Securing the UC Network


2 Securing the UC Network
Terry Pierson Consulting System Engineer UC Security - AVAYA

3 Agenda
- UC Security – Why it matters
- VIPER Lab
- Avaya SBC for Enterprise
- Use Cases
  - SIP Trunks – Standard License
  - Remote Worker – Advanced License
- SBC Update
- Resources
- Q & A

4 Enterprise Adoption of Collaboration Tools
More Collaboration and Mobile Devices… More Enterprise Security Threats
- Denial of Service: call/registration overload; malformed messages, aka "fuzzing"
- Configuration errors: mis-configured devices; operator and application errors
- Theft of service: unauthorized users; unauthorized media types
- Viruses and SPIT: viruses via SIP messages; malware via IM sessions; SPIT – unwanted traffic

The SIP Market is hot… SIP Trunking projected CAGR thru 2015 is 5x & SIP Trunk Service adoption grew 220% YoY...

Enterprises are under constant security threats. Increased usage of collaboration tools means security threats are more of a concern, and these threats are different from those of the past. Threats now include:
- Denial of Service attacks, including call/registration overload and/or malformed messages (also called fuzzing)
- Vulnerability from configuration errors, such as misconfigured devices or operator and application errors
- Theft of service via unauthorized users or unauthorized media types
- Viruses via SIP messages
- Malware via IM sessions
- SPIT, or unwanted traffic

Source: Nemertes Research

5 Unified Communications Security – Should You Care?
- Credit card privacy rules: other compliance laws require security architecture specific to VoIP and other UC. [1]
- 50% Increase: ‘VoIP hacking at new levels’ [2]
- Up to 25% of attacks: VoIP scanning – botnets, Cloud used for VoIP fraud [3]
- Reduce Deployments by 1/3: VoIP/UC security reduces VoIP/UC deployment time by one third [4]

In recent years, Yankee Group has done an annual survey of the main blocking issues that prevent companies from adopting VoIP and other Unified Communications applications. They have found that concerns over security are at the top of the list again and again. But we now know a lot more about VoIP and UC security, thanks to many examples of successful VoIP deployments that are safe and secure. And we have seen many examples of how attackers look to exploit VoIP and UC applications that are not protected. So we know what we need to defend the infrastructure against.

Far and away the biggest concern is around toll fraud, which has seen a big spike in the last couple of years. Basically, very well organized networks of attackers are continuously probing for UC and VoIP servers that are not properly protected. Once they have control of these systems, they use them to resell long distance minutes, or else they place calls to premium rate numbers that they themselves own, running up huge bills for the enterprises. It is really common now for small enterprises to suddenly get a phone bill that is 100 times the size of their typical bill. The FBI estimated that one such ring had hacked the PBXs in 2,200 enterprises in the US and run up charges in excess of $50 million.

But the good news is that analysts also say that security is catching up with the VoIP and UC world. In fact, Aberdeen Group in early 2011 came out with a report that said that an enterprise that recognizes the need for VoIP and UC security will have much greater success at deploying these new applications. In fact, the Aberdeen report found that an enterprise that proactively plans security will cut as much as a third off the deployment time of VoIP and UC. This is because security concerns often end up delaying or derailing projects because they are not anticipated. The enterprise staff deploying VoIP and UC mistakenly believes that these applications can be protected by the existing firewalls. They cannot, and we will talk more about that in a moment. But an IT staff that does recognize the differences, and plans for them, will remove those roadblocks, and save themselves a lot of time, money and worry.

Edited copy:
- 50% Increase: ‘VoIP hacking hitting new levels; 50% jump in 2010; Halloween Hack Attacks, Romanian toll fraud ring, Cloud SIP attacks.’
- Up to 25% of attacks: VoIP scanning attacks now up to 25% of all attacks in the wild – botnets, Cloud used for VoIP fraud
- 1/3: Analysts at Aberdeen Group found that addressing VoIP and UC security proactively reduces overall VoIP and UC deployment time by one third. [4]
- Toll fraud: Billions lost by enterprises every year; inadequately secured SIP trunks, UC and VoIP applications are the primary cause. [5]
- Toll fraud: yearly enterprise losses in Billions; inadequate securing of SIP trunks, UC and VoIP applications [5]

6 OSI Model 7 Layers of Attacks
Think of OSI model as a 7 foot high jump

OSI Model

| | Data Unit | Layer | Function |
| Host Layers | Data | 7. Application | Network process to application |
| | Data | 6. Presentation | Data representation, encryption and decryption, convert machine dependent data to machine independent data |
| | Data | 5. Session | Interhost communication |
| | Segments | 4. Transport | End-to-end connections and reliability, flow control |
| Media Layers | Packet/Datagram | 3. Network | Path determination and logical addressing |
| | Frame | 2. Data Link | Physical addressing |
| | Bit | 1. Physical | Media, signal and binary transmission |

- Typical firewall protection: Layer 3-4 protection (3 to 4 foot hurdle)
- Spam filters: layer 7 application-specific firewall
- SIP, VoIP, UC: layer 4 to layer 7 application
  - SIP Trunking: a trunk side application
  - SIP Line (phone) side (internal and external) access: another application
- Attackers/Exploiters look for: high/growing adoption; protection not yet available… VoIP/UC

Think of the OSI model as a 7 foot high jump. A typical firewall provides layer 3-4 protection, or a 3 to 4 foot hurdle. Spam filters use a layer 7 application-specific firewall. SIP, VoIP and UC are layer 4 to layer 7 applications. SIP Trunking is a trunk-side application example. SIP line-side access (think of a phone, internal or external) is another type of application example. Attackers/Exploiters go where the adoption is high or growing, money is easy, and it is easy to exploit. In other words, where protection is not yet available … Think of VoIP and UC. To protect against these attacks, the Avaya SBCE provides VoIP/UC trunk and line-side layer 4-7 application protection (or the full 7 foot hurdle).

Wikipedia on 22Jul2011

Avaya SBCE provides VoIP/UC trunk/line side layer 4-7 application protection

7 VIPER Lab Leading Edge UC Security Research
Industry Recognized UC Security Experts
- Recognized UC Security SMEs by SANS, Dept of Justice, and other US Gov agencies, external organizations like DefCon and Infoseek

Leading Edge UC Security Research
- 10 Years of extensive research, using worldwide honeypots, Enterprise networks, etc.

VIPER Lab: 2 primary components of VIPER Lab strategic mission

Penetration Testing and VA of UC Networks
- “Field research” to understand real vulnerabilities in client architectures, audit & assessment consulting services (Multi-vendor, vendor agnostic)
- Proactive identification of client vulnerabilities before real attackers can exploit in wild
- Experienced penetration testing team, specialized in VoIP

R&D security research lab & exploit development
- Author open source security tools as research (VAST)
- Software engineering and exploit development with LAVA, a new vulnerability scanner and research tool
- VoIP Honeypot development, to understand attacks in the Wild

Experienced audit and assessment team
- VIPER is an experienced Security assessment team, having completed over 100 network or application assessments

8 Best Practices vs an Assessment
Best Practices
- Lock your doors at night
- Lock your windows
- Enable your home alarm system
You’ve followed best practices and you’re safe! Or are you?

A Security Assessment
- Your locked doors use an easy to pick lock type
- Your door frame is thin and one kick could open it
- Your windows can be unlocked from the outside with a screwdriver
- Your phone line can be cut, stopping your alarm from reaching the police

A proper security assessment validates the implementation of a best practice, and often reveals many weaknesses!

9 What does an Audit consist of?
An audit usually takes the form of a “UC Penetration Test”. It typically consists of the following process:
- VIPER will review the business and understand VoIP/UC application flow
- Will tailor a set of unique security test cases, for penetration testing, that are unique to that customer’s infrastructure
- Perform network discovery and reconnaissance
- Will spend 1 – 5 weeks doing technical security testing
- Will develop the security report, typically 1 – 2 weeks

10 Evolving and Protecting – VIPER Lab
- Proactively identifying and preparing defenses beyond your network borders
- Vulnerability Assessments improve security architectures and enhance compliance
- State-of-the-art research facility with expert vulnerability assessment professionals
- Open Source UC Security Self-Assessment Tools
- Uncover vulnerabilities in next-generation, multi-vendor networking environments

The VIPER Lab, which was acquired by Avaya, is focused on proactively identifying and preparing defenses against the ever changing unknowns of the wild beyond your network borders. It is a state-of-the-art research facility with a dedicated team of expert vulnerability assessment professionals that work to uncover vulnerabilities that put communications at risk in next-generation, multi-vendor networking environments. They offer Vulnerability Assessments and other professional services to help clients improve their security architectures and enhance compliance with information security statutes. There are also open source UC security self-assessment tools to enable security practitioners to accurately gauge the risks in their own environments.

11 The Solution – Session Border Controller
Security Flexibility Accountability Enforce your unique security policies Focus on enterprise security SIP trunk provider’s own SBC Network topology Invisible to external threats Limits multivendor environment interoperability concerns Independence from Service Provider Normalization point for signaling / RTP media streams Multiple SIP trunk provider access points Support enterprise- specific call flows Report on intrusion attempts Session recording Remote Worker Safety

12 The SBC Protects & Defends the Avaya Core
The SBC is not just about SIP Trunks and Remote Endpoints – it’s about Avaya’s future. Acme, Sonus, and most other 3rd party players are moving into the Enterprise with SBC’s –AND- with Session Management offerings. Allowing 3rd Party wins with SBC deals opens the door for them to capture the Core with their SM offerings and sequenced applications before it ever gets to an Avaya system Selling the Avaya SBCE protects Avaya’s Core Business and extends Avaya Aura solutions with secure and borderless Enterprise communication applications.

13 Capacity in Simultaneous Sessions
ASBCE 6.2 System Capacity

Capacity in Simultaneous Sessions
- Session Border Controller capacities are rated in Simultaneous Sessions
- A simultaneous session = a communication session between 2 SIP endpoints
- Can think of it as analogous to a DS0 in the ‘old world’
- Key for engineering is to understand the numbers of sessions required in the solution
  - For Secure SIP trunking, look at the number of TDM DS0s required
  - For Remote Worker, calculate required call volumes

| Configuration | Max Capacity w/o Encryption | Max Capacity with Encryption |
| HA | 2000 | 1000 |
| SA | 2000 | 1000 |
| Portwell CAD-0208 SA | 500 | 250 |

‘Rules of Thumb’
- SIP trunking usually 5 users per session
- Must account for higher ratio in small
- Remote Worker must consider both On-net and off-net requirements
- Remember Encryption Services impact capacity

14 Avaya SBC for Enterprise
- 1 Software Base: Avaya Aura SBC for Enterprise
- 3 HW Platforms: Dell & HP for Enterprise; Portwell CAD-0208 for IPO
- 2 Use Cases: SIP Trunking, Remote Worker

[Diagram labels: CS1000, Avaya SBC for Enterprise, SIP Trunking]

15 Avaya SBCE: SIP Trunking Architecture
Use Case: SIP Trunking to Carrier
- Carrier offering SIP trunks as lower-cost alternative to TDM
- Heavy driver for Enterprise adoption of SBC

[Diagram labels: Firewall, Firewall, Enterprise, DMZ, Internet, SIP Trunks, IP PBX, Carrier, Avaya SBCE]

Carrier SIP trunks to the Avaya Session Border Controller for Enterprise
- Avaya SBCE is located in a DMZ behind the Enterprise firewall
- Services: security and demarcation device between the IP-PBX and the Carrier
- NAT traversal, securely anchors signaling and media, and can normalize SIP protocol

16 Secure Remote Worker with BYOD
Presence Server System Manager Communication Manager Avaya Aura Conferencing Aura Messaging Session Manager Avaya Aura® Avaya SBCE Personal PC, Mac or iPad devices Avaya Flare®, Avaya one-X® SIP client app App secured into the organization, not the device One number UC anywhere Untrusted Network (Internet, Wireless, etc.)

17 Avaya SBCE: Remote Worker Architecture
Use Case: Remote Worker
- Extend UC to SIP users remote to the Enterprise
- Solution not requiring VPN for UC/CC SIP endpoints

[Diagram labels: Firewall, Firewall, Enterprise, DMZ, Internet, IP PBX, Remote Workers, Avaya SBCE]

Remote Workers are external to the Enterprise Firewall

Avaya Session Border Controller for Enterprise
- Authenticate SIP-based users/clients to the enterprise
- Securely proxy registrations and client device provisioning
- Securely manage communications without requiring a VPN

18 Remote Worker: How does the SBC proxy endpoint traffic?
[Diagram labels: CM or CS1k, SM, Intranet, Internal Firewall + NAT, DMZ, Avaya SBCE, FW/NAT Traversal, External Firewall/Router, Internet]

Flows shown in the diagram:
1. Encrypted signaling over TLS
2. Signaling over TCP/UDP
3. Encrypted media SRTP
4. Media RTP

Legend:
- Unencrypted Signaling: SIP/TCP
- Unencrypted Media: RTP
- Encrypted Signaling: SIP/TLS
- Encrypted Media: SRTP (HW 50 usec)

19 What’s Next? “6.2” Product Release now through April 2013
“Micro” Release for IP Office available now (new market) Trunk-side for Enterprise in February ’13 Applications (inc. Remote Worker) in April ’13 Re-organized UC Security Team engaging now to build Sales, Tech Ops, Channel enablement programs and create wider coverage. Need your support for participation. Auto-attach campaign to start in Q2 for IPO, CM/Aura, SM, others Reporting on success will be delivered from UC Security Ops to Area Ops, Leaders to assist in gap identification, drive activity

20 Avaya Interoperability
SBCE Roadmap Avaya SBCE 6.2 Q1 CY 2013 (Mar) Avaya SBCE 6.2 Feature Pack 1 Q2 CY 2013 (May) Avaya SBCE 6.2 Feature Pack 2 Q3 CY 2013 Avaya Interoperability Mobile SIP iOS R6.2 96x0 (SIP) R6.2 One-X Comm R6.2 OTV R1.0 AACC7 support HP DL360 Migration Kit UCID Generation Expanded Interoperability Remote Worker for IPO Flare Exp. R1.1 Flare Comm. R1.0.3 Radvision Interop CS1K R7.6 w/ Collab Pack Microsoft Lync trunks SIP Trunking (Avaya Aura, CS1000 & IPO) Securing Remote Worker without VPN (Avaya Aura) SIP security designed for scalable cost-effective enterprise use Fully supports SIP trunking on Avaya Aura, CS1K & IPO Supports remote and mobile SIP devices and clients with Avaya Aura 96x1 R6.2 One-X Com R6.2 Flare Exp iPad R1.1 Extends Avaya Aura® SIP capabilities outside the enterprise Easy and intuitive to deploy and configure, lowering TCO

21 UC Security Sales Organization
Nick Adams – Global Sales Leader US Practice Leaders Dave Mulhern-Northeast Brad Bleeck-South Ed Williams- Central Shawn Darcy – West US Engineering Terry Pierson CANADA Practice Lead Chuck Pledger EMEA Practice Lead Dan Panesar APAC Practice Lead David Lloyd Global Technical Lead Addis Hallmark Global Channel Lead Greg Parcell Global Operations Jaime Cooley CALA Practice Lead Gus Herrera

