Akhil Behl - Securing UC Networks - Interop Mumbai 2009
© 2009 Akhil Behl – UC Security Presentation 1
Unified Communications Security
Securing UC Networks
AKHIL BEHL
CCIE 19564 (Voice, Security)
Network Consulting Engineer, GDC
Cisco Systems India
[email protected] +919999908169
UC Security - Session Agenda
• UC Security Introduction – Threats to UC
• Rationale Behind Securing UC Networks
• What To Protect, How To Protect
• Deployment Strategy
• Cost, Complexity, Security
• Q&A
UC Security Introduction
Threats To UC Networks
Unified Communications Threats
• Toll fraud
  Unauthorized or unbillable resource utilization
• Eavesdropping
  Listening to another’s call
• Gaining private information
  Caller ID, password/accounts, calling patterns (Reconnaissance)
• Faking identity
  Impersonating others (spoofing)
• Denying service
  DoS attacks, hanging up others’ conversations
• Hijacking calls
  Injecting audio streams, rerouting calls
UC Security
Rationale Behind Securing UC Networks
VoIP Network Attacked / Hacked!
VoIP Network Security: How a Hacker Took Advantage of Vulnerabilities
By Special Correspondent
Miami: The federal government arrested Edwin Andrew Pena, 23, owner of Fortes Telecom Inc. and Miami Tech & Consulting Inc., for hacking into other providers' networks, routing his customer’s calls onto those platforms, then billing those companies and pocketing the proceeds. He reaped more than $1 million.
Small business gets $120,000 phone bill after hackers attack VoIP phone
By Technology Correspondent
Sydney: A small business landed with a $120,000 phone bill after criminals hacked into its internet phone system and used it to make 11,000 international calls in just 46 hours.
Source - http://www.coresecurity.com/content/VoIP-network-security-how-a-hacker-took-advantage
Source - http://www.news.com.au/technology/story/0,28348,24939188-5014239,00.html
Rationale Behind Adoption Of UC Security
• Secure UC infrastructure
  Secures what is an asset to a company’s or an organization’s day-to-day operations
• Secure the conversation
  Ensures that the business doesn’t suffer losses due to eavesdropping or hacking of voice calls
• Business continuity
  Ensures that business continuity is maintained and the chances of disruption or losses are minimized
The protection of both voice and data communication is critical to the business
UC Security
What To Secure, How To Secure
UC Security – What To Secure, How To Secure
[Network diagram; labels: CUCM, Unity VM, Wireless, HQ, Data Center, Large Branch, Small Branch, Mobile Worker, VPN, PSTN, WAN, Call Center Agents, TLS Proxy]
UC Security – Check List, Wish List
• UC Network Security (securing network infrastructure)
  • Well defined UC security policy
  • Secured network infrastructure (AAA, IPS, Firewall, L2/L3 Security)
  • Secure IPT equipment (Physical and Network Security)
  • IPSec tunnels to remote SOHO sites / Client VPN to mobile workers
  • Firewall TLS proxy / phone proxy feature support
• UC Network Security (securing UC applications)
  • Role based administration / multiple level administration
  • Secure gateway trunks, inter cluster trunks
  • Secure gatekeeper (RAS) communication (subnet, registration)
  • 3rd party CA for HTTPS, TLS
  • Secure endpoints (including Soft Phone) – TLS, 802.1x
  • Wireless phones use certificate authentication and WPA
  • Calling restriction (based on role or function)
  • Secure conference calls
  • Secure voicemail ports
UC Security
Deployment Strategy
A Tale Of Two Cities
Secure Telephony
Secure Network
Secure Unified Communications
A secure network is the foundation for a secure Unified Communication network
A secure Unified Communications network is an asset for the organization
UC Security Deployment Strategy
End-To-End UC Security Approach
End to End UC Security – Demystified
Network Security
• Access Layer Security
  802.1x Authentication, L2 filtering, QoS, VLANs
• Core and Distribution Layer Security
  ACLs, Authentication for Routing
• Wireless Security
  WPA, Certificate authentication
• Remote Network Security
  IPSec VPN
• Firewalls and Intrusion Prevention
  ALG Firewall (ASA)
UC Security
• IP PBX Platform Security
  HIPS, Internal Firewall, HTTPS Access
• Gateway Security, UC Endpoint Security
  Secure Conf, Secure SRST, Secure Trunk, SRTP, TLS for signaling
• UC Application Security
  Unity VM, UCCX, MPE, etc.
• Ecosystem (3rd Party) App Security
  Attendant Console, CTI
Physical Security
• Building Security
  Badge access for employees
• Data Center Security
  Access limited to Authorized NOC Personnel Only
• Wiring Closet Security
  Access limited to Authorized NOC Personnel Only
UC Security
Cost, Complexity, Security
Security: A Balance Between Risk And Cost
Low: Easy, Default Security, No Additional Cost
• Separate Voice & Data VLANs
• STP/BPDU Guard, Port Security
• Basic ACLs
• Standard Server/OS Hardening
• Class of Restriction (Toll Fraud)
• Anti-Virus
• HTTPS access to UC Applications
• Signed Firmware
• Phone Security Settings
Medium: Moderate, Reasonable Security, Nominal Cost
• UC Aware Firewalls
• Catalyst Integrated Security
• Optional OS Hardening
• CSA
• Encrypted Configs
• TLS/SRTP – Phones, Applications
• IPSec / SRTP to Gateways
• Scavenger QoS
High: Hard, Highly Secure, Cost may go higher
• Complex Firewalls (ALG)
• Rate Limiting ACLs
• VPN – SOHO/Mobile Worker
• NAC / 802.1X
• Network Anomaly Detection / IPS
• Security Event Management
• TLS / Phone Proxy
Complexity, Security Level, Cost
Q&A ?
Thank You