Alcatel e-Business Networking Division
Network Security: Issues, Processes and Technologies
Agenda
• Network Security Threats
• Need for Security
• Security Processes
• Security Policies
• Network Security Technologies
• Alcatel’s Strategy
Information Security is Key
• Historically, information was controllable through good state-of-the-art alarm systems and physical security: banks, R&D facilities, government complexes, airports, power grids
• Today, traditional businesses and services are controlled electronically
• Information security has not kept up with the times: traditional secure environments are now wide open
Network Security Threats
• Identity interception: “discovery” of a valid user ID & password; stolen files
• Masquerade: one user pretending to be another; address spoofing
• Replay attack: login monitoring and playback; protocol analyzers
• Data interception: intermediate capture of data; wiretaps and monitoring devices
Threats (cont.)
• Manipulation: unauthorized data change; virus
• Integrity: doubts as to data origin
• Macro viruses: application-specific viruses (Word & Excel)
• Denial of service attacks: data flooding of servers, consuming CPUs
• Malicious mobile code: auto-executables via ActiveX or Java
Growing Needs for Security
• Privacy: personal, governmental
• Multilevel security: classifications / need to know
• Anonymity: commercial, medical
• Authentication: proof of identity / accuracy
• Integrity: validity of data; the datum’s relationship to itself over time; has the data been modified since creation?
• Audit: records / logs; aids forensics
• Electronic currency: credit / debit cards, letters of credit, digital cash
“Security is a process, not a product”
- Bruce Schneier
Network Security Process: Closed Loop Corrective Action
• Evaluate: policies / processes; design; vulnerabilities
• Implement: patches; new policies & designs; authentication; firewalls & VPNs; content security; intrusion detection
• Monitor & Measure: self; service
• Improve: training / awareness; adherence
• Incident Response Team at the centre of the loop
(Figure: attacker versus general employees, watch team, forensics and response)
Elements of a Security Policy
• Build a Security Team: skills and roles
• Training and Awareness: explaining security
• Physical Security
• Monitoring: logs and analysis
• Auditing: assess security posture
• Prepare for an Attack: incident response team
• Handling an Attack
• Forensics: analyze data
Network Security Technologies
• Authentication: traditional; Public Key Infrastructure; Single Sign-On; Layer 2
• Firewalls: packet filtering; proxy; stateful inspection
• VPNs / Cryptography: data confidentiality; data integrity; non-repudiation
• NAT
• DNS
• Content Filtering: virus; URLs
• Intrusion Detection: network & host
• Vulnerabilities: network; host
Alcatel Security Solutions Strategy
• Adding value to core eND platforms through embedded security
• Delivering a full-function, standalone security appliance family
• Establishing partnerships with organizations that offer security solutions outside of Alcatel’s core business
Alcatel OmniSwitch Family: Security Features
Security to the switch (controlling management / attacks)
• Authenticated Switch Access (users)
• Secure Switch Access (devices)
• Denial of Service defenses
• Partitioned Management
Security through the switch (secure traffic management)
• Firewall/NAT: embedded FW-1
• Secure Switch Access (devices)
• IP-based Access Control Lists
• Authenticated VLANs (users)
• Binding VLANs (devices)
• Port Mapping
Security between switches (privacy & authentication)
• Secure VPN Gateways (external)
• VPN on OA512 (1Q02)
• Router Authentication (RIP/OSPF/BGP4)
(Figure: example rule, port + IP protocol; protocols shown on the port: IP, DEC)
Port-Binding VLANs: Device Authentication
• Security at the switch port: the device is “bound” by VLAN policy
• Binding combinations: port + MAC + protocol; port + MAC + IP address; port + MAC; port + protocol; port + IP address; MAC + IP address
• A device fails authentication if any policy element is not met
• A violation results in an SNMP trap
• Applications: non-mobile systems (printers & servers); reduces the likelihood of address spoofing
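The binding check described above, as an added example (not Alcatel switch code): each of the six element combinations is a rule with just those keys, a frame is checked against the rules that claim its port or MAC, and any unmet element is a violation that would raise the trap. The binding table, MAC addresses and IP addresses are constructed for the example.

```python
"""Port-binding VLAN policy check (added example, not Alcatel code).

A binding is the set of policy elements a device must present on the wire.
Any of the six combinations on the slide is expressed by which keys a rule
carries: port, mac, protocol, ip.  A device fails if ANY element of its
binding is not met, which is what catches a MAC or IP turning up on the
wrong port.  Rule contents and addresses below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    port: int
    mac: str
    protocol: str               # "ip", "dec", ... (the slide's IP / DEC examples)
    ip: Optional[str] = None    # only meaningful when protocol == "ip"


# Hypothetical binding table: one rule per bound device (or per port).
BINDINGS = [
    {"port": 1, "mac": "00:d0:95:00:00:01", "ip": "10.1.1.10"},   # server: port + MAC + IP
    {"port": 2, "mac": "00:d0:95:00:00:02", "protocol": "ip"},    # printer: port + MAC + protocol
    {"mac": "00:d0:95:00:00:03", "ip": "10.1.1.12"},              # MAC + IP, any port
    {"port": 4, "protocol": "dec"},                               # port + protocol
]


def candidate_rules(frame):
    """Rules that claim this frame: same port, or same MAC when the rule names one."""
    return [r for r in BINDINGS
            if r.get("port") == frame.port or ("mac" in r and r["mac"] == frame.mac)]


def unmet_elements(rule, frame):
    """Policy elements of the rule the frame does not satisfy."""
    return [k for k, v in rule.items() if getattr(frame, k) != v]


def check_frame(frame):
    """Return ("ok", rule) when some claiming rule is fully met, otherwise
    ("violation", traps) where each trap lists the unmet elements.  A frame
    that no rule claims is a violation too (fail closed)."""
    rules = candidate_rules(frame)
    traps = []
    for rule in rules:
        missing = unmet_elements(rule, frame)
        if not missing:
            return "ok", rule
        traps.append({"rule": rule, "unmet": missing})
    if not rules:
        traps.append({"rule": None, "unmet": ["no binding for this port or MAC"]})
    # This is the point at which the switch would send the SNMP trap.
    return "violation", traps


if __name__ == "__main__":
    server_mac_on_wrong_port = Frame(3, "00:d0:95:00:00:01", "ip", "10.1.1.99")
    print(check_frame(server_mac_on_wrong_port))
```

Note what a rule without an IP element cannot see: a host that keeps its bound MAC and port but changes its IP address passes a port + MAC binding, which is why the slide offers combinations that include the IP address. Cloning both MAC and IP on the same port still passes; the feature reduces the likelihood of spoofing rather than eliminating it.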
(Figure: authenticated user, switch, backbone, authentication server)
Authenticated VLANs: User Authentication at Layer 2
• Authenticates users at the switch port: permissions to users, not devices
• Leverages common authentication systems: RADIUS (front-ends RSA ACE/Server, NT Domain, NDS, etc.); LDAP Directory Server
• Moves the user’s MAC from the default VLAN to the authorized VLAN(s) based on Group Mobility technology
• Once authenticated, operating at LAN speed
• Ideal for mobile environments: campus, cybercafes, hospitals
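The exchange behind the slide, as an added example (not Alcatel code): the switch hides the PAP password in a RADIUS Access-Request as RFC 2865 specifies, the server verifies it and signs its reply with the Response Authenticator, and the switch moves the MAC out of the default VLAN only after that authenticator checks out. Details the slide does not give and that are assumed here: the authorized VLAN is carried back in Tunnel-Private-Group-ID (attribute 81, RFC 2868), and the shared secret and user database are constructed.

```python
"""Authenticated-VLAN login at layer 2 (added example, not Alcatel code).

Switch side: build an Access-Request with a random Request Authenticator,
hide the PAP password (RFC 2865 5.2), verify the Response Authenticator on
the reply, then move the user's MAC from the default VLAN to the assigned one.
Server side: recover the password, compare it, answer Accept or Reject.
Assumed (not on the slide): VLAN returned in Tunnel-Private-Group-ID (81,
RFC 2868); SHARED_SECRET and USERS are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"example-shared-secret"          # assumed switch/server secret
USERS = {"alice": (b"correct horse", 20)}          # hypothetical user -> (password, VLAN)
DEFAULT_VLAN = 1

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, TUNNEL_PRIVATE_GROUP_ID = 1, 2, 81


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; C_i = P_i XOR MD5(secret + C_{i-1}),
    with C_0 = the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(cipher, secret, request_auth):
    """Inverse of hide_password: anyone holding the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attrs_encode(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def attrs_decode(data):
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def packet(code, ident, authenticator, attrs):
    body = attrs_encode(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def radius_server(request):
    """Check the PAP password and answer with an authenticated Accept/Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(attrs_decode(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode()
    password = unhide_password(attrs.get(USER_PASSWORD, b""), SHARED_SECRET, request_auth)
    reply_code, reply_attrs = ACCESS_REJECT, []
    if code == ACCESS_REQUEST and user in USERS and hmac.compare_digest(USERS[user][0], password):
        reply_code = ACCESS_ACCEPT
        reply_attrs = [(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(USERS[user][1]).encode())]  # tag 0
    body = attrs_encode(reply_attrs)
    header = struct.pack("!BBH", reply_code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + body + SHARED_SECRET).digest()
    return header + response_auth + body


def switch_login(vlan_table, mac, username, password, server=radius_server, ident=7):
    """Run the exchange from the switch's side; return the VLAN the MAC ends up in."""
    vlan_table.setdefault(mac, DEFAULT_VLAN)
    request_auth = os.urandom(16)
    request = packet(ACCESS_REQUEST, ident, request_auth,
                     [(USER_NAME, username.encode()),
                      (USER_PASSWORD, hide_password(password, SHARED_SECRET, request_auth))])
    reply = server(request)
    header, response_auth, body = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + body + SHARED_SECRET).digest()
    if not hmac.compare_digest(expected, response_auth):
        return vlan_table[mac]          # forged or tampered reply: stay in the default VLAN
    if header[0] == ACCESS_ACCEPT and header[1] == ident:
        vlan = int(dict(attrs_decode(body))[TUNNEL_PRIVATE_GROUP_ID][1:])
        vlan_table[mac] = vlan          # Group Mobility: move the MAC to the authorized VLAN
    return vlan_table[mac]


def forged_server(request):
    """Rogue server without the shared secret trying to push the MAC into VLAN 99."""
    return packet(ACCESS_ACCEPT, request[1], b"\x00" * 16,
                  [(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"99")])
```

Two things the code makes visible that the slide does not: the Response Authenticator is the only thing stopping a forged Access-Accept from moving a MAC into an arbitrary VLAN, and PAP hiding is MD5 keyed with the shared secret, so the switch-to-server path is only as strong as that secret and its reachability.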
Alcatel XOS-based Security
Feature Overview
• Software-based flow control based on src/dst IP address, TCP/UDP port numbers, ICMP type
• Tied to the layer-7 classifier implementation
• Standard software for the OmniAccess 512
Applications
• Control communications between networks
• Basic packet filtering without the typical cost: security embedded in the device
(Figure: networks 10.1.1.x, 10.1.2.x, 10.1.3.x and 10.1.4.x attached to the OA512; example rules “Src/dst = */*, Action = deny” and “Src = 10.1.1.x, dst = 10.1.2.x, type = http, Action = allow”; HTTP flow from 10.1.1.x to 10.1.2.x)
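A first-match evaluator for rules of the kind on the slide, as an added example (not Alcatel XOS code; the rule syntax is my own). It uses the slide’s two rules and networks, takes “type = http” to mean TCP destination port 80 (an assumption), and shows the two things a practitioner checks in such a list: the catch-all deny must sit last or it shadows the allow, and a stateless allow for 10.1.1.x to 10.1.2.x says nothing about the reply direction.

```python
"""First-match ACL evaluation (added example, not Alcatel XOS code).

Rules match on src/dst network, protocol, TCP/UDP destination port and
ICMP type.  The first matching rule decides; nothing matching means deny.
The slide prints "src/dst = */* deny" above "10.1.1.x -> 10.1.2.x http allow";
in a first-match engine the catch-all has to come LAST.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                  # "tcp", "udp", "icmp"
    dport: Optional[int] = None    # tcp/udp destination port
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"         # "*" on the slide
    dst: str = "0.0.0.0/0"
    protocol: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt):
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def evaluate(acl, pkt):
    """First matching rule decides; an empty or non-matching list denies (fail closed)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The slide's two rules in the order a first-match engine needs them.
# "type = http" is taken to mean TCP destination port 80 (assumption).
HTTP_ONLY = [
    Rule("allow", src="10.1.1.0/24", dst="10.1.2.0/24", protocol="tcp", dport=80),
    Rule("deny"),                                     # src/dst = */*
]

# The same two rules in the order printed on the slide: the catch-all shadows the allow.
SHADOWED = [Rule("deny"), HTTP_ONLY[0]]


def shadowed_rules(acl):
    """Rules that can never fire because an earlier rule is a superset on every field.
    Only this simple one-rule-covers-another case is detected."""
    def covers(a, b):
        return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
                and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
                and a.protocol in (None, b.protocol)
                and a.dport in (None, b.dport)
                and a.icmp_type in (None, b.icmp_type))
    return [b for i, b in enumerate(acl) if any(covers(a, b) for a in acl[:i])]


if __name__ == "__main__":
    print(evaluate(HTTP_ONLY, Packet("10.1.1.5", "10.1.2.9", "tcp", dport=80)))   # allow
    print(evaluate(SHADOWED, Packet("10.1.1.5", "10.1.2.9", "tcp", dport=80)))    # deny
    print(shadowed_rules(SHADOWED))
```

Because this is the “basic packet filtering” the slide describes rather than stateful inspection, the HTTP server’s replies from 10.1.2.x back to 10.1.1.x fall through to the deny: a stateless list needs an explicit reverse rule (or a stateful engine) for the connection to work.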
(Figure: remote offices with an OA512 each, VPN tunnels across the Internet to a security appliance at central corporate)
Alcatel XOS-based Security: VPN on OmniAccess 512
Feature Overview
• Add VPN to the OA512 (1Q02)
• Switching/routing, LAN/WAN, VoIP, ACLs, compression in one unit
• VPN as an optional software module leveraging the OA512’s Hi/fn chip
Applications
• Full security feature support: provides a provisioning platform for routing / switching / VoIP / VPN
• One box vs. two or three boxes
• Interoperates with the central gateway
Alcatel Secure VPN Solution
Key Points
• Timestep: a first commercial VPN equipment provider
• Core group of security experts, part of eND: we own the technology and roadmap
• Successes: U.S. Department of Defense and Federal Reserve (US); Westpac, INSNET (AU), etc.
• Compliance with standards: IPSec; ICSA (Trusecure.com); FIPS 140-1
• Seamless support for PKI: first VPN vendor to offer PKI support
Product Set
• 713x Secure VPN Gateways
• Secure VPN Client
• 5630 Secure VPN Management suite
Speed Touch Pro II
• Speed Touch Pro II = enhanced platform as compared to Speed Touch Pro
• Allows integration of the features of the Alcatel 713x Secure VPN Gateway onto this platform
(Figure: Speed Touch Pro (xDSL, Ethernet) + Alcatel 713x SVG (Ethernet, Ethernet) → integration → Speed Touch Pro II (xDSL, Ethernet))
Global Secure Remote Access and Branch Office Intranet
(Figure: head office LAN behind a firewall and an Alcatel 7137 Secure VPN Gateway, with an LDAP-compliant directory and the Alcatel 5631 Secure VPN Policy Manager and Entrust/PKI; branch office LAN behind an Alcatel 7134 Secure VPN Gateway; field agents running the Alcatel Secure VPN Client through Internet POPs; secure and unsecure segments marked)
Summary: a true security solution
• Edge / core switches: ACLs & embedded firewall/NAT; A-VLANs
• Standalone appliances: 713x VPN gateways; VPN/FW/NAT appliance
• VPN client software: Windows
• Switch-embedded VPN for RO/BO (remote office / branch office): OmniAccess 512
• Hardened switch OS
• Secure switch management: device & user
• Common management: standalone today; integrate with OmniVista with SecureView tomorrow
(Figure: central site with security appliance and OmniVista w/ SecureView; VPN tunnels over the Internet to RO/BO sites with OA512 and OmniPCX, a SO/HO site over DSL, and a VPN client)
Thank You