©2013 Avaya Inc. All rights reserved. February 26-28, 2013 | Orlando, FL.

2 Securing the UC Network
Terry Pierson, Consulting System Engineer, UC Security - AVAYA
#AvayaATF

3 Agenda
- UC Security – Why it matters
- VIPER Lab
- Avaya SBC for Enterprise Use Cases
  - SIP Trunks – Standard License
  - Remote Worker – Advanced License
- SBC Update
- Resources
- Q & A

4 More Collaboration and Mobile Devices… More Enterprise Security Threats
- Denial of Service
  - Call/registration overload
  - Malformed messages, aka “fuzzing”
- Configuration errors
  - Mis-configured devices
  - Operator and application errors
- Theft of service
  - Unauthorized users
  - Unauthorized media types
- Viruses and SPIT
  - Viruses via SIP messages
  - Malware via IM sessions
  - SPIT – unwanted traffic
[Chart: Enterprise Adoption of Collaboration Tools. Source: Nemertes Research]

5 Unified Communications Security – Should You Care?
- Credit card privacy rules: other compliance laws require security architecture specific to VoIP and other UC.
- Toll fraud: yearly enterprise losses in billions; inadequate securing of SIP trunks, UC and VoIP applications.

6 OSI Model: 7 Layers of Attacks
Think of the OSI model as a 7 foot high jump.
- Typical firewall protection: Layer 3-4 protection (3 to 4 foot hurdle)
- Spam filters: layer 7 application specific firewall
- SIP, VoIP, UC: layer 4 to layer 7 application
  - SIP Trunking - a trunk side application
  - SIP Line (phone) side (internal and external) access another application
- Attackers/Exploiters look for:
  - High/growing adoption
  - Protection not yet available… VoIP/UC
Avaya SBCE provides a VoIP/UC trunk/line side layer 4-7 application protection.
Source: Wikipedia on 22Jul2011

7 VIPER Lab
- Industry Recognized UC Security Experts: Recognized UC Security SMEs by SANS, Dept of Justice, and other US Gov agencies, external organizations like DefCon and Infoseek
- Leading Edge UC Security Research: 10 years of extensive research, using worldwide honeypots, Enterprise networks, etc.
- Experienced audit and assessment team: VIPER is an experienced Security assessment team, having completed over 100 network or application assessments

8 Best Practices vs an Assessment
Best Practices
- Lock your doors at night
- Lock your windows
- Enable your home alarm system
- You’ve followed best practices and you’re safe! Or are you?
A Security Assessment
- Your locked doors use an easy to pick lock type
- Your door frame is thin and one kick could open it
- Your windows can be unlocked from the outside with a screwdriver
- Your phone line can be cut, stopping your alarm from reaching the police
A proper security assessment validates the implementation of a best practice, and often reveals many weaknesses!

9 What does an Audit consist of?
An audit usually takes the form of a “UC Penetration Test”. It typically consists of the following process:
- VIPER will review the business and understand VoIP/UC application flow
- Will tailor a set of unique security test cases, for penetration testing, that are unique to that customer’s infrastructure
- Perform network discovery and reconnaissance
- Will spend 1 – 5 weeks doing technical security testing
- Will develop the security report, typically 1 – 2 weeks

10 Evolving and Protecting – VIPER Lab
- Uncover vulnerabilities in next-generation, multi-vendor networking environments
- Proactively identifying and preparing defenses beyond your network borders
- Vulnerability Assessments improve security architectures and enhance compliance
- State-of-the-art research facility with expert vulnerability assessment professionals
- Open Source UC Security Self-Assessment Tools

11 The Solution – Session Border Controller
Panel labels: Security, Flexibility, Accountability
- Enforce your unique security policies
- Focus on enterprise security
- SIP trunk provider’s own SBC
- Network topology
- Invisible to external threats
- Limits multivendor environment interoperability concerns
- Independence from Service Provider
- Normalization point for signaling / RTP media streams
- Multiple SIP trunk provider access points
- Support enterprise-specific call flows
- Report on intrusion attempts
- Session recording
- Remote Worker Safety

12 The SBC Protects & Defends the Avaya Core
- The SBC is not just about SIP Trunks and Remote Endpoints – it’s about Avaya’s future.
- Acme, Sonus, and most other 3rd party players are moving into the Enterprise with SBCs AND with Session Management offerings.
- Allowing 3rd Party wins with SBC deals opens the door for them to capture the Core with their SM offerings and sequenced applications before it ever gets to an Avaya system.
- Selling the Avaya SBCE protects Avaya’s Core Business and extends Avaya Aura solutions with secure and borderless Enterprise communication applications.

13 ASBCE 6.2 System Capacity
- Session Border Controller capacities are rated in Simultaneous Sessions
  - A simultaneous session = a communication session between 2 SIP endpoints
  - Can think of it as analogous to a DS0 in the ‘old world’
- Key for engineering is to understand the numbers of sessions required in the solution
  - For Secure SIP trunking, look at the number of TDM DS0s required
  - For Remote Worker, calculate required call volumes
[Table: Capacity in Simultaneous Sessions (HA, SA). Columns: Max Capacity w/o Encryption, Max Capacity with Encryption. Platform: Portwell CAD-0208]
‘Rules of Thumb’
- SIP trunking usually 5 users per session
- Must account for higher ratio in small
- Remote Worker must consider both On-net and off-net requirements
- Remember Encryption Services impact capacity

14 Avaya SBC for Enterprise
- 1 Software Base: Avaya Aura SBC for Enterprise
- 2 Use Cases: SIP Trunking, Remote Worker
- 3 HW Platforms: Dell & HP for Enterprise; Portwell CAD-0208 for IPO
[Diagram labels: Avaya SBC for Enterprise, CS1000]

15 Avaya SBCE: SIP Trunking Architecture
Use Case: SIP Trunking to Carrier
- Carrier offering SIP trunks as lower-cost alternative to TDM
- Heavy driver for Enterprise adoption of SBC
Carrier SIP trunks to the Avaya Session Border Controller for Enterprise
- Avaya SBCE is located in a DMZ behind the Enterprise firewall
- Services: security and demarcation device between the IP-PBX and the Carrier
  - NAT traversal
  - Securely anchors signaling and media
  - Can normalize SIP protocol
[Diagram labels: Carrier, SIP Trunks, Internet, DMZ, Avaya SBCE, Enterprise, IP PBX]

16 Secure Remote Worker with BYOD
- Personal PC, Mac or iPad devices
- Avaya Flare®, Avaya one-X® SIP client app
- App secured into the organization, not the device
- One number UC anywhere
[Diagram labels: Untrusted Network (Internet, Wireless, etc.), Avaya SBCE, Avaya Aura®: Presence Server, System Manager, Communication Manager, Avaya Aura Conferencing, Aura Messaging, Session Manager]

17 Avaya SBCE: Remote Worker Architecture
Use Case: Remote Worker
- Extend UC to SIP users remote to the Enterprise
- Solution not requiring VPN for UC/CC SIP endpoints
Remote Workers are external to the Enterprise Firewall
- Avaya Session Border Controller for Enterprise
  - Authenticate SIP-based users/clients to the enterprise
  - Securely proxy registrations and client device provisioning
  - Securely manage communications without requiring a VPN
[Diagram labels: Remote Workers, Internet, DMZ, Avaya SBCE, Enterprise, IP PBX]

18 Remote Worker: How does the SBC proxy endpoint traffic?
Numbered flows in the diagram:
1. Encrypted signaling over TLS
2. Signaling over TCP/UDP
3. Encrypted media SRTP
4. Media RTP
Legend:
- Encrypted Signaling: SIP/TLS
- Encrypted Media: SRTP (HW 50 usec)
- Unencrypted Signaling: SIP/TCP
- Unencrypted Media: RTP
[Diagram labels: Internet, External Firewall/Router, DMZ, Avaya SBCE, FW/NAT Traversal, Internal Firewall + NAT, Intranet, SM, CM or CS1k]

19 What’s Next?
- “6.2” Product Release now through April 2013
  - “Micro” Release for IP Office available now (new market)
  - Trunk-side for Enterprise in February ’13
  - Applications (inc. Remote Worker) in April ’13
- Re-organized UC Security Team engaging now to build Sales, Tech Ops, Channel enablement programs and create wider coverage. Need your support for participation.
- Auto-attach campaign to start in Q2 for IPO, CM/Aura, SM, others
- Reporting on success will be delivered from UC Security Ops to Area Ops, Leaders to assist in gap identification, drive activity

20 SBCE Roadmap
SIP Trunking (Avaya Aura, CS1000 & IPO); Securing Remote Worker without VPN (Avaya Aura)
- SIP security designed for scalable cost-effective enterprise use
- Fully supports SIP trunking on Avaya Aura, CS1K & IPO
- Supports remote and mobile SIP devices and clients with Avaya Aura
  - 96x1 R6.2
  - One-X Com R6.2
  - Flare Exp iPad R1.1
- Extends Avaya Aura® SIP capabilities outside the enterprise
- Easy and intuitive to deploy and configure, lowering TCO
Avaya Interoperability
- Mobile SIP iOS R6.2
- 96x0 (SIP) R6.2
- One-X Comm R6.2
- OTV R1.0
- AACC7 support
- HP DL360 Migration Kit
- UCID Generation
Expanded Interoperability
- Remote Worker for IPO
- Flare Exp. R1.1
- Flare Comm. R1.0.3
- Radvision Interop
- CS1K R7.6 w/ Collab Pack
- Microsoft Lync trunks
Release timeline:
- Avaya SBCE 6.2: Q1 CY 2013 (Mar)
- Avaya SBCE 6.2 Feature Pack 1: Q2 CY 2013 (May)
- Avaya SBCE 6.2 Feature Pack 2: Q3 CY 2013

21 UC Security Sales Organization
- Global Sales Leader: Nick Adams
- US Practice Leaders: Dave Mulhern (Northeast), Brad Bleeck (South), Ed Williams (Central), Shawn Darcy (West)
- US Engineering: Terry Pierson
- CANADA Practice Lead: Chuck Pledger
- CALA Practice Lead: Gus Herrera
- EMEA Practice Lead: Dan Panesar
- APAC Practice Lead: David Lloyd
- Global Technical Lead: Addis Hallmark
- Global Channel Lead: Greg Parcell
- Global Operations: Jaime Cooley

22 Thank you!
#AvayaATF

