CISCO SHIELDED OPTICAL NETWORKING

Similar documents
Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Achieving End-to-End Security in the Internet of Things (IoT)

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

HP Security Solutions for business PCs. Comprehensive protection measures so you can work smarter and with greater confidence.

Security Fundamentals for your Privileged Account Security Deployment

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Cisco 5921 Embedded Services Router

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

White Paper. The North American Electric Reliability Corporation Standards for Critical Infrastructure Protection

SECURE DATA EXCHANGE

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

The Top 6 WAF Essentials to Achieve Application Security Efficacy

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Security+ SY0-501 Study Guide Table of Contents

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

CyberArk Privileged Threat Analytics

Cisco 5921 Embedded Services Router

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

UNIVERSITY OF WISCONSIN MADISON POLICY AND PROCEDURE

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

Xceedium Xio Framework: Securing Remote Out-of-band Access

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Network Security and Cryptography. 2 September Marking Scheme

Security for SIP-based VoIP Communications Solutions

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Safeguarding Cardholder Account Data

HIPAA Regulatory Compliance

Firewalls for Secure Unified Communications

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Keys to a more secure data environment

Axway Validation Authority Suite

Next Generation Privilege Identity Management

Inventory and Reporting Security Q&A

Education Network Security

PKI is Alive and Well: The Symantec Managed PKI Service

Carbon Black PCI Compliance Mapping Checklist

Securing Mainframe File Transfers and TN3270

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

The Road to a Secure, Compliant Cloud

Accelerate Your Enterprise Private Cloud Initiative

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

Security Enhancements

RSA Solution Brief. Providing Secure Access to Corporate Resources from BlackBerry. Devices. Leveraging Two-factor Authentication. RSA Solution Brief

Securing Wireless LANs with Certificate Services

SECURING YOUR BUSINESS INFRASTRUCTURE Today s Security Challenges & What You Can Do About Them

TACACS Device Access Control with Cisco Active Network Abstraction

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Projectplace: A Secure Project Collaboration Solution

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager

Make security part of your client systems refresh

Preparing your network for the next wave of innovation

Run the business. Not the risks.

DATA CENTRE & COLOCATION

TEL2813/IS2820 Security Management

Defense in Depth. Constructing Your Walls for Your Enterprise. Mike D Arezzo Director of Security April 21, 2016

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Insurance Industry - PCI DSS

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Federal Agency Firewall Management with SolarWinds Network Configuration Manager & Firewall Security Manager. Follow SolarWinds:

The Honest Advantage

TRACKVIA SECURITY OVERVIEW

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم

Certeon s acelera Virtual Appliance for Acceleration

Cracking the Access Management Code for Your Business

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Getting the Most Out of Your Next-Generation Firewall

Cisco Prime Cable Provisioning 5.1

NGN: Carriers and Vendors Must Take Security Seriously

Business White Paper IDENTITY AND SECURITY. Access Manager. Novell. Comprehensive Access Management for the Enterprise

Data Retrieval Firm Boosts Productivity while Protecting Customer Data

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

Privileged Account Security: A Balanced Approach to Securing Unix Environments

white paper SMS Authentication: 10 Things to Know Before You Buy

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Top-Down Network Design

A company built on security

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

What can the OnBase Cloud do for you? lbmctech.com

Radius, LDAP, Radius, Kerberos used in Authenticating Users

The Nasuni Security Model

HIPAA Compliance Checklist

10 Hidden IT Risks That Might Threaten Your Business

Mobile Data Security Essentials for Your Changing, Growing Workforce

System Security Features

Indicate whether the statement is true or false.

Cisco Connected Factory Accelerator Bundles

TB+ 1.5 Billion+ The OnBase Cloud by Hyland 600,000,000+ content stored. pages stored

HIPAA / HITECH Overview of Capabilities and Protected Health Information

AN IPSWITCH WHITEPAPER. 7 Steps to Compliance with GDPR. How the General Data Protection Regulation Applies to External File Transfers

KantanMT.com. Security & Infra-Structure Overview

Transcription:

CISCO SHIELDED OPTICAL NETWORKING Dr. Gaurav Kumar Jain Regional College For Education, Research and Technology Email: gaurav.rinkujain.jain@gmail.com Tarun Kumawat JECRC,UDML,College of Engineering Purabi Samanta, JECRC,UDML,College of Engineering Abstract Optical network users, whether service providers, enterprises, or government and military agencies, have unique and growing security needs. Today s optical networks must provide end-to-end protection that is fully integrated with other security services, technologies, and management systems. To provide the greatest flexibility, optical network elements should support advanced AAA services, and provide multiple layers of protection. In this paper we describes the security requirements of optical networks, and the ways in which the Cisco ONS Family of optical network platforms meets the demanding requirements of government agencies, service providers, and enterprises. Cisco Systems has a longstanding reputation as a global leader in network security. Cisco developed the SAFE Blueprint, a comprehensive framework for defending networks, and has incorporated robust security technologies and features into all Cisco network devices, including optical platforms. Index Terms Optical networks, AAA services, ONS, SAFE Blueprint. 1.0 INTRODUCTION Once largely the domain of service providers, optical technology is today helping numerous government and military agencies, research institutions, and enterprises to meet their growing bandwidth and availability requirements. This widespread adoption can be largely attributed to the expanded capabilities of nextgeneration optical platforms. Offering integrated IP services, storage-extension capabilities, and support for video applications, next-generation platforms provide an attractive solution for deploying highly available, high-speed, multiservice infrastructures. These platforms not only bring tremendous flexibility and improved network efficiency they also offer the opportunity to take a more coordinated, consistent and proactive approach to optical networking security. In the past, optical networking equipment was often protected simply by being kept in locked cages or facilities with restricted physical access. But because today s optical platforms are deployed in more open environments and more closely integrated with the rest of an organization s network, physical protection alone is not enough. Integrated optical and IP environments demand new security considerations beyond the inherent security benefits of optical technology. Organizations must ensure that optical platforms are part of an end-to-end network security strategy, and are just as protected as the rest of the network. In this paper we describes the security requirements of optical networks, and the ways in which the Cisco ONS Family of optical network platforms meets the demanding requirements of government agencies, service providers, and enterprises. Cisco Systems has a longstanding reputation as a global leader in network security. Cisco developed the SAFE Blueprint, a comprehensive framework for defending networks, and has incorporated robust security technologies and features into all Cisco network devices, including optical platforms. 84 P a g e

2.0 THE NEED FOR SECURITY IN OPTICAL NETWORKS Today s organizations recognize the ever-growing sophistication of network attacks, and are constantly evolving networks and security technologies to thwart them. However, security considerations for optical networks have historically been treated differently than copper networks. In the past, optical networks were segregated from more open copper networks. Today, the opticalprovisioning paradigm has shifted, as optical networks have become more integrated with IP. This shift has provided tremendous advantages. By bringing A-to-Z, point-and-click provisioning; automatic network discovery; and other traditional IP features to optical platforms, organizations can now provision optical wavelengths with the same ease and flexibility they would use to provision traditional Ethernet or voice services. However, this paradigm shift also exposes optical networks to new vulnerabilities, including: Increased exposure Optical platforms used to be behind a firewall or in a physically secure cage. Now, they may be accessible through the Internet and vulnerable to the same types of attacks as any other network element. Increased interdependence with IP networks Previously, optical networks were managed separately from the rest of the copper network. Today, they are integrated, and must be just as secure as every other network element. Greater demand for access from outside parties Partners and customers of today s service providers, enterprises, and government agencies may be given limited management access to the network, enabling a variety of new efficiencies. This accelerates the need for stronger authentication and authorization procedures, and increasingly sophisticated security-policy management to provide tiered levels of access. Rapidly changing workforce Organizations face constant fluctuations in the individuals and systems that require access to parts of the network. Organizations must be able to quickly and comprehensively change, add, or remove access. 3.0 SECURITY CONCERNS IN DIFFERENT ENVIRONMENTS When it comes to security features of network elements, all organizations share some basic security requirements. A secure optical network must support: Strong identification, authorization, and accesscontrol tools Sophisticated logging to provide an audit trail Support for new and emerging security standards such as Kerberos, public key infrastructure (PKI) certification, and IEEE 802.11X Support for secure communications protocols such as Secure Shell (SSH) Protocol and HTTPS Advanced policy-management tools to support a wide range of users and access levels Simplified integration with other security services, technologies, and management systems that may be operating within the environment However, as use of optical network elements has expanded beyond service providers to government agencies and enterprises, these different environments also demand unique security considerations. 4.0 SECURITY REQUIREMENTS FOR OPTICAL NETWORKS To provide a secure solution for service providers, government and military agencies, and enterprises, optical networks should support several critical security features. These include authentication, authorization, and accounting (AAA); authentication protocols such as RADIUS and TACACS/TACACS+; as well as compliance with GR-815 standards. P a g e 85

4.1 Authentication, Authorization, and Accounting The most basic level of protection an optical network must provide is a means of establishing the identity of an individual or system attempting to access the network, and applying the policies that control what that user is authorized to do. This process, along with the process of keeping track of a user s activity on the network, is referred to as authentication, authorization, and accounting, or AAA. The SAFE Blueprint also refers to a fourth A, address management. Address management services provide a means to map IP addresses to individual identities. AAA capability is supported by AAA servers in the network. Network elements use protocols such as RADIUS and TACACS+ to communicate with AAA servers and respond to user requests for access. The most complex aspect of AAA is authentication, the process of verifying the identity of a user requesting access. The standard model for authenticating users relies on three factors, referred to as the three Ws : What you know, such as a PIN or password What you have to gain access, such as a digital token, public key certificate, or smart card Who you are, established using a fingerprint, voice, or DNA Most organizations strive for two-factor authentication, though many organizations, especially government and military agencies, are increasingly using biometrics to support all three factors. 4.2 Authentication and Authorization Protocols When an individual or system attempts to gain access to an optical network element, that network element uses a service such as RADIUS or TACACS+ to communicate with authentication and authorization systems and apply security policies. 5.0 RADIUS RADIUS is a client/server protocol that enforces broad-based access control and identity policies for users attempting to access network elements. It combines authentication and authorization into a single service, and has been widely used throughout the networking industry. In a RADIUS system, a RADIUS server receives client connection requests, authenticates the user, and then returns the configuration information that allows the client to deliver services to the user. A RADIUS server can also act as a proxy client to other RADIUS servers or other authentication servers. Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. User passwords are sent encrypted between the client and RADIUS server to eliminate the possibility that a password could be intercepted on an unsecured network. In addition to providing basic RADIUS support, an optical network should support RADIUS for all management interfaces, including Cisco Transport Controller, Transaction Language 1 (TL1), FTP, VxWorks, Telnet, etc. 6.0 TACACS/TACACS+ The TACACS protocol and its newest version, TACACS+, are Cisco proprietary protocols that enforce access control and identity policies for administrative network access and configuration functions. TACACS+ provides similar capability to RADIUS, with a few important differences. Where RADIUS combines authentication and authorization into a single step, TACACS+ breaks down the process into the three separate AAA functions. This provides greater flexibility for P a g e 86

incorporating separate, stronger authentication services, such as Kerberos. TACACS+ also supports a wider range of protocols and userprivilege levels than RADIUS. And TACACS+ provides greater confidentiality by encrypting the entire client/server transmission (including username, authorized services, and accounting information), whereas RADIUS encrypts only the password. Optical networks must support RADIUS and/or TACACS/TACACS+ capability to provide the most options and flexibility for securing network assets. 6.1 Compliance with GR-815 Standards In addition to supporting strong AAA services and protocols, the Cisco ONS Family of network platforms complies with GR-815 standards. While GR-815 was designed specifically to meet the security needs of service providers, network platforms that are GR-815-compliant provide enhanced protection in government or enterprise environments. GR-815 security features include: Identity and authentication services for individuals or systems requesting access Enhanced confidentiality through cryptographic services System access control to manage communication sessions with the network, including login protection, connection-oriented communications, connectionless communications, and emergency entry Resource access control to deny users access to network elements without proper authorization Audit log tools to configure and manage audit trail services Data integrity services that confirm that communications have not been altered or destroyed in an unauthorized manner System integrity tools for managing reliability of a network element, including maintaining acceptable levels of service if a security breach occurs Continuity of service tools for addressing threats that can cause a network element to be taken out of service or perform at a reduced level Security administration tools for proper use and management of network-element security features, including overriding vendor defaults, ensuring appropriate backup procedures, managing security databases, and generating security audits Non repudiation tools for communicating with networks that require irrefutable proof that a message has been sent or received Password services that provide greater flexibility to manage password functions 6.2 Government and Military Agencies Growing numbers of government agencies are using or considering using optical networking systems, including the Defense Information Systems Agency (DISA), agencies within the Department of Homeland Security, and even civilian agencies such as the Centers for Disease Control and Prevention. For a government or military organization, the cost of a security breach is more than just lost revenues and productivity. It represents a threat to critical services and, potentially, national security. In addition to the basic security requirements, government and military networks require the strongest trust and identity services, including support for advanced identifiers, such as biometrics. Government networks, especially for the military, have global footprints and support hundreds of critical information services, so optical networks must integrate security services into a unified, manageable system. That means supporting unified directory services and the P a g e 87

ability to configure and disable individual services on any network element. Government and military networks must also provide the flexibility to segregate black, or secure and encrypted networks, from more open, non sensitive red networks. The use of RADIUS in these networks provides the security that keeps them secure. 6.3 Service Providers In addition to protecting against internal and external attacks, service providers must take extra precautions to protect against accidental networkconfiguration changes that could disrupt service to customers. Service providers also must ensure that configuration policies are tightly controlled to enable faster rollout of new services. Service provider networks must also comply with Telcordia Technologies General Requirements for Network Element/Network System Security guidelines commonly referred to as GR-815. GR- 815 provides a standardized set of security features and requirements for any network element used in any service provider network across the industry. 6.4 Enterprises As enterprises have adopted more applications using much bandwidth, such as disaster recovery implementations, they have increasingly turned to optical networks. In an enterprise environment, hundreds of individuals and systems may require access to a given network element, so identity and authentication services, access control, and userbased policy services must be extremely sophisticated. Enterprise optical networks must also allow for fast, comprehensive access changes to support a mobile, constantly changing workforce. Use of applications such as RADIUS and TACACS/TACACS+ provide higher levels of security for the optical products that support these secure applications. 7.0 FUNDAMENTALS OF NETWORK SECURITY While optical networks demand some unique security considerations, the fundamental principles of network security apply to any network environment. The SAFE Blueprint from Cisco provides a comprehensive framework for designing, implementing, and maintaining secure networks. Every network solution from Cisco, including the Cisco ONS Family of optical network platforms, was designed in accordance with the following fundamental networkprotection concepts outlined in the SAFE Blueprint: A true security solution is a process, not a product. An effective security solution must be able to continually evolve and change to accommodate new threats or requirements. All access points of the network are potential targets, and must be protected accordingly. A successful security solution requires comprehensive, integrated safeguards throughout the entire network infrastructure. Security solutions must be modular in order to be scalable, flexible, and cost-effective. A layered, in-depth defense strategy ensures more complete protection and minimizes areas of potential vulnerability. 7.1 Securing Network Platforms The SAFE Blueprint recognizes that router security is critical in any network. Routers control access from every network to every network, advertise networks, and filter who can and cannot gain access. As a result, they present an extremely attractive target for potential attacks. The Cisco ONS Family of optical network platforms incorporates best practices for router security described in the SAFE Blueprint. These principles require network platforms to support: Locking down of Simple Network Management Protocol (SNMP) and Telnet access to the router, and support for more secure access methods such as SSH Protocol P a g e 88

User authentication and authorization through services such as RADIUS and TACACS/TACACS+ Ability to disable unneeded services Logging at all appropriate levels to provide a comprehensive audit trail Authentication of routing updates Integration with security and other features of network switches The Cisco ONS Family also provides additional security benefits by: Combining standard network security services with GR-815 services, providing multiple layers of security on every network element Allowing organizations to shut off or turn on access to physical ports on the platform Providing additional methods for detecting security breaches, because a properly designed optical network will detect any degradation of optical signals Allowing organizations to manage optical security within the same management framework as the rest of the network 8.0 CONCLUSION Optical network users, whether service providers, enterprises, or government and military agencies, have unique and growing security needs. Today s optical networks must provide end-toend protection that is fully integrated with other security services, technologies, and management systems. To provide the greatest flexibility, optical network elements should support advanced AAA services, and provide multiple layers of protection. Optical network security services should also be scalable and standards-based to ensure that organizations can continually evolve security postures as threats and requirements change. Cisco Systems offers more than just a secure optical platform. By engineering network elements as part of a comprehensive, broad-based security strategy, Cisco can help organizations ensure that optical networks are just as secure as traditional copper networks, and provide robust, multi layered protection. Security threats will continue to evolve, and optical networks must evolve with them. Cisco is already building a framework for defending networks against tomorrow s security threats. As part of its vision of the Intelligent Information Network, Cisco is developing a model for integrated, collaborative, and adaptive security services that take advantage of the ubiquitous sensing and control capabilities inherent within the network itself. By engineering optical and other network components as part of a coordinated, consistent, and proactive network environment, Cisco can help organizations build a unified threat-defense system that will reduce windows of network vulnerability and lower security-management burden. ACKNOWLEDGEMENTS We would like to thank everyone, especially developers, early adopters, I.T. enthusiast and family members who provided support and followed up with us. REFERENCES [1.] http://www.cisco.com/en/us/products /hw/optical/index.html [2.] http://en.wikipedia.org/wiki/synchrono us_optical_networking [3.] http://en.wikipedia.org/wiki/passive_o ptical_network [4.] http://www.cisco.com/en/us/prod/coll ateral/optical/ps5724/ps2006/brochure_ c02-452560.html [5.] http://docwiki.cisco.com/wiki/cisco_op tical_networking [6.] http://searchtelecom.techtarget.com/new s/1263785/fiber-optic-network-securitya-necessity P a g e 89

[7.] http://www.paessler.com/manuals/prtg _traffic_grapher/automaticnetworkdiscov ery [8.] http://kerberos.org/ [9.] http://www.kerberos.info/ [10.] en.wikipedia.org/wiki/public_key_infra structure [11.] www.ssh.com [12.] http://www.cisco.com/en/us/tech/tk5 9/technologies_tech_note09186a00800945c c.shtml [13.] http://www.cisco.com/en/us/docs/ios /12_0/security/command/reference/srta cs.pdf [14.] http://www.cisco.com/en/us/docs/op tical/15000r4_5/15454/sonet/reference/g uide/r45ectc.html [15.] http://docwiki.cisco.com/wiki/ons_15 454_Reference_Manual_R8.5.x_-- _Cisco_Transport_Controller_Operation [16.] http://www.tutorgigpedia.com/ed/tra nsaction_language_1 P a g e 90

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback