
Cybersecurity Zero Trust Networking Us Fed Gov Solution Sheet en

cybersecurity

Uploaded by

Satish Kumar

Alcatel-Lucent Enterprise

Cybersecurity / Zero Trust Networking for U.S. Federal Government

Delivering the market’s most secure switch to enable zero trust security for mission-critical networks

Solution sheet
In today’s high-tech world, zero trust network security has become a critical concern for federal governments — particularly in light of the recent incursions into U.S. infrastructure by both state and rogue actors. In fact, cybersecurity has become so critical, that the zero trust network security architecture has become the “Gold Standard” for LAN networking. Whether it’s stealing subscriber, employee, customer, or taxpayer data, or holding entire company networks for ransom, the critical nature of network security has exploded before us and with it the recognition that networks once thought secure — are probably no longer.

For U.S. government departments and agencies, using the most secure equipment available, has become not only critical, but is now a matter of survival. For agencies to continue to operate and to support the missions they are assigned, cyber-attacks must be addressed head-on.

Fortunately, Alcatel-Lucent Enterprise has stepped to the forefront with the Alcatel-Lucent OmniSwitch® family of products, delivering the capabilities required to ensure federal networks have the security required to meet today’s challenges.

We enable Federal Government departments and agencies to:
• Support high technology mission critical systems:
  - Alcatel-Lucent OmniSwitch-based networks are secure, autonomous, self-adaptive, flexible and so durable they have a lifetime warranty
  - intelligent Fabric (iFab) technology automates the deployment of the network, network elements and devices
  - IoT containment automatically classifies and onboards IoT devices and places them into secure containers (virtual networks) based on their permitted roles
• Deploy highly secure and zero trust networks
• Provide resilient connectivity in harsh environments:
  - Long-term reliability and durability as evidenced by extended fleet use in navy ships
  - Multiple destructive barge tests confirm continued operability in extreme conditions and circumstances
• Support high-quality real-time video surveillance for security and operational management applications
• Support a cost-effective and easily managed wireless LAN architecture based on our:
  - Alcatel-Lucent OmniAccess® Wireless LAN
  - Alcatel-Lucent OmniAccess® Stellar Wireless LAN

With more than 100 years in business, 15 years of recognition as a visionary/niche player in the Gartner Magic Quadrant, and 20 years as a strategic supplier to the U.S. Department of Defense, the OmniSwitch is certified (TAA, JITC and DOD APL) for secure networks, secure software, secure supply chain and support for non-carpeted harsh environments for both Civilian and DOD departments.

Security is in ALE’s DNA

Alcatel-Lucent Enterprise switches don’t leave backdoors or other vulnerabilities open to unprotected network switches or poorly secured Internet of Things (IoT) devices. Alcatel-Lucent OmniSwitches have been embedded in federal networks for more than 20 years without a single reported security incident. The OmniSwitch may be the most secure switch available today.

ALE’s multi-layer approach to network security allows federal agencies the flexibility to incorporate very secure ALE elements into an existing network, providing enhanced cybersecurity, and then use these same elements and tools to support an evolution to micro-segmented zero trust networks.

For IoT devices requesting access to the network, ALE’s IoT containment strategy classifies each device based on predefined parameters in a Universal Network Profile (UNP). Based on the permissions in the UNP, IoT containment allows devices to connect to the network, but within assigned sub-segments of the network called ‘containers’ (or virtual networks), for an additional layer of security as a way of preventing or containing potential attacks.

ALE’s industry-leading intelligent Fabric (iFab) ensures fast scalable and cost-efficient rollout of services at the edge, saving customers time and money. ALE believes that the more automation that is built into a network, and the fewer steps or systems needed to support the network, the more secure the network will be. This is true because simplicity reduces the potential for errors which can leave areas vulnerable. The ALE OmniSwitch takes simplicity to the next level.

Additionally, continuous network monitoring is essential. The network monitors behavior to ensure that the IoT devices and applications are functioning as desired. Each authorized object is stored in an inventory. This enables IT to know exactly, and instantly, how many devices are connected on the network. It is important to continuously monitor a connected object on the network to take immediate action if there is a deviation from usual behavior. In the event of unusual activity the network can take actions such as, disconnecting the faulty device, sending a notification to the network administrator, or changing the destination of the dedicated IoT container for further verification.

For ALE’s network infrastructure OmniSwitch devices, independent verification and validation (IV&V) by an independent third-party, as well as software dynamic memory diversification during each reboot have been implemented in the operating system. ALE also provides a Secure Supply Chain capability to assure software is delivered over a secure network path only to the intended agency. These three elements combine to provide the unique ALE Secure Code solution.

ALE has also been independently certified by many international and U.S. organizations, offering JITC, NIST, FIPS, NATO, and Common Criteria security certifications as well as approval for the DOD APL. For customers concerned with the origin of the solution, ALE offers TAA (Trade Agreement Act) compliant switches, which include a majority of U.S. content.

Why Federal Government customers choose ALE

Alcatel-Lucent Enterprise OmniSwitches have been key components of the Department of Defense networks for more than a decade, providing high performance, secure, and dependable networks while ensuring simple deployment and operations. Presence on the DOD APL ensures a trusted solution by the Federal Government and is a key reason why the OmniSwitch is deployed throughout the U.S. Navy fleet.
• Security by default: Remote access must be enabled by administrator
• OS supports standards-based protocols: Providing flexibility and investment protection
• Network automation: Creating an easy-to-deploy, easy-to-manage network with technologies like IoT containment and iFab
• Licensing for features and capabilities are included: No software licensing to track
• JITC, NDcPP, FIPS, DOD APL approved switches: All switches; edge, hardened, core, use the same secure level code
• Protection from unauthorized access: With IOT containment and iFab
• Multi-Layer security to the device: With macro- and micro-segmentation approach to zero trust security
• Deep Packet Inspection: Providing application visibility and management of applications
• Single management system: Across the entire network, providing simplicity and flexibility

Alcatel-Lucent Enterprise Secure Code

With ALE, network security goes beyond required standards with:
• Secure Code: Provides independent third-party verification and validation source code analysis, white box, and black box testing searching for vulnerabilities in external interfaces
• Software diversification: ALE software implements Address Space Layout Randomization (ASLR). Each switch boot dynamically generates a unique memory layout.
• Secured delivery of products: The ALE U.S. supply chain process enables designation of OmniSwitch models as TAA Country of Origin (CoO) USA with all operational software loaded in a USA-based facility. Additionally, the company performing the IVV testing retains the AOS code after validation testing and, over a secure connection, is able to provide the software directly to specific U.S. Government customers.

Zero trust networking

Zero trust network architecture, or micro-segmentation, is the next level in network architecture which operates from the premise, “Never Trust — Always Verify”. This architecture can either build on an existing network security framework or it can be developed as a green-field deployment. Networks can be segmented in either a macro- or micro-segmentation model.

In macro-segmentation, the physical network is partitioned into different logical segments. These segments can be a VLAN, a combination of VLAN + VRF, or it can also be a VPN when talking about Shortest Path Bridging (SPB), MPLS, or even VXLAN or GRE tunnels. Any traffic between users or devices on different segments is controlled by a physical firewall.

In the Alcatel-Lucent OmniSwitch and Alcatel-Lucent OmniAccess® Stellar Wi-Fi, this segmentation is done dynamically – it is software-defined. When the user or device connects and authenticates, it is assigned a profile, and the profile provisions the user or device to the correct segment regardless of the physical location, switch port, or SSID.

Micro-segmentation takes things one step further. Not all users are the same, and
not all users have a legitimate need to access all resources. The same profile that
maps users to a segment also includes a set of policies that add even greater control
over user/device privileges which may vary by roles such as HR versus Finance. This is
known as role-based access, and directly relates to the principle of least privilege.

These micro-segmented devices are implemented through policies which are part of
the UNP profile and dynamically applied to the device after authentication. Because
neither users nor IoT devices are static (they move, connect, and disconnect) the
policies cannot be tied to a location or to a port. In fact, there is a combination of
factors. It starts with the identity of the user or device, but not only that, time of day,
and location all have an impact.

The combination of these factors determines the profile, and the profile determines the service, or segment. The policies included in the UNP profile, which include both security and Quality of Service (QoS) policies, determine the micro-segment. On the OmniSwitch and OmniAccess Stellar platforms, this is referred to as the User Network or Access Role Profile, which works as a part of the IoT containment solution. It must be software- or policy-driven and not statically defined, as that would be unmanageable.

Figure: Three zero trust elements (Authenticate and assign permissions; Segment; Monitor and quarantine)

As an example, in a legacy network the “trust” boundary is based on the point of connection: “Inside” users are implicitly trusted and “outside” users are not. Using an airport as an analogy, this would be equivalent to allowing any within-country land-side passengers to go through security unchecked. With trends such as mobility and IoT, that notion of “trust” is completely outdated. For instance: a BYOD device may bring malware into the organization; an IoT device may be intrinsically vulnerable and become an attack vector; even corporate users could be malicious.

The paradigm today is zero trust. No matter where the user or device is connected, never trust and always verify. Establishing identity is at the core of the zero trust paradigm. Going back to the airport analogy, the first thing a security officer will do is check the passenger’s identification (such as a passport or STAR ID). Other checks such as a visa check or database check are done after the identity is established. And, since establishing identity is such a fundamental check at the core of the zero trust paradigm, next-generation networks using leading-edge solutions like Alcatel-Lucent OmniVista® Unified Policy Authentication Management (UPAM) have multiple mechanisms for determining identity. The OmniVista UPAM module is a unified access management platform for both Alcatel-Lucent OmniSwitch Ethernet switches and Alcatel-Lucent OmniAccess Stellar access points. UPAM includes both a captive portal and a RADIUS server and can implement multiple authentication methods such as MAC authentication, 802.1x authentication, and captive portal authentication.

In ALE’s micro-segmentation zero trust security architecture, the already established OmniSwitch network capabilities of intelligent Fabric and IoT containment allow the administrator to authenticate, classify, and monitor users and devices based on their specific roles - defined in a Universal Network Profile - not just their functional group - providing access to only the specific elements in the network required for their roles.

These key functions are an inherent part of the OmniSwitch DNA and key to supporting zero trust networks for government agencies and departments.

For more information about ALE Cybersecurity/Zero Trust Networking for the U.S. Federal Government please contact us.

https://www.al-enterprise.com/en/contact-us

https://www.al-enterprise.com/en/industries/government/usa-federal

www.al-enterprise.com The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE. To view
other trademarks used by affiliated companies of ALE Holding, visit: www.al-enterprise.com/en/legal/trademarks-copyright.
All other trademarks are the property of their respective owners. The information presented is subject to change without
notice. Neither ALE Holding nor any of its affiliates assumes any responsibility for inaccuracies contained herein.
© Copyright 2021 ALE International, ALE USA Inc. All rights reserved in all countries. DID21101302EN (November 2021)
