Michael Pisvin SI/SP System Engineer


1 Toll Fraud and how to avoid hacking on SIP Trunking. Remote user (app) access
4/13/2017
Michael Pisvin, SI/SP System Engineer

2 Could This Be Your Network?
FBI warning on VoIP attacks: TDoS attacks allow thieves to loot bank account information (May 2010)
Communications Fraud Control Association survey shows 34 respondents with $2.0 billion in telecom fraud losses (2011)
Hackers phone home on our coin: stolen calls; in just 15 days, over $30,000 in calls made globally (February 2012)
65% of organizations experience three DDoS attacks a year, but the majority are unprepared to mitigate attacks (November 2012)
Massive DDoS attack crashes TelePacific VoIP system: an average of 34 million SIP VoIP connection requests shot up to 69 million [in 1 day], flooding their systems (March 2011)
FBI finds Philippine hackers compromised AT&T business customers and used their phone systems to call phone numbers that passed revenues to the hackers; the scheme cost AT&T $2.0 million (November 2011)
VoIP attacks on the rise! Secure your VoIP servers (blog.sipvicious.org): cloud-initiated wave of SIPVicious port 5060 scans leads to €11 million loss (October 2010)
Attacks on networks happen. How prepared are you?

In May of 2010, the FBI warned about TDoS attacks used to help thieves loot bank account information. Let’s look at some other examples.

In March of 2011, a massive DDoS attack crashed the VoIP system of TelePacific Communications, affecting thousands of customers for several days. The service provider reported that its normal level of 34 million SIP registration requests for VoIP connections “…suddenly shot up to 69 million and ‘flooded our systems’”.

In June of 2009, an international phone fraud ring was busted. Eight people were indicted for stealing calls totaling over 12 million minutes and resulting in phone bills of more than $55 million.

In December of 2010 a major VoIP fraud gang was dismantled in Romania. In this case, 50 individuals used the “Zoiper” program to route calls to premium rate numbers through hacked VoIP accounts in exchange for commission at their companies.

In November of 2009, the FBI found that hackers from the Philippines had compromised AT&T business customers, using their phone systems to call phone numbers that passed on revenues to the hackers. The scheme cost AT&T more than $2.0 million.

A 2011 survey conducted by the Communications Fraud Control Association (CFCA) revealed that 34 respondents alone reported a total of $2.0 billion in telecom fraud losses.

In a 2012 ComputerWorld article, the following hack occurred at a small European company. At issue: a small office in Europe discovers that someone has hacked its IP telephony router. Action plan: update the operating system to prevent toll fraud, and assess the IP telephony setups at offices around the world. A small development office in Western Europe was informed by the local telephone company that a high number of calls were being made from the office's IP telephony setup to a Middle Eastern country. When we looked into it, we found that in just 15 days, over $30,000 in calls had been made to several Middle Eastern countries, as well as Russia, China and a couple of Central American nations.

Despite the increasing sophistication and severity of cyber attacks, a survey of more than 700 senior IT professionals reveals that organizations are surprisingly unarmed to deal with today's threat landscape. In a new report titled "Cyber Security on the Offense: A Study of IT Security Experts," the Ponemon Institute and Radware (NASDAQ: RDWR), a leading provider of application delivery and application security solutions for virtual and cloud data centers, found that while 65 percent of organizations experienced an average of three distributed denial-of-service (DDoS) attacks in the past 12 months, less than half reported being vigilant in monitoring for attacks, much less putting into practice proactive and preventative measures to protect their organizations. (November 2012: Radware and Ponemon Institute survey reveals 65% of organizations experience three DDoS attacks a year, but the majority are unprepared to mitigate attacks; FierceEnterpriseCommunications.)

Finally, in January of 2012, the New York Times reported on a hacker who “…took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms; videoconferencing equipment.” The hacker asserted “… it (was) easy to get into several top venture capital and law firms, pharmaceutical and oil companies…(and) the Goldman Sachs boardroom.” The story went on to explain that these videoconferencing systems were designed with visual and audio clarity in mind, not security.

Hacker toured dozens of global conference rooms using common videoconferencing equipment; easily hacked several top venture capital and law firms, pharmaceutical and oil companies…(and) the Goldman Sachs boardroom. Videoconferencing systems were designed with visual and audio clarity in mind, not security (January 2012)

3 Internal versus External Security
Computer Security Institute (CSI) has done a survey on security attacks:
70% of the companies faced a security breach
60% of these breaches came from the inside
Company networks are often compared to candy bars: hard on the outside and soft and chewy on the inside

4 Unified Communications Security – Should You Care?
Credit card privacy rules: other compliance laws require security architecture specific to VoIP and other UC.1
50% increase: ‘VoIP hacking at new levels’2
Up to 25% of attacks: VoIP scanning; botnets and the Cloud used for VoIP fraud3
Reduce deployments by 1/3: VoIP/UC security reduces VoIP/UC deployment time by one third4

In recent years, Yankee Group has done an annual survey of the main blocking issues that prevent companies from adopting VoIP and other Unified Communications applications. They have found that concerns over security are at the top of the list again and again. But we now know a lot more about VoIP and UC security, thanks to many examples of successful VoIP deployments that are safe and secure. And we have seen many examples of how attackers look to exploit VoIP and UC applications that are not protected. So we know what we need to defend the infrastructure against.

Far and away the biggest concern is around toll fraud, which has seen a big spike in the last couple of years. Basically, very well organized networks of attackers are continuously probing for UC and VoIP servers that are not properly protected. Once they have control of these systems, they use them to resell long distance minutes, or else they place calls to premium rate numbers that they themselves own, running up huge bills for the enterprises. It is really common now for small enterprises to suddenly get a phone bill that is 100 times the size of their typical bill. The FBI estimated that one such ring had hacked the PBXs in 2,200 enterprises in the US and run up charges in excess of $50 million.

But the good news is that analysts also say that security is catching up with the VoIP and UC world. In fact, Aberdeen Group in early 2011 came out with a report that said that an enterprise that recognizes the need for VoIP and UC security will have much greater success at deploying these new applications. The Aberdeen report found that an enterprise that proactively plans security will cut as much as a third off the deployment time of VoIP and UC. This is because security concerns often end up delaying or derailing projects when they are not anticipated. The enterprise staff deploying VoIP and UC mistakenly believe that these applications can be protected by the existing firewalls. They cannot, and we will talk more about that in a moment. But an IT staff that does recognize the differences, and plans for them, will remove those roadblocks, and save themselves a lot of time, money and worry.

Edited copy:
50% increase: ‘VoIP hacking hitting new levels; 50% jump in 2010; Halloween Hack Attacks, Romanian toll fraud ring, Cloud SIP attacks.’
Up to 25% of attacks: VoIP scanning attacks now up to 25% of all attacks in the wild; botnets and the Cloud used for VoIP fraud
1/3: Analysts at Aberdeen Group found that addressing VoIP and UC security proactively reduces overall VoIP and UC deployment time by one third.4
Toll fraud: billions lost by enterprises every year; inadequately secured SIP trunks, UC and VoIP applications are the primary cause.5
Toll fraud: yearly enterprise losses in billions; inadequate securing of SIP trunks, UC and VoIP applications5

1 Payment Card Industry Data Security Standard (PCI DSS)
2 VIPER LAB Honeypot research
3 VIPER LAB Honeypot research
4 Aberdeen Group 2011
5 Communications Fraud Control Association (CFCA) 2008 Survey
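As an added example, not code from the presentation or from Avaya, the detection logic below looks for the toll-fraud pattern described on slides 2 and 4 (a compromised PBX or trunk suddenly placing long international or premium-rate calls, typically at night) over constructed call detail records; the CSV layout, thresholds and prefix lists are assumptions.

```python
"""Toll-fraud detection over call detail records (CDRs).

Added example; not code from the original presentation or from Avaya.
Flags the pattern the deck describes: a compromised PBX or SIP trunk that
suddenly places long international or premium-rate calls, typically at
night. The CSV layout, thresholds and prefix lists are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumptions: the enterprise's own country code, and destination prefixes
# treated as high risk (881/882 are the ITU satellite / international-network
# ranges fraud rings commonly monetise; extend per your own risk policy).
HOME_COUNTRY_CODE = "44"
HIGH_RISK_PREFIXES = ("881", "882")
NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))   # 22:00 to 05:59 local
MAX_DAILY_INTL_MINUTES = 60                            # per extension per day

# Constructed sample CDRs: start time, calling extension, dialed E.164
# number, duration in seconds. Extension 2041 shows the fraud pattern on
# the second day; extension 2077 makes one ordinary daytime overseas call.
SAMPLE_CDRS = """\
start,ext,dialed,seconds
2012-02-01T09:12:00,2041,+442079460123,310
2012-02-01T10:30:00,2041,+442079460999,120
2012-02-01T14:05:00,2077,+14155550100,600
2012-02-02T02:14:00,2041,+88216555000,1800
2012-02-02T02:40:00,2041,+971555500100,2400
2012-02-02T03:10:00,2041,+74955550100,1500
"""


def is_international(number: str) -> bool:
    """True when the E.164 number does not start with the home country code."""
    return not number.lstrip("+").startswith(HOME_COUNTRY_CODE)


def is_high_risk(number: str) -> bool:
    """True when the number falls in one of the high-risk prefixes."""
    digits = number.lstrip("+")
    return any(digits.startswith(p) for p in HIGH_RISK_PREFIXES)


def detect_toll_fraud(cdr_text: str) -> list:
    """Return alert dicts {"rule", "ext", "detail"} for suspicious CDRs."""
    alerts = []
    intl_minutes = defaultdict(float)          # (ext, date) -> minutes
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.fromisoformat(row["start"])
        ext, dialed = row["ext"], row["dialed"]
        minutes = int(row["seconds"]) / 60.0

        # Rule 1: any call to a premium / satellite style destination.
        if is_high_risk(dialed):
            alerts.append({"rule": "high_risk_destination", "ext": ext,
                           "detail": f"{dialed} at {start.isoformat()}"})
        if is_international(dialed):
            intl_minutes[(ext, start.date())] += minutes
            # Rule 2: international calls placed when the office is closed.
            if start.hour in NIGHT_HOURS:
                alerts.append({"rule": "after_hours_international", "ext": ext,
                               "detail": f"{dialed} at {start.isoformat()}"})

    # Rule 3: international volume per extension per day above the ceiling
    # (the "bill 100 times the usual size" symptom, caught before the bill).
    for (ext, day), minutes in sorted(intl_minutes.items()):
        if minutes > MAX_DAILY_INTL_MINUTES:
            alerts.append({"rule": "international_minutes_spike", "ext": ext,
                           "detail": f"{minutes:.0f} international minutes on {day}"})
    return alerts


def flagged_extensions(cdr_text: str) -> set:
    """Extensions with at least one alert: the set to restrict and investigate."""
    return {a["ext"] for a in detect_toll_fraud(cdr_text)}


if __name__ == "__main__":
    for alert in detect_toll_fraud(SAMPLE_CDRS):
        print(f"{alert['rule']:<28} ext {alert['ext']}: {alert['detail']}")
```

In a live deployment the same rules would run against the PBX or SBC CDR feed as it is written, so that an affected extension can be restricted within minutes rather than after the monthly invoice.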

5 Some interesting findings
2013 global fraud loss estimation: 46.3 billion US dollars annually
94% global fraud loss increase from 2011
Top 5 fraud methods:
Subscription Fraud 5.22 $B
PBX Hacking 4.42 $B
Account Takeover / Identity Theft $B
VoIP Hacking 3.62 $B
Dealer Fraud 3.35 $B
Top 5 fraud types:
Roaming Fraud 6.11 $B
Wholesale Fraud 5.32 $B
Premium Rate Service 4.73 $B
Cable and Satellite Signal Theft $B
Hardware Reselling 2.96 $B
For more information please visit:

6 How many Fraud Incidents per month
For more information please visit:

7 So SECURITY IS IMPORTANT

8 A typical enterprise environment
[Diagram: remote users reach applications over VPN through the Internet and the application firewall; the data center holds storage and the application/server farm; the corporate network has PC/workstations, corporate Wi-Fi and BYOD Wi-Fi; a router carries SIP trunks to the SP SBC / IMS over the SP provider MPLS; enterprise remote offices and remote locations connect over the same MPLS.]

9 A typical enterprise environment Possible attacks
[Diagram: the same enterprise environment as on slide 8, with the possible attack points marked: the Internet-facing application firewall and VPN access, the SIP trunks to the SP SBC / IMS over MPLS, the remote offices, and the corporate and BYOD Wi-Fi.]

10 Application Specific Security
[Diagram: an application-level security proxy (policy application, threat protection, privacy, access control) sits with the enterprise SBC behind the firewall. Caption: Complements Existing Security Architecture.]

When we talk about comprehensive application-layer security, you can relate to it by looking at the other types of applications being secured in the enterprise. For example, enterprises deploy proxies to scan all traffic entering the enterprise, looking for viruses and security threats. Similarly, web traffic is often secured via a proxy that is looking for unsafe traffic or enforcing corporate policies on web traffic. In both those examples, the proxy function can introduce slight delays in the forwarding of traffic, because neither application is expected to perform in strict real time.

Just like a proxy is used for those applications, the Unified Communications and VoIP applications also need a proxy function to be properly secured. And unlike those other functions, the appliance performing that proxy function must operate in real time, because UC applications like VoIP, video conferencing, telepresence, instant messaging and collaboration cannot be delayed in any significant way. The Avaya Session Border Controller Advanced for Enterprise appliance serves as that proxy for UC. With the Avaya SBCE architecture and platform specifications, key security functions can be performed on traffic with only 10 milliseconds of latency for signaling and 50 microseconds of latency for media.

It is important to note that the Avaya SBCE does not replace your existing firewalls or data and network layer security devices. Instead, it augments and complements them. For example, your firewalls may have ports opened to allow VoIP and UC traffic to proceed through unimpeded, but this means nothing is actively scanning that traffic to look for threats or intrusion. Avaya SBCE fills that gap by conducting active, real-time proxying, IDS, and firewalling on the traffic that your network firewall just passes through.

11 SIP trunk: what is it?
Session Initiation Protocol (SIP)
Controls multimedia communication sessions such as voice, instant messaging, video, etc.
Many types of devices (computers, phones, video equipment, etc.) can exchange data over SIP
SIP is considered a quality protocol with the flexibility to support integrated voice and data communications
SIP Trunking
Virtual voice channels (or paths) over an Internet Protocol (IP) network
Delivered over an IP connection
One SIP trunk can support many direct inward dial (DID) extensions

12 SIP Trunk
[Diagram: data center (storage, application/server farm) and corporate network (PC/workstations, corporate Wi-Fi, BYOD Wi-Fi); a router carries the SIP trunks to the SP SBC / IMS over the SP provider MPLS; signaling and voice paths are shown.]

In almost all cases you need to have MPLS access to the Service Provider.
The Service Provider needs to get access to your network to access the IP PBX.
Issue: is MPLS secure?

13 MPLS is NOT secure "When looking to move to an MPLS VPN solution, many customers downplay the threats to the security of the transmission path and instead put their full trust in the security of the service provider. The attacks shown in this report make it clear that MPLS VPN customers who need confidentiality and integrity beyond what a public network provides must look to implement some form of encryption at the endpoints to provide complete protection."

14 SIP Trunk
[Diagram: as on slide 12, with an enterprise SBC placed between the SP provider MPLS and the corporate network; signaling and VoIP are shown encrypted, and the direct paths from the MPLS into the network are crossed out.]

In almost all cases you need to have MPLS access to the Service Provider.
The Service Provider needs to get access to your network to access the IP PBX.
Issue: is MPLS secure?
Solution: put an SBC in between the MPLS and your network to hide your environment. Voice encryption can then be activated.

15 Four Reasons you need an SBC
Security. Privacy. Interoperability. Demarcation.

Session Border Controllers perform a number of functions. Organizations are not always clear on why they are required. Here are 4 critical functions an SBC performs. These may look like technical requirements, but they are critical to your business.

Security is always applied to other electronic communications technologies. You always have a firewall and web proxies. Why would VoIP be different? To ensure your organization is secure and operating within its compliance requirements, you need to ensure security policy is applied to UC, which is another form of electronic communication. Your reputation, intellectual property, staff and customer records depend on it.

Privacy. Eavesdropping is the common view on UC and privacy; however, keeping your applications and systems hidden from the outside is equally critical.

Demarcation. If you have a loose border, where does your network end and another begin? How do you police access and capabilities across your network? Who accesses what, when and how? In conjunction with privacy, it clearly defines your sphere of control.

Interoperability. In an ideal world vendors would support SIP in a rigid and fixed way, ensuring seamless interoperability. Unfortunately this is not the world we live in. The SBC provides a single common interface to the outside world and your internal systems. Interfaces on both sides can be configured to support many different flavors of SIP and translate between them: an interoperability demarcation point.

16 SIP Interoperability, is it really a problem?
[Diagram: without an SBC, each application (recording, IVR, SIP PBX, telepresence, conferencing, video, contact center, WFO, FMC) is tested separately against SIP Provider 1 through the router/firewall (multiple service provider tests); with an SBC, a single service provider test covers them all. SIP signaling paths are shown.]

How complex and risky would you like your SIP trunk implementation to be? As new applications and capabilities are added to your organisation, many will benefit from SIP connectivity. Do you want to test every application to make sure it works well with your SP? Do you really want to make bespoke configurations for every application? Then the SP needs to update their core SBC. Will all the applications still work? Will they have the same capabilities? What happens if your IVR needs to be upgraded for new features or security fixes? Will it work with the SP SBC? How do you test that? What happens if it doesn't work?

The SBC acts as a key enabler to interoperability. It has the relationship with the SP, and you have control over how your applications talk to the SBC. You can easily test your applications with the SBC in a controlled or lab environment.

17 SIP Interoperability, Multiple Service Providers??
[Diagram: as on slide 16, now with SIP Provider 1 and SIP Provider 2. Without an SBC every application (recording, IVR, SIP PBX, telepresence, conferencing, video, contact center, WFO, FMC) must be tested against each provider (multiple service provider tests); with an SBC only two service provider tests are needed. The speaker notes repeat those of slide 16.]

18 SIP Privacy, is it really a risk?
[Diagram: with only a router/firewall, an outsider on the SIP trunks says "I can see session information from all these apps & systems" (recording, IVR, SIP PBX, telepresence, conferencing, video, contact center, WFO, FMC); with an SBC, "I can only see the SBC. It is hiding the network topology." SIP signaling paths are shown.]

A router/firewall combination will pass any traffic it thinks is valid. It may fix up some NAT issues, but the sessions are still connecting applications directly to the SP SBC. If an unsavoury person were to gain access to the network, they would be able to see the session information, devices and applications being used. This information can then be used to exploit vulnerabilities in those applications and devices, which can allow a hacker to gain further access into your networks. The SBC controls access and, importantly, hides the topology of the network behind it, ensuring that hackers cannot identify individual components and users.

19 Why do I need an SBC? Here is one reason: SIP REFER
[Diagram: demarcation and privacy. SIP trunks UK and SIP trunks USA (annotated £?, £?, $?), a router/firewall at each site, an SBC, SIP PBX UK and SIP PBX USA; SIP signaling and voice paths are shown.]

This slide shows a sequence of call scenarios.

Without SBC:
1. An inbound call arrives and the ASM tells the SIP provider to pass the RTP stream to a specific phone. The phone is connected directly to the external media stream.
2. The user wishes to transfer to a colleague in the same office. The transfer request is sent to the ASM, which asks the SP to redirect media to another phone. The SP now knows more about the organisation and the call.
3. The second party decides that the call needs to be transferred to someone in the USA, presses transfer and keys in a USA number. The ASM signals across to the USA phone and asks the SP to redirect media to the USA phone. The SP makes a routing decision and passes the call to the USA phone. At best the SP knows you have sent the call to another country; at worst it may charge for the service.

With SBC:
4. The inbound call reaches the SBC, which checks and secures the information and opens a socket for media. Media arrives at the SBC, which anchors it and sends it to the phone.
5. The user decides to transfer to the USA. Signalling between the ASMs sets up the call. The ASM asks the SBC to redirect media to the USA phone across the internal network. The SP has no knowledge of this transfer, cannot charge for it, and has no idea of the internal topology.
6. Signalling to the ASM/CM is secured by the SBC. Media is secured from the SP to the phone.

20 Are Routers & Firewalls protecting your UC traffic?
[Diagram: SIP denial of service ("Let's keep ringing them up!") and SIP protocol fuzzing ("Or send bad SIP requests!") arrive over the SIP trunks at a router/firewall, behind which sits the SIP PBX; the SIP signaling path is shown.]

With no SBC, a firewall may be SIP aware and be able to deal with NAT issues inside the SIP headers and deliver the signalling and media to the endpoints. However, the call server has to have a direct SIP session relationship with the Service Provider, and the handset is getting RTP or SRTP directly from the SP. Yes, the firewall can inspect some aspects of the packet, but not the detail.

21 An SBC will protect your UC traffic
[Diagram: an SBC protecting the UC infrastructure behind the router/firewall; security and demarcation at the SIP trunks; "DoS and fuzzing not working!"; SIP PBX; SIP signaling and voice paths are shown. The speaker notes repeat those of slide 20.]
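The two checks that slides 20 and 21 attribute to an SBC, rejecting malformed (fuzzed) requests before they reach the call server and rate limiting REGISTER floods per source, as an added Python example that is not code from the presentation or from any SBC product; the RFC 3261 mandatory-header rule is real, while the thresholds, the TEST-NET sample addresses and the log layout are assumptions.

```python
"""SIP trunk edge checks: malformed-request (fuzzing) rejection and REGISTER
flood rate limiting over a constructed SIP request log.

Added example; not code from the original presentation or from any SBC
product. Thresholds, TEST-NET sample addresses and log layout are assumptions.
"""
import re
from collections import defaultdict, deque

# RFC 3261 section 8.1.1: a valid request MUST contain these header fields.
MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
MAX_HEADER_VALUE_LEN = 256                   # assumption: longer = fuzzing
REGISTER_LIMIT, WINDOW_SECONDS = 20, 10.0    # assumption: >20 per 10 s per IP


def validate_request(raw: str) -> list:
    """Return the defects found in one SIP request; an empty list is well-formed."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["bad request line"]
    method, defects, headers = m.group(1), [], {}
    for line in lines[1:]:
        if line == "":
            break                             # blank line ends the headers
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            defects.append(f"unparseable header line {line[:40]!r}")
            continue
        if len(value) > MAX_HEADER_VALUE_LEN:
            defects.append(f"oversized {name.strip()} header ({len(value)} bytes)")
        headers[name.strip().lower()] = value.strip()
    for h in MANDATORY_HEADERS:
        if h not in headers:
            defects.append(f"missing {h.title()} header")
    cseq_method = headers.get("cseq", "").split()[-1:]   # [] when absent
    if cseq_method and cseq_method[0] != method:
        defects.append(f"CSeq method {cseq_method[0]!r} != {method!r}")
    return defects


class RegisterFloodDetector:
    """Sliding-window count of REGISTER requests per source address."""

    def __init__(self, limit=REGISTER_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)        # src -> timestamps inside window

    def observe(self, src: str, ts: float) -> bool:
        """Record one REGISTER; True when the source now exceeds the limit."""
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def sip_request(method: str, host: str, call_id: str, **extra) -> str:
    """Build a minimal well-formed request for the constructed sample log."""
    hdrs = {"Via": f"SIP/2.0/UDP {host}:5060;branch=z9hG4bK{call_id}",
            "From": "<sip:2041@sip.example.com>;tag=a1",
            "To": "<sip:2041@sip.example.com>", "Call-ID": call_id,
            "CSeq": f"1 {method}", "Max-Forwards": "70", **extra}
    return "\r\n".join([f"{method} sip:sip.example.com SIP/2.0"]
                       + [f"{k}: {v}" for k, v in hdrs.items()] + ["", ""])


# Constructed sample log: (timestamp, source IP, raw request).
SCANNER, PHONE = "198.51.100.7", "203.0.113.5"
SAMPLE_LOG = (
    [(1.0, PHONE, sip_request("REGISTER", PHONE, "ok-1"))]
    # scanner: 30 REGISTERs in 3 seconds from one address
    + [(10.0 + i * 0.1, SCANNER, sip_request("REGISTER", SCANNER, f"scan-{i}"))
       for i in range(30)]
    # fuzzing attempts: missing headers, an oversized header, and binary junk
    + [(14.0, SCANNER, "INVITE sip:sip.example.com SIP/2.0\r\nFrom: x\r\n\r\n"),
       (14.1, SCANNER, sip_request("INVITE", SCANNER, "fz-1",
                                   Contact="<sip:" + "A" * 400 + "@x>")),
       (14.2, SCANNER, "\x00\x00garbage"),
       (15.0, PHONE, sip_request("INVITE", PHONE, "ok-2"))]
)


def analyse(log) -> dict:
    """Classify every request; returns what was rejected and who was rate limited."""
    flood = RegisterFloodDetector()
    malformed, blocked = [], set()
    for ts, src, raw in log:
        defects = validate_request(raw)
        if defects:
            malformed.append((ts, src, defects))
            continue                          # never forwarded to the call server
        if raw.startswith("REGISTER") and flood.observe(src, ts):
            blocked.add(src)
    return {"malformed": malformed, "blocked_sources": blocked}
```

Both checks are stateful and run on every message, which is the "real-time, state-based" property the deck says an ordinary data firewall lacks.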

22 An SBC will protect your UC traffic
[Diagram: a Session Border Controller (back-to-back user agent) between the SIP trunks and the SIP PBX, providing Security, Privacy, Interoperability and Demarcation. The speaker notes repeat those of slide 20.]

23 Comparison SBCs vs. Firewalls with SIP ALGs
Session Border Controller (back-to-back user agent):
Fully state-aware at layers 2-7
Inspects and modifies any application layer header info (SIP, SDP, etc.)
Can terminate, initiate, re-initiate signaling and SDP
Static and dynamic ACLs

Firewall with SIP ALG:
Maintains a single session
Fully state-aware at layers 3 and 4 only
Inspects and modifies only application layer addresses (SIP, SDP, etc.)
Unable to terminate, initiate, re-initiate signaling and SDP
Static ACLs only

[Diagram: in each case a data center with IP PBX and UC server sits behind the device, which connects to SIP trunking. Source: Acme Packet.]

24 VoIP Security is Different
Layer 3 attack; Layer 4 attack; OS attack; Application attack
SIP protocol fuzzing
SIP denial of service / distributed denial of service
SIP spoofing
SIP advanced toll fraud (call walking, stealth attacks)
Remote worker; media replication; signaling/media encryption

So when we say that VoIP and UC security are different, what do we mean? Very simply, the security architecture that was designed for the IP network and the data applications that came before does not have the performance capabilities or the application awareness needed to properly secure VoIP and UC. For example, VoIP and UC are real-time, and so no lengthy processing of the signaling or content can take place without affecting performance. In contrast, and web traffic can be subjected to relatively lengthy security scans and not create a problem for users.

UC is converging multiple applications that used to be separate into a single infrastructure. Users don’t even realize in many cases that their voice traffic is no longer riding a separate, segregated network, but is mingling with all manner of applications. UC and VoIP often utilize untrusted networks for transport, especially the Internet for connecting remote offices or employees on the go. It is trivially easy for someone to hop from one application to another in this new converged infrastructure. Tools for jumping VLANs can be found all over the Internet for free download.

A benefit of UC and VoIP is that it dramatically reduces communication costs both internally and externally, and it makes it easier to adopt new devices and new applications. But this flexibility also makes it a lot easier for attackers to mask their identities and gain access to corporate resources, and for new and unknown risks to be introduced by these new smart devices.

Edited copy:
UC security must operate in real-time to maintain performance … unlike , web or other application-layer security functions
Users believe from habit that applications are already secure; their guard is down, open to attack
Enterprise information is exposed to third-party systems, the open Internet and Cloud-based applications out of the enterprise’s control; compliance violations
Easy to “hop” and use one application vector to attack other systems
Easy and cheap to mask identity, spoof another identity, trick unsuspecting users
Corporate information can be compromised on smartphones, tablets and other devices; employees increasingly use personal devices; smarter end-point devices are malware targets
VoIP security is different: real-time vs. store-and-forward; state-based vs. state-less; behavior attacks vs. discrete attacks
Data firewall and Intrusion Detection / Prevention are great for data security, but not for real-time UC traffic
SBCE provides SIP-specific enterprise UC security
SBCE Advanced means the advanced features of SBCE, which are remote worker, media replication and signaling/media encryption
Other SBC vendors do not have VoIP vulnerability research organizations
[Diagram: the attack layers mapped against Firewall, IDS / IPS, IP-PBX, SBCE Standard and SBCE Advanced; caption: “…requires intimate knowledge of VoIP and call states”.]

25 Remote Users
[Diagram: the enterprise environment as on slide 8, annotated: remote users access via VPN; access via the application firewall for applications as , etc.; access via SIP for SIP users over the SIP trunks and the SP provider MPLS.]

26 Access Control: X.509 Certificate Based Mutual Authentication
[Diagram: a Remote Phone on the Internet, the SIP IPCS at the border, and the IP PBX on the Intranet. Step 1: install the CA root and certificates on each side (root certificate: issuer XYZ, subject XYZ; phone certificate: issuer XYZ, subject DeviceName; IPCS certificate: issuer XYZ, subject Company-name). 2a: the phone sends its certificate and a certificate request; 2b: the IPCS sends its certificate. 3: SIP request. 4: validated SIP request forwarded to the IP PBX. The IPCS validates the SIP domain against the certificate subject name.]

What’s the issue: only authorized users/devices should be allowed access.
Why does it matter: once a device is authenticated, validating the user identity associated with the device is the key, or it can be exploited.
What is unique: IPCS is the only product which integrates into the certificate/trust/PKI infrastructure of the large vendors (Avaya, Cisco). IPCS validates the SIP application identity against the certificate identity, unlike VPNs.
How does it work: different vendors use different technologies. IPCS integrates with the Cisco CTL infrastructure with Aladdin SAST tokens. IPCS integrates with the Avaya infrastructure by installing certificates and proxying SCEP to a CA (such as Microsoft).
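The "validate SIP domain against certificate identity" step of this slide, as an added Python example that is not code from the presentation or from Avaya's IPCS or SBC: after the TLS layer has verified the client certificate chain against the installed CA root, the From-URI of each SIP request is compared with the certificate's subjectAltName (or, only when there is no SAN, the subject CN), and optionally with the full address-of-record, so that an authenticated device cannot claim another user's SIP identity. Certificates are assumed to arrive in the dict layout that Python's ssl.SSLSocket.getpeercert() returns, and all certificate and request values are constructed.

```python
"""Mutual-TLS access control for remote SIP endpoints: binding the SIP
identity in the request to the identity in the client certificate.

Added example; not code from the original presentation or from Avaya. The
TLS chain check (step 1 on the slide) is assumed done; certificates use the
dict layout of ssl.SSLSocket.getpeercert(); all values are constructed.
"""
import re

# From header: optional display name and "<", scheme, optional user@, host.
FROM_URI = re.compile(
    r"^From:\s*(?:[^<\r\n]*<)?sips?:(?:([^@>\s;]+)@)?([A-Za-z0-9.\-]+)", re.I | re.M)


def cert_identities(cert: dict):
    """Return (domains, aors) that a decoded certificate asserts.

    SAN dNSName entries give domains; SAN URI entries with a sip/sips scheme
    give addresses-of-record (and their domain). The subject commonName is
    consulted only when the certificate carries no SAN at all (RFC 5922).
    """
    domains, aors = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            domains.add(value.lower())
        elif kind == "URI" and value.lower().startswith(("sip:", "sips:")):
            aor = value.split(":", 1)[1].lower()
            aors.add(aor)
            domains.add(aor.rsplit("@", 1)[-1])
    if not cert.get("subjectAltName"):
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    domains.add(value.lower())
    return domains, aors


def sip_from(request: str):
    """(user, host) from the From header, or None if absent or unparseable."""
    m = FROM_URI.search(request)
    return None if not m else ((m.group(1) or "").lower(), m.group(2).lower())


def authorize(request: str, cert: dict, require_aor: bool = False):
    """Decide whether the TLS client may send this SIP request; (allowed, reason)."""
    parsed = sip_from(request)
    if parsed is None:
        return False, "no parseable From header"
    user, host = parsed
    domains, aors = cert_identities(cert)
    if require_aor:                      # device certificates: match the whole AoR
        if f"{user}@{host}" in aors:
            return True, f"From AoR {user}@{host} matches a SAN URI"
        return False, f"From AoR {user}@{host} not in certificate AoRs {sorted(aors)}"
    if host in domains:                  # domain certificates: match the SIP domain
        return True, f"From domain {host} matches the certificate"
    return False, f"From domain {host} not in certificate identities {sorted(domains)}"


# Constructed certificates in getpeercert() layout (chain already verified).
PHONE_CERT = {                            # device certificate from slide step 1
    "issuer": ((("commonName", "XYZ"),),),
    "subject": ((("commonName", "DeviceName"),),),
    "subjectAltName": (("DNS", "sip.example.com"), ("URI", "sip:2041@sip.example.com")),
}
LEGACY_CERT = {                           # no SAN: CN fallback applies
    "issuer": ((("commonName", "XYZ"),),),
    "subject": ((("commonName", "sip.example.com"),),),
}
OTHER_CERT = {                            # valid chain, but for a different domain
    "issuer": ((("commonName", "XYZ"),),),
    "subject": ((("commonName", "DeviceName"),),),
    "subjectAltName": (("DNS", "voip.example.net"),),
}

# Constructed SIP requests arriving over the mutually authenticated TLS session.
REGISTER_2041 = ("REGISTER sip:sip.example.com SIP/2.0\r\n"
                 'From: "Phone 2041" <sip:2041@sip.example.com>;tag=1\r\n'
                 "To: <sip:2041@sip.example.com>\r\n\r\n")
REGISTER_AS_1000 = REGISTER_2041.replace("2041", "1000")   # identity claim mismatch
```

The domain-only check lets REGISTER_AS_1000 through with PHONE_CERT, while the require_aor check rejects it; that difference is the "validating the user identity associated with the device" point the slide makes.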

27 Remote Worker: VPN vs VPNless Endpoints
VPN Endpoint:
VPN headers add additional size to traffic; in aggregate this reduces bandwidth.
Encrypts traffic, yet does not validate it (encrypting and distributing a virus isn’t helpful).
No ability at the VPN head-end to distinguish between voice and data traffic; ultimately voice quality suffers.
Cumbersome user experience for real-time communication applications.

VPNless Endpoint:
TLS/SRTP encrypts the traffic with a smaller bandwidth footprint than VPN.
Signaling and media are decrypted at the SBC and inspected at Layer 7 to validate the traffic before it is allowed through.
Numerous policies allow Enterprise control of endpoints.
Consistent user experience for applications.

28 Remote Users
[Diagram: the enterprise environment as on slide 8, annotated: secure Wi-Fi via VPN; secure remote users via VPN through the application firewall.]

29 Office Users
[Diagram: the enterprise environment as on slide 8, annotated: signaling encrypted; VoIP encrypted; identity control to put the user in the correct VLAN.]

30 Customers Facing Rapid Technology Change
More collaboration and mobile devices… more enterprise security threats
802 million tablets by 2016
Mobile projects will outnumber PC projects 4:1
400% increase in dedicated video soft clients by 2016
30% increase in mobile enterprise investments through 2015
16% of enterprises will be cloud based by 2015
Source: Gartner

Why now is the time for Unified Communications? The growing demand for unified communications and collaboration (UC&C) solutions is a key part of the overall rebound in technology spending since the financial downturn. According to the technology research firm IDG, UC&C solutions are “poised to become ubiquitous.”2 In a survey of over 1,000 IT and business professionals, IDG found 60% of them planning to implement or upgrade existing UC&C solutions within the next three years. Another analyst projects an 11.2% growth rate in enterprise investments in UC&C through

Mobility is a huge factor in the growth of UC&C: the growing presence of smartphones, tablets and other mobile devices in the enterprise took place despite the historically challenging economic environment. But other factors are also playing a major role:
Business is virtual: the four walls of the enterprise no longer come even close to defining it. Your employees, partners, suppliers and customers can be anywhere. How easy you make it to connect and collaborate increasingly defines who and what you are as a business.
Generational shift: the exit of the Baby Boomers and the rise of the Millennials means more and more people who expect the latest mobile and social networking solutions.
Global competition: new marketplace entrants in Asia and Latin America, unencumbered by legacy systems, take UC&C for granted.
Being green: UC&C solutions have demonstrated proven performance in reducing commuting and business travel.
Video: video has moved out of dedicated facilities and across the enterprise through casual, cost-effective use on the desktop and on the go, delivering on an expectation that has been talked about for decades.

As a result of these and other factors, while enterprises may differ in the timing of their move to UC&C (according to IDG, the larger the organization, the faster the move), it’s no longer a question of “if” but “when.”

Enterprises are under constant security threats. Increased usage of collaboration tools means security threats are more of a concern, and these threats are different from in the past. Threats now include:
Denial of Service attacks, including call/registration overload and/or malformed messages (also called fuzzing)
Vulnerability from configuration errors such as misconfigured devices or operator and application errors
Theft of service via unauthorized users or unauthorized media types
Viruses via SIP messages
Malware via IM sessions
SPIT or unwanted traffic

31 Office Users (BYOD)
Diagram labels: Access to Applications, Remote User, VPN, Switch, Data Center (Storage, Application/server farm), Internet, Enterprise remote locations, Application Firewall, PC / Workstation, Router, SIP Trunks, SP provider MPLS, Enterprise remote offices, Corporate Network, Corporate Wifi, BYOD Wifi
Identity control to put the user in the correct VLAN
Check OS etc.
Only access to office applications via SBC/firewall

32 The full secure Network
Diagram labels: Access to Applications, Remote User, VPN, Switch, Data Center (Storage, Application/server farm), Internet, Enterprise remote locations, Application Firewall, PC / Workstation, Router, SIP Trunks, SP SBC, IMS, SP provider MPLS, Enterprise remote offices, Corporate Network, Corporate Wifi, BYOD Wifi

33 Risk Management: Seeking Balance

34

35 4/13/2017 Thank You

36 What can Avaya do for you here?

37 Enterprise Collaboration Platforms
Clients and Devices Video & Conferencing Avaya Messaging Service Mobile Clients Desktop Video Client Applications & Contact Center Collaboration Environment Speech Analytics Multi-Channel Self-Service Avaya Aura Conferencing Collaboration Platforms Switched Video & Conferencing IP Office Low Bandwidth High Definition Video ACA Session Border Controller Networking Top of Rack High Availability Multicast Video Surveillance Identity Engine SPB / Fabric Connect Managed Services & Support UC & CC Managed Services SLA Mon Technology Avaya Diagnostic Server Avaya Automated Chat

38 Where can Avaya help you?
Avaya multilayer security in the UC/CC world:
Full data network (edge to core)
SPB Stealth Network (for LAN and WAN): fully separated networks depending on the organization
Avaya SBC for the enterprise, for full SIP security
Identity Engines (so that every user/device is in the correct secured network)

39 Avaya’s Multilayer Security Strategy
Secure by Design
Secure deployment strategy
Separates UC applications & servers from the enterprise production network
Trusted communications framework with trust relationships for Administration, for Managing Elements, SIP Elements & Enterprise Network
Authentication & Authorization framework
Security Built-In
Hardened Linux OS with inherent security features
Secures mission-critical applications and protects
Reduces the potential Linux “attack surface” by limiting access to ports, services and executables
Security updates
Denial of Service protection mechanisms
Least privileges
Digital certificates
Insecure protocols disabled
Secure Communications
Standard security protocols & trust relationships protect access and transmissions
Encrypted communications protect media, signaling & management traffic
Ensure protection of sensitive information
IP endpoints can authenticate to network infrastructure
Use of Avaya’s multilayer security strategy prevents security violations and attacks

40 Avaya’s Product Security Strategy
Protect all UC / CC components to ensure optimal uptime and protection of sensitive information:
System Hardening
Input Validation
Firewall & Denial-of-Service Protection
Standards Based Encryption
Avaya Security Advisories
Secure Customer Integration: integrate securely into the customer network to minimize infrastructure expense, maximize efficiency and transparently enable unified communications:
RADIUS / LDAP Integration (AAA)
Network Firewall / SBC Interoperability
Endpoint Authentication
Certificate Mgmt / PKI
Certification and Assurance: validate product functionality & facilitate secure UC implementation:
Common Criteria, JITC
Vulnerability Assessment
Security Documentation
Government Regulations: HIPAA, GLBA, SOX, PCI
Internal Security Standard reflects “Secure By Design”: consistent protection across Avaya products

41 The full network Architecture
Diagram labels: Collaboration Pod, VSP 9000, VSP 7000, ERS 8000, Identity Engine, VSP 8000, ERS 4000/5000, WLAN 9100, VSP 4000, WLAN 8100, ERS 3000
Start with Fabric Connect-enabled infrastructure switches
Add Fabric Connect access switches
Use Fabric Attach for Avaya and 3rd party devices

We’ve covered a lot in a short amount of time. Let me just recap the formula for a foundational infrastructure for next generation applications and services. First, start with a Fabric Connect-enabled core infrastructure. Second, add Fabric Connect access switches. Third, use Fabric Attach for Avaya and 3rd party devices. We are confident that you will have the same great experiences that our customers that have done this have. Have a great show.

42 From Complex, Rigid and Cumbersome Networks
Diagram: today’s network (server access, data center core, campus core, edge distribution) built from STP, MSTP, RSTP, FlexLink, OSPF, static routes, BGP, PIM-SM/DVMRP, VRF, SMLT/RSMLT and VLACP/SLPP, with VLANs provisioned hop by hop
To Simple, Agile and Resilient Networks
Fabric Connect: IEEE 802.1aq / RFC 6329

This slide shows visually the points that we’ve been making: the huge suite of protocols in today’s networks and how this can be streamlined into one technology with Avaya Fabric Connect. It also shows that instead of having to provision the services hop by hop, which is time consuming and error prone, when we evolve to our Fabric Connect private cloud network the core of the network is essentially invisible, as services are enabled at the edge only. You build the core one time and then you don’t touch it. This is of huge value to the customer because a configuration error in their core can be catastrophic, impacting multiple applications and multiple users. Also, designing the network is much easier: you can place services wherever you need them rather than being limited to strict design rules. If we talk specifically about multicast, multicast can be complex to configure; you have to configure bootstrap routers, rendezvous points and so on. With Fabric Connect all services including multicast are enabled at the edge only. And because we’ve eliminated traditional multicast protocols we eliminate the need for the complex additional configuration.
2010 Avaya Inc. All rights reserved.

43 What is a “Stealth” Network
Any network that is enclosed and self-contained with no reachability into and/or out of it. It also must be mutable in both services and coverage characteristics.
The common comparable terms used are MPLS IP-VPN, Routed Black Hole Network, IP VPN Lite.
Avaya’s Fabric Connect, based on IEEE 802.1aq, provides fast and nimble private networking circuit-based capabilities that are unparalleled in the industry.
“Stealth” Networks are private ‘dark’ networks that are provided as services within the Fabric Connect cloud:
L2 Stealth: a non-IP addressed L2 VSN environment
L3 Stealth: a L3 VSN IP VPN environment

Avaya’s Fabric Connect is an enhanced implementation of IEEE 802.1aq Shortest Path Bridging. Fabric Connect can offer a series of ‘circuit’ based services that can be either layer two or layer three depending on requirements. These circuits are constructs known as I-SIDs, or I-Component Service Identifiers. If these services are used in the proper fashion they can yield what are termed Stealth Networking Services. A Stealth network is any network that is enclosed and self-contained with no reachability into and/or out of it. It also must be mutable in both services and coverage characteristics. The common comparable terms used are MPLS IP-VPN, Routed Black Hole Networks, IP VPN Lite. Avaya’s Fabric Connect, based on IEEE 802.1aq, provides fast and nimble private networking circuit-based capabilities that are unparalleled in the industry and do not require complex mixes of protocols or design practices. Hence, “Stealth” Networks are private ‘dark’ networks that are provided as services within the Fabric Connect cloud. They come in two different forms:
A layer 2 Stealth: a non-IP L2 VSN environment
A layer 3 Stealth: a L3 VSN IP VPN environment

44 Competition’s Interdependent legacy protocols
Superior Virtual Networking Use Case – Multi-Tenancy: Transportation Industry
Competition’s interdependent legacy protocols: Extremely complicated; Practically un-scalable; Error prone; Static model
Avaya Fabric Connect: Highly scalable; Agile configuration; Simple troubleshooting; Highly dynamic
Tenant networks shown: Financial (PCI), Federal Aviation, Luggage System, Guest Access

Presentation Dialogue:
Beyond security, companies have a great need to separate services. Think of an airport. Traffic from vendors, the Federal Aviation Administration, individual airlines, baggage, and guests MUST be isolated. Think of a hospital, a university, or government agencies. A fairly common way that this has been done in the past is to build separate infrastructures for each. Another way to do it is [click x 4 – for each configured legacy pathway] to configure separate paths all the way through the network. As you can see, this would get complicated, wouldn’t scale, and would become error prone really easily. [click] However, what if provisioning a virtual network was as simple as (in most cases) one command per switch? What if you didn’t have to worry about anything else? Scaling is no problem, troubleshooting is simplified, and now the vision of robust virtual networking can be met. We have our own great case study for this. In 2013, Avaya was the provider for one of the largest temporary networks in the world, InteropNet for Interop, the leading networking technology show in the world. With only 4 engineers and in three days the network was set up in 1/10 the time of the two prior years with other vendors.
InteropNet Case Study Claim Information: “Four system engineers completed the network installation in three days -- 1/10 the resources of previous events.” Wall Street Journal press release: “InteropNet 2013: Unbreakable! Avaya Fabric Connect Delivers on All Fronts” May 15,

45 Use Case Requirements for “Stealth” Networks
Networks that require isolation and security:
PCI compliance
HIPAA compliance
Financial Exchanges
Video Surveillance (Unicast or Multicast)
SCADA control networks
Networks that require services separation:
Multicast, particularly video surveillance
Bonjour
SCADA

There are many uses for Stealth networks, but they basically fall into two categories. First, networks that require security and isolation. Examples are PCI & HIPAA compliance, financial and trading applications, video surveillance and process flow control environments such as those facilitated by SCADA-type protocols. Second, networks that require services separation such as multicast, Bonjour and SCADA. As an additional note, Stealth networks effectively provide for both requirement categories. While this presentation is focused on PCI-DSS, these services can be used for other closed, service-separated networking requirements such as those for HIPAA (Health Care) and CIP/NERC (Energy Regulatory).

46 Anatomy of a Layer 2 Stealth Network
A SPB I-SID that is associated with end VLANs
No IP addresses assigned*
Provides for a closed non-IP or single-subnet IP based network
Typically used within the Data Center for PCI-DSS systems (*IP addresses can be used behind the security perimeter)
Diagram: Fabric Connect Cloud carrying one I-SID between two VLANs, each marked “No IP”; labelled Secure L2 “Stealth” Network

The anatomy of a layer 2 stealth network is also very simple. It is nothing more than an I-SID that is associated with VLANs. The VLANs are not given IP addresses, however. As such, a stand-alone layer two network is created where nothing can enter or exit. These are extremely useful to extend secure layer two protocol environments such as SCADA. Layer two stealth (‘dark’) networks allow for the easy and secure distribution of such protocol environments. Additionally, IP can run inside the layer two stealth network, but it is a self-contained IP subnet that is not routed to the outside world. It is in essence invisible. As a result they can be used for secure Data Center usage where IP reachability is not necessarily desirable. Finally, a comparable service in MPLS, known as Layer 2 VPLS, requires roughly 30 to 40 command lines to execute, whereas a Layer 2 Stealth network in Fabric Connect is in essence one command.

47 Anatomy of a Layer 3 Stealth Network (IP VPN)
A SPB I-SID that is associated with end VRFs
Multiple IP subnets: a completely separate & private IP forwarding environment
Provides for a closed IP internet environment
Diagram: Fabric Connect Cloud carrying one I-SID between two VRFs, each with an attached VLAN (Subnet A, Subnet B); labelled Secure L3 “Stealth” Network (IP VPN)

Let’s take a moment and talk about the anatomy of these circuit-based services. The anatomy of a layer three stealth network is actually very simple. It is nothing more than an I-SID (short for I-Component Service ID, basically a SPB circuit) that is associated with VRFs. The VLANs attached to the VRFs are given IP addresses; however, none of the IP subnets are reachable outside of the IP VPN environment. As such, a stand-alone layer three IP internet is created where nothing can enter or exit. It is in essence invisible to the outside world. This service type is useful for any secure layer three protocol environment such as PCI DSS networks, but it is also useful to provide for service separation of possibly conflicting protocol environments, such as in the case of multiple multicast domains.

48 Secure Guest and BYOD Networking Use Case – Unified User Access
Competition’s independent solutions: Multi-vendor solutions; Manual integration; Independent security layers; Wired and wireless access
Identity Engines with Fabric Connect and Fabric Attach: Secure employee and guest access, wired and wireless; Automatic VLAN / QoS / VSN assignment; Single Sign-on for Aura applications; Reporting and analytics for compliance
Zones shown: Employee Mobile Zone, Guest Zone

Presentation Dialogue:
To enable a unified access experience for users today, a multi-vendor collection of various technologies is needed. Most common are collaboration applications like desktop conferencing, network access control, guest access, and a network security layer. [click] Although this combination can work for many companies, there seem to be tradeoffs for each combination. [click] Avaya’s unified access is robust and includes collaboration applications and an elegant automated network-wide security architecture. [click] With Fabric Connect as the foundation, both the user experience and the IT burden can be positive. [click] In this example, a user logs into the network. Based upon her device, medium, and corporate relationship, Identity Engines assigns her to a virtual network, in this case the employee mobile zone. Later, a guest [click] selects the corporate SSID and Identity Engines asks for a mobile number or e-mail address where their customized password can be sent. The user logs on and gets internet access, but no corporate services.
10 Second Case Study claim information: Case study in progress – claim is based off actual user experience at EBC’s.
More solution information:
One of only 2 vendors offering a complete collaboration BYOD solution
Truly vendor-agnostic and unified wired & wireless solution
Granular policies, easy provisioning, guest access in less than 10 seconds
Manage access of any user, any device and Aura application with single sign-on
Optimized and automated end-to-end across Fabric Connect
WLAN 8100 delivers industry leading voice and video scalability over Wi-Fi

49 Controlling Access and Security
Leverage common Identity and Network Access Control capabilities
Identify each device that enters the network and apply rules based on user ID, device ID, device type, connection media, etc.
Then apply policies for the specific network access needed
BYOD devices may not need full access: protected app access
Apply security standards and encryption
Include rich and flexible options for “guest access”
Diagram labels: Identity Engines, Firewall, Secure LAN, Guest VLAN, Controller or Switching Point, Captive Portal, Wireless Access Point, Corporate Laptop, Guest Tablet

50 Access Policies: Identity Engines Role-based Access
Case 1: Employee with corporate laptop
IF (identity = HR employee) AND IF (device = corp laptop) AND IF (medium = wired) THEN GRANT FULL ACCESS
Case 2: Employee with personal iPad
IF (identity = HR employee) AND IF (device = personal iPad) AND IF (medium = wireless) THEN GRANT LIMITED ACCESS
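The two cases on this slide, together with the identity/device/medium rules described on slide 49, as a working policy evaluator. This is an added example written for this page, not Avaya Identity Engines code or configuration: the role names, device types, VLAN numbers and the posture attribute are constructed assumptions, and it generalizes the slide by letting a rule accept a set of device types and by adding a remediation rule for corporate devices that fail a posture check.

```python
"""Identity/device/medium based network access policy (added example).

Models the rule form shown on the slide: first matching rule wins and
decides the access level and the VLAN/VSN the user is placed in.
All rule names, VLAN numbers and attribute values are constructed here,
not Avaya Identity Engines configuration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    identity: Optional[str]   # authenticated role, None for an unauthenticated guest
    device: str               # device type reported by profiling / the supplicant
    medium: str               # "wired" or "wireless"
    posture_ok: bool = True   # result of a posture assessment (OS patch level etc.)


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: dict          # attribute -> required value, or a frozenset of allowed values
    access: str               # "full", "limited", "internet-only", "remediation", "deny"
    vlan: int                 # VLAN / VSN assigned when the rule matches (constructed)

    def matches(self, req: AccessRequest) -> bool:
        """All conditions must hold; a frozenset allows any of several values."""
        for attr, wanted in self.conditions.items():
            actual = getattr(req, attr)
            if isinstance(wanted, frozenset):
                if actual not in wanted:
                    return False
            elif actual != wanted:
                return False
        return True


CORP_DEVICES = frozenset({"corp-laptop", "corp-desktop"})

# Ordered rule base: specific rules first, catch-all deny last.
POLICY = [
    # A corporate device that failed posture goes to remediation before anything else.
    Rule("corp-device-remediation", {"device": CORP_DEVICES, "posture_ok": False}, "remediation", 40),
    # Case 1 on the slide: HR employee, corporate laptop, wired -> full access.
    Rule("hr-corp-wired", {"identity": "hr-employee", "device": CORP_DEVICES, "medium": "wired"}, "full", 10),
    # Case 2 on the slide: HR employee, personal iPad, wireless -> limited (protected app) access.
    Rule("hr-byod-wireless", {"identity": "hr-employee", "device": "personal-ipad", "medium": "wireless"}, "limited", 20),
    # Guest with no corporate identity on wireless -> internet only, no corporate services.
    Rule("guest-wireless", {"identity": None, "medium": "wireless"}, "internet-only", 30),
    # Anything else (e.g. an unknown device on a wired port) is denied.
    Rule("default-deny", {}, "deny", 0),
]


def evaluate(req: AccessRequest, policy=POLICY) -> Rule:
    """Return the first rule whose conditions all hold (the list ends in a catch-all)."""
    for rule in policy:
        if rule.matches(req):
            return rule
    raise RuntimeError("policy must end with a catch-all rule")


def decision_record(req: AccessRequest, policy=POLICY) -> dict:
    """Audit-log style record of a decision, for the reporting/compliance use case."""
    rule = evaluate(req, policy)
    return {
        "identity": req.identity or "guest",
        "device": req.device,
        "medium": req.medium,
        "posture_ok": req.posture_ok,
        "rule": rule.name,
        "access": rule.access,
        "vlan": rule.vlan,
    }


if __name__ == "__main__":
    for req in (
        AccessRequest("hr-employee", "corp-laptop", "wired"),
        AccessRequest("hr-employee", "personal-ipad", "wireless"),
        AccessRequest(None, "guest-tablet", "wireless"),
        AccessRequest("hr-employee", "corp-laptop", "wired", posture_ok=False),
        AccessRequest(None, "unknown", "wired"),
    ):
        print(decision_record(req))
```

Rule order is the policy: the remediation rule sits above the full-access rule so a corporate laptop with a failed posture check never reaches VLAN 10, and the catch-all deny guarantees an unmatched request is never silently admitted.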

51 Authenticated Network Architecture
Diagram labels: Network Abstraction Layer, Directory Abstraction Layer, Reporting & Analytics, Posture Assessment, Guest Access Mgmt, Identity Engines, Access Portal, CASE Wizard, Policy Enforcement Point, Policy Decision Point, Policy Information Point

52 The Solution – Avaya Session Border Controller for Enterprise Portfolio
Industry Leading Enterprise UC Security
Secure VoIP and UC over any network to any device, including smartphones, alternative devices and SIP endpoints
Innovative VPN-less remote worker offering, enabling true BYOD
Price/Performance Optimized for Enterprise & SME
Fit for purpose SME / Enterprise solution, not a repackaged carrier SBC
Scalability: up to 5,000 sessions and more in the near future
High Availability
TCO & ROI
Ease of Implementation & Management
Rapid implementation of safe SIP trunks, remote workers and advanced UC applications
SIP trunks operational in minutes, not months
GUI-based SIP normalization tool
VMware compatible

The technical solution to these challenges is a Session Border Controller. These are the types of things you expect to see in an SBC and why you choose one over, say, a firewall or the other border-protecting devices of which you may be aware. As enterprises are moving rapidly to adopt Session Initiation Protocol (SIP) for connection to service providers (SIP trunks), hosted application providers, extranet partners and remote workers, a common question is: “Since the SIP trunk provider already has an SBC in their network, why does a customer of that provider require an SBC on their premises as well?”

Security
An enterprise SBC provides essential SIP security regardless of whether the public SIP trunk service is delivered as a dedicated connection from the SIP trunk provider or via a shared MPLS network. VoIP is a service that runs on IP, just like e-mail and web browsing. Enterprises do not rely on their Internet Service Providers to protect those services using a central, communal firewall. An enterprise SBC enforces the customer’s unique VoIP security policies, just like an enterprise firewall does for data, and ensures that any regulatory requirements for data security are met.
It provides the enterprise complete network topology hiding, up to Layer 7: all extra-enterprise SIP signaling and RTP media are anchored through the enterprise SBC, mitigating the risk of exposing large ranges of private IP addresses to an externally controlled foreign entity and the associated possibilities of intentional or unintentional (misconfiguration) attack. Unlike an enterprise firewall, an enterprise SBC is specifically designed to parse each SIP message via deep packet inspection and manipulate the SIP headers if necessary to ensure protocol-compliant formatting. The SBC is able to enforce signalling rate limiting and media bandwidth policing and reduce the impact of DoS attacks by using dynamic access lists triggered by behavioral analysis of users and traffic.

Flexibility
Without an enterprise SBC, certain configuration changes may need to be done at the central SBC by the service provider. The service provider’s network operations processes preclude rapid and frequent changes to the central SBC platform configuration, primarily for stability reasons. Most service providers only offer one enterprise-facing configuration and will not change it. Those who will make changes will only do so after extensive regression testing, and this takes place very infrequently, at most 1 or 2 times a year. This means that it is often very difficult to meet the changing needs of customers and/or meet a customer’s specific needs for interfacing their particular communication infrastructure and associated security policy requirements. By installing an enterprise SBC, the customer’s specific communications requirements can be fully addressed, insulating the service provider’s SBC from any changes. This means that the specific business needs of the customer can be met in a quick and easy way. Also, any adaptation costs are specific to that customer and do not impact the ongoing network operations costs.
The enterprise SBC provides an ideal reference interface for network border interoperability testing by normalizing the signaling and RTP streams into the enterprise. Additionally, an enterprise may wish to work with multiple SIP trunk providers. The SBC is an enabler if more than one SIP trunk provider is terminating to the enterprise, providing a common demarcation point for normalization. Finally, an enterprise’s business requirements, now or in the future, will drive enterprise-specific call flows that may not necessarily be supported or directly interoperable with a SIP trunk provider. A premises SBC can be configured to meet an enterprise’s specific requirements.

Accountability
An enterprise SBC can generate per-call statistics including QoS measurements for independent SLA monitoring. It can also provide reports on intrusion attempts (IDT) and provide session replication for call recording to meet industry or regulatory requirements.

Edited copy:
Enforces a customer’s unique security policies
Focused on the enterprise’s security; the SIP trunk provider’s own SBC (if private SIP trunk service) focuses on the provider’s security concerns
Complete network topology invisible to external threats
Limits interoperability concerns within multivendor environments
Provides a layer of independence from the service provider: make changes more quickly vs. negotiating with / relying on the service provider
Normalization point for signaling and RTP media streams
Allows for multiple SIP trunk provider access points (now or in future)
Support of enterprise-specific call flows that may not be directly supported by the SIP trunk provider

The solution is the Avaya Session Border Controller for Enterprise, or SBCE. It provides industry-leading enterprise UC security, including secure VoIP and UC over any network to any device, including smartphones and alternative devices.
The SBCE also provides an innovative VPN-less remote worker offering, enabling true BYOD without the administrative overhead of a VPN solution. The SBCE is price/performance optimized for both large enterprise and small/mid-sized locations. It’s a fit-for-purpose SME / Enterprise solution that isn’t simply a repackaged carrier SBC. While not a carrier SBC, it still has plenty of scale, with up to 2,000 sessions and a high availability option. Just because it’s a premises-based solution doesn’t mean it is difficult to manage. With rapid implementation, safe SIP trunks, remote workers and advanced UC applications are operational in minutes, not months.
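Three of the enterprise-SBC functions described above (rejecting malformed SIP requests, which also covers the fuzzing and registration-overload threats listed on slide 30; per-source signalling rate limiting feeding a dynamic block list; and topology hiding by rewriting the Via and Contact hosts) as a small working ingress guard. This is an added example written for this page, not Avaya SBCE code: the SIP messages, addresses, thresholds and class names are constructed assumptions, and the mandatory-header list is the one from RFC 3261 section 8.1.1.

```python
"""Toy enterprise-SBC ingress guard (added example, not Avaya SBCE code).

Demonstrates, on constructed SIP messages, three SBC behaviours:
rejecting malformed requests (fuzzing), per-source signalling rate
limiting that feeds a dynamic block list, and topology hiding by
rewriting the Via and Contact hosts to the SBC's public address.
"""
import re
import time
from collections import defaultdict, deque

# Header fields every SIP request must carry (RFC 3261, section 8.1.1).
MANDATORY_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0$")


def parse_sip_request(raw: str):
    """Return (method, headers) for a well-formed request, else raise ValueError."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line: %r" % lines[0][:40])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("bad header line: %r" % line[:40])
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    missing = [h for h in MANDATORY_HEADERS if h not in headers]
    if missing:
        raise ValueError("missing mandatory headers: " + ", ".join(missing))
    return m.group("method"), headers


def hide_topology(raw: str, public_ip: str) -> str:
    """Rewrite Via / Contact hosts so the outside only ever sees the SBC address."""
    head, sep, body = raw.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name == "via":
            line = re.sub(r"(SIP/2\.0/\w+ )[^;:\s]+", lambda mt: mt.group(1) + public_ip, line)
        elif name == "contact":
            line = re.sub(r"@[^;:>\s]+", "@" + public_ip, line)
        out.append(line)
    return "\r\n".join(out) + sep + body


class IngressGuard:
    """Sliding-window rate limiter with a dynamic block list, keyed by source address."""

    def __init__(self, public_ip, max_per_window=5, window=1.0, block_for=60.0):
        self.public_ip = public_ip
        self.max_per_window = max_per_window
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)   # src -> timestamps of recent requests
        self.blocked = {}                   # src -> time at which the block expires

    def admit(self, src: str, raw: str, now=None):
        """Return (verdict, detail); verdict is ADMIT, MALFORMED or BLOCKED."""
        now = time.time() if now is None else now
        if self.blocked.get(src, 0.0) > now:
            return "BLOCKED", "source is on the dynamic block list"
        # Count every message, malformed or not, so fuzzing bursts also trip the limit.
        q = self.recent[src]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) > self.max_per_window:
            self.blocked[src] = now + self.block_for
            q.clear()
            return "BLOCKED", "signalling rate exceeded; source added to block list"
        try:
            _method, _headers = parse_sip_request(raw)
        except ValueError as err:
            return "MALFORMED", str(err)
        return "ADMIT", hide_topology(raw, self.public_ip)


# Constructed sample: private host 10.1.2.3 behind an SBC whose public address is 203.0.113.5.
GOOD_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.1.2.3:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# The same request with its Call-ID header dropped, the kind of message a fuzzer produces.
MALFORMED_INVITE = GOOD_INVITE.replace("Call-ID: a84b4c76e66710@pc33.example.com\r\n", "")

if __name__ == "__main__":
    guard = IngressGuard("203.0.113.5")
    print(guard.admit("198.51.100.7", GOOD_INVITE)[0])       # ADMIT, Via/Contact rewritten
    print(guard.admit("198.51.100.7", MALFORMED_INVITE))     # MALFORMED, missing call-id
```

The order inside admit matters: the block list is consulted first so a blocked source costs no parsing, and the rate counter is updated before parsing so that a flood of deliberately broken messages is throttled just like a flood of valid INVITEs or REGISTERs. A production SBC would additionally police media bandwidth and watch behaviour over longer windows, which this example does not model.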

53 Avaya Product Security Support Team – PSST Assessment / Penetration Testing
Avaya’s Product Security Support Team (PSST)
Internally-focused Security Assessment / Penetration testing of Avaya products
Penetration test tool kit leveraged across GCS products
Security Assessment testing includes:
Replicate customer or “attacker” methodology
Find / resolve issues before the field does
Measure progress against standards, e.g., CTO, JITC, Nessus / Retina “.mil” plug-ins
Unscripted testing
Champion best security practices across Avaya

54

