Toll Fraud and how to avoid hacking on SIP Trunking. Remote user (app) access. Michael Pisvin, SI/SP System Engineer.


Presentation transcript:

2 Toll Fraud and how to avoid hacking on SIP Trunking. Remote user (app) access. Michael Pisvin, SI/SP System Engineer

3 FBI warning: VoIP attacks
- TDoS attacks allow thieves to loot bank account information (May 2010)
- Hackers phone home on our coin: stolen calls; in just 15 days, over $30,000 in calls made globally (February 2012)
- VoIP Attacks on The Rise! Secure Your VoIP Servers (blog.sipvicious.org): cloud-initiated wave of SIPVicious port 5060 scans leads to €11 million loss (October 2010)
- Hacker toured dozens of global conference rooms using common videoconferencing equipment; easily hacked several top venture capital, law firms, pharmaceutical and oil companies... (and) the Goldman Sachs boardroom. Videoconferencing systems were designed with visual and audio clarity in mind, not security (January 2012)
- Massive DDoS attack crashes TelePacific VoIP system: an average of 34 million SIP connection requests shot up to 69 million [in 1 day], flooding their systems (March 2011)
- 65% of organizations experience three DDoS attacks a year, but the majority are unprepared to mitigate attacks (November 2012)
- FBI finds Philippine hackers compromised AT&T business customers and used their phone systems to call numbers whose revenues went to the hackers; the scheme cost AT&T $2.0 million (November 2011)
- Communications Fraud Control Association survey shows 34 respondents with $2.0 billion in telecom fraud losses (2011)
Could This Be Your Network?

4 Internal versus External Security
The Computer Security Institute (CSI) has done a survey on security attacks:
- 70% of the companies faced a security breach
- 60% of these breaches came from the inside
Company networks are often compared to candy bars: hard on the outside and soft and chewy on the inside.

5 Unified Communications Security: Should You Care?
- Credit card privacy rules [1] and other compliance laws require a security architecture specific to VoIP and other UC.
- Toll fraud: yearly enterprise losses in the billions from inadequate securing of SIP trunks, UC and VoIP applications [5]
Sources: [1] Payment Card Industry Data Security Standard (PCI DSS); [2] VIPER LAB Honeypot research; [3] VIPER LAB Honeypot research; [4] Aberdeen Group; [5] Communications Fraud Control Association (CFCA) 2008 Survey

6 Some interesting findings
2013 global fraud loss estimation:
- 46.3 billion US dollars annually
- 94% global fraud loss increase from 2011
Top 5 fraud methods:
- Subscription Fraud $5.22B
- PBX Hacking $4.42B
- Account Takeover / Identity Theft $3.26B
- VoIP Hacking $3.62B
- Dealer Fraud $3.35B
Top 5 fraud types:
- Roaming Fraud $6.11B
- Wholesale Fraud $5.32B
- Premium Rate Service $4.73B
- Cable and Satellite Signal Theft $3.55B
- Hardware Reselling $2.96B
For more information please visit:

7 How many fraud incidents per month (chart). For more information please visit:

8 7 So SECURITY IS IMPORTANT

9 A typical enterprise environment (diagram: IMS SIP trunks from the SP provider over MPLS via the SP SBC; enterprise remote offices and remote locations; remote users reaching applications over the Internet through VPN; data center application/server farm; corporate network with router, firewall, switch, PC/workstations, corporate WiFi and BYOD WiFi)

10 A typical enterprise environment: possible attacks (same diagram as slide 9, with the attack points marked)

11 Application Specific Security Complements the Existing Security Architecture: firewall plus enterprise SBC acting as an application-level security proxy (policy application, threat protection, privacy, access control)

12 SIP trunk: what is it?
- Session Initiation Protocol (SIP)
  - Controls multimedia communication sessions such as voice, instant messaging, video, etc.
  - Many types of devices (computers, phones, video equipment, etc.) can exchange data over SIP
  - SIP is considered a quality protocol with the flexibility to support integrated voice & data communications
- SIP Trunking
  - Virtual voice channels (or paths) over an Internet Protocol (IP) network
  - Delivered over an IP connection
  - One SIP trunk can support many direct inward dial (DID) extensions

13 SIP Trunk (diagram: IMS SIP trunks from the SP provider over MPLS via the SP SBC into the corporate network, data center application/server farm, corporate and BYOD WiFi; signaling and voice paths shown)
Issue:
- In almost all cases you need MPLS access to the Service Provider
- The service provider needs access to your network to reach the IP PBX and the user
- Is MPLS secure?

14 MPLS is NOT secure
"When looking to move to an MPLS VPN solution, many customers downplay the threats to the security of the transmission path and instead put their full trust in the security of the service provider. The attacks shown in this report make it clear that MPLS VPN customers who need confidentiality and integrity beyond what a public network provides must look to implement some form of encryption at the endpoints to provide complete protection." (source: paper.html)

15 SIP Trunk (same diagram as slide 13, now with the enterprise SBC between the MPLS link and the corporate network; VoIP encrypted, signaling encrypted)
Issue (as on slide 13): MPLS access to the Service Provider is required, the service provider needs access to the IP PBX and the user, and MPLS itself is not secure.
Solution:
- Put an SBC between the MPLS link and your network to hide your environment
- Voice encryption can be activated

16 Four reasons you need an SBC: Security, Privacy, Interoperability, Demarcation

17 SIP Interoperability: is it really a problem? (diagram: router and firewall at the edge; SIP PBX and UC applications Conf, CC, WFO, Video, Telepresence, Recording, IVR, FMC; SIP signaling to SIP Provider 1)
- Without an SBC: multiple service provider tests
- With an SBC: single service provider test

18 SIP Interoperability: multiple service providers?? (same diagram, now with SIP Provider 1 and SIP Provider 2)
- Without an SBC: multiple service provider tests
- With an SBC: two service provider tests

19 SIP Privacy: is it really a risk? (diagram: router and firewall; SIP PBX, SIP trunks and UC applications Conf, CC, WFO, Video, Telepresence, Recording, IVR, FMC)
- Without an SBC: "I can see session information from all these apps & systems"
- With an SBC: "I can only see the SBC. It is hiding the network topology"

20 Why do I need an SBC? Here is one reason: SIP REFER (diagram: SIP PBX UK with SIP trunks UK, SIP PBX USA with SIP trunks USA; SIP signaling and voice through the SBC; billing labels £ ?, £ ?, $ ?). Privacy, Demarcation.

21 Are routers & firewalls protecting your UC traffic? (diagram: router and firewall in front of the SIP PBX and SIP trunks)
- SIP Denial of Service: "Let's keep ringing them up!"
- SIP Protocol Fuzzing: "Or send bad SIP requests!"

22 An SBC will protect your UC traffic (diagram: SBC between router/firewall and the SIP PBX; SIP signaling and voice pass through it)
- Security: DoS and fuzzing not working!
- Demarcation: the SBC protects the organization

23 An SBC will protect your UC traffic (diagram: SIP trunks to the Session Border Controller, a back-to-back user agent, to the SIP PBX): Security, Privacy, Interoperability, Demarcation

24 Comparison: SBCs vs. firewalls with SIP ALGs
SBC (back-to-back user agent):
- Fully state-aware at layers 2-7
- Inspects and modifies any application layer header info (SIP, SDP, etc.)
- Can terminate, initiate and re-initiate signaling & SDP
- Static & dynamic ACLs
Firewall with SIP ALG (maintains a single session):
- Fully state-aware at layers 3 & 4 only
- Inspects and modifies only application layer addresses (SIP, SDP, etc.)
- Unable to terminate, initiate or re-initiate signaling & SDP
- Static ACLs only
(diagram: SIP trunking into the data center IP PBX and UC server, with and without an SBC; source: Acme Packet)

25 VoIP Security is Different (table)
- Firewall and IDS/IPS: layer 3 attacks, layer 4 attacks
- SBCE Standard and SBCE Advanced: OS attacks, application attacks, SIP protocol fuzzing, SIP denial of service / distributed denial of service, SIP spoofing, SIP advanced toll fraud (call walking, stealth attacks), remote worker, media replication, signaling/media encryption
Protecting the IP-PBX against these requires intimate knowledge of VoIP and call states.
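Two of the SIP threats listed above, INVITE floods and call walking, can be recognised from signaling logs alone. The following is an added example (not part of the presentation and not Avaya SBCE code); the log line format, the source addresses and the thresholds are constructed for the example.

```python
"""Detect SIP INVITE floods and call walking in a signaling log.

Added example. The log format is constructed: "<epoch> <src_ip> INVITE sip:<number>@<host>".
The thresholds are assumptions that a real SBC would expose as policy.
"""
import re
from collections import defaultdict

LINE = re.compile(r"^(\d+) (\S+) INVITE sip:(\d+)@")

FLOOD_WINDOW_S = 10     # sliding window in seconds
FLOOD_MAX_INVITES = 5   # more than this per source inside the window -> flood
WALK_MIN_TARGETS = 4    # a run of this many consecutive extensions -> call walking


def parse(lines):
    """Yield (timestamp, source, dialed_number) for every INVITE line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def detect_floods(events, window=FLOOD_WINDOW_S, limit=FLOOD_MAX_INVITES):
    """Per-source sliding window; a source is flagged once it exceeds the limit."""
    recent = defaultdict(list)
    flagged = set()
    for ts, src, _ in sorted(events):
        q = [t for t in recent[src] if ts - t < window] + [ts]
        recent[src] = q
        if len(q) > limit:
            flagged.add(src)
    return flagged


def detect_call_walking(events, min_targets=WALK_MIN_TARGETS):
    """Flag a source that dials a run of consecutive numbers (extension scan)."""
    targets = defaultdict(set)
    for _, src, num in events:
        targets[src].add(int(num))
    flagged = set()
    for src, nums in targets.items():
        ordered = sorted(nums)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_targets:
            flagged.add(src)
    return flagged


# Constructed sample: 203.0.113.7 walks extensions 2001-2004, 198.51.100.9 floods
# a single number, 192.0.2.10 is a normal caller.
SAMPLE_LOG = [
    "1000 203.0.113.7 INVITE sip:2001@pbx.example",
    "1003 203.0.113.7 INVITE sip:2002@pbx.example",
    "1006 203.0.113.7 INVITE sip:2003@pbx.example",
    "1009 203.0.113.7 INVITE sip:2004@pbx.example",
    "1020 192.0.2.10 INVITE sip:2100@pbx.example",
    "1021 192.0.2.10 INVITE sip:2105@pbx.example",
] + [f"{1030 + i} 198.51.100.9 INVITE sip:3000@pbx.example" for i in range(8)]


def analyse(lines=SAMPLE_LOG):
    """Return the sources flagged by each detector."""
    events = list(parse(lines))
    return {"flood": detect_floods(events), "walk": detect_call_walking(events)}


if __name__ == "__main__":
    print(analyse())
```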

26 Remote Users (diagram: SIP trunks from the SP provider over MPLS; enterprise remote offices and remote locations; remote users over the Internet through VPN and firewall; data center application/server farm; corporate and BYOD WiFi)
- Access via VPN
- Access via firewall for applications (such as …, etc.)
- Access via SIP for SIP users

27 Access Control: X.509 Certificate Based Mutual Authentication
Diagram: Remote Phone (Internet) to IPCS over SIP, IPCS to IP PBX (Intranet). The enterprise side holds the Root Certificate (Issuer: XYZ, Subject: XYZ) and its own Certificate (Issuer: XYZ, Subject: Company-name); the remote device holds the same Root Certificate and its own Certificate (Issuer: XYZ, Subject: DeviceName).
- Step 1: Install the CA root and certificates on each side
- Step 2a: Send cert & cert request
- Step 2b: Send cert; validate SIP domain and certificate subject name
- Step 3: SIP request
- Step 4: Validated SIP request

28 Remote Worker: VPN vs VPNless endpoints
VPN endpoint:
- VPN headers add additional size to traffic; in aggregate this reduces bandwidth
- Encrypts traffic, yet does not validate it (encrypting and distributing a virus isn't helpful)
- No ability at the VPN head-end to distinguish between voice and data traffic; ultimately voice quality suffers
- Cumbersome user experience for real-time communication applications
VPNless endpoint:
- TLS/SRTP encrypts the traffic with a smaller bandwidth footprint than VPN
- Signaling and media are decrypted at the SBC and inspected at layer 7 to validate the traffic before it is allowed through
- Numerous policies allow enterprise control of endpoints
- Consistent user experience for applications

29 Remote Users (diagram as slide 26): access via VPN; secure WiFi via VPN; secure remote users

30 Office Users (diagram as slide 26): VoIP encrypted, signaling encrypted; identity control to put the user in the correct VLAN

31 Customers Facing Rapid Technology Change: more collaboration and mobile devices... more enterprise security threats
- Tablets by …: … million
- Mobile projects will outnumber PC projects 4:1
- Increase in dedicated video soft clients by …: …%
- Increase in mobile enterprise investments through …: …%
- …% of enterprises will be cloud based by …
Source: Gartner

32 Office Users (BYOD) (diagram as slide 26): identity control to put the user in the correct VLAN; check OS etc.; access to office applications only via SBC/firewall

33 The full secure network (diagram as slide 9, with the SP SBC on the MPLS side, the enterprise SBC and firewall in front of the corporate network, VPN for remote users, and identity-controlled VLANs for corporate and BYOD WiFi)

34 Risk Management: Seeking Balance

35 © 2014 Avaya Inc. Avaya – Confidential & Proprietary Do not duplicate, publish or distribute further without the express written permission of Avaya.

36 Thank You

37 What can Avaya do for you here?

38 Avaya portfolio (diagram): Enterprise Collaboration Platforms; Switched Video & Conferencing; IP Office; Low Bandwidth High Definition Video; ACA; Session Border Controller; Top of Rack High Availability; Multicast Video Surveillance; Identity Engine; SPB / Fabric Connect; UC & CC Managed Services; SLA Mon Technology; Avaya Diagnostic Server; Avaya Automated Chat; Video & Conferencing; Avaya Messaging Service; Mobile Clients; Desktop Video Client; Collaboration Environment; Speech Analytics; Multi-Channel Self-Service; Avaya Aura Conferencing

39 Where can Avaya help you?
- Avaya multilayer security in the UC/CC world
- Full data network (edge to core)
- SPB Stealth Network (for LAN and WAN)
- Fully separated networks depending on the organization
- Avaya SBC for the enterprise for full SIP security
- Identity Engine (so that every user/device is in the correct secured network)

40 Avaya's Multilayer Security Strategy
Secure by Design (secure deployment strategy):
- Separates UC applications & servers from the enterprise production network
- Trusted communications framework with trust relationships for administration, managing elements, SIP elements & the enterprise network
- Authentication & authorization framework
Security Built-In:
- Hardened Linux OS with inherent security features
- Secures mission-critical applications
- Reduces the potential Linux "attack surface" by limiting access to ports, services and executables
- Security updates
- Denial of Service protection mechanisms
- Least privileges
- Digital certificates
- Insecure protocols disabled
Secure Communications:
- Standard security protocols & trust relationships protect access and transmissions
- Encrypted communications protect media, signaling & management traffic
- Ensures protection of sensitive information
- IP endpoints can authenticate to the network infrastructure
Use of Avaya's multilayer security strategy prevents security violations and attacks.

41 Avaya's Product Security Strategy
Product Security: protect all UC / CC components to ensure optimal uptime and protection of sensitive information
- System hardening
- Input validation
- Firewall & denial-of-service protection
- Standards-based encryption
- Avaya Security Advisories
Secure Customer Integration: integrate securely into the customer network to minimize infrastructure expense, maximize efficiency and transparently enable unified communications
- RADIUS / LDAP integration (AAA)
- Network firewall / SBC interoperability
- Endpoint authentication
- Certificate management / PKI
Certification and Assurance: validate product functionality & facilitate secure UC implementation
- Common Criteria, JITC
- Vulnerability assessment
- Security documentation
- Government regulations: HIPAA, GLBA, SOX, PCI
An internal security standard reflects "Secure By Design": consistent protection across Avaya products.

42 The full network architecture (diagram: WLAN 8100, WLAN 9100, ERS 3000, ERS 8000, VSP 4000, VSP 7000, VSP 8000, VSP 9000, Identity Engine)
- Start with Fabric Connect-enabled infrastructure switches
- Add Fabric Connect access switches
- Use Fabric Attach for Avaya and 3rd party devices

43 From complex, rigid and cumbersome networks to simple, agile and resilient networks
Before (Edge, Campus Core, Data Center Core, Server Access, Server): STP / MSTP / RSTP / FlexLink at the edge and server access; OSPF, static routes, BGP, PIM-SM/DVMRP and VRF in the core.
After, with Fabric Connect (IEEE 802.1aq / RFC 6329) at Edge, Distribution, Campus Core, Data Center Core and Server Access: STP removed; SMLT/RSMLT and VLACP/SLPP at the edge and server access; OSPF, static routes, BGP, PIM-SM/DVMRP and VRF.

44 What is a "Stealth" Network?
- Any network that is enclosed and self-contained with no reachability into and/or out of it. It also must be mutable in both services and coverage characteristics
- The common comparable terms used are MPLS IP-VPN, Routed Black Hole Network, IP VPN Lite
- Avaya's Fabric Connect, based on IEEE 802.1aq, provides fast and nimble private networking circuit-based capabilities that are unparalleled in the industry
- "Stealth" Networks are private 'dark' networks that are provided as services within the Fabric Connect cloud
  - L2 Stealth: a non-IP-addressed L2 VSN environment
  - L3 Stealth: an L3 VSN IP VPN environment

45 Superior Virtual Networking. Use case: multi-tenancy in the transportation industry (tenants: Financial (PCI), Federal Aviation, Luggage System, Guest Access)
Before: extremely complicated; practically un-scalable; error prone; static model
After: highly scalable; agile configuration; simple troubleshooting; highly dynamic

46 Use case requirements for "Stealth" Networks
- Networks that require isolation and security
  - PCI compliance
  - HIPAA compliance
  - Financial exchanges
  - Video surveillance (unicast or multicast)
  - SCADA control networks
- Networks that require services separation
  - Multicast, particularly video surveillance
  - Bonjour
  - SCADA

47 Anatomy of a Layer 2 Stealth Network
- An SPB I-SID that is associated with end VLANs
- No IP addresses assigned*
- Provides a closed non-IP or single-subnet IP based network
- Typically used within the data center for PCI-DSS systems (*IP addresses can be used behind the security perimeter)
(diagram: VLAN to I-SID across the Fabric Connect cloud; secure L2 "Stealth" network, no IP)

48 Anatomy of a Layer 3 Stealth Network (IP VPN)
- An SPB I-SID that is associated with end VRFs
- Multiple IP subnets: a completely separate & private IP forwarding environment
- Provides a closed IP internet environment
(diagram: VLAN to VRF to I-SID across the Fabric Connect cloud; secure L3 "Stealth" network (IP VPN) with Subnet A and Subnet B)

49 Secure Guest and BYOD Networking. Use case: unified user access
Challenges: multi-vendor solutions; manual integration; independent security layers; wired and wireless access
Unified user access: secure employee and guest access, wired and wireless; automatic VLAN / QoS / VSN assignment; single sign-on for Aura applications; reporting and analytics for compliance

50 Controlling Access and Security (diagram: Identity Engines, firewall, controller or switching point, wireless access point, captive portal; corporate laptop placed on the secure LAN, guest tablet on the guest VLAN)
- Leverage common identity and network access control capabilities
- Identify each device that enters the network and apply rules based on user ID, device ID, device type, connection media, etc.
- Then apply policies for the specific network access needed
- BYOD devices may not need full access: protected app access
- Apply security standards and encryption
- Include rich and flexible options for "guest access"

51 Access Policies: Identity Engines role-based access
Case 1: employee with corporate laptop
  IF (identity = HR employee) AND (device = corp laptop) AND (medium = wired) THEN GRANT FULL ACCESS
Case 2: employee with personal iPad
  IF (identity = HR employee) AND (device = personal iPad) AND (medium = wireless) THEN GRANT LIMITED ACCESS
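The two access rules above, together with the VLAN placement and OS posture check from the earlier office-user slides, as an added example of a first-match, default-deny policy evaluator (not Avaya Identity Engines code). The attribute names, the VLAN numbers and the quarantine behaviour are assumptions.

```python
"""Role-based network access policy in the style of the 'Access Policies' slide.

Added example, not Identity Engines code. Attribute names (identity, device,
medium, os_compliant) and the VLAN numbers are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

FULL, LIMITED, GUEST, DENY = "FULL", "LIMITED", "GUEST", "DENY"


@dataclass(frozen=True)
class Request:
    identity: str               # role from the directory, e.g. "HR employee"
    device: str                 # device class from profiling, e.g. "corp laptop"
    medium: str                 # "wired" or "wireless"
    os_compliant: bool = True   # posture result ("Check OS etc.")


@dataclass(frozen=True)
class Rule:
    """Each condition is matched exactly; None means 'any value'."""
    identity: Optional[str]
    device: Optional[str]
    medium: Optional[str]
    access: str
    vlan: int                   # VLAN the user is placed in when the rule fires

    def matches(self, r: Request) -> bool:
        return all(
            want is None or want == got
            for want, got in ((self.identity, r.identity),
                              (self.device, r.device),
                              (self.medium, r.medium))
        )


# Case 1 and Case 2 from the slide, plus an assumed guest rule. Order matters:
# the first matching rule wins, and anything unmatched falls through to DENY.
POLICY = [
    Rule("HR employee", "corp laptop", "wired", FULL, vlan=10),
    Rule("HR employee", "personal iPad", "wireless", LIMITED, vlan=20),
    Rule("guest", None, "wireless", GUEST, vlan=99),
]
QUARANTINE_VLAN = 666   # assumed remediation VLAN for non-compliant devices


def decide(req: Request, policy=POLICY) -> Tuple[str, int]:
    """Return (access level, VLAN) for a request.

    A FULL grant is downgraded to LIMITED in the quarantine VLAN when the OS
    posture check failed, so a stale corporate laptop never reaches the
    production VLAN. Unknown identity/device/medium combinations are denied.
    """
    for rule in policy:
        if rule.matches(req):
            if rule.access == FULL and not req.os_compliant:
                return LIMITED, QUARANTINE_VLAN
            return rule.access, rule.vlan
    return DENY, 0


if __name__ == "__main__":
    for r in (Request("HR employee", "corp laptop", "wired"),
              Request("HR employee", "personal iPad", "wireless"),
              Request("HR employee", "corp laptop", "wireless")):
        print(r, "->", decide(r))
```

Note that Case 1's laptop over wireless hits no rule and is denied: the medium is part of the identity decision, not an afterthought.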

52 Authenticated Network Architecture (diagram): network abstraction layer and directory abstraction layer; Identity Engines components: Reporting & Analytics, Posture Assessment, Guest Access Mgmt, Access Portal, CASE Wizard; Policy Enforcement Point, Policy Decision Point, Policy Information Point

53 The Solution: Avaya Session Border Controller for Enterprise portfolio
Industry-leading enterprise UC security:
- Secure VoIP and UC over any network to any device, including smartphones, alternative devices and SIP endpoints
- Innovative VPN-less remote worker offering, enabling true BYOD
Price/performance optimized for enterprise & SME:
- Fit-for-purpose SME / enterprise solution
- Not a repackaged carrier SBC
- Scalability: up to 5,000 sessions, and more in the near future
- High availability
- TCO & ROI
Ease of implementation & management:
- Rapid implementation of safe SIP trunks, remote workers and advanced UC applications
- SIP trunks operational in minutes, not months
- GUI-based SIP normalization tool
- VMware compatible

54 Avaya's Product Security Support Team (PSST): assessment / penetration testing
- Internally-focused security assessment / penetration testing of Avaya products
- Penetration test tool kit leveraged across GCS products
- Security assessment testing includes:
  - Replicate customer or "attacker" methodology
  - Find / resolve issues before the field does
  - Measure progress against standards, e.g. CTO, JITC, Nessus / Retina ".mil" plug-ins
  - Unscripted testing
- Champion best security practices across Avaya
