Nortel Networks Portfolio Summary CERT Advisory CA … · Nortel Networks Portfolio Summary in...

23
Overview Simple Network Management Protocol (SNMP) is a widely deployed protocol commonly used to monitor and manage a wide range of network equipment. Finland’s Oulu University Secure Programming Group (OUSPG) has performed an extensive study on potential SNMP v1 vulnerabilities (http://www .ee.oulu.fi/r esear ch/ouspg/) . The findings were recently made public knowledge through CERT Security Bulletin CA-2002-03 (http:// www.cert.org/advisories/CA-2002- 03.html) (“SNMP Advisory”). The widespread utilization of SNMP v1 combined with public availability of a “test suite” that could be used to exploit SNMP vulnerabilities has led the infor- mation technology industry to respond to these potential vulnerabilities. Product/Service Bulletin Nortel Networks Portfolio Summary in response to CERT ® SNMP vulnerabilities Advisory CA-2002-03 Version 1.0—February 18, 2002 General description of CERT Advisory On February 12, 2002, CERT, a US federally funded Internet security watchdog organization, issued a global security advisory concerning SNMP v1. The advisory states that network equipment—including switches, routers, hubs, printers, and operating systems—may be vulnerable to an SNMP-related attack that could cause equipment to fail or allow unautho- rized users to take control of it. Simple Network Management Protocol (SNMP) serves as the basis for software tools that enable administrators to monitor the status and performance, as well to configure, network systems. For example, enabling prioritization of traffic and network traffic flow control by managing the various elements of the network. It is important to keep in mind that the information technology industry faces security issues regularly and has devel- oped common means of dealing with such issues. Nortel Networks recom- mends that network owners and opera- tors continue to use currently employed best practices or adopt those available from many public sources such as CERT ® . A risk analysis should be the first step undertaken in dealing with this issue and be a key factor in considering the prior- ity in which mitigating actions are taken. In instances such as this, a network operator will typically have to install and test software patches from many differ- ent vendors of network equipment and computing platforms. This process takes time to complete. There are many strate- gies that can be employed to protect the network during this interval to provide a safer environment in which to complete network upgrades. Nortel Networks works with several groups, both private and public, to develop and communicate practices and methods for securing net- works. A high-level strategy is outlined below as an example for our customers on how to deal with the potential SNMP vulnerabilities detailed in the SNMP Advisory.

Transcript of Nortel Networks Portfolio Summary CERT Advisory CA … · Nortel Networks Portfolio Summary in...

OverviewSimple Network Management Protocol(SNMP) is a widely deployed protocolcommonly used to monitor and managea wide range of network equipment.Finland’s Oulu University SecureProgramming Group (OUSPG) has performed an extensive study on potential SNMP v1 vulnerabilities(http://www.ee.oulu.fi/research/ouspg/).The findings were recently made publicknowledge through CERT SecurityBulletin CA-2002-03 (http://www.cert.org/advisories/CA-2002-03.html) (“SNMP Advisory”). Thewidespread utilization of SNMP v1combined with public availability of a“test suite” that could be used to exploitSNMP vulnerabilities has led the infor-mation technology industry to respondto these potential vulnerabilities.

Product/Service Bulletin

Nortel Networks Portfolio Summary in response to CERT® SNMP vulnerabilities

Advisory CA-2002-03Version 1.0—February 18, 2002

General description of CERT AdvisoryOn February 12, 2002, CERT, a US federally funded Internet security watchdog organization, issued a global security advisory concerning SNMP v1. The advisory states that network equipment—including switches, routers, hubs, printers, and operating systems—may be vulnerable to an SNMP-related attack that could cause equipment to fail or allow unautho-rized users to take control of it. Simple Network Management Protocol (SNMP) serves as thebasis for software tools that enable administrators to monitor the status and performance,as well to configure, network systems. For example, enabling prioritization of traffic andnetwork traffic flow control by managing the various elements of the network.

It is important to keep in mind that theinformation technology industry facessecurity issues regularly and has devel-oped common means of dealing withsuch issues. Nortel Networks recom-mends that network owners and opera-tors continue to use currently employedbest practices or adopt those availablefrom many public sources such asCERT®.

A risk analysis should be the first stepundertaken in dealing with this issue andbe a key factor in considering the prior-ity in which mitigating actions are taken.In instances such as this, a networkoperator will typically have to install andtest software patches from many differ-ent vendors of network equipment and

computing platforms. This process takestime to complete. There are many strate-gies that can be employed to protect thenetwork during this interval to provide asafer environment in which to completenetwork upgrades. Nortel Networksworks with several groups, both privateand public, to develop and communicatepractices and methods for securing net-works. A high-level strategy is outlinedbelow as an example for our customerson how to deal with the potentialSNMP vulnerabilities detailed in theSNMP Advisory.

Mitigation strategyIn reading the portfolio-specific productsections of this document, please notethat the vast majority of potentialvulnerabilities exist only in parts of theproduct that should not be accessible tothe public or by untrusted parties. Thatis, the potential vulnerabilities exist inthe private management network. Thismeans that the risk associated with thepotential SNMP vulnerability needs to be analyzed in the context of thepotential vulnerability of externalnetwork protection mechanisms such asfirewalls or other packet filtering mecha-nisms, the option to disable SNMP, the use of more secure managementsystems, and the number of employeesand management stations allowed to bepresent in the network.

Step 1 Secure the network

CERT®, a center of Internet securityexpertise, has produced information thatcan be useful to diminish the effects of these potential SNMP vulnerabilitiesat the network level. For detailed guide-lines on these actions, specifically relatedto the SNMP Advisory v1 vulnerability,refer to the following Web site:http://www.cert.org/advisories/CA-2002-03.html Section III. Solution.

CERT® recommends these solutions befollowed as part of an overall networkrisk assessment and network protectionplan. Implementing strategies as out-lined by CERT® should provide a risk-reduced environment in which toconduct the patching process.

Step 2 Apply patches

• Ensure that software patches from vendors are applied to any affected equipment.

• Perform testing to ensure propernetwork operation.

Step 3 Review and extend security architecture—example actions

• Revisit actions performed in Step 1 to determine if these steps should remain as part of permanent securitypolicy, e.g. can services turned off remain so permanently?

• Review the network architecture to mitigate future security vulnera-bilities.

• Protect domains of interest and critical computing assets by establishing isolated subnets with firewalls or packet filtering routers.

• Secure the management traffic with encryption technologies or by employing secure management protocols

Nortel Networks Commitment to CustomersOn February 12, 2002 CERT issuedthe SNMP Advisory. Nortel Networkswas advised of this issue earlier andimmediately created an internal taskforce that has been operating under theconfidentiality requirements of CERTand the U.S. Government. The NortelNetworks team has been evaluating thepotential vulnerabilities outlined in theSNMP Advisory and has been one ofthe companies working closely withCERT in developing a strategy for

dealing with this issue. At the request ofCERT and the U.S. Government,Nortel Networks has necessarily keptthis matter very confidential.

Our task force continues its efforts toassess the SNMP Advisory and developan appropriate response plan. We haveundertaken a thorough review of ourproduct portfolio so that appropriateremedies may be put in place to addressthe potential vulnerabilities highlightedin the SNMP Advisory. We have madesignificant progress and have developedthis comprehensive plan outlining on a product-by-product basis whether ornot each product is potentially vulnera-ble to the issues outlined in the SNMPAdvisory. For each product requiringaction, an appropriate action plan—including an expected patch release date when applicable—as well as bestpractice guidelines for increasing theproduct’s security are included.

Nortel Networks product-by-productplan to the SNMP Advisory follows.This plan will be updated as necessary.

2

Product Portfolio Index

Optical Long Haul 4

Metro Optical 5

Wireless 6

Enterprise 10

Circuit Switching 12

ATM/IP Products 14

Intelligent Internet 14

Carrier Voice over Packet 17

Miscellaneous Products 21

3

Product Affected Status Mitigating practices Software fix available

4

Product

- OPTera Connect DX Connection Manager

- S/DMS TransportNode OC-192- S/DMS TransportNode OC-48- S/DMS TransportNode TN-64X- S/DMS TransportNode TN-16X- S/DMS TransportNode OC-12 TBM

- S/DMS TransportNode OC-48 OPTeraPacket Edge (OPE)

- OPTera Connect HDX Connection Manager

- OPTera Connect PX Connection Manager

- Preside Site Manager- Preside Application Platform- Preside Trail Manager- Preside Multiterabit Element

Manager- Preside Optical Applications- Preside Configurable Surveillance

Adapter- Preside Configurable Trail Adapter

- Preside IP Device Adapter

Reason not impacted

For these products, the SNMP software is delivered as part of a third-party operating system on the OPC (OPerationsController) but it is not used, and it is dis-abled by default. Tests showed that therewas no impact.

The OPTera Packet Edge (OPE) containsSNMP agent software. The OPE card onthe S/DMS TransportNode OC-48 hasbeen tested and passed.

This product does not use SNMP.

This product has not been deployed andthere are no customer impacts.

These software products do not use an SNMP agent. Even though thethird-party platforms on which they run may be equipped with SNMP agent software, the server platform environment is controlled by the customer. Nortel Networks recommends customers contact thethird-party vendors for recommendedcorrective action.

Product uses SNMP. All tests have passed.

Optical Long Haul Optical Long Haul summaryThe impact of the SNMP potential vulnerability on the Optical Long Haulproducts is very limited as most of theseproducts do not use SNMP. The CERTapproved test suite as per the SNMPAdvisory (“Test Suite”) was utilized. At this time, the only product found to be impacted via the Test Suite is theOPTera Long Haul 4000. The riskposed by the potential vulnerability to the OPTera Long Haul 4000 is lowas the SNMP agent for this product ison the private side of the networkconnected to the customer DCN.

Products not affected Enclosed is an initial listing of NortelNetworks Optical Long Haul productsnot impacted by the potential vulnera-bilities outlined in the SNMP Advisory.We are continuing to test and evaluateour remaining products and will be pro-viding updates to this document.Additional products may be added tothis list as further product testing iscompleted.

Optical Long Haul—potentially affected products

Product Affected Status Mitigating practices Software fix available

Yes

Product is currently underinvestigation but the expectation is that therewill be no impact.Product currently underinvestigation but the expectation is that therewill be no impact.

Impact has been established; in contactwith third-party software vendor regarding a patch.

Waiting for investiga-tion/test status.

Waiting for investiga-tion/test status.

- OPTera Long Haul 4000Optical Line System

- S/DMS TransportNodeOC-48 LITE

- OPTera Long Haul 1600 Optical Line System

SNMP is on the privateside of the network con-nected to the customer-controlled DCN, whichreduces the risk posed bythis potential vulnerability.On the private side of thenetwork, connected to thecustomer-controlled DCN.

On the private side of thenetwork, connected to thecustomer-controlled DCN.

Requested patch fromthird-party vendor.

Test results pending.

Test results pending.

Optical Long Haul—products not affected

Yes.

Yes.

Product is currentlyunder investigation butthe expectation is thatthere will be no impact.

Impact has been estab-lished; in contact withthird-party vendorregarding a patch.

Impact has been estab-lished; in contact withthird-party vendorregarding a patch.

Waiting for investiga-tion/test status.

5

Metro Optical—potentially affected products

Product Affected Status Mitigating practices Software fix available

Product

- OPTera Metro 3300/3400/3500

Next-generation SONET Multi-service

platform (all versions)

- OPTera Metro 4100 Multi-service platform

(without OPE 100 card)

- OPTera Metro 4200 Multi-service platform

- S/DMS TransportNode TN-1X,

- S/DMS TransportNode TN-1P

- S/DMS TransportNode TN-1C

- S/DMS TransportNode OC-48

- S/DMS TransportNode OC-12 TBM

- OPTera Connect DX Connection

Manager

- S/DMS TransportNode OC-48

OPTera Packet Edge

- OPTera Metro 3400/3500 OPTera

Packet Edge

- Preside Site Manager

- Preside Application Platform

- Preside Trail Manager

- Preside Manager for OPTera Metro

- Preside Optical Applications

- Preside Configurable Surveillance

Adapter

- Preside Configurable Trail Adapter

Reason Not Impacted

Products do not use SNMP.

Product does not use SNMP.

Product does not use SNMP.

Products do not use SNMP.

For these products, the SNMP software is

delivered as part of a third-party operating

system on the OPC (OPerations Controller),

but it is not used and it is disabled by

default. Tests showed that there was

no impact.

The OPTera Packet Edge (OPE) contains

SNMP agent software. The OPE cards on

the S/DMS TransportNode OC-48/S/DMS

TransportNode 3400/3500 OPTera Packet

Edge have passed the Test Suite.

These software products do not use an

SNMP agent. Even though the third-party

platforms on which they run may be

equipped with SNMP agent software, the

server platform environment is controlled

by the customer. Nortel Networks recom-

mends customers contact the third-party

vendors for recommended corrective

action.

Metro OpticalMetro Optical SummaryThe impact of the SNMP potential vul-nerability on the Metro Optical productsis very limited as most of these productsdo not use SNMP. At this time, the onlyproduct that was found to be impacted isthe OPTera Metro 5000, but the impactis not traffic-affecting.

Products not affectedEnclosed is an initial listing of NortelNetworks products not impacted by the potential vulnerabilities outlined inthe SNMP Advisory. We are continuingto test and evaluate our remaining prod-ucts and will be providing updates to this document. Additional products may be added to this list as further producttesting is completed.

Requested patch fromthird-party vendor.

Requested patch fromthird-party vendor.

Test results pending.

- OPTera Metro 5000 series

- OPTera System Manager (for OPTera Metro 5000)

- OPTera Packet Edge 100 (for OPTera Metro 4100 systems)

SNMP is on the private sideof the network connectedto the customer controlledDCN, which reduces thepotential risk posed by thisvulnerability.Failures found are not traffic-affecting. See mitigation strategy at the beginning of this document.See mitigation strategy at the beginning of this document.

Metro Optical—products not affected

CDMA Access- CDMA: Enhanced

Base Station Controller (eBSC)Passport -based BSC

GSM OA&M- GSM OMC-R

(GSM element manager, all versions)

CDMA Core- SDM/FT

(SDMX09/10.x)- Shasta PDSN

(Shasta 5000 BSN)

6

Wireless—potentially affected products

Product Affected Status Mitigating practices Software fix available

Product

CDMA/TDMA/AMPS Access- CDMA: Base Station (BTS)

(all versions and all subsystems)- CDMA: Base Station Controller

(BSC)—all versions and all subsystems, except Passport

- TDMA: Intelligent Cellular Peripheral —all versions and subsystems

- TDMA: Intelligent Cellular Radio Module (ICRM)—all versions and subsystems

GSM\GPRS\UMTS Access- GSM: S8000 Base Transceiver Station

(S8000 BTS)—all versions- GSM: Base Station Controller 12000

and 6000 (BSC12000, BSC6000)—all versions

- GSM: e-cell Base Transceiver Station—all versions

- GSM: S2000 Base Transceiver Station (S2000 BTS)—all versions

- GSM: e3 Base Station Controller -(BSCe3)—all versions

- UMTS: Node B—all versions - UMTS: iRNC (excluding MDP/MDM

OA&M device for Passport)CDMA\TDMA\AMPS Core- MDS- Adept- Wireless Pre-paid

Reason not impacted

Products do not use SNMP.

Products do not use SNMP.

Products do not use SNMP.

Wireless Wireless summaryThe majority of Nortel NetworksWireless products do not use SNMP.The components that use SNMP areintended for deployment on protectableinternal network nodes. These nodestypically use third-party software forwhich patches are available or are beingdeveloped and will be available shortly.

Products not affectedEnclosed is an initial listing of NortelNetworks Wireless products notimpacted by the potential vulnerabilitiesoutlined in the SNMP Advisory. We are continuing to test and evaluate ourremaining products and will be providingupdates to this document. Additionalproducts may be added to this list as fur-ther product testing is completed.

Product does not use SNMP.SNMP stack containedwithin third-party computeplatform (base platform) notinstantiated within OMC-Renvironment.

Product does not useSNMP. SNMP stack contained within baseplatform not instanti-ated within OMC-R environment.To be determined.

Yes

SNMP is not used within thecontext of CDMA networkmanagement. SNMP is notaccessible from the CDMAnetwork management environment.

In order to eliminate or miti-gate the risk, the Shasta BSNcan be configured with SNMPaccess disabled.

The anti-spoofing capabili-ties should be enabled as wellfor all inbound and outboundtraffic from Shasta BSN.

Currently under investigation.

See Intelligent Internetsection.

See Passport informa-tion in IntelligentInternet section.

Patches available.

Wireless—products not affected

Wireless—potentially affected products (continued)

Product Affected Status Mitigating practices Software fix available

7

- Shasta HA (Shasta 5000 BSN)

- Preside Radius

- TDMA CS Data —IWF Passport

CDMA/TDMA/AMPSOA&M- CDMA BSSM—

all versions

- MDM

- PDSN OAM&P SCS Server

- PDSN OAM&P SRS Server

- NSM—TDMA Site Manager

- WVAD (Wireless Voice Activated Dial) /NAV Platform

- SMA (Smart Mobile Access) WIN Platform

CDMA / TDMA OEM- CDMA CS Data IWF

- SMS

- Lawful Intercept

Yes

To be determined.

Yes

Product does not useSNMP. SNMP stack contained within basecompute platform notinstantiated withinBSSM environment.Contains SNMP stack(for Passport 15000).

Yes

Yes

Yes

Procedure to turn offSNMP daemon.

To be determined.

To be determined.

To be determined.

Product uses SNMP.

In order to eliminate ormitigate the potential risk,the Shasta BSN can beconfigured with SNMPaccess disabled.

The anti-spoofing capa-bilities should be enabledas well for all inbound andoutbound traffic fromShasta BSN.

See Intelligent Internet section.

SNMP is not used withinthe context of CDMA net-work management. SNMPis not accessible from theCDMA network manage-ment environment.See Note 1.

See Note 1.

Procedure to turn off SNMP.

Product currently underinvestigation.

Product currently underinvestigation.Product currently underinvestigation.Product currently underinvestigation.

See Intelligent Internetsection.

Product currently under investigation. See Intelligent Internetsection.

See Intelligent Internetsection.

Depending on third-partyvendor, patch is eitheravailable or pending.Patch available.

Product currently underinvestigation and under-going testing.Turn off SNMP.

Product currently underinvestigation.

Product currently underinvestigation.Product currently underinvestigation.Requested update fromthird-party vendor.

Patches available.

See Intelligent Internetsection.

See Intelligent Internetsection.

Patch available.

Patch available.

New software release targeted within 90 days.

8

Wireless—potentially affected products

Product Affected Status Mitigating practices Software fix available

Disable agent (follow supplier instructions).

Disable agent, or installpatch.Disable agent, or installpatch.In order to eliminate or mitigate the potential risk,the WG product set can beconfigured with SNMP access disabled. SNMP functions are not currently used. In order to eliminate or mit-igate the potential risk, theWG product set can be con-figured with SNMP accessdisabled. In order to eliminate ormitigate the potential risk,the SGSN product set canbe configured with SNMPaccess disabled. SNMPfunctions are not currentlyused. See Note 1.

Pending on third-partyannouncement.

Patch available.

Patch available.

See Intelligent Internetsection.

See Intelligent Internetsection.

See Intelligent Internetsection.

Vendor contacted, waiting for reply.

Third-party vendor isworking on a patch.

Patch available.

See Intelligent Internetsection.

See Intelligent Internetsection.

See Intelligent Internetsection.

Depending on third-partyvendor, patch is eitheravailable or pending.

To be determined.

Not as shipped fromthird-party vendor butcustomer might haveinstalled by themselves.Yes—(for all releases)

Yes—(for all releases)

Yes

Yes

Yes

Yes

GSM/GPRS /UMTS Core- SDM/FT (all deployed

GEM release)

- OMCs Browser (PC)

- CIPC

- GBMD

- WG (Passport 15000, Passport 7000)

- Passport 8600

- SGSN GPRS (Passport 15000, Passport 7000)

- SIG

See Note 1.

See Note 1.

See Note 1.

See Note 1.

9

Wireless—potentially affected products (continued)

Product Affected Status Mitigating practices Software fix available

- Shasta GGSN (Shasta 5000 BSN)

- Contivity GGSN (Contivity)

- Contivity Border Gateway

- Contivity 600

- Wireless Preside OAM&P Main Server

- Wireless Preside OAM&P Performance Server

- OAM&P SCS Server

- OAM&P SRS Server

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

See Intelligent Internetsection.

See Intelligent Internetsection.

See Intelligent Internetsection.

See Intelligent Internetsection.

Depending on third-partyvendor, patch is eitheravailable or pending.

Patch available.

Depending on third-partyvendor, patch is eitheravailable or pending.Third-party vendor is currently testing.

See Intelligent Internetsection.

See Intelligent Internetsection.

See Intelligent Internetsection.

See Intelligent Internetsection.

Requested patch fromthird-party vendor.

Patch available.

Requested patch fromthird-party vendor.

Vendor contacted, waitingfor reply.

Notes

1. See Step 1. Secure the Network in theMitigation Strategy section at the beginning of this document.

10

EnterpriseEnterprise summaryThis section provides a summary of the impact on the Enterprise portfolio, including Meridian, SL-100, Messaging, and OTM products.

The Enterprise team is in the process ofcompleting the CERT Test Suite to identify potential vulnerabilities, andworking to provide appropriate fixes to identified potential vulnerabilities.Plans for these fixes will be updated below as they are finalized.

While many of the Enterprise products do support SNMP and are theoretically potentially vulnerable under the SNMPAdvisory, typical deployment scenarios,capabilities inherent in the product line,as well as good security practices signifi-cantly mitigate this potential risk.

Products not affected Enclosed is an initial listing of NortelNetworks Enterprise products notimpacted by the potential vulnerabilities outlined in the SNMP Advisory. We are continuing to test and evaluate our remaining products and will be providing updates to this document.Additional products may be added tothis list as further product testing iscompleted.

Product

Meridian Integrated Applications (MIXX)

- Meridian Integrated Call Assistant

(MICA)

- Meridian Integrated Conference

Bridge (MICB)

- Meridian Integrated Voice Services

(MIVS)

- Meridian Integrated Personal Call

Director (MIPCD)

DMS (Enhanced) Intelligent Peripheral

Equipment (IPE/EIPE)

DMS Link Peripheral Processor/Ethernet

Interface Unit (LPP/EIU)

Digital Phones

- M3900 Series

- M2000 Series

- M3000 Executive Telephone

Analog Telephones

- M8000/M9000 series

- 500/2500 type

Fibre Remote products

Reason not impacted

Products do not use SNMP.

Products do not use SNMP.

Product uses SNMP but passed

the Test Suite.

Products do not use SNMP.

Products do not use SNMP.

Enterprise—products not affected

11

Enterprise—potentially affected products

Product Affected Status Mitigating practices Software fix available

- Meridian 1 (M1)

- M1—Internet Telephony Gateway (M1-ITG)

- Succession Communication Server for Enterprise 1000 (CSE-1000)

- Meridian Stored Logic (SL)-100

- Meridian SL-100—ITG

- International Gateway Terminal Proxy Server (IGW TPS)

- International Gateway Gatekeeper (IGW GK)

- International Gateway (IGW GW)

- International Gateway (IGW PMT)

- International Gateway Microsoft (IGW Microsoft)

- CallPilot

- MeridianMail

- Optivity Telephony Manager for M1 (OTM M1)

- Optivity Telephony Manager for SL-100 (OTM SL-100)

- Optivity Telephony Manager for Digital European Cordless Telecommunications (OTM DECT)

- Meridian Administration Tools (MAT)

Internet Telephones- i2004- i2005Meridian IntegratedRecorded Announcement(MIRAN)

Yes

Yes

Still under investigation.

Still under investigation.

Potential

Yes

Yes

Still under investigation.

Yes

Still under investigation.

Yes

Still under investigation.

Yes

Yes

Still under investigation.

Still under investigation.

Potential

Potential

Product impacted underTest Suite, working onplan to provide fix.Product impacted underTest Suite, working onplan to provide fix.

Completing Test Suite.

Completing Test Suite.

Confirming product notimpacted.Testing third-party vendorpatch to provide fix.

Testing third-party vendorpatch to provide fix.Completing Test Suite.

Testing third-party vendorpatch to provide fix.Completing Test Suite.

Product impacted underTest Suite, working onplan to provide fix.Completing Test Suite.

Product impacted underTest Suite, working onplan to provide fix.Testing third-party vendorpatch to provide fix.

Completing Test Suite.

Completing Test Suite.

Confirming productnot impacted.

Confirming productnot impacted.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

See notes.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

To be determined.

12

Circuit SwitchingCircuit Switching summaryThe majority of Circuit Switching products, including DMS, which havesignificant field deployment and missioncriticality, are not impacted by thepotential vulnerability outlined in theSNMP Advisory.

Products not affected Enclosed is an initial listing of NortelNetworks Circuit Switching productsnot impacted by the potential vulnera-bilities outlined in the SNMP Advisory. We are continuing to test and evaluateour remaining products and will be providing updates to this document.Additional products may be added tothis list as further product testing iscompleted.

Product

- DMS ENET- DMS Message Switch- DMS-10- NETOnline- Spectrum Peripheral Module (SPM)- Extended Peripheral Module (XPM)- DMS Input Output Module (DMS IOM)- DMS TOPS- Real Time 1000 (RT-1000)

- DMS Series 70 Core- DMS XA-Core- DMS-100- DMS-200- DMS-250- DMS-300- DMS-500- DMS Custom Specific Variants- DMS MMP- DMS LPP/EIU (see note 1)

Reason not impacted

These products do not use SNMP.

Runs on a compute platform which is not provided by Nortel Networks. NortelNetworks recommends customers contactthe vendor of the compute platform forrecommended corrective action.These products—when configured withan LPP/EIU—have SNMP resident, buthave been tested to ensure no serviceaffecting impacts when subjected to the Test Suite.See Note 1.

Notes:

1. See Step 1. Secure the Network in theMitigation Strategy section at the beginning of this document.

2. Separate Management Traffic: This portfolio utilizes a separateManagement VLAN—Managementinterfaces that are unique and notpublished. With the appropriatesecurity practices, this significantlymitigates the potential riskidentified.

3. Private Enterprise Deployment: This portfolio is typically deployedwithin a Private Enterprise network.Standard security practice—includingFirewalls and Intrusion Detection sys-tems which restrict external access—significantly mitigate the potential riskof these products being impacted bythe potential vulnerabilities outlinedin the SNMP Advisory.

4. Secure OAM Access: OAM accesscan be further secured through tech-nologies such as VPN which stronglyauthenticate access as well as encryptmanagement traffic over the network.

This is more common when access is required across a publicnetwork, but can also be used withinan Enterprise Network to guardagainst internal attacks.

5. Third-party Platform SNMP Agent:Applications such as OTM, CallPilot,MeridianMail, and i2050 reside onthird-party platforms which haveinherent SNMP Agent capability. It isrecommended that this agent be dis-abled if possible in order to mitigatethis potential risk. Some platform vendors have stated this capability is off by default.

1. LPP/EIU use in DMS FamilyProducts—DMS is based on a flexiblearchitecture that allows integration of anumber of unique products in diverseconfigurations. The DMS LPP/EIU is acomponent within the architecture thatprovides Ethernet connectivity to

DMS switches. The LPP/EIU compo-nent contains an SNMP stack that hasbeen tested to ensure no service-affectingimpacts occur when subjected to theTest Suite.

Circuit Switching—products not affected

13

Circuit Switching—potentially affected products

Product Affected Status Mitigating practices Software fix available

DCR runs on Nortel Networks-supplied third-party computingplatform that is impacted underthe Test Suite. A patch is underdevelopment to disable theSNMP stack in DCR.NOAA runs on a NortelNetworks-supplied third-partycomputing platform that isimpacted under the Test Suite. A patch is under development todisable the SNMP stack in NOAA.Intelligent Workstation portionof the TOPS Product runs on aNortel Networks-supplied third-party computing platform that is impacted under the Test Suite. SDM is implemented using athird-party operating system.The vendor has stated throughCERT that the current version of the operating system is notimpacted under the Test SuiteHowever, SDM runs on an olderversion. Nortel Networks is incontact with the vendor toobtain Test Suite assessmentsfor the versions in use. A manualprocedure has been identified todisable the SNMP stack on SDM. TOPS-IP has two third-partySNMP stacks. Both stacks havebeen tested. The stack on the7X07AA passed the Test Suite.The stack on the SX05DA isimpacted under the Test Suite.A patch is under developmentand a release is still to bedetermined.

NA Centrex-IP contains a third-party SNMP stack.Potential vulnerability is underinvestigation.Potential vulnerability is underinvestigation.

- DCR

- NOAA

- TOPS—IWS

- SuperNode Data Manager (SDM)

- TOPS-IP

- NA Centrex-IP

- International Centrex-IP

Yes

Yes

Yes

Under investigation.

Yes

Under investigation.

Under investigation.

See Note 1 below.

See Note 1 below.

See Note 1 below.

See Note 1 below.

See Note 1 below.

Patch availability targetedwithin 30 days.

Patch availability targetedwithin 30 days.

A bulletin describing theprocedure to disable SNMPon IWS will be issued byFeb. 22, 2002.

A bulletin describing theprocedure to disable SNMPon SDM will be issued byFeb. 22, 2002 if no confir-mation is received beforethat date.

To be determined.

To be determined.

To be determined.

Notes

1. See Step 1. Secure the Network in theMitigation Strategy section at the beginning of this document.

14

ATM/IP productsIntelligent Internet product summarySome Intelligent Internet IP productshave a potential vulnerability under theissues identified in the SNMP Advisory.Nortel Networks is in the process oftesting and evaluating the variousproducts to determine the level of vul-nerability. The fixes for all potentiallyvulnerable products are forthcoming.For those products that are potentiallyvulnerable, the potential vulnerabiliy isfrom the network management side ofthe network. These potential vulnera-bilities are confined to the managementplane. Please follow the recommendationsin the Mitigating Practices column ofthe matrix below to further protect thesedevices from the potential vulnerability.

Products not affected Enclosed is an initial listing of NortelNetworks products not impacted by thepotential vulnerabilities outlined in theSNMP Advisory.

We are continuing to test and evaluateour remaining products and will be providing updates to this document.Additional products may be added tothis list as further product testing iscompleted.

Intelligent Internet—potentially affected products

Targeted before 2Q02.

Targeted before 2Q02.

Targeted before 2Q02.

Targeted before 2Q02.

Targeted before 2Q02.Targeted before 2Q02.

See Mitigation Strategy sectionat beginning of document.

See Note 1.

See Note 1.

See Note 1.

See Note 1.See Mitigation Strategy sectionat beginning of document.

See Note 1.

See Note 1.

See Note 1.

See Note 1.

Reason not impacted

Product does not use SNMP.

Product does not use SNMP.

Product does not use SNMP.

Product does not use SNMP.

Product includes SNMP but passed

Test Suite.

Product includes SNMP but passed

Test Suite.

Product includes SNMP but passed

Test Suite.

Product includes SNMP but passed

Test Suite.

Product includes SNMP but passed

Test Suite.

MDP does not receive SNMP messages and

therefore is not impacted by the potential

vulnerabilities.

Product

Alteon Content Manager (ACM)

DPN-100 Portfolio

NetID 4.X

Optivity Policy Services 1.1

Java Device Manager

Optivity Network Configuration System

(NCS) 3.X

Optivity Switch Manager (OSM)

Alteon iSD Secure Socket

Layer (SSL) Accelerator

Alteon 180 and ACE Director

Web Switches (Web OS) Releases 8.X, 9.0

Preside Magellan Data Provider (MDP)

Intelligent Internet—products not affected

Product Affected Status Mitigating practices Software fix available

Yes

Yes

Yes

Yes

YesYes

- Alteon Content Director (ACD)

- Alteon Switched Fire Wall (ASF)

- Alteon 180 and ACE Director Web Switch (WebOS) Release 10.0

- Bay Access Stack Node (ASN)

- Bay Backbone Concentrator Node (BCN)

- Bay Backbone Link Node (BLN)

- BayStack (420/ 450)- Business Policy Switch

(BPS)

15

Intelligent Internet—potentially affected products (continued)

Product Affected Status Mitigating practices Software fix available

Yes

Yes

YesYes

Yes

Yes

Yes

Yes

Yes

YesYes

YesYes

Yes

Yes

Yes

Yes

Yes

Yes

See Note 2. See Note 2.

See Note 1.

See Note 1.

See Note 1.

See Mitigation Strategy section atbeginning of document.See Note 2. See Note 2

See Mitigation Strategy section atbeginning of document.In order to eliminate or mitigate the potential risk, SNMP can bedisabled in the policy server so thatthe policy server is not impacted.See Mitigation Strategy section atbeginning of document.See Mitigation Strategy section atbeginning of document.See Note 1.

See Mitigation Strategy section atbeginning of document.See Note 1.See Mitigation Strategy section atbeginning of document.See Note 1.See Mitigation Strategy section atbeginning of document.See Mitigation Strategy section atbeginning of document.See Mitigation Strategy section atbeginning of document.See Mitigation Strategy section atbeginning of document.See Mitigation Strategy section atbeginning of document.See Mitigation Strategy section atbeginning of document.In order to eliminate or mitigate thepotential risk, the Shasta BSN can beconfigured with SNMP access disabled.

The anti-spoofing capabilitiesshould be enabled as well for allinbound and outbound traffic fromShasta BSN.

Targeted before 2Q02.

TBDTBD

TBDTargeted before 2Q02.

Targeted before 2Q02.

Targeted before 2Q02.

Targeted before 2Q02.

Targeted before 2Q02.

Targeted before 2Q02.

Targeted before 2Q02.Targeted before 2Q02.

Targeted before 2Q02.TBD

TBD

TBD

TBD

TBD

TBD

TBD

- Centillion 100

- Contivity 100- Contivity 400- Contivity 600- Contivity 1600- Contivity 2600- Contivity 4600- Contivity Configuration Manager- Optivity NMS 9.2.X

- Optivity Policy Services 2.X

- OPTera Metro 8000

- OPTera Metro 1200 Ethernet Switch Module (ESM)

- Passport Advanced Remote Node (ARN)

- Passport 1100/ 1200 Routing Switch

- Passport 2430 - Router- Passport 4430/ 4450/ 4455/ 4460

- Passport 5430 - Router- Passport 6400

- Passport 7400

- Passport 8600 Routing Switch

- Passport 15000

- Preside MDM

- Shasta Service Creation System (SCS)

- Shasta Broadband Service Node (BSN) 5000

NotesStatus1. The BayRS product line is not vulnerable to

the SNMP v 1.0 trap attacks described. TheBayRS product line may be vulnerable toSNMP v 1.0 request attacks, but it is notpossible for an intruder to gain unauthorizedaccess to the product.

Mitigating PracticesIn order to eliminate or mitigate the risk, theBayRS product can be configured withSNMP access disabled.

Status2. a. The Contivity product line is not vulnerable to the SNMP V1 trap attacks described.

b. The Contivity product line may be vulnerable to SNMP V1 request attacks. It is not possible foran intruder to use this attack to gain unauthorized access to the product. The Contivity productset is only vulnerable from the management network side.

Mitigating PracticesIn order to eliminate or mitigate the potential risk, the Contivity product set can be configured withSNMP access disabled. If SNMP service is required, further mitigation can be achieved by allowingSNMP traffic only over control tunnels (IPSEC client). This configuration will block all non-encrypted SNMP traffic.

The anti-spoofing capabilities should be enabled as well. This will block attempts at spoofingthe source IP address of a packet.

16

Carrier Voice over Packet Carrier Voice over Packet summaryCarrier VoIP includes carrier telephonyIP/ATM-based products consisting ofCall Servers, Media Gateways, and associated components.

Some Carrier Voice over IP productshave a risk to the potential vulnerabilityoutlined in the SNMP Advisory. Themajority of these products are deployedon the Central Office (CO) LAN, andtherefore the risk of vulnerability is lowdue to the inherent security provided bythe CO LAN. The CO LAN preventspublic access to the SNMP ports thatare active. Nortel Networks has identi-fied a number of fixes for productspotentially impacted and will be provid-ing these fixes shortly. In addition, weare working closely with third-partysoftware suppliers whose products areresident in Nortel Networks products tohave a fix made available.

Products not affected Enclosed is an initial listing of NortelNetworks Carrier Voice over Packetproducts not impacted by the potentialvulnerabilities outlined in the SNMPAdvisory. We are continuing to test andevaluate our remaining products andwill be providing updates to thisdocument. Additional products may be added to this list as further producttesting is completed.

Product

Succession Multi-service Gateway 4000

Reason not impacted

Product does not use SNMP.

Carrier Voice over Packet—products not affected

17

Carrier Voice over Packet products—potentially affected products

Product Sub-component Affected Status Mitigating practices Software fix available

- Succession Communication Server 2000 (CS2000)

and

- Succession Communication Server 2000—compact (CS2000-compact)

Sub-componentdoes not use SNMP.

Proprietary SNMPstack—evaluationunder Test Suite to becompleted.

Applying SNMP stackvendor's patches.

Sub-component doesnot use SNMP. Fix available; patchesbeing generated.

Fix for the SAM21 EM inprogress.

Sub-component doesdoes not use SNMPSDM runs on operatingsystems. Vulnerabilityassessment is inprogress.

Sub-component doesnot use SNMP.SDM runs on operatingsystems. Impact underTest Suite is inprogress.

No

Product currently underInvestigation.

Yes

No

Yes

Yes

Yes

No

Product cur-rently underinvestigation.

Not applicable.

To be determined.

Expected in ReleaseSN04 (April ‘02).Previous releasepatch availability to be determined.

Not applicable.

Expected in ReleaseSN04 (April ‘02).Previous releasepatch availability to be determined.

Expected in ReleaseSN04 (April ‘02).Previous releasepatch availability to be determined.Expected in ReleaseSN04 (April ‘02).Previous releasepatch availability to be determined.

Not applicable.

Third-Party Core-Call Agent (3PC)(CS2000—compact only)Control Module

Gateway Controller(GWC)

STORM StorageManager(CS2000-compact only)Service Application 21(SAM21) (ShelfController)

SuperNode DataManager (SDM)SAM21 ElementManagement System(EMS)SSPFS (common platformfor element manager)Including NPM GWC EMS,UAS EMS, EMS, MG9K EMS,MG9K Mid-Tier Server, OSSGATE (Servord+, Nodesconfiguration), LMM, TMM,LTM, V5.2 Config-urationand Maintenance. (SeeNote 4 for acronyms.)IP-IW-SPM

SuperNodeDataManager (SDM)third-party platform

Not applicable.

This interface is not normally accessiblefrom the access network,thus limiting the extentof the potential vulnerability.See Note 1 below.Packet filtering ruleson the CO LAN switchcan prevent SNMPtraffic from reachingthe GWC from theaccess networkSee Note 1 below.Not applicable.

Packet filtering ruleson the CO LAN switchcan prevent SNMPtraffic from reachingthe SAM 01 from theaccess network.See Note 1 below.See Note 2 below.

SSPFS and elementmanagement applica-tions running on theSSPFS platform are normally not accessiblefrom the access network.

Not applicable.

See Notes 2 and 3.

18

Carrier Voice over Packet products—potentially affected products (continued)

Product Affected Status Mitigating practices Software fix available

- Universal Audio Server (UAS)

- Audio Provisioning Server

- Succession Media Gateway 9000

- Succession Communication Server 3000 (CS3000)

- Succession Communication Server 3000 (CS3000) Element Manager

- Interactive Multimedia Server (IMS)

- Interactive Multimedia Server (IMS) Element Manager

- Universal Signaling Point (USP)

- Universal Signaling Point (USP) Element Manager

- Passport Packet Voice Gateway (PVG)

- Telepath

- i2004 Etherset- Softphone i2050,

SIP Client

- Passport Products- Preside Multi-Service

Data Manager - Passport 7000/15000 and Passport PVG Element Manager

- Shasta 5000 BSN

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Under investigation.Under investigation.Does not run SNMP withinthe application (Note:Subscriber desktop plat-form may be vulnerable if subscriber is runningvulnerable software).VariesVaries

Varies

Fix in SN04—patches pending.

Fix in SN04—patches pending.

Under investigation.

SNMP stack vendor's patchesapplied and being tested.

SNMP stack vendor’s patchesapplied and being tested.

SNMP stack vendor's patchesapplied and being tested.

SNMP stack vendor’s patchesapplied and being tested.

Fix is pending.

Applying SNMP stack vendors’ patches.

Passport 7000/15000 See Passport 15000Fix is pending.

To be determined.

See Intelligent Internet section.See Intelligent Internet section.

See Intelligent Internet section.

Deploy UAS within CO LAN.See Note 1 below.

See Note 1 below.

See Note 1 below.

SNMP interfaces on CS3000 should be runover a private networkSNMP stack vendor’sSNMP interfaces onCS3000 EMS should berun over a VLAN network.See Note 2 below.See Note 1 below.

See Note 2 below.

USP is normallydeployed within COLAN—See Note 1.See Note 2 below.

See Note 1 below.

See Note 2 below.

Under investigation.

See Note 1 below.See Note 2 below.

Expected in Release SN04(April ‘02).Previous release patch avail-ability to be determined.Expected in Release SN04(April ‘02).Previous release patch avail-ability to be determined.To be determined.

CS 3000 MGC 2.0 (Q4’02).Previous release patchavailability (MGC 1.6) TBD.CS 3000 MGC 2.0 (Q4’02)Previous release patchavailability (MGC 1.6) to be determined.

Expected in release IMS 1.1 (August ‘02).Patch availability for previous release (IMS 1.0) to be determined.Expected in release IMS 1.1(August ’02).Patch availability for previous release (IMS 1.0) to be determined.To be determined.

To be determined.

To be determined.

Patch available for Telepathon Feb 22. Patches fromthird-party platform supplier are available. To be determined.

19

Notes:

1. Private LAN MitigationProducts indicated by this note inthe above table are operated on separate private LANs in normalcustomer configurations. Isolation of these products, through use andproper configuration of routers andfirewalls to create a private network,provides significant reduction in thepotential vulnerability of the systems. See Step 1. Secure the Network in theMitigation Strategy section at the beginning of this document.

2. Management VLAN MitigationProducts indicated by this note inthe above table are operated on aManagement VLAN in normal cus-tomer configurations. The VLANsetup protects products in the PrivateLAN (see note 1) while allowingaccess to Management applicationsfrom the Customer’s Intranet. VLANproducts should be properly pro-tected by routers and firewalls from

Customer Internet, Extranet andSubscriber Access Network Access.Protection of Management productsin the VLAN provides significantreduction in the potential vulnerabil-ity of the systems. See Step 1. Securethe Network in the MitigationStrategy section at the beginning of this document.

3. SDM SDM is implemented using a third-party platform. The third-party sup-plier has stated through CERT thatthe current version of the operatingsystem is not vulnerable. However,SDM runs on older versions of theOperating System. Nortel Networksis in contact with the third-partysupplier for further assessment onthis issue.

4. SSPFS acronymsWC EM—Gateway Controller

Element ManagerUAS EM—Universal Audio

Server Element ManagerAPS EM—Audio Provisioning

Server Element ManagerMG9K EM—Media Gateway 9000

Element ManagerMG9K Mid-Tier Server—Media

Gateway 9000 Mid-Tier ServerOSSGATE—OSS Gateway-

provided Lines Configuration (Servord+), Trunk Configuration and Nodes configuration (XML interface)

LMM—Line Maintenance ManagerLTM—Line Trunk ManagerTMM—Trunk Maintenance

ManagerV5.2—Configuration and

Maintenance ToolNPM—Network Patch Manager

20

Miscellaneous productsMiscellaneous products summaryWhile the miscellaneous products in thissection do support SNMP and are theo-retically potentially vulnerable. Theseproducts are typically deployed in private

- One Meg Modem (1MM) for DMS

- One Meg Modem (1MM) for AccessNode Express

- sEMS (Element Management System)

Miscellaneous—potentially affected products

Product Affected Status Mitigating practices Software fix available

See Notes 1 and 2 below.

See Notes 1 and 2 below.

See Notes 1 and 2 below.

- Investigation underway.- The 1Meg Modem EMS

runs on a NortelNetworks third-partyvendor’s operating system that has beenshown to be potentiallyvulnerable. A patch hasbeen provided by thethird-party vendor,which is being incorpo-rated into the xEMS.

- Investigation of embed-ded software underway.

- The 1Meg Modem EMSruns on a NortelNetworks bundledthird-party vendor’soperating system thathas been shown to bepotentially vulnerable.A patch has been pro-vided by the third-partyvendor, which is beingincorporated into thexEMS.

The sEMS runs on a Nortel Networks bundled third-party vendor’s operating system that has been shown to be potentially vulnerable. A patch has been provided by the third-party vendor, which is being incorporated into the sEMS.

Yes

Yes

Yes

Targeted Q202.EMS Management systempatches targeted Q102.

Targeted Q202.EMS Management systempatches targeted Q102.

EMS Management systempatches targeted Q102.

enterprise networks with the ManagementLAN separated from the Telephony LAN,and good security practices mitigate therisk significantly. Fixes for products foundto be potentially vulnerable will be avail-able per the schedule enclosed.

21

Miscellaneous—potentially affected products (continued)

Product Affected Status Mitigating practices Software fix available

- SNMP solution will beincorporated into a futurerelease 2.2 of the embeddedsystem.

- The uEMS runs on a NortelNetworks bundled third-party vendor’s operatingsystem that has beenshown to be potentially vul-nerable. A patch has beenprovided by the third-partyvendor, which is beingincorporated into theuEMS.

- No impact to trafficsystem.

- UE3K Element Managerunder investigation.

The Preside element runs on a Nortel Networks bun-dled third-party vendor’s operating system that has been shown to be poten-tially vulnerable. A patch has been provided by the third-party vendor, which is being incorporated into Preside.Product is currently under investigation. NortelNetworks is in dialogue withthe third-party softwarevendors. The entire SNMP portrange should normally be blocked on the traffic side. FWA element runs on a Nortel Networks bundled third-party vendor’s operat-ing system that has been shown to be potentiallyvulnerable. A patch hasbeen provided by the third-party vendor, which is beingincorporated into FWA.

The RMC SNMP agent has been shown to be poten-tially vulnerable.

Refer to Preside MDM for guidance.

- Universal Edge 9000 International (UE9Ki)

- Universal Edge 3000 (UE3K)

- Preside for Telephony Networks (PfTN)

- Carrier Vehicle Next Generation (CVX)

- CVX Policy Manager (CPM)

- CVX SS7 Gateway (CSG)Universal Network Management (UNM)

- Fixed Wireless Access (FWA)

Broadband WirelessAccess (BWA) - Remote Management

Center (RMC) stand alone

Broadband WirelessAccess (BWA) - Remote Management

Center (RMC) with Preside Multiservice Data Manager (MDM)

See Notes 1 and 2.

See Notes 1 and 2.

See Notes 1 and 2.

See Notes 1, 2, and 3.

See Notes 1 and 2.

See Note 1.

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Targeted Q202.

Under review.

Targeted Q102.

Targeted Q102.

Targeted Q102

Under review.

Under review.

22

Directory services—potentially affected products

Broadband WirelessAccess (BWA)- Network Node

Equipment (Base Transceiver Station) and Network Interface Unit (Customer Premises Equipment)

Directory ServicesNetworking - Bay Access Stack Node

(ASN)- Backbone

Concentrator Node (BCN)

- Baystack450- Billing and Access

Services (B&AS)- TOPS DMS/IWS

networking- Directory One

databaseDirectory ServicesDatabase - Directory One

Assistance Database- Line Information for

Open Systems (LION)- Reference and Rater

(NTR))Directory ServicesAudio - Global Server- Network Application

Vehicle)

Product Affected Status Mitigating practices Software fix available

See Note 3.Enable IP filtering for cus-tomers with 1.5.2. For thosewith other releases, a fire-wall would be required (ifnot already present) at boththe CPE and the BTS. Also,see Notes 1 and 2.See Notes 2 and 3.

Investigation underway,preliminary informationindicates no issue.

See Notes 1 and 2 below.

Product currently under investigation.

Implementing mitigating practices at customer sites.

Product currently under investigation with third-party vendor.

Implementing mitigating practices at customer sites.

Yes

Yes

Yes

Yes

Under review.

Permanent fix under review.

Under review.

Permanent fix under review.

Notes

1. Private LAN MitigationAll products in the above table areoperated on separate private LANs incustomer configurations. Isolationof these products through the routersand firewalls employed to create theprivate networks provides significantreduction due to potential vulnera-bilities under the SNMP Advisoryoutlined above. See Step 1. Secure theNetwork in the Mitigation Strategysection at the beginning of thisdocument.

2. Disabling Computing PlatformSNMP StackThird-party platforms can have theirSNMP abilities disabled throughmanual configuration changes.Customers who are concerned thatPrivate LAN Migration is insuffi-cient to address the security riskshould contact their respective product support teams for informa-tion on how to disable the stacks.Additionally, see CERT AdvisoryCA-2002-03 section on "Disablestack execution."

3. Ingress FilteringIt may be possible to limit the scopeof potential vulnerabilities by block-ing access to SNMP services at thenetwork perimeter through ingressfiltering. See CERT Advisory CA-2002-03 section on “Ingress filtering.”

Obtaining fixed software Nortel Networks will deliver or installpatches through the normal patchprocess that is currently in place.

UpdatesUpdates to the Nortel Networks SNMPVulnerability Portfolio Summary will be issued as additional information onproduct areas becomes available.

Nortel Networks is an industry leader and innovator focused on transforming how the world com-municates and exchanges information. The company is supplying its service provider and enterprisecustomers with communications technology and infrastructure to enable value-added IP data, voice and multimedia services spanning Metro Networks, Wireless Networks, and OpticalLong Haul Networks. As a global company, Nortel Networks does business in more than 150 countries.More information about Nortel Networks can be found on the web at:

www.nortelnetworks.comFor more information, contact your Nortel Networks representative, or

call 1-800-4 NORTEL or 1-800-466-7835 from anywhere in North America.

*Nortel Networks, the Nortel Networks logo, the globemark design, OPTera, Passport, CVX, Shasta, DMS, TransportNode, Contivity, Optivity, Meridian, Alteon and Preside are trademarks of Nortel Networks. All other trademarks are the property of their owners.

Copyright © 2002 Nortel Networks. All rights reserved. Information in this document is subject to change without notice. Nortel Networks assumes no responsibility for any errors that may appear in this document.

In the United States:Nortel Networks35 Davis Drive Research Triangle Park, NC 27709USA

In Canada:Nortel Networks8200 Dixie Road,Suite 100Brampton, Ontario L6T 5P6Canada

In Europe:Nortel NetworksMaidenhead Office ParkWestacott WayMaidenhead Berkshire SL6 3QHUK

In Asia:Nortel Networks Singapore Pte Ltd151 Lorong Chuan #02-01New Tech Park,Singapore 556741

In Australia:Nortel Networks Australia Pty Limited380 St. Kilda Road4th Floor3004 Melbourne, VictoriaAustralia