Security Handbook for Service Providers
Contents

1 Executive Summary 2
2 The Importance of Network Security 4
Anatomy of Network Threats 8
  Overview of Security Threats 8
  Distributed Denial of Service (DDoS) 8
  Bots and Botnets 9
  Worms 10
  Zero Day Attacks 10
  Vulnerable Network Components 11
3 Best Practices for Service Provider Security 11
  General Best Practices and Tools for Service Provider Network Security 11
    Routers 12
    MPLS VPN 12
    Network Address Translation (NAT) 12
    Access Control Lists 13
    Network Firewall 13
    Intrusion Prevention System (IPS) 13
    Application Servers 14
    Identity and Policy Management 14
  Best Practices for Securing VoIP Networks 15
    Securing the IP Edge of the VoIP Network 17
    Securing VoIP Elements in the Data Center 17
    Securing Internet Peering Points for VoIP 17
  Best Practices for Securing TV and Multimedia Services 18
    Securing External Network Peering Points 19
    Securing the Video/Super Head-end 19
    Securing the Video/Hub Serving Office 19
  Best Practices for Securing 3rd Generation Mobile Data Networks 20
  Best Practices for Securing Service Provider Data Centers 22
4 Juniper Networks Security Product Portfolio 24
  Routers 24
  Firewalls and IDP 25
    Firewalls 26
    Intrusion Detection and Prevention 26
  Session Border Controller 26
  Identity and Policy Management 27
5 Conclusion 27
Trang 3Network Strategy Partners, LLC (NSP) — Management Consultants to the networking industry — helps service providers, enterprises, and equipment vendors around the globe make strategic decisions, mitigate risk, and affect change through custom consulting engagements NSP’s consulting includes business case and ROI analysis, go-to-market strategies, development of new service offerings, pricing and bundling as well as infrastructure consulting NSP’s consultants are respected thought-leaders in the networking industry and influence its direction through confidential engagements for industry leaders and through public appearances, white papers, and trade magazine articles Contact NSP at www.nspllc.com.
Juniper Networks high-performance network infrastructure helps businesses accelerate the deployment of services and applications to take advantage of opportunities to innovate, grow, and strengthen their business. With Juniper, businesses can answer the challenge of complicated, legacy networks with high-performance, open, and flexible solutions.

Jointly published by Juniper Networks and Network Strategy Partners, LLC.
1 Executive Summary
The telecommunications industry is in the midst of a major paradigm shift. In the 1990s, most major service providers maintained separate networks for wireline voice, mobile voice, data, and TV. Today, many service providers are migrating all of their network services to IP packet switched networks. Voice services are still a major component of service provider revenue. As voice moves from circuit switched to VoIP packet switched networks (see Figure 1), service providers have a major incentive to wind down operations on their expensive, legacy circuit switched infrastructure.

By converging network services onto integrated IP networks, service providers reduce capital and operations expenses while dramatically improving network scalability and service flexibility. Furthermore, the migration to IP is increasing competition in the telecommunications market. Cable TV providers are offering traditional voice services, telephone companies are offering Internet and IPTV, and new entrants are building broadband wireless networks with Wi-Fi and WiMAX technology. As increased competition accelerates the migration to IP, service providers operating legacy networks risk shrinking revenues and operating margins.
Figure 1 - Forecast of VoIP Subscribers Worldwide (data shown in the figure: 75.3M VoIP subscribers worldwide in 2007, up 62% year over year; 185.7M forecast by CY11, a 5-year CAGR of 25%, or more than 22M net new subscribers per year; source: 2008 Infonetics Research, Inc.)

Service provider migration to IP networks has significant benefits and is, in fact, necessary for long term survival. However, the rapid growth of the Internet is also driving rapid growth in network security threats, which are escalating both in number and in severity. Threats come from a myriad of sources distributed around the world. In the early days of the Internet, most threats were created by hackers who were causing trouble for fun. Today, threats come from independent hackers as well as from highly organized crime syndicates focused on profiting from Internet criminal activity. Some of the potential threats to service provider networks include:

• Distributed denial of service attacks (DDoS)

The ramifications of such attacks on service provider networks include:

• (… passwords, and so on)
Global telecommunications revenues are expected to reach $2 trillion by the end of 2008[1]; as network services migrate to IP, it is therefore essential that service providers and telecommunications equipment vendors be vigilant about security. Network infrastructure must defend itself from attacks, and operators must implement network security best practices. This network security handbook provides service providers with an anatomy of network security threats and a set of best practices for protecting the network. Best practices for network security architecture are defined for some of the most important services, applications, and network infrastructure, including:
2 The Importance of Network Security
The convergence of voice, data, TV, and mobile telecommunications on IP networks has elevated the importance of network security. For many service providers, IP network security presents new technical challenges, because legacy networks were closed systems with little exposure to outside networks, which made them far harder to attack than IP networks. The legacy phone network is based on a closed, circuit switching model. Call signaling uses the SS7 packet network, which is not connected to the Internet or any other data network. Legacy television service is delivered by broadcast over digital or analog cable, using specialized equipment that is not connected to any external packet network. Many legacy data networks are based on Frame Relay and ATM; these layer 2 technologies offer isolation, with little or no connectivity outside the private network. Similarly, second-generation mobile networks are closed, circuit switching architectures with limited and controlled gateways to the Internet and other data networks. In general, legacy telecommunications networks:
• Implement service-specific networks

… IP network. This means that IP network attacks could affect all network services and, therefore, all network revenue. Also, threats that emerge from one service (for example, the Internet) could affect other services, like TV, that were previously isolated. The IP network is based on an open, standards-based architecture that allows for rapid and massive worldwide growth. The open nature of the IP protocols, however, has also made it easy for intruders to obtain the tools needed for network intrusion. Everyone has access to the RFC documents explaining the technical details of Internet protocols. In addition, extensive technical knowledge is not required, because open source tools for creating network attacks and stealing valuable data are readily available on the Web.
IP networks use open standards for network management, operations, and provisioning. Protocols and standards such as SNMP, XML, and the newer Web services management model enhance the power and flexibility of operations support systems (OSS), but they also create opportunities for intruders to reach the most sensitive and critical areas of the telecommunications network: the network management and control plane.

Another dimension of the problem is that business users, residential users, and mobile users share the same IP network. Each of these customer groups has different security requirements that need to be addressed in the service offerings provided to them.

Attacks on IP networks can have serious and potentially devastating consequences. Attacks can result in:
Service outages can result in loss of revenue, payment of penalties for violated service-level agreements (SLAs), and increased customer churn. There are serious liabilities associated with lost or stolen customer data; lawsuits often result in high damages as well as a tarnished public image. Lost or stolen service provider data can result in compromised networks and billing systems, or other serious problems.

As network services converge to IP, the availability of the IP network is critical. Downtime, whether caused by network attacks, software errors, or configuration errors, is costly. The cost of downtime varies widely with the business and the applications affected, but in all cases it is high. Estimates of downtime costs for various industries and applications[2] are presented in Table 1.
Industry / application            Cost per hour of downtime
Financial: credit card sales      $2,600,000
(other rows of the table did not survive extraction)

Table 1 - Downtime Cost Estimates in Different Vertical Markets
Downtime in service provider networks results in lost revenue due to SLA penalties and, to add insult to injury, in increased customer churn. Table 2 depicts some estimates[3] of hourly revenue loss for service provider network outages in a small metro area where 100,000 residential customers and 2,000 business customers are affected by an outage. In such an area, residential losses are estimated at over $8,333 per hour and business losses at almost $6,944 per hour.

While revenue loss is problematic, the potentially more serious problem (especially in markets where there are competitive offerings) is customer churn due to poor service. Table 3 presents a scenario for a small metro area with 100,000 customers, an increased churn rate of 5 percent due to dissatisfaction with network service availability, and an average cost of churn of $400 per subscriber[4].
In this scenario the cost of increased churn for this small metro area would be $2,000,000 per year (100,000 subscribers x 5 percent x $400). Clearly, network reliability and availability are critical business requirements for enterprises and service providers.
Table 2 - Service Provider Hourly Lost Revenue for Business and Residential Network Outages (columns: Residential, Business; the hourly figures, $8,333 and $6,944, are given in the text above)

Table 3 - Service Provider Costs of Increased Churn due to Network Outages (column: Residential; the scenario figures are given in the text above)
Corporate executives, furthermore, are now legally responsible for the security of their corporate information systems. Multiple federal and state regulations require executives and companies to comply with government mandated security requirements. These regulations include:
Anatomy of Network Threats
The open IP architecture presents a myriad of threats from many sources to all parts of the network. The following paragraphs give an overview of some common threats, threat sources, and components of the network that could be affected.
Overview of Security Threats
There are many types of security threats, and they continue to grow, develop, and mutate over time. A high level distribution of network security threats is presented in Figure 2, and a brief description of security threats is given in the following subsections of this paper. This is not meant to be an exhaustive description of network threats, but rather an overview of some common threats and terminology.
Figure 2 - Distribution of Network Security Threats (chart categories include hijacking)
Distributed Denial of Service Attack (DDoS)

A distributed denial of service (DDoS) attack is an attempt to make a computer resource unavailable to its intended users. Perpetrators of DDoS attacks typically target sites or services hosted on high-profile Web servers such as banks and credit card payment gateways, and even the DNS root servers. One common method of attack involves saturating the target (victim) machine with external communication requests so that it cannot respond to legitimate traffic, or responds so slowly as to be effectively unavailable. In general terms, DDoS attacks work by forcing the targeted network elements or servers to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the victim devices so that they can no longer communicate adequately. The "distributed" part is what makes the attack hard to filter: the traffic arrives from many compromised hosts (see Bots and Botnets below), often with forged source addresses, so blocking any single source does not help.
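The half-open SYN flood described above, as an added example that is not part of the handbook: a detector run over flow records of the kind an edge router exports. Because the sources are forged and each sends only one SYN, the detector aggregates per target rather than per source, and flags a target whose SYN rate is high while almost none of the SYN senders ever follow up with an ACK. The flow records, the documentation-range addresses, and the thresholds are all constructed assumptions.

```python
"""Added example (not from the handbook): flagging a half-open SYN flood
from flow records exported by an edge router."""
from collections import defaultdict

# Constructed sample flow records covering a 5-second window, not real traffic.
# Each record: (src_ip, dst_ip, dst_port, tcp_flags). Flags: S=SYN, A=ACK.
FLOWS = [
    # Legitimate sessions: a SYN, then ACK-carrying packets from the same source.
    ("203.0.113.10", "198.51.100.5", 80, "S"),
    ("203.0.113.10", "198.51.100.5", 80, "A"),
    ("203.0.113.11", "198.51.100.5", 80, "S"),
    ("203.0.113.11", "198.51.100.5", 80, "A"),
    # Traffic to a second server that is not under attack.
    ("203.0.113.12", "198.51.100.53", 443, "S"),
    ("203.0.113.12", "198.51.100.53", 443, "A"),
] + [
    # The flood: one SYN from each of 100 forged addresses, never completed.
    (f"192.0.2.{i}", "198.51.100.5", 80, "S") for i in range(1, 101)
]


def syn_flood_report(flows, window_seconds=5, max_syn_rate=10.0, min_completion=0.5):
    """Aggregate per destination (ip, port).

    A target is flagged when the SYN arrival rate exceeds max_syn_rate per
    second AND fewer than min_completion of the sources that sent a SYN ever
    sent an ACK: many SYNs that nobody follows up on is the half-open flood.
    The thresholds are deployment-specific assumptions, not recommendations.
    """
    syn_count = defaultdict(int)
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for src, dst, port, flags in flows:
        target = (dst, port)
        if "S" in flags and "A" not in flags:
            syn_count[target] += 1
            syn_sources[target].add(src)
        elif "A" in flags:
            ack_sources[target].add(src)

    report = {}
    for target, count in syn_count.items():
        completed = syn_sources[target] & ack_sources[target]
        syn_rate = count / window_seconds
        completion = len(completed) / len(syn_sources[target])
        report[target] = {
            "syns": count,
            "sources": len(syn_sources[target]),
            "completed": len(completed),
            "syn_rate": syn_rate,
            "flagged": syn_rate > max_syn_rate and completion < min_completion,
        }
    return report


if __name__ == "__main__":
    for target, stats in syn_flood_report(FLOWS).items():
        print(target, stats)
```

On the constructed records the Web server at 198.51.100.5:80 is flagged (102 SYNs in 5 seconds, only 2 of 102 sources completed a handshake) while the server at 198.51.100.53:443 is not. In production the same aggregation would be fed from sampled NetFlow or sFlow, and the thresholds tuned against the target's normal connection rate so that a busy but healthy server is not mistaken for a victim.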
Bots and Botnets

Bots are computer programs that secretly install themselves on machines and run in the background, hidden from users and administrators and often from the operating system's own tools. A botnet is a group of bots that can propagate across the Internet and be controlled by a malicious hacker or criminal. Once bots install themselves on machines, they scan for system vulnerabilities and collect information such as passwords and user names. The bots in a botnet communicate with each other and with a central controller to steal information, exploit system weaknesses, send spam, and execute DDoS attacks.

Bots can result in network service outages or loss of critical customer or service provider data. This is especially serious if passwords and user names are compromised. For this reason, botnets have become one of the most serious threats on the Internet.

The majority of botnets are used by cyber criminals to send spam and to illegally seek financial information. According to shadowserver.org, an organization that tracks botnets, the number of bots measured in September 2008 peaked at half a million infected computers. Because bots are hard to detect, the true numbers could be much larger.

One example of a current botnet is Kraken. The Kraken malware infects victims' PCs and uses encrypted communications between bots. It also has the ability to move command and control functionality around the botnet. And, like many botnets, the purpose of the Kraken network seems to be the propagation of massive amounts of spam. Individual machines infected with Kraken could send as many as 500,000 spam messages in a single day.

Bots are rampant throughout the world, as illustrated in Figure 3, and they are growing in number and severity. Service providers need to understand the nature and dynamics of botnets in order to adequately secure their networks.
Figure 3 - Worldwide Statistics on Bots. Left panel: active bots per day, January 2006 to May 2007 (axis 0 to 60,000). Right panel: bot-infected computers by country, with current rank in parentheses (source: Symantec): China (1) 26%, United States (2) 14%, France (3) 6%, Germany (4) 6%, Spain (5) 5%, United Kingdom (6) 4%, Taiwan (7) 4%, Poland (8) 3%, Brazil (9) 3%, Canada (10) 2%.
Worms

There are a large variety of Internet worms. The common characteristics of worms are that they:

• Exploit vulnerabilities in a computer's operating system or application software to launch malicious software that runs on the machine
• Find information in the computer (such as email lists or lists of IP addresses) to propagate between different machines
• Cause significant damage and financial losses to large numbers of companies worldwide in a short period of time

One example of a well known Internet worm is Code Red. This worm exploited a vulnerability in the indexing software distributed with IIS[6] for which a patch had been available a month earlier; the gap between a patch being released and being deployed is itself exposure. The worm spread itself using a common type of vulnerability known as a buffer overflow: it sent a request containing a long string of the repeated character "N" to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine. The worm then spread by probing random IP addresses and infecting all hosts vulnerable to the IIS exploit.

Another example of a well known worm is the Love Bug virus. This virus arrived in email boxes on May 4, 2000, with the simple subject "ILOVEYOU" and an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs" (the double extension made a script look like a text file). Upon opening the attachment, the virus sent a copy of itself to everyone in the user's address list, posing as the user. It also made a number of malicious changes to the user's system. Two aspects of the virus made it effective:

• It relied on user curiosity to entice users to open the attachment and ensure its continued propagation
• It exploited a weakness of the email system design: an attached program could be run simply by opening the attachment

Worms come in many forms and varieties, and they can result in network service outages and loss of customer and service provider data.
Zero Day Attacks

Fundamentally, there are two types of attacks on networks: 1) known attacks and 2) zero day attacks. The first is a known attack on a known vulnerability, which an intrusion prevention system (IPS) can identify by a signature. In contrast, zero day attacks are new and therefore have no attack signatures to identify them. To defend against zero day attacks, the IPS requires more sophisticated techniques such as protocol anomaly detection, which flags traffic that violates the expected behavior of a protocol rather than matching a known pattern. This topic is covered more fully later in the paper.

[6] IIS: Internet Information Services, Microsoft's Web server software for Windows.
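The two detection paths just contrasted, shown side by side as an added example that is not part of the handbook: a signature for the known Code Red probe described in the Worms section, and protocol-anomaly checks that catch an overflow attempt against some other handler for which no signature exists. The request lines are constructed to resemble the traffic, not captured from it, and the allowed methods, URI length limit and filler-run length are assumed policy values.

```python
"""Added example (not from the handbook): the two detection paths an IPS has,
a signature for a known attack and protocol-anomaly checks for unknown ones,
applied to HTTP request lines."""
import re

# Signature for the Code Red propagation request: a GET for /default.ida whose
# query string starts with a long run of the letter N.
CODE_RED_SIGNATURE = re.compile(rb"^GET /default\.ida\?N{100,}")

# Protocol expectations for this deployment (assumed policy values).
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
MAX_URI_LENGTH = 2048
FILLER_RUN = re.compile(rb"(.)\1{63,}")   # 64 or more identical bytes in a row

# Constructed request lines, not captured traffic.
SAMPLES = {
    "legitimate": b"GET /index.html HTTP/1.1\r\n",
    # Resembles the worm's probe: 224 N's followed by encoded payload bytes.
    "code_red": b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n",
    # A hypothetical new overflow against a different handler: no signature exists.
    "unknown_overflow": b"GET /other.dll?" + b"A" * 3000 + b" HTTP/1.1\r\n",
}


def signature_check(request_line):
    """Known-attack path: return the matching signature name, or None."""
    if CODE_RED_SIGNATURE.match(request_line):
        return "CodeRed-default.ida"
    return None


def protocol_anomaly_check(request_line):
    """Zero-day path: report deviations from a well-formed HTTP/1.x request
    line without needing to know the specific attack."""
    anomalies = []
    parts = request_line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    method, uri, version = parts
    if method not in ALLOWED_METHODS:
        anomalies.append("unexpected-method")
    if not version.startswith(b"HTTP/1."):
        anomalies.append("bad-version")
    if len(uri) > MAX_URI_LENGTH:
        anomalies.append("uri-too-long")
    if any(b < 0x20 or b > 0x7E for b in uri):
        anomalies.append("non-printable-in-uri")
    if FILLER_RUN.search(uri):
        anomalies.append("repeated-byte-filler")
    return anomalies


def inspect(request_line):
    """Combine both paths; a signature hit or any anomaly drops the request."""
    signature = signature_check(request_line)
    anomalies = protocol_anomaly_check(request_line)
    verdict = "drop" if signature or anomalies else "pass"
    return {"verdict": verdict, "signature": signature, "anomalies": anomalies}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, inspect(line))
```

The Code Red line is caught by both paths; the unknown overflow is caught only by the anomaly checks (over-long URI, long run of one byte), which is the point of having them. The price is false positives: a legitimate application that really does send 3 KB URIs will trip the same rule, so anomaly thresholds have to be tuned per deployment rather than copied from a vendor default.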
Vulnerable Network Components

Many parts of an IP network are vulnerable to threats, including:

• End user equipment: PCs, servers, mobile phones, PDAs, and so on
• Network equipment: routers, Ethernet switches, and so on

… or loss of data.
3 Best Practices for Service Provider Security

Every network is unique and requires the attention of professional network architects and designers to ensure that the network is defensible. The principles used by network designers to secure networks are based on a set of industry best practices. This section of the security handbook provides an overview of network security best practices, summarized in Table 4. We start with a summary of general best practices that can be applied to any service provider network.

General Best Practices and Tools for Service Provider Network Security

This section provides an overview of some of the devices and technologies for securing service provider networks. The devices that provide network security are:
Routers

Network routers are core components of the IP network infrastructure. As such, it is critical that routers implement security technologies to protect networks from intruders. Some of the security technologies implemented in routers are:
Virtual LANs (VLANs)

A VLAN is a layer 2 segmentation technology that groups a set of end stations into a logical LAN even if they are not connected to the same network switch. It can also be used to segment traffic, for example separating VoIP traffic from regular data traffic. Segmenting users and/or traffic provides a level of security by creating a virtual network: hosts in one VLAN cannot see or intercept traffic in another, and traffic can move between segments only through a router, where it can be filtered.
MPLS VPN

The MPLS virtual private network (VPN) is a common method of securing IP communications. The basic concept of the MPLS VPN is that a common physical routing infrastructure hosts multiple logical routing networks. Each logical network appears to hosts and users to be a separate IP network. The logical network, or MPLS VPN, can use a set of private IP addresses, run independent routing protocols local to the VPN, and remain isolated from the Internet and all other MPLS VPNs unless the network administrator intentionally provides routing connectivity between networks. An MPLS VPN is therefore logically equivalent to building a physically separate IP routing network. This logical separation provides a cost-effective approach to protecting subscriber and service-specific networks from attacks that emanate from the Internet or from other private IP networks. Note that the separation is a routing property: an MPLS VPN does not by itself encrypt the traffic it carries, so confidentiality over untrusted links still requires encryption such as IPsec.
Network Address Translation (NAT)

NAT is a common mechanism for mapping private IP addresses to public addresses. The process is simple: a private IP address and TCP or UDP port is mapped to a public address and port by a NAT device. A side benefit of NAT is that malicious users on the Internet cannot see the true IP address of the internal host, and an inbound packet for which no mapping exists has nowhere to go. Without knowing the internal address, it is more difficult to attack hosts. This is especially important for network servers, which are a focal point for many attacks.
Access Control Lists (ACLs)

An ACL is an ordered list of permissions that specifies who or what is allowed to access the router or device, and what operations they are allowed to perform. In an ACL-based security model, when a subject requests to perform an operation on an object, the system checks the list for the first applicable entry in order to decide whether to proceed with the operation. Depending on the ACL, the request may be accepted or denied; a request that matches no entry is normally denied by an implicit deny at the end of the list. ACLs protect the router by denying unauthorized users or packets access to it.
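As an added example that is not part of the handbook, the first-match evaluation described above applied to a management-plane ACL of the kind that protects a router's SSH and SNMP access (the exposure the Importance section raises for SNMP and other OSS protocols). The policy, the documentation-range prefixes and the entry format are constructed assumptions rather than any vendor's syntax. Because order decides, the example also includes the check a reviewer wants: whether any entry is shadowed by an earlier, broader one and can never fire.

```python
"""Added example (not from the handbook): first-match evaluation of a router
management-plane ACL, plus a check for entries shadowed by earlier ones."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    protocol: str            # "tcp", "udp", "icmp" or "any"
    source: str              # source prefix in CIDR notation
    dst_port: Optional[int]  # None means any destination port


# Constructed policy for a router's management address. Only the NOC prefix
# may reach SSH and SNMP; telnet is denied explicitly so a hit can be logged;
# ICMP is allowed from anywhere; everything else falls through to the
# implicit deny. Prefixes are documentation ranges, not a real network.
MGMT_ACL = [
    AclEntry("permit", "tcp",  "192.0.2.0/24", 22),
    AclEntry("permit", "udp",  "192.0.2.0/24", 161),
    AclEntry("deny",   "tcp",  "0.0.0.0/0",    23),
    AclEntry("permit", "icmp", "0.0.0.0/0",    None),
]


def evaluate(acl, protocol, src_ip, dst_port=None):
    """Walk the list top to bottom; the first matching entry decides.
    Returns (action, index); index is None when the implicit deny applied."""
    src = ip_address(src_ip)
    for index, entry in enumerate(acl):
        if entry.protocol not in ("any", protocol):
            continue
        if src not in ip_network(entry.source):
            continue
        if entry.dst_port is not None and entry.dst_port != dst_port:
            continue
        return entry.action, index
    return "deny", None


def shadowed_entries(acl):
    """Return (later_index, earlier_index) pairs where the earlier entry
    matches everything the later one would, so the later one never fires.
    A broad permit placed above a specific deny (or vice versa) is a policy bug."""
    shadowed = []
    for j, later in enumerate(acl):
        for i in range(j):
            earlier = acl[i]
            if earlier.protocol not in ("any", later.protocol):
                continue
            if not ip_network(later.source).subnet_of(ip_network(earlier.source)):
                continue
            if earlier.dst_port is not None and earlier.dst_port != later.dst_port:
                continue
            shadowed.append((j, i))
            break
    return shadowed


if __name__ == "__main__":
    print(evaluate(MGMT_ACL, "tcp", "192.0.2.7", 22))     # NOC SSH: permit, entry 0
    print(evaluate(MGMT_ACL, "tcp", "203.0.113.9", 22))   # Internet SSH: implicit deny
    print(evaluate(MGMT_ACL, "tcp", "192.0.2.7", 23))     # telnet even from NOC: deny, entry 2
    # A careless "permit ssh from anywhere" inserted at the top shadows the NOC rule.
    print(shadowed_entries([AclEntry("permit", "tcp", "0.0.0.0/0", 22)] + MGMT_ACL))
```

The shadow check is the part worth keeping: on a long production filter it finds the entry someone appended that can never match, which is usually either dead configuration or, worse, a deny that an earlier permit has silently neutralized.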
Network Firewall
A network firewall is a dedicated appliance that inspects network traffic and denies or permits passage based on a set of rules. The primary objective of the firewall is to regulate traffic flows between computer networks of different trust levels. Typical examples are the Internet, a zone with no trust, and an internal network, a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ).

The classes of firewalls are:

Stateful firewalls extend simple packet filtering with rules based on sessions. Filtering rules can account for the history of a session rather than judging each packet in isolation. For example, if a user on the internal network accesses a Web site, a stateful firewall lets the return packets from the Web site into the network because they belong to a session the inside user opened. A stateless firewall cannot do this: to let replies through it must permit inbound traffic to whole port ranges, which also admits unsolicited packets to those ports.
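The session-tracking behaviour described for stateful firewalls, combined with the NAT mapping described earlier, as an added example that is not part of the handbook: a small NAPT gateway that records each outbound session and admits an inbound packet only if it matches one. A stateless filter is shown beside it to make the difference concrete. The addresses are documentation ranges, the port allocation is a simple counter, and session expiry (FIN/RST handling and idle timeouts, which any real implementation needs) is left out; all of that is assumed for illustration.

```python
"""Added example (not from the handbook): a NAPT gateway with a session table,
showing why return traffic needs state and why unsolicited inbound packets
are dropped."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNatGateway:
    """Maps inside (private) address:port pairs to one public address and a
    per-session public port; inbound packets are admitted only when they
    match a session that was opened from the inside."""

    def __init__(self, inside_prefix, public_ip, first_port=40000):
        self.inside = ip_network(inside_prefix)
        self.public_ip = public_ip
        self.next_port = first_port
        # (remote_ip, remote_port, public_port) -> (inside_ip, inside_port)
        self.sessions = {}
        # (inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.reverse = {}

    def outbound(self, pkt):
        """Translate an inside->outside packet, creating a session on first use."""
        if ip_address(pkt.src) not in self.inside:
            return "drop", None          # not an inside address: refuse to translate
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        public_port = self.reverse.get(key)
        if public_port is None:
            public_port = self.next_port
            self.next_port += 1
            self.reverse[key] = public_port
            self.sessions[(pkt.dst, pkt.dport, public_port)] = (pkt.src, pkt.sport)
        return "permit", Packet(self.public_ip, public_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Admit an outside->inside packet only if it belongs to a known session."""
        if pkt.dst != self.public_ip:
            return "drop", None
        inside = self.sessions.get((pkt.src, pkt.sport, pkt.dport))
        if inside is None:
            return "drop", None          # unsolicited: no inside host asked for it
        inside_ip, inside_port = inside
        return "permit", Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def stateless_return_filter(pkt, public_ip, ephemeral_range=(40000, 65536)):
    """What a stateless packet filter must do to let replies through: permit
    all inbound traffic to the ephemeral port range. It cannot distinguish a
    real reply from an unsolicited probe to the same port."""
    low, high = ephemeral_range
    return "permit" if pkt.dst == public_ip and low <= pkt.dport < high else "drop"


if __name__ == "__main__":
    gw = StatefulNatGateway("10.0.0.0/8", "198.51.100.1")
    print(gw.outbound(Packet("10.1.2.3", 51000, "203.0.113.80", 80)))
    print(gw.inbound(Packet("203.0.113.80", 80, "198.51.100.1", 40000)))   # reply: permit
    print(gw.inbound(Packet("203.0.113.99", 80, "198.51.100.1", 40000)))   # probe: drop
    print(stateless_return_filter(Packet("203.0.113.99", 80, "198.51.100.1", 40000), "198.51.100.1"))
```

The probe from 203.0.113.99 reaches the same public port as the real reply, and the stateless filter has no way to tell them apart. That is also the correct reading of the NAT section above: what drops the probe is the session table, not the address rewriting, so NAT on its own should not be counted as a firewall.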
Intrusion Prevention System (IPS)

An IPS is used to detect and prevent network attacks. It analyzes network traffic for threats and, when one is detected, takes action to mitigate it.