Securing the Network Infrastructure
Securing the infrastructure means ensuring that unauthorized users cannot disrupt the network. There are many techniques which may be used to disrupt a network, such as "hacking" into the switch to alter its configuration, or bombarding the switch with so much invalid traffic that it cannot perform its job effectively. Protecting the infrastructure can be broken down into three layers: Ensuring the physical protection of equipment (physical security), ensuring that only authorized personnel have access to applications (user security), and ensuring that the network elements are hardened from attack (device security).
As a provider of award-winning enterprise security products, our security products secure user traffic using SSL and IPSec. But it is equally important to protect the underlying infrastructure, and few companies focus on this critical component.
Nortel Baseline Security Standards
Several organizations define security requirements, such as the need to authenticate network users or encrypt management traffic. Examples of these include Telcordia Technologies Generic Requirements (GR-815-CORE, Issue 1, November 1997) and ANSI Baseline of Security Requirements for the Management Plane (T1.276-2003).
Nortel Baseline Security Standards takes this further, specifying the capabilities to meet these requirements across all of our products and providing "how-to" guidance on implementing the capabilities. This ensures a consistent set of capabilities, lowers training costs, and speeds the introduction of new security capabilities across our products.
User Security
User security ensures that only authorized network users can access the network elements.
- RADIUS has been chosen as the basic mechanism of choice for automating centralized authentication within Nortel products. RADIUS is a standard authentication mechanism which is widely deployed. RADIUS provides storage of passwords in encrypted (hashed) format. The use of Pluggable Authentication Mechanism (PAM) software in conjunction with the RADIUS clients is recommended. PAM will allow other authentication mechanisms in addition to RADIUS to be more easily incorporated should this be required to meet specific customer authentication needs.
- Passwords themselves must be of sufficient strength to prevent guessing and/or machine cracking attacks. Nortel provides "strong password" recommendations that meet the requirements of Telcordia GR-815 and ANSI T1.276-2003.
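The two points above, a strength policy applied before a password is accepted and hashed (rather than plaintext) storage on the authentication server, can be shown in a few dozen lines. The following is an added example, not code from Nortel or from the standards cited; the page does not publish the actual thresholds, so the minimum length, class count, repeat-run limit and banned-word list below are illustrative assumptions, and the stored-hash format is one constructed for this example.

```python
import hashlib
import hmac
import os
import re
import string
from typing import List, Optional

# Illustrative policy thresholds (assumption: the page gives no numbers, these
# are placeholders in the spirit of GR-815 / T1.276 strong-password guidance).
MIN_LENGTH = 12
REQUIRED_CLASSES = 3      # out of: lowercase, uppercase, digit, punctuation
MAX_REPEAT_RUN = 3        # "aaa" is allowed, "aaaa" is rejected
# Constructed mini dictionary; a real deployment would load a full word list.
BANNED_WORDS = {"password", "nortel", "admin", "welcome", "letmein"}
PBKDF2_ITERATIONS = 200_000


def check_password(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < REQUIRED_CLASSES:
        problems.append(f"uses {classes} character classes, need {REQUIRED_CLASSES}")
    # (.)\1{N,} matches a character followed by N more copies, i.e. a run of N+1
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT_RUN, password):
        problems.append(f"contains a run of more than {MAX_REPEAT_RUN} identical characters")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for word in sorted(BANNED_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. Stored form (constructed for this example):
    'pbkdf2$<iterations>$<salt hex>$<digest hex>'. Only this string is kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so a mismatch leaks nothing about where it differs."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for user, pw in [("alice", "Tr0ub4dor&3xample!"), ("bob", "password1")]:
        print(user, check_password(pw, user) or "OK")
    record = hash_password("Tr0ub4dor&3xample!")
    print(record)
    print(verify_password("Tr0ub4dor&3xample!", record), verify_password("wrong", record))
```

The policy check runs on the client before the password ever reaches the server, so the server only ever sees and stores the salted digest; the iteration count is stored alongside the hash so it can be raised later without invalidating existing records.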
Platform Security
Platform security protects the network element from outside attack.
- The most basic requirement here is to "harden" the operating system by disabling unused capabilities and ensuring that the latest patches are applied. OS hardening guidelines are available on this website.
- Equally important is application software that is hardened against intrusion and verified to be free of viruses and worms. Nortel products undergo a Threat Risk Assessment (TRA) before being made available to customers. Essentially, a team of security experts attempts to bring down our own products before anybody else tries!
- In addition, every network element contains audit logs which adhere to standardized format and content. This ensures that the proper information is available and can be processed/correlated by a single tool.
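The value of a standardized audit-log format is that one tool can normalize records from every network element and correlate across them. The following added example (not Nortel code; the two input formats and all log lines are constructed for this illustration, since the page does not show the real format) maps two different vendor-style record layouts onto one schema and then correlates failed logins per source address across elements.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample audit lines in two different layouts (assumption: not the
# actual Nortel audit-log format, which the page does not reproduce).
SAMPLE_LINES = [
    "Jan 14 10:01:02 sw-core-1 AUTH: login failed user=admin src=10.0.0.5 via=ssh",
    "Jan 14 10:01:09 sw-core-1 AUTH: login failed user=admin src=10.0.0.5 via=ssh",
    "2004-01-14T10:01:15Z host=rtr-edge-2 event=LOGIN_FAIL user=admin src=10.0.0.5 proto=telnet",
    "Jan 14 10:01:30 sw-core-1 AUTH: login ok user=noc src=10.0.1.7 via=ssh",
    "2004-01-14T10:02:01Z host=rtr-edge-2 event=CONFIG_CHANGE user=noc src=10.0.1.7 proto=ssh",
    "this line is not an audit record at all",
]

# Layout A: classic syslog prefix followed by a fixed AUTH message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) AUTH: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) via=(?P<proto>\S+)$"
)
# Layout B: ISO timestamp followed by key=value pairs.
KV_RE = re.compile(r"^(?P<ts>\S+) (?P<rest>(?:\w+=\S+ ?)+)$")
# Event names of layout B mapped onto the common (action, outcome) vocabulary.
EVENT_MAP = {
    "LOGIN_FAIL": ("login", "failure"),
    "LOGIN_OK": ("login", "success"),
    "CONFIG_CHANGE": ("config_change", "success"),
}

Record = Dict[str, str]


def normalize(line: str) -> Optional[Record]:
    """Map one raw line onto the common schema:
    ts, host, user, src, proto, action, outcome. Returns None if unrecognized."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "user": m["user"], "src": m["src"],
                "proto": m["proto"], "action": "login",
                "outcome": "failure" if m["result"] == "failed" else "success"}
    m = KV_RE.match(line)
    if m:
        kv = dict(tok.split("=", 1) for tok in m["rest"].split())
        action, outcome = EVENT_MAP.get(kv.get("event", ""), ("unknown", "unknown"))
        return {"ts": m["ts"], "host": kv.get("host", "?"), "user": kv.get("user", "?"),
                "src": kv.get("src", "?"), "proto": kv.get("proto", "?"),
                "action": action, "outcome": outcome}
    return None


def process(lines: List[str]) -> Tuple[List[Record], int]:
    """Normalize every line; return the records plus the count of lines that
    matched no known layout (those should be reported, not silently dropped)."""
    records, unparsed = [], 0
    for line in lines:
        rec = normalize(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    return records, unparsed


def failed_logins_by_source(records: List[Record], threshold: int = 3) -> Dict[str, dict]:
    """Correlate across elements: sources with >= threshold failed logins,
    together with the set of hosts they were seen against."""
    counts = defaultdict(lambda: {"count": 0, "hosts": set()})
    for r in records:
        if r["action"] == "login" and r["outcome"] == "failure":
            counts[r["src"]]["count"] += 1
            counts[r["src"]]["hosts"].add(r["host"])
    return {src: {"count": v["count"], "hosts": sorted(v["hosts"])}
            for src, v in counts.items() if v["count"] >= threshold}


if __name__ == "__main__":
    recs, bad = process(SAMPLE_LINES)
    print(f"{len(recs)} records normalized, {bad} unparsed")
    for src, info in failed_logins_by_source(recs).items():
        print(f"ALERT {src}: {info['count']} failed logins across {info['hosts']}")
```

The point of the example is the correlation step: two failures on one switch and one on a router would each sit below a per-device threshold, but once the records share a schema the same source address is visible across both elements. Unparsed lines are counted rather than discarded so that a format change on one element shows up as a monitoring gap.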
Transport Security
Transport security ensures that management traffic and traffic from each customer are isolated from each other.
- Although often overlooked, the first line of defense for in-band management is the use of VLANs and VPNs. These should be used where practical to ensure only authorized personnel have management access to a network element or EMS. In addition, each VLAN/VPN should have explicit resource limits (percentage of processing cycles, amount of memory, size of MAC or IP forwarding tables,…) to ensure that management traffic can traverse the network.
Application Security
Application security ensures that the information sent to a network element is not modified or read by unauthorized users.
- Nortel requires the use of security protocols such as IPsec, SSL/TLS and SNMPv3 to protect all management traffic. All security protocols are used with strong underlying cryptographic algorithms to provide machine-to-machine authentication, data integrity, and data confidentiality services.
For newer platforms, this capability will be integrated directly into the network element. As an interim step, the network element may be front-ended with a Nortel VPN Router to provide this support.
- In addition, a virtual private networking device such as the Nortel VPN Router is used to provide secure access for remote network operators and administrators.
Perimeter Security
Perimeter security prevents unauthorized access to the network.
- Nortel security guidelines dictate that networks will be segmented using firewalls. Among other things, firewalls prevent traffic from unauthorized users from entering the network.
- Intrusion Detection Systems, such as the Nortel Threat Protection System, should be used to provide even stronger defense against network intrusions. This is an emerging technology, but current state-of-the-art still results in many "false positives". As a result, the use of these systems is optional.