Availability and Security of Complex and Integrated Telecommunications Networks

Network and Information Security: Political and Technical Challenges
Roma, Italy – 02/04 November 2005

Giuseppe Fortini


All rights reserved © 2005, Alcatel. Network Security – Roma, November 2005

Outline

> Networks & Technology overview

> Communications Security

> Logical security

> Conclusions


Networks & Technology overview
From many isolated networks to a single multi-technology network

[Figure: Isolated Networks to Universal Broadband Network. Labels: Fixed Wireless, Wireline, Mobile; Fixed Broadband, Wireless Broadband, Mobile Broadband; Universal BB Access; Service Aware Edge & Data Aware Transport; Service Delivery Platform; OSS & BSS; Any Appliance; Any Content; Enterprise Infrastructure & Applications; Consumer End-users.]

Today: Infrastructure for connectivity

Tomorrow: Adapt to services & applications


Communications Security
The failures in the Networks: Why & How many?

Physical – Hardware – Software – Human errors

> Cable cut (average values)
• Sea Segment: 1 cut / 300 km / year
• Rural Segment: 1 cut / 200 km / year
• Metropolitan Segment: 1 cut / 30 km / year

> E.g.: 4,500 km of line (75% rural, 25% metro) means 52 cuts/year (Alcatel elaboration on official data)


How to minimize the impact of failures? 1 - Adopt Meshed Architecture (1/2)

> High flexibility
> High scalability
> High availability
> Efficient use of bandwidth
> Lower maintenance costs

High security

[Chart: SNCP - Mesh Comparison. Downtime (mins) and Availability versus MTTR (Hours) for Ring 1, Ring 2, HC and Mesh.]

(Example of the Pan-European Network)

[Figure: network diagram with nodes including London CC, London, Duesseldorf, Frankfurt, Antwerp, Brussels, Lille, Paris, Lowestoft, Domburg, Margate, Folkestone, Calais, Eurotunnel, Leiden and Beverwijk.]

> Associate to GMPLS
> Adopt both Protection and Restoration policy


How to minimize the impact of failures? 1 - Adopt Meshed Architecture (2/2)

Example Mesh Bkb Study Case
> Cost Comparison of 3 Selected Scenarios
• Traffic demand of 2006: 2 Tbps

1. Reference architecture
> IP over DWDM

2. Transport optimized IP
> IP, SDH, DWDM

3. Full mesh IP
> IP, SDH, embedded L2, DWDM

[Chart: Cost Comparison. Relative Cost [%] per Scenario (Reference, Transport opt. IP, Full mesh IP), broken down by SDH, WDM and IP.]

Cost effective


How to minimize the impact of failures? 2 - Adopt Geographical Redundancy

e.g. Alcatel Spatial Atrium Redundant Configurations

Standard Configuration
• All local BSC resources connect to single MGW

Split Rack – Basic
• MGW resources split over two racks
• Incremental CAPEX
• Each BSC parented to one MGW

Split Rack – Dual Homed
• MGW resources split over two racks
• Incremental CAPEX
• Each BSC parented to multiple MGWs (single TRKGRP)
• Engineering flexibility for 50/50 thru 100/100 split for added resilience in busy hour

Multi-Site – Dual Homed
• Traffic balanced over multiple MGWs on multiple sites
• Incremental OPEX
• Engineering flexibility for 50/50 thru 100/100 split for added resilience in busy hour

[Figure labels: Site 1, Site 2; "Up to now", "New possibility".]


How to minimize the impact of failures? 3 - Adopt Equipment with Robust Architecture (1/3)

> “Absolute availability” requires solutions and tools to address all causes of network outages
• To achieve 99.999 percent availability (~5 min outage/year), HW and/or SW failover must occur rapidly while data sessions are preserved

> What does non-stop routing mean?
• Automated switchover of routing plane including BGP, OSPF and IS-IS without data session interruption
• TCP session state is maintained
• No routing update messages lost during switchover

> Alcatel solution: ACEIS (Alcatel Carrier Environment Internet System)
• Combination of hardware and software technology that delivers true carrier grade IP
• Not only standard hardware redundancy, but an architecture designed from the ground up for voice quality IP
• Truly modular IP software stack

Implementation Example

> What in the future? From non-stop routing to Continuous Routing?


How to minimize the impact of failures? 3 - Adopt Equipment with Robust Architecture (2/3)

Results!

[Chart labels: Alcatel Performance; average performance (05 October 2005).]


How to minimize the impact of failures? 3 - Adopt Equipment with Robust Architecture (3/3)

Example of IP Telephony security layered approach adopted by Alcatel

[Figure labels:]
• Network Security
• Voice server security
• Management Security
• Authentication & encryption
• VLANs: Media Gateways & Com. Server, Management, IP phones
• Com. Server Firewall protection
• Access Control Lists
• Rate limiting, ARP flooding, ARP spoofing, IP spoofing
• Com Server Spatial Redundancy
• Com Server Hardened Linux
• Com Server Database mirroring
• Com Server toll fraud Protection
• Media Gateway hardening
• Encryption of Management traffic
• Com Server Configuration logs
• Role based Management
• Disaster recovery
• Encryption requires Authentication
• Independent from O.S. & com. server
• Easy to manage
• HW Based


Logical security
Global Security Control

Example: The Alcatel Security Operation Centre (SOC)

[Figure labels: Policy Management; User Management; Security Monitoring; Editorial Management; Audit Management; Security Management; Training; Awareness; Reference Management; Hot line; Incident Detection, Response & Reporting; Event Correlation; Vulnerability Management; Advisory Management; Vulnerability correction; Baseline Management & Reporting; Technical Survey; Information Letter & News; Security Portal Management; Intrusion; Conformity; Vulnerabilities; Operations; Maintenance & Upgrade; Reporting; Security Audit; Training & Incident Response; Business Continuity; CERT-IST; Advisories & Management; Access & Data Protection Management; Authorisation & Authentication Management; Single Sign-On; Encryption.]


Conclusion
What do we have to do?

> Organization

> Control

> Technology

[Figure labels: VPN; Risk Analysis; Intrusive Audit; Vulnerability Audit (Code, Applications, Architecture); Investigation Audit; Conformity Audit.]


www.alcatel.com