
Bell Labs Network Security Model


  1. Andrew R. McGee Distinguished Member of Technical Staff Lucent Technologies Bell Labs April 2, 2003 Bell Labs Network Security Model Track 5.4 -- Emerging Network Security Technology: A Lucent Bell Labs Prospective

  2. Topics
  Building the Network Security Model:
  • Security Threats.
  • Security Layers.
  • Security Planes.
  • Security Dimensions.
  Applying the Network Security Model to Network Security Assessments:
  • Network, Host and Service Discovery.
  • Data Fusion - Putting it All Together.
  • Producing Meaningful Results.

  3. Types of Network Security Threats¹
  • Interruption (An Attack on Availability):
    • Network Becomes Unavailable or Unusable
    • Examples:
      • Malicious Destruction of a Network Element
      • Erasure of a Software Program or Data File
      • Cutting of a Communication Facility
  • Interception (An Attack on Confidentiality):
    • An Unauthorized Access to an Asset
    • Examples:
      • Unauthorized Data Capture (Data Sniffing)
      • Discovery of Unprotected WLAN Access Points
  • Modification (An Attack on Integrity):
    • An Unauthorized Tampering with an Asset
    • Examples:
      • Changing Network Configuration Information
      • Changing Data as it is Being Transmitted Across the Network
  • Fabrication (An Attack on Authenticity):
    • Unauthorized Creation, Modification, or Deletion of Objects on a Network
    • Examples:
      • Unauthorized Access to the Network
      • Insertion of Spurious Messages on the Network
      • Addition of Records to a Database
  ¹ C. Pfleeger, Security in Computing, Prentice Hall, Upper Saddle River, NJ, 1997.

  4. Security Layers
  • Applications Security Layer:
    • Network-Based Applications Accessed by End-Users
    • Includes:
      • Fundamental Applications (e.g., Web Browsing)
      • Basic Applications (e.g., Directory Assistance and Email)
      • High-End Applications (e.g., E-Commerce)
  • Services Security Layer:
    • Services Provided to Customers or End-Users
    • Range from Basic Transport to High-End, Value-Added Services.
    • Examples:
      • Carrier Facilities (DS-1, DS-3, etc.)
      • Frame Relay, ATM, IP Connectivity
      • VoIP, QoS, IM, Location Services
      • 800-Services
  • Infrastructure Security Layer:
    • Fundamental Building Blocks of Networks, Services, and Applications.
    • Individual Network Elements and the Interconnecting Communications Facilities
    • Examples:
      • Individual Routers, Switches, Servers
      • Point-to-Point WAN Links
      • Ethernet Links
  [Diagram: the three Security Layers (Applications Security, Services Security, Infrastructure Security) stacked; Threats (Interruption, Interception, Modification, Fabrication) exploit Vulnerabilities to produce Attacks. Vulnerabilities Can Exist In Each Layer.]

  5. Security Layers Apply to Every Protocol Layer
  Example - Applying Security Layers to ATM Networks (Layer 2):
  • Infrastructure Security Layer:
    • Individual ATM Switches
    • Point-to-Point Communication Links Between Switches (e.g., DS-3 links, OC-48 links, etc.)
  • Services Security Layer:
    • ATM Service Classes: CBR, VBR-RT, VBR-nRT, ABR, UBR
  • Applications Security Layer:
    • ATM-Based Video Conferencing Application
  Example - Applying Security Layers to IP Networks (Layer 3):
  • Infrastructure Security Layer:
    • Wireline NEs: Individual Routers, Servers
    • Wireless NEs: PDSN, SGSN, GGSN
    • Communication Links Between NEs - Note: Could be ATM PVCs
  • Services Security Layer:
    • Basic IP Transport
    • IP Support Services (e.g., AAA, DNS, DHCP)
    • Value-Added Services (e.g., VPN, VoIP, QoS)
  • Applications Security Layer:
    • Basic Applications (e.g., ftp, Web Access)
    • Fundamental Applications (e.g., Email)
    • High-End Applications (e.g., E-Commerce, Training)

  6. Security Planes
  • End-User Security Plane:
    • How Customers Access and Use the Network
    • Represents End-User Data At Rest and In Motion
    • End-Users May Use the Network For:
      • Basic Connectivity/Transport
      • Value-Added Services (VPN, VoIP, etc.)
      • Access to Network-Based Applications (e.g., Email)
  • Management Security Plane:
    • Concerned with OAM&P of Network Elements, Transmission Facilities, Operations/Business Systems
    • Concerned with Management and Provisioning of Network Services and Applications
    • Supports the FCAPS Functions
    • May Be In-Band or Out-of-Band
  • Control/Signaling Security Plane:
    • Enables the Efficient Delivery of Information, Services, and Applications Across the Network
    • Machine-to-Machine Communications to Determine How to Best Route or Switch Traffic Across the Network
    • May Be In-Band or Out-of-Band
  Vulnerabilities Can Exist In Each Layer and Plane

  7. Example: Applying Security Planes to Network Activities/Protocols

  Security Plane            Activities                                    Protocols
  End User                  End-User Data Transfer                        HTTP, RTP, POP, IMAP
                            End-User - Application Interactions           TCP, UDP, FTP
                                                                          IPSec, TLS
  Control/Signaling         Update of Routing/Switching Tables            BGP, OSPF, IS-IS, RIP, PIM
                            Service Initiation, Control, and Teardown     SIP, RSVP, H.323, SS7
                            Application Control                           IKE, ICMP
                                                                          PKI, DNS, DHCP, SMTP
  Management                Operations                                    SNMP
                            Administration                                Telnet
                            Management                                    FTP
                            Provisioning                                  HTTP
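The plane-to-protocol mapping of slides 6 and 7 is what an assessor applies first to captured traffic: sort each flow into a plane, then look at the management plane, where the slide's own protocol list (SNMP, Telnet, FTP, HTTP) is entirely cleartext and where "in-band" access is the usual finding. The following is an added example written for this page, not code from the slides or from Lucent: it classifies constructed flow records by plane and runs those two management-plane checks. The port numbers, the address ranges for the element management interfaces and the OAM&P network, and the sample flows are all assumptions of the example; the slide names protocols only.

```python
"""Added example: classify flows into the three security planes of the model
(slide 7 mapping) and run two management-plane checks. Ports, addresses and
flows are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Protocol names as listed on slide 7. The port numbers are this example's
# assumption (IANA well-known ports); the slide names protocols only.
PROTOCOL_BY_PORT = {
    161: "SNMP", 162: "SNMP", 23: "Telnet", 21: "FTP", 80: "HTTP", 443: "TLS",
    179: "BGP", 5060: "SIP", 500: "IKE", 53: "DNS", 67: "DHCP", 25: "SMTP",
    1720: "H.323", 110: "POP", 143: "IMAP",
}
CONTROL_PROTOCOLS = {"BGP", "SIP", "IKE", "DNS", "DHCP", "SMTP", "H.323"}
MANAGEMENT_ONLY = {"SNMP", "Telnet"}   # listed under the management plane only
# FTP and HTTP appear under both the end-user and the management plane on the
# slide, so for them the destination decides: traffic to a network element's
# management address is management-plane traffic.
# SNMPv1/v2c community strings and Telnet/FTP/HTTP passwords travel unencrypted.
CLEARTEXT_MANAGEMENT = {"SNMP", "Telnet", "FTP", "HTTP"}

# Assumed topology for the example.
NE_MANAGEMENT = ip_network("10.255.0.0/24")   # management addresses of network elements
OAMP_NETWORK = ip_network("10.250.0.0/24")    # out-of-band OAM&P network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # transport: "tcp" or "udp"
    dport: int

    @property
    def service(self) -> str:
        return PROTOCOL_BY_PORT.get(self.dport, "unknown")


def classify_plane(flow: Flow) -> str:
    """Return 'control/signaling', 'management' or 'end-user' for one flow."""
    if flow.service in CONTROL_PROTOCOLS:
        return "control/signaling"
    if flow.service in MANAGEMENT_ONLY or ip_address(flow.dst) in NE_MANAGEMENT:
        return "management"
    return "end-user"


def assess_management_plane(flows):
    """Two checks on management-plane flows; returns (flow, finding) pairs."""
    findings = []
    for flow in flows:
        if classify_plane(flow) != "management":
            continue
        if ip_address(flow.src) not in OAMP_NETWORK:
            findings.append((flow, "in-band management access from outside the OAM&P network"))
        if flow.service in CLEARTEXT_MANAGEMENT:
            findings.append((flow, f"{flow.service} management session carries credentials in cleartext"))
    return findings


# Constructed sample flows (src, dst, transport, destination port).
SAMPLE_FLOWS = [
    Flow("10.250.0.5", "10.255.0.1", "udp", 161),    # SNMP poll from the OAM&P network
    Flow("192.0.2.10", "10.255.0.1", "tcp", 23),     # Telnet to a router from the Internet
    Flow("10.0.0.1", "10.0.0.2", "tcp", 179),        # BGP between two routers
    Flow("192.0.2.10", "198.51.100.7", "tcp", 443),  # customer browsing a web server
    Flow("192.0.2.10", "10.255.0.3", "tcp", 80),     # HTTP to an element's management interface
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src:>12} -> {flow.dst:<14} {flow.service:<7} {classify_plane(flow)}")
    for flow, finding in assess_management_plane(SAMPLE_FLOWS):
        print(f"FINDING {flow.src} -> {flow.dst}:{flow.dport}: {finding}")
```

Run as a script it prints the plane of each sample flow and five findings: the SNMP poll is cleartext even though it comes from the OAM&P network, and the Telnet and HTTP sessions to element management addresses are both in-band and cleartext. The BGP session is control-plane traffic and the HTTPS session is end-user traffic, so neither is examined by the management-plane checks.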

  8. Security Dimensions Address the Breadth of Network Vulnerabilities
  • Access Management:
    • Limit and Control Access to Network Elements, Services, and Applications.
    • Techniques Include: ACL, Firewall, IDS, Password, Security Token, RBAC.
  • Authentication:
    • Ensure Proof of Identity of the Claimed Entity (Person, Device, Application).
    • Techniques Include: Shared Secret, PKI, Digital Signature, Digital Certificate.
  • Non-repudiation:
    • Prevent the Denial of an Activity on the Network or Transmission Through a Network.
    • Techniques Include: System Logs, Digital Signatures, Asymmetric Encryption.
  • Data Confidentiality:
    • Ensure the Confidentiality of Data to Prevent Unauthorized Viewing.
    • Techniques Include: Encryption.
  • Communication Security:
    • Ensure Information Only Flows from the Source to the Destination.
    • Techniques Include: VPN, MPLS, L2TP, Source Path Routing.
  • Integrity:
    • Ensure that Data is Received as Sent or Retrieved as Stored.
    • Techniques Include: MD5, Digital Signature, Anti-Virus Software. (Note: an unkeyed hash such as MD5 only detects accidental corruption; an attacker who can modify the data can recompute it, so integrity against an active attacker requires a keyed MAC or a digital signature.)
  • Availability:
    • Ensure Network Elements, Services and Applications are Available to Legitimate Users.
    • Techniques Include: Reliable Network Design, IDS, Network Redundancy, and Disaster Recovery.
  • Privacy:
    • Ensure that Confidential Information about the End User, Network Element, and Network Architecture is Not Disclosed to Unauthorized Entities.
    • Techniques Include: Encryption, Service Level Agreement, etc.

  9. Bell Labs Network Security Model
  [Diagram: Security Layers (Infrastructure Security, Services Security, Applications Security) x Security Planes (End User Security, Control/Signaling Security, Management Security) x 8 Security Dimensions (Access Management, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Integrity, Availability, Privacy); Threats (Interruption, Interception, Modification, Fabrication) exploit Vulnerabilities to produce Attacks. Vulnerabilities Can Exist In Each Layer, Plane, Dimension.]
  • Applicable To:
    • Wireless, Wireline and Optical Networks
    • Voice, Data, and Converged Networks
    • Any Layer of the Protocol Stack
    • Management, Administrative and Data Center Networks
    • SP Infrastructure Networks
    • Enterprise Networks
  • Supported by Government Agencies & Standards Bodies:
    • NSIE
    • NSTAC
    • NRIC
    • DHS
    • ITU-T SG17
    • Industry Canada

  10. Methodical & Modular Approach to Network Security Analysis (The Bell Labs Network Security Model in Tabular Form)
  The Eight Security Dimensions (Access Management, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Integrity, Availability, Privacy) Are Applied to Each Security Perspective:

                            Infrastructure Layer    Services Layer          Applications Layer
  Management Plane          8 Security Dimensions   8 Security Dimensions   8 Security Dimensions
  Control/Signaling Plane   8 Security Dimensions   8 Security Dimensions   8 Security Dimensions
  End User Plane            8 Security Dimensions   8 Security Dimensions   8 Security Dimensions

  • Execute:
    • Top Row for Analysis of the Management Network
    • Middle Column for Analysis of Network Services
    • Intersection of Each Layer and Plane for Analysis of a Security Perspective
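The tabular form on slide 10 is 3 planes x 3 layers x 8 dimensions, 72 cells, and the slide's three ways of executing it (top row, middle column, one intersection) are just three selections from that table. The following is an added example written for this page, not code from the slides or from Lucent: it holds the table as a data structure, records a result per cell, exposes the three selections as queries, and reports which cells of each perspective are still unassessed, which is what keeps an assessment from silently skipping a dimension. The row order below Management, the `record` status values and the sample results are this example's own constructions.

```python
"""Added example: the Bell Labs tabular model (slide 10) as a data structure
with the slide's three queries. Sample results are constructed placeholders."""
from itertools import product

PLANES = ("Management", "Control/Signaling", "End User")   # rows, Management on top
LAYERS = ("Infrastructure", "Services", "Applications")     # columns, Services in the middle
DIMENSIONS = ("Access Management", "Authentication", "Non-repudiation",
              "Data Confidentiality", "Communication Security", "Integrity",
              "Availability", "Privacy")


def build_model():
    """All 72 cells (plane, layer, dimension), each initially unassessed (None)."""
    return {cell: None for cell in product(PLANES, LAYERS, DIMENSIONS)}


def record(model, plane, layer, dimension, status, note=""):
    """Record one result. status is 'ok' or 'finding'. A key that is not a cell
    of the model is rejected, so a typo cannot silently create a 73rd cell."""
    key = (plane, layer, dimension)
    if key not in model:
        raise KeyError(f"not a cell of the model: {key}")
    if status not in ("ok", "finding"):
        raise ValueError(f"status must be 'ok' or 'finding', got {status!r}")
    model[key] = (status, note)


def perspective(model, plane, layer):
    """Intersection of one plane and one layer: its 8 dimensions."""
    return {dim: model[(plane, layer, dim)] for dim in DIMENSIONS}


def plane_row(model, plane):
    """One row; the top row (plane == 'Management') is the management network."""
    return {k: v for k, v in model.items() if k[0] == plane}


def layer_column(model, layer):
    """One column; the middle column (layer == 'Services') is the network services."""
    return {k: v for k, v in model.items() if k[1] == layer}


def unassessed(cells):
    """Cells of a selection that have no recorded result yet."""
    return [k for k, v in cells.items() if v is None]


def findings(cells):
    """Cells of a selection whose recorded status is 'finding', with their notes."""
    return {k: v[1] for k, v in cells.items() if v is not None and v[0] == "finding"}


def coverage_report(model):
    """Per perspective: (plane, layer, dimensions assessed, dimensions with findings)."""
    rows = []
    for plane in PLANES:
        for layer in LAYERS:
            cells = perspective(model, plane, layer)
            rows.append((plane, layer, len(DIMENSIONS) - len(unassessed(cells)), len(findings(cells))))
    return rows


def sample_assessment():
    """Constructed results, for illustration only."""
    m = build_model()
    record(m, "Management", "Infrastructure", "Data Confidentiality", "finding",
           "element management sessions use a cleartext protocol")
    record(m, "Management", "Infrastructure", "Authentication", "ok",
           "centralised AAA for element logins")
    record(m, "Control/Signaling", "Infrastructure", "Authentication", "finding",
           "routing adjacencies accept unauthenticated updates")
    record(m, "End User", "Services", "Availability", "ok", "redundant transport links")
    return m


if __name__ == "__main__":
    m = sample_assessment()
    for plane, layer, done, found in coverage_report(m):
        print(f"{plane:<18} {layer:<15} assessed {done}/8, findings {found}")
    print(f"management network: {len(unassessed(plane_row(m, 'Management')))} of 24 cells still unassessed")
```

The unassessed count is the useful output: with four results recorded, the management row still has 22 of its 24 cells open, which is the gap an assessment plan has to close before the "top row" can be reported on.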

  11. Applying the Bell Labs Network Security Model to Security Programs
  • Can Apply to Every Aspect of a Network Security Program:
    • Definition & Planning: Helps define comprehensive Security Policies, Incident Response & Recovery Plans and Technology Architectures by taking Security Dimensions, Layers and Planes into account.
    • Implementation: Forms the basis of an assessment that examines how the Security Dimensions, Layers and Planes are addressed as Policies and Procedures are rolled out and technology is deployed.
    • Maintenance: Assists in managing the Security Policies & Procedures, Incident Response & Recovery Plans and Technology Architectures by ensuring modifications to the Security Program address Security Dimensions, Layers and Planes.

  12. BL Network Security Model in Action: Network Survivability Assessment Service

  13. Conclusion
  Bell Labs Network Security Model
  • Provides a Comprehensive, End-to-End View of Network Security.
  • Applies to Any Networking Technology:
    • Wireless, Wireline and Optical Networks.
    • Voice, Data and Converged Networks.
  • Applies to Any Layer of the Protocol Stack.
  • Applies to Any Portion of a Network:
    • Management, Administrative and Data Center Networks.
    • Infrastructure Networks.
    • Enterprise Networks.
  • Widely Accepted by Government Agencies and Standards Bodies:
    • Network Security Information Exchange (NSIE).
    • National Security Telecommunications Advisory Committee (NSTAC).
    • Network Reliability and Interoperability Council (NRIC).
    • U.S. Department of Homeland Security (DHS).
    • Industry Canada.
    • ITU-T.
  Comprehensive Network Security Assessments Based on the BL Network Security Model
  • Tools and Techniques are Used to Assess Security Layers, Planes and Dimensions.
  • Results are Provided in Terms of Network and Business Impact.
