Article

A Framework for Ensuring Network Security


Abstract

The current focus of network security is concerned with securing individual components as well as preventing unauthorized access to network services. While these are necessary concerns, they do not represent a complete view of network security. In this paper, we present the Lucent Network Security Framework, which provides a comprehensive, top-down, end-to-end perspective on network security. We show how this framework can be applied to network elements, services, and applications including detecting, correcting, and preventing security vulnerabilities. In addition, we demonstrate how the Network Security Framework can be applied to all types of networks and across all layers of the protocol stack. This framework has been submitted to several government and standards bodies (e.g., ITU-T and ISO), and it has been very well received. Service provider networks developed with attention to the Lucent Network Security Framework will have a comprehensive security architecture enabling new value-added revenue-generating security services such as security service-level agreements (SLAs). © 2004 Lucent Technologies Inc.


... Managerial activities are considered as one of the most important types of network activities which are often performed by the network administrator or Chief Security Officers (CSOs) periodically. These activities are comprised of all operational, maintenance, configuration activities, logistics and security issues related to infrastructure components, services and network applications (McGee et al., 2004). ...
... , a view of ITU-TX-805 security architecture was displayed. Some reasons for the application of this architecture to the proposed framework can be summarised as follows (McGee et al., 2004; Hajian et al., 2009; Mohammadi et al., 2013): ...
Article
Full-text available
Recently, knowledge management (KM) has been considered as a strategic weapon in a competitive environment. Corporate knowledge portals are one of the popular KM mechanisms for managing organisational knowledge and implementing knowledge management systems (KMSs) which use the communication networks. Since these portals are one of the main sources of organisational knowledge, their security becomes more essential. Despite the importance of the knowledge portal security, there are few studies to identify and evaluate the vulnerabilities of knowledge portals. The main purpose of this study is to offer an integrated framework to recognise, categorise and prioritise the key knowledge portal vulnerabilities based on the ITU-TX-805 architecture in order to enhance the security of KMSs. To identify the knowledge portal vulnerabilities, related studies were reviewed and then using the survey method, the main categories and related items were weighted by KM experts. The results proposed a new framework for identifying and prioritising knowledge portal vulnerabilities by using ITU-TX-805 architecture. The framework contains three main categories of vulnerabilities such as network components, network activities, and network security dimensions. In KM initiatives implementation, knowledge sharing along with knowledge protection must be considered. The proposed framework identifies and prioritizes the main vulnerabilities of knowledge portals which must be considered to make secure knowledge sources. It can assist knowledge manager officers (CKOs) to identify vulnerabilities, strengthen the security of knowledge portals, and protect knowledge assets.
... Statistics show that network attacks continue to increase at an alarming rate. For instance, Andrew et al. (2004) showed that over 182,000 threats were reported between 2002 and 1988 while just 6 were reported in 1988, and 82,000 occurring in 2002 alone. Industry estimates in Maughan (2007) revealed that the global cost of cyber attacks in 2003 was US$ 226 billion. ...
... These three security layers identify areas where security must be addressed. They build on one another to provide comprehensive, end-to-end security solutions (Andrew et al., 2004). ...
Article
Full-text available
One such wireless technology used to deploy sensitive network services requiring low rate communication, short distance application with low power consumption is the IEEE802.15.4 Low-Rate Wireless Personal Area Networks (LR-WPAN). These network services have stringent security requirements and, irrespective of the scale of deployment, the network should be secure enough to protect users, infrastructure, network services and applications. In this paper, we focus on the security mechanisms defined in the standard; evaluating it in the light of the ITU-T recommendation X.805 security architecture for end-to-end communication. We identify and assess the security dimensions, planes and layers in IEEE802.15.4 LR-WPAN as defined in the X.805 framework.
... Aqun et al. [50] compared L2TP, IPSec, IP/IP, and GRE on the basis of different features, including security mechanisms (confidentiality, authentication, etc). The scope of this research is limited, and it leaves out many performances and security features that should have been incorporated, as can be seen in Tables 7 and 8 given in the appendix B. McGee et al. [51] presented a network security test that can be helpful for improving the security of network traffic encapsulated via a VPN. The four major security threats highlighted in this research work are Interruption, Interception, Modification, and Fabrication. ...
Article
The use of Virtual Private Networks (VPNs) has witnessed an outstanding rise as they aim to provide confidentiality and anonymity to communication. Despite this enormous and ubiquitous usage, VPNs come with various security, misconfiguration and performance related issues thereby hindering the users to take maximum advantage of this revolutionary technology. To address this concern, VPN users must choose the most secure and perfect VPN solution for the smooth functioning of daily life activities. Generally, no clear set of directions is available for assisting a common VPN user thereby accentuating the need to develop an elucidated and coherent checklist that thoroughly helps in evaluating any VPN based on its security, performance, auditing, and management function. This research comprehensively surveys VPN Technologies, its features, working principles, and compliance principles that evolved over the last two decades. Based on it, this research presents a new methodology in the form of a feature-enriched template to comprehensively analyze a VPN solution. Each VPN feature is given its score against the potential damage it may cause in case of failure and the probability of occurrence of that failure. In this way, the corporate sector and individual users can quantitatively and qualitatively grade available options while choosing a VPN and use it effectively.
... The main framework of Lucent network security concentrates on security layers and security planes. Lucent security framework has grouped the security layers into infrastructure, services, and applications layer whereas security planes are defined by network activities which are the management planes, control plane and end-user plane [17] as shown in Figure 2. ...
Conference Paper
Ever since the existence of the Internet, the world has been constantly changing and upgrading with evolving technologies. As most organisations have increasingly migrated to computer and network systems, threats and cybercrime rise in parallel with the growing network. The need for network security has then become essential and vital in today's world in order to keep the network protected and secured from any threats or attacks. The security of the network has been a concern since valuable information can be easily acquired through the internet. The concern for security has been traced back as far as the 1930s, when several key events highlighted the importance of network security. Network security has always been highly associated with identification, authentication, and authorization. The definition of network security is to consider the security of the network as a whole and not just concentrating on securing the endpoint. In this article, we propose a framework as a source for organisations, particularly the Royal Malaysian Navy, to characterize the protection level that fits its operation domain and network design.
... To provide comprehensive, end-to-end security solutions, Lucent Networks came up with the concept of security layer which consists of services that customers receive from service providers [5]. These services range from basic transport and basic Internet connectivity (e.g., Internet access), IP service enablers such as authentication, authorization, and accounting services, dynamic host configuration services, and domain name services to value-added services such as voice over IP, quality of service (QoS), virtual private networks (VPNs), location services, 800-services, and instant messaging. ...
... In our research to date, a system framework titled Critical Infrastructure Auto-Immune Response System (CIAIRS), which is able to identify threats to a network and communicate the potential impact, has been put forward [2]. The quality of the framework depends on four main features: Simplicity, Clarity, Boundaries, Expandability [17]. Therefore, these features were taken in mind while forming the research approach. ...
Conference Paper
Full-text available
The Internet is now heavily relied upon by the Critical Infrastructures (CI). This has led to different security threats facing interconnected security systems. By understanding the complexity of critical infrastructure interdependency, and how to take advantage of it in order to minimize the cascading problem, enables the prediction of potential problems before they happen. Our proposed system, detailed in this paper, is able to detect cyber-attacks and share the knowledge with interconnected partners to create an immune system network. In order to demonstrate our approach, a realistic simulation is used to construct data and evaluate the system put forward. This paper provides a summary of the work to-date, on the development of a system titled Critical Infrastructure Auto-Immune Response System (CIAIRS). It provides a view of the main CIAIRS segments, which comprise the framework and illustrates the functioning of the system.
... We developed a holistic collaborative ISMS framework [19]. This innovative framework integrates for the first time stakeholder oriented IS governance frameworks [3], [4], [5], [8], with more technical IS architecture oriented frameworks [20], [21], [22], IS culture research [1], [3], [4], [5], [6], [11], [15], as well as different best practice methods (COBIT, ITIL), the requirements of the international standards ISO/IEC 2700x [1], [10] and other standard based management systems. It is further based on our practical experiences and a holistic, interdisciplinary approach. ...
Article
Full-text available
The importance of information, asset and technology as key differentiator for modern organizations is increasingly recognized. More than 6,600 organizations worldwide are implementing an information security management system (ISMS) in accordance to ISO/IEC 27001. An optimal information management is a critical success factor for the effectiveness, performance and sustainability of ISMS. Information security (IS) has been considered as technical job for a long time. In the last years IS research has developed further an IS governance and people oriented direction. Additionally, different best practices such as control objectives for information and related technology (COBIT) and the information technology infrastructure library (ITIL) have been published. In accordance to the IS approaches the information management for ISMS was studied either only from a technical perspective or a measurement perspective. In this paper we integrate all perspectives by defining a holistic, generic IS management taxonomy. To establish this taxonomy we start from a collaborative ISM framework that considers the different IS research approaches and best practices. Based on our novel IS management taxonomy we define the requirements for information system integration and information processing for a holistic, collaborative IS management.
... The behavioral requirements for security attributes provided in the previous section are consistent with the general descriptions of the eight security dimensions (access control, authentication, non-repudiation, data confidentiality, communication flow security, data integrity, availability, and privacy), as contained in standard ISO/IEC 18028-2, Information Technology - Security Techniques - IT Network Security - Part 2: Network Security Architecture [3] and originally provided in the Bell Labs Security Framework [6]. We expect that the CSA approach to security attribute analysis will be very supportive of work to address the challenges of security management and approaches to secure an enterprise and regulatory mandates (Discussions of the challenges of security management are provided in [2,8].) ...
Conference Paper
In the current state of practice, security properties of software systems are typically assessed through subjective, labor-intensive human evaluation. Moreover, much of the quantitative security analysis research to date is characterized by the development of approximate solutions and/or based on assumptions that severely constrain the operational utility of the results. In order to achieve a dramatic increase in maturing the discipline of software security engineering, a fundamentally different approach to analysis and evaluation of security attributes is required. The computational security attributes (CSA) approach to software security analysis provides a new approach for specification of security attributes in terms of data and transformation of data by programs. This paper provides an introduction to the CSA approach, provides behavioral requirements for several security attributes, and discusses possible application of the CSA approach to support analysis of security attributes during software development, acquisition, verification,and operation.
... For example, a server system whose IP address has already been preoccupied by another system during its rebooting cannot use the network. That is, the IP address may cause internal security problems in the network, not from externally [2][3][4]. ...
Conference Paper
Currently, the major focus on the network security is securing individual components as well as preventing unauthorized access to network services. Ironically, Address Resolution Protocol (ARP) poisoning and spoofing techniques can be used to prohibit unauthorized network access and resource modifications. The protecting ARP which relies on hosts caching reply messages can be the primary method in obstructing the misuse of the network. This paper proposes a network service access control framework, which provides a comprehensive, host-by-host perspective on IP (Internet Protocol) over Ethernet networks security. We will also show how this framework can be applied to network elements including detecting, correcting, and preventing security vulnerabilities.
... The paper also demonstrates how the X.805 Security Architecture can be applied to an entire network security program, including network assessments. The Bell Labs network security framework [4] provided the foundation for the X.805 recommendation. The paper concludes with a real-world application of X.805 by describing how the X.805 Security Architecture has been incorporated into the Lucent security methodology. ...
Conference Paper
In the wake of recent events, network security and reliability have become top issues for service providers and enterprises. The worldwide cost of cyber attacks is estimated to have been in the $145 billion dollar range for 2003. 2003 was also regarded as the "worst year ever" for computer viruses and worms; in 2001 the Code Red worm took several days to create widespread damage, whereas Slammer in 2003 had significant impact in just minutes. Over 90% of network attacks resulting in significant financial loss originate from inside a network's perimeter. Unfortunately, there appears to be no end in sight to these threats to network security; in fact, there is an increasing trend of attacking financial resources in addition to computing resources. The newly ratified ITU-T Recommendation X.805 "security architecture for systems providing end-to-end communications" was developed as the framework for the architecture and dimensions in achieving end-to-end security of distributed applications. It provides a comprehensive, multilayered, end-to-end network security framework across eight security dimensions in order to combat network security threats. We introduce the X.805 standard and describe how it can be applied to all phases of a network security program. We also provide examples of the business impact of network security vulnerabilities and the application of X.805 for network security assessments. Enterprises and service providers alike should use X.805 to provide a rigorous approach to network security throughout the entire lifecycle of their security programs.
Chapter
In this chapter, a novel performance model for assessing security of a layered network has been proposed. The work is motivated by the fact that there is a need for a reference framework to account for all threats to a networked system. There are few such models available, and one of them is recommended by the International Telecommunications Union (ITU). The proposed assessment model is based on the ITU security framework, recommended in the ITU-T Recommendation X.805. We employ this model to quantify network security against five threat categories mentioned in the recommendations. The quantification has been done based on the recommended measures against all threats. A threat vector has been proposed that defines required measures for a particular threat category. Other vectors, such as the security implementation vector define how effectively these measures are implemented in a given device, system, or network. As a simple application of the proposed model, the security provided by the IEEE 802.15.4 standard is analyzed, viewing it as an ‘end-to-end’ system (e.g., for ad hoc sensor network applications). The proposed security assessment model can be applied to any type of network (wireless, wired, optical, service oriented, transport, etc.). The model can be employed to obtain security assessment in the form of five security metrics, one for each threat category (destruction, corruption, removal, disclosure, and interruption). An expression for the overall security against all threats has also been derived.
Chapter
In the last decade RFID technology has become a major contender for managing large scale logistics operations and generating and distributing the massive amount of data involved in such operations. One of the main obstacles to the widespread deployment and adoption of RFID systems is the security issues inherent in them. This is compounded by a noticeable lack of literature on how to identify the vulnerabilities of a RFID system and then effectively identify and develop counter measures to combat the threats posed by those vulnerabilities. In this chapter, the authors develop a conceptual framework for analysing the threats, attacks, and security requirements pertaining to networked RFID systems. The vulnerabilities of, and the threats to, the system are identified using the threat model. The security framework itself consists of two main concepts: (1) the attack model, which identifies and classifies the possible attacks, and (2) the system model, which identifies the security requirements. The framework gives readers a method with which to analyse the threats any given system faces. Those threats can then be used to identify the attacks possible on that system and get a better understanding of those attacks. It also allows the reader to easily identify all the security requirements of that system and identify how those requirements can be met.
Article
Full-text available
Network Security is a vital part of any corporate and enterprise network. Network attacks greatly compromise not only the sensitive data of the consumers but also cause outages to these networks. Thus inadequately protected networks need to be "hardened". The hardening of network devices refers to the hardware and software components, device operating system's features, management controls, access-list restrictions, operational configurations and above all making sure that the data and credentials are not stored or transferred in 'plaintext' over the network. This article investigates the use of cryptography and network protocols based on encryption, to meet the need for essential security requirements. Use of non-secure protocols, underrating and misconfigurations of management protection are reasons behind network devices not properly being hardened; hence leaving vulnerabilities for the intruders. The gap identified after conducting an intense search and review of past work is used as the foundation to present solutions. When performing cryptography techniques by encrypting packets using tunnelling and security protocols, management level credentials are encrypted. These include password encryption and exceptional analysis of the emulated IOS (Internetwork Operating System). Necessary testing is carried out to evaluate an acceptable level of protection of these devices. In a virtual testing environment, security flaws are found mainly in the emulated IOS. The discoveries do not depend on the hardware or chassis of a networking device. Since routers primarily rely on their Operating System (OS), attackers focus on manipulating the command line configuration before initiating an attack. Substantial work is devoted to implementation and testing of a router based on Cryptography and Security Protocols in the border router. This is deployed at the core layer and acts as the first point of entry of any trusted and untrusted traffic.
A step-by-step hardening approach is adopted to secure the proposed network framework's border router. Encrypted services coupled with best practice configurations are implemented and tested in an emulated environment. The use of protocol analysers, CISCO Configuration Professional's Audit and penetration testing tools corroborated the success of the project.
Article
Full-text available
Network vulnerability taxonomy has become increasingly important in the area of information and data exchange not only for its potential use in identification of vulnerabilities but also in their assessment and prioritization. Computer networks play an important role in information and communication infrastructure. However, they are constantly exposed to a variety of vulnerability risks. In their attempts to create secure information exchange systems, scientists have concentrated on understanding the nature and typology of these vulnerabilities. Their efforts aimed at establishing secure networks have led to the development of a variety of methods and techniques for quantifying vulnerability. The objective of the present paper is developing a method based on the second edition of common vulnerability scoring system (CVSS) for the quantification of Computer Network vulnerabilities. It is expected that the proposed model will help in the identification and effective management of vulnerabilities by their quantification.
Article
Organizations have to meet most different enterprise-specific stakeholders', business, standard, legal and regulatory information security requirements. They are faced with a wide range of potential security threats and socio-organizational challenges. To invest all security efforts effectively the collaborators and partners of the whole value chain must be aware how they contribute to achieve common objectives and compliance. This is scarcely supported by fragmented approaches. To bridge the gaps we analyze accordingly to a design-science approach the different requirements and present a coherent and systematic stakeholder oriented information security reporting model. The comprehensive, systemic and structured reporting approach demonstrates the value of information security and sustains informed decision making to invest security efforts pro-actively, effectively and efficiently. The stakeholder oriented focus on security reporting offer new impacts for practice and a wide range of most different research questions.
Article
Organizations are faced with increasing complexity, uncertainty and enhanced threats from a wide range of forces. Depending on how this situation is handled, it can become risk or opportunity to erode or enhance business value. In addition, organizations have to meet most different stakeholders’, legal and regulatory risk management requirements. Thus, comprehensive enterprise risk management has become key challenge and core competence for organizations’ sustainable success. Given the central role of information security management and the common goals with enterprise risk management, organizations need guidance how to extend information security management in order to fulfill enterprise risk management requirements. Yet, interdisciplinary security research at the organizational level is still missing. Accordingly, we propose a systemic framework, which guides organizations to promote enterprise risk management starting from information security management. The results of our case studies in different small and medium-sized organizations suggest that the framework was useful to promote enterprise risk management in an effective, efficient, cost-effective and sustainable way. New insights for practice and future research are offered.
Article
Full-text available
Network vulnerability taxonomy has become increasingly important in the area of information and data exchange for its potential use not only in identification of vulnerabilities but also in their assessment and prioritization. Computer networks play an important role in information and communication infrastructure. However, they are constantly exposed to a variety of vulnerability risks. In their attempts to create secure information exchange systems, scientists have concentrated on understanding the nature and typology of these vulnerabilities. Their efforts aimed at establishing secure networks have led to the development of a variety of methods and techniques for quantifying vulnerability. The objectives of the present paper are twofold: (1) to develop a taxonomy framework for the classification of network vulnerabilities on the basis of the ITU-TX-805 security architecture and (2) to develop a method on the basis of the second edition of Common Vulnerability Scoring System for the quantification of vulnerabilities within the proposed taxonomy framework. It is expected that the framework proposed in this paper will provide a comprehensive taxonomic structure that can be extended to all the different aspects of network vulnerability. Furthermore, it will help in the identification and effective management of vulnerabilities by their quantification. Copyright © 2012 John Wiley & Sons, Ltd.
Conference Paper
SSL (secure sockets layer) protocol is one of the key technologies to keep users' data in secure transmission via the Internet. This paper is presented to analyze the security of the SSL protocol and propose a new scheme of SSL protocol configured in the Linux operating system (OS). The experimental results show that the proposed scheme is feasible and practical as a secure solution for Web-based communication, and the SSL protocol is compatible with the other protocols in the application layer via proper configuration.
Article
Full-text available
As a result of the increased dependency on obtaining information and connecting each computer together for ease of access/communication, organizations risk being attacked and losing private information through breaches or insecure business activities. To help protect organizations and their assets, companies need to develop a strong understanding of the risks imposed on their company and the security solutions designed to prevent/minimize vulnerabilities. To reduce the impact threats have on a network, organizations need to: design a defense layer system that provides multiple instances of protection to prevent unauthorized access to core information, implement a strong network hardware/intrusion prevention system, and create all-inclusive network/security policies that detail user rules and company rights. In order to enhance the overall security of a basic infrastructure, this paper will provide a detailed look into gathering the organizational requirements, designing and implementing a secure physical network layout, and selecting the standards needed to prevent unauthorized access.
Article
Network security is dependent upon securing individual components, services, and applications. This is done through the prevention, detection, and correction of threats and attacks that exploit vulnerabilities in the network. Network security must be analyzed using various factors, such as security requirements, the inherent strengths and vulnerabilities of different network technologies, and the processes used to design, deploy, and operate networks. The Bell Laboratories security model provides the framework required to plan, design, and assess the end-to-end security of networks. In this paper, the Bell Labs security model is used to (1) define the basic security needs of civilian and non-civilian networks, (2) examine the security capabilities of various technologies and identify their security strengths and gaps, (3) identify key threat-mitigation strategies for civilian and non-civilian networks, and (4) illustrate the value of a comprehensive framework (e.g., the Bell Labs model) in any security program, whether designed for a civilian or a non-civilian network. © 2004 Lucent Technologies Inc.
Conference Paper
Network survivability nowadays has priority over everything for both network design and implementation. The key focus on the network security is securing individual components as well as preventing unauthorized access to network services. Ironically, Address Resolution Protocol (ARP) poisoning and spoofing techniques can be used to prohibit unauthorized network access and resource occupations. Our work deals with simulation of intrusion traffic by explicitly generating data packets that contain ARP spoofing packets. In this paper we report experimental studies of simulation efficiency and network performance of simulated networks using a host isolation system to capture duplicate ARP spoofing attacks. The Virtual Local Area Network (VLAN) based network access control framework proposed in this paper works in parallel with the policy based real-time access control function to make the utmost use of the network resources and to provide a high-quality service to the user.
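The abstract above describes generating ARP spoofing traffic and using a host isolation system to catch duplicate ARP replies. The following is an added example, not code from the cited paper, that shows the core of such a detector: it learns IP-to-MAC bindings from observed ARP replies, honours a static table for critical hosts such as the gateway, raises an alert when an IP is claimed by a second MAC, and records the offending MAC for quarantine (the VLAN-based isolation step is represented only by that set). The packet records and addresses are constructed for the example.

```python
"""Detect ARP spoofing by tracking IP -> MAC bindings over a stream of ARP replies.

Added example, not code from the cited paper. The ArpReply records below are
constructed inline; a real deployment would feed them from a packet capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    ts: float  # capture time in seconds (assumed monotonic)


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so 'DE:AD:..' and 'de:ad:..' compare equal."""
    return mac.strip().lower()


# Constructed sample traffic: the gateway 192.168.1.1 legitimately answers from
# aa:bb:cc:dd:ee:01; the host at de:ad:be:ef:00:50 later claims the gateway's IP.
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:01", 0.0),
    ArpReply("192.168.1.50", "de:ad:be:ef:00:50", 1.0),
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:20", 2.0),
    ArpReply("192.168.1.1", "DE:AD:BE:EF:00:50", 3.0),   # spoofed gateway reply
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:01", 4.0),   # genuine gateway reply
]

# Static bindings for hosts that must never change MAC (assumed, operator supplied).
TRUSTED_BINDINGS: Dict[str, str] = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}


class ArpSpoofDetector:
    def __init__(self, trusted: Optional[Dict[str, str]] = None) -> None:
        # Static table wins over anything learned from the wire.
        self.trusted: Dict[str, str] = {ip: norm_mac(m) for ip, m in (trusted or {}).items()}
        self.learned: Dict[str, str] = {}        # ip -> first MAC seen
        self.alerts: List[dict] = []
        self.isolated: Set[str] = set()          # MACs handed to the isolation system

    def expected_mac(self, ip: str) -> Optional[str]:
        return self.trusted.get(ip) or self.learned.get(ip)

    def observe(self, reply: ArpReply) -> Optional[dict]:
        """Process one ARP reply; return an alert dict if it conflicts with a known binding."""
        mac = norm_mac(reply.sender_mac)
        expected = self.expected_mac(reply.sender_ip)
        if expected is None:
            # First sighting: learn it. A static table avoids trusting the first liar.
            self.learned[reply.sender_ip] = mac
            return None
        if mac == expected:
            return None
        alert = {
            "ts": reply.ts,
            "spoofed_ip": reply.sender_ip,
            "expected_mac": expected,
            "observed_mac": mac,
            "static_binding": reply.sender_ip in self.trusted,
        }
        self.alerts.append(alert)
        self.isolated.add(mac)  # quarantine the claimant, not the victim IP
        return alert


def run(replies: List[ArpReply], trusted: Optional[Dict[str, str]] = None) -> ArpSpoofDetector:
    det = ArpSpoofDetector(trusted)
    for r in replies:
        det.observe(r)
    return det


if __name__ == "__main__":
    d = run(SAMPLE_REPLIES, TRUSTED_BINDINGS)
    for a in d.alerts:
        print("ALERT", a)
    print("isolate:", sorted(d.isolated))
```

Without a static table the detector trusts whichever MAC answers first, so an attacker who beats the real host to the first reply is learned as legitimate; the trusted map closes that gap for the gateway and other fixed hosts. Legitimate changes (a replaced NIC, a failover to a standby router) will also trigger an alert, so the isolation action should be reviewable rather than permanent.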
Conference Paper
Security incidents continue to rise globally-up 22% in 2005. Enterprises and service providers alike are faced with the challenge of ensuring a rigorous approach to network security throughout the entire lifecycle of their security programs. Many critical security requirements are currently addressed as an afterthought in a reaction to the security incidents. This results in piecemeal security fixes, which do not provide a comprehensive and cost effective security solution. Network security should be designed around a strong security framework, the available tools, standardized protocols, and where available, easily configured software and hardware. Naturally, in a multi-vendor environment, no end-to-end security solution can be achieved without standards. The Lucent Technologies Bell Laboratories Security Framework, which is the foundation for security standards ITU-T X.805 and ISO/IEC 18028-2, was developed as a comprehensive methodology for assessing and integrating network security across the enterprise. The ISO/IEC 18028 standard, which is broken into five sub-levels, provides guidance on the security aspects of the management, operation and use of IT networks. ISO/IEC 18028-2 defines a standard security architecture, which describes a consistent framework to support the planning, design and implementation of network security for the IT industry. In this paper, we discuss how the standard can be applied as a framework for network security assessment by presenting a threat analysis case study. We also discuss the applicability of the framework for implementing the technical controls for regulatory compliance initiatives. ISO/IEC 18028-2 provides a common and rigorous methodology for defining a robust security program of next generation networks
Article
The paper presents the major concepts for a next-generation personal network as defined, developed, and tested by the project My Personal Adaptive Global NET (MAGNET), including the growing personal area network (PAN) style networking. The MAGNET vision is that personal networks (PNs) will support users' professional and private activities without being obtrusive and while safeguarding their privacy and security. A PN can operate on top of any number of existing networks or may be composed in an ad hoc, self-organized manner. PNs are dynamic and diverse in composition, configuration, and connectivity depending on time, place, preference, and context as well as resources available and required, and they function in cooperation with all necessary/required and preferred partners. This paper focuses on specific aspects related to PNs such as advances in peer-to-peer networking and interworking with infrastructure-based networks (e.g., dynamic personal virtual private networks) and security requirements and solutions for secure personal networking. © 2006 Lucent Technologies Inc.
Article
The security of mobility voice networks has traditionally been ensured by deploying point-to-point circuit-switched transport between network elements and by isolating the voice infrastructure from the public data network. However, with the introduction of new services such as Voice over Internet Protocol (VoIP) and the trend toward IP transport between network elements, this approach is no longer adequate. To guarantee the security of IP-based voice and data networks, both human-to-machine and machine-to-machine interfaces must be secured using an approach that is consistent with industry best practices, and is robust and easy to manage. This paper describes a common infrastructure for managing network element security, encompassing both CDMA2000* 1x and CDMA2000 1x evolution data optimized (1x EV-DO) networks that contain hundreds of individual network elements. The architecture provides a common, centralized infrastructure for security management, including configuration management, data audits, logging, and key distribution. The networks are secured against both internal and external threats by addressing standard security dimensions such as authentication, privacy, non-repudiation, and access control. © 2007 Alcatel-Lucent.
Article
Many security vulnerabilities in current information technology (IT) solutions and products are the result of a piecemeal “strap-on” security approach. The inclusion of many security add-ons, such as firewalls, antivirus software, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs), may imply that the security objectives were an afterthought, not adequately defined initially, or that the required security objectives were never met by the individual system components. In fact, a “grounds-up” approach to security, where each component is individually secure, in a defined network deployment scenario helps meet the need of minimal risk exposure. Security should not be bolted on; rather, it should be the prime consideration from the beginning and throughout the entire lifecycle—from concept to deployment and ongoing operation for each product in the solution. Given the ever-increasing sophistication of attacks, developing and monitoring secure products have become increasingly difficult. Despite the wide-scale awareness of common security flaws in software products, e.g., buffer overflows, resource exhaustion, and structured query language (SQL) injection, the same flaws continue to exist in some of the current products. The objective of this paper is to introduce a technology-agnostic approach to integrating security into the product development lifecycle. The approach leverages the Bell Labs Security Framework, the foundation of the International Telecommunication Union, Telecommunication Standardization Sector (ITU-T) X.805 global standard. Building this framework into the product lifecycle supports the goal of realizing secure products. The security framework can be applied to any product domain to facilitate security requirements analysis and the development of usable tools such as checklists, guidelines, and security policies. The application of Bell Labs Security Framework concepts and its use in the development of secure products are illustrated using the example of a centrally managed firewall product. © 2007 Alcatel-Lucent.
Article
The 3rd Generation Partnership Project (3GPP) IP Multimedia Subsystem (IMS) standards provide a core telecommunications network architecture that promises high flexibility in the creation of new and blended services. This stems primarily from two aspects: access independence and the highly flexible, extensible Session Initiation Protocol (SIP). Lucent Technologies' Service Enhancement Layer provides a suite of standards-compliant tools and technologies that can work in and above the IMS core, allowing service providers to realize the full potential of IMS in a cost-effective manner. These enablers are, at a fundamental level, carrier-grade middleware that can reside on the most appropriate hardware platform. The three most important components of this layer are the Lucent Service Broker™ application, which enables blending of IMS services without having to modify the application servers; the Unified Subscriber Data Server, which provides a comprehensive approach to managing subscriber profile data regardless of where it is sourced; and the Lucent Vortex™ policy management infrastructure, which provides a high-speed rules engine suitable for personalization and flexible network optimizations. This layer, which also includes other components such as the presence server, can grow to include additional components. The Active PhoneBook application, which includes both server-side and client-side components, is useful as a hub for providing blended services to end users. © 2006 Lucent Technologies Inc.
Article
The global information technology (IT) industry recognizes the need for standards to improve the quality and consistency of security for IT products and services. As such, the International Organization for Standardization/ International Electrotechnical Commission (ISO/IEC) 27000 series is focusing on the requirements, security controls, and implementation guidance for an organization's information security management system (ISMS). This guidance establishes general principles that can be used in various industries and government; however, standardized techniques are also needed to identify, implement, and operate security controls as part of the ISMS life cycle. The Bell Labs Security Framework identifies both the minimal and differentiating security controls by decomposing an IT product or service into a layered hierarchy of equipment and facilities groupings and examining the types of activities that occur at each layer in a standardized manner. Furthermore, the Bell Labs Security Framework security dimensions provide the necessary mechanisms to implement and operate the selected controls. The Bell Labs Security Framework enhances the ISO/IEC 27000 series by providing a comprehensive end-to-end approach to implementing IT security. © 2007 Alcatel-Lucent.
Article
The telecommunications industry's transition to Internet Protocol (IP)-based networks is exciting and cost effective, but it also introduces new challenges for service providers, particularly as they begin to integrate Web services with communication services. Security is one key area that poses a significant challenge for service providers while at the same time providing opportunities for vendors. Because these new networks will have a number of service enablers and enriched services will be offered, application and user identity security becomes a chief concern. This paper focuses on IP-based services security architecture for evolving wireless and public domain networks, especially where Web services are brought into play. A Security Assertion Markup Language (SAML) is a basis for the security architecture, which incorporates federated architecture, authentication, encryption, and digital rights management. The paper also details a blended service scenario, highlighting enforcement of security at different entry points in the network. © 2006 Lucent Technologies Inc.
Article
The IP Multimedia Subsystem (IMS) provides a powerful session and service architecture creating a platform for next-generation user services. In order to enable these services, a security approach and architecture is required to address the vulnerabilities inherent to Internet Protocol (IP)-based solutions. The security architecture is driven by 3rd Generation Partnership Project (3GPP) and 3rd Generation Partnership Project 2 (3GPP2) security standards along with the security model described in International Telecommunications Union (ITU) Recommendation X.805, “Security Architecture for Systems Providing End-to-End Communications.” This paper examines threats and vulnerabilities of IMS implementations as well as high-level service provider security requirements, and defines an implementation approach to provide the desired level of security for IMS deployments.
Article
The Bell Labs Security Framework provides a comprehensive matrix that can be used to evaluate the security of an application (service), host, protocol, or communication link. The methodology has been used to assess the security of information technology (IT) and telecommunications services, as well as technologies such as Institute of Electrical and Electronics Engineers (IEEE) 802.11. The goal of this paper is to provide systems designers and researchers with a methodology to gauge where the Internet telephony industry, products, and protocols are in terms of security with the hope of prioritizing future needs and establishing a baseline measurement for potential changes. The methodology itself consists of cataloging a body of observed attacks against Internet telephony systems over the standard definitions from the framework. This is an early work that aims to quantify where in the framework security attacks on Internet telephony infrastructure appear. We envision that on the basis of data collected over a prolonged period, it will be feasible to determine the set of intersection of the layer and plane at which such attacks are clustered and thus proactively put safeguards in products to thwart such attacks. © 2007 Alcatel-Lucent.
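The methodology in the abstract above, cataloguing observed attacks against the framework's matrix to see where they cluster, can be made concrete with a small script. The following is an added example, not code from the cited paper. It uses the three security layers (infrastructure, services, applications), three security planes (management, control, end-user) and eight security dimensions defined by ITU-T X.805 / the Bell Labs Security Framework; the attack catalogue itself is constructed for illustration and is not data from the paper. Each record is validated against the vocabulary, binned into the layer-by-plane matrix, and the busiest cells and most-hit dimensions are reported.

```python
"""Bin an attack catalogue into the X.805 layer x plane matrix and rank the hot spots.

Added example, not code from the cited paper. The layer, plane and dimension
names are those of ITU-T X.805; the SAMPLE_CATALOG is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

LAYERS = ("infrastructure", "services", "applications")
PLANES = ("management", "control", "end-user")
DIMENSIONS = (
    "access control", "authentication", "non-repudiation", "data confidentiality",
    "communication security", "data integrity", "availability", "privacy",
)

Cell = Tuple[str, str]  # (layer, plane)


@dataclass(frozen=True)
class AttackRecord:
    name: str
    layer: str
    plane: str
    dimensions: Tuple[str, ...]   # dimensions the attack defeats


def validate(rec: AttackRecord) -> AttackRecord:
    """Reject records that use terms outside the framework vocabulary."""
    if rec.layer not in LAYERS:
        raise ValueError(f"{rec.name}: unknown layer {rec.layer!r}")
    if rec.plane not in PLANES:
        raise ValueError(f"{rec.name}: unknown plane {rec.plane!r}")
    bad = [d for d in rec.dimensions if d not in DIMENSIONS]
    if bad or not rec.dimensions:
        raise ValueError(f"{rec.name}: bad dimensions {bad or '(none)'}")
    return rec


# Constructed catalogue of generic Internet-telephony attacks (illustrative only).
SAMPLE_CATALOG: List[AttackRecord] = [
    AttackRecord("SIP REGISTER flood against proxy", "services", "control", ("availability",)),
    AttackRecord("RTP media eavesdropping", "services", "end-user", ("data confidentiality", "privacy")),
    AttackRecord("Forged SIP BYE tearing down calls", "services", "control", ("authentication", "data integrity")),
    AttackRecord("Default credentials on phone web admin", "applications", "management", ("authentication", "access control")),
    AttackRecord("ARP spoofing on voice VLAN", "infrastructure", "control", ("data integrity", "communication security")),
    AttackRecord("Unencrypted SNMP to media gateways", "infrastructure", "management", ("data confidentiality", "access control")),
    AttackRecord("Toll fraud via open SIP trunk", "services", "end-user", ("access control", "non-repudiation")),
]


def build_matrix(catalog: Iterable[AttackRecord]) -> Dict[Cell, int]:
    """Count attacks per (layer, plane) cell; every cell is present, empty ones are 0."""
    matrix: Dict[Cell, int] = {(l, p): 0 for l in LAYERS for p in PLANES}
    for rec in catalog:
        validate(rec)
        matrix[(rec.layer, rec.plane)] += 1
    return matrix


def hottest_cells(catalog: Iterable[AttackRecord], n: int = 3) -> List[Tuple[Cell, int]]:
    """Cells ranked by attack count, ties broken by framework order of layer then plane."""
    matrix = build_matrix(catalog)
    order = {cell: i for i, cell in enumerate(matrix)}
    return sorted(matrix.items(), key=lambda kv: (-kv[1], order[kv[0]]))[:n]


def dimension_hits(catalog: Iterable[AttackRecord]) -> Dict[str, int]:
    """How often each security dimension is the one defeated; gaps are dimensions at 0."""
    hits = Counter({d: 0 for d in DIMENSIONS})
    for rec in catalog:
        hits.update(validate(rec).dimensions)
    return dict(hits)


def render(matrix: Dict[Cell, int]) -> str:
    """Plain-text layer x plane grid for a report."""
    w = max(len(l) for l in LAYERS)
    lines = [" " * w + "  " + "  ".join(f"{p:>10}" for p in PLANES)]
    for l in LAYERS:
        lines.append(f"{l:<{w}}  " + "  ".join(f"{matrix[(l, p)]:>10}" for p in PLANES))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_matrix(SAMPLE_CATALOG)))
    print("hot spots:", hottest_cells(SAMPLE_CATALOG))
    print("dimensions:", dimension_hits(SAMPLE_CATALOG))
```

The value of the exercise is in the zeros as much as the peaks: a cell that never appears in the catalogue is either genuinely well protected or simply not instrumented, and the second case is the one to investigate before reading the matrix as a risk ranking.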
Article
Consumers are continuously looking for ways of improving their productivity, simplifying their tasks, and streamlining communications both domestically and globally. This has resulted in the need to support different applications and thus the ongoing process of migrating many network services from traditional circuit-switched networks to Internet Protocol (IP) to converged networks. The circuit-switched public switched telephone network (PSTN) was a closed network where cyber-security threats were not a major issue. With the advent of converged networks and IP-based services, service providers, government, and enterprises are concerned about the growing security threat. The new networks and equipment will be subject to many types of threats and their vulnerabilities may expose mission critical applications and infrastructure to risk. Realization of these threats can lead to service outage. Today's communications service provider must decide how to treat the effects of security breaches so as to minimize service downtime. This paper highlights a methodology, with examples to identify the effect of security-related failures and the critical design factors to be considered when modeling service reliability. The ITU-T X.805 standard (now also ISO standard 18028-2), based on the Bell Labs security model, is used to evaluate potential high impact threats and vulnerabilities. The analysis uses the Bell Labs domain technique known as security domain evaluation. One of the critical outputs provides a prioritized understanding of the threats the network is exposed to and the vulnerabilities in the security architecture. The next step in the methodology includes incorporating the threats (vulnerabilities) identified in a reliability model and quantifying the corresponding service degradation. In this paper, these concepts are applied to IP Multimedia Subsystem (IMS)-based VoIP (Voice over IP) networks. Using reliability metrics, our analysis shows that reliability models are optimistic if we do not consider security. We demonstrate how reliability models can be enhanced to take security issues into account and that the X.805 standard can be used to identify the security threats. Finally, the model shows the mitigation in downtime by including intrusion-tolerance features in the product and network design. Consideration of security-caused downtime will lead to increased focus on preventing security vulnerabilities that can lead to service outages and also allow service providers to save on maintenance costs. © 2006 Lucent Technologies Inc.