Jonathan Zar + 1 (408) 209 0199 January, 2006 Challenges of Enterprise VoIP Security TMC IT Expo VoIP Security Summit Jonathan Zar VOIPSA (Moderator) Andrew Norman Covergence Jeff Hicks NetIQ Tony Rybczynski NORTEL Steve Mank Quovia Ram Ayyakad Ranch Networks


Page 1

Jonathan Zar, + 1 (408) 209 0199
January, 2006

Challenges of Enterprise VoIP Security
TMC IT Expo VoIP Security Summit

Jonathan Zar, VOIPSA (Moderator)
Andrew Norman, Covergence
Jeff Hicks, NetIQ
Tony Rybczynski, NORTEL
Steve Mank, Quovia
Ram Ayyakad, Ranch Networks

Page 2

Welcome

• Welcome to TMC’s January 27th IT Expo VoIP Security Summit Panel S-02, entitled “Challenges of Enterprise VoIP Security”.

• I am Jonathan Zar, Secretary and Outreach Chair for VOIPSA and your moderator today.

• We are excited to have an outstanding panel. I’ll briefly introduce myself and then each of our panel members.

Page 3

Today’s Speakers

| Name | Title | Affiliation | Email |
|---|---|---|---|
| Jonathan Zar | Secretary / Outreach Chair | VOIPSA - VoIP Security | [email protected], [email protected]@ieee.org |
| Andrew Norman | Director, Solution Engineering | Covergence | [email protected] |
| Jeff Hicks | Principal Software Architect | NetIQ | [email protected] |
| Tony Rybczynski | Director, Strategic Enterprise Technologies | NORTEL | [email protected] |
| Steve Mank | Chief Operating Officer | Qovia | [email protected] |
| Ram Ayyakad | Co-founder and CEO | Ranch Networks | [email protected] |

Topic: Challenges of Enterprise VoIP Security

Page 4

Jonathan Zar

Jonathan Zar is Secretary and Outreach Chair for VOIPSA, the VoIP Security Alliance, the industry’s global coalition to protect security and privacy in converged media.

More than 50 million units of products have now been sold based on technologies created and commercialized under his leadership at companies including Apple Computer. A member of the IEEE, the ACM, the Licensing Executive Society and TiE (a global association for entrepreneurs), Jonathan is a recognized authority in creating valuable brands for revenue growth. He is a trusted advisor to venture investors and C-level executives at public corporations.

Page 5

Jeff Hicks

Jeff Hicks is a Principal Software Architect at NetIQ Corporation. Recently, he has led the development teams for NetIQ’s suite of VoIP products. Jeff has been active in the development of VoIP assessment, management, troubleshooting, and security products for the last 6 years. He is a technical advisory board member of the VoIP Security Alliance (VOIPSA) and co-author of the Cisco Press book “Taking Charge of Your VoIP Project”.

Page 6

Stephen Mank

Stephen Mank is Chief Operating Officer of Quovia, a growing 2002 start-up that lets IT professionals monitor and manage IP telephony networks in real time for reliability and end-user satisfaction, enhanced VoIP call quality, IP telephony asset tracking and improved troubleshooting. At Quovia, Stephen is responsible for strategic planning, business development, product management and operations, including support. Stephen has substantial expertise in networking performance and optimization, VoIP, and routing technologies in both enterprise and service provider markets, with over 25 years’ experience at companies large and small, including Motorola, Newbridge, Xyplex and Trinagy.

Page 7

Tony Rybczynski

Tony Rybczynski (rib-chin-ski) is Director, Strategic Enterprise Technologies, at Nortel, reporting to the enterprise CTO. Tony has over 33 years’ experience in packet switching for all forms of media. He now works with large enterprises assessing the value proposition of new networking technologies. He has written over 100 articles, including an ongoing column in Internet Telephony magazine, on topics ranging from VoIP and security, to 10 Gigabit Ethernet and optical DWDM storage, to collaboration and e-business applications. He is a graduate of McGill and the University of Alberta, a Senior Member of the IEEE, a co-author of a protocol reference book and a contributor to other publications.

Page 8

Andy Norman

Andy Norman is the Senior Sales Engineer for Covergence, a 2003 start-up providing a scalable family of policy-driven network appliances based on the Session Initiation Protocol. Prior to joining Covergence, Andy created the Systems Engineering department at Nextone, growing it to over 20 senior SEs by 2005. Before joining Nextone, Andy was a founder of IBNC, a dial-up and DSL internet service provider in the Washington DC area, which he helped sell in 2000. A graduate of Old Dominion in Norfolk, VA, a leading public university with a Carnegie Doctoral/Research-Extensive distinction, Andy is an expert in VoIP, data networking (H.323 focused), security, telephony routing and general carrier deployments.

Page 9

Ram Ayyakad

Ram Ayyakad is a founder of Ranch Networks, a VoIP and networking security start-up. Prior to establishing Ranch Networks in 2000, Ram played a central role in some of the most influential products at AT&T/Lucent/Bell Labs. Ram was part of the architecture team that built Lucent’s prestigious IP Switch, and before that, part of the architecture team that built Lucent’s ATM Switch. In recognition of his accomplishments at Bell Labs, Ram received the 1998 Bell Laboratories President's Gold Award for his outstanding level of Innovation and Technical Excellence. Ram is the technical visionary behind Ranch Networks. He has 20 years of strong experience in developing carrier-class products such as IP switches and ATM switches. Mr. Ram Ayyakad holds a BS in Engineering, an MS in Computer Science and a degree in Business Administration.

Page 10

VoIP Security Alliance

• VOIPSA is the alliance for security and privacy of converged media.

• Provides immediate access to the world’s leading security experts and the thought leaders of more than 100 major companies and government groups.

http://www.voipsa.org

• Call to action: Bring yourself and your company into VOIPSA

Page 11

Event Sponsors

Travel and logistical support provided by:

• 3Com/TippingPoint
• Covergence
• Jonathan Zar
• Ranch Networks
• NetIQ
• NORTEL
• Qovia
• Technology Marketing Corporation
• VOIPSA, The VoIP Security Alliance

Page 12

© 2005 NetIQ Corporation. All rights reserved.

Challenges of Enterprise VoIP Security

Jeff Hicks, Principal Software Architect, NetIQ
[email protected]

Page 13

Enterprise Challenges

What are Enterprise VoIP customers dealing with?

Page 14

Will any of the following concerns affect your VoIP rollout?

Source: NetIQ Survey August 2005

[Bar chart, y-axis 0% to 90%. Categories: Performance and availability of VoIP services and applications; Fixing problems quickly; The quality of VoIP phone calls; VoIP Security; Other/NA.]

Page 15

Which VoIP Security Threat Scenarios Has Your Organization Experienced?

Source: NetIQ Survey August 2005

[Bar chart, y-axis 0% to 35%. Categories, in the order shown: Virus or worm; DoS attack; Toll fraud; SPIT; Password vulnerability; Malicious calls; Unauthorized access; SIP compromises; Eavesdropping; Call spoofing.]

Page 16

Which VoIP Security Threat Scenarios Could Have the Most Negative Impact?

Source: NetIQ Survey August 2005

[Bar chart, y-axis 0% to 70%. Categories, in the order shown: DoS attack; Virus or worm; Eavesdropping; Toll fraud; Unauthorized access; Malicious calls; Password vulnerability; Call spoofing; SPIT; SIP compromises.]

Page 17

Who is responsible for VoIP security…?

Page 18

What is the most senior management level within your organization where VoIP security is an issue?

[Chart with categories: Admin; Manager; Director; Exec.]

Organizational units potentially involved with VoIP security:
– Telephony
– Data/network/application management
– Security management
– Others

Page 19

The Solution to Ensuring VoIP Security

To address emerging VoIP security issues, a solution must:
– Integrate both systems and security management products: securing VoIP must not affect VoIP quality or performance and availability.
– Address the needs of the entire organization.
– Be easy to use and easy to deploy, yet capable of being integrated in a modular fashion.
– Have embedded knowledge and best practices that allow you to better utilize skilled resources as well as to retain core know-how.

Page 20

VoIP Security Management


Page 22

See, Act, Deliver

Challenges of Enterprise VoIP Security

Presented by: Stephen P Mank, Chief Operating Officer
January 27, 2006

Page 23

Starting From a Data Services Network. . .

[Network diagram with sites: Los Angeles - SALES; New York - ENG; Bangalor – SUPPORT; Washington - EXEC.]

• Uniform service level
• No ToS differentiation
• No real-time constraints
• Firewall ‘border’ protection
• Network topology view

… infrastructure must be secure

Page 24

Now Add VoIP Equipment. . .

[Network diagram: sites Los Angeles - SALES, New York - ENG, India – SUPPORT, Washington - EXEC, each with IOS routers, T1/T3 links and PSTN gateways; a VMCS at the centre.]

• Differentiated network plan
• VoIP ToS designation
• VLANs for VoIP
• Gateways to PSTNs
• Remote site failover (SRST)
• Additional infrastructure… each component must be secure

Page 25

Now Add VoIP Services. . .

[Network diagram as on the previous slide, with VoIP Services layered on top.]

• Dial plan, hunt groups, etc.
• Voice mail, messaging, email
• Forwarding, speed dial, etc.
• Conferencing
• E911 location, mobility
• Soft phones
• Converged IP services

… each service must be secure

Page 26

VoIP Security in Layers. . .

| Layer | Use in VoIP Systems | Vulnerability | Protection |
|---|---|---|---|
| Application Semantics | Registration, SW download, call mgmt, billing, dial plan, email, conferencing, voice mail, user identity, contacts list | SPAM, viruses, hijacking, eavesdropping, toll fraud, application-specific DoS and spoofing, identity theft | Very little today. |
| Session & Transport | SIP, SCCP, RTP, MGCP, H323, CDP, AXL | Protocol-specific DoS and spoofing, man-in-the-middle | SRTP, TLS, SSL |
| Data Network | IP, UDP, DHCP, DNS, TFTP, ARP, SNMP, HTTP | Network DoS and spoofing, man-in-the-middle, etc. | Standard IPSEC procedures, intrusion protection |
| Physical Devices | Phones, servers and gateways | MAC spoofing, rogue devices | Control physical access, rogue detection |

Page 27

The Need For a Multi-Tiered Approach

First, understand VoIP beyond ‘just another App’
• Real-time IP service from a functional and performance perspective.
• Denial of Service (DoS) may mean unreliable service, not necessarily completely ‘down’.
• Business-critical applications need to be ‘Five Nines’ available - ‘Five Eights’ will not do.

Second, a basic IPSEC approach is a good start
• More than just a ‘good idea’ – without it, you are not ready for VoIP.
• Includes the core capability to manage network resources from a global view.

Finally, view VoIP as a multi-layered application
• Physical devices (phones, servers, gateways, switches, proxies)
• Transport protocols (UDP, TCP)
• Signaling protocols (SIP, SCCP, H.323, MGCP)
• Session protocols (vendor and phone proprietary)
• Multiple application services (Call Server, Signaling Server, Voice Mail Server, Authentication Server)

Page 28

Steps Toward Securing VoIP....

Physical Security
• If you have a separate VoIP network (or VLANs), make sure only phones are on it.
• Include phones in your ‘asset tracking’ strategy… know when new ones ‘show up’!
• If you need ‘phone mobility’, be sure you can discriminate between valid and ‘rogue’ phones.

Transport & Session Security
• Enable TLS for encrypting call signaling (not supported by all call managers).
• Enable SRTP for encrypting call streams (not supported in all phones).
• Caution: some management and monitoring tools do not work well with encryption… check with your vendors first!
• Caution: just because the phone thinks the call is encrypted doesn’t mean you are protected end-to-end!

IP Network Security Policies
• Caution: most firewall-based security solutions impose a variable latency on traffic when scanning for content patterns. This can significantly impact your call quality.
• Differentiate traffic by ToS and monitor network performance for VoIP ToS (or CoS if IPv6), with close scrutiny of unusual traffic ‘bursts’.

VoIP Application Security
• Track voice mail usage, with particular focus on rapid increases in mailbox usage.
• Track gateway usage; attack scenarios may originate as an external call through your gateways.
• Use ‘active call testing’ to verify system availability and performance; degradation here is often the first sign of an attack.
• Make VoIP E911 support part of your security strategy…. If you accurately know the location of every phone, you are ahead of the game!
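The physical-security steps above (only phones on the voice VLAN, phones in asset tracking, telling valid phones from rogue ones) come down to comparing what shows up on the voice VLAN against an inventory. The following is an added example, not code from the panel or any vendor here: it audits constructed DHCP lease lines from a voice VLAN against a constructed phone inventory and approved-vendor OUI list (all MACs, OUIs and hostnames are made up) and flags unknown phones and non-phone devices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory for the voice VLAN: MAC -> (extension, switch port / E911 location).
# Every MAC below is made up for this example.
KNOWN_PHONES = {
    "00:1b:2c:10:00:01": ("x2001", "NY-ENG sw1 Gi0/1"),
    "00:1b:2c:10:00:02": ("x2002", "NY-ENG sw1 Gi0/2"),
    "00:1b:2c:10:00:03": ("x2003", "LA-SALES sw2 Gi0/7"),
}

# OUI prefixes (first three octets) of the phone vendors the organization buys from (constructed).
APPROVED_PHONE_OUIS = {"00:1b:2c"}

# Constructed DHCP server log lines, in ISC dhcpd style, for leases handed out on the voice VLAN.
DHCP_LOG = """\
Jan 27 09:01:12 dhcpd: DHCPACK on 10.10.20.11 to 00:1b:2c:10:00:01 (SEP001B2C100001) via eth0.20
Jan 27 09:01:15 dhcpd: DHCPACK on 10.10.20.12 to 00:1b:2c:10:00:02 (SEP001B2C100002) via eth0.20
Jan 27 09:14:40 dhcpd: DHCPACK on 10.10.20.57 to 00:1b:2c:10:00:99 (SEP001B2C100099) via eth0.20
Jan 27 09:20:03 dhcpd: DHCPACK on 10.10.20.58 to 08:00:27:aa:bb:cc (dev-laptop) via eth0.20
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass
class Finding:
    ip: str
    mac: str
    host: str
    reason: str


def classify(ip: str, mac: str, host: str) -> Optional[Finding]:
    """Return a Finding for a device that should not be on the voice VLAN, else None."""
    mac = mac.lower()
    if mac in KNOWN_PHONES:
        return None  # inventoried phone at a known location: nothing to report
    oui = mac[:8]
    if oui in APPROVED_PHONE_OUIS:
        # Looks like one of our phone models but nobody registered it: a 'new one showed up'.
        return Finding(ip, mac, host, "unknown phone: approved vendor OUI but not in asset inventory")
    # Anything else on the voice VLAN violates the 'only phones on it' rule.
    return Finding(ip, mac, host, "non-phone device on voice VLAN")


def audit_voice_vlan(log_text: str) -> list:
    """Parse DHCPACK lines and return findings for every lease that fails the inventory check."""
    findings = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        f = classify(m["ip"], m["mac"], m["host"] or "")
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_voice_vlan(DHCP_LOG):
        print(f"{f.ip:<14} {f.mac}  {f.host:<18} {f.reason}")
```

In a real deployment the same comparison would be fed from the switch's MAC table or the call manager's registration list rather than DHCP alone, since a statically addressed device never appears in the DHCP log.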

Page 29

See, Act, Deliver

Stephen Mank, [email protected]

Page 30

SECURING CONVERGED NETWORKS

Tony Rybczynski
Director of Enterprise Strategic Technologies
Office of the Enterprise CTO

Page 31

The Nortel Difference

[Diagram: a Converged Infrastructure (wired/wireless, copper/fiber; L4-7 intelligence; QoS; IP routing; security; secure mobility) supports Communication Services (Presence, UM/IM, Conferencing, Video, Call Centre, Self Service, Customer engagement, Unified Communications) and Applications, with SIP as the open ecosystem.]

Unique business value through the intersection of inter-human communications and the network

Page 32

Thought #1: IP Telephony is Not the End Game

[Diagram: IP Telephony leads to Real-time Converged Communications.]

Key metric: Time to X

Page 33

Thought #2: Creating the New Perimeter

[Bar chart: Total Worldwide Shipments (M), y-axis 0 to 600, for 2004 and 2008; series: PDA, PC, Mobile Phone.]

Office Anywhere is becoming a reality

Page 34

Thought #3: Threats to Real-time Communications

> Unauthorized access
• IP spoofing or session hijacking as a result of weak authentication and authorization.

> Eavesdropping on voice conversations
• Network sniffers over shared media technologies such as the Ethernet of old, wireless LANs and cable modems.

> Denial of Service (DoS) attack floods on the communications server
• Prevention of legitimate users from accessing the service.

> Man-in-the-middle assaults
• Public key exchange interception, tricking the original entities/users into thinking they are communicating with each other.

> Back-door entries to access communications servers
• Lack of hardening and procedural oversights.

> Masquerading
• Posing as a subscriber to illicitly get services, or posing as a valid administrator or engineer to access the network, often to elevate user privileges.

Same Threats --- New Environment

Page 35

Thought #4: User Voice Confidentiality Concerns*

Users’ perceptions of degree of confidentiality:

| Medium | Perceived confidentiality |
|---|---|
| Wired TDM (enterprise and public) | Very High |
| Public wireless Blackberry | Very High |
| Public wireless voice | High |
| Enterprise IT infrastructure | High |
| Voice mail access | Med-High |
| Meet-me conferencing (TDM and VoIP) | Med-Low |
| Voice over the Internet | Low |
| Public wireless and Internet data | Very Low |
| Shared media (WLAN, cable modem, shared E’net) | Very Low |

Controls noted on the chart: IPSec and SSL for remote and WLAN access; TLS and SRTP for end-end security; visual conferencing controls.

*non-military

Page 36

Thought #5: Key Principles

> The starting point is always an enterprise security policy.

> The IP networking infrastructure must be secured (e.g. anti-ARP spoofing and VLANs), and engineered and designed to meet the latency and reliability requirements of telephony.

> Communications servers and associated signaling and control systems are business critical and must be hardened and protected in a multimedia security zone.

> Confidentiality is maintained via IPSec/SSL for remote and WLAN access, and optionally TLS and SRTP.

> Simplicity and a consistent user experience across devices and wired and wireless connectivity modes must be maintained.

> Support for standards ensures enterprises receive the functionality and interoperability they require.

Page 37

Layered Defense Approach To Security

> Open solutions that rely on strategic partnerships and adherence to standards

> Minimized TCO by focusing on simplicity, efficiency and proactive response

> Understanding that strong security involves not only technology, but also people and processes: the Unified Security Framework

Layered Defense: Secure communications, information and applications, anywhere, anytime

Page 38

Page 39

Enterprise Security Panel

Andrew Norman, Director, Solution Engineering – Covergence
[email protected]
+1-703-862-7734
Sip:[email protected]

Page 40

© 2005 Covergence, Inc.

About Covergence

Founded in 2003
– Headquartered near Boston, Massachusetts

Funded by top-tier venture capital firms

Proven management and engineering teams
– Shiva, Aptis, Cascade, Wellfleet, Bay Networks, Nortel, Macromedia…
– Building subscriber access solutions for the past 15 years

Leading edge product line
– Scalable family of network based appliances providing policy driven, application level security, control, monitoring and interoperability functions for systems, applications and services based on the Session Initiation Protocol (SIP)

Benefits
– Enables service providers to deliver secure, manageable, “business class” VOIP and real-time collaboration services to residential, SMB and enterprise customers
– Accelerates uptake of SIP based hosted service offerings by addressing customer concerns regarding security, control, monitoring, survivability and compliance
– Enables competitive differentiation between secured and unsecured hosted VOIP services
– Generates incremental service revenue by enabling deployment of premium SIP based hosted service offerings

The Covergence Solution Enables a Secure and Manageable SIP Access Network

Page 41

Application Level Security for SIP

Covergence provides application level security, control and monitoring for SIP applications

[Diagram, Internet on the left and Enterprise Network on the right. Three application paths cross the boundary: Email Client or Server (SMTP) → Trend Micro Email Security Proxy → Email Services; Web Browser or Server (HTTP) → Blue Coat Web Security Proxy → Web Services; SIP Client or Server (SIP) → SIP Security Proxy → SIP Services. A Check Point Network Firewall in front of all three provides network level security, control and monitoring; the proxies provide application level security, control and monitoring. Attacks arrive from the Internet side.]

Defense in Depth

Page 42

Perimeter Defense Application

• Inserts a layer of application-level security at the enterprise perimeter for greater depth of defense
• Enforces administratively defined security, control and monitoring policies at the enterprise network boundary
• Protects enterprise SIP infrastructure from external attacks, exploits and compromises
• Guarantees confidentiality, integrity and authenticity of the enterprise’s external SIP based communications
• Ensures that the enterprise’s SIP communications are in compliance with corporate policies and external regulations
• Enables the enterprise to extend its SIP based business applications to remote employees, customers and partners

[Diagram: Covergence Eclipse at the Perimeter, between external Customers, Employees and Partners (SIP Phone, Collaboration Client, Conferencing Client, reached over IP) and the internal SIP Based Business Systems and Applications: SIP Based PBX or Proxy, SIP Based Conferencing System, SIP Based Collaboration System.]

Page 43

Internal Control Application

• Enforces security, control and monitoring policies on internal SIP signaling and media traffic
– Session detail recording, instant message recording, audio recording, media control and validation, virus scanning…
• Gives the enterprise total visibility and control over its internal SIP traffic
• Protects the enterprise SIP infrastructure from internal attacks
• Enhances performance and availability of SIP applications by providing load balancing and failover across a pool of SIP application servers

[Diagram: SIP Clients ↔ Covergence Eclipse ↔ a pool of SIP Application Servers, all over SIP.]

Page 44

Policy Based Application Management

• Administrators define policies using Eclipse management interfaces
– CLI, GUI, XML…
• Eclipse applies policies to sessions with specific layer 1-7 attributes
– Source/destination network, user, group, department, role…
• Gives the enterprise total security, visibility and control over SIP based application traffic

[Diagram: the Eclipse Management System pushes Policies to Eclipse; SIP Signaling and Media flow between SIP Clients (SIP Enabled PDAs, SIP Phones), SIP Based Hosted Services, and SIP Proxies and Application Servers; Eclipse consults the Corporate Directory over LDAP.]

Page 45

Instant Message Content Filtering

• Bob sends Ted an IM containing inappropriate, sensitive or dangerous content
– Inappropriate language, confidential or private information (trademarks, code names, account numbers, social security numbers…), inappropriate or dangerous URLs…
• CXC receives the IM, scans it, detects sensitive content and takes a policy based set of actions
– Delete inappropriate content, create a log entry, generate a management alert…
• Content matching based on keyword lists, regular expressions or third-party databases (e.g. Websense)

[Diagram: Bob ↔ CXC ↔ LCS 2005 Servers ↔ Ted, with the two IM windows shown side by side.]

Ted’s window (To: [email protected]):
Bob says: Ted, my boss is a [Expletive deleted by CXC]!
Ted says: Have you checked out http://www.pornsite.com?
Bob says: Take a look at [Malicious URL deleted by CXC]

Bob’s window (To: [email protected]):
Bob says: Ted, my boss is a @#$%^&* %@#-^$%!
Ted says: Have you checked out [Inappropriate URL deleted by CXC]?
Bob says: Take a look at http://www.trojansandworms.com

CXC enforces corporate IM content control policies

Page 46

Virus Scanning of SIP Based File Transfers

• Kurt attempts to transfer an infected file to Ken
• Eclipse receives the file, scans it, detects the virus and takes a policy based action
– Destroy, quarantine, repair, log, alert…
• Infected files cannot propagate throughout the enterprise
• Virus scanning and other file transfer control actions (e.g. block, record) are enforced in accordance with administratively defined policies

[Diagram: Kurt ↔ Eclipse ↔ LCS 2005 Servers ↔ Ken; Eclipse acts on Infected.doc with LOG!, ALERT!, BLOCK!]

Kurt’s window (To: [email protected]):
Kurt Bertone says: Dude, check out this file…
Waiting for [email protected] to accept the file “Infected.doc”. Please wait for a response or Cancel (Alt+Q) the file transfer.

Ken’s window (To: [email protected]):
Kurt Bertone says: Dude, check out this file…
[email protected] would like to send you the file “Infected.doc”… Do you want to Accept (Alt+T) or Decline (Alt+D) the invitation?

Page 47

Controlling URLs in Instant Messages

• A user with a SIP IM client sends an IM containing a link to http://www.badsite.com
• The Covergence proxy intercepts the SIP MESSAGE, parses the body, finds the URL and hands the domain badsite.com off to Websense for a policy decision
• Websense returns the policy disposition BLOCK
• The Covergence proxy removes the URL from the instant message and logs the event
• Websense customers can apply their EIM policies to SIP based IM traffic

[Diagram: the proxy asks “badsite.com?” and receives “BLOCK”; the message passes through the IM Server.]

As sent (To: [email protected]):
Bob says: Check out http://www.badsite.com

As delivered (To: [email protected]):
Bob says: Check out [URL deleted by Eclipse]
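The IM content filtering on page 45 and the URL control flow on this page both amount to the same proxy step: intercept a SIP MESSAGE request, inspect its text body, rewrite the offending parts, fix up Content-Length and log the event. The following is an added example written for this deck, not Covergence or Websense code; the constructed domain blocklist stands in for the external policy lookup, and the SIP request, addresses and sensitive-content patterns are all made up.

```python
import re
from urllib.parse import urlparse

# Stand-in for the external URL classification service: a constructed blocklist of domains.
BLOCKED_DOMAINS = {"badsite.com", "trojansandworms.com"}

# Constructed sensitive-content patterns: a 16-digit number in 4-4-4-4 form and an internal code name.
SENSITIVE_PATTERNS = [
    re.compile(r"\b(?:\d{4}-){3}\d{4}\b"),
    re.compile(r"\bproject\s+falcon\b", re.IGNORECASE),
]
URL_RE = re.compile(r"https?://[^\s<>\"]+")

# Constructed SIP MESSAGE request (RFC 3428 shape) carrying a text/plain instant message.
RAW_MESSAGE = (
    "MESSAGE sip:ted@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: Bob <sip:bob@example.com>;tag=49583\r\n"
    "To: Ted <sip:ted@example.com>\r\n"
    "Call-ID: c3a5f2@192.0.2.10\r\n"
    "CSeq: 1 MESSAGE\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 64\r\n"
    "\r\n"
    "Check out http://www.badsite.com and account 4111-1111-1111-1111"
)


def url_disposition(url: str) -> str:
    """Return 'BLOCK' when the URL's host is a blocked domain or a subdomain of one, else 'ALLOW'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for domain in BLOCKED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "BLOCK"
    return "ALLOW"


def parse_sip(raw: str):
    """Split a SIP request into request line, raw header lines, a lower-cased header map, and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], lines[1:], headers, body


def filter_im_body(body: str):
    """Rewrite blocked URLs and sensitive patterns in an IM body; return (new_body, events)."""
    events = []

    def replace_url(match):
        url = match.group(0)
        if url_disposition(url) == "BLOCK":
            events.append(f"BLOCK url={url}")
            return "[URL deleted]"
        return url

    body = URL_RE.sub(replace_url, body)
    for pattern in SENSITIVE_PATTERNS:
        if pattern.search(body):
            events.append(f"REDACT pattern={pattern.pattern}")
            body = pattern.sub("[sensitive content deleted]", body)
    return body, events


def filter_sip_message(raw: str):
    """Apply IM content policy to a SIP MESSAGE; return (possibly rewritten request, log events)."""
    request_line, header_lines, headers, body = parse_sip(raw)
    # Only MESSAGE requests with a text body are inspected; everything else passes untouched.
    if not request_line.startswith("MESSAGE ") or not headers.get("content-type", "").startswith("text/"):
        return raw, []
    new_body, events = filter_im_body(body)
    if not events:
        return raw, []
    out = [request_line]
    for line in header_lines:
        # The body changed length, so the proxy must rewrite Content-Length or the receiver misparses it.
        if line.lower().startswith("content-length:"):
            line = f"Content-Length: {len(new_body.encode('utf-8'))}"
        out.append(line)
    context = (f"from={headers.get('from', '?')} to={headers.get('to', '?')} "
               f"call-id={headers.get('call-id', '?')}")
    events = [f"{e} {context}" for e in events]
    return "\r\n".join(out) + "\r\n\r\n" + new_body, events


if __name__ == "__main__":
    rewritten, log = filter_sip_message(RAW_MESSAGE)
    print(rewritten)
    for entry in log:
        print("LOG:", entry)
```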

Page 48

Covergence Solution

A family of network based appliances that enable enterprises to:

– Secure, control and monitor their SIP based applications
– Protect the corporate SIP infrastructure from internal and external intrusions and attacks
– Ensure the confidentiality, authenticity and integrity of SIP based communications
– Interconnect SIP based systems, applications and services from different vendors
– Extend their SIP based applications to remote employees, customers and business partners who are “outside the firewall” and “off the VPN”
– Bring their SIP applications into compliance with internal and external policies, regulations and best practices

Page 49

Challenges of Enterprise Security
January 27th, 2006

Ram Ayyakad
[email protected]

Page 50

About My Background

• Founder, Ranch Networks
• 20 years’ experience in the telecom industry
• Part of the architecture team that built the prestigious IP and ATM switches
• Recipient of the 1998 Bell Laboratories President’s Gold Award

Page 51

About Ranch Networks

• Ranch Networks offers the first-ever PBX controlled VoIP appliances that secure, scale and provide QoS beyond existing firewall technologies
• Ranch Networks solves the security, scalability and QoS problems associated with VoIP implementations

Page 52

Ranch Networks

• Ranch Security code available from the Digium website now
• VoIP appliances that enable service providers to secure, scale and provide QoS

Page 53

Securing Converged Enterprise Infrastructure

• MUST be the #1 priority
• Converged traffic MUST pass through a robust security infrastructure
• Security at all levels: L2, L3 (IP), L4 (UDP/TCP) and application
• Security against DoS attack on:
– VoIP signaling
– VoIP media
– Data

Page 54

VoIP Security Challenges

• Educating CIOs/CTOs that security threats are real
• Picking the appropriate security appliances
– Future proofing (encryption, protocol changes)
– Security enforcement methodologies
• Traditional firewalls
• SIP firewalls
• SBCs
• PBX controlled appliances
– VoIP and data traffic on the same physical cable
– Preventing voice quality degradation and call drops due to viruses/worms

Page 55

Protecting Converged Infrastructure

• Security appliance MUST be able to segregate and prioritize voice/data traffic
• ALL access to the IP PBX MUST go through the security appliance
• Security appliance MUST raise alerts for ANY unauthorized access
• Security appliance MUST have the ability to mirror traffic to an IDS system
• Look for the solutions being promoted by the IP PBX vendor
• Allocate guaranteed BW for VoIP traffic

Page 56

Thank You

• We will now take Q&A from the audience.
• We invite your feedback.
• Thank you for attending today. This meeting is now adjourned.