> This is the way enterprises can be well-positioned to defend their networks against today’s network threats.

Position Paper

Protecting the enterprise network

Layered network security

Taking the layered defense approach outlined in the Nortel Unified Security Framework, Nortel offers enterprise customers ‘a world of choice’ of security options, so that they can implement the solutions that make the most sense for their own networks.

Overview

Today’s enterprises enjoy the many benefits of greater communication with fewer boundaries between themselves and their business partners, customers and remote employees. These benefits outweigh the risks of doing business on public networks, yet enterprises must still make the right business decisions to protect their corporate assets: sensitive corporate information (payroll, research and development, etc.) and their customers’ privacy. As more business moves onto public networks, enterprises are more exposed to the risks of those networks, most frequently worms, blended threats and exploitable vulnerabilities. A combination of choosing the right security solutions and putting the appropriate processes in place will help enterprises face these challenges directly. Ultimately, a solid approach to network security ensures not only the security of your network but also its reliability, resiliency and business continuity.

Contents

• Nortel’s layered defense
• Protecting against today’s threats
• Network security solutions
  • Blocking threats at the end-user: endpoint security
  • 802.1x and device authentication
  • Wireless Local Area Network (WLAN)-specific protections
  • Tunnel Guard and Endpoint Security
  • User-based provisioning
  • Protecting the perimeter
  • Firewalls
  • Intelligent traffic management and switch protections
  • Protecting information in transit: VPNs and Virtual Local Area Networks (VLANs)
  • Ensuring network high availability
  • Core network security: Security in the DNA
  • Tying it all together: centralized network protection
  • Security partnerships
• The icing on the cake: incorporating security best practices into the enterprise
• Nortel on Nortel
• Summary

Nortel’s layered defense

Securing the network perimeter and prohibiting unauthorized access from within can be a daunting challenge. Today’s businesses must guarantee uninterrupted access to network resources. Products must be designed from the start, in their DNA, to offer a high level of resiliency and security even while under attack; redundant power, data and control planes are no longer optional. Likewise, customers can no longer afford downtime for network maintenance, so network products must allow plug-and-play replacement of physical components as well as the addition of new protocols and applications. The evolution of the enterprise and the way it does business, coupled with today’s network threats, has reduced the effectiveness of traditional perimeter security. Nortel has devised a new paradigm for enterprise network security that recognizes the need for flexible and extensible security with low management overhead. This paper describes Nortel’s layered defense approach to network security, based on the Unified Security Framework model[1] (Figure 1). This comprehensive approach encompasses endpoint devices, switches, gateways, wired and wireless connections, and tunneled and non-tunneled traffic.
It is complemented by existing anti-virus, intrusion detection and personal firewall products from best-of-breed vendors. With this open, vendor-neutral, standards-based approach, Nortel’s security solutions protect the entire enterprise network: remote and resident network users, wired and wireless connections.

Figure 1. Unified Security Framework (elements shown: network survivability; continuous security under attack; security for operations, administration and management; unified authentication and policy management; variable depth security; security for converged communications)

Protecting against today’s threats

In 2003, Denial of Service (DoS) attacks cost the North American companies that reported them over $65 million (CSI/FBI Survey, 2003). Another costly threat is malicious code, primarily viruses, worms and Trojan horses, which can cause many hours of downtime for staff, network resources and everyone who depends on them. Viruses alone accounted for $27 million in corporate losses in North America in 2003 (CSI/FBI Survey, 2003), and a single worm, Slammer, is estimated to have cost enterprises $1.25B ( Economics, Inc.).

For the near future, the most likely threats to corporate networks remain DoS attacks and worms. Of greatest concern are the growing sophistication of worm payloads, which may carry Trojan horses that lie dormant and later use victim machines to launch further attacks or act as mass spam relays, and the speed at which worms propagate. The interval between a vulnerability announcement and a working exploit keeps shrinking. Today the usual sequence is: the vulnerability is announced, the vendor issues a patch (or the anti-virus vendor issues an update), the enterprise installs it, and only then does an exploit circulate on the Internet, so most enterprise systems have a chance to defend themselves. In the likely near-term scenario that order reverses: exploit code for a previously unknown vulnerability is available on the Internet before the vendor is even aware of the flaw, let alone has issued a patch that the enterprise has had time to install. That is why planning a layered defense is critical: it limits the damage such threats can do while you wait days, or even a month, for a patch.
The avenues for such threats may come from new applications on corporate networks, specifically given the growth in Instant Messaging and Peer-to-Peer networks for file sharing of music. And in addition to monitoring these applications for threats to the network, ensuring against liability for copyright infringement in Peer-to-Peer networks is a new and growing concern.

[1] Unified Security Framework white paper (http://a624.g.akamai.net/7/624/5107/20030925231743/www.nortelnetworks.com/solutions/security/collateral/nn102060-0902.pdf)

> A costly threat to networks today is that of malicious code, primarily viruses, worms and Trojan horses.

Network security solutions

Protection against many of today’s vulnerabilities requires multiple layers of defense: from the remote endpoints, to the network perimeter, to the departmental perimeter, down to the core internal switching and the desktops (Figure 2). Filters for signatures and keywords common to the attacks, stateful firewall inspection of known protocols, and anti-virus and intrusion protection software are also necessary components. According to Gartner, “Enterprises that rely only on proxy or stateful packet inspection will experience successful application-layer attacks at twice the rate of enterprises that use leading deep-packet-inspection approaches.”[2] Nortel’s layered defense approach, announced in September 2002 as the Unified Security Framework, provides a number of security technology and process options for defending against today’s network threats. This paper moves beyond the architecture of the Unified Security Framework to describe the specific technologies and products in Nortel’s Enterprise portfolio that enable a layered defense strategy. With solutions based on the Nortel Security in the DNA philosophy, which combines security products, product security and Nortel’s own best practices, customers can pick and choose which Nortel products to deploy in a heterogeneous network. The framework is open and presumes a multi-vendor environment; based on open, vendor-neutral, standards-based solutions, it covers the network end to end.

Figure 2. Layered defense approach (elements shown: remote endpoint security; VPN; firewall; Layer 4-7 application switch; secure perimeters; VLANs for Engineering, HR and Finance; Ethernet switches; Layer 2 switch; wireless security; secure communications; core network security; internal endpoint security)

Blocking threats at the end-user: endpoint security As employees, business partners and customers make more use of the enterprise network to meet their business and retail objectives, enterprises need more control of the endpoints. Because so many threats are from internal users on the network, this must include the endpoints within the corporate network as well as those at remote endpoints, where there is less control over the user’s device.

[2] Gartner Predicts 2004: Security and Privacy, 20 November 2003

802.1x and device authentication

To protect the network from threats originating inside the network, Nortel’s portfolio of Ethernet Switches supports the 802.1X standard, which authenticates the user separately from the device. Both the Nortel Ethernet Switch (formerly known as BayStack) and Ethernet Routing Switch (formerly known as Passport) portfolios can require end-users to log into the network securely before being given access to any of its resources (Figure 3). Nortel’s Wireless Local Area Network (WLAN) Access Points and Access Ports support 802.1X, Wi-Fi Protected Access (WPA) and MAC-based authentication to ensure that only designated users and devices reach the enterprise network through the WLAN. Nortel Ethernet Switches and Ethernet Routing Switches also support Media Access Control (MAC) address filtering as an added form of access control; since a MAC address is trivially spoofed, MAC filtering complements 802.1X rather than replacing it.

Figure 3. Wired or wireless: inside network (flow shown: the 802.1x supplicant in the OS validates the user with 802.1x; optionally, anti-virus and personal firewall definitions and patches are checked; if the check passes the desktop joins the network, otherwise it is placed in the remediation VLAN)

Wireless Local Area Network (WLAN)-specific protections

Nortel’s WLAN 2200 Series provides a number of additional controls to secure the wireless segment of the network.[3] The Access Points (APs) are the first layer of security, offering multiple security standards and filters. Besides several Extensible Authentication Protocol (EAP) methods for 802.1X, Nortel’s APs support Wi-Fi Protected Access (WPA), a subset of the current 802.11i draft.[4] Filters ensure that only legitimate users connect to the AP for local communications and prevent users from changing the configuration of the AP they are connected to. Access rights can be defined at fine granularity: different groups of users (such as visitors and employees) and different profiles within a group (such as employees in different departments). The APs also offer a ‘closed system’ mode that suppresses the SSID broadcast so that the network is not advertised to unauthorized users. Note that this hides the network only from casual discovery: the SSID still appears in probe and association frames, so it is a convenience control, not a substitute for 802.1X authentication and WPA encryption. The second security layer, the WLAN Security Switch, provides VPN encryption and a firewall, detects unauthorized (‘rogue’) Access Points, prevents users from connecting to them, and can locate a rogue AP to within roughly 10 meters.

Tunnel Guard and Endpoint Security

In environments where there is less control over where and how the end-user device is used, particularly for users who run their own personal e-mail, Instant Messaging and Peer-to-Peer file sharing, checking the device for viruses and other threats when it reconnects to the corporate environment is more critical than ever. This protects the corporation from uninformed users, such as mobile employees and business partners, who may not be aware of the extent of such threats. The protection takes the form of status checks performed as part of the external VPN or internal authentication process: the enforcement point verifies that the latest anti-virus and firewall definitions and software patches are in place before the user is granted access to the network. Nortel’s Tunnel Guard feature for its VPN family of devices checks the security status of an endpoint PC, including the status of executables and software versions, before accepting or rejecting the endpoint’s VPN connection to the corporate network. Tunnel Guard also provides an open API that third-party software vendors can use to perform more detailed self-checking and automatic software updates on the remote endpoint.

[3] Nortel WLAN white paper: Securing and Scaling the WLAN, http://a1840.g.akamai.net/7/1840/5107/20040302071134/www.nortelnetworks.com/products/01/wlan/security_2250/collateral/nn103740-022704.pdf
[4] Security specification currently under development by the IEEE.

> The enterprise’s need to communicate with its remote employees, business partners and customers should not be hampered by the threats to public networks.

For protecting internal devices connecting to the network, Nortel’s Ethernet Switch and Ethernet Routing Switch portfolios support 802.1x/EAP authentication verifying someone connecting inside the corporate network is in fact a legitimate user. The switches go one step further and can interoperate with third-party vendor solutions to check the endpoint security posture—virus and firewall definitions. Non-compliant systems authenticating to the switches may be placed in a remediation VLAN, updates can be pushed to the internal user’s device and users can then subsequently re-attempt to join the network.
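The decision just described, a posture check that sends a compliant host to the production network and a non-compliant one to a remediation VLAN, as an added example that is not Nortel Tunnel Guard or switch code: a small Python policy engine evaluates a constructed endpoint posture report (anti-virus definition age, personal firewall state, required patches; the thresholds and patch list are assumptions) and produces the RFC 3580 RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that a RADIUS server would return to an 802.1X switch to place the port in the chosen VLAN. The VLAN numbers and host names are also assumptions.

```python
"""Endpoint posture evaluation with RADIUS VLAN assignment (RFC 3580).

Added illustration, not Nortel Tunnel Guard or switch code. The posture
report format, the policy thresholds and the VLAN numbers are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

PROD_VLAN = "100"           # assumed production VLAN
REMEDIATION_VLAN = "999"    # assumed remediation VLAN
MAX_AV_AGE_DAYS = 7         # assumed policy: AV definitions no older than a week
REQUIRED_PATCHES = frozenset({"MS02-039", "MS03-026"})  # assumed: Slammer and Blaster fixes

# RFC 3580 attribute values used to place an 802.1X session in a VLAN.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class Posture:
    """What the endpoint agent reports when it connects (constructed format)."""
    host: str
    av_definitions_date: date
    firewall_enabled: bool
    installed_patches: frozenset


def evaluate_posture(p: Posture, today: date) -> list:
    """Return the list of policy failures; an empty list means compliant."""
    failures = []
    if today - p.av_definitions_date > timedelta(days=MAX_AV_AGE_DAYS):
        failures.append("anti-virus definitions older than %d days" % MAX_AV_AGE_DAYS)
    if not p.firewall_enabled:
        failures.append("personal firewall disabled")
    missing = REQUIRED_PATCHES - p.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    return failures


def access_accept_attributes(p: Posture, today: date) -> dict:
    """Attributes the RADIUS server would return in the Access-Accept.

    A compliant host goes to the production VLAN; anything else is still
    authenticated but confined to the remediation VLAN, so updates can be
    pushed to it before it re-attempts to join the network.
    """
    failures = evaluate_posture(p, today)
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": REMEDIATION_VLAN if failures else PROD_VLAN,
        "Reply-Message": "; ".join(failures) or "compliant",
    }


# Constructed sample reports, as if received on 1 March 2004.
SAMPLE_TODAY = date(2004, 3, 1)
SAMPLE_REPORTS = [
    Posture("desk-eng-01", date(2004, 2, 28), True, frozenset({"MS02-039", "MS03-026"})),
    Posture("laptop-sales-07", date(2004, 1, 5), False, frozenset({"MS03-026"})),
]


def decide_all(reports=SAMPLE_REPORTS, today=SAMPLE_TODAY) -> dict:
    """Map each host name to the VLAN it is placed in."""
    return {p.host: access_accept_attributes(p, today)["Tunnel-Private-Group-ID"]
            for p in reports}


if __name__ == "__main__":
    for p in SAMPLE_REPORTS:
        print(p.host, access_accept_attributes(p, SAMPLE_TODAY))
```

The point of the design is that a non-compliant host is still authenticated; it is the VLAN assignment in the Access-Accept, not an Access-Reject, that confines it, and that is what allows updates to reach it.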

User-based provisioning

User-based networking takes one step beyond 802.1x/EAP authentication into the network. It ensures that users have access only to the services they are authorized for, and ties that authorization to security policies defined per individual, department or corporation. Nortel’s Optivity Policy Services (OPS) supports 802.1x authentication against RADIUS and other authentication, authorization and accounting (AAA) repositories to authenticate the user, grant access to specific applications and provide real-time policy provisioning across Nortel’s devices on the network, which helps contain the rapid spread of a virus or worm.

Protecting the perimeter Nortel provides a number of options for protecting the perimeter—be it the internal perimeter around departments, secure voice zones to protect IP Telephony call servers, or at the external edge of the corporate network.

Firewalls

Firewall technology has advanced from simple packet filters to stateful packet-filtering firewalls. Today’s next-generation firewalls, such as Nortel’s Switched Firewall (formerly known as Alteon Switched Firewall), add deep-packet inspection to counter the growing number of attacks that target applications and data inside the packet payload. Deep-packet inspection, Layer 4-7 content filtering and DoS protection in the Nortel Switched Firewall’s operating system, together with the Layer 2-7 security provided by the Check Point NG Application Intelligence engine, give multiple layers of protection at the perimeter at multi-gigabit throughput. For additional perimeter protection, the Nortel Switched Firewall can load balance multiple groups of IDS servers. The integration of Nortel’s switch-accelerated platform with Check Point Next Generation software and SecureXL acceleration technology provides perimeter protection without sacrificing application performance, and incorporates deep packet inspection with a Denial of Service signature database that identifies the most common attacks: Teardrop, Smurf, Ping of Death, SQL Slammer, LAND, etc.[5]

Nortel VPN Routers (formerly known as Contivity) include an ICSA-certified stateful inspection firewall that provides gateway and branch-office firewall protection. Because the firewall sits on the VPN device itself, traffic that arrives encrypted is inspected after it is decrypted, so tunneled traffic receives the same scrutiny as clear traffic. Firewall user authentication in the VPN Routers goes one step further, providing fine-grained access to network resources based on the user, whether over a tunneled or non-tunneled connection.

Nortel’s WLAN Security Switches also firewall WLAN traffic while also detecting and isolating unauthorized Access Points which may be attached to the network.

[5] Alteon Switched Firewall Product Brief, http://a1200.g.akamai.net/7/1200/5107/20040209071449/www.nortelnetworks.com/products/01/alteon/asf/asf_6414/collateral/nn106222-020404.pdf

> Nortel was the first vendor to offer support for both VPN technologies in a single platform.

Figure 4. Protect against DoS attacks and threats in Peer-to-Peer networking (shown: a hacker and a worm victim on the Internet are stopped at the Nortel Application Switch in front of the intranet DNS, application and database servers, while employee traffic passes)

Intelligent traffic management and switch protections

Nortel Application Switches (formerly known as Alteon Application Switches) provide similar protections inside the network: recognition of Denial of Service and virus attack signatures, filtering of data traffic that matches the signatures of known threats, and monitoring, policing and blocking of Peer-to-Peer applications. The Application Switches support thousands of filters and delayed binding, in which the switch completes the TCP three-way handshake on behalf of the Web servers and only then binds the connection to a real server; the half-open connections of a SYN flood therefore never consume server resources. The same platform offers the signature-based protections mentioned above[6] (Figure 4).

To mitigate the risks from Instant Messaging and Peer-to-Peer networks, and the copyright concerns raised by the latter, enterprises have a choice: minimize the use of such applications or deny them altogether. Nortel’s Application Switches offer Peer-to-Peer application filtering to give network administrators control over this traffic. Although these applications allocate ports dynamically, the switch’s deep packet inspection identifies the traffic by its content and can block it completely, rate limit it or shape it. Malicious activity by employees who have already authenticated is a real threat, so the application switch can act as the last line of defense for the application servers, protecting application availability when a DoS attack hits a server.
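To show how signature filtering identifies traffic by content rather than by port, here is an added example in Python that is not the Application Switch signature database or its filter language. Each rule combines a protocol, an optional destination port, one or more byte patterns anchored at a packet offset (or found anywhere in the payload) and a minimum length; the rule format and the sample packets are constructed for this example. The Slammer rule approximates the public description of that worm (UDP to port 1434, first payload byte 0x04, 376-byte payload) and is labeled as an approximation in the code; the BitTorrent rule uses that protocol’s real handshake prefix with no port condition, which is how a client that picks an arbitrary port is still caught.

```python
"""Offset-anchored payload signature filter.

Added illustration of deep-packet-inspection filtering; not the Nortel
Application Switch signature database. The rule format is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    proto: str                                   # "tcp" or "udp"
    dst_port: Optional[int]                      # None = any port
    patterns: List[Tuple[Optional[int], bytes]]  # (offset, bytes); offset None = anywhere
    min_len: int = 0
    action: str = "drop"                         # "drop" or "rate-limit"


def matches(rule: Rule, proto: str, dst_port: int, payload: bytes) -> bool:
    """True when the port/length conditions hold and every pattern is present."""
    if rule.proto != proto:
        return False
    if rule.dst_port is not None and dst_port != rule.dst_port:
        return False
    if len(payload) < rule.min_len:
        return False
    for offset, pat in rule.patterns:
        if offset is None:
            if pat not in payload:
                return False
        elif payload[offset:offset + len(pat)] != pat:
            return False
    return True


RULES = [
    # Worm signature: port, a byte at a fixed offset and a length floor.
    # Approximation of the public Slammer description, not a vendor signature.
    Rule("slammer-propagation", "udp", 1434, [(0, b"\x04")], min_len=376),
    # P2P signature: no port check, because such clients choose ports
    # dynamically; the handshake is recognised from its content instead.
    Rule("bittorrent-handshake", "tcp", None, [(0, b"\x13BitTorrent protocol")],
         action="rate-limit"),
]


def classify(proto: str, dst_port: int, payload: bytes) -> Tuple[str, Optional[str]]:
    """Return (action, rule_name) for the first matching rule, else ("forward", None)."""
    for r in RULES:
        if matches(r, proto, dst_port, payload):
            return r.action, r.name
    return "forward", None


# Constructed sample packets: (proto, dst_port, payload).
SAMPLE_PACKETS = {
    "slammer": ("udp", 1434, b"\x04" + b"\x01" * 375),
    "short-udp-1434": ("udp", 1434, b"\x04\x01\x01\x01"),
    "bt-on-6881": ("tcp", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
    "bt-on-80": ("tcp", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    "http": ("tcp", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
}


def classify_samples() -> dict:
    """Action chosen for each constructed sample packet."""
    return {name: classify(*pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, action in classify_samples().items():
        print(f"{name:15s} -> {action}")
```

The two BitTorrent samples differ only in destination port and receive the same verdict, which is the property the paragraph above relies on; the short UDP packet to port 1434 is forwarded because a signature that consisted of the port and first byte alone would also match legitimate SQL Server Resolution Service queries.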

To protect against application abuse by legitimate, authenticated users, and its impact on the reliability of the network, the Application Switches serve yet another function. If a user opens sessions above a predefined limit, the user is placed in a ‘penalty box’ and denied access to that application for a predefined time; access is restored only once the user’s session rate has dropped back below the limit.

These types of post-authentication quarantines are an effective mechanism in a layered approach to security. Ultimately, for reliability, resiliency and business continuity, real-time deep packet inspection to mitigate many of today’s threats is best done by switch-based architectures such as those from Nortel.
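The penalty box described above, as an added example that is not the Application Switch implementation: a per-user sliding-window session counter in Python. A user who exceeds the session limit within the window is boxed for a fixed penalty period and is released only once both the penalty has expired and the rate has dropped back below the limit. The limit, window and penalty values are assumptions.

```python
"""Per-user session-rate limiter with a penalty box.

Added illustration of the post-authentication quarantine described above;
not Nortel Application Switch code. Limits are assumed values.
"""
from collections import deque


class PenaltyBox:
    def __init__(self, max_sessions: int, window_s: float, penalty_s: float):
        self.max_sessions = max_sessions    # new sessions allowed per window
        self.window_s = window_s
        self.penalty_s = penalty_s
        self._starts = {}                   # user -> deque of session start times
        self._boxed_until = {}              # user -> earliest release time

    def _recent(self, user: str, now: float) -> deque:
        """Session starts for this user that still fall inside the window."""
        q = self._starts.setdefault(user, deque())
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def new_session(self, user: str, now: float) -> bool:
        """Return True if the session may open, False if the user is boxed."""
        q = self._recent(user, now)
        until = self._boxed_until.get(user)
        if until is not None:
            # Release requires both the penalty to have expired and the
            # session rate to have fallen below the limit.
            if now < until or len(q) >= self.max_sessions:
                return False
            del self._boxed_until[user]
        if len(q) >= self.max_sessions:
            self._boxed_until[user] = now + self.penalty_s
            return False
        q.append(now)
        return True

    def is_boxed(self, user: str) -> bool:
        return user in self._boxed_until


def replay(events, max_sessions=3, window_s=10.0, penalty_s=30.0) -> list:
    """Run a sequence of (time, user) session attempts; return the decisions."""
    pb = PenaltyBox(max_sessions, window_s, penalty_s)
    return [pb.new_session(user, t) for t, user in events]


# Constructed event log: alice opens four sessions in three seconds, then
# tries again during and after the penalty; bob is a normal user.
SAMPLE_EVENTS = [(0, "alice"), (1, "alice"), (2, "alice"), (3, "alice"),
                 (3, "bob"), (20, "alice"), (34, "alice")]

if __name__ == "__main__":
    for (t, user), ok in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:3d} {user:6s} {'open' if ok else 'BOXED'}")
```

Attempts made while boxed are not counted as sessions, so the measured rate decays naturally during the penalty; a user who keeps hammering the application is still released on the same schedule as one who stops, which matches the behaviour described above and avoids turning the quarantine into a permanent lockout.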

Protecting information in transit—VPNs and Virtual Local Area Networks (VLANs) Protecting the communications from remote users is another important element of the layered security approach. Enterprises have several options from the Nortel portfolio to secure their traffic leaving or arriving at the enterprise. This offering of multiple methodologies affords our customers a business without boundaries using the solutions that most suit their corporate needs. Coupled with the endpoint protections mentioned earlier, VPN and VLAN users’ devices are also checked before joining the network.

While IPSec provides cryptographic protection at the network layer (OSI Layer 3), Web traffic uses Secure Sockets Layer (SSL), which runs on top of the transport layer (Layer 4) to protect individual application connections. Nortel was the first vendor to offer support for both VPN technologies in a single platform.

• Supporting up to 5,000 tunnels, Nortel VPN Routers are award-winning, market-leading IPSec VPN platforms that address environments from small office/home office (SOHO) to large enterprise data centers. Expanding on its IPSec capabilities, Nortel has recently added SSL VPN support to the VPN Router portfolio.
• SSL VPNs are offered through the VPN Gateway 3050, with added endpoint protections such as automatic timeout for walk-away situations at kiosks and dynamic access policies that limit application access based on the employee’s location.
• SSL VPN support is also available on the Nortel Application Switch 2424-SSL, which, combined with the switch’s other security protections, provides Layer 2-7 coverage.
• To secure wireless LAN communications, the WLAN Security Switches provide PPTP, SSL and IPSec tunneling and support seamless secure roaming across IP subnets while maintaining the VPN tunnels. The APs offer separate VLANs to isolate traffic; over-the-air SSIDs can be mapped to VLANs to separate wireless traffic flows.
• SSL acceleration offload is provided in standalone platforms such as the Nortel VPN Gateway 3050, which also offers SSL VPN, and through an optional SSL acceleration blade for the Nortel Ethernet Routing Switch 8600.
• Up to 50,000 IPSec tunnels are supported for large enterprises or VPN service providers on the Services Edge Router 5500 platform.

[6] Application Layer Security white paper, http://a240.g.akamai.net/7/240/5107/20031104071254/www.nortelnetworks.com/products/01/alteon/2224/collateral/nn105560-100703.pdf

Virtual Local Area Networks (VLANs), which isolate and separate network traffic, are supported in many Nortel products, including the Ethernet Switches, Ethernet Routing Switches and Wireless Access Points.

• For example, the internal architecture of the Ethernet Routing Switch 8600 allows users to build “secure” VLANs. When port-based VLANs are configured, each VLAN is a completely separate broadcast domain. The switch’s hardware architecture (distributed ASICs that make local forwarding decisions) analyzes each packet independently of the preceding ones, which allows complete traffic isolation. The administrator can discard untagged traffic arriving on tagged ports and tagged traffic arriving on untagged ports; such traffic is dropped even when a tagged port receives a frame whose VLAN ID names a VLAN belonging to another “customer” configured on the same box.
• Nortel Ethernet Switches provide policies that direct application-specific traffic (for example, IP Telephony) to the firewall and separate it from data traffic through the network, while also providing the QoS that delay-sensitive traffic such as voice needs in order to receive the highest priority on the network.
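The ingress rules just described for the Ethernet Routing Switch 8600, as an added example that is not Nortel code: a Python 802.1Q frame parser and a constructed port table that discards untagged frames on tagged ports, tagged frames on untagged ports, and tagged frames whose VLAN ID is not a member of the receiving port. Following 802.1Q, priority-tagged frames (VID 0) are treated as untagged and the reserved VID 4095 is always discarded; the port numbers and VLAN assignments are assumptions.

```python
"""Port-based VLAN ingress filtering for tagged and untagged Ethernet frames.

Added illustration of the VLAN separation rules described above; not
Ethernet Routing Switch code. The port table and frames are constructed.
"""
import struct

TPID_8021Q = 0x8100
VID_PRIORITY_TAGGED = 0      # 802.1Q: tag carries priority only, no VLAN
VID_RESERVED = 4095          # 802.1Q: reserved, never a valid VLAN


def parse_frame(frame: bytes):
    """Return (dst, src, vid_or_None, ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, ethertype, frame[14:]


# Constructed port table: a "tagged" (trunk) port lists its member VLANs;
# an "untagged" (access) port belongs to exactly one VLAN.
PORTS = {
    1: {"mode": "tagged", "vlans": {10, 20}},   # trunk carrying Engineering (10) and HR (20)
    2: {"mode": "untagged", "vlans": {10}},     # access port in Engineering
    3: {"mode": "untagged", "vlans": {20}},     # access port in HR
}


def ingress_decision(port: int, frame: bytes):
    """Return ("forward", vlan) or ("discard", reason) for a frame arriving on port."""
    cfg = PORTS[port]
    _, _, vid, _, _ = parse_frame(frame)
    if vid == VID_PRIORITY_TAGGED:
        vid = None                              # priority tag only: treat as untagged
    if vid == VID_RESERVED:
        return "discard", "reserved VLAN ID 4095"
    if cfg["mode"] == "tagged":
        if vid is None:
            return "discard", "untagged frame on tagged port"
        if vid not in cfg["vlans"]:
            return "discard", f"VLAN {vid} not configured on port {port}"
        return "forward", vid
    if vid is not None:
        return "discard", "tagged frame on untagged port"
    (vlan,) = cfg["vlans"]
    return "forward", vlan


def build_frame(vid=None, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed helper: a minimal Ethernet II frame, 802.1Q-tagged when vid is given."""
    dst = b"\xff" * 6
    src = b"\x00\x11\x22\x33\x44\x55"
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = vid & 0x0FFF                          # PCP=0, DEI=0
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    for port, frame in [(1, build_frame(10)), (1, build_frame(30)), (1, build_frame()),
                        (2, build_frame()), (2, build_frame(10)), (3, build_frame(4095))]:
        print(port, ingress_decision(port, frame))
```

The VLAN-membership check on the trunk port is the part that matters for multi-tenant isolation: a frame tagged with another customer’s VLAN ID is dropped at ingress rather than being forwarded into that customer’s broadcast domain.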

IP filters and access control lists (ACLs) can of course be used as additional granular enforcement tools to protect against unauthorized access.

Ensuring network high availability

As part of the layered approach to security, the solutions an enterprise chooses must also be judged on their reliability, to ensure the highest level of uptime. Throughout its history, Nortel has designed products for the reliability demanded by carrier environments. With this heritage of resilient, five-nines (99.999%) reliability, Nortel brings high availability to its full suite of enterprise products, including call servers, Layer 2-7 switching, VPNs, firewalls and server applications. Some examples of this reliability:

• Specialized Virtual Router Redundancy Protocol (VRRP) in the Nortel suite of Application Switches adds redundancy and load balancing for critical network resources such as intrusion detection systems, anti-virus products and any number of server functions.
• Active-Active high availability in the Nortel Switched Firewall allows automatic failover to other firewalls in the security cluster. Discrete Accelerator and Director (firewall) failover eliminates single points of failure in the network. Persistence support helps ensure that high-priority transactions, such as eCommerce, maintain state so businesses do not lose a sale.
• Full redundancy in Nortel VPN Routers: hot-swappable components, mirrored disk drives, dual CPUs and power supplies, automated off-system storage of images and configurations, and protocols such as VRRP, RIP/OSPF and ECMP. VPN Routers can also be paired with the Nortel suite of Application Switches to deliver VPN redundancy through load balancing and mirroring of VPN functions.
• Split Multi-Link Trunking (SMLT) (or Link Aggregation/802.3ad) and Distributed Multi-Link Trunking provide real-time protection against link, component, switch and protocol failure in the Nortel Layer 2 Ethernet Switches and Layer 3 Ethernet Routing Switches, and have been independently tested at under one second failover. The Ethernet Routing Switch 8600 is the first Layer 2-7 switch in the industry with software and hardware designed specifically for the scalability and high-reliability requirements of enterprises and service providers.
• The Nortel WLAN portfolio provides failover protection and recovery. The WLAN adaptive solution includes RF load balancing and self-healing. Should too many users associate with the same AP, the WLAN Security Switch steers users to the second strongest signal on a nearby AP, so the network supports more users with better QoS and optimal use of the radio resources. Self-healing ensures that if one WLAN AP fails, the remaining APs automatically increase their RF power to close the coverage hole. When an AP loses its Ethernet link, its radio is shut down so that devices re-associate with other APs that still have an active LAN connection; an automatic recovery mechanism periodically checks the link status and re-enables the radio as soon as the LAN connection returns.
• Power over Ethernet in Nortel’s WLAN solutions allows all Nortel WLAN APs to draw power directly from the Ethernet switches. Besides saving maintenance cost, this means that during an electrical outage the WLAN can run on the Ethernet switches’ backup power and service is maintained.
• WLAN dual firmware images provide built-in redundancy for increased availability: should an Access Point have a problem with its primary image, it automatically switches to the secondary image and continues operating.
• Fast recovery and switchover for Switch Fabric Card (SFC) failure, and hot swapping of all line cards, in the Services Edge Router 5500.

Core network security: Security in the DNA

A key aspect of the layered defense approach is to leverage the security built into the core products themselves. Nortel’s Security in the DNA philosophy means that security lives not only in Nortel’s security products, the products that enable security, and partnerships with best-of-breed security vendors, but is also built into the core networking products for IP Telephony, WLANs, switching, network management and many other core enterprise products. Examples of the Security in the DNA principle include:

• Stateful firewall inspection and IPSec VPN tunneling for IP Telephony traffic in Nortel’s Business Communications Manager
• Hardened operating systems, multiple layers of access control and other security options for call services in Nortel’s Communication Server portfolio (formerly known as Succession) of IP Telephony products
• Access control mechanisms, Windows access control interoperability, voice recognition for authentication and password protection in Nortel’s Contact Centers and Self-Service Solutions
• Security of management traffic as a key requirement for enterprise products, including secure shell (SSH), SNMPv3 and SSL

Also as part of its Security in the DNA philosophy, Nortel applies security best practices behind the scenes. These include vulnerability assessments as part of the Quality Assurance cycle before general availability release, and a Security Advisory Task Force (SATF) that works with CERT and other vulnerability monitoring organizations to respond quickly to network threats. The task force responds to product and protocol vulnerabilities as they are identified by CERT, SANS, ISA, channels and customers, so that customers know how to respond. Nortel participates in and drives security best practices within national advisory bodies, including the National Security Telecommunications Advisory Council (NSTAC), with executive participation from Nortel’s President of Wireline Networks; the FCC’s Network Reliability and Interoperability Council (NRIC); the Internet Security Alliance; and the ITU Study Group 17 (Network Security). Nortel also pursues security standards development so that vendors need not invent unique, proprietary ways of handling security in their network products but can follow common standards throughout.

Tying it all together: centralized network protection

Finally, the ability of the network to respond quickly to threats before patches are available or virus updates are released is critical. In addition to the user-based policy provisioning of Optivity Policy Services, enterprises can construct static policies that apply to the entire enterprise network and push them to the supported devices. This gives the enterprise a ‘quick reaction’ capability as it learns of new threats, without relying on per-device security policy updates. Policies keyed on the protocol type or port used by the malicious traffic can be pushed temporarily or permanently to keep that traffic from reaching the supported devices. The strength of OPS is its ability to push filters in real time to numerous devices on the network, which matters because today’s vulnerabilities are exploited by systemic, swiftly spreading threats. A port or protocol filter is a stopgap: it buys time until patches are deployed, and it cannot single out malicious traffic that shares a port with a legitimate service, which is where the content-based inspection described earlier takes over.

Security partnerships Nortel products co-exist, interoperate with and load balance today’s intrusion detection, anti-virus and personal firewall products as well as provide complementary protections, such as configuration anomaly detection on the network. Security services partners work with Nortel customers to provide a host of security services from vulnerability assessments, HIPAA consulting, WLAN surveys and many other services to help offload some of the daunting security challenges facing the enterprise today. The enterprise—not Nortel—can choose which vendors’ products or services they desire, to meet their own unique requirements. For more information on Nortel security partner options, visit us at: www.nortelnetworks.com/solutions/security

The icing on the cake: incorporating security best practices into the enterprise

As part of the Unified Security Framework, processes such as security policy definition, education and enforcement play as important a role as the technology. Human error on the network is frequently what turns a vulnerability into a compromise. Alongside the technology options, security practices, including educating employees on how they may unwittingly host these network threats and how to protect against them, together with strong enforcement of existing corporate security policies, are complementary yet critical parts of the solution.

As part of security best practices, system administrators must keep abreast of the latest software patches that close known vulnerabilities in the products they run. Gartner also notes that the operations organization that analyzes security risks and the support organization that implements controls based on those risks must collaborate more closely: “Enterprises that implement a vulnerability management process will experience 90 percent fewer successful attacks than those that make an equal investment only in intrusion detection systems.”

Overall, a strong enterprise security policy, enforced across a network and its users, and education for network users are essential elements in ensuring that those using the network do their best to protect it.

Nortel on Nortel

Nortel’s own network, one of the largest and most technically advanced enterprise networks in the world, connecting more than 280 locations across six continents, runs on products from Nortel’s own portfolio. That’s about 33 million minutes of voice calls, 1.1 petabytes of data traffic (including 19 million e-mails), and 100 live Web casts in a typical month—all on Nortel products. Leveraging the latest security available in Nortel’s portfolio, Nortel’s IS can use the Internet as a transport to reduce the costs and complexities associated with multiple network topologies and access methods while still protecting these critical network resources.

Currently, as an example of a layered defense approach, among its many solutions Nortel’s IS uses the Switched Firewall for deep packet inspection to protect our network IP Telephony applications; it prevented over 133 worms in its first month on the network, with minimal latency. Nortel Application Switches provide redundancy for Session Initiation Protocol (SIP) servers to ensure high availability of our SIP applications, and bandwidth management of peer-to-peer network applications. The Application Switches provide global multi-site and local redundancy of key servers, flexible packet inspection with packet offset, pattern matching for UDP, ICMP, IP and TCP traffic, and the ability to auto-learn and auto-update the latest attack signatures. Nortel VPN Routers provide mobile employees with secured communications, with the added protection of stateful firewall inspection. Using best-of-breed security technologies available through Nortel’s vendor partnerships, and security best practices including a strongly enforced and well-understood security policy, Nortel’s IS enjoys a true end-to-end layered approach to security.

Summary

The enterprise’s need to communicate with its remote employees, business partners and customers should not be hampered by the threats to public networks; instead, the enterprise should fully leverage the benefits realized from public IP networks. By taking a realistic approach to network security—including the technology options and human-related processes—based on Nortel’s Unified Security Framework layered defense approach, enterprises can be well-positioned to defend their networks against today’s network threats.

In the United States: Nortel, 35 Davis Drive, Research Triangle Park, NC 27709 USA

In Europe: Nortel, Maidenhead Office Park, Westacott Way, Maidenhead, Berkshire SL6 3QH UK

In Canada: Nortel, 8200 Dixie Road, Suite 100, Brampton, Ontario L6T 5P6 Canada

In Asia Pacific: Nortel, Nortel Networks Centre, 1 Innovation Drive, Macquarie University Research Park, Macquarie Park NSW 2109 Australia, Tel: +61 2 8870 5000

In Caribbean and Latin America: Nortel, 1500 Concorde Terrace, Sunrise, FL 33323 USA

In Greater China: Nortel, Sun Dong An Plaza, 138 Wang Fu Jing Street, Beijing 100006, China, Phone: (86) 10 6528 8877

Nortel is a recognized leader in delivering communications capabilities that enhance the human experience, ignite and power global commerce, and secure and protect the world’s most critical information. Serving both service provider and enterprise customers, Nortel delivers innovative technology solutions encompassing end-to-end broadband, Voice over IP, multimedia services and applications, and wireless broadband designed to help people solve the world’s greatest challenges. Nortel does business in more than 150 countries. For more information, visit Nortel on the Web at www.nortel.com.

For more information, contact your Nortel representative, or call 1-800-4 NORTEL or 1-800-466-7835 from anywhere in North America.

This is the Way. This is Nortel, Nortel, the Nortel logo, the Globemark and Optivity are trademarks of Nortel Networks. All other trademarks are the property of their owners.

Copyright © 2004 Nortel Networks. All rights reserved. Information in this document is subject to change without notice. Nortel assumes no responsibility for any errors that may appear in this document.

NN108120-120204