nortel networks portfolio summary cert advisory ca .nortel networks portfolio summary in response

Download Nortel Networks Portfolio Summary CERT Advisory CA .Nortel Networks Portfolio Summary in response

Post on 13-Jun-2018




0 download

Embed Size (px)


  • OverviewSimple Network Management Protocol(SNMP) is a widely deployed protocolcommonly used to monitor and managea wide range of network equipment.Finlands Oulu University SecureProgramming Group (OUSPG) has performed an extensive study on potential SNMP v1 vulnerabilities( findings were recently made publicknowledge through CERT SecurityBulletin CA-2002-03 ( (SNMP Advisory). Thewidespread utilization of SNMP v1combined with public availability of atest suite that could be used to exploitSNMP vulnerabilities has led the infor-mation technology industry to respondto these potential vulnerabilities.

    Product/Service Bulletin

    Nortel Networks Portfolio Summary in response to CERT SNMP vulnerabilities

    Advisory CA-2002-03Version 1.0February 18, 2002

    General description of CERT AdvisoryOn February 12, 2002, CERT, a US federally funded Internet security watchdog organization, issued a global security advisory concerning SNMP v1. The advisory states that network equipmentincluding switches, routers, hubs, printers, and operating systemsmay be vulnerable to an SNMP-related attack that could cause equipment to fail or allow unautho-rized users to take control of it. Simple Network Management Protocol (SNMP) serves as thebasis for software tools that enable administrators to monitor the status and performance,as well to configure, network systems. For example, enabling prioritization of traffic andnetwork traffic flow control by managing the various elements of the network.

    It is important to keep in mind that theinformation technology industry facessecurity issues regularly and has devel-oped common means of dealing withsuch issues. Nortel Networks recom-mends that network owners and opera-tors continue to use currently employedbest practices or adopt those availablefrom many public sources such asCERT.

    A risk analysis should be the first stepundertaken in dealing with this issue andbe a key factor in considering the prior-ity in which mitigating actions are taken.In instances such as this, a networkoperator will typically have to install andtest software patches from many differ-ent vendors of network equipment and

    computing platforms. This process takestime to complete. There are many strate-gies that can be employed to protect thenetwork during this interval to provide asafer environment in which to completenetwork upgrades. Nortel Networksworks with several groups, both privateand public, to develop and communicatepractices and methods for securing net-works. A high-level strategy is outlinedbelow as an example for our customerson how to deal with the potentialSNMP vulnerabilities detailed in theSNMP Advisory.

  • Mitigation strategyIn reading the portfolio-specific productsections of this document, please notethat the vast majority of potentialvulnerabilities exist only in parts of theproduct that should not be accessible tothe public or by untrusted parties. Thatis, the potential vulnerabilities exist inthe private management network. Thismeans that the risk associated with thepotential SNMP vulnerability needs to be analyzed in the context of thepotential vulnerability of externalnetwork protection mechanisms such asfirewalls or other packet filtering mecha-nisms, the option to disable SNMP, the use of more secure managementsystems, and the number of employeesand management stations allowed to bepresent in the network.

    Step 1 Secure the network

    CERT, a center of Internet securityexpertise, has produced information thatcan be useful to diminish the effects of these potential SNMP vulnerabilitiesat the network level. For detailed guide-lines on these actions, specifically relatedto the SNMP Advisory v1 vulnerability,refer to the following Web site: Section III. Solution.

    CERT recommends these solutions befollowed as part of an overall networkrisk assessment and network protectionplan. Implementing strategies as out-lined by CERT should provide a risk-reduced environment in which toconduct the patching process.

    Step 2 Apply patches

    Ensure that software patches from vendors are applied to any affected equipment.

    Perform testing to ensure propernetwork operation.

    Step 3 Review and extend security architectureexample actions

    Revisit actions performed in Step 1 to determine if these steps should remain as part of permanent securitypolicy, e.g. can services turned off remain so permanently?

    Review the network architecture to mitigate future security vulnera-bilities.

    Protect domains of interest and critical computing assets by establishing isolated subnets with firewalls or packet filtering routers.

    Secure the management traffic with encryption technologies or by employing secure management protocols

    Nortel Networks Commitment to CustomersOn February 12, 2002 CERT issuedthe SNMP Advisory. Nortel Networkswas advised of this issue earlier andimmediately created an internal taskforce that has been operating under theconfidentiality requirements of CERTand the U.S. Government. The NortelNetworks team has been evaluating thepotential vulnerabilities outlined in theSNMP Advisory and has been one ofthe companies working closely withCERT in developing a strategy for

    dealing with this issue. At the request ofCERT and the U.S. Government,Nortel Networks has necessarily keptthis matter very confidential.

    Our task force continues its efforts toassess the SNMP Advisory and developan appropriate response plan. We haveundertaken a thorough review of ourproduct portfolio so that appropriateremedies may be put in place to addressthe potential vulnerabilities highlightedin the SNMP Advisory. We have madesignificant progress and have developedthis comprehensive plan outlining on a product-by-product basis whether ornot each product is potentially vulnera-ble to the issues outlined in the SNMPAdvisory. For each product requiringaction, an appropriate action planincluding an expected patch release date when applicableas well as bestpractice guidelines for increasing theproducts security are included.

    Nortel Networks product-by-productplan to the SNMP Advisory follows.This plan will be updated as necessary.


  • Product Portfolio Index

    Optical Long Haul 4

    Metro Optical 5

    Wireless 6

    Enterprise 10

    Circuit Switching 12

    ATM/IP Products 14

    Intelligent Internet 14

    Carrier Voice over Packet 17

    Miscellaneous Products 21


  • Product Affected Status Mitigating practices Software fix available



    - OPTera Connect DX Connection Manager

    - S/DMS TransportNode OC-192- S/DMS TransportNode OC-48- S/DMS TransportNode TN-64X- S/DMS TransportNode TN-16X- S/DMS TransportNode OC-12 TBM

    - S/DMS TransportNode OC-48 OPTeraPacket Edge (OPE)

    - OPTera Connect HDX Connection Manager

    - OPTera Connect PX Connection Manager

    - Preside Site Manager- Preside Application Platform- Preside Trail Manager- Preside Multiterabit Element

    Manager- Preside Optical Applications- Preside Configurable Surveillance

    Adapter- Preside Configurable Trail Adapter

    - Preside IP Device Adapter

    Reason not impacted

    For these products, the SNMP software is delivered as part of a third-party operating system on the OPC (OPerationsController) but it is not used, and it is dis-abled by default. Tests showed that therewas no impact.

    The OPTera Packet Edge (OPE) containsSNMP agent software. The OPE card onthe S/DMS TransportNode OC-48 hasbeen tested and passed.

    This product does not use SNMP.

    This product has not been deployed andthere are no customer impacts.

    These software products do not use an SNMP agent. Even though thethird-party platforms on which they run may be equipped with SNMP agent software, the server platform environment is controlled by the customer. Nortel Networks recommends customers contact thethird-party vendors for recommendedcorrective action.

    Product uses SNMP. All tests have passed.

    Optical Long Haul Optical Long Haul summaryThe impact of the SNMP potential vulnerability on the Optical Long Haulproducts is very limited as most of theseproducts do not use SNMP. The CERTapproved test suite as per the SNMPAdvisory (Test Suite) was utilized. At this time, the only product found to be impacted via the Test Suite is theOPTera Long Haul 4000. The riskposed by the potential vulnerability to the OPTera Long Haul 4000 is lowas the SNMP agent for this product ison the private side of the networkconnected to the customer DCN.

    Products not affected Enclosed is an initial listing of NortelNetworks Optical Long Haul productsnot impacted by the potential vulnera-bilities outlined in the SNMP Advisory.We are continuing to test and evaluateour remaining products and will be pro-viding updates to this document.Additional products may be added tothis list as further product testing iscompleted.

    Optical Long Haulpotentially affected products

    Product Affected Status Mitigating practices Software fix available


    Product is currently underinvestigation but the expectation is that therewill be no impact.Product currently underinvestigation but the expectation is that therewill be no impact.

    Impact has been established; in contactwith third-party software vendor regarding a patch.

    Waiting for investiga-tion/test status.

    Waiting for investiga-tion/test status.

    - OPTera Long Haul 4000Optical Line System

    - S/DMS TransportNodeOC-48 LITE

    - OPTera Long Haul 1600 Optical Line System

    SNMP is on the privateside of the network con-nected to the customer-controlled DCN, whichreduces the risk posed bythis potential vulnerability.On

View more >