4.2. Prevention Techniques

Prevention techniques focus primarily on improving component and system reliability in order to reduce the occurrence of faults. Prevention techniques can be technical or nontechnical in nature. Examples of technical prevention techniques are the use of fault-tolerant hardware architectures in switch/router designs, provisioning backup power supplies at network equipment, and predeployment stress testing of software, to name a few. Examples of nontechnical prevention techniques [20] are providing physical and electronic security for the networking infrastructure, call-before-you-dig regulations to reduce the likelihood of cable cuts, formal training for network maintenance personnel, and regularly scheduled maintenance.

The major survivability techniques described in this chapter focus on network design, traffic management and restoration, which are primarily targeted at protecting the network from random failures and accidents such as cable cuts and other human errors. However, network resources are also vulnerable to malicious attacks and acts of terror by people who are knowledgeable about the network architecture and operational mechanisms. Therefore, every network resource, including routers, software, databases, and the traffic along a path, should be protected by security measures. For each network resource, the main goals of security are ensuring confidentiality, integrity, availability, non-repudiation and authentication (C-I-A-N-A). Confidentiality means that network resource information is accessible only to those authorized to have access, while integrity means that data cannot be created, changed, or deleted without authorization. Availability expresses that the network resource information, the resource itself and the other security controls of C-I-A-N-A are all available and functioning correctly when the information is needed. Non-repudiation ensures that a transferred message has been sent and received by the parties claiming to have sent and received it, and lastly authentication is the verification of the identity of a person, process or element. For example, whenever routing updates are exchanged, authentication ensures that a router receives reliable routing information from a trusted source. Actions that can compromise network security include attacks on control and management systems, sniffing of data traffic, and denial-of-service (DoS) attacks. In a DoS attack, an attacker tries to make a network resource unavailable through resource exhaustion, for example by consuming all link bandwidth or by sending more requests to network management and control systems than they can handle. Some examples of techniques to prevent security from being compromised are separation of the control and traffic planes, encryption, firewalls, intrusion detection, and intrusion prevention. Chapter 2 gives a detailed discussion of network security.
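The routing-update case above (integrity plus authentication of control-plane messages) can be illustrated with a small simulation. This is an added example, not code from the chapter: a pre-shared key known to both routers is used to attach an HMAC-SHA256 tag to each update, and the receiving router applies only updates whose tag verifies, so that a forged or tampered update from an untrusted source is discarded. The key, the message layout and the route values are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key; assumed to be configured identically on both
# routers. A real deployment would provision and rotate it out of band.
SHARED_KEY = b"example-preshared-key-not-for-production"


def _canonical(update: dict) -> bytes:
    """Serialize the update deterministically so sender and receiver tag the same bytes."""
    return json.dumps(update, sort_keys=True, separators=(",", ":")).encode()


def sign_update(update: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: wrap a routing update with an HMAC-SHA256 tag under the shared key."""
    tag = hmac.new(key, _canonical(update), hashlib.sha256).hexdigest()
    return {"update": update, "mac": tag}


def verify_update(message: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: True only if the tag matches the body under the shared key.

    Covers both goals from the text: integrity (any change to the body breaks
    the tag) and authentication (only a holder of the key can produce the tag).
    """
    update = message.get("update")
    tag = message.get("mac")
    if not isinstance(update, dict) or not isinstance(tag, str):
        return False
    expected = hmac.new(key, _canonical(update), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(expected, tag)


def apply_updates(messages, key: bytes = SHARED_KEY):
    """Simulate a router processing received updates.

    Returns (routing_table, rejected_count). Only authenticated updates
    modify the table; everything else is counted and dropped.
    """
    table = {}
    rejected = 0
    for msg in messages:
        if not verify_update(msg, key):
            rejected += 1
            continue
        for prefix, next_hop in msg["update"]["routes"].items():
            table[prefix] = next_hop
    return table, rejected


if __name__ == "__main__":
    # Constructed traffic: one genuine update, one whose body was altered in
    # transit (tag no longer matches), one produced without the key.
    genuine = sign_update({"router": "R1", "routes": {"10.0.0.0/8": "192.0.2.1"}})
    tampered = {"update": {"router": "R1", "routes": {"10.0.0.0/8": "203.0.113.9"}},
                "mac": genuine["mac"]}
    unkeyed = sign_update({"router": "R9", "routes": {"0.0.0.0/0": "203.0.113.9"}},
                          key=b"wrong-key")
    table, rejected = apply_updates([genuine, tampered, unkeyed])
    print("routing table:", table)
    print("rejected updates:", rejected)
```

The receiver never trusts the `router` field in the body; the only evidence of origin is possession of the key, which is what the chapter means by receiving routing information from a trusted source. A shared symmetric key gives integrity and authentication but not non-repudiation, since either party could have produced the tag; that goal requires per-router asymmetric signatures instead.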
