Security Challenges in the Enterprise
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA www.ITEXPO.com
Panelists
• Franchesca Walker, Director Enterprise Solutions, Foundry Networks
• Eric Winsborrow, CMO, Sipera Systems
• Shrikant Latkar, Sr. Mgr. Solutions Marketing, Juniper Networks
• Mark Ricca, Sr. Analyst and Founding Partner, IntelliCom Analytics
Security: Continued Strong Growth
[Chart: Integrated Security Solutions Forecast (Global, All Size Businesses). Revenue in $B (y-axis, $0 to $6.0) by year, 2005 to 2010. Labelled growth rates: 9.2% CAGR overall, 10.7% CAGR for Remote / SoHo.]
Security Challenges in the Enterprise
Franchesca Walker, Marketing Director of Enterprise Solutions, Foundry Networks, Inc.
Many Malicious Attack Vectors & Vulnerabilities at each Layer
[Figure: attack examples placed by layer. Layers shown: datalink layer attacks, network layer attacks, transport layer attacks, application attacks. Category labels on the slide: viruses, worms, trojans; UDP/TCP protocol attacks, rogue services, UDP/TCP DoS attacks; routing protocol attacks, network service attacks; L2 DoS attacks, L2 service attacks, L2 rogue services; L3 DoS attacks.]
Attacks named on the slide: ARP poisoning, MAC flood attack, CAM table overflow attack, VLAN hopping, private VLAN attack, VLAN flood attack, DHCP starvation, rogue DHCP & DNS, rogue wireless AP, port DoS attack, ICMP flood attack, ICMP smurf attack, false route injection, BGP TTL security hole, TCP SYN flood attack, TCP ACK flood attack, malicious TCP packets, TCP TTL attack, TCP timestamp attack, port scan, IP port scan, CPU rate attack, p2p traffic, SPAM, SIP DoS attack, SQL Slammer worm, SoBig worm, Melissa virus, Sasser worm, Deep Throat, MyDoom worm, CodeRed worm, Nimda virus & worm.
Converged Voice & Data Security
[Figure: closed-loop security architecture. Components: network switches, routers and access points; multiple endpoints authenticated with IEEE 802.1x + MAC authentication; RADIUS, DNS, DHCP; call manager; app & web servers; NMS; open-source applications. Traffic samples (sFlow) from the switches feed a zero-day anomaly IDS and a signature IDS; threat control and access policy flow back to the infrastructure (closed-loop security).]
Integrated switch and AP security features:
• DoS attack protection
• CPU protection
• Rate limiting
• Hardware-based ACLs
• DHCP, ARP, IP spoof protection
• Rogue AP detection & suppression
• Access policy enforcement
• Threat control enforcement
• Embedded sFlow traffic monitoring
sFlow-based anomaly + signature defense
Convergence Network Security
• Allow only authorized users on the network
– Authentication based on IEEE 802.1x, MAC address
• Control who has access to specific resources
– 802.1q VLANs
• Stop unauthorized traffic without impacting network performance
– ASIC-based, wire-speed ACLs
• Protect against security threats and DoS attacks
– Network-wide monitoring (e.g. sFlow)
– Threat detection and mitigation
– Rate limiting of known packet types
– Closed-loop mitigation using centralized IDS equipment and applications
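The closed loop described on this slide (sample traffic with sFlow, detect anomalies at a central collector, push mitigation back to the switch as a hardware ACL) can be sketched in code. The following is an added example, not Foundry's software: the flow-record layout, the 1-in-512 sampling rate, the SYN-rate and port-count thresholds, and the access-list syntax are all assumptions, and the sample records are constructed.

```python
"""Closed-loop mitigation over sFlow-style sampled flow records.

Added example, not Foundry's code. A collector scores each source address
for SYN-flood and port-scan behaviour from packet samples and renders
deny entries for the offenders: the 'detect centrally, enforce in
hardware' loop the slide describes. Record layout, sampling rate,
thresholds and ACL syntax are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLING_RATE = 512        # assumed: switch exports 1 of every 512 packets
WINDOW_SECONDS = 60        # assumed: the samples below cover one minute
SYN_PPS_THRESHOLD = 2000   # assumed: estimated SYN-only packets/s per source
SCAN_PORT_THRESHOLD = 50   # assumed: distinct destination ports per source


@dataclass(frozen=True)
class FlowSample:
    """One sampled packet header as a collector would see it."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    tcp_flags: str   # e.g. "S", "SA", "A"; empty for UDP


def syn_only(sample: FlowSample) -> bool:
    """Bare SYN with no ACK: the building block of a SYN flood."""
    return sample.proto == "tcp" and sample.tcp_flags == "S"


def analyse(samples, sampling_rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Return {src_ip: set(reasons)} for sources that look anomalous."""
    syn_count = defaultdict(int)
    dst_ports = defaultdict(set)
    for s in samples:
        if syn_only(s):
            syn_count[s.src_ip] += 1
        dst_ports[s.src_ip].add(s.dst_port)
    verdicts = defaultdict(set)
    for src, n in syn_count.items():
        # scale the sample count back up to an estimated packet rate
        if n * sampling_rate / window >= SYN_PPS_THRESHOLD:
            verdicts[src].add("syn-flood")
    for src, ports in dst_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            verdicts[src].add("port-scan")
    return dict(verdicts)


def acl_lines(verdicts):
    """Render deny entries in a generic access-list style (assumed syntax)."""
    return [
        f"access-list 101 deny ip host {src} any  ! {','.join(sorted(why))}"
        for src, why in sorted(verdicts.items())
    ]


def sample_traffic():
    """Constructed samples: one normal host, one SYN flooder, one scanner."""
    normal = [FlowSample("10.0.0.5", "10.0.1.80", 443, "tcp", "A") for _ in range(5)]
    # 300 sampled SYNs * 512 / 60 s = 2560 pkt/s estimated, above threshold
    flood = [FlowSample("10.0.0.66", "10.0.1.80", 80, "tcp", "S") for _ in range(300)]
    # 60 distinct ports at 512 pkt/s estimated: a scan, not a flood
    scan = [FlowSample("10.0.0.77", "10.0.1.80", 1000 + p, "tcp", "S") for p in range(60)]
    return normal + flood + scan


if __name__ == "__main__":
    for line in acl_lines(analyse(sample_traffic())):
        print(line)
```

The scaling step matters in practice: a 1-in-N sampler under-reports absolute counts, so thresholds must be applied to the estimated rate, not the raw sample count, or a flood will be missed on a busy link. In a real deployment the rendered entries would be pushed to the switch by the NMS and expired after a quiet period so that a spoofed source cannot permanently lock out a legitimate host.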
Enterprise VoIP Security Challenges
Eric Winsborrow, CMO, Sipera Systems
Risk Management approach to Security
[Chart: threat potential (y-axis) against security priority and spending (x-axis), with two curves, the VoIP 1.0 (closed) risk profile and the VoIP 2.0 (open) risk profile. Annotations: "Lower Risk Profile and Prioritization", "Optimum Prioritization", "Point of Diminishing Returns".]
The Need to Extend VoIP
[Figure: headquarters and voice/data center(s) with IP PBXs, connected over WAN/VISP, the Internet and the PSTN to branch(es), remote workers, mobile workers and soft phones, plus a SIP trunk via a VISP.]
Extending VoIP - Challenges
[Figure: the same extended VoIP topology (headquarters and voice/data center(s) with IP PBXs; WAN/VISP, Internet, PSTN, VISP; branch(es), remote workers, mobile workers, soft phones, SIP trunk), annotated with threat sources: spammer, hacker, rogue device, rogue employee, infected PC.]
Challenges called out:
• Opening a wide range of IP/UDP ports violates security policy
• Confidentiality/privacy of signaling & media
• Strong authentication of device & user
• Policy enforcement & access control
• Phone configuration & management
• Protect IP PBX & phones
• Refresh UDP pinhole in remote/home firewall
Risk Management approach to VoIP/UC
[Figure: a cycle of Establish POLICY → Assess RISK → Implement PROTECTION → Manage COMPLIANCE, with ACCESS at the center.]
Secure Access
• Strong user authentication
• Call Admission Control
• Firewall/NAT traversal
• Privacy and encryption
• Secure firewall channel
Sipera VIPER Labs
• Vulnerability research
• Threat signature development
• LAVA Tools
Sipera VIPER Consulting
• VoIP/UC vulnerability assessment
• Best practices consultation
• Security workshops
Comprehensive Protection for real-time communications
• DoS/floods prevention
• Fuzzing prevention
• Anomaly detection/zero-day attacks
• Stealth attacks
• Spoofing prevention
• Reconnaissance prevention
• VoIP spam
Policy Compliance
• Call routing policies
• Whitelists/blacklists
• Fine-grained policies by user, device, network, ToD
• Application controls
• IM logging and content filtering
• Compliance reporting
Conclusion
• Benefits of Unified Communications increase if the VoIP network is extended
• But an enterprise needs to solve many issues
– Privacy and authentication; firewall/NAT traversal; policy enforcement; VoIP application layer threats
• A Security Risk Management approach is needed
– Elevate VoIP/UC in priority if using SIP or extending VoIP
– Engage experts for best practices and risk evaluation
– Create policies and protection specific to VoIP/UC
Concerns when Deploying VoIP
[Bar chart: percentage of respondents (y-axis, 0 to 45) by concern. Categories: Security (concerns about security); Quality (systems for managing and troubleshooting VoIP quality); Interoperability (concerns about interoperability between vendors' equipment); Resources (not enough people to plan, design, implement, and manage VoIP); Budget (lack of budget).]
Source: 2005/2006 VoIP State of the Market Report, produced by Webtorials
Evolving SIP Security
• Exploits will become more “creative” - newer exploits are at Layer 7
• Current security doesn’t address all attacks
– SBCs cannot defend against many SIP vulnerabilities as the attack levels scale/grow
[Figure: attacks of increasing sophistication (most attacks, smarter attacks, smartest attacks) paired with escalating defenses: router filters, IP spoof detection and DoS filters; stateful firewall and protocol ALG; application-aware intrusion prevention.]
Need to evolve security to be scalable and more attack aware:
• Customized attack defenses, specific for your environment
• Rapid time between exploit found and defense deployed
• Able to handle high volumes of attacking packets
Firewall
• Protocols: SIP, H323 (RAS, Q931, H245), MGCP, Skinny
• Identification: done by L4 port number (static)
• Functions: NAT, state checks, pinhole, anomalies, drop malformed packets
• VoIP session correlation (beyond L3/L4)
• Application screening: flood attacks
• Coarser control: enable/disable all checks
IPS/IDP
• Protocols: SIP, H225RAS, H225SGN, MGCP
• Identification: based on application data (PIAI)
• Functions: protocol state, anomalies (more than FW checks); SIP sigs > 50
• Custom signatures can be done
• Logging (provides visibility)
• Flexibility in enabling signatures driven by policy
Defense Against VoIP Security Threats
[Table: VoIP security threat, ramifications, defense technology]
• Unauthorized access to PBX or voice mail system
– Ramifications: hacker listens to voice mails, accesses call logs, company directories, etc.
– Defense: zones, ALGs, policy-based access control
• DoS attack on PBX, IP phone or gateway
– Ramifications: all voice communications fail
– Defense: FW with SIP attack protection; IPS with SIP sigs/protocol anomaly
• Toll fraud
– Ramifications: hacker utilizes PBX for long-distance calling, increasing costs
– Defense: policy-based access control
• Eavesdropping or man-in-the-middle attack
– Ramifications: voice conversations unknowingly intercepted and altered
– Defense: VPNs, encryption (IPSec or other)
• Worms/trojans/viruses on IP phones, PBX
– Ramifications: infected PBX and/or phones rendered useless, spread problems throughout network
– Defense: IPS with SIP protocol anomaly and stateful signatures
• IP phone spam
– Ramifications: lost productivity and annoyance
– Defense: FW/ALGs, SIP attack prevention, SIP source IP limitations, UDP flood protection
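To make concrete what the firewall/IPS comparison and the defense table mean by dropping malformed SIP messages, checking protocol state and applying per-source limits, here is an added example (not Juniper's code) of a small SIP request screener. The mandatory-header list follows the SIP base specification; the INVITE flood threshold, the source addresses and the sample messages are constructed for illustration, and header matching is deliberately simplified (case-sensitive names, no compact header forms).

```python
"""SIP request screening: malformed-message drop plus per-source flood count.

Added example, not Juniper's code. It applies a few of the checks the
firewall/IPS comparison names: mandatory headers present, CSeq method
consistent with the request line, numeric Max-Forwards, and a per-source
INVITE count to spot a flood. The flood threshold, addresses and messages
are constructed; header matching is simplified (case-sensitive, no compact
header forms).
"""
import re
from collections import Counter

MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
INVITE_FLOOD_THRESHOLD = 20   # assumed: INVITEs per source per window


def parse_request(raw):
    """Return (method, headers); raise ValueError on a malformed request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"bad header line: {line!r}")
        name, value = line.split(":", 1)
        headers.setdefault(name.strip(), value.strip())  # keep the first Via etc.
    return m.group(1), headers


def anomalies(raw):
    """List protocol anomalies in one request; an empty list means clean."""
    try:
        method, h = parse_request(raw)
    except ValueError as e:
        return [str(e)]
    found = [f"missing {name}" for name in MANDATORY if name not in h]
    if "CSeq" in h:
        parts = h["CSeq"].split()
        if len(parts) != 2 or not parts[0].isdigit():
            found.append("malformed CSeq")
        elif parts[1] != method:
            found.append("CSeq method mismatch")
    if "Max-Forwards" in h and not h["Max-Forwards"].isdigit():
        found.append("non-numeric Max-Forwards")
    return found


def screen(messages):
    """messages: iterable of (src_ip, raw). Return (dropped, flood_sources)."""
    dropped = []
    invites = Counter()
    for src, raw in messages:
        problems = anomalies(raw)
        if problems:
            dropped.append((src, problems))
            continue
        method, _ = parse_request(raw)
        if method == "INVITE":
            invites[src] += 1
    flood = sorted(s for s, n in invites.items() if n >= INVITE_FLOOD_THRESHOLD)
    return dropped, flood


def make_invite(call_id, cseq="1 INVITE", max_forwards="70"):
    """Constructed, well-formed INVITE with the fields under test parameterised."""
    return (
        "INVITE sip:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
        "From: <sip:alice@example.com>;tag=1928\r\n"
        "To: <sip:bob@example.com>\r\n"
        f"Call-ID: {call_id}\r\n"
        f"CSeq: {cseq}\r\n"
        f"Max-Forwards: {max_forwards}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def sample_traffic():
    """Constructed traffic: clean calls, three malformed requests, one flood."""
    clean = [("192.0.2.10", make_invite(f"ok-{i}")) for i in range(3)]
    malformed = [
        ("192.0.2.20", make_invite("m1", cseq="1 REGISTER")),
        ("192.0.2.20", make_invite("m2", max_forwards="seventy")),
        ("192.0.2.20", "INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.20\r\n\r\n"),
    ]
    flood = [("198.51.100.7", make_invite(f"fl-{i}")) for i in range(25)]
    return clean + malformed + flood


if __name__ == "__main__":
    dropped, flood = screen(sample_traffic())
    for src, why in dropped:
        print(f"drop from {src}: {', '.join(why)}")
    print("flood sources:", flood)
```

The split between the two functions mirrors the slides: `anomalies` is the per-packet, stateless work a firewall or ALG does (syntax and field consistency), while `screen` keeps cross-message state per source, which is where the IPS-style flood and protocol-state checks live. A production screener would additionally treat header names case-insensitively, accept compact forms (`v:`, `f:`, `t:`, `i:`), and expire the per-source counters on a sliding window.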
Additional VoIP resources available at www.juniper.net
Q & A