
Securing Your Network

Network security is a requirement for any wireless carrier. The growth of the Internet as a cost-effective and preferred method of information transfer has heightened security awareness and forced carriers to take additional steps in protecting their data. As the Internet plays an increasingly vital role in business, whether providing information through a web site or building a virtual private network (VPN), the possibility of a breach of your internal network's security is greater than ever.


And an attack can be costly. Richard Petillo, Lucent Technologies director of communications security consulting services, said security attacks can cost from $1,000 to hundreds of thousands.

"Consider the cost to a wireless carrier of putting in an authentication system, of migrating the customers to authenticatible phones and then having someone download the database in the authentication center," he said. "The cost would be enormous."

According to the Yankee Group, the network-security-management market, which includes both intrusion-detection software and monitoring tools, hit $45 million in 1997. The market is poised to reach $160 million this year and top $315 million in 1999, which reveals just how significant network security has become.

Carriers' Concerns

Security concerns can be assuaged with a well-designed and implemented security-management system, but carriers must demand secure network-access capabilities.

"The greatest challenge today is not 'what can I block?' but 'what can I allow into my network in a secure fashion?'" said Greg Smith, Check Point Technologies production marketing manager.

According to Chris Wilson, Harris senior software engineer, companies must be concerned with both internal and external threats. The 1998 Computer Security Institute/FBI Computer Crime and Security Survey showed that the number of internal vs. external attacks was almost even. Of the 520 respondents, 74% cited one to five incidents from outside the network, and 70% cited one to five incidents from inside the network.

Wilson said network vulnerability depends on the type of network involved, but the most common problem carriers face is a denial-of-service attack, where a malicious user attacks the network and takes it out of service.

"Some things are in the protocols themselves, and the denial-of-service attack exploits the protocol," he said, "but the majority can be patched just by keeping up with the latest packs for operating systems."

Other common attacks include abusing a trusted relationship between two computers, he said. If two computers on your network are set up so that users of one computer have easy access to data files on the other, attackers may take advantage of that to gain access to one computer by impersonating the other one. That problem is solved by proper firewall configurations that eliminate spoofed traffic. You can configure routers to catch that type of traffic, and using firewalls internally also can be a defense, Wilson said.
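The router-side check Wilson describes can be sketched as follows. This is an added example, not code from the article or from any vendor it names; the interface names, the 10.20.0.0/16 internal network and the sample packets are constructed assumptions. It drops packets whose source address is impossible for the interface they arrive on, which is what stops an outsider from impersonating a trusted internal host.

```python
import ipaddress

# Constructed topology (an assumption, not from the article): a router with an
# "outside" (Internet-facing) and an "inside" interface in front of one network.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")

# Source ranges that are never valid on a packet arriving from the Internet.
NEVER_FROM_OUTSIDE = [
    ipaddress.ip_network("0.0.0.0/8"),       # "this network"
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private ranges
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_packet(interface, src):
    """Return (verdict, reason) for a packet seen on `interface` with source `src`."""
    addr = ipaddress.ip_address(src)
    if interface == "outside":
        # An internal address arriving from outside is impersonating a trusted host.
        if addr in INTERNAL_NET:
            return ("drop", "internal source on outside interface")
        if any(addr in net for net in NEVER_FROM_OUTSIDE):
            return ("drop", "non-routable source on outside interface")
        return ("accept", "plausible external source")
    if interface == "inside":
        # Egress check: internal hosts may only send with internal addresses.
        if addr not in INTERNAL_NET:
            return ("drop", "foreign source on inside interface")
        return ("accept", "internal source")
    raise ValueError(f"unknown interface: {interface}")


# Constructed sample traffic; 10.20.1.5 is the host 10.20.1.9 trusts here.
SAMPLE_PACKETS = [
    ("inside", "10.20.1.5", "10.20.1.9"),       # genuine trusted host
    ("outside", "10.20.1.5", "10.20.1.9"),      # outsider claiming to be it
    ("outside", "198.51.100.7", "10.20.1.9"),   # ordinary external client
    ("outside", "192.168.4.4", "10.20.1.9"),    # private range from the Internet
    ("inside", "198.51.100.7", "203.0.113.9"),  # internal host forging a source
]


def audit(packets):
    """Return the verdict for each packet, in order."""
    return [check_packet(iface, src)[0] for iface, src, _dst in packets]
```

Calling `audit(SAMPLE_PACKETS)` shows that the same source address is accepted on the inside interface and dropped on the outside one; the last packet shows why the same rule applied in the outbound direction also matters.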

Wireless carriers are wary of the threat and take network security seriously.

"We're in a competitive business, and we're always concerned about network intrusions," said Claudio Bacinello, manager of corporate security for Clearnet Communications, a Canadian PCS provider. "But we're also concerned about maintaining the integrity of the information we present to the public. We have several external firewalls between ourselves and the Internet, and between ourselves and business partners. We also utilize firewalls internally to separate our switched operational network from the administrative network, so our telephony-focused network isn't at risk from casual users."

Clearnet has multiple layers of security between its core business systems and external environments. Its network segments also are partitioned so that a problem in one won't necessarily spread. For added security, Clearnet uses private lines, although it transfers a small number of files via the Internet.

AirTouch Cellular also employs a multilevel security strategy. According to media relations manager Patti Finley, the carrier limits access to those with a specific need. Those who have a need and have received permission to access the network are closely monitored and limited. AirTouch also works with suppliers to make sure they comply with its security guidelines.

Sprint PCS has combined network security and physical security into one functional, collaborative operation. This centralized national physical and logical access security management greatly enhances the speed with which Sprint can respond to security threats, said Michael Robinson, Sprint PCS vice president of network operations. He said Sprint PCS performs risk analysis on all of its network elements, has initiated a strong "root" management program to centrally manage privileged information and has set up passive network sniffers on its network backbone to show the high frequency of remote access attempts. In addition, internal systems access is controlled from a central entity, and all access requests are approved or denied by three different authorities.

Firewalls Are Not Enough

Application gateway-based solutions alone cannot defend against attacks. In fact, the firewall itself may be attacked to create a denial-of-service condition.

Firewalls can provide effective perimeter defense, and strong host security always will be a requirement, but these controls are difficult to monitor for real-time network intrusions, especially from an insider. Wilson compared firewalls to a security turnstile at a store or a guard at the gate. Intrusion-detection tools are more important because they are analogous to security cameras inside a store.

"Once the network traffic goes through the firewall, then it's not checked anymore," he said, "so you need some other tool that works in real time to monitor what happens after you get through the firewall."

Smith said a firewall allows companies to find a security policy that controls traffic going in and out of a network. But "a firewall is only as good as the security policy that is defined," he said.

Although firewalls provide basic but essential security, much more is necessary to fully protect your network. Smith said carriers often buy a firewall, install it in the Internet gateway and hastily throw together a security policy.

"What has to come before erecting a firewall and throwing together a policy is looking at your needs for the organization -- what resources you need to protect, what users you want to allow into your network -- and defining an organizational security policy," he said. "Once you understand what you need to protect, then you're in a position to implement a security policy."

Internet Security

Any security policy should address using leased private lines or the Internet. Private lines are more secure because there is not as much access to them, but they are more expensive.

Smith said carriers are moving away from leased lines and toward the Internet for several reasons, including cost, reach (individual users can dial into their ISPs and get Internet access, which is not possible if you rely solely on private lines) and flexibility.

But carriers that rely on the Internet should be especially vigilant.

"The number of organizations that cited their Internet connection as a frequent point of attack rose from 47% in 1997 to 54% in 1998," Wilson said. "In the past, a greater number of attacks came from inside the network."

Because of carriers' increased interest in the Internet, VPNs are growing because they can help remove the risks that come with Internet use, Smith said. Companies are moving more of their business communications to the Internet, but to protect the privacy of the data, they are using VPNs to establish private tunnels between sites or between users of sites. The VPN authenticates users and encrypts the data. Encryption technologies prevalent in the marketplace allow Internet users to have as much security as carriers using a private line, Wilson added.

Most large carriers have security at their Internet gateways for protection against external threats. But Smith said they are realizing that tools are readily available to allow internal employees to gain unauthorized access, and many are erecting internal firewalls as well.

"Some have requested hundreds of firewalls, but they don't have hundreds of Internet gateways," Smith said. "They're looking at putting firewalls throughout their network and their organization. Some are even looking at putting firewalls on a single server to control access to a single machine."

Security Solutions

To reduce management cost and ensure consistent and comprehensive security throughout the network, defining and implementing an enterprise-wide security policy is essential. Deploying this policy has become increasingly complex, however, as large networks typically include security tools from multiple vendors. Each of these devices requires a separate and different configuration process, which is time-consuming and error-prone. Too often, security managers do not have a comprehensive view of their security policies when using multi-vendor security-enforcement tools.

Because network security is only as good as your ability to control and manage the technology, a vendor-managed service provides a solution for carriers that don't want to invest in the capital or the human resources needed to implement and manage network security.

In a vendor-managed environment, carriers can focus on core business operations while the vendor manages security. By outsourcing security management, you don't need to purchase expensive equipment or hire a dedicated firewall administrator. This approach, however, requires allowing more users to access your network.

Whether you manage network security or a vendor does, you need a security solution that hides all internal IP addresses, prevents unauthorized users from disguising themselves as valid network entities and ensures a safer environment for Internet access. Clearnet's Bacinello said security comes before the service.

"We build the infrastructure before offering the service," he said. "We put the firewalls in place before initiating file transfer with our trading partners, for example. It's a matter of being pro-active on the security front, as opposed to creating a business environment and trying to retrofit security to it."

© 2012 Penton Media Inc.
