Information Security begins with Network Management

NMS for Security

There is no doubt that information security is one of the main objectives of every organization that rely on an ICT infrastructure. For some organizations, the task of maintaining information security is assigned to dedicated teams not concerned with keeping the network up and running or delivering IT services. However, it is crucial that the network, IT, and security teams collaborate to protect the organization’s information assets. One area where the ICT team can support the security team is by implementing proper network management functions.

Network management best practices require following the ISO Telecommunications Management Network (TMN) framework. This framework splits the network management functions into five key areas referred to by the acronym FCAPS. It can be argued that, efficient information security starts after the five functions are put in place and used properly. To elaborate, here are some of the areas where the FCAPS play vital roles in securing the data assets of the organization:

Fault Management Functions

Active/Passive Monitoring

Organizations’ security concerns are often focused on protecting their data and ensuring its integrity and confidentiality. Availability of the service provided by the IT infrastructure is also an important aspect of information security as cyber attacks may target the infrastructure by denial of services (DoS) attacks in an attempt to prevent the organization from conducting its normal operations. For instance, a DoS attack may aim at preventing the organization from collecting toll fees and generating revenue.

Fault Alerts

Active and passive monitoring of network devices or network services (such as the organization online sales portal) for continued activity will provide the network administrators with alerts when these devices or services stop functioning properly. Whether the outage is caused by a malfunction or a cyber attack, restoring the services and resuming normal operations is the responsibility of both network management and information security roles.

Configuration Management Functions

Information security relies on Configuration Management in many aspects, including configuration monitoring, change‐control, and auditing. For example, the organization can use the following configuration management functions within the information security context:

Topology Discovery

Topology discovery and device inventory tools will be able to detect devices that are connected to the network without authorization. As the organization’s infrastructure covers a large area, this capability is necessary to enforce change management controls as well as detecting malicious attempts to infiltrate the infrastructure through devices located in remote areas.

Configuration Audit

Regular configuration audit provides the ability to detect any change to the configuration that may weaken network security. As many organizations rely on various contractors to provide technical services and support, the ability to detect and track configuration change in network devices made by contractors will provide the means to assess the change from the security point of view by the organization staff. Also, if an attacker manages to break into the network and change device configuration to pursue an advanced attack, a comparison with older configuration will detect the change and recover from the attack by restoring the proper configuration.

Equipment Hardening

Equipment hardening is basic best practice that the organization should follow to maintain network security. The practice includes restricting physical and logical access to the network infrastructure to authorized personnel, disabling protocols that are not needed or are considered unsecure (such as http and telnet) and shutting down unused ports to prevent unauthorized access. Security protocol (e.g. 802.1X) can be implemented to limit wired and wireless access to only devices with known MAC addresses.

Accounting Management Functions

Although accounting management functions are largely ignored in organizations that do not track usage or charge fees for using ICT resources, tracking these resources may serve security purposes. Restricting and monitoring resource usage by quotas (such as disk space) can protect the organization from the abuse of these resources by employees or outsiders who manage to gain access to these resources.

Performance Management Functions

Performance monitoring tools can gather information to satisfy security and compliance requirements. Performance analysis tools can generate security reports directly or export the data to a dedicated security tools for further analysis and reporting. Network management teams can use performance monitoring to support information security in these areas:

Utilization Monitoring

Monitoring the utilization of certain resources or some events (Internet bandwidth, disk space, number of failed login attempts, etc.) and setting thresholds for normal values can assist in identifying security incidents. Sudden surge in Internet traffic may signal that an upload of large amount of data is in progress, or the onset of distributed denial of service attack (DDoS).

Event Correlation

Correlating traffic anomalies and other events to detect security incidents is a function that sophisticated security tools provide. Similar results are also possible using performance management tools that use trend monitoring and correlation functions to detect and isolate network problems. For instance, a surge in upstream traffic that is accompanied by a drop in failed login attempts could be a sign that an attacker is successful in gaining access to the network.

Traffic Analysis

Awareness of the type of data traffic flowing in and out of the network can be gained by using protocols such as NetFlow (or IPFIX) and its analysis tools. NetFlow provides the security administrator with information such as main traffic sources and destinations of traffic, protocols and applications. This information will provide clues about suspicious activity such as traffic going to uncommon destinations as a result of various infections or “botnets”.

Security Management Functions

The ‘S’ in the FCAPS model focuses in securing the network infrastructure and controlling access to devices. To achieve the goal of securing access to the ICT assets, the organization needs:

Centralized Authentication

Controlling access to devices in the infrastructure using a centralized authentication server (e.g. RADIUS). Such service allows the network manager to create access policies based on user profiles and track usage.

Multitier Access Privileges

Developing different access and authorization levels for various groups of users who may need access to the infrastructure (network administrators, engineers, operations, security personnel, vendors, contractors, etc.)

Access Logging

Configuring and feeding device-generated logs to a centralized server. In addition to their value in troubleshooting problems, the logs can be used to detect anomalous behavior that can be a symptom of a malicious security attack.

Conclusions

There are several ways by which the implementation of network management’s FCAPs can support the objectives of information security. For this reason, network management and security should be treated as two complementary functions in an organization. In fact, for many SMB organizations, there can be only one ICT team and information security must begin with proper network management.