Toll Fraud and how to avoid hacking on SIP Trunking. Remote user (app) access. Michael Pisvin, SI/SP System Engineer
So SECURITY IS IMPORTANT
A typical enterprise environment (diagram: PC/Workstations, Router, VPN, Switch, Internet, SP provider MPLS; Data Center with Storage and Application/server Farm; Application Firewall; IMS, SIP Trunks, SP SBC; Enterprise remote offices and remote locations; Remote User access to applications; Corporate Wifi, Corporate Network, BYOD Wifi)
Possible attacks (the same diagram, marking where the environment can be attacked)
SBC complements the existing security architecture (diagram: application-specific security at the application level; a security proxy providing policy application, threat protection, privacy and access control; firewall; enterprise SBC)
SIP trunk: what is it?
• Session Initiation Protocol (SIP)
  • Controls multimedia communication sessions such as voice, instant messaging, video, etc.
  • Many types of devices (computers, phones, video equipment, etc.) can exchange data over SIP
  • SIP is considered a quality protocol with the flexibility to support integrated voice and data communications
• SIP Trunking
  • Virtual voice channels (or paths) over an Internet Protocol (IP) network
  • Delivered over an IP connection
  • One SIP trunk can support many direct inward dial (DID) extensions
SIP Trunk: the issue (diagram: SP provider MPLS, Router, PC/Workstation, Data Center with Storage and Application/server Farm, IMS SIP Trunks, SP SBC, Corporate Wifi, Corporate Network, BYOD Wifi; signaling and voice paths shown)
• In almost all cases you need MPLS access to the Service Provider
• The Service Provider needs access to your network to reach the IP PBX and the user
• Is MPLS secure?
MPLS is NOT secure "When looking to move to an MPLS VPN solution, many customers downplay the threats to the security of the transmission path and instead put their full trust in the security of the service provider. The attacks shown in this report make it clear that MPLS VPN customers who need confidentiality and integrity beyond what a public network provides must look to implement some form of encryption at the endpoints to provide complete protection." http://www.certesnetworks.com/newdocs/wp-ians-paper.html
SIP Trunk: issue and solution (same diagram, with an SBC placed between the MPLS and the corporate network; signaling and VoIP shown encrypted, the direct paths into the network marked X)
Issue
• In almost all cases you need MPLS access to the Service Provider
• The Service Provider needs access to your network to reach the IP PBX and the user
• Is MPLS secure?
Solution
• Put an SBC between the MPLS and your network to hide your environment
• Voice encryption can be activated
Four Reasons you need an SBC Security Privacy Interoperability Demarcation
SIP Interoperability, is it really a problem? (diagram: SIP Provider 1 connecting through a Router/Firewall, or through an SBC, to FMC, IVR, Recording, Telepresence, SIP PBX, Conferencing, Video and Contact Center WFO; the Router/Firewall side needs multiple Service Provider tests, the SBC side a single Service Provider test)
SIP Interoperability, multiple Service Providers?? (same diagram with SIP Provider 1 and SIP Provider 2; the Router/Firewall side needs multiple Service Provider tests, the SBC side two Service Provider tests)
SIP Privacy, is it really a risk? (same diagram; from the SIP Trunks, behind a Router/Firewall: "I can see session information from all these apps & systems"; behind an SBC: "I can only see the SBC. It is hiding the network topology")
An SBC will protect your UC traffic (diagram: the SBC sits between the SIP Trunks and the SIP PBX as the demarcation point, protecting the organization and its UC infrastructure; DoS and fuzzing against it "not working")
Session Border Controller: a Back-to-Back User Agent between the SIP Trunks and the SIP PBX, providing Security, Privacy, Interoperability and Demarcation
Comparison: SBCs vs. Firewalls with SIP ALGs (Acme Packet; in both cases the device sits between SIP trunking and the data center IP PBX/UC server)
SBC
• Back-to-back user agent
• Fully state-aware at layers 2-7
• Inspects and modifies any application layer header info (SIP, SDP, etc.)
• Can terminate, initiate, re-initiate signaling & SDP
• Static & dynamic ACLs
Firewall with SIP ALG
• Maintains a single session
• Fully state-aware at layers 3 & 4 only
• Inspects and modifies only application layer addresses (SIP, SDP, etc.)
• Unable to terminate, initiate, re-initiate signaling & SDP
• Static ACLs only
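The "hides the network topology" and "inspects and modifies any header" points above, as an added example (not from the slides or any vendor's product): a B2BUA-style rewrite of an outbound INVITE next to an ALG-style address patch. The SBC address, internal hostnames and the INVITE itself are constructed.

```python
import re
import secrets

# Assumed public address of the enterprise SBC (RFC 5737 documentation range).
SBC_PUBLIC = "203.0.113.10"
# Anything matching this is internal topology that must never reach the trunk side.
INTERNAL_RE = re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b|[\w.-]+\.corp\.example")

# Constructed INVITE as it leaves the internal SIP PBX towards the provider trunk.
INTERNAL_INVITE = (
    "INVITE sip:+15555550100@trunk.sp.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.5.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/UDP ivr.corp.example:5060;branch=z9hG4bK12ab\r\n"
    "Record-Route: <sip:pbx.corp.example;lr>\r\n"
    "From: \"HR Desk\" <sip:1001@pbx.corp.example>;tag=1928301774\r\n"
    "To: <sip:+15555550100@trunk.sp.example>\r\n"
    "Contact: <sip:1001@10.0.5.20:5060>\r\n"
    "User-Agent: CorpPBX/7.1 (build 4211)\r\n"
    "Call-ID: a84b4c76e66710@pbx.corp.example\r\n\r\n"
)

def leaks_internal(msg):
    """Every internal address or hostname still visible in the message."""
    return sorted(set(INTERNAL_RE.findall(msg)))

def alg_rewrite(msg):
    """ALG-style fixup: patch the one address it understands, touch nothing else."""
    return msg.replace("10.0.5.20", SBC_PUBLIC)

def b2bua_rewrite(msg):
    """Outside leg as a B2BUA builds it: a fresh dialog, so topology headers are replaced, not patched."""
    head = msg.split("\r\n\r\n", 1)[0]
    request_line, *lines = head.split("\r\n")
    out = [request_line,
           f"Via: SIP/2.0/UDP {SBC_PUBLIC}:5060;branch=z9hG4bK{secrets.token_hex(6)}"]
    mapping = {}  # inside <-> outside correlation, kept privately on the SBC
    for line in lines:
        name, value = (part.strip() for part in line.split(":", 1))
        if name in ("Via", "Record-Route", "User-Agent", "Server"):
            continue  # hop stack, routing state and software version stay inside
        if name == "Contact":
            value = f"<sip:sbc@{SBC_PUBLIC}:5060>"
        elif name == "From":
            value = re.sub(r"@[^>;]+", f"@{SBC_PUBLIC}", value)  # keep caller, hide host
        elif name == "Call-ID":
            mapping["inside_call_id"] = value
            value = f"{secrets.token_hex(8)}@{SBC_PUBLIC}"
            mapping["outside_call_id"] = value
        out.append(f"{name}: {value}")
    return "\r\n".join(out) + "\r\n\r\n", mapping
```

Running `leaks_internal` on the three variants shows the difference the slide draws: the original exposes the PBX, IVR and a private address, the ALG version still exposes both hostnames, the B2BUA version exposes nothing.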
VoIP security is different (diagram mapping attack types to the device that addresses them; attack types: Layer 3 attack, Layer 4 attack, OS attack, Application attack, SIP protocol fuzzing, SIP denial of service/distributed denial of service, SIP spoofing, SIP advanced toll fraud (call walking, stealth attacks), Remote Worker, Media Replication, Signaling/Media Encryption; devices: Standard Firewall, IDS / IPS, IP-PBX, SBCE Standard, SBCE Advanced). Handling the SIP-level attacks requires intimate knowledge of VoIP and call states.
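The "call walking" item above needs call-state awareness to detect: a walker dials a range of numbers in sequence to find reachable extensions, which no single packet reveals. Added example (not from the slides): detection logic over constructed call log lines; the log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (assumed format): time, source IP, SIP method, dialled number, final response.
LOG = """\
2024-03-01T02:00:01 198.51.100.7 INVITE 2000 404
2024-03-01T02:00:02 198.51.100.7 INVITE 2001 404
2024-03-01T02:00:03 198.51.100.7 INVITE 2002 404
2024-03-01T02:00:04 198.51.100.7 INVITE 2003 200
2024-03-01T02:00:05 198.51.100.7 INVITE 2004 404
2024-03-01T02:00:06 198.51.100.7 INVITE 2005 404
2024-03-01T09:15:10 10.0.5.20 INVITE 2003 200
2024-03-01T09:20:44 10.0.5.20 INVITE 2041 200
2024-03-01T09:22:01 10.0.5.20 INVITE 2003 200
"""

def parse_log(text):
    """Turn each line into (timestamp, source, method, dialled number, response code)."""
    events = []
    for line in text.splitlines():
        ts, src, method, dst, code = line.split()
        events.append((datetime.fromisoformat(ts), src, method, int(dst), int(code)))
    return events

def longest_consecutive_run(numbers):
    """Length of the longest run of numerically adjacent numbers, in dialling order."""
    best = run = 1
    for a, b in zip(numbers, numbers[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def detect_call_walking(events, window=timedelta(seconds=60), min_run=4):
    """Flag a source that dials min_run or more adjacent numbers inside one window.
    Legitimate callers repeat the same few numbers; a long adjacent run is the signal."""
    by_src = defaultdict(list)
    for ts, src, method, dst, code in events:
        if method == "INVITE":
            by_src[src].append((ts, dst, code))
    findings = []
    for src, calls in by_src.items():
        calls.sort()
        for i, (t0, _, _) in enumerate(calls):
            span = [c for c in calls[i:] if c[0] - t0 <= window]
            run = longest_consecutive_run([dst for _, dst, _ in span])
            if run >= min_run:
                findings.append({"src": src, "start": t0.isoformat(), "run": run, "attempts": len(span),
                                 "failures": sum(1 for _, _, c in span if c >= 400)})
                break  # one finding per source per pass is enough to raise an alert
    return findings
```

The failure count is reported alongside the run because a walker mostly hits unassigned numbers (404), which is the secondary signal worth putting in the alert.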
Remote users (diagram of the enterprise environment above): access via VPN; access via the firewall for applications such as email, etc.; access via SIP for SIP users over the SIP Trunks
Office users (same diagram): identity control puts the user in the correct VLAN; signaling and VoIP encrypted
Customers facing rapid technology change: more collaboration and mobile devices, more enterprise security threats (source: Gartner)
• 4:1 – mobile projects will outnumber PC projects
• 30% – increase in dedicated video soft clients by 2016
• 802 million – tablets by 2016
• 400% – increase in mobile enterprise investments through 2015
• 16% – of enterprise will be cloud based by 2015
Office users (BYOD) (same diagram): identity control puts the user in the correct VLAN; check OS etc.; only access to office applications via SBC/firewall
The full secure network (diagram: the enterprise environment above with the SP SBC, Application Firewall, IMS SIP Trunks, VPN, identity-controlled Corporate Network, Corporate Wifi and BYOD Wifi in place)
Enterprise Collaboration Platforms (portfolio diagram; categories: Clients and Devices, Applications & Contact Center, Collaboration Platforms, Networking, Managed Services & Support; items shown: Mobile Clients, Desktop Video Client, Avaya Messaging Service, Self-Service, Multi-Channel, Speech Analytics, Avaya Automated Chat, Avaya Aura Conferencing, Switched Video & Conferencing, Low Bandwidth High Definition Video, IP Office, ACA, Session Border Controller, Top of Rack, High Availability, SPB / Fabric Connect, Multicast Video Surveillance, Identity Engine, UC & CC Managed Services, SLA Mon Technology, Avaya Diagnostic Server)
Where can Avaya help you?
• Avaya multilayer security in the UC/CC world
• Full data network (Edge to Core)
• SPB Stealth Network (for LAN and WAN)
• Fully separated networks depending on the organization
• Avaya SBC for the enterprise for full SIP security
• Identity Engine (so that every user/device is in the correct secured network)
Avaya's Multilayer Security Strategy: Secure by Design, Security Built-In, Secure Communications
• Secure deployment strategy
• Separates UC applications & servers from the enterprise production network
• Trusted communications framework with trust relationships for Administration, for Managing Elements, SIP Elements & Enterprise Network
• Authentication & Authorization framework
• Standard security protocols & trust relationships protect access and transmissions
• Encrypted communications protect media, signaling & management traffic
• Ensure protection of sensitive information
• IP endpoints can authenticate to the network infrastructure
• Hardened Linux OS with inherent security features
  • Secures mission-critical applications and protects
  • Reduces the potential Linux "attack surface" by limiting access to ports, services and executables
  • Security updates
  • Denial of Service protection mechanisms
  • Least privileges
  • Digital certificates
  • Insecure protocols disabled
Use of Avaya's multilayer security strategy prevents security violations and attacks
The full network architecture
• Collaboration Pod
• VSP 7000, VSP 9000, VSP 8000, VSP 4000
• ERS 8000, ERS 4000/5000, ERS 3000
• WLAN 9100, WLAN 8100
• Identity Engine
Start with Fabric Connect-enabled infrastructure switches, add Fabric Connect access switches, use Fabric Attach for Avaya and 3rd party devices
From complex, rigid and cumbersome networks (diagram: server access, data center core, campus core, distribution and edge layers held together by many VLANs, STP/MSTP/RSTP, FlexLink, SMLT/RSMLT, VLACP/SLPP, OSPF, static routes, BGP, PIM-SM/DVMRP and VRFs) to simple, agile and resilient networks with Fabric Connect (IEEE 802.1aq / RFC 6329)
What is a "Stealth" Network
• Any network that is enclosed and self-contained with no reachability into and/or out of it. It also must be mutable in both services and coverage characteristics
• The common comparable terms used are MPLS IP-VPN, Routed Black Hole Network, IP VPN Lite
• Avaya's Fabric Connect, based on IEEE 802.1aq, provides fast and nimble private networking circuit-based capabilities that are unparalleled in the industry
• "Stealth" Networks are private 'dark' networks that are provided as services within the Fabric Connect cloud
  • L2 Stealth: a non-IP addressed L2 VSN environment
  • L3 Stealth: an L3 VSN IP VPN environment
Superior Virtual Networking – Use Case – Multi-Tenancy: Transportation Industry (Financial (PCI), Federal Aviation, Luggage System and Guest Access as separate virtual networks)
• Competition's interdependent legacy protocols: extremely complicated, practically un-scalable, error prone, static model
• Avaya Fabric Connect: highly scalable, agile configuration, simple troubleshooting, highly dynamic
Secure Guest and BYOD Networking – Use Case – Unified User Access (Identity Engines; Employee, Mobile Zone and Guest Zone)
• Competition's independent solutions: multi-vendor solutions, manual integration, independent security layers, wired and wireless access
• Identity Engines with Fabric Connect and Fabric Attach: secure employee and guest access, wired and wireless; automatic VLAN / QoS / VSN assignment; Single Sign-on for Aura applications; reporting and analytics for compliance
Access Policies: Identity Engines, role-based access
• Case 1: Employee with corporate laptop
  IF (identity = HR employee) AND IF (device = corp laptop) AND IF (medium = wired) THEN GRANT FULL ACCESS
• Case 2: Employee with personal iPad
  IF (identity = HR employee) AND IF (device = personal iPad) AND IF (medium = wireless) THEN GRANT LIMITED ACCESS
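The two cases above as an ordered, default-deny policy, plus a check for rules that an earlier rule shadows so they can never fire. Added example, not Identity Engines code: the rule format, the zone names and the guest rule are assumptions.

```python
# Decisions as written on the slide; DENY is the fall-through when nothing matches.
FULL, LIMITED, DENY = "GRANT FULL ACCESS", "GRANT LIMITED ACCESS", "DENY"

# Ordered rules: (conditions, decision, zone). Every listed attribute must match,
# "*" matches any value, and the first matching rule wins. Zones are assumed names.
RULES = [
    ({"identity": "HR employee", "device": "corp laptop", "medium": "wired"}, FULL, "employee"),
    ({"identity": "HR employee", "device": "personal iPad", "medium": "wireless"}, LIMITED, "mobile"),
    ({"identity": "guest", "device": "*", "medium": "wireless"}, LIMITED, "guest"),  # assumed rule
]

def evaluate(request, rules=RULES):
    """Return (decision, zone). A missing or unknown attribute never matches, so an
    incomplete posture (no device check, unexpected medium) falls through to DENY."""
    for conditions, decision, zone in rules:
        if all(v == "*" or request.get(k) == v for k, v in conditions.items()):
            return decision, zone
    return DENY, None

def shadowed_rules(rules=RULES):
    """Indices of rules that can never fire because an earlier rule is at least as broad.
    Rule A covers rule B when every condition of B is allowed by A and A adds none of its own."""
    def covers(broad, narrow):
        return (all(broad.get(k, "*") in ("*", v) for k, v in narrow.items())
                and all(k in narrow for k, v in broad.items() if v != "*"))
    return [j for j in range(len(rules))
            if any(covers(rules[i][0], rules[j][0]) for i in range(j))]
```

A corporate laptop arriving over wireless matches neither slide case and is denied, which is the fail-closed behaviour a role-based policy should have; `shadowed_rules` is the lint to run after every edit to the rule order.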
The Solution – Avaya Session Border Controller for Enterprise Portfolio
Industry-leading enterprise UC security
• Secure VoIP and UC over any network to any device, including smartphones, alternative devices and SIP endpoints
• Innovative VPN-less remote worker offering, enabling true BYOD
Price/performance optimized for Enterprise & SME
• Fit-for-purpose SME / Enterprise solution
• Not a repackaged carrier SBC
• Scalability: up to 5,000 sessions and more in the near future
• High Availability
• TCO & ROI
Ease of implementation & management
• Rapid implementation of safe SIP trunks, remote workers and advanced UC applications
• SIP trunks operational in minutes, not months
• GUI-based SIP normalization tool
• VMware compatible
Avaya Product Security Support Team (PSST): Assessment / Penetration Testing
• Internally-focused security assessment / penetration testing of Avaya products
• Penetration test tool kit leveraged across GCS products
• Security assessment testing includes:
  • Replicate customer or "attacker" methodology
  • Find / resolve issues before the field does
  • Measure progress against standards, e.g. CTO, JITC, Nessus / Retina ".mil" plug-ins
  • Unscripted testing
• Champion best security practices across Avaya