Security Posture for Civilian and Non-civilian Networks
Rao Vasireddy, Steven Wolter, Uma Chandrashekhar, Robert J. Thornberry Jr., and Andrew R. McGee
Network security is dependent upon securing individual components, services, and applications. This is done through the prevention, detection, and correction of threats and attacks that exploit vulnerabilities in the network. Network security must be analyzed using various factors, such as security requirements, the inherent strengths and vulnerabilities of different network technologies, and the processes used to design, deploy, and operate networks. The Bell Laboratories security model provides the framework required to plan, design, and assess the end-to-end security of networks. In this paper, the Bell Labs security model is used to (1) define the basic security needs of civilian and non-civilian networks, (2) examine the security capabilities of various technologies and identify their security strengths and gaps, (3) identify key threat-mitigation strategies for civilian and non-civilian networks, and (4) illustrate the value of a comprehensive framework (e.g., the Bell Labs model) in any security program, whether designed for a civilian or a non-civilian network. © 2004 Lucent Technologies Inc.
Introduction
Network security is dependent upon securing individual components, services, and applications. This is done through the prevention, detection, and correction of attacks or threats that exploit security vulnerabilities. A vulnerability is a security weakness present in a network. A threat can disrupt legitimate network activities if it is able to exploit a vulnerability. Recent worldwide threats (e.g., viruses and worm attacks like Slammer) show that network security must be analyzed by considering a variety of factors, e.g., the security policy, the requirements, the inherent strengths and weaknesses of different network technologies, and the processes used to plan, design, deploy, and operate networks. A continuous, ongoing security design and implementation program that focuses on the prevention, detection, and correction of threats and vulnerabilities is essential for maintaining secure networks. Here we discuss the value of security strategy and planning in minimizing the vulnerabilities and identifying mitigation strategies for both civilian and non-civilian networks.
Civilian and Non-civilian Networks
The terms civilian networks and non-civilian networks, as used in this paper, refer to communications networks that are used by private corporations (e.g., network operators) and government agencies, respectively. Non-civilian networks consist of a variety of organizations, each of which may have varying functional roles and responsibilities. These roles and responsibilities can vary from public information dissemination to national security and defense-related matters. Non-civilian networks require communication interfaces not only between internal organizations, but also with external civilian networks. The interconnection requirements and varying organizational roles determine the security requirements and day-to-day operations of such networks.
Bell Labs Technical Journal 8(4), 187–202 (2004) © 2004 Lucent Technologies Inc. Published by Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). • DOI: 10.1002/bltj.10095
Panel 1. Abbreviations, Acronyms, and Terms
3DES—triple data encryption standard
AES—advanced encryption standard
ATM—asynchronous transfer mode
CAIDA—Cooperative Association for Internet Data Analysis
CERT*—Computer Emergency Response Team
CIO—chief information officer
DCN—data communications network
DES—data encryption standard
DoS—denial of service
ENISA—European Network and Information Security Agency
ETSI—European Telecommunications Standard Institute
FCAPS—fault, configuration, accounting, performance, and security
FIPS—Federal Information Processing Standard
FR—frame relay
GigE—gigabit Ethernet
HIPAA—Health Insurance Portability and Accountability Act
IDS—intrusion detection system
IEC—International Electrotechnical Commission
IETF—Internet Engineering Task Force
IP—Internet protocol
ISO—International Organization for Standardization
IPSec—Internet protocol security
IRS—Internal Revenue Service
ISDN—integrated services digital network
IT—information technology
ITU—International Telecommunication Union
KG—cryptographic device
L2TP—layer 2 tunneling protocol
LAN—local area network
NASA—National Aeronautics and Space Administration
NIAP—National Information Assurance Partnership
NIST—National Institute of Science and Technology
NSA—National Security Agency
PKI—public key infrastructure
PSTN—public switched telephone network
RADIUS—remote authentication dial-in user service
RBAC—role-based access controls
SMS—service management system
SNMP—simple network management protocol
SP—service provider
TMN—telecommunications management network
ToD—time of day
VPN—virtual private network
WAN—wide area network
Network Infrastructure
Civilian and non-civilian communications networks use both private and shared public network infrastructure to provide services. Many common network technologies (e.g., Wi-Fi [for example, 802.11], frame relay [FR], asynchronous transfer mode [ATM], Internet protocol [IP], gigabit Ethernet [GigE], and virtual private network [VPN]) and common security mechanisms (e.g., firewalls, encryption, and policy-based authentication) are used by both civilian and non-civilian networks. However, both security policies [4] and the degree to which they are enforced differ in civilian and non-civilian networks. Furthermore, different applications and different user groups require varying levels of security in both civilian and non-civilian networks.
Security assessment results obtained during a given time period provide an indication of the security posture of a network and how well the policies are enforced. A desirable assessment would look at both the strategic and the tactical aspects of security. The strategic aspect deals with such things as how well the network responds to unwanted external or internal queries from unauthorized users. The tactical aspect deals with such things as whether or not the network allows unauthorized external or internal queries to occur.
Different security postures can be expressed in terms of the specific network technologies, the security policies, and the operational procedures of a network. Non-civilian networks often have more stringent requirements than civilian networks. Non-civilian network security policies address issues that vary from information dissemination to national security and military concerns. These wide-ranging security requirements are satisfied by employing dedicated (non-civilian) as well as shared (with civilian networks) network infrastructure. However, the shared infrastructure increases the exposure of potential vulnerabilities (e.g., simple network management protocol [SNMP] weakness) to internal as well as external threats. The security mechanisms to mitigate the potential vulnerabilities can be incorporated into requirements for each of the security classification levels for civilian and non-civilian networks.
Security Classification Levels
Network operators or enterprise organizations that are responsible for running civilian networks usually implement the following security classification levels (from highest to lowest): confidential, private, sensitive, and public. The military and government organizations responsible for running non-civilian networks usually implement the following security classification levels (from highest to lowest): top secret, secret, confidential, sensitive but unclassified, and unclassified data. Whether the network is civilian or non-civilian, these levels each have a set of requirements that must be developed into security policies and techniques that can be successfully implemented and controlled. Some of the factors that determine which classification level should apply to the data in a network or access to network resources include the value of the data, potential damage due to data disclosure or modification, legal requirements, and associated liabilities.
Typically, non-civilian networks, because they contain data that must be kept secret, have much more stringent requirements for data confidentiality, integrity, non-repudiation, and communication security than do civilian networks. These different requirements and the differences between the security classification level structures of civilian and non-civilian networks dictate the types of technology and operational procedures that must be implemented. Appropriate management personnel must approve the technology and the operational procedures. Data custodians must be assigned the responsibility of implementing the controls and performing the procedures required to maintain the appropriate level of security at all times.
Network Topology
Many civilian networks (e.g., large enterprise networks) have geographically dispersed locations that are connected by wide area network (WAN) links. Access to the network and the WAN links is usually provided by service providers (SPs), who are also responsible for WAN security. The security features (e.g., access controls and communication security [5]) are predetermined by the service options and agreements between the enterprise and the service provider.
Like civilian networks, non-civilian networks may also be dispersed over a wide geographic area and they may serve the needs of several organizations (e.g., the Internal Revenue Service [IRS], the intelligence communities, and defense). In some instances, non-civilian networks share a service provider's transport network (e.g., the public switched telephone network [PSTN] and IP) with civilian networks, allowing them to reach a large number of people nationwide or around the globe. Figure 1 shows a typical network topology that can be applied to both civilian and non-civilian networks. Each enterprise local area network (LAN) in Figure 1 can be viewed as representing either a corporate or a non-civilian data or operations center in a given location. Depending upon the service requirements, these enterprise sites may be interconnected by a service provider's network. Different enterprise sites may belong to the same corporate entity or to a partner or customer. The access and interconnecting WAN links may be dedicated or shared among many customers. Application and service security requirements determine the degrees of logical separation between different traffic flows. Policy specifications that require the implementation of confidentiality, privacy, integrity, non-repudiation, availability, and prevention of replication of data will have a direct bearing on the security capabilities of the networks and services [2].
[Figure 1. Network topology. Enterprise LANs, each behind a DMZ, connect through access networks and routers (R) to a service provider's WAN; the figure also shows direct Internet access, an operations support site, and shared versus dedicated facilities. DMZ—demilitarized zone; LAN—local area network; R—router; WAN—wide area network.]
It is essential to ensure that both operations activities and infrastructure are secure at all times. Because of the trend toward self-provisioning and monitoring services using a Web portal and dial-up provisioning systems, both network operators and end users are more aware of the operations support functions and the importance of security than they used to be. Security posture assessment must identify capabilities, vulnerabilities, probable threats, and mitigation strategies to address security breaches of both infrastructure and operations networks.
Currently, security assessment is an exercise in which information about network elements, services, and applications is obtained from various sources. This information, along with security assessment tools and techniques, is used to discover and analyze potential vulnerabilities and threats. The typical focus of such an assessment is on vulnerabilities in individual network elements. However, to cover the entire security life cycle of a network and associated services, a holistic approach that evaluates the security of user, control, and management traffic flows in the network under different usage scenarios is required. The Bell Laboratories security model [5], which is briefly described in the following section, presents a comprehensive approach to security. This approach allows specific security requirements and nuances to be addressed in both civilian and non-civilian networks.
Security Posture and the Bell Labs Security Model
Bell Labs has developed a security model [5] to address the security of networks and services (see Figure 2). This model is used to plan and implement security from the concept development, design, and implementation of networks to their on-going operations and maintenance. The model provides a methodology to analyze security capabilities in multiple security layers and planes. The security layers in the model are the infrastructure, services, and applications layers. The security planes are the end user, management, and control planes. The Bell Labs security model analyzes the security impact on these layers and planes using the following security dimensions: access management or access control, authentication, non-repudiation, data confidentiality, communication security, integrity, availability, and privacy. The example in Table I shows the areas covered for the end-user plane when the three different security layers for the eight security dimensions are analyzed. The reader is encouraged to refer to the paper on the Bell Labs security framework [5] listed in the references for detailed information.
[Figure 2. Bell Labs security model. Security layers: infrastructure security, service security, application security. Security planes: end user plane, management plane, control plane. Security dimensions: access management, authentication, non-repudiation, data confidentiality, communication security, integrity, availability/reliability, privacy. Vulnerabilities can exist in each layer and each plane; types of threats and attacks: interruption, fabrication, interception, modification.]
The network security dimensions used in the Bell Labs model are defined as follows:
• Access management or access control ensures that only authorized personnel or devices are allowed access to network elements, stored information, information flows, services, and applications. In addition, strong accountability provides a non-repudiable means to correlate actions with individuals or devices. Finally, different access levels guarantee that individuals and devices can only gain access to network elements, stored information, and information flows for which they have authorization.
• Authentication is used to confirm the identities of communicating entities. Authentication ensures the validity of the claimed identities of the communicating entities (e.g., people, devices, services, and applications) and provides assurance that an entity is not attempting a masquerade or an unauthorized replay of a previous communication. The authentication security dimension addresses the fabrication security threat.
• Non-repudiation provides proof of the origin of data or the cause of an event or an action. It ensures the availability of evidence that can be used to prove that some kind of event or action has taken place, so that the cause of the event or action cannot be repudiated later. The non-repudiation security dimension also addresses the fabrication security threat.
• Data confidentiality or data security ensures that data is kept private and prevents unauthorized access or viewing. Encryption is normally used to keep data secure.
• Communication security ensures that information flows only between the authorized endpoints and that it is not diverted or intercepted as it flows between these endpoints.
• Data integrity ensures the correctness or accuracy of data by preventing unauthorized modifications, deletions, creations, and replications and provides an indication of unauthorized activities in these areas.
• Availability ensures that there is no denial of authorized access to network elements, stored information, information flows, services, and applications. Disaster recovery solutions are included in this dimension.
• Privacy ensures that confidential information (e.g., account information stored by the service provider and usage or location information pertaining to the end user) is not accessible by unauthorized personnel or devices.
Table I. Bell Labs security framework—end-user plane and security layers.
Security dimension: Access management
  Infrastructure: Controls access to individual network elements or transmission facilities.
  Services: Controls access to network services.
  Applications: Controls access to network-based applications.
Security dimension: Authentication
  Infrastructure: Confirms identity of person attempting to access individual network elements or transmission facilities.
  Services: Confirms identity of person attempting to access network services.
  Applications: Confirms identity of person attempting to access network applications.
Security dimension: Non-repudiation
  Infrastructure: Maintains a record of activities performed by each person who has accessed individual network elements or transmission facilities.
  Services: Maintains a record of activities performed by each person who has accessed network services.
  Applications: Maintains a record of activities performed by each person who has accessed network applications.
Security dimension: Data confidentiality
  Infrastructure: Protection against the unauthorized reading of data stored on individual boxes.
  Services: Protection against the unauthorized reading of data as it traverses the network.
  Applications: Protection against the unauthorized reading of data as it is being processed or generated by an application.
Security dimension: Communication security
  Infrastructure: Protection against the incorrect installation of cables.
  Services: Data is not diverted or intercepted as it traverses the network.
  Applications: Data is only transmitted between authorized applications and endpoints.
Security dimension: Integrity
  Infrastructure: Protection against unauthorized creation, modification, and deletion of data stored on individual network elements.
  Services: Protection against unauthorized creation, modification, and deletion of data as it traverses the network.
  Applications: Protection against unauthorized creation, modification, and deletion of data by applications.
Security dimension: Availability
  Infrastructure: Individual network element is available.
  Services: Network service is available.
  Applications: Application is available.
Security dimension: Privacy
  Infrastructure: Information about individual network elements (e.g., IP addresses) is kept private.
  Services: Information about services being used by end users is kept private.
  Applications: Information about applications being accessed by end users is kept private.
When a security analysis is performed for non-civilian networks, it will be noted that some security dimensions (e.g., data security and privacy) will have stricter requirements than others, whereas in civilian networks this would only be true if the network included health, financial, or other industry applications that require strict security measures.
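As an added illustration of the layer/plane/dimension model described above (this is not code from the paper or from Bell Labs), the following Python tags each deployed control with the model cells it addresses and reports the cells that no control touches, per plane and per dimension. The control inventory and its tagging are constructed assumptions for the example.

```python
# Added example (not from the paper): a coverage-gap helper over the Bell Labs
# model's three layers, three planes and eight dimensions. Each deployed
# control is tagged with the model cells it addresses, and the helper reports
# the cells no control touches. The control inventory and its tagging are a
# constructed illustration, not an assessment from the paper.
from itertools import product

LAYERS = ("infrastructure", "services", "applications")
PLANES = ("end user", "management", "control")
DIMENSIONS = ("access management", "authentication", "non-repudiation",
              "data confidentiality", "communication security", "integrity",
              "availability", "privacy")
# Every (layer, plane, dimension) cell an assessment has to consider: 72.
ALL_CELLS = frozenset(product(LAYERS, PLANES, DIMENSIONS))


def cells(layers=LAYERS, planes=PLANES, dims=DIMENSIONS):
    """Expand a control's scope into model cells; omitted axes mean 'all'."""
    for axis, universe in ((layers, LAYERS), (planes, PLANES), (dims, DIMENSIONS)):
        unknown = set(axis) - set(universe)
        if unknown:
            raise ValueError(f"unknown model value(s): {sorted(unknown)}")
    return frozenset(product(layers, planes, dims))


# Constructed control inventory for a civilian SP network (illustrative tags).
CONTROLS = {
    "border firewall and DMZ": cells(
        layers=("infrastructure", "services"), planes=("end user",),
        dims=("access management", "availability")),
    "RADIUS user authentication": cells(
        planes=("end user", "management"),
        dims=("authentication", "access management")),
    "centralized audit logging": cells(
        planes=("end user", "management"), dims=("non-repudiation",)),
    "IPSec on access and WAN links": cells(
        layers=("infrastructure", "services"), planes=("end user",),
        dims=("data confidentiality", "communication security", "integrity")),
    "logically separate DCN for FCAPS": cells(
        layers=("infrastructure",), planes=("management",),
        dims=("communication security", "access management")),
}


def coverage_gaps(controls):
    """Cells that no control in the inventory addresses."""
    covered = frozenset().union(*controls.values())
    return ALL_CELLS - covered


def gaps_by_plane(controls):
    """Uncovered cells per plane: user, management and control traffic each
    get their own figure, so a blind spot in one plane cannot hide."""
    gaps = coverage_gaps(controls)
    return {p: sum(1 for _, plane, _ in gaps if plane == p) for p in PLANES}


def uncovered_dimensions(controls, plane):
    """Dimensions with no control at all in `plane`, across every layer."""
    gaps = coverage_gaps(controls)
    return [d for d in DIMENSIONS
            if all((layer, plane, d) in gaps for layer in LAYERS)]


if __name__ == "__main__":
    print("uncovered cells per plane:", gaps_by_plane(CONTROLS))
    for plane in PLANES:
        print(f"{plane}: no control for {uncovered_dimensions(CONTROLS, plane)}")
```

With the constructed inventory the control plane is entirely uncovered and the management plane lacks confidentiality, integrity, availability and privacy controls, which is the kind of blind spot an element-by-element assessment would not surface.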
Security Capabilities of Networks
Network security is designed and implemented using a distributed architecture. Security is functionally implemented in different network elements, management/application servers, and firewalls that are distributed throughout the network. Network design should begin with security as part of the design criteria. The design process should translate the security policies into verifiable technology implementations that enforce rules on how to access, use, and modify network resources. These implementations, in addition to providing security, will reduce churn and tradeoffs involving performance and security, thereby reducing the cost of managing both civilian and non-civilian networks.
Vulnerabilities and threats can originate from various internal and external sources. Analysts estimate that virus attacks alone caused $17 billion in damages during 2002 [10]. Viruses are well-known threats, but there are also other kinds of attacks on the infrastructure. To implement network security, a defense-in-depth strategy should be employed that addresses security threats from internal and external sources. The level of security required for civilian and non-civilian networks depends on the nature of the services supported on the network, the applications that may be accessed using the network, and security classification levels. Security classification levels imply that different groups of individuals are allowed to access different network resources with different privilege levels. Privilege levels define who can access which network resources at a given time and location. Applying the principle of least privilege ensures that minimum privilege levels are applied to enable tasks performed by specific groups, thus minimizing security risk. Privilege levels are applicable to both network administrators and end users. In the following sections security requirements for civilian and non-civilian networks are discussed.
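The classification ladders listed under Security Classification Levels and the least-privilege point made here, as an added Python example that is not from the paper: a decision routine that first checks the requester's clearance against the data label and then looks for a role grant that is valid at the request's time of day and location. The roles, grants, principals and resource names are constructed for the example.

```python
# Added example (not from the paper): an access-decision routine combining the
# classification ladders the paper lists with least-privilege role grants that
# are restricted by time of day and location. Roles, grants and sample
# principals are constructed for illustration.
from dataclasses import dataclass

# Classification levels as the paper lists them, highest first.
CIVILIAN_LEVELS = ("confidential", "private", "sensitive", "public")
NON_CIVILIAN_LEVELS = ("top secret", "secret", "confidential",
                       "sensitive but unclassified", "unclassified")


def dominates(ladder, clearance, label):
    """True when `clearance` is at or above `label` on a highest-first ladder
    (a lower index is a higher level). Unknown names raise ValueError."""
    return ladder.index(clearance) <= ladder.index(label)


@dataclass(frozen=True)
class Grant:
    """Least-privilege grant: one role, one action, one resource class,
    valid only during [start_hour, end_hour) and from the listed locations."""
    role: str
    action: str
    resource_class: str
    start_hour: int
    end_hour: int
    locations: frozenset


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str
    roles: frozenset
    location: str


@dataclass(frozen=True)
class Resource:
    name: str
    resource_class: str
    label: str


def in_window(grant, hour):
    """Time-of-day check; a window such as 22-6 wraps past midnight."""
    if grant.start_hour < grant.end_hour:
        return grant.start_hour <= hour < grant.end_hour
    return hour >= grant.start_hour or hour < grant.end_hour


def decide(ladder, grants, who, what, action, hour):
    """Return (allowed, reason). The mandatory check (clearance dominates the
    data label) runs first; then a role grant must match the action and
    resource class and be valid at this hour and from this location."""
    if not dominates(ladder, who.clearance, what.label):
        return False, f"clearance '{who.clearance}' is below label '{what.label}'"
    for g in grants:
        if g.role not in who.roles or g.action != action:
            continue
        if g.resource_class != what.resource_class or not in_window(g, hour):
            continue
        if who.location not in g.locations:
            continue
        return True, f"role '{g.role}' may {action} {what.resource_class}"
    return False, "no grant covers this role, action, resource, time and location"


# Constructed sample policy for a non-civilian operations network.
GRANTS = (
    Grant("noc_operator", "read", "element_config", 6, 22,
          frozenset({"ops_center_a"})),
    Grant("noc_admin", "write", "element_config", 0, 24,
          frozenset({"ops_center_a", "ops_center_b"})),
)
OPERATOR = Principal("alice", "secret", frozenset({"noc_operator"}), "ops_center_a")
ADMIN = Principal("bob", "top secret", frozenset({"noc_operator", "noc_admin"}),
                  "ops_center_b")
ROUTER_CONFIG = Resource("core-router-1", "element_config", "confidential")
KEY_SCHEDULE = Resource("link-key-schedule", "crypto_material", "top secret")


def run_scenarios():
    """Decisions for a handful of constructed requests, keyed for inspection."""
    L, G = NON_CIVILIAN_LEVELS, GRANTS
    return {
        "operator_read_daytime": decide(L, G, OPERATOR, ROUTER_CONFIG, "read", 10)[0],
        "operator_read_night": decide(L, G, OPERATOR, ROUTER_CONFIG, "read", 23)[0],
        "operator_write": decide(L, G, OPERATOR, ROUTER_CONFIG, "write", 10)[0],
        "admin_write_from_b": decide(L, G, ADMIN, ROUTER_CONFIG, "write", 3)[0],
        "admin_read_from_b": decide(L, G, ADMIN, ROUTER_CONFIG, "read", 10)[0],
        "operator_key_schedule": decide(L, G, OPERATOR, KEY_SCHEDULE, "read", 10)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

Note that the admin's read from ops_center_b is denied even though the admin holds the operator role: the grant's location restriction applies regardless of clearance, which is what makes privilege levels depend on time and location as well as on role.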
Civilian Networks
Figure 3 shows a typical civilian network. Examples of such networks are the Internet and the networks belonging to various service providers and corporations. The security capabilities protect network resources such as the network elements, customer premises equipment, applications, and data. To protect users, data, and network elements from the threats that can occur in the different planes and layers described in the Bell Labs security model, security capabilities should be distributed throughout the network to implement access management, authentication, non-repudiation, data confidentiality, communication security, integrity, availability, and privacy.
The security requirements for civilian networks are application dependent; the requirements for an Internet access service are different from those for an IP VPN service. A civilian network should be capable of supporting different security requirements for various services at the same time, even when a common infrastructure is used to support those services.
Security policy. An end-to-end network connection consists of several network segments that belong to one or more organizations in enterprises, service providers/network operators, and application service providers. Security policies for these network segments are different, because the segments are owned and operated by different entities. The initial security needs of the organizations determine what types of policies should be created and enforced. These, in turn, should be compatible with the security requirements that are implemented in the network for a service that spans all these network segments. To evaluate security in this scenario it is necessary to assess all the relevant aspects of both the network and the associated services and operations.
Security for management traffic. Network management includes the functions of fault, configuration, accounting, performance, and security (FCAPS) management. FCAPS security is critical to ensure uninterrupted service availability. FCAPS support infrastructure and application security—from both internal and external threats—should be included as a part of the security policy. To ensure that networks can be configured, monitored, and restored in accordance with the security policy, it is necessary to have a logically separate data communications network (DCN) for FCAPS. Security methods and procedures for network interfaces, role-based access controls (RBAC), and public key infrastructure (PKI) for telecommunications management networks (TMNs) help ensure operations network security. International Telecommunication Union (ITU) TMN [1, 9] standards specify the capabilities required for operations security and the means of implementing them.
[Figure 3. Typical civilian network with security capabilities distributed throughout the network. Customer sites (locations A, B, X, Y, and a SOHO) reach the service provider's edge devices (RAS, DSLAM, router/firewall) over dial-up, xDSL, or dedicated and remote access, with VPN demarcation at the customer premises; IPSec runs over IP/PPP and IP/ATM on the access links, and the SP core carries IP, MPLS, ATM, and other technologies. The SP service/network management side holds EMS, NMS, SMS, AAA, DNS, DHCP, CA, and policy servers, plus SP or third-party application servers (Web, mail, database). AAA—authentication, authorization, accounting; CA—certificate authority; DHCP—dynamic host configuration protocol; DNS—domain name server; DSLAM—digital subscriber line access multiplexer; EMS—element management system; FW—firewall; MPLS—multiprotocol label switching; NMS—network management system; PPP—point-to-point protocol; RAS—remote access server; SMS—service management system; SOHO—small office home office; xDSL—digital subscriber line.]
User profiles. User profiles establish privilege levels and authentication mechanisms that are required to implement multi-tiered, restricted access to network resources and applications. Proper design and implementation of user profiles provides a flexible, multi-tiered authentication capability to enforce security requirements and apply appropriate encryption methods, e.g., traffic originating from a given user could always be encrypted and records could be stored in a log file for audit purposes (a basic requirement for meeting the data security, integrity, and non-repudiation dimensions of the Bell Labs model) if the user profile demands such features.
Audits/reports. A verification and alarm capability makes it possible to monitor how well network security is functioning. Audit logs are created by network technologies such as authentication systems, proxies, firewalls, and intrusion detection systems (IDSs). Automation and centralization of audit logs is a valuable capability for analyzing network activity and threats.
Non-civilian Networks
Non-civilian network policy has the intent of using standards-based interfaces and protocols where practical to maximize interoperability with commercial and other governmental organizations and to minimize the cost of deployment and operations. Formerly, when commercially available technology was not mature or was not available, non-civilian agencies like the Navy would develop custom or proprietary communications protocols and networks to support their mission. Although this approach works, it can be far more costly to implement, secure, manage, and maintain over the life of the system than a commercially available service. As network security technology matured, civilian and non-civilian agencies adopted an approach to security design that not only optimizes cost, but also encourages standards-based interoperability between different networks.
Security complexity grew as non-civilian agencies started to inter-network numerous communications protocols. The federal government, for example, uses numerous network protocols and technologies, including ATM, IP, FR, integrated services digital network (ISDN), leased circuit, optical, satellite, and, in some cases, customized network technologies. Each of these technologies has its own unique security vulnerabilities. In addition, the need to store data securely and process a large volume of data efficiently amplifies the security capabilities the government must possess to conduct business securely.
The idea that the federal government could operate an interwoven network with unified security profiles based on a single, cohesive security architecture is a misconception. Like most large organizations, the federal government operates an interwoven network with security profiles defined by numerous sub-organizations (e.g., the Army, the Navy, the IRS, the National Aeronautics and Space Administration [NASA], and the National Security Agency [NSA]). As a result, the federal network is better imagined as having dozens of chief information officers (CIOs) independently funding the network interoperability and security requirements of their organizations. At first glance, this may appear to make providing security impossible.
Recognizing the need for an overarching, systematic process to make government computer networks secure, the NSA and the National Institute of Science and Technology (NIST) have developed a series of documents detailing design constructs, documentation methods, and auditing processes for network and computer systems. Developing the taxonomy of network security is arguably one of the biggest contributions the government has made to network and computer security. The other area of network security to which both Bell Labs and the government have made important contributions is the research and development of cryptographic devices, key exchange methods, algorithms, and protocols for secure communications [7]. This framework allows organizations with differing security requirements to tailor individual solutions to meet their threat profile. In conjunction with the Bell Labs security model, techniques, and methodology, this framework can address all aspects of security.
Non-civilian networks (e.g., the IRS network) that deal with less stringent security requirements find that commercial-grade encryption (e.g., triple data encryption standard [3DES] and advanced encryption standard [AES]) is sufficient for their threat profile. The federal government has been instrumental in establishing accreditation programs for commercial security products. A noteworthy example of this is the National Information Assurance Partnership (NIAP), a joint NSA and NIST project that has established the Common Criteria evaluation and validation process for commercial security products. Separately, NIST maintains cryptographic standards and coordinates validation programs, including the FIPS-140 cryptographic module and the algorithm validation program.
Together, the Bell Labs security framework and the governmental security certification processes can provide integrated security that could not be provided by addressing and securing individual technologies and protocols separately.
Mitigation Strategies to Address Vulnerable Network Technologies
Mitigation strategies are designed to prevent or reduce the exploitation of security vulnerabilities and deter attackers. Networks typically employ firewalls, authentication mechanisms, and host- and network-based intrusion-detection systems for threat mitigation. Source address spoofing is filtered at the network peering points. Demilitarized zones reduce the impact of denial of service (DoS) attacks on publicly accessed applications (e.g., Web servers).
Civilian Networks
Figure 4 shows a set of key mitigation techniques for civilian networks. The list does not cover all of the security technologies and mitigation strategies used in civilian networks, and these techniques should be augmented by security best practices. The mitigation strategies shown are common to enterprise networks, WANs, and SP networks. Security policy enforcement and training are critical to the effective implementation of mitigation strategies, which rely upon proper security design, implementation of industry best practices, audits, and training programs. Mitigation techniques such as firewalls, IDS, password protection, virus scanning, and alarms are required throughout networks to protect infrastructure, operations, and user data. Firewall maintenance, for example, should at a minimum include timely installation of security patches for the firewall application and its host operating system, and whenever a network configuration is changed a review of the firewall policy should be mandatory: a rule set written for the previous topology may now permit more than intended, or a newly added rule may be shadowed by an earlier one and never take effect. To keep a network secure, it is also necessary to keep track of the latest security vulnerabilities [3] and vendor advisories and to implement the mitigation techniques suggested by the Computer Emergency Response Team Coordination Center* (CERT*/CC), the Cooperative Association for Internet Data Analysis (CAIDA), and NIST. The automatic identification and download of new patches needed for updates to components (i.e., a capability similar to a service management system [SMS] at the client/server level) should be enforced. Periodic audits that evaluate how the security policies are implemented provide an ongoing assessment of security posture.
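The mandatory firewall-policy review after a configuration change, as an added example that is not from the paper or from any firewall vendor: a Go program that parses a constructed first-match rule set and reports the three conditions such a review should catch, a rule that permits everything, a rule shadowed by an earlier rule so that it can never match, and a policy that does not end in an explicit deny-all. The rule text format, the sample rules and the addresses are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Added example (not the paper's code): a review pass over a first-match firewall
// policy written in a constructed text format, not any vendor's syntax:
//   <permit|deny> <tcp|udp|icmp|any> <src-cidr> <dst-cidr> <dport|any>   (0.0.0.0/0 = any host)
type Rule struct {
	Line     int
	Action   string
	Proto    string
	Src, Dst *net.IPNet
	Port     int // 0 means any port
}

var anyNet = func() *net.IPNet { _, n, _ := net.ParseCIDR("0.0.0.0/0"); return n }()

// ParsePolicy reads the text form; blank lines and '#' comments are skipped.
func ParsePolicy(text string) ([]Rule, error) {
	var rules []Rule
	for i, raw := range strings.Split(text, "\n") {
		f := strings.Fields(raw)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if len(f) != 5 || (f[0] != "permit" && f[0] != "deny") {
			return nil, fmt.Errorf("line %d: malformed rule %q", i+1, raw)
		}
		_, src, err1 := net.ParseCIDR(f[2])
		_, dst, err2 := net.ParseCIDR(f[3])
		port, err3 := 0, error(nil)
		if f[4] != "any" {
			if port, err3 = strconv.Atoi(f[4]); err3 == nil && (port < 1 || port > 65535) {
				err3 = fmt.Errorf("port %d out of range", port)
			}
		}
		for _, err := range []error{err1, err2, err3} {
			if err != nil {
				return nil, fmt.Errorf("line %d: %v", i+1, err)
			}
		}
		rules = append(rules, Rule{i + 1, f[0], f[1], src, dst, port})
	}
	return rules, nil
}

// covers reports whether every packet matched by b is also matched by a.
func covers(a, b Rule) bool {
	netCovers := func(x, y *net.IPNet) bool {
		xOnes, _ := x.Mask.Size()
		yOnes, _ := y.Mask.Size()
		return xOnes <= yOnes && x.Contains(y.IP)
	}
	return (a.Proto == "any" || a.Proto == b.Proto) && (a.Port == 0 || a.Port == b.Port) &&
		netCovers(a.Src, b.Src) && netCovers(a.Dst, b.Dst)
}

// Review flags permit-everything rules, rules an earlier rule shadows (they can
// never match), and a policy that does not end in an explicit deny-all.
func Review(rules []Rule) []string {
	var findings []string
	all := Rule{Proto: "any", Src: anyNet, Dst: anyNet}
	for i, r := range rules {
		if r.Action == "permit" && covers(r, all) {
			findings = append(findings, fmt.Sprintf("line %d: permits everything", r.Line))
		}
		for _, earlier := range rules[:i] {
			if covers(earlier, r) {
				findings = append(findings, fmt.Sprintf("line %d: shadowed by line %d and can never match", r.Line, earlier.Line))
				break
			}
		}
	}
	if n := len(rules); n == 0 || rules[n-1].Action != "deny" || !covers(rules[n-1], all) {
		findings = append(findings, "policy does not end with an explicit deny-all rule")
	}
	return findings
}

// SamplePolicy is a constructed rule set as left after a change that added 10.1.0.0/16.
const SamplePolicy = `permit tcp 0.0.0.0/0 192.0.2.10/32 443
permit tcp 10.0.0.0/8 192.0.2.0/24 22
permit tcp 10.1.0.0/16 192.0.2.0/24 22
permit any 0.0.0.0/0 0.0.0.0/0 any
deny any 0.0.0.0/0 0.0.0.0/0 any`

func main() {
	rules, _ := ParsePolicy(SamplePolicy)
	for _, f := range Review(rules) {
		fmt.Println(f)
	}
}
```

On the sample policy the review reports that line 3 is shadowed by line 2 (the new /16 is already inside the /8), that line 4 permits everything (a rule typically left over from troubleshooting), and that line 5 is shadowed by line 4, which means the deny-all that is present never takes effect. A real ruleset has more fields (interfaces, state, address objects), but the shadowing check is the same prefix-containment test.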
Figure 4. Sample mitigation strategies for civilian networks. [Figure: an Internet connection, an operations-support network, and two enterprise LANs interconnected through firewall and router (FW, R) pairs, DMZs, and a WAN, with the mitigation techniques numbered at the points where they apply: 1. IDS (network, host); 2. FW rules, filters; 3. Prevent source address spoofing; 4. Strong authentication; 5. Encryption; 6. DMZ design, DNS; 7. IP address management; 8. Patch management; 9. Virus scanning; 10. Single sign-on, role-based access control; 11. OS/server hardening; 12. Logs, 3rd-party security audits; 13. Password management; 14. Training.] DMZ—Demilitarized zone; DNS—Domain name server; FW—Firewall; IDS—Intrusion detection system; IP—Internet protocol; LAN—Local area network; OS—Operating system; R—Router; WAN—Wide area network.

Figure 5. Cryptographic link encryption. [Figure: two secret enclaves, each consisting of PCs on a switch behind a router, connected across a WAN through a KG at each end of the link.] KG—Cryptographic device; PC—Personal computer; WAN—Wide area network.

Non-civilian Networks
Although military networks have always been built with both security and open communication in mind, even these networks are being improved in new ways. Classified military communications are encrypted by applying NSA cryptographic devices (KGs) to the network links. (Because many communication networks are circuit-based [e.g., T1 and T3], early KGs were design­ed to encrypt a point-to-point circuit; therefore, KGs were deployed in pairs, one at each end of the circuit.) Figure 5 depicts cryptographic link encryption.
This implementation, although very secure, was
inefficient and inflexible, because it forced network
designers to construct multiple independent networks
based on the security level of the data passing over the
network. If an organization had to conduct business
within three different security classification levels,
three independent networks had to be constructed to
support the processing requirements of each individual
security classification level. Secret data, for instance,
could not be intermingled with unclassified data. This
security model became especially inefficient when two
or more security enclaves were housed within one
facility and multiple physical network interfaces had to
be provisioned. Figure 6 depicts link encryption sup-
porting multiple security classifications.
More recently, military packet-based encryption devices (including commercial-grade 3DES Internet protocol security [IPsec] devices) have modernized security architectures in several ways. Because packet-based encryption operates above layer 2 (i.e., the link layer), a packet-based encryptor protects discrete packets of data for one or more endpoint destinations, and each packet is encrypted just once, at the source encryptor, and decrypted just once, at the destination encryptor; the routers in between forward on the unencrypted outer header and never handle the payload in the clear. This provides more flexible end-to-end security associations and is a marked improvement over link encryption, which requires a separate encryption and decryption cycle at every hop of a multi-hop routed network, so that every intermediate node sees the plaintext. Network designers can also gain efficiencies when two or more security enclaves are present at the same network node. Unlike link-encryption techniques, packet-encryption techniques can support a cryptographically strong separation method within a single physical interface: each enclave's traffic is protected under its own keys, so a packet belonging to one enclave can be neither decrypted nor accepted as authentic by the endpoints of another, even though both share the same wire. When security policy allows, packet encryption in conjunction with other security techniques may therefore make possible a reduction in network circuits and equipment once multiplexing gains are taken into consideration. Furthermore, the privacy of sensitive but unclassified (SBU) network data is improved when commercial-grade encryption is applied. Figure 7 shows how packet encryption might be applied to networks supporting multiple security levels.
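The two properties claimed for packet-based encryption above, a single encrypt/decrypt cycle end to end and cryptographic separation of enclaves sharing one physical interface, as an added example that is not the paper's code and does not model any particular KG or IPsec product: a Go model in which each enclave has its own AES-256-GCM key (standing in for the device algorithm) and the cleartext outer header is authenticated together with the payload. The SPI values, site names and payloads are constructed; the link-encryption model is included only to count how many cryptographic operations a multi-hop path costs under each approach.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added example (not the paper's or any vendor's code): an ESP-style model in which
// a packet is sealed once at the source encryptor and opened once at the destination,
// with AES-256-GCM standing in for the device algorithm. SPIs and site names are made up.
type Packet struct {
	SPI      uint32 // security association; here one per enclave
	Src, Dst string // cleartext outer header, the only thing routers look at
	Nonce    []byte
	Ct       []byte // ciphertext || GCM tag
}

const SPISBU, SPISecret uint32 = 0x100, 0x200

// Encryptor holds keys only for the enclaves it is cleared to handle.
type Encryptor struct {
	sas map[uint32]cipher.AEAD
	Ops int // seal/open operations performed (for the cost comparison)
}

func NewEncryptor() *Encryptor { return &Encryptor{sas: map[uint32]cipher.AEAD{}} }

func (e *Encryptor) AddSA(spi uint32, key []byte) (err error) {
	var block cipher.Block
	if block, err = aes.NewCipher(key); err == nil {
		e.sas[spi], err = cipher.NewGCM(block)
	}
	return err
}

// header is authenticated as associated data, so relabelling a packet into another
// enclave or redirecting it to another site breaks the tag.
func header(spi uint32, src, dst string) []byte {
	return []byte(fmt.Sprintf("%08x|%s|%s", spi, src, dst))
}

func randBytes(n int) []byte { // crypto/rand; Read fails only if the OS source does
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func (e *Encryptor) Seal(spi uint32, src, dst string, payload []byte) (*Packet, error) {
	aead, ok := e.sas[spi]
	if !ok {
		return nil, fmt.Errorf("no SA for SPI %#x", spi)
	}
	nonce := randBytes(aead.NonceSize())
	e.Ops++
	return &Packet{spi, src, dst, nonce, aead.Seal(nil, nonce, payload, header(spi, src, dst))}, nil
}

// Open yields plaintext only with the right SA and an untouched header and ciphertext.
func (e *Encryptor) Open(p *Packet) ([]byte, error) {
	aead, ok := e.sas[p.SPI]
	if !ok {
		return nil, fmt.Errorf("no SA for SPI %#x: packet belongs to another enclave", p.SPI)
	}
	e.Ops++
	return aead.Open(nil, p.Nonce, p.Ct, header(p.SPI, p.Src, p.Dst))
}

// LinkEncryptForward models link encryption over hops links with a key per link: the
// payload is re-sealed and re-opened at every node, so every intermediate node sees
// plaintext and the AEAD operation count (returned) grows with the path length.
func LinkEncryptForward(payload []byte, hops int) ([]byte, int, error) {
	ops := 0
	for i := 0; i < hops; i++ {
		link := NewEncryptor()
		link.AddSA(1, randBytes(32)) // hypothetical per-link key
		p, err := link.Seal(1, "hop", "next", payload)
		if err != nil {
			return nil, ops, err
		}
		if payload, err = link.Open(p); err != nil {
			return nil, ops, err
		}
		ops += link.Ops
	}
	return payload, ops, nil
}

func main() {
	key := randBytes(32)
	siteA, siteB, sbu := NewEncryptor(), NewEncryptor(), NewEncryptor()
	siteA.AddSA(SPISecret, key)
	siteB.AddSA(SPISecret, key)
	sbu.AddSA(SPISBU, randBytes(32)) // SBU endpoint sharing the same physical interface
	p, _ := siteA.Seal(SPISecret, "siteA", "siteB", []byte("secret report"))
	pt, err := siteB.Open(p)
	_, sbuErr := sbu.Open(p)
	_, linkOps, _ := LinkEncryptForward(pt, 4)
	fmt.Printf("secret endpoint: %q %v\nSBU endpoint: %v\nAEAD ops over 4 hops: packet=%d link=%d\n", pt, err, sbuErr, siteA.Ops+siteB.Ops, linkOps)
}
```

The SBU endpoint fails for two independent reasons: it holds no security association for the secret SPI, and even a packet relabelled with the SBU SPI fails GCM authentication because the header is part of the authenticated data and the key is different. The operation count is the other half of the argument: packet encryption costs two AEAD operations whatever the path length, while link encryption costs two per hop.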
Figure 6. Link encryption supporting multiple security classifications. [Figure: Site A and Site B connected by three separate networks over the WAN, one per classification level: the sensitive but unclassified network (PCs, switch, and router at each site, with no KG), the secret network (PCs, switch, router, and a KG at each site), and the top-secret network (PCs, switch, router, and a KG at each site).] KG—Cryptographic device; PC—Personal computer; WAN—Wide area network.

Highlights of Civilian and Non-civilian Networks
Civilian networks implement standards-based solutions to ensure that the networks are secure when used for their intended purposes. Firewall policy and configurations [11], VPN implementation with tunneling, and encryption, for example, are all based on standards-compliant, interoperable protocols. Because these technologies interoperate across vendors, the availability of civilian network services such as VPN is high. The goals of civilian networks are to provide universal access and to provide adequate security for business and residential customer applications. In civilian networks, the prevention of threats and the avoidance, detection, and correction of security vulnerabilities by means of mitigation strategies is a continuous process. The trend is to make data and networks secure so that the loss due to threats is minimized and network availability is high.
Figure 7. Packet encryption in networks supporting multiple security levels. [Figure: Site A and Site B each house a top-secret enclave, a secret enclave, and an SBU enclave of PCs on switches; the two classified enclaves at each site are fronted by KGs and the SBU enclave by a commercial VPN device, and all three feed a single router and a single WAN connection per site, i.e., three security enclaves within one physical interface.] KG—Cryptographic device; PC—Personal computer; SBU—Sensitive but unclassified; VPN—Virtual private network; WAN—Wide area network.

Government computer systems and networks are high-profile targets for denial of service, virus, and other more sophisticated attacks. Not surprisingly, networks that are intended to be the most openly accessible are also subject to some of the most frequent attacks [8]. This fact highlights the security dilemma of providing a secure service while keeping it transparent and usable by those who need it. Because these systems are targets, many government networks have implemented a multifaceted defense-in-depth strategy to mitigate the risk associated with a single point of security failure. Civilian and non-civilian networks must remain vigilant and continue to adopt state-of-the-art techniques on an ongoing basis to prevent, detect, and correct potential vulnerabilities and threats.
Depending on their value, non-civilian network assets are protected by one or more security mechanisms and techniques. Highly valued facilities and networks typically have physical security mechanisms (e.g., fences, armed guards at the gates, biometric technology, and surveillance cameras). The specific requirements of each security dimension of the Bell Labs security model (i.e., access management, authentication, non-repudiation, data confidentiality, communication security, integrity, availability, and privacy) translate into specific techniques, methods, and tools. These must be implemented and enforced in planning, design, and policy definition, and in ongoing security programs covering incident response, security awareness, and training, so that the vulnerabilities that remain and the exposure to threats are minimal.
Global Trends in Security
In many parts of the world, the globalization of commerce and the increasing cooperation and interdependence of governments are generating increased interest in the security of civilian and non-civilian networks. In Europe, for example, organizations such as the European Telecommunications Standards Institute (ETSI), in conjunction with the ITU and the Internet Engineering Task Force (IETF), have focused on network security standards and the interoperability of security technologies. Recent developments in the growth of e-commerce and e-governance [6] in the European Union have resulted in the European Council recommending the creation of a European Network and Information Security Agency (ENISA) by the end of 2003. This agency will foster increased cooperation across Europe to ensure the security of networks and secure access to services. It will focus on fostering security best practices and providing a body of knowledge about security to enable the growth of information-age network services. International security standards [4] are of general use to all networks. The ISO/IEC 17799:2000 Code of Practice for Information Security Management is an example of voluntary security guidelines aimed at improving security in civilian and non-civilian networks by providing best practices for information security in organizations. Globally, because security is an enabler of civilian and non-civilian network growth, it is expected to continue to grow in importance.
Conclusions
Understanding network security posture is critical for both civilian and non-civilian networks. This can only be achieved by analyzing the synergies and the differing requirements of the two types of networks and by adopting a holistic approach to security. This holistic approach can be achieved by applying a comprehensive security framework, such as the Bell Labs security framework and model, in all phases of network development and maintenance. Government organizations are very active in leading and funding security-related activities and in working with private industry to foster standards development. This highlights both the importance of the national infrastructure and the interdependence of the national infrastructure and the economy of the country. Standards and government regulation and guidelines are critical to an interoperable security environment for civilian and non-civilian networks.

Civilian and non-civilian networks have their own requirements for maintaining transparent access for some applications and restricted access for others. While the requirements vary, the fundamental concepts of security planning, of assessment practices that focus on prevention, detection, and correction of threats and vulnerabilities, and of designing mitigation strategies are the same for both civilian and non-civilian networks. The Bell Labs security model, techniques, methodologies, and intellectual property serve as a good foundation on which to establish a comprehensive strategy and assessment program to secure infrastructure, services, and applications across the management, control, and user planes in both civilian and non-civilian networks.
*Trademarks
CERT and CERT Coordination Center are registered trademarks of Carnegie-Mellon University.
References
[1] American National Standards Institute (ANSI), “OAM&P—Security Framework for Telecommunications Management Network (TMN) Interfaces,” T1.233-1993 (R1999), Aug. 1993, <http://www.ansi.org>.
[2] Vanessa Antoine, Raymond Bongiorni, Anthony Borza, Patricia Bosmajian, Daniel Duesterhaus, Michael Dransfield, Brian Eppinger, Kevin Gallicchio, James Houser, Andrew Kim, Phyllis Lee, Tom Miller, David Opitz, Florence Richburg, Michael Wiacek, Mark Wilson, and Neal Ziring, “Router Security Configuration Guide,” Report no. C4-040R-02, NSA, 9/27/2002, ver. 1.1, <http://www.nsa.gov/snac/cisco/guides/cis-2.pdf>.
[3] CERT Coordination Center: Vulnerabilities, Incidents and Fixes, <http://www.cert.org/nav/index_red.html>.
[4] ISO/IEC 17799:2000, “Information Technology—Code of Practice for Information Security Management,” <http://www.iso.ch/iso/en/ISOOnline.frontpage>.
[5] A. R. McGee, S. R. Vasireddy, C. Xie, D. D. Picklesimer, U. Chandrashekhar, and S. H. Richman, “A Framework for Ensuring Network Security,” Bell Labs Tech. J., 8:4 (2003).
[6] Ministerial Meeting: “Tools of e-governance in the European Union and its South Eastern European Neighbours,” Ministerial Declaration, 2-3/5/2003, <http://unpan1.un.org/intradoc/groups/public/documents/untc/unpan009907.pdf>.
[7] NSA Rainbow Series (“Neon Orange Book”), NCSC-TG-003, version-1, National Computer Security Center, “A Guide to Understanding Discretionary Access Control in Trusted Systems,” 10/30/1987, approved for public release, Fort George G. Meade, MD 20755-6000.
[8] SANS/FBI Top 20 List, The Twenty Most Critical Internet Security Vulnerabilities, <http://www.sans.org/top20/#index>.
[9] Telcordia Technologies, “Generic Requirements for Security of Public Key Infrastructure (PKI) Supporting Telecommunications Management Network (TMN),” GR-3025-CORE Iss. 1, July 2001, <http://www.telcordia.com>.
[10] Virus Damage Estimates, <http://newsletter.varbusiness.com/cgi-bin4/DM/y/eMBV0EuiZF0hk0Bzlq0Az>.
[11] J. Wack, K. Cutler, and J. Pole, “Guidelines on Firewalls and Firewall Policy,” National Institute of Standards and Technology (NIST) Special Publication 800-41, Jan. 2002, <http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf>.
(Manuscript approved October 2003)
RAO VASIREDDY is a member of technical staff at Bell Laboratories, Lucent Technologies in Holmdel, New Jersey. He has many years of experience in the research and development of communication services. His current responsibilities include research and development of new services with a focus on end-to-end security. His other research interests include architecture and applications for IP VPN and quality of service. He has an M.S. degree in computer science from the University of Louisville, Kentucky, and an M.S. degree in electrical engineering from Regional Engineering College, Warangal, India.

STEVEN WOLTER is an engineering manager and solutions architect for defense programs and a member of Lucent’s Government Customer Team in Herndon, VA. He received a B.S. degree in computer science from the University of Maryland in Baltimore County and an M.S. degree in information systems from George Mason University in Fairfax, Virginia. Mr. Wolter is a recipient of GMU’s Master’s in Information Systems award. His current responsibilities include providing network security and telecommunications solutions to federal government programs.

UMA CHANDRASHEKHAR is technical manager of Advanced Network Security and Reliability in the Network Planning and Standards Center at Bell Labs in Holmdel, New Jersey. Along with her team, she addresses network security and reliability (technical and business) challenges in both wireless and wireline infrastructures. She has in-depth expertise and experience in systems engineering, standards planning, standards management, operations planning, network management, billing platform development, and data communications. She has led and managed strategic projects from concept to market in the areas of network operations, reliability, security, enablers, standards, network monitoring systems, and network management, and she has led industry teams in support of government work. Over many years of industrial experience, she has worked extensively with network operators, telecommunication research units, and equipment manufacturers, and she has six pending patents in security, operations, and reliability. She also has participated in a program on technology breakthroughs at Carnegie Mellon University as well as in a management program at Northwestern University’s Kellogg School of Management. Ms. Chandrashekhar holds bachelor’s and master’s degrees in electrical engineering, and she has held executive positions in the Canadian chapters of the IEEE.

ROBERT J. THORNBERRY JR., currently based in Naperville, Illinois, is a principal network architect and senior manager in the Integrated Network Solutions Chief Technology Office of Lucent Technologies. In this position, he is responsible for architectures, technical strategies, security, and service definitions for Lucent’s high availability and secure data networking offers. Prior to his current assignment, Mr. Thornberry held a number of development, planning, and architecture positions. He worked to create voice over Internet protocol (VoIP) solutions and network-based service architectures for converged networks. His development teams designed and delivered system integrity, fault recognition, and fault-tolerant call processing capabilities for the 5ESS™ switch and provided a reliable remote switching capability. His professional interests include IP service platforms, converged networks, and network security. Mr. Thornberry holds an A.A. degree in electronics technology and engineering from Montgomery College in Rockville, Maryland, a B.S. degree in electrical engineering from the University of Maryland in College Park, and an M.S. degree in electrical engineering and computer science from the University of California at Berkeley. He holds six patents and is a member of the IEEE and the Eta Kappa Nu and Tau Beta Pi honor societies.

ANDREW R. MCGEE is a distinguished member of technical staff in the Advanced Network Planning Department at Bell Labs Advanced Technologies in Holmdel, New Jersey. Mr. McGee has many years of data communications experience and is currently responsible for the development and analysis of advanced security architectures and security services for next-generation networks. His research interests include data network architectures and virtual private networking technologies, and he holds a patent in the area of data networking. Mr. McGee received a B.S. degree from Michigan State University in East Lansing, and an M.S. degree from Rutgers University in New Jersey, both in computer science.