Security threat mitigation in enterprise UC environments
Jonathan Zarkower, Director, Product Marketing

Enterprise & contact center transition to IP interactive communications

TDM-to-IP transition well underway
– Reduce costs, improve communications efficiency
– Mobility, collaboration, presence and video drive IP transition and complexity
– Compliance – call recording, emergency services, domain separation
– IP PBX extensively deployed but exist as islands

Unified Communications (UC) is the new focus
– Migrate mission critical applications onto IP network
– Integrate chat, voice and video into contact center and business applications
– Introduce presence and mobility into application delivery process
– Transition call centers to multimedia customer care centers

Enhanced communications efficiency
– Enables intelligent call routing based on business rules/processes (cost, availability, skills, etc.)
– Integrate remote workers/agents seamlessly
– Distribute call processing to eliminate single point of failure

"Voice and data convergence based on IP telephony will be under way in more than 95 percent of large companies by 2010" (Gartner Group)
VoIP security in the news
– Bell Canada customers face bills as high as $220,000 as hackers breach system (Jan. 2009)
– IP PBX hacked for 11,000 calls, $120,000 charges (Jan. 2009)
– Skype outage disconnects users, eBay stock price dips (Aug. 2007)
– Two men charged with hacking into VoIP networks, pocket $1 million (June 2006)
VoIP threats – impacts & probabilities
Ratings on a 1–10 scale, 1 = low, 10 = high. Probability is given separately for VoIP over the Internet (free, anonymous) and for a private network.

Security threat      Impact  Probability:        Probability:      Comments
                             VoIP/Internet       private network
DoS & DDoS attacks   10      1                   2                 Requires sophisticated attack capable of covering tracks; catastrophic, all subscribers impacted
Overloads            9       4                   3                 Power-outage-prone areas susceptible; catastrophic, all subscribers impacted
Viruses & malware    3-8     5                   5                 Impact varies with service provider infrastructure, enterprise IP PBX or residential PC
Service fraud        5       N/A                 5                 Requires technical sophistication; impact depends on business model
Identity theft       2-5     8                   6                 Requires slightly more technical sophistication than SPIT; man-in-the-middle requires the same degree of capability; information is used for other attacks with various impacts
Eavesdropping        2       5                   3                 Requires technical sophistication and access to wiring closets
SPIT                 1       10                  6                 Requires little sophistication; annoying more than harmful
Four enterprise border points require control & security
1. Interconnect border to service provider(s) – SIP/H.323 trunking
   – Extend IP-to-IP connectivity
   – Reduce costs, increase quality
2. Access border – trusted
   – Interconnect sites and users
   – Simplified number plans
3. Access border – untrusted
   – Anywhere connectivity
   – Secure and unsecure access
4. Hosted services/ASP border
   – Expand service and application capabilities
   – Create a global reach
[Diagram: headquarters UC/CC/IPT core with the four borders: (1) SIP/H.323 trunks to service providers and the PSTN, (2) trusted access over MPLS VPN to regional and branch offices, (3) untrusted access over the Internet for SOHO, mobile and nomadic users and other IP subscribers, (4) SIP to hosted services/IP contact center ASP]
Key security threats to enterprise UC
Denial of Service
– Malicious & non-malicious
– Call/registration overload
– Malformed messages (fuzzing)
– Misconfigured devices
– Operator and application errors
Viruses & SPIT
– Viruses attached to SIP messages
– Malware executed through IM sessions
– SPIT – annoying, unwanted traffic
Identity theft & eavesdropping
Service theft
– Unauthorized users and applications
[Diagram: the same four-border enterprise topology as above]
Microsoft OCS 2007 architecture – SIP security risks
[Diagram: OCS 2007 deployment showing where SIP traffic crosses the external, perimeter and internal zones. External: public IP, federated networks, PSTN, public IM clouds (MSN, Yahoo, AOL), remote Office Communicator (MS OC) clients. Perimeter: access edge servers, web conferencing edge server, A/V edge server(s), HTTP reverse proxy, each behind a load balancer. Internal: director(s), front end server pool (registration/presence server, active/passive, inbound router, outbound router, ABS), back end SQL servers, conferencing servers (A/V, data, IM), IIS servers, Communicator web access (app server), CTI server (RCC gateway), mediation server(s), media gateway (MGW) to PBX and FAX, Exchange UM (voice mail), speech server, interactive apps, archiving (IM/CDR), monitoring (MMC, MOM), identity (Active Directory, MIIS). UC endpoints: Microsoft Communicator (MS OC, MS LN, MS CM, MS COE), Live Meeting, Communicator Mobile, Communicator Phone Edition. Legend: SIP, media, HTTP, PSOM, IP PBX-E, IP PBX-T, PSTN, archive, other.]
The key difference between SBC & ALG is the back-to-back user agent
Functional advantages
– Seamlessly addresses the issue of OLIP addresses
– Responds to REDIRECTs, can initiate re-INVITEs and BYEs
– Gracefully manages "stranded call" scenarios
– Provides signaling interworking and protocol fix-ups
Security advantages
– Modifies IP address and SIP URI in every field of the signaling message for complete "anonymization"
– Detects protocol anomalies and also fixes signaling
– Provides interworking between encrypted and non-encrypted elements
– Goes beyond throttling down the rate of signaling messages
Regulatory advantages
– Supports session replication for call recording
– Supports lawful intercept
Even high-end firewalls can't defend against SIP DoS/DDoS attacks
Total of 34 different test cases, using over 4600 test scripts
– SIP flood tests – flood attacks consisting of INVITE, REGISTER and Response 100, 180, 200 messages from thousands of random source addresses/ports
– SIP spoof flood tests – same as SIP flood tests but with spoofing of different headers, fields and addresses
– SIP malformed message tests – over 4500 Protos attack cases
– SIP torture tests – IETF draft of 49 malformed SIP messages
– RTP attack tests – rogue, fraud, and flood attacks of RTP packets
Cisco PIX 535 failed consistently
– Some attacks caused hard failure – needed to be powered off/on
– Some attacks were flooded into the core and impacted the proxy
– Even some random RTP floods caused 94% CPU utilization
Test bed set-ups
[Diagram: public network side – Empirix Hammer FX-IP, GULP & SIPp, SIP softphone, network protocol analyzer, Netgear GS724T L2 switch; private network side – Netgear GS724T L2 switch, Empirix Hammer FX-IP, iptel SIP Express Router, network protocol analyzer. Device under test: #1 no device, #2 Acme Packet Net-Net SD, #3 Cisco PIX 535]
SBC DoS/DDoS protection
Dynamic trust management
– Success based trust model protects resources
– Adjust resources based on real-time events
Proactive threat mitigation
– Drop malformed sessions
– Block known malicious traffic sources
– Identify automated calling and reject based on defined policies
[Diagram: four-border enterprise topology with zombie PCs and spammers attacking from the Internet]
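The "success based trust model" and the rate-limiting/selective-rejection points on these slides can be shown as a small admission controller. The following is an added example written for this page, not Acme Packet code or anything from the deck: each source address starts untrusted with a tiny signaling allowance, is promoted when its requests complete, demoted on malformed messages or auth failures, and blocked when it keeps failing while untrusted. The level names, per-level message ceilings, window and thresholds are assumptions chosen for the demo, as is the constructed traffic in simulate().

```python
"""Dynamic, success-based trust admission at a SIP border (added example).

Not Acme Packet code: a model of the slide's idea. Every source address
starts untrusted with a small signaling allowance, earns a higher
allowance when its requests complete successfully, loses it on malformed
messages or authentication failures, and is blocked outright when it keeps
failing while untrusted. Level names, limits, window and thresholds are
assumptions chosen for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

LEVELS = ["untrusted", "low", "medium", "high"]
LIMITS = {"untrusted": 5, "low": 20, "medium": 100, "high": 1000}  # msgs per WINDOW
WINDOW = 1.0          # seconds
PROMOTE_AFTER = 3     # consecutive successes that raise trust one level
DEMOTE_AFTER = 2      # consecutive failures that lower trust one level
BLOCK_THRESHOLD = 5   # consecutive failures while untrusted -> source is blocked


@dataclass
class SourceState:
    level: int = 0
    successes: int = 0
    failures: int = 0
    blocked: bool = False
    stamps: deque = field(default_factory=deque)   # admission times inside the window


class TrustAdmission:
    def __init__(self):
        self.sources = defaultdict(SourceState)

    def admit(self, src, now):
        """Decide whether one signaling message from src may enter at time now."""
        st = self.sources[src]
        if st.blocked:
            return "blocked"
        while st.stamps and now - st.stamps[0] > WINDOW:
            st.stamps.popleft()                      # expire old admissions
        if len(st.stamps) >= LIMITS[LEVELS[st.level]]:
            return "rate_limited"                    # over this trust level's ceiling
        st.stamps.append(now)
        return "admitted"

    def report(self, src, outcome):
        """Feed back what happened to an admitted message: 'success' (final 2xx
        to REGISTER/INVITE), 'malformed' or 'auth_failed'."""
        st = self.sources[src]
        if outcome == "success":
            st.successes, st.failures = st.successes + 1, 0
            if st.successes >= PROMOTE_AFTER and st.level < len(LEVELS) - 1:
                st.level, st.successes = st.level + 1, 0
            return
        st.failures, st.successes = st.failures + 1, 0
        if st.level == 0 and st.failures >= BLOCK_THRESHOLD:
            st.blocked = True
        elif st.level > 0 and st.failures >= DEMOTE_AFTER:
            st.level, st.failures = st.level - 1, 0

    def level_of(self, src):
        return LEVELS[self.sources[src].level]


def simulate():
    """Constructed traffic: a legitimate phone, an INVITE flooder and a fuzzer."""
    ctl = TrustAdmission()
    for i in range(3):                               # phone registers; each succeeds
        ctl.admit("10.0.0.5", 0.1 * i)
        ctl.report("10.0.0.5", "success")
    flood = [ctl.admit("203.0.113.9", 0.002 * i) for i in range(50)]  # 50 INVITEs in 100 ms
    fuzz = []
    for i in range(8):                               # slow but always malformed
        decision = ctl.admit("198.51.100.7", 2.0 * i)
        fuzz.append(decision)
        if decision == "admitted":
            ctl.report("198.51.100.7", "malformed")
    return {
        "phone_level": ctl.level_of("10.0.0.5"),
        "flood_admitted": flood.count("admitted"),
        "flood_rate_limited": flood.count("rate_limited"),
        "fuzz_admitted": fuzz.count("admitted"),
        "fuzz_blocked": fuzz.count("blocked"),
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the split between admit() and report() is that rate limiting alone would let the fuzzer in forever (it never exceeds 5 messages per second); only the feedback path turns its repeated protocol failures into a block, while the phone that registers cleanly earns a larger allowance than the flooder ever gets.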
IP PBX, SIP proxy & application server DoS/DDoS prevention
Comprehensive security
– Topology hiding protects PBX/UC servers from external exposure/threats
– Private/public address management ensures user privacy
Real-time session control
– Signaling overload protection via rate limiting, load balancing and selective call rejection
– Policy-based admission control
[Diagram: four-border enterprise topology with zombie PCs, spammers, infected PCs and rogue devices attacking from the Internet]
Viruses & malware can threaten IC endpoints and service infrastructure
SIP MIME attachments are a powerful tool for richer call ID – vCard text, picture or video
Potential Trojan horse for viruses and worms to general-purpose server-based voice platforms
– SIP softswitch, IMS CSCF, SIP servers, app servers
– SIP PBX
– SIP phones & PCs
New endpoint vulnerabilities
– Embedded web servers – IP phones
– Java apps – liability or asset?
Solution requirements
– Authentication
– SIP message & MIME attachment filtering
– Secure OS environment
[Slide graphic: names of past worms and viruses – SQL Slammer, Melissa, Code Red, Nimda, Sobig, LoveBug, Klez, Michelangelo]
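Two of the requirements above, rejecting the malformed messages that the Protos and torture-test suites produce (the firewall tests earlier in the deck) and filtering MIME attachments carried in SIP bodies, share one piece of machinery: a strict parser at the border. The block below is an added example for this page, not code from the deck or any vendor. It validates the request line, mandatory headers, Content-Length, CSeq and Max-Forwards, then inspects the body with the standard library's MIME parser and keeps only allow-listed part types, so a vCard or picture for rich call ID passes while an executable is dropped. The allowed types, size limit, method list and the three sample requests (built by build()) are assumptions constructed for the demo.

```python
"""SIP request validation and MIME attachment screening (added example).

Not code from the deck or any vendor. Rejects structurally malformed
requests before they reach the IP PBX and drops MIME body parts whose type
is not allow-listed. Allowed types, limits and samples are assumptions.
"""
import re
from email import message_from_bytes      # stdlib MIME parser; SIP bodies use MIME framing

ALLOWED_BODY_TYPES = {"application/sdp", "text/plain", "text/x-vcard", "image/jpeg"}
MAX_BODY = 8 * 1024
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "SUBSCRIBE", "NOTIFY"}
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")   # RFC 3261 section 8.1.1
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "c": "content-type", "l": "content-length", "k": "supported"}
REQ_LINE = re.compile(rb"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
TOKEN = re.compile(rb"^[A-Za-z0-9\-.!%*_+`'~]+$")        # header-name token characters


def parse(raw):
    """Split a request into (method, headers, body); headers is a list of
    (lower-case name, value) in wire order. Raises ValueError on malformation."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split(b"\r\n")
    m = REQ_LINE.match(lines[0])
    if not m or m.group(1).decode() not in METHODS:
        raise ValueError("bad request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:          # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + b" " + line.strip())
            continue
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name.strip()):
            raise ValueError("bad header line")
        name = name.strip().decode().lower()
        headers.append((COMPACT.get(name, name), value.strip()))
    return m.group(1).decode(), headers, body


def first(headers, name):
    return next((v for n, v in headers if n == name), None)


def validate(raw):
    """Reject the malformations a torture/fuzz suite produces; return parsed parts."""
    method, headers, body = parse(raw)
    for r in REQUIRED:
        if first(headers, r) is None:
            raise ValueError(f"missing {r}")
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    cl = first(headers, "content-length")
    if cl is not None and (not cl.isdigit() or int(cl) != len(body)):
        raise ValueError("content-length mismatch")
    num, _, meth = first(headers, "cseq").partition(b" ")
    if not num.isdigit() or meth.strip().decode() != method:
        raise ValueError("bad cseq")
    mf = first(headers, "max-forwards")
    if not mf.isdigit() or int(mf) > 255:
        raise ValueError("bad max-forwards")
    return method, headers, body


def screen(raw):
    """Border decision for one request: verdict plus kept/dropped body part types."""
    try:
        method, headers, body = validate(raw)
    except ValueError as e:
        return {"verdict": f"reject: {e}", "kept": [], "dropped": []}
    ctype = first(headers, "content-type")
    if not body:
        return {"verdict": "accept", "kept": [], "dropped": []}
    if ctype is None:
        return {"verdict": "reject: body without content-type", "kept": [], "dropped": []}
    msg = message_from_bytes(b"Content-Type: " + ctype + b"\r\n\r\n" + body)
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    kept = [p.get_content_type() for p in parts if p.get_content_type() in ALLOWED_BODY_TYPES]
    dropped = [p.get_content_type() for p in parts if p.get_content_type() not in ALLOWED_BODY_TYPES]
    if method == "INVITE" and "application/sdp" not in kept:
        return {"verdict": "reject: INVITE body without usable SDP", "kept": kept, "dropped": dropped}
    return {"verdict": "accept", "kept": kept, "dropped": dropped}


def build(extra, body=b""):
    """Assemble a constructed INVITE for the samples below (test data, not real traffic)."""
    base = [b"INVITE sip:bob@example.com SIP/2.0",
            b"Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asd",
            b"Max-Forwards: 70",
            b"From: Alice <sip:alice@example.com>;tag=1928301774",
            b"To: Bob <sip:bob@example.com>",
            b"Call-ID: a84b4c76e66710", b"CSeq: 314159 INVITE"]
    return b"\r\n".join(base + extra) + b"\r\n\r\n" + body


GOOD = build([b"Content-Type: application/sdp", b"Content-Length: 10"], b"v=0\r\ns=-\r\n")
TORTURE = build([b"Content-Length: 99999999"])                     # length lies about the body
TROJAN = build([b"Content-Type: multipart/mixed; boundary=bnd"],
               b"--bnd\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n"
               b"--bnd\r\nContent-Type: application/x-msdownload; name=\"update.exe\"\r\n\r\nMZ\r\n"
               b"--bnd--\r\n")
```

screen(GOOD) accepts the plain SDP offer; screen(TORTURE) rejects on the Content-Length lie before anything downstream tries to read a 100 MB body; screen(TROJAN) accepts the call but reports the application/x-msdownload part as dropped, which is the list a caller would use to rebuild the multipart body with only the SDP before forwarding.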
SPIT will be annoying, & a possible tool for ID theft
Will an anonymous, cheap Yahoo subscriber (aka SPITTER) be able to call an enterprise employee via Verizon to solicit – phone sex, penis enlargement, Viagra pill purchase?
Techniques that won't work
– Access control – static
– Content filtering
– Charging – $/call
– Regulation
Solution requirements
– Access control – dynamic, IDS-like
– Authentication
– Admission control – subscriber limits (#)
– Trust chains – pre-established technical & business relationships
Viruses, malware and SPIT
Real-time threat mitigation
– Wire speed Deep Packet Inspection (DPI)
– Signature rule definition and enforcement
Dynamic behavior learning
– Identifies malicious behavior, e.g. consecutive call ID #'s
– Reduces false positives
– Protocol anomaly detection
Adaptive resource protection
– Individual device trust classification
– Define call, bandwidth limits
– Per device constraints and authorization
[Diagram: four-border enterprise topology with malicious users, zombie PCs and spammers on the Internet]
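The "dynamic behavior learning" bullet above gives one concrete tell, consecutive Call-ID numbers, and the SPIT slide before it asks for dynamic, IDS-like access control rather than static rules. The block below is an added example for this page, not code from the deck or from any SBC, showing how such behavioural scoring can work over call-attempt records: it looks for bursts toward many distinct callees, machine-numbered Call-IDs, and calls that are unanswered or dropped within seconds, and flags a caller only when two indicators agree, which is what keeps a busy receptionist from being classed with a robocaller. The thresholds and the call log built by sample_records() are assumptions.

```python
"""Behavioural SPIT detection over call-attempt records (added example).

Not code from the deck or any SBC. Scores each calling identity on the
behaviour the slide names and flags it only when at least two indicators
fire. Thresholds and the sample call log are assumptions.
"""
import re
from collections import defaultdict
from statistics import mean

CALLID_NUM = re.compile(r"^(.*?)(\d+)$")
WINDOW = 300.0        # seconds; burst window (assumed)
MIN_CALLEES = 6       # distinct callees inside one window (assumed)
SEQ_RATIO = 0.8       # share of Call-ID pairs whose number increments by one
SHORT_CALL = 5.0      # mean seconds of talk time below which calls look automated


def sequential_ratio(call_ids):
    """Fraction of consecutive Call-ID pairs with the same prefix and suffix + 1."""
    if len(call_ids) < 2:
        return 0.0
    hits = 0
    for a, b in zip(call_ids, call_ids[1:]):
        ma, mb = CALLID_NUM.match(a), CALLID_NUM.match(b)
        if ma and mb and ma.group(1) == mb.group(1) \
                and int(mb.group(2)) - int(ma.group(2)) == 1:
            hits += 1
    return hits / (len(call_ids) - 1)


def score_callers(records):
    """records: dicts with t, caller, callee, call_id, duration (0 = unanswered).
    Returns {caller: {"indicators": [...], "verdict": "spit" | "ok"}}."""
    by_caller = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["t"]):
        by_caller[rec["caller"]].append(rec)
    result = {}
    for caller, rs in by_caller.items():
        burst, j = [], 0                      # densest WINDOW-second run of attempts
        for i in range(len(rs)):
            while rs[i]["t"] - rs[j]["t"] > WINDOW:
                j += 1
            if i - j + 1 > len(burst):
                burst = rs[j:i + 1]
        indicators = []
        if len({r["callee"] for r in burst}) >= MIN_CALLEES:
            indicators.append("many_callees_in_burst")
        if sequential_ratio([r["call_id"] for r in rs]) >= SEQ_RATIO:
            indicators.append("sequential_call_ids")
        if mean(r["duration"] for r in burst) < SHORT_CALL:
            indicators.append("short_or_unanswered")
        result[caller] = {"indicators": indicators,
                          "verdict": "spit" if len(indicators) >= 2 else "ok"}
    return result


def sample_records():
    """Constructed call log: a robocaller, an employee and a busy receptionist."""
    recs = []
    for i in range(12):       # robocaller: 12 extensions in 30 s, numbered Call-IDs
        recs.append({"t": 1000 + 2.5 * i, "caller": "sip:promo@example.net",
                     "callee": f"sip:{2000 + i}@example.com",
                     "call_id": f"spam-{1001 + i}", "duration": 2.0 if i % 3 == 0 else 0})
    for i, cid in enumerate(["b7f3a1", "9ce04d", "e21a77", "5d0c9b"]):
        recs.append({"t": 2000 + 3600 * i, "caller": "sip:alice@example.com",
                     "callee": f"sip:{3000 + i}@example.com",
                     "call_id": cid, "duration": 240.0})
    for i in range(10):       # receptionist: many callees in a burst, real talk time
        recs.append({"t": 5000 + 20 * i, "caller": "sip:reception@example.com",
                     "callee": f"sip:{4000 + i % 8}@example.com",
                     "call_id": f"r{7 * i + 13:04x}-{i}", "duration": 45.0 + 10 * i})
    return recs


if __name__ == "__main__":
    for caller, verdict in score_callers(sample_records()).items():
        print(caller, verdict)
```

The receptionist trips the many-callees indicator alone and stays "ok"; the robocaller trips all three. In a border element this verdict would feed the per-device trust classification rather than dropping calls directly, so a single false indicator costs nothing.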
Eavesdropping threat is over hyped
Less risk than email – who encrypts email?
– Email is information rich (attachments), voice is not
– Email is always stored on servers, only voice mail is
– Email is always stored on endpoints, voice is not
Who is REALLY at risk?
– Public company execs – insider trading
– Bad guys – Osama, drug cartels, pedophiles, etc.
– Good guys – law enforcement
– Other luv & moolah scenarios – adultery, ID theft
Solution requirements
– Authentication – subscriber
– End-to-end encryption
  • Signaling (TLS, IPSec)
  • Media (SRTP, IPSec)
Confidentiality and privacy
Secure communications
– Encryption protects signaling and/or media (IPSec, TLS, SRTP)
– Ability to terminate and originate encrypted traffic
– Interworking between SIP/H.323
Create trusted user environment
– User protection via SIP privacy (RFC 3323 & 3325) support
– Endpoint protection via topology hiding and header manipulation
[Diagram: HQ SBC terminating SIP/TLS with SRTP and IPsec from SOHO, regional and branch offices across the untrusted Internet, and plain SIP/RTP toward service providers and the PSTN]
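The two "trusted user environment" bullets are header manipulation on the outbound leg of a back-to-back user agent. The block below is an added example for this page, not code from the deck or any vendor product. It takes the headers of an already-parsed INVITE as (name, value) pairs in wire order and does what an SBC does before the request leaves the enterprise: the PBX's Via stack, Contact and Record-Route are replaced with the SBC's own address and a fresh Call-ID, headers that leak vendor or topology details are dropped, and the caller's Privacy request is honoured toward a next hop outside the RFC 3325 trust domain (P-Asserted-Identity removed for "id", From anonymised for "user", the Privacy header consumed once applied). The SBC address, trusted-peer list and the constructed INSIDE request are assumptions.

```python
"""Topology hiding and SIP privacy (RFC 3323/3325) on the SBC's outbound leg
(added example; not code from the deck or any vendor product).

Input is the header list of an already-parsed request. The SBC address,
trusted-peer list and sample request are assumptions.
"""
import re

SBC_ADDR = "198.51.100.1"                     # assumed public address of the SBC
TRUSTED_PEERS = {"trunk.provider.example"}    # assumed RFC 3325 trust domain (Spec(T))
LEAKY = {"user-agent", "server", "organization", "warning", "alert-info"}
ANON_FROM = '"Anonymous" <sip:anonymous@anonymous.invalid>'   # RFC 3323 section 4.1.1.3
TAG = re.compile(r";tag=[^;]+")


def hide_topology(headers, branch, call_id):
    """Replace inside-network routing headers with the SBC's own (B2BUA outside leg)."""
    out = [("Via", f"SIP/2.0/TLS {SBC_ADDR}:5061;branch=z9hG4bK{branch}"),
           ("Call-ID", call_id)]
    for name, value in headers:
        key = name.lower()
        if key in ("via", "record-route", "route", "call-id") or key in LEAKY:
            continue                                   # never leaves the enterprise
        if key == "contact":
            value = f"<sip:{SBC_ADDR}:5061;transport=tls>"
        out.append((name, value))
    return out


def apply_privacy(headers, next_hop):
    """Act as the RFC 3323 privacy service when the next hop is untrusted."""
    wanted = set()
    for name, value in headers:
        if name.lower() == "privacy":
            wanted |= {v.strip().lower() for v in value.split(";")}
    if next_hop in TRUSTED_PEERS:
        return list(headers)        # a node inside the trust domain applies privacy itself
    out = []
    for name, value in headers:
        key = name.lower()
        if key == "p-preferred-identity":
            continue                # only meaningful between a UA and its first trusted proxy
        if key == "p-asserted-identity" and "id" in wanted:
            continue                # RFC 3325 section 7: must not reach an untrusted node
        if key == "from" and "user" in wanted:
            tag = TAG.search(value)                    # keep the dialog tag, hide the identity
            value = ANON_FROM + (tag.group(0) if tag else "")
        if key == "privacy":
            continue                # all requested services applied; drop the request header
        out.append((name, value))
    return out


def egress(headers, next_hop, branch, call_id):
    return apply_privacy(hide_topology(headers, branch, call_id), next_hop)


def values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


# Constructed INVITE as it arrives from the PBX on the inside leg (not real traffic).
INSIDE = [
    ("Via", "SIP/2.0/UDP 10.0.0.10:5060;branch=z9hG4bKpbx1"),       # PBX
    ("Via", "SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKphone1"),      # phone
    ("Record-Route", "<sip:10.0.0.10;lr>"),
    ("Max-Forwards", "69"),
    ("From", '"Alice" <sip:alice@example.com>;tag=1928301774'),
    ("To", "<sip:+15557654321@trunk.provider.example>"),
    ("Call-ID", "a84b4c76e66710@10.0.0.5"),
    ("CSeq", "314159 INVITE"),
    ("Contact", "<sip:alice@10.0.0.5:5060>"),
    ("User-Agent", "ExamplePBX/1.2"),
    ("P-Asserted-Identity", '"Alice" <sip:+15551234567@example.com>'),
    ("Privacy", "id;user"),
]

if __name__ == "__main__":
    for name, value in egress(INSIDE, "peer.untrusted.example", "sbc77", "9f2c-outside"):
        print(f"{name}: {value}")
```

Toward the untrusted peer nothing in the output names a 10.0.0.0/8 host, the PBX vendor or the real caller; toward the trusted trunk the asserted identity and the Privacy header pass through intact, because the provider's own privacy service is expected to strip them at its far edge.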
Acme Packet SBCs in Microsoft OCS architecture
[Diagram: the OCS 2007 architecture shown earlier, with Acme Packet Net-Net SBCs placed at the border in three roles – border security in front of the access edge, web conferencing edge and A/V edge servers toward public IP, federated networks and the public IM clouds (MSN, Yahoo, AOL); load balancer; and mediation between the mediation server(s), the IP PBX with its proprietary endpoints (SIP, H.323, MGCP, SCCP) and IP trunking to the PSTN. Legend: SIP, media, HTTP, PSOM, IP PBX-E, IP PBX-T, PSTN, archive, other.]
Trust & identity
How do you know you are talking to Bank of America?
Web site techniques don't work for IC – they work for many-to-one, not many-to-many
Solution requirements
– Authentication, access control
– Trust chains – pre-established technical & business relationships

Security issues are very complex and multi-dimensional
Security investments are business insurance decisions
– Life – DoS attack protection
– Health – SLA assurance
– Property – service theft protection
– Liability – SPIT & virus protection
Degrees of risk (high to low)
– Internet-connected ITSP – high
– Facilities-based HIP residential services
– Facilities-based HIP business services
– Peering – low
– NEVER forget disgruntled Milton from "Office Space"
Session border controllers enable enterprises to insure their success