Secure Communications - Alcatel-Lucent Security Management Server (SMS) Release 9.4 Technical Overview

Alcatel-Lucent Security Management Server (SMS)

Secure Communications

Overview
The original purpose of the Alcatel-Lucent Security Management Server (SMS) was to
provide a secure mechanism for remotely provisioning Brick devices. It was designed
with the benefit of hindsight: other firewalls of the time had been compromised
through attacks on their remote provisioning mechanisms.
The foundation of Brick-to-SMS security is a cryptographic system of digital
signatures and authentication keychains, intended to provide a high degree of
assurance that a Brick device cannot be re-provisioned by any individual or system
other than its dedicated SMS.
Each Brick device is allocated a certificate by the SMS. That certificate is used to
verify mutual authenticity and serves as the foundation for a confidential,
authenticated, integrity-verified channel. Diffie-Hellman (key agreement), DSS
(digital signatures), 3DES (encryption) and SHA-1 (integrity) together provide the
secure channel between the SMS and the Brick device. Note that both 3DES and SHA-1
have since been deprecated for new cryptographic designs.
Generally, a Brick device is bootstrapped by configuring its basic parameters in the
SMS and then generating a "boot floppy" disk. Newer Brick models use a USB flash
drive in place of the floppy disk. The disk is physically inserted into the Brick,
which copies its operating system and basic boot parameters (but NOT its security
policy) from the disk to its local flash storage. The disk is then removed and
destroyed, and the Brick is booted. When the Brick boots, it contacts its management
server (the SMS) for a secure transfer of its policy. The boot disk may be created
from any workstation, including one that has no direct access to the SMS.
Alternatively, a Brick device may be bootstrapped over its serial port with a
terminal application.
Each administrator is also allocated a certificate by the SMS, and that certificate
is used to verify every task performed by that administrator. The policy stored on
the Brick's NVRAM disk is digitally signed both by the SMS and by the administrator
who applied the Virtual Firewall policy to that Brick device, so a valid policy
requires both signatures. This mechanism alone makes unauthorized re-provisioning of
the Brick device cryptographically infeasible, though not impossible.
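As an added illustration of this dual-signature check (example code written for this page, not Alcatel-Lucent's implementation): the SMS acts as the certificate authority, issues each administrator a certificate, countersigns the policy the administrator signed, and the Brick, which trusts only the SMS certificate it received at bootstrap, refuses any policy whose administrator certificate was not issued by that SMS, whose administrator signature does not verify, or whose SMS countersignature is missing. ECDSA P-256 with SHA-256 stands in for the DSS and SHA-1 the manual names; the SignedPolicy layout, the countersignature over policy||adminSig, the function names and the sample policy text are assumptions of the example, not the Brick's actual on-disk format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// SignedPolicy is what the Brick keeps in NVRAM (assumed layout; ECDSA P-256/SHA-256 stands in for DSS/SHA-1).
type SignedPolicy struct {
	Policy    []byte
	AdminCert []byte // DER certificate issued to the administrator by the SMS
	AdminSig  []byte // administrator's signature over Policy
	SMSSig    []byte // SMS countersignature over Policy||AdminSig, binding the two
}

// SMS holds the management server's signing key and its self-signed CA certificate.
type SMS struct{ key *ecdsa.PrivateKey; Cert *x509.Certificate }

func template(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
}

func NewSMS() *SMS {
	key, t := newKey(), template("SMS", 1, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature)
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return &SMS{key, must(x509.ParseCertificate(der))}
}

// Issue allocates an administrator certificate signed by the SMS.
func (s *SMS) Issue(cn string, serial int64, pub *ecdsa.PublicKey) []byte {
	t := template(cn, serial, x509.KeyUsageDigitalSignature)
	return must(x509.CreateCertificate(rand.Reader, t, s.Cert, pub, s.key))
}

func sign(key *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// Apply signs the policy as the administrator, then countersigns policy||adminSig as the SMS.
func (s *SMS) Apply(policy, adminCert []byte, adminKey *ecdsa.PrivateKey) SignedPolicy {
	adminSig := sign(adminKey, policy)
	return SignedPolicy{policy, adminCert, adminSig, sign(s.key, []byte(string(policy)+string(adminSig)))}
}

// VerifyOnBrick is the check the Brick runs before loading a policy; smsCert is pinned from the boot disk.
func VerifyOnBrick(smsCert *x509.Certificate, sp SignedPolicy) error {
	adminCert, err := x509.ParseCertificate(sp.AdminCert)
	if err != nil {
		return err
	}
	if err := adminCert.CheckSignatureFrom(smsCert); err != nil { // issued by the pinned SMS?
		return fmt.Errorf("administrator certificate not issued by the SMS: %w", err)
	}
	if err := adminCert.CheckSignature(x509.ECDSAWithSHA256, sp.Policy, sp.AdminSig); err != nil {
		return fmt.Errorf("administrator signature invalid: %w", err)
	}
	bound := []byte(string(sp.Policy) + string(sp.AdminSig))
	if err := smsCert.CheckSignature(x509.ECDSAWithSHA256, bound, sp.SMSSig); err != nil {
		return fmt.Errorf("SMS countersignature invalid: %w", err)
	}
	return nil
}

// RunScenario returns nil only if the genuine policy is accepted and every forgery is rejected.
func RunScenario() error {
	sms, adminKey := NewSMS(), newKey()
	policy := []byte("rule 1 allow tcp any -> 10.0.0.5:443\nrule 2 drop any") // constructed sample
	good := sms.Apply(policy, sms.Issue("admin-1", 2, &adminKey.PublicKey), adminKey)
	if err := VerifyOnBrick(sms.Cert, good); err != nil {
		return fmt.Errorf("genuine policy rejected: %w", err)
	}
	tampered, unsigned := good, good
	tampered.Policy = append([]byte("R"), policy[1:]...) // one byte changed after signing
	unsigned.SMSSig = nil                               // administrator signed, SMS did not
	rogue, rogueKey := NewSMS(), newKey()               // attacker's own "SMS" and administrator
	forged := rogue.Apply(policy, rogue.Issue("admin-1", 2, &rogueKey.PublicKey), rogueKey)
	for name, sp := range map[string]SignedPolicy{"tampered": tampered, "unsigned": unsigned, "rogue": forged} {
		if VerifyOnBrick(sms.Cert, sp) == nil {
			return fmt.Errorf("%s policy accepted", name)
		}
	}
	return nil
}
func main() { fmt.Println("all checks behaved as expected:", RunScenario() == nil) }
```

The rogue case is the property the manual is describing: an attacker who stands up a second, identically configured SMS still cannot re-provision the Brick, because the Brick pins the certificate of the SMS that bootstrapped it rather than trusting "any SMS". A production verifier would also enforce certificate validity dates and revocation, which Go's CheckSignatureFrom alone does not check.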
Since the SMS is a required part of the architecture, it is also used for certain
maintenance tasks. The Brick operating system can be pushed securely from the SMS to
each Brick without physically interacting with the device. With a failover pair of
Bricks, this OS upgrade can even be done with no downtime, maintaining all sessions.
2-6
260-100-022R9.4
Issue 1, June 2009
