Network Security 101

Security risks are categorized into three basic categories:

  • Service Disruption, in which the network is not available for its intended use. This can be caused by a classic "denial of service" attack in which the network is bombarded with false information that it must process, effectively shutting down the network. Holes in the operating systems of key servers could also cause them to be taken out of service, preventing new sessions from being established.

  • Theft of Service, in which an unauthorized user gets to use network bandwidth (or an authorized user gets access to an unauthorized service).

  • Privacy Violations, in which information is captured by a third party. These include eavesdropping, collection of network usage information, and theft of specific data such as credit card numbers.

Securing the network from attack involves both protecting the infrastructure and protecting the traffic.

  • Protecting the traffic means ensuring that all information traversing the network is unaltered and can be read only by its intended recipient. Protecting the traffic includes preventing outside attacks through the use of firewalls, NAT and similar measures (perimeter security), ensuring that the information is unmodified and not seen by others through the use of authentication and/or encryption (application security), and ensuring that each network user can securely transport information across the shared infrastructure (transport security).

  • Protecting the infrastructure means ensuring that unauthorized users cannot disrupt the network by such techniques as "hacking" into the switch to alter its configuration, or bombarding the switch with so much invalid traffic that it cannot perform its job effectively. Protecting the infrastructure includes locked doors and video cameras (physical security), ensuring that only authorized personnel have access to applications (user security), and ensuring that the network elements are hardened against attack (device security).

Security Glossary
PDF From A to Z: Security Glossary (269 KB) -- Download this glossary for an easy reference on today's most widely used security terms and definitions.


Security Certifications

Security certifications previously existed primarily to meet the security requirements of the U.S. Federal Government. However, corporations in the private sector also find security certifications a good measure of a product's purported security capabilities. Nortel Networks works with its customers to understand which certifications are necessary and, where appropriate, certifies its products to meet those requirements. The following list includes the certifications found in Nortel Networks security products, as well as an explanation of the newer Common Criteria standard, which is not yet a standard requirement for vendors but is under careful review by vendors of security products.

  • FIPS 140-1*: Security certification developed by the U.S. National Institute of Standards and Technology (NIST) and Canada's Communications Security Establishment (CSE) as a standard for cryptographic modules. Products can be evaluated to four different levels of FIPS 140-1 certification. This certification is soon to be superseded by FIPS 140-2.
  • ICSA*: TruSecure Corporation's ICSA Labs sets standards for, tests and certifies commercial security products. To maintain a product's certification, participants in ICSA Labs' Certification Program must pursue technological improvements and implement a strategy of practical risk reduction. ICSA's certification process is a dynamic one: continued testing of certified products against successive versions of the Certification Criteria is expected. ICSA's evolutionary criteria and methodologies are internationally applicable and appropriate; and although failure is an option, ICSA expects that applicants for certification will eventually pass and will remain compliant with the dynamic criteria.
  • Common Criteria*: An effort to unify the security requirements of the U.S. DoD Orange Book, the United Kingdom's Information Technology Security Evaluation Criteria (ITSEC), and the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), so that products evaluated by one country's evaluation program are accepted by the others. The target is as many participating countries as possible (now 23); the goal of becoming an ISO standard has been met as ISO 15408. The Common Criteria specify security requirements as "Protection Profiles" and the security features demonstrated by a product as "Security Targets".
  • VPN Consortium (VPNC)*: An international trade association for manufacturers that participate in VPN markets. Its mission is to promote VPN products to the press and customers, and to increase interoperability between member products. To validate product conformance, VPNC has defined a list of basic tests to verify members' implementations of VPN technologies. Member products that pass these tests are issued a conformance logo as a stamp of approval. Interoperability tests between member products are also encouraged, and their results are posted on the VPNC web site.


Security Organizations

Beyond the ongoing security standards work within the IETF, ETSI, and other organizations, the organizations listed below represent newer ongoing security activities that seek better community communication about the security threats impacting networks today. Nortel Networks participates in all of these organizations, in addition to its participation in the security standards for IPSec, NAT, PKIX, SYSLOG, etc.

  • Alliance for Telecommunications Industry Solutions*
    ATIS is a United States based body that is committed to rapidly developing and promoting technical and operations standards for the communications and related information technologies industry worldwide using a pragmatic, flexible and open approach. ATIS is accredited by the American National Standards Institute (ANSI).
  • The CERT Coordination Center*
    • Federally-funded
    • Located at Carnegie-Mellon University
    • Clearing house
    • Coordination center for computer security incidents
  • Communications Security Establishment*
    CSE provides technical advice, guidance and services to the Government of Canada to maintain the security of its information and information infrastructures. It also provides technical and operational assistance to federal law enforcement and security agencies.
  • ICSA*
    Industry recognized authority for security certifications in firewalls, VPNs, and other security technology products.
  • International Telecommunication Union (ITU)*
    New Initiative on Security: A workshop held in Seoul, South Korea, on May 21-22, 2002. In line with Council Decision 496*, its main objective was to inform the Secretary-General about possible new work items for the Union. A further aim was to promote the exchange of views and information in this field and to share experiences internationally, resulting in mutual benefits for all parties.
  • Internet Security Alliance*
    Promotes sound information security practices, policies, and technologies that enhance the security of the Internet and global information systems.
  • National Reliability and Interoperability Council (NRIC)*
    Part of the Homeland Security Working Group, the NRIC works to ensure the optimal reliability, interoperability, and interconnectivity of, and accessibility to, the public telecommunications networks.
  • The National Coordinating Center (NCC) for Telecommunications - Information Sharing and Analysis Center (Telecom-ISAC)*
    Under the National Coordinating Center for Telecommunications (NCC), the Telecom-ISAC facilitates voluntary collaboration and information sharing among Government and industry ISAC members in support of Executive Order 12472 and the critical infrastructure protection goals of Presidential Decision Directive 63 (PDD-63). Nortel Networks cooperates with the U.S. Government and industry to investigate security vulnerabilities. NCC gathers information on threats, outages, intrusions, and anomalies; analyzes and sanitizes the information; disseminates the information in accord with sharing agreements; and alerts others in "near real time."
  • SANS: System Administration Networking Security Institute*
    A cooperative research and education organization
    • More than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions to the challenges they face.
    • Founded in 1989
    • The SANS community creates four types of products:
      • System and security alerts and news updates
      • Special research projects and publications
      • In-depth education
      • Certification


Security Legislation

Security has gone from a corporation-based responsibility to one that is now being legislated from a privacy-protection perspective. This legislation currently impacts certain industry verticals, such as healthcare and the financial industry, in order to protect consumers' private information, as well as U.S. corporations doing business with European corporations. Nortel Networks works with its customers impacted by this legislation to use the appropriate technology and products to meet the security requirements necessary to adhere to these regulations.

  • Gramm-Leach-Bliley Financial Services Act (GLB)*: Effective 1 Jul 2001 for the financial industry. CIOs must document the security policies and practices with respect to protecting the confidentiality and security of non-public personal information, or face criminal prosecution and fines if not in compliance.
  • EU Data Protection Act and U.S. Safe Harbor Framework*: The European Commission's Directive on Data Protection Act of 1998 establishes rules to ensure that personal data of European Union citizens is transferred to countries outside the EU only when its continued protection is guaranteed, so that the high standards of protection introduced by the Directive within the EU are not undermined. The Safe Harbor Agreement works in conjunction with the Directive to extend adherence to the Directive's rules across the Atlantic to U.S. companies.


Security Information sources for CxO's and Implementers


Security Standards
