Network Security HaNdbook for Service Providers doc


NETWORK SECURITY HANDBOOK FOR SERVICE PROVIDERS

TABLE OF CONTENTS

1 EXECUTIVE SUMMARY . . . . . 2
2 THE IMPORTANCE OF NETWORK SECURITY . . . . . 4
  ANATOMY OF NETWORK THREATS . . . . . 8
    Overview of Security Threats . . . . . 8
    Distributed Denial of Service (DDoS) . . . . . 8
    Bots and Botnets . . . . . 9
    Worms . . . . . 10
    Zero Day Attacks . . . . . 10
    Vulnerable Network Components . . . . . 11
3 BEST PRACTICES FOR SERVICE PROVIDER SECURITY . . . . . 11
  GENERAL BEST PRACTICES AND TOOLS FOR SERVICE PROVIDER NETWORK SECURITY . . . . . 11
    Routers . . . . . 12
    MPLS VPN . . . . . 12
    Network Address Translation (NAT) . . . . . 12
    Access Control Lists . . . . . 13
    Network Firewall . . . . . 13
    Intrusion Protection System (IPS) . . . . . 13
    Application Servers . . . . . 14
    Identity and Policy Management . . . . . 14
  BEST PRACTICES FOR SECURING VOIP NETWORKS . . . . . 15
    Securing the IP Edge of the VoIP Network . . . . . 17
    Securing VoIP Elements in the Data Center . . . . . 17
    Securing Internet Peering Points for VoIP . . . . . 17
  BEST PRACTICES FOR SECURING TV AND MULTIMEDIA SERVICES . . . . . 18
    Securing External Network Peering Points . . . . . 19
    Securing the Video/Super Head-end . . . . . 19
    Securing the Video/Hub Serving Office . . . . . 19
  BEST PRACTICES FOR SECURING 3RD GENERATION MOBILE DATA NETWORKS . . . . . 20
  BEST PRACTICES FOR SECURING SERVICE PROVIDER DATA CENTERS . . . . . 22
4 JUNIPER NETWORKS SECURITY PRODUCT PORTFOLIO . . . . . 24
    Routers . . . . . 24
    Firewalls and IDP . . . . . 25
    Firewalls . . . . . 26
    Intrusion Detection and Prevention . . . . . 26
    Session Border Controller . . . . . 26
    Identity and Policy Management . . . . . 27
5 CONCLUSION . . . . . 27

Network Strategy Partners, LLC (NSP) — Management Consultants to the networking industry — helps service providers, enterprises, and equipment vendors around the globe make strategic decisions, mitigate risk, and effect change through custom consulting engagements. NSP's consulting includes business case and ROI analysis, go-to-market strategies, development of new service offerings, pricing and bundling, as well as infrastructure consulting. NSP's consultants are respected thought leaders in the networking industry and influence its direction through confidential engagements for industry leaders and through public appearances, white papers, and trade magazine articles. Contact NSP at www.nspllc.com.

Juniper Networks high-performance network infrastructure helps businesses accelerate the deployment of services and applications to take advantage of opportunities to innovate, grow, and strengthen their business. With Juniper, businesses can answer the challenge of complicated, legacy networks with high-performance, open, and flexible solutions.
Jointly published by Juniper Networks and Network Strategy Partners, LLC.

1. Executive Summary

The telecommunications industry is in the midst of a major paradigm shift. In the 1990s, most major service providers maintained separate networks for wireline voice, mobile voice, data, and TV. Today, many service providers are migrating all of their network services to IP packet switched networks. Voice services are still a major component of service provider revenue. As voice moves from circuit switched to VoIP packet switched networks (see Figure 1), service providers will have a major incentive to wind down operations on their expensive, legacy circuit switched infrastructure. By converging network services to integrated IP networks, service providers reduce capital and operations expenses while dramatically improving network scalability and service flexibility.

Furthermore, the migration to IP is increasing competition in the telecommunications market. Cable TV providers are offering traditional voice services, telephone companies are offering Internet and IPTV, and new entrants are building broadband wireless networks with Wi-Fi and WiMax technology. As increased competition is accelerating the migration to IP, service providers operating legacy networks risk shrinking revenues and operating margins.

Figure 1 - Forecast of VoIP Subscribers Worldwide (source: Infonetics Research, Inc., 2008). The chart plots millions of worldwide VoIP subscribers by region (Asia Pacific, EMEA, North America, CALA) for CY04 through CY11: 75.3M VoIP subscribers worldwide in 2007, +62% year over year; 185.7M worldwide by CY11, a 5-year CAGR of 25%, with more than 22M net new subscribers per year.

Service provider migration to IP networks has significant benefits and is, in fact, necessary for long term survival. However, the rapid growth in the Internet is also driving rapid growth in network security threats, which are escalating both in number and in level of severity. Threats come from a myriad of sources that are distributed around the world. In the early days of the Internet, most threats were created by hackers who were just causing trouble for fun. Today, threats come from independent hackers as well as highly organized crime syndicates focused on profiting from Internet criminal activities. Some of the potential threats to service provider networks include:

• Distributed denial of service attacks (DDoS)
• Bots and botnets attacking servers and network infrastructure
• Worms propagating throughout the network
• Attacks on the Domain Name System (DNS)
• Attacks on IP routing protocols
• Zero day attacks (new attacks which are unpredictable in nature)

The ramifications of such attacks on service provider networks include:

• Service outages
• Lost, damaged, or stolen customer data
• Lost, damaged, or stolen service provider data (usage data, billing records, passwords, and so on)

Global telecommunications revenues are expected to reach $2 trillion by the end of 2008 [1]; therefore, as network services migrate to IP, it is essential that service providers and telecommunications equipment vendors be vigilant about security. Network infrastructure must defend itself from attacks, and operators must implement network security best practices. This network security handbook provides service providers with an anatomy of network security threats and a set of best practices for protecting the network. Best practices for network security architecture are defined for some of the most important services, applications, and network infrastructure, including:

• Voice services
• TV and multimedia services
• Mobile networks
• Service provider data centers

2. The Importance of Network Security

The convergence of voice, data, TV, and mobile telecommunications on IP networks has elevated the importance of network security. For many service providers, IP network security presents new technical challenges because legacy networks are fundamentally more secure than IP networks. The legacy phone network is based on a closed, circuit switching model. Call signaling uses the SS7 packet network, which is not connected to the Internet or any other data network. Legacy television service is delivered using broadcast over digital or analog cable; specialized equipment which is not connected to any external packet networks is used for video service delivery. Many legacy data networks are based on Frame Relay and ATM; these technologies use secure layer 2 protocols with little or no connectivity outside the private network. Similarly, second-generation mobile networks are closed, circuit switching architectures with limited and controlled gateways to the Internet and other data networks. In general, legacy telecommunications networks:

• Implement service-specific networks
• Are based on closed and proprietary architectures
• Utilize end-to-end management by service providers
• Have no customer controls
• Have no external exposure

The migration to IP next-generation networks (NGNs) offers many strategic advantages to service providers; however, the open, flexible architecture of IP networks also poses a complex set of security threats.

[1] Gartner
Multiple services, including wireline voice, video, data, and mobile voice and data, are converging on a single IP network. This means that IP network attacks could affect all network services and, therefore, all network revenue. Also, threats that emerge from one service (for example, the Internet) could affect other services, like TV, that were previously isolated.

The IP network is based on an open, standards-based architecture that allows for rapid and massive worldwide growth. The open nature of the IP protocols, however, has also allowed intruders to easily access the tools needed for network intrusions. Everyone has access to RFC documents explaining the technical details of Internet protocols. In addition, extensive technical knowledge is not required because there is easy access to open source tools on the Web for creating network attacks and stealing valuable data.

IP networks use open standards for network management, operations, and provisioning. Protocols and standards such as SNMP, XML, and the newer Web services management model enhance the power and flexibility of operations support systems (OSS), but they also create opportunities for intruders to access the most sensitive and critical areas of the telecommunications network—the network management and control plane.

Another dimension of the problem is that business users, residential users, and mobile users are sharing the same IP network. Each of these customers has different security requirements that need to be addressed in the service offerings provided to them.

Attacks on IP networks can have serious and potentially devastating consequences. Attacks can result in:

• Service outages
• Lost, damaged, or stolen customer data
• Lost, damaged, or stolen service provider data (usage data, billing records, passwords, and so on)

Service outages can result in loss of revenue, payment of penalties for violated service-level agreements (SLAs), and increased customer churn. There are serious liabilities associated with lost or stolen customer data; lawsuits often result in high payments of damages as well as a tarnished public image. Lost or stolen service provider data can result in compromised networks and billing systems, or other serious problems.

As network services converge to IP, service availability of the IP network is critical. Downtime, as a result of network attacks, software errors, or configuration errors, often results in high costs. The cost of downtime is highly variable based on the business and applications, but in all cases is quite high. Estimates of downtime costs for various industries and applications [2] are presented in Table 1.

Table 1 - Downtime Cost Estimates in Different Vertical Markets

Industry         Application            Average Cost per Hour of Downtime
Transportation   Airline Reservations   $89,500
Retail           Catalog Sales          $90,000
Media            Pay-per-view           $1,150,000
Financial        Credit Card Sales      $2,600,000
Financial        Brokerage Operations   $6,500,000

Downtime in service provider networks results in lost revenue due to SLA penalties and, to add insult to injury, results in increased customer churn. Table 2 depicts some estimates [3] for hourly revenue loss for service provider network outages in small metro areas where 100,000 residential customers and 2,000 business customers are affected by an outage. In these small areas, residential losses are estimated to be over $8,333 per hour and business losses almost $6,944 per hour. While revenue loss is problematic, the potentially more serious problem (especially in markets where there are competitive offerings) is customer churn due to poor service. Table 3 presents a scenario for a small metro area with 100,000 customers, an increased churn rate of 5 percent due to dissatisfaction with network service availability, and an average cost of churn of $400 per subscriber [4]. In this scenario the average cost of churn for this small metro area would be $2,000,000 per year. Clearly, network reliability and availability is a critical business requirement for enterprises and service providers.

Table 2 - Service Provider Hourly Lost Revenue for Business and Residential Network Outages

                                       Residential   Business
Number of Customers                    100,000       2,000
Average Revenue per Customer           $60.00        $2,500
Hourly Lost Revenue in an Outage       $8,333        $6,944

Table 3 - Service Provider Costs of Increased Churn Due to Network Outages

                                       Residential
Number of Residential Subscribers      100,000
Increased Rate of Churn                5%
Average Cost of Churn per Subscriber   $400
Total Cost of Churn per Year           $2,000,000

Corporate executives, furthermore, are now legally responsible for the security of their corporate information systems. There are multiple federal and state government regulatory requirements requiring executives and companies to comply with government mandated security requirements. These regulations include:

• Sarbanes-Oxley (SOX)
• Cyber Security Critical Infrastructure Protection (CIP)
• Gramm-Leach-Bliley Act (GLBA)
• California Senate Bill Number 1386 (SB1386)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)

Network security, clearly, is one of the highest priorities in IP NGNs, and service providers need to be educated and vigilant to prevent devastating network attacks.

[2] See "Storage Virtualization and the Full Impact of Storage Disruptions: Relief and ROI", Computer Technology Review, February 2002, Volume XXII, Number 2.
[3] These estimates are based on an ROI model developed by Network Strategy Partners, LLC.
[4] The churn projections were based on an ROI model developed by Network Strategy Partners, LLC.

Anatomy of Network Threats

The open IP architecture presents a myriad of threats from many sources to all parts of the network. The following paragraphs give an overview of some common threats, threat sources, and components of the network that could be affected.

Overview of Security Threats

There are many types of security threats, and they continue to grow, develop, and mutate over time. A high level distribution of network security threats is presented in Figure 2, and a brief description of security threats is given in the following subsections of this paper. This is not meant to be an exhaustive description of network threats, but rather an overview of some common threats and terminology.

Figure 2 - Distribution of Network Security Threats

Distributed Denial of Service Attack (DDoS)

A distributed denial of service (DDoS) attack is an attempt to make a computer resource unavailable to its intended users. Perpetrators of DDoS attacks typically target sites or services hosted on high-profile Web servers such as banks, credit card payment gateways, and even DNS root servers. One common method of attack involves saturating the target (victim) machine with external communications requests such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered unavailable.
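The saturation pattern described above is visible to the operator long before a customer complains, because a flood shows up as a request rate one target cannot serve, spread across many sources. The following is an added example written for this page, not code from the handbook or from Juniper or NSP: a fixed-window counter over connection-log lines that raises an alert when a target's request rate exceeds a threshold and classifies the flood as distributed or single-source, which is the distinction that decides whether per-source blocking can help at all. The log format, the RFC 5737 addresses, the thresholds and the sample traffic are all constructed for the example.

```python
"""Detect the request-saturation pattern of a DDoS in connection logs.

Added example, not from the handbook. The log format, all IP addresses
(RFC 5737 documentation ranges) and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FloodAlert:
    target: str            # "dst_ip:dst_port"
    window_start: int      # epoch seconds of the window that tripped the threshold
    requests: int          # requests seen in that window
    distinct_sources: int  # number of source IPs that contributed
    kind: str              # "distributed" or "single-source"


def parse_line(line: str):
    """Constructed log format: '<epoch_seconds> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return int(ts), src, f"{dst}:{port}"


def detect_floods(lines: Iterable[str], window: int = 10,
                  rate_threshold: int = 200, min_sources: int = 20) -> List[FloodAlert]:
    """Count requests per target in fixed time windows and alert when a window
    exceeds rate_threshold. The distinct-source count separates a distributed
    flood (per-source blocking is futile; upstream rate limiting or scrubbing is
    needed) from one noisy client (a per-source ACL entry suffices)."""
    requests = defaultdict(int)   # (target, window_start) -> request count
    sources = defaultdict(set)    # (target, window_start) -> set of source IPs
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, target = parse_line(line)
        key = (target, ts - ts % window)
        requests[key] += 1
        sources[key].add(src)

    alerts = []
    for (target, start), count in sorted(requests.items(),
                                         key=lambda kv: (kv[0][1], kv[0][0])):
        if count < rate_threshold:
            continue
        n_src = len(sources[(target, start)])
        kind = "distributed" if n_src >= min_sources else "single-source"
        alerts.append(FloodAlert(target, start, count, n_src, kind))
    return alerts


def build_sample_log() -> List[str]:
    """Constructed traffic: light legitimate load on a mail server for 20 s, plus
    60 bots in 198.51.100.0/24 each sending 5 requests/second to a web server
    during the 10-second window starting at t=1010."""
    lines = ["# constructed sample log"]
    for ts in range(1000, 1020, 2):          # 5 clients, one request every 2 s
        for i in range(5):
            lines.append(f"{ts} 192.0.2.{10 + i} 203.0.113.20 25")
    for ts in range(1010, 1020):             # the flood window
        for bot in range(1, 61):
            lines.extend([f"{ts} 198.51.100.{bot} 203.0.113.5 80"] * 5)
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

Fixed windows are simple but can split one burst across two windows so that neither crosses the threshold; a production detector uses a sliding window or an exponentially weighted rate, and tunes the threshold per target from a baseline of normal load rather than from a constant.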
In general terms, DDoS attacks are implemented by either forcing the targeted network elements or servers to reset, consuming their resources so that they can no longer provide their intended service, or obstructing the communication media between the [...]

Figure 2 (data shown): bar chart of threat categories DDoS, Bots and Botnets, Worms, Compromised Infrastructure, DNS, and BGP Route Hijacking, on a vertical axis from 0 to 50.

The rest of the preview consists of fragments from later sections of the handbook, given here in the order of the table of contents:

... closely related; this discussion addresses both types of threats. [6] In contrast, zero day attacks are new and therefore have no attack signatures to identify them. To defend against zero day ...

[6] Internet Information Services (IIS)—formerly called Internet Information Server—is a Microsoft-produced set of Internet-based services for servers using Microsoft Windows.

... the network components above can result in loss of service or loss of data.

3. Best Practices for Service Provider Security

Every network is unique and requires the attention of professional network architects and designers to ensure that the network is defensible. The principles used by network designers to secure networks are based on a set of industry best practices. This section of the security handbook ...

... a network security best practice overview, which is summarized in Table 4. We start by providing a summary of general best practices that can be applied to any service provider network.

General Best Practices and Tools for Service Provider Network Security

This section provides an overview of some of the devices and technologies for securing service provider networks. The devices that provide network security ...

... to attack hosts. This is especially important for network servers that are a focal point for many attacks.

Access Control Lists (ACLs)

The ACL is a list of permissions that specifies who or what is allowed to access the router or device, and what operations they are allowed to perform. In an ACL-based security model, when a subject requests to perform ...

... elements, data center, and Internet peering points.

Securing the IP Edge of the VoIP Network

The primary mechanisms for controlling traffic and securing the edge of the VoIP network are Session Border Controllers (SBCs) and IPS. SBCs are specialized network devices designed to perform specific services in VoIP networks. They are inserted into the signaling and/or ...

Figure 8 - Architecture of Service Provider Data Centers (labels visible: Application or Content Provider; Hosting or Content Delivery Operator)

Data centers are the brains running the network services and therefore are a focal point for network criminals attacking service providers. There is a complex set of systems and services running in the data center with vulnerabilities ...

Figure 9 - Establishing a Security Perimeter in a Virtualized Data Center (labels visible: Fixed Configuration; Configuration)

A common approach for securing network and system infrastructure in data centers is a layered security model (see Figure 9). In this model, security perimeter(s) are maintained such that trusted network components are separated from untrusted components ...

... management solutions.

Routers

The Juniper Networks intelligent services edge includes the M-series and MX-series routing platforms that provide a broad range of edge functionality to support next-generation applications. Each routing platform supports VLANs, MPLS VPNs, and ACLs for baseline security defenses. Additional security is available with the MS-DPCs ...

... firewall and IDP.

Figure 10 - Juniper Networks Security Product Family (labels visible: SRX 5800, SRX 5600, ISG 2000, ISG 1000, NS 5400, NS 5200; Scalable Performance for Wider Range of Services; Rich Standard Services - Firewall - IDP - Routing - QoS; Extensible Security Services; Integrated Networking Services; Common Management (NSM))

Firewalls

The top end of the product ...

... time-to-market for new services.

5. Conclusion

Service provider networks are undergoing a massive paradigm shift as networks migrate from legacy circuit switched and closed data networks to converged IP and Carrier Ethernet networks. This shift has created many business opportunities, but also created serious network security vulnerabilities. This network security handbook has explained why security is of ...
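The Access Control Lists excerpt above describes an ACL as an ordered list of permissions that decides who may reach a router or device and what they may do. What the excerpt does not show is the evaluation order that makes this work and the error it invites in practice: a rule added later in the list that can never fire because an earlier rule already covers every packet it describes. The following is an added example written for this page, not code from the handbook or from Juniper or NSP. It evaluates a packet against an ACL top to bottom with an implicit deny at the end, and checks an ACL for shadowed rules. The rule set protecting a constructed router loopback, the addresses, and the ports are all assumptions made for the example.

```python
"""First-match ACL evaluation with an implicit deny, plus a shadowed-rule check.

Added example, not from the handbook. Rule set, addresses and ports are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source prefix in CIDR notation
    dst: str               # destination prefix in CIDR notation
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]   # None for protocols without ports (e.g. ICMP)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when the packet falls inside both prefixes and the
    protocol and port are either equal or left open by the rule."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(acl: Sequence[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first matching rule decides.
    A packet that matches nothing hits the implicit deny (rule index None)."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet that matches `later` already matches `earlier`."""
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and earlier.proto in ("any", later.proto)
            and earlier.dport in (None, later.dport))


def shadowed_rules(acl: Sequence[Rule]) -> List[int]:
    """Indices of rules that can never fire. An operator who adds one expects a
    policy change that silently does not happen, so this belongs in review."""
    return [j for j, later in enumerate(acl)
            if any(covers(acl[i], later) for i in range(j))]


# Constructed management-plane ACL protecting a router loopback at 192.0.2.1.
MGMT_ACL = [
    Rule("permit", "10.0.0.0/24",  "192.0.2.1/32", "tcp", 22),    # NOC jump hosts: SSH
    Rule("permit", "10.0.0.0/24",  "192.0.2.1/32", "udp", 161),   # NOC pollers: SNMP
    Rule("deny",   "0.0.0.0/0",    "192.0.2.1/32", "tcp", 23),    # telnet is never acceptable
    Rule("deny",   "0.0.0.0/0",    "192.0.2.1/32", "any", None),  # explicit catch-all so the drop can be logged
    Rule("permit", "10.0.0.50/32", "192.0.2.1/32", "tcp", 22),    # constructed mistake: already covered by rule 0
]


if __name__ == "__main__":
    print(evaluate(MGMT_ACL, Packet("10.0.0.7", "192.0.2.1", "tcp", 22)))
    print(evaluate(MGMT_ACL, Packet("198.51.100.9", "192.0.2.1", "tcp", 22)))
    print("shadowed rule indices:", shadowed_rules(MGMT_ACL))
```

The explicit catch-all deny (rule 3) is redundant with the implicit deny but is worth keeping on real devices, since a logged explicit drop is what lets the operator see who is probing the management plane; the shadowed-rule check is run on every ACL change so that a permit appended below a catch-all deny is caught before it ships.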

Posted: 05/03/2014, 21:20
