Dr. Hossein Eslambolchi
Global Service providers and their customers are facing growing problems. They are now required to protect their network and computing infrastructures from attack by amateurs, malicious intruders, industrial spies, cyber-criminals, and potential cyber-terrorists. The 2004 E-Crime Watch survey of security and law enforcement executives by CSO magazine, the U.S Secret Service, and the CERT Coordination Center found an increase in e-crimes and network, system, or data intrusions over 2011. According to the survey, 50 percent of respondents reported an increase in e-crimes and intrusions over the previous year, and 80 percent reported at least one e-crime or intrusion was committed against their organization. Moreover, survey respondents estimate that e-crime cost their organizations approximately $3.0 billion in 2011 alone. Beyond actual losses, corporations in the United States and abroad now face legal liabilities if they fail to ensure the availability of their networks and protect the privacy of business and personal data.
Network vulnerability has increased since the Internet shifted from restricted access and availability to unlimited access from anywhere, at any time. Furthermore, the base IP protocols like TCP and UDP as well as supporting technologies such as DNS and the BGP routing protocol deployed in the Internet’s “Age of Innocence” were not developed with security in mind, and the complexity of modern systems and software has resulted in implementation errors that can be exploited by attackers.
Networks, primarily IP networks that are part of the Internet, are prone to attack because of the vulnerabilities that are unique to packet-based networks. These vulnerabilities fall into three key areas: inherent protocol vulnerabilities, implementation errors and configuration errors.
• Protocol vulnerabilities: Unlike voice, private line, or frame relay, there is no “admission control” mechanism that’s part of the protocol suite itself. Anyone who has a connection to the network can inject packets into it. There is no mechanism for deciding which packets should be allowed into the network or not. This “open admission” architecture makes it easy for hackers or others wishing to cause harm to inject their destructive traffic. In addition, there are no authentication mechanisms inherent in the IP protocol. Anyone with a connection can send traffic, and their authority to do so is not questioned.
Authentication has to be added to the edges or in other areas of the network’s design for it to happen at all; it’s not part of the base protocol design. The IP protocol, actually a suite of related protocols including IP, UDP, and TCP, to name a few, is vulnerable to many different types of denial of service (DoS) attacks, including session hijacking and cache poisoning. This problem is particularly serious when applied to control plane technologies, such as the domain
name system (DNS) and the border gateway protocol (BGP).
Thus, DoS mitigation and authentication as technologies need to be retrofitted so that an IP network that’s part of the Internet can be protected against DoS attacks. In order to maintain availability and performance, a public IP network and its supporting systems need to be protected just like a physical infrastructure — at multiple locations and points of entry.
• Implementation errors: In their haste to introduce the new features required by enterprises, vendors often neglect design choices that promote security. A constant stream of security advisories emanates from major vendors, thus posing an ongoing challenge to carriers and enterprises to secure their infrastructure. Often within days of these announcements, hackers have already developed exploits.
• Configuration errors: All of the components of the network (routers, firewalls, DNS servers, etc.) must be configured to control and customize their behavior and thus maximize potential security. The vendors of these products provide extremely complex, and often primitive, low-level languages for configuring the components, making these systems difficult and expensive to configure — and the configuration process prone to error.
An added complication is the complexity of configuration languages, the vendor’s dependence on them, and the continual changes that the languages are subjected to. These factors make it difficult to fully automate the configuration of the components. Despite these challenges, service providers will need to continue to develop a number of automated systems that help to mitigate potential security vulnerabilities introduced by configuration errors.
This section describes the basic principles adopted by service providers in managing their corporate enterprises and securing their networks and services. Subsequent sections will provide examples of how each of these principles is put into practice.
Providers should adhere to the following core security principles:
• Defense in Depth: One of the fundamental security design principles for service providers is a “Defense-in-Depth” strategy. This strategy provides a multi-layered secure environment. Defense-in-Depth ensures that many integrated mechanisms provide multiple levels of protection against attacks. Should one security mechanism be breached, other mechanisms continue to provide protection and prevent or limit the potential damage.
• Prevention: Service providers should focus on preventing network attacks by designing security into every network and service from the start, from architecture to deployment. They need to use the best available methods and technology, and they must design networks with security as a primary concern. Service providers should adopt measures to ensure that their network, systems, and services are secure against all known attacks.
• Security Management: Service providers should focus on deploying a variety of methods and systems for dealing with the evolving security environment. Areas of interest should include software management and system integrity; configuration management, traffic measurement and detection; response and mitigation; and post-event analysis and remediation. As part of this effort, providers will need to bring intelligence into the IP network to eliminate the costly inefficiencies of deploying security solutions at the edge of the network.
• Innovation Transfer: Service providers need to treat its enterprise network and infrastructure as a “living laboratory” where innovations are put into place and rigorously tested for feasibility, scalability, and reliability. They need to continue developing and implementing security innovations on their enterprise network first, and then extend those technologies to the networks and services provided to customers. A number of innovations discussed below were developed in this fashion.
Designing Security: Rigorous Processes
For many service providers and enterprise networks worldwide, security begins with security policy and requirements (ASPR). This family of policies and practices governs security in every service, from operating systems to operations. For each new service or feature, the service provider’s security team works closely with product management, systems architects and engineers, developers, and testers to ensure that security is built into the service or feature. For new services, the security team leads formal reviews that include subject matter experts (SMEs) for the services working closely with expert reviewers from the service providers’ security community.
Designing Security: Domain Separation
Service providers — as corporations and IP services suppliers — employ the principle of domain separation for their internal networks and for managing customer networks. Domain separation ensures that communications between domains are allowed only as authorized. Communications travel through designated gateways, which can detect suspicious activity and block it if necessary. If one domain is compromised in a security incident, domain separation protects the other domains from compromise and contains the incident, limiting the damage.
While networks and the Internet are generally perceived as being all about openness, in practice there is no real business need for everyone on a company’s network to access everything on that network. Common examples are the HR and Payroll records – they need to be protected rather than shared with all the company’s employees. The same principle applies to systems and whole networks. Different systems and networks have different characteristics, access needs, and personnel. Systems that access the Internet have different protection needs from systems that are completely internal to the company. It’s clear that different systems should be treated as separate entities, each with its own protection needs and level of trust. An entity that comprises one or more systems and networks, all with a common function, constitutes a domain. Each domain must have a set of rules for communication within the domain and another set for communication outside the domain.
Domain separation entails allowing communications between two domains to occur in a tightly controlled manner, through only a few communication points and under close scrutiny based on the type of traffic, its source, destination and volume. These few communication points are usually called choke points, or more generically security gateways, and the rules applied at each are called choke filtering. Service providers should employ this practice extensively within their corporate intranet as well as on their various service networks and between operational networks and network management infrastructures. Network management domains are strictly separated from the operational networks themselves.
Service provider points of presence should be built with multiple security zones. Within the buildings themselves only authorized technicians would be able to access equipment on an as-needed basis; visiting technicians and employees must be escorted at all times. Network equipment from different network layers (such as transport and IP) is secured in separate rooms with additional physical security mechanisms.
Service providers’ Internet data centers must be built in data center facilities that are designed for security. The data center architecture should include several logical zones for security. Each zone should have different requirements for security and be segmented so that traffic cannot leak between zones. Various complementary mechanisms would be deployed to maintain segmentation.
Designing Security: Hardening Infrastructure Elements
Network infrastructure security includes both host-based and network-based security. The foundation of infrastructure security is a secure server. All servers are “hardened” per vendor, industry, and internal recommendations. Host-based agents continuously monitor servers looking for unauthorized changes in software and configurations.
In addition to hardening the network elements themselves, service providers need to deploy a number of measures to protect against denial of service attacks at the host and element, network, and service (application) levels.
Service providers worldwide need to deploy state-of-the-art security mechanisms to protect their global IP network and IP services against denial of service (DoS) and other attacks.
Designing Security: Separate Services over IP Infrastructure
Voice over IP (VoIP) poses particular security challenges to carriers due to the protocol design itself. With VoIP both the signaling as well as the actual voice messages (called media) are carried in-band, thus making signaling vulnerable to the same security risks as other Internet traffic.
Recognizing these challenges, service providers should design separate “services over IP” architecture to carry traffic such as VoIP. I once called such architecture XoIP, where the X is a variable standing for a number of possible services that might be carried over IP; voice is merely one flavor of XoIP.
Such a XoIP infrastructure functions as an overlay network on top of service provider’s public MPLS IP network. The services over IP architecture needs to be designed in multiple layers, consistent with “defense in depth” principles, in order to ensure security of these communications. The design principle of layers is consistent with the general architecture used in protecting corporate assets in the Internet, and includes three security domains, each with its own security requirements. To further enhance the security of these communications, service providers should also deliberately depart from the “any-to-any” Internet communications model; strict boundaries will define which device can communicate with which device, providing additional control.
An additional challenge with VoIP is that SIP servers and associated devices have not been designed and built with security as a priority. Most of them do not include firewall functions as part of their configuration. Therefore, in order to ensure the security of our services over IP infrastructure and our customers’ traffic, a Border Element needs to be defined within the service providers’ services over IP architecture. A border element is an intermediary between the trusted domain and the untrusted domain, and thus provides an additional layer of security over that provided inherently within VoIP devices. By creating this design element service providers will also need to protect the services over IP call processing and management infrastructure by using multiple firewalls. Together, they will create a demilitarized zone (DMZ) between border elements and call control elements (CCEs) within a separate “Trusted Domain.”
Under a denial-of-service (DoS) attack, the border elements may be allowed to fail in order to protect the rest of the services over IP infrastructure. A multi-pointed or distributed DoS (DDoS) attack can be waged using multiple customer premise equipment (CPE) within a single customer network to simultaneously generate a large quantity of signaling or media packets directed to a specific customer’s border element. This type of attack is prevented by barring a border element from processing packets from the CPE assigned to another element.
Service provider or enterprise networks must adhere to three security domains:
• Un-trusted: includes all elements of either customer or peer networks that are connected to service provider border elements. These elements are not within service provider control, so they cannot be assumed to be secure.
• Trusted: consisting of provider-owned and -operated network elements, including call control elements that communicate only with other service provider devices — never directly with CPE.
• Trusted but vulnerable: includes edge devices and border elements that communicate with both internal service provider devices and CPE edge networks.
Securing Service Provider Networks, Systems, and Services
Service providers must be able to enable massive security around their private IP-MPLS. This is also true for enterprise customers.
MPLS should become the key technological component underpinning service provider’s current and future network evolution.
At the network edge, service providers should establish a rigorous set of security techniques and practices. They should also implement RFC 2547 to assure the isolation and separation of virtual private networks (VPN). This is necessary, but not sufficient, to protect the integrity and privacy of a VPN. A carrier must also protect the service infrastructure against compromise or overload that might subvert the VPN.
Service providers should also use the following measures to protect their shared infrastructure:
BGP Authentication: Border gateway protocol (BGP) MD5 authentication should be implemented on all service providers’ peering links and can be implemented on customer access links. MD5 authentication on BGP routing ensures that route announcements for a given network (autonomous system) are indeed being received from that network and not an imposter. It also prevents BGP resets from being received by an unauthorized source, thus helping to maintain network stability.
•Least Privilege: Infrastructure routers and provider edge interfaces are hardened by turning off, or severely restricting, unnecessary protocols and ports.
•Limits: Route dampening is used to limit the rate, or total number, of route update transactions performed by a router.
•Center and Service Complex Protection: Network management centers, data centers, and service complexes — like the XoIP infrastructure described above — are further protected by firewalls and intrusion detection systems, another example of domain separation.
•Automation of perimeter security tools to protect service providers’ MPLS core; service providers should also focus on automated methods to ensure that customer-edge to provider-edge routes are properly managed and represented in VPN Forwarding and Routing (VFR) instances. Service providers should develop tools to support MPLS VPN environment management.
•Monitoring of IP traffic to provide early warning of Internet viruses and worms. Traffic flow is captured, monitored and analyzed to identify clear patterns of network anomalies.
•Control of operational security in service providers’ core networks should be strictly enforced to maintain high levels of reliability and availability. To accomplish this, providers’ operations should follow mature and proven methods and procedures. These methods should be certified, wherever appropriate, to the highest industry standards. Additionally, all incidents must be subject to comprehensive root cause analysis to ensure that processes are improved.
•Response to security incidents by proactive teams trained in the details of MPLS as well as IP security. Service providers should utilize a multi-tiered approach to identify, respond to, and mitigate any detected security problems.
Enterprise Network Management
Service providers need to build a comprehensive multi-pronged program that will institute a disciplined and structured infrastructure to manage internal computing assets. These areas are:
• Advisory Management: Establish a process to receive and categorize vendor advisories for subsequent distribution to administrators, developers, and system owners.
• Patch Verification: Implement a process that ensures patches are applied for networked infrastructure.
• Information Repository: Establish a means to obtain information about networked devices. Such a repository helps identify and remediate devices that are vulnerable or infected by a worm or virus.
• Network Access Controls: Implement an automated process to disconnect vulnerable devices and ensure only registered devices are allowed to connect to the network.
As a large, technology-driven corporation, service providers have many internal applications that employees need to access.
Controlling access to more than a thousand applications is a security challenge. Service providers need to develop a Common Security Platform (CSP) to manage this authentication process. The CSP is a single-sign-on authenticating web proxy, built from off-the-shelf tools. The CSP uses public key cryptography for sharing user credentials with application web servers. It is used ubiquitously across service provider internal web applications.
Honoring the fundamental security principle of leveraging internally-developed technology to serve customers, the CSP platform is used as the single sign-on authentication and authorization platform.
DoS mitigation: Service providers also need to employ a variety of methods to detect and mitigate Denial of Service (DoS) attacks emanating from the Internet. Techniques include Perimeter Black holing, which uses a routing protocol such as BGP to divert traffic to a “bit bucket” into which packets are discarded before reaching their intended victim. Another similar technique, described later, diverts traffic to a packet scrubbing facility that can mitigate the malicious packets before sending the traffic back to its original destination.
•Dark-space Monitoring: Another facet of security analysis associated with the IP network is dark-space monitoring. Dark spaces are IP address blocks that are not registered to individual enterprise customers.
Most attackers do not know what IP address space is in use. They often randomly search for active hosts with a goal of wreaking havoc on any available victim. Thus, any activity addressed to unassigned space is at a minimum erroneous. In fact, it is likely malicious traffic, searching for vulnerable hosts. By observing the activity in this unassigned IP address space, service providers can gain valuable knowledge about attack patterns. Thus, studying “dark space” provides a method for detecting malicious traffic patterns by employing unused or privately routed address space to listen to Internet and network noise.
•Wireless Security: Recognizing that convergence is taking place at the “edges” of networks as well as the core, service providers must be actively involved in the development of wireless security protocols. Providers must take a leading role in the IETF, ITU, and IEEE. Wireless technologies were developed without security as part of the initial design, and multiple approaches to wireless security protocols have been developed, each with their own imperfections. Wireless Service Providers should play an active role in these standards bodies to ensure that strong and effective end-to-end wireless security is developed. Without it, enterprises will be unable to utilize wireless technology in a secure manner. As voice and data co-mingle on the same wireless LAN infrastructure, securing these end-points at the enterprise level and as well at the network entrance becomes critical to assuring the security of all an enterprise’s communications.
•Control Plane Monitoring: Service providers must also develop a number of tools to monitor activity in the network control plane. This type of monitoring has historically been very limited because the control plan operates autonomously, but is very useful for capturing clues to instability in the IP network.
OSPF (Open Shortest Path First) is a widely deployed intra-domain routing protocol. It is a link-state protocol; i.e., each network router “learns” the entire network topology and computes a shortest path tree (SPT) using the topology as a graph. Each router uses SPT to build its routing table. In order to disseminate topology information, routers describe their local connectivity in Link State Advertisements (LSAs) and flood them in the entire network. Despite widespread use of OSPF, very few tools exist for effective management and operation of OSPF networks.
The Border Gateway Protocol (BGP) is used to accomplish inter-domain routing. It is the “glue” that holds the Internet together, enabling all its networks to communicate with each other through the exchange for availability information. BGP is used at the “edges” of networks and is employed to exchange Internet routes between ISPs and between ISPs and their customers.
All of this information demonstrates the need for a deep commitment to security, both within the networks and within services.
The service provider commitment to security is a constant battle at the dawn of the 21st century, a battle that will continue for many years.
Technology trends point to the emergence of a global “virtual society.” Mobility will become the norm as businesses and consumers demand a multitude of digital services that can be accessed over IP networks from anywhere, at any time, by anyone. This trend will be driven by such technologies as services over IP, broadband communications and wireless Internet.
Service providers and enterprise customers need to commit to a deep security discipline and work at developing new practices and technologies that enhance security. There are great innovators out there — Solera Networks, for instance — with line-rate massive DPI that will allow any company to mitigate major threats.
Many vendors will leverage the power of quantum computing to enhance security on all possible fronts. These include embedding security into all computing and networking devices, developing “smart agents” to spot troubles and respond to them immediately, and building self-healing capabilities into systems and networks.