Securing the UC Network
Terry Pierson, Consulting System Engineer, UC Security - AVAYA
Agenda
• UC Security – Why it matters
• VIPER Lab
• Avaya SBC for Enterprise
• Use Cases
  • SIP Trunks – Standard License
  • Remote Worker – Advanced License
• SBC Update
• Resources
• Q & A
More Collaboration and Mobile Devices… More Enterprise Security Threats
• Denial of Service
  • Call/registration overload
  • Malformed messages, aka “fuzzing”
• Configuration errors
  • Mis-configured devices
  • Operator and application errors
• Theft of service
  • Unauthorized users
  • Unauthorized media types
• Viruses and SPIT
  • Viruses via SIP messages
  • Malware via IM sessions
  • SPIT – unwanted traffic
Chart: Enterprise Adoption of Collaboration Tools (Source: Nemertes Research)
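As an added example (not from this deck and not Avaya code), here are the two defensive checks a border element applies against the first threat class above: basic SIP well-formedness against malformed (fuzzed) requests, and a per-source REGISTER rate limit against registration overload. The sample messages, addresses, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
# Constructed sample REGISTERs (not captured traffic): one well-formed, one
# lacking Call-ID with a non-numeric CSeq, as a fuzzed request might look.
GOOD = ("REGISTER sip:example.invalid SIP/2.0\r\n"
        "Via: SIP/2.0/TLS 198.51.100.7:5061;branch=z9hG4bK776\r\n"
        "From: <sip:alice@example.invalid>;tag=1928\r\n"
        "To: <sip:alice@example.invalid>\r\nCall-ID: a84b4c76e66710\r\n"
        "CSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n")
BAD = ("REGISTER sip:example.invalid SIP/2.0\r\n"
       "Via: SIP/2.0/TLS 198.51.100.7:5061;branch=z9hG4bK777\r\n"
       "From: <sip:alice@example.invalid>;tag=1928\r\n"
       "To: <sip:alice@example.invalid>\r\n"
       "CSeq: one REGISTER\r\nContent-Length: 0\r\n\r\n")
REQUEST_LINE = re.compile(r"^([A-Z]+) sips?:\S+ SIP/2\.0$")
REQUIRED = ("via", "from", "to", "call-id", "cseq")

def check_sip_request(raw):
    """Return a list of problems; empty means the request passes the sanity checks."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return ["no end-of-headers"]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["bad request line"]
    problems, headers = [], {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:  # header line without a colon: record it, keep scanning
            problems.append("malformed header: %r" % line)
        headers[name.strip().lower()] = value.strip()
    problems += ["missing " + h for h in REQUIRED if h not in headers]
    cseq = headers.get("cseq", "").split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != m.group(1):
        problems.append("bad CSeq")
    if headers.get("content-length", "0") != str(len(body)):
        problems.append("Content-Length does not match body")
    return problems

class RegisterRateLimiter:
    """Per-source sliding window: over `limit` REGISTERs within `window` seconds
    is treated as registration overload and further requests are refused."""
    def __init__(self, limit=20, window=10.0):
        self.limit, self.window, self.hits = limit, window, defaultdict(deque)
    def allow(self, src, now):
        q = self.hits[src]
        q.append(now)
        while now - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        return len(q) <= self.limit
```

The limiter keys on the source address the request arrived from, which is what the SBC sees at the border; the thresholds are placeholders to be tuned per deployment.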
Unified Communications Security – Should You Care?
• Credit card privacy rules and other compliance laws require a security architecture specific to VoIP and other UC.[1]
• 50% increase: VoIP hacking at new levels.[2]
• Up to 25% of attacks: VoIP scanning – botnets and the cloud used for VoIP fraud.[3]
• Reduce deployments by 1/3: VoIP/UC security reduces VoIP/UC deployment time by one third.[4]
• Toll fraud: yearly enterprise losses in the billions from inadequate securing of SIP trunks, UC and VoIP applications.[5]
OSI Model: 7 Layers of Attacks
Think of the OSI model as a 7 foot high jump:
• Typical firewall protection: layer 3-4 protection (a 3 to 4 foot hurdle)
• Email spam filters: a layer 7, application-specific email firewall
• SIP, VoIP, UC: a layer 4 to layer 7 application
  • SIP Trunking – a trunk side application
  • SIP Line (phone) side (internal and external) access – another application
• Attackers/Exploiters look for:
  • High/growing adoption
  • Protection not yet available… VoIP/UC
Avaya SBCE provides VoIP/UC trunk/line side layer 4-7 application protection.
Source: Wikipedia on 22 Jul 2011: http://en.wikipedia.org/wiki/OSI_Model
VIPER Lab
• Leading Edge UC Security Research: 10 years of extensive research, using worldwide honeypots, enterprise networks, etc.
• Industry Recognized UC Security Experts: recognized UC security SMEs by SANS, Dept of Justice and other US Gov agencies, and external organizations like DefCon and Infoseek
• Experienced audit and assessment team: VIPER is an experienced security assessment team, having completed over 100 network or application assessments
Best Practices vs an Assessment
Best Practices
• Lock your doors at night
• Lock your windows
• Enable your home alarm system
• You’ve followed best practices and you’re safe! Or are you?
A Security Assessment
• Your locked doors use an easy to pick lock type
• Your door frame is thin and one kick could open it
• Your windows can be unlocked from the outside with a screwdriver
• Your phone line can be cut, stopping your alarm from reaching the police
A proper security assessment validates the implementation of a best practice, and often reveals many weaknesses!
What does an Audit consist of?
• An audit usually takes the form of a “UC Penetration Test”
• It typically consists of the following process:
  • VIPER reviews the business and understands the VoIP/UC application flow
  • Tailors a set of penetration-testing cases unique to that customer’s infrastructure
  • Performs network discovery and reconnaissance
  • Spends 1 – 5 weeks doing technical security testing
  • Develops the security report, typically 1 – 2 weeks
Evolving and Protecting – VIPER Lab
• Proactively identifying and preparing defenses beyond your network borders
• Vulnerability assessments improve security architectures and enhance compliance
• State-of-the-art research facility with expert vulnerability assessment professionals
• Open source UC security self-assessment tools
• Uncover vulnerabilities in next-generation, multi-vendor networking environments
The Solution – Session Border Controller
Security
• Enforce your unique security policies
  • Focus on enterprise security
  • SIP trunk provider’s own SBC
• Network topology invisible to external threats
Flexibility
• Limits multivendor environment interoperability concerns
• Independence from Service Provider
• Normalization point for signaling / RTP media streams
• Multiple SIP trunk provider access points
• Support enterprise-specific call flows
Accountability
• Report on intrusion attempts
• Session recording
• Remote Worker safety
The SBC Protects & Defends the Avaya Core
• The SBC is not just about SIP trunks and remote endpoints – it’s about Avaya’s future.
• Acme, Sonus and most other 3rd party players are moving into the Enterprise with SBCs AND with Session Management offerings.
• Allowing 3rd party wins with SBC deals opens the door for them to capture the core with their SM offerings and sequenced applications before it ever gets to an Avaya system.
• Selling the Avaya SBCE protects Avaya’s core business and extends Avaya Aura solutions with secure and borderless enterprise communication applications.
ASBCE 6.2 System Capacity
• Session Border Controller capacities are rated in simultaneous sessions
  • A simultaneous session = a communication session between 2 SIP endpoints
  • Think of it as analogous to a DS0 in the ‘old world’
• Key for engineering is to understand the number of sessions required in the solution
  • For secure SIP trunking, look at the number of TDM DS0s required
  • For Remote Worker, calculate required call volumes

Capacity in Simultaneous Sessions | Max Capacity w/o Encryption | Max Capacity with Encryption
HA                                | 2000                        | 1000
SA                                | 2000                        | 1000
Portwell CAD-0208 SA              | 500                         | 250

• ‘Rules of Thumb’
  • SIP trunking usually 5 users per session
  • Must account for higher ratio in small
  • Remote Worker must consider both on-net and off-net requirements
  • Remember encryption services impact capacity
Avaya SBC for Enterprise
• 1 software base: Avaya Aura SBC for Enterprise
• 3 HW platforms: Dell & HP for Enterprise; Portwell CAD-0208 for IPO
• 2 use cases: SIP Trunking, Remote Worker
Diagram: Avaya SBC for Enterprise providing SIP Trunking (incl. CS1000)
Avaya SBCE: SIP Trunking Architecture
• Use Case: SIP Trunking to Carrier
  • Carrier offering SIP trunks as a lower-cost alternative to TDM
  • Heavy driver for Enterprise adoption of SBC
Diagram: Carrier SIP trunks over the Internet to the Avaya SBCE in the DMZ, between the two firewalls, in front of the enterprise IP-PBX
• Carrier SIP trunks to the Avaya Session Border Controller for Enterprise
• Avaya SBCE is located in a DMZ behind the Enterprise firewall
• Services: security and demarcation device between the IP-PBX and the Carrier
  • NAT traversal
  • Securely anchors signaling and media
  • Can normalize the SIP protocol
Secure Remote Worker with BYOD
Diagram: Avaya Aura core (Avaya Aura Conferencing, Aura Messaging, Presence Server, Communication Manager, Avaya Aura® System Manager, Session Manager) behind the Avaya SBCE; remote devices on an untrusted network (Internet, wireless, etc.)
• Personal PC, Mac or iPad devices
• Avaya Flare®, Avaya one-X® SIP client app
• App secured into the organization, not the device
• One number UC anywhere
Avaya SBCE: Remote Worker Architecture
• Use Case: Remote Worker
  • Extend UC to SIP users remote to the Enterprise
  • Solution not requiring VPN for UC/CC SIP endpoints
Diagram: Remote Workers on the Internet, external firewall, Avaya SBCE in the DMZ, internal firewall, enterprise IP-PBX
• Remote Workers are external to the Enterprise firewall
• Avaya Session Border Controller for Enterprise:
  • Authenticates SIP-based users/clients to the enterprise
  • Securely proxies registrations and client device provisioning
  • Securely manages communications without requiring a VPN
Remote Worker: How does the SBC proxy endpoint traffic?
Legend:
• Unencrypted signaling: SIP/TCP
• Encrypted signaling: SIP/TLS
• Unencrypted media: RTP
• Encrypted media: SRTP (HW 50 usec)
Diagram: Internet – External Firewall/Router – DMZ (Avaya SBCE) – Internal Firewall + NAT – Intranet (SM, CM or CS1k)
1. Encrypted signaling over TLS from the endpoint across the Internet to the SBCE (FW/NAT traversal)
2. Signaling over TCP/UDP from the SBCE into the intranet to SM
3. Encrypted media (SRTP) between the endpoint and the SBCE
4. Media (RTP) from the SBCE into the intranet
What’s Next?
• “6.2” Product Release now through April 2013
  • “Micro” Release for IP Office available now (new market)
  • Trunk-side for Enterprise in February ’13
  • Applications (inc. Remote Worker) in April ’13
• Re-organized UC Security Team engaging now to build Sales, Tech Ops and Channel enablement programs and create wider coverage. Need your support for participation.
• Auto-attach campaign to start in Q2 for IPO, CM/Aura, SM, others
• Reporting on success will be delivered from UC Security Ops to Area Ops and Leaders to assist in gap identification and drive activity
SBCE Roadmap
Releases:
• Avaya SBCE 6.2 – Q1 CY 2013 (Mar)
• Avaya SBCE 6.2 Feature Pack 1 – Q2 CY 2013 (May)
• Avaya SBCE 6.2 Feature Pack 2 – Q3 CY 2013
Themes: SIP Trunking (Avaya Aura, CS1000 & IPO); Securing Remote Worker without VPN (Avaya Aura); Avaya Interoperability; Expanded Interoperability
• SIP security designed for scalable, cost-effective enterprise use
• Fully supports SIP trunking on Avaya Aura, CS1K & IPO
• Supports remote and mobile SIP devices and clients with Avaya Aura
  • 96x1 R6.2
  • One-X Com R6.2
  • Flare Exp iPad R1.1
• Extends Avaya Aura® SIP capabilities outside the enterprise
• Easy and intuitive to deploy and configure, lowering TCO
  • Mobile SIP iOS R6.2
  • 96x0 (SIP) R6.2
  • One-X Comm R6.2
  • OTV R1.0
• AACC7 support
• HP DL360 Migration Kit
• UCID Generation
• Remote Worker for IPO
  • Flare Exp. R1.1
  • Flare Comm. R1.0.3
• Radvision Interop
• CS1K R7.6 w/ Collab Pack
• Microsoft Lync trunks
UC Security Sales Organization
• Nick Adams – Global Sales Leader
• CANADA Practice Lead: Chuck Pledger, cpledger@avaya.com, 614-893-2628
• US Practice Leaders:
  • Dave Mulhern – Northeast, dmulherm@avaya.com, 972-679-7809
  • Brad Bleeck – South, hbleeck@avaya.com, 972-679-7809
  • Ed Williams – Central, ewilliams1@avaya.com, 972-322-3791
  • Shawn Darcy – West, sddarcy@avaya.com, 310-748-8803
• US Engineering: Terry Pierson, tpierson1@avaya.com, 972-978-2611
• EMEA Practice Lead: Dan Panesar, dpanesar@avaya.com, +44 4477 1566 6078
• APAC Practice Lead: David Lloyd, dave@avaya.com, +61 417328435
• Global Technical Lead: Addis Hallmark, ahallmark@avaya.com, 214-269-2420
• Global Channel Lead: Greg Parcell, gparcell1@avaya.com, 630-618-0188
• Global Operations: Jaime Cooley, jcooley@avaya.com, 630-245-2822
• CALA Practice Lead: Gus Herrera, herrerag@avaya.com, 305-586-2973