It’s 3 a.m. Do you know who’s got access to your network elements?

A paper recently released by The President’s National Security Telecommunications Advisory Committee underlined how network security has become a major priority for service providers across North America. Due in part to heightened awareness of vulnerabilities since the World Trade Center attacks, the U.S. Administration ordered an initiative forcing major service providers to ensure the security of their networks by taking all necessary measures possible.

Unfortunately, the reality today does not reflect the security measures one might reasonably expect to find in service provider networks. Many network elements, particularly legacy devices, have limited security features designed into their software. Tools to centralize and automate security administration are lacking at best. Due to these challenges, combined with a lack of resources and time, security administrators are often forced to overlook basic procedures such as password strength enforcement, with the original, default password set by the manufacturer sometimes left unchanged on many network elements.

Consider also the true cost of security administration. According to industry estimates, companies will typically spend between $30 and $50 in operating expenditures (OPEX) for every password change they administer. With substantial numbers of passwords on a network being changed many times per year, automation of credential management can amount to many millions of dollars in annual expenditures.

Beyond the direct costs of security administration, there are the associated costs of opportunity that include Service Level Agreement credits, customer dissatisfaction and churn, and network outages that can be attributed to two sources. The first is the inadvertent misuse of commands by innocent network operators dealing with fast-paced, complex network operations, day in and out. The second, more ominous, is the prospect of increasingly sophisticated hackers with more than mild mischief in mind gaining control of a group of network elements within your network.

In spite of the pressing need, the reality is that the service providers face daunting challenges in administering security over their networks. They are routinely forced to use rudimentary tools, such as scripts, to effectuate password changes across their networks, with failure rates often exceeding 50% on a first pass. They are forced to allow shared passwords among network operators because of the inherent limitations in the number of accounts that can exist on a network element – a hundred employees may require access to a network element on which there is a limit of only five to six passwords. This is in spite of the fact that shared passwords compromise security altogether and make tracking network activity difficult at best. Central logging activity is also a challenge because different vendor systems log activity differently -- some on the network element, some on the element management system that accompanies the network element, etc.

Perhaps equal to the risk of hacker intrusions, at least in terms of potential network outages, in the innocent misuse of commands from within. The inability of security administrators to restrict a network operator from using specific commands beyond the scope of his responsibilities is a primary reason for this. The end result is that a network operator is typically granted greater privileges than would be ideal from the perspective of a security administrator, which in turn leads to the possibility of inadvertent or accidental human errors that can occur when configuring a network element.

Conceptually, a solution to the challenges described above entails breaking from the traditional approach of allowing users direct access to network element accounts. A better approach is to create a new layer of ‘user’ security that is distinct from the network element security layer.

This is achieved by deploying a distributed Security Proxy Server that behaves as a layer of abstraction between users logged onto the system and network element accounts. The Security Proxy Server’s job is to authenticate users and determine their command privileges before logging them on to a network element account. It furthermore filters all of their commands, allowing only those that an individual has been authorized to use. The solution described is compliant with the emerging ANSI (ATIS T1.276-2003) and ITU-T (M.3016) standard specifications being driven by governmental interest in motivating service providers to secure their infrastructure.

In taking this overall approach, several benefits arise:

1. Unique passwords for all network operators: First, passwords are no longer shared. Every network operator is assigned a unique user ID, password, and set of command privileges. All are strictly enforced by virtue of the Security Proxy Server serving as a ‘gatekeeper’ for access to the network element accounts. A further benefit is that network element account passwords remain unknown to all but a few security administrators and the Security Proxy Server.
2. Secure centralized dissemination and control of passwords: Second, security administrators avoid “swivel chair” management with one, centralized system for managing all security administration across the network. Only this sort of centralization can pave the way for true automation of the ongoing user ID and password management challenge, in turn saving the service provider millions of dollars per year in security administration effort.
3. Overcoming security feature limitations: A third benefit of such a proxy layer is that security policy and security enforcement can reside side-by-side at this single access gateway to all elements. The same server that manages all credential information and policies can apply network-wide security policies to access control enforcement as each user logs on. Indeed, the proxy also streamlines element management itself by providing a venue for single sign-on by each user, versus requiring network operators to log on to each network element in series.
4. Centralized logging of all user activities: A tiered architecture that makes use of the Security Proxy Server as described allows the tracking and logging to move out of individual elements and into a central repository. Central logging and auditing of all user activity suddenly becomes possible, with all user commands being funneled through the Security Server Proxy. Effort, time and money is spared by security administrators who can now easily access activity records from a single source in a consistent format, which in turn proves invaluable when the clock is ticking in the event of a network outage or other crisis.
5. Granular security privilege control: Not every field technician is trained and qualified to enter every possible command on every network element, nor should they be. The Security Proxy Server is required to assign and restrict command-specific privileges from among available commands by acting as a “broker.” This kind of granular control allows top-level administrators to minimize the potential for human error to occur. The novice technician cannot accidentally issue a fatal command if he is not permitted to touch that lever.

Faced with the layered challenges of authenticating each user accessing network element accounts, and of maintaining control over the commands an individual is authorized to use, many network operators are forced to accept the risk of a breach by cutting corners on standard security management practices. To date, this short-cutting has been viewed as a necessary compromise in ensuring that vital network operations go uninterrupted.

As next generation telecommunications networks become more complex and susceptible to outages, and as hacker activity continues to thrive—note emerging reports of VoIP and cellular data network concerns—such corner-cutting will become very costly. It is inevitable that, driven by survival, competition, and customer pressure to ensure high levels of network security and availability, all service providers must soon address the need for new approaches to securing the management plane.

Rob Saloman is Vice President of Sales & Marketing at Nakina Systems.

Visit Nakina Systems online.