Uma Chandrashekhar

A brink of failure and breach of security detection and recovery system

In todays complex networks, a series of seemingly unrelated and minor events over an extended time period can escalate to catastrophic failure as well as alter the networks security posture. The interactions between these events are too subtle and occur over too long a time for people to recognize and respond to the impending outage or security vulnerability. This paper presents a new concept termed “brink of failure” and demonstrates its relationship to network security. The paper describes an automated Brink of Failure (BOF) and Breach of Security (BOS) Detection and Recovery System that correlates network events to recognize and diagnose BOF conditions and their impact on the networks security posture and also suggests remedial actions. All information is provided on a single display that can be integrated into network operations centers. Scenarios that demonstrate how this system can be used to proactively predict and prevent network outages are also identified.

A framework for ensuring network security

The current focus of network security is concerned with securing individual components as well as preventing unauthorized access to network services. While these are necessary concerns, they do not represent a complete view of network security. In this paper, we present the Lucent Network Security Framework, which provides a comprehensive, top-down, end-to-end perspective on network security. We show how this framework can be applied to network elements, services, and applications including detecting, correcting, and preventing security vulnerabilities. In addition, we demonstrate how the Network Security Framework can be applied to all types of networks and across all layers of the protocol stack. This framework has been submitted to several government and standards bodies (e.g., ITU-T and ISO), and it has been very well received. Service provider networks developed with attention to the Lucent Network Security Framework will have a comprehensive security architecture enabling new value-added revenue-generating security services such as security service-level agreements (SLAs).

Dynamic virtual private networks

Modifications to a virtual private networks (VPNs) topology, security, service provisioning options, or quality of service (QoS) typically require an end-user request to their service provider, whose personnel currently perform the VPN management. This process incurs more provisioning delay and is more costly than user self-provisioning. This paper presents a new service approach and dynamic virtual private network (D-VPN) technology that marries VPNs with directory enabled networking and Web-based subscriber service selection. It places VPN management into the hands of the user to produce instantaneous results, lowering service-provider operations costs, and subsequently reducing the cost to the end user. The paper also describes the target architecture and framework as well as the initial types of services that could be supported by D-VPN technology.3

Optimal availability and security for IMS-based VoIP networks

Consumers are continuously looking for ways of improving their productivity, simplifying their tasks, and streamlining communications both domestically and globally. This has resulted in the need to support different applications and thus the ongoing process of migrating many network services from traditional circuit-switched networks to Internet Protocol (IP) to converged networks. The circuit-switched public switched telephone network (PSTN) was a closed network where cyber-security threats were not a major issue. With the advent of converged networks and IP-based services, service providers, government, and enterprises are concerned about the growing security threat. The new networks and equipment will be subject to many types of threats and their vulnerabilities may expose mission critical applications and infrastructure to risk. Realization of these threats can lead to service outage. Todays communications service provider must decide how to treat the effects of security breaches so as to minimize service downtime. This paper highlights a methodology, with examples to identify the effect of security-related failures and the critical design factors to be considered when modeling service reliability. The ITU-TX.805 standard (now also ISO standard 18028-2), based on the Bell Labs security model, is used to evaluate potential high impact threats and vulnerabilities. The analysis uses the Bell Labs domain technique known as security domain evaluation. One of the critical outputs provides a prioritized understanding of the threats the network is exposed to and the vulnerabilities in the security architecture. The next step in the methodology includes incorporating the threats (vulnerabilities) identified in a reliability model and quantifying the corresponding service degradation. In this paper, these concepts are applied to IP Multimedia Subsystem (IMS)-based VoIP (Voice over IP) networks. Using reliability metrics, our analysis shows that reliability models are optimistic if we do not consider security. We demonstrate how reliability models can be enhanced to take security issues into account and that the X.805 standard can be used to identify the security threats. Finally, the model shows the mitigation in downtime by including intrusion-tolerance features in the product and network design. Consideration of security-caused downtime will lead to increased focus on preventing security vulnerabilities that can lead to service outages and also allow service providers to save on maintenance costs.

The role of slas in reducing vulnerabilities and recovering from disasters

Many service providers and network operators offer service level agreements (SLAs) supporting various service dimensions, such as price, reliability, and performance, to their customers. SLAs are usually considered more of a luxury item today than a necessity. With the increased focus on homeland security, does it make sense to use security-type SLAs as a vehicle for the government to help secure national critical infrastructures and recover quickly from a disaster? Are network security SLAs a viable option as an umbrella to protect the basic critical infrastructures? This paper discusses (a) the need and value of technical SLAs, (b) SLAs available today and widely used in industry, (c) critical components and content of security SLAs, (d) examples of security SLA architectural design for critical national services, (e) examples of what an SLA can do for homeland security, (f) viability of implementing security SLAs based on the inherent value of security, and (g) improvements required in the future to realize security SLAs as a service provider offering.

Challenges of Securing an Enterprise and Meeting Regulatory Mandates

Security incidents continue to rise globally-up 22% in 2005. Enterprises and service providers alike are faced with the challenge of ensuring a rigorous approach to network security throughout the entire lifecycle of their security programs. Many critical security requirements are currently addressed as an afterthought in a reaction to the security incidents. This results in piecemeal security fixes, which do not provide a comprehensive and cost effective security solution. Network security should be designed around a strong security framework, the available tools, standardized protocols, and where available, easily configured software and hardware. Naturally, in a multi-vendor environment, no end-to-end security solution can be achieved without standards. The Lucent Technologies Bell Laboratories Security Framework, which is the foundation for security standards ITU-T X.805 and ISO/IEC 18028-2, was developed as a comprehensive methodology for assessing and integrating network security across the enterprise. The ISO/IEC 18028 standard, which is broken into five sub-levels, provides guidance on the security aspects of the management, operation and use of IT networks. ISO/IEC 18028-2 defines a standard security architecture, which describes a consistent framework to support the planning, design and implementation of network security for the IT industry. In this paper, we discuss how the standard can be applied as a framework for network security assessment by presenting a threat analysis case study. We also discuss the applicability of the framework for implementing the technical controls for regulatory compliance initiatives. ISO/IEC 18028-2 provides a common and rigorous methodology for defining a robust security program of next generation networks

Security posture for civilian and non-civilian networks

Network security is dependent upon securing individual components, services, and applications. This is done through the prevention, detection, and correction of threats and attacks that exploit vulnerabilities in the network. Network security must be analyzed using various factors, such as security requirements, the inherent strengths and vulnerabilities of different network technologies, and the processes used to design, deploy, and operate networks. The Bell Laboratories security model provides the framework required to plan, design, and assess the end-to-end security of networks. In this paper, the Bell Labs security model is used to (1) define the basic security needs of civilian and non-civilian networks, (2) examine the security capabilities of various technologies and identify their security strengths and gaps, (3) identify key threat-mitigation strategies for civilian and non-civilian networks, and (4) illustrate the value of a comprehensive framework (e.g., the Bell Labs model) in any security program, whether designed for a civilian or a non-civilian network.

Delivering network assurance through secure and reliable solutions

With the ability to virtualize everything, we will be able to instantiate servers, networks, services, data, and appliances in a more cost effective way, allowing for cloud offerings with an expand-as-you grow model continuing to expand a borderless border. Autonomous machine-to-machine communication will not only improve our lives, but will actually spur new ways of living. Advances in technology make it possible to imagine a world in which automated oral drug delivery systems allow us to live absolutely normal lives by providing timely dosage based on symptoms; in which a refrigerator can relay a list of items to be replenished from a grocery repository; where an automobile can drive to a bus stop as it recognizes the passenger getting off the bus; or where smart meters will adjust the temperature in a building based on external weather patterns and residents. As a result of this proliferation we will have smart grids, smart homes, smart cities, smart everything performing essential and key actions on behalf of the consumer. Imagine being able to build-in dynamic preferences based on network intelligence and user or user-device behavior. So what does all of this mean? Rapidly evolving technology provides users with more power at their fingertips, but requires continuous monitoring, managing, and awareness of security and reliability to minimize exposure to threats and to ensure seamless availability of services.