Today's connected enterprise faces a security paradox. The very openness and ubiquity that make the Internet such a powerful business tool also make it a tremendous liability. The only effective network security strategy is one that permeates the end-to-end architecture and enforces corporate policies on multiple levels and multiple network points. Nortel Networks developed the Unified Security Architecture to provide a framework of best recommendations and solutions for enterprise network security. It serves as an important reference guide for IT professionals responsible for designing and implementing secure networks.
In developing the Unified Security Architecture, the following considerations were taken into account:
The Internet was designed to share, not to protect. IP networks and the Internet are redefining the way many enterprises deliver corporate applications. The level of threat increases as legacy applications become network-enabled and as network managers open their networks to more new users and applications.
Security is not optional. Security breaches and unlawful access to confidential data can cost enterprises millions, but the security mandate goes beyond financial incentives to enforcing regulatory laws.
The bad guys have good guns. Attackers have a broad repertoire of tools and techniques they can use to compromise a network, such as IP spoofing, network sniffers, bucket brigade attacks, denial-of-service attacks, and masquerading. With these tools of the trade, hackers can launch multi-level attacks to access the network, and then exploit parts of your information systems.
Security threats recognize no boundaries. The typical enterprise "internal" trusted network is anything but internal these days. It extends to include supply chain partners, telecommuters, remote access users, Web users, application service providers, disaster recovery providers, and more.
Security depends on people, process, and technology. Vulnerabilities arise from people failures (such as posting passwords in public view), process failures (such as slack policy enforcement), technical failures (such as rogue programs and Trojan horses), and combinations of all three.
It's not enough to guard the front gate. Every component of the IT infrastructure is susceptible to attacks, not just obvious gateways to the Internet. Hosts, applications such as IP telephony, routers, and switches can be attacked from inside or outside the enterprise.
There's no stock blueprint. Each enterprise has its own business needs and networking environment. The "closed enterprise" uses private lines between sites, with dial-up Internet access for selected users. The extended enterprise uses IP virtual private networks (VPNs) and offers Internet access for all employees. The "open enterprise" invites partners, suppliers, and customers into the internal trusted network via the Internet. That means the "right" security strategy is neither a "one size fits all" nor a static implementation.
Frisking everybody and everything takes time. On enterprise networks, turning up the full complement of security features can slow Web servers and legacy routers to a crawl as they bog down with processing-intensive encryption, decryption, key management, and more. Voice applications, such as live Webcasts and Voice over IP (VoIP), are particularly sensitive to delay and jitter and are therefore dramatically affected by traditional security mechanisms. The security strategy has to ensure that performance is not bogged down.
Grace under fire is a requirement. In the context of security, network survivability means the network must continue to operate delivering essential services in a timely manner while battling security threats, even if parts of the network are unreachable or disabled due to overt attack.
Security is a closed-loop process with an open-ended date. Security must be viewed as a steady process and evolving way of thinking about how to protect systems, networks, applications, and resources. Corporations and government institutions must be able to assess risk, identify vulnerabilities, detect security breaches, and know what to do about them.
Multi-level variable-depth security
Provide multi-level variable-depth security that defines security protection functions at the application, network-assisted, and network security levels in a layered architecture that can be flexibly defined and implemented (see figure 1). Implement variable-depth security across the enterprise, not just at the edge of the Internet: from firewall perimeter defense, to VPNs that protect Internet-traversing traffic, to VLANs that segregate and protect traffic within a network.
The application security layer provides security in Layer 7 of the OSI model, the application layer, and includes security built into server and storage platforms, such as personal firewalls. The network-assisted security layer adds security functions at OSI Layers 4-7, protecting the network layer and the application/presentation layers. The network security layer provides security functions at OSI Layers 1-3, securing the physical, link, and network levels. As such, each security level builds upon the capabilities of the layer below and provides finer-grained security and policy enforcement the closer you get to the resources.
Implement on-going security policy management, including configuration of edge devices, enforcement of policies in the network, and verification of network functionality as seen by the end-user application. Security policy should be a living document and process, enforced, implemented, and updated to reflect the latest changes in the enterprise infrastructure and services. For example, when a new device such as a wireless LAN (WLAN) is introduced into the network, on-going security policy management ensures that this device has been evaluated for its security risk and, if needed, that the security policy for the enterprise is updated to reflect the addition of this new device. This may result in the introduction of a WLAN security switch into the network to ensure that traffic is encrypted over the WLAN.
Provide access management, including stringent authentication and role-based authorization of access to all resources for all users, with granular access policies defined at the application level and managed enterprise-wide. In defining access privileges on all ports and devices, the concept of "least privilege" should be applied, granting access only as needed.
Secure network operations
Secure network operations by physically or logically partitioning network management from user traffic, and by applying other recommended security mechanisms to operational activities. These include securing activity logs (Syslog), implementing network operator authentication and authorization, encrypting network management traffic, and securing remote access for operators using either SSL or IPSec VPNs.
In addition to this, it is wise to partition the network with firewalls and VLANs to segregate management devices and management traffic from other traffic. Beyond this, install intrusion detection systems on the management servers themselves and implement anti-virus protection. Last, but not least, harden the operating systems used for network management. This closes potential security gaps in general-purpose operating systems and embedded real-time operating systems.
Secure multimedia communications by encrypting the data, voice, and video payload without introducing delays that this real-time traffic cannot tolerate. This implies using high-performance VPN systems and applying the appropriate security protocol, be it SSL, SSH, or IPSec, depending on the multimedia application.
IP telephony represents a particularly important class of application. The IP networking infrastructure that supports IP telephony must be secure from a data perspective and engineered to meet the stringent latency and reliability requirements of telephony. Security must be holistic and span the entire telephony environment, including VoIP clients and servers, application servers (such as for unified messaging and contact centers), and traditional PBXs.
Ensure survivability under attack by using resilient architectures with no single point of failure, and by applying intrusion-detection systems, anti-virus software, content filtering, and ongoing vigilance as attackers continue adopting new weaponry (Figure 2). This starts by logically organizing network services into at least two categories, essential services and non-essential services, and defining strategies that enable these services to resist, address, and recover from attacks.
The most effective approaches combine multiple resistance, identification, and recovery strategies in an adaptable manner that responds to changing network conditions.
Marie Hattar is director of security solutions at Nortel Networks (Brampton, Ontario). She is also the chair of the BCD Forum and has authored numerous articles in addition to co-authoring a book titled Implementing IP Services at the Network Edge (Addison-Wesley).