Peter H. Gregory, CISA, CISSP A Reference for the Rest of Us! ® FREE eTips at dummies.com ® Compliments of Avaya, Juniper Networks & Extreme Networks® This Avaya custom edition of Converged Network Security For Dummies shows you how to protect the communications and business application assets that you rely on to run your business. Find out how Avaya Strategic Alliance partners Juniper Networks and Extreme Networks provide multi-layered, industry-leading security infrastructures — and how Avaya Security Services can help you assess, deploy, and ultimately protect your networks. As an IT manager or decision-maker, you’ll appreciate the way that these converged network security solutions protect your corporate assets and infrastructure not only from external threats but also from threats within the ever-more-mobile business environment. And once you’ve secured your converged network, check out Avaya’s limited edition of VoIP Security For Dummies for more hints on how to effectively secure your Avaya IP Telephony solutions. Available from www.avaya.com. ISBN:978-0-470-12098-9 Avaya Part #: SVC3359 Not resaleable @ ߜ Find listings of all our books ߜ Choose from many different subject categories ߜ Sign up for eTips at etips. dummies.com Is your converged voice, video, and data network safe from threats, both internal and external? Explanations in plain English “ Get in, get out ” information Icons and other navigational aids Top ten lists A dash of humor and fun Protect your mission-critical communications systems and networks from harm Ensure that security spans the entire enterprise network Use Juniper Networks and Extreme Networks comprehensive security solutions for converged networks Extend remote access to employees without compromising security Develop converged network security policies with Avaya Security Services Avaya Custom Edition Protect your IP network from threats and misuse Converged Network Security What is the challenge with converged network security? Finding the right partners to deliver a secure, reliable, converged voice and data network infrastructure — without limiting your flexibility to grow your business and extend the reach of your network — is the key. Converged network security isn’t something to be added after the fact — the need to protect your mission-critical communications systems and business applications should be considered from the very start of your converged network planning. At the same time, it’s not enough to simply protect your network from external threats. With more and more employees using laptops and IP Softphones, converged network security has to enable protection of these assets from within the network as well — without limiting the ability of these employees to work remotely when necessary. Avaya has partnered with two of the market leaders for converged networks, Juniper Networks and Extreme Networks, to bring best-in-class security solutions to converged voice and data networks. Avaya Global Services provides expert advice on security design and implementations for small businesses to world-wide enterprises. Explore the possibilities at www.avaya.com. by Peter H. Gregory, CISA, CISSP Converged Network Security FOR DUMmIES ‰ AVAYA CUSTOM EDITION 01_120989 ffirs.qxp 1/19/07 9:04 PM Page i Converged Network Security For Dummies ® , Avaya Custom Edition Published by Wiley Publishing, Inc. 111 River Street Hoboken, NJ 07030-5774 www.wiley.com Copyright © 2007 by Wiley Publishing, Inc., Indianapolis, Indiana No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not asso- ciated with any product or vendor mentioned in this book. LIMIT OF LIABILITY/DISCLAIMER OF W ARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETE- NESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITU- ATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PRO- FESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRIT- TEN AND WHEN IT IS READ. For general information on our other products and services, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. ISBN: 978-0-470-12098-9 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 01_120989 ffirs.qxp 1/19/07 9:04 PM Page ii Publisher’s Acknowledgments We’re proud of this book; please send us your comments through our online registra- tion form located at www.dummies.com/register/. For information on a custom Dummies book for your business or organization, or information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@ Wiley.com. Some of the people who helped bring this book to market include the following: Acquisitions, Editorial, and Media Development Project Editor: Jan Sims Business Development Representative: Jacqueline Smith Editorial Manager: Rev Mengle Composition Services Project Coordinator: Kristie Rees Layout and Graphics: Erin Zeltner Proofreaders: Laura Albert, Brian H. Walls Special Help: Jon Alperin Publishing and Editorial for Technology Dummies Richard Swadley, Vice President and Executive Group Publisher Andy Cummings, Vice President and Publisher Mary Bednarek, Executive Acquisitions Director Mary C. Corder, Editorial Director Publishing for Consumer Dummies Diane Graves Steele, Vice President and Publisher Joyce Pepple, Acquisitions Director Composition Services Gerry Fahey, Vice President of Production Services Debbie Stailey, Director of Composition Services Avaya Acknowledgments This book would not have been complete without the assistance and expertise of Craig Adams and Tim Bardzil of Extreme Networks, and Shrikant Latkar of Juniper Networks. 01_120989 ffirs.qxp 1/19/07 9:04 PM Page iii 01_120989 ffirs.qxp 1/19/07 9:04 PM Page iv Contents at a Glance Introduction 1 Chapter 1: The Importance of Securing Converged Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Arrival of Converged Networks 6 Protection of Converged Networks and Devices 6 VoIP-related complexities and challenges 7 Evolving protection techniques to answer new threats 8 Understanding threats in today’s business environment 10 Partnering for Better Protection 12 Chapter 2: Jumping Juniper Networks: Improving Converged Network Security for All . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Juniper Networks’ Security Solutions 14 Firewalls and IPSec VPN 14 Intrusion detection and prevention (IDP) 15 SSL VPN secure remote access 15 Network Access Control 16 Unified management 16 Security Deployment Scenarios 17 Security for office-based users 17 Security for Road Warriors 23 Security for Teleworkers 24 Deploying Juniper Networks Solutions 25 Chapter 3: Extreme Improvements for Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Network Access Control 27 Authenticating users or devices 28 Discovering your needs automagically 30 Host integrity checking 31 Network Segmentation 32 Virtual LANs 32 Wire-speed encryption 33 Access control lists 33 02_120989 ftoc.qxp 1/19/07 9:04 PM Page v Threat Mitigation 33 IP and MAC security 34 Virtualized Security Resources 34 Deploying Extreme Networks’ Solutions 35 Chapter 4: Plans, Policies, and Avaya Security Services. . . . . . . . . . . . . . . . . . . . . . . . 37 Understanding Avaya Security Consulting Services 37 Why You Need Avaya’s Security Consulting Services 38 New services introduce new vulnerabilities 38 Expertise 39 Regulation 39 Even old technology is still important 40 02_120989 ftoc.qxp 1/19/07 9:04 PM Page vi Introduction C ompetitive businesses today need competitive security — and it’s a team effort. What is your role in your organization? Are you responsible for network architec- ture, policy, security, and strategy? Then this book can help you understand how to secure your converged network. If you’re a network practitioner, this book introduces you to the security technologies and practices you will likely be set- ting up and performing in a converged network environment. If you’re in management, you can gain an appreciation for what others in the organization need to think about in order to ensure the security and success of your converged network. Don’t forget to check out the Avaya Limited Edition of VoIP Security For Dummies for additional insight into how Avaya IP telephony relies and builds upon the security environment of the underlying converged network. You can request a copy from Avaya’s Web site at www.avaya.com. Understanding Network Security Inside-Out Getting a grip on security in today’s converged network environment can seem like a daunting and abstract exercise. But the steps you take are actually similar to those for basic home security: When you think of providing security and pro- tection for your family and possessions, first you typically create a layer of security that surrounds your house and family — you put locks on doors and windows, set alarms to notify you of intruders, and perhaps even contract with a security firm to respond in case intruders manage to get in. And when your family is traveling outside the home, you may provide them with mobile phones so that they can stay in touch with other family members in case of emergencies. 03_120989 intro.qxp 1/19/07 9:05 PM Page 1 In many ways, this level of externally oriented security is what Avaya’s partnership with Juniper Networks brings to the table — Network Access Control, firewalls, intrusion detection and prevention systems, and Virtual Private Networks (VPNs) all create a level of security that protects the converged net- work of enterprises from external threats. But if you have young children, you may also think of child- proofing inside the house — putting locks on cabinets to keep children away from chemicals and other dangerous items, covering electrical outlets to make sure that they aren’t stick- ing their fingers in them, and so on. And perhaps you lock your expensive home electronics behind cabinet doors to keep little ones from storing their grilled cheese sandwiches in the DVD player. You also teach children not to open the door to strangers. This is a case of protecting against internal threats and mishaps. This variety of security from within is where Avaya’s partner- ship with Extreme Networks brings extra security value. Virtual LANs (VLANs) help protect network resources by logically separating different types of traffic from impact by other activities. Extreme Networks also uses industry-standard protocols such as 802.1x and LLDP-MED, as well as host integrity checking, to validate the permissions of devices to connect to and use the resources of the network. It can also provide powerful switch-based capabilities that can detect anomalous behavior and identify potentially damaging net- work traffic for further evaluation. Finally, just as your entire family can often end up with a cold or virus that is sweeping through your child’s elementary school, so viruses and security threats can bypass the exter- nally facing firewalls of your enterprise. With 60 to 70 percent of virus and security threats coming from inadvertent actions of remote workers who bring their laptops back and forth between work, home, and public access points, the need to protect the network, communication systems, and other mission-critical business applications and systems from within is as important as protecting them from overt malicious hack- ing. As recently as October 2006, Apple computer admitted that a small number of their iPOD music devices were inadvertently shipped with a PC virus that could infect laptops that they are attached to. No matter how good your network firewall is, you are still vulnerable to a wide variety of attacks from within. Converged Network Security For Dummies, Avaya Custom Edition 2 03_120989 intro.qxp 1/19/07 9:05 PM Page 2 [...]... describes how Juniper Networks, one of Avaya’s strategic partners, contributes to the security of converged networks through its product offerings Chapter 3: Extreme Improvements for Network Security Chapter 3 shows how Avaya’s strategic partner, Extreme Networks, contributes to converged network security 03_120989 intro.qxp 4 1/19/07 9:05 PM Page 4 Converged Network Security For Dummies, Avaya Custom... architecture and security of your new or existing converged network, you can look to Juniper Networks products to help build as well as secure the network This chapter describes Juniper Networks’ security solutions that protect converged networks and their services Juniper Networks’ Security Solutions Juniper Networks has the full spectrum of best-in-class security technology for converged networks This... with Avaya’s security consulting services 05_120989 ch02.qxp 1/19/07 9:05 PM Page 13 Chapter 2 Jumping Juniper Networks: Improving Converged Network Security for All In This Chapter ᮣ Security for office-based users ᮣ Security for road warriors ᮣ Security for remote workers ᮣ Access control ᮣ Deployment scenarios J uniper Networks is changing the way people look at securing their converged networks Organizations... the start of your converged network project, not after the ribbon-cutting ceremony when someone asks, “Oh, by the way, where’s the security? ” 05_120989 ch02.qxp 14 1/19/07 9:05 PM Page 14 Converged Network Security For Dummies, Avaya Custom Edition Juniper Networks provides an impressive array of converged network infrastructure products, including top-quality leading-edge routing platforms, firewalls,... off the voice network and onto the data network This new network is still a data network, but it carries more than just your data, it carries your voice Or put another way, your voice is data! The new voice-plus-data network is called a converged network The applications are converged, the protocols are converged, and even the wiring is converged The single, multi-technology converged network carries... segmentation, and threat mitigation Network Access Control In its product families, Extreme Networks includes powerful access control capabilities that protect your converged network from security and performance problems By integrating 06_120989 ch03.qxp 28 1/19/07 9:05 PM Page 28 Converged Network Security For Dummies, Avaya Custom Edition access control into the network, organizations can breathe... enterprise network from the inside-out Extreme Networks builds advanced security features into its switches and routers, and offers some impressive security appliances that protect networks from disrupting security events As I explain in Chapter 1, security in a converged network is not just a perimeter challenge, solved with firewalls and IPS — it’s also vital to protect the network from within Security. .. just won’t fly on converged networks today Not only is performance more vital, but so is security Threats don’t originate only on the Internet, to be repelled by the firewall and antivirus software That’s the old school of security Threats exist within the network as well — from sick laptops to mobile user carelessness A new approach for security is called for — scalable, holistic security that protects... (Trusted Network Connect), a suite of open standards for network access control developed by the Trusted Computing Group The TNC specifications are designed to help network administrators solve the difficult task of enforcing security policies for network access in heterogeneous networks with an increasingly diverse mix of devices and software ߜ 802.1X authentication, coupled with Juniper Networks... their converged enterprise networks for both voice and data based communications Certainly converged networks reduce costs and introduce a multitude of business opportunities, yet converged networks can potentially introduce additional security risks, unless they are designed and deployed properly I emphasize designed properly — you need to line up strategic partners such as Avaya and Juniper Networks . CISA, CISSP Converged Network Security FOR DUMmIES ‰ AVAYA CUSTOM EDITION 01_120989 ffirs.qxp 1/19/07 9:04 PM Page i Converged Network Security For Dummies ® ,. leaders for converged networks, Juniper Networks and Extreme Networks, to bring best-in-class security solutions to converged voice and data networks.