The Three A's
Security breaches currently cost companies billions each year. As your network grows, so does your potential for financial loss and exposure to infiltration. New vendors, employees, methods and business practices all make your network vulnerable. People come and go, pass codes change, new business relationships form, and management control at the back-office level, or even at a remote field site, is increasingly difficult. Many experts see these security issues as the next century's largest problem.
"Once the Y2K panic has subsided, the next high-visibility issue will be network security," said Fred Hawkes, CyberGuard marketing vice president. "Means of protecting networks will be getting attention."
The primary network-security issues are the three A's: authentication, access control and auditing. Authentication is validating passwords to access data. Access control is monitoring how much information each authentic user is permitted to access, and auditing is continuous checking to determine that authorized users are the only ones on the system. Network-security components include: virtual private networks (VPNs), encryption technologies, digital signatures, firewalls and physical security. But how do you prioritize risk and decide which tools are most important?
"Security management is a constant evolution," said James McDonald, Alltel network services vice president. "We prioritize risk based on the asset value -- whether intellectual or physical -- and vulnerabilities. We do root-cause analysis and look at alternatives based on that analysis. We combat security problems by many approaches, making adjustments in policy and procedures or by using effective software tools."
Alltel uses little commercial security software, he said, because people outside the company know these tools pretty well. Instead, Alltel develops and installs its own in-house software to safeguard its wireless systems.
AUTHENTICATION
Traditionally, carriers designed their control systems by physically isolating the back office from all subscriber connections, said Joe Head, ODS Networks senior vice president. Management systems were largely proprietary and did not have public wide-area connectivity. With increasing IP deployment for internal-control functions and remote-management capability, barriers have come down.
In addition, the move toward IP-based internal controls and the fact that carriers cover large geographical areas means that the legitimate IP-control messages from the network operation centers (NOCs) must traverse large areas. This problem opens the door to physical breaches and forged management traffic, so internal command authentication is required. Since a forged control message could be inserted anywhere in your thousands of circuits, the only way to ensure a message's authenticity is for each message to carry its own digital cryptographic signature. This concept is a simple extension of public key authority concepts and digital signature concepts applied at the single packet/message level. No forgery, spoofing or replay attack is possible.
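The per-message authentication described above, as an added example that is not code from the article or from ODS: each NOC control message carries its own tag and a sequence number, so a receiving element can reject both altered (forged) and captured-and-resent (replayed) messages. The shared key, the tag construction (an HMAC standing in for the public-key signature the article describes, so the example runs with the standard library alone) and the message format are assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed demo key. The article describes public-key digital signatures;
# this example uses a keyed hash (HMAC) as a stand-in so it needs no extra library.
NOC_KEY = b"constructed-demo-key-not-for-production"


def sign_control_message(key: bytes, seq: int, command: str) -> dict:
    """NOC side: tag covers both the sequence number and the command text."""
    body = json.dumps({"seq": seq, "cmd": command}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"seq": seq, "cmd": command, "tag": tag}


class ElementVerifier:
    """Receiving network element: checks the tag first, then requires a strictly
    increasing sequence number so a captured valid message cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, msg: dict) -> tuple[bool, str]:
        body = json.dumps({"seq": msg["seq"], "cmd": msg["cmd"]}, sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad signature (forged or altered)"
        if msg["seq"] <= self.last_seq:
            return False, "replayed or out-of-order message"
        self.last_seq = msg["seq"]
        return True, "accepted"


def run_noc_demo() -> list[str]:
    """Two genuine commands, then a replay of the first and an altered copy of the second."""
    verifier = ElementVerifier(NOC_KEY)
    m1 = sign_control_message(NOC_KEY, 1, "set-tx-power site=17 dbm=40")
    m2 = sign_control_message(NOC_KEY, 2, "reload-neighbor-list site=17")
    outcomes = [verifier.accept(m1)[1], verifier.accept(m2)[1]]
    outcomes.append(verifier.accept(m1)[1])                 # replay: valid tag, stale seq
    forged = dict(m2, cmd="set-tx-power site=17 dbm=0")      # altered in transit, tag no longer matches
    outcomes.append(verifier.accept(forged)[1])
    return outcomes
```

Without the sequence number the verifier would accept the replayed message, since its tag is genuine; the signature alone proves origin, not freshness.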
Network messages that are 100% authenticated by digital signatures cannot be forged, said Billy Austin, ODS marketing director.
"Using strong encryption and solid digital-signature technology is a necessary first step," he said. "Picking good hardware-based prime numbers is also essential."
With increasing reliance on VPN-based management functions, up to 90% of core management control can be based in routers and typical IP infrastructure that hackers know how to reach. The Internet Key Exchange (IKE) protocol, used in conjunction with the IP Security (IPSec) protocol, was developed to secure data in private virtual channels on the Internet.
The three main components of IPSec are: encryption, in which a symmetric key scrambles the packet data; authentication, to ensure that data is from the correct source; and compression, which reduces the amount of data to secure and reduces or eliminates IP packet fragmentation.
For data rates greater than 1Mb/s, software is quickly overwhelmed by adding IPSec. Therefore, emerging companies have developed software and silicon solutions for implementing and accelerating VPNs. For example, Hi/fn's silicon accelerator line for the IPSec and IKE protocols helps reduce IPSec's hit on a wireless system at the aggregation point. Hardware acceleration of the VPN function is required for wide-area carrier service. During encryption, the Hi/fn processors unscramble every byte of every secure packet. During authentication, they calculate based on every byte. During compression, they search and look for patterns.
"Wireless carriers have traded off lease-line costs for the smaller investment of using Internet, but with greater security risks," explained Mark Muegee, Hi/fn product manager. "For a completely secure solution, carriers need to do some public key cryptography to set up the secure link. It takes significantly more computational horsepower to operate public key cryptography than simple symmetric key, which just looks at headers."
By compressing the packet before encryption and authentication, fragmentation is eliminated. Each packet byte, including header and payload, is checked for authenticity, making data-packet processing on the network faster and more secure.
ACCESS CONTROL
Triton PCS recently launched 15 markets throughout the southeast United States and plans to build a dozen more before year-end. The carrier is ensuring network quality and security by implementing remote-access capability that will migrate to a token environment. In a token environment, users do not need to maintain password changes but must supply a secure token to go through an encryption algorithm process in which new passwords are supplied at each log-in. Once inside the remote access server, users must provide user names and passwords to get into systems. Firewalls are used for perimeter security, helping protect external and internal systems.
"Now that wireless communications networks are so integrated with IT networks, the security of data and information that traverses the network has become vitally important," explained Clyde Smith, Triton PCS executive vice president & CTO. "We are fortunate because we are a new company. As such, we are able to deploy the latest technology to ensure that none of our systems are compromised. Deploying these technology enhancements, along with a rigorous focus on security issues in general, form the basis of our network strategy."
The FBI stated that 70% to 90% of telecommunications crime is by insiders. Companies rely on products such as Technologic's Interceptor firewall to manage network activity. By requiring authentication and encryption between a browser and a Web server, the solution helps guarantee policy enforcement, keeps employees from defacing network policy or modifying Web pages, and even controls employee access to prohibited destinations, such as pornographic sites.
"In any application, the Web site as a management tool has to be secure," said Dave Aylesworth, Technologic product manager.
AUDITING
Firewall security comes in three general forms. Packet filtering checks "to" and "from" addresses only. Stateful inspection, also called dynamic packet filtering, performs packet filtering plus sequence checking to ascertain the proper order of incoming packets. Proxy filtering includes a security check that goes inside the packet and blocks it if it does not have the proper components.
Strong firewalls, in conjunction with central-management and secure remote-management tools, can be monitored and maintained via a VPN, which actually tunnels through the Internet. The CyberGuard firewall, for instance, is a multilevel secure firewall that resides between internal networks to provide a single secure connection point through which all data must travel. Reports can be generated from all sites remotely. Audit logs can indicate why a packet was rejected or if an unauthorized person has tried to access a site. The firewall can make virus checks, too.
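The three firewall forms just described, and the audit log that records why a packet was rejected, as an added example that is not code from the article or from CyberGuard: a toy filter applies the address check, the per-flow sequence check and the look-inside-the-packet check in turn, and writes one audit line per decision. The packet fields, the "MGMT/1.0" management header and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    seq: int
    payload: str


@dataclass
class Firewall:
    allowed_pairs: set                 # address pairs the plain packet filter permits
    required_prefix: str               # the "proper component" the proxy check looks for inside
    expected_seq: dict = field(default_factory=dict)  # per-flow state for stateful inspection
    audit_log: list = field(default_factory=list)     # one line per decision, with the reason

    def check(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.dst)
        # 1. Packet filtering: look at the "to" and "from" addresses only.
        if flow not in self.allowed_pairs:
            return self._reject(pkt, "packet filter: address pair not permitted")
        # 2. Stateful inspection: packets of a flow must arrive in the expected order.
        want = self.expected_seq.get(flow, 0)
        if pkt.seq != want:
            return self._reject(pkt, f"stateful: seq {pkt.seq} but expected {want}")
        # 3. Proxy filtering: look inside the packet for the required components.
        if not pkt.payload.startswith(self.required_prefix):
            return self._reject(pkt, "proxy: payload lacks the management header")
        self.expected_seq[flow] = want + 1
        self.audit_log.append(f"ACCEPT {pkt.src}->{pkt.dst} seq={pkt.seq}")
        return True

    def _reject(self, pkt: Packet, reason: str) -> bool:
        self.audit_log.append(f"REJECT {pkt.src}->{pkt.dst} seq={pkt.seq}: {reason}")
        return False


def run_demo() -> tuple[list, list]:
    """Runs constructed sample traffic through the filter; returns (decisions, audit log)."""
    fw = Firewall(allowed_pairs={("10.1.1.5", "10.9.0.2")}, required_prefix="MGMT/1.0")
    traffic = [
        Packet("10.1.1.5", "10.9.0.2", 0, "MGMT/1.0 GET status"),
        Packet("192.0.2.44", "10.9.0.2", 0, "MGMT/1.0 GET status"),  # unknown source address
        Packet("10.1.1.5", "10.9.0.2", 5, "MGMT/1.0 GET status"),    # out of sequence
        Packet("10.1.1.5", "10.9.0.2", 1, "GET /cgi-bin/admin"),     # wrong protocol inside
        Packet("10.1.1.5", "10.9.0.2", 1, "MGMT/1.0 SET alarm=on"),
    ]
    decisions = [fw.check(p) for p in traffic]
    return decisions, fw.audit_log
```

Each rejection line names the layer that fired, which is the information an operator reading a remote audit report needs to tell a misconfigured peer (sequence errors) from an outsider (address errors) or a wrong protocol on a permitted path (proxy errors).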
Hawkes said failsafe central management even can identify security problems halfway around the world.
"Recently, an attack occurred on a firewall in Asia," he said. "That occurrence was automatically relayed back to a stateside central office within five seconds, preventing a major disruption of service."
Firewalls are an integral part of networks. Once you protect the main authentication databases and modem connections to the server maintaining the secure database, there is no reason to have a modem connection to the computer containing the database, said Simon Mizikovsky, Lucent Technologies technical manager of wireless secure communications and fraud analysis. A mobile phone's cryptographic authentication signature, which varies from access to access, is based on a secure key specific to every phone. As long as the network database containing these keys is secure, you can preserve your authentication system's integrity. This database is accessed by computer for specific authentication operations, which limits the need for access-authorized employees to access that database.
"There is nothing secret in the tower infrastructures, and only very limited requirements for secrets in the mobile switching center," Mizikovsky said. "The database that maintains a position of every mobile phone signed on the network, the (HLR), as well as the authentication center (AC) database, are a part of the mobility management security."
Although a set of communications messages exists between the HLR/AC computer and the MSC of the visited serving systems, they are standard messages and carry secondary and temporary secret codes. Therefore, the only vulnerable part of a secured network is the AC, where a limited-power computer with a large database resides.
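The split of secrets between the AC and the visited MSC described in the two paragraphs above, as an added example that is not code from the article or from Lucent: the AC alone holds the per-phone keys and hands the serving switch only a fresh challenge and its expected response (a temporary code), so the phone's signature changes on every access and the MSC never sees a long-term secret. The keyed-hash response function, the key database and the phone identifiers are constructed for this example.

```python
import hashlib
import hmac
import secrets


def response_for(key: bytes, challenge: bytes) -> bytes:
    """Computed by the phone and, independently, by the AC. The per-phone key
    never leaves either of them; only the 8-byte response travels."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


class AuthenticationCenter:
    """Holds the per-phone secret keys (the database the article says must stay secure)."""

    def __init__(self, key_db: dict):
        self._keys = key_db

    def issue_challenge_pair(self, phone_id: str) -> tuple:
        challenge = secrets.token_bytes(16)            # fresh random value for this access
        return challenge, response_for(self._keys[phone_id], challenge)


class VisitedMSC:
    """Serving switch: verifies a phone using only the temporary pair the AC supplied."""

    def authenticate(self, phone_reply: bytes, expected: bytes) -> bool:
        return hmac.compare_digest(phone_reply, expected)


class Phone:
    def __init__(self, key: bytes):
        self._key = key

    def answer(self, challenge: bytes) -> bytes:
        return response_for(self._key, challenge)


def run_auth_demo() -> dict:
    """Genuine phone, a clone without the key, a stale reply, and signature variation."""
    key_db = {"phone-A": b"constructed-per-phone-key-A", "phone-B": b"constructed-per-phone-key-B"}
    ac, msc = AuthenticationCenter(key_db), VisitedMSC()
    real, clone = Phone(key_db["phone-A"]), Phone(b"guessed-key")
    c1, e1 = ac.issue_challenge_pair("phone-A")
    c2, e2 = ac.issue_challenge_pair("phone-A")
    return {
        "genuine": msc.authenticate(real.answer(c1), e1),
        "clone": msc.authenticate(clone.answer(c1), e1),
        "stale_reply": msc.authenticate(real.answer(c1), e2),   # yesterday's answer, today's challenge
        "signature_varies": real.answer(c1) != real.answer(c2),
    }
```

The MSC-side check needs nothing but the pair it was given, which is why compromise of a serving switch or of the tower infrastructure yields no long-term secret, while the AC database remains the one place where a breach matters.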
Wireless networks are becoming larger and more complex, and so are the security issues. Hackers are becoming more technically astute, so better and more sophisticated safeguards are required. Through internal security, personnel evaluation and monitoring, digital signatures or passwords, and cryptographic authentication, you can provide reliable uninterrupted service and secure your records, customer information, and business protocols.
Correlation is becoming the name of the game in network management, and for good reason: Troubleshooting is neither fast nor easy when the problem just as easily could be a bad radio as an underprovisioned trunk. To boot, RF and SS7 engineers rarely have overlapping expertise, and multivendor environments add more layers of complexity. Determining why, say, a particular site drops calls can feel like looking for a needle in a haystack: Is it perpetually at capacity? Did the neighbor list not update during the past round of cell-splitting? Is the uplink signal weak? Or is an incorrect database directing handoffs to a channel that doesn't exist?
At PCS '99, vendors showed off new tools aiming to streamline troubleshooting. GN Nettest's Compass, for example, correlates RF- and SS7-performance statistics in GSM networks. A call-trace feature gathers information on a call and allows the user to dig through multiple layers of parameters, including received signal strength at both the mobile and the site, to ferret out the problem's cause. GN Nettest touts Compass as reducing the need for drive-testing by turning every subscriber into a drive-tester. The next version, due out by year-end, will include GPRS capabilities.
The latest version of Watch-Mark's Pilot network-surveillance system, 1.3, includes a VCR-like tool that replays events to pinpoint the problem's source. Other features include making almost any element, including generator fuel tanks and tower lights, a node that the network operations center can monitor and alarm. And in keeping with the trend toward remote access to surveillance systems, the companion tool Prospect also includes real-time access to centralized network-monitoring tools via the Web.
Also at the show:
* ADC debuted CDCmanager, a turnkey CALEA-compliance solution that pulls call information from disparate, multivendor network elements for export to law-enforcement agencies. Metrica/APT, a profiling tool for catching deviations in network performance, also debuted.
* Hewlett-Packard's ESG-D series of signal generators and the 89441A signal analyzer added Bluetooth capabilities. The Point-of-Service-Test tool, which allows store clerks to troubleshoot common handset problems, expanded to include AMPS, CDMA, GSM and TDMA.
* Tekelec's MGTS i3000 network-diagnostic tool added W-CDMA- and GPRS-testing abilities.
© 2013 Penton Media Inc.