Don’t neglect security during network transition and transformation
“MPLS is dead!”, declared the CTO I was meeting at the headquarters of a publishing company in New York. It was clear that he had bought into the current fashion for hybrid networks and considered the logical extension of this to be the “All Internet Network”.
There is no doubt that building tunnels over the Internet using low-bandwidth access circuits can appear attractive, not least because they can be delivered at a fraction of the cost of dedicated private networks based on Multi-Protocol Label Switching (MPLS). This approach should, however, come with a health warning: whilst the tunnel itself is encrypted and is therefore relatively secure, the tunnel end points sit on Internet-reachable addresses and are therefore exposed to Denial of Service (DoS) attacks, says James Meek of T-Systems Ltd.
Recent estimates put cyber crime’s annual cost to the UK at £27 billion (€ 37.6 billion). With the incidence of DDoS attacks and cyber extortion on the increase, it has never been more important to understand whether the corporate network strategy strengthens the overall security of the organisation’s information assets or actually undermines it.
When organisations make the difficult decision to go to market to procure network services, there will be multiple drivers to do so. Existing contracts may be coming to an end or perhaps the LAN infrastructure is approaching the end of its life. Change in itself carries with it some level of risk and this is managed as part of the overall Transition project. It is often the case, however, that relatively little attention is paid to the subject of security during Transition and Transformation (T&T). The following steps will assist organisations to consider and plan a secure migration:
The new provider will need to provide connectivity into the existing network estate during transition to facilitate the configuration of its Operational Support Systems (OSS). New routes must be securely advertised into the existing network via a routing protocol such as BGP. It is good practice to protect these new routing adjacencies with MD5 authentication (or TCP-AO, where both ends support it). A range of ‘loopback’ IP addresses must be assigned to enable the new provider’s Network Management Systems (NMS) to access all devices located at the customer’s premises. Since these systems support multiple customers, they must be housed on a secure network protected by firewalls. Ideally, there should be multiple NMS locations, each with a contiguous IP address range. The NMS firewalls must be configured such that they allow only the specific protocols required (e.g. SSH and SNMP polling towards the devices, SNMP traps and syslog back from them) to and from the ‘loopback’ addresses described earlier, and nothing else.
The Transition project must now begin to configure each of the network devices to enable them to be accessed by the new provider’s NMS. The Transition project must ensure that each device has:
- A new loopback IP address
- SNMP server host addresses and community strings (SNMPv3 with authentication and privacy in preference to community strings, where the devices support it)
- SNMP and Virtual Terminal Access Control Lists (ACLs)
- SNTP server addresses
- SYSLOG server addresses
- RADIUS server addresses
The new provider’s NMS can now be configured to periodically poll the devices for performance statistics etc. Any configuration relating to the incumbent provider can now be removed and device Transition is deemed to be complete.
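As an added example (not code from the original post or from T-Systems), the following Python script audits an IOS-style running configuration against the checklist above: it confirms that the new loopback, SNMP host and ACL, VTY ACL, SNTP, syslog and RADIUS items are present, flags BGP neighbours with no MD5 password, and lists any line that still references the incumbent provider’s addresses, which is what the final “remove incumbent configuration” step requires before a device can be deemed Transitioned. The address ranges, the sample configuration and the line formats are constructed for illustration.

```python
"""Audit a router's running configuration against the Transition checklist.

Added example, not from the original post. Parses an IOS-style config and
reports which Transition items are present, which BGP neighbours lack an MD5
password, and which lines still reference the incumbent provider's addresses.
All address ranges and the sample configuration are constructed.
"""
import ipaddress
import re

# Assumed ranges for this example; a real estate would take these from the
# Transition design documents.
NEW_NMS = ipaddress.ip_network("10.250.0.0/24")        # new provider's NMS
OLD_NMS = ipaddress.ip_network("192.0.2.0/24")         # incumbent's NMS
NEW_LOOPBACKS = ipaddress.ip_network("10.255.0.0/16")  # loopbacks for the new provider

REQUIRED = {"loopback", "snmp_hosts", "snmp_acl", "vty_acl", "sntp", "syslog", "radius"}
DEFAULT_COMMUNITIES = {"public", "private"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: a half-transitioned device with incumbent leftovers.
SAMPLE_CONFIG = """\
hostname site-01-rtr
interface Loopback0
 ip address 10.255.1.1 255.255.255.255
interface Loopback1
 ip address 192.0.2.101 255.255.255.255
router bgp 65001
 neighbor 10.1.1.2 remote-as 65002
 neighbor 10.1.1.2 password 7 0822455D0A16
 neighbor 10.1.1.6 remote-as 65002
access-list 10 permit 10.250.0.0 0.0.0.255
access-list 10 deny any log
access-list 11 permit 10.250.0.0 0.0.0.255
snmp-server community s3cr3t RO 10
snmp-server community public RO
snmp-server host 10.250.0.5 version 2c s3cr3t
snmp-server host 192.0.2.10 version 2c oldstring
sntp server 10.250.0.8
logging host 10.250.0.9
logging host 192.0.2.20
radius-server host 10.250.0.7 key 7 094F471A1A0A
line vty 0 4
 access-class 11 in
 transport input ssh
"""


def _addrs(line):
    """Return every well-formed IPv4 address that appears in a config line."""
    out = []
    for token in IPV4.findall(line):
        try:
            out.append(ipaddress.ip_address(token))
        except ValueError:
            pass
    return out


def _in(net, line):
    return any(a in net for a in _addrs(line))


def audit_config(text, new_nms=NEW_NMS, old_nms=OLD_NMS, loopbacks=NEW_LOOPBACKS):
    present, issues, loopback_addrs = set(), [], []
    bgp_password = {}  # neighbour address -> has a password line
    section = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            section = raw.strip()  # a top-level command opens a new section
        s = raw.strip()
        parts = s.split()
        # Anything still pointing at the incumbent's addresses must go.
        if _in(old_nms, s):
            issues.append("incumbent address still referenced: " + s)
        if section.startswith("interface Loopback") and s.startswith("ip address ") and _addrs(s):
            loopback_addrs.append(_addrs(s)[0])
        elif section.startswith("router bgp") and parts[0] == "neighbor" and len(parts) > 2:
            bgp_password.setdefault(parts[1], False)
            if parts[2] == "password":
                bgp_password[parts[1]] = True
        elif s.startswith("snmp-server community "):
            if parts[2] in DEFAULT_COMMUNITIES:
                issues.append("default community string in use: " + parts[2])
            if len(parts) >= 5:
                present.add("snmp_acl")  # community restricted by an ACL
            else:
                issues.append("SNMP community without ACL: " + parts[2])
        elif s.startswith("snmp-server host ") and _in(new_nms, s):
            present.add("snmp_hosts")
        elif s.startswith("sntp server ") and _in(new_nms, s):
            present.add("sntp")
        elif s.startswith("logging host ") and _in(new_nms, s):
            present.add("syslog")
        elif s.startswith("radius-server host ") and _in(new_nms, s):
            present.add("radius")
        elif section.startswith("line vty"):
            if parts[0] == "access-class":
                present.add("vty_acl")
            if s == "transport input ssh":
                present.add("vty_ssh_only")
    if any(a in loopbacks for a in loopback_addrs):
        present.add("loopback")
    for nbr, has_pw in sorted(bgp_password.items()):
        if not has_pw:
            issues.append("BGP neighbour without MD5 password: " + nbr)
    return {"present": sorted(present), "missing": sorted(REQUIRED - present), "issues": issues}


def transition_complete(findings):
    """True only when every checklist item is present and nothing is left over."""
    return not findings["missing"] and not findings["issues"]


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for key in ("present", "missing", "issues"):
        print(key, result[key])
    print("transition complete:", transition_complete(result))
```

Run against the sample, the audit reports no missing checklist items but six issues: the leftover incumbent loopback, SNMP host and syslog destination, the unrestricted default ‘public’ community (two findings) and the second BGP neighbour with no password. Only once those lines are removed does `transition_complete` return True, which is the state the text describes as device Transition being complete.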
The Transformation project will normally run in parallel with the Transition, but the point at which a given WAN device gets Transformed to the ‘future state’ is dependent on a number of factors, including the length of the contract term of the associated existing access circuit(s). Transformation involves the deployment of new access routers and circuits on a site by site basis. Each device is deployed with a minimal initial configuration that allows it to reach only a dedicated “walled garden” provisioning network, so that an unconfigured device is never exposed to the wider network. This allows the new provider to securely deploy its standard configurations. After a period of testing, each site is ‘cut over’ from the existing, Transitioned network devices to the new devices that will provide the site’s network connectivity for the contract term.
- Organisations should carry out a risk assessment of the current network estate to determine whether the overall level of risk is compatible with the organisation’s risk appetite.
- T&T capabilities should form part of the vendor evaluation process at the RFP stage. Security can be maintained during T&T provided that people, process and technology are all considered.
The author of this blog is James Meek, an enterprise architect at T-Systems Ltd. He can be reached at firstname.lastname@example.org