NETWORK SECURITY HANDBOOK FOR SERVICE PROVIDERS

TABLE OF CONTENTS
1 EXECUTIVE SUMMARY . . . 2
2 THE IMPORTANCE OF NETWORK SECURITY . . . 4
ANATOMY OF NETWORK THREATS . . . 8
Overview of Security Threats . . . 8
Distributed Denial of Service (DDoS) . . . 8
Bots and Botnets . . . 9
Worms . . . 10
Zero Day Attacks . . . 10
Vulnerable Network Components . . . 11
3 BEST PRACTICES FOR SERVICE PROVIDER SECURITY . . . 11
4 GENERAL BEST PRACTICES AND TOOLS FOR SERVICE PROVIDER NETWORK SECURITY . . . 11
Routers . . . 12
MPLS VPN . . . 12
Network Address Translation (NAT) . . . 12
Access Control Lists . . . 13
Network Firewall . . . 13
Intrusion Protection System (IPS) . . . 13
Application Servers . . . 14
Identity and Policy Management . . . 14
BEST PRACTICES FOR SECURING VOIP NETWORKS . . . 15
Securing the IP Edge of the VoIP Network . . . 17
Securing VoIP Elements in the Data Center . . . 17
Securing Internet Peering Points for VoIP . . . 17
5 BEST PRACTICES FOR SECURING TV AND MULTIMEDIA SERVICES . . . 18
Securing External Network Peering Points . . . 19
Securing the Video/Super Head-end . . . 19
Securing the Video/Hub Serving Office . . . 19
BEST PRACTICES FOR SECURING 3RD GENERATION MOBILE DATA NETWORKS . . . 20
BEST PRACTICES FOR SECURING SERVICE PROVIDER DATA CENTERS . . . 22
4 JUNIPER NETWORKS SECURITY PRODUCT PORTFOLIO . . . 24
Routers . . . 24
Firewalls and IDP . . . 25
Firewalls . . . 26
Intrusion Detection and Prevention . . . 26
Session Border Controller . . . 26
Identity and Policy Management . . . 27
5 CONCLUSION . . . 27
Network Strategy Partners, LLC (NSP) — Management Consultants to the networking
industry — helps service providers, enterprises, and equipment vendors around the globe
make strategic decisions, mitigate risk, and effect change through custom consulting
engagements. NSP’s consulting includes business case and ROI analysis, go-to-market
strategies, development of new service offerings, pricing and bundling as well as
infrastructure consulting. NSP’s consultants are respected thought-leaders in the
networking industry and influence its direction through confidential engagements for
industry leaders and through public appearances, white papers, and trade magazine
articles. Contact NSP at www.nspllc.com.

Juniper Networks high-performance network infrastructure helps businesses accelerate the
deployment of services and applications to take advantage of opportunities to innovate,
grow, and strengthen their business. With Juniper, businesses can answer the challenge of
complicated, legacy networks with high-performance, open, and flexible solutions.

Jointly published by Juniper Networks and Network Strategy Partners, LLC.
1. Executive Summary
The telecommunications industry is in the midst of a major paradigm shift. In
the 1990s, most major service providers maintained separate networks for
wireline voice, mobile voice, data, and TV. Today, many service providers are
migrating all of their network services to IP packet switched networks. Voice
services are still a major component of service provider revenue. As voice
moves from circuit switched to VoIP packet switched networks (see Figure 1),
service providers will have a major incentive to wind down operations on their
expensive, legacy circuit switched infrastructure.

By converging network services to integrated IP networks, service providers
reduce capital and operations expenses while dramatically improving network
scalability and service flexibility. Furthermore, the migration to IP is increasing
competition in the telecommunications market. Cable TV providers are
offering traditional voice services, telephone companies are offering Internet
and IPTV, and new entrants are building broadband wireless networks with Wi-Fi
and WiMax technology. As increased competition is accelerating the migration
to IP, service providers operating legacy networks risk shrinking revenues and
operating margins.
Figure 1 - Forecast of VoIP Subscribers Worldwide
Service provider migration to IP networks has significant benefits and is, in fact,
necessary for long term survival. However, the rapid growth in the Internet is
also driving rapid growth in network security threats, which are escalating both
in numbers and level of severity. Threats come from a myriad of sources that
are distributed around the world. In the early days of the Internet, most threats
were created by hackers who were just causing trouble for fun. Today, threats
come from independent hackers as well as highly organized crime syndicates
focused on profiting from Internet criminal activities. Some of the potential
threats to service provider networks include:
• Distributed denial of service attacks (DDoS)
• Bots and botnets attacking servers and network infrastructure
• Worms propagating throughout the network
• Attacks on Domain Name System (DNS)
• Attacks on IP routing protocols
• Zero day attacks (these are new attacks which are unpredictable in nature)
[Figure 1 chart: Worldwide VoIP Subscribers (millions), CY04 to CY11, broken out by region (Asia Pacific, EMEA, North America, CALA). Callouts: 75.3M VoIP subs worldwide in 2007, +62% year over year; worldwide 185.7M by CY11, a 5-year CAGR of 25%, >22M net new subs/year. Source: 2008 Infonetics Research, Inc.]
The ramications of such attacks on service provider networks include:
Service outages
•
Lost, damaged, or stolen customer data•
Lost, damaged, or stolen service provider data (usage data, billing records, •
passwords, and so on)
Global telecommunications revenues are expected to reach $2 trillion by the
end of 2008 [1]; therefore, as network services migrate to IP, it is essential that
service providers and telecommunications equipment vendors be vigilant
about security. Network infrastructure must defend itself from attacks, and
operators must implement network security best practices. This network
security handbook provides service providers with an anatomy of network
security threats and a set of best practices for protecting the network. Best
practices for network security architecture are defined for some of the most
important services, applications, and network infrastructure including:
• Voice services
• TV and multimedia services
• Mobile networks
• Service provider data centers
2. The Importance of Network Security
The convergence of voice, data, TV, and mobile telecommunications on IP
networks has elevated the importance of network security. For many service
providers, IP network security presents new technical challenges because
legacy networks are fundamentally more secure than IP networks. The legacy
phone network is based on a closed, circuit switching model. Call signaling
uses the SS7 packet network which is not connected to the Internet or any
other data network. Legacy television service is delivered using broadcast over
digital or analog cable; specialized equipment which is not connected to any
external packet networks is used for video service delivery. Many legacy data
networks are based on Frame Relay and ATM; these technologies use secure
layer 2 protocols with little or no connectivity outside the private network.
Similarly, second-generation mobile networks are closed, circuit switching
architectures with limited and controlled gateways to the Internet and other
data networks. In general, legacy telecommunications networks:
• Implement service-specific networks
• Are based on closed and proprietary architectures
• Utilize end-to-end management by service providers
• Have no customer controls
• Have no external exposure

[1] Gartner
The migration to IP next-generation networks (NGNs) offers many strategic
advantages to service providers; however, the open, flexible architecture of IP
networks also poses a complex set of security threats. Multiple services, including
wireline voice, video, data, and mobile voice and data, are converging on a single
IP network. This means that IP network attacks could affect all network services
and, therefore, all network revenue. Also, threats that emerge from one service
(for example the Internet) could affect other services like TV that were previously
isolated. The IP network is based on an open, standards-based architecture
that allows for rapid and massive worldwide growth. The open nature of the IP
protocols, however, has also allowed intruders to easily access the tools needed
for network intrusions. Everyone has access to RFC documents explaining the
technical details of Internet protocols. In addition, extensive technical knowledge
is not required because there is easy access to open source tools on the Web for
creating network attacks and stealing valuable data.
IP networks use open standards for network management, operations, and
provisioning. Protocols and standards such as SNMP, XML, and the newer Web
services management model enhance the power and flexibility of operations
support systems (OSS), but they also create opportunities for intruders to access
the most sensitive and critical areas of the telecommunications network—the
network management and control plane.
Another dimension of the problem is that business users, residential users, and
mobile users are sharing the same IP network. Each of these customers has
different security requirements that need to be addressed in the service offerings
provided to them.
Attacks on IP networks can have serious and potentially devastating
consequences. Attacks can result in:
• Service outages
• Lost, damaged, or stolen customer data
• Lost, damaged, or stolen service provider data (usage data, billing records,
passwords, and so on)
Service outages can result in loss of revenue, payment of penalties for violated
service-level agreements (SLAs), and increased customer churn. There are
serious liabilities associated with lost or stolen customer data; lawsuits often
result in high payments of damages as well as a tarnished public image. Lost
or stolen service provider data can result in compromised networks and billing
systems, or other serious problems.
As network services converge to IP, service availability of the IP network is critical.
Downtime, as a result of network attacks, software errors, or configuration errors,
often results in high costs. The cost of downtime is highly variable based on the
business and applications, but in all cases is quite high. Estimates of downtime
costs for various industries and applications [2] are presented in Table 1.
INDUSTRY         APPLICATION             AVERAGE COST/HOUR OF DOWNTIME
Transportation   Airline Reservations    $89,500
Retail           Catalog Sales           $90,000
Media            Pay-per-view            $1,150,000
Financial        Credit Card Sales       $2,600,000
Financial        Brokerage Operations    $6,500,000
Table 1 - Downtime Cost Estimates in Different Vertical Markets
Downtime in service provider networks results in lost revenue due to SLA
penalties and, to add insult to injury, results in increased customer churn. Table
2 depicts some estimates [3] for hourly revenue loss for service provider network
outages in small metro areas where 100,000 residential customers and 2,000
business customers are affected by an outage. In these small areas, residential
losses are estimated to be over $8,333 per hour and business losses almost
$6,944 per hour.
While revenue loss is problematic, the potentially more serious problem (especially
in markets where there are competitive offerings) is customer churn due to
poor service. Table 3 presents a scenario for a small metro area with 100,000
customers, an increased churn rate of 5 percent due to dissatisfaction with
network service availability, and an average cost of churn of $400 per subscriber [4].

[2] See “Storage Virtualization and the full impact of Storage Disruptions: Relief and ROI”, Computer Technology Review, February 2002, Volume XX11 Number 2.
[3] These estimates are based on an ROI model developed by Network Strategy Partners, LLC.
[4] The churn projections were based on an ROI model developed by Network Strategy Partners, LLC.
In this scenario the average cost of churn for this small metro area would be
$2,000,000 per year. Clearly, network reliability and availability are critical
business requirements for enterprises and service providers.
                                    RESIDENTIAL   BUSINESS
Number of Customers                 100,000       2,000
Average Revenue per Customer        $60.00        $2,500
Hourly Lost Revenue in an Outage    $8,333        $6,944
Table 2 - Service Provider Hourly Lost Revenue for Business and Residential Network Outages

                                        RESIDENTIAL
Number of Residential Subscribers       100,000
Increased Rate of Churn                 5%
Average Cost of Churn per Subscriber    $400
Total Cost of Churn per Year            $2,000,000
Table 3 - Service Provider Costs of Increased Churn Due to Network Outages
Corporate executives, furthermore, are now legally responsible for the security
of their corporate information systems. There are multiple federal and state
government regulatory requirements requiring executives and companies to
comply with government mandated security requirements.
These regulations include:
• Sarbanes-Oxley (SOX)
• Cyber Security Critical Infrastructure Protection (CIP)
• Gramm-Leach-Bliley Act (GLBA)
• California Senate Bill Number 1386 (SB1386)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
Network security, clearly, is one of the highest priorities in IP NGNs, and
service providers need to be educated and vigilant to prevent devastating
network attacks.
Anatomy of Network Threats
The open IP architecture presents a myriad of threats from many sources to
all parts of the network. The following paragraphs give an overview of some
common threats, threat sources, and components of the network that could
be affected.
Overview of Security Threats
There are many types of security threats and they continue to grow, develop,
and mutate over time. A high level distribution of network security threats is
presented in Figure 2, and a brief description of security threats is given in
the following subsections of this paper. This is not meant to be an exhaustive
description of network threats, but rather an overview of some common threats
and terminology.
Figure 2 - Distribution of Network Security Threats
[Figure 2 chart: bar chart (0 to 50 scale) of threat categories: DDoS, Bots and Botnets, Worms, Compromised Infrastructure, DNS, BGP Route Hijacking]
Distributed Denial of Service Attack (DDoS)
A distributed denial of service (DDoS) attack is an attempt to make a computer
resource unavailable to its intended users. Perpetrators of DDoS attacks
typically target sites or services hosted on high-profile Web servers such as
banks, credit card payment gateways, and even DNS root servers. One common
method of attack involves saturating the target (victim) machine with external
communications requests such that it cannot respond to legitimate traffic,
or responds so slowly as to be rendered unavailable. In general terms, DDoS
attacks are implemented by either forcing the targeted network elements or
servers to reset, consuming their resources so that they can no longer provide
their intended service, or obstructing the communication media between the
intended users and the victim devices so that they can no longer
communicate adequately.
Bots and Botnets
Bots are computer programs that secretly install themselves on machines and
run in the background often hidden from view of users, administrators, and even
the operating system. A botnet is a group of bots that can propagate across
the Internet and can be controlled by a malicious hacker or criminal. Once bots
install themselves on machines, they scan for system vulnerabilities and collect
information such as passwords and user names. The bots in a botnet can
communicate with each other and the central controller to steal information,
exploit system weaknesses, send spam, and execute DDoS attacks.
Bots can result in network service outages or loss of critical customer or service
provider data. This is especially serious if passwords and user names are
compromised. For this reason, botnets have become one of the most serious
threats on the Internet.
The majority of botnets are used by cyber criminals to send spam and also to
illegally seek financial information. According to shadowserver.org, an organization
that tracks botnets, the number of bots measured in September 2008 peaked at
a half million infected computers. Because bots are hard to detect, the numbers
could be much larger.
One example of a current botnet is Kraken. The Kraken malware infects victims’
PCs and uses encrypted communications between bots. It also has the ability
to move command and control functionality around the botnet. And, like many
botnets, the purpose of the Kraken network seems to be the propagation of
massive amounts of spam. Individual machines infected with Kraken could send
as many as 500,000 spam messages in a single day.
Bots are rampant throughout the world as illustrated in Figure 3, and they are
growing in number and severity levels. Service providers need to understand the
nature and dynamics of botnets in order to adequately secure their networks.
[Figure 3 charts: “Active BOTs per Day” (active bot-infected computers, 0 to 100,000, Jan 2006 to May 2007) and “BOT infected Computers By Country” (source: Symantec; current rank and proportion): China (1) 26%, United States (2) 14%, France (3) 6%, Germany (4) 6%, Spain (5) 5%, United Kingdom (6) 4%, Taiwan (7) 4%, Poland (8) 3%, Brazil (9) 3%, Canada (10) 2%]
Figure 3 - Worldwide Statistics on Bots
Worms [5]

There is a large variety of Internet worms. The common characteristic
of worms is that they:
• Exploit vulnerabilities in a computer’s operating system or application software
to launch malicious software that runs on the machine
• Find information in the computer (such as email lists or lists of IP addresses)
to propagate between different machines
• Cause significant damage and financial losses to large numbers of companies
worldwide in a short period of time

One example of a well known Internet worm is Code Red. This worm exploited
a vulnerability in the indexing software distributed with IIS [6] for which a patch
had been available a month earlier. The worm spread itself using a common
type of vulnerability known as a buffer overflow. It did this by using a long
string of the repeated character “N” to overflow a buffer, allowing the worm
to execute arbitrary code infecting the machine. The worm spread by probing
random IP addresses and infecting all hosts vulnerable to the IIS exploit.

Another example of a well known worm is the Love Bug Virus. This virus arrived
in email boxes on May 4, 2000, with the simple subject of “ILOVEYOU” and an
attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”. Upon opening the attachment, the
virus sent a copy of itself to everyone in the user’s address list, posing as the
user. It also made a number of malicious changes to the user’s system.
Two aspects of the virus made it effective:
• It relied on user curiosity to entice users to open the attachment and ensure
its continued propagation.
• It exploited the weakness of the email system design that an attached
program could be run by simply opening the attachment.
Worms come in many forms and varieties, and they can result in network
service outages and loss of customer and service provider data.
Zero Day Attacks
Fundamentally, there are two types of attacks on networks: 1) known attacks
and 2) zero day attacks. The first is a known attack on a known vulnerability
which can be identified in an intrusion prevention system (IPS) by a signature.
In contrast, zero day attacks are new and therefore have no attack signatures
to identify them. To defend against zero day attacks, the IPS requires more
sophisticated methods, such as protocol anomaly detection. This topic is covered
more fully later in the paper.

[5] Worms and viruses are closely related - this discussion addresses both types of threats.
[6] Internet Information Services (IIS)—formerly called Internet Information Server—is a Microsoft-produced set of Internet-based services for servers using Microsoft Windows.
Vulnerable Network Components
Many parts of an IP network are vulnerable to threats including:
• End user equipment—PCs, servers, mobile phones, PDAs, and so on
• Network equipment—routers, Ethernet switches, and so on
• Control and signaling—network management plane, softswitches, and so on
• Applications and services—network and application servers
• OSS—network management, billing and operations management
Attacks on any of the network components above can result in loss of service
or loss of data.
3. Best Practices for Service Provider Security
Every network is unique and requires the attention of professional network
architects and designers to ensure that the network is defensible. The
principles used by network designers to secure networks are based on a set
of industry best practices. This section of the security handbook provides a
network security best practice overview which is summarized in Table 4. We
start by providing a summary of general best practices that can be applied to
any service provider network.
General Best Practices and Tools for Service Provider Network Security
This section provides an overview of some of the devices and technologies
for securing service provider networks. The devices that provide network
security are:
• Router
• Network firewall
• Intrusion Protection Systems (IPS)
• Application servers
• Identity and policy management
Routers
Network routers are core components in the IP network infrastructure. As such,
it is critical that routers implement security technologies to protect networks
from intruders.
Some of the security technologies implemented in routers are:
• VLANs
• MPLS VPN
• Network Address Translation (NAT)
• Access Control Lists (ACLs)
Virtual LANs (VLANs)
A VLAN is a layer 2 segmentation technology that allows for a group of end
stations to be grouped together into a logical LAN, even if they are not located
on the same network switch. It can also be used to segment traffic, such as
segmenting VoIP traffic from regular data traffic. The segmentation of users
and/or traffic provides a level of security by creating a virtual network, making it
difficult to intercept traffic or access a traffic segment.
MPLS VPN
The MPLS virtual private network (VPN) is a common method of securing IP
communications. The basic concept of the MPLS VPN is that a common
physical routing infrastructure hosts multiple logical routing networks. Each
logical network appears to hosts and users to be a separate IP network.
The logical network, or MPLS VPN, can use a set of private IP addresses, run
independent routing protocols local to the VPN, and remain isolated from the
Internet and all other MPLS VPNs, unless the network administrator
intentionally provides routing connectivity between networks. An MPLS VPN
therefore is equivalent to building a physically separate IP routing network.
This logical separation of IP networks provides a cost-effective approach to
securing subscriber and service-specific networks from attacks that emanate
from the Internet or other private IP networks.
Network Address Translation (NAT)
NAT is a common mechanism for mapping private IP addresses to public
addresses. The process is simple: a private IP address and TCP port is
mapped to a public address using a NAT server. One of the additional benefits
of NAT is that malicious users on the Internet cannot see the true IP source
address of the host. Without knowing the IP source address, it is more difficult
to attack hosts. This is especially important for network servers that are a focal
point for many attacks.
Access Control Lists (ACLs)
The ACL is a list of permissions that specifies who or what is allowed to access
the router or device, and what operations they are allowed to perform. In an
ACL-based security model, when a subject requests to perform an operation
on an object, the system first checks the list for an applicable entry in order
to decide whether to proceed with the operation. Depending on the ACL, the
request may be accepted or denied. ACLs provide router protection by denying
unauthorized users or packets from accessing the router.
Network Firewall
A network firewall is a dedicated appliance which inspects network traffic and
denies or permits passage based on a set of rules. The primary objective of the
firewall is to regulate traffic flows between computer networks of different trust
levels. Typical examples are the Internet, which is a zone with no trust, and an
internal network, which is a zone of higher trust. A zone with an intermediate
trust level, situated between the Internet and a trusted internal network, is
often referred to as a “perimeter network” or demilitarized zone (DMZ).
The classes of firewalls are:
• Stateless firewalls
• Stateful firewalls
Stateless firewalls are usually implemented in routers and switches as ACLs
that filter packets based on parameters in layer 3 IP headers and layer 4
TCP headers. For instance, packets can be filtered based on IP source and
destination address and TCP ports.
Stateful firewalls extend simple packet filtering to create rules based on
sessions. Filtering rules can account for the history of a session as opposed to
working on individual packets. For example, if an Internet user accesses a Web
site from an internal network, a stateful firewall will let the return packets into
the network from the Web site based on the state of the session. This is not
possible with stateless firewalls.
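To make the ACL and stateless-versus-stateful distinction concrete, here is a small simulation written for this edition of the handbook (it is not Juniper's or NSP's code): a router-style ACL evaluated packet by packet next to a firewall that records permitted flows and admits their return packets. The addresses, ports and the single permit rule are constructed assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source prefix; default matches any address
    dst: str = "0.0.0.0/0"          # destination prefix
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def stateless_filter(rules: list[Rule], pkt: Packet) -> str:
    """Router ACL semantics: first matching rule wins; unmatched packets are denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Same rule list, but permitted flows are remembered so their replies are admitted."""

    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        self.sessions: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.sessions:
            return "permit"     # belongs to a session the rules already permitted
        action = stateless_filter(self.rules, pkt)
        if action == "permit":
            # Record the flow in both directions so the reply is recognized as part of it.
            self.sessions.add(key)
            self.sessions.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        return action


# Assumed policy: hosts on the internal 10.1.0.0/16 network may reach any Web server (port 80).
RULES = [Rule("permit", src="10.1.0.0/16", dst_port=80)]


def demo() -> dict[str, list[str]]:
    """Constructed traffic: an outbound Web request, its reply, and an unsolicited inbound packet."""
    request = Packet("10.1.1.10", 51515, "203.0.113.5", 80)
    reply = Packet("203.0.113.5", 80, "10.1.1.10", 51515)
    unsolicited = Packet("203.0.113.5", 80, "10.1.1.10", 51516)
    traffic = [request, reply, unsolicited]
    fw = StatefulFirewall(RULES)
    return {
        "stateless": [stateless_filter(RULES, p) for p in traffic],
        "stateful": [fw.filter(p) for p in traffic],
    }


if __name__ == "__main__":
    print(demo())
```

The stateless ACL drops the Web server's reply because no rule permits inbound packets from the Internet, while the stateful firewall admits it as part of the session it saw open and still drops the unsolicited packet.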
Intrusion Protection System (IPS)
IPS is used to detect and prevent network attacks. IPS analyzes network traffic
for threats and takes some action to mitigate the threat when one is detected.
IPS typically uses deep packet inspection (DPI) technology to look at all layers
of network protocols from layer 2 to layer 7.
There are two fundamental mechanisms for detecting network intrusions:
• Signatures
• Protocol and application anomaly detection
Signatures are patterns of known network attacks that could operate at any
level of the protocol stack. The IPS monitors network traffic and matches
traffic with known signatures. If a sequence of packets in a session matches a
signature, then the IPS detects a known attack and takes action on the session
based on a set of user policies.
The weakness of IPS signatures is that only known attacks are detected. In
order to detect zero day attacks, IPS uses protocol, application, and traffic
pattern anomaly analysis. This method of detection uses behavior monitoring
at all layers of the stack and detects packet sequences that appear to be
abnormal. The IPS then takes action on the traffic based on a set of user
defined network policies.
Application Servers
Application servers should also be able to defend against certain security
threats. The defense should include antivirus and other anti-malware software.
This ensures that if a virus or worm does penetrate the network layer defenses,
the application server has the means to defend itself.
Identity and Policy Management
The identication and authentication of users is essential for securing the
network. Knowledge about who is accessing the network, what they are
trying to access, and when is critical to the security of the overall network.
Implementing an identity and policy management solution adds a level of
intelligence to the network, and can provide security defenses in cases
where unauthorized users try to access the network, or a legitimate user
attempts to access an application that they are not authorized to access.
In addition, identity and policy management can help to manage user sign-on by
implementing a single sign-on (SSO) system; allowing users to access multiple
networks or applications with a single sign-on. Table 4 provides a summary of
some of the best practices service providers employ to protect their networks.
FUNCTION                             DESCRIPTION
L2/3 Traffic Segmentation            Routers and switches can segment traffic into
                                     virtual networks using L2 VLANs or L3 MPLS VPNs.
L3/4 Stateless Filtering             Access Control Lists (ACLs) are used to permit or
                                     deny traffic based on parameters in L3 and L4
                                     packet headers.
L3/4 Stateful Firewall               Firewalls maintain information regarding a session,
                                     and permit or deny sessions based on L3 and L4
                                     parameters. The difference between stateless
                                     filtering and stateful firewalls is that rules
                                     apply to sessions, not individual packets.
L7 Intrusion Detection + Prevention  Deep packet inspection (DPI) is used to analyze
                                     L7 application content in sessions, and rules
                                     for processing traffic or alerting network
                                     administrators to attacks are made based on
                                     L7 application analysis.
Application Layer Security           Antivirus, anti-malware, and other application
                                     layer security models are implemented on servers.

Table 4 - Best Practices for Service Provider Security
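The stateless-versus-stateful distinction in Table 4 is easiest to see on concrete packets. The following is an added example, not code from the handbook: a per-packet ACL and a session-tracking firewall applied to the same constructed traffic (addresses, ports and the policy set are all constructed for the illustration).

```python
# Added example (not from the handbook): stateless L3/4 ACL vs. stateful L3/4
# firewall applied to the same constructed packets. Addresses are constructed.
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed: the protected (inside) network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

# Policy: inside hosts may open TCP/443 and UDP/53 sessions to the outside.
POLICY = {("tcp", 443), ("udp", 53)}

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

def acl_stateless(pkt: Packet) -> bool:
    """Each packet is judged on its own L3/L4 headers. To let replies back in,
    the list needs an inbound rule keyed on the server port, and that rule is
    equally matched by an unsolicited packet that merely sources port 443."""
    if is_inside(pkt.src) and (pkt.proto, pkt.dport) in POLICY:
        return True                      # outbound request
    if is_inside(pkt.dst) and (pkt.proto, pkt.sport) in POLICY:
        return True                      # "reply" rule: any packet from port 443/53
    return False

class StatefulFirewall:
    """Rules apply to sessions: a flow an inside host initiated is recorded,
    and inbound packets are admitted only when they reverse a known flow."""
    def __init__(self) -> None:
        self.sessions: set[tuple] = set()

    def filter(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and (pkt.proto, pkt.dport) in POLICY:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return reverse in self.sessions  # reply to a session we saw open

def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (stateless_verdict, stateful_verdict) per packet, in order."""
    fw = StatefulFirewall()
    return [(acl_stateless(p), fw.filter(p)) for p in packets]

# Constructed traffic: a request, its genuine reply, and an unsolicited packet
# crafted to look like a reply (source port 443, arbitrary destination port).
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.9", "tcp", 51000, 443),
    Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51000),
    Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 22),
]

if __name__ == "__main__":
    for pkt, (acl, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  ACL={acl}  stateful={stateful}")
```

The third packet passes the stateless list but not the stateful firewall, which is exactly why Table 4 lists both layers.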
Best Practices for Securing VoIP Networks
Mobile and fixed voice services still dominate service provider revenue
worldwide. As voice services migrate to VoIP, security challenges increase in
complexity and criticality.
Figure 4 represents a typical service provider VoIP network architecture. In a
VoIP network, there are two fundamental forms of transport:
• A control plane using either Session Initiation Protocol (SIP), H.323, or some
other VoIP signaling protocol
• A data plane transporting VoIP packets
VoIP signaling is completely separate from the VoIP data plane. IP phones set
up calls using a VoIP signaling protocol, which communicates with an IP PBX, IP
Centrex services, or network softswitches to establish VoIP sessions. Calls
can be routed across the service provider IP network, across the Internet, or to
the Public Switched Telephone Network (PSTN) via a VoIP gateway. Once the
network softswitch has set up a VoIP session, the session runs directly between
the VoIP endpoints, and Real Time Transport Protocol (RTP) is used to transport
the voice media between those endpoints over the IP network.
Figure 4 - Representative Network Architecture of a Typical VoIP Network
The VoIP network architecture offers a myriad of security vulnerabilities. DDoS
attacks are a primary area of concern, as they can come in many shapes and
forms. Typically executed by botnets, the result of a DDoS attack could be a
telephone network service outage. Some of the network elements that are
vulnerable to DDoS attacks are:
• VoIP media gateways
• Softswitches
• VoIP application servers
• IP PBX
• Session border controllers (SBCs)
Fraud and theft of services is another type of security threat. If network
criminals are able to penetrate network softswitches, media gateways, or OSS
systems, they can steal services by making free calls, modifying or deleting
billing records, or transferring false settlements to other carriers.
An overview of the best practices for network security is provided in the
following subsections for transport network elements, IP edge elements, data
center, and Internet peering points.
[Figure 4 elements: SME, enterprise and SOHO/residential access; carrier-to-carrier wholesale VoIP peering with another carrier; VoIP service provider core with VoIP switches and gateways, softswitches, media gateways, OSS, application server, media server and video apps; PSTN reached through a Class 5 switch and the SS7 IN network; Internet or IP network]
Securing the IP Edge of the VoIP Network
The primary mechanisms for controlling traffic and securing the edge of the VoIP
network are Session Border Controllers (SBCs) and IPS. SBCs are specialized
network devices designed to perform specific services in VoIP networks. They
are inserted into the signaling and/or media paths between calling and called
parties in a VoIP call. In some cases, the SBC masquerades as the called
VoIP phone and places a second call to the called party. The effect of this
behavior is that signaling traffic and media traffic (voice, video, and so on) can
be monitored and controlled by the SBC. The SBC also has the ability to modify
control signaling, allowing service providers to restrict or redirect certain calls
and helping them overcome potential problems caused by firewalls and NAT.
There are multiple security benefits to SBCs. They monitor traffic, help prevent
DDoS attacks, and they provide a mechanism for lawful intercept of VoIP calls.
SBCs also create a general framework for monitoring malicious VoIP usage and
shutting down offending users or bots.
SBCs, however, are also subject to attacks, and don't typically have the
capability to quickly update and defend against new security threats.
IPS is designed to quickly load new signatures in defense of newly found
security threats. These signatures can be created and loaded within hours,
providing the necessary response for stopping new threats. For this reason,
many networks deploy IPS in front of SBCs to prevent attacks on the SBC.
Securing VoIP Elements in the Data Center
There are multiple servers and network elements in the data center that
support VoIP services. Servers must be regularly patched, and antivirus and
anti-spyware must be kept up to date. In addition, VoIP MPLS VPNs can be
extended to the data center to provide network isolation for VoIP application
and media servers. Standard firewall/IPS configurations can result in SIP
signaling problems, so these elements must be configured to support
VoIP transport while still defending the data center from intruders. Firewalls should
utilize Application Layer Gateways (ALGs) to open and close pinholes that allow
the VoIP traffic to traverse the firewall. ALG support is required for the VoIP
signaling protocol (SIP, H.323, other) used in the network.
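An ALG opens pinholes because the media ports are only known after the signaling has been read. As an added example that is not code from the handbook or from any firewall vendor, here is a minimal SIP ALG that reads the c= and m=audio lines of an SDP offer, opens pinholes for the RTP port and its RTCP companion, refuses implausible ports, and closes the pinholes on BYE (the SIP messages, Call-ID and addresses are constructed).

```python
# Added example (not from the handbook): a minimal SIP Application Layer
# Gateway that opens firewall pinholes for the RTP/RTCP ports negotiated in
# SDP and closes them on BYE. Messages below are constructed, not captured.
import re

SIGNALING_PORTS = {5060, 5061}   # never open media pinholes to these

def parse_sdp_audio(sip_message: str) -> tuple[str, int]:
    """Return (ip, port) from the c= and m=audio lines of the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    ip = port = None
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("SDP body lacks c= or m=audio line")
    if port in SIGNALING_PORTS or port < 1024 or port % 2:
        raise ValueError(f"refusing pinhole to implausible RTP port {port}")
    return ip, port

class SipAlg:
    """Pinholes keyed by Call-ID: (ip, rtp_port) and (ip, rtp_port + 1)."""
    def __init__(self) -> None:
        self.pinholes: dict[str, set[tuple[str, int]]] = {}

    def process(self, msg: str) -> str:
        request_line = msg.split("\r\n", 1)[0]
        m = re.search(r"^Call-ID:\s*(\S+)", msg, re.M)
        if m is None:
            return "drop: no Call-ID"
        call_id = m.group(1)
        if request_line.startswith("BYE"):
            self.pinholes.pop(call_id, None)     # media is over: close holes
            return "closed"
        if "m=audio" in msg:                      # INVITE or 200 OK with SDP
            ip, port = parse_sdp_audio(msg)
            self.pinholes.setdefault(call_id, set()).update({(ip, port), (ip, port + 1)})
            return "opened"
        return "forwarded"                        # signaling with no media offer

    def permits(self, ip: str, port: int) -> bool:
        """Would the firewall pass a UDP packet to ip:port right now?"""
        return any((ip, port) in holes for holes in self.pinholes.values())

# Constructed INVITE carrying an SDP offer and the BYE that ends the call.
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: a84b4c76e66710\r\n\r\n"
```

A production ALG would also handle the answerer's SDP in the 200 OK, re-INVITEs that move the media, and a timeout for calls that never send BYE.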
Securing Internet Peering Points for VoIP
For obvious reasons, Internet peering points are high risk locations. It is a best
practice to use SBCs at peering points to protect from DDoS and other attacks.
Firewalls and IPS are also a must at peering points and should be used in
conjunction with SBCs to ensure adequate security, while minimizing service
disruptions due to NAT or other protocol problems associated with VoIP
signaling and network firewalls.

FUNCTION                                    DESCRIPTION
Securing the IP Edge                        SBCs and IPS systems are used to secure the
                                            edge of the network from external threats.
Securing VoIP Elements in the Data Center   Use firewalls and IPS to secure VoIP servers
                                            in the data center.
Securing Internet Peering Points for VoIP   Peering points should be secured with SBCs,
                                            firewalls, and IPS.

Table 5 - Summary of VoIP Network Security Best Practices
Best Practices for Securing TV and Multimedia Services
Traditional telephone companies are entering the TV and multimedia
entertainment markets by leveraging IPTV and video on demand (VOD)
technology. Delivering video entertainment services over IP networks creates
the opportunity for new and enhanced services that provide competitive
advantages over incumbents. Figure 5 depicts a typical network architecture for
IPTV and VOD.
Figure 5 - Internet TV and Multimedia Architecture
[Figure 5 elements: home with residential gateway (RG); DSLAM access; aggregation switch carrying the customer VLAN; IP edge; video/hub serving office handling VoD and broadcast TV (multicast replication); video/super head-end office with middleware and VoD servers, a policy manager and head-end global streams; Internet; platforms shown: T-series, M-series, E-series, SDX-300]
Security vulnerabilities exist throughout the IPTV architecture. Virtually all IP
network devices are subject to DDoS attacks, and prevention mechanisms
should be put into place. IP routers should utilize ACLs, NAT, MPLS
VPNs, and VLANs to secure routers and traffic. The IPTV architecture also
presents additional challenges at the network peering points, head-end
and/or the video serving office.
Securing External Network Peering Points
At all points where the video IP network interconnects with external IP networks
(the Internet or any other third-party network), stateful rewalls with IPS should
be used to prevent external attacks. Firewalls should also use NAT to shield
internal IP addresses from the outside world. This limits the information that
can be collected by an intruder for the purposes of an attack.
Securing the Video/Super Head-End
The video/super head-end is a critical component of the network that must be
secured. Network rewalls and IPS should be used to control access to the
head-end. This is also a point where digital rights management needs to be
enforced. Encryption technology combined with IPSec tunnels can be used to
ensure privacy and prevent unauthorized access to video content.
Securing the Video/Hub Serving Office
The video/hub serving office is another critical location in the network that
needs protection. Best practices include inline IDP protection with custom
signatures to detect DDoS and other attacks on video networks. Digital rights
management also needs to be enforced at these locations using encryption.
FUNCTION                                  DESCRIPTION
Securing External Network Peering Points  Stateful firewalls and routers should secure
                                          external peering points. NAT should be used to
                                          shield internal IP addresses. IPS should be used
                                          for intrusion protection.
Securing the Video/Super Head-End         Routers, firewalls, and IPS should secure the
                                          video head-end.
Securing the Video/Hub Serving Office     Routers, firewalls, and IPS should secure the
                                          video/hub serving office.

Table 6 - Summary of Best Practices for Securing an IP Video Network
Best Practices for Securing 3rd Generation Mobile Data Networks
The rapid growth of wireless data service riding on third-generation networks
has increased the need for security in the mobile packet core. Figure 6
presents a high level overview of the third-generation packet architecture.
Figure 6 - High Level Overview of Third-Generation Network Architecture
The threats on the third-generation network are similar in nature to the threats
discussed earlier. Protection is needed from DDoS attacks, botnets, worms,
and intruders attempting to hijack services and illegally monitor voice or data
communications. One of the differences in the third-generation networks is
that the Serving General Packet Radio Service (GPRS) Support Node (SGSN),
gateway GPRS support node (GGSN), and packet data serving node (PDSN) (for
CDMA2000) packet control nodes are used to manage and control all wireless
data. Since all data trafc passes through these controllers, any attack
on these systems will cause network-wide service outages. It is therefore
imperative to defend these network elements.
The key areas in the third-generation network that must be defended are
highlighted in Figure 7. Starting from the edge of the network, security must
be maintained on mobile handsets. It is the responsibility of the handset
manufacturer to install and maintain virus protection, intrusion detection, and
firewall software on the handset to defend against attacks. Handsets must also
be capable of encrypting data using SSL clients to maintain privacy.
[Figure 6 elements: RAN and RNC; roaming partner network (GRX); Internet; IP/MPLS mobile packet core with SGSN, GGSN and PDSN; PSTN; critical servers like HLR/VLR; apps, billing and data servers]
In the data core network, the methods of protection are similar to those
discussed earlier. Firewalls, IPS, and encrypted tunnels should be used to
secure interfaces to external networks. MPLS VPNs should also be used to
isolate the third-generation core network from any other IP traffic on the
network. For example, if the IP core network is supporting many services,
including third-generation mobile, Internet, wireline voice, IPTV, and business
services, an MPLS VPN can create a secure virtual IP network to support the
third-generation core packet network. Security must also be provided for all
servers, billing systems, and packet control nodes. This can be done with
firewalls and IPS, plus antivirus and anti-malware software running on the servers.
One requirement specific to third-generation networks is that firewalls must be
capable of passing GPRS Tunneling Protocol (GTP) tunnels, which are commonly
used to pass data traffic securely across the network.
Figure 7 - Best Practices for Securing 3rd Generation Packet Core Networks
[Figure 7 elements: Internet; RAN and RNC; roaming partner network (GRX); PSTN; IP/MPLS mobile packet core with SGSN, GGSN and PDSN; critical servers like HLR/VLR; apps, billing and data servers. Numbered callouts (1-7): security on the mobile handset (mandatory in FMC/UMA); roaming partner protection; protecting access nodes (UNC, RNC, etc.); GTP/Gp attacks; PSTN connection protection; application server protection (a compromise potentially exposes LIG, HLR, VLR); protecting IP nodes (SGSN, GGSN)]
FUNCTION                                      DESCRIPTION
Securing the PSTN Connections                 Firewalls and IPS protect interfaces to
                                              PSTN gateways.
Securing the SGSN, GGSN, and/or PDSN          MPLS VPNs isolate the mobile IP network
                                              from other service provider IP networks.
                                              Firewalls and IPS protect SGSN, GGSN,
                                              and PDSN.
Securing the OSS, Billing Systems,            MPLS VPNs isolate the mobile IP network
and Application Servers                       from other service provider IP networks.
                                              Firewalls and IPS protect data center
                                              OSS and billing systems.

Table 7 - Summary of Best Practices for Securing an IP Mobile Network
Best Practices for Securing Service Provider Data Centers
Rollout of new data services has led to an explosive growth in data centers.
Figure 8 presents an overview of how data centers fit into the typical service
provider network architecture. Network services are provided by multiple data
centers and application servers. These could be metro data centers or national
and regional data centers. Additionally, some services are provided by third
parties with applications hosted in remote data centers across the Internet.
Figure 8 - Architecture of Service Provider Data Centers




[Figure 8 elements: residential, business and wireless access (STB, RG, AN) into the access IP edge; metro or market serving center with metro core; national or regional serving center with super core; data centers attached at each tier; Internet, peered partner, hosting or content delivery operator, and application or content provider data centers; platforms shown: MX-series, E320, J-series]
Data centers are the brains running the network services and therefore are a
focal point for network criminals attacking service providers. There is a
complex set of systems and services running in the data center, with
vulnerabilities in each layer. These include:
• Server and OS vulnerabilities
• Application layer vulnerabilities
• Network switching vulnerabilities
• Network routing vulnerabilities
• Storage network vulnerabilities
• Data center management and control vulnerabilities
An important trend in modern data center design is system virtualization. LANs,
storage area networks (SANs), and servers are virtualized such that a single
physical network or system element can run multiple logical elements. This
has helped improve scalability, reduced operations expenses such as power
consumption and cooling, and improved data center security by isolating
components of the network and system infrastructure. In designing a secure
data center networking infrastructure, the virtualization and security defenses
in the network must correctly map to the virtualization models deployed across
the data center as a whole.
Figure 9 - Establishing a Security Perimeter in a Virtualized Data Center
[Figure 9 elements: data center L3 area ("untrusted zone"); tiered virtual perimeter with L3/L4 stateless, L3/L4 stateful and L7 signature layers; data center L2 area ("trusted zone") with fixed-configuration application servers (Apps)]