Veraz Networks Proprietary and Confidential

Presentation transcript:

Veraz proprietary information notice: This document and the contents therein are the property of Veraz Networks Inc. Any duplication, reproduction, or transmission to unauthorized parties without prior written permission of Veraz Networks Inc. is prohibited. The recipient of this document, by its retention and use, agrees to protect the information contained herein from loss, theft, or transfer to third parties.

Security - The Big Challenge of IP Telephony
Yaron Oppenheim, Director – Product Marketing
February 2003

Agenda
- The Problem
- Why is it critical?
- It should be protected & it can be protected
- Vulnerability points
- Security strategy and measures
  - MG
  - Control Switch
  - Control protocol - MGCP
  - Inter Control Switch communication
  - The voice itself
  - Management activity

Veraz – An introduction
- Veraz is a privately held company formed by the merger of ECI-NGTS and Nexverse Networks
- Global provider of end-to-end, carrier-grade Packet Telephony solutions
- Best-in-Class Integrated Solution
  - Open, Best-of-Breed Softswitch & Media Gateway platforms
  - Driving some of the largest softswitch-based VoIP deployments in the market
- Market leader for carrier-class Digital Compression Multiplexing Equipment (DCME)
  - Over $2B installed base
  - Over 700 carrier customers in 140 countries
  - Current & on-going revenue stream
- Global Presence and Track Record
  - 20 years of experience in delivering solutions to carriers worldwide
  - 100% ownership of advanced DSP technology
  - Global sales & support infrastructure

The Problem
- Attacks on the Internet
  - 38% of the organization’s Web sites suffered unauthorized access or misuse within the last 12 months
  - Government Web site – thousands of attacks per day
- Fraud on the Internet
  - The main obstacle to e-commerce
  - Money that is lost
  - Money that is invested in securing IT installations
  - Growing segment in a recessionary period
- Is IP Telephony much different?

IP Telephony network
[Diagram labels: Feature Server (SIP/H.323/XML/JCC), ControlSwitch, SS7 ISUP/TCAP (ANSI/ETSI/ITU/UK/Japan), SS7/SCP/STP/HLR, IS-41, I-Gate 4000 (MGCP), Wireless PSTN (MSCs), PSTN, IP/ATM Network, Enterprise PBX, IAD, H.323 Gateway, Gatekeeper, 3G Mobile, PDA, SIP Proxy/Feature Server, SIP Devices, Enterprise, Residence/Branch/SMB]

Broadband Local services enable providers to offer existing Class 5 voice services in addition to the new, integrated communications services we can only imagine today. A simple graphical user interface delivers the customized management and control of existing and new services that today's digitally empowered users demand. These Broadband Local services will be delivered to users that are always connected.

Potential Threats to Network Security
- Intranet and Internet
- Most of the intruders – from within the organization
- Internal threats
  - Disgruntled employees
  - Social engineering
  - Former employees
- External threats
  - Hackers
  - Hacking by mistake

Typical Security Attacks
- Unauthorized access
- Denial of Service - DOS
- Eavesdropping
- Masquerade
- Modification of information
  - Content modification
  - Sending the information at another time
- Information theft

Why is it critical?
Because:
- A lot of money can be lost
- The image of the company is a high priority

It should be protected & it can be protected
IP Telephony will not be widely deployed without a reasonable security solution!

Security – you have to protect 360°
The hacker needs only one vulnerability point.
[Diagram labels: Feature Server (SIP/H.323/XML/JCC), ControlSwitch, SS7 ISUP/TCAP (ANSI/ETSI/ITU/UK/Japan), SS7/SCP/STP/HLR, IS-41, I-Gate 4000 (MGCP), Wireless PSTN (MSCs), PSTN, IP/ATM Network, Enterprise PBX, IAD, H.323 Gateway, Gatekeeper, 3G Mobile, PDA, SIP Proxy/Feature Server, SIP Devices, Enterprise, Residence/Branch/SMB]

Vulnerability points
[Diagram labels: VerazView, Internet/Intranet, CDR, EC, RE, CCP/SG, IP Network, I-Gate 4000, I-Gate 4000 Pro; links labelled HTTP, SNMP, CMI, MGCP, RTP]

You have to protect them all
- Call Control Element (CCE)
- Signaling Gateway (SG)
- Routing engine (RE)
- Event Collector (EC)
- CDR Manager
- Management
- Media Gateway (I-Gate 4000/PRO)
- Management System (VerazView)
- Links between elements

Defense strategy
- Access to the IP Telephony Network Element is allowed by using the MANAGEMENT SYSTEM only
- The Management System should be highly secured
- ALL the information traveling from NE to NE (and from the MS to NE) should be encrypted and authenticated.

MG security
- The only way to access the Media Gateway is by using the management system.
- Blocking unnecessary protocols
  - HTTP, Telnet, etc…
- Protecting the MG from unauthorized access
  - Firewall functionality
    - Predefined list of IPs
    - Predefined protocols
    - Application (MGCP) aware
  - Location of the Firewall
[Diagram labels: IP Network, I-Gate 4000 Pro, I-Gate 4000]
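An added example, not part of the original slides and not Veraz product code: a Python sketch of the three firewall checks this slide lists (predefined IP list, predefined protocols, MGCP awareness) applied to constructed packets. The addresses, the `Packet` type and the function names are assumptions; UDP port 2427 and the command verbs are MGCP's defaults from RFC 3435, and only the header line is inspected.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption: call agents allowed to control this gateway (documentation range).
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.16/30")]
# Predefined protocols: only MGCP on the gateway's default UDP port (RFC 3435).
ALLOWED_SERVICES = {("udp", 2427)}
# Standard MGCP command verbs (RFC 3435); extension verbs are rejected here.
MGCP_VERBS = {"EPCF", "CRCX", "MDCX", "DLCX", "RQNT", "NTFY", "AUEP", "AUCX", "RSIP"}
# Command header: verb, transaction id, endpoint name, protocol version.
COMMAND_RE = re.compile(r"^([A-Za-z]{4}) \d{1,9} \S+ MGCP 1\.0(?: .*)?$")
# Response header: 3-digit code, transaction id, optional commentary.
RESPONSE_RE = re.compile(r"^\d{3} \d{1,9}(?: .*)?$")

@dataclass
class Packet:
    src: str
    proto: str
    dport: int
    payload: bytes

def is_mgcp(payload: bytes) -> bool:
    """Application-aware check: first line must be an MGCP command or response."""
    try:
        first = payload.decode("ascii").splitlines()[0]
    except (UnicodeDecodeError, IndexError):
        return False
    m = COMMAND_RE.match(first)
    if m:
        return m.group(1).upper() in MGCP_VERBS
    return bool(RESPONSE_RE.match(first))

def filter_packet(pkt: Packet) -> str:
    """Return 'accept' or a drop reason, checking the cheapest rule first."""
    src = ipaddress.ip_address(pkt.src)
    if not any(src in net for net in ALLOWED_SOURCES):
        return "drop: source not in predefined list"
    if (pkt.proto, pkt.dport) not in ALLOWED_SERVICES:
        return "drop: protocol/port not allowed"
    if not is_mgcp(pkt.payload):
        return "drop: payload is not MGCP"
    return "accept"

# Constructed sample traffic, not captured from a real network.
SAMPLES = [
    Packet("192.0.2.17", "udp", 2427, b"CRCX 1204 aaln/1@gw1.example.net MGCP 1.0\r\nM: recvonly\r\n"),
    Packet("192.0.2.17", "udp", 2427, b"200 1205 OK\r\n"),
    Packet("198.51.100.7", "udp", 2427, b"DLCX 1206 aaln/1@gw1.example.net MGCP 1.0\r\n"),
    Packet("192.0.2.17", "tcp", 23, b"login: "),
    Packet("192.0.2.17", "udp", 2427, b"GET / HTTP/1.1\r\n"),
]
```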

Control Switch elements
- Unix-based elements
  - RE, EC, CDR, CCP, SG, EMS
- Access to the IP Telephony Network Element is allowed by using the MANAGEMENT SYSTEM only
- Block unnecessary protocols
- Access control
- Firewall

MG – Call Control Platform channel
- MGCP, H.248
- IPSEC – the de facto standard – Provides protection (encryption & authentication) to each IP packet
  - Authentication, Integrity, Confidentiality
  - IPSEC – Authentication Header (AH)
  - IPSEC – Encapsulating Security Payload (ESP)
- IKE – Internet Key Exchange (RFC 2409)
  - Session Key
  - Long-term key
[Diagram labels: VerazView, Internet/Intranet, CDR, EC, CCP/SG, RE, IP Network, MGCP, I-Gate 4000, I-Gate 4000 Pro]

IPsec implementation
- External Boxes
  - Check Point
  - Symantec
  - Cisco
- Embedded Implementation
- Pros & cons
  - Vulnerability
  - Cost
  - Management

Control Switch elements comm.
- IPsec
- CMI communication
  - CCP - EC
  - CCP - SG
  - CCP - RE
  - EC - CDR manager
[Diagram labels: EMS, Internet/Intranet, CDR, EC, CCP/SG, RE, IP Network, I-Gate 4000 Pro, I-Gate 4000]

Voice - RTP
- SRTP
- IPsec
[Diagram label: IP Network]

Management System Security
The Management System is the gate to the system…

MS Architecture
- Management System Server
  - Management server
  - Database server
  - Hi-Availability
- WBM Client
  - Operating System independent
  - Web browser
  - Graphical User Interface
  - Does not require installation
[Diagram labels: PC with Web Browser (Client) ×3, WAN, VerazView Server, I-Gate 4000, Control Switch elements]

Vulnerability Points
- Management System – Network Elements channel
  - Eavesdropping
  - Information Theft
- MS Server
  - Intrusion
  - D.O.S.
  - Masquerade
  - Modification of Information
- MS WBM client and connection
[Diagram labels: Internet/Intranet, SG, IP Network, I-Gate 4000, Control SW, Mgmt. System Server - VerazView, WBM client]

Vulnerability at one of the VoIP elements can harm the entire IP Telephony network

Access Control
- User ID and Password – much more than that!
- Validity of user IDs
- Password generation
- Password validity rules
  - Length
  - Structure
  - Time to Live
  - Password History
- Forced password change
- Prevent repetitive intrusion attempts
- Inform the user of the previous login time
- User’s access levels
- Etc.
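An added example, not part of the original slides and not the VerazView implementation: a Python sketch that enforces the rules named on this slide (length, structure, time to live, history, forced change, lockout after repeated failures, reporting the previous login time). All thresholds, the `Account` class and the status strings are assumptions, since the slide gives no values.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Assumed policy values; the slide names the rules but gives no numbers.
MIN_LENGTH, TTL, HISTORY_DEPTH = 12, timedelta(days=90), 5
MAX_FAILURES, LOCKOUT = 5, timedelta(minutes=15)

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    def __init__(self, password: str, now: datetime):
        self.history = []            # (salt, digest) pairs, newest last
        self.failures, self.locked_until, self.last_login = 0, None, None
        self.set_password(password, now)

    def violations(self, password: str) -> list:
        """Length, structure and history rules a candidate password breaks."""
        classes = (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation)
        found = []
        if len(password) < MIN_LENGTH:
            found.append("length")
        if not all(any(c in cls for c in password) for cls in classes):
            found.append("structure")
        if any(hmac.compare_digest(_digest(password, s), d) for s, d in self.history):
            found.append("history")
        return found

    def set_password(self, password: str, now: datetime):
        bad = self.violations(password)
        if bad:
            raise ValueError(f"password rejected: {bad}")
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]
        self.changed_at = now

    def login(self, password: str, now: datetime):
        """Return (status, previous_login_time); lockout is checked first."""
        if self.locked_until and now < self.locked_until:
            return "locked", None
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_digest(password, salt), digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until, self.failures = now + LOCKOUT, 0
            return "denied", None
        previous, self.last_login, self.failures = self.last_login, now, 0
        if now - self.changed_at > TTL:
            return "change_required", previous
        return "ok", previous
```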

Security Administrator
- Who are the active users?
  - Force Logout
  - Suspend
- What are the users doing?

Web-Based Management
- All you need is a Web browser
- OS independent
- HW independent
- Can be shared with other applications
- Low bandwidth
- WBM – Openness and Vulnerability
[Diagram labels: Mgmt. System WBM client, SG, Internet/Intranet, IP Network, Control SW, Mgmt. System Server - VerazView, I-Gate 4000]

WBM Encryption
- SSL – Secure Sockets Layer
  - Provides encryption, authentication & integrity of data stream.
- Encryption of the Management Information
  - SSL is the most popular method to secure Internet transport
  - Used by Web browsers and servers
  - The protocol that incorporates SSL and HTTP is HTTPS
  - Powerful encryption method
[Diagram labels: Internet/Intranet, IP Telephony network, SSL]

Separating Internet Server from MS
- To secure the IP Network from hackers:
  - Internet Server separated from the MS Server
  - MS Internet Server located in demilitarized zone (DMZ)
- The Media Gateway Protection from hackers:
  - Secured Protocol
  - Firewall
[Diagram labels: MG, WBM, Mgmt Server, Internet, IP Network, Secured Protocol, Control SW]

Disaster Recovery
- MS Servers at two remote locations
- RAID Array Disk
- No single point of failure
[Diagram labels: Web Client, Main Location, Alternate Location]

Questions?

Yaron Oppenheim – Director
Yaron.oppenheim@veraznetworks.com