for Service
Network Security HaNdbook for Service ProviderS

1    EXECUTIVE SUMMARY                                                ...
Network Security HaNdbook for Service ProviderS

                       Jointly published by Juniper Networks
Network Security HaNdbook for Service ProviderS

    1 Executive Summary
    The telecommunications industry is in the ...
Network Security HaNdbook for Service ProviderS

                                      Worldwide VoIP Subscribers
Network Security HaNdbook for Service ProviderS

        The ramifications of such attacks on service provider networks...
Network Security HaNdbook for Service ProviderS

architectures with limited and controlled gateways to the Internet and...
Network Security HaNdbook for Service ProviderS

    Service outages can result in loss of revenue, payment of penaltie...
Network Security HaNdbook for Service ProviderS

In this scenario the average cost of churn for this small metro area w...
Network Security HaNdbook for Service ProviderS

    Anatomy of Network Threats
    The open IP architecture presents a...
Network Security HaNdbook for Service ProviderS

intended users and the victim devices so that they can no longer
Network Security HaNdbook for Service ProviderS

     There are a large variety of Internet worms. The comm...
Network Security HaNdbook for Service ProviderS

In contrast, zero day attacks are new and therefore have no attack sig...
Network Security HaNdbook for Service ProviderS

     Network routers are core components in the IP networ...
Network Security HaNdbook for Service ProviderS

to attack hosts. This is especially important for network servers that...
Network Security HaNdbook for Service ProviderS

     IPS typically uses deep packet inspection (DPI) technology to loo...
Network Security HaNdbook for Service ProviderS

         FuNCtIoN        deSCrIPtIoN
         L2/3 traffic    routers ...
Network Security HaNdbook for Service ProviderS

           SS7                                                        ...
Network Security HaNdbook for Service ProviderS

Securing the IP Edge of the VoIP Network
The primary mechanisms for co...
Network Security HaNdbook for Service ProviderS

     disruptions due to NAT or other protocol problems associated with...
Network Security HaNdbook for Service ProviderS

Security vulnerabilities exist throughout the IPTV architecture. Virtu...
Network Security HaNdbook for Service ProviderS

     Best Practices for Securing 3rd Mobile Data Networks
     The rap...
Network Security HaNdbook for Service ProviderS

In the data core network, the methods of protection are similar to tho...
Network Security HaNdbook for Service ProviderS

                          FuNCtIoN                                    ...
Network Security HaNdbook for Service ProviderS

Data centers are the brains running the network services and therefore...
Network Security HaNdbook for Service ProviderS

     A common approach for securing network and system infrastructure ...
Network Security HaNdbook for Service ProviderS

Additional security is available with the MS-DPCs on the MX-series, and...
Network Security HaNdbook for Service ProviderS

     The top end of the product line is the SRX-series ...
Network Security HaNdbook for Service ProviderS

Session Border Controller
Juniper Networks session border control (SBC...
Network Security HaNdbook

                                                                      corPorate aNd SaLeS
Upcoming SlideShare
Loading in …5

Network Security Handbook for Service Providers


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Network Security Handbook for Service Providers

  1. 1. Network Security HaNdbook for Service ProviderS
  2. 2. Network Security HaNdbook for Service ProviderS 1 EXECUTIVE SUMMARY 2 2 THE IMPORTANCE OF NETWORK SECURITY 4 ANATOMY OF NETWORK THREATS . . . . . . . . . . . . . . . . . . .8 Overview of Security Threats . . . . . . . . . . . . . . . . . . . . .8 Distributed Denial of Service (DDoS). . . . . . . . . . . . . . . . . .8 Bots and Botnets . . . . . . . . . . . . . . . . . . . . . . . . .9 Worms. . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Zero Day Attacks . . . . . . . . . . . . . . . . . . . . . . . . 10 Vulnerable Network Components . . . . . . . . . . . . . . . . . . 11 3 BEST PRACTICES FOR SERVICE PROVIDER SECURITY 11 4 gENERAl BEST PRACTICES AND TOOlS FOR SERVICE PROVIDER NETWORK SECURITY 11 Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 MPLVS VPN . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Network Address Translation (NAT). . . . . . . . . . . . . . . . . . 12 Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . 13 Network Firewall . . . . . . . . . . . . . . . . . . . . . . . . 13 Intrusion Protection System (IPS) . . . . . . . . . . . . . . . . . . 13 Application Servers . . . . . . . . . . . . . . . . . . . . . . . 14 Identity and Policy Management . . . . . . . . . . . . . . . . . . 14 beSt PRACTICES FOR SECURINg VOIP NETWORKS 15 Securing the IP Edge of the VOIP Network . . . . . . . . . . . . . . . 17 Securing VOIP Elements in the Data Center . . . . . . . . . . . . . . 17 Securing Internet Peering Points for VoIP . . . . . . . . . . . . . . . 17 5 BEST PRACTICES FOR SECURINg TV AND MUlTIMEDIA SERVICES 18 Securing External Network Peering Points . . . . . . . . . . . . . . . 19 Securing the Video/Super Head-end . . . . . . . . . . . . . . . . . 19 Securing the Video/Hub Serving Office . . . . . . . . . . . . . . . . 19 BEST PRACTICES FOR SECURINg 3RD gENERATION MOBIlE DATA NETWORKS 20 BEST PRACTICES FOR SECURINg SERVICE PROVIDER DATA CENTERS 22 4 JUNIPER NETWORKS SECURITY PRODUCT PORTFOlIO 24 Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Firewalls and IDP . . . . . . . . . . . . . . . . . . . . . . . . 25 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Intrusion Detection and Prevention . . . . . . . . . . . . . . . . . 26 Session Border Controller . . . . . . . . . . . . . . . . . . . . . 26 Identity and Policy Management . . . . . . . . . . . . . . . . . . 27 5 CONClUSION 27 TABLE OF CONTENTS
  3. 3. Network Security HaNdbook for Service ProviderS Jointly published by Juniper Networks and Network Strategy Partners, LLC: Juniper Networks high-performance network infrastructure helps businesses accelerate the deployment of services and applications to take advantage of opportunities to innovate, grow, and strengthen their business. With Juniper, businesses can answer the challenge of complicated, legacy networks with high-performance, open, and flexible solutions. Network Strategy Partners, LLC (NSP) — Management Consultants to the networking industry — helps service providers, enterprises, and equipment vendors around the globe make strategic decisions, mitigate risk, and affect change through custom consulting engagements. NSP’s consulting includes business case and ROI analysis, go-to-market strategies, development of new service offerings, pricing and bundling as well as infrastructure consulting. NSP’s consultants are respected thought-leaders in the networking industry and influence its direction through confidential engagements for industry leaders and through public appearances, white papers, and trade magazine articles. Contact NSP at 1
  4. 4. Network Security HaNdbook for Service ProviderS 1 Executive Summary The telecommunications industry is in the midst of a major paradigm shift. In the 1990s, most major service providers maintained separate networks for wireline voice, mobile voice, data, and TV. Today, many service providers are migrating all of their network services to IP packet switched networks. Voice services are still a major component of service provider revenue. As voice moves from circuit switched to VoIP packet switched networks (see Figure 1), service providers will have a major incentive to wind down operations on their expensive, legacy circuit switched infrastructure. By converging network services to integrated IP networks, service providers reduce capital and operations expenses while dramatically improving network scalability and service flexibility. Furthermore, the migration to IP is increasing competition in the telecommunications market. Cable TV providers are offering traditional voice services, telephone companies are offering Internet and IPTV, and new entrants are building broadband wireless networks with Wi-Fi and WiMax technology. As increased competition is accelerating the migration to IP service providers operating legacy networks risk shrinking revenues and , operating margins. 2
  5. 5. Network Security HaNdbook for Service ProviderS Worldwide VoIP Subscribers 200 150 Millions 100 50 0 CY04 CY05 CY06 CY07 CY08 CY09 CY10 CY11 Asia Paci c EMEA North America CALA 75.3M VoIP Subs Worldwide in 2007, +62% Year over Year Worldwide: 185.7M by CY11, a 5 - year CAGR of 25% >22M net new subs/year 2008 Infonetics Research, Inc. Figure 1 - Forecast of VoIP Subscribers Worldwide Service provider migration to IP networks has significant benefits and is, in fact, necessary for long term survival. However, the rapid growth in the Internet is also driving rapid growth in network security threats, which are escalating both in numbers and level of severity. Threats come from a myriad of sources that are distributed around the world. In the early days of the Internet, most threats were created by hackers who were just causing trouble for fun. Today, threats come from independent hackers as well as highly organized crime syndicates focused on profiting from Internet criminal activities. Some of the potential threats to service provider networks include: • Distributed denial of service attacks (DDoS) • Bots and botnets attacking servers and network infrastructure • Worms propagating throughout the network • Attacks on Domain Name System (DNS) • Attacks on IP routing protocols • Zero day attacks (these are new attacks which are unpredictable in nature) 3
  6. 6. Network Security HaNdbook for Service ProviderS The ramifications of such attacks on service provider networks include: • Service outages • Lost, damaged, or stolen customer data • Lost, damaged, or stolen service provider data (usage data, billing records, passwords, and so on) Global telecommunications revenues are expected to reach $2 trillion by the end of 20081, therefore as network services migrate to IP it is essential that , service providers and telecommunications equipment vendors be vigilant about security. Network infrastructure must defend itself from attacks, and operators must implement network security best practices. This network security handbook provides service providers with an anatomy of network security threats and a set of best practices for protecting the network. Best practices for network security architecture are defined for some of the most important services, applications, and network infrastructure including: • Voice services • TV and multimedia services • Mobile networks • Service provider data centers 2 The Importance of Network Security The convergence of voice, data, TV, and mobile telecommunications on IP networks has elevated the importance of network security. For many service providers, IP network security presents new technical challenges because legacy networks are fundamentally more secure than IP networks. The legacy phone network is based on a closed, circuit switching model. Call signaling uses the SS7 packet network which is not connected to the Internet or any other data network. Legacy television service is delivered using broadcast over digital or analog cable; specialized equipment which is not connected to any external packet networks is used for video service delivery. Many legacy data networks are based on Frame Relay and ATM; these technologies use secure layer 2 protocols with little or no connectivity outside the private network. Similarly, second-generation mobile networks are closed, circuit switching 1 Gartner 4
  7. 7. Network Security HaNdbook for Service ProviderS architectures with limited and controlled gateways to the Internet and other data networks. In general, legacy telecommunications networks: • Implement service-specific networks • Are based on closed and proprietary architectures • Utilize end-to-end management by service providers • Have no customer controls • Have no external exposure The migration to IP next-generation networks (NGNs) offers many strategic advantages to service providers, however, the open, flexible architecture of IP networks also pose a complex set of security threats. Multiple services, including wireline voice, video, data, and mobile voice and data are converging on a single IP network. This means that IP network attacks could affect all network services and, therefore, all network revenue. Also, threats that emerge from one service (for example the Internet) could affect other services like TV that were previously isolated. The IP network is based on an open, standards-based architecture that allows for rapid and massive worldwide growth. The open nature of the IP protocols, however, has also allowed intruders to easily access the tools needed for network intrusions. Everyone has access to RFC documents explaining the technical details of Internet protocols. In addition, extensive technical knowledge is not required because there is easy access to open source tools on the Web for creating network attacks and stealing valuable data. IP networks use open standards for network management, operations, and provisioning. Protocols and standards such as SNMP XML, and the newer Web , services management model enhance the power and flexibility of operations support systems (OSS), but they also create opportunities for intruders to access the most sensitive and critical areas of the telecommunications network—the network management and control plane. Another dimension of the problem is that business users, residential users, and mobile users are sharing the same IP network. Each of these customers has different security requirements that need to be addressed in the service offerings provided to them. Attacks on IP networks can have serious and potentially devastating consequences. Attacks can result in: • Service outages • Lost, damaged, or stolen customer data • Lost, damaged, or stolen service provider data (usage data, billing records, passwords, and so on) 5
  8. 8. Network Security HaNdbook for Service ProviderS Service outages can result in loss of revenue, payment of penalties for violated service-level agreements (SLAs), and increased customer churn. There are serious liabilities associated with lost or stolen customer data; lawsuits often result in high payments of damages as well as a tarnished public image. Lost or stolen service provider data can result in compromised networks and billing systems, or other serious problems. As network services converge to IP service availability of the IP network is critical. , Downtime, as a result of network attacks, software errors, or configuration errors, often result in high costs. The cost of downtime is highly variable based on the business and applications, but in all cases is quite high. Estimates of downtime costs for various industries and applications2 are presented in Table 1. INduStry APPLICAtIoN AVerAge CoSt/ Hour oF doWNtoWN transportation Airline Reservations $ 89,500 retail Catalog Sales $ 90,000 Media Pay-per-view $ 1,150,000 Financial Credit Card Sales $ 2,600,000 financial Brokerage Operations $ 6,500,000 table 1 - downtime Cost estimates in different Vertical Markets Downtime in service provider networks results in lost revenue due to SLA penalties and, to add insult to injury, results in increased customer churn. Table 2 depicts some estimates3 for hourly revenue loss for service provider network outages in small metro areas where 100,000 residential customers and 2,000 business customers are affected by an outage. In these small areas, residential losses are estimated to be over $8,333 per hour and business losses almost $6,944 per hour. While revenue loss is problematic, the potentially more serious problem (espe- cially in markets where there are competitive offerings) is customer churn due to poor service. Table 3 presents a scenario for a small metro area with 100,000 customers, an increased churn rate of 5 percent due to dissatisfaction with network service availability, and an average cost of churn of $400 per subscriber4. 2 See “Storage Virtualization and the full impact of Storage Disruptions: Relief and ROI”, Computer Technology Review, February 2002, Volume XX11 Number 2. 3 These estimates are based on an ROI model developed by Network Strategy Partners, LLC. 4 The churn projections were based on an ROI model developed by Network Strategy Partners, LLC 6
  9. 9. Network Security HaNdbook for Service ProviderS In this scenario the average cost of churn for this small metro area would be $2,000,000 per year. Clearly, network reliability and availability is a critical business requirement for enterprises and service providers. reSIdeNtIAL BuSINeSS Number of customers 100,000 2,000 average revenue per customer $60.00 $2,500 Hourly Lost revenue in an outage $8,333 $6,944 table 2 - Service Provider Hourly Lost revenue for Business and residential Network outages reSIdeNtIAL Number of residential Subscribers 100,0000 increase rate of churn 5% total cost of churn per year $400 total cost of churn per year $2,000,000 table 3 - Service Providers Costs of Increased Churn due to Network outages Corporate executives, furthermore, are now legally responsible for the security of their corporate information systems. There are multiple federal and state government regulatory requirements requiring executives and companies to comply with government mandated security requirements. These regulations include: • Sarbanes-Oxley (SOX) • Cyber Security Critical Infrastructure Protection (CIP) • Gramm-Leach-Bliley Act (GLBA) • California Senate Bill Number 1386 (SB1386) • Health Insurance Portability and Accounting Act (HIPAA) • Payment Card Industry Data Security Standard (PCI DSS) Network security, clearly, is one of the highest priorities in IP NGNs, and service providers need to be educated and vigilant to prevent devastating network attacks. 7
  10. 10. Network Security HaNdbook for Service ProviderS Anatomy of Network Threats The open IP architecture presents a myriad of threats from many sources to all parts of the network. The following paragraphs give an overview of some common threats, threat sources, and components of the network that could be affected. Overview of Security Threats There are many types of security threats and they continue to grow, develop, and mutate over time. A high level distribution of network security threats is presented in Figure 2, and a brief description of security threats is given in the following subsections of this paper. This is not meant to be an exhaustive description of network threats, but rather an overview of some common threats and terminology. 50 45 40 35 30 25 20 15 10 5 0 DDoS Bots and Worms Compromised DNS BGP Route Botnets Infrastructure Hijacking Figure 2 - distribution of Network Security threats Distributed Denial of Service Attack (DDoS) A distributed denial of service (DDoS) attack is an attempt to make a computer resource unavailable to its intended users. Perpetrators of DDoS attacks typically target sites or services hosted on high-profile Web servers such as banks, credit card payment gateways, and even DNS root servers. One common method of attack involves saturating the target (victim) machine with external communications requests such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered unavailable. In general terms, DDoS attacks are implemented by either forcing the targeted network elements or servers to reset, consuming their resources so that they can no longer provide their intended service, or obstructing the communication media between the 8
  11. 11. Network Security HaNdbook for Service ProviderS intended users and the victim devices so that they can no longer communicate adequately. Bots and Botnets Bots are computer programs that secretly install themselves on machines and run in the background often hidden from view of users, administrators, and even the operating system. A botnet is a group of bots that can propagate across the Internet and can be controlled by a malicious hacker or criminal. Once bots install themselves on machines, they scan for system vulnerabilities and collect information such as passwords and user names. The bots in a botnet can communicate with each other and the central controller to steal information, exploit system weaknesses, send spam, and execute DDoS attacks. Bots can result in network service outages or loss of critical customer or service provider data. This is especially serious if passwords and user names are compromised. For this reason, botnets have become one of the most serious threats on the Internet. The majority of botnets are used by cyber criminals to send spam and also to illegally seek financial information. According to, an organization that tracks botnets, the number of bots measured in September 2008 peaked at a half million infected computers. Because bots are hard to detect, the numbers could be much larger. One example of a current botnet is Kraken. The Kraken malware infects victims’ PCs and uses encrypted communications between bots. It also has the ability to move command and control functionality around the botnet. And, like many botnets, the purpose of the Kraken network seems to be the propagation of massive amounts of spam. Individual machines infected with Kraken could send as many as 500,000 spam messages in a single day. Bots are rampant throughout the world as illustrated in Figure 3, and they are growing in number and severity levels. Service providers need to understand the nature and dynamics of botnets in order to adequately secure their networks. 100,000 Active BOT Infected Computers 90,000 United 80,000 Kingdom France Poland Canada (6) 4% (3) 6% (8) 3% 70,000 (10)2% Spain 60,000 United States (5) 5% (2)14% China Germany (1) 26% Taiwan 50,000 (4) 6% (7) 4% 40,000 30,000 Brazil (9) 3% 20,000 Key 10,000 (X) = Current rank 0 % = Current proportion Jan. 01, Apr. 11, Jul. 20, Oct. 28, Feb. 05, May 16, BOT infected Computers By Country* (*Source: Symantec) 2006 2006 2006 2006 2007 2007 Active BOTS per Day Figure 3 - Worldwide Statistics on Bots 9
  12. 12. Network Security HaNdbook for Service ProviderS Worms5 There are a large variety of Internet worms. The common characteristic of worms is that they: • Exploit vulnerabilities in a computer’s operating system or application software to launch malicious software that runs on the machine • Find information in the computer (such as email lists or lists of IP addresses) to propagate between different machines • Cause significant damage and financial losses to large numbers of companies worldwide in a short period of time • One example of a well known Internet worm is Code Red. This worm exploited a vulnerability in the indexing software distributed with IIS6 for which a patch had been available a month earlier. The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character “N” to overflow a buffer, allowing the worm to execute arbitrary code infecting the machine. The worm spread by probing random IP addresses and infecting all hosts vulnerable to the IIS exploit. Another example of a well known worm is the Love Bug Virus. This virus arrived in email boxes on May 4, 2000, with the simple subject of “ILOVEYOU” and an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”. Upon opening the attachment, the virus sent a copy of itself to everyone in the user’s address list, posing as the user. It also made a number of malicious changes to the user’s system. Two aspects of the virus made it effective: • It relied on user curiosity to entice users to open the attachment and ensure its continued propagation. • It exploited the weakness of the email system design that an attached program could be run by simply opening the attachment. Worms come in many forms and varieties, and they can result in network service outages and loss of customer and service provider data. Zero Day Attacks Fundamentally, there are two types of attacks on networks: 1) known attacks and 2) zero day attacks. The first is a known attack on a known vulnerability which can be identified in an intrusion prevention system (IPS) by a signature. 5 Worms and viruses are closely related - this discussion addresses both types of threats. 6 Internet Information Services (IIS)—formerly called Internet Information Server—is a Microsoft-produced set of Internet-based services for servers using Microsoft Windows. 10
  13. 13. Network Security HaNdbook for Service ProviderS In contrast, zero day attacks are new and therefore have no attack signatures to identify them. To defend against zero day attacks, the IPS requires more sophistication such as protocol anomalies. This topic will be covered more fully later in the paper. Vulnerable Network Components Many parts of an IP network are vulnerable to threats including: • End user equipment—PCs, servers, mobile phones, PDAs, and so on • Network equipment—routers, Ethernet switches, and so on • Control and signaling—network management plane, softswitches, and so on • Applications and services—network and application servers • OSS—network management, billing and operations management Attacks to any of the network components above can result in loss of service or loss of data. 3 Best Practices for Service Provider Security Every network is unique and requires the attention of professional network architects and designers to ensure that the network is defensible. The principles used by network designers to secure networks are based on a set of industry best practices. This section of the security handbook provides a network security best practice overview which is summarized in Table 4. We start by providing a summary of general best practices that can be applied to any service provider network. general Best Practices and Tools for Service Provider Network Security This section provides an overview of some of the devices and technologies for securing service provider networks. The devices that provide network security are: • Router • Network firewall • Intrusion Protection Systems (IPS) • Application servers • Identity and policy management 11
  14. 14. Network Security HaNdbook for Service ProviderS Routers Network routers are core components in the IP network infrastructure. As such, it is critical that routers implement security technologies to protect networks from intruders. Some of the security technologies implemented in routers are: • VLANs • MPLS VPN • Network Address Translation (NAT) • Access Control Lists (ACLs) Virtual lANs (VlANs) A VLAN is a layer 2 segmentation technology that allows for a group of end stations to be grouped together into a logical LAN, even if they are not located on the same network switch. It can also be used to segment traffic, such as segmenting VoIP traffic from regular data traffic. The segmentation of users and/or traffic provides a level of security by creating a virtual network, making it difficult to intercept traffic or access a traffic segment. MPlS VPN The MPLS virtual private network (VPN) is a common method of securing IP communications. The basic concept of the MPLS VPN is that a common physical routing infrastructure hosts multiple logical routing networks. Each logical network appears to hosts and users to be a separate IP network. The logical network, or MPLS VPN, can use a set of private IP addresses, run independent routing protocols local to the VPN, and remain isolated from the Internet and all other MPLS VPNs, unless the network administrator intentionally provides routing connectivity between networks. An MPLS VPN therefore is equivalent to building a physically separate IP routing network. This logical separation of IP networks provides a cost-effective approach to securing subscriber and service-specific networks from attacks that emanate from the Internet or other private IP networks. Network Address Translation (NAT) NAT is a common mechanism for mapping private IP addresses to public addresses. The process is simple: a private IP address and TCP port is mapped to a public address using an NAT server. One of the additional benefits of NAT is that malicious users on the Internet cannot see the true IP source address of the host. Without knowing the IP source address, it is more difficult 12
  15. 15. Network Security HaNdbook for Service ProviderS to attack hosts. This is especially important for network servers that are a focal point for many attacks. Access Control lists (ACls) The ACL is a list of permissions that specifies who or what is allowed to access the router or device, and what operations they are allowed to perform. In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether to proceed with the operation. Depending on the ACL, the request may be accepted or denied. ACLs provide router protection by denying unauthorized users or packets from accessing the router. Network Firewall A network firewall is a dedicated appliance which inspects network traffic and denies or permits passage based on a set of rules. The primary objective of the firewall is to regulate traffic flows between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a “perimeter network” or demilitarized zone (DMZ). The classes of firewalls are: • Stateless firewalls • Stateful firewalls Stateless firewalls are usually implemented in routers and switches as ACLs that filter packets based on parameters in layer 3 IP headers and layer 4 TCP headers. For instance, packets can be filtered based on IP source and destination address and TCP ports. Stateful firewalls extend simple packet filtering to create rules based on sessions. Filtering rules can account for the history of a session as opposed to working on individual packets. For example, if an Internet user accesses a Web site from an internal network, a stateful firewall will let the return packets into the network from the Web site based on the state of the session. This is not possible with stateless firewalls. Intrusion Protection System (IPS) IPS is used to detect and prevent network attacks. IPS analyzes network traffic for threats and takes some action to mitigate the threat when one is detected. 13
  16. 16. Network Security HaNdbook for Service ProviderS IPS typically uses deep packet inspection (DPI) technology to look at all layers of network protocols from layer 2 to layer 7. There are two fundamental mechanisms for detecting network intrusions: • Signatures • Protocol and application anomaly detection Signatures are patterns of known network attacks that could operate at any level of the protocol stack. The IPS monitors network traffic and matches traffic with known signatures. If a sequence of packets in a session matches a signature, then the IPS detects a known attack and takes action on the session based on a set of user policies. The weakness of IPS signatures is that only known attacks are detected. In order to detect zero day attacks, IPS uses protocol, application, and traffic pattern anomaly analysis. This method of detection uses behavior monitoring at all layers of the stack and detects packet sequences that appear to be abnormal. The IPS then takes action on the traffic based on a set of user defined network policies. Application Servers Application servers should also be able to defend against certain security threats. The defense should include antivirus and other anti-malware software. This ensures that if a virus or worm does penetrate the network layer defenses, the application server has the means to defend itself. Identity and Policy Management The identification and authentication of users is essential for securing the network. Knowledge about who is accessing the network, what they are trying to access, and when is critical to the security of the overall network. Implementing an identity and policy management solution adds a level of intelligence to the network, and can provide security defenses in cases where unauthorized users try to access the network, or a legitimate user attempts to access an application that they are not authorized to access. In addition, identity and policy management can help to manage user sign-on by implementing a single sign-on (SSO) system; allowing users to access multiple networks or applications with a single sign-on. Table 4 provides a summary of some of the best practices service providers employ to protect their networks. 14
  17. 17. Network Security HaNdbook for Service ProviderS FuNCtIoN deSCrIPtIoN L2/3 traffic routers and switches can segment traffic into Segmentation virtual networks using L2 vLaNs or L3 MPLS vPNs. L3/4 Stateless access control Lists (acLs) are used to permit or filtering deny traffic based on parameters in L3 and L4 packet headers. L3/4 Stateful firewalls maintain information regarding a session, firewall and permit or deny sessions based on L3 and L4 parameters. the difference between stateless filtering and stateful firewalls is that rules apply to sessions, not individual packets. L7 intrusion deep packet inspection (dPi) is used to analyze detection L7 application content in sessions, and rules + Prevention for processing traffic or alerting network administrators to attacks are made based on L7 application analysis. application antivirus, anti-malware, and other application layer Layer security models are implemented on servers. Security table 4 - Best Practices for Service Provider Security Best Practices for Securing VoIP Networks Mobile and fixed voice services still dominate service provider revenue worldwide. As voice services migrate to VoIP security challenges increase in , complexity and criticality. Figure 4 represents a typical service provider VoIP network architecture. In a VoIP network, there are two fundamental forms of transport: • A control plane using either Session Initiation Protocol (SIP), H.323, or some other VoIP signaling protocol • A data plane transporting VoIP packets VoIP signaling is completely separate from VoIP data plane. IP phones set up calls using a VoIP signaling protocol which communicates with IP PBX, IP Centrex services, or network softswitches to establish VoIP sessions. Calls can be routed across the service provider IP network, across the Internet, or to the Public Switched Telephone Network (PSTN) via a VoIP gateway. After VoIP sessions are set up by network softswitches, VoIP sessions are established between the VoIP endpoints, and Real Time Transport Protocol (RTP) is used to transport VoIP between VoIP endpoints over the IP network. 15
  18. 18. Network Security HaNdbook for Service ProviderS SS7 Gate Gate way Netw IN Switc Vide Apps Switc way h o Switc h Softswitch h or k VoIP VoIP Media Media Gateway Softswitch Switc Gatew ay Application Media OSS Gateway h Server Server VoIP Router Other PSTN Class 5 Carrier Switch VoIP Service Provider Inter or IP net NW POTS Carrier to Carrier Inter n Wholesale VoIP Peering et Enterprise SOHO/Residential SME Figure 4 - representative Network Architecture of a typical VoIP Network The VoIP network architecture offers a myriad of security vulnerabilities. DDoS attacks are a primary area of concern, as they can come in many shapes and forms. Typically executed by botnets, the result of a DDoS attack could be a telephone network service outage. Some of the network elements that are vulnerable to DDoS attacks are: • VoIP media gateways • Softswitches • VoIP application servers • IP PBX • Session border controllers (SBCs) Fraud and theft of services is another type of security threat. If network criminals are able to penetrate network softswitches, media gateways, or OSS systems, they can steal services by making free calls, modifying or deleting billing records, or transferring false settlements to other carriers. An overview of the best practices for network security is provided in the following subsections for transport network elements, IP edge elements, data center, and Internet peering points. 16
  19. 19. Network Security HaNdbook for Service ProviderS Securing the IP Edge of the VoIP Network The primary mechanisms for controlling traffic and securing the edge of the VoIP network are Session Border Controllers (SBCs) and IPS. SBCs are specialized network devices designed to perform specific services in VoIP networks. They are inserted into the signaling and/or media paths between calling and called parties in a VoIP call. In some cases, the SBC masquerades as the called VoIP phone and places a second call to the called party. The effect of this behavior is that signaling traffic and media traffic (voice, video, and so on) can be monitored and controlled by the SBC. The SBC also has the ability to modify control signaling, allowing service providers to restrict or redirect certain calls and helping them overcome potential problems caused by firewalls and NAT. There are multiple security benefits to SBCs. They monitor traffic, help prevent DDoS attacks, and they provide a mechanism for lawful intercept of VoIP calls. SBCs also create a general framework for monitoring malicious VoIP usage and shutting down offending users or bots. SBCs, however, are also subject to attacks, and don’t typically have the capability to quickly update and defend against new security threats. IPS is designed to quickly load new signatures in defense of newly found security threats. These signatures can be created and loaded within hours, providing the necessary response for stopping new threats. For this reason, many networks deploy IPS in front of SBCs to prevent attacks on the SBC. Securing VoIP Elements in the Data Center There are multiple servers and network elements in the data center that support VoIP services. Servers must be regularly patched, and antivirus and anti-spyware must be kept up to date. In addition, VoIP MPLS VPNs can be extended to the data center to provide network isolation for VoIP application and media servers. Standard firewall/IPS configurations can result in SIP signaling problems, therefore these elements must be configured to support VoIP transport and defend the data center from intruders. Firewalls should utilize Application Layer Gateways (ALGs) to open and close pinholes to allow the VoIP traffic to traverse the firewall. ALG support is required for the VoIP signaling protocol (SIP H.323, other) used in the network. , Securing Internet Peering Points for VoIP For obvious reasons, Internet peering points are high risk locations. It is a best practice to use SBCs at peering points to protect from DDoS and other attacks. Firewalls and IPS are also a must at peering points and should be used in conjunction with SBCs to ensure adequate security, while minimizing service 17
  20. 20. Network Security HaNdbook for Service ProviderS disruptions due to NAT or other protocol problems associated with VoIP signaling and network firewalls. FuNCtIoN deSCrIPtIoN Securing the IP Edge SBCs and IPS systems are used to secure the edge of the network from external threats. Securing VoIP Elements Use firewalls and IPS to secure VoIP in the Data Center servers in the data center. Securing Internet Peering Peering points should be secured with Points for VoIP SBCs, firewalls, and IPS. table 5 - Summary of VoIP Network Security Best Practices Best Practices for Securing TV and Multimedia Services Traditional telephone companies are entering the TV and multimedia entertainment markets by leveraging IPTV and video on demand (VOD) technology. Delivering video entertainment services over IP networks creates the opportunity for new and enhanced services that provide competitive advantages over incumbents. Figure 5 depicts a typical network architecture for IPTV and VOD. Video/Super Head-End Of ce Global Head-E Streams nd Vide o Vide o Intern Head- End Vide o et M- series T-seri M- es series T-seri Middleware es & VoD Servers T-seri es Head- End M- Customer series Broadcast TV VLAN Video/Hub E-serie (Multicast Serving s SDX-300 Replication) Of ce Vide o Switc IP Edge Policy h Manager DSLA M Aggregation RG Access Home VoD Figure 5 - Internet tV and Multimedia Architecture 18
  21. 21. Network Security HaNdbook for Service ProviderS Security vulnerabilities exist throughout the IPTV architecture. Virtually all IP network devices are subject to DDoS attacks, and prevention mechanisms should be put into place. In addition, IP routers should utilize ACLs, NAT, MPLS VPNs, and VLANs to secure routers and traffic. In addition, the IPTV architecture provides some additional challenges at the network peering points, head-end and/or the video serving office. Securing External Network Peering Points At all points where the video IP network interconnects with external IP networks (the Internet or any other third-party network), stateful firewalls with IPS should be used to prevent external attacks. Firewalls should also use NAT to shield internal IP addresses from the outside world. This limits the information that can be collected by an intruder for the purposes of an attack. Securing the Video/Super Head-End The video/super head-end is a critical component of the network that must be secured. Network firewalls and IPS should be used to control access to the head-end. This is also a point where digital rights management needs to be enforced. Encryption technology combined with IPSec tunnels can be used to ensure privacy and prevent unauthorized access to video content. Securing the Video/Hub Serving Office The video/hub serving office is another critical location in the network that needs protection. Best practices include inline IDP protection with custom signatures to detect DDoS and other attacks on video networks. Digital rights management also needs to be enforced at these locations using encryption. FuNCtIoN deSCrIPtIoN Securing External Stateful firewalls and routers should Network Peering Points secure external peering points. NAT should be used to shield internal IP addresses. IPS should be used for intrusion protection. Securing the Video/ Routers, firewalls, and IPS should secure Super Head-End the video head-end. Securing the Video/ Routers, firewalls, and IPS should secure Hub Serving Office the video/hub serving office. table 6 - Summary of Best Practices for Securing an IP Video Network 19
  22. 22. Network Security HaNdbook for Service ProviderS Best Practices for Securing 3rd Mobile Data Networks The rapid growth of wireless data service riding on third-generation networks has increased the need for security in the mobile packet core. Figure 6 presents a high level overview of the third-generation packet architecture. Billing Data Critical Servers like HLR/VLR RNC Apps RAN IP/MPLS Mobile Packet Core SGSN GGSN PDSN Roaming Partner Network (GRX) PSTN Internet Figure 6 - High Level overview of third-generation Network Architecture The threats on the third-generation network are similar in nature to the threats discussed earlier. Protection is needed from DDoS attacks, botnets, worms, and intruders attempting to hijack services and illegally monitor voice or data communications. One of the differences in the third-generation networks is that the Serving General Packet Radio Service (GPRS) Support Node (SGSN), gateway GPRS support node (GGSN), and packet data serving node (PDSN) (for CDMA2000) packet control nodes are used to manage and control all wireless data. Since all data traffic passes through these controllers, any attack on these systems will cause network-wide service outages. It is therefore imperative to defend these network elements. The key areas in the third-generation network that must be defended are highlighted in Figure 7. Starting from the edge of the network, security must be maintained on mobile handsets. It is the responsibility of the handset manufacturer to install and maintain virus protection, intrusion detection, and firewall software on the handset to defend against attacks. Handsets must also be capable of encrypting data using SSL clients to maintain privacy. 20
  23. 23. Network Security HaNdbook for Service ProviderS In the data core network, the methods of protection are similar to those discussed earlier. Firewalls, IPS, and encrypted tunnels should be used to secure interfaces to external networks. MPLS VPNs should also be used to isolate the third-generation core network from any other IP traffic on the network. For example, if the IP core network is supporting many services, including third-generation mobile, Internet, wireline voice, IPTV, and business services, an MPLS VPN can create a secure virtual IP network to support the third-generation core packet network. Security must also be provided for all servers, billing systems, and packet control nodes. This can be done with firewalls, IPS, antivirus and anti-malware software running on servers. Some specific requirements for third-generation networks are that firewalls must be capable of passing GPRS tunnels (GTP), which are commonly used to pass data traffic securely across the network. PSTN Roaming Partner Connection Protection Protection Protecting Access nodes Application Security on the (UNC, RNC, etc.) Servers Protection Mobile-Handset GTP/Gp-Attacks (potentially compromises (Mandatory in LIG, HLR, VLR) FMC/UMA) PSTN Connection 5. Protection 1. Billing Protecting Data IP nodes (SGSN, GGSN) Critical Servers like HLR/VLR RNC Apps RAN 4. IP/MPLS 7. Mobile Packet Core 3. Roaming Partner SGSN GGSN PDSN Network (GRX) 2. 6. PSTN Internet Figure 7 - Best Practices for Securing 3rd Packet Core Networks 21
  24. 24. Network Security HaNdbook for Service ProviderS FuNCtIoN deSCrIPtIoN Securing the PSTN Firewalls and IPS protect interfaces to Connections PSTN gateways. Securing the SGSN, MPLS VPNs isolate mobile IP network GGSN, and/or PDSN from other service provider IP networks. Firewalls and IPS protect SGSN, GGSN, and PDSN. Securing the OSS, Billing MPLS VPNs isolate mobile IP network Systems, and Application from other service provider IP networks. Servers Firewalls and IPS protect data center OSS and billing systems. table 7 - Summary of Best Practices for Securing an IP Mobile Network Best Practices for Securing Service Provider Data Centers Rollout of new data services has led to an explosive growth in data centers. Figure 8 presents an overview of how data centers fit into the typical service provider network architecture. Network services are provided by multiple data centers and application servers. These could be metro data centers or national and regional data centers. Additionally, some services are provided by third parties with applications hosted in remote data centers across the Internet. National or Regional Application Serving Center or Content Provider E32 MX- E32 MX- 0 serie 0 serie s s E32 0 MX- serie s E32 0 MX- serie s Application or Content Provider Data Center Data Center E32 MX- 0 serie s Wireless MX- MX- E32 serie 0 s MX- series series MX4 80 E320 Internet MX- MX- series Data Center J-seri MX- MX- series series series es AN Business Metro Core Super Core E32 MX- 0 serie s Access IP Edge Metro Core Super Core Peered MX- Partner E32 serie 0 s STB RG Data Center Residential E32 0 MX- serie s Hosting or Content Delivery MX- Data Center E32 serie 0 s Operator Metro or Market Data Center Serving Center Application or Content Provider Figure 8 - Architecture of Service Provider data Centers 22
  25. 25. Network Security HaNdbook for Service ProviderS Data centers are the brains running the network services and therefore are a focal point for network criminals attacking service providers. There are a complex set of systems and services running in the data center with vulnerabilities in each layer. These include: • Server and OS vulnerabilities • Application layer vulnerabilities • Network switching vulnerabilities • Network routing vulnerabilities • Storage network vulnerabilities • Data center management and control vulnerabilities An important trend in modern data center design is system virtualization. LANs, storage area networks (SANs), and servers are virtualized such that a single physical network or system element can run multiple logical elements. This has helped improve scalability, reduced operations expenses such as power consumption and cooling, and improved data center security by isolating components of the network and system infrastructure. In designing a secure data center networking infrastructure, the virtualization and security defenses in the network must correctly map to the virtualization models deployed across the data center as a whole. L7 Signature “Untrusted Confi Fixed Apps Apps Zone” guratio L3/L4 Stateful MX9 60 n Confi Fixed MX9 guratio 60 n MX9 60 MX9 Confi Fixed Apps 60 guratio Apps n Data Center “Trusted L3/L4 Stateless Zone” MX9 60 L2 Area Apps Apps Confi Fixed Tiered MX9 60 guratio n Virual Data Center Confi Fixed guratio Perimeter L3 Area n Confi Fixed Apps guratio Apps n Figure 9 - establishing a Security Perimeter in a Virtualized data Center 23
  26. 26. Network Security HaNdbook for Service ProviderS A common approach for securing network and system infrastructure in data centers is a layered security model (seeFigure 9). In this model, security perimeter(s) are maintained such that trusted network components are separated from untrusted components. In some cases, there are multiple perimeters and multiple layers of trust assigned to systems. It is also possible to have tiered virtual security perimeters mapped to virtual servers and storage networks. Network elements and systems outside the perimeter are managed differently than those inside the perimeter. Different systems and components have varying levels of importance and vulnerabilities, and therefore are managed differently from a security perspective. However, all systems must be protected from attacks at some level. Systems that house extremely sensitive data should be deep inside the security perimeters, while systems that provide Internet Web services should be outside the perimeter or in a demilitarized zone (DMZ). The DMZ is an area in the data center that is accessed by arbitrary users over the Internet, but has some level of protection using Internet firewalls and IPS. The DMZ is separated from the trusted network using a second layer of firewall and IPS. The layered security architecture must correspond to the virtualization archi- tecture that is implemented in the data center. This is done by mapping virtual networks at layer 2 (L2) and layer 3 (L3) to virtual storage networks and virtual servers. L2 virtual networks are normally implemented with VLANs, while L3 virtual networks are implemented with MPLS VPNs. In summary, securing data centers is a complex task that requires a detailed security design. This design must provide security at layer 2-7 and must be consistent with the logical design and systems requirements in the data center. 4 Juniper Networks Security Product Portfolio Juniper Networks is a leader in carrier-class routing and network security. Juniper’s routers scale from small routers for home offices or small businesses to the largest core Internet routers. Juniper also offers a full range of scalable firewalls, Intrusion Detection and Prevention (IDP) systems, SBCs, and identity and policy management solutions. Routers The Juniper Networks intelligent services edge includes the M-series and MX-series routing platforms that provide a broad range of edge functionality to support next-generation applications. Each routing platform supports VLANs, MPLS VPNs, and ACLs for baseline security defenses. 24
  27. 27. Network Security HaNdbook for Service ProviderS Additional security is available with the MS-DPCs on the MX-series, and the MS-PICs on the M-series. The MS-DPC and MS-PIC support a broad set of IP services and security functions including: • Session border control (SBC) functions • Intrusion Detection and Prevention (IDP) • Deep packet inspection • Stateful firewall • Network Address Translation (NAT) Built-in security mechanisms along with the MS-DPC and MS-PIC capabilities provide a comprehensive security solution available on both the MX- and M-series routing platforms. In addition, the T-series routers are core routers designed to provide IP scalable routing deep in the core network. T-series routers also leverage the same built-in security and MS-PIC as the M-series routers for the same comprehensive security. Firewalls and IDP Juniper Networks has a scalable set of integrated network security devices that are designed for large networks and data centers (See Figure 10). These products have scalable performance and integrated security and routing capabilities. All products have best-in-class capabilities in firewall and IDP . SR 580 X 0 Scalable Performance for Wider Range of Services Rich Standard Services - Firewal - IDP - Routing SR 560 X - QoS 0 Extensible Security Services Integrated Networking Services NS Common Mangement (NSM) 540 - 0 IS 200 G 0 NS 520 - 0 IS 100 G 0 Figure 10 - Juniper Networks Security Product Family 25
  28. 28. Network Security HaNdbook for Service ProviderS Firewalls The top end of the product line is the SRX-series 5600/5800, a highly scalable integrated firewall and IDP for use in data centers and service provider networks. Based on the Dynamic Services Architecture, the SRX-series provides unrivaled scalability. A fully equipped SRX 5800 supports up to 120 Gbps firewall throughput and 30 Gbps IDP throughput. Juniper Networks NetScreen-5000 series is a line of purpose-built firewall/VPN security systems designed to deliver a new level of high-performance capabilities. NetScreen-5000 security systems integrate firewall, VPN, denial of service (DoS) and DDoS protection, and traffic-management functionality in a low profile, modular chassis. Built around Juniper’s third-generation security ASIC and distributed system architecture, the NetScreen-5000 series offers excellent scalability and flexibility, while providing a higher level security system through Juniper Networks NetScreen ScreenOS® custom operating system. In addition, the Integrated Security Gateways (ISG) are purpose-built, security solutions that leverage a fourth-generation security ASIC, the GigaScreen3, along with high-speed microprocessors to deliver unmatched firewall and VPN performance. The Juniper Networks ISG 1000 and ISG 2000 are ideally suited for securing carrier and data center environments where advanced applications such as VoIP and streaming media dictate consistent, scalable performance. Integrating best-in-class Deep Inspection firewall, VPN, and DoS solutions, the ISG 1000 and ISG 2000 enable secure, reliable connectivity along with network and application-level protection for critical, high-traffic network segments. The ISG can be upgraded to support integrated IDP to provide robust network and application layer protection against current and emerging threats. Leveraging the same software as found on Juniper Networks IDP platforms, but integrated into ScreenOS, the ISG product family provides a combination of best-in-class firewall, VPN, and IDP in a single solution. Intrusion Detection and Prevention Juniper Networks Intrusion Detection and Prevention (IDP) products provide comprehensive and easy-to-use inline protection that stops network and application-level attacks before they inflict any damage to the network, minimizing the time and costs associated with maintaining a secure network. Using industry-recognized stateful intrusion detection and prevention techniques, Juniper Networks IDP provides zero day protection against worms, trojans, spyware, keyloggers, and other malware from penetrating the network or spreading from already infected users. 26
  29. 29. Network Security HaNdbook for Service ProviderS Session Border Controller Juniper Networks session border control (SBC) border gateway function (BGF) for JUNOS® software fully integrates voice and multimedia session support onto the M-series M120 and M320 multiservice edge routers and the T-series T640 core router. The SBC BGF runs on MS-PICs which include dedicated hardware accelerators for optimized performance and scalability. The SBC BGF for JUNOS software provides many important VoIP functions such as media gateway control and media latching, NAT and Network Address Port Translation (NAPT) traversal, Differentiated Services code point (DSCP) marking and rate limiting that together ensure the appropriate handling of voice traffic at the access and peer edges of converged IP services networks. Identity and Policy Management The Juniper Networks Steel-Belted Radius (SBR) family offers AAA products based on RADIUS standards that provide the performance and reliability to handle any traffic load and fully support any network infrastructure. Designed for both enterprise and service provider networks, SBR products provide uniform security policy enforcement across all network access methods, including wireless LAN (WLAN), remote/VPN, dial up, and identity-based (wired 802.1X). Specialized solutions for service providers also manage subscriber authentication, support any service delivery model, and accelerate time-to- market for new services. 5 Conclusion Service provider networks are undergoing a massive paradigm shift as networks migrate from legacy circuit switched and closed data networks to converged IP and Carrier Ethernet networks. This shift has created many business opportunities, but also created serious network security vulnerabilities. This network security handbook has explained why security is of critical concern to service providers, described common vulnerabilities, and presented some approaches to securing networks. Network security is critical to service provider operations; a thoughtful and systematic approach must be taken to network security architecture and design, and best-in-class security products must be implemented to optimize defense against threats. 27
  30. 30. Network Security HaNdbook corPorate aNd SaLeS HeadQuarterS coNtactS Juniper Networks, Inc. Michael Kennedy in the Boston area: 1194 North Mathilda Avenue Phone: 978.405.5084 Sunnyvale, CA 94089 USA Fax: 978.405.0263 Phone: 888-JUNIPER (888-586-4737) Peter Fetterolf in the San Francisco Bay area: or 408.745.2000 Phone: 510.451.2740 Fax: 408.745.2100 Fax: 978.405.0263 Copyright 2008 Network Strategy Partners, LLC. All rights reserved Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 710095 Dec. 2008