Layered Network Security Defense

Position Paper

Protecting the enterprise network: layered network security

> This is the way enterprises can be well-positioned to defend their networks against today’s network threats.

> Taking a layered defense approach to security as outlined in the Nortel Unified Security Framework, Nortel offers enterprise customers ‘a world of choice’ of security options to implement the solutions that make the most sense for their own unique networks.

Overview

Today’s enterprises are enjoying the many benefits of greater communications with fewer boundaries between them and their business partners, customers and remote employees. These many benefits outweigh the various risks of doing business on public networks, yet enterprises must still make the right business decisions to appropriately protect their corporate assets—sensitive corporate information (payroll, research and development, etc.) and their customers’ privacy. With their increasing business on public networks, enterprises are unfortunately more likely to be victims of the risks associated with these public networks—most frequently worms, blended threats and software vulnerabilities.

A combination of choosing the right security solutions and putting the appropriate processes in place will help enterprises face these challenges directly. Ultimately, a solid approach to network security ensures not only the security of your network, but your overall network reliability, resiliency and business continuity.

Contents

  • Nortel’s layered defense (p. 3)
  • Protecting against today’s threats (p. 3)
  • Network security solutions (p. 5)
  • Blocking threats at the end-user: endpoint security (p. 5)
  • 802.1x and device authentication (p. 6)
  • Wireless Local Area Network (WLAN)-specific protections (p. 6)
  • Tunnel Guard and Endpoint Security (p. 6)
  • User-based provisioning (p. 8)
  • Protecting the perimeter (p. 8)
  • Firewalls (p. 8)
  • Intelligent traffic management and switch protections (p. 10)
  • Protecting information in transit: VPNs and Virtual Local Area Networks (VLANs) (p. 10)
  • Ensuring network high availability (p. 11)
  • Core network security: Security in the DNA (p. 12)
  • Tying it all together: centralized network protection (p. 12)
  • Security partnerships (p. 12)
  • The icing on the cake: incorporating security best practices into the enterprise (p. 13)
  • Nortel on Nortel (p. 13)
  • Summary (p. 13)

Nortel’s layered defense

Securing the network perimeter and prohibiting unauthorized access from within can prove to be a daunting challenge. Today’s businesses must guarantee uninterrupted access to network resources. Products must be designed in their DNA to offer a high level of resiliency and security even under attack. Concepts such as redundant power, data and control planes are not optional any more. Accordingly, customers can no longer afford downtime to perform network maintenance. Network products have to be designed to allow plug-and-play operation of physical components as well as of new protocols and applications.

The evolution of the enterprise and the way it does business, coupled with today’s network threats, has reduced the effectiveness of traditional perimeter security. Nortel has devised a new paradigm for enterprise network security which recognizes the need for flexible and extensible security with low management overhead. This paper describes Nortel’s layered defense approach to network security based on the Unified Security Framework model [1] (Figure 1).

This comprehensive approach encompasses the endpoint devices, switches, gateways, wired and wireless connections, and tunneled and non-tunneled traffic. It is complemented by existing anti-virus, intrusion detection and personal firewall services from best-of-breed vendors. With this open, vendor partner-neutral, standards-based approach, Nortel’s security solutions provide security for the entire enterprise network—remote and resident network users, wired and wireless connections.

[Figure 1. Unified Security Framework. Elements shown: Network survivability; Continuous security under attack; Policy management; Security for operations, administration and management; Authentication/authorization; Variable depth security; Security for converged communications.]

[1] Unified Security Framework white paper (http://a624.g.akamai.net/7/624/5107/20030925231743/www.nortelnetworks.com/solutions/security/collateral/nn102060-0902.pdf)

Protecting against today’s threats

In 2003, Denial of Service (DoS) attacks against North American companies reporting such attacks accounted for over $65 million in corporate losses (CSI/FBI Survey, 2003). Another costly threat to networks today is that of malicious code—primarily viruses, worms and Trojan horses. These threats can result in many hours of downtime for staff, network resources and those dependent upon them. Viruses alone accounted for $27 million in corporate losses in 2003 within North America (CSI/FBI Survey, 2003), while merely one worm—the Slammer worm—is estimated to have cost enterprises $1.25B (Computer Economics, Inc.).

In the near future, the most likely threats to corporate networks continue to be Denial of Service attacks and worms. The increasing sophistication of these worms—with payloads that could include Trojan horses which lie dormant and later use victim machines to launch other attacks, become massive spam relays or perform other damaging actions—and the speed at which they propagate are of greatest concern. The speed with which exploits for known vulnerabilities are released is increasing.

Today, the usual event chain is: vulnerability announcement, vendor-issued patch (or anti-virus vendor-issued update), company installs the patch (or update), and by the time an exploit is readily available or trafficking across the Internet, most enterprise systems have had the chance to defend themselves. In the likely scenarios of the near-term future, an otherwise unknown vulnerability will have exploit code readily available on the Internet before the vendor is even aware of the vulnerability—much less has had the time to issue a patch and the enterprise the time to install it. This is why it is absolutely critical to plan a layered defense approach to network security, to mitigate as much damage as possible from these threats in the event you must wait days or even a month for a patch.

The avenues for such threats may come from new applications on corporate networks, specifically given the growth in Instant Messaging and Peer-to-Peer networks for file sharing of music. And in addition to monitoring these applications for threats to the network, protecting against liability for copyright infringement in Peer-to-Peer networks is a new and growing concern.

Network security solutions

For protection against many of these contemporary vulnerabilities, multiple layers of defense are necessary—from the remote endpoints, to the network perimeter, to the department perimeter, down to the core internal switching and desktops (Figure 2). Filters for signatures and keywords common to the attacks, stateful firewall inspection of known protocols, and anti-virus and intrusion protection software are also necessary components.

According to Gartner, “Enterprises that rely only on proxy or stateful packet inspection will experience successful application-layer attacks at twice the rate of enterprises that use leading deep-packet-inspection approaches.” [2]

[2] Gartner Predicts 2004: Security and Privacy, 20 November 2003

Nortel’s layered defense approach, announced in September 2002 as the Unified Security Framework, provides a number of security technology and process options to effectively secure against today’s network threats. This paper moves beyond the architecture of the Unified Security Framework to explain specific technology and product solutions within Nortel’s Enterprise portfolio which can enable an enterprise layered defense strategy. With solutions based on the Nortel philosophy of Security in the DNA, which leverages security products, product security and Nortel’s best practices, customers can pick and choose which Nortel products they want to use in a heterogeneous network environment. The beauty of the open framework is that it presumes a multi-vendor network environment, so customers are free to choose which products and solutions they adopt. Based on open, vendor partner-neutral, standards-based solutions, this approach covers the network end-to-end.

[Figure 2. Layered defense approach. Elements shown: Engineering, HR and Finance VLANs; VPN; Firewall; Layer 4-7 Application Switch; Internet; Ethernet Switches; Layer 2 Switch; Remote endpoint security; Wireless security; Secure communications; Secure perimeters; Core network security; Internal endpoint security.]

Blocking threats at the end-user: endpoint security

As employees, business partners and customers make more use of the enterprise network to meet their business and retail objectives, enterprises need more control of the endpoints. Because so many threats come from internal users on the network, this must include the endpoints within the corporate network as well as the remote endpoints, where there is less control over the user’s device.

802.1x and device authentication

To protect the network from threats from inside the network, Nortel’s portfolio of Ethernet Switches supports the 802.1x standard to separate user authentication from device authentication. Both the Nortel Ethernet Switch (formerly known as BayStack) and Ethernet Routing Switch (formerly known as Passport) portfolios can require that end-users securely log into the network before being given access
