Securing the UC Network. Terry Pierson Consulting System Engineer UC Security - AVAYA. Agenda. UC Security – Why it matters VIPER Lab Avaya SBC for Enterprise Use Cases SIP Trunks – Standard License Remote Worker – Advanced License SBC Update Resources Q & A.

Securing the UC Network

Terry Pierson

Consulting System Engineer

UC Security - AVAYA

Agenda
  • UC Security – Why it matters
  • VIPER Lab
  • Avaya SBC for Enterprise
  • Use Cases
    • SIP Trunks – Standard License
    • Remote Worker – Advanced License
  • SBC Update
  • Resources
  • Q & A
More Collaboration and Mobile Devices… More Enterprise Security Threats
  • Denial of Service
    • Call/registration overload
    • Malformed messages aka “fuzzing”
  • Configuration errors
    • Mis-configured devices
    • Operator and application errors
  • Theft of service
    • Unauthorized users
    • Unauthorized media types
  • Viruses and SPIT
    • Viruses via SIP messages
    • Malware via IM sessions
    • SPIT – unwanted traffic

Enterprise Adoption of Collaboration Tools

Source: Nemertes Research

Unified Communications Security – Should You Care?

Credit card privacy rules: other compliance laws require security architecture specific to VoIP and other UC. [1]

50% Increase

VoIP hacking at new levels [2]

Up to 25% of attacks

VoIP scanning – botnets, Cloud used for VoIP fraud [3]

Reduce Deployments by 1/3

VoIP / UC security reduces VoIP / UC deployment time by one third [4]

Toll fraud: yearly enterprise losses in Billions

Inadequate securing of SIP trunks, UC and VoIP applications [5]

OSI Model: 7 Layers of Attacks

Think of OSI model as a 7 foot high jump

  • Typical firewall protection
    • Layer 3-4 protection (3 to 4 foot hurdle)
  • Email spam filters: a layer 7, application-specific email firewall
  • SIP, VoIP, UC: layer 4 to layer 7 applications
    • SIP Trunking - a trunk side application
    • SIP Line (phone) side access (internal and external) - another application
  • Attackers/Exploiters look for:
    • High/growing adoption
    • Protection not yet available… VoIP/UC

Wikipedia on 22Jul2011: http://en.wikipedia.org/wiki/OSI_Model

Avaya SBCE provides VoIP/UC trunk/line side layer 4-7 application protection

VIPER Lab

Leading Edge UC Security Research

10 Years of extensive research, using worldwide honeypots, Enterprise networks, etc.

Industry Recognized UC Security Experts

Recognized as UC Security SMEs by SANS, Dept of Justice, and other US Gov agencies, and by external organizations like DefCon and Infoseek

Experienced audit and assessment team

VIPER is an experienced Security assessment team, having completed over 100 network or application assessments

Best Practices vs an Assessment
  • A Security Assessment
    • Your locked doors use an easy to pick lock type
    • Your door frame is thin and one kick could open it
    • Your windows can be unlocked from the outside with a screwdriver
    • Your phone line can be cut stopping your alarm from reaching the police

A proper security assessment validates the implementation of a best practice, and often reveals many weaknesses!

  • Best Practices
    • Lock your doors at night
    • Lock your windows
    • Enable your home alarm system
    • You’ve followed best practices and you’re safe! Or are you?
What does an Audit consist of?
  • An audit usually takes the form of a “UC Penetration Test”
    • It typically consists of the following process:
      • VIPER will review the business and understand VoIP/UC application flow
      • Will tailor a set of unique security test cases, for penetration testing, that are unique to that customer’s infrastructure
      • Perform network discovery and reconnaissance
      • Will spend 1 – 5 weeks doing technical security testing
      • Will develop the security report, typically 1 – 2 weeks
Evolving and Protecting – VIPER Lab

Proactively identifying and preparing defenses beyond your network borders

Vulnerability Assessments improve security architectures and enhance compliance

State-of-the-art research facility with expert vulnerability assessment professionals

Open Source UC Security Self-Assessment Tools

Uncover vulnerabilities in next-generation, multi-vendor networking environments

The Solution – Session Border Controller

Security

Flexibility

Accountability

  • Enforce your unique security policies
  • Focus on enterprise security
  • SIP trunk provider’s own SBC
  • Network topology
  • Invisible to external threats
  • Limits multivendor environment interoperability concerns
  • Independence from Service Provider
  • Normalization point for signaling / RTP media streams
  • Multiple SIP trunk provider access points
  • Support enterprise-specific call flows
  • Report on intrusion attempts
  • Session recording
  • Remote Worker Safety
The SBC Protects & Defends the Avaya Core
  • The SBC is not just about SIP Trunks and Remote Endpoints – it’s about Avaya’s future.
  • Acme, Sonus, and most other 3rd party players are moving into the Enterprise with SBCs – AND – with Session Management offerings.
  • Allowing 3rd Party wins with SBC deals opens the door for them to capture the Core with their SM offerings and sequenced applications before it ever gets to an Avaya system
  • Selling the Avaya SBCE protects Avaya’s Core Business and extends Avaya Aura solutions with secure and borderless Enterprise communication applications.
ASBCE 6.2 System Capacity
  • Session Border Controller capacities are rated in Simultaneous Sessions
    • A simultaneous session = a communication session between 2 SIP endpoints
    • Can think of it as analogous to a DS0 in the ‘old world’
    • Key for engineering is to understand the number of sessions required in the solution
  • For Secure SIP trunking, look at the number of TDM DS0s required
  • For Remote Worker, calculate required call volumes

Capacity in Simultaneous Sessions (Max Capacity w/o Encryption / Max Capacity with Encryption)

  • HA: 2000 / 1000
  • SA: 2000 / 1000
  • Portwell CAD-0208, SA: 500 / 250

  • ‘Rules of Thumb’
    • SIP trunking usually 5 users per session
      • Must account for higher ratio in small
    • Remote Worker must consider both on-net and off-net requirements
    • Remember Encryption Services impact capacity
Avaya SBC for Enterprise

1 Software Base:

Avaya Aura SBC for Enterprise

3 HW Platforms:

Dell & HP for Enterprise; Portwell CAD-0208 for IPO

2 Use Cases

SIP Trunking

Remote Worker

[Diagram labels: CS1000, Avaya SBC for Enterprise, SIP Trunking]

Avaya SBCE: SIP Trunking Architecture
  • Use Case: SIP Trunking to Carrier
    • Carrier offering SIP trunks as lower-cost alternative to TDM
    • Heavy driver for Enterprise adoption of SBC

[Diagram labels: Enterprise, DMZ, Internet, IPPBX, Firewall, Avaya SBCE, Firewall, SIP Trunks, Carrier]

  • Carrier SIP trunks to the Avaya Session Border Controller for Enterprise
  • Avaya SBCE is located in a DMZ behind the Enterprise firewall
  • Services: security and demarcation device between the IP-PBX and the Carrier
    • NAT traversal
    • Securely anchors signaling and media
    • Can normalize SIP protocol
Secure Remote Worker with BYOD

[Diagram labels: Avaya Aura Conferencing, Aura Messaging, Presence Server, Communication Manager, Avaya Aura®, System Manager, Session Manager, Avaya SBCE, Untrusted Network (Internet, Wireless, etc.)]

  • Personal PC, Mac or iPad devices
  • Avaya Flare®, Avaya one-X® SIP client app
  • App secured into the organization, not the device
  • One number UC anywhere

Avaya SBCE: Remote Worker Architecture
  • Use Case: Remote Worker
    • Extend UC to SIP users remote to the Enterprise
    • Solution not requiring VPN for UC/CC SIP endpoints

[Diagram labels: Enterprise, DMZ, Internet, IPPBX, Firewall, Avaya SBCE, Firewall, Remote Workers]

  • Remote Workers are external to the Enterprise firewall
  • Avaya Session Border Controller for Enterprise
    • Authenticate SIP-based users/clients to the enterprise
    • Securely proxy registrations and client device provisioning
    • Securely manage communications without requiring a VPN
Remote Worker: How does the SBC proxy endpoint traffic?

Legend:
  • Unencrypted Signaling: SIP/TCP
  • Encrypted Signaling: SIP/TLS
  • Unencrypted Media: RTP
  • Encrypted Media: SRTP (HW 50 usec)

Flows:
  1. Encrypted signaling over TLS
  2. Signaling over TCP/UDP
  3. Encrypted media SRTP
  4. Media RTP

[Diagram labels: Internet, External Firewall/Router, FW/NAT Traversal, DMZ, Avaya SBCE, Internal Firewall +NAT, Intranet, SM, CM or CS1k]

What’s Next?
  • “6.2” Product Release now through April 2013
    • “Micro” Release for IP Office available now (new market)
    • Trunk-side for Enterprise in February ’13
    • Applications (inc. Remote Worker) in April ’13
  • Re-organized UC Security Team engaging now to build Sales, Tech Ops, Channel enablement programs and create wider coverage. Need your support for participation.
  • Auto-attach campaign to start in Q2 for IPO, CM/Aura, SM, others
  • Reporting on success will be delivered from UC Security Ops to Area Ops, Leaders to assist in gap identification, drive activity
SBCE Roadmap

Avaya SBCE 6.2 – Q1 CY 2013 (Mar)

Avaya SBCE 6.2 Feature Pack 1 – Q2 CY 2013 (May)

Avaya SBCE 6.2 Feature Pack 2 – Q3 CY 2013

SIP Trunking (Avaya Aura, CS1000 & IPO)

Securing Remote Worker without VPN (Avaya Aura)

Avaya Interoperability

Expanded Interoperability

  • SIP security designed for scalable cost-effective enterprise use
  • Fully supports SIP trunking on Avaya Aura, CS1K & IPO
  • Supports remote and mobile SIP devices and clients with Avaya Aura
    • 96x1 R6.2
    • One-X Com R6.2
    • Flare Exp iPad R1.1
  • Extends Avaya Aura® SIP capabilities outside the enterprise
  • Easy and intuitive to deploy and configure, lowering TCO
  • Mobile SIP iOS R6.2
  • 96x0 (SIP) R6.2
  • One-X Comm R6.2
  • OTV R1.0
  • AACC7 support
  • HP DL360 Migration Kit
  • UCID Generation
  • Remote Worker for IPO
    • Flare Exp. R1.1
    • Flare Comm. R1.0.3
  • Radvision Interop
  • CS1K R7.6 w/ Collab Pack
  • Microsoft Lync trunks
UC Security Sales Organization

Nick Adams – Global Sales Leader

CANADA Practice Lead

Chuck Pledger

cpledger@avaya.com

614-893-2628

US Practice Leaders

Dave Mulhern-Northeast

dmulherm@avaya.com

972-679-7809

Brad Bleeck-South

hbleeck@avaya.com

972-679-7809

Ed Williams- Central

ewilliams1@avaya.com

972-322-3791

Shawn Darcy – West

sddarcy@avaya.com

310-748-8803

US Engineering

Terry Pierson

tpierson1@avaya.com

972-978-2611

EMEA Practice Lead

Dan Panesar

dpanesar@avaya.com

+44 4477 1566 6078

APAC Practice Lead

David Lloyd

dave@avaya.com

+61 417328435

Global Technical Lead

Addis Hallmark

ahallmark@avaya.com

214-269-2420

Global Channel Lead

Greg Parcell

gparcell1@avaya.com

630-618-0188

Global Operations

Jaime Cooley

jcooley@avaya.com

630-245-2822

CALA Practice Lead

Gus Herrera

herrerag@avaya.com

305-586-2973