Security threat mitigation in enterprise UC environments Jonathan Zarkower Director, Product Marketing

Enterprise & contact center transition to IP interactive communications

TDM-to-IP transition well underway
– Reduce costs, improve communications efficiency
– Mobility, collaboration, presence and video drive IP transition and complexity
– Compliance – call recording, emergency services, domain separation
– IP PBX extensively deployed but exist as islands

Gartner Group: "Voice and data convergence based on IP telephony will be under way in more than 95 percent of large companies by 2010"

Unified Communications (UC) is the new focus
– Migrate mission critical applications onto IP network
– Integrate chat, voice and video into contact center and business applications
– Introduce presence and mobility into application delivery process
– Transition call centers to multimedia customer care centers

Enhanced communications efficiency
– Enables intelligent call routing based on business rules/processes (cost, availability, skills, etc.)
– Integrate remote workers/agents seamlessly
– Distribute call processing to eliminate single point of failure
In IP we trust... no one!
VoIP security in the news
– Bell Canada customers face bills as high as $220,000 as hackers breach system (Jan. 2009)
– IP PBX hacked for 11,000 calls, $120,000 charges (Jan. 2009)
– Skype outage disconnects users, eBay stock price dips (Aug. 2007)
– Two men charged with hacking into VoIP networks, pocket $1 million (June 2006)
Enterprise security concerns
VoIP threats – impacts & probabilities

Security threat      Impact   Probability:                           Comments
                              VoIP/Internet        Private network
                              (free, anonymous)
DoS & DDoS attacks   10       1                    2                  Requires sophisticated attack capable of covering tracks; catastrophic – all subscribers are impacted
Overloads            9        4                    3                  Power outage prone areas susceptible; catastrophic – all subscribers impacted
Viruses & malware    3-8      5                    5                  Impact varies based on service provider infrastructure, enterprise IP PBX or residential PC
Service fraud        5        N/A                  5                  Requires technical sophistication; impact depends on business model
Identity theft       2-5      8                    6                  Requires slightly more technical sophistication than SPIT; man-in-the-middle requires same degree of technical capabilities; information used for other attacks with various impacts
Eavesdropping        2        5                    3                  Requires technical sophistication and access to wiring closets
SPIT                 1        10                   6                  Requires little sophistication; annoying more than harmful

Note: probability and impact ratings on 1–10 scale with 1 being low and 10 being high
Four enterprise border points require control & security

1. Interconnect border to service provider(s) – SIP/H.323 trunking
   – Extend IP to IP connectivity
   – Reduce costs, increase quality
2. Access border – trusted
   – Interconnect sites and users
   – Simplified number plans
3. Access border – untrusted
   – Anywhere connectivity
   – Secure and unsecure access
4. Hosted services/ASP border
   – Expand service and application capabilities
   – Create a global reach

[Diagram: headquarters (UC, CC, IPT) connected over MPLS VPN (H.323/SIP) to regional and branch offices (border 2), over the Internet (SIP) to SOHO, mobile and nomadic users (border 3), to PSTN service providers and other IP subscribers (border 1), and to hosted services/IP contact center ASP (border 4)]
Key security threats to enterprise UC

Denial of Service
– Malicious & non-malicious
– Call/registration overload
– Malformed messages (fuzzing)
– Misconfigured devices
– Operator and application errors

Viruses & SPIT
– Viruses attached to SIP messages
– Malware executed through IM sessions
– SPIT – annoying, unwanted traffic

Identity theft & eavesdropping

Service theft
– Unauthorized users and applications

[Diagram: the same four-border enterprise topology as the previous slide]
Microsoft OCS 2007 architecture – SIP security risks

[Diagram: Microsoft Office Communications Server 2007 topology – UC endpoints (Office Communicator, Communicator Mobile, Communicator Phone Edition, Live Meeting); access edge, A/V edge and web conferencing edge servers behind load balancers and an HTTP reverse proxy in the perimeter; director(s), front end and back end SQL servers (registration/presence), conferencing servers (A/V, data, IM), mediation, archiving (IM/CDR) and Exchange UM (voice mail) servers, CTI server (RCC gateway), Active Directory and MIIS internally; media gateway to PBX, FAX and PSTN; federated networks (AOL, Yahoo, MSN) on the public Internet. Legend: SIP, media, HTTP, PSOM, IP PBX-E, IP PBX-T, PSTN, archive, other]
The key difference between SBC & ALG is back-to-back user agent

Functional advantages
– Seamlessly addresses the issue of overlapping IP (OLIP) addresses
– Responds to REDIRECTs, can initiate re-INVITEs and BYEs
– Gracefully manages "stranded call" scenarios
– Provides signaling interworking and protocol fix-ups

Security advantages
– Modifies IP address and SIP URI in every field of signaling message for complete "anonymization"
– Detects protocol anomalies and also fixes signaling
– Provides interworking between encrypted and non-encrypted elements
– Goes beyond throttling down the rate of signaling messages

Regulatory advantages
– Supports session replication for call recording
– Supports lawful intercept
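The "anonymization" bullet above, as an added example (not Acme Packet's code): a B2BUA-style rewrite of an INVITE from a private IP PBX so that no Via, URI host, Call-ID host or SDP line leaving the enterprise names the 10.0.0.0/8 space. The SBC address, the PBX addresses and the sample INVITE are constructed values.

```python
"""Topology hiding as a back-to-back user agent does it: every header, URI
host and SDP line that carries the private address space is rewritten before
the message leaves the enterprise. Added example, not Acme Packet code; the
addresses and the sample INVITE are constructed."""
import re

SBC_PUBLIC = "203.0.113.10"                 # assumed public-side address of the SBC
PRIVATE_IP = re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?::\d+)?")  # 10/8 + optional port

SAMPLE_INVITE = (                           # constructed: INVITE as sent by the IP PBX
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/UDP 10.1.2.50:5060;branch=z9hG4bK-pbx\r\n"
    "From: <sip:alice@10.1.2.50>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@10.1.2.3:5060>\r\n"
    "Record-Route: <sip:10.1.2.50;lr>\r\n"
    "Call-ID: a84b4c76e66710@10.1.2.3\r\n"
    "User-Agent: EnterprisePBX/4.1\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 10.1.2.3\r\n"
    "c=IN IP4 10.1.2.3\r\nm=audio 49170 RTP/AVP 0\r\n"
)

def hide_topology(msg: str) -> str:
    """Rewrite private hosts in every header and the SDP, collapse the Via chain."""
    head, sep, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    # The B2BUA starts a fresh transaction outward: only its own Via is present
    out = [lines[0], f"Via: SIP/2.0/UDP {SBC_PUBLIC}:5060;branch=z9hG4bK-sbc1"]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name == "Via":
            continue                        # inner hops must not be visible outside
        if name == "User-Agent":
            value = " sbc"                  # hide PBX vendor and version
        out.append(f"{name}:{PRIVATE_IP.sub(SBC_PUBLIC, value)}")
    # SDP o= and c= lines name the phone's media address; the SBC relays media
    return "\r\n".join(out) + sep + PRIVATE_IP.sub(SBC_PUBLIC, body)

def leaks_private(msg: str) -> bool:
    """True if a 10.x.x.x address survives anywhere in the message."""
    return PRIVATE_IP.search(msg) is not None

def via_count(msg: str) -> int:
    return sum(1 for l in msg.split("\r\n") if l.startswith("Via:"))
```

Running `leaks_private` on the message before and after the rewrite is the check a border audit would make: the original leaks the PBX, the phone and the internal proxy; the rewritten one leaks nothing.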
Even high-end firewalls can't defend SIP DoS/DDoS attacks

Total of 34 different test cases, using over 4600 test scripts
– SIP flood tests – flood attacks consisting of INVITE, REGISTER and Response 100, 180, 200 messages from thousands of random source addresses/ports
– SIP spoof flood tests – same as SIP flood tests but with spoofing of different headers, fields and addresses
– SIP malformed message tests – over 4500 Protos attack cases
– SIP torture tests – IETF draft of 49 malformed SIP messages
– RTP attack tests – rogue, fraud, and flood attacks of RTP packets

Cisco PIX 535 failed consistently
– Some attacks caused hard failure – needed to be powered off/on
– Some attacks were flooded into core and impacted proxy
– Even some random RTP floods caused 94% CPU utilization

Test bed set-ups
#1 No device
#2 Acme Packet Net-Net SD
#3 Cisco PIX 535

[Diagram: public network (Empirix Hammer FX-IP, GULP & SIPp, SIP softphone, network protocol analyzer) – Netgear GS724T L2 switch – device under test – Netgear GS724T L2 switch – private network (Empirix Hammer FX-IP, network protocol analyzer, iptel SIP Express Router)]
SBC DoS/DDoS protection

Dynamic trust management
– Success based trust model protects resources
– Adjust resources based on realtime events

Proactive threat mitigation
– Drop malformed sessions
– Block known malicious traffic sources
– Identify automated calling and reject based on defined policies

[Diagram: enterprise topology with spammers and zombie PCs on the Internet side]
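The success-based trust model and the "drop malformed, block known sources" rules above, as an added example (not Acme Packet's code): each source starts in a small signaling budget, earns a larger one after a successful registration, loses it after repeated malformed messages. The tiers, limits, threshold and the two sample requests are assumed/constructed.

```python
"""Success-based dynamic trust with per-tier signaling rate limits and
malformed-message drops. Added example, not Acme Packet code; tiers, limits,
thresholds and the two sample requests are assumed/constructed."""
import re
from collections import defaultdict

LIMITS = {"untrusted": 2, "trusted": 20}     # requests per second per source (assumed)
BAD_BEFORE_DENY = 3                          # malformed messages before a source is blocked
REQUEST_LINE = re.compile(r"^(REGISTER|INVITE|OPTIONS|BYE|ACK|CANCEL) sip:\S+ SIP/2\.0$")
REQUIRED = ("Via:", "From:", "To:", "Call-ID:", "CSeq:")

GOOD_INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7\r\n"
               "From: <sip:a@198.51.100.7>\r\nTo: <sip:bob@example.net>\r\n"
               "Call-ID: c1\r\nCSeq: 1 INVITE\r\n\r\n")          # constructed
FUZZED = "INVITE sip:bob@example.net SIP/2.0\r\nVia: \x00\x00\r\nFrom: <sip:a@x>\r\n\r\n"

def well_formed(msg: str) -> bool:
    """Minimal sanity check: valid request line and the mandatory headers present."""
    head = msg.split("\r\n\r\n")[0].split("\r\n")
    return bool(REQUEST_LINE.match(head[0])) and all(
        any(h.startswith(r) for h in head[1:]) for r in REQUIRED)

class TrustManager:
    def __init__(self):
        self.tier = defaultdict(lambda: "untrusted")   # every new source starts untrusted
        self.bad = defaultdict(int)                    # malformed count per source
        self.window, self.bucket = None, defaultdict(int)

    def admit(self, src: str, msg: str, now: int) -> str:
        """Return 'accept' or 'drop' for one request from src at second `now`."""
        if now != self.window:                         # fixed one-second window
            self.window, self.bucket = now, defaultdict(int)
        if self.tier[src] == "denied":
            return "drop"
        if not well_formed(msg):                       # drop malformed, remember the source
            self.bad[src] += 1
            if self.bad[src] >= BAD_BEFORE_DENY:
                self.tier[src] = "denied"              # block known malicious source
            return "drop"
        self.bucket[src] += 1
        return "accept" if self.bucket[src] <= LIMITS[self.tier[src]] else "drop"

    def on_success(self, src: str):
        """Success-based trust: a source that completed an authenticated
        REGISTER gets the larger signaling budget."""
        self.tier[src] = "trusted"
```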
IP PBX, SIP proxy & application server DoS/DDoS prevention

Comprehensive security
– Topology hiding protects PBX/UC servers from external exposure/threats
– Private/public address management ensures user privacy

Real-time session control
– Signaling overload protection via rate limiting, load balancing and selective call rejection
– Policy-based admission control

[Diagram: enterprise topology with infected PCs and rogue devices at headquarters, and spammers and zombie PCs on the Internet side]
Viruses & malware can threaten IC endpoints and service infrastructure

SIP MIME attachments are a powerful tool for richer call ID
– vcard text, picture or video

Potential Trojan horse for viruses and worms to general-purpose server-based voice platforms
– SIP softswitch, IMS CSCF, SIP servers, app servers
– SIP PBX
– SIP phones & PCs

New endpoint vulnerabilities
– Embedded web servers – IP phones
– Java apps – liability or asset?

Solution requirements
– Authentication
– SIP message & MIME attachment filtering
– Secure OS environment

[Graphic: worm names – Sobig, Code Red, Nimda, SQL Slammer, Melissa, Klez, Michelangelo, Love Bug]
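The "SIP message & MIME attachment filtering" requirement above, as an added example (not Acme Packet's code): a border filter that keeps only body parts whose media type is on an allow list (SDP and the vCard caller info the slide mentions) and strips everything else before the INVITE reaches the PBX. The allow list and the sample multipart INVITE are constructed.

```python
"""Allow-list filtering of SIP MIME body parts at the border. Added example,
not Acme Packet code; the allow list and the sample INVITE are constructed."""
import re

ALLOWED_TYPES = {"application/sdp", "text/x-vcard", "text/plain"}   # assumed policy

SAMPLE_INVITE = (                                   # constructed multipart INVITE
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "From: <sip:alice@example.com>\r\nTo: <sip:bob@example.net>\r\n"
    "Call-ID: c42\r\nContent-Type: multipart/mixed; boundary=unique-boundary-1\r\n"
    "Content-Length: 999\r\n\r\n"
    "--unique-boundary-1\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 198.51.100.5\r\nm=audio 49170 RTP/AVP 0\r\n"
    "--unique-boundary-1\r\nContent-Type: text/x-vcard\r\n\r\n"
    "BEGIN:VCARD\r\nFN:Alice\r\nEND:VCARD\r\n"
    "--unique-boundary-1\r\nContent-Type: application/octet-stream; name=update.exe\r\n"
    "Content-Disposition: attachment\r\n\r\nMZ\x90\x00...\r\n"
    "--unique-boundary-1--\r\n"
)

def get_header(head: str, name: str) -> str:
    for line in head.split("\r\n"):
        k, _, v = line.partition(":")
        if k.strip().lower() == name.lower():
            return v.strip()
    return ""

def filter_attachments(msg: str):
    """Return (message to forward, list of dropped part types)."""
    head, sep, body = msg.partition("\r\n\r\n")
    ctype = get_header(head, "Content-Type")
    m = re.search(r'boundary="?([^";]+)"?', ctype)
    dropped = []
    if not m:                                       # single-part body
        new_body = body
        if ctype.split(";")[0].strip().lower() not in ALLOWED_TYPES:
            new_body, dropped = "", [ctype]
    else:
        marker = "--" + m.group(1)
        chunks = body.split(marker)                 # [preamble, part..., "--\r\n"]
        kept = [chunks[0]]
        for part in chunks[1:-1]:
            part_head = part.lstrip("\r\n").partition("\r\n\r\n")[0]
            ptype = get_header(part_head, "Content-Type").split(";")[0].strip().lower()
            if ptype in ALLOWED_TYPES:
                kept.append(part)
            else:
                dropped.append(ptype)               # e.g. an executable hidden in a call
        new_body = marker.join(kept) + marker + "--\r\n"
    # Content-Length must match the new body or the PBX parser misreads the message
    head = re.sub(r"(?m)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(new_body.encode())}", head)
    return head + sep + new_body, dropped
```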
SPIT will be annoying, & possible tool for ID theft

Will anonymous, cheap Yahoo subscriber (aka SPITTER) be able to call enterprise employee via Verizon to solicit phone sex, penis enlargement, Viagra pill purchase?

Techniques that won't work
– Access control – static
– Content filtering
– Charging – $/call
– Regulation

Solution requirements
– Access control – dynamic, IDS-like
– Authentication
– Admission control – subscriber limits (#)
– Trust chains – pre-established technical & business relationships
Viruses, malware and SPIT

Real-time threat mitigation
– Wire speed Deep Packet Inspection (DPI)
– Signature rule definition and enforcement

Dynamic behavior learning
– Identifies malicious behavior, e.g. consecutive call ID #'s
– Reduces false positives
– Protocol anomaly detection

Adaptive resource protection
– Individual device trust classification
– Define call, bandwidth limits
– Per device constraints and authorization

[Diagram: enterprise topology with zombie PCs, spammers and malicious users on the Internet side]
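The "consecutive call ID #'s" clue above, as an added example (not Acme Packet's code) run over a constructed call log: a source whose Call-IDs increment one by one, or whose dialled numbers walk a range, is a dialer rather than a person. It generalises the slide's clue slightly by looking at any numeric suffix of the Call-ID and at the dialled numbers; the log format and the run threshold are assumed.

```python
"""Behavioural detection of automated calling from a SIP call log.
Added example, not Acme Packet code; log lines and threshold are constructed."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
12:00:01 198.51.100.7 call-1000@dialer Invite 15551230001
12:00:02 198.51.100.7 call-1001@dialer Invite 15551230002
12:00:03 198.51.100.7 call-1002@dialer Invite 15551230003
12:00:04 198.51.100.7 call-1003@dialer Invite 15551230004
12:00:05 198.51.100.7 call-1004@dialer Invite 15551230005
12:00:09 192.0.2.44 7b3a9f@softphone Invite 15559876543
12:05:31 192.0.2.44 d41d8c@softphone Invite 15551112222
"""                       # constructed: time, source, Call-ID, method, dialled number
LINE = re.compile(r"^\S+ (\S+) (\S+) Invite (\d+)$")
MIN_RUN = 4               # assumed: this many consecutive values flags a source

def numeric_part(call_id: str):
    """Trailing number of the local part of a Call-ID, or None (random IDs)."""
    m = re.search(r"(\d+)$", call_id.split("@")[0])
    return int(m.group(1)) if m else None

def longest_run(values) -> int:
    """Length of the longest run of consecutive increasing integers."""
    best = run = 1 if values else 0
    for a, b in zip(values, values[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def detect_dialers(log: str) -> dict:
    """Map source -> reason for every source whose calls look machine-generated."""
    call_ids, dialled = defaultdict(list), defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, cid, number = m.groups()
        n = numeric_part(cid)
        if n is not None:
            call_ids[src].append(n)
        dialled[src].append(int(number))
    flagged = {}
    for src in set(dialled):
        if longest_run(call_ids[src]) >= MIN_RUN:
            flagged[src] = "sequential Call-IDs"
        elif longest_run(dialled[src]) >= MIN_RUN:
            flagged[src] = "sequential dialled numbers"
    return flagged
```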
Eavesdropping threat is over hyped

Less risk than email – who encrypts email?
– Email is information rich (attachments), voice not
– Email always stored on servers, only voice mail
– Email always stored on endpoints, voice not

Who is REALLY at risk?
– Public company execs – insider trading
– Bad guys – Osama, drug cartels, pedophiles, etc.
– Good guys – law enforcement
– Other luv & moolah scenarios – adultery, ID theft

Solution requirements
– Authentication – subscriber
– End-to-end encryption
  • Signaling (TLS, IPSec)
  • Media (SRTP, IPSec)
Confidentiality and privacy

Secure communications
– Encryption protects signaling and/or media (IPSec, TLS, SRTP)
– Ability to terminate and originate encrypted traffic
– Interworking between SIP/H.323

Create trusted user environment
– User protection via SIP privacy (RFC 3323 & 3325) support
– Endpoint protection via topology hiding and header manipulation

[Diagram: HQ SBC facing PSTN service providers (RTP), the untrusted Internet (SIP/TLS, SRTP), a SOHO branch (IPsec SIP/RTP) and a regional office (IPsec)]
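The "SIP privacy (RFC 3323 & 3325)" bullet above, as an added example (not Acme Packet's code): the SBC, acting as the privacy service at the edge of the trust domain, forwards P-Asserted-Identity to a trusted peer but removes it, anonymises From and strips the satisfied Privacy header when the caller asked for `Privacy: id` and the next hop is untrusted. The trusted-peer list and the sample INVITE are constructed.

```python
"""RFC 3323 Privacy / RFC 3325 P-Asserted-Identity handling at the trust
boundary. Added example, not Acme Packet code; peer list and INVITE constructed."""
TRUSTED_PEERS = {"203.0.113.20"}            # assumed: the carrier SBC inside the Spec(T)
ANONYMOUS_FROM = ' "Anonymous" <sip:anonymous@anonymous.invalid>'   # RFC 3323 s.4.1.1.3

SAMPLE_INVITE = (                           # constructed: call with identity asserted
    "INVITE sip:bob@carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10;branch=z9hG4bK-1\r\n"
    'From: "Alice Smith" <sip:alice@enterprise.example>;tag=9fxced76sl\r\n'
    "To: <sip:bob@carrier.example>\r\n"
    'P-Asserted-Identity: "Alice Smith" <sip:+14155550101@enterprise.example>\r\n'
    "Privacy: id\r\n"
    "Call-ID: 3848276298220188511@enterprise.example\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

def parse(msg: str):
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], [tuple(l.split(":", 1)) for l in lines[1:]], body

def privacy_values(headers) -> set:
    """Privacy header values are ';'-separated (RFC 3323), e.g. 'id;header'."""
    vals = set()
    for name, value in headers:
        if name.lower() == "privacy":
            vals.update(v.strip().lower() for v in value.split(";"))
    return vals

def apply_privacy(msg: str, next_hop: str) -> str:
    """Return msg as it may be forwarded to next_hop."""
    start, headers, body = parse(msg)
    wants_id = "id" in privacy_values(headers)
    if next_hop in TRUSTED_PEERS:           # inside the trust domain nothing changes
        return msg
    out = []
    for name, value in headers:
        key = name.lower()
        if key == "p-asserted-identity" and wants_id:
            continue                        # RFC 3325 s.7: must not leave the Spec(T)
        if key == "privacy":
            continue                        # the request has been honoured here
        if key == "from" and wants_id:
            # anonymous From per RFC 3323; tag kept so the dialog still matches (simplification)
            tag = value.split(";tag=")[1].strip() if ";tag=" in value else None
            value = ANONYMOUS_FROM + (f";tag={tag}" if tag else "")
        out.append(f"{name}:{value}")
    return "\r\n".join([start] + out) + "\r\n\r\n" + body
```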
Acme Packet SBCs in Microsoft OCS architecture

[Diagram: the OCS 2007 topology from the earlier slide, with Acme Packet SBC(s) providing border security in the perimeter toward federated networks (AOL, Yahoo, MSN) on the public Internet, and between the mediation server(s) and the IP PBX / IP trunking side (SIP, H.323, MGCP, SCCP) with its proprietary endpoints. Legend: SIP, media, HTTP, PSOM, IP PBX-E, IP PBX-T, PSTN, archive, other]
Trust & identity

How do you know you are talking to Bank of America?

Web site techniques don't work for IC
– work for many-one, not many-many

Solution requirements
– Authentication, access control
– Trust chains – pre-established technical & business relationships
The future IC net?

[Diagram: the Internet (I) versus the Federnet – federated networks (F) interconnected through Net-Net session border controllers]
Security issues are very complex and multi-dimensional

Security investments are business insurance decisions
– Life – DoS attack protection
– Health – SLA assurance
– Property – service theft protection
– Liability – SPIT & virus protection

Degrees of risk (high to low)
– Internet-connected ITSP
– Facilities-based HIP residential services
– Facilities-based HIP business services
– Peering
– NEVER forget disgruntled Milton from "Office Space"

Session border controllers enable enterprises to insure their success

The leader in session border control for trusted, first class interactive communications