Changing the Lagging Face of Public Safety with Smart Networking Solutions (Part 4)

In part I of this series, Avaya Vice President and Chief Technologist for Software-Defined Architecture Jean Turgeon opened up a much-needed conversation about the current state of public safety and E911. My colleagues Mark Fletcher and Markus Bornheim followed up with pieces on E911 response times, lack of location data and the technology available to solve these issues. Today, we’ll explore specific solutions that can change the game for public safety and emergency services.

I recently went for my annual physical and had a conversation with the resident doctor about how technology is being used within the healthcare industry. After a few minutes, she made a comment that resonated with me, “I can’t believe in today’s digital age, we still use phones to make and confirm appointments.” You may be wondering what this has to do with public safety. Well, not surprisingly, this resident doctor (who is also a millennial) uses her smart device and data channels to interact with the world, and expects to use it for communicating with Emergency Services.

Given our world is moving rapidly toward mobile-based smart devices and away from fixed phones, the big question everyone should ask is, “What happens when I contact Emergency Services (911, 999, 112, etc.)?” Today, about 80% of calls coming into Emergency Services are from mobile or smart devices, yet the sad reality is that Emergency Services has no ability to interact with citizens over data channels. It’s voice channels only, which in 2016 is unacceptable.

Many PSAPs (Public Safety Answering Points) are upgrading and modernizing, but without the proper infrastructure and data networks much of that investment could be worthless. It’s time to start thinking about enabling robust end-to-end data networks within Emergency Services. These new data networks can interconnect agencies, allowing overflow and interflow to handle mass-call incidents, and let PSAPs interact with citizens and their smart devices.

Today only voice and telephones are used to interact with citizens as carriers are only providing a voice-based network to support calls to Emergency Services. PSAPs have no means to interact using data channels and apps like email, SMS, Web Services and more.

From a data perspective, in many PSAPs today you’ll find dispatchers and call takers with two separate systems on their desks, or a single system running a self-contained VDI (virtual desktop) environment that provides the second system virtually. The main reason for keeping the two systems separate is the use of legacy architectures and the need for physical segregation of the systems and their respective data. One system (physical or virtual) is used for Emergency Services and is based on the voice network. A separate system (physical or virtual) uses a data network for internal communications like email, Internet, database access and more.

Now imagine a dispatcher speaking over the voice network to a citizen. If the dispatcher wants to interact with that person over the data network, they can’t, because that system is strictly for internal use. The only channel available to interact with the citizen is voice on a dedicated network. The dispatcher (or call taker) can’t perform simple tasks like sending an SMS or email, or sharing a web link or a video showing the citizen how they might help themselves. So while they do have an internal system connected to a data network where they can browse the web, send emails and look up information, that system has no path to the citizen on the emergency services side.

Moving forward, maintaining the segregation that physical separation provides today, but through virtual services, can be easy with technology like Avaya’s all-new end-to-end segmentation solution, #EverywherePerimeter, and its core capabilities of hyper-segmentation, stealth and elasticity. (Jean Turgeon recently kicked off a three-part blog series that dives into each pillar. Read part I and part II.) This new, all-standards-based networking architecture can address these issues and provide the level of support and security required, in a simple yet secure fashion, to bring modern technology to the PSAP.

ESInets (Emergency Services IP networks) are starting to be developed in parts of the U.S. as separate, parallel data networks within the PSAP, but this means potentially adding cost, duplicating equipment and networks, and adding complexity through firewalls and network administration. Additionally, long lead times are incurred for changes, adds and moves, since avoiding disruption to network services requires long maintenance windows.

The ESInet, an IP-based core network, still has security challenges: an IP-routed core is discoverable and attackable with the same ordinary tooling used against any other IP network. Using Avaya stealth networking architecture to construct the ESInet allows you to build a single physical core data networking infrastructure, either for a greenfield network or integrated with existing networks. With the fabric, the core forwards on Ethernet (SPB’s MAC-in-MAC encapsulation) rather than on IP, so the core nodes present no IP interfaces for an attacker to discover. That is what makes the core invisible to IP-based reconnaissance.

Using SPB (Shortest Path Bridging, the IEEE 802.1aq standard), once the Avaya core is built, multiple traditional core network infrastructures are no longer needed. Because Avaya uses a mesh-based architecture, full redundancy is achieved. Avaya’s hyper-segmentation technology can then create new VSNs (Virtual Service Networks), which behave like independent virtual wires or networks. Each VSN is carried under its own service identifier (I-SID) and forwarded in isolation; since the core does not route IP between them, one VSN cannot see or reach another, and data cannot cross between VSNs unless an administrator explicitly allows it. That isolation is what makes them secure.

If required, the data networking administrator can create IP-based shortcuts between VSNs to allow data to flow between specific virtual networks, for example during a migration or in call overflow scenarios such as a mass call event. Once the ESInet core is built, this secure environment can be used to dynamically create separate networks as needed. As an example, multiple virtual networks running over this single core can provide services like:

  • Internal Secure Data Network
  • Video Network
  • Local PSAP Network
  • Regional Network
  • District Network
  • Even a Voice Network being carried over the Data Network

Each of these services can be protected at its perimeter with a firewall for an extra layer of security, and each would look and operate like an independent network.
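The VSN isolation described above, as an added example in Python that is not Avaya’s code or configuration: it models the MAC-in-MAC (IEEE 802.1ah) encapsulation that SPB uses, a core node that forwards on backbone MAC and B-VID without ever parsing the inner IP header, and an edge node that delivers a frame only to ports provisioned for its I-SID unless an explicit inter-VSN routing entry (what the article calls an IP shortcut) has been added. The Ethertypes and the 24-bit I-SID width are from the standards; the MAC addresses, port names, I-SID values and the IPv4 packet are constructed for the scenario.

```python
import struct

# Ethertypes from IEEE 802.1ad / 802.1ah (real values)
ETH_P_8021AD = 0x88A8   # B-TAG: carries the backbone VLAN id (B-VID)
ETH_P_8021AH = 0x88E7   # I-TAG: carries the 24-bit service id (I-SID)
ETH_P_IP = 0x0800
ISID_BITS = 24
ISID_COUNT = 1 << ISID_BITS          # 16,777,216 possible service identifiers


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def encapsulate(b_da, b_sa, b_vid, isid, customer_frame):
    """Wrap a customer Ethernet frame in an 802.1ah (MAC-in-MAC) header."""
    if not 0 <= isid < ISID_COUNT:
        raise ValueError("I-SID must fit in 24 bits")
    if not 1 <= b_vid <= 4094:
        raise ValueError("B-VID must be a valid VLAN id")
    b_tag = struct.pack("!HH", ETH_P_8021AD, b_vid)   # PCP/DEI bits left at 0
    i_tag = struct.pack("!HI", ETH_P_8021AH, isid)    # flag bits (top byte) left at 0
    return mac(b_da) + mac(b_sa) + b_tag + i_tag + customer_frame


def decapsulate(frame):
    """Parse the backbone header. Returns (b_da, b_sa, b_vid, isid, customer_frame)."""
    if len(frame) < 22:
        raise ValueError("truncated backbone header")
    tpid_b, b_tci = struct.unpack("!HH", frame[12:16])
    tpid_i, i_tci = struct.unpack("!HI", frame[16:22])
    if tpid_b != ETH_P_8021AD or tpid_i != ETH_P_8021AH:
        raise ValueError("not an 802.1ah frame")
    return frame[0:6], frame[6:12], b_tci & 0x0FFF, i_tci & 0xFFFFFF, frame[22:]


class CoreNode:
    """Backbone core bridge: forwards on (B-VID, B-DA) only. The customer
    payload, IP headers included, is opaque to it."""

    def __init__(self):
        self.fdb = {}                       # (b_vid, b_da bytes) -> egress port

    def learn(self, b_vid, b_mac, port):
        self.fdb[(b_vid, mac(b_mac))] = port

    def forward(self, frame):
        b_da, _, b_vid, _, _ = decapsulate(frame)   # inner bytes never inspected
        return self.fdb.get((b_vid, b_da))           # None: no path, frame dropped


class EdgeNode:
    """Backbone edge bridge: maps UNI ports to I-SIDs (the VSNs)."""

    def __init__(self):
        self.uni = {}                       # port -> isid provisioned on that port
        self.inter_vsn = set()              # (src_isid, dst_isid) pairs explicitly routed

    def provision(self, port, isid):
        self.uni[port] = isid

    def allow_route(self, src_isid, dst_isid):
        """Explicit inter-VSN routing entry; nothing crosses without one."""
        self.inter_vsn.add((src_isid, dst_isid))

    def deliver(self, frame):
        """UNI ports that receive the decapsulated customer frame."""
        _, _, _, isid, _ = decapsulate(frame)
        return sorted(p for p, p_isid in self.uni.items()
                      if p_isid == isid or (isid, p_isid) in self.inter_vsn)


def run_scenario():
    """Constructed scenario: a voice VSN (1001) and an internal data VSN (2002) on one core."""
    # Minimal IPv4 packet inside a customer frame (constructed, checksum not computed)
    ipv4 = bytes.fromhex("450000200001000040110000c0a80a0ac0a8140a") + bytes(12)
    customer = (mac("00:11:22:33:44:55") + mac("66:77:88:99:aa:bb")
                + struct.pack("!H", ETH_P_IP) + ipv4)

    core = CoreNode()
    core.learn(10, "02:00:00:00:00:02", port="p2")     # path to edge B over B-VID 10

    edge_b = EdgeNode()
    edge_b.provision("uni1", 1001)      # dispatcher phone on the voice VSN
    edge_b.provision("uni2", 2002)      # workstation on the internal data VSN

    voice = encapsulate("02:00:00:00:00:02", "02:00:00:00:00:01", 10, 1001, customer)
    data = encapsulate("02:00:00:00:00:02", "02:00:00:00:00:01", 10, 2002, customer)
    # Same backbone decision even if the payload is garbage: the core never parses it
    junk = encapsulate("02:00:00:00:00:02", "02:00:00:00:00:01", 10, 1001, b"\xff" * 40)

    result = {
        "core_port_voice": core.forward(voice),
        "core_port_junk": core.forward(junk),
        "voice_delivered_to": edge_b.deliver(voice),
        "data_delivered_to": edge_b.deliver(data),
    }
    edge_b.allow_route(2002, 1001)      # deliberate, auditable crossing point
    result["data_after_route"] = edge_b.deliver(data)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to take from the scenario is that the only place where data from VSN 2002 reaches a port in VSN 1001 is the line that adds the inter-VSN entry, so a review of those entries (and the firewall in front of each service) is the whole audit surface for cross-network flows.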

This gives PSAP operators the two separate secure networks they need while saving a great deal of money and back-end complexity, and it is less daunting for staff who are not networking savvy. Leveraging Avaya Fabric Extend or SD-WAN (wide area networking) solutions lets a single Avaya Fabric extend beyond one local agency: you can extend these services beyond a local data center or campus network to other locations around the globe, with the look and feel of a single fabric.

Related Articles:

As Consumer Tech Remakes the Workplace, a Thoughtful Security Strategy Is the Best Defense

I think we’d all agree the business landscape has changed dramatically over the past two decades. Think back to the last time you wrote a paper memo or sent a card inviting a colleague to a meeting. It’s been a long while.

For the most part, we’ve enthusiastically embraced this technology revolution in business, but recently it’s evolved to a point where consumer technology is now reshaping the workplace. In this blog series, we’ll discuss this phenomenon, how it’s made us more vulnerable to cyber-attacks and what measures and solutions we can employ to protect against security breaches.

Think about it. We carry multiple devices to stay connected both professionally and personally. These devices have become our modern day Filofaxes or Franklin Planners. So much so, that we’ve blurred the lines between these two worlds—once separate and distinct. We have one calendar, one set of contacts, one laptop and, for many of us, our social networks are a mix of work and play.

So when we hear about the latest cyber-attack or hack, the question we always ask ourselves is, “Can I be affected?”

The fact is our growing dependence on consumer technology puts our companies, and us, at higher risk of becoming victims. We become more vulnerable with every new tech toy, gadget or app we place at our fingertips, and we’re not talking just smartphones. Look at the Smart TV (connected to the Internet), home automation devices (e.g., Nest or Hue), even the cars we drive. Everything is becoming connected, delivering real-time information to our smart devices, whenever and wherever we are.

Our demands have also extended to where we use these smart devices. We want connectivity in Starbucks, a shopping mall, a sports stadium … we want to remain in touch, irrespective of location. This presents a challenge for many, but especially for our CIOs who not only have to secure corporate information but also weigh potential exposure as a result of our hyper-connected world.

Also consider the increasing number of employees working from remote locations … the CIO, who once had total visibility of what we’re doing and using during business hours, now has only a glimpse of what’s deployed in our homes or coffee shops. And let’s not forget collaboration tools and apps that allow for real-time connectivity and electronic file sharing between anyone with internet access, from anywhere and from any device. While these capabilities have enabled us to work smarter and more efficiently, with those benefits comes the increased risk of enterprise security issues and data breaches.

For most organizations, it’s not a question of if a security breach is going to occur, it’s when will it occur. And when a company is attacked, so too are the people affiliated with it (think customers, employees, vendors and partners).

Perhaps we need to consider how hackers go about their work to understand why the decisions we make (or don’t make) today could have immediate and devastating consequences.

For starters, hackers look to identify a point of entry that will allow them to establish a command and control base. Remember, if it has a processor, memory and connectivity, it’s a target. All the examples cited above meet these criteria.

Once they’ve established a control point, they explore their surroundings. Imagine for a moment a hacker gaining access to your home automation, then having the ability to eavesdrop on all your communications: banking services, business services, media content … potentially watching your every move. Now all your personal and business activities are compromised. It’s a frightening thought, right? But it’s one that can be proactively addressed.

There are two common methodologies for eliminating or greatly minimizing security breaches. The easiest is to say “No, you can’t do that” (seldom effective). We recommend a more thoughtful, practical, and deliberate approach that involves both active and passive security measures.

The Avaya approach is complementary to your existing security measures: not a rip-and-replace approach, but one that supports your business operations. Whilst other solutions address vulnerabilities on the devices, or only allow certain traffic to pass a specific point in the network, Avaya adds to your security posture by removing the attacker’s ability to move around your network at will. This is commonly referred to as lateral movement, and with the Avaya SDN Fx hyper-segmentation capability we are able to prevent this exploration. SPB’s service identifier is 24 bits wide, giving more than 16 million service identifiers to use; finding the right one is like trying to find a needle in a haystack.

If you can’t see it, you can’t hack it: an attacker who lands in one segment can reach only what that segment carries. Avaya can also run these services in stealth mode, conveying them quietly so that they are neither seen nor heard from outside the segment.

This provides you with security that’s based upon the services you support on your network, not focused on the routes that traffic may pass through. This dynamic approach to security is elastic in nature: as the demands for your network change, the ability to expand and contract these services follows the natural rhythm of your network. (Avaya Chief Technologist for SDA Jean Turgeon wrote a three-part blog series exploring these three core pillars. Read about hyper-segmentation, native stealth and automatic elasticity.)

In addition, we extend this capability to the edge of the network, the access layer. Here, through standards-based approaches, we examine not only the device coming onto the network, the credentials it presents and its location, but also its behavior on the network: its digital fingerprint.

Through years of experience in real-time apps, we’ve been able to capture, identify, quantify and then react to a whole range of activities. The same is also true for the emerging world of the IoT (Internet of Things) and the explosion in connected devices. Through the innovative use of Avaya Breeze™, we’re able to blend the worlds of infrastructure and apps, keeping a watchful eye on everything that passes through the network, and when something does catch our eye, having the ability to react, in real-time, to circumvent that anomaly.

The Avaya capability plugs the gaps that so many hackers exploit, and through our use of innovative technologies, we allow the network infrastructure to support the business in a dynamic, elastic, and secure manner, giving business the agility to use what it needs, when it wants to, and where it wants to use it.

An Exploration of End-to-End Network Segmentation—Part II: Native Stealth

As I’ve said before, no one provider can completely eliminate network security risks. There is, however, a proven way to reduce risk and network exposure: end-to-end segmentation, which is comprised of hyper-segmentation, native stealth, and automated elasticity. In part I of this series, I explored the concept of hyper-segmentation. In a nutshell, hyper-segmentation involves using SPB (Shortest Path Bridging–802.1aq) to quickly and easily create virtual network segments that are completely isolated from one another. This enables network security tools to perform with greater efficiency, offering businesses full transparency into network activity.

Now imagine if you could create these virtual segments on the fabric infrastructure itself, meaning the topology used to carry the traffic would be completely invisible to any IP discovery or hacking. That’s exactly what we’re going to discuss here in part II: delivering a stealth network that keeps hackers in the dark. Let’s jump right in.

The Risk of IP Hopping

If you still rely on IP hopping (hop-by-hop IP routing from node to node), it’s likely only a matter of time before someone enters your network and quickly discovers your full network topology, potentially without you knowing (if someone hasn’t already). I understand it can be difficult to grasp how a method that’s been in practice for nearly 30 years can be so insecure, but remember: just because a methodology has been around for a long time doesn’t mean it’s suited to today’s business requirements.

The problem with IP hopping is simple: once someone successfully enters a network using any kind of automated or reasonably sophisticated tool, they can begin discovering IP hop routes. These tools, when in the wrong hands, can allow attackers to gain full visibility into an organization’s IP architecture.

This means if a hacker successfully penetrates your firewall, they will within minutes be able to see all of your network topology and devices (and you thought Halloween was scary!). With this level of transparency, attackers can effortlessly detect where video surveillance is, for example, or where patient records are stored in order to begin impacting those devices, databases, nodes or systems.

This is one of the reasons so many companies hesitate to offer guest Wi-Fi services. It’s one of the easiest and lowest-risk ways for hackers to penetrate a company’s firewall and begin gaining network visibility. Remember, RF leaks out of buildings and through walls; sit in a parking lot near a building and et voilà!

Stealth Networks: Invisible to Hackers, Invincible for Companies

If you recall, in part I we discussed the importance of provisioning the network only at the points where a service is offered and where it is consumed by the end user or device (IoT, for example). By provisioning only at those service points, using an IP shortcut, the rest of the network becomes pure transport: traffic rides Ethernet Switched Paths (ESPs) instead of hopping from IP node to IP node. This removes the attacker’s reliance on IP routes; they can see only the entry and exit points, and everything else is stealth, or invisible.

Remember the above example about penetrating the firewall through a Wi-Fi network? Let’s say this happens to a company that’s implemented an end-to-end segmentation solution. The hacker may successfully connect to the company’s physical infrastructure but, because of native stealth, they will only be able to see as far as that one segment. The attackers can’t hack what they can’t see. Meanwhile, organizations gain more controlled insight into where attackers are trying to do damage.

At the end of the day, you can’t stop hackers from penetrating your network, firewall, or gaining access to your building. If they do, however, end-to-end hyper-segmentation allows you to control what hackers see with peace of mind so that your customer databases, credit card numbers, etc. are securely isolated and undiscoverable. Hence, don’t expose your customer’s credit card information (PCI), patient records or others. Isolate that critical data in a secure virtual segment and run it over that ONE converged infrastructure. No more need for a separate physical network to meet your business security needs when you implement the right solution.

We’re almost done exploring the core of end-to-end segmentation. Elasticity is the final capability that completes this network security trifecta, and I dig into it in part III next week.

How to Make the Most of IoT While Minimizing Security Risks

I was in London yesterday for IP Expo 2016. I had the pleasure of speaking with many customers and presenting a keynote about the security concerns raised by the Internet of Things (IoT). Below is a summary of what we discussed for those who weren’t able to join me or who did but need a refresh.

Adding millions of new devices, hardware endpoints, and billions of lines of code, along with more infrastructure to cope with this load is, unsurprisingly, creating a vast set of security challenges across all areas of the IoT—a set of challenges the scale of which we haven’t seen before.

Fortunately, the technology industry is working hard to address these issues, and from the network side there are many lessons we can apply from the Internet and BYOD-ready networks.

Let’s face it: the days of a fixed network edge, defined by the office and a few home workers using corporate laptops, are long gone. And we’ve been living the last several years with the borderless network—or as I like to call it, the Everywhere Perimeter. At Avaya, we’ve built on our fabric networking technology to create a solution that addresses this challenge, providing a layer that seamlessly manages segmentation, stealth and elasticity across the organization. (I recently introduced a series that talks at length about these three core pillars.) This approach makes securing the everywhere perimeter much more practical.

If all this sounds like gobbledygook, I can assure you it isn’t. Here’s an example of how it works: if an IP phone is plugged in, the voice network is automatically and securely extended. If a video surveillance camera is plugged in, the surveillance network is extended. When devices and objects are unplugged, the network retracts, eliminating potential back door entry points to the network. What this means is that organizations can hide much of their networks while protecting those elements that remain visible. The end result: you can’t hack what you can’t see, so businesses can avoid many of the conventional hooks and tools that hackers seek to exploit, while at the same time engaging with their customers and employees in an agile and timely manner via the IoT.
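The behaviour described in the paragraph above (a service extends to a port when a recognised device plugs in and retracts when it is unplugged) together with the access-layer check described in the first related article (examine the device’s credentials, then keep watching its behaviour), as an added example in Python that is not Avaya’s code and does not use the Fabric Attach or Breeze APIs. The policy table, I-SID numbers, port names and flow records are all constructed for the scenario; the quarantine service is an assumed dead-end I-SID with no exit.

```python
from collections import defaultdict

# Assumed policy (constructed): claimed device class -> service I-SID, the
# destination ports that class is expected to use, and the largest number of
# distinct peers it should talk to before we treat it as scanning.
POLICY = {
    "ip-phone": {"isid": 1001, "tcp_ports": {5060, 5061},
                 "udp_range": (16384, 32767), "max_peers": 4},
    "camera":   {"isid": 1002, "tcp_ports": {554},
                 "udp_range": (50000, 50010), "max_peers": 2},
}
QUARANTINE_ISID = 4094   # assumed: a dead-end service that reaches nothing


class AccessEdge:
    """Model of an elastic access switch: a port carries a service only while
    an identified device is attached, and loses it when the device's traffic
    contradicts the role it claimed."""

    def __init__(self, policy):
        self.policy = policy
        self.bindings = {}                  # port -> (device_class, isid)
        self.peers = defaultdict(set)       # port -> distinct destination IPs seen

    def attach(self, port, claimed_class, authenticated):
        """Link-up: extend the matching service to the port, or quarantine."""
        if authenticated and claimed_class in self.policy:
            isid = self.policy[claimed_class]["isid"]
        else:
            claimed_class, isid = "unknown", QUARANTINE_ISID
        self.bindings[port] = (claimed_class, isid)
        return isid

    def detach(self, port):
        """Link-down: the service retracts; nothing is left listening on the port."""
        self.bindings.pop(port, None)
        self.peers.pop(port, None)

    def active_services(self):
        """Services currently extended to at least one port (quarantine excluded)."""
        return sorted({isid for _, isid in self.bindings.values()
                       if isid != QUARANTINE_ISID})

    def _fits_profile(self, prof, proto, dst_port):
        if proto == "tcp":
            return dst_port in prof["tcp_ports"]
        lo, hi = prof["udp_range"]
        return proto == "udp" and lo <= dst_port <= hi

    def observe(self, port, dst_ip, proto, dst_port):
        """Behavioural check on one flow; returns 'allow', 'drop' or 'quarantine'."""
        cls, isid = self.bindings.get(port, ("unknown", QUARANTINE_ISID))
        if isid == QUARANTINE_ISID:
            return "drop"                   # a quarantined port carries nothing
        prof = self.policy[cls]
        self.peers[port].add(dst_ip)
        if (not self._fits_profile(prof, proto, dst_port)
                or len(self.peers[port]) > prof["max_peers"]):
            self.bindings[port] = (cls, QUARANTINE_ISID)   # revoke: service retracts
            return "quarantine"
        return "allow"


def run_scenario():
    """Constructed sequence of attach / flow / detach events on one switch."""
    sw = AccessEdge(POLICY)
    out = {}
    out["phone_isid"] = sw.attach("1/1", "ip-phone", authenticated=True)
    out["camera_isid"] = sw.attach("1/2", "camera", authenticated=True)
    out["rogue_isid"] = sw.attach("1/3", "ip-phone", authenticated=False)  # claims phone, no creds
    sw.attach("1/4", "camera", authenticated=True)
    out["services_up"] = sw.active_services()

    # Expected phone traffic: SIP to the call server, RTP to a peer
    out["sip"] = sw.observe("1/1", "10.0.0.5", "tcp", 5060)
    out["rtp"] = sw.observe("1/1", "10.0.0.6", "udp", 20000)
    # A "phone" opening SMB to a file server is not phone behaviour
    out["smb"] = sw.observe("1/1", "10.0.0.7", "tcp", 445)
    out["after_smb"] = sw.observe("1/1", "10.0.0.5", "tcp", 5060)     # now dropped
    # Second camera talks RTSP to too many hosts: fan-out exceeds its profile
    out["camera_scan"] = [sw.observe("1/4", f"10.0.1.{i}", "tcp", 554) for i in range(1, 5)]
    out["rogue"] = sw.observe("1/3", "10.0.0.5", "tcp", 5060)
    out["services_before_detach"] = sw.active_services()

    sw.detach("1/2")                        # the well-behaved camera is unplugged
    out["services_after_detach"] = sw.active_services()
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two things the model makes concrete: a device that is unplugged leaves no lingering service membership on its port, and a device that passed the credential check at link-up can still lose its service later when its traffic stops matching the role it claimed.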

I invite you to learn more about elements of the IoT security that are beginning to impact businesses of all sizes. Take a look at this white paper, which offers a roadmap for implementing smart, multilevel security capabilities.