Lucent Technologies Release 8.2 manual Network Security Issues, Access control network topology

Access control — network topology

A second line of defense can be thought of as damage control — how to limit the amount of damage that can be done if someone does gain unauthorized access to the system? Damage control can be provided by application restrictions.

Each of these control methods is described below.

Network topology refers to how the DEFINITY ECS network is connected to the customer’s network.

Private network

One option to restrict access is to make sure that the DEFINITY ECS network is not connected to any other network; that is, the DEFINITY ECS network is private. This topology clearly solves all three access security concerns mentioned above. However, a private network is not an option for all customers.

Access control — network administration

Access control — authentication

Open network

One other topology that may be chosen is a completely open network, where DEFINITY ECS nodes are placed on the customer network just like any other piece of data networking equipment. An open network topology addresses none of the three security concerns above, and other methods of access control must be used for these installations.

Network administration refers to how a DEFINITY ECS (specifically, the C-LAN circuit pack) is administered in terms of dial-up PPP ports and routing information. A carefully administered system has only dialup ports in service for DCS and adjunct sessions that will be established at boot time. This means that normally there will not be any ports available for a hacker to dial into. Additionally, the C-LAN circuit pack should be administered only with routes specific to the DCS and adjunct nodes. This ensures that anyone getting into a DEFINITY ECS can only get to other DCS or adjunct nodes, not anywhere else on the customer network. Careful administration will address concerns #1 and #2 above.

Note that no new access to the system access terminal (SAT), such as network-based SAT, is introduced in Release 7. As in earlier releases of DEFINITY ECS, all port and route administration can be done only via the SAT, and all changes are logged.

Authentication also plays a role in providing access control to dial-up PPP ports. All of these ports can be protected by Challenge Handshake Authentication Protocol (CHAP). This provides an extra level of assurance that no unauthorized user will be able to connect to a PPP port on C-LAN.