Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT Expo SECURITY Scott Beer Director, Product Support Ingate +1-613-963-0933.

Similar presentations


Presentation on theme: "IT Expo SECURITY Scott Beer Director, Product Support Ingate +1-613-963-0933."— Presentation transcript:

1 IT Expo SECURITY Scott Beer Director, Product Support Ingate scott@ingate.com +1-613-963-0933

2 What is Network Security? Network Security Consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. http://en.wikipedia.org/wiki/Network_security Should Security apply to Voice over IP? YES! ABSOLUTELY!

3 What is Network Security? Why should Security apply to VoIP? VoIP security involves the authorization of access to Voice applications in a network Authenticating information that allows voice access to Call Control and UC Applications VoIP Security covers a variety of computer networks, both public and private, that are used in everyday jobs conducting transactions and communications among businesses, government agencies and individuals.

4 What is Network Security? Why should Security apply to VoIP? (con’t) VoIP can be private, such as within a company, and others which might be open to public access. VoIP security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: It secures the Voice Network, as well as protecting and overseeing operations being done.

5 What is Network Security? Why is VoIP Security Important? End of Geography IP Protocol is an OPEN network system, no longer need to be physically present Any IP Address can connect with any other IP Address. Prevent Fraudulent Activities Identify Theft, Toll Fraud, Spoofing, Misuse, SPAM, SPIT, Vishing, Eavesdropping, Data Mining, Reconnaissance Prevent Disruption of Service Denial of Service, Fuzzing

6 Trusted and Untrusted Policies in Defining Network Security Zones A network zone describes the trust level of a network connection. Trusted Network Security Zone Fully trusted connections. All incoming traffic is allowed. Untrusted Network Security Zone Fully untrusted connections. No incoming traffic is allowed. Administrator defines the services/policies

7 Trusted and Untrusted Examples

8

9

10 Comparing SBCs with Firewalls Summary VoIP and UC are being deployed at an growing rate IP networks provide a highly effective means for enterprises and contact centers to communicate The IP communications network is now a business- critical resource IP-based enterprise communications networks, services and applications must be secured. For successful VoIP/ UC deployments the enterprise must: Maximize communication service and interoperability Assure service availability and quality levels Control costs

11 Comparing SBCs with Firewalls Firewalls with SIP ALG (Application Layer Gateway) Ubiquitous in today’s IP networks—protect IP data networks, servers and applications against a variety of threats through stateful inspection and filtering at layers 3 and 4 of the OSI model. To enable basic VoIP connectivity through the firewall, some firewalls add SIP ALGs that translate embedded SIP addresses allows the firewall to maintain a single end-to- end SIP session between endpoints residing on either side of the firewall.

12 Comparing SBCs with Firewalls Session Border Controllers (SBC) SBC’s implement a SIP back-to-back user agent (B2BUA) as defined in IETF RFC 3261. A B2BUA divides each SIP session into two distinct segments. In doing so, the SBC is able to completely and effectively controls SIP sessions, as well as the associated media flows, in ways that SIP ALGs cannot. This unique capability gives SBCs a clear edge in their ability to securely deliver reliable, high- quality IP-based interactive communications.

13 Comparing SBCs with Firewalls How It Works Firewall with SIP ALG Maintains single SIP session through Firewall Fully state-aware at layer 3 and 4 Only inspects/modifies SIP, SDP addresses Unable to terminate, initiate, re-initiate or respond to SIP signaling messages Only supports static ACLs and policies

14 Comparing SBC with Firewall How It Works Session Border Controllers (SBC) Implements SIP B2BUA for complete control Fully state-aware at layers 2-7 Inspects/modifies all SIP, SDP header info Can terminate, initiate, re-initiate & respond to SIP signaling messages Supports static and dynamic ACLs and policies

15 Security with SBC Session Border Controllers uniquely provide all controls required for delivering trusted, reliable and high-quality IP interactive communications: Security: IP PBX and UC server DoS/DDoS attack protection, SBC self-protection Communications reach maximization: IP PBX and UC protocol interworking, remote NAT traversal SLA assurance: IP PBX & UC server session admission and overload control, data center disaster recovery, remote site survivability, Call Admission Control, SBC high-availability operation Data Firewalls with application layer gateways (FW/ALG) are effective in securing data-oriented application infrastructure (PCs, servers).

16 Successful Delivery of VoIP  Requirements for the successful delivery of enterprise and contact center VoIP/UC services and applications  SBC/FW DoS/DDoS Self-Protection  VoIP Theft of Service  IP PBX & UC SIP Protocol Interoperability  IP PBX/UC Server Session Admission & Overload Control  Remote Site NAT Traversal  High Availability VoIP Operations  Data Center Disaster Recovery  Remote Site Survivability using SBC/FW  Call Admission Control

17 Success Combined  Completely Ubiquitous Voice & Data Security

18 SIP Security is Better  Why is SIP Security Better than PSTN?  Encryption  Transport Layer Security (TLS) – Encryption of SIP Signaling

19 SIP Security is Better  Why is SIP Security Better than PSTN?  Encryption  Secure RTP (SRTP) – Encryption of Media

20 Common SIP Attacks  Intrusion of Services (or Theft of Service)  Devices attempting Register with a IP-PBX in an attempt to look like an IP-PBX extension and gain IP-PBX services  SPIT (SPAM over Internet Telephony)  Toll Fraud  A form of an Intrusion of Service, where malicious attempts to send INVITEs to an IP-PBX to gain access to PSTN Gateways and SIP Trunking to call the PSTN  Denial of Service  INVITE (or any SIP Request) Flood in an attempt to slow services or disrupt services  Or any UDP or TCP traffic directed at a SIP Service on SIP Ports  Indirect Security Breaches

21 Common SIP Attacks  What is Intrusion of Service?  A Third Party attempting to defraud either the Enterprise or the Carrier  Devices attempting “Spoof” a Client device in an attempt to look like an extension (or enterprise) and gain services directly, including Toll Fraud.

22 Common SIP Attacks  What is Denial of Service?  A Third Party attack to make a communications resource unavailable to its intended users  Generally consists of the concerted efforts to prevent SIP communications service from functioning efficiently or at all, temporarily or indefinitely  One common method of attack involves saturating the target (victim) IP-PBX with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable

23 Common SIP Attacks  Prevention of SIP Attacks  Layered Security  Do Not to subject “Mission Critical” Voice applications to SIP Attacks

24 The End Scott Beer Director, Product Support Ingate scott@ingate.com +1-613-963-0933


Download ppt "IT Expo SECURITY Scott Beer Director, Product Support Ingate +1-613-963-0933."

Similar presentations


Ads by Google