
Enterprise Security



Presentation Transcript


  1. Enterprise Security: CrystalSec Secure Network Infrastructure Strategy

  2. The CrystalSec Thesis
     • CrystalSec delineates Alcatel eND’s security value proposition and solution set
     • Today’s networks must be secure networks
     • CrystalSec establishes the overlying security architecture for Alcatel networking devices
     • Security is a mandatory design element of all products
     • All network devices are hardened against attacks and vulnerability exploitation
     • All eND products adhere to the security-by-default paradigm
     • CrystalSec design and feature implementation position Alcatel Omni products as key elements in a security-in-depth network architecture
     • Omni products enhance overall organizational security

  3. Security-in-Depth
     “Security professionals agree that network security requires a multi-layered defense. To meet the challenges posed by sophisticated and run-of-the-mill attacks, enterprises have been forced to deploy layers of security products.” - IDC
     Figure: defense layers around critical resources, as addressed by Alcatel and AAPP partners: Extensive Policies, Vulnerability Management, Honeypots, Intrusion Prevention, Content Security, IPSec VPN, VLAN Security, WLAN Security, Physical Security, Firewall & ACLs, DoS, Management & Monitoring, Strong Authentication.

  4. CrystalSec
     Figure: OmniSwitch 7800, OmniSwitch 7700, OmniSwitch 8800, OmniSwitch 6624, OmniSwitch 6648, OmniPCX 4400, OmniPCX Office
     • Converged network security framework enforced across all eND communications platforms (OmniSwitch and PCX product lines)
     • Hardened network devices: security of the device
     • Highly secure management: security to the device
     • Secure network services: security through the network
     • Extended by partnership solutions (AAPP)

  5. Enabled Switch Security: Hardened Switch Posture

  6. Enabled Switch Security Trends
     • DoS and vulnerabilities
        • Network infrastructure is increasingly the target of attack
        • DoS attacks are being launched from switches and routers
        • Time between discovery and exploitation is decreasing
        • Distributed DoS (DDoS) attacks and Code Red-like worms impact network performance significantly
     • Customer awareness of the impact of intrusions and DoS attacks is increasing
        • Customers expect suppliers to react to compromise quickly
        • Ability of network equipment to survive DoS and the traffic storms generated by DDoS is used as an evaluation criterion
     • Scalability/availability of security solutions is key
        • Security appliances are key pieces of network infrastructure
     • Detection of intrusion attempts or occurrences is vital
        • IDS used to track patterns in traffic
        • Network administrators want to be notified when an intrusion attempt occurs

  7. Enabled Switch Security
     Figure: switch-enabled HA firewall cluster placed between an attacker and the protected network
     • Denial of Service defense
        • Most common attacks defended against
        • Passive defense only
     • Unicast (router) authentication
        • Routing tables are exchanged between routers only once router identity is established
        • Supported by standard routing protocols: RIP v2 - simple password; OSPF v2 - null, simple password, or cryptographic; BGP4 - MD5 signature authentication
     • High-availability firewall off-load
        • Cluster support for dedicated security clusters: redundancy, load balancing (by the security application), performance
        • Stonesoft’s StoneBeat, used in association with Check Point, NAI and Symantec on Unix/Windows
     • Server load balancing
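The slide names the three authentication modes of OSPF v2 but not what "cryptographic" buys over "simple password" (which carries the key in cleartext in every packet). The block below is an added example, not Alcatel code: it implements OSPFv2 cryptographic authentication as RFC 2328 Appendix D specifies it, a keyed MD5 trailer over the packet plus a per-neighbor sequence number, and the receiver checks a practitioner relies on (key-ID lookup, replay rejection, constant-time digest compare). The key ring, the hello body bytes and the zero-padding of keys shorter than 16 bytes are assumptions of the example.

```python
"""OSPFv2 cryptographic authentication (RFC 2328, Appendix D.4.3).

Added example (not Alcatel code): sender-side keyed-MD5 trailer and the
receiver-side checks. The key ring and packet body are constructed.
"""
import hashlib
import hmac
import struct

# OSPFv2 header: version, type, length, router ID, area ID, checksum,
# AuType, then the 8-byte authentication field laid out for AuType 2:
# 16 zero bits, key ID, auth data length, cryptographic sequence number.
OSPF_HDR = struct.Struct("!BBHIIHHHBBI")
AU_CRYPTOGRAPHIC = 2
DIGEST_LEN = 16


def _pad_key(key):
    # RFC 2328 defines a 16-byte key; shorter configured keys are zero-padded
    # here (a common implementation convention, assumed by this example).
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPFv2 MD5 key is at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def sign_packet(body, router_id, area_id, key_id, seq, key, ptype=1):
    """Build an OSPFv2 packet followed by its keyed-MD5 trailer.

    Under cryptographic authentication the header checksum is zero and the
    16-byte digest is appended after the packet without being counted in
    the packet length field.
    """
    length = OSPF_HDR.size + len(body)
    hdr = OSPF_HDR.pack(2, ptype, length, router_id, area_id, 0,
                        AU_CRYPTOGRAPHIC, 0, key_id, DIGEST_LEN, seq)
    packet = hdr + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_packet(wire, keys, last_seq):
    """Receiver-side check. Returns (accepted, reason); on success records
    the neighbour's sequence number in last_seq (router ID -> seq)."""
    if len(wire) < OSPF_HDR.size + DIGEST_LEN:
        return False, "truncated"
    (_, _, length, router_id, _, _, autype, _,
     key_id, auth_len, seq) = OSPF_HDR.unpack_from(wire)
    if autype != AU_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return False, "not cryptographic authentication"
    if length + DIGEST_LEN != len(wire):
        return False, "length mismatch"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    # Replay defence: the sequence number must not go backwards. RFC 2328
    # allows equality so that several packet types can share one second.
    if seq < last_seq.get(router_id, 0):
        return False, "sequence number replay"
    packet, digest = wire[:length], wire[length:]
    expected = hashlib.md5(packet + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest"
    last_seq[router_id] = seq
    return True, "ok"


def demo():
    """Walk through the accept, tamper, replay and unknown-key cases."""
    keys = {1: b"CrystalSec"}          # constructed key ring: key ID 1
    last_seq = {}
    rid, area = 0x0A010101, 0          # router 10.1.1.1 in area 0.0.0.0
    # Constructed Hello body: netmask, hello interval, options, priority,
    # dead interval, DR, BDR (no neighbours listed).
    hello = bytes.fromhex("ffffff00" "000a" "01" "01" "00000028"
                          "00000000" "00000000")
    results = {}
    good = sign_packet(hello, rid, area, 1, 100, keys[1])
    results["fresh"] = verify_packet(good, keys, last_seq)
    # Flip the netmask in flight: same length, different bytes.
    tampered = good[:OSPF_HDR.size] + b"\xff" * 4 + good[OSPF_HDR.size + 4:]
    results["tampered"] = verify_packet(tampered, keys, last_seq)
    # Re-send an older, correctly keyed packet.
    old = sign_packet(hello, rid, area, 1, 99, keys[1])
    results["replay"] = verify_packet(old, keys, last_seq)
    # A packet keyed with an ID this router does not hold.
    foreign = sign_packet(hello, rid, area, 7, 101, b"other")
    results["unknown_key"] = verify_packet(foreign, keys, last_seq)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-12s %s" % (case, outcome))
```

The keyed digest gives integrity and source authentication of routing updates and the sequence number blocks straightforward replay; it gives no confidentiality, and "MD5 signature" on the slide is a keyed hash, not a digital signature, so every router in the area shares the same secret.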

  8. Secure Switch Management: Controlling Administrative Access to the Switch

  9. Secure Switch Management Trends
     • User identification
        • Fixed-length passwords viewed as inadequate
        • Credentials that support non-repudiation
        • Single set of secure credentials allowing access to multiple systems
        • Two-factor identification becoming the norm: tokens and biometrics
     • Securing management traffic
        • Increased focus on the security of management flows
        • Managing network resources over an insecure network, as an alternative to a separate management network
        • Restrictions on sources of management traffic: by subnet, by host, by physical port
        • Default user IDs and passwords are posted on Internet web sites
        • Need to be able to audit access to switches
     • Support for standard AAA servers required
        • RADIUS and LDAP standard servers
        • TACACS+ commonly used in Cisco shops
        • IETF AAA Working Group focused on DIAMETER

  10. Secure Switch Management
     Figure: admin workstations reach the switch through an authentication server over an encrypted session; an admin-access ACL with entries for 10.1.1.250, 10.1.2.200 and 10.1.2.222 and the services http, ftp and snmp; the attacker is blocked; admin roles: Joe = super user, Bob = routing, FR, VLAN; Sue = security; Steve = routing, slot/port
     • Security by default
        • CLI via console port only
        • All other management services off by default
     • Physical device access control: regulation of switch administration based on characteristics of the requesting device
        • ACLs: Layer 3 (IP src/dst), Layer 4 (TCP/UDP src/dst)
     • User access control: regulation of switch administration based on user ID
        • Local switch database
        • Remote database: RADIUS, LDAP, RSA ACE
        • Least-privilege / separation-of-duties management option, per port (via remote db) or per switch (via remote db)
     • Accounting records maintained when using LDAP or RADIUS for authenticating users
        • username, MAC address, IP address, switch id, slot/port, login time, logout time, transmitted bytes, received bytes, disconnect reason
        • The network administrator can use these to monitor access to network devices
     • Secure traffic: secure management traffic between client and switch
        • Secure Socket Layer (SSL) for securing HTTP and LDAP-based policies
        • SNMPv3
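The slide stacks three controls on the management plane: services off by default, an L3/L4 ACL on who may reach an enabled service, and per-user least privilege. The block below is an added example, not Alcatel code, that puts the three together in the order a switch would apply them: a disabled service is a closed port regardless of the ACL, the ACL is evaluated first-match with an implicit deny, and a role table decides which command families a logged-in administrator may use. It also flags shadowed ACL entries, the classic misconfiguration when rules are edited element by element. Addresses, port numbers, users and roles are constructed; the role names loosely follow the figure on the slide.

```python
"""Management-plane access control for a switch (added example, not Alcatel
code): security-by-default service table, first-match L3/L4 ACL with
implicit deny, shadowed-rule detection and role-based command authorization.
"""
import ipaddress
from typing import List, Optional, Tuple

# Management services and their well-known ports (assumed).
MGMT_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443,
              "snmp": 161, "ftp": 21}
PORT_TO_SERVICE = {p: s for s, p in MGMT_PORTS.items()}


class Rule:
    """One ACL entry: action on (source network, destination network, L4 port)."""

    def __init__(self, action: str, src: str, dst: str, dport: Optional[int] = None):
        assert action in ("permit", "deny")
        self.action = action
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport              # None matches any port

    def matches(self, src_ip, dst_ip, dport) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet matching `other` also matches self."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))


class ManagementPlane:
    def __init__(self, switch_ip: str, rules: List[Rule], roles: dict):
        self.switch_ip = ipaddress.ip_address(switch_ip)
        self.rules = rules
        self.roles = roles              # user -> set of command families
        # Security by default: only the console is reachable until an
        # administrator explicitly enables a network management service.
        self.enabled = {"console"}

    def enable(self, service: str) -> None:
        if service not in MGMT_PORTS:
            raise ValueError("unknown management service %s" % service)
        self.enabled.add(service)

    def decide(self, src: str, dport: int) -> Tuple[str, str]:
        """(action, reason) for one management connection attempt."""
        service = PORT_TO_SERVICE.get(dport)
        if service is None or service not in self.enabled:
            # A disabled service is a closed port; the ACL is never consulted.
            return "drop", "service not enabled"
        src_ip = ipaddress.ip_address(src)
        for n, rule in enumerate(self.rules):      # first match wins
            if rule.matches(src_ip, self.switch_ip, dport):
                return rule.action, "rule %d" % n
        return "deny", "implicit deny"

    def shadowed_rules(self) -> List[int]:
        """Indexes of rules that can never match because an earlier rule covers them."""
        return [j for j in range(len(self.rules))
                if any(self.rules[i].covers(self.rules[j]) for i in range(j))]

    def authorize(self, user: str, command_family: str) -> bool:
        """Least privilege: a user may only run command families in their role."""
        allowed = self.roles.get(user, set())
        return "super" in allowed or command_family in allowed


def demo() -> dict:
    rules = [
        Rule("permit", "10.1.1.0/24", "10.1.2.222/32", 22),     # admin subnet, SSH
        Rule("permit", "10.1.1.0/24", "10.1.2.222/32", 443),    # admin subnet, HTTPS
        Rule("permit", "10.1.2.200/32", "10.1.2.222/32", 161),  # NMS host, SNMP
        Rule("deny", "0.0.0.0/0", "10.1.2.222/32", 161),        # no other SNMP
        Rule("permit", "10.1.1.250/32", "10.1.2.222/32", 22),   # shadowed by rule 0
    ]
    roles = {"joe": {"super"}, "bob": {"routing", "fr", "vlan"},
             "sue": {"security"}, "steve": {"routing", "slot/port"}}
    mp = ManagementPlane("10.1.2.222", rules, roles)
    out = {"ssh_before_enable": mp.decide("10.1.1.250", 22)}
    for svc in ("ssh", "https", "snmp"):
        mp.enable(svc)
    out["ssh_admin"] = mp.decide("10.1.1.250", 22)
    out["ssh_outsider"] = mp.decide("192.0.2.44", 22)
    out["telnet_admin"] = mp.decide("10.1.1.250", 23)     # never enabled
    out["snmp_nms"] = mp.decide("10.1.2.200", 161)
    out["snmp_other"] = mp.decide("10.1.1.250", 161)
    out["shadowed"] = mp.shadowed_rules()
    out["bob_vlan"] = mp.authorize("bob", "vlan")
    out["bob_security"] = mp.authorize("bob", "security")
    out["joe_security"] = mp.authorize("joe", "security")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-18s %s" % (k, v))
```

Telnet from the admin subnet is dropped even though no ACL mentions it, because the service was never enabled; that is the security-by-default behaviour the slide claims, and it is what keeps a forgotten ACL edit from exposing a cleartext login.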

  11. Secure Switch Management
     • User access control enhancements
        • One-time password certified: ActivCard, VASCO, RSA Security, Secure Computing, CRYPTOCard
        • LDAP directory certified: Microsoft, Novell, Sun, Netscape, OpenLDAP
     • Secure traffic enhancements
        • Secure Shell (SSH) (secure telnet and FTP)
     Figure: SSH clients at branch, edge/workgroup and core switch, the switch as SSH server, and an authentication server. SSH session setup:
        1. Client requests SSH link
        2. Each side sends its protocol version
        3. Key exchange and algorithm negotiation
        4. Encrypted link established
        5. Client requests service

  12. Secure Network Access: Controlling Access to Network Services Facilitated by the Switch

  13. Secure Network Access Trends
     • Control access to network resources
        • Network resources are just as critical as servers and business applications
        • Policies/rules that control layer 2 and layer 3 access
        • Need to identify the user with non-repudiation
        • Need the ability to audit and account for network usage
     • Authentication technologies evolving to multiple-factor systems: smartcards, PKI, one-time password tokens, biometrics
     • 802.1x
        • IEEE standard for port-based authentication
        • Support incorporated into Windows XP
     • Controlling network traffic
        • Protect network resources from internal and external threats
        • Limit traffic to that needed to conduct business
        • Prevent the network from being used to generate a DoS attack or intrusion attempt

  14. Secure Network Access
     Figure: user authenticates through the switch (steps 1-3) via a RADIUS or LDAP agent to a RADIUS or LDAP server; a switch port carrying IP and IPX with MAC-1 to MAC-4; allow/deny rules at network, subnetwork and host granularity
     • Layer 2 / VLAN security (AAA)
        • A-VLANs: user authenticated into VLAN
        • Secure HTTP and AV-Client to RADIUS and LDAP
        • MS-based AV-Client with VLAN/NOS SSO
        • Accounting records maintained when using LDAP or RADIUS: username, MAC, IP, switch id, slot/port, login/logout time, sent/received bytes, disconnect reason; the net admin monitors access to network devices
        • 802.1x
     • Binding VLANs: device characteristics define access rights
     • Learned Port Security: lock a switch port to a limited set of dynamically learned MAC addresses
     • Firewalling
        • ACLs: ASIC-based packet filtering on src/dst slot/port, VLAN, IP, TCP/UDP ports, and source MAC
        • NAT: hide private addresses from the public network; one-to-one and many-to-one
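Learned Port Security is described in one line above; what matters to an operator is how the port behaves once the learned set is full, and that depends on the violation mode. The block below is an added example, not Alcatel code, of the mechanism: a port learns up to a configured number of source MACs, then treats every other MAC as a violation, either disabling the port (which also cuts off the legitimate hosts, so a MAC flood becomes a denial of service) or dropping only the offending frames. Aging lets a replaced host be learned later. Port names, MAC addresses, the two mode names and the timing are all constructed.

```python
"""Learned Port Security on an access port (added example, not Alcatel code).

A port learns at most `max_macs` source MACs; any further MAC is a
violation. "shutdown" disables the port, "restrict" drops only the
offender. Idle entries age out so a replaced host can be learned later.
"""
from typing import Dict, List


class LearnedPortSecurity:
    def __init__(self, port: str, max_macs: int = 2,
                 mode: str = "shutdown", age_secs: int = 300):
        assert mode in ("shutdown", "restrict")
        self.port = port
        self.max_macs = max_macs
        self.mode = mode
        self.age_secs = age_secs
        self.learned: Dict[str, int] = {}   # MAC -> last time seen
        self.shut = False
        self.violations = 0
        self.log: List[str] = []

    def _age_out(self, now: int) -> None:
        stale = [m for m, t in self.learned.items() if now - t > self.age_secs]
        for m in stale:
            del self.learned[m]
            self.log.append("%s: aged out %s" % (self.port, m))

    def ingress(self, src_mac: str, now: int) -> str:
        """Forwarding decision for one frame arriving at time `now` (seconds)."""
        mac = src_mac.lower()
        if self.shut:
            return "drop:port-disabled"
        self._age_out(now)
        if mac in self.learned:                  # known host: refresh timer
            self.learned[mac] = now
            return "forward"
        if len(self.learned) < self.max_macs:    # room left: learn it
            self.learned[mac] = now
            self.log.append("%s: learned %s" % (self.port, mac))
            return "forward:learned"
        self.violations += 1                     # set is full: violation
        self.log.append("%s: violation from %s" % (self.port, mac))
        if self.mode == "shutdown":
            self.shut = True
            return "drop:port-disabled"
        return "drop:violation"


def demo() -> dict:
    out = {}
    # Port in shutdown mode: two legitimate hosts, then a MAC-flood attempt.
    p1 = LearnedPortSecurity("1/1", max_macs=2, mode="shutdown")
    out["learn_a"] = p1.ingress("00:11:22:33:44:01", now=0)
    out["learn_b"] = p1.ingress("00:11:22:33:44:02", now=1)
    out["flood_first"] = p1.ingress("de:ad:be:ef:00:01", now=2)
    out["legit_after_shutdown"] = p1.ingress("00:11:22:33:44:01", now=3)
    out["p1_violations"] = p1.violations
    # Port in restrict mode: the flood is dropped, learned hosts keep working.
    p2 = LearnedPortSecurity("1/2", max_macs=2, mode="restrict", age_secs=300)
    p2.ingress("00:11:22:33:44:01", now=0)
    p2.ingress("00:11:22:33:44:02", now=1)
    flood = [p2.ingress("de:ad:be:ef:00:%02x" % i, now=2) for i in range(50)]
    out["flood_all_dropped"] = all(r == "drop:violation" for r in flood)
    out["legit_during_flood"] = p2.ingress("00:11:22:33:44:01", now=3)
    out["p2_violations"] = p2.violations
    out["p2_learned"] = sorted(p2.learned)
    # Aging: after the idle timeout a new host can be learned on the port.
    out["new_host_after_aging"] = p2.ingress("00:11:22:33:44:03", now=400)
    out["p2_learned_after_aging"] = sorted(p2.learned)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-24s %s" % (k, v))
```

Shutdown mode is the stronger containment and the better audit trail (the port stays down until an administrator looks at it), but on a port that serves a phone and a PC it converts any stray MAC into an outage; restrict mode keeps the learned hosts up at the cost of a noisier violation counter.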

  15. Secure Network Access
     • VLAN security
        • One-time password certified through RADIUS: ActivCard, VASCO, RSA Security, Secure Computing, CRYPTOCard
        • LDAP directory certified: Microsoft, Novell, Sun, Netscape
        • Application Briefs and Interworking Reports available on the AAPP website
     Figure: client, AAA server (RADIUS/LDAP), OTP server and target network, with the authentication exchange numbered 1-3

  16. Security Management

  17. Security Management Trends
     • Management is a key element of a security solution
        • Consistent establishment and enforcement of security rules across the network; configuring element by element is prone to errors and omissions
        • Consistent reporting, analysis and correlation of activity; audits to satisfy legal requirements
     • Emerging Security Information Management (SIM) market, for example: E-Security, ArcSight, netIQ, netForensics, Open Service, Solsoft, Ponte
        • Some companies focus on the command function: event aggregation and correlation of SNMP traps, XML, and logs from IDSes, firewalls, VPNs and ACLs; focused on working with the security market leaders, Cisco and Check Point
        • Some companies focus on the control function: policy and configuration deployment, specific to 3rd-party market-leader implementations of FW, VPN and IDS, with toolkits to create vendor-specific drivers
        • Some companies are trying to add the containment function: evaluate and automatically respond to threats (dynamic enforcement)
     • Security-focused vendors do global management for their own products
     • Networking companies with security products
        • Most deliver element management only
        • Not all products are manageable under a common umbrella
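The "command function" above is event aggregation and correlation: pulling SNMP traps, firewall logs and IDS alerts into one schema so that one actor's activity can be seen across devices that each see only a fragment of it. The block below is an added example, not a SIM vendor's product: it normalizes three constructed feeds (a firewall log, an IDS alert feed and decoded switch traps) into one event type and raises an incident when the same source address is reported by at least two distinct devices inside a sliding time window. The log formats, regular expressions, addresses and timestamps are all assumptions of the example.

```python
"""Event aggregation and correlation across firewall, IDS and switch traps
(added example, not SIM vendor code). All feeds below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    source: str      # reporting device
    kind: str        # normalized event class
    src_ip: str      # actor address
    dst_ip: str      # target address


# Assumed line formats for the two text feeds.
FW_LINE = re.compile(r"^(\S+) (\S+) (PERMIT|DENY) src=(\S+) dst=(\S+) dport=(\d+)")
IDS_LINE = re.compile(r"^(\S+) (\S+) alert \"([^\"]+)\" (\S+) -> (\S+)")

# Constructed sample feeds (not real logs).
FIREWALL_LOG = [
    "2003-11-04T10:00:05Z fw01 DENY src=192.0.2.44 dst=10.1.2.222 dport=23",
    "2003-11-04T10:00:06Z fw01 DENY src=192.0.2.44 dst=10.1.2.222 dport=23",
    "2003-11-04T10:00:09Z fw01 PERMIT src=10.1.1.250 dst=10.1.2.222 dport=22",
    "2003-11-04T10:00:40Z fw01 DENY src=192.0.2.44 dst=10.1.2.222 dport=161",
    "2003-11-04T10:30:00Z fw01 DENY src=198.51.100.7 dst=10.1.2.222 dport=23",
]
IDS_ALERTS = [
    "2003-11-04T10:00:20Z ids01 alert \"telnet brute force\" 192.0.2.44 -> 10.1.2.222",
]
SNMP_TRAPS = [   # decoded trap varbinds, as a SIM connector would deliver them
    {"ts": "2003-11-04T10:00:45Z", "agent": "10.1.2.222",
     "trap": "authenticationFailure", "src": "192.0.2.44"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize() -> List[Event]:
    """Map every feed onto the common Event schema, sorted by time."""
    events = []
    for line in FIREWALL_LOG:
        m = FW_LINE.match(line)
        if m and m.group(3) == "DENY":        # permits are noise for this rule
            events.append(Event(parse_ts(m.group(1)), m.group(2), "fw-deny",
                                m.group(4), m.group(5)))
    for line in IDS_ALERTS:
        m = IDS_LINE.match(line)
        if m:
            events.append(Event(parse_ts(m.group(1)), m.group(2),
                                "ids:" + m.group(3), m.group(4), m.group(5)))
    for t in SNMP_TRAPS:
        events.append(Event(parse_ts(t["ts"]), "switch:" + t["agent"],
                            "trap:" + t["trap"], t["src"], t["agent"]))
    return sorted(events)


def correlate(events: List[Event], window_secs: int = 60,
              min_sources: int = 2) -> List[dict]:
    """One incident per actor reported by >= min_sources distinct devices
    within any window of window_secs; the window with most devices wins."""
    window = timedelta(seconds=window_secs)
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e.src_ip].append(e)
    incidents = []
    for actor, evs in by_actor.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window
                start += 1
            span = evs[start:end + 1]
            sources = {e.source for e in span}
            if len(sources) >= min_sources and (
                    best is None or len(sources) > len(best["sources"])):
                best = {"actor": actor, "first": span[0].ts, "last": span[-1].ts,
                        "sources": sorted(sources),
                        "kinds": sorted({e.kind for e in span})}
        if best:
            incidents.append(best)
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize()):
        print(inc)
```

Each feed alone is ambiguous: two telnet denies are background noise, one IDS alert may be a false positive, one SNMP authenticationFailure trap is an operator typo. The same actor across all three inside 40 seconds is worth an analyst's time, which is the whole point of correlating rather than reading element by element.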

  18. Security Management: OmniVista 2.0
     • Secure management traffic
        • SSL for access to WebView
        • SNMPv3 for access to BoP switches
     • Security features managed via WebView
     • Each switch configured/managed individually (element management)

  19. Global Management Application: SecureView
     • What
        • Suite of applications for managing OmniSwitch security features
        • Administrator can see and configure all available security capabilities from a common tool set
        • Phase 1 - Secure Switch Management: SecureView Switch Access, OmniVista 2.3
        • Phase 2 - Secure Network Access (2004)
     • Benefits
        • Common management and monitoring tool for eND security features and products
        • Based on a global perspective, not on individual elements
        • Priced and ordered independently

  20. Partnerships

  21. Alcatel Applications Partner Program - Data Solutions Partners
     • Partnerships based on a mutual solution demonstrated by formal interoperability testing and joint promotion for key security technologies
     • Provides increased awareness of the total solution for Alcatel field personnel, partners’ field personnel and channel personnel
     • Details of AAPP found at http://www.applicationspartner.alcatel.com/
     • Evolved from the CSBU products (OmniPCX product family); approved updates to the web site will be more friendly to other Alcatel product lines and business groups
     • eND has added 15 security partners in 2003
     • Application briefs and interworking reports available on the AAPP website
     • Redesigned to make the program more partner friendly: give partners adequate value for their time and marketing efforts

  22. Alcatel Applications Partner Program - Data Solutions Partners
     • RADIUS server: Funk Software, Interlink Networks RAD
     • LDAP directory server: Microsoft, Novell, Sun, Netscape
     • One-time password token system: RSA, Vasco, CRYPTOCard, ActivCard, Secure Computing
     • High-availability firewall off-load: Stonesoft
     • Integrity management: Tripwire

  23. Alcatel Applications Partner Program - Data Solutions Partners
     • Denial of Service defense: Esphion; others under evaluation
     • Firewall / VPN
        • NetScreen: build on the existing relationship (713x VPN trade-in program); synergy with a market leader in an area not directly competitive to Alcatel
        • SonicWALL: existing relationship for securing remote testing of 4400 partners
     • SIP firewall: Ingate
     • Intrusion detection and prevention: NetScreen, Top Layer
     • Anti-virus: Network Associates, Trend Micro

  24. Alcatel Applications Partner Program - Data Solutions Partners
     • Vulnerability management: network and host assessment; current partner: Qualys
     • Policy provisioning: provisioning in a multi-vendor environment (ACLs/A-ACLs, A-VLANs, etc.); possible partners: Solsoft, other
     • Event management and correlation: aggregation from any source of security-relevant information, real-time correlation, incident investigation and reporting; possible partners: ArcSight, netIQ, e-Security, netForensics
     • Security professional services: perimeter and vulnerability assessment, policy management, network security design, product deployment; couple switch and embedded security features with the FW/VPN/IDS offering; partners: Ubizen (today); IBM Global, Guardent

  25. Summary

  26. CrystalSec (summary slide; repeats the framework overview of slide 4)
