ITU-T Workshop on
“New challenges for Telecommunication
Security Standardizations"
Geneva, 9(pm)-10 February 2009
IP NGN
Security Framework
Mikhail Kader,
Distinguished Systems Engineer, Cisco, Russia
mkader@cisco.com
Geneva, 9(pm)-10 February 2009
International
Telecommunication
Union
IP NGN Security
A Paradigm Shift in Miscreant Economy
Mischief of course, but mostly money – a miscreant economy has
evolved to steal or extort money from attractive targets
Yesterday’s
Threats
Today’s
Threats
Geeks and adolescents
Professional hackers
Operated alone or with a
small group of friends
Operating in syndicates or
cooperatives
Interested in demonstrating
Prowess, gaining notoriety
Interested in extortion,
espionage, or economic gain
Targeted individual computers
or applications
Targeting businesses,
governments, and networks
Little or no business
Sophistication
BotNets for Sale…
Scott Borg, Dartmouth College, Institute for Security Technology Studies
Geneva, 9(pm)-10 February 2009
International
Telecommunication
Union
2
IP NGN Secure Platform
What is IP NGN Security?
A hierarchical model for framing security discussions with service providers
Business Relevance
Security Policies
Security
Operations
Business Goals
and Objectives
Security Principals
Security Actions
Identify
Visibility
Monitor
Correlate
Threat and
Risk
Assessment
Threats to
Goals and
Objectives
Describes customer-specific
business goals, and the threats
to goal attainment
Security
Policies
Describes the iterative
development and monitoring of
security policies
Geneva, 9(pm)-10 February 2009
Harden
Control
Isolate
Enforce
Describes the primary Security
Principals that are affected by
security policies
Describes essential actions
that enable Visibility and
Control
International
Telecommunication
Union
3
Business Relevance
Business Goals and Objectives
Security helps meet all key business goals and objectives for
service providers:
 Protect Service Revenue
Business disruptions due to security events can result in both
immediate and long-term loss of revenue
 Meet Customer Expectations / Minimize Churn
Customers expect safe, private, reliable services, and they’re
willing to change operators to get them…
 Safeguard Brand
Public disclosure of security or privacy breaches can destroy
carefully managed marketing campaigns and brand reputation
 Regulatory Requirements Adherence
Adherence to social and legal requirements for parental
control, data retention, and service monitoring is mandated in
many markets
Geneva, 9(pm)-10 February 2009
International
Telecommunication
Union
4
Business Relevance
Threats to Business Goals Leads to Risk Analysis
Migration to 3.5G or IP networks brings changes threat
landscape hence a Risk Analysis is necessary.
An example for Mobile: Illustrate the
effects of the evolution from 2G to 3.5G
2G
Isolated
3.5G
 Highly Networked
No IP

IP End-to-End
Simple
Devices

Sophisticated
Devices
Proprietary
Services

Open Services
Few Security
Targets

Numerous
Security Targets
Little Risk

Much Risk
Geneva, 9(pm)-10 February 2009
International
Telecommunication
Union
5
Developing Security Policies
Risk Assessment Methodologies
IP NGN Security requires the definition of security policies,
but is agnostic to the methodologies needed to create them
eTOM – enhanced
Telecom Operators Map
ITIL – Information
Technology
Infrastructure Library
Geneva, 9(pm)-10 February 2009
International
Telecommunication
Union
6
Developing Security Policies
Many Methodologies – One Goal
Regardless of the risk assessment methodology utilized, the
core steps are the same:
How can the device, service, or system be
Threat Models attacked, disrupted, compromised, or
exploited?
Risk
Assessments
What impact would an attack have on my
business? How important is the asset?
Policy
Development
What entities, attributes, processes, or
behaviors can be controlled to prevent or
mitigate each attack?
These steps result in the creation of
security policies and guidelines that define
the acceptable and secure use of each
device, system, and service
Geneva, 9(pm)-10 February 2009
International
Telecommunication
Union
7
IP NGN Security Principles
Visibility and Control
Security Policies always define a need or means to increase
Visibility or Control
Visibility:
 Identify subscribers, traffic, applications,
protocols, behaviors…
 Monitor and record baselines patterns for
comparisons to real-time
 Collect and correlate data from every source to
identify trends, macro events
 Classify to allow the application of controls
Control:
 Limit access and usage per subscriber, protocol,
service, packet…
 Protect against known threats and exploits
 Authenticate management- and control-plane
access / traffic
 Isolate subscribers, services, subnets
 React dynamically to anomalous events
No visibility means no control; no control means no security 
Geneva, 9(pm)-10 February 2009
International
Telecommunication
Union
8
IP NGN Security Actions
Increasing Visibility and Control
IP NGN Security defines six fundamental actions that apply
defined policies, improving Visibility and Control
Identify
Monitor
Correlate
Harden
Isolate
Enforce
These actions, properly taken, enhance service security, resiliency, and
International
reliability – primary goals for subscribers and operators alike
Telecommunication
Geneva, 9(pm)-10 February 2009
Union
9
IP NGN Security Actions
Identify
Identifying and assigning trust-levels to subscribers, networks, devices,
services, and traffic is a crucial first step to infrastructure security
Principal Actions
Relevant Technologies
 Identify and authenticate subscribers
and subscriber devices (where possible)
 Associate security profiles with each
subscriber and device
 Associate network addresses and
domain identifiers subscriber devices
 Classify traffic, protocols, applications,
and services at trust-boundaries
 Inspect traffic headers and payloads to
identify subscribers, protocols, services,
and applications
Identify
Monitor
Geneva, 9(pm)-10 February 2009
Correlate
 Authentication, Authorization, and
Accounting (AAA) Servers
 Extensible Authentication Protocols
 Deep Packet Inspection
 Network-Base Application Recognition
 Service Control Engines / Application
Performance Assurance
 DNS / DHCP Servers
 Service / Subscriber Authenticators
 Service Gateways
 Signaling Gateways
 Session Border Controllers
Harden
Isolate
Enforce
International
Telecommunication
10
Union
IP NGN Security Actions
Monitor
Any device that touches a packet or delivers a service can provide data
describing policy compliance, subscriber behavior, and network health
Principal Actions
Relevant Technologies
 Gather performance- and securityrelevant data inherent to routers and
switches
 Log transactional and performance data
at access and service gateways
 Link IP traffic with specific subscribers
devices, and origins whenever possible
 Deploy protocol-, traffic-, and serviceinspection for reporting and detection
 Develop behavior baselines for
comparison to real-time measurements
 Employ command / change accounting
Identify
Monitor
Geneva, 9(pm)-10 February 2009
Correlate









Netflow
SNMP / RMON / SysLog
Network / Traffic Analysis Systems
Intrusion Detection Systems
Virus- / Message-Scanning Systems
Deep Packet Inspection
Packet Capturing Tools
SPAN / RSPAN
Authentication, Authorization, and
Accounting (AAA) Servers
 DHCP / DNS Servers
Harden
Isolate
Enforce
International
Telecommunication
11
Union
IP NGN Security Actions
Correlate
Important macro trends and events can often go unrecognized until other
numerous – seemingly unrelated – events are correlated
Principal Actions
Relevant Technologies
 Assure time synchronization throughout
network and service infrastructures
 Collect and collate data from distributed,
disparate monitoring services
 Analyze and correlate data to identify
trends and macro-level events
Identify
Monitor
Geneva, 9(pm)-10 February 2009
Correlate
 Security Information Management
Systems (SIMS)
 Netflow Analysis Systems
 Event Correlation Systems
 Behavioral Analysis Systems
 Anomaly Detection Systems
Harden
Isolate
Enforce
International
Telecommunication
12
Union
IP NGN Security Actions
Harden
Hardening is the application of tools and technologies to prevent known –
or unknown – attacks from affecting network or service infrastructures
Principal Actions
Relevant Technologies
 Deploy layered security measures –
defense-in-depth
 Authenticate control-, and managementplane traffic
 Authenticate and limit management
access to devices, servers, and services
 Prevent Denial of Service (DoS) attacks
– state attacks, resource exhaustion,
protocol manipulation, buffer overflows...
 Validate traffic sources to prevent
spoofing
Identify
Monitor
Geneva, 9(pm)-10 February 2009
Correlate
 Access Control Lists
 Authentication, Authorization, and
Accounting (AAA) systems
 Reverse-Path Forwarding Checks
 Control-Plane Policing
 Role-based control interfaces
 Memory and CPU thresholds
 Intrusion Detection Systems
 High-Availability Architectures
 Load Balancing
Harden
Isolate
Enforce
International
Telecommunication
13
Union
IP NGN Security Actions
Isolate
Isolating is a critical design practice then helps prevent access to critical
resources, protect data, and limit the scope of disruptive events
Principal Actions
Relevant Technologies
 Limit and control access to (and
visibility into) transport-, operations-,
and service-delivery infrastructures
 Prevent visibility and access between
different services, customers…
 Create network zones to isolate based
on functionality – DNS, network
management, service delivery, access…
 Define strict boundaries between
networks, operational layers, and
services of different trust-levels
 Encrypt sensitive traffic to prevent
unauthorized access
Identify
Monitor
Geneva, 9(pm)-10 February 2009
Correlate








Virtual Private Networks
Virtual Routing and Forwarding
Route Filtering
Routing Protocol / Transport Boundaries
Firewalls
IPSec and SSL Encryption
Out-of-Band Management
Demarcation / Functional Separation
Zones
 Access Control Lists
Harden
Isolate
Enforce
International
Telecommunication
14
Union
IP NGN Security Actions
Enforce
Shaping the behavior of subscribers, traffic, and services, as well as the
mitigation of detected security events are the primary goals of enforcement
Principal Actions
Relevant Technologies
 Prevent the entry and propagation of
known exploits – viruses, worms, SPAM
 Identify and mitigate anomalous traffic,
events, and behaviors
 Detect and prevent address spoofing
 Limit subscribers and traffic to
authorized networks, services, and
service-levels
 Shape and police traffic the assure
compliance with established service
level agreements
 Identify and quench unauthorized
protocols, services, and applications
Identify
Monitor
Geneva, 9(pm)-10 February 2009
Correlate









Firewalls
Intrusion Prevention Systems
Remotely Triggered Black Holes
Service Control Engines
Traffic Classifiers, Policers, and Shapers
Virus and Message Filtering Systems
Anomaly Guards / Traffic Filters
Quarantine Systems
Policy Enforcement Points (Routers,
Access Gateways, Session Border
Controllers)
Harden
Isolate
Enforce
International
Telecommunication
15
Union
IP NGN Security
Implementation and Operations
IP NGN Security defines the actions and technologies to be
implemented and operated by an organization
The security of any given IP service depends greatly upon the network
architecture, implementation, and organizational competence
Geneva, 9(pm)-10 February 2009
International
Telecommunication
16
Union
IP NGN Security
Summary
Define a security model to reach operational excellence based
on security policies and process gaining enhanced visibility,
control and high availability.
Security Policies
Business Relevance
Security Principals
Security Actions
Identify
Security Operations
Business Goals and
Objectives
Visibility
Monitor
Correlate
Threat and Risk
Assessment
Control
Threats to Goals
and Objectives
Describes customer-specific business
goals, and the threats to goal
attainment
Harden
Security
Policies
Describes the iterative development
and monitoring of security policies
Geneva, 9(pm)-10 February 2009
Isolate
Enforce
Describes the primary Security
Principals that are affected by
security policies
Describes essential actions that
enable Visibility and Control
International
Telecommunication
17
Union