Thursday, January 12, 2012

Security in Network and Element Management Systems: Genband, Motorola and L-3 Communications Style

Security is getting enormous attention these days and it’s easy to understand why. Selling into carriers and government is big business and architecting and building secure management systems is essential.

In this post, I'll discuss a few representative NMS/EMS use cases and cover the three key security layers required in management systems: Authentication, Authorization and Auditing (AAA), device-to-application communication, and the sometimes forgotten layer of inter-system communications.

The First Layer of NMS/EMS Security: AAA

NOC security usually assumes a good physical security system is already in place. You would see the guard station with the security cameras and maybe see a biometric entry mechanism, but once you are in the facility, it is all about the management system software.

The first layer of NMS/EMS security is generally around AAA or Authentication, Authorization, and Auditing.

Authentication is accomplished through a challenge-handshake mechanism in which the user's credentials are verified using a three-way handshake. The password is never sent across to the authentication module; instead a one-way hash (called the key) is used. An incrementally changing identifier and a variable challenge value provide protection against replay attacks. Policies with strong password rules or the use of tokens can also be employed.
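The handshake described above, as an added example (not code from the original post or from any product it mentions): the server issues an incrementing identifier plus a random challenge, the client returns a one-way hash over identifier, secret and challenge, and a captured response is useless once the next challenge has been issued. SHA-256 is an assumption here; the hash function and the user/password values are constructed for the example.

```python
# Added example (not the product's code): CHAP-style three-way handshake with
# an incrementing identifier and a fresh challenge, so a captured response
# cannot be replayed and the password itself never crosses the wire.
import hashlib
import hmac
import secrets

def chap_response(ident, secret, challenge):
    """Step 2, client side: one-way hash over identifier, shared secret and challenge."""
    return hashlib.sha256(bytes([ident]) + secret + challenge).digest()

class ChapServer:
    """Verifier side: holds the shared secrets and issues one-time challenges."""
    def __init__(self, secret_by_user):
        self._secret_by_user = secret_by_user  # user -> shared secret (bytes)
        self._pending = {}                     # user -> (ident, challenge) awaiting reply
        self._ident = 0

    def challenge(self, user):
        """Step 1: a never-reused identifier and 16 random challenge bytes."""
        self._ident = (self._ident + 1) % 256
        chal = secrets.token_bytes(16)
        self._pending[user] = (self._ident, chal)
        return self._ident, chal

    def verify(self, user, ident, response):
        """Step 3: recompute the expected hash. The challenge is consumed on use,
        so an old (ident, response) pair can never match again."""
        pending = self._pending.pop(user, None)
        secret = self._secret_by_user.get(user)
        if pending is None or secret is None or pending[0] != ident:
            return False
        expected = chap_response(ident, secret, pending[1])
        return hmac.compare_digest(expected, response)

def run_handshake(server, user, secret):
    """Full exchange from the client's point of view; returns (success, what an
    eavesdropper on the wire could capture)."""
    ident, chal = server.challenge(user)
    resp = chap_response(ident, secret, chal)
    return server.verify(user, ident, resp), (ident, resp)

def demo():
    pw = b"correct horse battery staple"                # constructed sample secret
    server = ChapServer({"operator": pw})
    ok, captured = run_handshake(server, "operator", pw)
    server.challenge("operator")                        # a new session begins...
    replayed = server.verify("operator", *captured)     # ...replaying the old response fails
    bad_pw, _ = run_handshake(server, "operator", b"wrong password")
    return ok, replayed, bad_pw                         # (True, False, False)
```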

Once the user is authenticated, he or she is granted authorization for access control. Support for user groups provides a mechanism to associate access rights with a set of users collectively. It is not sufficient simply to tie a user's access rights to the operation performed; a framework is needed in which permissions are associated with the subsets of objects the application manages. This in turn delivers fine-grained access control, and the authorization policy is designed with "Fine-Grained Access Control" as its focus. With a vast number of operators using the application, it's essential that each one works within the allowed space.

Given the complexity of these applications, the access control policy must be flexible enough to define a user's rights to operate on a subset of the objects the application works with. The security service achieves this by defining a set of authorized views called scopes. An authorized scope consists of a set of managed-object properties associated with the user's operations. Thus, properties such as network, IP address, node, type, etc., are used in authorized views to restrict a user to a specific type of device within a given IP range in a specified network. Database access or device configuration access may likewise be limited to a few operators.

Auditing is about recording what the user does from the moment they sign in, including the time and status of each operation performed. This enables the network administrator to take the necessary steps when any user attempts an unauthorized operation. Audit controls are not only for security: they are extremely useful for debugging, because they let you determine which users were on the system before, during and after an incident so you can reconstruct the problem.
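The scope and audit layers described in the three paragraphs above, as one added example (not the product's own code): a scope is an authorized view over managed-object properties (network, IP range, node type) plus the operations it permits, scopes are assigned through user groups, and every authorization decision, allowed or denied, is written to an audit trail. The group, user, network and device values are constructed sample data.

```python
# Added example (not the product's code): scopes as authorized views, group assignment, audit trail.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Scope:
    """Authorized view: object constraints plus the operations it permits."""
    networks: set      # allowed network names
    ip_ranges: list    # allowed CIDR blocks
    node_types: set    # allowed device types
    operations: set    # e.g. {"view", "configure"}
    def matches(self, obj):
        addr = ipaddress.ip_address(obj["ip"])
        return (obj["network"] in self.networks and obj["type"] in self.node_types
                and any(addr in ipaddress.ip_network(r) for r in self.ip_ranges))

class Authorizer:
    """Deny by default; every decision, allowed or denied, is audited."""
    def __init__(self, group_scopes, user_groups):
        self._group_scopes = group_scopes  # group -> [Scope, ...]
        self._user_groups = user_groups    # user -> {group, ...}
        self.audit = []                    # decision records, oldest first
    def authorize(self, user, obj, operation):
        scopes = [s for g in self._user_groups.get(user, ())
                  for s in self._group_scopes.get(g, ())]
        allowed = any(operation in s.operations and s.matches(obj) for s in scopes)
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "user": user, "operation": operation, "object": obj["name"],
                           "status": "allowed" if allowed else "denied"})
        return allowed

    def denied_attempts(self):
        """What an administrator reviews: every refused operation, by user."""
        return [(r["user"], r["operation"], r["object"])
                for r in self.audit if r["status"] == "denied"]

# Constructed sample data: group "east-noc" may only view routers in 10.1.0.0/16 of "east".
EAST_ROUTER_VIEW = Scope({"east"}, ["10.1.0.0/16"], {"router"}, {"view"})
ROUTER_A = {"name": "rtr-a", "network": "east", "ip": "10.1.4.7", "type": "router"}
ROUTER_B = {"name": "rtr-b", "network": "west", "ip": "10.1.4.8", "type": "router"}
SWITCH_C = {"name": "sw-c", "network": "east", "ip": "10.1.9.2", "type": "switch"}

def demo():
    az = Authorizer({"east-noc": [EAST_ROUTER_VIEW]}, {"alice": {"east-noc"}})
    results = (az.authorize("alice", ROUTER_A, "view"),       # allowed
               az.authorize("alice", ROUTER_A, "configure"),  # denied: op not granted
               az.authorize("alice", ROUTER_B, "view"),       # denied: wrong network
               az.authorize("alice", SWITCH_C, "view"))       # denied: wrong node type
    return results, az.denied_attempts()
```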

Device-to-Application Communications

The second layer of NMS/EMS protection is securing communications between the management application and devices across various protocols.

Of course, the first thing people think about is the various encryption standards. In the telecom business, the most common is SNMP v3, which supports SHA or MD5 for message authentication and DES for encryption. In the government and military space, SNMP v3 with AES encryption is used, as defined and in some cases mandated by the National Security Agency (NSA).

Besides the secure protocol layers, the management system has various infrastructure components, each listening on its own ports. The management system should be flexible enough to allow non-standard port assignments, be hardened by design, and be able to monitor port activity.

The Third Layer: Inter-System Communication and Server Security

In the past, people assumed that AAA and securing the device-to-application pipe were sufficient protection. But to be truly secure today, inter-system communication must be protected as well.

The NMS/EMS can be deployed in various environments where it needs to support different data stores depending on the requirements. Data stores such as a relational database, XML, LDAP, NDS, etc., can be integrated. The security module provides administrative interfaces to configure the data store.

In addition, an NMS/EMS can span several IT architectures. For instance, the back-end server, database server and presentation-layer server often run on different hardware. Server-to-client communication and database access need to be secured using SSL or secure RMI (Java Remote Method Invocation). Remote access is set up via HTTPS.

Then, the physical server environment must be hardened. Several steps are involved, such as: keeping OS patches up to date; tuning the OS to stop unwanted services; removing unwanted user accounts; setting a short timeout value for the root account; setting BIOS passwords; and setting automated notification triggers when a listed command is executed or when system files are modified. Often overlooked, checking the configuration of third-party software components is also key.

Use Cases

Here are three representative cases in telecom, military and mobility apps to show how security is being applied in management systems.

Telecom Systems – GENBAND, an innovator in carrier VoIP systems deployed in Tier 1 carriers such as Verizon, views security as essential and a key differentiator. To harden its management system, GenView, GENBAND typically secures NMS-to-NE communications with protocols such as SSH, SFTP, IPsec and SNMPv3 – depending on customer requirements.

AAA is achieved via a RADIUS-supported central security server with configurable password-reset policies. The central security server can also be integrated with the customer's AAA system using standard protocols such as RADIUS and LDAP. Single Sign-On (SSO) is provided when launching applications within GenView. Alternatively, the app can be accessed remotely via HTTPS.

Other GENBAND security measures include: pushing performance data via secure FTP, hardening the OS, using restricted ports, conducting periodic vulnerability scans, developing rules to better manage loads, and enforcing rigorous backup/restore procedures to protect data from being corrupted.

Military Grade – An expert in military-grade security, L-3 Communications deploys Type-1 voice/data over IP technologies for governments around the world. L-3’s management system uses many of the same secure infrastructures as commercial carriers, but also supports High Assurance Internet Protocol Encryptor (HAIPE), a National Security Agency-certified technology.

HAIPE is encrypted utilizing Advanced Encryption Standard (AES) algorithms over SNMP v3. The security aspects of L-3’s management platform encompass access control, authentication, data integrity and end-to-end network traffic protection with dual IPv4/IPv6 encryptor capabilities. From a network management point of view, its NMS features real-time equipment fault and performance status, network provisioning and automated policy changes.

L-3 also performs extensive security level checking with an emphasis on device-to-device authentication, audit logging, secure remote software updates, and access control lists. The system is also hardened to operate in extreme temperatures in the range of -40 degrees C to 60 degrees C. The system is also built to withstand vibration/shock, sand, salt and other harsh environments that you don’t want to be in.

Mobile Intelligence & Public Safety – Motorola Solutions ASTRO and Public Safety LTE are leaders in the world of secure, real-time voice/data networks for emergency response and mobile intelligence. Their systems, which serve local fire/police and state governments, employ end-to-end AES over SNMPv3 for protocol message integrity and authentication. Similar to mil-spec, these systems are rugged, mission-critical and need to be managed via a central console.

These Motorola systems allow operators to troubleshoot faults and remotely configure/optimize system parameters. Since the systems are deployed for government agencies, they comply with FIPS 140-2, a government computer security standard. These days, Motorola Public Safety is moving beyond on-premises systems to managed services and a cloud core offering with guaranteed service levels.

As our brief use cases show, security is a complex problem area that defies easy answers. Carrier and governmental security requirements are high, yet this has been done before and can be economically accomplished with the right tools and procedures.

The Business of Sports and Information Technology

An upset of epic proportions, of off-the-scale magnitude, the incredible, happened this past weekend. The Indiana University Hoosiers (unranked, and my alma mater) defeated the NCAA #1 ranked team, the Kentucky Wildcats, on a last-second 3-pointer at the buzzer. The lead changed hands three times in the closing 2 minutes; final score 73-72. The barn burner could not have been predicted better.

Consider the significance of this win: the Hoosiers had not beaten a ranked team since 2002 and have not won the National Championship since 1987 (under Bobby Knight, with the heroics of Steve Alford and Keith Smart... and yes, I was at the Fountain in Bloomington, but that is another story). Let me put this into perspective: there are over 340 Division 1 schools in the nation. It takes a lot of talent and hard work to be #1.

With the Indy Colts in the cellar without Peyton Manning, the State of Indiana needed a shot in the arm, a hair-of-the-dog pick-me-up, just a plain old-fashioned confidence boost. Even the engineers from Purdue were cheering.

I know what you are thinking. What does this have to do with the Business of Sports and Information Technology? Two things:

1. Just like sports competition, there is competition in business. If you consider the breadth of the ManageEngine product line, we compete with over 100 other software vendors in the market. That's a lot of choice. ManageEngine has over 20 products covering network management, application management, desktop management, Active Directory management, log analysis, traffic analysis... and there is more. Then, if you consider the depth of the ManageEngine product line, it covers operational, security and compliance management. Each category has several distinct players in the marketplace.

2. The sporting industry is big business. They have the same needs as any other business. They have networks and servers to run their infrastructure to serve their employees, their players and in some cases, their fans. And fans are pretty loyal. The parallel that I will draw is that our customers are fans. By last count, we have over 50,000 customers and the vast majority renew year after year. Price competition will only take you so far. High-functioning technology and high-quality support prove to be the determining factors on the playing field of IT software.

I have compiled a list of sporting companies who use ManageEngine. From the major leagues, the Sacramento Kings, Chicago Cubs and the first-place American League Central Detroit Tigers use ManageEngine. USA Olympic Volleyball too. Not only from the USA: the Australian Football League and Chelsea Football Club use ManageEngine. These teams need to play somewhere, and the Philly Comcast Spectacor, home of the National Hockey League's Philadelphia Flyers and the National Basketball Association's Philadelphia 76ers, and the Mercedes-Benz Superdome, home of the National Football League's New Orleans Saints and the Allstate Sugar Bowl, use ManageEngine. These teams have players who need equipment, and Nike Bauer, the best hockey skates in the world (I know, I played hockey for 25 years), and Easton Bell Sports, leader in protective sports, cycling and motorcycle helmets (that I personally own), both use ManageEngine. And it would not be complete unless I mentioned that SportingIndex.com, the world's #1 online sports spread betting website, and MapleLeafSports.com, proudly serving collectors of sportscards and autographed memorabilia, use ManageEngine.