Network Security Handbook for Service Providers
Jointly published by Juniper Networks
and Network Strategy Partners, LLC:
Juniper Networks high-performance network infrastructure helps businesses accelerate the
deployment of services and applications to take advantage of opportunities to innovate,
grow, and strengthen their business. With Juniper, businesses can answer the challenge of
complicated, legacy networks with high-performance, open, and flexible solutions.
Network Strategy Partners, LLC (NSP) — Management Consultants to the networking
industry — helps service providers, enterprises, and equipment vendors around the globe
make strategic decisions, mitigate risk, and affect change through custom consulting
engagements. NSP’s consulting includes business case and ROI analysis, go-to-market
strategies, development of new service offerings, pricing and bundling as well as
infrastructure consulting. NSP’s consultants are respected thought-leaders in the
networking industry and influence its direction through confidential engagements for
industry leaders and through public appearances, white papers, and trade magazine
articles. Contact NSP at www.nspllc.com.
1 Executive Summary
The telecommunications industry is in the midst of a major paradigm shift. In
the 1990s, most major service providers maintained separate networks for
wireline voice, mobile voice, data, and TV. Today, many service providers are
migrating all of their network services to IP packet switched networks. Voice
services are still a major component of service provider revenue. As voice
moves from circuit switched to VoIP packet switched networks (see Figure 1),
service providers will have a major incentive to wind down operations on their
expensive, legacy circuit switched infrastructure.
By converging network services to integrated IP networks, service providers
reduce capital and operations expenses while dramatically improving network
scalability and service flexibility. Furthermore, the migration to IP is increasing
competition in the telecommunications market. Cable TV providers are
offering traditional voice services, telephone companies are offering Internet
and IPTV, and new entrants are building broadband wireless networks with Wi-Fi
and WiMax technology. As increased competition accelerates the migration
to IP, service providers operating legacy networks risk shrinking revenues and
Figure 1 - Forecast of VoIP Subscribers Worldwide (chart of worldwide VoIP subscribers, CY04 to CY11, by region: Asia Pacific, EMEA, North America, CALA; 75.3M VoIP subscribers worldwide in 2007, +62% year over year; 185.7M by CY11, a 5-year CAGR of 25%, >22M net new subscribers per year; source: 2008 Infonetics Research, Inc.)
Service provider migration to IP networks has significant benefits and is, in fact,
necessary for long term survival. However, the rapid growth in the Internet is
also driving rapid growth in network security threats, which are escalating both
in numbers and level of severity. Threats come from a myriad of sources that
are distributed around the world. In the early days of the Internet, most threats
were created by hackers who were just causing trouble for fun. Today, threats
come from independent hackers as well as highly organized crime syndicates
focused on profiting from Internet criminal activities. Some of the potential
threats to service provider networks include:
• Distributed denial of service attacks (DDoS)
• Bots and botnets attacking servers and network infrastructure
• Worms propagating throughout the network
• Attacks on Domain Name System (DNS)
• Attacks on IP routing protocols
• Zero day attacks (these are new attacks which are unpredictable in nature)
The ramifications of such attacks on service provider networks include:
• Service outages
• Lost, damaged, or stolen customer data
• Lost, damaged, or stolen service provider data (usage data, billing records,
passwords, and so on)
Global telecommunications revenues are expected to reach $2 trillion by the
end of 2008[1]; therefore, as network services migrate to IP, it is essential that
service providers and telecommunications equipment vendors be vigilant
about security. Network infrastructure must defend itself from attacks, and
operators must implement network security best practices. This network
security handbook provides service providers with an anatomy of network
security threats and a set of best practices for protecting the network. Best
practices for network security architecture are defined for some of the most
important services, applications, and network infrastructure including:
• Voice services
• TV and multimedia services
• Mobile networks
• Service provider data centers
2 The Importance of Network Security
The convergence of voice, data, TV, and mobile telecommunications on IP
networks has elevated the importance of network security. For many service
providers, IP network security presents new technical challenges because
legacy networks are fundamentally more secure than IP networks. The legacy
phone network is based on a closed, circuit switching model. Call signaling
uses the SS7 packet network which is not connected to the Internet or any
other data network. Legacy television service is delivered using broadcast over
digital or analog cable; specialized equipment which is not connected to any
external packet networks is used for video service delivery. Many legacy data
networks are based on Frame Relay and ATM; these technologies use secure
layer 2 protocols with little or no connectivity outside the private network.
Similarly, second-generation mobile networks are closed, circuit switching
architectures with limited and controlled gateways to the Internet and other
data networks. In general, legacy telecommunications networks:
• Implement service-specific networks
• Are based on closed and proprietary architectures
• Utilize end-to-end management by service providers
• Have no customer controls
• Have no external exposure
The migration to IP next-generation networks (NGNs) offers many strategic
advantages to service providers; however, the open, flexible architecture of IP
networks also poses a complex set of security threats. Multiple services, including
wireline voice, video, data, and mobile voice and data are converging on a single
IP network. This means that IP network attacks could affect all network services
and, therefore, all network revenue. Also, threats that emerge from one service
(for example the Internet) could affect other services like TV that were previously
isolated. The IP network is based on an open, standards-based architecture
that allows for rapid and massive worldwide growth. The open nature of the IP
protocols, however, has also allowed intruders to easily access the tools needed
for network intrusions. Everyone has access to RFC documents explaining the
technical details of Internet protocols. In addition, extensive technical knowledge
is not required because there is easy access to open source tools on the Web for
creating network attacks and stealing valuable data.
IP networks use open standards for network management, operations, and
provisioning. Protocols and standards such as SNMP, XML, and the newer Web
services management model enhance the power and flexibility of operations
support systems (OSS), but they also create opportunities for intruders to access
the most sensitive and critical areas of the telecommunications network—the
network management and control plane.
Another dimension of the problem is that business users, residential users, and
mobile users are sharing the same IP network. Each of these customers has
different security requirements that need to be addressed in the service offerings
provided to them.
Attacks on IP networks can have serious and potentially devastating
consequences. Attacks can result in:
• Service outages
• Lost, damaged, or stolen customer data
• Lost, damaged, or stolen service provider data (usage data, billing records,
passwords, and so on)
Service outages can result in loss of revenue, payment of penalties for violated
service-level agreements (SLAs), and increased customer churn. There are
serious liabilities associated with lost or stolen customer data; lawsuits often
result in high payments of damages as well as a tarnished public image. Lost
or stolen service provider data can result in compromised networks and billing
systems, or other serious problems.
As network services converge on IP, availability of the IP network is critical.
Downtime, whether caused by network attacks, software errors, or configuration errors,
often results in high costs. The cost of downtime varies widely with the
business and the application, but in all cases it is substantial. Estimates of downtime
costs for various industries and applications[2] are presented in Table 1.
Industry         Application             Average Cost/Hour of Downtime
Transportation   Airline Reservations    $89,500
Retail           Catalog Sales           $90,000
Media            Pay-per-view            $1,150,000
Financial        Credit Card Sales       $2,600,000
Financial        Brokerage Operations    $6,500,000
Table 1 - Downtime Cost Estimates in Different Vertical Markets
Downtime in service provider networks results in lost revenue due to SLA
penalties and, to add insult to injury, results in increased customer churn. Table
2 depicts some estimates[3] for hourly revenue loss for service provider network
outages in small metro areas where 100,000 residential customers and 2,000
business customers are affected by an outage. In these small areas, residential
losses are estimated to be over $8,333 per hour and business losses almost
$6,944 per hour.
While revenue loss is problematic, the potentially more serious problem (especially
in markets where there are competitive offerings) is customer churn due to
poor service. Table 3 presents a scenario for a small metro area with 100,000
customers, an increased churn rate of 5 percent due to dissatisfaction with
network service availability, and an average cost of churn of $400 per subscriber[4].
[2] See “Storage Virtualization and the Full Impact of Storage Disruptions: Relief and ROI”, Computer Technology Review, February 2002, Volume XXII, Number 2.
[3] These estimates are based on an ROI model developed by Network Strategy Partners, LLC.
[4] The churn projections are based on an ROI model developed by Network Strategy Partners, LLC.
In this scenario the average cost of churn for this small metro area would be
$2,000,000 per year. Clearly, network reliability and availability is a critical
business requirement for enterprises and service providers.
                                    Residential   Business
Number of customers                 100,000       2,000
Average revenue per customer        $60.00        $2,500
Hourly lost revenue in an outage    $8,333        $6,944
Table 2 - Service Provider Hourly Lost Revenue for Business and Residential Network Outages
Number of residential subscribers        100,000
Increase in rate of churn                5%
Average cost of churn per subscriber     $400
Total cost of churn per year             $2,000,000
Table 3 - Service Provider Costs of Increased Churn due to Network Outages
Corporate executives, furthermore, are now legally responsible for the security
of their corporate information systems. Multiple federal and state regulations
require executives and companies to comply with government-mandated
security requirements.
These regulations include:
• Sarbanes-Oxley (SOX)
• Cyber Security Critical Infrastructure Protection (CIP)
• Gramm-Leach-Bliley Act (GLBA)
• California Senate Bill Number 1386 (SB1386)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
Network security, clearly, is one of the highest priorities in IP NGNs, and
service providers need to be educated and vigilant to prevent devastating
Anatomy of Network Threats
The open IP architecture presents a myriad of threats from many sources to
all parts of the network. The following paragraphs give an overview of some
common threats, threat sources, and components of the network that could
Overview of Security Threats
There are many types of security threats and they continue to grow, develop,
and mutate over time. A high level distribution of network security threats is
presented in Figure 2, and a brief description of security threats is given in
the following subsections of this paper. This is not meant to be an exhaustive
description of network threats, but rather an overview of some common threats
Figure 2 - Distribution of Network Security Threats (categories shown: DDoS, Bots and Botnets, Worms, Compromised Infrastructure, DNS, BGP Route Hijacking)
Distributed Denial of Service Attack (DDoS)
A distributed denial of service (DDoS) attack is an attempt to make a computer
resource unavailable to its intended users. Perpetrators of DDoS attacks
typically target sites or services hosted on high-profile Web servers such as
banks, credit card payment gateways, and even DNS root servers. One common
method of attack involves saturating the target (victim) machine with external
communications requests such that it cannot respond to legitimate traffic,
or responds so slowly as to be rendered unavailable. In general terms, DDoS
attacks are implemented by either forcing the targeted network elements or
servers to reset, consuming their resources so that they can no longer provide
their intended service, or obstructing the communication media between the
intended users and the victim devices so that they can no longer
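The saturation described above can be recognized from traffic records by counting requests per target over a short window and checking how many sources are involved. The following Python script is an added example, not part of the handbook: it runs that check over constructed request records (RFC 5737 documentation addresses) and distinguishes a distributed flood from a single-source flood, since the two call for different mitigations. The window size and thresholds are assumed values, not figures from the handbook.

```python
from collections import defaultdict
from math import floor


def build_sample_records():
    """Constructed sample traffic: one (timestamp_s, src_ip, dst_ip) tuple per request.

    Three targets are included on purpose:
      - 203.0.113.20: five requests from five clients, i.e. normal traffic
      - 203.0.113.10: 200 requests in 8 s from 200 different sources (distributed flood)
      - 203.0.113.30: 150 requests in 7.5 s from one source (single-source flood)
    """
    records = []
    for i in range(5):
        records.append((float(i), f"198.51.100.{i + 1}", "203.0.113.20"))
    for i in range(200):
        records.append((i * 0.04, f"192.0.2.{i + 1}", "203.0.113.10"))
    for i in range(150):
        records.append((i * 0.05, "198.51.100.99", "203.0.113.30"))
    return sorted(records)


def detect_floods(records, window_s=10.0, rate_threshold=100, min_sources=50):
    """Bucket requests per (target, time window) and flag saturation.

    A bucket whose request count reaches rate_threshold is a flood. If it also
    involves at least min_sources distinct sources it is classified as 'ddos'
    (distributed, so per-source rate limiting alone will not help); otherwise
    as 'dos' (few sources, which can be rate limited or filtered individually).
    Thresholds are assumed illustration values.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst in records:
        key = (dst, floor(ts / window_s))
        counts[key] += 1
        sources[key].add(src)

    alerts = []
    for (dst, bucket), n in sorted(counts.items()):
        if n < rate_threshold:
            continue
        distinct = len(sources[(dst, bucket)])
        alerts.append({
            "target": dst,
            "window_start_s": bucket * window_s,
            "requests": n,
            "distinct_sources": distinct,
            "kind": "ddos" if distinct >= min_sources else "dos",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_records()):
        print(alert)
```

The distinction in the `kind` field matters operationally: a single-source flood can be handled by a rate limit or an ACL on the edge router, whereas a distributed flood needs upstream filtering or scrubbing because no single source stands out.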
Bots and Botnets
Bots are computer programs that secretly install themselves on machines and
run in the background often hidden from view of users, administrators, and even
the operating system. A botnet is a group of bots that can propagate across
the Internet and can be controlled by a malicious hacker or criminal. Once bots
install themselves on machines, they scan for system vulnerabilities and collect
information such as passwords and user names. The bots in a botnet can
communicate with each other and the central controller to steal information,
exploit system weaknesses, send spam, and execute DDoS attacks.
Bots can result in network service outages or loss of critical customer or service
provider data. This is especially serious if passwords and user names are
compromised. For this reason, botnets have become one of the most serious
threats on the Internet.
The majority of botnets are used by cyber criminals to send spam and also to
illegally seek financial information. According to shadowserver.org, an organization
that tracks botnets, the number of bots measured in September 2008 peaked at
a half million infected computers. Because bots are hard to detect, the numbers
could be much larger.
One example of a current botnet is Kraken. The Kraken malware infects victims’
PCs and uses encrypted communications between bots. It also has the ability
to move command and control functionality around the botnet. And, like many
botnets, the purpose of the Kraken network seems to be the propagation of
massive amounts of spam. Individual machines infected with Kraken could send
as many as 500,000 spam messages in a single day.
Bots are rampant throughout the world as illustrated in Figure 3, and they are
growing in number and severity levels. Service providers need to understand the
nature and dynamics of botnets in order to adequately secure their networks.
Figure 3 - Worldwide Statistics on Bots (left: active bots per day, January 2006 to May 2007; right: bot-infected computers by country, source: Symantec, with Germany ranked first at 26%, the United States ranked fifth at 5%, and the United Kingdom, France, Poland, Canada, and Taiwan also shown)
There are a large variety of Internet worms[5]. The common characteristic
of worms is that they:
• Exploit vulnerabilities in a computer’s operating system or application software
to launch malicious software that runs on the machine
• Find information in the computer (such as email lists or lists of IP addresses)
to propagate between different machines
• Cause significant damage and financial losses to large numbers of companies
worldwide in a short period of time
One example of a well known Internet worm is Code Red. This worm exploited
a vulnerability in the indexing software distributed with IIS[6] for which a patch
had been available a month earlier. The worm spread itself using a common
type of vulnerability known as a buffer overflow. It did this by using a long
string of the repeated character “N” to overflow a buffer, allowing the worm
to execute arbitrary code infecting the machine. The worm spread by probing
random IP addresses and infecting all hosts vulnerable to the IIS exploit.
Another example of a well known worm is the Love Bug Virus. This virus arrived
in email boxes on May 4, 2000, with the simple subject of “ILOVEYOU” and an
attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”. Upon opening the attachment, the
virus sent a copy of itself to everyone in the user’s address list, posing as the
user. It also made a number of malicious changes to the user’s system.
Two aspects of the virus made it effective:
• It relied on user curiosity to entice users to open the attachment and ensure
its continued propagation.
• It exploited the weakness of the email system design that an attached
program could be run by simply opening the attachment.
Worms come in many forms and varieties, and they can result in network
service outages and loss of customer and service provider data.
Zero Day Attacks
Fundamentally, there are two types of attacks on networks: 1) known attacks
and 2) zero day attacks. The first is a known attack on a known vulnerability
which can be identified in an intrusion prevention system (IPS) by a signature.
[5] Worms and viruses are closely related; this discussion addresses both types of threats.
[6] Internet Information Services (IIS)—formerly called Internet Information Server—is a Microsoft-produced set of Internet-based services for servers using Microsoft Windows.
In contrast, zero day attacks are new and therefore have no attack signatures
to identify them. To defend against zero day attacks, the IPS requires more
sophisticated methods such as protocol anomaly detection. This topic will be covered more fully
later in the paper.
Vulnerable Network Components
Many parts of an IP network are vulnerable to threats including:
• End user equipment—PCs, servers, mobile phones, PDAs, and so on
• Network equipment—routers, Ethernet switches, and so on
• Control and signaling—network management plane, softswitches, and so on
• Applications and services—network and application servers
• OSS—network management, billing and operations
Attacks to any of the network components above can result in loss of service
or loss of data.
3 Best Practices for Service Provider Security
Every network is unique and requires the attention of professional network
architects and designers to ensure that the network is defensible. The
principles used by network designers to secure networks are based on a set
of industry best practices. This section of the security handbook provides a
network security best practice overview which is summarized in Table 4. We
start by providing a summary of general best practices that can be applied to
any service provider network.
General Best Practices and Tools for Service Provider Network Security
This section provides an overview of some of the devices and technologies
for securing service provider networks. The devices that provide network
• Network firewall
• Intrusion Protection Systems (IPS)
• Application servers
• Identity and policy management
Network routers are core components in the IP network infrastructure. As such,
it is critical that routers implement security technologies to protect networks.
Some of the security technologies implemented in routers are:
• MPLS VPN
• Network Address Translation (NAT)
• Access Control Lists (ACLs)
Virtual LANs (VLANs)
A VLAN is a layer 2 segmentation technology that allows for a group of end
stations to be grouped together into a logical LAN, even if they are not located
on the same network switch. It can also be used to segment traffic, such as
segmenting VoIP traffic from regular data traffic. The segmentation of users
and/or traffic provides a level of security by creating a virtual network, making it
difficult to intercept traffic or access a traffic segment.
The MPLS virtual private network (VPN) is a common method of securing IP
communications. The basic concept of the MPLS VPN is that a common
physical routing infrastructure hosts multiple logical routing networks. Each
logical network appears to hosts and users to be a separate IP network.
The logical network, or MPLS VPN, can use a set of private IP addresses, run
independent routing protocols local to the VPN, and remain isolated from the
Internet and all other MPLS VPNs, unless the network administrator
intentionally provides routing connectivity between networks. An MPLS VPN
therefore is equivalent to building a physically separate IP routing network.
This logical separation of IP networks provides a cost-effective approach to
securing subscriber and service-specific networks from attacks that emanate
from the Internet or other private IP networks.
Network Address Translation (NAT)
NAT is a common mechanism for mapping private IP addresses to public
addresses. The process is simple: a private IP address and TCP port is
mapped to a public address using a NAT server. One of the additional benefits
of NAT is that malicious users on the Internet cannot see the true IP source
address of the host. Without knowing the IP source address, it is more difficult
to attack hosts. This is especially important for network servers that are a focal
point for many attacks.
Access Control Lists (ACLs)
The ACL is a list of permissions that specifies who or what is allowed to access
the router or device, and what operations they are allowed to perform. In an
ACL-based security model, when a subject requests to perform an operation
on an object, the system first checks the list for an applicable entry in order
to decide whether to proceed with the operation. Depending on the ACL, the
request may be accepted or denied. ACLs provide router protection by denying
unauthorized users or packets from accessing the router.
A network firewall is a dedicated appliance which inspects network traffic and
denies or permits passage based on a set of rules. The primary objective of the
firewall is to regulate traffic flows between computer networks of different trust
levels. Typical examples are the Internet, which is a zone with no trust, and an
internal network, which is a zone of higher trust. A zone with an intermediate
trust level, situated between the Internet and a trusted internal network, is
often referred to as a “perimeter network” or demilitarized zone (DMZ).
The classes of firewalls are:
• Stateless firewalls
• Stateful firewalls
Stateless firewalls are usually implemented in routers and switches as ACLs
that filter packets based on parameters in layer 3 IP headers and layer 4
TCP headers. For instance, packets can be filtered based on IP source and
destination address and TCP ports.
Stateful firewalls extend simple packet filtering to create rules based on
sessions. Filtering rules can account for the history of a session as opposed to
working on individual packets. For example, if an Internet user accesses a Web
site from an internal network, a stateful firewall will let the return packets into
the network from the Web site based on the state of the session. This is not
possible with stateless firewalls.
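To make the difference between the two firewall classes concrete, here is an added Python example (not code from the handbook or from Juniper) that evaluates the same constructed rule set first as a stateless ACL, with first-match semantics and the implicit deny the ACL section describes, and then with a session table consulted in front of it. The rule set, the addresses, and the session-table model are assumptions for illustration; real firewalls track far more state (TCP flags, timeouts, UDP pseudo-sessions).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the TCP SYN that opens a session


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source prefix in CIDR notation
    dst: str                     # destination prefix in CIDR notation
    dport: Optional[int] = None  # None matches any destination port


# Constructed policy for one interface: internal hosts (10.0.0.0/8) may open
# HTTP sessions to anywhere; everything else is denied.
RULES = [
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", 80),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def acl_lookup(rules: List[Rule], pkt: Packet) -> str:
    """Stateless filtering: the first matching rule wins, implicit deny at the end."""
    for rule in rules:
        if (ip_address(pkt.src) in ip_network(rule.src)
                and ip_address(pkt.dst) in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == pkt.dport)):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Same rule set, plus a session table that is checked before the rules."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions = set()  # (src, sport, dst, dport) of permitted sessions

    def process(self, pkt: Packet) -> str:
        # Return traffic of a known session is permitted by state, not by a rule.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit-established"
        verdict = acl_lookup(self.rules, pkt)
        if verdict == "permit" and pkt.syn:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def compare_filters() -> Dict[str, Dict[str, str]]:
    """Run three constructed packets through both models and collect the verdicts."""
    outbound = Packet("10.0.0.5", "203.0.113.80", 40000, 80, syn=True)   # internal host opens HTTP
    reply = Packet("203.0.113.80", "10.0.0.5", 80, 40000)                # server's answer
    unsolicited = Packet("203.0.113.80", "10.0.0.5", 40000, 80, syn=True)  # inbound SYN from outside
    fw = StatefulFirewall(RULES)
    results: Dict[str, Dict[str, str]] = {"stateless": {}, "stateful": {}}
    for name, pkt in (("outbound", outbound), ("reply", reply), ("unsolicited", unsolicited)):
        results["stateless"][name] = acl_lookup(RULES, pkt)
        results["stateful"][name] = fw.process(pkt)
    return results


if __name__ == "__main__":
    for model, verdicts in compare_filters().items():
        print(model, verdicts)
```

The reply packet is the point of the example: the stateless ACL has no rule that permits Internet-to-internal traffic, so it drops the server's answer, whereas the stateful model recognizes it as the reverse direction of a session it already admitted. The unsolicited inbound SYN is denied by both.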
Intrusion Protection System (IPS)
IPS is used to detect and prevent network attacks. IPS analyzes network traffic
for threats and takes some action to mitigate the threat when one is detected.
IPS typically uses deep packet inspection (DPI) technology to look at all layers
of network protocols from layer 2 to layer 7.
There are two fundamental mechanisms for detecting network intrusions:
• Signatures
• Protocol and application anomaly detection
Signatures are patterns of known network attacks that could operate at any
level of the protocol stack. The IPS monitors network traffic and matches
traffic with known signatures. If a sequence of packets in a session matches a
signature, then the IPS detects a known attack and takes action on the session
based on a set of user policies.
The weakness of IPS signatures is that only known attacks are detected. In
order to detect zero day attacks, IPS uses protocol, application, and traffic
pattern anomaly analysis. This method of detection uses behavior monitoring
at all layers of the stack and detects packet sequences that appear to be
abnormal. The IPS then takes action on the traffic based on a set of user
defined network policies.
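The two detection mechanisms, and why a zero day attack slips past the first, can be shown in a few lines. The following Python example is added here and is not from the handbook: it runs a simplified signature (modelled on the long run of “N” characters in the Code Red description earlier in the paper) and a separate protocol-profile anomaly check over constructed HTTP request lines. The signature pattern, the limits MAX_URI_LEN and ALLOWED_METHODS, and the sample request lines are assumptions for illustration, not production IPS rules.

```python
import re
from typing import Dict, List, Optional

# Constructed, simplified signature list: (name, pattern over the raw request line).
# The entry encodes the trait the paper describes for Code Red, a long run of the
# character "N" in the request URI; it is an illustration, not a production rule.
SIGNATURES = [
    ("code-red-long-N-run", re.compile(rb"^GET /\S*N{64,}")),
]

# Assumed protocol-profile limits used by the anomaly engine.
MAX_URI_LEN = 512
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
HTTP_VERSION = re.compile(rb"^HTTP/1\.[01]$")


def signature_check(request_line: bytes) -> Optional[str]:
    """Return the name of the first signature that matches, else None."""
    for name, pattern in SIGNATURES:
        if pattern.search(request_line):
            return name
    return None


def anomaly_check(request_line: bytes) -> List[str]:
    """Return protocol-anomaly reasons (empty when the request line looks normal).

    No signature is involved: the checks compare the request line against what a
    well-formed HTTP request line should look like, so a never-seen attack that
    violates the profile is still flagged.
    """
    reasons = []
    if any(b < 0x20 or b > 0x7E for b in request_line):
        reasons.append("non-printable-bytes")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        reasons.append("malformed-request-line")
        return reasons
    method, uri, version = parts
    if method not in ALLOWED_METHODS:
        reasons.append("method-not-allowed")
    if len(uri) > MAX_URI_LEN:
        reasons.append("uri-too-long")
    if not HTTP_VERSION.match(version):
        reasons.append("bad-http-version")
    return reasons


def inspect_request(request_line: bytes) -> Dict[str, object]:
    """Combine both engines: a signature hit is reported first, then anomalies."""
    sig = signature_check(request_line)
    anomalies = anomaly_check(request_line)
    if sig:
        verdict = "alert-signature"
    elif anomalies:
        verdict = "alert-anomaly"
    else:
        verdict = "pass"
    return {"verdict": verdict, "signature": sig, "anomalies": anomalies}


# Constructed sample request lines.
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1",
    "known-worm-pattern": b"GET /index?" + b"N" * 240 + b" HTTP/1.0",
    "unseen-long-uri": b"GET /search?q=" + b"X" * 700 + b" HTTP/1.1",
    "garbage": b"\x01\x02 junk",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, inspect_request(line))
```

Note how the "unseen-long-uri" sample matches no signature at all, yet the anomaly engine still raises an alert because the URI exceeds the profile limit: that is the behaviour the paper relies on for zero day attacks, and it is also why anomaly thresholds need tuning per network to keep false positives down.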
Application servers should also be able to defend against certain security
threats. The defense should include antivirus and other anti-malware software.
This ensures that if a virus or worm does penetrate the network layer defenses,
the application server has the means to defend itself.
Identity and Policy Management
The identification and authentication of users is essential for securing the
network. Knowledge about who is accessing the network, what they are
trying to access, and when is critical to the security of the overall network.
Implementing an identity and policy management solution adds a level of
intelligence to the network, and can provide security defenses in cases
where unauthorized users try to access the network, or a legitimate user
attempts to access an application that they are not authorized to access.
In addition, identity and policy management can help to manage user sign-on by
implementing a single sign-on (SSO) system; allowing users to access multiple
networks or applications with a single sign-on. Table 4 provides a summary of
some of the best practices service providers employ to protect their networks.
L2/3 traffic segmentation             Routers and switches can segment traffic into virtual networks using L2 VLANs or L3 MPLS VPNs.
L3/4 stateless filtering              Access Control Lists (ACLs) are used to permit or deny traffic based on parameters in L3 and L4.
L3/4 stateful firewall                Firewalls maintain information regarding a session, and permit or deny sessions based on L3 and L4 parameters. The difference between stateless filtering and stateful firewalls is that rules apply to sessions, not individual packets.
L7 intrusion detection + prevention   Deep packet inspection (DPI) is used to analyze L7 application content in sessions, and rules for processing traffic or alerting network administrators to attacks are made based on L7 application analysis.
Application layer                     Antivirus, anti-malware, and other application layer security models are implemented on servers.
Table 4 - Best Practices for Service Provider Security
Best Practices for Securing VoIP Networks
Mobile and fixed voice services still dominate service provider revenue
worldwide. As voice services migrate to VoIP, security challenges increase in
complexity and criticality.
Figure 4 represents a typical service provider VoIP network architecture. In a
VoIP network, there are two fundamental forms of transport:
• A control plane using either Session Initiation Protocol (SIP), H.323, or some
other VoIP signaling protocol
• A data plane transporting VoIP packets
VoIP signaling is completely separate from the VoIP data plane. IP phones set
up calls using a VoIP signaling protocol which communicates with IP PBX, IP
Centrex services, or network softswitches to establish VoIP sessions. Calls
can be routed across the service provider IP network, across the Internet, or to
the Public Switched Telephone Network (PSTN) via a VoIP gateway. After VoIP
sessions are set up by network softswitches, VoIP sessions are established
between the VoIP endpoints, and Real Time Transport Protocol (RTP) is used to
transport VoIP between VoIP endpoints over the IP network.
Figure 4 - Representative Network Architecture of a Typical VoIP Network (elements shown include VoIP application and media servers, OSS, VoIP gateway, Class 5 switch and POTS, the VoIP service provider IP network, other carriers, the Internet, and carrier-to-carrier wholesale VoIP peering)
The VoIP network architecture offers a myriad of security vulnerabilities. DDoS
attacks are a primary area of concern, as they can come in many shapes and
forms. Typically executed by botnets, the result of a DDoS attack could be a
telephone network service outage. Some of the network elements that are
vulnerable to DDoS attacks are:
• VoIP media gateways
• VoIP application servers
• IP PBX
• Session border controllers (SBCs)
Fraud and theft of services is another type of security threat. If network
criminals are able to penetrate network softswitches, media gateways, or OSS
systems, they can steal services by making free calls, modifying or deleting
billing records, or transferring false settlements to other carriers.
An overview of the best practices for network security is provided in the
following subsections for transport network elements, IP edge elements, data
center, and Internet peering points.
Securing the IP Edge of the VoIP Network
The primary mechanisms for controlling traffic and securing the edge of the VoIP
network are Session Border Controllers (SBCs) and IPS. SBCs are specialized
network devices designed to perform specific services in VoIP networks. They
are inserted into the signaling and/or media paths between calling and called
parties in a VoIP call. In some cases, the SBC masquerades as the called
VoIP phone and places a second call to the called party. The effect of this
behavior is that signaling traffic and media traffic (voice, video, and so on) can
be monitored and controlled by the SBC. The SBC also has the ability to modify
control signaling, allowing service providers to restrict or redirect certain calls
and helping them overcome potential problems caused by firewalls and NAT.
There are multiple security benefits to SBCs. They monitor traffic, help prevent
DDoS attacks, and they provide a mechanism for lawful intercept of VoIP calls.
SBCs also create a general framework for monitoring malicious VoIP usage and
shutting down offending users or bots.
SBCs, however, are also subject to attacks, and don’t typically have the
capability to quickly update and defend against new security threats.
IPS is designed to quickly load new signatures in defense of newly found
security threats. These signatures can be created and loaded within hours,
providing the necessary response for stopping new threats. For this reason,
many networks deploy IPS in front of SBCs to prevent attacks on the SBC.
Securing VoIP Elements in the Data Center
There are multiple servers and network elements in the data center that
support VoIP services. Servers must be regularly patched, and antivirus and
anti-spyware must be kept up to date. In addition, VoIP MPLS VPNs can be
extended to the data center to provide network isolation for VoIP application
and media servers. Standard firewall/IPS configurations can result in SIP
signaling problems; therefore, these elements must be configured to support
VoIP transport and defend the data center from intruders. Firewalls should
utilize Application Layer Gateways (ALGs) to open and close pinholes that allow
the VoIP traffic to traverse the firewall. ALG support is required for the VoIP
signaling protocol (SIP, H.323, or other) used in the network.
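As an added illustration (not code from the handbook or from Juniper's ALG), the following Python models the pinhole bookkeeping a SIP ALG performs: it reads the SDP offer carried in an INVITE, opens UDP pinholes for each advertised RTP port and its RTCP companion, and closes them again on BYE so media ports do not stay open. The SIP messages, Call-ID, address and ports are constructed samples; a production ALG also parses the SDP answer in the 200 OK and rewrites addresses when NAT is in the path.

```python
# Added illustration of SIP ALG pinhole bookkeeping; not Juniper's implementation.
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pinhole:
    """One UDP destination the firewall must temporarily permit."""
    ip: str
    port: int


@dataclass
class SipAlg:
    open_pinholes: dict = field(default_factory=dict)  # Call-ID -> set of Pinhole

    @staticmethod
    def _parse(raw):
        """Split a SIP message into (method, lower-cased header dict, body)."""
        head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
        lines = head.split("\n")
        method = lines[0].split(" ", 1)[0]
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        return method, headers, body

    @staticmethod
    def _media_pinholes(body):
        """RTP port from each m= line plus its RTCP port (port + 1 by convention)."""
        conn = re.search(r"^c=IN IP4 (\S+)$", body, re.M)
        holes = set()
        if conn is None:
            return holes
        for m in re.finditer(r"^m=(?:audio|video) (\d+) RTP/AVP", body, re.M):
            port = int(m.group(1))
            holes.add(Pinhole(conn.group(1), port))
            holes.add(Pinhole(conn.group(1), port + 1))
        return holes

    def handle(self, raw):
        """Process one signaling message; return the pinholes it opened or closed."""
        method, hdr, body = self._parse(raw)
        call_id = hdr.get("call-id")
        if call_id is None:
            return set()
        if method == "INVITE" and hdr.get("content-type", "").lower() == "application/sdp":
            holes = self._media_pinholes(body)
            self.open_pinholes.setdefault(call_id, set()).update(holes)
            return holes
        if method == "BYE":  # tear down every pinhole that belonged to the call
            return self.open_pinholes.pop(call_id, set())
        return set()

    def permits(self, ip, port):
        """Would media to this address/port pass the firewall right now?"""
        return any(Pinhole(ip, port) in h for h in self.open_pinholes.values())


# Constructed sample messages (RFC 3261-style INVITE with an SDP offer, then BYE).
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: a84b4c76e66710\r\n"
          "Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 198.51.100.7\r\n"
          "m=audio 49170 RTP/AVP 0\r\nm=video 51372 RTP/AVP 31\r\n")
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: a84b4c76e66710\r\n\r\n"


def demo():
    alg = SipAlg()
    opened = alg.handle(INVITE)                     # 4 pinholes: 2 RTP + 2 RTCP
    during = alg.permits("198.51.100.7", 49170)     # True while the call is up
    closed = alg.handle(BYE)
    after = alg.permits("198.51.100.7", 49170)      # False once BYE is seen
    return opened, during, closed, after
```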
Securing Internet Peering Points for VoIP
For obvious reasons, Internet peering points are high-risk locations. It is a best
practice to use SBCs at peering points to protect from DDoS and other attacks.
Firewalls and IPS are also a must at peering points and should be used in
conjunction with SBCs to ensure adequate security, while minimizing service
disruptions due to NAT or other protocol problems associated with VoIP
signaling and network firewalls.
Securing the IP Edge: SBCs and IPS systems are used to secure the edge of the
network from
Securing VoIP Elements in the Data Center: Use firewalls and IPS to secure VoIP
servers in the data center.
Securing Internet Peering Points for VoIP: Peering points should be secured with
SBCs, firewalls, and IPS.
Table 5 - Summary of VoIP Network Security Best Practices
Best Practices for Securing TV and Multimedia Services
Traditional telephone companies are entering the TV and multimedia
entertainment markets by leveraging IPTV and video on demand (VOD)
technology. Delivering video entertainment services over IP networks creates
the opportunity for new and enhanced services that provide competitive
advantages over incumbents. Figure 5 depicts a typical network architecture for
IPTV and VOD.
[Figure 5 - Internet TV and Multimedia Architecture: head-end office and VoD
servers; broadcast TV VLAN (multicast replication); video/hub serving office;
IP edge switch and policy (E-series, SDX-300)]
Security vulnerabilities exist throughout the IPTV architecture. Virtually all IP
network devices are subject to DDoS attacks, and prevention mechanisms
should be put into place. IP routers should utilize ACLs, NAT, MPLS
VPNs, and VLANs to secure routers and traffic. The IPTV architecture also
presents additional challenges at the network peering points, head-end
and/or the video serving office.
Securing External Network Peering Points
At all points where the video IP network interconnects with external IP networks
(the Internet or any other third-party network), stateful firewalls with IPS should
be used to prevent external attacks. Firewalls should also use NAT to shield
internal IP addresses from the outside world. This limits the information that
can be collected by an intruder for the purposes of an attack.
Securing the Video/Super Head-End
The video/super head-end is a critical component of the network that must be
secured. Network firewalls and IPS should be used to control access to the
head-end. This is also a point where digital rights management needs to be
enforced. Encryption technology combined with IPSec tunnels can be used to
ensure privacy and prevent unauthorized access to video content.
Securing the Video/Hub Serving Office
The video/hub serving office is another critical location in the network that
needs protection. Best practices include inline IDP protection with custom
signatures to detect DDoS and other attacks on video networks. Digital rights
management also needs to be enforced at these locations using encryption.
Securing External Network Peering Points: Stateful firewalls and routers should
secure external peering points. NAT should be used to shield internal IP
addresses. IPS should be used for
Securing the Video/Super Head-End: Routers, firewalls, and IPS should secure the
video head-end.
Securing the Video/Hub Serving Office: Routers, firewalls, and IPS should secure
the video/hub serving office.
Table 6 - Summary of Best Practices for Securing an IP Video Network
Best Practices for Securing Third-Generation Mobile Data Networks
The rapid growth of wireless data service riding on third-generation networks
has increased the need for security in the mobile packet core. Figure 6
presents a high level overview of the third-generation packet architecture.
[Figure 6 - High-Level Overview of Third-Generation Network Architecture: data
critical servers; mobile packet core with SGSN, GGSN, and PDSN]
The threats on the third-generation network are similar in nature to the threats
discussed earlier. Protection is needed from DDoS attacks, botnets, worms,
and intruders attempting to hijack services and illegally monitor voice or data
communications. One of the differences in the third-generation networks is
that the Serving General Packet Radio Service (GPRS) Support Node (SGSN),
gateway GPRS support node (GGSN), and packet data serving node (PDSN) (for
CDMA2000) packet control nodes are used to manage and control all wireless
data. Since all data traffic passes through these controllers, any attack
on these systems will cause network-wide service outages. It is therefore
imperative to defend these network elements.
The key areas in the third-generation network that must be defended are
highlighted in Figure 7. Starting from the edge of the network, security must
be maintained on mobile handsets. It is the responsibility of the handset
manufacturer to install and maintain virus protection, intrusion detection, and
firewall software on the handset to defend against attacks. Handsets must also
be capable of encrypting data using SSL clients to maintain privacy.
In the data core network, the methods of protection are similar to those
discussed earlier. Firewalls, IPS, and encrypted tunnels should be used to
secure interfaces to external networks. MPLS VPNs should also be used to
isolate the third-generation core network from any other IP traffic on the
network. For example, if the IP core network is supporting many services,
including third-generation mobile, Internet, wireline voice, IPTV, and business
services, an MPLS VPN can create a secure virtual IP network to support the
third-generation core packet network. Security must also be provided for all
servers, billing systems, and packet control nodes. This can be done with
firewalls, IPS, antivirus and anti-malware software running on servers. Some
specific requirements for third-generation networks are that firewalls must be
capable of passing GPRS Tunneling Protocol (GTP) tunnels, which are commonly
used to pass data traffic securely across the network.
[Figure 7 - Best Practices for Securing Third-Generation Packet Core Networks:
security on the mobile handset (mandatory); access nodes (UNC, RNC, etc.) and
RAN; roaming partner network (GRX) connection and GTP/Gp attacks; data IP nodes
(SGSN, GGSN, PDSN) over IP/MPLS; application servers protection (potentially
compromises LIG, HLR, VLR); critical servers]
Securing the PSTN Connections: Firewalls and IPS protect interfaces to PSTN
gateways.
Securing the SGSN, GGSN, and/or PDSN: MPLS VPNs isolate the mobile IP network
from other service provider IP networks. Firewalls and IPS protect SGSN, GGSN,
Securing the OSS, Billing Systems, and Application Servers: MPLS VPNs isolate
the mobile IP network from other service provider IP networks. Firewalls and IPS
protect data center OSS and billing systems.
Table 7 - Summary of Best Practices for Securing an IP Mobile Network
Best Practices for Securing Service Provider Data Centers
Rollout of new data services has led to an explosive growth in data centers.
Figure 8 presents an overview of how data centers fit into the typical service
provider network architecture. Network services are provided by multiple data
centers and application servers. These could be metro data centers or national
and regional data centers. Additionally, some services are provided by third
parties with applications hosted in remote data centers across the Internet.
[Figure 8 - Architecture of Service Provider Data Centers: access, IP edge,
metro core, super core, and peered networks; metro or market data centers,
serving centers, data centers, and content providers connected through E320,
MX-series, and J-series routers]
Data centers are the brains running the network services and therefore are a
focal point for network criminals attacking service providers. There is a
complex set of systems and services running in the data center, with
vulnerabilities in each layer. These include:
• Server and OS vulnerabilities
• Application layer vulnerabilities
• Network switching vulnerabilities
• Network routing vulnerabilities
• Storage network vulnerabilities
• Data center management and control vulnerabilities
An important trend in modern data center design is system virtualization. LANs,
storage area networks (SANs), and servers are virtualized such that a single
physical network or system element can run multiple logical elements. This
has helped improve scalability, reduced operations expenses such as power
consumption and cooling, and improved data center security by isolating
components of the network and system infrastructure. In designing a secure
data center networking infrastructure, the virtualization and security defenses
in the network must correctly map to the virtualization models deployed across
the data center as a whole.
[Figure 9 - Establishing a Security Perimeter in a Virtualized Data Center:
"untrusted zone" with L3/L4 stateful inspection at the MX960 data center
perimeter; "trusted zone" with L3/L4 stateless filtering; virtual data center
L2 area and L3 area hosting fixed applications]
A common approach for securing network and system infrastructure in data
centers is a layered security model (see Figure 9). In this model, security
perimeter(s) are maintained such that trusted network components are
separated from untrusted components. In some cases, there are multiple
perimeters and multiple layers of trust assigned to systems. It is also possible
to have tiered virtual security perimeters mapped to virtual servers and storage
networks. Network elements and systems outside the perimeter are managed
differently than those inside the perimeter. Different systems and components
have varying levels of importance and vulnerabilities, and therefore are
managed differently from a security perspective. However, all systems must be
protected from attacks at some level. Systems that house extremely sensitive
data should be deep inside the security perimeters, while systems that provide
Internet Web services should be outside the perimeter or in a demilitarized
zone (DMZ). The DMZ is an area in the data center that is accessed by arbitrary
users over the Internet, but has some level of protection using Internet firewalls
and IPS. The DMZ is separated from the trusted network using a second layer
of firewall and IPS.
The layered security architecture must correspond to the virtualization
architecture that is implemented in the data center. This is done by mapping
virtual networks at layer 2 (L2) and layer 3 (L3) to virtual storage networks
and virtual servers. L2 virtual networks are normally implemented with VLANs,
while L3 virtual networks are implemented with MPLS VPNs.
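The mapping requirement described above can be checked mechanically. The following Python, an added example rather than anything from the handbook, assigns each VLAN or VRF to one of the three zones the text describes (untrusted, DMZ, trusted) and flags any flow that crosses a perimeter without passing a firewall/IPS tier for each perimeter crossed, or that involves a segment nobody mapped to a zone. The segment names, zone map and flows are constructed.

```python
# Added illustration of a zone-mapping consistency check; not from the handbook.
from dataclasses import dataclass

# Trust ranking of the perimeters in the text: Internet outside, DMZ behind the
# Internet firewall/IPS, trusted network behind a second firewall/IPS layer.
TRUST = {"untrusted": 0, "dmz": 1, "trusted": 2}

# Virtual segment -> zone. L2 segments are VLANs, L3 segments are VRFs (MPLS VPNs).
SEGMENT_ZONE = {
    "vlan-100": "untrusted",   # Internet-facing L2 segment
    "vlan-200": "dmz",         # Web front ends reachable from the Internet
    "vrf-apps": "trusted",     # application tier
    "vrf-storage": "trusted",  # virtual SAN management
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    inspected_by: tuple  # names of the firewall/IPS tiers the path traverses


def perimeters_crossed(src_zone, dst_zone):
    """Number of security perimeters between two zones (0 within one zone)."""
    return abs(TRUST[src_zone] - TRUST[dst_zone])


def check_flow(flow):
    """Return None if the flow respects the layered model, else a description."""
    for seg in (flow.src, flow.dst):
        if seg not in SEGMENT_ZONE:
            return f"{seg} is not mapped to any zone"
    src_zone, dst_zone = SEGMENT_ZONE[flow.src], SEGMENT_ZONE[flow.dst]
    needed = perimeters_crossed(src_zone, dst_zone)
    if len(flow.inspected_by) < needed:
        return (f"{flow.src}({src_zone}) -> {flow.dst}({dst_zone}) crosses {needed} "
                f"perimeter(s) but only {len(flow.inspected_by)} firewall/IPS tier(s)")
    return None


def audit(flows):
    """All violations found in a list of flows, in input order."""
    return [v for v in (check_flow(f) for f in flows) if v is not None]


# Constructed sample flows; the third skips the inner firewall layer, the fourth
# references a VLAN that was never placed in a zone.
SAMPLE_FLOWS = [
    Flow("vlan-100", "vlan-200", ("internet-fw-ips",)),
    Flow("vlan-200", "vrf-apps", ("internal-fw-ips",)),
    Flow("vlan-100", "vrf-apps", ("internet-fw-ips",)),
    Flow("vlan-300", "vrf-storage", ()),
    Flow("vrf-apps", "vrf-storage", ()),
]
```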
In summary, securing data centers is a complex task that requires a detailed
security design. This design must provide security at layer 2-7 and must be
consistent with the logical design and systems requirements in the data center.
4 Juniper Networks Security Product Portfolio
Juniper Networks is a leader in carrier-class routing and network security.
Juniper’s routers scale from small routers for home offices or small businesses
to the largest core Internet routers. Juniper also offers a full range of scalable
firewalls, Intrusion Detection and Prevention (IDP) systems, SBCs, and identity
and policy management solutions.
The Juniper Networks intelligent services edge includes the M-series and
MX-series routing platforms that provide a broad range of edge functionality to
support next-generation applications. Each routing platform supports VLANs,
MPLS VPNs, and ACLs for baseline security defenses.
Additional security is available with the MS-DPCs on the MX-series, and the
MS-PICs on the M-series. The MS-DPC and MS-PIC support a broad set of IP
services and security functions including:
• Session border control (SBC) functions
• Intrusion Detection and Prevention (IDP)
• Deep packet inspection
• Stateful firewall
• Network Address Translation (NAT)
Built-in security mechanisms along with the MS-DPC and MS-PIC capabilities
provide a comprehensive security solution available on both the MX- and
M-series routing platforms.
In addition, the T-series routers are core routers designed to provide IP
scalable routing deep in the core network. T-series routers also leverage the
same built-in security and MS-PIC as the M-series routers for the same
Firewalls and IDP
Juniper Networks has a scalable set of integrated network security devices
that are designed for large networks and data centers (See Figure 10). These
products have scalable performance and integrated security and routing
capabilities. All products have best-in-class capabilities in firewall and IDP
[Figure 10 - Juniper Networks Security Product Family: rich standard services
(routing, QoS), extensible security services, integrated networking services,
and common management (NSM) across the product range for a wider range of
services]
The top end of the product line is the SRX-series 5600/5800, a highly
scalable integrated firewall and IDP for use in data centers and service provider
networks. Based on the Dynamic Services Architecture, the SRX-series
provides unrivaled scalability. A fully equipped SRX 5800 supports up to 120
Gbps firewall throughput and 30 Gbps IDP throughput.
Juniper Networks NetScreen-5000 series is a line of purpose-built firewall/VPN
security systems designed to deliver a new level of high-performance
capabilities. NetScreen-5000 security systems integrate firewall, VPN, denial
of service (DoS) and DDoS protection, and traffic-management functionality in
a low-profile, modular chassis. Built around Juniper’s third-generation security
ASIC and distributed system architecture, the NetScreen-5000 series offers
excellent scalability and flexibility, while providing a higher-level security system
through Juniper Networks NetScreen ScreenOS® custom operating system.
In addition, the Integrated Security Gateways (ISG) are purpose-built, security
solutions that leverage a fourth-generation security ASIC, the GigaScreen3,
along with high-speed microprocessors to deliver unmatched firewall and VPN
performance. The Juniper Networks ISG 1000 and ISG 2000 are ideally suited
for securing carrier and data center environments where advanced applications
such as VoIP and streaming media dictate consistent, scalable performance.
Integrating best-in-class Deep Inspection firewall, VPN, and DoS solutions, the
ISG 1000 and ISG 2000 enable secure, reliable connectivity along with network
and application-level protection for critical, high-traffic network segments. The
ISG can be upgraded to support integrated IDP to provide robust network and
application layer protection against current and emerging threats. Leveraging
the same software as found on Juniper Networks IDP platforms, but
integrated into ScreenOS, the ISG product family provides a combination of
best-in-class firewall, VPN, and IDP in a single solution.
Intrusion Detection and Prevention
Juniper Networks Intrusion Detection and Prevention (IDP) products provide
comprehensive and easy-to-use inline protection that stops network and
application-level attacks before they inflict any damage to the network,
minimizing the time and costs associated with maintaining a secure network.
Using industry-recognized stateful intrusion detection and prevention
techniques, Juniper Networks IDP provides zero-day protection, stopping worms,
trojans, spyware, keyloggers, and other malware from penetrating the network
or spreading from already infected users.
Session Border Controller
Juniper Networks session border control (SBC) border gateway function (BGF)
for JUNOS® software fully integrates voice and multimedia session support onto
the M-series M120 and M320 multiservice edge routers and the T-series T640
core router. The SBC BGF runs on MS-PICs which include dedicated hardware
accelerators for optimized performance and scalability. The SBC BGF for JUNOS
software provides many important VoIP functions such as media gateway control
and media latching, NAT and Network Address Port Translation (NAPT) traversal,
Differentiated Services Code Point (DSCP) marking and rate limiting that
together ensure the appropriate handling of voice traffic at the access and peer
edges of converged IP services networks.
Identity and Policy Management
The Juniper Networks Steel-Belted Radius (SBR) family offers AAA products
based on RADIUS standards that provide the performance and reliability to
handle any traffic load and fully support any network infrastructure. Designed
for both enterprise and service provider networks, SBR products provide
uniform security policy enforcement across all network access methods,
including wireless LAN (WLAN), remote/VPN, dial up, and identity-based (wired
802.1X). Specialized solutions for service providers also manage subscriber
authentication, support any service delivery model, and accelerate time-to-
market for new services.
Service provider networks are undergoing a massive paradigm shift as networks
migrate from legacy circuit switched and closed data networks to converged
IP and Carrier Ethernet networks. This shift has created many business
opportunities, but also created serious network security vulnerabilities.
This network security handbook has explained why security is of critical
concern to service providers, described common vulnerabilities, and presented
some approaches to securing networks. Network security is critical to service
provider operations; a thoughtful and systematic approach must be taken to
network security architecture and design, and best-in-class security products
must be implemented to optimize defense against threats.
Corporate and Sales Contacts
Michael Kennedy in the Boston area: Phone 978.405.5084, Fax 978.405.0263
Peter Fetterolf in the San Francisco Bay area: Phone 510.451.2740, Fax 978.405.0263
Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA
Phone: 888-JUNIPER (888-586-4737) or 408.745.2000, Fax: 408.745.2100, www.juniper.net
Copyright 2008 Network Strategy Partners, LLC. All rights reserved
Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and
ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark
of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property
of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks
reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
710095 Dec. 2008