©2013 Avaya Inc. All rights reserved February 26-28, 2013 | Orlando, FL

Post on 31-Mar-2015


Page 1:

Page 2:

#AvayaATF

Securing the UC Network

Terry Pierson, Consulting System Engineer, UC Security - Avaya

Page 3:

Agenda

• UC Security – Why it matters
• VIPER Lab
• Avaya SBC for Enterprise
• Use Cases
  • SIP Trunks – Standard License
  • Remote Worker – Advanced License
• SBC Update
• Resources
• Q & A

Page 4:

More Collaboration and Mobile Devices… More Enterprise Security Threats

• Denial of Service
  • Call/registration overload
  • Malformed messages, aka "fuzzing"
• Configuration errors
  • Mis-configured devices
  • Operator and application errors
• Theft of service
  • Unauthorized users
  • Unauthorized media types
• Viruses and SPIT
  • Viruses via SIP messages
  • Malware via IM sessions
  • SPIT – unwanted traffic
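The overload and malformed-message threats listed above are the kind of events an SBC's intrusion reporting surfaces. As an added example that is not part of the Avaya deck, here is a small Python detector that runs over constructed SIP signaling log lines (the line format, the thresholds and the source addresses are all assumptions made for this example) and flags registration floods, repeated authentication failures and malformed requests per source.

```python
"""Added example, not from the Avaya deck: scan constructed SIP signaling log
lines for registration overload, repeated authentication failures (theft of
service attempts) and malformed requests, reporting per-source findings."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format (constructed for this example, not Avaya SBCE output):
#   "<ISO-8601 time> <source IP> <SIP method> <request URI> <response status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)

# Request methods defined by RFC 3261 and its common extensions.
SIP_METHODS = {
    "INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "SUBSCRIBE",
    "NOTIFY", "INFO", "UPDATE", "PRACK", "REFER", "MESSAGE", "PUBLISH",
}

# Constructed sample: one normal client (198.51.100.10), one source hammering
# REGISTER with bad credentials (203.0.113.5) and one fuzzed INVITE (203.0.113.7).
SAMPLE_LOG = "\n".join([
    "2013-02-26T10:00:00 198.51.100.10 REGISTER sip:example.com 401",
    "2013-02-26T10:00:01 198.51.100.10 REGISTER sip:example.com 200",
    "2013-02-26T10:00:05 203.0.113.5 REGISTER sip:example.com 401",
    "2013-02-26T10:00:05 203.0.113.5 REGISTER sip:example.com 401",
    "2013-02-26T10:00:06 203.0.113.5 REGISTER sip:example.com 401",
    "2013-02-26T10:00:06 203.0.113.5 REGISTER sip:example.com 401",
    "2013-02-26T10:00:07 203.0.113.5 REGISTER sip:example.com 401",
    "2013-02-26T10:00:07 203.0.113.5 REGISTER sip:example.com 401",
    "2013-02-26T10:00:08 203.0.113.5 REGISTER sip:example.com 403",
    "2013-02-26T10:00:20 203.0.113.7 INVITE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 400",
    "2013-02-26T10:00:21 198.51.100.10 INVITE sip:2001@example.com 200",
])


def parse_line(line):
    """Return the fields of a well-formed log line, or None if it cannot be parsed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text, reg_threshold=5, window_seconds=10, auth_fail_threshold=3):
    """Return a list of (finding, source_ip, line_number) tuples.

    Thresholds are assumptions for the example, not Avaya defaults:
    - more than reg_threshold REGISTERs from one source inside window_seconds
      is reported once as registration overload;
    - auth_fail_threshold consecutive 401/403 answers to REGISTER without a
      200 in between is reported once as repeated authentication failure
      (a single 401 challenge per registration is normal digest behaviour);
    - an unknown method or a request URI that is not sip:/sips: is reported
      as a malformed message.
    """
    findings = []
    recent_registers = defaultdict(deque)  # src -> REGISTER timestamps in window
    auth_failures = defaultdict(int)       # src -> consecutive 401/403 count
    overload_reported = set()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable-line", None, lineno))
            continue
        src = rec["src"]
        if rec["method"] not in SIP_METHODS or not rec["uri"].startswith(("sip:", "sips:")):
            findings.append(("malformed-message", src, lineno))
            continue
        if rec["method"] != "REGISTER":
            continue
        window = recent_registers[src]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > reg_threshold and src not in overload_reported:
            overload_reported.add(src)
            findings.append(("registration-overload", src, lineno))
        if rec["status"] in (401, 403):
            auth_failures[src] += 1
            if auth_failures[src] == auth_fail_threshold:
                findings.append(("repeated-auth-failure", src, lineno))
        elif rec["status"] == 200:
            auth_failures[src] = 0  # successful registration clears the streak
    return findings


if __name__ == "__main__":
    for finding, src, lineno in analyse(SAMPLE_LOG):
        print(f"line {lineno}: {finding} from {src}")
```

Each finding is reported once per source so that a flood does not itself flood the report; the thresholds would be tuned to the registration refresh interval and client population of a real deployment.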

Chart: Enterprise Adoption of Collaboration Tools (Source: Nemertes Research)

Page 5:

Unified Communications Security – Should You Care?

• Credit card privacy rules: other compliance laws require security architecture specific to VoIP and other UC. [1]
• 50% increase: "VoIP hacking at new levels" [2]
• Up to 25% of attacks: VoIP scanning – botnets, Cloud used for VoIP fraud [3]
• Reduce deployments by 1/3: VoIP/UC security reduces VoIP/UC deployment time by one third [4]
• Toll fraud: yearly enterprise losses in billions from inadequate securing of SIP trunks, UC and VoIP applications [5]

Page 6:

OSI Model: 7 Layers of Attacks

• Typical firewall protection: Layer 3-4 protection (3 to 4 foot hurdle)
• Email spam filters: layer 7 application-specific email firewall
• SIP, VoIP, UC: layer 4 to layer 7 application
  • SIP Trunking - a trunk side application
  • SIP Line (phone) side (internal and external) access - another application
• Attackers/Exploiters look for:
  • High/growing adoption
  • Protection not yet available… VoIP/UC

OSI Model

Data Unit         Layer             Function
Host Layers
Data              7. Application    Network process to application
Data              6. Presentation   Data representation, encryption and decryption, convert machine dependent data to machine independent data
Data              5. Session        Interhost communication
Segments          4. Transport      End-to-end connections and reliability, flow control
Media Layers
Packet/Datagram   3. Network        Path determination and logical addressing
Frame             2. Data Link      Physical addressing
Bit               1. Physical       Media, signal and binary transmission

Source: Wikipedia on 22Jul2011: http://en.wikipedia.org/wiki/OSI_Model

Avaya SBCE provides a VoIP/UC trunk/line side layer 4-7 application protection

Think of the OSI model as a 7 foot high jump

Page 7:

VIPER Lab

• Industry Recognized UC Security Experts: recognized UC Security SMEs by SANS, Dept of Justice, and other US Gov agencies, external organizations like DefCon and Infoseek
• Leading Edge UC Security Research: 10 years of extensive research, using worldwide honeypots, Enterprise networks, etc.
• Experienced audit and assessment team: VIPER is an experienced Security assessment team, having completed over 100 network or application assessments

Page 8:

Best Practices vs an Assessment

• Best Practices
  • Lock your doors at night
  • Lock your windows
  • Enable your home alarm system
  • You've followed best practices and you're safe! Or are you?

• A Security Assessment
  • Your locked doors use an easy to pick lock type
  • Your door frame is thin and one kick could open it
  • Your windows can be unlocked from the outside with a screwdriver
  • Your phone line can be cut, stopping your alarm from reaching the police

A proper security assessment validates the implementation of a best practice—and often reveals many weaknesses!

Page 9:

What does an Audit consist of?

• An audit usually takes the form of a "UC Penetration Test"
• It typically consists of the following process:
  • VIPER will review the business and understand VoIP/UC application flow
  • Will tailor a set of unique security test cases, for penetration testing, that are unique to that customer's infrastructure
  • Perform network discovery and reconnaissance
  • Will spend 1 – 5 weeks doing technical security testing
  • Will develop the security report, typically 1 – 2 weeks

Page 10:

Evolving and Protecting – VIPER Lab

• Uncover vulnerabilities in next-generation, multi-vendor networking environments
• Proactively identifying and preparing defenses beyond your network borders
• Vulnerability Assessments improve security architectures and enhance compliance
• State-of-the-art research facility with expert vulnerability assessment professionals
• Open Source UC Security Self-Assessment Tools

Page 11:

The Solution – Session Border Controller

• Enforce your unique security policies
• Focus on enterprise security
• SIP trunk provider's own SBC
• Network topology invisible to external threats
• Limits multivendor environment interoperability concerns
• Independence from Service Provider
• Normalization point for signaling / RTP media streams
• Multiple SIP trunk provider access points
• Support enterprise-specific call flows
• Report on intrusion attempts
• Session recording
• Remote Worker

Slide themes: Safety, Security, Flexibility, Accountability

Page 12:

The SBC Protects & Defends the Avaya Core

• The SBC is not just about SIP Trunks and Remote Endpoints – it’s about Avaya’s future.

• Acme, Sonus, and most other 3rd party players are moving into the Enterprise with SBCs –AND- with Session Management offerings.

• Allowing 3rd Party wins with SBC deals opens the door for them to capture the Core with their SM offerings and sequenced applications before it ever gets to an Avaya system

• Selling the Avaya SBCE protects Avaya’s Core Business and extends Avaya Aura solutions with secure and borderless Enterprise communication applications.

Page 13:

ASBCE 6.2 System Capacity

• Session Border Controller capacities are rated in Simultaneous Sessions
  • A simultaneous session = a communication session between 2 SIP endpoints
  • Can think of it as analogous to a DS0 in the 'old world'
• Key for engineering is to understand the number of sessions required in the solution
  • For Secure SIP trunking, look at the number of TDM DS0s required
  • For Remote Worker, calculate required call volumes

Capacity in Simultaneous Sessions

Platform                Max Capacity w/o Encryption    Max Capacity with Encryption
                        HA           SA                SA
Portwell CAD-0208       1000         1000              250
(not named on slide)    2000         2000              500

'Rules of Thumb'
• SIP trunking usually 5 users per session
• Must account for higher ratio in small
• Remote Worker must consider both on-net and off-net requirements
• Remember Encryption Services impact capacity
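To turn the rules of thumb above into a repeatable sizing check, here is an added Python example that is not from the Avaya deck. It encodes the capacity table as printed on the slide (the second, unnamed platform row is kept under a placeholder name), and the function names, the remote-worker call-volume input and the example scenario are this example's own assumptions; it reports which platform and mode can carry a given load and with how much headroom.

```python
"""Added example, not from the Avaya deck: size an SBC deployment from the
slide's rules of thumb and its simultaneous-session capacity table."""
import math

# Capacity in simultaneous sessions, transcribed from the slide. Keys are
# (mode, encrypted): the slide gives HA and SA figures without encryption and
# an SA figure with encryption only. Only the first row is named on the slide;
# the second row's platform name is a placeholder (assumption).
CAPACITY = {
    "Portwell CAD-0208": {
        ("HA", False): 1000, ("SA", False): 1000, ("SA", True): 250,
    },
    "<second platform, unnamed on slide>": {
        ("HA", False): 2000, ("SA", False): 2000, ("SA", True): 500,
    },
}

USERS_PER_TRUNK_SESSION = 5  # slide rule of thumb for SIP trunking


def trunk_sessions(users=None, tdm_ds0s=None, users_per_session=USERS_PER_TRUNK_SESSION):
    """Sessions needed for secure SIP trunking.

    When the trunk replaces TDM, the slide says to use the DS0 count directly;
    otherwise apply the users-per-session ratio, which is a parameter because
    the slide warns that some deployments need a higher ratio.
    """
    if tdm_ds0s is not None:
        return tdm_ds0s
    if users is None:
        raise ValueError("give either tdm_ds0s or users")
    if users_per_session <= 0:
        raise ValueError("users_per_session must be positive")
    return math.ceil(users / users_per_session)


def required_sessions(trunk, remote_worker_calls=0):
    """Total simultaneous sessions: trunk sessions plus the remote-worker call
    volume the engineer has calculated (on-net and off-net together)."""
    return trunk + remote_worker_calls


def size_sbc(sessions, encrypted, high_availability=False):
    """For each platform in the slide's table, report the applicable limit,
    whether the load fits, and the headroom. A combination the slide gives no
    figure for (HA with encryption) is reported as None rather than guessed."""
    mode = "HA" if high_availability else "SA"
    report = {}
    for platform, table in CAPACITY.items():
        limit = table.get((mode, encrypted))
        if limit is None:
            report[platform] = None
            continue
        report[platform] = {
            "limit": limit,
            "fits": sessions <= limit,
            "headroom": limit - sessions,
        }
    return report


if __name__ == "__main__":
    # Constructed scenario: 1200 trunk users plus 100 concurrent remote-worker
    # calls, with encryption enabled on a single (SA) appliance.
    load = required_sessions(trunk_sessions(users=1200), remote_worker_calls=100)
    print("sessions required:", load)
    for platform, verdict in size_sbc(load, encrypted=True).items():
        print(platform, verdict)
```

The encryption flag is what makes the difference in practice: the same 340-session load fits the unnamed larger platform only because encryption cuts its capacity to 500 rather than to the Portwell unit's 250.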

Page 14:

Avaya SBC for Enterprise

Diagram: Avaya SBC for Enterprise deployed for SIP Trunking, Remote Worker and CS1000 SIP Trunking

• 1 Software Base: Avaya Aura SBC for Enterprise
• 3 HW Platforms: Dell & HP for Enterprise; Portwell CAD-0208 for IPO
• 2 Use Cases: SIP Trunking, Remote Worker

Page 15:

Avaya SBCE: SIP Trunking Architecture

Use Case: SIP Trunking to Carrier
• Carrier offering SIP trunks as lower-cost alternative to TDM
• Heavy driver for Enterprise adoption of SBC
• Carrier SIP trunks to the Avaya Session Border Controller for Enterprise
• Avaya SBCE is located in a DMZ behind the Enterprise firewall
• Services: security and demarcation device between the IP-PBX and the Carrier
  − NAT traversal,
  − Securely anchors signaling and media, and can
  − Normalize SIP protocol

Diagram: Carrier – SIP Trunks – Internet – Firewall – DMZ (Avaya SBCE) – Firewall – Enterprise (IP PBX)

Page 16:

Secure Remote Worker with BYOD

• Personal PC, Mac or iPad devices
• Avaya Flare®, Avaya one-X® SIP client app
• App secured into the organization, not the device
• One number UC anywhere

Diagram: Untrusted Network (Internet, Wireless, etc.) – Avaya SBCE – Avaya Aura® (Presence Server, System Manager, Communication Manager, Avaya Aura Conferencing, Aura Messaging, Session Manager)

Page 17:

Avaya SBCE: Remote Worker Architecture

Use Case: Remote Worker
• Extend UC to SIP users remote to the Enterprise
• Solution not requiring VPN for UC/CC SIP endpoints
• Remote Workers are external to the Enterprise Firewall
• Avaya Session Border Controller for Enterprise
  − Authenticate SIP-based users/clients to the enterprise
  − Securely proxy registrations and client device provisioning
  − Securely manage communications without requiring a VPN

Diagram: Remote Workers – Internet – Firewall – DMZ (Avaya SBCE) – Firewall – Enterprise (IP PBX)

Page 18:

Remote Worker: How does the SBC proxy endpoint traffic?

Diagram: Internet – External Firewall/Router (+NAT) – DMZ: Avaya SBCE (FW/NAT Traversal) – Internal Firewall – Intranet: CM or CS1k, SM

1. Encrypted signaling over TLS
2. Signaling over TCP/UDP
3. Encrypted media SRTP
4. Media RTP

Legend:
• Encrypted Signaling: SIP/TLS
• Encrypted Media: SRTP (HW 50 usec)
• Unencrypted Signaling: SIP/TCP
• Unencrypted Media: RTP

Page 19:

What’s Next?

• "6.2" Product Release now through April 2013
  • "Micro" Release for IP Office available now (new market)
  • Trunk-side for Enterprise in February '13
  • Applications (inc. Remote Worker) in April '13

• Re-organized UC Security Team engaging now to build Sales, Tech Ops, Channel enablement programs and create wider coverage. Need your support for participation.

• Auto-attach campaign to start in Q2 for IPO, CM/Aura, SM, others

• Reporting on success will be delivered from UC Security Ops to Area Ops, Leaders to assist in gap identification, drive activity

Page 20:

SBCE Roadmap

• SIP security designed for scalable cost-effective enterprise use
• Fully supports SIP trunking on Avaya Aura, CS1K & IPO
• Supports remote and mobile SIP devices and clients with Avaya Aura (96x1 R6.2, One-X Com R6.2, Flare Exp iPad R1.1)
• Extends Avaya Aura® SIP capabilities outside the enterprise
• Easy and intuitive to deploy and configure, lowering TCO

Avaya SBCE 6.2 – Q1 CY 2013 (Mar)
• SIP Trunking (Avaya Aura, CS1000 & IPO)
• Securing Remote Worker without VPN (Avaya Aura)
• Avaya Interoperability: Mobile SIP iOS R6.2, 96x0 (SIP) R6.2, One-X Comm R6.2, OTV R1.0, AACC7 support, HP DL360 Migration Kit, UCID Generation

Avaya SBCE 6.2 Feature Pack 1 – Q2 CY 2013 (May)
• Expanded Interoperability: Remote Worker for IPO, Flare Exp. R1.1, Flare Comm. R1.0.3

Avaya SBCE 6.2 Feature Pack 2 – Q3 CY 2013
• Radvision Interop, CS1K R7.6 w/ Collab Pack, Microsoft Lync trunks

Page 21:

UC Security Sales Organization

Nick Adams – Global Sales Leader

US Practice Leaders

Dave [email protected] [email protected] Williams- [email protected] Darcy – West [email protected]

US Engineering

Terry [email protected]

CANADA Practice Lead: Chuck Pledger, [email protected]

CALA Practice Lead: Gus Herrera, [email protected]

EMEA Practice Lead: Dan Panesar, [email protected], +44 4477 1566 6078

APAC Practice Lead: David Lloyd, [email protected], +61 417328435

Global Technical Lead: Addis [email protected]

Global Channel Lead: Greg [email protected]

Global Operations: Jaime [email protected]

Page 22:

Thank you! #AvayaATF