NETWORK SECURITY HANDBOOK FOR SERVICE PROVIDERS


TABLE OF CONTENTS

1 Executive Summary . . . 2
2 The Importance of Network Security . . . 4
Anatomy of Network Threats . . . 8
    Overview of Security Threats . . . 8
    Distributed Denial of Service (DDoS) . . . 8
    Bots and Botnets . . . 9
    Worms . . . 10
    Zero Day Attacks . . . 10
    Vulnerable Network Components . . . 11
3 Best Practices for Service Provider Security . . . 11
    General Best Practices and Tools for Service Provider Network Security . . . 11
        Routers . . . 12
        MPLS VPN . . . 12
        Network Address Translation (NAT) . . . 12
        Access Control Lists . . . 13
        Network Firewall . . . 13
        Intrusion Protection System (IPS) . . . 13
        Application Servers . . . 14
        Identity and Policy Management . . . 14
    Best Practices for Securing VoIP Networks . . . 15
        Securing the IP Edge of the VoIP Network . . . 17
        Securing VoIP Elements in the Data Center . . . 17
        Securing Internet Peering Points for VoIP . . . 17
    Best Practices for Securing TV and Multimedia Services . . . 18
        Securing External Network Peering Points . . . 19
        Securing the Video/Super Head-end . . . 19
        Securing the Video/Hub Serving Office . . . 19
    Best Practices for Securing 3rd Generation Mobile Data Networks . . . 20
    Best Practices for Securing Service Provider Data Centers . . . 22
4 Juniper Networks Security Product Portfolio . . . 24
    Routers . . . 24
    Firewalls and IDP . . . 25
        Firewalls . . . 26
        Intrusion Detection and Prevention . . . 26
    Session Border Controller . . . 26
    Identity and Policy Management . . . 27
5 Conclusion . . . 27

Network Strategy Partners, LLC (NSP) — Management Consultants to the networking industry — helps service providers, enterprises, and equipment vendors around the globe make strategic decisions, mitigate risk, and effect change through custom consulting engagements. NSP’s consulting includes business case and ROI analysis, go-to-market strategies, development of new service offerings, pricing and bundling as well as infrastructure consulting. NSP’s consultants are respected thought-leaders in the networking industry and influence its direction through confidential engagements for industry leaders and through public appearances, white papers, and trade magazine articles. Contact NSP at www.nspllc.com.

Juniper Networks high-performance network infrastructure helps businesses accelerate the deployment of services and applications to take advantage of opportunities to innovate, grow, and strengthen their business. With Juniper, businesses can answer the challenge of complicated, legacy networks with high-performance, open, and flexible solutions.

Jointly published by Juniper Networks and Network Strategy Partners, LLC:

1 Executive Summary

The telecommunications industry is in the midst of a major paradigm shift. In the 1990s, most major service providers maintained separate networks for wireline voice, mobile voice, data, and TV. Today, many service providers are migrating all of their network services to IP packet switched networks. Voice services are still a major component of service provider revenue. As voice moves from circuit switched to VoIP packet switched networks (see Figure 1), service providers will have a major incentive to wind down operations on their expensive, legacy circuit switched infrastructure. By converging network services to integrated IP networks, service providers reduce capital and operations expenses while dramatically improving network scalability and service flexibility. Furthermore, the migration to IP is increasing competition in the telecommunications market. Cable TV providers are offering traditional voice services, telephone companies are offering Internet and IPTV, and new entrants are building broadband wireless networks with Wi-Fi and WiMax technology. As increased competition is accelerating the migration to IP, service providers operating legacy networks risk shrinking revenues and operating margins.

Figure 1 - Forecast of VoIP Subscribers Worldwide

Service provider migration to IP networks has significant benefits and is, in fact, necessary for long term survival. However, the rapid growth in the Internet is also driving rapid growth in network security threats, which are escalating both in numbers and level of severity. Threats come from a myriad of sources that are distributed around the world. In the early days of the Internet, most threats were created by hackers who were just causing trouble for fun. Today, threats come from independent hackers as well as highly organized crime syndicates focused on profiting from Internet criminal activities. Some of the potential threats to service provider networks include:

• Distributed denial of service attacks (DDoS)
• Bots and botnets attacking servers and network infrastructure
• Worms propagating throughout the network
• Attacks on Domain Name System (DNS)
• Attacks on IP routing protocols
• Zero day attacks (these are new attacks which are unpredictable in nature)

[Figure 1 chart: Worldwide VoIP Subscribers (millions), CY04 to CY11, by region (Asia Pacific, EMEA, North America, CALA). 75.3M VoIP subs worldwide in 2007, +62% year over year; worldwide 185.7M by CY11, a 5-year CAGR of 25%, >22M net new subs/year. Source: 2008 Infonetics Research, Inc.]


The ramifications of such attacks on service provider networks include:

• Service outages
• Lost, damaged, or stolen customer data
• Lost, damaged, or stolen service provider data (usage data, billing records, passwords, and so on)

Global telecommunications revenues are expected to reach $2 trillion by the end of 2008 [1]. As network services migrate to IP, it is therefore essential that service providers and telecommunications equipment vendors be vigilant about security. Network infrastructure must defend itself from attacks, and operators must implement network security best practices. This network security handbook provides service providers with an anatomy of network security threats and a set of best practices for protecting the network. Best practices for network security architecture are defined for some of the most important services, applications, and network infrastructure, including:

• Voice services
• TV and multimedia services
• Mobile networks
• Service provider data centers

[1] Gartner

2 The Importance of Network Security

The convergence of voice, data, TV, and mobile telecommunications on IP networks has elevated the importance of network security. For many service providers, IP network security presents new technical challenges because legacy networks are fundamentally more secure than IP networks. The legacy phone network is based on a closed, circuit switching model. Call signaling uses the SS7 packet network, which is not connected to the Internet or any other data network. Legacy television service is delivered using broadcast over digital or analog cable; specialized equipment which is not connected to any external packet networks is used for video service delivery. Many legacy data networks are based on Frame Relay and ATM; these technologies use secure layer 2 protocols with little or no connectivity outside the private network. Similarly, second-generation mobile networks are closed, circuit switching architectures with limited and controlled gateways to the Internet and other data networks. In general, legacy telecommunications networks:

• Implement service-specific networks
• Are based on closed and proprietary architectures
• Utilize end-to-end management by service providers
• Have no customer controls
• Have no external exposure

The migration to IP next-generation networks (NGNs) offers many strategic advantages to service providers; however, the open, flexible architecture of IP networks also poses a complex set of security threats. Multiple services, including wireline voice, video, data, and mobile voice and data, are converging on a single IP network. This means that IP network attacks could affect all network services and, therefore, all network revenue. Also, threats that emerge from one service (for example the Internet) could affect other services, like TV, that were previously isolated. The IP network is based on an open, standards-based architecture that allows for rapid and massive worldwide growth. The open nature of the IP protocols, however, has also allowed intruders to easily access the tools needed for network intrusions. Everyone has access to RFC documents explaining the technical details of Internet protocols. In addition, extensive technical knowledge is not required because there is easy access to open source tools on the Web for creating network attacks and stealing valuable data.

IP networks use open standards for network management, operations, and provisioning. Protocols and standards such as SNMP, XML, and the newer Web services management model enhance the power and flexibility of operations support systems (OSS), but they also create opportunities for intruders to access the most sensitive and critical areas of the telecommunications network—the network management and control plane.

Another dimension of the problem is that business users, residential users, and mobile users are sharing the same IP network. Each of these customers has different security requirements that need to be addressed in the service offerings provided to them.

Attacks on IP networks can have serious and potentially devastating consequences. Attacks can result in:

• Service outages
• Lost, damaged, or stolen customer data
• Lost, damaged, or stolen service provider data (usage data, billing records, passwords, and so on)


Service outages can result in loss of revenue, payment of penalties for violated service-level agreements (SLAs), and increased customer churn. There are serious liabilities associated with lost or stolen customer data; lawsuits often result in high payments of damages as well as a tarnished public image. Lost or stolen service provider data can result in compromised networks and billing systems, or other serious problems.

As network services converge to IP, service availability of the IP network is critical. Downtime, whether the result of network attacks, software errors, or configuration errors, often carries high costs. The cost of downtime is highly variable based on the business and applications, but in all cases is quite high. Estimates of downtime costs for various industries and applications [2] are presented in Table 1.

Industry         Application            Average cost per hour of downtime
Transportation   Airline reservations   $89,500
Retail           Catalog sales          $90,000
Media            Pay-per-view           $1,150,000
Financial        Credit card sales      $2,600,000
Financial        Brokerage operations   $6,500,000

Table 1 - Downtime Cost Estimates in Different Vertical Markets

Downtime in service provider networks results in lost revenue due to SLA penalties and, to add insult to injury, results in increased customer churn. Table 2 depicts some estimates [3] for hourly revenue loss for service provider network outages in small metro areas where 100,000 residential customers and 2,000 business customers are affected by an outage. In these small areas, residential losses are estimated to be over $8,333 per hour and business losses almost $6,944 per hour.

While revenue loss is problematic, the potentially more serious problem (especially in markets where there are competitive offerings) is customer churn due to poor service. Table 3 presents a scenario for a small metro area with 100,000 customers, an increased churn rate of 5 percent due to dissatisfaction with network service availability, and an average cost of churn of $400 per subscriber [4].

[2] See “Storage Virtualization and the Full Impact of Storage Disruptions: Relief and ROI”, Computer Technology Review, February 2002, Volume XX11 Number 2.

[3] These estimates are based on an ROI model developed by Network Strategy Partners, LLC.

[4] The churn projections were based on an ROI model developed by Network Strategy Partners, LLC.


In this scenario the average cost of churn for this small metro area would be $2,000,000 per year. Clearly, network reliability and availability is a critical business requirement for enterprises and service providers.

                                             Residential   Business
Number of customers                          100,000       2,000
Average revenue per customer (per month)     $60.00        $2,500
Hourly lost revenue in an outage             $8,333        $6,944

Table 2 - Service Provider Hourly Lost Revenue for Business and Residential Network Outages

                                             Residential
Number of residential subscribers            100,000
Increase in rate of churn                    5%
Average cost of churn per subscriber         $400
Total cost of churn per year                 $2,000,000

Table 3 - Service Provider Costs of Increased Churn due to Network Outages

Corporate executives, furthermore, are now legally responsible for the security of their corporate information systems. There are multiple federal and state government regulatory requirements requiring executives and companies to comply with government mandated security requirements.

These regulations include:

• Sarbanes-Oxley (SOX)
• Cyber Security Critical Infrastructure Protection (CIP)
• Gramm-Leach-Bliley Act (GLBA)
• California Senate Bill Number 1386 (SB1386)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)

Network security, clearly, is one of the highest priorities in IP NGNs, and service providers need to be educated and vigilant to prevent devastating network attacks.


Anatomy of Network Threats

The open IP architecture presents a myriad of threats from many sources to all parts of the network. The following paragraphs give an overview of some common threats, threat sources, and components of the network that could be affected.

Overview of Security Threats

There are many types of security threats and they continue to grow, develop, and mutate over time. A high level distribution of network security threats is presented in Figure 2, and a brief description of security threats is given in the following subsections of this paper. This is not meant to be an exhaustive description of network threats, but rather an overview of some common threats and terminology.

[Figure 2 - Distribution of Network Security Threats: bar chart on a 0 to 50 scale comparing DDoS, bots and botnets, worms, compromised infrastructure, DNS, and BGP route hijacking]

Distributed Denial of Service Attack (DDoS)

A distributed denial of service (DDoS) attack is an attempt to make a computer resource unavailable to its intended users. Perpetrators of DDoS attacks typically target sites or services hosted on high-profile Web servers such as banks, credit card payment gateways, and even DNS root servers. One common method of attack involves saturating the target (victim) machine with external communications requests such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered unavailable. In general terms, DDoS attacks are implemented by either forcing the targeted network elements or servers to reset, consuming their resources so that they can no longer provide their intended service, or obstructing the communication media between the intended users and the victim devices so that they can no longer communicate adequately.

Bots and Botnets

Bots are computer programs that secretly install themselves on machines and run in the background often hidden from view of users, administrators, and even the operating system. A botnet is a group of bots that can propagate across the Internet and can be controlled by a malicious hacker or criminal. Once bots install themselves on machines, they scan for system vulnerabilities and collect information such as passwords and user names. The bots in a botnet can communicate with each other and the central controller to steal information, exploit system weaknesses, send spam, and execute DDoS attacks.

Bots can result in network service outages or loss of critical customer or service provider data. This is especially serious if passwords and user names are compromised. For this reason, botnets have become one of the most serious threats on the Internet.

The majority of botnets are used by cyber criminals to send spam and also to illegally seek financial information. According to shadowserver.org, an organization that tracks botnets, the number of bots measured in September 2008 peaked at a half million infected computers. Because bots are hard to detect, the numbers could be much larger.

One example of a current botnet is Kraken. The Kraken malware infects victims’ PCs and uses encrypted communications between bots. It also has the ability to move command and control functionality around the botnet. And, like many botnets, the purpose of the Kraken network seems to be the propagation of massive amounts of spam. Individual machines infected with Kraken could send as many as 500,000 spam messages in a single day.

Bots are rampant throughout the world as illustrated in Figure 3, and they are growing in number and severity levels. Service providers need to understand the nature and dynamics of botnets in order to adequately secure their networks.

[Figure 3 - Worldwide Statistics on Bots. Left chart: active bot-infected computers per day, Jan. 01, 2006 to May 16, 2007, on a scale of 0 to 100,000. Right chart: bot-infected computers by country (source: Symantec), given as current rank and current proportion: China (1) 26%, United States (2) 14%, France (3) 6%, Germany (4) 6%, Spain (5) 5%, United Kingdom (6) 4%, Taiwan (7) 4%, Poland (8) 3%, Brazil (9) 3%, Canada (10) 2%]


Worms [5]

There are a large variety of Internet worms. The common characteristics of worms are that they:

• Exploit vulnerabilities in a computer’s operating system or application software to launch malicious software that runs on the machine
• Find information in the computer (such as email lists or lists of IP addresses) to propagate between different machines
• Cause significant damage and financial losses to large numbers of companies worldwide in a short period of time

One example of a well known Internet worm is Code Red. This worm exploited a vulnerability in the indexing software distributed with IIS [6] for which a patch had been available a month earlier. The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character “N” to overflow a buffer, allowing the worm to execute arbitrary code infecting the machine. The worm spread by probing random IP addresses and infecting all hosts vulnerable to the IIS exploit.

Another example of a well known worm is the Love Bug Virus. This virus arrived in email boxes on May 4, 2000, with the simple subject of “ILOVEYOU” and an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”. Upon opening the attachment, the virus sent a copy of itself to everyone in the user’s address list, posing as the user. It also made a number of malicious changes to the user’s system.

Two aspects of the virus made it effective:

• It relied on user curiosity to entice users to open the attachment and ensure its continued propagation.
• It exploited the weakness of the email system design that an attached program could be run by simply opening the attachment.

Worms come in many forms and varieties, and they can result in network service outages and loss of customer and service provider data.

Zero Day Attacks

Fundamentally, there are two types of attacks on networks: 1) known attacks and 2) zero day attacks. The first is a known attack on a known vulnerability which can be identified in an intrusion prevention system (IPS) by a signature.

[5] Worms and viruses are closely related; this discussion addresses both types of threats.

[6] Internet Information Services (IIS)—formerly called Internet Information Server—is a Microsoft-produced set of Internet-based services for servers using Microsoft Windows.


In contrast, zero day attacks are new and therefore have no attack signatures to identify them. To defend against zero day attacks, the IPS requires more sophisticated methods such as protocol anomaly detection. This topic will be covered more fully later in the paper.

Vulnerable Network Components

Many parts of an IP network are vulnerable to threats including:

• End user equipment—PCs, servers, mobile phones, PDAs, and so on
• Network equipment—routers, Ethernet switches, and so on
• Control and signaling—network management plane, softswitches, and so on
• Applications and services—network and application servers
• OSS—network management, billing and operations management

Attacks on any of the network components above can result in loss of service or loss of data.

3 Best Practices for Service Provider Security

Every network is unique and requires the attention of professional network architects and designers to ensure that the network is defensible. The principles used by network designers to secure networks are based on a set of industry best practices. This section of the security handbook provides a network security best practice overview which is summarized in Table 4. We start by providing a summary of general best practices that can be applied to any service provider network.

General Best Practices and Tools for Service Provider Network Security

This section provides an overview of some of the devices and technologies for securing service provider networks. The devices that provide network security are:

• Router
• Network firewall
• Intrusion Protection Systems (IPS)
• Application servers
• Identity and policy management


Routers

Network routers are core components in the IP network infrastructure. As such, it is critical that routers implement security technologies to protect networks from intruders.

Some of the security technologies implemented in routers are:

• VLANs
• MPLS VPN
• Network Address Translation (NAT)
• Access Control Lists (ACLs)

Virtual LANs (VLANs)

A VLAN is a layer 2 segmentation technology that allows for a group of end stations to be grouped together into a logical LAN, even if they are not located on the same network switch. It can also be used to segment traffic, such as segmenting VoIP traffic from regular data traffic. The segmentation of users and/or traffic provides a level of security by creating a virtual network, making it difficult to intercept traffic or access a traffic segment.

MPLS VPN

The MPLS virtual private network (VPN) is a common method of securing IP communications. The basic concept of the MPLS VPN is that a common physical routing infrastructure hosts multiple logical routing networks. Each logical network appears to hosts and users to be a separate IP network. The logical network, or MPLS VPN, can use a set of private IP addresses, run independent routing protocols local to the VPN, and remain isolated from the Internet and all other MPLS VPNs, unless the network administrator intentionally provides routing connectivity between networks. An MPLS VPN therefore is equivalent to building a physically separate IP routing network. This logical separation of IP networks provides a cost-effective approach to securing subscriber and service-specific networks from attacks that emanate from the Internet or other private IP networks.

Network Address Translation (NAT)

NAT is a common mechanism for mapping private IP addresses to public addresses. The process is simple: a private IP address and TCP port is mapped to a public address using a NAT server. One of the additional benefits of NAT is that malicious users on the Internet cannot see the true IP source address of the host. Without knowing the IP source address, it is more difficult to attack hosts. This is especially important for network servers that are a focal point for many attacks.

Access Control Lists (ACLs)

The ACL is a list of permissions that specifies who or what is allowed to access the router or device, and what operations they are allowed to perform. In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether to proceed with the operation. Depending on the ACL, the request may be accepted or denied. ACLs provide router protection by denying unauthorized users or packets from accessing the router.

Network Firewall

A network firewall is a dedicated appliance which inspects network traffic and denies or permits passage based on a set of rules. The primary objective of the firewall is to regulate traffic flows between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a “perimeter network” or demilitarized zone (DMZ).

The classes of firewalls are:

• Stateless firewalls
• Stateful firewalls

Stateless firewalls are usually implemented in routers and switches as ACLs that filter packets based on parameters in layer 3 IP headers and layer 4 TCP headers. For instance, packets can be filtered based on IP source and destination address and TCP ports.

Stateful firewalls extend simple packet filtering to create rules based on sessions. Filtering rules can account for the history of a session as opposed to working on individual packets. For example, if an Internet user accesses a Web site from an internal network, a stateful firewall will let the return packets into the network from the Web site based on the state of the session. This is not possible with stateless firewalls.
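The ACL entries and the two firewall classes described above, as an added example that is not code from the handbook: a toy layer 3/4 filter showing why a stateless ACL must admit every packet with source port 80 in order to let web replies in, while a stateful filter admits only replies to sessions it saw opened from the inside. The addresses, rules and packets are constructed for this demonstration.

```python
"""Stateless ACL filtering versus stateful session tracking.

Added example, not code from the handbook: a toy layer 3/4 packet filter
that contrasts the two firewall classes the text describes. Addresses,
rules and packets below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"
    syn: bool = False   # True on the first packet of a TCP connection


@dataclass(frozen=True)
class AclRule:
    """One ACL entry; "any" / None fields match every value."""
    action: str                     # "permit" or "deny"
    src_ip: str = "any"
    src_port: Optional[int] = None
    dst_ip: str = "any"
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_ip in ("any", pkt.src_ip))
                and (self.src_port in (None, pkt.src_port))
                and (self.dst_ip in ("any", pkt.dst_ip))
                and (self.dst_port in (None, pkt.dst_port)))


def stateless_filter(rules: List[AclRule], pkt: Packet) -> str:
    """Stateless filtering: first matching entry wins, implicit deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Admits inbound packets only as replies to sessions opened from inside."""

    def __init__(self, inside_prefix: str, outbound_policy: List[AclRule]):
        self.inside_prefix = inside_prefix
        self.outbound_policy = outbound_policy
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def process(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.src_ip.startswith(self.inside_prefix):
            if pkt.syn:   # new outbound connection: consult the policy
                if stateless_filter(self.outbound_policy, pkt) == "permit":
                    self.sessions.add(key)
                    return "permit"
                return "deny"
            return "permit" if key in self.sessions else "deny"
        # Inbound packet: permitted only if it is the reverse of a known session
        return "permit" if reverse in self.sessions else "deny"


def compare_filters() -> dict:
    """Run one outbound web session and one unrelated inbound packet through both."""
    inside_host, web_server, other_host = "192.0.2.10", "198.51.100.5", "203.0.113.9"
    request = Packet(inside_host, web_server, 40001, 80, syn=True)
    reply = Packet(web_server, inside_host, 80, 40001)
    unrelated = Packet(other_host, inside_host, 80, 40001)   # no session behind it

    # Stateless ACL on the inbound interface: to admit the reply at all it must
    # permit every packet with source port 80, so the unrelated packet passes too.
    inbound_acl = [AclRule("permit", src_port=80)]

    fw = StatefulFirewall("192.0.2.", [AclRule("permit", dst_port=80)])
    fw.process(request)   # opens the session; later packets are judged against it
    return {
        "stateless_reply": stateless_filter(inbound_acl, reply),
        "stateless_unrelated": stateless_filter(inbound_acl, unrelated),
        "stateful_reply": fw.process(reply),
        "stateful_unrelated": fw.process(unrelated),
    }


if __name__ == "__main__":
    for name, verdict in compare_filters().items():
        print(f"{name}: {verdict}")
```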

Intrusion Protection System (IPS)

IPS is used to detect and prevent network attacks. IPS analyzes network traffic for threats and takes some action to mitigate the threat when one is detected. IPS typically uses deep packet inspection (DPI) technology to look at all layers of network protocols from layer 2 to layer 7.

There are two fundamental mechanisms for detecting network intrusions:

• Signatures
• Protocol and application anomaly detection

Signatures are patterns of known network attacks that could operate at any level of the protocol stack. The IPS monitors network traffic and matches traffic with known signatures. If a sequence of packets in a session matches a signature, then the IPS detects a known attack and takes action on the session based on a set of user policies.

The weakness of IPS signatures is that only known attacks are detected. In order to detect zero day attacks, IPS uses protocol, application, and traffic pattern anomaly analysis. This method of detection uses behavior monitoring at all layers of the stack and detects packet sequences that appear to be abnormal. The IPS then takes action on the traffic based on a set of user defined network policies.
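The two detection mechanisms just described, as an added example that is not code from the handbook: a toy HTTP request-line inspector with one signature (the repeated-"N" URI pattern from the Code Red discussion earlier) and a set of protocol anomaly checks, showing that an abnormally long request no signature knows is still blocked by the anomaly rules. The signature, the request samples and the 1024-byte URI baseline are constructed assumptions for this demonstration.

```python
"""Signature matching versus protocol-anomaly detection in an IPS.

Added example, not code from the handbook: a toy inspector that applies the
two detection mechanisms the text describes to HTTP request lines. The
signature, the request samples and the URI length baseline below are
constructed for this demonstration and are not real IPS content.
"""
import re
from typing import Dict, List

# Signatures: patterns of known attacks. This one describes the request shape
# of the Code Red worm discussed earlier in the handbook: a long run of the
# repeated character "N" in the request URI.
SIGNATURES = {
    "repeated-N-uri-overflow": re.compile(rb"^GET /\S*N{100,}"),
}

# Protocol baseline used for anomaly detection (constructed values).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
MAX_URI_LEN = 1024   # assumed baseline; a real IPS would configure or learn it


def signature_check(request_line: bytes) -> List[str]:
    """Known-attack detection: names of every signature that matches."""
    return [name for name, pattern in SIGNATURES.items()
            if pattern.search(request_line)]


def anomaly_check(request_line: bytes) -> List[str]:
    """Protocol anomaly detection: flag requests that deviate from the
    baseline, whether or not any signature knows them."""
    match = REQUEST_LINE.match(request_line)
    if not match:
        return ["malformed-request-line"]
    method, uri = match.group(1), match.group(2)
    anomalies = []
    if method not in KNOWN_METHODS:
        anomalies.append("unknown-method")
    if len(uri) > MAX_URI_LEN:
        anomalies.append("uri-too-long")
    if any(byte < 0x20 or byte > 0x7E for byte in uri):
        anomalies.append("non-printable-in-uri")
    return anomalies


def inspect(request_line: bytes) -> Dict[str, object]:
    """Combine both mechanisms; the user policy here blocks on any finding."""
    signatures = signature_check(request_line)
    anomalies = anomaly_check(request_line)
    verdict = "block" if signatures or anomalies else "allow"
    return {"verdict": verdict, "signatures": signatures, "anomalies": anomalies}


# Constructed request lines: a normal request, a Code Red-style request that
# the signature knows, and an abnormally long request no signature knows about.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1",
    "known": b"GET /search?q=" + b"N" * 240 + b" HTTP/1.0",
    "novel": b"GET /" + b"A" * 1500 + b" HTTP/1.1",
}


def run_samples() -> Dict[str, Dict[str, object]]:
    return {name: inspect(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```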

Application Servers

Application servers should also be able to defend against certain security threats. The defense should include antivirus and other anti-malware software. This ensures that if a virus or worm does penetrate the network layer defenses, the application server has the means to defend itself.

Identity and Policy Management

The identification and authentication of users is essential for securing the network. Knowledge about who is accessing the network, what they are trying to access, and when is critical to the security of the overall network. Implementing an identity and policy management solution adds a level of intelligence to the network, and can provide security defenses in cases where unauthorized users try to access the network, or a legitimate user attempts to access an application that they are not authorized to access. In addition, identity and policy management can help to manage user sign-on by implementing a single sign-on (SSO) system; allowing users to access multiple networks or applications with a single sign-on. Table 4 provides a summary of some of the best practices service providers employ to protect their networks.


FUNCTION / DESCRIPTION

Function: L2/3 Traffic Segmentation
Description: Routers and switches can segment traffic into virtual networks using L2 VLANs or L3 MPLS VPNs.

Function: L3/4 Stateless Filtering
Description: Access Control Lists (ACLs) are used to permit or deny traffic based on parameters in L3 and L4 packet headers.

Function: L3/4 Stateful Firewall
Description: Firewalls maintain information regarding a session, and permit or deny sessions based on L3 and L4 parameters. The difference between stateless filtering and stateful firewalls is that rules apply to sessions, not individual packets.

Function: L7 Intrusion Detection and Prevention
Description: Deep packet inspection (DPI) is used to analyze L7 application content in sessions, and rules for processing traffic or alerting network administrators to attacks are made based on L7 application analysis.

Function: Application Layer Security
Description: Antivirus, anti-malware, and other application layer security models are implemented on servers.

Table 4 - Best Practices for Service Provider Security
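As an added example that is not part of the handbook, the three packet-handling layers summarized in Table 4 (stateless ACL, stateful session tracking, L7 signature matching as an IPS performs it) can be seen side by side in a small simulation. The ACL, the session table, the single signature, the web server address 203.0.113.10 and the sample packets are all constructed for the example; the addresses are documentation ranges. The point it makes concrete is the table's own distinction: the server's reply packet is denied by the stateless ACL on its own but permitted by the stateful check, because it belongs to a session the ACL already admitted.

```python
"""Layered filtering as summarized in Table 4, on constructed packets.

Each packet passes through an L3/4 stateless ACL (per-packet header match),
an L3/4 stateful check (per-session) and an L7 signature match in that order.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: first packet of a session
    payload: bytes = b""


# Constructed ACL: (action, source prefix, destination prefix, proto, dport).
# None means "any". Rules are evaluated top-down; an unmatched packet is denied.
ACL = [
    ("permit", "0.0.0.0/0", "203.0.113.0/24", "tcp", 80),   # public web service
    ("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", None),     # internal hosts outbound
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None, None),
]


def acl_check(pkt: Packet) -> str:
    """Stateless filtering: judge every packet on its own headers only."""
    for action, src_net, dst_net, proto, dport in ACL:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
                and (proto is None or proto == pkt.proto)
                and (dport is None or dport == pkt.dport)):
            return action
    return "deny"


class StatefulFirewall:
    """Stateful filtering: the ACL is consulted once, when a session opens.

    Later packets of that session, in either direction, pass on the strength
    of the session entry, so server replies are permitted even though no ACL
    rule would admit them on their own.
    """

    def __init__(self):
        self.sessions = set()

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def _reverse_key(pkt: Packet):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def check(self, pkt: Packet) -> str:
        if self._key(pkt) in self.sessions or self._reverse_key(pkt) in self.sessions:
            return "permit"                      # part of an established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                        # mid-stream packet with no session
        if acl_check(pkt) == "permit":
            self.sessions.add(self._key(pkt))    # open the session
            return "permit"
        return "deny"


# Constructed L7 signature: a pattern over application content, as an IPS matches.
SIGNATURES = {
    "http-path-traversal": re.compile(rb"(?:\.\./){2,}"),
}


def l7_check(pkt: Packet):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            return name
    return None


def inspect(fw: StatefulFirewall, pkt: Packet):
    """Apply the Table 4 layers in order; report the verdict and the deciding layer."""
    if fw.check(pkt) == "deny":
        return ("deny", "l3/4")
    signature = l7_check(pkt)
    if signature is not None:
        return ("deny", "l7:" + signature)
    return ("permit", "ok")


# Constructed traffic: an outside client talking to the web server 203.0.113.10.
OUTSIDE, WEB = "198.51.100.7", "203.0.113.10"
SAMPLE = [
    ("client SYN to web server", Packet(OUTSIDE, WEB, "tcp", 40001, 80, syn=True)),
    ("server reply", Packet(WEB, OUTSIDE, "tcp", 80, 40001)),
    ("client request with traversal", Packet(OUTSIDE, WEB, "tcp", 40001, 80,
                                             payload=b"GET /images/../../../../config HTTP/1.1\r\n")),
    ("stray mid-stream packet", Packet("198.51.100.9", WEB, "tcp", 5555, 80)),
    ("SSH attempt from outside", Packet("198.51.100.9", WEB, "tcp", 5556, 22, syn=True)),
]


def run_demo():
    """Run the sample traffic through one firewall instance, in order."""
    fw = StatefulFirewall()
    return [(label, inspect(fw, pkt)) for label, pkt in SAMPLE]


if __name__ == "__main__":
    for label, verdict in run_demo():
        print(f"{label:32} -> {verdict}")
```

Note that the order matters: the stray mid-stream packet is dropped before any payload inspection happens, which is why a stateful device in front of the IPS reduces the load on signature matching.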

Best Practices for Securing VoIP Networks

Mobile and fixed voice services still dominate service provider revenue worldwide. As voice services migrate to VoIP, security challenges increase in complexity and criticality.

Figure 4 represents a typical service provider VoIP network architecture. In a VoIP network, there are two fundamental forms of transport:

• A control plane using either Session Initiation Protocol (SIP), H.323, or some other VoIP signaling protocol

• A data plane transporting VoIP packets

VoIP signaling is completely separate from the VoIP data plane. IP phones set up calls using a VoIP signaling protocol, which communicates with an IP PBX, IP Centrex service, or network softswitch to establish VoIP sessions. Calls can be routed across the service provider IP network, across the Internet, or to the Public Switched Telephone Network (PSTN) via a VoIP gateway. After the network softswitches set up a call, the VoIP session is established between the VoIP endpoints, and the Real Time Transport Protocol (RTP) is used to carry the voice traffic between those endpoints over the IP network.


Figure 4 - Representative Network Architecture of a Typical VoIP Network

The VoIP network architecture offers a myriad of security vulnerabilities. DDoS attacks are a primary area of concern, as they can come in many shapes and forms. Typically executed by botnets, the result of a DDoS attack could be a telephone network service outage. Some of the network elements that are vulnerable to DDoS attacks are:

• VoIP media gateways

• Softswitches

• VoIP application servers

• IP PBX

• Session border controllers (SBCs)

Fraud and theft of services is another type of security threat. If network criminals are able to penetrate network softswitches, media gateways, or OSS systems, they can steal services by making free calls, modifying or deleting billing records, or transferring false settlements to other carriers.

An overview of the best practices for network security is provided in the following subsections for transport network elements, IP edge elements, data center, and Internet peering points.



Securing the IP Edge of the VoIP Network

The primary mechanisms for controlling traffic and securing the edge of the VoIP network are Session Border Controllers (SBCs) and IPS. SBCs are specialized network devices designed to perform specific services in VoIP networks. They are inserted into the signaling and/or media paths between calling and called parties in a VoIP call. In some cases, the SBC masquerades as the called VoIP phone and places a second call to the called party. The effect of this behavior is that signaling traffic and media traffic (voice, video, and so on) can be monitored and controlled by the SBC. The SBC also has the ability to modify control signaling, allowing service providers to restrict or redirect certain calls and helping them overcome potential problems caused by firewalls and NAT.

There are multiple security benefits to SBCs. They monitor traffic, help prevent DDoS attacks, and they provide a mechanism for lawful intercept of VoIP calls. SBCs also create a general framework for monitoring malicious VoIP usage and shutting down offending users or bots.

SBCs, however, are also subject to attacks, and don’t typically have the capability to quickly update and defend against new security threats. IPS is designed to quickly load new signatures in defense of newly found security threats. These signatures can be created and loaded within hours, providing the necessary response for stopping new threats. For this reason, many networks deploy IPS in front of SBCs to prevent attacks on the SBC.

Securing VoIP Elements in the Data Center

There are multiple servers and network elements in the data center that support VoIP services. Servers must be regularly patched, and antivirus and anti-spyware software must be kept up to date. In addition, VoIP MPLS VPNs can be extended to the data center to provide network isolation for VoIP application and media servers. Standard firewall/IPS configurations can cause SIP signaling problems; therefore, these elements must be configured both to support VoIP transport and to defend the data center from intruders. Firewalls should use Application Layer Gateways (ALGs) to open and close pinholes so that VoIP media traffic can traverse the firewall. ALG support is required for whichever VoIP signaling protocol (SIP, H.323, or other) is used in the network.
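The ALG behavior just described, as an added example that is not part of the handbook: a minimal SIP ALG that reads the SDP offer in an INVITE and the SDP answer in its 200 OK, opens UDP pinholes only for the negotiated RTP port and its RTCP companion (port + 1) between exactly those two endpoints, and closes them on BYE. The dialog, the Call-ID and the addresses are constructed for the example; a production ALG would also track re-INVITEs, dialog timeouts, the ACK, and signaling that is not SIP.

```python
"""SIP application layer gateway (ALG) pinhole tracking on a constructed dialog.

A firewall that blocks inbound UDP by default still has to let the RTP media
of a legitimate call through. The ALG learns the media endpoints from the SDP
carried in SIP signaling and opens pinholes only for that address/port pair.
"""


def parse_sip(raw: bytes):
    """Split a SIP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("ascii")


def sdp_audio_endpoint(sdp: str):
    """Return (ip, port) of the audio stream from the SDP c= and m=audio lines."""
    ip = port = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("SDP lacks a c= or m=audio line")
    return ip, port


class SipAlg:
    def __init__(self):
        self.offers = {}     # Call-ID -> (ip, port) offered in the INVITE
        self.pinholes = {}   # Call-ID -> set of permitted (src_ip, src_port, dst_ip, dst_port)

    def observe(self, raw: bytes):
        """Feed one SIP message seen on the signaling path."""
        start, headers, body = parse_sip(raw)
        call_id = headers.get("call-id") or headers.get("i")   # "i" is the compact form
        if call_id is None:
            return
        if start.startswith("INVITE ") and body:
            self.offers[call_id] = sdp_audio_endpoint(body)
        elif start.startswith("SIP/2.0 200") and body and call_id in self.offers:
            a_ip, a_port = self.offers.pop(call_id)
            b_ip, b_port = sdp_audio_endpoint(body)
            holes = set()
            for off in (0, 1):                      # RTP, then RTCP on port + 1
                holes.add((a_ip, a_port + off, b_ip, b_port + off))
                holes.add((b_ip, b_port + off, a_ip, a_port + off))
            self.pinholes[call_id] = holes
        elif start.startswith("BYE "):
            self.pinholes.pop(call_id, None)        # call over: close the pinholes
            self.offers.pop(call_id, None)

    def allows_udp(self, src_ip, src_port, dst_ip, dst_port) -> bool:
        """Firewall query for a UDP packet: only exact pinhole matches pass."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        return any(flow in holes for holes in self.pinholes.values())


# Constructed dialog: outside peer 192.0.2.10 calls inside phone 10.1.1.5.
INVITE = (b"INVITE sip:alice@10.1.1.5 SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
          b"Call-ID: abc123@192.0.2.10\r\n"
          b"Content-Type: application/sdp\r\n\r\n"
          b"v=0\r\no=bob 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
          b"c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 30000 RTP/AVP 0\r\n")
OK_200 = (b"SIP/2.0 200 OK\r\n"
          b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
          b"Call-ID: abc123@192.0.2.10\r\n"
          b"Content-Type: application/sdp\r\n\r\n"
          b"v=0\r\no=alice 1 1 IN IP4 10.1.1.5\r\ns=-\r\n"
          b"c=IN IP4 10.1.1.5\r\nt=0 0\r\nm=audio 20000 RTP/AVP 0\r\n")
BYE = (b"BYE sip:bob@192.0.2.10 SIP/2.0\r\n"
       b"Call-ID: abc123@192.0.2.10\r\n\r\n")


def run_dialog():
    """Return (media allowed after the answer, media allowed after BYE)."""
    alg = SipAlg()
    alg.observe(INVITE)
    alg.observe(OK_200)
    during = alg.allows_udp("192.0.2.10", 30000, "10.1.1.5", 20000)
    alg.observe(BYE)
    after = alg.allows_udp("192.0.2.10", 30000, "10.1.1.5", 20000)
    return during, after


if __name__ == "__main__":
    print(run_dialog())
```

Because the pinhole is keyed on both endpoints and both ports, media from the negotiated peer to a different internal port, or from a third host, stays blocked; that is the property that distinguishes an ALG from simply leaving a UDP port range open.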

Securing Internet Peering Points for VoIP

For obvious reasons, Internet peering points are high-risk locations. It is a best practice to use SBCs at peering points to protect from DDoS and other attacks. Firewalls and IPS are also a must at peering points and should be used in conjunction with SBCs to ensure adequate security, while minimizing service disruptions due to NAT or other protocol problems associated with VoIP signaling and network firewalls.

FUNCTION / DESCRIPTION

Function: Securing the IP Edge
Description: SBCs and IPS systems are used to secure the edge of the network from external threats.

Function: Securing VoIP Elements in the Data Center
Description: Use firewalls and IPS to secure VoIP servers in the data center.

Function: Securing Internet Peering Points for VoIP
Description: Peering points should be secured with SBCs, firewalls, and IPS.

Table 5 - Summary of VoIP Network Security Best Practices

Best Practices for Securing TV and Multimedia Services

Traditional telephone companies are entering the TV and multimedia entertainment markets by leveraging IPTV and video on demand (VOD) technology. Delivering video entertainment services over IP networks creates the opportunity for new and enhanced services that provide competitive advantages over incumbents. Figure 5 depicts a typical network architecture for IPTV and VOD.

Figure 5 - Internet TV and Multimedia Architecture


Security vulnerabilities exist throughout the IPTV architecture. Virtually all IP network devices are subject to DDoS attacks, and prevention mechanisms should be put into place. IP routers should utilize ACLs, NAT, MPLS VPNs, and VLANs to secure routers and traffic. Beyond these general measures, the IPTV architecture presents additional challenges at the network peering points, the head-end, and the video serving office.

Securing External Network Peering Points

At all points where the video IP network interconnects with external IP networks (the Internet or any other third-party network), stateful firewalls with IPS should be used to prevent external attacks. Firewalls should also use NAT to shield internal IP addresses from the outside world. This limits the information that can be collected by an intruder for the purposes of an attack.

Securing the Video/Super Head-End

The video/super head-end is a critical component of the network that must be secured. Network firewalls and IPS should be used to control access to the head-end. This is also a point where digital rights management needs to be enforced. Encryption technology combined with IPSec tunnels can be used to ensure privacy and prevent unauthorized access to video content.

Securing the Video/Hub Serving Office

The video/hub serving office is another critical location in the network that needs protection. Best practices include inline IDP protection with custom signatures to detect DDoS and other attacks on video networks. Digital rights management also needs to be enforced at these locations using encryption.

FUNCTION / DESCRIPTION

Function: Securing External Network Peering Points
Description: Stateful firewalls and routers should secure external peering points. NAT should be used to shield internal IP addresses. IPS should be used for intrusion protection.

Function: Securing the Video/Super Head-End
Description: Routers, firewalls, and IPS should secure the video head-end.

Function: Securing the Video/Hub Serving Office
Description: Routers, firewalls, and IPS should secure the video/hub serving office.

Table 6 - Summary of Best Practices for Securing an IP Video Network


Best Practices for Securing 3rd Generation Mobile Data Networks

The rapid growth of wireless data service riding on third-generation networks has increased the need for security in the mobile packet core. Figure 6 presents a high level overview of the third-generation packet architecture.

Figure 6 - High Level Overview of Third-Generation Network Architecture

The threats on the third-generation network are similar in nature to the threats discussed earlier. Protection is needed from DDoS attacks, botnets, worms, and intruders attempting to hijack services and illegally monitor voice or data communications. One difference in third-generation networks is that all wireless data is managed and controlled by a small number of packet control nodes: the Serving GPRS Support Node (SGSN), the Gateway GPRS Support Node (GGSN), and, for CDMA2000, the Packet Data Serving Node (PDSN). Since all data traffic passes through these controllers, any successful attack on them will cause network-wide service outages. It is therefore imperative to defend these network elements.

The key areas in the third-generation network that must be defended are highlighted in Figure 7. Starting from the edge of the network, security must be maintained on mobile handsets. It is the responsibility of the handset manufacturer to install and maintain virus protection, intrusion detection, and firewall software on the handset to defend against attacks. Handsets must also be capable of encrypting data using SSL clients to maintain privacy.


In the data core network, the methods of protection are similar to those discussed earlier. Firewalls, IPS, and encrypted tunnels should be used to secure interfaces to external networks. MPLS VPNs should also be used to isolate the third-generation core network from any other IP traffic on the network. For example, if the IP core network is supporting many services, including third-generation mobile, Internet, wireline voice, IPTV, and business services, an MPLS VPN can create a secure virtual IP network to carry the third-generation core packet network. Security must also be provided for all servers, billing systems, and packet control nodes. This can be done with firewalls, IPS, and antivirus and anti-malware software running on servers. A specific requirement of third-generation networks is that firewalls must be capable of passing GPRS Tunneling Protocol (GTP) tunnels, which are commonly used to carry data traffic securely across the network.
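As an added example that is not part of the handbook or of any vendor's product, the following shows what "capable of passing GTP" means for a GTP-U aware filter in front of an SGSN or GGSN: it decodes the 8-byte GTPv1 header, rejects truncated, mis-lengthed or unexpected messages, allows echo keepalives, and passes G-PDU user traffic only on tunnel endpoint identifiers (TEIDs) that signaling has previously established. The TEID allowlist, the inner IP bytes and the datagrams are constructed for the example; learning TEIDs from GTP-C (UDP 2123) and filtering GTP-C itself are out of scope here.

```python
"""GTP-U aware filtering for the mobile packet core, on constructed datagrams.

GTPv1 mandatory header (8 bytes): flags, message type, length, TEID.
flags: bits 7-5 version, bit 4 PT (1 = GTP, 0 = GTP'), bit 3 spare,
       bit 2 E (extension header), bit 1 S (sequence), bit 0 PN (N-PDU number).
"""
import struct
from dataclasses import dataclass

GTP_U_PORT = 2152          # GTP-U listens on UDP 2152; GTP-C on UDP 2123
MSG_ECHO_REQUEST = 1
MSG_ECHO_RESPONSE = 2
MSG_G_PDU = 0xFF           # encapsulated user IP packet


@dataclass(frozen=True)
class GtpHeader:
    version: int
    protocol_type: int
    has_ext: bool
    has_seq: bool
    has_npdu: bool
    msg_type: int
    length: int            # bytes following the 8-byte mandatory header
    teid: int


def parse_gtpv1(data: bytes) -> GtpHeader:
    """Decode the mandatory GTPv1 header; raise ValueError if truncated."""
    if len(data) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    return GtpHeader(
        version=flags >> 5,
        protocol_type=(flags >> 4) & 1,
        has_ext=bool(flags & 0x04),
        has_seq=bool(flags & 0x02),
        has_npdu=bool(flags & 0x01),
        msg_type=msg_type,
        length=length,
        teid=teid,
    )


def gtp_u_verdict(udp_dport: int, data: bytes, allowed_teids) -> str:
    """Firewall decision for one UDP datagram that claims to be GTP-U."""
    if udp_dport != GTP_U_PORT:
        return "deny:not-gtp-u"
    try:
        hdr = parse_gtpv1(data)
    except ValueError:
        return "deny:malformed"
    if hdr.version != 1 or hdr.protocol_type != 1:
        return "deny:unsupported-version"
    if hdr.length != len(data) - 8:
        return "deny:length-mismatch"          # length field disagrees with datagram
    if hdr.msg_type in (MSG_ECHO_REQUEST, MSG_ECHO_RESPONSE):
        return "permit:echo" if hdr.teid == 0 else "deny:echo-with-teid"
    if hdr.msg_type == MSG_G_PDU:
        return "permit:g-pdu" if hdr.teid in allowed_teids else "deny:unknown-teid"
    return "deny:unexpected-message-type"


def build_gtpu(msg_type: int, teid: int, payload: bytes) -> bytes:
    """Build a minimal GTPv1 datagram (version 1, PT=1, no optional fields)."""
    return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload


# Constructed allowlist: TEIDs that tunnel setup signaling has established.
ALLOWED_TEIDS = {0x1234, 0x5678}
# Constructed 20-byte inner IPv4 header, used only as opaque payload here.
INNER_IP = bytes.fromhex("45000014000000004011000a0a01010a08080808")


def run_demo():
    """Classify a handful of constructed datagrams; returns {case: verdict}."""
    cases = {
        "established tunnel": (GTP_U_PORT, build_gtpu(MSG_G_PDU, 0x1234, INNER_IP)),
        "unknown teid": (GTP_U_PORT, build_gtpu(MSG_G_PDU, 0x9999, INNER_IP)),
        "echo request": (GTP_U_PORT, build_gtpu(MSG_ECHO_REQUEST, 0, b"")),
        "wrong port": (2123, build_gtpu(MSG_G_PDU, 0x1234, INNER_IP)),
        "truncated": (GTP_U_PORT, b"\x30\xff\x00"),
        "bad length": (GTP_U_PORT, build_gtpu(MSG_G_PDU, 0x1234, INNER_IP)[:-4]),
    }
    return {name: gtp_u_verdict(port, data, ALLOWED_TEIDS)
            for name, (port, data) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20} -> {verdict}")
```

The TEID check is what turns "pass GTP" into a real control: a G-PDU on a TEID that no PDP context set up is dropped rather than forwarded into the core, and the length check catches datagrams whose header does not describe the bytes that actually arrived.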

Figure 7 - Best Practices for Securing 3rd Generation Packet Core Networks

[Figure 7 callouts, numbered 1 to 7 in the original diagram: Security on the Mobile Handset (mandatory in FMC/UMA); Roaming Partner Protection; Protecting Access Nodes (UNC, RNC, etc.); GTP/Gp Attacks; PSTN Connection Protection; Application Servers Protection (potentially compromises LIG, HLR, VLR); Protecting IP Nodes (SGSN, GGSN).]


FUNCTION / DESCRIPTION

Function: Securing the PSTN Connections
Description: Firewalls and IPS protect interfaces to PSTN gateways.

Function: Securing the SGSN, GGSN, and/or PDSN
Description: MPLS VPNs isolate the mobile IP network from other service provider IP networks. Firewalls and IPS protect the SGSN, GGSN, and PDSN.

Function: Securing the OSS, Billing Systems, and Application Servers
Description: MPLS VPNs isolate the mobile IP network from other service provider IP networks. Firewalls and IPS protect data center OSS and billing systems.

Table 7 - Summary of Best Practices for Securing an IP Mobile Network

Best Practices for Securing Service Provider Data Centers

Rollout of new data services has led to an explosive growth in data centers. Figure 8 presents an overview of how data centers fit into the typical service provider network architecture. Network services are provided by multiple data centers and application servers. These could be metro data centers or national and regional data centers. Additionally, some services are provided by third parties with applications hosted in remote data centers across the Internet.

Figure 8 - Architecture of Service Provider Data Centers


Data centers are the brains running the network services and are therefore a focal point for network criminals attacking service providers. A complex set of systems and services runs in the data center, with vulnerabilities in each layer. These include:

• Server and OS vulnerabilities

• Application layer vulnerabilities

• Network switching vulnerabilities

• Network routing vulnerabilities

• Storage network vulnerabilities

• Data center management and control vulnerabilities

An important trend in modern data center design is system virtualization. LANs, storage area networks (SANs), and servers are virtualized such that a single physical network or system element can run multiple logical elements. This has helped improve scalability, reduced operations expenses such as power consumption and cooling, and improved data center security by isolating components of the network and system infrastructure. In designing a secure data center networking infrastructure, the virtualization and security defenses in the network must correctly map to the virtualization models deployed across the data center as a whole.

Figure 9 - Establishing a Security Perimeter in a Virtualized Data Center


A common approach for securing network and system infrastructure in data centers is a layered security model (see Figure 9). In this model, one or more security perimeters are maintained such that trusted network components are separated from untrusted components. In some cases, there are multiple perimeters and multiple layers of trust assigned to systems. It is also possible to have tiered virtual security perimeters mapped to virtual servers and storage networks. Network elements and systems outside the perimeter are managed differently than those inside the perimeter. Different systems and components have varying levels of importance and vulnerability, and therefore are managed differently from a security perspective. However, all systems must be protected from attacks at some level. Systems that house extremely sensitive data should be deep inside the security perimeters, while systems that provide Internet Web services should be outside the perimeter or in a demilitarized zone (DMZ). The DMZ is an area in the data center that is accessed by arbitrary users over the Internet, but has some level of protection using Internet firewalls and IPS. The DMZ is separated from the trusted network using a second layer of firewall and IPS.

The layered security architecture must correspond to the virtualization architecture that is implemented in the data center. This is done by mapping virtual networks at layer 2 (L2) and layer 3 (L3) to virtual storage networks and virtual servers. L2 virtual networks are normally implemented with VLANs, while L3 virtual networks are implemented with MPLS VPNs.

In summary, securing data centers is a complex task that requires a detailed security design. This design must provide security at layers 2 through 7 and must be consistent with the logical design and systems requirements in the data center.

4 Juniper Networks Security Product Portfolio

Juniper Networks is a leader in carrier-class routing and network security. Juniper's routers scale from small routers for home offices or small businesses to the largest core Internet routers. Juniper also offers a full range of scalable firewalls, Intrusion Detection and Prevention (IDP) systems, SBCs, and identity and policy management solutions.

Routers

The Juniper Networks intelligent services edge includes the M-series and MX-series routing platforms that provide a broad range of edge functionality to support next-generation applications. Each routing platform supports VLANs, MPLS VPNs, and ACLs for baseline security defenses.


Additional security is available with the MS-DPCs on the MX-series, and the MS-PICs on the M-series. The MS-DPC and MS-PIC support a broad set of IP services and security functions including:

• Session border control (SBC) functions

• Intrusion Detection and Prevention (IDP)

• Deep packet inspection

• Stateful firewall

• Network Address Translation (NAT)

Built-in security mechanisms along with the MS-DPC and MS-PIC capabilities provide a comprehensive security solution available on both the MX- and M-series routing platforms.

In addition, the T-series routers are core routers designed to provide IP scalable routing deep in the core network. T-series routers also leverage the same built-in security and MS-PIC as the M-series routers for the same comprehensive security.

Firewalls and IDP

Juniper Networks has a scalable set of integrated network security devices that are designed for large networks and data centers (See Figure 10). These products have scalable performance and integrated security and routing capabilities. All products have best-in-class capabilities in firewall and IDP.

Figure 10 - Juniper Networks Security Product Family


Firewalls

The top end of the product line is the SRX-series 5600/5800, a highly scalable integrated firewall and IDP for use in data centers and service provider networks. Based on the Dynamic Services Architecture, the SRX-series provides unrivaled scalability. A fully equipped SRX 5800 supports up to 120 Gbps firewall throughput and 30 Gbps IDP throughput.

Juniper Networks NetScreen-5000 series is a line of purpose-built firewall/VPN security systems designed to deliver a new level of high-performance capabilities. NetScreen-5000 security systems integrate firewall, VPN, denial of service (DoS) and DDoS protection, and traffic-management functionality in a low profile, modular chassis. Built around Juniper’s third-generation security ASIC and distributed system architecture, the NetScreen-5000 series offers excellent scalability and flexibility, while providing a higher level security system through Juniper Networks NetScreen ScreenOS® custom operating system.

In addition, the Integrated Security Gateways (ISG) are purpose-built, security solutions that leverage a fourth-generation security ASIC, the GigaScreen3, along with high-speed microprocessors to deliver unmatched firewall and VPN performance. The Juniper Networks ISG 1000 and ISG 2000 are ideally suited for securing carrier and data center environments where advanced applications such as VoIP and streaming media dictate consistent, scalable performance. Integrating best-in-class Deep Inspection firewall, VPN, and DoS solutions, the ISG 1000 and ISG 2000 enable secure, reliable connectivity along with network and application-level protection for critical, high-traffic network segments. The ISG can be upgraded to support integrated IDP to provide robust network and application layer protection against current and emerging threats. Leveraging the same software as found on Juniper Networks IDP platforms, but integrated into ScreenOS, the ISG product family provides a combination of best-in-class firewall, VPN, and IDP in a single solution.

Intrusion Detection and Prevention

Juniper Networks Intrusion Detection and Prevention (IDP) products provide comprehensive and easy-to-use inline protection that stops network and application-level attacks before they inflict any damage to the network, minimizing the time and costs associated with maintaining a secure network. Using industry-recognized stateful intrusion detection and prevention techniques, Juniper Networks IDP provides zero day protection against worms, trojans, spyware, keyloggers, and other malware from penetrating the network or spreading from already infected users.


Session Border Controller

Juniper Networks session border control (SBC) border gateway function (BGF) for JUNOS® software fully integrates voice and multimedia session support onto the M-series M120 and M320 multiservice edge routers and the T-series T640 core router. The SBC BGF runs on MS-PICs which include dedicated hardware accelerators for optimized performance and scalability. The SBC BGF for JUNOS software provides many important VoIP functions such as media gateway control and media latching, NAT and Network Address Port Translation (NAPT) traversal, Differentiated Services code point (DSCP) marking and rate limiting that together ensure the appropriate handling of voice traffic at the access and peer edges of converged IP services networks.

Identity and Policy Management

The Juniper Networks Steel-Belted Radius (SBR) family offers AAA products based on RADIUS standards that provide the performance and reliability to handle any traffic load and fully support any network infrastructure. Designed for both enterprise and service provider networks, SBR products provide uniform security policy enforcement across all network access methods, including wireless LAN (WLAN), remote/VPN, dial up, and identity-based (wired 802.1X). Specialized solutions for service providers also manage subscriber authentication, support any service delivery model, and accelerate time-to-market for new services.

5 Conclusion

Service provider networks are undergoing a massive paradigm shift as networks migrate from legacy circuit switched and closed data networks to converged IP and Carrier Ethernet networks. This shift has created many business opportunities, but also created serious network security vulnerabilities. This network security handbook has explained why security is of critical concern to service providers, described common vulnerabilities, and presented some approaches to securing networks. Network security is critical to service provider operations; a thoughtful and systematic approach must be taken to network security architecture and design, and best-in-class security products must be implemented to optimize defense against threats.


Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

710095 Dec. 2008

Network Security Handbook

Copyright 2008 Network Strategy Partners, LLC. All rights reserved

CORPORATE AND SALES HEADQUARTERS: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888-JUNIPER (888-586-4737) or 408.745.2000. Fax: 408.745.2100. www.juniper.net

CONTACTS: Michael Kennedy in the Boston area: Phone: 978.405.5084, Fax: 978.405.0263. Peter Fetterolf in the San Francisco Bay area: Phone: 510.451.2740, Fax: 978.405.0263