Network Security: Issues, Processes and Technologies
Alcatel e-Business Networking Division, [email protected]


Page 1: Network Security: Issues, Processes and Technologies

Alcatel e-Business Networking Division, [email protected]

Page 2: Agenda

- Network Security Threats
- Need for Security
- Security Processes
- Security Policies
- Network Security Technologies
- Alcatel's Strategy

Page 3: Information Security is Key

- Historically, information was controllable through good state-of-the-art alarm systems and physical security
  - banks
  - R&D facilities
  - government complexes
  - airports
  - power grids
- Today, traditional businesses and services are controlled electronically
  - information security has not kept up with the times
  - traditional secure environments are now wide open

Page 4: Network Security Threats

- Identity interception: "discovery" of a valid user ID & password; stolen files
- Masquerade: one user pretending to be another; address spoofing
- Replay attack: login monitoring and playback; protocol analyzers
- Data interception: intermediate capture of data; wiretaps and monitoring devices

Page 5: Threats (cont.)

- Manipulation: unauthorized data change; virus
- Integrity: doubts as to data origin
- Macro viruses: application-specific viruses (Word & Excel)
- Denial of service attacks: data flooding of servers, consuming CPUs
- Malicious mobile code: auto-executables via ActiveX or Java

Page 6: Growing Needs for Security

- Privacy: personal, governmental
- Multilevel security: classifications / need to know
- Anonymity: commercial, medical
- Authentication: proof of identity / accuracy
- Integrity: validity of data
  - datum's relationship to itself over time
  - has the data been modified since creation?
- Audit: records / logs; aids forensics
- Electronic currency: credit / debit cards, letters of credit, digital cash

Page 7

"Security is a process, not a product"
- Bruce Schneier

Page 8: Network Security Process: Closed Loop Corrective Action

- Evaluate
  - Policies / Processes
  - Design
  - Vulnerabilities
- Implement
  - Patches
  - New policies & designs
  - Authentication
  - Firewalls & VPNs
  - Content security
  - Intrusion detection
- Monitor & Measure
  - Self
  - Service
- Improve
  - Training / Awareness
  - Adherence
- Incident Response Team

Page 9: Elements of a Security Policy

(Diagram roles: General Employees, Watch Team, Forensics, Response, Attacker)

- Build a Security Team: skills and roles
- Training and Awareness: explaining security
- Physical Security
- Monitoring: logs and analysis
- Auditing: assess security posture
- Prepare for an Attack: incident response team
- Handling an Attack
- Forensics: analyze data

Page 10: Network Security Technologies

- Authentication: Traditional, Public Key Infrastructure, Single Sign-On, Layer 2
- Firewalls: packet filtering, proxy, stateful inspection
- VPNs / Cryptography: Data Confidentiality, Data Integrity, Non-Repudiation
- NAT
- DNS
- Content Filtering: virus, URLs
- Intrusion Detection: network & host
- Vulnerabilities: network, host

Page 11: Alcatel Security Solutions Strategy

- Adding value to core eND platforms through embedded security
- Delivering a full-function, standalone security appliance family
- Establishing partnerships with organizations that offer security solutions outside of Alcatel's core business

Page 12: Alcatel Omni Switch Family Security Features

- Security to the switch (controlling management / attacks)
  - Authenticated Switch Access - users
  - Secure Switch Access - devices
  - Denial of Service defenses
  - Partitioned Management
- Security through the switch (Secure Traffic Management)
  - Firewall/NAT - embedded FW-1
  - Secure Switch Access - devices
  - IP-based Access Control Lists
  - Authenticated-VLANs - users
  - Binding VLANs - devices
  - Port Mapping
- Security between switches (Privacy & Authentication)
  - Secure VPN Gateways (external)
  - VPN on OA512 (1Q02)
  - Router Authentication (RIP/OSPF/BGP4)

Page 13: Port-Binding VLANs: Device Authentication

(Diagram: Example Rule: Port + IP protocol; protocol labels IP, DEC)

- Security at the switch port
- Device "bound" by VLAN policy
  - port + MAC + protocol
  - port + MAC + IP address
  - port + MAC
  - port + protocol
  - port + IP address
  - MAC + IP address
- Device fails authentication if any policy element is not met
- Violation results in SNMP trap
- Applications
  - non-mobile systems (printers & servers)
  - reduces the likelihood of address spoofing
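The binding check described on this slide, as an added example and not Alcatel code: each rule binds some subset of port, MAC, IP address and protocol, a device is admitted only when every bound element is met, and any mismatch produces a trap-style violation record. Ports, MACs and addresses are constructed sample values.

```python
"""Port-binding VLAN check (added example, not Alcatel code): a device is admitted
to its VLAN only if every element the policy binds (port, MAC, IP, protocol)
matches what is observed; any mismatch fails it and yields a trap-style record."""
from dataclasses import dataclass
from typing import Optional
BOUND = ("port", "mac", "ip", "protocol")

@dataclass(frozen=True)
class BindingRule:
    """Elements left as None are not bound by this rule (e.g. a port + MAC rule)."""
    vlan: int
    port: Optional[str] = None
    mac: Optional[str] = None
    ip: Optional[str] = None
    protocol: Optional[str] = None

@dataclass(frozen=True)
class Frame:                 # what the switch observes on a port
    port: str
    mac: str
    ip: Optional[str] = None
    protocol: str = "ip"

def mismatches(rule, frame):
    """Bound elements whose observed value differs from the policy."""
    return [e for e in BOUND
            if getattr(rule, e) is not None and getattr(rule, e) != getattr(frame, e)]

def classify(rules, frame):
    """Return (vlan, trap): the VLAN when every bound element is met, otherwise
    None plus a violation record (what the switch would report via SNMP trap)."""
    # A rule is relevant when the device presents an identifier that rule binds.
    relevant = [r for r in rules
                if (r.port is not None and r.port == frame.port)
                or (r.mac is not None and r.mac == frame.mac)]
    if not relevant:
        return None, None         # unbound device: default-VLAN handling, not modelled
    for r in relevant:
        if not mismatches(r, frame):
            return r.vlan, None   # authenticated: all bound elements met
    closest = min(relevant, key=lambda r: len(mismatches(r, frame)))
    return None, {"vlan": closest.vlan, "port": frame.port, "mac": frame.mac,
                  "failed": mismatches(closest, frame)}

# Constructed policy: a printer bound by port + MAC + IP, a server by MAC + IP.
RULES = [
    BindingRule(vlan=10, port="1/3", mac="00:20:da:aa:bb:01", ip="10.1.1.20"),
    BindingRule(vlan=20, mac="00:20:da:aa:bb:02", ip="10.1.2.5"),
]
```

A frame carrying the printer's MAC with a different IP, or the printer's MAC on another port, fails the bound rule and is reported rather than admitted, which is the address-spoofing case the slide has in mind.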

Page 14: VLAN User Authentication at Layer 2

(Diagram: Authentication Server, Authenticated User, Backbone, Switch)

- Authenticates users at switch port
  - permissions to users, not devices
- Leverages common authentication systems
  - RADIUS: front-ends RSA ACE/Server, NT Domain, NDS, etc.
  - LDAP Directory Server
- Moves user's MAC from default VLAN to authorized VLAN(s) based on Group Mobility technology
- Once authenticated, operating at LAN speed
- Ideal for mobile environments: campus, cybercafes, hospitals

Page 15: Alcatel XOS-based Security

- Feature Overview
  - software-based flow control based on src/dst IP address, tcp/udp port numbers, icmp type
  - tied to layer-7 classifier implementation
  - standard software for the OmniAccess 512
- Applications
  - control communications between networks
  - basic packet filtering without typical cost
  - security embedded in device

(Diagram: four networks 10.1.1.x, 10.1.2.x, 10.1.3.x, 10.1.4.x; an HTTP flow from 10.1.1.x to 10.1.2.x)
  Src/dst = */*, Action = deny
  Src = 10.1.1.x, dst = 10.1.2.x, type = http, Action = allow
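A first-match evaluator for the slide's two rules, as an added example rather than Alcatel's XOS code. It assumes "10.1.1.x" means 10.1.1.0/24 and "http" means TCP/80, and it places the specific allow ahead of the */* deny, because with first-match semantics a catch-all deny listed first shadows every later allow.

```python
"""First-match flow-control ACL in the style of the OA512 slide (added example,
not Alcatel software). Rules match on source/destination network, IP protocol
and TCP/UDP port or ICMP type; the first matching rule decides."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str                       # network in CIDR form, or "*" for any
    dst: str
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None    # "tcp", "udp", "icmp"; None = any protocol
    dport: Optional[int] = None    # tcp/udp destination port
    icmp_type: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

def in_net(addr, net):
    return net == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, pkt):
    """A rule element left unset (None / "*") matches anything."""
    return (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.icmp_type in (None, pkt.icmp_type))

def evaluate(acl, pkt):
    """Return (action, index of the deciding rule); the first match wins and an
    ACL with no match falls through to an implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None

# The slide's two rules. "10.1.1.x" is taken to mean 10.1.1.0/24 and "http" to
# mean TCP/80 (assumptions). The specific allow must precede the */* deny.
ACL = [
    Rule(src="10.1.1.0/24", dst="10.1.2.0/24", action="allow", proto="tcp", dport=80),
    Rule(src="*", dst="*", action="deny"),
]
```

Reversing the two rules makes the catch-all match first, so the HTTP flow the slide permits is denied; the return-path traffic from 10.1.2.x is also denied, which is what a stateless filter of this kind does unless a matching rule is added for it.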

Page 16: Alcatel XOS-based Security: VPN on OmniAccess 512

(Diagram: Remote Office, Internet, Central Corporate, OA512, Security Appliance, VPN Tunnel)

- Feature Overview
  - add VPN to OA512 (1Q02)
  - switching/routing, LAN/WAN, VoIP, ACLs, compression in 1 unit
  - VPN as optional software module leveraging the OA512's Hi/fn chip
- Applications
  - full security feature support
  - provisioning platform for routing / switching / VoIP / VPN: 1 box vs 2 or 3 boxes
  - interoperate with central gateway

Page 17: Alcatel Secure VPN Solution

- Key Points
  - Timestep - a first commercial VPN equipment provider
  - Core group of security experts part of eND; we own the technology and roadmap
- Successes
  - U.S. Department of Defense and Federal Reserve (US)
  - Westpac, INSNET (AU), etc.
- Compliance with standards: IPSec, ICSA (Trusecure.com), FIPS 140-1
- Seamless support for PKI: first VPN vendor to offer PKI support
- Product Set
  - 713x Secure VPN Gateways
  - Secure VPN Client
  - 5630 Secure VPN Management suite

Page 18: Speed Touch Pro II

- Speed Touch Pro II = enhanced platform as compared to Speed Touch Pro
- Allows integration of features of the Alcatel 713x Secure VPN Gateway onto this platform

(Diagram: Speed Touch Pro [xDSL, Ethernet] + Alcatel 713x SVG [Ethernet] -> integration -> Speed Touch Pro II [xDSL, Ethernet])

Page 19: Global Secure Remote Access and Branch Office Intranet

(Diagram labels: Internet; Internet POP; Alcatel 7137 Secure VPN Gateway; Alcatel 7134 Secure VPN Gateway; Firewall; Alcatel Secure VPN Client; Field agents; Branch office LAN; Head office LAN; LDAP-compliant directory; Alcatel 5631 Secure VPN Policy Manager and Entrust/PKI; Secure / Unsecure segments)

Page 20: Summary: a true security solution

- Edge / Core Switches: ACLs & embedded firewall/NAT, A-VLANs
- Standalone appliances: 713x VPN gateways, VPN/FW/NAT appliance
- VPN client software: Windows
- Switch-embedded VPN: RO/BO - OmniAccess 512
- Hardened switch OS
- Secure switch management: device & user
- Common management: standalone today; integrate with OmniVista with SecureView tomorrow

(Diagram labels: RO/BO, SO/HO, Central Site, Internet, DSL, VPN Tunnels, OA512, OmniPCX, VPN Client, Security Appliance, OmniVista w/ SecureView)

Page 21: Thank You