Alcatel-Lucent Security Management Server (SMS) Release 9.4 Technical Overview



Alcatel-Lucent Security Management
Server (SMS)
Release 9.4
Technical Overview
260-100-022R9.4
Issue 1
June 2009



Summary of Contents for Alcatel-Lucent Security Management Server (SMS) Release 9.4

  • Page 2 Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2009 Alcatel-Lucent. All Rights Reserved.
  • Page 3: Table Of Contents

    Reason for reissue; VPN firewall solution components; How to comment.
    Alcatel-Lucent VPN Firewall Brick Security Appliance: Basic Physical and Logical Architecture; Packet Forwarding - Bridging and Routing; IEEE 802.1q VLAN Tag Support.
  • Page 4 Logging 1-30; Capacity/Throughput 1-34; Certifications 1-35.
    Alcatel-Lucent Security Management Server (SMS): Basic Design; Tiered Model; SMS Policy Objects; Permissions Model; Secure Communications; Log Collection System; Compute Servers.
  • Page 5: About This Information Product

    Purpose: This document is a technical product description and overview of the Alcatel-Lucent VPN Firewall system. It contains descriptions of all system components and features up through and including Release 9.4. Reason for reissue: Reissued for Release 9.4...
  • Page 7: A Lcatel-Lucent Vpn Firewall Brick Security Appliance

    The Brick device does not run as an application on top of a commercial operating system; rather, it runs as the kernel of a small, highly application-specific operating system developed by Alcatel-Lucent. The Brick device operating system is an evolution of Alcatel-Lucent's Inferno operating system, designed for small embedded security applications.
  • Page 8: Packet Forwarding - Bridging And Routing

    Overview: Internally, the Brick device is set up much like a classic Layer-2 Ethernet switch. Each packet inbound to a physical port is assigned to a VLAN, and that packet can bridge to any physical port with membership in that VLAN (or VLAN bridge group).
  • Page 9: Ieee 802.1Q Vlan Tag Support

    Overview: The Brick device supports the use of IEEE 802.1q VLAN tagged Ethernet frames. Each physical port can be configured to send and/or receive tagged frames, untagged frames, or a combination of both.
  • Page 10: Brick Devices

    Overview: A Brick device can be partitioned into true virtual firewalls. Each virtual firewall has its own routing information, its own set of IP addresses, and its own policy rules, which specify the types of traffic allowed and how that traffic is processed.
  • Page 11: Brick Policy Rules And Zone Rulesets

    A set of pre-configured Brick zone rulesets are installed with the Alcatel-Lucent VPN Firewall solution. These pre-configured zone rulesets consist primarily of pre-defined system rules that allow management and configuration traffic to pass between the SMS and Bricks.
  • Page 12 ...data packet: it passes, drops, tunnels (that is, encrypts/decrypts the packet) or tunnel proxies the packet, and establishes a session cache for every packet session that was passed, dropped, or proxied.
  • Page 13 ...Brick-specific rules that only apply to a particular Brick in a zone. Rule and ruleset maintenance: A full range of editing and maintenance functions is provided by the Alcatel-Lucent Security Management Server (SMS) application to update rules and rulesets to keep pace with ongoing changes in security requirements and traffic routing.
  • Page 14 • Renumber a rule by moving it up or down within a ruleset to change the order/priority in which a rule is applied to an incoming/outgoing packet •...
  • Page 15: Stateful Packet Filtering

    Overview: Every packet processed by the Brick device is considered part of a "session", regardless of IP type or higher-layer protocol. A session is simply a stateful entity tracked in memory on the Brick: a record of a conversation between two or more parties.
  • Page 16 • Rule Alarms • Source Address Translate • Destination Address Translate • Destination Port Address Translate • Quality of Service parameters • Quality of Service alarms • ToS/DiffServ tag marking. It is worthwhile to note that the Brick device processes all packets in a stateful manner.
  • Page 17: Application Filters

    Overview: The Brick device has the ability to perform inspection at the application layer of packet-based traffic passing through it using its unique Application Filter architecture. This inspection is performed for different purposes, depending on the application protocol, including to secure the protocol commands themselves, to open dynamic TCP or UDP ports as required by the semantics of the protocol, or to filter specific contents.
  • Page 18 • Microsoft NetBIOS [address translation] • RPC (Remote Procedure Call) [logging, filter by procedure and program, dynamic channel opening]. These Application Filters are customizable for the particular environment in which they are being used.
  • Page 19: Virtual Private Networking (Vpn)

    Overview: VPN is a core security component offered by the Brick device. While firewall rules can prevent obviously invalid or malicious traffic from entering a protected perimeter, a VPN can prevent all unauthenticated traffic from entering it.
  • Page 20 However, certain models support an optional hardware VPN encryption acceleration card (EAC). The Alcatel-Lucent Brick device has been certified by the ICSA for VPN and is a member of the ICSA 1.0B VPN reference platform set. Advanced features include the ability to tunnel IPSec traffic (IP type 50 or 51) inside UDP (IP type 17).
  • Page 21: Network Address Translation (Nat)

    Overview: As with many other Brick device features, Network Address Translation and Port Address Translation are performed on the Policy Rule level, within a given Virtual Firewall. Every policy rule may have an Address Translation entry. Each Address Translation entry consists of any of the following three types of translation: •...
  • Page 22 ...of IP addresses, usually on a per-zone basis. Local destination address translation is only used in conjunction with Client VPN and is used to give an inbound client VPN connection a "local"...
  • Page 23: User Authentication

    Overview: Strong user authentication is often a critical component of a security architecture. If a resource must be accessed, perhaps it is reasonable to maintain an audit trail of who accessed it and when, so any malfeasance may be traced back to an individual.
  • Page 24 Firewall Authentication: Firewall authentication is provided via HTTP or HTTPS/web browser access, using a two-step authentication procedure. First, the end user accesses a preconfigured IP address (the Virtual Brick Address of the associated Virtual Firewall) from his web browser.
  • Page 25: Quality Of Service / Bandwidth Management

    Overview: Bandwidth Management features provide the ability both to guarantee service and to limit overloads, thereby helping to ensure the end-user experience is not compromised, even during an attempted attack. Additionally, these features are designed to help the Service Provider manage individual Customer bandwidth.
  • Page 26 The Brick device can also provide IP Type-of-Service field tagging, using either ToS templates or DiffServ codepoints. The IP ToS field can be set to a given value, configurable on both the Virtual Firewall as well as the Firewall Policy Rule level.
  • Page 27: Denial Of Service Protection

    Overview: Denial of Service can be directed at two distinct points in the network: (1) at the protected hosts, such as web servers etc., and (2) at the network elements themselves, with the likely targets being firewalls and routers.
  • Page 28 ...remains half-open beyond the timer will have a TCP reset (RST) packet sent by the Brick device to the affected server, to ensure that associated resources may be cleaned up and reallocated.
  • Page 29: Brick Device Partitions

    Overview: Brick device partitions provide a way to truly share a Brick device among multiple customers, placing no requirements on the customers and their IP space. Brick device partitions are used in conjunction with virtual firewalls to provide true isolation between different logical Brick devices in the same physical device.
  • Page 30: Brick Device Failover/Redundancy & State Sharing

    Overview: Brick device failover and state sharing is accomplished by installing two Brick devices, each connected to the same sets of networks on both sides. The Brick devices are bootstrapped identically, even down to the IP addresses and VLANs.
  • Page 31 ...their MAC/interface binding. Additionally, the Brick will perform gratuitous ARPs for all entries in its MAC cache, to help ensure that session entries are properly switched as well.
  • Page 32: Dynamic Address Support (Including Dhcp)

    Overview: The Brick device has the ability to exist in a dynamic address environment. The Brick device can register its public address with its management server when used behind a many-to-one NAT device.
  • Page 33 PPPoE Support: In a DSL network environment, dynamic IP addresses are assigned by DSL modems using PPPoE. The Brick device can operate in such a setting by being assigned an IP address by way of a PPPoE session.
  • Page 34: Snmp Agent On The Brick

    ...Brick configuration for security reasons. The MIB is an Alcatel-Lucent private enterprise MIB which largely mirrors MIB-II. A private branch of the Brick module provides SNMP access to configuration, statistical, interface statistics, and tunnel endpoint information about the individual Brick, as well as LAN-LAN tunnel information and those Brick objects that map directly to a standard MIB or MIB-II object.
  • Page 35: Port (Link) Aggregation

    Overview: This feature allows two or more physical Brick device ports to be combined into one logical, aggregated port. The zone(s) assigned to the aggregated port can now support a higher bandwidth.
  • Page 36: Logging

    Overview: All logging is performed in real-time from the Brick device to its management server (SMS, as described below). Log messages are sent via TCP for reliable delivery, encrypted over a mutually-authenticated channel. This logging mechanism has been empirically tested to range from 0.1% to about 1% of the inband data rate (in...
  • Page 37 • Session Termination reason (if applicable) • Dynamic rule creation/usage (if enabled) • Detailed command logging (if enabled) • Application filter disposition (if enabled). Administrative Event Logs: Administrative Events are generated by the Brick device for a variety of reasons, ranging from security audit attack information to simple "re-configuration successful"...
  • Page 38 • a locally attached VGA monitor and PS/2 keyboard • a locally attached RS-232 serial terminal • the Alcatel-Lucent Security Management Server Remote Navigator (Graphical User Interface) The first two access mechanisms are local only, and the third, while remote in-band, is strongly secured.
  • Page 39 If you are running the SMS application on a Solaris workstation, you will be prompted for the path to the browser software (for example, /usr/sfw/bin/mozilla) in order to bring up the browser and view the selected report.
  • Page 40: Capacity/Throughput

    ...Brick device hardware architecture as well as the speed and model CPU in the Brick device. Overall capacity is largely a function of the amount of physical RAM installed in the device. Important! Please contact the Alcatel-Lucent VPN Firewall team directly for up-to-date performance statistics.
  • Page 41: Certifications

    Overview: Product safety and emissions certifications depend on the Brick model. Refer to the User's Guide of the respective Brick device for a list of certifications.
  • Page 43: Alcatel-Lucent Security Management Server (Sms)

    Overview: The Alcatel-Lucent Security Management Server (SMS) is a software-based system that is used to manage a network of Brick devices. Currently, up to 1,000 Brick devices may be managed from a given SMS host. The SMS software is designed to...
  • Page 44: Tiered Model

    Overview: The SMS is installed in a central location, with logical access to all Brick devices via an IP network. The SMS is accessed by administrators using a built-in utility called Navigator. SMS can also be accessed remotely using the SMS Remote Navigator, an included component, which may be downloaded from the SMS via HTTP/S and installed locally on multiple management workstations.
  • Page 45 ...management domains, where each group contains a set of resources. Multiple administrators may have access and the desire to modify the same object simultaneously. This raises the potential for problems caused by simultaneous changes to an object by multiple administrators, or editing of an outdated instance within an object by an administrator.
  • Page 46: Sms Policy Objects

    Overview: SMS resources are divided into SMS Groups, each containing sets of resources. In a Service Provider model, SMS Groups may be used to designate Customers of that Service Provider. Enterprises can use a single Group or decide to use multiple SMS Groups to delineate geographical regions, operating divisions, etc.
  • Page 47: Permissions Model

    Overview: Administrators of the SMS have one of two roles: SMS Administrators and Group Administrators. SMS Administrators have full access to all aspects of the SMS, managed devices, security policies, VPN tunnels, and Users. Group Administrators may have configurable Read/Write (full), Read Only (view), or No access over the set of configured SMS Groups.
  • Page 48: Secure Communications

    Overview: The original purpose of the Alcatel-Lucent Security Management Server (SMS) was to provide a secure mechanism to remotely provision Brick devices. It was designed with 20/20 hindsight of other firewalls at the time that had been compromised due to attacks on the remote provisioning mechanisms.
  • Page 49 Administrators can use either local password authentication or external database authentication with either SecurID or RADIUS servers. The authentication mechanism (which may include a pointer to an external database) is configurable on a per-administrator basis.
  • Page 50: Log Collection System

    Overview: The SMS is the central point for log collection in the Lucent VPN Firewall system. Audit logs fall into one of the following categories: • Audit Trail Log • Administrative Event Logs •...
  • Page 51: Compute Servers

    The fact that all Brick devices send log information to the centralized SMS could become a bottleneck for an extremely large network with thousands of Brick devices or very high traffic. To further enhance the scalability of the Alcatel-Lucent security solution, a set of additional servers, known as Compute Servers (CSs), expand the logging and data collection capabilities of an SMS.
  • Page 52: Configuration/Change Management

    Overview: Each object modification performed by an administrator is logged by the SMS in the Administrative Event Log. Additionally, the full and complete state of that object post-modification is stored in an additional Change History folder on the SMS host, in an individual file for each time the object is modified.
  • Page 53: Reporting System

    Overview: The SMS has the ability to generate HTML-based reports, and serve them via its own internal secure web server (HTTP or HTTPS). These reports are basically reformatted versions of the SMS logs, with full filtering and sorting capabilities. Reports may be limited to specific physical devices, Virtual Firewalls, time period ranges, or several other criteria.
  • Page 54: Alarm System

    Overview: The SMS generates alarms based on Brick device log messages, as well as locally generated log messages from the various SMS subsystems. Alarms consist of two parts: triggers and actions. Alarms are configured per-administrator, so each system administrator may configure the alarms in which they are interested, and be notified by methods appropriate to the administrator, as well as the specific alarm.
  • Page 55 Notification mechanisms include: • Console Alarm (via the SMS Remote Navigator) • Email • Out-of-band modem-dialed alphanumeric message sent to pager (via the TAP protocol) • SNMP Trap (V1 or V2c) • SYSLOG Message (with configurable SYSLOG level)
  • Page 56: Real-Time Display (Status, Graphs, Logs)

    Overview: The SMS Remote Navigator provides multiple mechanisms for reporting real-time information regarding the status of the system. Brick Status Viewers: Brick status is provided via real-time windows for each Brick, and overall for aggregate collections of Bricks.
  • Page 57 Real-time device status can be synchronized across redundant SMSs or multi-site SMSs. Graphs provide both real-time as well as historical data. Additionally, specific elements of individual Brick devices may be graphed.
  • Page 58: Snmp Agent On The Sms

    SNMPv1 and SNMPv2c are supported, only over User Datagram Protocol (UDP). SNMPv3 is currently not supported. The MIB is an Alcatel-Lucent private enterprise MIB which largely mirrors MIB-II along with selected parts of the bridge and Etherlike MIBs, including DOT3 statistics.
  • Page 59: Redundancy And Availability

    Overview: Basic redundancy is provided by two SMS servers that are installed in an active/active fashion. These two active SMS servers maintain their configuration databases across the network via real-time database replication. All inter-SMS communication is secured.
  • Page 60: Command-Line Interface

    Overview: The SMS Command Line (CLI) feature is designed to allow administrators the ability to configure many SMS components and policy objects by using a text file-based interface. This CLI is available from the SMS host, from a host running the SMS GUI remotely, or from the Brick serial port console (remote access to the SMS host must be set up by an SMS administrator).
  • Page 61: Configuration Assistant

    Overview: The SMS Configuration Assistant, securely available from the SMS Remote Navigator, allows SMS Administrators to edit system-wide parameters, such as login timeouts and log file parameters.
  • Page 62: Brick Device Remote Console

    Overview: The SMS Remote Navigator Remote Console allows administrators the ability to bring up a secure remote console to a given Brick device and execute Brick debugging/troubleshooting commands using the Brick CLI. This console is secure both from the user's workstation to the SMS and from the SMS to the Brick.
  • Page 63 ...Internet. The IPSec Client has been designed to work with the Alcatel-Lucent VPN Firewall system; some features require the use of an SMS or Brick device to function as described herein.
  • Page 64: Alcatel-Lucent Ipsec Client

    • Windows® Third-party testing has been performed documenting installation of the IPSec Client on a variety of PCs from different vendors. Please contact the Alcatel-Lucent VPN Firewall team directly for this information. Supported standards: The IPSec Client supports the following security standards •...
  • Page 65 The IPSec Client has the ability to tunnel IPSec inside of UDP packets, for the explicit purpose of using in a many-to-one NAT/PAT environment. The method of UDP-encapsulation is Alcatel-Lucent proprietary and not designed to interwork with other non Alcatel-Lucent products.
  • Page 66 ...IPSec Client software on the user's... Customization and branding: The Alcatel-Lucent IPSec Client contains features that allow an organization to customize its graphical appearance as desired. This includes images as well as text, both in the installation process and in the runtime software.
  • Page 67 Windows tray icon: The IPSec Client displays an icon in the Windows Menu Bar Tray (usually lower right corner). This icon indicates the status of the tunnel (up/down) with a color change to help the user visually confirm their tunnel status at a glance.
