed by
policy servers via LDAP.
The Policy Repository stores relatively static information about the network (such as device configurations), whereas policy
servers store more dynamic network state information (such as bandwidth allocation or information about established connections). The policy server retrieves policy information from the directory and deploys it to the appropriate network elements.
There is no established standard to describe the structure of the directory database, i.e., how network objects and their attributes are defined and represented. A common directory schema is needed if multiple vendor applications are to share the same
directory information; for example, all vendors need a common way to interpret and store configuration information about
routers. The forthcoming Directory-Enabled Networking (DEN) standard, now being developed by the DMTF (Desktop
Management Task Force), addresses this need. DEN includes an information model that provides an abstraction of profiles and
policies, devices, protocols, and services. This provides a unified model for integrating users, applications, and networking services, and an extensible service-oriented framework.
The Lightweight Directory Access Protocol (LDAP version 3) is specified in RFC 2251. LDAP is a client-server protocol for
accessing a directory service. The LDAP information model is based on the entry, which contains information about some
object (e.g., a person), and is composed of attributes, which have a type and one or more values. Each attribute has a syntax
that determines what kinds of values are allowed in the attribute and how those values behave during directory operations.
The last element is the policy management console, generally running on a personal computer or workstation, that provides
the human interface to the policy management system. A Web browser can be used to provide manager access from virtually
anywhere, with policy object-level security used to limit which policies can be modified by a specific individual. The console
provides a graphical user interface and the tools to define network policies as business rules. It may also give the operator
access to lower-level security configurations in individual switches and routers.
These elements of the IETF policy management reference model interoperate to deliver closed-loop policy management. This
includes configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen
by the end-user application. Enforcement of policies in the network includes admission controls of applications or users vying
for access to network resources. Sound policy management based on this model simplifies the configuration management environment inside enterprises and minimizes the chance of human error.
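The closed loop described in this section and in 2.3, as an added example that is not Nortel Optivity code: a policy repository holds business-level rules, a PDP compiles them into device-level ACL entries, a PEP enforces the pre-provisioned policy (the COPS-PR model) and keeps an audit record, and a verification step replays known traffic to detect drift and drive re-provisioning. The groups, subnets, addresses and the ICMP admission-control meter are all constructed for the example.

```python
"""Closed-loop policy management modelled on the IETF PDP/PEP reference model above.

Added example, not Nortel Optivity code. The repository, PDP and PEP are small
in-memory stand-ins; all groups, subnets and addresses are constructed, and the
ICMP meter stands in for an admission-control policy against flooding.
"""
import ipaddress
from collections import Counter

# Policy repository: rules in the vocabulary users think in (groups, not ACL
# syntax) plus the group-to-subnet binding that the directory holds.
REPOSITORY = {
    "subnets": {"Finance": "10.10.0.0/16", "HR": "10.20.0.0/16",
                "Engineering": "10.30.0.0/16", "Servers": "10.50.0.0/16"},
    "rules": [  # (source group, destination group, permitted protocols)
        ("Finance", "Servers", {"tcp/443"}),
        ("HR", "Servers", {"tcp/443"}),
        ("Engineering", "Servers", {"tcp/443", "tcp/22"}),
        ("Engineering", "Engineering", {"any"}),
    ],
    "icmp_per_second_limit": 5,
}


def compile_policy(repo):
    """PDP step: abstract business rules into device-level ACL entries."""
    acl = []
    for src, dst, protos in repo["rules"]:
        for proto in sorted(protos):
            acl.append(("permit", repo["subnets"][src], repo["subnets"][dst], proto))
    acl.append(("deny", "0.0.0.0/0", "0.0.0.0/0", "any"))  # least privilege: default deny
    return {"acl": acl, "icmp_limit": repo["icmp_per_second_limit"]}


class EnforcementPoint:
    """PEP: holds pre-provisioned policy (the COPS-PR model) and enforces it."""

    def __init__(self, name):
        self.name, self.acl, self.icmp_limit = name, [], 0
        self.icmp_seen = Counter()  # (source address, second) -> packets seen
        self.audit = []             # record of every decision, for verification

    def install(self, policy):
        """PDP -> PEP provisioning; replaces whatever the device held before."""
        self.acl, self.icmp_limit = list(policy["acl"]), policy["icmp_limit"]

    def decide(self, src, dst, proto, second):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        verdict = "deny"
        for action, src_net, dst_net, acl_proto in self.acl:
            if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                    and acl_proto in ("any", proto)):
                verdict = action
                break  # first matching entry wins, as on a real ACL
        if verdict == "permit" and proto == "icmp":
            self.icmp_seen[(src, second)] += 1
            if self.icmp_seen[(src, second)] > self.icmp_limit:
                verdict = "deny"  # metered out: flood admission control, not an ACL hit
        self.audit.append((src, dst, proto, verdict))
        return verdict


def verify(pep, policy, probes):
    """Close the loop: replay known traffic through a reference PEP built only from
    the compiled policy and compare with what the live device actually decides."""
    reference = EnforcementPoint("reference")
    reference.install(policy)
    drift = []
    for i, (src, dst, proto) in enumerate(probes):
        expected = reference.decide(src, dst, proto, i)
        actual = pep.decide(src, dst, proto, i)
        if expected != actual:
            drift.append((src, dst, proto, expected, actual))
    return drift


def run_demo():
    """Provision a device, let an out-of-band CLI change creep in, detect it through
    verification, and re-provision as the corrective action."""
    policy = compile_policy(REPOSITORY)
    live = EnforcementPoint("campus-edge-1")
    live.install(policy)
    # Someone adds a rule directly on the device, bypassing the PDP.
    live.acl.insert(0, ("permit", "10.20.0.0/16", "10.30.0.0/16", "any"))
    probes = [("10.10.1.5", "10.50.0.10", "tcp/443"),  # Finance -> Servers: permitted
              ("10.20.1.5", "10.30.2.2", "tcp/22"),    # HR -> Engineering: not in policy
              ("10.10.1.5", "10.30.2.2", "tcp/22")]    # Finance -> Engineering: denied
    drift_before = verify(live, policy, probes)
    live.install(policy)  # corrective action driven by the audit result
    return drift_before, verify(live, policy, probes)


if __name__ == "__main__":
    before, after = run_demo()
    print("drift detected:", before)
    print("drift after re-provisioning:", after)
```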
Policy Management through Nortel Networks Optivity Policy Services
Nortel Networks is leading the way in delivering policy-enabled networking to enterprise customers. For example, Nortel
Networks Optivity Policy Services (OPS) is a system-level software application that manages security parameters and traffic
prioritization. Optivity Policy Services enables a proactive approach to bandwidth management, security, and prioritization of
business-critical traffic flows across the enterprise. Rather than applying policies to control traffic on a per-device basis, OPS
takes a centralized systems approach to policy configuration and deployment that ensures consistency across the network while
lowering total cost of ownership.
Based on the IETF policy architecture, Optivity Policy Services supports the major IETF policy management standards,
including COPS-PR, LDAP, Diffserv, and IEEE 802.1p. OPS uses COPS-PR to pre-provision routers and switches with policy
information based on Roles reported in from the PEP. Roles are a logical abstraction of the device's interfaces for policy
management purposes. With the ability to manage up to 1,000 devices per server and 20,000 devices per system, OPS reliably
delivers QoS and security policies in large networks. Moreover, OPS uses LDAPv3 to support redundant data storage,
preserving valuable policy information.
As the number of denial-of-service attacks on networks increases, a centralized mechanism to limit potentially dangerous traffic
flows is important. OPS makes it easy to set policies for metering traffic. For example, many denial-of-service attacks occur
when too many packets of a certain protocol type (such as ICMP) flood a device. OPS policies can control that flow of traffic.
With its Advanced Security Provisioning capabilities, OPS can protect valuable network and application assets by enabling the
application of consistent, reliable, and robust security policies. OPS complements existing firewall implementations (e.g.
Alteon) and IP-VPN devices (e.g. Contivity) by adding an extra layer of protection to network resources. OPS features enable
the creation of policies to restrict traffic through a particular policy enforcement point or to deny all traffic on a particular
device. OPS enables control of traffic flows through a device by simply creating admission control policies through a central
JAVA-based management console.
2.9. A closer look at uniform access management
Secure access management is created through a combination of authentication, authorization, and accounting services,
often called AAA.
Authentication, initiated by an authentication client in a PC or gateway device, positively verifies the identity of a user
as a prerequisite to allowing access.
Authorization determines which system resources are appropriate for that authenticated user to access.
Accounting capabilities rely on audit logs or records of security-related events for future examination.
This section takes a closer look at authentication and authorization.
Authentication
Authentication systems can be categorized according to the number of identification factors required to ascertain identity.
Single-factor authentication uses userID/password combinations to prove identity.
Two-factor authentication requires two components, usually a combination of something the user knows
(such as a password) and something the user possesses (such as a physical token, for example a SecurID card).
Three-factor authentication adds a biometric, a measurement of a human body characteristic.
21

The more authentication factors used, the more secure the process. However, each added factor also adds complexity,
cost, and management overhead. Every scenario will offer a different break-even point in the trade-off between
simplicity and security.
Single-factor authentication with userID and password is the most common authentication system today. It's easy to administer,
familiar to users, and can provide a high level of security if strong password procedures are enforced. Legacy password
systems have had some challenges, however, since multiple strong passwords are very hard for users to remember. The
recommendations in this section will show how this problem can be minimized with a Single Strong Password system.
Tokens such as smartcards and SecurID cards are added as a second factor in many authentication systems, requiring that the
user have physical possession of the token. An attacker would likewise have to possess the user's token in order to
gain system access. The higher level of authentication comes with additional system cost, however, due to the necessary tokens
and token readers. In addition, tokens can be easily lost, which can present a high administration overhead for reissuing them.
Biometric factors for authentication measure characteristics of the user's body such as fingerprint, handprint, retina, iris, or
voice characteristics. Biometric measurements are a useful additional factor and add an even higher level of authentication
security. A biometric authentication system entails a measurement proving who the person actually is, rather than proving they
have something such as a token or proving that they know something such as a password. Unfortunately, biometric measurements
are not 100 percent effective; with the present state of the technology, it is possible to register false positives and false
negatives. Biometric authentication systems also require biometric readers at system access points, adding new system costs.
Strong cryptographically-based authentication can be provided through the use of digital certificates issued to users and stored
on tokens or within the user's computer memory. Cryptographic algorithms are used to ensure that a particular certificate has
been legitimately issued to the user. A Public Key Infrastructure (PKI) is used to enable the issuance and maintenance of digital
certificates. Strong cryptographically-based systems provide very stringent authentication. However, these systems are expensive
and incur additional management overhead. Therefore, they are currently being adopted only in very secure environments.
Authorization
Once authenticated, authorization mechanisms control user access to appropriate system resources. Authorization can be
categorized according to the granularity of control; that is, according to how detailed a division is made between system
resources. Fine-grained authorization refers generically to a system where access is controlled in very fine increments, such as
to individual applications or services.
Authorization is often role based, whereby access to system resources is based on a person's assigned role in an organization.
The System Administrator role may have highly privileged access to all system resources, whereas the General User role would
only have access to a subset of these resources. Finer-grained authorization can be applied to define other roles, such as a
Human Resources Administrator's role that has exclusive access to confidential HR databases, and an Accounting role that has
exclusive access to accounting systems.
Authorization may also be rules based, whereby access to system resources is based on specific rules associated with each user,
independent of their role in the organization. For example, rules may be set up to allow Read Only access or Read/Write access
to all or certain files within a system, or access only during certain times or from certain devices.
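The two authorization styles just described combine naturally: roles decide which resources a person may touch at all, and per-user rules narrow a resource to particular operations, hours and devices. The following decision function is an added example for this page, not Nortel code; the role names, resources, users and rules are constructed.

```python
"""Role-based plus rule-based authorization (added illustration, not Nortel code).

Roles give coarse-grained access to resources; optional per-user rules refine a
resource with permitted operations, a time-of-day window and allowed devices.
"""
from dataclasses import dataclass, field
from datetime import time

# Constructed role table; "*" means every resource.
ROLE_RESOURCES = {
    "SystemAdministrator": {"*"},
    "GeneralUser": {"intranet", "email"},
    "HRAdministrator": {"intranet", "email", "hr_db"},
    "Accounting": {"intranet", "email", "accounting"},
}


@dataclass
class Rule:
    resource: str
    operations: frozenset                 # e.g. {"read"} or {"read", "write"}
    start: time = time(0, 0)              # permitted window, inclusive
    end: time = time(23, 59, 59)
    devices: frozenset = frozenset()      # empty means any device


@dataclass
class User:
    name: str
    roles: frozenset
    rules: list = field(default_factory=list)


def role_permits(user, resource):
    """Coarse check: does any of the user's roles cover this resource?"""
    return any("*" in ROLE_RESOURCES.get(r, ()) or resource in ROLE_RESOURCES.get(r, ())
               for r in user.roles)


def authorize(user, resource, operation, at, device):
    """Return (allowed, reason). Rules only narrow what a role already grants."""
    if not role_permits(user, resource):
        return False, "role does not grant resource"
    rules = [r for r in user.rules if r.resource == resource]
    if not rules:
        return True, "granted by role"
    for r in rules:
        if operation not in r.operations:
            continue
        if not (r.start <= at <= r.end):
            continue
        if r.devices and device not in r.devices:
            continue
        return True, "granted by rule"
    return False, "no rule permits this operation, time or device"


# Constructed users for the sample decisions.
HR_ADMIN = User("hr.admin", frozenset({"HRAdministrator"}), [
    Rule("hr_db", frozenset({"read"}), time(8, 0), time(18, 0), frozenset({"hr-ws-01"})),
])
GENERAL = User("j.doe", frozenset({"GeneralUser"}))
SYSADMIN = User("root.ops", frozenset({"SystemAdministrator"}))


def sample_decisions():
    return {
        "hr_read_in_hours": authorize(HR_ADMIN, "hr_db", "read", time(10, 0), "hr-ws-01")[0],
        "hr_write_in_hours": authorize(HR_ADMIN, "hr_db", "write", time(10, 0), "hr-ws-01")[0],
        "hr_read_after_hours": authorize(HR_ADMIN, "hr_db", "read", time(22, 0), "hr-ws-01")[0],
        "hr_read_other_device": authorize(HR_ADMIN, "hr_db", "read", time(10, 0), "laptop-7")[0],
        "general_hr_db": authorize(GENERAL, "hr_db", "read", time(10, 0), "pc-1")[0],
        "general_email": authorize(GENERAL, "email", "read", time(10, 0), "pc-1")[0],
        "sysadmin_accounting": authorize(SYSADMIN, "accounting", "write", time(3, 0), "any")[0],
    }


if __name__ == "__main__":
    for name, allowed in sample_decisions().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The ordering matters: a rule can never widen access beyond the role, so an HR rule for the accounting system would be ignored for a user who lacks the Accounting role.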
Authentication and authorization protocols
Several protocols have been commonly adopted for authentication services. The RADIUS protocol (Remote Authentication
Dial In User Service, IETF RFC 2865) is widely used to centralize password authentication services. Originally designed to
authenticate remote dial-in users, the RADIUS protocol has been adopted for general user authentication services. Recently,
LDAP (Lightweight Directory Access Protocol, IETF RFC 2251) has been finding extensive use in authentication and
authorization systems. LDAP provides a convenient method for storing user authentication and authorization credentials.
RADIUS authentication servers are often coupled with credential storage in LDAP directories to provide centralized
authentication and authorization. When a user attempts to access a particular application on such a system, the application
queries the user for authentication credentials and forwards them to the centralized system. The RADIUS server then checks the
presented credentials against those stored in the LDAP database, and also queries the LDAP database for authorization rule
information. The authentication results (pass or fail) are returned to the application along with authorization rule information
for the particular user. Authorization rules are then enforced at the application to allow the user to access particular data or
services. From an end-user perspective, these authentication and authorization systems should be automatic and easy to use.
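The exchange described above, reduced to the wire format, is an Access-Request carrying User-Name and User-Password attributes and an Access-Accept carrying the authorization information back. The following is an added example written for this page, not Nortel code: both sides run in-process, the credential store is a dictionary of salted PBKDF2 hashes standing in for the LDAP directory, and the authorization rule is returned as a Filter-Id attribute. User names, the shared secret and the rule strings are constructed. The password hiding follows RFC 2865 section 5.2 (XOR with an MD5 stream keyed by the shared secret and Request Authenticator), which is obfuscation rather than strong encryption, one reason RADIUS traffic is kept on a protected management network or inside IPsec.

```python
"""RADIUS Access-Request / Access-Accept exchange (added illustration, not Nortel code).

Client hides the PAP password per RFC 2865 5.2, server recovers and verifies it
against a salted PBKDF2 store, answers with a Filter-Id authorization attribute,
and the client validates the Response Authenticator (RFC 2865 section 3).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11   # attribute types from RFC 2865


def hide_password(password, secret, request_auth):
    """c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def make_credential(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


class RadiusServer:
    """Server side: (salt, hash) credentials plus one authorization rule per user."""

    def __init__(self, secret, users):
        self.secret = secret
        self.users = {n: (make_credential(pw.encode()), rule) for n, (pw, rule) in users.items()}

    def handle(self, request):
        code, ident, request_auth, attrs = parse_packet(request)
        fields = dict(attrs)
        name = fields.get(USER_NAME, b"").decode(errors="replace")
        password = reveal_password(fields.get(USER_PASSWORD, b""), self.secret, request_auth)
        reply_code, reply_attrs = ACCESS_REJECT, []
        if name in self.users:
            (salt, digest), rule = self.users[name]
            if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password, salt, 100_000), digest):
                reply_code, reply_attrs = ACCESS_ACCEPT, [(FILTER_ID, rule.encode())]
        body = encode_attrs(reply_attrs)
        auth = response_authenticator(reply_code, ident, body, request_auth, self.secret)
        return build_packet(reply_code, ident, auth, reply_attrs)


def authenticate(server, username, password, ident=7):
    """Client side: send Access-Request, verify the reply, return (outcome, filter rules)."""
    request_auth = os.urandom(16)
    request = build_packet(ACCESS_REQUEST, ident, request_auth, [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), server.secret, request_auth)),
    ])
    code, reply_ident, reply_auth, attrs = parse_packet(server.handle(request))
    expected = response_authenticator(code, reply_ident, encode_attrs(attrs), request_auth, server.secret)
    if reply_ident != ident or not hmac.compare_digest(expected, reply_auth):
        return "invalid response", []
    rules = [v.decode() for t, v in attrs if t == FILTER_ID]
    return ("accept" if code == ACCESS_ACCEPT else "reject"), rules
```

Because the server must recover the cleartext password to compare it with the stored hash, the store itself never needs the cleartext; only the RADIUS shared secret protects the password on the wire, and a reject is returned for both an unknown user and a wrong password so that the two cases are indistinguishable to the client.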
Authentication and authorization recommendations
Nortel Networks recommends the following general principles to be followed when implementing enterprise authentication
and authorization systems:
• Use a uniform access management system for end users, network operators, partners and customers, with the appropriate
level of authentication and resource access authorization to meet business needs.
• Use a centralized authentication mechanism to facilitate administration and remove the need for locally stored passwords,
which tend to be static and weak.
• Use a centralized authorization system, tightly coupled with the authentication system, with appropriate granularity for the
enterprise.
• Enforce strong, complex rules for all passwords.
• Securely store all passwords in one-way encrypted (hashed) format.
• Maintain simplicity to the extent appropriate, for maximum ease of use, ease of administration, and compliance.
• Securely log authentication and authorization events for audit purposes.

Figure 8. Secure authentication and authorization reference model
[Diagram: local wired PC access, a remote IP-VPN office, a remote IP-VPN user, and a WLAN IP-VPN user reach the enterprise
network through an Internet remote access firewall and a Secure IP Services Gateway (IPsec, SRT, Auth). A centralized
RADIUS-based authentication server consults a Level 1 password authentication database, a Level 2 token authentication
database, and a Level 3 biometric authentication database, and serves an application server with centralized authentication;
DHCP and DNS servers are also shown.]
A case example: Single Strong Password in the Nortel Networks corporate network
Nortel Networks uses a Single Strong Password approach in its own worldwide network to authenticate internal and external
users, from employees and contractors to joint venture representatives and even customers. The user has one very strong
password that is maintained on a centralized password system and synchronized with applications and systems across the
enterprise. Users only have to remember one password, making the system simple to use and unlikely to be bypassed.
Dedicated password servers on several continents manage the system and provide Web-based password management for users
and security administrators. These password servers communicate directly with RADIUS authentication servers. The system
automatically synchronizes passwords across multiple systems and platforms, such as Windows networking, remote access,
UNIX, purchasing, and niche business applications.
The system enables fine-grained authorization at the application level. An internally developed tool enables applications to
access the Single Strong Password system, and a list of users allowed to access each application is stored in the authorization
database. When an application is accessed, the Single Strong Password system authenticates the user and returns authorization
information. The system logs attempted violations of authorization rules and multiple simultaneous logins to geographically
dispersed systems, to detect and prevent misuse.
The Single Strong Password system enforces strict password rules. For example, passwords must contain at least eight
characters, both upper and lowercase letters, and at least one number or symbol. Additionally, passwords must not contain
dictionary words of four characters or longer, a date or year, keyboard patterns, or repeating characters, and must not reuse a
previously used password or match an account name. Users are required to change passwords at predefined intervals.
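The rule set just listed, together with the earlier recommendation to store passwords only as one-way hashes, can be checked mechanically. The following is an added example written for this page, not Nortel's internally developed tool; the word list and keyboard rows are small constructed stand-ins for the real lists such a system would load, and the date and keyboard heuristics are the author's own choices.

```python
"""Single-strong-password policy check and hashed storage (added illustration, not Nortel's tool).

Rules: length, mixed case, digit or symbol, no dictionary word of four or more
letters, no date or year, no keyboard pattern, no repeated characters, no match
with the account name, no reuse of a previous password (compared against hashes).
"""
import hashlib
import hmac
import os
import re

# Constructed stand-ins for a real word list and keyboard layout.
DICTIONARY = {"password", "nortel", "summer", "winter", "welcome", "secret", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH, PATTERN_LENGTH, PBKDF2_ROUNDS = 8, 4, 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; only this (salt, digest) pair is stored, never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches_hash(password, stored):
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def has_keyboard_pattern(lowered):
    """Any run of PATTERN_LENGTH adjacent keys, forwards or backwards."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - PATTERN_LENGTH + 1):
            seq = row[i:i + PATTERN_LENGTH]
            if seq in lowered or seq[::-1] in lowered:
                return True
    return False


def check_password(candidate, account, history=()):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    violations = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than eight characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        violations.append("needs both upper and lower case letters")
    if not any(not c.isalpha() for c in candidate):
        violations.append("needs a number or symbol")
    if any(word in lowered for word in DICTIONARY if len(word) >= 4):
        violations.append("contains a dictionary word")
    if account.lower() in lowered:
        violations.append("matches the account name")
    if re.search(r"(19|20)\d\d", candidate) or re.search(r"\d{1,2}[/.-]\d{1,2}", candidate):
        violations.append("contains a date or year")
    if has_keyboard_pattern(lowered):
        violations.append("contains a keyboard pattern")
    if re.search(r"(.)\1\1", candidate):
        violations.append("contains repeating characters")
    if any(matches_hash(candidate, old) for old in history):
        violations.append("reuses a previous password")
    return violations


def change_password(account, new_password, history):
    """Apply the policy; on success append the new hash to the account's history list."""
    problems = check_password(new_password, account, history)
    if problems:
        return False, problems
    history.append(hash_password(new_password))
    return True, []


if __name__ == "__main__":
    past = []
    print(change_password("alice", "Tr0ub4dor&3", past))
    print(check_password("Alice2024!", "alice", past))
```

Keeping the history as hashes rather than cleartext is what lets the reuse rule coexist with the hashed-storage recommendation; each comparison costs one PBKDF2 computation, which is acceptable at password-change time.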
After years of real-world use, Nortel Networks has seen the following advantages of this system:
• Single consistent method for setting passwords
• Single consistent method for authentication and authorization
• Single method for registering and terminating user accounts
• Enforcement of corporate password strength guidelines
• Consistency across applications, so employees know what to do
• Standardization that makes the system easy to support and adopt
• Fast, seamless performance through standard interfaces and APIs
• Lower costs, fewer help desk calls
Figure 9. Single password access management in Nortel Networks corporate network
[Diagram: employees (local, remote, wired, wireless), technicians, contractors, partners, and customers reach the enterprise
network; a RADIUS server backed by the password authentication database provides single password access management for
RADIUS-enabled enterprise applications such as CRM, SCM, ERP, unified messaging, self-serve benefits, and the expense system.]
Part III. Network security in the real world


The previous section outlined key principles and practices of the Nortel Networks Unified Security Architecture.
This section demonstrates this multi-level security framework in action for several real-world scenarios:
• Securing the campus network
• Securing the data center
• Securing the remote office
• Securing remote access
• Securing IP telephony services
3.1. Securing the campus network
In this context, the term campus describes a corporate headquarters or large regional office where the network uses a mix
of technologies, products, and applications, and serves a large user population. The campus network presents a challenging
security picture because of the diversity of elements to protect:
• Servers, including departmental servers for user access and file sharing, central application servers such as finance and
databases, and Web servers for either public Web or intranet applications.
• Operating systems, typically multiple versions of multiple operating systems running on servers and clients.
• Network devices, including routers, Layer 4-7 load-balancing switches, Layer 3 core switches, Layer 2 distribution
switches, and wireless LAN access points.
• Security devices, such as firewalls, VPN gateways, intrusion-detection and anti-virus servers, SSL accelerators,
authentication servers, and content filtering servers.
Securing the campus network at the network security level
Layer 2 switching security. VLANs based on the IEEE 802.1Q standard and Ethernet switches segregate traffic for greater
security and manageability. When port-based VLANs are configured, each VLAN is completely separated from the others,
in particular as its own broadcast domain. In order to limit network access, many Ethernet switches provide port security
that ties a MAC address list to specific switches, or even to specific ports of those switches, and prevents unknown
workstations from gaining access. This list may be built either by auto-discovery or by manual update.
With the general availability of the IEEE 802.1X authentication standard, Ethernet switches offer embedded capabilities to apply
security at every node in the network, providing an effective framework for authenticating and controlling user traffic to a
protected network. 802.1X ties a protocol called EAP (Extensible Authentication Protocol, originally developed for PPP) to
LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates,
and public key authentication. It enables enforcement of client authorization on corporate authentication servers such as RADIUS.
EAP not only controls Layer 2 port connectivity, but can be extended (as Nortel Networks is doing) along with secure
access management to customize the security (and QoS) end-user profiles of the port for a particular authenticated user. When
a host attempts to log onto the network, the host and an authentication service exchange data via EAP. Under an end-user
profile architecture, the EAP protocol enables the policy server to leverage information in a third-party authentication service
to validate users and assign appropriate network access and QoS (Quality of Service) capabilities.
Layer 2 wireless LAN security. Wireless LANs offer a flexible alternative to regular Ethernet connectivity, but they suffer from
known vulnerabilities. For one, it's hard to control who is really accessing the system. Second, the current Wired Equivalent
Privacy (WEP) 802.11 encryption method is weak.

Figure 10. Securing the campus network
[Diagram: Engineering, Human Resources, and Finance Layer 2 segments hang off distribution Layer 2-7 routing switches and a
backbone Layer 2-7 routing switch with Web switching (NAT, SSL, CF); a virus screening server (VS) and load-balanced IDS
servers monitor traffic; a switched firewall (FW, AL) and a high-capacity router connect to an Internet IP-VPN Services Gateway
(Auth, SRT, IPsec, FW); the IP PBX connects to the PSTN; WLAN PCs and campus servers complete the picture.]
For both reasons, it is recommended to use VPN technology for wireless LANs and run an IP-VPN client, such as Nortel
Networks Contivity Client, on the wireless device. VPN-based wireless security is platform and radio technology agnostic;
that is, the client system establishes a connection to the network via 802.11b, 802.11a, or even Bluetooth, and the VPN takes
over from there. Most of the authentication takes place independently of the wireless network, keeping access point
maintenance simple. The VPN can treat the wireless LAN just as the corporate backbone with wireless access points. Users
trying to access the network via the wireless LAN would then be authenticated, their information encrypted, and all
communication logged by the VPN system.
Alternatively, with some WLAN IP phones, encryption and authentication are built in. For example, Nortel Networks has a
strategic partnership with Symbol, whose WLAN IP phones support 128-bit WEP encryption between the client and the
wireless access point, and Kerberos authentication. Combining those approaches provides the robust user authentication and
encryption required for WLAN environments.
Layer 3 switching and routing security. Network address translation (NAT) enables an organization to present a public IP
address to the world and hide internal addresses from public view. Processing NAT in hardware with a switch is an innovative
strategy for converting internal addresses into public addresses (and vice versa), making routing and firewall solutions highly
efficient.

Proper design and use of routing and Layer 3 switching enhance the survivability of the campus network. Access control lists,
IP segmentation and sub-netting, redundancy protocols such as Virtual Router Redundancy Protocol (VRRP), and fast
convergence routing using OSPF (Open Shortest Path First) all contribute to a more survivable infrastructure.
Routers and routing switches secure the data path using IP filters that drop undesirable packets. Routing can be further
secured by implementing route policies, encryption and authentication of OSPF and BGP route updates with MD5, and
broadcast/multicast rate limiting.
Last but not least is the innovative Secure Routing Technology (SRT), which enables dynamic routing over secure IPsec tunnels
for RIP and OSPF. Contivity Secure IP Services Gateways implement this dynamic secure routing approach, which is
described later in this document in the Securing Remote Access scenario.
Securing remote communication via IPsec VPNs and SSL extranets. Typically, the campus network also supports VPNs to
connect with branch offices and remote users, carrying private network traffic within a secure, encrypted tunnel over
a public network. Robust and secure central site solutions that support both remote access and remote office IP-VPNs and
firewalls are key elements of the campus network. For more information, see Securing the Remote Office and Securing Remote
Access, later in this section.
Securing the campus network at the network-assisted security level
Perimeter control via firewalls and intrusion-detection servers. The enterprise network often provides employees with a
connection to the Internet from the corporate headquarters campus. It is usually centralized in order to more easily protect a
single interface to the public world. That's exactly where perimeter control solutions such as firewalls and intrusion-detection
systems (IDSs) are generally deployed to prevent malicious intrusion by unauthorized persons.
It is highly recommended that firewalls be implemented at every site within an enterprise to secure internal and external traffic,
and at every point of interconnection with the Internet (e.g. even a remote PC). In some cases, it is appropriate to integrate
this functionality with secure IP services gateways used also for remote office and remote access IP-VPNs.
Firewalls provide a perimeter defense against unauthorized access, an essential first step when planning for Internet access.
Firewalls come in various sizes and capabilities, fitting many specific network requirements depending on their point of use.
An emerging trend is to use new, multi-gigabit firewalls to interconnect segments of the campus LAN, which keeps
departments separate and enables communication only through firewall security policies.
An IDS monitors the network to identify unauthorized users or suspicious patterns of utilization. Most IDS applications
compare network traffic and host log entries to match data signatures and host address profiles indicative of hackers.
Intrusion-detection software identifies traffic patterns that indicate the presence of unauthorized users. Suspicious activities
trigger administrator alarms and other configurable responses. Nortel Networks partners with best-of-breed companies such
as Internet Security Systems (ISS) to offer specialty software solutions for intrusion-detection.
Content inspection via content filtering and anti-virus systems. These tools provide essential protections for remote and
local computing, and are discussed in more detail in Part III under Securing the Data Center.
Layer 4 to 7 switching and filtering security. Layer 4 to 7 switches provide control services for applications, management,
and traffic to improve resource utilization and performance, ensure security without sacrificing performance, provide network
scalability, and provide failsafe network assurance. They are usually deployed near security devices and in server farms.
Integrated security filtering offloads firewall processing of NAT, monitors network activity, protects against denial-of-service
attacks and some virus types such as Code Red / Blue, and protects data without compromising throughput. Nortel Networks
Passport 8600 and Nortel Networks Alteon Web switches offer extensive Layer 4 to 7 capabilities.

These solutions are more generally implemented in the data center, but have value in front of campus servers:
• Load-balancing. Firewalls and VPNs are compute-intensive applications and can become bottlenecks to network
performance. Load-balancing using an application switch mitigates this problem by distributing traffic among multiple active
devices, enabling many firewalls/VPNs to operate in parallel.
• Port mirroring. Similarly, IDS functions are extremely compute-intensive and can slow network performance. Port
mirroring on an application switch duplicates the data and sends it to one or more intrusion-detection servers (which
can be load-balanced) for packet inspection at the same time the original data flow is being forwarded without delay.
In small campus networks, these capabilities can be provided by Alteon Web switches. In large campus networks, a
Nortel Networks Passport 8600 system with an integrated Alteon Web Switching Module provides the required scalability.
3.2. Securing the data center
The typical enterprise data center supports mission-critical applications and houses a high concentration of capital-intensive
resources and confidential data, all connected to the inherently insecure Internet as well as to internal users. That means securing
the data center presents some unique requirements for failsafe security without compromising performance and availability for
users. The need increases as enterprises discover new ways to exploit high-performance, Internet-empowered data centers:
• Ensure business continuity. Massive processing throughput and transport bandwidth now make it feasible to store
primary and duplicate sets of critical data in multiple data centers, in real time, to extend business continuity services,
real-time storage mirroring, and live backup across service provider networks.
• Support critical business applications. Enterprises use data centers to host business applications, implement firewalls or
virtual private networks, provide storage services and content delivery of static and streaming media, and more.
• Produce economies of scale on infrastructure. Enterprises can consolidate or outsource data center functions, to
centralize critical computing resources, create virtual data centers that span multiple locations, and reduce operational costs
without the performance penalty or security concerns typically associated with remote access.
The closed enterprise may outsource its Web presence to a third party, but extended and open enterprises are exposed to
the Internet for customer access, business-to-business connectivity, and interworking with application service providers, disaster
recovery providers, and more. There's a big survival risk for companies that don't Web-connect with extended communities,
yet there's a big security risk for those that do.
A comprehensive data center security strategy requires multiple, inter-working technologies, protocols, and procedures
with partitioning among these functions provided by VLANs and firewalls.
Securing the data center at the network security level
Virtual Private Networks. IP-VPNs enable enterprises to enjoy secure connectivity with branch offices, business partners, and
remote users. For employee access, the central site VPN solution can be implemented at the campus edge; for partner and
business-to-business connectivity, the VPN can be implemented in the data center, or the two can be integrated. The ideal VPN
gateway should provide an all-in-one solution for routing, bandwidth management, authentication, encryption, network address
translation, data integrity, logging, and firewall capabilities. Nortel Networks market-leading Contivity Secure IP Services
Gateways (built on Secure Routing Technology, SRT) meet these requirements.
Network address translation (NAT) enables the enterprise data center to present a public IP address to the world and hide
internal server addresses from public view. Converting external to internal addresses (and vice versa) can be performed in
switch hardware, thereby enhancing the efficiency of routing, switching, and firewall functions.

Figure 11. Securing the data center
[Diagram: a DMZ with Web servers (SSL), a virus screening server (VS), and a backbone Layer 2-7 routing switch with Web
switching (CF, NAT, SSL) front the mission-critical and other enterprise applications; a switched firewall (FW, AL) and a
high-capacity router connect to the Internet through an IP-VPN Services Gateway (Auth, SRT, IPsec, FW); a management
domain holds LDAP, RADIUS, DNS, and load-balanced IDS servers.]
Securing the data center at the network-assisted security level


Switched firewalls can now provide multi-gigabit throughput and state-of-the-art filtering to secure and safeguard data center
servers without the performance degradation that typically occurs with deep packet inspection. Switched firewalling introduced
the same level of performance improvements to perimeter security as Layer 3 switching brought to LAN routing. Therefore,
a switch-based firewall is recommended for perimeter security in transaction-oriented environments. The Nortel Networks
Alteon Switched Firewall combines Layer 4-7 cut-through switching with firewall software processing to deliver more than
4 Gbps throughput. Logical demilitarized zones can be created through the use of VLANs.
The Secure Sockets Layer (SSL) protocol, built into most browsers and Web servers, is widely used to protect communications
to and from Web applications. Unfortunately, SSL processing is very compute-intensive and significantly reduces server
performance. This results in increased cost and operational complexity when it comes time to scale secure transaction
processing. SSL accelerators, such as the Nortel Networks Alteon solution, offload SSL processing from local servers without
imposing delays on other traffic in the same data path, and offer a simpler way to deploy and maintain the Public Key
Infrastructure (PKI) required for electronic transactions.

Intrusion-detection, anti-virus, and content filtering tools provide essential protections for online commerce and remote
computing in general. IDS software identifies traffic patterns that indicate the presence of unauthorized users. Anti-virus
software detects and defuses potential cyber attacks. Content filtering software restricts the type of data that can be accessed
or distributed.
IDSs can be broadly categorized according to the following criteria:
• Incident detection timeframe: real-time or off-line, depending on whether system logs and network traffic are analyzed
as events take place or in batch mode during off hours.
• Type of installation: network-based or host-based. A network-based IDS typically involves multiple monitors
(often pre-configured appliances) installed at choke points on the network (where all traffic between two points can be
monitored). A host-based IDS requires that software be installed directly on the servers to be protected, and monitors
the network connections and user activity on those servers.
• Type of reaction to incidents: whether the IDS actively intervenes to head off attacks (such as by modifying firewall
rules or router filters) or simply notifies staff or other network systems of the problem.
Most commercial IDS products provide a combination of network- and host-based monitoring capabilities, with a central
management host to receive reports from the various monitors and alert network support staff. A network-based IDS is
recommended for most installations.
Anti-virus solutions continuously monitor applications to ensure that no virus damages the system. They detect malicious
viruses, worms, and Trojan horses in all major file types, including mobile code and compressed file formats.
Content filtering software restricts the type of data that can be accessed or distributed to expose employees and partners only
to correct and appropriate content. Content filtering can identify inappropriate Web surfing and stem productivity losses due
to prolonged Internet use. Content filtering also helps minimize the spread of viruses from Web servers. The Alteon Content
Cache (ACC) supports hundreds of URL filters providing customers with the ability to protect themselves from well-known
URL server attacks. ACC also stops many viruses like NIMDA and Code Red, and can be used to control which sites are
accessible.
Together, these measures enable networks to be open and accessible for legitimate uses, but not wide open for inappropriate
or malicious uses.
Layer 4 to 7 application switching provides high-availability traffic management by filtering and switching traffic based on
application and content information, without compromising throughput. To increase protection against denial-of-service
(DoS) and SYN attacks, routing switches such as Nortel Networks Passport 8600 enable network administrators to set a
threshold for new half-open sessions and have the Layer 4-7 switch trigger a trap (SYN attack alarm) to notify the
administrator when the threshold is exceeded.
A protection-from-application-abuse feature limits the rate of new TCP connections on a per-client basis. Administrators can
limit users to a particular connection rate and limit the number of sessions for users accessing a specific domain or application
within the domain. Benefits include protection from application abuse, increased application availability, and increased control
of user access to applications. Layer 7 deny filters allow network administrators to create filters and assign URLs to those
filters to deny certain traffic. This is particularly useful as added anti-virus protection, preventing access to disallowed
Web content.
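The three controls described in the last two paragraphs (a half-open session threshold that raises a trap, a per-client new-connection rate limit, and Layer 7 URL deny filters) can be exercised together over a connection trace. The following is an added example written for this page, not Passport 8600 or Alteon code; the threshold, rate limit, URL prefixes, addresses and the event trace are constructed for the illustration. The trace shows why both Layer 4 controls are needed: the per-client limit caps each source, while the aggregate half-open count still catches a flood spread over several sources.

```python
"""Half-open session threshold, per-client connection rate limit and Layer 7 deny
filter (added illustration, not Passport 8600 or Alteon code).
"""
from collections import defaultdict, deque


class L4L7Guard:
    def __init__(self, half_open_threshold, client_rate_limit, deny_prefixes, window_s=1.0):
        self.half_open_threshold = half_open_threshold
        self.client_rate_limit = client_rate_limit   # new connections per client per window
        self.deny_prefixes = tuple(deny_prefixes)
        self.window_s = window_s
        self.half_open = defaultdict(int)            # dst -> SYNs not yet completed
        self.recent = defaultdict(deque)             # src -> timestamps of admitted SYNs
        self.dropped = defaultdict(int)              # src -> SYNs refused by the rate limit
        self.traps = []                              # (t, dst, count) notifications
        self.denied = []                             # URLs blocked by Layer 7 deny filters

    def on_syn(self, t, src, dst):
        """New TCP connection attempt: rate-limit per client, then count it as half-open."""
        window = self.recent[src]
        while window and t - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.client_rate_limit:
            self.dropped[src] += 1          # the server never sees this SYN
            return False
        window.append(t)
        self.half_open[dst] += 1
        # Trap when the server's half-open count crosses the threshold.
        if self.half_open[dst] == self.half_open_threshold + 1:
            self.traps.append((t, dst, self.half_open[dst]))
        return True

    def on_handshake_complete(self, t, src, dst):
        if self.half_open[dst] > 0:
            self.half_open[dst] -= 1

    def on_request(self, t, src, url):
        """Layer 7 deny filter: refuse requests whose URL matches a configured prefix."""
        if url.startswith(self.deny_prefixes):
            self.denied.append(url)
            return False
        return True


def constructed_trace():
    """Constructed events: a well-behaved client, then three sources flooding one server with bare SYNs."""
    events = []
    for k in range(3):                                     # legitimate: every SYN completes
        events.append((0.1 * k, "syn", "10.0.0.5", "192.0.2.10"))
        events.append((0.1 * k + 0.01, "ack", "10.0.0.5", "192.0.2.10"))
    events.append((0.5, "request", "10.0.0.5", "/index.html"))
    events.append((0.6, "request", "10.0.0.5", "/admin/config"))
    for i in range(25):                                    # flood: 25 SYNs per source in 0.25 s
        for src in ("10.0.0.99", "10.0.0.98", "10.0.0.97"):
            events.append((1.0 + 0.01 * i, "syn", src, "192.0.2.10"))
    return events


def run_sample():
    guard = L4L7Guard(half_open_threshold=30, client_rate_limit=20,
                      deny_prefixes=["/admin/", "/cgi-bin/"])
    for t, kind, src, target in constructed_trace():
        if kind == "syn":
            guard.on_syn(t, src, target)
        elif kind == "ack":
            guard.on_handshake_complete(t, src, target)
        else:
            guard.on_request(t, src, target)
    return {
        "traps": guard.traps,
        "half_open": guard.half_open["192.0.2.10"],
        "dropped_total": sum(guard.dropped.values()),
        "denied": guard.denied,
    }


if __name__ == "__main__":
    print(run_sample())
```

In the sample each flooding source gets 20 SYNs through before the per-client limit drops the remaining five, so 60 half-open sessions accumulate on the server and the trap fires on the 31st; the legitimate client contributes nothing to the count because each of its SYNs is followed by a completed handshake.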
Alteon Web switches and Passport 8600 systems equipped with an Alteon Web Switching Module both offer high-performance
Layer 2-7 filtering. These systems also perform load balancing to eliminate data center performance bottlenecks, including
VPN, firewall, IDS, and DNS systems.

Securing data center storage


When enterprises were organized into business silos, each running their own applications and databases, direct
attached storage (DAS) was sufficient. Storage devices were dedicated and physically attached to each server; securing
them was relatively simple.
With the emergence of storage area networks (SANs) to support global applications more cost-effectively, the security
picture becomes more complex. SANs connect a number of storage devices and application servers across a dedicated
network running protocols such as Fibre Channel, ESCON, and FICON at speeds up to 2 Gbps. Optical systems,
such as the Nortel Networks OPTera Coarse/Dense Wave Division Multiplexing (CWDM/DWDM) system, have
enabled massively scalable SANs that span the MAN and WAN.
As SANs are extended globally, storage security becomes a significant concern. Within the data center, storage access is
protected within the SAN by creating zones of trust. As storage is extended over CWDM/DWDM optics, carrier-grade
connectivity and security are required (and provided by Nortel Networks solutions). Optical connectivity solutions are
inherently secure since the sniffing of an optical signal is not possible and the network elements do not operate in the
IP data plane. The optical storage data is a completely private and secure optical signal.
Within the network core, carrier-grade network elements are required that are IP hacker-proof. The management
plane of the optical network elements that enterprises use (and that form the core of service provider and carrier
networks) for transporting storage, video, voice, and data is secured through the techniques for securing
management described in this document. In contrast, using the enterprise IP network for storage networking (such as with
iSCSI) opens up this critical enterprise resource to a broad range of vulnerabilities.

3.3 Securing the remote office


In this context, the term remote office refers to any remote workplace that requires persistent, two-way communication with
the enterprise, for locations as diverse as a telecommuter's home office or a major regional office. Connecting remote offices
is a significant network cost in many industries, such as retail banking, health care, and government.
Traditionally, remote offices were connected to the enterprise network using various LAN technologies and multi-protocol routers, working into frame relay networks with ISDN circuit-switched backup. VSAT satellite terminals have also been widely deployed, for instance for credit card validation in the retail industry. Four major developments are transforming the remote-office networking scenario: (1) the convergence on Ethernet as the LAN standard, (2) universal acceptance of IP as the protocol of choice, (3) the Internet, and (4) a growing list of Layer 2 and 3 VPN services. However, these developments also introduce a variety of security challenges, particularly for extended and open enterprises.
WAN (wide area network) edge requirements at the branch office level include routing between VLANs locally and into the network, QoS and bandwidth management, and scalable interfacing into the WAN. This includes supporting the required encapsulation scheme over the WAN and whatever level of reliability is appropriate. Cost-effective security over the Internet (and even over frame relay) is a key requirement. Managing the transition from legacy (relatively secure) WAN technologies to IP-VPNs is also a challenge. Some enterprises want to have direct Internet access from every remote office, opening up the need for remote firewalls.
Others want highly reliable, dynamically routed connectivity between branches and the enterprise backbone, with centralized firewalls into the Internet, in some cases using frame relay as the primary path and the Internet as a backup, or moving towards IP-VPNs as a primary configuration. Dynamic routing enhances scalability and reliability by automatically learning network topology and end-user addresses, and adapting to changes in network topology.
However, security in routed networks has been an afterthought. For example, there has been no effective way to run dynamic
routing over VPN-encrypted tunnels, which themselves have been difficult to manage.
These limitations have led enterprises to buy, install, maintain, and manage multiple security and networking devices for
remote office and branch networks, resulting in a complex and costly architecture.


Dynamic routing vulnerabilities


Although dynamic exchange of routing information among enterprise sites eases the administrative tasks of managing
network traffic flows and can enhance reliability, it can also introduce security issues if not configured and managed
properly.
One key issue is the handling of default routes, which determine where traffic with unknown destination addresses will be sent. Typically, the default route points to the Internet. In this case, if routing information for some site in the enterprise is lost (perhaps due to equipment failure, but possibly due to a security attack), then traffic meant for that site may be sent into the Internet, without security protection. If the missing route is actually reachable through the Internet (e.g., if it is advertised by an Internet gateway at the remote office), then full bi-directional communication might be established, with traffic flowing unprotected across the Internet, all unknown to the systems involved in the communication.
Another issue with dynamic routing is the problem of misleading routing information. If one routing system is
hijacked, or if a workstation in the network is configured to send false routing messages, an attacker could redirect
traffic to a point where it can be compromised. Likewise, a misconfigured router at a remote office can advertise incorrect routing information and disrupt communications, even if no malicious intent or traffic interception is involved.
An example is when one remote office routing system is configured with a static route for another site, then advertises
this route as if it were located at that site. This can disrupt traffic actually intended for the other site.
The solution for these routing issues is to ensure that gateway systems for remote offices contain effective route filtering capabilities, so they do not blindly exchange any routing information they receive from the internal network, but apply intelligent rules to it. This strategy enables the enterprise network to benefit from the manageability of dynamic routing without exposing the network to dynamic routing vulnerabilities. Clearly, routing information received from the Internet should be carefully filtered, and internal enterprise routes should never be accepted from the Internet.
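The route-filter model below is an added illustration, not part of this paper or of any Nortel Networks product. It applies the filtering rules above to a constructed addressing plan (10.0.0.0/8 as the enterprise, one /16 per office, peers named "isp", "branch-a" and "branch-b", all hypothetical) and reproduces both failure modes described in the sidebar: a withdrawn site route letting traffic fall through to the Internet default, and a peer advertising a prefix it does not own. It also shows one mitigation that goes beyond the text, an aggregate discard route that keeps enterprise-bound traffic off the default route when a site route is lost.

```python
"""Route-filter model for a remote-office gateway (added illustration, not Nortel code)."""
from ipaddress import ip_address, ip_network

# Constructed addressing plan: the whole enterprise lives in 10.0.0.0/8 and
# each office owns one /16 inside it. All values are hypothetical.
ENTERPRISE = ip_network("10.0.0.0/8")
SITE_PREFIXES = {
    "hq": [ip_network("10.1.0.0/16")],
    "branch-a": [ip_network("10.20.0.0/16")],
    "branch-b": [ip_network("10.30.0.0/16")],
}
DEFAULT = ip_network("0.0.0.0/0")


def accept_route(peer, role, prefix):
    """Decide whether to install an advertisement; returns (ok, reason).

    role is "internet" for the ISP/Internet gateway peer and "tunnel" for
    another enterprise site reached over a secure tunnel.
    """
    internal = prefix.subnet_of(ENTERPRISE)
    if role == "internet":
        # Enterprise routes must never be learned from the Internet.
        if internal:
            return False, "internal prefix learned from the Internet"
        return True, "external route"
    if role == "tunnel":
        if prefix == DEFAULT:
            return False, "default route from a remote office"
        if not internal:
            return False, "non-enterprise prefix over a tunnel"
        # A site may only advertise the prefixes assigned to it, which stops a
        # misconfigured static route for another site from propagating.
        if not any(prefix.subnet_of(own) for own in SITE_PREFIXES.get(peer, [])):
            return False, f"{peer} advertised a prefix it does not own"
        return True, "matches the peer's assigned prefixes"
    return False, "unknown peer role"


class RoutingTable:
    def __init__(self):
        self.routes = {}  # prefix -> next-hop label

    def learn(self, peer, role, prefix, next_hop):
        ok, reason = accept_route(peer, role, prefix)
        if ok:
            self.routes[prefix] = next_hop
        return ok, reason

    def install_static(self, prefix, next_hop):
        self.routes[prefix] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(prefix, None)

    def lookup(self, dst):
        """Longest-prefix match; returns the next-hop label or None."""
        best = None
        for prefix, next_hop in self.routes.items():
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, next_hop)
        return best[1] if best else None


def demo():
    """Walk through the sidebar's scenarios; returns the observed outcomes."""
    rt = RoutingTable()
    rt.learn("isp", "internet", DEFAULT, "internet")
    rt.learn("branch-a", "tunnel", ip_network("10.20.0.0/16"), "tunnel-a")
    # Misleading routing information: branch-b claims branch-a's prefix.
    ok_bogus, _ = rt.learn("branch-b", "tunnel", ip_network("10.20.0.0/16"), "tunnel-b")
    # An enterprise prefix heard from the Internet gateway.
    ok_leak, _ = rt.learn("isp", "internet", ip_network("10.1.0.0/16"), "internet")
    dst = ip_address("10.20.5.7")
    before = rt.lookup(dst)                   # reached over the secure tunnel
    rt.withdraw(ip_network("10.20.0.0/16"))   # the site route is lost
    leaked_to = rt.lookup(dst)                # falls through to the Internet default
    # Mitigation beyond the text: an aggregate discard route for the enterprise
    # block means lost site routes drop traffic instead of sending it unprotected.
    rt.install_static(ENTERPRISE, "discard")
    after_guard = rt.lookup(dst)
    return {
        "bogus_accepted": ok_bogus,
        "leak_accepted": ok_leak,
        "before": before,
        "leaked_to": leaked_to,
        "after_guard": after_guard,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-peer rules are the point: the tunnel peer's advertisement is checked against the prefixes that site is known to own, not merely against the enterprise block, so a static route mistakenly configured for another site never reaches the rest of the network.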
With the move to IP-VPNs over the Internet, a complete set of security requirements has to be met as cost-effectively as possible at multiple network levels:
• Network security level functions include IP routing over secure tunnels and VPNs
• Network-assisted security level functions include encryption and stateful firewall inspection
• Application security level functions must be provided if data servers and/or IP telephony are deployed at the remote office
• Access management provisions include remote-office authentication and directory services that give users a unique security profile that stays with them whether they log in locally over the intranet or from home across the Internet
• Network management security provisions must be extended to the remote office, without back doors that might compromise network security
Traditional solutions for secure remote office connections
Traditional solutions have proven problematic for meeting remote office security requirements. Many enterprises considered turning on the requisite security functionality on their routers, only to find that adding security may not be possible on low-end routers, or that it may impact router performance and require an expensive upgrade that may represent up to 50 percent of the cost of the original router.
Even if a router can be upgraded to support filtering, firewalls, and VPNs, treating security as an application on top of monolithic routing code introduces other problems. One example is routing over IPsec tunnels, required to manage redundant paths, route around failed nodes, and perform load balancing and on-the-fly route selection based on link utilization. Today, these functions are done by double encapsulating IP packets via Generic Routing Encapsulation (GRE) on top of IPsec tunnels, resulting in extra processing, memory, and transmission overheads (in fact, an additional 24 bytes per packet) and requiring manual configuration of each end user. GRE also presents recognized packet fragmentation issues. If this is unacceptable to the customer, then the only practical option is manually configured static routes, which are labor intensive, provide ineffective load balancing at best, and are awkward for managing changes.

Figure 12. Securing the remote office
[Figure: a legacy branch (Layer 2 switch and IP telephony system, PBX connected to the PSTN, RADIUS server, token/PKI authentication) and a converged branch (Secure IP Services Gateway with FW, Auth, SRT and IPsec functions; Layer 2 switch, IP telephones, RADIUS server, token/PKI authentication), both connected across the Internet.]

A new architecture for securing the remote office


Adding security to routers (see Traditional Solutions sidebar) is a sub-optimal solution that doesn't measure up to the mission-critical service delivery requirements of branch networks. Multi-box solutions raise total cost of ownership, a problem that multiplies with the hundreds or thousands of sites that may need to be served.
A new approach uses secure IP services gateways, which are purpose-built devices that deliver security and security-related IP services in a single, integrated platform designed for remote offices. A single hardware device provides bandwidth management over a range of WAN services, dynamic IP routing over encrypted tunnels, IP-VPN support, and a range of security features, including stateful firewall inspection, encryption, and authentication, all operating under directory and policy services. Targeted at the enterprise edge (the intersection of an enterprise's private and public IP networks), secure IP services gateways provide secure communications over an inherently insecure medium, the Internet.
The Nortel Networks Contivity Secure IP Services Gateway is a new class of device in this area, and a key component of our Unified Security Architecture. Contivity Secure IP Services Gateways:
• Run over ISDN, frame relay, IP-VPN and emerging Layer 2 VPN services (such as Optical Ethernet)
• Deliver encryption/authentication/firewall performance at wire speed
• Operate under a unified security policy management architecture that covers remote users and sites across the enterprise
• Support dynamic end-to-end routing for a mix of frame relay virtual circuits, Layer 2 Virtual Private Ethernets, and IPsec tunnels, the latter achieved by making tunnels visible to the routing code and by encapsulating routing messages directly in IPsec (bypassing the GRE layer of today's solutions)
• Centralize provisioning of critical IP services with tightly integrated security
• Interoperate with existing routing, authentication/directory, and security services


Figure 13. Remote office dynamic routing for increased reliability and scalability
[Figure: redundant Secure IP Services Gateways at the central site (FW, IPsec, SRT, Auth) reached by remote access clients over IPsec; branch Secure IP Services Gateways (FW, IPsec, SRT, Auth) connected both over the Internet and over frame relay, with static and dynamic routing over secure FR or secure tunnels.]

Secure Routing Technology (SRT) features in Contivity systems

• Secure IP services applications decoupled from the hardware
• Software-configurable IP service deployment
• Designed for secure management, secure policy, secure access, and secure routing
• Compatible with existing Contivity VPN switches and Succession IP telephony

Policy Management
• Applied to frame relay, PPP connections, and secure tunnels

Secure Access Management
• Strong user authentication (PKI) services, and LDAP, RADIUS, digital certificates, smart cards, and user name/password

Network Security
• Dynamic routing of IP packets over encrypted tunnels
• NAT, PPP over Ethernet, DHCP server and client, DNS with VPN, and DNS Proxy

Network-assisted Security
• Full stateful firewall with 100 application gateways

Management Security
• Remotely managed using strong encryption (IPsec)
• Secure base configuration that denies all Internet traffic and provides DoS protection
• Logging and protection against hacker attacks


3.4 Securing remote access


Remote access enables extended and open enterprises to make efficient use of people and resources wherever they are located: at home, on the road, using public PCs, or at drop-in business centers in hotels. However, opening the network to access from anywhere introduces security concerns.
One of the most prevalent security threats is a remarkably low-tech issue, the theft of personal computers, which can lead to more serious issues: using the stolen PC to steal locally stored data, or to masquerade as a legitimate user to access the enterprise network.
For that reason, sensitive information on systems used for remote access should be encrypted using a system that integrates seamlessly into normal application use. Encryption systems are currently available that enable the user to operate normally, without manual or individual encryption/decryption of files. For example, entire file systems or folders can be stored in encrypted form, with decryption integrated into normal file system access.
Another threat occurs when the remote-access user is operating on an easily hacked wireless LAN, perhaps at home or in a hotel. For wireless access, the user's access device should be equipped with anti-virus software and an up-to-date personal firewall that prevents unauthorized users from hacking into the user's PC during an open communication session.
Figure 14. Securing remote access
[Figure: users at a home office, a hotel, an airport, a customer site, and a payphone with data jack reaching the central site over the Internet; at the central site, redundant Secure IP Services Gateways (FW, IPsec, SRT, VS, IDS, Auth) and an SSL VPN Gateway (SSL, FW, Auth); remote devices protected by FW, IPsec, VS and IDS, or using SSL from a standard browser.]
Securing dial-up access. Remote access over dial-up connections, such as ISDN switched access or a modem call over standard telephone lines, must be protected with stringent access authentication and authorization procedures. Encryption adds another level of security for confidential communications, but dial-up access itself is inherently insecure because it can be used to circumvent firewalls and other IP-enabled security techniques. Direct switched access, widely used in the 1980s and early 1990s, is rapidly being replaced by Internet-based remote access VPNs.


Remote access VPNs. Internet-based remote access provides tremendous flexibility and high bandwidth. Two approaches are common:
• VPNs based on IPsec, with IPsec client software loaded on the user's access device.
• SSL extranets based on SSL, which use the SSL capability built into standard Web browsers and require no other client software. We chose not to use the term VPN when describing SSL implementations, since SSL only gives access to an application, not the full network.
Let's take a closer look at these popular VPN strategies.
IPsec-based VPNs
IPsec is a network-layer approach that can be used across applications. For example, an IPsec-based VPN connection can be used to access e-mail, HR self-serve applications on the intranet, and browse the network. An IPsec client (the user-interface software), such as the Nortel Networks Contivity Multi-OS Client, must be installed on the access device (PC, PDA, handheld computer, etc.). The access device should also be loaded with anti-virus detection software.
Whether based on dial access to an ISP point of presence (POP) or on wired or wireless direct access, the VPN client authenticates the user, verifies the integrity of the user's computer system, and establishes a secure link (tunnel) to the enterprise. The VPN client ensures that the remote system is secure even during session setup, where the exchange of authentication information is encrypted.
Remote access VPNs must be able to detect and, if possible, bypass common Internet obstacles such as NAT and outbound firewalls, for example when linking to the enterprise network from within another firewall-protected network. At minimum, the VPN must tell the remote user the nature of the obstacles encountered. An important feature of the Nortel Networks Contivity client is its support of split tunneling, with simultaneous secure access to the enterprise and clear access to the public Internet.
Remote access connections from the Internet are handled by an IPsec gateway system at the enterprise edge. Multiple gateways with multiple paths to the Internet provide essential redundancy in case of the failure of any one path or device. Larger enterprises, or those with critical confidentiality requirements, should consider separation of gateways as well.
The effective IP services gateway should provide: simple client configuration; the ability to pass connections through to the internal enterprise network as opposed to session termination; stateful firewall functionality to preclude the need for a separate firewall; support for multiple authentication methods such as RADIUS, PKI and LDAP, directory-based userID and password systems such as Microsoft Active Directory and Novell Directory Services, and smart card or token-card authentication on the user's laptop. Support for L2TP and PPTP is also beneficial.
SSL extranets
SSL is a session-layer approach, which means that every application has to support SSL and have its own user authentication approach. For example, when you go to Amazon.com, the SSL session is set up before you enter your userID or credit card number. User authentication could include going to an authentication server. Firewall traversal and NAT are easily supported with SSL.
SSL is built into standard Web browsers such as Microsoft Internet Explorer, so no special client software is required. This feature makes SSL extranets particularly attractive for scenarios where the enterprise doesn't own or control the remote access devices, or where users need access from public PCs.
Web browsers are common targets of hackers, but the benefits outweigh the risks, which can be mitigated by using personal firewalls and intrusion-detection systems on the access device. The application-agnostic SSL protocol is considered robust enough that it is used extensively for consumer access to online shopping Web sites.
However, Web browsers support SSL only for Web-enabled (HTML) applications. As a result, if an enterprise wants to use SSL extranets for access to, say, its legacy supply chain management application, then either the application has to have an HTML/SSL front end or an external application-specific gateway is required. Several vendors offer external gateways for common applications, but every application will need to have a unique front end acquired or developed. In addition to this trade-off, there are also potential incompatibilities among browsers and browser versions. For example, some versions of SSL will actually allow a fallback to very weak 40-bit encryption if 128-bit encryption is not present.
In conclusion:
• SSL extranets operate at the transport layer, are good for Web applications, extranets, and limited application access, and don't require any special client software. However, SSL extranets open up a large security hole when used from uncontrolled PCs, such as public PCs in kiosks, which may lack personal firewalls and/or be infected.
• IPsec VPNs operate at the network layer, are application agnostic, and require a PC client. IPsec VPNs provide complete control over the security environment.
Nortel Networks offers both types of VPNs. Contivity Secure IP Services Gateways lead the market in IPsec-based remote access and remote office VPNs, with more than half a million VPN clients in service. Nortel Networks has recently extended its Alteon portfolio to implement SSL extranets.
3.5. Securing IP telephony services
Enterprises are starting to roll out IP telephony solutions to reap the benefits of convergence in the LAN and the WAN, and of converged applications. Every VoIP system is a hardware/software solution that comprises four logical functions:
• IP telephones and PC soft clients
• Communications servers (also called call management servers or gatekeepers)
• Media gateways that provide flexible network access, for example, via traditional PBXs, the public switched telephone network (PSTN), and the public wireless network
• Application servers for such purposes as unified messaging, conferencing, and collaborative applications enabled by the Session Initiation Protocol (SIP)
These functions and related application servers, such as contact center systems, are distributed across a telephony- or business-grade IP network that delivers the required levels of reliability, voice quality, and congestion management. Extended reach and mobility are provided over wireless LANs and over the Internet via IP-VPNs.
IP telephony is very time-sensitive and critical to the business, and, just like other data applications, subject to a variety of attacks. For example:
• Attacks on the router can bring down both voice and data services
• Denial of Service can overload an IP telephony communications server or client
• Ping of Death can disrupt VoIP operations by sending multiple pings to VoIP devices
• Port scanning can find vulnerabilities in VoIP clients and servers
• Packet sniffing can record and/or intercept conversations
• IP spoofing can misrepresent the source or destination of the media or signaling stream
• Viruses, worms, Trojan horses, and time-triggered bombs can attack servers and clients
There have already been cases of hackers taking over IP clients, due to the lack of administration passwords in one case (PingTel) and due to vulnerabilities associated with running XML in another (Cisco). However, while these could be very disruptive, they are primarily a threat when running VoIP natively across the Internet and a relatively lesser threat when run within the enterprise or over tunneled Internet connections. We are a few years away from seeing VoIP used end-to-end between employees and the outside world; the security architecture for VoIP will be extended when standards, public services, and interoperability have reached greater maturity.

Toll fraud prevention

Toll fraud (theft of service) occurs when a PBX and its communications facilities are accessed and used illegally by unauthorized users, internal or external. Just like a computer hacker, PBX hackers look for weak spots in the PBX and use an array of complex hacking tools ranging from password-stealing software to automatic dialers. Often, hackers are difficult to detect until the damage is already done. With so many different internal and vendor or system integrator technicians accessing the PBX as part of routine maintenance, PBX hackers are often discovered only after they've had days or even weeks to access facilities and rack up hundreds or thousands of dollars on the enterprise phone bill.
This complex problem requires sophisticated countermeasures, even in a world where the cost of an individual phone call is measured in pennies. IP telephony solutions must offer toll fraud prevention and other features that work with both VoIP and traditional telephony.
PBXs, such as the Nortel Networks Meridian 1, and state-of-the-art IP telephony systems, such as the Nortel Networks Succession CSE 1000, support toll-fraud prevention mechanisms. These mechanisms are founded on Telephony Class of Service, which defines each user's ability to make state, national, and international long distance calls. The user can be denied all access, or allowed to make certain types of on-net/internal and off-net/external long distance calls. The default for new phones is restricted calling. These rules can be applied on a time-of-day basis and be overridden with an authorization code. Indirect access to long-distance calling is also controlled, including potential access via speed call lists, call forwarding, voicemail call answering through dial, and DISA access for employees dialing into the enterprise network remotely.
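The model below is an added illustration of how the Class of Service controls in this sidebar fit together; it is not Nortel Networks code and does not describe the Meridian or Succession configuration syntax. The dial plan (4-digit extensions, "1" plus ten digits for national, "011" for international), the extension numbers, the business hours and the authorization code are all constructed sample values. It shows the restricted default for unknown or new stations, a time-of-day ceiling per station, an authorization-code override, and the same check being applied to an indirect route such as call forwarding or a DISA trunk.

```python
"""Telephony Class of Service model for toll-fraud prevention (added illustration, not Nortel code)."""

# Call categories in increasing order of privilege.
INTERNAL, LOCAL, NATIONAL, INTERNATIONAL = range(4)
NAMES = {INTERNAL: "internal", LOCAL: "local",
         NATIONAL: "national", INTERNATIONAL: "international"}


def classify(dialed):
    """Constructed dial plan: 4 digits = internal extension, 011 prefix =
    international, 1 + 10 digits = national, anything else = local."""
    if len(dialed) == 4:
        return INTERNAL
    if dialed.startswith("011"):
        return INTERNATIONAL
    if dialed.startswith("1") and len(dialed) == 11:
        return NATIONAL
    return LOCAL


class ClassOfService:
    """Highest category a station may reach, split by time of day.

    business_hours is a (start_hour, end_hour) pair on a 24-hour clock;
    the after-hours ceiling applies outside that window.
    """

    def __init__(self, in_hours=INTERNAL, after_hours=INTERNAL, business_hours=(8, 18)):
        self.in_hours = in_hours
        self.after_hours = after_hours
        self.business_hours = business_hours

    def ceiling(self, at_hour):
        start, end = self.business_hours
        return self.in_hours if start <= at_hour < end else self.after_hours


# New phones get the restricted default: internal calls only, at any hour.
RESTRICTED = ClassOfService()

# Constructed station assignments (hypothetical extensions).
PHONES = {
    "2001": ClassOfService(in_hours=NATIONAL, after_hours=LOCAL),  # sales desk
    "2002": RESTRICTED,                                              # newly installed phone
    "2003": ClassOfService(INTERNATIONAL, INTERNATIONAL),            # executive
}

# Authorization codes carry their own ceiling and override the station's class.
AUTH_CODES = {"735912": INTERNATIONAL}  # constructed sample code


def route_call(phone, dialed, at_hour, auth_code=None):
    """Decide whether a call may proceed; returns (allowed, reason).

    Unknown stations, including a DISA trunk used by remote dial-in callers,
    fall back to the restricted default, so an outside line is reachable from
    them only with a valid authorization code.
    """
    cos = PHONES.get(phone, RESTRICTED)
    category = classify(dialed)
    if category <= cos.ceiling(at_hour):
        return True, f"{NAMES[category]} call within class of service"
    if auth_code is not None and AUTH_CODES.get(auth_code, -1) >= category:
        return True, f"{NAMES[category]} call allowed by authorization code"
    return False, f"{NAMES[category]} call denied"


def set_call_forward(phone, target, at_hour):
    """Indirect access: forwarding (or a speed-call entry) to an outside number
    is checked against the forwarding station's own class of service."""
    return route_call(phone, target, at_hour)


if __name__ == "__main__":
    print(route_call("2001", "14165551234", 10))                      # national, in hours
    print(route_call("2001", "14165551234", 22))                      # national, after hours
    print(route_call("2001", "14165551234", 22, auth_code="735912"))  # override
    print(set_call_forward("2001", "01144207946000", 10))             # forward abroad
    print(route_call("disa-trunk", "14165551234", 10, auth_code="000000"))
```

The time-of-day split and the override are deliberately separate: the station's ceiling is a property of the phone, while the authorization code is a property of the person using it, so a stolen or borrowed handset after hours gets the phone's reduced ceiling rather than its daytime one.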
Figure 15. Securing IP telephony
[Figure: a management VLAN (L2) containing the IP-enabled PBX, IP telephony server, multimedia application server, unified messaging server, and contact center, each protected by IDS and VS; a telephony-grade IP network with SRT, FW, IPsec, VS, IDS, and NAT; digital sets and IP sets, 802.11 wireless clients with IDS, IPsec, AL, and Auth, and SIP-enabled PC soft clients behind FW, IPsec, VS, and IDS.]
Securing IP telephony requires a coordinated approach across all aspects of the Unified Security Architecture. Policy management and secure access management authenticate users and authorize the use of features and calling capabilities. Management
security secures management of VoIP devices such as communications servers and media gateways.
Security mechanisms that have been implemented for IP data can be extended to cover IP telephony; for example, using IPsec and IP-VPNs for secure remote access and branch connectivity for VoIP and data, and for wireless LAN access. Stateful inspection firewalls and network address translation can be applied to VoIP services. Policies governing data and VoIP should be integrated under policy management. Application-level security is provided through such methods as OS hardening, PC-based virus protection, and personal firewalls.
Securing IP telephony at the application security level
Securing application and IP telephony communications servers. The heart of the IP telephony system is the communications server, which can be a standalone server, such as the Nortel Networks Succession CSE 1000/2000 server, or integrated with other components, such as the Nortel Networks IP-enabled Meridian system and Business Communications Manager. Equally important are application servers delivering contact center services (such as Nortel Networks Symposium), multimedia applications (such as Nortel Networks CSE Multimedia Xchange), unified messaging (such as Nortel Networks CallPilot), and self-serve interactive voice response systems. Securing these servers starts with hardening of the operating systems.
Securing VoIP clients. VoIP solutions support a broad range of clients and access configurations, including IP wired and wireless telephones (e.g., Nortel Networks i2002 and i2004, and Symbol's wireless LAN IP phone) and PC-based soft clients (e.g., Nortel Networks i2050 and SIP clients). When connected to an IP network, these clients are vulnerable to attack.
There are a number of different telephony signaling protocols, such as SIP, H.323, UniStim (used by Nortel Networks IP telephones), and Meridian Customer Defined Networking for network-wide feature operation. In the future, the ability to secure signaling traffic at the VoIP client will be generally available. In IP telephony systems, the voice signal is packetized using a standard such as G.729 (at 8 kbps) and a speech activity detection algorithm, and is carried by the Real-time Transport Protocol (RTP) over UDP at the transport level. Encryption of the voice at source will emerge as an option, as required by special sectors such as the military community.
The process is different for securing IP telephones and PC-based soft telephony clients:
• IP telephones, such as the Nortel Networks i2004/i2002, are custom-built appliances for telephony only. There is no storage or asset on the phone itself to protect other than its presence on the network as a trusted device. The identification of the caller and the call itself are the only assets to be protected. These telephony appliances most commonly use a proprietary thin client protocol that relies on the communications server for feature/functionality and security. Approaches that rely on XML in the VoIP set for feature operation are open to greater vulnerability.
• VoIP soft clients on users' PCs co-exist with other applications and assets, and run widely available operating systems. That means a successful attack can be damaging to several valued assets, and these devices should be protected with personal firewalls, anti-virus detection, and IP-VPN clients, the same mechanisms used for data security on that access device.
Securing IP telephony at the network security level
Securing VoIP in the wiring closet and across the campus. IP devices are wired into a campus network using either shared media or, more commonly, dedicated switched Ethernet connections. Wireless LANs are being widely adopted, especially in education and healthcare environments.
VoIP soft clients and dedicated VoIP appliances should be connected to switched Ethernet environments right to the desktop, for the following reasons:
• VoIP latency variation is minimized by eliminating the CSMA/CD contention of shared-media Ethernet
• Other devices are prevented from eavesdropping on VoIP calls
Enterprises may also choose to logically group VoIP telephones in their own VLANs to enhance security and manageability.

Special considerations apply when using wireless LANs (WLANs) to extend IP telephony services within the enterprise; for example, from the desktop to conference rooms, classrooms, or shop floor personnel. Because wireless LANs are relatively insecure, both the signaling and voice planes need added security over the wireless segment of the call path. One method is to configure soft clients co-resident with an IP-VPN client on the access device. Alternatively, some WLAN IP phones have built-in encryption and authentication. Nortel Networks has a strategic partnership with Symbol, whose WLAN IP phones support 128-bit WEP encryption between the client and the wireless access point, plus Kerberos authentication.
Securing branches for IP telephony. Several approaches are available for securing remote office VoIP solutions. For example, an enterprise could:
• Support VoIP telephones and soft clients from an office-in-a-box system that integrates IP telephony capabilities and VPN security, such as the Nortel Networks Business Communications Manager with integrated Contivity IP-VPN client.
• Leverage the distributed nature of VoIP by deploying clients off a centralized server, such as a Nortel Networks IP-enabled Meridian platform, CSE 1000 server, or CSE MX server, and running this traffic over an IP-VPN.
• Support a Nortel Networks Remote Office 9150 VoIP telephone off a central site IP-enabled Meridian PBX, which supports Meridian digital telephones over an IP-VPN infrastructure while supporting a fully featured back-up path by tunneling over the PSTN. This approach is unique to Nortel Networks.
The Nortel Networks Contivity IP-VPN solution is unique for its Secure Routing Technology, which minimizes latency for VoIP calls through meshed connectivity of secure tunnels over the Internet. This same solution can provide security for voice and data traffic traversing frame relay networks.
Figure 16. Securing remote networking for IP telephony
[Figure: a remote office with IP sets, IP telephony and SIP soft clients (VS, IDS), 802.11 wireless access protected by IPsec and FW, and a Secure IP Services Gateway (SRT); central site Secure IP Services Gateways (FW, IPsec, SRT) reached over the Internet; remote users at a hotel, an airport, a customer site, and a payphone with data jack running SIP and IP telephony soft clients protected by Auth, FW, IPsec, VS and IDS, or using SSL.]

Securing remote access for IP telephony. At home, in a hotel, or on the road, remote users can benefit from the convenience, control, and productivity of IP telephony. To secure this kind of telephony access, VoIP soft clients would be co-resident with an IP-VPN client on a laptop (and ultimately on a suitably equipped PDA) for mobile employees. This same configuration is used to take advantage of WLAN access points in hotels, airports, and convention centers. VoIP telephones for telecommuters and remote contact center agents could be secured with a home office IP-VPN, such as a Contivity 1000 Secure IP Services Gateway.
Network management security for IP telephony. Management of IP telephony services should be protected with the same level of network management security accorded to the network and security infrastructure in general.
A physically dedicated Ethernet port should be configured for VoIP management functions, part of a management VLAN that blocks all non-management traffic at the routing level via access lists and perimeter security, and has all unused ports turned off. Only authorized application software should be run on the servers in this VLAN. Multi-level security should be applied, with various levels of privileges (monitor, configure, control) for authenticated operational personnel. User passwords must be securely stored, and password formatting and change management strictly controlled. Management traffic (such as billing information) can optionally be encrypted, even for internal transmission, through IP-VPN technology. Off-net access for suppliers, system integrators, and/or VARs can be provided via IP-VPNs.

Securing Web-enabled contact centers for IP telephony

Web-enabled contact centers are a key platform for offering engaged customer services that seamlessly integrate Web
and telephony interfaces with the organization. Using IP telephony in contact centers makes it cost-effective to widely
distribute agents, without compromising features and functionality.
However, because of the inherent security exposures of the Web interface and the critical nature of telephony services,
special security considerations apply. Securing servers at the application and OS levels is based on hardened OS architectures
and off-the-shelf security packages. Securing server management is based on partitioned operations using
VLANs and remote access via IP-VPNs. IP-VPNs are also used to secure remote VoIP agents operating over the
public network.


Part IV. Nortel Networks technology and expertise

Nortel Networks has defined a new strategy for the enterprise network, known as One Network. A World of Choice.
One Network because it supports infrastructure convergence and eliminates boundaries. A World of Choice because
it delivers options on how enterprises build the optimal networks to suit their needs. The vision is of a single, converged
network that answers the critical business realities that strain and constrain today's networks.
Absolutely central to this vision is the principle that security is inherent in all applications and services, intrinsic to the very
DNA of the network. The Unified Security Architecture outlined in this document represents the Nortel Networks blueprint
for that new enterprise network.
Within this One Network. A World of Choice. strategy, security provisions are in place to:
• Make enterprise networking products secure from a management perspective.
• Address network and voice/multimedia application security needs.
• Evolve from a perimeter-based security model towards a distributed and layered network security architecture with
centralized administration.
• Deliver reliable high-performance security solutions, including VoIP and wireless.
• Provide choices to enterprises in meeting their security requirements, driven by their business needs.
• Leverage industry-leading technologies and solutions across enterprise and service provider markets.
4.1. Design tenets built into the Nortel Networks security portfolio
Nortel Networks enterprise networking products, including security products and solutions, have been designed and built to
adhere to the following tenets:
Security in the DNA means Nortel Networks security products, such as Alteon Switched Firewall, Alteon SSL Accelerator,
and Contivity Secure IP Service Gateways, are designed from the ground up with security in mind.
Failsafe business continuity relies on network resilience from the physical layer to the application layer for mission-critical
applications and data, using session persistence, load balancing, acceleration methods, and optical technologies. For example,
the Alteon Security Cluster provides a comprehensive security framework that delivers multi-gigabit acceleration and integrates
firewalls, SSL offload, intrusion-detection, and anti-virus protection into a scalable, easy-to-manage architecture.
Scalability by design extends and protects network investments and lowers operational costs. The Alteon Switched Firewall,
delivering the highest capacity in the industry at 3 Gbps, demonstrates this tenet in practice.
Application-optimized network components such as the Alteon SSL Accelerator combine network-assisted security with
network intelligence to add a layer of security across multiple applications while optimizing server performance.
Communications convergence ensures that IP telephony and multimedia applications such as Nortel Networks Succession
products can securely operate both within the enterprise environment and across the Internet.
Engaged applications deliver timely, context-sensitive, user-aware content to users as quickly, efficiently, and securely as
possible across multiple service delivery channels.
Comprehensive management ensures that security policies are effectively and consistently implemented throughout the
network. For example, Optivity Policy Services complements other Optivity management solutions to secure the management
system and enhance survivability.


Figure 17. Design tenets behind Nortel Networks products: Security in the DNA; Scalability by design; Fail-safe business
continuity; Communications convergence; Comprehensive management; Application-optimized network; Engaged applications.

These design tenets apply to the entire Nortel Networks portfolio, including for example:
• Alteon switches that provide firewall/IDS/IP-VPN load balancing and content filtering
• Passport 8600 routing switches that provide extensive filtering and access list controls, as well as firewall/IDS/IP-VPN
load balancing when equipped with an Alteon Web Switching Module. The Passport 8600 is a 256 Gbps platform so
robust that it is used in service provider central offices
• Ethernet hubs and switches from the BayStack portfolio that support VLANs and user authentication via EAP
Security is also a key element of Nortel Networks applications for IP telephony and multimedia, contact centers, unified
messaging, and more. Integration with solutions from our business partners delivers important capabilities such as
intrusion-detection, anti-virus, content filtering, and authentication. Whether offered as intrinsic features in multi-purpose
products or as purpose-built security devices, Nortel Networks security solutions protect the network and applications with high
performance and low cost of ownership.
4.2. Expanded choice through partnerships
Nortel Networks partners with service providers to enable them to offer best-in-class secure managed service solutions.
For example, our Contivity systems have been deployed by the majority of the world's leading service providers for their
managed IP-VPN services. Nortel Networks Shasta Broadband Service Node (which uses the same VPN client as Contivity)
is the foundation for many providers' network-based IP services, including VPNs, firewalls, and other security services.
Nortel Networks also partners with best-of-breed security application vendors for two types of collaboration:
• Working with select security application vendors to achieve full code integration with the Alteon Open Security
Architecture for the purposes of accelerating existing security technologies.
• Ensuring seamless interoperability with third-party security methods for authentication (RADIUS, digital certificate/PKI,
hardware/software tokens, and smart card), intrusion-detection, anti-virus, content filtering, firewall reporting, and more.

4.3. Security services

With new data privacy legislation pending and enacted, a constantly changing scene of network threats and vulnerabilities,
and IT security teams operating on limited budgets and manpower, many enterprises turn some or all of their security
functions over to certified security specialists. Security consulting services can help the enterprise move forward with confidence to:
• Achieve and maintain compliance with Gramm-Leach-Bliley, HIPAA, and other legislation.
• Obtain objective third-party validation of their security implementation, policy, and practices.
• Establish security baseline information from thorough vulnerability analysis of the network, overall site surveys of wireless
nodes added to the wired network, and other security services.
Organizations in the health care, financial, and insurance industries would be particularly interested in any or all of the
following services related to recent Federal legislation:
• Assessing and analyzing the current network and environment for compliance with new industry regulations
• Developing plans to address noncompliant areas
• Implementing policies, procedures, processes, and the technology to meet the new standards
• Certifying that the enterprise organization complies with regulations and legislation
• Monitoring to assure continued compliance
Nortel Networks partners with security services vendors (e.g. Olympus Security Group) with CISSP-certified personnel
to provide security deployment assistance, security training, security assessments, and regular security audits to ensure new
products and/or practices have not defeated security policies.
4.4. Nortel Networks product assurance
Nortel Networks product assurance initiatives ensure that security functions perform to industry-accepted standards and
specifications, where they exist.
Firewalls. Nortel Networks firewalls are or are being certified by the International Computer Security Association (ICSA),
an internationally recognized, independent organization that enforces strict standards of certification for security products.
Encryption. Nortel Networks Contivity and Alteon SSL Accelerator products have achieved compliance with U.S. Federal
Information Processing Standard (FIPS) 140. To earn this status, cryptographic modules are tested by accredited laboratories
and assigned a rating from 1 to 4 (lowest to highest) in 11 key design and implementation areas. The overall testing program is
overseen by the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment
(CSE) of the Government of Canada.
Common Criteria international certification. Responding to the newly established and globally accepted Common Criteria
evaluation program, Nortel Networks has begun work to obtain this certification for key products, first for Alteon Switched
Firewall and Contivity Secure IP Services Gateways.


A closer look at Common Criteria

An international effort to develop international IT security criteria, the Common Criteria initiative is designed as a
taxonomy of security requirements specified either as Protection Profiles or as a Security Target.
Protection Profiles are customer- or community of interest-generated sets of security requirements that are made
publicly available before, during, or after certification as reusable by any organization or group with similar needs.
These profiles can be established as standards for a particular application area such as electronic commerce, a
government-authored list of requirements for a particular type of product such as a firewall, a particular marketplace vertical
such as healthcare, or a customer's own list of requirements.
Security Targets are the security objectives of a specific product or system, known as the Target of Evaluation (TOE).
The Target can conform to one or more Protection Profiles as part of its evaluation.
The document, International Common Criteria for Information Technology Security Evaluation, specifies security
functionality and evaluation methods, based on: the original United States government Orange Book or Trusted
Computer System Evaluation Criteria (TCSEC), Canada's Trusted Computer Product Evaluation Criteria (CTCPEC),
and Europe's Information Technology Security Evaluation Criteria (ITSEC) (which combines work from the
Netherlands, French criteria, German criteria, and UK Confidence Levels) security criteria.
To date, the Common Criteria have been formally recognized by 23 countries. Common Criteria (CC) v2.1 was
released in 1998 and has been adopted by the International Organization for Standardization (ISO) as standard
15408. For more information, see the Nortel Networks Common Criteria datasheet.

4.5. Nortel Networks and cross-industry security developments

Nortel Networks participates actively in ongoing security standards development (for IPsec, NAT, PKI, SYSLOG, and so on)
within the Internet Engineering Task Force (IETF), the International Telecommunications Union (ITU), and the European
Telecommunications Standards Institute (ETSI), as well as in the following international private and public sector
organizations, which work to find solutions for the growing number of security vulnerabilities on a worldwide basis:
Internet Security Alliance. Nortel Networks is a founding sponsor of this organization, created to share information and
lead thought on information security issues. It is a collaborative effort between the Carnegie Mellon University Software
Engineering Institute (SEI)*, the Carnegie Mellon CERT Coordination Center (CERT/CC), and the Electronic
Industries Alliance (EIA), a federation of trade associations. The Internet Security Alliance represents industry's interest
before legislators and regulators, and creates a collaborative environment to identify and standardize best practices and
solutions.
National Reliability and Interoperability Council (NRIC). Part of the Homeland Security Working Group, the NRIC
works to ensure the optimal reliability, interoperability, accessibility, and interconnectivity of public telecommunications
networks.
The Telecommunications Information Sharing and Analysis Center (Telecom-ISAC). Nortel Networks cooperates
with this subgroup of the National Coordinating Center for Telecommunications (NCC), which facilitates voluntary
collaboration and information sharing among government and industry ISAC members. The NCC gathers information on
threats, outages, intrusions, and anomalies; analyzes and sanitizes the information; disseminates the information in accord
with sharing agreements; and alerts others in near real time.
National Security Telecom Advisory Committee (NSTAC). Nortel Networks participates in the Network Security
Information Exchange (NSIE) subcommittee of this group, driving the establishment of a common security baseline for
enterprises and carriers to reduce customer operating expense and vendor R&D expense.
Joint Group on Network and Information Security (NIS). This is a new European initiative formed by ETSI and the
European Committee for Standardization. NIS helps coordinate effective use of security standards to establish trust
on the Internet. Nortel Networks chairs NIS.


Nortel Networks maintains an internal cross-functional team, the Security Advisory Task Force (SATF), which reports to the
Chief Technology Officer and addresses security vulnerabilities that could impact Nortel Networks products, as soon as these
vulnerabilities are discovered.
This internal task force has established relationships with key security vulnerability agencies in the industry such as CERT,
SANS, and ISA to ensure rapid awareness of new vulnerabilities. A process has been established to determine the level of risk
of each potential vulnerability to Nortel Networks customers, along with a risk mitigation plan, where required.
Where appropriate, the vulnerability status of Nortel Networks portfolio is communicated in Vendor Statements on the
corresponding CERT Web page and through action bulletins created with internal product teams that specify a risk analysis,
vulnerability status, mitigation plan, and planned patch release dates. These bulletins are made available to customers,
customer support teams, and account teams. Finally, the team follows up on all issues until closure.

Summary
The typical enterprise internal trusted network is anything but internal these days. It extends to include supply chain
partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more.
Unfortunately, that means that the network also reaches hackers, cyber-thieves, disgruntled employees, and others who would
misappropriate network resources for personal gain.
Whether or not they leverage the inherently insecure Internet for business applications, all enterprises have an obligation to
protect network integrity and data confidentiality, for their own sake as well as for that of their customers and business partners.
The good news is that enterprises can minimize their risks from unauthorized users without sacrificing performance for
legitimate users. The Nortel Networks Unified Security Architecture defines a conceptual, physical, and procedural framework of
best recommendations for end-to-end enterprise network security. Addressing the Top Ten security challenges with flexible
implementation choices, this comprehensive security strategy is based on these key principles:
1. Multi-layer security that defines security protection functions at application, network-assisted, and network security
levels
2. Variable-depth security across the enterprise, not just at the edge of the Internet
3. Closed-loop policy management that entails continuous evolution of policy to address changing business requirements,
network conditions, and industry knowledge
4. Uniform access management via stringent authentication and authorization at a granular level, defined and managed
centrally for the entire enterprise
5. Secure network operations, by physically or logically partitioning network management from user traffic, and applying
security best practices to suit critical operational activities
6. Secure multimedia communications, protected by high-performance encryption and tunneling
7. Survival under attack, ensuring that the network continues to deliver critical services even as it detects and wards off
malicious activities
The principles underpinning the Unified Security Architecture offer enterprises a blueprint for implementing security solutions
to ensure information integrity and confidentiality across a full range of network applications and architectures, including
protection from external attacks, application abuse, viruses, unauthorized access, interception, or manipulation of data en route.
With Nortel Networks Security Solutions, enterprises can protect business critical resources, and confidently and confidentially
use the Internet as an extension of their trusted internal network.
For more information about security products, terms, standards, organizations, legislation, and certification, visit our security
solutions Web site at http://www.nortelnetworks.com/solutions/security/related.html.

Appendix A. Hackers' tools of the trade

Unauthorized access to network resources is usually the result of improper system configuration and usage flaws. Attackers
can take advantage of weak user authentication and authorization tools, improper allocation of hidden space, shared privileges
among applications, or even sloppy employee habits, such as posting their secret passwords on the side of their computers.
Attackers can obtain illegal access by guessing user names and passwords using a dictionary of common strings, by deriving
passwords by algorithmic means, or by capturing them in transit if they are sent unencrypted. After guessing or intercepting a user
name and associated password, the attacker gains a dangerous level of access to internal resources. How much access depends
on the privileges assigned to the compromised account, naturally. But in reality, the potential for damage depends more on the
hacker's intent. Usually the hacker's mission is to use the compromised account to install a backdoor entry to the enterprise.
Protocols for remote access to e-mail such as IMAP, POP3, and POP2 use simple user name and password authentication
techniques. These protocols can be used to facilitate brute force attacks. In fact, there are published methods that allow attackers to
remotely exploit the services of these protocols.
There are even more sophisticated ways of gaining unauthorized access. Worms can be used to perform system-spoofing attacks
whereby one system component masquerades as another. For example, worms can exploit flaws in the debug option of sendmail
and in .rhosts files (e.g., as used in UNIX) that stem from weak authentication. The debug option of sendmail can be turned off;
leaving the option on is an example of a usage flaw.
IP spoofing or session hijacking is a complex attack that exploits trust relationships. The attacker assumes the identity of a
trusted host in order to sabotage the security of the target host. As far as the target host knows, it is carrying on a conversation
with a trusted host.
In this assault, the attacker first identifies a trusted host whose identity will be assumed, perhaps by first determining the
patterns of trust for the host, that is, the range of IP addresses that the host trusts. The next step involves the disabling of
the host (such as by TCP SYN flooding attacks), since the attacker will assume its identity.
IP spoofing attacks succeed because it is easy to forge IP addresses and network-based address authentication techniques are
limited. The IP spoofing attack is blind, since the attacker may not have access to the responses from the target host. However,
the attacker can obtain two-way communication if routing tables are manipulated to use the spoofed source IP address. IP
spoofing attacks are often used as a first step for other assaults such as Denial of Service (DoS) and flooding attacks.
Network sniffers were originally designed to enable network managers to diagnose problems, perform analysis, or improve the
performance of their networks. Network sniffers work in a network segment that is not switched, such as segments connected
through a hub. In this way, the sniffer can see all traffic on that segment.
Older sniffers read packet headers of the network traffic and focused on identifying low-level packet characteristics such as
source and destination address. However, current sniffers can decode data from packets across all layers of the OSI model.
Attackers can use sniffers to view user information and passwords from packets across public or private networks. By using
sniffers, attackers can obtain valuable information about user names and passwords in particular from applications such as FTP,
telnet, and others that send passwords in the clear. Protocols for remote access to e-mail such as IMAP, POP3, and POP2 use
simple user name and password authentication techniques and are especially susceptible to sniffer attacks.
Since users tend to reuse passwords across multiple applications and platforms, attackers can use the acquired information to
obtain access to various resources on the network, where their confidentiality could be compromised. Moreover, these resources
could also be used as launch pads for other attacks.


In general, attackers can use network sniffers by compromising the physical security of the corporation, say, by walking into
the office and plugging a laptop into the network. With the growing use of wireless networks, someone in the parking lot with
a wireless device can access the enterprise's local network. Gaining access to the core packet network enables the attacker to
determine configurations and modes of operation for further exploitation.
Denial of Service (DoS) attacks flood a network with illegitimate requests and thereby prevent legitimate users from accessing
their service. DoS attacks are easy to implement and can cause significant damage, disrupting the operation of the enterprise
and effectively disconnecting it from the rest of the world.
DoS attacks can take various forms and target a variety of services. DoS attacks focus on exhausting network, server, host, and
application resources and on disrupting network connectivity. For example, the SYN flooding attack uses bogus half-open TCP
connection requests that exhaust the memory capacity of the targeted resource. These types of attacks can prevent legitimate users
from accessing hosts, Web applications, and other network resources. Distributed DoS attacks use the resources of more than
one machine to launch synchronized DoS attacks on a resource.
DoS attacks exploit weaknesses in the architecture of the system that is under attack. In some cases, they exploit weaknesses in
common Internet protocols, such as the Internet Control Message Protocol (ICMP). For example, some DoS attacks
send large numbers of ICMP echo (ping) packets to an IP broadcast address. The packets use a spoofed source IP address of a
potential target. The replies coming back to the target can cripple it. These types of attacks are called Smurf attacks. Another
form of attack uses UDP packets but works on the same concept.
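The two DoS patterns just described, a SYN flood leaving half-open connections against one host and a Smurf attack sending ICMP echo requests to a broadcast address, can both be spotted from a packet summary feed. The following detection logic is an added example for this appendix, not code from Nortel Networks or the white paper; the one-line packet summary format, the addresses, the local network list, and the threshold of five half-open connections are all constructed for illustration.

```python
"""Detection of two DoS patterns: TCP SYN flooding (many half-open connections
left against one host) and Smurf amplification (ICMP echo requests sent to a
network's broadcast address). Added example; not Nortel code. The packet summary
format and the addresses are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed packet summaries: "<seq> <proto> <src> <dst> <tcp-flags|icmp-type>"
SAMPLE_LOG = """\
1 tcp 203.0.113.5 192.0.2.10 S
2 tcp 203.0.113.6 192.0.2.10 S
3 tcp 203.0.113.7 192.0.2.10 S
4 tcp 198.51.100.4 192.0.2.10 S
5 tcp 192.0.2.10 198.51.100.4 SA
6 tcp 198.51.100.4 192.0.2.10 A
7 tcp 203.0.113.8 192.0.2.10 S
8 tcp 203.0.113.9 192.0.2.10 S
9 icmp 192.0.2.99 192.0.2.255 echo-request
10 icmp 10.0.0.7 10.0.0.8 echo-request
"""

# Networks this sensor watches (constructed); their broadcast addresses are
# the amplifiers a Smurf attack abuses.
LOCAL_NETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/24")]


def parse_log(text):
    """Turn summary lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        seq, proto, src, dst, info = parts
        records.append({"seq": int(seq), "proto": proto, "src": src,
                        "dst": dst, "info": info})
    return records


def half_open_per_host(records):
    """Count SYNs never followed by the client's final ACK, per server.

    A pure SYN opens a pending entry for (src, dst); the client's ACK on the
    same pair closes it. What remains is the half-open backlog each server is
    carrying, which is exactly what a SYN flood tries to exhaust.
    """
    pending = set()
    for r in records:
        if r["proto"] != "tcp":
            continue
        key = (r["src"], r["dst"])
        if r["info"] == "S":
            pending.add(key)
        elif r["info"] == "A" and key in pending:
            pending.discard(key)
    counts = defaultdict(int)
    for _, dst in pending:
        counts[dst] += 1
    return dict(counts)


def find_syn_floods(records, threshold=5):
    """Hosts whose half-open backlog reaches the (constructed) threshold."""
    return {dst: n for dst, n in half_open_per_host(records).items()
            if n >= threshold}


def find_smurf_triggers(records, local_nets=LOCAL_NETS):
    """ICMP echo requests aimed at a local broadcast address.

    In a Smurf attack the source address is the spoofed victim, so each
    (src, dst) pair returned names the likely victim and the subnet being
    used as an amplifier.
    """
    broadcasts = {net.broadcast_address for net in local_nets}
    return [(r["src"], r["dst"]) for r in records
            if r["proto"] == "icmp" and r["info"] == "echo-request"
            and ip_address(r["dst"]) in broadcasts]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("SYN flood suspects:", find_syn_floods(recs))
    print("Smurf triggers:", find_smurf_triggers(recs))
```

On the constructed feed the server 192.0.2.10 is left with five half-open connections (the one client that completes its handshake is removed from the backlog), and the single echo request to 192.0.2.255 is reported as a Smurf trigger while the unicast ping to 10.0.0.8 is not. In a real deployment the threshold would be set against the observed baseline backlog, and the same broadcast check is what justifies disabling directed-broadcast forwarding on routers.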
Bucket brigade attacks are also known as man-in-the-middle attacks. In this kind of assault the attacker intercepts messages
in a public key exchange between a server and a client. The attacker retransmits the messages, substituting their public key for
the requested one. The original parties will think that they are communicating with each other. The attacker may just have
access to the messages or may modify them. Network sniffers can be used to launch such attacks.
Back door entries to access network resources can be accidentally or intentionally opened by users and procedural oversights,
such as these:
• Deliberately placed by system developers to allow quick access during development and not turned off upon delivery
• Placed by employees to facilitate performance of their duties
• Part of standard operating system installs that have not been eliminated by OS hardening, such as retaining default
user logon ID and password combinations
• Placed by disgruntled employees to allow access after termination
• Created by the execution of malicious code, such as viruses
Masquerading or elevation of privilege enables a hacker to pose as a valid administrator or engineer to access the network.
Masquerading as a user with administrative privileges, the intruder can modify accounts, configuration data, network signaling,
and billing and usage data.
Eavesdropping takes advantage of the promiscuous mode of off-the-shelf Ethernet adaptors that are sold in the market.
This mode enables an attacker to capture every packet on the network to listen and record data communications on the
enterprise LAN. There are plenty of free network sniffers on the Web today that an attacker can use for eavesdropping.
Eavesdropping is an insidious problem because it is difficult to detect.


Appendix B. Application and network level threats

Application threats
Application-layer attacks exploit vulnerabilities in the operating system and applications to gain access to resources.
For example, since Web hosts are accessible by the public at known port addresses specified by protocols (such as port 80
for HTTP traffic), hackers can use this knowledge to launch attacks that can bypass firewalls.
Improper configuration and authorization can lead to security holes. For example, a Web server host should freely distribute
Web pages but restrict shell command access to authorized administrators as specified in the security policy.
Account harvesting targets the authentication process when an application requests the user's logon ID and password.
Applications that generate different error messages for a wrong user logon ID and a wrong password are vulnerable to this type
of attack. Based on the type of error message, an intruder can customize an attack that first determines a valid user logon ID
and then uses other forms of password cracking techniques to get the password.
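The defect behind account harvesting, and its fix, in working code. This is an added example, not code from the white paper or from Nortel Networks: `login_vulnerable()` answers an unknown logon ID and a wrong password with different messages, which is the leak described above; `login_hardened()` answers both with one message and, because an unknown ID is checked against a dummy record, spends the same hashing effort on both paths, so neither the text nor the response time tells an intruder which IDs exist. The user table, salts, passwords and PBKDF2 work factor are constructed.

```python
"""Account harvesting defence. Added example, not code from the white paper.
The vulnerable login leaks whether a logon ID exists through distinct error
messages; the hardened login returns one message and does equal work on
every path. The user table, salts and passwords are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor (constructed; tune for real deployments)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_table(credentials):
    """Build {logon_id: (salt, hash)} from constructed plaintext credentials."""
    table = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_password(password, salt))
    return table


USERS = make_user_table({"alice": "correct horse battery"})

# Dummy record used for unknown IDs so that the hashing cost, and hence the
# response time, is the same whether or not the logon ID exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_RECORD = (_DUMMY_SALT, hash_password("dummy-never-matches", _DUMMY_SALT))


def login_vulnerable(user, password):
    """Distinct errors let an intruder enumerate valid logon IDs first."""
    if user not in USERS:
        return "unknown user"            # confirms the ID does not exist
    salt, stored = USERS[user]
    if hash_password(password, salt) != stored:
        return "wrong password"          # confirms the ID does exist
    return "ok"


def login_hardened(user, password):
    """One generic message, constant-time comparison, same work on every path."""
    salt, stored = USERS.get(user, _DUMMY_RECORD)
    match = hmac.compare_digest(hash_password(password, salt), stored)
    if match and user in USERS:
        return "ok"
    return "invalid logon ID or password"
```

The generic message alone is not enough: if the unknown-ID path skipped the hash, its faster response would leak the same information, which is why the dummy record and `hmac.compare_digest` are part of the fix. Lockout or rate limiting per source, not per account, should accompany this so the intruder cannot simply try the password-cracking step at full speed.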
Application-layer attacks can be based on viruses, worms, buffer overflow, and password harvesting, among others. Some
application-layer attacks are aimed at just dismantling the Web site. Other attacks poison a Web site's cookies to gain illegitimate
information about a particular server. Applications in general do not check the validity of cookies and can fall victim to
malicious code hidden in the cookies. Known vulnerabilities in current Web browsers allow such cookie-based attacks.
An attacker may also use a cross-site scripting technique to insert malicious code in the form of a script tag that is added to
a URL and executed when an unsuspecting user clicks on the URL. SSL can solve some of these application-layer security
problems but doesn't fully protect Web applications. Attacks such as account harvesting and password cracking can still be
launched even if SSL is used.
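The reflected cross-site scripting case above, a script tag carried in a URL, comes down to one decision in the server's page rendering: whether the query parameter is inserted as raw HTML or encoded first. The block below is an added example, not code from the white paper or from Nortel Networks, that shows the two choices side by side; the page template, the `q` parameter name and the sample URL are constructed. SSL would not change either outcome, since the script arrives inside a perfectly valid encrypted request.

```python
"""Reflected cross-site scripting: the URL-carried script tag. Added example,
not code from the white paper. render_vulnerable() copies the query parameter
straight into the page, so markup in the URL becomes part of the document;
render_hardened() HTML-escapes it so the browser shows the characters as text.
The page template and sample URL are constructed."""
from html import escape
from urllib.parse import parse_qs, urlparse

# Constructed page template; {q} is where the user-supplied search term lands.
TEMPLATE = "<html><body><p>Results for: {q}</p></body></html>"


def search_term(url):
    """Extract the 'q' query parameter (percent-decoded) from a URL."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(url):
    """Untrusted input inserted as raw HTML: the reflected XSS defect."""
    return TEMPLATE.format(q=search_term(url))


def render_hardened(url):
    """Output encoding: < > & and quotes become entities before insertion."""
    return TEMPLATE.format(q=escape(search_term(url), quote=True))


def contains_live_markup(page):
    """True if the rendered page still carries an executable script tag."""
    return "<script" in page.lower()


# Constructed link of the kind a victim would be lured into clicking.
SAMPLE_URL = "http://www.example.com/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))
    print(render_hardened(SAMPLE_URL))
```

For an ordinary search term the two renderers produce identical pages, so the encoding costs nothing for legitimate use; only input containing markup characters is changed, and then only in the direction of being displayed rather than executed. Encoding at the point of output, with the rule chosen for the context the value lands in (HTML body here; attribute, JavaScript and URL contexts each need their own), is the general defence of which this is one instance.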
Network threats
Internet-connected enterprises expose their network infrastructure to serious security threats such as sabotage, vandalism, bad
system configuration, denial of service (DoS), snooping, industrial espionage, and theft of service. Attacks may be launched
from inside the network by insiders and also from external sources such as hackers.
Recent developments in hacker technology, such as mobile terminal-based port scanners, demonstrate that attacks on
network infrastructure can originate from the mobile terminal as well. How do you protect switches, routers, access points,
remote access servers, wireless access points, hosts, and other resources from these threats?
The typical IP packet infrastructure demonstrates a wide array of vulnerabilities:
• It commonly uses protocols with known security vulnerabilities, such as ICMP, TELNET, SNMPv1 and v2, DHCP,
TFTP, RIPv1, NTP, DNS, and HTTP. Other common protocols (e.g., FTP, IMAP, SMTP) may also have vulnerabilities.
• It uses weak, locally managed, static passwords based on short, common dictionary words that are easy to guess.
Some administrators may use one password across network elements, which may be shared and would be known
by all administrators.
• It leaves security information unprotected, for instance by not encrypting password files, improperly setting firewall
rules, or using weak encryption methods for transmitting passwords.
• It supports unauthenticated software loads and configuration files that are intentionally or maliciously incorrect, resulting
in erroneous device configurations, poor performance, loss of service, and open invitations for Trojan horses or other
malicious code.
• It uses non-hardened network elements and operating systems that still use factory default settings, which may run
unnecessary services and have default accounts and passwords still enabled.
• It unnecessarily exposes management ports and interfaces to the public network, or allows unauthorized management
actions over dial-up, ISDN, or other connections.

In the United States:


Nortel Networks
35 Davis Drive
Research Triangle Park, NC 27709
USA

In Canada:
Nortel Networks
8200 Dixie Road,
Suite 100
Brampton, Ontario L6T 5P6
Canada

In Caribbean and Latin America:


Nortel Networks
1500 Concorde Terrace
Sunrise, FL 33323
USA

In Europe:
Nortel Networks
Maidenhead Office Park
Westacott Way
Maidenhead Berkshire SL6 3QH
UK

In Asia:
Nortel Networks Asia
6/F Cityplaza 4,
Taikooshing,
12 Taikoo Wan Road,
Hong Kong

Nortel Networks is an industry leader and innovator focused on transforming how the world
communicates and exchanges information. The company is supplying its service provider and
enterprise customers with communications technology and infrastructure to enable value-added
IP data, voice and multimedia services spanning Metro and Enterprise Networks, Wireless Networks,
and Optical Long Haul Networks. As a global company, Nortel Networks does business in more than
150 countries. More information about Nortel Networks can be found on the web at:

www.nortelnetworks.com/security
For more information, contact your Nortel Networks representative, or
call 1-800-4 NORTEL or 1-800-466-7835 from anywhere in North America.
*Nortel Networks, the Nortel Networks logo, and the globemark design are trademarks of Nortel Networks.
All other trademarks are the property of their owners
Copyright 2002 Nortel Networks. All rights reserved. Information in this document is subject to change without notice.
Nortel Networks assumes no responsibility for any errors that may appear in this document.

NN102060-0902
