©2013 Avaya Inc. All rights reserved | February 26-28, 2013 | Orlando, FL
#AvayaATF
Securing the UC Network
Terry Pierson, Consulting System Engineer, UC Security - AVAYA
Agenda
• UC Security – Why it matters
• VIPER Lab
• Avaya SBC for Enterprise
• Use Cases
  • SIP Trunks – Standard License
  • Remote Worker – Advanced License
• SBC Update
• Resources
• Q & A
More Collaboration and Mobile Devices… More Enterprise Security Threats
• Denial of Service
  • Call/registration overload
  • Malformed messages, aka “fuzzing”
• Configuration errors
  • Mis-configured devices
  • Operator and application errors
• Theft of service
  • Unauthorized users
  • Unauthorized media types
• Viruses and SPIT
  • Viruses via SIP messages
  • Malware via IM sessions
  • SPIT – unwanted traffic
[Chart: Enterprise Adoption of Collaboration Tools. Source: Nemertes Research]
Unified Communications Security – Should You Care?
• Credit card privacy rules: other compliance laws require security architecture specific to VoIP and other UC. [1]
• 50% increase: VoIP hacking at new levels [2]
• Up to 25% of attacks: VoIP scanning – botnets, Cloud used for VoIP fraud [3]
• Reduce deployments by 1/3: VoIP/UC security reduces VoIP/UC deployment time by one third [4]
• Toll fraud: yearly enterprise losses in billions; inadequate securing of SIP trunks, UC and VoIP applications [5]
OSI Model: 7 Layers of Attacks
• Typical firewall protection
  • Layer 3-4 protection (3 to 4 foot hurdle)
• Email spam filters: layer 7 application-specific email firewall
• SIP, VoIP, UC: layer 4 to layer 7 application
  • SIP Trunking - a trunk side application
  • SIP Line (phone) side (internal and external) access another application
• Attackers/Exploiters look for:
  • High/growing adoption
  • Protection not yet available… VoIP/UC
OSI Model

| Layer group | Data Unit | Layer | Function |
|---|---|---|---|
| Host Layers | Data | 7. Application | Network process to application |
| Host Layers | Data | 6. Presentation | Data representation, encryption and decryption, convert machine dependent data to machine independent data |
| Host Layers | Data | 5. Session | Interhost communication |
| Host Layers | Segments | 4. Transport | End-to-end connections and reliability, flow control |
| Media Layers | Packet/Datagram | 3. Network | Path determination and logical addressing |
| Media Layers | Frame | 2. Data Link | Physical addressing |
| Media Layers | Bit | 1. Physical | Media, signal and binary transmission |

Wikipedia on 22Jul2011: http://en.wikipedia.org/wiki/OSI_Model
Avaya SBCE provides a VoIP/UC trunk/line side layer 4-7 application protection
Think of OSI model as a 7 foot high jump
VIPER Lab
• Industry Recognized UC Security Experts: recognized UC Security SMEs by SANS, Dept of Justice, and other US Gov agencies, external organizations like DefCon and Infoseek
• Leading Edge UC Security Research: 10 years of extensive research, using worldwide honeypots, Enterprise networks, etc.
• Experienced audit and assessment team: VIPER is an experienced security assessment team, having completed over 100 network or application assessments
Best Practices vs an Assessment
• Best Practices
  • Lock your doors at night
  • Lock your windows
  • Enable your home alarm system
  • You’ve followed best practices and you’re safe! Or are you?
• A Security Assessment
  • Your locked doors use an easy to pick lock type
  • Your door frame is thin and one kick could open it
  • Your windows can be unlocked from the outside with a screwdriver
  • Your phone line can be cut, stopping your alarm from reaching the police
A proper security assessment validates the implementation of a best practice, and often reveals many weaknesses!
What does an Audit consist of?
• An audit usually takes the form of a “UC Penetration Test”
• It typically consists of the following process:
  • VIPER will review the business and understand VoIP/UC application flow
  • Will tailor a set of unique security test cases, for penetration testing, that are unique to that customer’s infrastructure
  • Perform network discovery and reconnaissance
  • Will spend 1 – 5 weeks doing technical security testing
  • Will develop the security report, typically 1 – 2 weeks
Evolving and Protecting – VIPER Lab
• Uncover vulnerabilities in next-generation, multi-vendor networking environments
• Proactively identifying and preparing defenses beyond your network borders
• Vulnerability Assessments improve security architectures and enhance compliance
• State-of-the-art research facility with expert vulnerability assessment professionals
• Open Source UC Security Self-Assessment Tools
The Solution – Session Border Controller
• Enforce your unique security policies
• Focus on enterprise security
• SIP trunk provider’s own SBC
• Network topology invisible to external threats
• Limits multivendor environment interoperability concerns
• Independence from Service Provider
• Normalization point for signaling / RTP media streams
• Multiple SIP trunk provider access points
• Support enterprise-specific call flows
• Report on intrusion attempts
• Session recording
• Remote Worker
[Diagram labels: Safety, Security, Flexibility, Accountability]
The SBC Protects & Defends the Avaya Core
• The SBC is not just about SIP Trunks and Remote Endpoints – it’s about Avaya’s future.
• Acme, Sonus, and most other 3rd party players are moving into the Enterprise with SBCs AND with Session Management offerings.
• Allowing 3rd party wins with SBC deals opens the door for them to capture the Core with their SM offerings and sequenced applications before it ever gets to an Avaya system.
• Selling the Avaya SBCE protects Avaya’s Core Business and extends Avaya Aura solutions with secure and borderless Enterprise communication applications.
ASBCE 6.2 System Capacity
• Session Border Controller capacities are rated in Simultaneous Sessions
  • A simultaneous session = a communication session between 2 SIP endpoints
  • Can think of it as analogous to a DS0 in the ‘old world’
• Key for engineering is to understand the number of sessions required in the solution
  • For Secure SIP trunking, look at the number of TDM DS0s required
  • For Remote Worker, calculate required call volumes
[Table: Capacity in Simultaneous Sessions. Columns: Max Capacity w/o Encryption; Max Capacity with Encryption. Row labels as extracted: HA, SA, SA; Portwell CAD-0208. Values as extracted: 1000, 1000, 250; 2000, 2000, 500.]
‘Rules of Thumb’
• SIP trunking usually 5 users per session
  • Must account for higher ratio in small
• Remote Worker must consider both on-net and off-net requirements
• Remember Encryption Services impact capacity
Avaya SBC for Enterprise
• 1 Software Base: Avaya Aura SBC for Enterprise
• 2 Use Cases: SIP Trunking, Remote Worker
• 3 HW Platforms: Dell & HP for Enterprise; Portwell CAD-0208 for IPO
[Diagram labels: Avaya SBC for Enterprise, SIP Trunking, CS1000]
Avaya SBCE: SIP Trunking Architecture
Use Case: SIP Trunking to Carrier
• Carrier offering SIP trunks as lower-cost alternative to TDM
• Heavy driver for Enterprise adoption of SBC
Carrier SIP trunks to the Avaya Session Border Controller for Enterprise
• Avaya SBCE is located in a DMZ behind the Enterprise firewall
• Services: security and demarcation device between the IP-PBX and the Carrier
  − NAT traversal,
  − Securely anchors signaling and media, and can
  − Normalize SIP protocol
[Diagram labels: Carrier, SIP Trunks, Internet, Firewall, DMZ, Avaya SBCE, Firewall, Enterprise, IP PBX]
Secure Remote Worker with BYOD
• Personal PC, Mac or iPad devices
• Avaya Flare®, Avaya one-X® SIP client app
• App secured into the organization, not the device
• One number UC anywhere
[Diagram labels: Untrusted Network (Internet, Wireless, etc.), Avaya SBCE, Avaya Aura®, Presence Server, System Manager, Communication Manager, Avaya Aura Conferencing, Aura Messaging, Session Manager]
Avaya SBCE: Remote Worker Architecture
Use Case: Remote Worker
• Extend UC to SIP users remote to the Enterprise
• Solution not requiring VPN for UC/CC SIP endpoints
Remote Workers are external to the Enterprise Firewall
• Avaya Session Border Controller for Enterprise
  − Authenticate SIP-based users/clients to the enterprise
  − Securely proxy registrations and client device provisioning
  − Securely manage communications without requiring a VPN
[Diagram labels: Remote Workers, Internet, Firewall, DMZ, Avaya SBCE, Firewall, Enterprise, IP PBX]
Remote Worker: How does the SBC proxy endpoint traffic?
[Diagram labels: Internet, External Firewall/Router, DMZ, Avaya SBCE (FW/NAT Traversal), Internal Firewall + NAT, Intranet, SM, CM or CS1k]
Numbered flows in the diagram:
1. Encrypted signaling over TLS
2. Signaling over TCP/UDP
3. Encrypted media SRTP
4. Media RTP
Legend:
• Encrypted Signaling: SIP/TLS
• Encrypted Media: SRTP (HW 50 usec)
• Unencrypted Signaling: SIP/TCP
• Unencrypted Media: RTP
What’s Next?
• “6.2” Product Release now through April 2013
  • “Micro” Release for IP Office available now (new market)
  • Trunk-side for Enterprise in February ’13
  • Applications (inc. Remote Worker) in April ’13
• Re-organized UC Security Team engaging now to build Sales, Tech Ops, Channel enablement programs and create wider coverage. Need your support for participation.
• Auto-attach campaign to start in Q2 for IPO, CM/Aura, SM, others
• Reporting on success will be delivered from UC Security Ops to Area Ops, Leaders to assist in gap identification, drive activity
SBCE Roadmap
Avaya SBCE 6.2, Q1 CY 2013 (Mar): SIP Trunking (Avaya Aura, CS1000 & IPO); Securing Remote Worker without VPN (Avaya Aura)
• SIP security designed for scalable cost-effective enterprise use
• Fully supports SIP trunking on Avaya Aura, CS1K & IPO
• Supports remote and mobile SIP devices and clients with Avaya Aura
  • 96x1 R6.2 One-X Com R6.2 Flare Exp iPad R1.1
• Extends Avaya Aura® SIP capabilities outside the enterprise
• Easy and intuitive to deploy and configure, lowering TCO
Avaya SBCE 6.2 Feature Pack 1, Q2 CY 2013 (May): Avaya Interoperability
• Mobile SIP iOS R6.2 96x0 (SIP) R6.2 One-X Comm R6.2 OTV R1.0 AACC7 support HP DL360 Migration Kit UCID Generation
Avaya SBCE 6.2 Feature Pack 2, Q3 CY 2013: Expanded Interoperability
• Remote Worker for IPO Flare Exp. R1.1 Flare Comm. R1.0.3
• Radvision Interop CS1K R7.6 w/ Collab Pack Microsoft Lync trunks
UC Security Sales Organization
Nick Adams – Global Sales Leader
US Practice Leaders: Dave [email protected] [email protected] Williams- [email protected] Darcy – West [email protected]
US Engineering: Terry [email protected]
CANADA Practice Lead: Chuck Pledger
CALA Practice Lead: Gus Herrera
EMEA Practice Lead: Dan Panesar, [email protected], +44 4477 1566 6078
APAC Practice Lead: David Lloyd, [email protected], +61 417328435
Global Technical Lead: Addis [email protected]
Global Channel Lead: Greg [email protected]
Global Operations: Jaime [email protected]
Thank you! #AvayaATF