The AT&T Seven Pillars of MPLS Security
Helping Protect Your Network

As networking evolves to meet sophisticated communications needs, enhanced application performance becomes a strategic priority for most enterprises. To support the complexity of changing application requirements, many businesses are converging multiple networks onto a single IP/MPLS network. By carrying voice, data and video on the same network, IP maximizes the return on network infrastructure investment, simplifies control and administration, and eases the management of multiple applications. Security needs to evolve with the demands of this new environment.

According to Tom Siracusa, Director of VPN Strategy at AT&T Labs, “In a converged environment, the complexity of the network tends to grow exponentially. Complexity means added security must be put in place to manage that environment effectively. Security in the network is critical and should be the first line of defense from security breaches.”

Staying Ahead of the Hackers

Viruses have moved from an occasional nuisance to a critical daily concern for companies everywhere. Hackers release more than 200 new viruses and worms every month, and these are becoming more sophisticated and more resistant to anti-virus software. Privileged data on the network is more exposed than ever to outside intruders, particularly as alternative access methods such as wireless continue to grow.

Keeping a corporate network secure takes more than installing firewalls. Security in a converged environment is multi-faceted: it must address every infrastructure layer, including physical transport, the network and the applications. To be effective, security measures must be end-to-end, extending from the network to the customer application. Some providers suggest that simply isolating corporate networks from the Internet guarantees security.
However, avoiding the Internet to prevent security issues can undermine the basic effectiveness and productivity of business operations. Systems can instead be protected with a combination of a secure, MPLS-enabled network and a comprehensive security plan that spans all networking layers.

The Network is a Frontline Security Device

AT&T’s security starts within its Global Network and extends to customers and their applications. According to Ed Amoroso, AT&T’s Chief Information Security Officer, “AT&T’s network is a major component in the security model that customers are building for their businesses.”

To protect customer networks and services, AT&T uses a “defense in depth” security architecture, with security built into every network layer and every supporting process. The principle of defense in depth is that if the first layer of security fails, an attacker still has to contend with the next layer, and the one after that. Penetration is difficult because many layers of security are built into every system, process and piece of the network architecture. No single layer can guard against information theft, corruption, disclosure and denial of service on its own. Distinct security controls are needed at each layer: preventing unauthorized access where possible, and detecting, responding to and limiting the damage if access is nevertheless achieved.

The Best Defense? Using Real-Time Data to Prevent Attacks

“The best defense companies have is to formulate proactive plans, advanced networking and security solutions. This strategy can assess risk and eradicate attacks that are brewing, long before they penetrate the network,” states Amoroso.

AT&T takes a preventive approach to security, aiming to identify, detect and manage intrusions before they inflict damage. AT&T collects, analyzes, interprets and communicates data to customers in real time, enabling incident response. Traffic anomalies are detected and cyber attacks are predicted in their early stages.
This advance notice enables customers to take quick remedial action to contain and minimize the damage inflicted by an attack.

AT&T’s security architecture includes:
• Secure connectivity
• Perimeter security
• Intrusion management
• Identity management
• Policy management
• Monitoring and management
• Incident management

Security is viewed at both the macro level, addressing routers, firewalls and gateways, and at the micro level, looking deep inside the packets traveling on the network.

Secure Customer Applications on the AT&T Global Network

AT&T has evolved to a single, global, Multi-Protocol Label Switching (MPLS) enabled backbone over an intelligent optical core network. MPLS, an industry standard, is the key technological component underpinning this network evolution. Enabled by the IP Multimedia Subsystem (IMS) standard, AT&T’s traditional voice network will convert to a packet-based architecture for transport over our global MPLS backbone. The result? AT&T can support businesses’ migration to a converged environment with a range of networking solutions to meet their needs.

Applications such as Voice over IP and Enterprise Resource Planning (ERP) are designed to solve specific business problems. These applications demand networking flexibility and quality of service, and often require capabilities beyond those found on a private network. How do businesses satisfy the networking requirements of these applications while minimizing security risk? MPLS adds significant reliability and performance capabilities, enabling applications to perform and scale as business needs change. AT&T is regarded as one of the MPLS industry leaders based on its early and continuing work with the technology, and continues to pioneer its use by offering a suite of MPLS-based virtual private network (VPN) services.
MPLS Facts
• MPLS separates the traffic of one business’s VPN from another’s, preventing unauthorized viewing of, and access to, traffic in another VPN. This separation is logical, comparable to Frame Relay or ATM virtual circuits; MPLS itself does not encrypt traffic, so confidentiality on the access circuit, or against the provider, still requires encryption such as IPsec
• MPLS enables Class of Service (CoS) to prioritize network applications, eliminating the need to overprovision for expected network utilization
• MPLS enables network scalability to accommodate new applications and technology standards
• MPLS in the “core” network infrastructure enables enhanced restoration, providing better performance for applications

MPLS combined with AT&T’s multilayered security protection gives businesses a secure network that is flexible and scalable for future applications.

Does Your Provider Follow the Seven Pillars?

As IP networks become embedded in the critical processing of applications, it is essential to ensure superior levels of carrier-grade security. With the integration of MPLS, AT&T has developed a set of seven basic security protection methods, or “pillars.” These pillars maintain a constant security focus in all design, deployment and operational processes around our MPLS core network infrastructure. Does your provider follow the principles of the Seven Pillars?

AT&T’s seven pillars of MPLS security include:

1. Separation
Customer traffic is separated using MPLS Virtual Private Networks, assuring that data packets cannot leak from or to another customer’s VPN or to other data traffic on the backbone.
• Containment: Traffic between customer-edge (CE) routers stays inside that customer’s VPN. No spill-over can occur
• Isolation: No customer’s VPN can in any way materially impact or influence the content or privacy of another customer’s VPN
• Availability: Denial of service activity injected from a CE router will only impact that customer’s VPN services, provided the shared provider-edge router’s control plane is protected against resource exhaustion (see Control Plane Protection below)
• Simplicity: Through development and innovation, AT&T has automated provisioning, improving security by reducing configuration mistakes.
MPLS also provides scalable provider architectures that enable growth while reducing router configuration changes, which can themselves disrupt customers.

To provide the highest level of security, most VPN customers are connected to provider-edge devices that are physically separate from those serving Internet customers. This architecture provides:
• VPN route uniqueness and segregation through the use of route distinguishers, virtual routing and forwarding (VRF) tables and route targets
• VPN traffic segregation
• Automated provisioning systems that control VPN membership

The network core is shared across the services, with reliability achieved using:
• A Label Switched Core: Internet and VPN traffic is label switched across the backbone
• Control Plane Protection: No backbone router is visible to, or reachable from, an external endpoint
• Data Plane Protection: VPN and Internet traffic are kept in separate label switched paths so that they can be differentiated in the core, keeping VPN capacity protected if an Internet incident occurs

2. Automation
Automated perimeter security tools protect AT&T’s MPLS core, ensuring that customer-edge (CE) to provider-edge (PE) routes are properly managed and represented.
• Filtering: AT&T uses automated provisioning and management of the access control lists (ACLs) on all AT&T provider-edge (PE) routers
• Least Privilege: Infrastructure routers and PE interfaces are hardened by turning off, or severely restricting, unnecessary protocols and ports
• TACACS+ Authentication for authorized AT&T technicians: TACACS+ (Terminal Access Controller Access-Control System Plus), a protocol for centralized authentication and command authorization on network devices, is used to time out sessions, limit access and lock out users after repeated failed access attempts. All access to AT&T network elements is controlled by a TACACS+ authentication system, with a strict hierarchy of which technicians are allowed to run which commands.
All changes are logged on secure, high-capacity log servers to help ensure security and accountability.

3. Monitoring
IP traffic flow (NetFlow) monitoring provides early warning of Internet viruses and worms. A critical component of managing large-scale network traffic is the capture, monitoring and analysis of traffic flow data to detect trends and anomalies, such as worm and virus outbreaks. This monitoring protects the MPLS network in two ways: (1) it lets security teams put appropriate filtering in place, and (2) it reduces risk in the core by detecting any probes aimed at MPLS core address space.
• External Access: AT&T also monitors any external access to its core address space from the Internet on a 24x7 basis
• Analysis: AT&T’s statisticians continue to advance the algorithms used for security anomaly detection

4. Control
AT&T enforces strict operational security controls in its MPLS core.
• Processes: AT&T’s operations follow mature Methods and Procedures (M&Ps) derived from decades of best practice in operating customer networks
• Certification: AT&T’s operations are certified to the best industry standards wherever appropriate, and comply with the Network Reliability and Interoperability Council (NRIC) best practices
• Root Cause Analysis: All incidents are subject to comprehensive Root Cause Analysis to drive process improvements following any operational policy violation

5. Testing
AT&T ensures security compliance with testing, audits and reviews.
• Testing: Experts continually perform intrusion detection, audits and penetration testing against the server complexes used for network management, customer care and service support. Because customer MPLS VPNs are configured by an automated provisioning system, changes or discrepancies in router configuration are detected by regular exception reports
• Auditing: Ongoing independent audits confirm compliance with the AT&T Security Policy Requirements
• Reviews: All processes have embedded controls that require expert security reviews

6. Response
AT&T’s security specialists’ rapid response mitigates risk.
• Tiered Response: Incidents are handled through a mature tiered response infrastructure that includes senior security and operations experts
• Proactive Indicators: The AT&T Computer Security Incident Response Team routinely acts on indicators that typically precede any customer-visible problem
• Innovative Customer Notification Service: AT&T has extended this capability to customers through a notification service that brings this 24x7 knowledge to customer-specific environments. AT&T offers a service called AT&T Internet Protect℠ in which real-time indicators of anomalous behavior or detected security events are provided to clients on a 24x7 basis

©2006 AT&T Knowledge Ventures. All rights reserved. 09/11/06 AB-0276-01

7. Innovation
AT&T funds extensive MPLS security research and is heavily involved in the industry standards bodies where MPLS innovation takes place.
• Security is a key focus area of AT&T’s research laboratory, which develops new techniques for protecting customer traffic and systems
• AT&T remains committed to networking, security and MPLS research

Trust Your Security to AT&T

“AT&T has a long legacy of security,” states Amoroso. “We have the necessity to protect our own core IP backbone for customers, and have taken that capability and developed it into core products.
Products that really answer the need to address a defense in depth architecture, all the way from the information level to the network level.”

AT&T offers a complete range of security, availability and recovery services that provide businesses with integrated business continuity solutions to support complex networking requirements.

Glossary
Route Distinguisher – An 8-byte value that a PE router prepends to a customer’s IPv4 prefix to form a globally unique VPN-IPv4 route, so that overlapping address space in different VPNs stays distinct
Virtual Routing and Forwarding (VRF) Tables – Per-VPN routing and forwarding tables on a PE router in which that VPN’s routes are stored, separately from the global table and from other VPNs
Route Targets – BGP extended community attributes that control which VRFs a VPN’s routes are exported to and imported from during MP-BGP (typically iBGP within the provider’s network) distribution between PE routers

For more information visit AT&T’s Networking Exchange, at www.att.com/networkingexchange.
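The separation mechanisms named under Pillar 1 and defined in the glossary (route distinguisher, VRF, route target, per-VRF VPN label) are modelled below in a small Python simulation. This is an added illustration, not AT&T code and not any router vendor’s implementation; the AS number 65000, the RD and RT values, the PE loopbacks 192.0.2.1 and 192.0.2.2 and the customer prefixes are all invented, and MP-BGP is reduced to a full mesh with no route reflector and no LDP transport labels. It shows two customers who both use 10.0.0.0/24 staying distinct in the VPNv4 table and in each PE’s VRFs, and then what happens when a VRF’s import policy is mis-provisioned, the kind of configuration mistake Pillar 1’s Simplicity item and Pillar 5’s exception reports are about.

```python
"""Toy model of BGP/MPLS IP VPN (RFC 4364) route separation. Added illustration,
not AT&T code or a vendor implementation; the ASN, RD/RT values, loopbacks and
customer prefixes are invented."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network

@dataclass(frozen=True)
class VPNv4Route:
    rd: str                   # route distinguisher, makes RD:prefix unique
    prefix: IPv4Network
    route_targets: frozenset  # export RTs (BGP extended communities)
    next_hop: str             # loopback of the originating PE
    vpn_label: int            # label the originating PE maps back to the VRF

@dataclass
class VRF:
    customer: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local: set                                 # prefixes learned from the CE
    vpn_label: int = 0
    table: dict = field(default_factory=dict)  # prefix -> (next_hop, label)

@dataclass
class PE:
    name: str
    loopback: str
    vrfs: dict = field(default_factory=dict)

    def add_vrf(self, vrf):
        # Labels are PE-local; a distinct label per VRF is what keeps two
        # customers' identical prefixes apart in the data plane.
        vrf.vpn_label = 16 + len(self.vrfs)
        self.vrfs[vrf.customer] = vrf

    def export_routes(self):
        for vrf in self.vrfs.values():
            for prefix in vrf.local:
                yield VPNv4Route(vrf.rd, prefix, vrf.export_rts,
                                 self.loopback, vrf.vpn_label)

    def import_route(self, route):
        # Import is decided by route target alone; the RD is not consulted.
        for vrf in self.vrfs.values():
            if route.route_targets & vrf.import_rts:
                vrf.table[route.prefix] = (route.next_hop, route.vpn_label)

def run_mp_bgp(pes):
    """Full-mesh MP-BGP: every PE's VPNv4 routes are offered to the other PEs.
    Returns the global VPNv4 table keyed by RD:prefix."""
    vpnv4 = {}
    for pe in pes:
        for route in pe.export_routes():
            vpnv4[f"{route.rd}:{route.prefix}"] = route
    for pe in pes:
        for route in vpnv4.values():
            if route.next_hop != pe.loopback:
                pe.import_route(route)
    return vpnv4

def audit_imports(pes):
    """Provisioning check: report every VRF whose import RTs include an RT that
    a different customer exports, as (pe, vrf, rt, exporting customer)."""
    exporters = {}
    for pe in pes:
        for vrf in pe.vrfs.values():
            for rt in vrf.export_rts:
                exporters.setdefault(rt, set()).add(vrf.customer)
    return [(pe.name, vrf.customer, rt, other)
            for pe in pes for vrf in pe.vrfs.values()
            for rt in sorted(vrf.import_rts)
            for other in sorted(exporters.get(rt, ()))
            if other != vrf.customer]

def build_network(extra_b_import=frozenset()):
    """Customers A and B on two PEs, both numbered 10.0.0.0/24 at their PE1 site.
    extra_b_import injects a mis-provisioned import RT into customer B."""
    rt_a, rt_b = "65000:100", "65000:200"
    def vrf(cust, rd, rt, prefixes, extra=frozenset()):
        return VRF(cust, rd, frozenset({rt}) | extra, frozenset({rt}),
                   {ip_network(p) for p in prefixes})
    pe1 = PE("PE1", "192.0.2.1")
    pe1.add_vrf(vrf("A", "65000:1", rt_a, ["10.0.0.0/24"]))
    pe1.add_vrf(vrf("B", "65000:2", rt_b, ["10.0.0.0/24"], extra_b_import))
    pe2 = PE("PE2", "192.0.2.2")
    pe2.add_vrf(vrf("A", "65000:1", rt_a, ["10.1.0.0/24"]))
    pe2.add_vrf(vrf("B", "65000:2", rt_b, ["172.16.0.0/24"], extra_b_import))
    return [pe1, pe2]

def demo(misconfigured=False):
    """Run MP-BGP; return VPNv4 keys, every VRF table and the audit findings."""
    pes = build_network(frozenset({"65000:100"}) if misconfigured else frozenset())
    vpnv4 = run_mp_bgp(pes)
    tables = {f"{pe.name}/{v.customer}": {str(p): hop for p, hop in v.table.items()}
              for pe in pes for v in pe.vrfs.values()}
    return {"vpnv4": sorted(vpnv4), "tables": tables, "findings": audit_imports(pes)}
```

Call `demo()` for the correctly provisioned case and `demo(True)` for the mis-provisioned one. In the correct case the two 10.0.0.0/24 routes coexist under distinct RD:prefix keys, and each of PE2’s VRFs resolves its own customer’s 10.0.0.0/24 to PE1 with a different VPN label (16 for A, 17 for B), so the forwarding paths never merge even though the next hop is the same router. In the mis-provisioned case customer B’s VRF on PE1 imports A’s 10.1.0.0/24, and B on PE2 receives two competing 10.0.0.0/24 routes; `audit_imports` catches the mistake from the configuration alone, before any traffic flows, which is what an automated provisioning system’s exception reports are meant to do.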