Securing the Open Access Network: Best Practices
Mark Williams 2007
The Open Access Network (OAN) is essentially a shared network infrastructure provided by a core networking team that supports service delivery for a variety of user groups and applications across an enterprise. In an OAN, each user group and/or application has its own access control requirements and enforces those access policies with its own mechanisms. OANs are most commonly required in multi-subsidiary enterprises such as large manufacturing entities and financial institutions, state and local government agencies, and research and education organisations.
A key property of an open access network is the assumption at the network border to the Internet that, unless something is forbidden, it is allowed. There will be some overarching security policy that denies some kinds of traffic, but in general, access is allowed to and from the Internet. This poses some special challenges for the NOC personnel in terms of protecting the network while maintaining a relatively permissive edge, but it also focuses the perimeter task on three things: first, providing high availability, manageability and robustness in the face of equipment failure and all kinds of DoS attacks; second, removing any undeniably unwanted traffic such as network worms, obvious attempts to breach security, network scans, etc.; and third, instrumentation and logging of activity so that it is possible to determine when the network is behaving normally and when it is behaving abnormally.
This presentation outlines some current best practices in network baselining, DoS mitigation, building an intelligent redundant perimeter and realistic layer 7 security hardening at the perimeter of the open access network.
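As an added illustration of the default-allow edge and the baselining task described above (example code written for this page, not material from the presentation), the following builds a fan-out baseline from a known-normal window of flow records, flags sources in a later window whose distinct-port fan-out is far above that baseline (the network-scan case), and applies a small deny list in which everything not listed is permitted. All flow records and deny-list ports are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (src, dst, proto, dport); not captured data.
NORMAL_FLOWS = [
    ("192.0.2.10", "203.0.113.5", "tcp", 80),
    ("192.0.2.10", "203.0.113.5", "tcp", 443),
    ("192.0.2.11", "203.0.113.9", "udp", 53),
    ("192.0.2.11", "203.0.113.5", "tcp", 443),
    ("192.0.2.12", "203.0.113.7", "tcp", 22),
    ("192.0.2.12", "203.0.113.7", "tcp", 443),
    ("192.0.2.12", "203.0.113.9", "udp", 53),
]
# Same legitimate traffic plus one host probing 60 ports on a single target.
CURRENT_FLOWS = NORMAL_FLOWS + [
    ("198.51.100.7", "203.0.113.5", "tcp", p) for p in range(1, 61)
] + [("192.0.2.10", "203.0.113.5", "tcp", 445)]

# Overarching deny list (assumed ports, for illustration): anything not listed is allowed.
DENY_RULES = {("tcp", 445), ("tcp", 135)}

def is_permitted(flow):
    """Default-allow policy check: only explicitly denied proto/port pairs fail."""
    _, _, proto, dport = flow
    return (proto, dport) not in DENY_RULES

def distinct_dports_per_src(flows):
    """Count how many distinct (proto, dport) pairs each source touched."""
    seen = defaultdict(set)
    for src, _, proto, dport in flows:
        seen[src].add((proto, dport))
    return {src: len(ports) for src, ports in seen.items()}

def build_baseline(flows):
    """Mean and population stdev of per-source fan-out in a known-normal window."""
    counts = list(distinct_dports_per_src(flows).values())
    return mean(counts), pstdev(counts)

def find_scanners(flows, baseline, k=3.0, min_ports=10):
    """Sources whose fan-out is far above baseline: likely scans, not ordinary use."""
    mu, sigma = baseline
    threshold = max(mu + k * sigma, min_ports)  # min_ports avoids a tiny threshold
    fanout = distinct_dports_per_src(flows)
    return sorted(src for src, n in fanout.items() if n >= threshold)

if __name__ == "__main__":
    base = build_baseline(NORMAL_FLOWS)
    print("scanners:", find_scanners(CURRENT_FLOWS, base))
    print("denied:", [f for f in CURRENT_FLOWS if not is_permitted(f)])
```

The baseline window must itself be clean; a scanner present while the baseline is built would inflate the threshold and mask later scans of similar size.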
About Mark Williams
Mark Williams joined Juniper Networks in October 2003 as the research and education business development manager for the Asia-Pacific region. Williams has been working across the Asia-Pacific region in telecommunications from his base in China since June 1998 and in that time has worked on the development of data networking solutions for both enterprise and carrier customers.
Before moving to China, Williams spent more than 10 years working as a network engineer in the academic community, where he contributed to the architecture of both the first Internet backbone in Australia, AARNET, and its successor, AARNET-II, and filled various roles in the design and operation of the University of Queensland data network.
Williams previously worked for The University of Queensland, Siemens, The University of Stuttgart, Bay Networks and Nortel Networks. He graduated with Honours in Electrical Engineering, Computer Science and Asian Languages from The University of Queensland in Australia.