FCAPS Series: Security Management for Carrier Ethernet
Welcome to the March 2012 issue of Creanord EchoNEWS, keeping you informed of developments at Creanord and in the fields of SLA assurance, automated Ethernet service delivery and OAM (Operations, Administration and Maintenance).
This edition of EchoNews is part of a series on EchoVault and FCAPS, providing guidance to Communications Service Providers (CSPs) on implementing FCAPS (Fault, Configuration, Accounting, Performance and Security in the ITU-T TMN model). Any complete EMS/NMS platform should support a comprehensive set of FCAPS functions and integrate seamlessly with OSS/BSS systems. This edition focuses on Security Management for Carrier Ethernet. For previous articles, please see the Creanord EchoNEWS Archive.
FCAPS Security Management - Maximize Utility while Minimizing Risk
The goal of FCAPS Security Management is to protect the network from disruption, whether intentional or unintentional, while still allowing smooth operations. Security Management is also the area concerned with ensuring appropriate authentication and authorization to system and network resources according to specified security policies. Security is a very extensive area and is naturally required in all functional areas. This article focuses on system-level security as it relates to EchoVault and the network elements and resources accessed through it.
Any endeavor to create a secure system and network starts with basic security principles. Devices and areas that need to be kept free from tampering must have strictly controlled access, including limiting access to sensitive devices and servers, and the same is true for software functions. Further, it is important for the administrator to use all the available security tools.
The main areas within EchoVault Security Management are:
- Secure communication between EchoVault Controllers and network elements with optional SSL certificate authentication
- User and administrator access control to EchoVault functions
- URL security proxy for EchoVault Portal
- Audit trail and user logs
EchoVault is built for carrier and military grade security. Communication between EchoAgents and Controllers (and between Controllers) is based on HTTPS. TCP communication is always initiated by the EchoAgent residing on the network element, so no ports need to be opened for EchoVault on the device running the EchoAgent. Each EchoAgent has its own automatically created strong communication key, so even if one EchoAgent is broken into and its key accessed, that key cannot be used to access other nodes.
It is also possible to use SSL certificates to further strengthen security. When enabled, SSL is used to validate certificates in network elements, Local Controllers and the Main Controller. Authentication is always required by the Local Controller and Main Controller and is used by the processes providing EchoVault communications services for the EchoAgent and the Local Controller identities.
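The containment property of per-agent keys described above, as an added example that is not Creanord's code: a hypothetical controller authenticates agent messages and a key taken from one agent is rejected for any other. HMAC-SHA256 message authentication and the names `Controller`, `sign` and the agent IDs are assumptions; the article does not say how EchoVault uses the key.

```python
import hashlib
import hmac
import secrets


def sign(key, agent_id, payload):
    # Bind the claimed agent ID into the MAC so a tag is valid for one identity only.
    ident = agent_id.encode()
    msg = len(ident).to_bytes(2, "big") + ident + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Controller:
    """Hypothetical controller holding one independent key per enrolled agent."""

    def __init__(self):
        self._keys = {}

    def enroll(self, agent_id):
        # Generated independently, never derived from a shared master secret,
        # so one stolen key says nothing about any other agent's key.
        self._keys[agent_id] = secrets.token_bytes(32)
        return self._keys[agent_id]

    def revoke(self, agent_id):
        self._keys.pop(agent_id, None)

    def verify(self, agent_id, payload, tag):
        key = self._keys.get(agent_id)
        if key is None:
            return False  # unknown or revoked agent: fail closed
        return hmac.compare_digest(sign(key, agent_id, payload), tag)


def demo():
    ctl = Controller()
    key_a, key_b = ctl.enroll("agent-a"), ctl.enroll("agent-b")
    report = b'{"metric": "delay_ms", "value": 4}'  # constructed sample payload
    out = {
        "a_with_own_key": ctl.verify("agent-a", report, sign(key_a, "agent-a", report)),
        # Someone holding agent-a's key claims to be agent-b: must be rejected.
        "b_with_a_key": ctl.verify("agent-b", report, sign(key_a, "agent-b", report)),
    }
    ctl.revoke("agent-a")  # containment touches only the compromised agent
    out["a_after_revoke"] = ctl.verify("agent-a", report, sign(key_a, "agent-a", report))
    out["b_after_revoke"] = ctl.verify("agent-b", report, sign(key_b, "agent-b", report))
    return out
```

Revoking the one affected key is the whole incident response for the key material; the other agents keep working without re-enrollment.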
The EchoVault Portal gives service provider customers secure access to reports and views from EchoVault. A URL Security Proxy (USP) for publishing to the EchoVault Portal Engine is included in the portal, and content is accessed securely through it. The portal is located in the DMZ, and communication with the NOC-based EchoVault goes through the USP. The USP limits the number of concurrent connections and protects the EchoVault Server against Denial of Service attacks. The USP proxies traffic to the EchoVault reporting component, not to the UI component.
All connections from customers or portal users go to the IP address of the EchoVault Portal. Access to the EchoVault Portal can be further controlled by DMZ tools such as firewalls and remote access gateways. See the picture below for details.
Security for Users - Secure or Usable?
In user and privilege management there is often a trade-off between security and usability. In EchoVault the design principle has been to allow flexible configuration of privileges so that users need not be given overly broad privileges. Administrators have powerful yet easy-to-use tools to manage users, groups and privileges. Convenient privilege groups are provided for e.g. operations, reporting and administrator users, while preserving the option to give more granular privileges at the function level to override defaults. To allow access where no updating is required, Read-only privileges per function are provided in addition to Full control privileges. The access privileges are fully customizable and extend to a very granular level, while still providing easily implementable standard levels of access. This gives the administrator a full set of tools to grant each user the privileges needed to perform their duties.
One FCAPS requirement is that an administrator shall be able to view the changes made by a user. EchoVault provides a view of each configuration version for each policy, which can be used to see what the configuration was at a previous point in time, with timestamp and user ID. The system also includes audit trail functionality, which tracks user access to the system in order to provide an understanding of unauthorized usage if needed.
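The privilege model and audit trail described in the two paragraphs above, as an added example that is not EchoVault code: group defaults, a function-level override that replaces them, Read-only versus Full control, and an audit record for every decision. The group contents, function names, record fields and the rule that an override wins over the group default are assumptions made for illustration.

```python
from datetime import datetime, timezone
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ_ONLY = 1
    FULL_CONTROL = 2


# Hypothetical group defaults; names are illustrative, not EchoVault's.
GROUP_DEFAULTS = {
    "reporting": {"reports": Access.READ_ONLY},
    "operations": {"reports": Access.READ_ONLY, "policies": Access.FULL_CONTROL},
    "administrator": {"reports": Access.FULL_CONTROL,
                      "policies": Access.FULL_CONTROL,
                      "users": Access.FULL_CONTROL},
}


def effective_access(user, function):
    # A function-level override replaces the group default, so it can
    # narrow a broad group as well as widen a narrow one.
    if function in user.get("overrides", {}):
        return user["overrides"][function]
    levels = [GROUP_DEFAULTS.get(g, {}).get(function, Access.NONE)
              for g in user.get("groups", [])]
    return max(levels, default=Access.NONE)  # unknown group/function: deny


def authorize(user, function, write, audit_log, now=None):
    needed = Access.FULL_CONTROL if write else Access.READ_ONLY
    allowed = effective_access(user, function) >= needed
    # Record every decision, allowed or denied, with timestamp and user ID.
    audit_log.append({"ts": (now or datetime.now(timezone.utc)).isoformat(),
                      "user": user["id"], "function": function,
                      "action": "write" if write else "read",
                      "allowed": allowed})
    return allowed


def denied_attempts(audit_log):
    # Denied requests per user: the starting point for a misuse review.
    counts = {}
    for rec in audit_log:
        if not rec["allowed"]:
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


def demo():
    noc = {"id": "noc1", "groups": ["operations"],
           "overrides": {"policies": Access.READ_ONLY}}  # narrowed from group
    rep = {"id": "rep1", "groups": ["reporting"]}
    log = []
    results = [authorize(noc, "policies", False, log),
               authorize(noc, "policies", True, log),
               authorize(rep, "reports", False, log),
               authorize(rep, "users", True, log)]
    return results, denied_attempts(log), log
```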
Stay tuned for more information on how EchoVault helps you with Carrier Ethernet FCAPS.