• A unified view of the network with the ability to perform real-time analysis of all the traffic on the network while simultaneously understanding the underlying infrastructure through a combination of discovery and event collection

• Both macro and granular visibility of traffic and network elements for monitoring the behavior of the network as a single entity while also providing full-packet capture and forensics capabilities down to a single IP address

• Full correlation that can span all traffic and network elements with the ability to detect even the most distributed of attacks with extremely high accuracy and very low false positives or negatives

• Flexible attack mitigation to support both manual and automatic forms of attack mitigation, providing access control similar to a circuit-switch network for the operator

• Superior reporting and management capabilities with a management console that can provide a single, unified view of the health of all traffic and network elements, flexible pre-configured reports, and real-time, dashboard-style reports

• Robust storage capability to meet the storage requirements of historical and trend analysis

• Scalability to meet the demands of large, highly distributed carrier networks

• Flexibility and customization that includes configurable reporting, a configurable user interface that can interface with any network element, and the ability to create custom algorithms to detect any type of anomaly

IBM Telecom Core Infrastructure Security Solution
The IBM Telecom Core Infrastructure Security Solution monitors and manages the health of network elements (or the cloud) and the actual traffic itself from a single, integrated system. It features a powerful combination of technology designed to detect virtually any malicious threat or network anomaly, no matter where it originates.

From worms and viruses propagating from outside the network perimeter to insider threats emanating from within the network, this solution can detect these threats early and accurately.

In addition, the Core Infrastructure Security Solution features powerful, flexible mitigation options that network operators can use to take action and enforce policy either manually or automatically. This solution is scalable to meet the demands of large, highly distributed carrier networks.

The solution features three core components. IBM Tivoli® Security Operations Manager provides the monitoring and correlation of the elements found in the network, while NarusInsight™ Secure Suite (NSS) provides similar monitoring and correlation of the network traffic itself. IBM Tivoli Netcool® then acts as the manager of the managers by providing an additional tier of correlation between Tivoli Security Operations Manager and NSS. User interfaces for reporting and portal access are provided by Netcool Impact and Webtop.

• Complete monitoring of both IP traffic and network elements
With the Tivoli Netcool Precision component, the Core Infrastructure Security Solution can provide flexible, automated discovery of all Layer 1, 2, and 3 devices in the IP network, from the transport layer optical devices to routers, switches, and IP addresses. Netcool Precision generates an accurate, up-to-date inventory of devices, systems, and applications within an infrastructure.
Tivoli Netcool Precision also provides a snapshot of the network topology and a basic mapping of applications to their underlying servers. This view is critical to monitoring the health of network elements and is the first line of defense against attacks in or originating from the network.

To monitor and detect threats from outside the network, the solution uses the NSS component, which can analyze and profile live IP traffic in real time and inspect packets from layer 2 to layer 7. The NSS Semantic Traffic Analyzer monitors traffic directly as a “smart probe” by passively tapping the network. Alternatively, using a software agent, NSS can interface with any network element such as a router (Cisco Netflow or Juniper cflowd), IDS/IPS/Firewall, RADIUS server, SNMP MIB or DBMS. NSS is typically deployed in carrier networks close to the core (between the gateway router and the backbone router) and can monitor traffic at speeds up to 10 Gb/sec (OC 192).

• Multi-tiered correlation capability
The Tivoli Security Operations Manager and NSS components offer correlation between network elements and IP traffic features. The solution also offers correlation between its software components to provide the most complete picture of network behavior. Using this multi-tiered correlation capability, the solution detects the widest possible range of attacks with significantly increased accuracy.

The NSS component correlates traffic features across multiple sophisticated security algorithms that are based on Signal Processing and Information Entropy. In this way, it can monitor even the largest network as a single entity.

In addition to detecting changes in traffic volume or known worm signatures, NSS can use the Information Entropy technology to detect minute shifts in features such as “traffic randomness” that are the precursor warning signs of malicious threats. This leads to much earlier detection of even the lowest-volume, most-distributed attacks, such as DDoS, Zero-day worms, and Polymorphic worms. NSS can also detect an entire class of attacks directed at layer 7 applications (such as VoIP, DNS, http, and SMTP) and the Border Gateway Protocol (BGP) routing infrastructure found at Layer 3.

Tivoli Security Operations Manager can also provide infrastructure feature correlation between data generated by both discovery and event collection. It offers several correlation methods, including event reduction and device-level, policy, and service correlation.

• Unique analytics and forensics
With the solution, users have access to a top-down, macro view and the granular, IP-address-specific view of both traffic and network elements. With this “zoomable” view, operators can rapidly investigate detected anomalies and make mitigation decisions in near real time. NSS is not visible to the installed security infrastructure (for example, firewalls, IDS/IPS) and can immediately enable full-packet capture on the traffic after an anomaly is detected.

NSS provides real-time analysis of questionable traffic with powerful forensics capabilities. It can quickly identify the nature of the anomaly, its source IP address, and its propagation path, and create a signature for the threat. NSS can also distinguish malicious threats (for example, worms and viruses) from benign ones (for example, a mis-configured router).

NSS analyzes packet headers and payloads for behavioral signs of malicious activity, and it can detect many classes of attack that IDS/IPS systems might not see (such as fragmented or “TearDrop” attacks, for example). Moreover, NSS can detect these traffic-based attacks as they occur, providing faster response and even mitigation.
Tivoli Security Operations Manager uses network infrastructure logs that include events that have actually occurred, so it can detect attacks outside the flow of the traffic itself. In other words, it can monitor not only device event records, but also user and file access activity. This means that it can track changes to file permissions, attempts to install new executables, or attempts to access privileged services.

• Powerful reporting and mitigation: “the manager of managers”
Tivoli Security Operations Manager and NSS have been integrated with IBM Tivoli Netcool®/OMNIbus and Netcool Impact so that the solution has flexible reporting and mitigation capabilities. The solution supports a wide range of reporting and mitigation options, from manual notifications that guide human decisions, to fully automated device-level clearing and diagnostics, to direct interfaces to third-party traffic shaping, blocking, or quarantine products. Tivoli Security Operations Manager and NSS both use Tivoli Netcool as the common policy management engine for manual notification and automatic mitigation. A reporting interface that can be customized displays reports and dashboard alerts. In addition, operators can access the solution using a portal that they can define.

For automatic mitigation, the solution interfaces directly with any third-party device such as IBM Tivoli Provisioning Manager and Cisco SCE for automated, real-time traffic shaping and blocking. For automatic quarantine and infected traffic cleansing, the solution interfaces with products such as Cisco Guard.

• Integrated storage featuring significant capacity
IBM Telecom Core Infrastructure Security Solution offers significant storage facilities for historical data analysis. The solution can archive most types of data—from finely granular information to summarized metadata—into most database management systems (such as DB2, MySQL, and Oracle) and retrieve it at the time it is needed with negligible latency.

Historical data analysis can drive a wide range of decision support systems. Now operators can access historical data to decide in real time which actions to take based on successful actions taken in the past. In addition, trend analysis can facilitate many business decisions such as capacity forecasting, bandwidth usage, and revenue forecasting.

• Scalability
The Core Infrastructure Security Solution offers scalability in the monitoring of network elements, network links, and sheer volume of traffic. From the network element perspective, Tivoli Security Operations Manager supports 200 different devices such as routers, IDS/IPS, and firewalls. Netcool/OMNIbus supports even more devices, which means the solution can scale to Tier-1 carrier traffic. Meanwhile, NSS offers real-time traffic monitoring and analysis at speeds up to 10 Gb/sec. Currently monitoring Tier-1 carrier networks that pass over 2.5 petabytes of traffic each day, NSS is designed to support an unlimited number of network links on a carrier network (including high-speed peering links).
Core Infrastructure Security Solution data flow
The IBM Core Infrastructure Security Solution consists of IBM software and systems and NSS. Figure 1 illustrates the data flow of the solution. The role each of the products plays is as follows:

Figure 2: NSS detects the Sasser worm as soon as the first machine (192.1.1.2) is infected.
sessions from a significant number of hosts, but it always requests the same port number. This subtle change in the randomness of the traffic is detected well before any significant change in traffic volume is noticed, and well before it reaches the enterprise network running Netcool.
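The “traffic randomness” signal that the Information Entropy discussion and the Sasser example above both rely on (many sessions to many hosts, one unchanging port) can be made concrete with a small Shannon-entropy check over per-source destination ports, contrasted with a plain volume threshold that sees nothing. This is an added illustration and not code from the brochure or from NSS; the flow records are constructed, and the port 445 is the one Sasser is known to have scanned, which the page itself does not state.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed NetFlow-style records (source IP, destination IP, destination
# port). They are sample data made up for this example, not captured traffic.
random.seed(7)
NORMAL_PORTS = [80, 443, 25, 53, 110, 143, 22, 8080]
FLOWS = []
for i in range(1, 6):  # five well-behaved clients with mixed destination ports
    src = f"192.1.1.{10 + i}"
    for _ in range(40):
        dst = f"10.0.{random.randint(0, 9)}.{random.randint(1, 254)}"
        FLOWS.append((src, dst, random.choice(NORMAL_PORTS)))
# One host behaving like the newly infected machine in Figure 2: as many
# sessions as its peers, so no volume spike, but to 40 different hosts on a
# single port (445, the port Sasser scanned; the brochure does not name it).
for n in range(40):
    FLOWS.append(("192.1.1.2", f"10.0.{n // 16}.{n % 16 + 1}", 445))

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def profile_sources(flows):
    """Per-source tuple: (session count, destination fan-out, port entropy)."""
    by_src = defaultdict(list)
    for src, dst, port in flows:
        by_src[src].append((dst, port))
    return {src: (len(s), len({d for d, _ in s}), shannon_entropy([p for _, p in s]))
            for src, s in by_src.items()}

def flag_randomness_anomalies(flows, min_fan_out=20, max_port_entropy=0.5):
    """Sources reaching many hosts with almost no port randomness: worm-like."""
    return sorted(src for src, (_, fan_out, h) in profile_sources(flows).items()
                  if fan_out >= min_fan_out and h <= max_port_entropy)

def flag_volume_anomalies(flows, factor=3.0):
    """Plain volume detector for contrast: sessions above factor x the median."""
    prof = profile_sources(flows)
    counts = sorted(n for n, _, _ in prof.values())
    median = counts[len(counts) // 2]
    return sorted(src for src, (n, _, _) in prof.items() if n > factor * median)
```

On this sample the entropy check flags only 192.1.1.2 while the volume check flags nothing, which is the ordering the brochure describes.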
Core Infrastructure Security components

Key professional services:
• Security consulting for carriers
• Secure solution design for telecommunications
• Pilot/proof-of-concept implementation
• Solution implementation for telecom

Technology platform:
• IBM systems
• IBM System Storage™
• IBM BladeCenter
• IBM Tivoli Security Operations Manager

How IBM can help
IBM has a long history of working with telecommunications companies to make them more efficient and secure, which makes us an ideal partner for core infrastructure security. IBM is a leader in the application software, hardware, and services critical for monitoring and managing the health of
IBM helps plan and design core infrastructure security solutions for telecom carriers. We have the broad capability, industry expertise, leading-
operates.

To learn more about IBM, contact your IBM representative.

© Copyright IBM Corporation 2007
IBM Corporation
New Orchard Road
Armonk, NY 10504
U.S.A.
Produced in the United States of America 03-07.
All Rights Reserved
DB2, System Storage, Tivoli, Netcool, and Tivoli Security Operations Manager are trademarks or registered trademarks of International Business Machines Corporation in the United States, other
Other company, product, or service names may
Summary
• IBM Telecom Core Infrastructure Security Solution monitors and manages the health of network elements and the actual traffic itself from a single, integrated system.
• Built with world-class, best-of-breed technology, the solution is able to detect a much wider range of threats early.
• The solution has multi-tiered correlation capability. It can provide much greater detection accuracy and better data points, so that telecoms can make faster and better decisions.
• Powerful analytics, forensics, and reporting capabilities help you target and mitigate threats as quickly as possible.
• Carriers can take advantage of integrated data storage with capacity, which supports historical analysis, faster attack detection, greater network capacity, more bandwidth, and revenue forecasting.
• Because the solution is designed to scale from the enterprise to the largest carrier network, carriers can now obtain a comprehensive, integrated “security protection” solution from a single vendor.