
2 1 Veraz Networks Proprietary and Confidential * Veraz proprietary information notice: This document and the contents therein are the property of Veraz Networks Inc. Any duplication, reproduction, or transmission to unauthorized parties without prior written permission of Veraz Networks Inc. is prohibited. The recipient of this document, by its retention and use, agrees to protect the information contained herein from loss, theft, or transfer to third parties.

3 Security - The Big Challenge of IP Telephony
February 2003
Yaron Oppenheim, Director – Product Marketing

4 Agenda
- The Problem
- Why is it critical?
- It should be protected & it can be protected
- Vulnerability points
- Security strategy and measures
  - MG
  - Control Switch
  - Control protocol - MGCP
  - Inter Control Switch communication
  - The voice itself
  - Management activity

5 Veraz – An introduction
- Veraz is a privately held company formed by the merger of ECI-NGTS and Nexverse Networks
- Global provider of end-to-end, carrier-grade Packet Telephony solutions
- Best-in-Class Integrated Solution
  - Open, Best-of-Breed Softswitch & Media Gateway platforms
  - Driving some of the largest softswitch-based VoIP deployments in the market
- Market leader for carrier-class Digital Compression Multiplexing Equipment (DCME)
  - Over $2B installed base
  - Over 700 carrier customers in 140 countries
  - Current & on-going revenue stream
- Global Presence and Track Record
  - 20 years of experience in delivering solutions to carriers worldwide
  - 100% ownership of advanced DSP technology
  - Global sales & support infrastructure

6 The Problem
- Attacks on the Internet
  - 38% of organizations' Web sites suffered unauthorized access or misuse within the last 12 months
  - Government Web site – thousands of attacks per day
- Fraud on the Internet
  - The main obstacle to e-commerce
- Money that is lost
- Money that is invested in securing IT installations
  - Growing segment in a recessionary period
- Is IP Telephony much different?

7 Enterprise IP Telephony network
[Diagram. Labelled elements: ControlSwitch, I-Gate 4000, enterprise PBX, IAD, SIP proxy/feature servers, SIP devices, H.323 gateway and gatekeeper, PSTN and wireless PSTN (MSCs) with SS7 SCP/STP/HLR, residence/branch/SMB, 3G mobile and PDA, over an IP/ATM network. Protocols shown: MGCP, SIP, H.323, XML/JCC, SS7 ISUP/TCAP (ANSI/ETSI/ITU/UK/Japan), IS-41.]

8 Potential Threats to Network Security
- Intranet and Internet
- Most of the intruders – from within the organization
- Internal threats
  - Disgruntled employees
  - Social engineering
  - Former employees
- External threats
  - Hackers
  - Hacking by mistake

9 Typical Security Attacks
- Unauthorized access
- Denial of Service - DOS
- Eavesdropping
- Masquerade
- Modification of information
  - Content modification
  - Sending the information at another time
- Information theft

10 Why is it critical?
Because:
- A lot of money can be lost
- The image of the company is a high priority

11 It should be protected & it can be protected
- IP Telephony will not be widely deployed without a reasonable security solution!

12 Security – you have to protect 360°
- The hacker needs only one vulnerability point.
[Diagram: the IP Telephony network: ControlSwitch, I-Gate 4000, enterprise PBX, IADs, SIP and H.323 elements, PSTN and wireless PSTN, over an IP/ATM network.]

13 Vulnerability points
[Diagram. Elements: CCP/SG, VerazView, CDR, EC, RE, I-Gate 4000 Pro, I-Gate 4000, IP Network, Internet/Intranet. Links labelled: MGCP, CMI, SNMP, HTTP, RTP.]

14 You have to protect them all
- Call Control Element (CCE)
- Signaling Gateway (SG)
- Routing engine (RE)
- Event Collector (EC)
- CDR Manager
- Management
- Media Gateway (I-Gate 4000/PRO)
- Management System (VerazView)
- Links between elements

15 Defense strategy
- Access to the IP Telephony Network Element is allowed by using the MANAGEMENT SYSTEM only
- The Management System should be highly secured
- ALL the information traveling from NE to NE (and from the MS to NE) should be encrypted and authenticated.

16 MG security
- The only way to access the Media Gateway is by using the management system.
- Blocking unnecessary protocols
  - HTTP, Telnet, etc.
- Protecting the MG from unauthorized access
- Firewall functionality
  - Predefined list of IPs
  - Predefined protocols
  - Application (MGCP) aware
- Location of the Firewall
[Diagram: I-Gate 4000 Pro and I-Gate 4000 connected to the IP Network.]
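
The three firewall properties on this slide (predefined IP list, predefined protocols, MGCP awareness) can be combined into one decision function. The sketch below is an added example, not part of the original presentation or of any Veraz product; the call agent addresses are constructed, and the port and verb set are taken from RFC 3435.

```python
import ipaddress
import re

# Constructed values for illustration (not from the presentation).
CALL_AGENTS = [ipaddress.ip_network("192.0.2.10/32"),
               ipaddress.ip_network("192.0.2.11/32")]
MGCP_GATEWAY_PORT = 2427  # default gateway port in RFC 3435
# Verbs a call agent sends to a gateway; NTFY and RSIP travel the other way.
CA_VERBS = {"EPCF", "CRCX", "MDCX", "DLCX", "RQNT", "AUEP", "AUCX"}
# Command line: verb, transaction id, endpoint name, protocol version.
COMMAND = re.compile(rb"^([A-Z]{4}) (\d{1,9}) (\S+) MGCP 1\.0(?: \S+)?$")
# Response line: 3-digit code, transaction id, optional commentary.
RESPONSE = re.compile(rb"^\d{3} \d{1,9}(?: .*)?$")


def filter_packet(src_ip, proto, dst_port, payload):
    """Return (verdict, reason) for a packet arriving at the media gateway."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in CALL_AGENTS):
        return ("drop", "source not in predefined IP list")
    if proto != "udp" or dst_port != MGCP_GATEWAY_PORT:
        return ("drop", "protocol/port not predefined")
    # Application awareness: only the first line is needed to classify.
    first_line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    match = COMMAND.match(first_line)
    if match:
        if match.group(1).decode() not in CA_VERBS:
            return ("drop", "verb not valid from a call agent")
        return ("allow", "MGCP command")
    if RESPONSE.match(first_line):
        return ("allow", "MGCP response")
    return ("drop", "payload is not MGCP")


# Constructed sample packet: a CreateConnection from an allowed call agent.
CRCX = b"CRCX 1204 aaln/1@mg1.example.net MGCP 1.0\r\nC: A3C47F21\r\nM: recvonly\r\n"
```

A filter of this kind only checks where traffic comes from and that it is well-formed MGCP; it does not authenticate the sender.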

17 Control Switch elements
- Unix-based elements
- Access to the IP Telephony Network Element is allowed by using the MANAGEMENT SYSTEM only
- Block unnecessary protocols
- Access control
- Firewall
[Diagram. Elements: SG, EMS, CDR, EC, RE, CCP.]

18 MG – Call Control Platform channel
- MGCP, H.248
- IPsec – the de facto standard – provides protection (encryption & authentication) to each IP packet
  - Authentication, Integrity, Confidentiality
  - IPsec – Authentication Header (AH)
  - IPsec – Encapsulating Security Payload (ESP)
- IKE – Internet Key Exchange (RFC 2409)
  - Session key
  - Long-term key
[Diagram. Elements: CCP/SG, VerazView, CDR, EC, RE, I-Gate 4000 Pro, I-Gate 4000, IP Network, Internet/Intranet. Link labelled: MGCP.]

19 IPsec implementation
- External Boxes
  - Check Point
  - Symantec
  - Cisco
- Embedded Implementation
- Pros & cons
  - Vulnerability
  - Cost
  - Management

20 Control Switch elements comm.
- CMI communication
  - CCP - EC
  - CCP - SG
  - CCP - RE
  - EC - CDR manager
[Diagram. Elements: CCP/SG, EMS, CDR, EC, RE, I-Gate 4000 Pro, I-Gate 4000, IP Network, Internet/Intranet.]

21 Voice - RTP
- SRTP
- IPsec
[Diagram: IP Network.]

22 Management System Security
- The Management System is the gate to the system…

23 MS Architecture
- Management System Server
  - Management server
  - Database server
  - High availability
- WBM Client
  - Operating System independent
  - Web browser
  - Graphical User Interface
  - Does not require installation
[Diagram. Elements: PC with Web Browser (Client), WAN, VerazView Server, I-Gate 4000, Control Switch elements.]

24 Vulnerability Points
- Management System – Network Elements channel
  - Eavesdropping
  - Information Theft
- MS Server
  - Intrusion
  - D.O.S.
  - Masquerade
  - Modification of Information
- MS WBM client and connection
  - Eavesdropping
  - Intrusion
  - Information Theft
- Vulnerability at one of the VoIP elements can harm the entire IP Telephony network

25 Access Control
- User ID and Password – much more than that!
- Validity of user IDs
- Password generation
- Password validity rules
  - Length
  - Structure
  - Time to Live
  - Password History
- Forced password change
- Prevent repetitive intrusion attempts
- Inform the user of the previous login time
- Users access levels
- Etc.

26 Security Administrator
- Who are the active users?
  - Force Logout
  - Suspend
- What are the users doing?

27 WBM – Openness and Vulnerability
- Web-Based Management
  - All you need is a Web browser
  - OS independent
  - HW independent
  - Can be shared with other applications
  - Low bandwidth
[Diagram. Elements: Mgmt. System WBM client, Mgmt. System Server - VerazView, SG, Control SW, I-Gate 4000, IP Network, Internet/Intranet.]

28 WBM Encryption
- SSL – Secure Sockets Layer
  - Provides encryption, authentication & integrity of the data stream.
- Encryption of the Management Information
- SSL is the most popular method to secure Internet transport
  - Used by Web browsers and servers
  - The protocol that incorporates SSL and HTTP is HTTPS
  - Powerful encryption method
[Diagram: SSL between the Internet/Intranet and the IP Telephony network.]

29 Separating Internet Server from MS
- To secure the IP Network from hackers:
  - Internet Server separated from the MS Server
  - MS Internet Server located in demilitarized zone (DMZ)
- Protection from hackers:
  - Secured Protocol
  - Firewall
[Diagram. Elements: WBM, The Internet, Internet Server, Mgmt Server, IP NETWORK, Media Gateway (MG), Control SW. Link labelled: Secured Protocol.]

30 Disaster Recovery
- MS Servers at two remote locations
- RAID Array Disk
- No single point of failure
[Diagram. Elements: Web Client, Main Location, Alternate Location.]

31 Questions?

32 Yaron Oppenheim – Director

