Transcript of a PowerPoint presentation

Network Security:
Issues, Processes and Technologies
[email protected]
Alcatel e-Business Networking Division
Agenda
- Network Security
  - Threats
  - Need for Security
- Security Processes
- Security Policies
- Network Security Technologies
- Alcatel’s Strategy
Information Security is Key
- Historically, information was controllable through good state-of-the-art alarm systems and physical security
  - banks
  - R&D facilities
  - government complexes
  - airports
  - power grids
- Today, traditional businesses and services are controlled electronically
  - information security has not kept up with the times
  - traditional secure environments are now wide open
Network Security Threats
- Identity interception
  - “discovery” of a valid user ID & password
  - stolen files
- Masquerade
  - one user pretending to be another
  - address spoofing
- Replay attack
  - login monitoring and playback
  - protocol analyzers
- Data interception
  - intermediate capture of data
  - wiretaps and monitoring devices
Threats (cont.)
- Manipulation
  - unauthorized data change
  - virus
- Integrity
  - doubts as to data origin
- Macro viruses
  - application-specific viruses (Word & Excel)
- Denial of service attacks
  - data flooding of servers consuming CPUs
- Malicious mobile code
  - auto-executables via ActiveX or Java
Growing Needs for Security
- Privacy
  - personal
  - governmental
  - commercial
  - medical
- Anonymity
- Integrity
  - validity of data
  - a datum’s relationship to itself over time
  - has the data been modified since creation
- Multilevel security
  - classifications / need to know
- Authentication
  - proof of identity / accuracy
- Audit
  - records / logs
  - aids forensics
- Electronic currency
  - credit / debit cards
  - letters of credit
  - digital cash
“Security is a process, not a product”
- Bruce Schneier
Network Security Process
Closed Loop Corrective Action, with the Incident Response Team at the centre of the loop:
- Evaluate
  - Policies / Processes
  - Design
  - Vulnerabilities
- Implement
  - Patches
  - New policies & designs
  - Authentication
  - Firewalls & VPNs
  - Content security
  - Intrusion detection
- Monitor & Measure
  - Self
  - Service
- Improve
  - Training / Awareness
  - Adherence
Elements of a Security Policy
- Build a Security Team
  - skills and roles
  - incident response team
- Training and Awareness
  - explaining security
- Prepare for an Attack
  - Physical Security
  - Monitoring
    - logs and analysis
  - Auditing
    - assess security posture
- Handling an Attack
  - Response
  - Forensics
    - analyze data
(Diagram: Attacker facing the Watch Team, the Response and Forensics functions, and General Employees.)
Network Security Technologies
- Authentication
  - Traditional
  - Public Key Infrastructure
  - Single Sign-On
  - Layer 2
- NAT
- DNS
- Content Filtering
  - virus
  - URLs
- Firewalls
  - packet filtering
  - proxy
  - stateful inspection
- Intrusion Detection
  - network & host
- VPNs / Cryptography
  - Data Confidentiality
  - Data Integrity
  - Non-Repudiation
- Vulnerabilities
  - network
  - host
Alcatel Security Solutions Strategy
- Adding value to core eND platforms through embedded security
- Delivering a full-function, standalone security appliance family
- Establishing partnerships with organizations that offer security solutions outside of Alcatel’s core business
Alcatel OmniSwitch Family
Security Features
- Security to the switch (controlling management / attacks)
  - Authenticated Switch Access - users
  - Secure Switch Access - devices
  - Denial of Service defenses
  - Partitioned Management
- Security through the switch (secure traffic management)
  - Firewall/NAT - embedded FW-1
  - Secure Switch Access - devices
  - IP-based Access Control Lists
  - Authenticated-VLANs - users
  - Binding VLANs - devices
  - Port Mapping
- Security between switches (privacy & authentication)
  - Secure VPN Gateways (external)
  - VPN on OA512 (1Q02)
  - Router Authentication (RIP/OSPF/BGP4)
Port-Binding VLANs
Device Authentication
- Security at the switch port
- Device “bound” by VLAN policy, using one of these element combinations:
  - port + MAC + protocol
  - port + MAC + IP address
  - port + MAC
  - port + protocol
  - port + IP address
  - MAC + IP address
- Example rule: Port + IP protocol (figure: three ports carrying IP, IP and DEC)
- Device fails authentication if any policy element is not met
- Violation results in an SNMP trap
- Applications
  - non-mobile systems (printers & servers)
  - reduces the likelihood of address spoofing
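The binding rule above is an all-or-nothing match: the device is admitted to its VLAN only when every element of the configured combination agrees with what the switch sees on the port, and a single mismatch fails the device and raises a trap. The following is an added Python illustration of that evaluation, not Alcatel switch code; the port names, MAC addresses, IP addresses and VLAN numbers are constructed sample data, and the trap text is a plain-text stand-in for a switch-specific SNMP notification.

```python
"""Port-binding VLAN policy check (added illustration, not Alcatel's implementation).

A Binding is one 'device bound by VLAN policy' rule. Every element that is set
must match the frame; a single mismatch fails the device, which the switch
would report as an SNMP trap. All values below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """None means the element is not part of this rule, e.g. a
    port + protocol rule leaves mac and ip unset."""
    vlan: int
    port: Optional[str] = None
    mac: Optional[str] = None
    protocol: Optional[str] = None    # "ip", "ipx", "dec", ...
    ip: Optional[str] = None


@dataclass(frozen=True)
class Frame:
    """What the switch sees on a port: ingress port, source MAC,
    layer-3 protocol and, for IP frames, the source IP address."""
    port: str
    mac: str
    protocol: str
    ip: Optional[str] = None


# Constructed sample configuration (hypothetical ports, MACs, addresses, VLANs).
PORT_BINDINGS: dict[str, Binding] = {
    # a printer: port + MAC + IP address rule
    "1/3": Binding(vlan=10, port="1/3", mac="00:20:da:11:22:33", ip="10.1.1.50"),
    # a legacy DEC host: port + protocol rule, the slide's "Port + IP protocol" example
    "1/4": Binding(vlan=20, port="1/4", protocol="dec"),
}


def check_binding(binding: Binding, frame: Frame) -> list[str]:
    """Return the policy elements the frame fails to meet; an empty list means
    the device matches every configured element and is authenticated."""
    failures = []
    for element in ("port", "mac", "protocol", "ip"):
        expected = getattr(binding, element)
        if expected is None:
            continue                              # element not part of this binding
        actual = getattr(frame, element)
        if actual is None or actual.lower() != expected.lower():
            failures.append(element)
    return failures


def authenticate(frame: Frame, port_bindings=PORT_BINDINGS) -> tuple[Optional[int], list[str]]:
    """Return (vlan, failures): the authorized VLAN and [] when the device passes,
    otherwise None and the failing elements that the trap would report."""
    binding = port_bindings.get(frame.port)
    if binding is None:
        return None, ["port"]                     # nothing is bound on this port
    failures = check_binding(binding, frame)
    if failures:
        return None, failures
    return binding.vlan, []


def snmp_trap_text(frame: Frame, failures: list[str]) -> str:
    """Plain-text stand-in for the violation trap (real varbinds are switch-specific)."""
    return (f"portBindingViolation port={frame.port} mac={frame.mac} "
            f"protocol={frame.protocol} ip={frame.ip} failed={','.join(failures)}")


if __name__ == "__main__":
    samples = [
        Frame("1/3", "00:20:DA:11:22:33", "ip", "10.1.1.50"),   # the real printer
        Frame("1/3", "00:20:DA:11:22:33", "ip", "10.1.1.99"),   # printer's MAC, spoofed IP
        Frame("1/3", "00:20:DA:AA:BB:CC", "ip", "10.1.1.50"),   # printer's IP, other MAC
        Frame("1/4", "08:00:2b:01:02:03", "dec"),               # DEC host where DEC is bound
        Frame("1/4", "08:00:2b:01:02:03", "ip", "10.1.1.7"),    # IP on the DEC-only port
        Frame("1/9", "00:11:22:33:44:55", "ip", "10.1.1.1"),    # port with no binding
    ]
    for f in samples:
        vlan, failures = authenticate(f)
        print(f"{f.port}: VLAN {vlan}" if vlan else snmp_trap_text(f, failures))
```

The check is only as strong as the elements it binds: a host plugged into the printer's port can forge both the MAC and the IP address, so port + MAC + IP reduces the likelihood of spoofing rather than proving the device's identity, which is why the slide restricts the technique to non-mobile systems and handles users with authenticated VLANs instead.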
VLAN User Authentication
User Authentication at Layer 2
- Authenticates users at the switch port
  - permissions to users, not devices
- Leverages common auth systems
  - RADIUS
    - front-ends RSA ACE/Server, NT Domain, NDS, etc.
  - LDAP Directory Server
- Moves the user’s MAC from the default VLAN to the authorized VLAN(s)
  - based on Group Mobility technology
- Once authenticated, operating at LAN speed
- Ideal for mobile environments
  - campus
  - cybercafes
  - hospitals
(Diagram: Authenticated User - Switch - Backbone - Authentication Server.)
Alcatel XOS-based Security
- Feature Overview
  - software-based flow control based on
    - src/dst IP address
    - tcp/udp port numbers
    - icmp type
  - tied to layer-7 classifier implementation
  - standard software for the OmniAccess 512
- Example rules
  - Src = 10.1.1.x, dst = 10.1.2.x, type = http, Action = allow
  - Src/dst = */*, Action = deny
- Applications
  - control communications between networks
  - basic packet filtering without typical cost
  - security embedded in device
(Diagram: OmniAccess 512 connecting the 10.1.1.x, 10.1.2.x, 10.1.3.x and 10.1.4.x networks; HTTP from 10.1.1.x to 10.1.2.x is allowed, everything else denied.)
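The two example rules are an ordered, first-match access list with an explicit deny-all at the end. The following is an added Python model of that evaluation, written for this page and not taken from XOS: it reads the slide’s "type = http" as TCP destination port 80 (an assumption; the real classifier is layer-7 aware), treats "*" as 0.0.0.0/0, and adds a shadowing check that flags rules an earlier rule makes unreachable. The sample packets are constructed.

```python
"""First-match packet filter modelled on the slide's two rules (added example,
not Alcatel XOS code). Prefixes, ports and sample packets are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"            # the '*' in the slide's "Src/dst = */*" rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any port
    icmp_type: Optional[int] = None  # None = any ICMP type

    def matches(self, pkt: Packet) -> bool:
        """True if every element set on the rule matches the packet."""
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True

    def covers(self, other: Rule) -> bool:
        """True if every packet `other` could match is also matched by this rule."""
        return (
            ip_network(other.src, strict=False).subnet_of(ip_network(self.src, strict=False))
            and ip_network(other.dst, strict=False).subnet_of(ip_network(self.dst, strict=False))
            and self.proto in (None, other.proto)
            and self.dport in (None, other.dport)
            and self.icmp_type in (None, other.icmp_type)
        )


# The slide's ACL. "type = http" is read as TCP/80 here (assumption: the real
# XOS classifier is layer-7 aware, which this simplification does not model).
SLIDE_ACL = [
    Rule("allow", src="10.1.1.0/24", dst="10.1.2.0/24", proto="tcp", dport=80),
    Rule("deny"),                    # Src/dst = */*, Action = deny
]


def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """First-match evaluation: (action, index of the matching rule). A packet that
    matches no rule is denied with index None (implicit default deny)."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def shadowed_rules(acl: list[Rule]) -> list[int]:
    """Indices of rules that can never match because an earlier rule covers them;
    in a first-match ACL this is almost always an ordering mistake."""
    return [j for j in range(len(acl)) if any(acl[i].covers(acl[j]) for i in range(j))]


if __name__ == "__main__":
    samples = [
        Packet("10.1.1.7", "10.1.2.20", "tcp", dport=80),      # HTTP 10.1.1.x -> 10.1.2.x
        Packet("10.1.1.7", "10.1.2.20", "tcp", dport=443),     # not HTTP
        Packet("10.1.3.5", "10.1.2.20", "tcp", dport=80),      # wrong source network
        Packet("10.1.2.20", "10.1.1.7", "tcp", dport=80),      # reply direction
        Packet("10.1.1.7", "10.1.2.20", "icmp", icmp_type=8),  # echo request
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(SLIDE_ACL, pkt))
    print("shadowed (slide order):", shadowed_rules(SLIDE_ACL))
    print("shadowed (deny-all first):", shadowed_rules(SLIDE_ACL[::-1]))
```

Two things the model makes visible: the slide’s allow rule is one-directional, so a stateless filter like this also drops the server’s replies unless a mirror rule is added or the device does stateful inspection (listed earlier among the firewall technologies); and order matters, since placing the "*/* deny" rule first shadows the HTTP rule entirely, which `shadowed_rules` reports.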
Alcatel XOS-based Security
VPN on OmniAccess 512
- Feature Overview
  - add VPN to OA512 (1Q02)
    - switching/routing, LAN/WAN, VoIP, ACLs, compression in 1 unit
  - VPN as optional software module leveraging the OA512’s Hi/fn chip
- Applications
  - full security feature support
  - provisioning platform for routing / switching / VoIP / VPN
  - 1 box vs 2 or 3 boxes
  - interoperate with central gateway
(Diagram: Remote Office OA512 units with VPN tunnels across the Internet to a Security Appliance at the Central Corporate site.)
Alcatel Secure VPN Solution
- Key Points
  - Timestep - a first commercial VPN equipment provider
  - Core group of security experts part of eND
    - we own the technology and roadmap
- Product Set
  - 713x Secure VPN Gateways
  - Secure VPN Client
  - 5630 Secure VPN Management suite
- Successes
  - U.S. Department of Defense and Federal Reserve (US)
  - Westpac, INSNET (AU), etc.
- Compliance with standards
  - IPSec
  - ICSA (Trusecure.com)
  - FIPS 140-1
- Seamless support for PKI
  - first VPN vendor to offer PKI support
Speed Touch Pro II
- Speed Touch Pro II =
  - Enhanced platform compared to Speed Touch Pro
  - Allows the features of the Alcatel 713x Secure VPN Gateway to be integrated onto this platform
(Diagram: xDSL - Speed Touch Pro - Ethernet - Alcatel 713x SVG - Ethernet, integrated into xDSL - Speed Touch Pro II - Ethernet.)
Global Secure Remote Access and Branch Office Intranet
(Diagram) Head office LAN: LDAP-compliant directory, Alcatel 5631 Secure VPN Policy Manager and Entrust/PKI, Alcatel 7134 Secure VPN Gateway, Firewall. Branch office LAN: Alcatel 7137 Secure VPN Gateway. Field agents: Alcatel Secure VPN Client, reaching the head office through Internet POPs. Tunnelled paths across the Internet are marked Secure; the untunnelled Internet path is marked Unsecure.
Summary
a true security solution
- Edge / Core Switches
  - Hardened switch OS
  - Secure switch mgmt
  - A-VLANs - device & user
  - ACLs & embedded firewall/NAT
  - Switch-embedded VPN
- Standalone appliances
  - 713x VPN gateways
  - VPN/FW/NAT appliance
  - VPN client software
- Common management
  - standalone today
  - integrate with OmniVista with SecureView tomorrow
(Diagram: SO/HO with a Windows VPN Client over DSL; RO/BO sites with an OmniAccess 512 or a Security Appliance; VPN Tunnels across the Internet to the Central Site with OmniVista w/ SecureView and OmniPCX.)
Thank You
Alcatel e-Business Networking Division