
Security threat mitigation in enterprise UC environments

Presenter: Jonathan Zarkower, Director, Product Marketing.


Presentation Transcript


  1. Security threat mitigation in enterprise UC environments
  Jonathan Zarkower, Director, Product Marketing

  2. Enterprise & contact center transition to IP interactive communications
  Gartner Group: "Voice and data convergence based on IP telephony will be under way in more than 95 percent of large companies by 2010."
  • TDM-to-IP transition well underway
    • Reduce costs, improve communications efficiency
    • Mobility, collaboration, presence and video drive IP transition and complexity
    • Compliance – call recording, emergency services, domain separation
  • IP PBXs extensively deployed, but they exist as islands
  • Unified Communications (UC) is the new focus
    • Migrate mission-critical applications onto the IP network
    • Integrate chat, voice and video into contact center and business applications
    • Introduce presence and mobility into the application delivery process
    • Transition call centers to multimedia customer care centers
  • Enhanced communications efficiency
    • Enables intelligent call routing based on business rules/processes (cost, availability, skills, etc.)
    • Integrate remote workers/agents seamlessly
    • Distribute call processing to eliminate single points of failure

  3. In IP we trust… no one!

  4. VoIP security in the news
  • Bell Canada customers face bills as high as $220,000 as hackers breach system (Jan. 2009)
  • IP PBX hacked for 11,000 calls, $120,000 in charges (Jan. 2009)
  • Skype outage disconnects users, eBay stock price dips (Aug. 2007)
  • Two men charged with hacking into VoIP networks, pocketing $1 million (June 2006)

  5. Enterprise security concerns

  6. VoIP threats – impacts & probabilities
  Note: probability and impact ratings are on a 1–10 scale, with 1 being low and 10 being high.

  7. Four enterprise border points require control & security
  • Interconnect border to service provider(s) – SIP/H.323 trunking
    • Extend IP-to-IP connectivity
    • Reduce costs, increase quality
  • Access border – trusted
    • Interconnect sites and users
    • Simplified number plans
  • Access border – untrusted
    • Anywhere connectivity
    • Secure and unsecure access
  • Hosted services/ASP border
    • Expand service and application capabilities
    • Create a global reach
  [Diagram: headquarters (UC, CC, IPT), regional office, branch office, SOHO, mobile and nomadic users connected over MPLS VPN and the Internet (SIP/H.323) to PSTN service providers, other IP subscribers and a hosted services/IP contact center ASP; the four numbered border points are marked on the diagram.]

  8. Key security threats to enterprise UC
  • Denial of Service
    • Malicious & non-malicious
    • Call/registration overload
    • Malformed messages (fuzzing)
    • Misconfigured devices
    • Operator and application errors
  • Viruses & SPIT
    • Viruses attached to SIP messages
    • Malware executed through IM sessions
    • SPIT – annoying, unwanted traffic
  • Identity theft & eavesdropping
  • Service theft
  • Unauthorized users and applications
  [Diagram: same enterprise topology as slide 7 (headquarters, regional/branch offices, SOHO, mobile and nomadic users, MPLS VPN, Internet, PSTN service providers, other IP subscribers, hosted services/IP contact center ASP) with the four border points marked.]

  9. Microsoft OCS 2007 architecture – SIP security risks
  [Architecture diagram, split into Internal, Perimeter and External zones. Perimeter: access edge servers, A/V edge server(s), web conferencing edge server, HTTP reverse proxy, Communicator Web Access (app server), load balancers. Internal: Director(s), front end servers (registration/presence server), conferencing servers (A/V, data, IM), IIS servers, back end SQL servers, mediation server(s), Exchange UM (voice mail), speech server, Active Directory, MIIS, identity, archiving and monitoring (MOM, MMC, IM/CDR archive), interactive apps, CTI server (RCC gateway), media gateway to IP PBX, PSTN and fax. UC endpoints: Microsoft Communicator, Live Meeting, Communicator Mobile, Communicator Phone Edition. External: federated networks and public IM (AOL, MSN, Yahoo), PSTN. Legend: SIP, media, HTTP, PSOM.]

  10. The key difference between SBC & ALG is the back-to-back user agent
  • Functional advantages
    • Seamlessly addresses the issue of OLIP addresses
    • Responds to REDIRECTs, can initiate re-INVITEs and BYEs
    • Gracefully manages "stranded call" scenarios
    • Provides signaling interworking and protocol fix-ups
  • Security advantages
    • Modifies the IP address and SIP URI in every field of the signaling message for complete "anonymization"
    • Detects protocol anomalies and also fixes signaling
    • Provides interworking between encrypted and non-encrypted elements
    • Goes beyond throttling down the rate of signaling messages
  • Regulatory advantages
    • Supports session replication for call recording
    • Supports lawful intercept

  11. Even high-end firewalls can't defend against SIP DoS/DDoS attacks
  • Total of 34 different test cases, using over 4,600 test scripts
    • SIP flood tests – flood attacks consisting of INVITE, REGISTER and Response 100, 180, 200 messages from thousands of random source addresses/ports
    • SIP spoof flood tests – same as SIP flood tests but with spoofing of different headers, fields and addresses
    • SIP malformed message tests – over 4,500 PROTOS attack cases
    • SIP torture tests – IETF draft of 49 malformed SIP messages
    • RTP attack tests – rogue, fraud, and flood attacks of RTP packets
  • Cisco PIX 535 failed consistently
    • Some attacks caused hard failure – needed to be powered off/on
    • Some attacks were flooded into the core and impacted the proxy
    • Even some random RTP floods caused 94% CPU utilization

  12. SBC DoS/DDoS protection
  • Dynamic trust management
    • Success-based trust model protects resources
    • Adjust resources based on real-time events
  • Proactive threat mitigation
    • Drop malformed sessions
    • Block known malicious traffic sources
    • Identify automated calling and reject based on defined policies
  [Diagram: enterprise topology of slide 7 with spammers and zombie PCs on the Internet side of the SBC.]

  13. IP PBX, SIP proxy & application server DoS/DDoS prevention
  • Comprehensive security
    • Topology hiding protects PBX/UC servers from external exposure/threats
    • Private/public address management ensures user privacy
  • Real-time session control
    • Signaling overload protection via rate limiting, load balancing and selective call rejection
    • Policy-based admission control
  [Diagram: enterprise topology of slide 7 with infected PCs and rogue devices inside the enterprise, and spammers and zombie PCs on the Internet side.]
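  Slides 11–13 describe what a session border controller does at the signaling layer that a packet firewall does not: reject malformed messages before they reach the proxy, rate-limit signaling per source, and raise the budget of sources that have proven themselves (success-based trust). The following is an added illustration written for this transcript, not Acme Packet's code or anything from the presentation; the rate limits, the block threshold, the addresses and the sample INVITE are all assumed values constructed for the example.

```python
"""Per-source SIP admission control with success-based dynamic trust.

Added example (not Acme Packet's code or the presentation's): an SBC-style
front door that drops malformed requests, rate-limits signaling per source
address, raises the allowance of sources that complete a registration and
blocks sources that keep sending malformed traffic. Policy numbers are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy: requests per second per trust level, and how many malformed
# messages a source may send before it is blocked outright.
RATE_LIMIT = {"untrusted": 2, "trusted": 20}
MALFORMED_BEFORE_BLOCK = 3

REQUEST_LINE = re.compile(r"^(INVITE|REGISTER|ACK|BYE|CANCEL|OPTIONS) (sips?:\S+) SIP/2\.0$")
# Headers RFC 3261 requires in every request.
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")


@dataclass
class SourceState:
    trust: str = "untrusted"
    window: int = -1      # current one-second window
    used: int = 0         # requests seen in that window
    malformed: int = 0
    blocked: bool = False


def parse_request(raw: str):
    """Return (method, headers) or raise ValueError on a malformed request.

    Fuzzed or truncated messages are rejected here, before they reach the
    PBX or UC servers behind the border.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header section
            break
        if ":" not in line:
            raise ValueError("header without colon")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    for h in MANDATORY:
        if h not in headers:
            raise ValueError(f"missing {h}")
    cseq = re.fullmatch(r"(\d+) ([A-Z]+)", headers["cseq"])
    if not cseq or cseq.group(2) != m.group(1):
        raise ValueError("CSeq does not match request")
    if not headers["max-forwards"].isdigit():
        raise ValueError("Max-Forwards not numeric")
    return m.group(1), headers


class AdmissionControl:
    """Decides per request whether to forward, reject (503) or silently drop."""

    def __init__(self):
        self.sources = defaultdict(SourceState)

    def admit(self, src_ip: str, raw: str, now: float) -> str:
        st = self.sources[src_ip]
        if st.blocked:
            return "drop"
        try:
            parse_request(raw)
        except ValueError:
            st.malformed += 1
            if st.malformed >= MALFORMED_BEFORE_BLOCK:
                st.blocked = True          # known-bad source: drop everything
            return "drop"
        sec = int(now)
        if sec != st.window:               # new window: reset the budget
            st.window, st.used = sec, 0
        st.used += 1
        if st.used > RATE_LIMIT[st.trust]:
            return "reject-503"            # overload: refuse, do not fall over
        return "forward"

    def registration_succeeded(self, src_ip: str) -> None:
        """Success-based trust: a completed REGISTER raises the source's budget."""
        self.sources[src_ip].trust = "trusted"


def sample_request(method="INVITE", missing=()):
    """Constructed SIP request; `missing` drops headers to simulate fuzzing."""
    hdrs = [("Via", "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-7"),
            ("Max-Forwards", "70"), ("From", "<sip:bob@192.0.2.10>;tag=a1"),
            ("To", "<sip:alice@example.com>"), ("Call-ID", "c1@192.0.2.10"),
            ("CSeq", f"1 {method}"), ("Content-Length", "0")]
    lines = [f"{method} sip:alice@example.com SIP/2.0"]
    lines += [f"{n}: {v}" for n, v in hdrs if n not in missing]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    ac = AdmissionControl()
    for _ in range(3):
        print("untrusted burst:", ac.admit("203.0.113.5", sample_request(), 0.0))
    ac.registration_succeeded("203.0.113.5")
    print("after registration:", ac.admit("203.0.113.5", sample_request(), 1.0))
    for _ in range(3):
        print("fuzz:", ac.admit("198.51.100.9", "INVITE \x00 SIP/2.0\r\n\r\n", 2.0))
    print("blocked source:", ac.admit("198.51.100.9", sample_request(), 3.0))
```

  A real SBC would key trust on more than a single successful REGISTER and would age the block list, but the shape is the point: the decision is made per source on parsed signaling, not on packet headers, which is what lets it survive the flood and fuzzing cases the PIX in slide 11 did not.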

  14. Viruses & malware can threaten IC endpoints and service infrastructure
  • SIP MIME attachments are a powerful tool for richer call ID – vCard text, picture or video
  • Potential Trojan horse for viruses and worms to general-purpose server-based voice platforms
    • SIP softswitch, IMS CSCF, SIP servers, app servers
    • SIP PBX
    • SIP phones & PCs
  • New endpoint vulnerabilities
    • Embedded web servers – IP phones
    • Java apps – liability or asset?
  • Solution requirements
    • Authentication
    • SIP message & MIME attachment filtering
    • Secure OS environment
  [Graphic: names of well-known viruses and worms – Sobig, Code Red, Nimda, Melissa, SQL Slammer, Klez, Michelangelo, LoveBug.]

  15. SPIT will be annoying, & a possible tool for ID theft
  • Will an anonymous, cheap Yahoo subscriber (aka SPITTER) be able to call an enterprise employee via Verizon to solicit – phone sex, penis enlargement, Viagra pill purchase?
  • Techniques that won't work
    • Access control – static
    • Content filtering
    • Charging – $/call
    • Regulation
  • Solution requirements
    • Access control – dynamic, IDS-like
    • Authentication
    • Admission control – subscriber limits (#)
    • Trust chains – pre-established technical & business relationships

  16. Viruses, malware and SPIT
  • Real-time threat mitigation
    • Wire-speed Deep Packet Inspection (DPI)
    • Signature rule definition and enforcement
  • Dynamic behavior learning
    • Identifies malicious behavior, e.g. consecutive call ID #'s
    • Reduces false positives
    • Protocol anomaly detection
  • Adaptive resource protection
    • Individual device trust classification
    • Define call, bandwidth limits
    • Per-device constraints and authorization
  [Diagram: enterprise topology of slide 7 with spammers, zombie PCs and malicious users on the Internet side of the SBC.]
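  The "dynamic behavior learning" bullet above names one concrete heuristic: a source whose call attempts walk through consecutive called numbers is a dialer sweeping a range, not a person. The detector below is an added example written for this transcript, not code from the presentation or from Acme Packet; the run length, time window, call limits and the call attempt records are constructed values, and the trust classification step shows how the "adaptive resource protection" bullet would consume the result.

```python
"""Behaviour-based SPIT detection: sequential dialing from one source.

Added example (not the presentation's or Acme Packet's code): flags a source
whose recent call attempts form a run of consecutive called numbers, then
lowers that device's call limit. Thresholds and records are constructed.
"""
from collections import defaultdict

RUN_THRESHOLD = 4               # assumed: consecutive numbers needed to flag
WINDOW_SECONDS = 60.0           # assumed: attempts must fall within this span
DEFAULT_CALL_LIMIT = 10         # assumed per-device concurrent call limit
FLAGGED_CALL_LIMIT = 1          # assumed limit once a device is suspect

# Constructed call attempt records: (timestamp, source address, called number)
CALL_ATTEMPTS = [
    (0.0,  "203.0.113.9",  "+15551230100"),
    (2.0,  "203.0.113.9",  "+15551230101"),
    (4.0,  "203.0.113.9",  "+15551230102"),
    (6.0,  "203.0.113.9",  "+15551230103"),
    (8.0,  "203.0.113.9",  "+15551230104"),
    (1.0,  "198.51.100.4", "+15551230377"),
    (30.0, "198.51.100.4", "+15551230212"),
    (90.0, "198.51.100.4", "+15551230378"),
]


def longest_consecutive_run(numbers):
    """Length of the longest stretch where each number is the previous + 1."""
    best = run = 1 if numbers else 0
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_sequential_dialing(attempts, run_threshold=RUN_THRESHOLD,
                              window=WINDOW_SECONDS):
    """Return {source: longest run} for sources sweeping a number range."""
    by_source = defaultdict(list)
    for ts, src, number in attempts:
        by_source[src].append((ts, int(number.lstrip("+"))))
    flagged = {}
    for src, calls in by_source.items():
        calls.sort()                        # chronological order
        for i, (t0, _) in enumerate(calls):
            # Numbers dialed within `window` seconds of attempt i
            in_window = [n for t, n in calls[i:] if t - t0 <= window]
            run = longest_consecutive_run(in_window)
            if run >= run_threshold:
                flagged[src] = run
                break
    return flagged


def trust_classification(attempts):
    """Per-device trust class and call limit: the adaptive resource step."""
    flagged = detect_sequential_dialing(attempts)
    classes = {}
    for src in {src for _, src, _ in attempts}:
        if src in flagged:
            classes[src] = ("suspect", FLAGGED_CALL_LIMIT)
        else:
            classes[src] = ("normal", DEFAULT_CALL_LIMIT)
    return classes


if __name__ == "__main__":
    for src, (cls, limit) in sorted(trust_classification(CALL_ATTEMPTS).items()):
        print(f"{src:14} {cls:8} call limit {limit}")
```

  Reducing false positives, the slide's other requirement, is why the window and run length matter: a receptionist who legitimately dials two adjacent extensions must stay well under the threshold, while a sweep of a hundred numbers in a minute is unmistakable.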

  17. Eavesdropping threat is overhyped
  • Less risk than email – who encrypts email?
    • Email is information rich (attachments), voice is not
    • Email is always stored on servers, voice only as voice mail
    • Email is always stored on endpoints, voice is not
  • Who is REALLY at risk?
    • Public company execs – insider trading
    • Bad guys – Osama, drug cartels, pedophiles, etc.
    • Good guys – law enforcement
    • Other luv & moolah scenarios – adultery, ID theft
  • Solution requirements
    • Authentication – subscriber
    • End-to-end encryption
      • Signaling (TLS, IPsec)
      • Media (SRTP, IPsec)

  18. Confidentiality and privacy
  • Secure communications
    • Encryption protects signaling and/or media (IPsec, TLS, SRTP)
    • Ability to terminate and originate encrypted traffic
    • Interworking between SIP/H.323
  • Create a trusted user environment
    • User protection via SIP privacy (RFC 3323 & 3325) support
    • Endpoint protection via topology hiding and header manipulation
  [Diagram: HQ, regional office, branch office and SOHO connected over the untrusted Internet to PSTN service providers; legs carry SIP/TLS and SRTP or IPsec externally and plain SIP/RTP internally.]
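  Slide 10 says a B2BUA rewrites the IP address and SIP URI in every field of the signaling message, and this slide ties that to RFC 3323/3325 privacy and topology hiding. The code below is an added illustration written for this transcript, not code from the presentation or from Acme Packet: it applies those rewrites to one constructed INVITE as the border controller forwards it, once toward an untrusted carrier and once toward a peer inside an assumed RFC 3325 trust domain. The SBC address, domain names and the message itself are constructed.

```python
"""B2BUA-style topology hiding and SIP privacy on an outbound INVITE.

Added example (not the presentation's or Acme Packet's code). Internal Via,
Contact, Record-Route and Call-ID values are replaced by SBC-owned values;
Privacy (RFC 3323) and P-Asserted-Identity (RFC 3325) are honoured, so the
asserted identity is stripped toward peers outside the trust domain.
"""
import hashlib
import re

SBC_PUBLIC_IP = "198.51.100.1"          # assumed SBC public address
SBC_DOMAIN = "sbc.example.com"          # assumed SBC public hostname
TRUST_DOMAIN = {"peer.example.net"}     # assumed RFC 3325 trusted peers
HOST_PART = re.compile(r"@[^;>\s]+")    # host[:port] inside a SIP URI


def parse_sip(raw):
    """Split a SIP message into start line, ordered header list and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = [tuple(s.strip() for s in line.split(":", 1)) for line in lines[1:]]
    return lines[0], headers, body


def serialize(start, headers, body):
    return "\r\n".join([start] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n" + body


def hide_topology(raw, next_hop_domain):
    """Rewrite an INVITE the way the SBC forwards it to next_hop_domain."""
    start, headers, body = parse_sip(raw)
    trusted = next_hop_domain in TRUST_DOMAIN
    privacy = set()
    for name, value in headers:
        if name.lower() == "privacy":
            privacy = {v.strip().lower() for v in value.split(";")}
    out, via_written = [], False
    for name, value in headers:
        key = name.lower()
        if key == "via":
            # The B2BUA starts its own transaction: a single Via, its own.
            if not via_written:
                out.append(("Via", f"SIP/2.0/TLS {SBC_PUBLIC_IP}:5061;branch=z9hG4bK-sbc-1"))
                via_written = True
        elif key == "record-route":
            pass  # internal proxies' routes never leave the enterprise
        elif key == "contact":
            out.append(("Contact", f"<sip:{SBC_PUBLIC_IP}:5061;transport=tls>"))
        elif key == "call-id":
            # New dialog identifier; a real SBC keeps the mapping as call state.
            digest = hashlib.sha256(value.encode()).hexdigest()[:16]
            out.append(("Call-ID", f"{digest}@{SBC_DOMAIN}"))
        elif key == "p-asserted-identity":
            if trusted:  # RFC 3325: asserted identity stays inside the trust domain
                out.append((name, HOST_PART.sub(f"@{SBC_DOMAIN}", value)))
        elif key == "from":
            if "user" in privacy and not trusted:
                # RFC 3323 user-level privacy: anonymous From, dialog tag kept
                tag = re.search(r";tag=[^;]+", value)
                out.append(("From", '"Anonymous" <sip:anonymous@anonymous.invalid>'
                            + (tag.group(0) if tag else "")))
            else:
                out.append((name, HOST_PART.sub(f"@{SBC_DOMAIN}", value)))
        elif key == "privacy" and not trusted:
            pass  # privacy was applied here; the request for it is consumed
        else:
            out.append((name, value))
    return serialize(start, out, body)


# Constructed INVITE as an internal UC server would hand it to the SBC.
INTERNAL_INVITE = (
    "INVITE sip:+15559876543@itsp.example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK-int-1\r\n"
    "Via: SIP/2.0/UDP 10.1.2.50:5060;branch=z9hG4bK-int-0\r\n"
    "Record-Route: <sip:10.1.2.3;lr>\r\n"
    "Max-Forwards: 69\r\n"
    'From: "Bob" <sip:bob@10.1.2.50>;tag=1928\r\n'
    "To: <sip:+15559876543@itsp.example.org>\r\n"
    "Contact: <sip:bob@10.1.2.50:5060>\r\n"
    'P-Asserted-Identity: "Bob" <sip:+15551230123@10.1.2.3>\r\n'
    "Privacy: id;user\r\n"
    "Call-ID: 7a1c@10.1.2.50\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(hide_topology(INTERNAL_INVITE, "itsp.example.org"))
```

  The check that matters is the negative one: after the rewrite no internal address appears anywhere in the message, including Call-ID, which a naive ALG that only fixes Via and Contact would leak.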

  19. Acme Packet SBCs in Microsoft OCS architecture
  [Architecture diagram: the Microsoft OCS deployment of slide 9 (Internal, Perimeter and External zones; access edge, A/V edge and web conferencing edge servers, HTTP reverse proxy, Directors, front end, conferencing, IIS, back end SQL, mediation, Exchange UM, speech server, Active Directory, MIIS, archiving and monitoring, CTI server, media gateway, IP PBX, PSTN, fax; Communicator, Live Meeting, Communicator Mobile and Phone Edition endpoints; federated networks and AOL/MSN/Yahoo public IM) with Acme Packet SBCs placed for border security, load balancing and mediation (IP PBX & IP trunking). The SBC fronts the IP PBX and its SIP, H.323, MGCP, SCCP and proprietary endpoints. Legend: SIP, media, HTTP, PSOM.]

  20. Trust & identity
  • How do you know you are talking to Bank of America?
  • Web site techniques don't work for IC – they work for many-to-one, not many-to-many
  • Solution requirements
    • Authentication, access control
    • Trust chains – pre-established technical & business relationships

  21. The future IC net?
  [Diagram: "The Internet" contrasted with "The Federnet", a set of federated (F) nodes around an interconnect (I).]

  22. Net-Net
  • Security issues are very complex and multi-dimensional
  • Security investments are business insurance decisions
    • Life – DoS attack protection
    • Health – SLA assurance
    • Property – service theft protection
    • Liability – SPIT & virus protection
  • Degrees of risk (high to low)
    • Internet-connected ITSP – high
    • Facilities-based HIP residential services
    • Facilities-based HIP business services
    • Peering – low
  • NEVER forget disgruntled Milton from "Office Space"
  • Session border controllers enable enterprises to insure their success

  23. The leader in session border control for trusted, first class interactive communications

