Cyber Security Principles and Its Challenges in 21st Century – Part 3

In continuation of my previous blogs on security principles, I am going to discuss how corporations can harden their infrastructure elements to help them be protected against many hacking attacks that take place today in our environment worldwide.

Designing Security: Hardening Infrastructure Elements

Network infrastructure security includes both host-based and network-based security. The foundation of infrastructure security is a secure server. All servers are “hardened” per vendor, industry, and internal recommendations. Host-based agents continuously monitor servers looking for unauthorized changes in software and configurations.

In addition to hardening the network elements themselves, service providers need to deploy a number of measures to protect against denial of service attacks at the host and element, network, and service (application) levels.

Service providers worldwide need to deploy state-of-the-art security mechanisms to protect their global IP network and IP services against denial of service (DoS) and other attacks.

Designing Security: Separate Services over IP Infrastructure

Voice over IP (VoIP) poses particular security challenges to carriers because of the protocol design itself. With VoIP, both the signaling and the actual voice packets (called media) are carried in-band, which exposes signaling to the same security risks as other Internet traffic.

Recognizing these challenges, service providers should design separate “services over IP” architecture to carry traffic such as VoIP. I once called such architecture XoIP, where the X is a variable standing for a number of possible services that might be carried over IP; voice is merely one flavor of XoIP.

Such an XoIP infrastructure functions as an overlay network on top of the service provider’s public MPLS IP network. The services over IP architecture needs to be designed in multiple layers, consistent with “defense in depth” principles, to ensure the security of these communications. The layering principle matches the general architecture used to protect corporate assets on the Internet and comprises three security domains, each with its own security requirements. To further strengthen these communications, service providers should also deliberately depart from the “any-to-any” Internet communications model: strict boundaries define which device may communicate with which device, providing additional control.

An additional challenge with VoIP is that SIP servers and associated devices have not been designed and built with security as a priority; most do not include firewall functions as part of their configuration. Therefore, to ensure the security of the services over IP infrastructure and of customers’ traffic, a border element needs to be defined within the service provider’s services over IP architecture. A border element is an intermediary between the trusted domain and the untrusted domain, and thus provides an additional layer of security beyond that provided inherently by VoIP devices. Having introduced this design element, service providers also need to protect the services over IP call processing and management infrastructure with multiple firewalls. Together, these create a demilitarized zone (DMZ) between the border elements and the call control elements (CCEs), which sit within a separate “Trusted Domain.”

Under a denial-of-service (DoS) attack, the border elements may be allowed to fail in order to protect the rest of the services over IP infrastructure. A distributed DoS (DDoS) attack can be waged using multiple customer premises equipment (CPE) devices within a single customer network to simultaneously generate a large volume of signaling or media packets directed at a specific customer’s border element. This type of attack is prevented by barring a border element from processing packets from CPE assigned to another element.
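The containment rule above, as an added illustration that is not code from the original post: a simplified border-element admission check in which each CPE is assigned to exactly one element, an element refuses packets from CPE assigned elsewhere, and each assigned CPE is held to a token-bucket packet budget so that one customer network cannot exhaust the element. All addresses, element names and limits are constructed for the example.

```python
# Added example (not from the original post): a simplified border-element
# admission check for the rule described above. Each CPE is assigned to one
# border element, an element only processes signaling/media from its own CPE,
# and each CPE gets a token-bucket packet budget so one customer network
# cannot flood the element. Addresses, names and limits are constructed.
from collections import defaultdict

class BorderElement:
    def __init__(self, name, assigned_cpe, per_cpe_rate, burst):
        self.name = name
        self.assigned_cpe = set(assigned_cpe)  # CPE addresses this element serves
        self.rate = per_cpe_rate               # sustained packets/second per CPE
        self.burst = burst                     # token-bucket capacity per CPE
        self.buckets = {}                      # cpe -> (tokens, last_refill_time)
        self.stats = defaultdict(int)

    def _take_token(self, cpe, now):
        tokens, last = self.buckets.get(cpe, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[cpe] = (tokens - 1, now)
            return True
        self.buckets[cpe] = (tokens, now)
        return False

    def admit(self, src_cpe, now):
        """Classify one packet: 'accept', 'drop-unassigned' or 'drop-rate'."""
        if src_cpe not in self.assigned_cpe:
            verdict = "drop-unassigned"        # CPE belongs to another element
        elif not self._take_token(src_cpe, now):
            verdict = "drop-rate"              # this CPE exceeded its budget
        else:
            verdict = "accept"
        self.stats[verdict] += 1
        return verdict

def simulate():
    """Replay a constructed flood and return per-verdict counts."""
    be = BorderElement("be-1", ["10.1.0.10", "10.1.0.11"], per_cpe_rate=5, burst=10)
    for _ in range(30):                  # one assigned CPE bursts 30 packets at t=0
        be.admit("10.1.0.10", now=0.0)
    for _ in range(8):                   # one second later: 5 tokens have refilled
        be.admit("10.1.0.10", now=1.0)
    for _ in range(5):                   # CPE of another customer/element
        be.admit("10.9.9.9", now=1.0)
    for _ in range(3):                   # the other assigned CPE is unaffected
        be.admit("10.1.0.11", now=1.0)
    return dict(be.stats)
```

The counters show the two independent controls at work: the unassigned CPE never reaches the token buckets, and the flooding CPE is throttled without affecting the other assigned CPE.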

Service provider or enterprise networks must adhere to three security domains:

•  Untrusted: includes all elements of either customer or peer networks that are connected to service provider border elements. These elements are not within service provider control, so they cannot be assumed to be secure.

•  Trusted: consists of provider-owned and -operated network elements, including call control elements that communicate only with other service provider devices — never directly with CPE.

•  Trusted but vulnerable: includes edge devices and border elements that communicate with both internal service provider devices and CPE edge networks.

Securing Networks, Systems, and Services

Securing networks, systems, and services requires:

BGP Authentication: Border Gateway Protocol (BGP) MD5 authentication should be implemented on all service providers’ peering links and can be implemented on customer access links. MD5 authentication on BGP sessions ensures that route announcements for a given network (autonomous system) are indeed being received from that network and not from an impostor. It also prevents BGP session resets from being accepted from an unauthorized source, thus helping to maintain network stability.
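What "BGP MD5 authentication" actually checks on the wire, as an added example that is not part of the original post: the TCP MD5 signature option (RFC 2385) is a digest over the IP pseudo-header, the TCP header with its checksum zeroed (options excluded), the payload and the shared key, so a segment such as a spoofed RST from a host that does not hold the key fails verification. The addresses, ports, key and the assumption that the MD5 option is the only TCP option present are constructed for the example.

```python
# Added example (not from the original post): how the TCP MD5 signature option
# (RFC 2385) behind BGP "MD5 authentication" is computed and verified. The
# digest covers the IP pseudo-header, the TCP header with checksum zeroed
# (options excluded), the payload and the shared key, so a spoofed RST from a
# host without the key fails the check. Addresses, ports and key are constructed.
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
OPT_KIND, OPT_LEN = 19, 18   # MD5 signature option: kind 19, 18 bytes, NOP-padded to 20

def tcp_md5_digest(seg, key):
    """MD5 over pseudo-header + TCP header (checksum=0, no options) + data + key."""
    data_offset = 10  # 20-byte base header + 20 bytes of options (assumed: MD5 option only)
    seg_len = data_offset * 4 + len(seg["payload"])
    pseudo = (ipaddress.IPv4Address(seg["src_ip"]).packed
              + ipaddress.IPv4Address(seg["dst_ip"]).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header = struct.pack("!HHIIBBHHH", seg["src_port"], seg["dst_port"], seg["seq"],
                         seg["ack"], data_offset << 4, seg["flags"], seg["window"], 0, 0)
    return hashlib.md5(pseudo + header + seg["payload"] + key).digest()

def build_option(digest):
    return bytes([OPT_KIND, OPT_LEN]) + digest + b"\x01\x01"  # pad with two NOPs

def verify(option, seg, key):
    """Receiver side: reject malformed options and compare digests in constant time."""
    if len(option) < OPT_LEN or option[0] != OPT_KIND or option[1] != OPT_LEN:
        return False
    return hmac.compare_digest(option[2:OPT_LEN], tcp_md5_digest(seg, key))

def demo():
    key = b"constructed-shared-secret"
    keepalive = {"src_ip": "192.0.2.1", "dst_ip": "192.0.2.2", "src_port": 179,
                 "dst_port": 40000, "seq": 1000, "ack": 2000, "flags": 0x18,
                 "window": 65535, "payload": b"\xff" * 16 + b"\x00\x13\x04"}  # BGP KEEPALIVE
    signed = build_option(tcp_md5_digest(keepalive, key))
    # A forged RST (flags=0x04) built by a host that does not hold the key:
    forged = dict(keepalive, flags=0x04, payload=b"")
    forged_opt = build_option(tcp_md5_digest(forged, b"wrong-key"))
    return {"legit": verify(signed, keepalive, key),
            "forged_rst": verify(forged_opt, forged, key),
            "replayed_with_new_seq": verify(signed, dict(keepalive, seq=1001), key)}
```

Because the sequence number is inside the digested header, a captured signature cannot be reused on a later segment either, which is the property that keeps an outsider from tearing down the session.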

Least Privilege: Infrastructure routers and provider edge interfaces are hardened by turning off, or severely restricting, unnecessary protocols and ports.

Limits: Route dampening is used to limit the rate, or total number, of route update transactions performed by a router.
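The route flap dampening mechanism summarised under "Limits", as an added example that is not code from the original post: each flap adds a penalty that decays exponentially with a configured half-life, a prefix is suppressed once the penalty exceeds the suppress limit, and it is reused once the penalty has decayed below the reuse limit (the model follows RFC 2439; the half-life, limits and flap timings are constructed values).

```python
# Added example (not from the original post): the route flap dampening logic
# (RFC 2439) summarised under "Limits". Each flap adds a penalty that decays
# exponentially with a half-life; a route is suppressed once its penalty passes
# the suppress limit and reused once it has decayed below the reuse limit. The
# figures below are constructed, loosely modelled on common router defaults.

class DampenedPrefix:
    def __init__(self, half_life=900.0, suppress_limit=2000.0, reuse_limit=750.0,
                 flap_penalty=1000.0, max_suppress=3600.0):
        self.half_life = half_life            # seconds for the penalty to halve
        self.suppress_limit = suppress_limit  # penalty above this suppresses the route
        self.reuse_limit = reuse_limit        # penalty below this reuses the route
        self.flap_penalty = flap_penalty      # added per withdrawal/flap
        # Cap so a route is never suppressed longer than max_suppress seconds.
        self.max_penalty = reuse_limit * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay(self, now):
        elapsed = max(0.0, now - self.last_update)
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = now

    def flap(self, now):
        """Record one flap at time `now` (seconds) and return the new state."""
        self._decay(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.max_penalty)
        if self.penalty > self.suppress_limit:
            self.suppressed = True
        return self.state(now)

    def state(self, now):
        """'suppressed' or 'usable' at time `now`, applying decay first."""
        self._decay(now)
        if self.suppressed and self.penalty < self.reuse_limit:
            self.suppressed = False
        return "suppressed" if self.suppressed else "usable"

def timeline():
    """Constructed scenario: three flaps a minute apart, then silence."""
    p = DampenedPrefix()
    events = [(t, p.flap(t)) for t in (0.0, 60.0, 120.0)]
    events += [(t, p.state(t)) for t in (1620.0, 1920.0)]
    return events
```

With these figures the third flap pushes the penalty past 2000, and the prefix stays suppressed for roughly half an hour before the penalty decays below 750, which is how dampening bounds the rate of update transactions a flapping route can impose.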

Center and Service Complex Protection: Network management centers, data centers, and service complexes — like the XoIP infrastructure described above — are further protected by firewalls and intrusion detection systems, another example of domain separation.

Perimeter Automation: Perimeter security tools that protect the service providers’ MPLS core should be automated. Service providers should also focus on automated methods to ensure that customer-edge to provider-edge routes are properly managed and represented in VPN Routing and Forwarding (VRF) instances, and should develop tools to support management of the MPLS VPN environment.

Monitoring: IP traffic is monitored to provide early warning of Internet viruses and worms. Traffic flows are captured, monitored, and analyzed to identify clear patterns of network anomalies.

Operational Control: Operational security in service providers’ core networks should be strictly enforced to maintain high levels of reliability and availability. To accomplish this, providers’ operations should follow mature, proven methods and procedures, certified wherever appropriate to the highest industry standards. Additionally, every incident must be subject to comprehensive root cause analysis so that processes are improved.

In my next and perhaps final blog, I will discuss some of the network management issues corporations must consider to protect themselves in preventing major hacking attacks.

Dr. H. Eslambolchi