Availability and Security of Complex and Integrated Telecommunications Networks
Network and Information Security: Political and Technical Challenges
Roma, Italy – 02/04 November 2005
Giuseppe [email protected]
All rights reserved © 2005, Alcatel. Network Security – Roma, November 2005. Page 2
Outline
> Networks & Technology overview
> Communications Security
> Logical security
> Conclusions
Networks & Technology overview
From many isolated networks to a single multi-technology network
(Diagram: "Isolated Networks" to "Universal Broadband Network". Labels on the diagram: Wireless Broadband, Mobile Broadband, Fixed Broadband; Fixed Wireless, Wireline, Mobile; Service Delivery Platform; Service Aware Edge & Data Aware Transport; Universal BB Access; Enterprise Infrastructure & Applications; OSS & BSS; Consumer End-users; Any Appliance; Any Content.)
Today: infrastructure for connectivity
Tomorrow: adapt to services & applications
Communications Security
The failures in the networks: why & how many?
Physical – Hardware – Software – Human errors
> Cable cut (average values)
• Sea segment: 1 cut / 300 km / year
• Rural segment: 1 cut / 200 km / year
• Metropolitan segment: 1 cut / 30 km / year
> E.g.: 4,500 km of line (75% rural, 25% metro) means 52 cuts/year (Alcatel elaboration on official data)
How to minimize the impact of failures? 1 - Adopt a meshed architecture (1/2)
> High flexibility
> High scalability
> High availability
> Efficient use of bandwidth
> Lower maintenance costs
> High security
(Chart: SNCP – Mesh comparison. X axis: MTTR (hours), from 4 to 96; left Y axis: downtime (mins), 0 to 12000; right Y axis: availability, 0.96 to 1. Series: Ring 1, Ring 2, HC and Mesh downtime; Ring 1, Ring 2, HC and Mesh availability.)
(Example of the Pan-European Network: map with nodes London CC, London, Duesseldorf, Frankfurt, Antwerp, Brussels, Lille, Paris, Lowestoft, Domburg, Margate, Folkestone, Calais, Eurotunnel, RB 1, RB 2, Leiden, Beverwijk, C & N and O.Beijl., with link lengths marked.)
> Combine with GMPLS
> Adopt both a protection and a restoration policy
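As an added worked example (not from the presentation), the cable-cut rates on the previous slide and the downtime-versus-MTTR chart above can be tied together with a simple availability model. The code below is mine, not Alcatel's: it computes expected cuts per year for a line with a given segment mix, converts them into downtime per year for an unprotected path, a ring-protected path and a mesh path with several disjoint routes as a function of MTTR, and also converts an availability target such as 99.999% into minutes per year. The route counts per architecture, the segment mix and the MTTR values are constructed assumptions; the model treats routes as equal-length and independently failing, which a real ring (longer protection path) and a real mesh (shared links) only approximate. It goes beyond the slide's 4,500 km example by accepting any mix of sea, rural and metro kilometres.

```python
"""Added example, not part of the Alcatel presentation: an availability
model built on the deck's average cut rates (1 cut / 300 km / year sea,
1 / 200 km rural, 1 / 30 km metro). Route counts, segment mix and MTTR
values are constructed assumptions."""

HOURS_PER_YEAR = 8760.0
MINUTES_PER_YEAR = HOURS_PER_YEAR * 60

# Average cut rates from the deck, expressed as cuts per km per year
CUTS_PER_KM_YEAR = {
    "sea": 1.0 / 300,
    "rural": 1.0 / 200,
    "metro": 1.0 / 30,
}


def cuts_per_year(segments_km):
    """Expected cable cuts per year for a line made of the given segments,
    e.g. {"rural": 3375, "metro": 1125}."""
    return sum(km * CUTS_PER_KM_YEAR[kind] for kind, km in segments_km.items())


def path_unavailability(cuts_year, mttr_hours):
    """Fraction of time a single unprotected path is down.

    With MTBF = 8760 / cuts_year hours, U = MTTR / (MTBF + MTTR), which
    rearranges to x / (1 + x) with x = cuts_year * MTTR / 8760."""
    x = cuts_year * mttr_hours / HOURS_PER_YEAR
    return x / (1.0 + x)


def multi_route_unavailability(cuts_year, mttr_hours, disjoint_routes):
    """Unavailability when traffic survives as long as any one of
    `disjoint_routes` link-disjoint routes is up. Simplification (assumed):
    every route has the same cut rate and fails independently, so the
    service is down only when all routes are down at the same time."""
    if disjoint_routes < 1:
        raise ValueError("need at least one route")
    return path_unavailability(cuts_year, mttr_hours) ** disjoint_routes


def downtime_minutes(unavailability):
    """Convert an unavailability fraction into minutes of outage per year."""
    return unavailability * MINUTES_PER_YEAR


def availability_to_downtime_minutes(availability):
    """Minutes per year allowed by an availability target, e.g. 0.99999."""
    return downtime_minutes(1.0 - availability)


def compare_architectures(segments_km, mttr_hours):
    """Downtime per year (minutes) for three protection schemes. The route
    counts are constructed assumptions: unprotected = 1 route,
    ring (SNCP-style 1+1) = 2 routes, mesh = 3 disjoint routes."""
    lam = cuts_per_year(segments_km)
    return {
        "cuts_per_year": lam,
        "unprotected": downtime_minutes(multi_route_unavailability(lam, mttr_hours, 1)),
        "ring": downtime_minutes(multi_route_unavailability(lam, mttr_hours, 2)),
        "mesh": downtime_minutes(multi_route_unavailability(lam, mttr_hours, 3)),
    }


if __name__ == "__main__":
    # Constructed input: the deck's 4,500 km line, 75% rural / 25% metro
    line = {"rural": 3375, "metro": 1125}
    for mttr in (4, 8, 24, 48, 96):  # MTTR values taken from the chart's x axis
        r = compare_architectures(line, mttr)
        print(f"MTTR {mttr:3d} h: unprotected {r['unprotected']:9.0f} min, "
              f"ring {r['ring']:9.0f} min, mesh {r['mesh']:9.0f} min")
    print("five nines allow", round(availability_to_downtime_minutes(0.99999), 2),
          "min/year")
```

The point the numbers make is the one the chart makes: with tens of cuts per year on a long line, the MTTR of the repair crew dominates the unprotected downtime, and each additional disjoint route multiplies the unavailability by another small factor, which is why a mesh with restoration outperforms a ring at the same MTTR.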
How to minimize the impact of failures? 1 - Adopt a meshed architecture (2/2)
Example: mesh backbone (Bkb) study case
> Cost comparison of 3 selected scenarios
• Traffic demand of 2006: 2 Tbps
1. Reference architecture > IP over DWDM
2. Transport-optimized IP > IP, SDH, DWDM
3. Full mesh IP > IP, SDH, embedded L2, DWDM
(Chart: cost comparison. X axis: scenario (Reference, Transport opt. IP, Full mesh IP); Y axis: relative cost [%], 0 to 100; stacked series: SDH, WDM, IP.)
Cost effective
How to minimize the impact of failures? 2 - Adopt geographical redundancy
Standard Configuration
• All local BSC resources connect to a single MGW
Split Rack – Basic
• MGW resources split over two racks
• Incremental CAPEX
• Each BSC parented to one MGW
Split Rack – Dual Homed
• MGW resources split over two racks
• Incremental CAPEX
• Each BSC parented to multiple MGWs (single TRKGRP)
• Engineering flexibility for 50/50 through 100/100 split for added resilience in the busy hour
Multi-Site – Dual Homed
• Traffic balanced over multiple MGWs on multiple sites
• Incremental OPEX
• Engineering flexibility for 50/50 through 100/100 split for added resilience in the busy hour
(Diagram: the four configurations, with site labels Site 1 / Site 1 / Site 1 / Site 1 + Site 2, and the captions "Up to now" and "New possibility".)
e.g. Alcatel Spatial Atrium Redundant Configurations
How to minimize the impact of failures? 3 - Adopt equipment with a robust architecture (1/3)
> "Absolute availability" requires solutions and tools to address all causes of network outages
• To achieve 99.999 percent availability (~5 min outage/year), HW and/or SW failover must occur rapidly while data sessions are preserved
> What does non-stop routing mean?
• Automated switchover of the routing plane, including BGP, OSPF and IS-IS, without data session interruption
• TCP session state is maintained
• No routing update messages lost during switchover
> Alcatel solution: ACEIS (Alcatel Carrier Environment Internet System)
• Combination of hardware and software technology that delivers true carrier-grade IP
• Not only standard hardware redundancy, but an architecture designed from the ground up for voice-quality IP
• Truly modular IP software stack
(Figure: implementation example)
> What in the future? From non-stop routing to continuous routing?
How to minimize the impact of failures? 3 - Adopt equipment with a robust architecture (2/3)
Results!
(Chart: Alcatel performance versus average performance, 05 October 2005.)
How to minimize the impact of failures? 3 - Adopt equipment with a robust architecture (3/3)
Example of the IP telephony layered security approach adopted by Alcatel (labels from the diagram, grouped by the four headings shown on the slide):
> Network security: VLANs; access control lists; rate limiting; ARP flooding; ARP spoofing; IP spoofing; Com. Server firewall protection; media gateways, Com. Server, management and IP phones
> Voice server security: Com Server spatial redundancy; Com Server hardened Linux; Com Server database mirroring; Com Server toll fraud protection; Com Server configuration logs; Media Gateway hardening; disaster recovery
> Management security: encryption of management traffic; role-based management
> Authentication & encryption: encryption requires authentication; independent from the O.S. & com. server; easy to manage; HW based
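The network-security layer above lists rate limiting and ARP spoofing/flooding among the controls for an IP telephony LAN. As an added example (my code, not Alcatel's), the monitor below shows the two checks a switch port or a monitoring probe applies to ARP traffic: it keeps the IP-to-MAC binding it first learned (optionally seeded from a static table for the gateway and call servers), flags a reply that claims a different MAC for a known IP, and flags a sender whose reply rate exceeds a threshold inside a sliding window. The ARP records, thresholds and addresses are constructed for the example.

```python
"""Added example, not Alcatel code: ARP spoofing and ARP flooding detection
over a stream of ARP records (timestamp, opcode, sender MAC, sender IP).
Records, thresholds and addresses below are constructed."""

from collections import defaultdict, deque

ARP_REQUEST = 1
ARP_REPLY = 2


class ArpMonitor:
    def __init__(self, rate_limit=10, window_seconds=1.0, static_table=None):
        self.rate_limit = rate_limit          # max replies per sender per window
        self.window = window_seconds
        self.bindings = dict(static_table or {})  # ip -> mac, learned or static
        self.recent = defaultdict(deque)          # sender mac -> reply timestamps

    def observe(self, ts, opcode, sender_mac, sender_ip):
        """Feed one ARP record. Returns a list of alert strings (empty when
        nothing is suspicious). Requests are not inspected here."""
        alerts = []
        if opcode != ARP_REPLY:
            return alerts

        # Rate limiting: count replies from this MAC inside the trailing window
        q = self.recent[sender_mac]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.rate_limit:
            alerts.append(f"ARP flooding: {sender_mac} sent {len(q)} replies "
                          f"in {self.window}s")

        # Spoofing: an IP we already know now claims a different MAC.
        # First sighting is trusted (or pre-seeded via static_table).
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac
        elif known != sender_mac:
            alerts.append(f"ARP spoofing: {sender_ip} is bound to {known}, "
                          f"reply claims {sender_mac}")
        return alerts


def scan(records, **monitor_kwargs):
    """Run every record through a fresh ArpMonitor and collect all alerts."""
    mon = ArpMonitor(**monitor_kwargs)
    alerts = []
    for rec in records:
        alerts.extend(mon.observe(*rec))
    return alerts


# Constructed sample: gateway and one IP phone announce themselves, a request
# is ignored, a third host impersonates the gateway, then a host sends a
# burst of twelve replies within 0.11 s.
SAMPLE_RECORDS = [
    (0.0, ARP_REPLY, "00:11:22:33:44:01", "10.0.0.1"),     # gateway
    (0.5, ARP_REPLY, "00:11:22:33:44:02", "10.0.0.20"),    # IP phone
    (1.0, ARP_REQUEST, "00:11:22:33:44:02", "10.0.0.20"),  # request, ignored
    (1.5, ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1"),     # gateway impersonation
] + [(2.0 + i * 0.01, ARP_REPLY, "de:ad:be:ef:00:02", "10.0.0.50")
     for i in range(12)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Seeding `static_table` with the addresses of the gateway, the communication server and the media gateways is what turns the first-sighting rule into a real control on a voice VLAN: those bindings never change, so any reply that contradicts them is worth an alert regardless of learning order.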
Logical security
Global Security Control
Example: The Alcatel Security Operation Centre (SOC). Functions shown on the diagram:
> Policy Management; User Management; Security Monitoring; Editorial Management; Audit Management; Security Management; Training; Awareness; Reference Management; Hot line
> Incident Detection, Response & Reporting; Event Correlation
> Vulnerability Management: Advisory Management; Vulnerability correction; Baseline Management & Reporting; Technical Survey; Information Letter & News
> Security Portal Management
> Security Audit: Intrusion; Conformity; Vulnerabilities; Operations; Maintenance & Upgrade; Reporting
> Training & Incident Response
> Business Continuity
> CERT-IST Advisories & Management
> Access & Data Protection Management: Authorisation & Authentication Management; Single Sign-On; Encryption
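The SOC functions above include security monitoring, event correlation and incident detection, response and reporting. As an added example (my code, not the Alcatel SOC's), the rule below shows the smallest useful version of event correlation: logs from a firewall, an IDS and an authentication server are normalised to (timestamp, source IP, category), grouped per source inside a sliding time window, and a single incident is raised when one source produces several distinct categories of event close together, instead of three separate alerts landing in three queues. The log lines, field layout, window and threshold are constructed for the example.

```python
"""Added example, not Alcatel code: multi-source event correlation of the
kind a SOC runs over collected logs. Log lines, formats, window and
thresholds below are constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines from three device types
SAMPLE_LOGS = """\
2005-11-02T10:00:01 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2005-11-02T10:00:05 ids01 ALERT sid=1001 src=203.0.113.7 msg="SSH brute force"
2005-11-02T10:00:09 fw01 DENY src=203.0.113.7 dst=192.0.2.11 dport=22
2005-11-02T10:00:12 auth01 FAILED_LOGIN user=root src=203.0.113.7
2005-11-02T10:05:00 fw01 DENY src=198.51.100.9 dst=192.0.2.10 dport=445
2005-11-02T11:30:00 auth01 FAILED_LOGIN user=admin src=198.51.100.9
"""

# One pattern per constructed log format: captures timestamp and source IP
PATTERNS = [
    (re.compile(r"^(\S+) \S+ DENY src=(\S+)"), "firewall_deny"),
    (re.compile(r"^(\S+) \S+ ALERT .*src=(\S+)"), "ids_alert"),
    (re.compile(r"^(\S+) \S+ FAILED_LOGIN .*src=(\S+)"), "auth_failure"),
]


def parse_line(line):
    """Normalise one log line to (timestamp, source_ip, category);
    returns None for lines no pattern recognises."""
    for pattern, category in PATTERNS:
        m = pattern.match(line)
        if m:
            return datetime.fromisoformat(m.group(1)), m.group(2), category
    return None


def correlate(log_text, window=timedelta(minutes=5), min_categories=3):
    """Return one incident per source IP whose events cover at least
    `min_categories` distinct categories inside some interval of length
    `window`. Each incident records the span and the categories seen."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, category = parsed
            by_source[src].append((ts, category))

    incidents = []
    for src, events in by_source.items():
        events.sort()  # chronological, so each start index opens a window
        for i, (start, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            categories = {c for _, c in in_window}
            if len(categories) >= min_categories:
                incidents.append({
                    "source": src,
                    "first_seen": start,
                    "last_seen": in_window[-1][0],
                    "categories": sorted(categories),
                })
                break  # one incident per source is enough for the SOC queue
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(f"{inc['source']}: {', '.join(inc['categories'])} "
              f"between {inc['first_seen']} and {inc['last_seen']}")
```

With the default five-minute window and three categories, only the first source is escalated; the second source's two events sit 85 minutes apart and stay as individual alerts. Widening the window or lowering the category threshold trades fewer missed incidents for more analyst noise, which is the tuning decision a SOC makes rule by rule.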
Conclusion
What do we have to do?
> Organization
> Control
> Technology
(Diagram labels: Risk Analysis; Intrusive Audit; Vulnerability Audit (Code, Applications, Architecture); Investigation Audit; Conformity Audit; VPN)
www.alcatel.com