
Security Posture for Civilian and Non-civilian Networks

Rao Vasireddy, Steven Wolter, Uma Chandrashekhar, Robert J. Thornberry Jr., and Andrew R. McGee

Network security is dependent upon securing individual components, services, and applications. This is done through the prevention, detection, and correction of threats and attacks that exploit vulnerabilities in the network. Network security must be analyzed using various factors, such as security requirements, the inherent strengths and vulnerabilities of different network technologies, and the processes used to design, deploy, and operate networks. The Bell Laboratories security model provides the framework required to plan, design, and assess the end-to-end security of networks. In this paper, the Bell Labs security model is used to (1) define the basic security needs of civilian and non-civilian networks, (2) examine the security capabilities of various technologies and identify their security strengths and gaps, (3) identify key threat-mitigation strategies for civilian and non-civilian networks, and (4) illustrate the value of a comprehensive framework (e.g., the Bell Labs model) in any security program, whether designed for a civilian or a non-civilian network. © 2004 Lucent Technologies Inc.

Introduction

Network security is dependent upon securing individual components, services, and applications. This is done through the prevention, detection, and correction of attacks or threats that exploit security vulnerabilities. A vulnerability is a security weakness present in a network. A threat can disrupt legitimate network activities if it is able to exploit a vulnerability. Recent worldwide threats (e.g., viruses and worm attacks like Slammer) show that network security must be analyzed by considering a variety of factors, e.g., the security policy, the requirements, the inherent strengths and weaknesses of different network technologies, and the processes used to plan, design, deploy, and operate networks. A continuous, ongoing security design and implementation program that focuses on the prevention, detection, and correction of threats and vulnerabilities is essential for maintaining secure networks. Here we discuss the value of security strategy and planning in minimizing the vulnerabilities and identifying mitigation strategies for both civilian and non-civilian networks.

Bell Labs Technical Journal 8(4), 187–202 (2004) © 2004 Lucent Technologies Inc. Published by Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/bltj.10095

Civilian and Non-civilian Networks

The terms civilian networks and non-civilian networks, as used in this paper, refer to communications networks that are used by private corporations (e.g., network operators) and government agencies, respectively. Non-civilian networks consist of a variety of organizations, each of which may have varying functional roles and responsibilities. These roles and responsibilities can vary from public information dissemination to national security and defense-related matters. Non-civilian networks require communication interfaces not only between internal organizations, but also with external civilian networks. The interconnection requirements and varying organizational roles determine the security requirements and day-to-day operations of such networks.

Panel 1. Abbreviations, Acronyms, and Terms

3DES—triple data encryption standard
AES—advanced encryption standard
ATM—asynchronous transfer mode
CAIDA—Cooperative Association for Internet Data Analysis
CERT—Computer Emergency Response Team
CIO—chief information officer
DCN—data communications network
DES—data encryption standard
DoS—denial of service
ENISA—European Network and Information Security Agency
ETSI—European Telecommunications Standard Institute
FCAPS—fault, configuration, accounting, performance, and security
FIPS—Federal Information Processing Standard
FR—frame relay
GigE—gigabit Ethernet
HIPAA—Health Insurance Portability and Accountability Act
IDS—intrusion detection system
IEC—International Electrotechnical Commission
IETF—Internet Engineering Task Force
IP—Internet protocol
ISO—International Organization for Standardization
IPSec—Internet protocol security
IRS—Internal Revenue Service
ISDN—integrated services digital network
IT—information technology
ITU—International Telecommunication Union
KG—cryptographic device
L2TP—layer 2 tunneling protocol
LAN—local area network
NASA—National Aeronautics and Space Administration
NIAP—National Information Assurance Partnership
NIST—National Institute of Science and Technology
NSA—National Security Agency
PKI—public key infrastructure
PSTN—public switched telephone network
RADIUS—remote authentication dial-in user service
RBAC—role-based access controls
SMS—service management system
SNMP—simple network management protocol
SP—service provider
TMN—telecommunications management network
ToD—time of day
VPN—virtual private network
WAN—wide area network

Network Infrastructure

Civilian and non-civilian communications networks use both private and shared public network infrastructure to provide services. Many common network technologies (e.g., Wi-Fi [for example, 802.11], frame relay [FR], asynchronous transfer mode [ATM], Internet protocol [IP], gigabit Ethernet [GigE], and virtual private network [VPN]) and common security mechanisms (e.g., firewalls, encryption, and policy-based authentication) are used by both civilian and non-civilian networks. However, both security policies [4] and the degree to which they are enforced differ in civilian and non-civilian networks. Furthermore, different applications and different user groups require varying levels of security in both civilian and non-civilian networks.

Security assessment results obtained during a given time period provide an indication of the security posture of a network and how well the policies are enforced. A desirable assessment would look at both the strategic and the tactical aspects of security. The strategic aspect deals with such things as how well the network responds to unwanted external or internal queries from unauthorized users. The tactical aspect deals with such things as whether or not the network allows unauthorized external or internal queries to occur.

Different security postures can be expressed in terms of the specific network technologies, the security policies, and the operational procedures of a network. Non-civilian networks often have more stringent requirements than civilian networks. Non-civilian network security policies address issues that vary from information dissemination to national security and military concerns. These wide-ranging security requirements are satisfied by employing dedicated (non-civilian) as well as shared (with civilian networks) network infrastructure. However, the shared infrastructure increases the exposure of potential vulnerabilities (e.g., simple network management protocol [SNMP] weakness) to internal as well as external threats. The security mechanisms to mitigate the potential vulnerabilities can be incorporated into requirements for each of the security classification levels for civilian and non-civilian networks.

Security Classification Levels

Network operators or enterprise organizations that are responsible for running civilian networks usually implement the following security classification levels (from highest to lowest): confidential, private, sensitive, and public. The military and government organizations responsible for running non-civilian networks usually implement the following security classification levels (from highest to lowest): top secret, secret, confidential, sensitive but unclassified, and unclassified data. Whether the network is civilian or non-civilian, these levels each have a set of requirements that must be developed into security policies and techniques that can be successfully implemented and controlled. Some of the factors that determine which classification level should apply to the data in a network or access to network resources include the value of the data, potential damage due to data disclosure or modification, legal requirements, and associated liabilities.

Typically, non-civilian networks, because they contain data that must be kept secret, have much more stringent requirements for data confidentiality, integrity, non-repudiation, and communication security than do civilian networks. These different requirements and the differences between the security classification level structures of civilian and non-civilian networks dictate the types of technology and operational procedures that must be implemented. Appropriate management personnel must approve the technology and the operational procedures. Data custodians must be assigned the responsibility of implementing the controls and performing the procedures required to maintain the appropriate level of security at all times.

Network Topology

Many civilian networks (e.g., large enterprise networks) have geographically dispersed locations that are connected by wide area network (WAN) links. Access to the network and the WAN links is usually provided by service providers (SPs), who are also responsible for WAN security. The security features (e.g., access controls and communication security [5]) are predetermined by the service options and agreements between the enterprise and the service provider.

Like civilian networks, non-civilian networks may also be dispersed over a wide geographic area and they may serve the needs of several organizations (e.g., the Internal Revenue Service [IRS], the intelligence communities, and defense). In some instances, non-civilian networks share a service provider's transport network (e.g., the public switched telephone network [PSTN] and IP) with civilian networks, allowing them to reach a large number of people nationwide or around the globe. Figure 1 shows a typical network topology that can be applied to both civilian and non-civilian networks. Each enterprise local area network (LAN) in Figure 1 can be viewed as representing either a corporate or a non-civilian data or operations center in a given location. Depending upon the service requirements, these enterprise sites may be interconnected by a service provider's network. Different enterprise sites may belong to the same corporate entity or to a partner or customer. The access and interconnecting WAN links may be dedicated or shared among many customers. Application and service security requirements determine the degrees of logical separation between different traffic flows. Policy specifications that require the implementation of confidentiality, privacy, integrity, non-repudiation, availability, and prevention of replication of data will have a direct bearing on the security capabilities of the networks and services [2].

Figure 1. Network topology. [Figure not reproduced. It shows several enterprise LANs, each behind a DMZ, reached over access networks and routers (R) and interconnected through a service provider's WAN, with dedicated and shared facilities, operations support, and direct Internet access. DMZ—demilitarized zone; LAN—local area network; R—router; WAN—wide area network.]

It is essential to ensure that both operations activities and infrastructure are secure at all times. Because of the trend toward self-provisioning and monitoring services using a Web portal and dial-up provisioning systems, both network operators and end users are more aware of the operations support functions and the importance of security than they used to be. Security posture assessment must identify capabilities, vulnerabilities, probable threats, and mitigation strategies to address security breaches of both infrastructure and operations networks.

Currently, security assessment is an exercise in which information about network elements, services, and applications is obtained from various sources. This information, along with security assessment tools and techniques, is used to discover and analyze potential vulnerabilities and threats. The typical focus of such an assessment is on vulnerabilities in individual network elements. However, to cover the entire security life cycle of a network and associated services, a holistic approach that evaluates the security of user, control, and management traffic flows in the network under different usage scenarios is required. The Bell Laboratories security model [5], which is briefly described in the following section, presents a comprehensive approach to security. This approach allows specific security requirements and nuances to be addressed in both civilian and non-civilian networks.

Security Posture and the Bell Labs Security Model

Bell Labs has developed a security model [5] to address the security of networks and services (see Figure 2). This model is used to plan and implement security from the concept development, design, and implementation of networks to their on-going operations and maintenance. The model provides a methodology to analyze security capabilities in multiple security layers and planes. The security layers in the model are the infrastructure, services, and applications layers. The security planes are the end user, management, and control planes. The Bell Labs security model analyzes the security impact on these layers and planes using the following security dimensions: access management or access control, authentication, non-repudiation, data confidentiality, communication security, integrity, availability, and privacy. The example in Table I shows the areas covered for the end-user plane when the three different security layers for the eight security dimensions are analyzed. The reader is encouraged to refer to the paper on the Bell Labs security framework [5] listed in the references for detailed information.

Figure 2. Bell Labs security model. [Figure not reproduced. It arranges three security layers (infrastructure security, service security, application security) against three security planes (end user plane, control plane, management plane), each analyzed along eight security dimensions (access management, authentication, non-repudiation, data confidentiality, communication security, integrity, availability/reliability, privacy). Vulnerabilities can exist in each layer and each plane; the types of threats and attacks shown are interruption, fabrication, interception, and modification.]

The network security dimensions used in the Bell Labs model are defined as follows:

• Access management or access control ensures that only authorized personnel or devices are allowed access to network elements, stored information, information flows, services, and applications. In addition, strong accountability provides a non-repudiable means to correlate actions with individuals or devices. Finally, different access levels guarantee that individuals and devices can only gain access to network elements, stored information, and information flows for which they have authorization.

• Authentication is used to confirm the identities of communicating entities. Authentication ensures the validity of the claimed identities of the communicating entities (e.g., people, devices, services, and applications) and provides assurance that an entity is not attempting a masquerade or an unauthorized replay of a previous communication. The authentication security dimension addresses the fabrication security threat.

• Non-repudiation provides proof of the origin of data or the cause of an event or an action. It ensures the availability of evidence that can be used to prove that some kind of event or action has taken place, so that the cause of the event or action cannot be repudiated later. The non-repudiation security dimension also addresses the fabrication security threat.

• Data confidentiality or data security ensures that data is kept private and prevents unauthorized access or viewing. Encryption is normally used to keep data secure.

• Communication security ensures that information flows only between the authorized endpoints and that it is not diverted or intercepted as it flows between these endpoints.

• Data integrity ensures the correctness or accuracy of data by preventing unauthorized modifications, deletions, creations, and replications and provides an indication of unauthorized activities in these areas.

Table I. Bell Labs security framework—end-user plane and security layers.

Security dimension: Access management
  Infrastructure layer: Controls access to individual network elements or transmission facilities.
  Services layer: Controls access to network services.
  Applications layer: Controls access to network-based applications.

Security dimension: Authentication
  Infrastructure layer: Confirms identity of person attempting to access individual network elements or transmission facilities.
  Services layer: Confirms identity of person attempting to access network services.
  Applications layer: Confirms identity of person attempting to access network applications.

Security dimension: Non-repudiation
  Infrastructure layer: Maintains a record of activities performed by each person who has accessed individual network elements or transmission facilities.
  Services layer: Maintains a record of activities performed by each person who has accessed network services.
  Applications layer: Maintains a record of activities performed by each person who has accessed network applications.

Security dimension: Data confidentiality
  Infrastructure layer: Protection against the unauthorized reading of data stored on individual boxes.
  Services layer: Protection against the unauthorized reading of data as it traverses the network.
  Applications layer: Protection against the unauthorized reading of data as it is being processed or generated by an application.

Security dimension: Communication security
  Infrastructure layer: Protection against the incorrect installation of cables.
  Services layer: Data is not diverted or intercepted as it traverses the network.
  Applications layer: Data is only transmitted between authorized applications and endpoints.

Security dimension: Integrity
  Infrastructure layer: Protection against unauthorized creation, modification, and deletion of data stored on individual network elements.
  Services layer: Protection against unauthorized creation, modification, and deletion of data as it traverses the network.
  Applications layer: Protection against unauthorized creation, modification, and deletion of data by applications.

Security dimension: Availability
  Infrastructure layer: Individual network element is available.
  Services layer: Network service is available.
  Applications layer: Application is available.

Security dimension: Privacy
  Infrastructure layer: Information about individual network elements (e.g., IP addresses) is kept private.
  Services layer: Information about services being used by end users is kept private.
  Applications layer: Information about applications being accessed by end users is kept private.

• Availability ensures that there is no denial of authorized access to network elements, stored information, information flows, services, and applications. Disaster recovery solutions are included in this dimension.

• Privacy ensures that confidential information (e.g., account information stored by the service provider and usage or location information pertaining to the end user) is not accessible by unauthorized personnel or devices.

When a security analysis is performed for non-civilian networks, it will be noted that some security dimensions (e.g., data security and privacy) will have stricter requirements than others, whereas in civilian networks this would only be true if the network included health, financial, or other industry applications that require strict security measures.
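The layer/plane/dimension analysis described above can be carried out mechanically: the following Python, an added example and not code from the paper or from Bell Labs, records an inventory of implemented controls against the model's 72 cells and lists the uncovered ones, flagging gaps in the two dimensions the paper ties to the fabrication threat and, for a non-civilian network, in the dimensions it says carry stricter requirements. The control inventory is constructed for illustration.

```python
"""Coverage-gap analysis over the Bell Labs security model (added example).

Three layers x three planes x eight dimensions give 72 cells. Each implemented
control is recorded against the cells it covers; whatever remains is a gap.
"""
from itertools import product

LAYERS = ("infrastructure", "services", "applications")
PLANES = ("end user", "management", "control")
DIMENSIONS = (
    "access management", "authentication", "non-repudiation",
    "data confidentiality", "communication security", "integrity",
    "availability", "privacy",
)
# The paper states that authentication and non-repudiation address the
# fabrication threat; no other dimension-to-threat mapping is assumed here.
FABRICATION_DIMENSIONS = frozenset({"authentication", "non-repudiation"})
# Dimensions the paper says carry stricter requirements in non-civilian networks.
NON_CIVILIAN_STRICT = frozenset({
    "data confidentiality", "integrity", "non-repudiation", "communication security",
})


def all_cells():
    """Every (layer, plane, dimension) cell of the model."""
    return set(product(LAYERS, PLANES, DIMENSIONS))


def covered_cells(controls):
    """Cells covered by an inventory of controls. Unknown layer, plane or
    dimension names are rejected so a typo cannot silently count as coverage."""
    covered = set()
    for ctl in controls:
        if ctl["layer"] not in LAYERS:
            raise ValueError(f"{ctl['name']}: unknown layer {ctl['layer']!r}")
        if ctl["plane"] not in PLANES:
            raise ValueError(f"{ctl['name']}: unknown plane {ctl['plane']!r}")
        for dim in ctl["dimensions"]:
            if dim not in DIMENSIONS:
                raise ValueError(f"{ctl['name']}: unknown dimension {dim!r}")
            covered.add((ctl["layer"], ctl["plane"], dim))
    return covered


def coverage_gaps(controls):
    """Sorted list of cells no control covers."""
    return sorted(all_cells() - covered_cells(controls))


def gaps_by_plane(controls):
    """Number of uncovered cells in each security plane."""
    gaps = coverage_gaps(controls)
    return {plane: sum(1 for _layer, p, _dim in gaps if p == plane) for plane in PLANES}


def fabrication_exposure(controls):
    """Gap cells whose missing dimension is one the paper says counters fabrication."""
    return [g for g in coverage_gaps(controls) if g[2] in FABRICATION_DIMENSIONS]


def priority_gaps(controls, non_civilian):
    """Gaps to close first: for a non-civilian network, the dimensions with
    stricter requirements; for a civilian network, every gap is returned."""
    gaps = coverage_gaps(controls)
    if not non_civilian:
        return gaps
    return [g for g in gaps if g[2] in NON_CIVILIAN_STRICT]


# Constructed sample inventory; the control names are illustrative, not from the paper.
SAMPLE_CONTROLS = [
    {"name": "RADIUS login on network elements", "layer": "infrastructure",
     "plane": "management", "dimensions": ["authentication", "access management"]},
    {"name": "Central audit log collector", "layer": "infrastructure",
     "plane": "management", "dimensions": ["non-repudiation"]},
    {"name": "IPSec VPN service", "layer": "services", "plane": "end user",
     "dimensions": ["data confidentiality", "communication security", "integrity"]},
    {"name": "DMZ firewall", "layer": "infrastructure", "plane": "end user",
     "dimensions": ["access management"]},
    {"name": "Redundant WAN links", "layer": "infrastructure", "plane": "end user",
     "dimensions": ["availability"]},
    {"name": "Authenticated routing-protocol neighbours", "layer": "infrastructure",
     "plane": "control", "dimensions": ["authentication", "integrity"]},
]

if __name__ == "__main__":
    print(f"{len(coverage_gaps(SAMPLE_CONTROLS))} of {len(all_cells())} cells uncovered")
    print("gaps by plane:", gaps_by_plane(SAMPLE_CONTROLS))
    print("fabrication-related gaps:", len(fabrication_exposure(SAMPLE_CONTROLS)))
    for layer, plane, dim in priority_gaps(SAMPLE_CONTROLS, non_civilian=True)[:5]:
        print(f"  close first: {dim} in the {layer} layer, {plane} plane")
```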

Security Capabilities of Networks

Network security is designed and implemented using a distributed architecture. Security is functionally implemented in different network elements, management/application servers, and firewalls that are distributed throughout the network. Network design should begin with security as part of the design criteria. The design process should translate the security policies into verifiable technology implementations that enforce rules on how to access, use, and modify network resources. These implementations, in addition to providing security, will reduce churn and tradeoffs involving performance and security, thereby reducing the cost of managing both civilian and non-civilian networks.

Vulnerabilities and threats can originate from various internal and external sources. Analysts estimate that virus attacks alone caused $17 billion in damages during 2002 [10]. Viruses are well-known threats, but there are also other kinds of attacks on the infrastructure. To implement network security, a defense-in-depth strategy should be employed that addresses security threats from internal and external sources. The level of security required for civilian and non-civilian networks depends on the nature of the services supported on the network, the applications that may be accessed using the network, and security classification levels. Security classification levels imply that different groups of individuals are allowed to access different network resources with different privilege levels. Privilege levels define who can access which network resources at a given time and location. Applying the principle of least privilege ensures that minimum privilege levels are applied to enable tasks performed by specific groups, thus minimizing security risk. Privilege levels are applicable to both network administrators and end users. In the following sections security requirements for civilian and non-civilian networks are discussed.
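The classification ladders given under Security Classification Levels and the privilege levels described here combine into a single access decision. The Python below is an added illustration, not the paper's or Bell Labs' code; its roles, operations, subjects, resources and cross-network level mapping are constructed. It also covers the interconnection case the paper raises: because "confidential" sits at a different height on the two ladders, a request that crosses networks is refused unless an explicitly approved mapping translates the level.

```python
"""Classification-level access decisions for civilian and non-civilian networks.

Added example: models the two ladders listed in the paper, clearance dominance,
role-based least privilege and an audit record for every decision. The roles,
operations, subjects, resources and mapping below are constructed illustrations.
"""
from dataclasses import dataclass

# Ladders as listed in the paper, written lowest to highest so the index is the rank.
LADDERS = {
    "civilian": ("public", "sensitive", "private", "confidential"),
    "non-civilian": ("unclassified", "sensitive but unclassified",
                     "confidential", "secret", "top secret"),
}

# Least privilege: each role is granted only the operations its tasks need (constructed).
ROLE_OPERATIONS = {
    "end user": frozenset({"read"}),
    "data custodian": frozenset({"read", "write"}),
    "network administrator": frozenset({"read", "configure"}),
}


@dataclass(frozen=True)
class Subject:
    name: str
    network: str      # which ladder the clearance belongs to
    clearance: str
    role: str


@dataclass(frozen=True)
class Resource:
    name: str
    network: str      # which ladder the classification belongs to
    classification: str


def rank(network, level):
    """Position of a level on its own ladder; a level is meaningless off its ladder."""
    ladder = LADDERS[network]
    if level not in ladder:
        raise ValueError(f"{level!r} is not a {network} classification level")
    return ladder.index(level)


def check_access(subject, resource, operation, audit, mapping=None):
    """Return True if the request is permitted and append a record to `audit`.

    `mapping` is an optional, explicitly approved policy that translates a
    foreign (resource.network, classification) pair onto the subject's ladder.
    Without it a cross-network request is refused outright rather than compared
    by level name, because the two ladders are not comparable.
    """
    classification = resource.classification
    granted, reason = False, ""
    if subject.network != resource.network:
        key = (resource.network, resource.classification)
        if mapping is None or key not in mapping:
            reason = "cross-network request with no approved level mapping"
        else:
            classification = mapping[key]
    if not reason and operation not in ROLE_OPERATIONS.get(subject.role, frozenset()):
        reason = f"role {subject.role!r} is not permitted to {operation}"
    if not reason and rank(subject.network, subject.clearance) < rank(subject.network, classification):
        reason = f"clearance {subject.clearance!r} does not dominate {classification!r}"
    if not reason:
        granted, reason = True, "clearance dominates classification; role permits operation"
    # Every decision, granted or not, is recorded so actions can be tied to a subject.
    audit.append({"subject": subject.name, "resource": resource.name,
                  "operation": operation, "granted": granted, "reason": reason})
    return granted


# Constructed mapping: which non-civilian levels a civilian partner may see, and as what.
SAMPLE_MAPPING = {
    ("non-civilian", "unclassified"): "public",
    ("non-civilian", "sensitive but unclassified"): "sensitive",
}

ANALYST = Subject("analyst", "non-civilian", "secret", "end user")
CLERK = Subject("clerk", "non-civilian", "sensitive but unclassified", "data custodian")
PARTNER = Subject("partner", "civilian", "confidential", "end user")
PLAN = Resource("ops-plan", "non-civilian", "confidential")
BULLETIN = Resource("bulletin", "non-civilian", "unclassified")

if __name__ == "__main__":
    log = []
    check_access(ANALYST, PLAN, "read", log)                      # granted
    check_access(ANALYST, PLAN, "write", log)                     # denied: role
    check_access(CLERK, PLAN, "read", log)                        # denied: clearance
    check_access(PARTNER, PLAN, "read", log)                      # denied: no mapping
    check_access(PARTNER, BULLETIN, "read", log, SAMPLE_MAPPING)  # granted via mapping
    for entry in log:
        verdict = "GRANT" if entry["granted"] else "DENY"
        print(f"{verdict:5} {entry['subject']:8} {entry['operation']:5} "
              f"{entry['resource']:9} {entry['reason']}")
```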

Civilian Networks

Figure 3 shows a typical civilian network. Examples of such networks are the Internet and the networks belonging to various service providers and corporations. The security capabilities protect network resources such as the network elements, customer premises equipment, applications, and data. To protect users, data, and network elements from the threats that can occur in the different planes and layers described in the Bell Labs security model, security capabilities should be distributed throughout the network to implement access management, authentication, non-repudiation, data confidentiality, communication security, integrity, availability, and privacy.

The security requirements for civilian networks are application dependent; security requirements required for an Internet access service are different from those required for an IP VPN service. A civilian network should be capable of supporting different security requirements for various services at the same time, even when a common infrastructure is used to support those services.

Security policy. An end-to-end network connection consists of several network segments that belong to one or more organizations in enterprises, service providers/network operators, and application service providers. Security policies for these network segments are different, because the segments are owned and operated by different entities. The initial security needs of the organizations determine what types of policies should be created and enforced. These, in turn, should be compatible with the security requirements that are implemented in the network for a service that spans all these network segments. To evaluate security in this scenario it is necessary to assess all the relevant aspects of both the network and the associated services and operations.

Security for management traffic. Network management includes the functions of fault, configuration, accounting, performance, and security (FCAPS) management. FCAPS security is critical to ensure uninterrupted service availability. FCAPS support infrastructure and application security—from both internal and external threats—should be included as a part of the security policy. To ensure that networks can be configured, monitored, and restored in accordance with the security policy, it is necessary to have a logically separate data communications network (DCN) for FCAPS. Security methods and procedures for network interfaces, role-based access controls (RBAC), and public key infrastructure (PKI) for telecommunications management networks (TMNs) help ensure operations network security. International Telecommunication Union (ITU) TMN [1, 9] standards specify the capabilities required for operations security and the means of implementing them.

Figure 3. Typical civilian network with security capabilities distributed throughout the network. [Figure not reproduced. It shows customer premises at several locations (SOHO, dial-up access via a RAS, xDSL via a DSLAM, dedicated or remote access) connecting through SP access networks and router/firewalls (IPSec/IP/PPP, IPSec/IP/ATM, IP/FR, IP/ATM) to the SP core (IP, MPLS, ATM, …); the SP service/network management side holds EMS, NMS and SMS systems, AAA, DNS and DHCP servers, a certificate authority and a policy server, and SP/3rd-party application servers (Web, mail, database). AAA—authentication, authorization, accounting; ATM—asynchronous transfer mode; CA—certificate authority; DHCP—dynamic host configuration protocol; DNS—domain name server; DSLAM—digital subscriber line access multiplexer; EMS—element management system; FR—frame relay; FW—firewall; IP—Internet protocol; IPSec—Internet protocol security; MPLS—multiprotocol label switching; NMS—network management system; PPP—point-to-point protocol; R—router; RAS—remote access server; SMS—service management system; SOHO—small office home office; SP—service provider; VPN—virtual private network; xDSL—digital subscriber line.]

User profiles. User profiles establish privilege levels and authentication mechanisms that are required to implement multi-tiered, restricted access to network resources and applications. Proper design and implementation of user profiles provides a flexible, multi-tiered authentication capability to enforce security requirements and apply appropriate encryption methods, e.g., traffic originating from a given user could always be encrypted and records could be stored in a log file for audit purposes (a basic requirement for meeting the data security, integrity, and non-repudiation dimensions of the Bell Labs model) if the user profile demands such features.

Audits/reports. A verification and alarm capability makes it possible to monitor how well network security is functioning. Audit logs are created by network technologies such as authentication systems, proxies, firewalls, and intrusion detection systems (IDSs). Automation and centralization of audit logs is a valuable capability for analyzing network activity and threats.

Non-civilian Networks

Non-civilian network policy has the intent of using standards-based interfaces and protocols where practical to maximize interoperability with commercial and other governmental organizations and to minimize the cost of deployment and operations. Formerly, when commercially available technology was not mature or was not available, non-civilian agencies like the Navy would develop custom or proprietary communications protocols and networks to support their mission. Although this approach works, it can be far more costly to implement, secure, manage, and maintain over the life of the system than a commercially available service. As network security technology matured, civilian and non-civilian agencies adopted an approach to security design that not only optimizes cost, but also encourages standards-based interoperability between different networks.

Security complexity grew as non-civilian agencies started to inter-network numerous communications protocols. The federal government, for example, uses numerous network protocols and technologies, including ATM, IP, FR, integrated services digital network (ISDN), leased circuit, optical, satellite, and, in some cases, customized network technologies. Each of these technologies has its own unique security vulnerabilities. In addition, the need to store data securely and process a large volume of data efficiently amplifies the security capabilities the government must possess to conduct business securely.

The idea that the federal government could oper-

ate an interwoven network with unified security pro-

files based on a single, cohesive security architecture

is a misconception. Like most large organizations, the

federal government operates an interwoven network

with security profiles defined by numerous sub-

organizations (e.g., the Army, the Navy, the IRS, the

National Aeronautics and Space Administration

[NASA], and the National Security Agency [NSA]).

As a result, the federal network is better imagined as

having dozens of chief information officers (CIOs)

independently funding the network interoperability

and security requirements of their organizations. At

first glance, this may appear to make providing secu-

rity impossible.

Recognizing the need for an overarching, sys-

tematic process to make government computer net-

works secure, the NSA and the National Institute of

Science and Technology (NIST) have developed a

series of documents detailing design constructs, doc-

umentation methods, and auditing processes for

network and computer systems. Developing the tax-

onomy of network security is arguably one of the

biggest contributions the government has made to

network and computer security. The other area of net-

work security to which both Bell Labs and the gov-

ernment have made important contributions is the

research and development of cryptographic devices,

key exchange methods, algorithms, and protocols for

secure communications [7]. This framework allows

organizations with differing security requirements to

tailor individual solutions to meet their threat profile.

In conjunction with the Bell Labs security model,

techniques, and methodology, this framework can

address all aspects of security.

Non-civilian networks (e.g., the IRS network)

that deal with less stringent security requirements

find that commercial-grade encryption (e.g., triple

data encryption standard [3DES] and advanced

encryption standard [AES]) is sufficient for their

threat profile. The federal government has been

instrumental in establishing accreditation programs

for commercial security products. A noteworthy

example of this is the National Information Assurance

Partnership (NIAP), a joint NSA and NIST project that

has established the Common Criteria evaluation and

validation process for commercial security products.

Separately, NIST maintains cryptographic standards

and coordinates validation programs, including the

FIPS-140 cryptographic module and the algorithm

validation program.

Together, the Bell Labs security framework and

the governmental security certification processes can

provide integrated security that could not be provided

by addressing and securing individual technologies

and protocols separately.

Page 10: Security posture for civilian and non-civilian networks

196 Bell Labs Technical Journal

Mitigation Strategies to Address Vulnerable Network Technologies

Mitigation strategies are designed to prevent or reduce the exploitation of security vulnerabilities and deter attackers. Networks typically employ firewalls, authentication mechanisms, and host- and network-based intrusion-detection systems for threat mitigation. Source address spoofing is filtered at the network peering points. Demilitarized zones reduce the impact of denial of service (DoS) attacks on publicly accessed applications (e.g., Web servers).
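The source-address filtering at peering points mentioned above, as an added example written for this edit (not code from the paper or from Bell Labs): a Python model of the ingress check a customer-edge or peering router applies. The interface names, prefix assignments, bogon list and sample packets are constructed; the rule is that a packet arriving on a customer interface must carry a source inside that customer's prefixes, a packet arriving from an upstream peer must not claim one of our own prefixes, and reserved or private ranges must never appear as a source on a public link.

```python
"""Source-address anti-spoofing (ingress) filter at a network edge.

Added example for this edit, not from the paper. Interface names, prefix
assignments and the sample packets are constructed.
"""
import ipaddress

# Constructed topology: the prefixes legitimately sourced behind each interface.
# An empty list marks an external peering interface, where any source is
# acceptable except our own address space and bogon ranges.
EXPECTED_SOURCES = {
    "customer-a": ["203.0.113.0/24"],
    "customer-b": ["198.51.100.0/24"],
    "peer-upstream": [],
}
INTERNAL_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]
# Address ranges that should never appear as a source on a public link.
BOGON_PREFIXES = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]

def _in_any(addr, prefixes):
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def ingress_verdict(interface, src):
    """Return "accept" or "drop:<reason>" for a packet with source `src`
    arriving on `interface`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:malformed-source"
    if addr.version != 4:
        return "drop:unsupported-version"   # the example models IPv4 only
    if _in_any(addr, BOGON_PREFIXES):
        return "drop:bogon-source"
    expected = EXPECTED_SOURCES.get(interface)
    if expected is None:
        return "drop:unknown-interface"
    if expected:
        # Customer-facing interface: only that customer's prefixes may appear.
        return "accept" if _in_any(addr, expected) else "drop:source-not-behind-interface"
    # External peering: our own prefixes can only originate inside, so a
    # packet claiming one of them from outside is spoofed.
    if _in_any(addr, INTERNAL_PREFIXES):
        return "drop:internal-source-from-outside"
    return "accept"

def filter_packets(packets):
    """Apply the verdict to (interface, src) pairs and return the dropped
    ones with their reason, which is what an operator would log and count."""
    dropped = []
    for iface, src in packets:
        verdict = ingress_verdict(iface, src)
        if verdict != "accept":
            dropped.append((iface, src, verdict))
    return dropped

# Constructed sample traffic: two legitimate packets and three spoofed ones.
SAMPLE_PACKETS = [
    ("customer-a", "203.0.113.5"),
    ("customer-a", "198.51.100.9"),
    ("customer-b", "10.1.2.3"),
    ("peer-upstream", "192.0.2.77"),
    ("peer-upstream", "203.0.113.200"),
]

if __name__ == "__main__":
    for entry in filter_packets(SAMPLE_PACKETS):
        print(entry)
```

The two directions matter equally: the customer-side check stops spoofed packets from leaving the network, and the peering-side check stops packets that impersonate internal hosts from entering it.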

Civilian Networks

Figure 4 shows a set of key mitigation techniques for civilian networks. This list does not cover all of the security technologies and mitigation strategies used in civilian networks. These techniques should be augmented by security best practices. These mitigation strategies are common to enterprise networks, WANs, and SP networks. Security policy enforcement and training are critical for the effective implementation of mitigation strategies. The mitigation strategy relies upon proper security design, implementation of industry best practices, audit, and training programs. Mitigation techniques such as firewalls, IDS, password protection, virus scanning, and alarms are required throughout networks to protect infrastructure, operations, and user data, e.g., firewall maintenance should, at a minimum, include proper updates of security patches, applications, and the host operating system. Whenever a network configuration is changed, a review of firewall policy should be made mandatory. To keep a network secure, it is also necessary to keep track of the latest security vulnerabilities [3] and vendor advisories and to implement the mitigation techniques suggested by the Computer Emergency Response Team Coordination Center* (CERT*/CC), Cooperative Association for Internet Data Analysis (CAIDA), and NIST organizations. The automatic identification and download of new patches needed for updates to components (i.e., a system similar to a service management system [SMS] capability at the client/server level) should be enforced. Periodic audits that evaluate how the security policies are implemented can provide an ongoing assessment of security posture.
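The mandatory firewall policy review after a configuration change, as an added example written for this edit (not from the paper, from Bell Labs or from any firewall vendor): a Python checker over a constructed, vendor-neutral rule format with first-match semantics. It makes the three checks that should accompany every policy change: overly broad allow rules, rules shadowed by an earlier rule (and therefore dead), and a missing final default deny. The `Rule` format and the sample policy are assumptions of the example.

```python
"""Firewall rule-base review, the check to re-run whenever the network
configuration changes.

Added example for this edit, not from the paper or any vendor. The rule
format and the sample policy are constructed: an ordered list of rules
with first-match semantics, as most packet filters evaluate them.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: str    # "443", "1024-65535" or "any"

ANY_NET = "0.0.0.0/0"

def _port_range(spec):
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`.
    Used for shadowing: an earlier rule that covers a later one means the
    later rule can never fire under first-match evaluation."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src)):
        return False
    if not ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)):
        return False
    out_lo, out_hi = _port_range(outer.dport)
    in_lo, in_hi = _port_range(inner.dport)
    return out_lo <= in_lo and in_hi <= out_hi

def review(rules):
    """Return (rule name, finding) pairs for the three checks a policy
    review should always make: overly broad allows, shadowed rules, and
    a missing final default deny."""
    findings = []
    for i, rule in enumerate(rules):
        if (rule.action == "allow" and rule.src == ANY_NET
                and rule.proto == "any" and rule.dport == "any"):
            findings.append((rule.name, "overly permissive: any protocol and port from any source"))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, "shadowed by earlier rule '%s'" % earlier.name))
                break
    catch_all = Rule("_", "deny", "any", ANY_NET, ANY_NET, "any")
    if not rules or rules[-1].action != "deny" or not covers(rules[-1], catch_all):
        findings.append(("policy", "missing final default-deny rule"))
    return findings

# Constructed sample policy containing two classic mistakes.
SAMPLE_POLICY = [
    Rule("web-in", "allow", "tcp", ANY_NET, "192.0.2.10/32", "443"),
    Rule("dmz-any", "allow", "any", ANY_NET, "192.0.2.0/24", "any"),   # far too broad
    Rule("mail-in", "allow", "tcp", ANY_NET, "192.0.2.25/32", "25"),    # never reached
    Rule("mgmt-ssh", "allow", "tcp", "198.51.100.0/24", "192.0.2.1/32", "22"),
    Rule("default", "deny", "any", ANY_NET, ANY_NET, "any"),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_POLICY):
        print("%-10s %s" % (name, finding))
```

Shadowing is the finding that a manual review most often misses: `mail-in` and `mgmt-ssh` look reasonable in isolation, but the broad `dmz-any` rule above them means they never take effect, so the policy is far more permissive than the rule names suggest.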

Figure 4. Sample mitigation strategies for civilian networks. (Enterprise LANs behind firewalls (FW) and routers (R), with DMZs, connected to the Internet, a WAN and operations support. Listed techniques: 1. IDS (network, host); 2. FW rules, filters; 3. Prevent source address spoofing; 4. Strong authentication; 5. Encryption; 6. DMZ design, DNS; 7. IP address management; 8. Patch management; 9. Virus scanning; 10. Single sign-on, role-based access control; 11. OS/server hardening; 12. Logs, 3rd-party security audits; 13. Password management; 14. Training. DMZ—Demilitarized zone; DNS—Domain name server; FW—Firewall; IDS—Intrusion detection system; IP—Internet protocol; LAN—Local area network; OS—Operating system; R—Router; WAN—Wide area network.)

Figure 5. Cryptographic link encryption. (Two secret enclaves, each consisting of PCs, a switch, a router and a KG, joined by an encrypted link across the WAN. KG—Cryptographic device; PC—Personal computer; WAN—Wide area network.)

Non-civilian Networks

Although military networks have always been built with both security and open communication in mind, even these networks are being improved in new ways. Classified military communications are scrambled by applying NSA cryptographic devices (KGs) to the network links. (Because many communication networks are circuit-based [e.g., T1 and T3], early KGs were designed to encrypt a point-to-point circuit; therefore, KGs were implemented in pairs.) Figure 5 depicts cryptographic link encryption.

This implementation, although very secure, was inefficient and inflexible, because it forced network designers to construct multiple independent networks based on the security level of the data passing over the network. If an organization had to conduct business within three different security classification levels, three independent networks had to be constructed to support the processing requirements of each individual security classification level. Secret data, for instance, could not be intermingled with unclassified data. This security model became especially inefficient when two or more security enclaves were housed within one facility and multiple physical network interfaces had to be provisioned. Figure 6 depicts link encryption supporting multiple security classifications.

More recently, military packet-based encryption devices (including commercial-grade 3DES Internet protocol security [IPSec] devices) have modernized security architectures in several ways. Packet-based encryptors have the ability to scramble discrete packets of data to one or more endpoint destinations, encrypting and decrypting the packets just once, because packet-based encryption operates above layer 2 (i.e., the link layer) and thus provides more flexible end-to-end security associations. This packet-based encryption is a marked improvement over link encryption, which requires multiple encryption and decryption cycles in a multi-hop routed network. Network designers can also gain efficiencies when two or more security enclaves are present at the same network node. Unlike link-encryption techniques, packet-encryption techniques can support a cryptographically strong separation method within a single physical interface. When security policy allows, packet encryption in conjunction with other security techniques may make possible a reduction in network circuits and equipment when multiplexing gains are taken into consideration. Furthermore, the privacy of sensitive but unclassified (SBU) network data is improved when commercial-grade encryption is applied. Figure 7 shows how packet encryption might be applied to networks supporting multiple security levels.
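The "cryptographically strong separation within a single physical interface" that packet encryption offers, as an added example written for this edit (not from the paper, from Bell Labs or from any KG or IPSec product): a Python model of per-enclave security associations. Each enclave has its own key bound to a security parameter index (SPI), every packet on the shared link carries its SPI, and a receiving node can authenticate and decrypt only the enclaves whose keys it holds; packets for any other enclave are dropped before decryption is attempted, and replayed or altered packets are rejected. The cipher is a keyed keystream derived from HMAC-SHA256 standing in for the device's real algorithm, and the enclave names, keys, SPIs and payloads are all constructed for the example.

```python
"""Packet encryption keeping several security enclaves separate on one
physical interface.

Added example for this edit, not from the paper or any product. It models
the security-association idea behind packet encryptors: each enclave has
its own key bound to a security parameter index (SPI), every packet is
tagged with its SPI, and a receiver can authenticate and decrypt only
traffic for enclaves whose keys it holds. The cipher is a keyed keystream
built from HMAC-SHA256 and stands in for the device's real algorithm; it
is an illustration, not a design to deploy. Keys and payloads are constructed.
"""
import hashlib
import hmac
import struct

HEADER_FMT = ">IQ"      # SPI (32 bits) and sequence number (64 bits)
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 16

# Constructed per-enclave keys and SPIs; a real device would hold these in
# protected storage and establish them by key exchange.
KEYS = {
    "top-secret": b"constructed-key-for-top-secret-enclave",
    "secret": b"constructed-key-for-secret-enclave",
    "sbu": b"constructed-key-for-sbu-enclave",
}
SPI = {"top-secret": 100, "secret": 200, "sbu": 300}

class SecurityAssociation:
    """One direction of one enclave's traffic: key, SPI, and counters."""

    def __init__(self, spi, enclave, key):
        self.spi, self.enclave, self.key = spi, enclave, key
        self.send_seq = 0      # last sequence number we emitted
        self.last_seen = 0     # highest sequence number accepted on receive

    def _keystream(self, seq, length):
        out = b""
        block = 0
        while len(out) < length:
            out += hmac.new(self.key, struct.pack(">IIQ", self.spi, block, seq),
                            hashlib.sha256).digest()
            block += 1
        return out[:length]

    def protect(self, payload):
        """Encrypt and authenticate one packet for the shared link."""
        self.send_seq += 1
        header = struct.pack(HEADER_FMT, self.spi, self.send_seq)
        stream = self._keystream(self.send_seq, len(payload))
        body = bytes(p ^ k for p, k in zip(payload, stream))
        tag = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        return header + body + tag

    def unprotect(self, packet):
        """Verify, replay-check and decrypt; raises ValueError on any failure."""
        header, body, tag = packet[:HEADER_LEN], packet[HEADER_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        spi, seq = struct.unpack(HEADER_FMT, header)
        if spi != self.spi:
            raise ValueError("SPI mismatch")
        if seq <= self.last_seen:
            raise ValueError("replayed packet")
        self.last_seen = seq
        return bytes(b ^ k for b, k in zip(body, self._keystream(seq, len(body))))

def make_sa(enclave):
    return SecurityAssociation(SPI[enclave], enclave, KEYS[enclave])

def receive(packet, sa_table):
    """Demultiplex one packet from the shared interface using the SAs this
    node holds. Returns ("accepted", enclave, payload) or ("dropped", reason, None)."""
    if len(packet) < HEADER_LEN + TAG_LEN:
        return ("dropped", "malformed packet", None)
    spi = struct.unpack(">I", packet[:4])[0]
    sa = sa_table.get(spi)
    if sa is None:
        return ("dropped", "no security association for SPI %d" % spi, None)
    try:
        return ("accepted", sa.enclave, sa.unprotect(packet))
    except ValueError as err:
        return ("dropped", str(err), None)

def demo():
    """Three enclaves share one link; a node holding only the SBU key sees
    only SBU traffic and cannot even authenticate the classified packets."""
    link = []     # everything that crosses the single physical interface
    senders = {name: make_sa(name) for name in SPI}
    for name, msg in [("top-secret", b"TS payload"), ("secret", b"S payload"), ("sbu", b"SBU payload")]:
        link.append(senders[name].protect(msg))
    sbu_only_node = {SPI["sbu"]: make_sa("sbu")}
    return [receive(pkt, sbu_only_node) for pkt in link]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The separation rests on key possession rather than on wiring: all three enclaves' packets traverse the same interface, yet a node provisioned only for the SBU enclave drops the classified packets at the SPI lookup, and even a node that somehow held the wrong key for a classified SPI would fail the authentication check rather than decrypt garbage.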

Figure 6. Link encryption supporting multiple security classifications. (Site A and Site B are each provisioned with three separate networks, sensitive but unclassified, secret, and top-secret, each with its own PCs, switches, routers and WAN connections, with KG cryptographic devices encrypting the links. KG—Cryptographic device; PC—Personal computer; WAN—Wide area network.)

Highlights of Civilian and Non-civilian Networks

Civilian networks implement standards-based solutions to ensure that the networks are secure when used for their intended purposes. Firewall policy and configurations [11], VPN implementation with tunneling, and encryption, for example, are all based on standards-compliant, interoperable protocols. Because of the use of these technologies, the availability of civilian networks for services such as VPN is high. The goals of civilian networks are to provide universal access and to provide adequate security for business and residential customer applications. In civilian networks, the prevention of threats and the avoidance, detection, and correction of security vulnerabilities by means of mitigation strategies is a continuous process. The trend is to make data and networks secure so that the loss due to threats is minimized and network availability is high.

Figure 7. Packet encryption in networks supporting multiple security levels. (Site A and Site B each host top-secret, secret, and SBU enclaves; three security enclaves share one physical interface at each site, with KG cryptographic devices and VPN devices feeding a single router and WAN connection. KG—Cryptographic device; PC—Personal computer; SBU—Sensitive but unclassified; VPN—Virtual private network; WAN—Wide area network.)

Government computer systems and networks are high-profile targets for denial of service, virus, and other more sophisticated attacks. Not surprisingly, networks that are intended to be the most openly accessible are also subject to some of the most frequent attacks [8]. This fact highlights the security dilemma of providing a secure service while making it transparent and usable by those who need it. Because these systems are targets, many government networks have implemented a multifaceted defense-in-depth strategy to mitigate the risk associated with a single point of security failure. Civilian and non-civilian networks must remain vigilant and continue to adopt state-of-the-art techniques on an ongoing basis to prevent, detect, and correct potential vulnerabilities and threats.

Depending on their value, non-civilian network assets are protected by one or more security mechanisms and techniques. Highly valued facilities and networks typically have physical security mechanisms (e.g., fences, armed guards at the gates, biometric technology, and surveillance cameras). The specific requirements of each security dimension (i.e., access management, authentication, non-repudiation, data confidentiality, communication security, integrity, availability, and privacy) of the Bell Labs security model translate into specific techniques, methods, and tools that must be implemented and enforced in planning, design, policy definition, ongoing security programs covering incident response, security awareness, and training to produce minimal vulnerabilities and threats.

Global Trends in Security

In many parts of the world, the globalization of commerce and the increasing cooperation and interdependence of governments are generating increased interest in the security of civilian and non-civilian networks. In Europe, for example, organizations such as the European Telecommunications Standards Institute (ETSI) in conjunction with the ITU and the Internet Engineering Task Force (IETF) have focused on network security standards and the interoperability of security technologies. Recent developments in the growth of e-commerce and e-governance [6] in the European Union have resulted in the European Council recommending the creation of a European Network and Information Security Agency (ENISA) by the end of 2003. This agency will foster increased cooperation across Europe to ensure the security of networks and secure access to services. It will focus on fostering security best practices and providing a body of knowledge about security to enable the growth of information-age network services. International security standards [4] are of general use to all networks. The ISO/IEC 17799:2000 Code of Practice for Information Security Management is an example of voluntary security guidelines aimed at improving security in civilian and non-civilian networks by providing best practices for information security in organizations. Globally, it is expected that, because it is an enabler of civilian and non-civilian network growth, security will continue to grow in importance.

Conclusions

Understanding network security posture is critical for both civilian and non-civilian networks. This can only be achieved by analyzing the synergies and the different requirements for the two types of networks and by adopting a holistic approach to security. This holistic approach can be achieved by applying a comprehensive security framework, such as the Bell Labs security framework and model, in all phases of network development and maintenance. Government organizations are very active in leading and funding security-related activities and working with private industries to foster standards development. This highlights both the importance of the national infrastructure and the interdependence of the national infrastructure and the economy of the country. Standards and government regulation and guidelines are critical to an interoperable security environment for civilian and non-civilian networks.

Civilian and non-civilian networks have their own requirements for maintaining transparent access for some applications and restricted access for others. While the requirements vary, the fundamental concepts of security planning, assessment practices that focus on prevention, detection, and correction of threats and vulnerabilities, and designing mitigation strategies are the same for both civilian and non-civilian networks. The Bell Labs security model, techniques, methodologies, and intellectual property serve as a good foundation on which to establish a comprehensive strategy and assessment program to secure infrastructure, services, and applications across the management, control, and user planes in both civilian and non-civilian networks.

*Trademarks

CERT and CERT Coordination Center are registered trademarks of Carnegie-Mellon University.

References

[1] ANSI National Standards Institute, “OAM&P—Security Framework for Telecommunications Management Network (TMN) Interfaces,” T1.233-1993 (R1999), Aug. 1993, <http://www.ansi.org>.

[2] Vanessa Antoine, Raymond Bongiorni, Anthony Borza, Patricia Bosmajian, Daniel Duesterhaus, Michael Dransfield, Brian Eppinger, Kevin Gallicchio, James Houser, Andrew Kim, Phyllis Lee, Tom Miller, David Opitz, Florence Richburg, Michael Wiacek, Mark Wilson, and Neal Ziring, “Router Security Configuration Guide,” Report no. C4-040R-02, NSA, 9/27/2002, ver. 1.1, <http://www.nsa.gov/snac/cisco/guides/cis-2.pdf>.

[3] CERT Coordination Center: Vulnerabilities, Incidents and Fixes, <http://www.cert.org/nav/index_red.html>.

[4] ISO/IEC 17799:2000, “Information Technology—Code of Practice for Information Security Management,” <http://www.iso.ch/iso/en/ISOOnline.frontpage>.

[5] A. R. McGee, S. R. Vasireddy, C. Xie, D. D. Picklesimer, U. Chandrashekhar, and S. H. Richman, “A Framework for Ensuring Network Security,” Bell Labs Tech. J., 8:4 (2003),

[6] Ministerial Meeting: “Tools of e-governance in the European Union and its South Eastern European Neighbours,” Ministerial Declaration, 2-3/5/2003, <http://unpan1.un.org/intradoc/groups/public/documents/untc/unpan009907.pdf>.

[7] NSA Rainbow Series, Orange Book, NCSC-TG-003, version-1, National Computer Security Center, “A Guide to Understanding Discretionary Access Control in Trusted Systems,” 10/30/1987, approved for public release, Fort George G. Meade, MD 20755-6000.

[8] SANS/FBI Top 20 List, The Twenty Most Critical Internet Security Vulnerabilities, <http://www.sans.org/top20/#index>.

[9] Telcordia Technologies, “Generic Requirements for Security of Public Key Infrastructure (PKI) Supporting Telecommunications Management Network (TMN),” GR-3025-CORE Iss. 1, July 2001, <http://www.telcordia.com>.

[10] Virus Damage Estimates, <http://newsletter.varbusiness.com/cgi-bin4/DM/y/eMBV0EuiZF0hk0Bzlq0Az>.

[11] J. Wack, K. Cutler, and J. Pole, “Guidelines on Firewalls and Firewall Policy,” National Institute of Standards and Technology (NIST) Special Publication 800-41, Jan. 2002, <http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf>.

(Manuscript approved October 2003)

RAO VASIREDDY is a member of technical staff at Bell Laboratories, Lucent Technologies in Holmdel, New Jersey. He has many years of experience in the research and development of communication services. His current responsibilities include research and development of new services with a focus on end-to-end security. His other research interests include architecture and applications for IP VPN and quality of service. He has an M.S. degree in computer science from the University of Louisville, Kentucky, and an M.S. degree in electrical engineering from Regional Engineering College, Warangal, India.

STEVEN WOLTER is an engineering manager and solutions architect for defense programs and a member of Lucent’s Government Customer Team in Herndon, VA. He received a B.S. degree in computer science from the University of Maryland in Baltimore County and an M.S. degree in information systems from George Mason University in Fairfax, Virginia. Mr. Wolter is a recipient of GMU’s Master’s in Information Systems award. His current responsibilities include providing network security and telecommunications solutions to federal government programs.

UMA CHANDRASHEKHAR is technical manager of Advanced Network Security and Reliability in the Network Planning and Standards Center at Bell Labs in Holmdel, New Jersey. Along with her team, she addresses network security and reliability (technical and business) challenges in both wireless and wireline infrastructures. She has in-depth expertise and experience in systems engineering, standards planning, standards management, operations planning, network management, billing platform development, and data communications. She has led and managed strategic projects from concept to market in the areas of network operations, reliability, security, enablers, standards, network monitoring systems, and network management, and she has led industry teams in support of government work. Over many years of industrial experience, she has worked extensively with network operators, telecommunication research units, and equipment manufacturers, and she has six pending patents in security, operations, and reliability. She also has participated in a program on technology breakthroughs at Carnegie Mellon University as well as in a management program at Northwestern University’s Kellogg School of Management. Ms. Chandrashekhar holds bachelor’s and master’s degrees in electrical engineering, and she has held executive positions in the Canadian chapters of the IEEE.

ROBERT J. THORNBERRY JR., currently based in Naperville, Illinois, is a principal network architect and senior manager in the Integrated Network Solutions Chief Technology Office of Lucent Technologies. In this position, he is responsible for architectures, technical strategies, security, and service definitions for Lucent’s high availability and secure data networking offers. Prior to his current assignment, Mr. Thornberry held a number of development, planning, and architecture positions. He worked to create voice over Internet protocol (VoIP) solutions and network-based service architectures for converged networks. His development teams designed and delivered system integrity, fault recognition, and fault-tolerant call processing capabilities for the 5ESS™ switch and provided a reliable remote switching capability. His professional interests include IP service platforms, converged networks, and network security. Mr. Thornberry holds an A.A. degree in electronics technology and engineering from Montgomery College in Rockville, Maryland, a B.S. degree in electrical engineering from the University of Maryland in College Park, and an M.S. degree in electrical engineering and computer science from the University of California at Berkeley. He holds six patents and is a member of the IEEE and the Eta Kappa Nu and Tau Beta Pi honor societies.

ANDREW R. MCGEE is a distinguished member of technical staff in the Advanced Network Planning Department at Bell Labs Advanced Technologies in Holmdel, New Jersey. Mr. McGee has many years of data communications experience and is currently responsible for the development and analysis of advanced security architectures and security services for next-generation networks. His research interests include data network architectures and virtual private networking technologies, and he holds a patent in the area of data networking. Mr. McGee received a B.S. degree from Michigan State University in East Lansing, and an M.S. degree from Rutgers University in New Jersey, both in computer science.