Alcatel e-Business Networking Division Network Security: Issues, Processes and Technologies.

Presentation transcript:

Slide 1: Network Security: Issues, Processes and Technologies (Alcatel e-Business Networking Division, lawrence.chong@alcatel.com)

Slide 2: Agenda
- Network Security
- Threats
- Need for Security
- Security Processes
- Security Policies
- Network Security Technologies
- Alcatel's Strategy

Slide 3: Information Security is Key
- Historically, information was controllable through good state-of-the-art alarm systems and physical security
  - banks
  - R&D facilities
  - government complexes
  - airports
  - power grids
- Today, traditional businesses and services are controlled electronically
  - information security has not kept up with the times
  - traditional secure environments are now wide open

Slide 4: Network Security Threats
- Identity interception
  - "discovery" of a valid user ID & password
  - stolen files
- Masquerade
  - one user pretending to be another
  - address spoofing
- Replay attack
  - login monitoring and playback
  - protocol analyzers
- Data interception
  - intermediate capture of data
  - wiretaps and monitoring devices

Slide 5: Threats (cont.)
- Manipulation
  - unauthorized data change
  - virus
- Integrity
  - doubts as to data origin
- Macro viruses
  - application-specific viruses (Word & Excel)
- Denial of service attacks
  - data flooding of servers, consuming CPUs
- Malicious mobile code
  - auto-executables via ActiveX or Java

Slide 6: Growing Needs for Security
- Privacy
  - personal
  - governmental
- Multilevel security
  - classifications / need to know
- Anonymity
  - commercial
  - medical
- Authentication
  - proof of identity / accuracy
- Integrity
  - validity of data
  - datum's relationship to itself over time
  - has the data been modified since creation?
- Audit
  - records / logs
  - aids forensics
- Electronic currency
  - credit / debit cards
  - letters of credit
  - digital cash

Slide 7: "Security is a process, not a product" - Bruce Schneier

Slide 8: Network Security Process (closed-loop diagram)
Diagram labels, in the order they appear: Corrective Action; Evaluate (policies / processes, design, vulnerabilities); Implement (patches, new policies & designs, authentication, firewalls & VPNs, content security, intrusion detection); Monitor & Measure (self service); Improve (training / awareness, adherence, incident response team).

Slide 9: Elements of a Security Policy
(Diagram labels: General Employees, Watch Team, Forensics, Response, Attacker)
- Build a Security Team
  - skills and roles
- Training and Awareness
  - explaining security
- Physical Security
- Monitoring
  - logs and analysis
- Auditing
  - assess security posture
- Prepare for an Attack
  - incident response team
- Handling an Attack
- Forensics
  - analyze data

Slide 10: Network Security Technologies
- Authentication
  - Traditional
  - Public Key Infrastructure
  - Single Sign-On
  - Layer 2
- Firewalls
  - packet filtering
  - proxy
  - stateful inspection
- VPNs / Cryptography
  - Data Confidentiality
  - Data Integrity
  - Non-Repudiation
- NAT
- DNS
- Content Filtering
  - virus
  - URLs
- Intrusion Detection
  - network & host
- Vulnerabilities
  - network
  - host

Slide 11: Alcatel Security Solutions Strategy
- Embedded: adding value to core eND platforms through embedded security
- Standalone: delivering a full-function, standalone security appliance family
- Partnerships: establishing partnerships with organizations that offer security solutions outside of Alcatel's core business

Slide 12: Alcatel Omni Switch Family Security Features
(Diagram labels: Security to the switch, Security through the switch, Security between switches)
- Controlling management / attacks
  - Authenticated Switch Access (users)
  - Secure Switch Access (devices)
  - Denial of Service defenses
  - Partitioned Management
- Secure Traffic Management
  - Firewall/NAT (embedded FW-1)
  - Secure Switch Access (devices)
  - IP-based Access Control Lists
  - Authenticated VLANs (users)
  - Binding VLANs (devices)
  - Port Mapping
- Privacy & Authentication
  - Secure VPN Gateways (external)
  - VPN on OA512 (1Q02)
  - Router Authentication (RIP/OSPF/BGP4)

Slide 13: Port-Binding VLANs / Device Authentication
(Diagram: "Example Rule: Port + IP protocol", with IP and DEC as the protocol labels)
- Security at the switch port
- Device "bound" by VLAN policy, using one of these element combinations:
  - port + MAC + protocol
  - port + MAC + IP address
  - port + MAC
  - port + protocol
  - port + IP address
  - MAC + IP address
- The device fails authentication if any policy element is not met
- A violation results in an SNMP trap
- Applications
  - non-mobile systems (printers & servers)
  - reduces the likelihood of address spoofing
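The binding check on this slide, written out as an added example (not Alcatel's code): every element named in a device's binding policy must match what the switch observes, and any mismatch fails the device and produces a trap record. Rule and frame fields, the policy below and the trap layout are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class BindingRule:
    """A port-binding policy; elements left as None are not part of the binding."""
    vlan: int
    port: Optional[str] = None
    mac: Optional[str] = None
    protocol: Optional[str] = None   # e.g. "ip" or "dec", as on the slide
    ip: Optional[str] = None

@dataclass(frozen=True)
class Frame:
    """What the switch observes when a device transmits (constructed for the example)."""
    port: str
    mac: str
    protocol: str
    ip: Optional[str] = None

ELEMENTS = ("port", "mac", "protocol", "ip")

def unmet_elements(rule: BindingRule, frame: Frame) -> list:
    """Names of the rule's elements the frame fails to satisfy (empty = fully bound)."""
    observed = {"port": frame.port, "mac": frame.mac.lower(),
                "protocol": frame.protocol.lower(), "ip": frame.ip}
    missing = []
    for name in ELEMENTS:
        want = getattr(rule, name)
        if want is None:
            continue
        if name in ("mac", "protocol"):
            want = want.lower()          # MAC and protocol labels compare case-insensitively
        if want != observed[name]:
            missing.append(name)
    return missing

def authenticate_device(rules: list, frame: Frame):
    """Admit the device to the first VLAN whose policy it satisfies completely.
    Otherwise return (None, trap): the trap names the unmet elements of the closest
    rule, so an operator can see which binding element failed (trap format is assumed)."""
    closest = None
    for rule in rules:
        missing = unmet_elements(rule, frame)
        if not missing:
            return rule.vlan, None
        if closest is None or len(missing) < len(closest[1]):
            closest = (rule, missing)
    trap = {"event": "port-binding-violation", "port": frame.port,
            "mac": frame.mac, "unmet": closest[1] if closest else list(ELEMENTS)}
    return None, trap

# Constructed policy: a printer bound by port + MAC + IP, a server by port + MAC + protocol.
POLICY = [
    BindingRule(vlan=10, port="3/1", mac="00:d0:95:aa:bb:cc", ip="10.1.1.20"),
    BindingRule(vlan=20, port="3/2", mac="00:d0:95:11:22:33", protocol="ip"),
]
```

The second and third checks in the test show the two cases the slide is aimed at: the printer's MAC appearing on a different port, and the right MAC on the right port but with a different IP address.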

Slide 14: User Authentication at Layer 2
(Diagram labels: Authentication Server, Authenticated User, Backbone Switch, VLAN, User Authentication)
- Authenticates users at the switch port
  - permissions to users, not devices
- Leverages common authentication systems
  - RADIUS (front-ends RSA ACE/Server, NT Domain, NDS, etc.)
  - LDAP Directory Server
- Moves the user's MAC from the default VLAN to the authorized VLAN(s)
  - based on Group Mobility technology
- Once authenticated, operating at LAN speed
- Ideal for mobile environments
  - campus
  - cybercafes
  - hospitals

Slide 15: Alcatel XOS-based Security
- Feature Overview
  - software-based flow control based on
    - src/dst IP address
    - tcp/udp port numbers
    - icmp type
  - tied to the layer-7 classifier implementation
  - standard software for the OmniAccess 512
- Applications
  - control communications between networks
  - basic packet filtering without the typical cost
  - security embedded in the device
(Diagram: networks 10.1.1.x, 10.1.2.x, 10.1.3.x and 10.1.4.x; example rules "Src/dst = */*, Action = deny" and "Src = 10.1.1.x, dst = 10.1.2.x, type = http, Action = allow")
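An added example, not Alcatel XOS code, of the flow-control filter this slide describes: rules match on source/destination network, TCP/UDP port and ICMP type, and the slide's two rules are reproduced so that only HTTP from 10.1.1.x to 10.1.2.x passes. First-match ordering with the catch-all deny listed last is my assumption about how the two rules combine; the field names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FlowRule:
    """One flow-control rule: "*" means any address, None means the element is not checked."""
    src: str                        # CIDR network or "*"
    dst: str
    proto: str = "*"                # "tcp", "udp", "icmp" or "*"
    dport: Optional[int] = None     # tcp/udp destination port
    icmp_type: Optional[int] = None
    action: str = "deny"

@dataclass(frozen=True)
class Packet:
    """The header fields the classifier looks at (constructed for the example)."""
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

def in_network(addr: str, net: str) -> bool:
    return net == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def flow_rule_matches(rule: FlowRule, pkt: Packet) -> bool:
    """Every element the rule specifies must match the packet."""
    return (in_network(pkt.src, rule.src) and in_network(pkt.dst, rule.dst)
            and rule.proto in ("*", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type))

def filter_packet(rules: list, pkt: Packet) -> str:
    """The first matching rule decides; a packet that matches no rule is dropped."""
    for rule in rules:
        if flow_rule_matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed rule set reproducing the slide: HTTP (tcp/80) from 10.1.1.x to 10.1.2.x is
# allowed; the */* deny is listed last so the specific allow is tested first.
XOS_RULES = [
    FlowRule(src="10.1.1.0/24", dst="10.1.2.0/24", proto="tcp", dport=80, action="allow"),
    FlowRule(src="*", dst="*", action="deny"),
]
```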

Slide 16: Alcatel XOS-based Security: VPN on OmniAccess 512
(Diagram labels: Remote Office, Internet, Central Corporate, OA512, Security Appliance, VPN Tunnel)
- Feature Overview
  - add VPN to the OA512 (1Q02)
  - switching/routing, LAN/WAN, VoIP, ACLs and compression in one unit
  - VPN as an optional software module leveraging the OA512's Hi/fn chip
- Applications
  - full security feature support
  - provides a provisioning platform for routing / switching / VoIP / VPN
  - 1 box vs 2 or 3 boxes
  - interoperates with the central gateway

Slide 17: Alcatel Secure VPN Solution
- Key Points
  - Timestep: a first commercial VPN equipment provider
  - Core group of security experts is part of eND
    - we own the technology and roadmap
- Successes
  - U.S. Department of Defense and Federal Reserve (US)
  - Westpac, INSNET (AU), etc.
- Compliance with standards
  - IPSec
  - ICSA (Trusecure.com)
  - FIPS 140-1
- Seamless support for PKI
  - first VPN vendor to offer PKI support
- Product Set
  - 713x Secure VPN Gateways
  - Secure VPN Client
  - 5630 Secure VPN Management suite

Slide 18: Speed Touch Pro II
- Speed Touch Pro II = enhanced platform as compared to Speed Touch Pro
- Allows integration of the features of the Alcatel 713x Secure VPN Gateway onto this platform
(Diagram: Speed Touch Pro (xDSL/Ethernet) plus Alcatel 713x SVG, integrated into Speed Touch Pro II (xDSL/Ethernet))

Slide 19: Global Secure Remote Access and Branch Office (diagram only)
Diagram labels: Intranet, Internet, Alcatel 7137 Secure VPN Gateway, Firewall, Internet POP, Alcatel Secure VPN Client, Field agents, Branch office LAN, Head office LAN, Secure / Unsecure, LDAP-compliant directory, Alcatel 5631 Secure VPN Policy Manager and Entrust/PKI, Alcatel 7134 Secure VPN Gateway.

Slide 20: RO/BO Summary: a true security solution
- Edge / Core Switches
  - ACLs & embedded firewall/NAT
  - A-VLANs
- Standalone appliances
  - 713x VPN gateways
  - VPN/FW/NAT appliance
- VPN client software
  - Windows
- Switch-embedded VPN
  - RO/BO: OmniAccess 512
- Hardened switch OS
- Secure switch management
  - device & user
- Common management
  - standalone today
  - integrate with OmniVista with SecureView tomorrow
(Diagram labels: RO/BO, VPN Tunnels, OA512, OmniPCX, VPN Client, Security Appliance, OmniVista w/ SecureView, SO/HO, Internet, Central Site, DSL)

Slide 21: Thank You (Alcatel e-Business Networking Division)

