Security Challenges in the Enterprise

January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA • www.ITEXPO.com


Panelists

• Franchesca Walker, Director Enterprise Solutions, Foundry Networks

• Eric Winsborrow, CMO, Sipera Systems

• Shrikant Latkar, Sr. Mgr. Solutions Marketing, Juniper Networks

• Mark Ricca, Sr. Analyst and Founding Partner, IntelliCom Analytics


Security: Continued Strong Growth

[Chart: Integrated Security Solutions Forecast (Global, All Size Businesses). Y axis: revenue in $B, $0 to $6.0; X axis: 2005 through 2010. Annotations: 9.2% CAGR overall, 10.7% CAGR for Remote / SoHo.]


Security Challenges in the Enterprise

Franchesca Walker, Marketing Director of Enterprise Solutions, Foundry Networks, Inc


Many Malicious Attack Vectors & Vulnerabilities at each Layer

[Layered diagram of attack vectors and vulnerabilities.]

Datalink Layer Attacks: L2 DoS attacks, L2 service attacks, L2 rogue services

Network Layer Attacks: L3 DoS attacks, routing protocol attacks, network service attacks

Transport Layer Attacks: UDP/TCP protocol attacks, rogue services, UDP/TCP DoS attacks

Application Attacks: viruses, worms, trojans

Named examples on the slide: ARP poisoning, MAC flood attack, CAM table overflow attack, VLAN hopping, private VLAN attack, VLAN flood attack, DHCP starvation, rogue DHCP & DNS, rogue wireless AP, port DoS attack, ICMP flood attack, ICMP smurf attack, false route injection, BGP TTL security hole, TCP SYN flood attack, TCP ACK flood attack, TCP TTL attack, TCP timestamp attack, malicious TCP packets, port scan, IP port scan, CPU rate attack, SIP DoS attack, SPAM, p2p traffic, SQL Slammer worm, SoBig worm, Melissa virus, Sasser worm, Deep Throat, MyDoom worm, CodeRed worm, Nimda virus & worm.


Converged Voice & Data Security

[Architecture diagram: network switches, routers & access points in the middle; Call Manager, App & Web Servers and NMS above; RADIUS, DNS and DHCP servers and multiple endpoints (IEEE 802.1x + MAC authentication) below. Traffic samples (sFlow) feed a zero-day anomaly IDS and a signature IDS, whose output drives Threat Control; an Access Policy block drives access enforcement. Labelled "sFlow-based Anomaly + Signature Defense", "Closed-Loop Security" and "Open Source Applications".]

Integrated Switch and AP Security Features

• DoS attack protection

• CPU protection

• Rate limiting

• Hardware-based ACLs

• DHCP, ARP, IP spoof protection

• Rogue AP detection & suppression

• Access policy enforcement

• Threat control enforcement

• Embedded sFlow traffic monitoring


Convergence Network Security

• Allow only authorized users on the network

  – Authentication based on IEEE 802.1x, MAC address

• Control who has access to specific resources

  – 802.1q VLANs

• Stop unauthorized traffic without impacting network performance

  – ASIC based, wire-speed ACLs

• Protect against security threats and DoS attacks

  – Network-wide monitoring (e.g. sFlow)

  – Threat detection and mitigation

    • Rate limiting of known packet types

    • Closed-loop mitigation using centralized IDS equipment and applications


Enterprise VoIP Security Challenges

Eric Winsborrow, CMO, Sipera Systems


Risk Management approach to Security

[Chart: Threat Potential (Y axis) against Security Priority and Spending (X axis). Two curves, "VoIP 1.0 (closed) Risk Profile" and "VoIP 2.0 (open) Risk Profile", annotated with "Lower Risk Profile and Prioritization", "Optimum Prioritization" and "Point of Diminishing Returns".]


The Need to Extend VoIP

[Network diagram: Voice/Data Center(s) with IP PBXs at Headquarters, connected over WAN/VISP, the Internet (SIP trunk via a VISP) and the PSTN to Branch(es), Remote worker, Mobile worker and Soft phones.]


Extending VoIP - Challenges

[Same network diagram as the previous slide: Voice/Data Center(s) with IP PBXs at Headquarters, WAN/VISP, Internet (SIP trunk via a VISP), PSTN, Branch(es), Remote worker, Mobile worker, Soft phones. Threat sources shown: Spammer, Hacker, Rogue Device, Rogue Employee, Infected PC.]

Challenges called out:

• Opening a wide range of IP/UDP ports violates security policy

• Confidentiality/privacy of signaling & media

• Strong authentication of device & user

• Policy enforcement & access control

• Phone configuration & management

• Protect IP PBX & phones

• Refresh UDP pinhole in remote/home firewall


Risk Management approach to VoIP/UC

[Cycle: Establish POLICY → Assess RISK → Implement PROTECTION → Manage COMPLIANCE, with ACCESS as the common element.]

Secure Access

• Strong User authentication

• Call Admission Control

• Firewall/NAT traversal

• Privacy and Encryption

• Secure firewall channel

Sipera VIPER Labs

• Vulnerability Research

• Threat signature development

• LAVA Tools

Sipera VIPER Consulting

• VoIP/UC vulnerability assessment

• Best practices consultation

• Security workshops

Comprehensive Protection for real-time communications

• DoS/Floods prevention

• Fuzzing prevention

• Anomaly detection/Zero-Day attacks

• Stealth attacks

• Spoofing prevention

• Reconnaissance prevention

• VoIP Spam

Policy Compliance

• Call routing policies

• Whitelists/Blacklists

• Fine-Grained Policies by User, Device, Network, ToD

• Application controls

• IM logging and content filtering

• Compliance reporting


Conclusion

• Benefits of Unified Communications increase if the VoIP network is extended

• But an enterprise needs to solve many issues

  – Privacy and authentication; firewall/NAT traversal; policy enforcement; VoIP application layer threats

• A Security Risk Management approach is needed

  – Elevate VoIP/UC in priority if using SIP or extending VoIP

  – Engage experts for best practices and risk evaluation

  – Create policies and protection specific to VoIP/UC


VoIP Security

IT Expo East 2008

Shrikant [email protected]


Concerns when Deploying VoIP

[Bar chart: percentage of respondents (Y axis, 0 to 45) naming each concern (X axis): Security, Quality, Interoperability, Resources, Budget.]

• Security: concerns about security

• Quality: systems for managing and troubleshooting VoIP quality

• Interoperability: concerns about interoperability between vendors' equipment

• Resources: not enough people to plan, design, implement, and manage VoIP

• Budget: lack of budget

Source: 2005/2006 VoIP State of the Market Report, produced by Webtorials


Evolving SIP Security

• Exploits will become more "creative": newer exploits are at Layer 7

• Current security doesn't address all attacks

  – SBCs cannot defend against many SIP vulnerabilities as the attack levels scale/grow

[Diagram: defense layers against progressively smarter attacks. Most Attacks: router filters, IP spoof detection, DoS filters. Smarter Attacks: stateful firewall, protocol ALG. Smartest Attacks: application-aware intrusion prevention.]

Need to evolve security to be scalable and more attack aware

• Customized attack defenses, specific for your environment

• Rapid time between exploit found and defense deployed

• Able to handle high volumes of attacking packets


Firewall

• Protocols: SIP, H323 (RAS, Q931, H245), MGCP, Skinny

• Identification: done by L4 port number (static)

• Functions: NAT, state checks, pinhole, anomalies, drop malformed packets

• VoIP session correlation (beyond L3/L4)

• Application screening: flood attacks

• Coarser control: enable/disable all checks

IPS/IDP

• Protocols: SIP, H225RAS, H225SGN, MGCP

• Identification: based on application data (PIAI)

• Functions: protocol state, anomalies (more than FW checks); SIP sigs > 50

• Custom signatures can be done

• Logging (provides visibility)

• Flexibility in enabling signatures driven by policy


Defense Against VoIP Security Threats

VoIP Security Threat | Ramifications | Defense Technology

Unauthorized access to PBX or voice mail system | Hacker listens to voice mails, accesses call logs, company directories, etc. | Zones, ALGs, policy-based access control

DoS attack on PBX, IP phone or gateway | All voice communications fail | FW with SIP attack protection; IPS with SIP sigs/protocol anomaly

Toll fraud | Hacker utilizes PBX for long-distance calling, increasing costs | VPNs, encryption (IPSec or other)

Eavesdropping or man-in-the-middle attack | Voice conversations unknowingly intercepted and altered | VPNs, encryption (IPSec or other)

Worms/trojans/viruses on IP phones, PBX | Infected PBX and/or phones rendered useless, spread problems throughout network | Policy based access control; IPS with SIP protocol anomaly and stateful signatures

IP phone spam | Lost productivity and annoyance | FW/ALGs, SIP attack prevention, SIP source IP limitations, UDP flood protection
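As an added example (not from the slides or from Juniper), the two screening steps the deck attributes to a SIP-aware firewall/IPS, dropping malformed SIP requests (the Firewall/IPS comparison above) and limiting INVITEs per source IP (the IP phone spam and DoS rows of the table), in Python; the SIP messages, addresses and the five-per-second cap are constructed for the example.

```python
import re
from collections import defaultdict, deque
REQUEST_LINE = re.compile(r"^(INVITE|ACK|BYE|CANCEL|OPTIONS|REGISTER) (sips?:\S+) SIP/2\.0$")
CSEQ = re.compile(r"^\d+ (INVITE|ACK|BYE|CANCEL|OPTIONS|REGISTER)$")
MANDATORY = ("via", "from", "to", "call-id", "cseq")   # RFC 3261 core request headers

def parse_request(raw):
    """Return (method, headers) or raise ValueError for a malformed request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if line == "":                            # blank line ends the header block
            break
        if ":" not in line:
            raise ValueError("malformed header line")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if any(h not in headers for h in MANDATORY):
        raise ValueError("missing mandatory header")
    c = CSEQ.match(headers["cseq"])
    if not c or c.group(1) != m.group(1):         # state check: CSeq must name the method
        raise ValueError("CSeq method does not match request line")
    return m.group(1), headers

def screen(packets, max_invites=5, window_s=1.0):
    """packets: (timestamp, src_ip, raw_sip) tuples -> list of (verdict, reason)."""
    recent, out = defaultdict(deque), []          # per-source INVITE timestamps
    for ts, src, raw in packets:
        try:
            method, _ = parse_request(raw)
        except ValueError as err:
            out.append(("DROP", "malformed: " + str(err)))
            continue
        if method == "INVITE":                    # sliding-window cap per source IP
            q = recent[src]
            while q and ts - q[0] > window_s:
                q.popleft()
            q.append(ts)
            if len(q) > max_invites:
                out.append(("DROP", "INVITE flood from " + src))
                continue
        out.append(("PASS", method))
    return out
# Constructed sample: a valid INVITE, a CSeq/method mismatch, then 7 INVITEs in 0.5 s from one source.
GOOD = ("INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5;branch=z9hG4bK1\r\n"
        "From: <sip:alice@example.com>;tag=1\r\nTo: <sip:bob@example.com>\r\nCall-ID: abc@10.0.0.5\r\nCSeq: 1 INVITE\r\n\r\n")
BAD = GOOD.replace("CSeq: 1 INVITE", "CSeq: 1 BYE")
SAMPLE = [(0.0, "10.0.0.5", GOOD), (0.1, "10.0.0.5", BAD)] + [(0.2 + 0.05 * i, "192.0.2.9", GOOD) for i in range(7)]
```

`screen(SAMPLE)` passes the first INVITE, drops the mismatched one as malformed, and drops the sixth and seventh INVITEs from 192.0.2.9 as a flood; a production device would additionally check Via, Max-Forwards and the SDP body, which this example leaves out.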


Additional VoIP resources available at

www.juniper.net

Q & A