Avaya Technology Forum Breakout
©2013 Avaya Inc. All rights reserved
February 26-28, 2013 | Orlando, FL
Securing the UC Network
Terry Pierson
Consulting System Engineer
UC Security - AVAYA
#AvayaATF
Agenda
• UC Security – Why it matters
• VIPER Lab
• Avaya SBC for Enterprise
• Use Cases
  • SIP Trunks – Standard License
  • Remote Worker – Advanced License
• SBC Update
• Resources
• Q&A
More Collaboration and Mobile Devices… More Enterprise Security Threats
Enterprise adoption of collaboration tools brings:
• Denial of Service
  • Call/registration overload
  • Malformed messages, aka “fuzzing”
• Configuration errors
  • Mis-configured devices
  • Operator and application errors
• Theft of service
  • Unauthorized users
  • Unauthorized media types
• Viruses and SPIT
  • Viruses via SIP messages
  • Malware via IM sessions
  • SPIT – unwanted traffic
Source: Nemertes Research
Unified Communications Security – Should You Care?
• Compliance: credit card privacy rules and other compliance laws require security architecture specific to VoIP and other UC. [1]
• Increase: ‘VoIP hacking at new levels’ [2]
• Up to … of attacks: VoIP scanning – botnets and the Cloud used for VoIP fraud [3]
• Reduce deployments by: VoIP/UC security reduces VoIP/UC deployment time by one third [4]
• Toll fraud: yearly enterprise losses in billions from inadequate securing of SIP trunks, UC and VoIP applications [5]
OSI Model – 7 Layers of Attacks
Think of the OSI model as a 7 foot high jump:
• Typical firewall protection is layer 3-4 protection (a 3 to 4 foot hurdle)
• Email spam filters are layer 7, application-specific email firewalls
• SIP, VoIP and UC are layer 4 to layer 7 applications
  • SIP Trunking – a trunk side application
  • SIP Line (phone) side (internal and external) access – another application
• Attackers/Exploiters look for:
  • High/growing adoption
  • Protection not yet available… VoIP/UC

  Layer             Data Unit         Function
  Host layers
  7. Application    Data              Network process to application
  6. Presentation   Data              Data representation, encryption and decryption, convert machine dependent data to machine independent data
  5. Session        Data              Interhost communication
  4. Transport      Segments          End-to-end connections and reliability, flow control
  Media layers
  3. Network        Packet/Datagram   Path determination and logical addressing
  2. Data Link      Frame             Physical addressing
  1. Physical       Bit               Media, signal and binary transmission

Source: Wikipedia on 22Jul2011: http://en.wikipedia.org/wiki/OSI_Model
Avaya SBCE provides VoIP/UC trunk/line side layer 4-7 application protection.
VIPER Lab – Industry Recognized UC Security Experts
• Leading edge UC security research: 10 years of extensive research using worldwide honeypots, Enterprise networks, etc.
• Recognized UC security SMEs by SANS, Dept of Justice and other US Gov agencies, and external organizations like DefCon and Infoseek
• Experienced audit and assessment team: VIPER is an experienced security assessment team, having completed over 100 network or application assessments
Best Practices vs an Assessment
• Best Practices
  • Lock your doors at night
  • Lock your windows
  • Enable your home alarm system
  • You’ve followed best practices and you’re safe! Or are you?
• A Security Assessment
  • Your locked doors use an easy to pick lock type
  • Your door frame is thin and one kick could open it
  • Your windows can be unlocked from the outside with a screwdriver
  • Your phone line can be cut, stopping your alarm from reaching the police
A proper security assessment validates the implementation of a best practice – and often reveals many weaknesses!
What does an Audit consist of?
• An audit usually takes the form of a “UC Penetration Test”
• It typically consists of the following process:
  • VIPER reviews the business and understands the VoIP/UC application flow
  • Tailors a set of security test cases for penetration testing that are unique to that customer’s infrastructure
  • Performs network discovery and reconnaissance
  • Spends 1 – 5 weeks doing technical security testing
  • Develops the security report, typically 1 – 2 weeks
Evolving and Protecting – VIPER Lab
• Proactively identifying and preparing defenses beyond your network borders
• Vulnerability assessments improve security architectures and enhance compliance
• State-of-the-art research facility with expert vulnerability assessment professionals
• Open source UC security self-assessment tools
• Uncover vulnerabilities in next-generation, multi-vendor networking environments
The Solution – Session Border Controller
Security
• Enforce your unique security policies
• Focus on enterprise security (vs. the SIP trunk provider’s own SBC)
• Network topology invisible to external threats
• Limits multivendor environment interoperability concerns
Flexibility
• Independence from Service Provider
• Normalization point for signaling / RTP media streams
• Multiple SIP trunk provider access points
• Support enterprise-specific call flows
Accountability
• Report on intrusion attempts
• Session recording
• Remote Worker safety
The SBC Protects & Defends the Avaya Core
• The SBC is not just about SIP Trunks and Remote Endpoints – it’s about Avaya’s future.
• Acme, Sonus, and most other third-party players are moving into the Enterprise with SBCs –AND- with Session Management offerings.
• Allowing third-party wins with SBC deals opens the door for them to capture the Core with their SM offerings and sequenced applications before it ever gets to an Avaya system.
• Selling the Avaya SBCE protects Avaya’s Core Business and extends Avaya Aura solutions with secure and borderless Enterprise communication applications.
ASBCE 6.2 System Capacity
Capacity in simultaneous sessions:

  Mode   Platform            Max Capacity w/o Encryption   Max Capacity with Encryption
  HA                         2000                          1000
  SA                         2000                          1000
  SA     Portwell CAD-0208    500                           250

‘Rules of Thumb’
• SIP trunking usually 5 users per session
• Must account for higher ratio in small
• Remote Worker must consider both on-net and off-net requirements
• Remember encryption services impact capacity

• Session Border Controller capacities are rated in simultaneous sessions
• A simultaneous session = a communication session between 2 SIP endpoints
• Can think of it as analogous to a DS0 in the ‘old world’
• Key for engineering is to understand the number of sessions required in the solution
  • For secure SIP trunking, look at the number of TDM DS0s required
  • For Remote Worker, calculate required call volumes
Avaya SBC for Enterprise
• 1 Software Base: Avaya Aura SBC for Enterprise
• 3 HW Platforms: Dell & HP for Enterprise; Portwell CAD-0208 for IPO
• 2 Use Cases: SIP Trunking and Remote Worker
(Diagram: several SIP Trunking deployments, each fronted by an Avaya SBC for Enterprise, CS1000 among them)
Avaya SBCE: SIP Trunking Architecture
Use Case: SIP Trunking to Carrier
• Carrier offering SIP trunks as lower-cost alternative to TDM
• Heavy driver for Enterprise adoption of SBC
(Diagram: Carrier – Internet – SIP Trunks – Firewall – DMZ with Avaya SBCE – Firewall – Enterprise IP PBX)
• Carrier SIP trunks terminate on the Avaya Session Border Controller for Enterprise
• Avaya SBCE is located in a DMZ behind the Enterprise firewall
• Services: security and demarcation device between the IP-PBX and the Carrier
  − NAT traversal,
  − Securely anchors signaling and media, and can
  − Normalize SIP protocol
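The three trunk-side services just listed (NAT traversal, anchoring of signaling and media, SIP normalization) all come down to the SBC rewriting what each side of the trunk sees, so that the IP-PBX only ever talks to the SBC and never to a carrier host directly. The Python below is an added example written for this page; it is not Avaya SBCE code and does not describe how SBCE implements these services. It takes a constructed carrier INVITE, drops it if it fails basic sanity checks (the “malformed messages, aka fuzzing” threat from the earlier slide), and otherwise rewrites the Request-URI, Via, Contact, Record-Route and the SDP connection and media lines to the SBC's inside address before the message is handed to the PBX. The IP addresses, ports, size limit and rewrite rules are all assumptions for illustration.

```python
"""Added example (not Avaya SBCE code): B2BUA-style handling of one inbound carrier
INVITE before it reaches the IP-PBX. All addresses are constructed (RFC 5737 ranges)."""
import re

PBX_IP = "10.0.0.20"         # constructed: the IP-PBX behind the SBC
SBC_INSIDE_IP = "10.0.0.10"  # constructed: the SBC's PBX-facing address
SBC_MEDIA_PORT = 30000       # constructed: port the SBC anchors RTP on
MAX_MESSAGE_BYTES = 4096     # anything larger is treated as fuzzing and dropped
MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")


class SipRejected(Exception):
    """Raised for messages the SBC drops instead of forwarding to the IP-PBX."""


def parse_sip(raw):
    """Split a SIP request into (request line, ordered header list, body)."""
    if len(raw.encode()) > MAX_MESSAGE_BYTES:
        raise SipRejected("oversized message")
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise SipRejected("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def validate(request_line, headers):
    """Reject requests that break basic RFC 3261 expectations; return the method."""
    m = re.fullmatch(r"(INVITE|REGISTER|ACK|BYE|CANCEL|OPTIONS) sip:\S+ SIP/2\.0",
                     request_line)
    if not m:
        raise SipRejected("unsupported or malformed request line")
    present = {name for name, _ in headers}
    missing = [h for h in MANDATORY if h not in present]
    if missing:
        raise SipRejected("missing mandatory headers: " + ", ".join(missing))
    max_fwd = dict(headers)["Max-Forwards"]
    if not max_fwd.isdigit() or int(max_fwd) == 0:
        raise SipRejected("Max-Forwards invalid or exhausted")
    return m.group(1)


def rewrite_headers(headers):
    """Topology hiding: the carrier's Via chain and Record-Route stop at the SBC and
    Contact points at the SBC, so the PBX only ever addresses the SBC itself."""
    # A real SBC generates a unique branch per transaction; fixed here for brevity.
    out = [("Via", "SIP/2.0/UDP %s:5060;branch=z9hG4bK-sbc-1" % SBC_INSIDE_IP)]
    for name, value in headers:
        if name in ("Via", "Record-Route"):
            continue
        if name == "Contact":
            value = re.sub(r"@[^;>]+", "@%s:5060" % SBC_INSIDE_IP, value)
        elif name == "Max-Forwards":
            value = str(int(value) - 1)
        out.append((name, value))
    return out


def rewrite_sdp(body):
    """Media anchoring: the PBX sends RTP to the SBC, never to the carrier host."""
    body = re.sub(r"c=IN IP4 \S+", "c=IN IP4 %s" % SBC_INSIDE_IP, body)
    return re.sub(r"m=audio \d+", "m=audio %d" % SBC_MEDIA_PORT, body)


def forward_to_pbx(raw):
    """Parse, validate, rewrite and re-serialize one inbound request."""
    request_line, headers, body = parse_sip(raw)
    validate(request_line, headers)
    request_line = re.sub(r"@[^ ;>]+", "@" + PBX_IP, request_line, count=1)
    headers = rewrite_headers(headers)
    if body:
        body = rewrite_sdp(body)
        headers = [(n, str(len(body)) if n == "Content-Length" else v) for n, v in headers]
    head = "\r\n".join([request_line] + ["%s: %s" % h for h in headers])
    return head + "\r\n\r\n" + body


# Constructed carrier-side INVITE: 192.0.2.x is the carrier, 203.0.113.10 the SBC outside.
CARRIER_INVITE = (
    "INVITE sip:+15555550100@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.50:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:+15555550199@192.0.2.50>;tag=1928301774\r\n"
    "To: <sip:+15555550100@203.0.113.10>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.50\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:+15555550199@192.0.2.50:5060>\r\n"
    "Record-Route: <sip:192.0.2.7;lr>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 109\r\n"
    "\r\n"
    "v=0\r\n"
    "o=carrier 2890844526 2890844526 IN IP4 192.0.2.50\r\n"
    "c=IN IP4 192.0.2.50\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
```

Calling forward_to_pbx(CARRIER_INVITE) yields a request whose only routable addresses are the SBC's and the PBX's; the same rewrite applied in the opposite direction is what hides the enterprise's Via, Contact and media addresses from the carrier. Because the message is fully re-serialized rather than patched in place, a header that does not parse never reaches the PBX, which is the point of normalizing at the demarcation.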
Secure Remote Worker with BYOD
(Diagram: Avaya Aura® core – Session Manager, System Manager, Communication Manager, Avaya Aura Conferencing, Aura Messaging, Avaya Presence Server – behind the Avaya SBCE, reached from an untrusted network (Internet, Wireless, etc.))
• Personal PC, Mac or iPad devices
• Avaya Flare®, Avaya one-X® SIP client app
• App secured into the organization, not the device
• One number UC anywhere
Avaya SBCE: Remote Worker Architecture
Use Case: Remote Worker
• Extend UC to SIP users remote to the Enterprise
• Solution not requiring VPN for UC/CC SIP endpoints
(Diagram: Remote Workers – Internet – Firewall – DMZ with Avaya SBCE – Firewall – Enterprise IP PBX)
• Remote Workers are external to the Enterprise firewall
• Avaya Session Border Controller for Enterprise:
  − Authenticates SIP-based users/clients to the enterprise
  − Securely proxies registrations and client device provisioning
  − Securely manages communications without requiring a VPN
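Authenticating remote SIP clients at the edge is what keeps a SIP-speaking SBC from turning into an open registrar that anyone on the Internet can register against. As an added example (not Avaya's code, and not a description of how SBCE implements it), the Python below walks through the Digest challenge/response that RFC 3261 specifies for SIP, as an edge device would run it for a remote worker's REGISTER: the server issues a nonce it can validate later without keeping state, stores only HA1 rather than the password, refuses a nonce after a short lifetime so a captured Authorization header cannot be replayed, binds the digest to the method and URI, and compares digests in constant time. The realm, user, password, nonce format and lifetime are all constructed for this page.

```python
"""Added example (not Avaya SBCE code): Digest challenge/response as an edge device
would run it for a remote worker's REGISTER (RFC 3261 section 22 / RFC 2617).
Realm, users, nonce format and lifetime are constructed for this page."""
import hashlib
import hmac
import os
import re
import time

REALM = "uc.example.com"        # constructed
NONCE_TTL = 60                  # seconds a challenge stays usable (constructed)
SERVER_SECRET = os.urandom(16)  # per-process key that makes nonces self-validating


def ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); the only secret the registrar needs to keep."""
    return hashlib.md5(("%s:%s:%s" % (user, realm, password)).encode()).hexdigest()


# Constructed user store: HA1 values only, never clear-text passwords.
USERS = {"alice": ha1("alice", REALM, "correct horse battery staple")}


def make_nonce(now=None):
    """Nonce = issue time + HMAC(issue time): checkable with no server-side state."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_SECRET, ts.encode(), "sha256").hexdigest()[:16]
    return "%s-%s" % (ts, mac)


def nonce_valid(nonce, now=None):
    """True only if we minted this nonce and it is younger than NONCE_TTL."""
    ts, _, mac = nonce.partition("-")
    if not ts.isdigit():
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), "sha256").hexdigest()[:16]
    if not hmac.compare_digest(mac, expected):
        return False
    now = time.time() if now is None else now
    return 0 <= now - int(ts) <= NONCE_TTL


def challenge(now=None):
    """WWW-Authenticate value on the 401 the edge sends to an unauthenticated REGISTER."""
    return 'Digest realm="%s", nonce="%s", algorithm=MD5, qop="auth"' % (REALM, make_nonce(now))


def parse_digest(value):
    """Parse 'Digest k="v", k2=v2, ...' into a dict (no quoted commas in this example)."""
    _, _, params = value.partition("Digest ")
    return {k.strip(): v.strip().strip('"')
            for k, _, v in (p.partition("=") for p in re.split(r",\s*", params))}


def digest_response(ha1_value, nonce, method, uri, nc, cnonce):
    """qop=auth response: MD5(HA1:nonce:nc:cnonce:auth:MD5(method:uri))."""
    ha2 = hashlib.md5(("%s:%s" % (method, uri)).encode()).hexdigest()
    data = "%s:%s:%s:%s:auth:%s" % (ha1_value, nonce, nc, cnonce, ha2)
    return hashlib.md5(data.encode()).hexdigest()


def client_authorization(user, password, challenge_value, method, uri,
                         nc="00000001", cnonce="0a4f113b"):
    """What a well-behaved SIP client puts in Authorization when it retries."""
    p = parse_digest(challenge_value)
    resp = digest_response(ha1(user, p["realm"], password), p["nonce"], method, uri, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s", algorithm=MD5'
            % (user, p["realm"], p["nonce"], uri, nc, cnonce, resp))


def verify(authorization_value, method, now=None):
    """Accept only a fresh nonce, a known user and a digest bound to this method/URI."""
    p = parse_digest(authorization_value)
    try:
        user, nonce, uri = p["username"], p["nonce"], p["uri"]
        nc, cnonce, resp = p["nc"], p["cnonce"], p["response"]
    except KeyError:
        return False
    if p.get("realm") != REALM or p.get("qop", "auth") != "auth":
        return False
    if not nonce_valid(nonce, now):
        return False  # expired or forged nonce: client must take a fresh challenge
    stored = USERS.get(user)
    if stored is None:
        return False  # unknown user gets the same answer as a wrong password
    expected = digest_response(stored, nonce, method, uri, nc, cnonce)
    return hmac.compare_digest(expected, resp)
```

The two-message exchange is: the REGISTER arrives without credentials, the edge answers 401 with challenge() in WWW-Authenticate, the client retries with client_authorization() in Authorization, and verify() decides whether the registration is proxied inward. Keeping the nonce self-validating matters for an edge device that fronts thousands of endpoints, because it has nothing to store per challenge and nothing an unauthenticated peer can exhaust.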
Remote Worker: How does the SBC proxy endpoint traffic?
(Diagram: Internet – External Firewall/Router – DMZ with Avaya SBCE (FW/NAT traversal) – Internal Firewall + NAT – Intranet with SM and CM or CS1k)
1. Encrypted signaling over TLS: remote endpoint to Avaya SBCE across the Internet
2. Signaling over TCP/UDP: Avaya SBCE to SM through the internal firewall + NAT
3. Encrypted media (SRTP): remote endpoint to Avaya SBCE
4. Media (RTP): Avaya SBCE to the intranet
Unencrypted Signaling: SIP/TCP
Unencrypted Media: RTP
Encrypted Signaling: SIP/TLS
Encrypted Media: SRTP (HW 50 usec)
What’s Next?
• “6.2” Product Release now through April 2013
• “Micro” Release for IP Office available now (new market)
• Trunk-side for Enterprise in February ’13
• Applications (inc. Remote Worker) in April ’13
• Re-organized UC Security Team engaging now to build
Sales, Tech Ops, Channel enablement programs and
create wider coverage. Need your support for participation.
• Auto-attach campaign to start in Q2 for IPO, CM/Aura, SM,
others
• Reporting on success will be delivered from UC Security
Ops to Area Ops, Leaders to assist in gap identification,
drive activity
SBCE Roadmap
Avaya SBCE 6.2 – Q1 CY 2013 (Mar)
• SIP Trunking (Avaya Aura, CS1000 & IPO)
• Securing Remote Worker without VPN (Avaya Aura)
• SIP security designed for scalable, cost-effective enterprise use
• Fully supports SIP trunking on Avaya Aura, CS1K & IPO
• Supports remote and mobile SIP devices and clients with Avaya Aura: 96x1 R6.2, One-X Com R6.2, Flare Exp iPad R1.1
• Extends Avaya Aura® SIP capabilities outside the enterprise
• Easy and intuitive to deploy and configure, lowering TCO
Avaya SBCE 6.2 Feature Pack 1 – Q2 CY 2013 (May)
• Avaya Interoperability: Mobile SIP iOS R6.2, 96x0 (SIP) R6.2, One-X Comm R6.2, OTV R1.0
• AACC7 support
• HP DL360 Migration Kit
• UCID Generation
Avaya SBCE 6.2 Feature Pack 2 – Q3 CY 2013
• Expanded Interoperability: Remote Worker for IPO, Flare Exp. R1.1, Flare Comm. R1.0.3, Radvision Interop, CS1K R7.6 w/ Collab Pack
• Microsoft Lync trunks
UC Security Sales Organization
Nick Adams – Global Sales Leader
US Practice Leaders
• Dave Mulhern – Northeast, 972-679-7809
• Brad Bleeck – South, 972-679-7809
• Ed Williams – Central, 972-322-3791
• Shawn Darcy – West, 310-748-8803
CANADA Practice Lead: Chuck Pledger, 614-893-2628
EMEA Practice Lead: Dan Panesar, +44 4477 1566 6078
APAC Practice Lead: David Lloyd, +61 417328435
US Engineering – Global Technical Lead: Addis Hallmark, 214-269-2420; Terry Pierson, 972-978-2611
Global Channel Lead: Greg Parcell, 630-618-0188
CALA Practice Lead: Gus Herrera, 305-586-2973
Global Operations: Jaime Cooley, 630-245-2822
Thank you!