IP Communications, Secure – By Design

Transcript of IP Communications, Secure – By Design

Page 1: IP Communications, Secure  –  By Design
Page 2: IP Communications, Secure  –  By Design

January 23-26, 2007 • Ft. Lauderdale, Florida

IP Communications, Secure – By Design

Roger W. Farnsworth

Page 3: IP Communications, Secure  –  By Design

A Bit of Hyperbole?

Page 4: IP Communications, Secure  –  By Design

The IP Conundrum

• The same IP technology that enables IP Communications solutions to:

– Boost productivity
– Increase mobility
– Enhance flexibility

Also creates additional MANAGEABLE security challenges

• These new challenges exist whether the IP upgrade is incremental or total

Page 5: IP Communications, Secure  –  By Design

The Challenge of Securing IP Voice

• The threats are familiar to both voice and data professionals:

– Eavesdropping
– Impersonation
– Toll fraud
– Denial of service

• Both “phreakers” and “hackers” are lurking

• The protection of both voice and data communication is critical to the business

Page 6: IP Communications, Secure  –  By Design

Reality Check

[Figure: two panels labelled "Before" and "After"]

Page 7: IP Communications, Secure  –  By Design

Evaluate the Threats Objectively

• Understand the costs of security incidents:

– Measurable: fraud, downtime, man-hours, physical destruction, intellectual property, lawsuits

– Non-measurable: reputation, customer privacy, medical information, loss of life

• Assign risk and quantify the costs

• Determine appropriate levels of protection

Page 8: IP Communications, Secure  –  By Design

The Paradigm Must Change: A Network-Based Systems Approach

• An automated security system is required to address unknown (or “Day Zero”) threats

• Security must be applied at multiple layers of the system to address sophisticated blended threats and defend against multiple avenues of attack

• All elements of the security system must be integrated to initiate a coordinated response

Page 9: IP Communications, Secure  –  By Design

Protect All Levels of IP Communications

IP COMMUNICATIONS SYSTEM

INFRASTRUCTURE

ENDPOINTS

CALL CONTROL

APPLICATIONS

TRANSPORT: Secure, Reliable Communications that Connects All of the Other Components

VALUE-ADDED COMPONENTS: Messaging, Customer Care, and Other Application Software

SYSTEM CONFIG AND OPERATION: Infrastructure and Protocols for Call Management and Operation

USER INTERFACES: IP Phones, Video Terminals, and Other Delivery Devices

Page 10: IP Communications, Secure  –  By Design

Security Preparation - Only as Strong as the Weakest Link

A measured approach to securing the entire network is critical

                 CONTROL   PROTECTION   PRIVACY
Infrastructure   X         X            X
Call Control     X         X            X
Endpoints        X         X            X
Applications     X         X            X

Page 11: IP Communications, Secure  –  By Design

Secure IP Communications Systems Approach in Action

[Diagram labels: Intranet, Internet]

Infrastructure
– VLAN segmentation
– Layer 2 protection
– Firewall / IDS
– QoS and thresholds
– Secure VPN
– Wireless security
– Gateway SRTP

Call Management
– Hardened Windows OS
– Digital certificates
– Signed software images
– TLS signaling
– Integrated CSA
– SSL enabled directory

Applications
– Secure voice messaging
– LDAP
– Multi-level admin
– Toll fraud protection
– HTTPS management
– Hardened platforms
– H.323 and SIP signaling

Endpoints
– Digital certificates
– Authenticated phones
– GARP protection
– TLS protected signaling
– SRTP media encryption
– Centralized management

Page 12: IP Communications, Secure  –  By Design

Standards Bodies in Action

IETF
– Identity
– Media authorization
– Keying protocols
– Firewall transit

ITU
– H.235 framework
– Signaling protection
– Protocol streams

SIP Forum
– SIPit
– Security interoperability
– SIP over TLS
– Interconnection

Page 13: IP Communications, Secure  –  By Design

There is Nothing to Fear Except Fear Itself

• IP Communications solutions can be as secure as, or more secure than, traditional PBX systems

– Security remains a top issue of IP Communications customers
– A comprehensive, systems approach is best
– The industry is committed to delivering the most secure, reliable solutions possible
– The future holds great promise for new applications

Page 14: IP Communications, Secure  –  By Design

More Information

• www.nist.gov

• www.cert.org

• Your vendor or partner