©2013 Avaya Inc. All rights reserved
February 26-28, 2013 | Orlando, FL
Securing the UC Network
Terry Pierson
Consulting System Engineer
UC Security - AVAYA
#AvayaATF
Agenda
• UC Security – Why it matters
• VIPER Lab
• Avaya SBC for Enterprise
• Use Cases
  • SIP Trunks – Standard License
  • Remote Worker – Advanced License
• SBC Update
• Resources
• Q&A
More Collaboration and Mobile Devices…
More Enterprise Security Threats
(Chart: Enterprise Adoption of Collaboration Tools)
• Denial of Service
  • Call/registration overload
  • Malformed messages, aka “fuzzing”
• Configuration errors
  • Mis-configured devices
  • Operator and application errors
• Theft of service
  • Unauthorized users
  • Unauthorized media types
• Viruses and SPIT
  • Viruses via SIP messages
  • Malware via IM sessions
  • SPIT – unwanted traffic
Source: Nemertes Research
Unified Communications Security – Should You Care?
• Credit card privacy rules and other compliance laws require security architecture specific to VoIP and other UC.¹
• Increase: ‘VoIP hacking at new levels’²
• Up to [figure missing from slide] of attacks: VoIP scanning – botnets, Cloud used for VoIP fraud³
• Reduce deployments: VoIP/UC security reduces VoIP/UC deployment time by one third⁴
• Toll fraud: yearly enterprise losses in Billions from inadequate securing of SIP trunks, UC and VoIP applications⁵
OSI Model – 7 Layers of Attacks
Think of the OSI model as a 7 foot high jump:
• Layer 3-4 protection (a 3 to 4 foot hurdle) – typical firewall protection
• Email spam filters – layer 7, application-specific email firewall
• SIP, VoIP, UC – layer 4 to layer 7 application
  • SIP Trunking – a trunk side application
  • SIP Line (phone) side (internal and external) access – another application
Attackers/Exploiters look for:
• High/growing adoption
• Protection not yet available… VoIP/UC

Layer            | Data Unit       | Function
Host layers
7. Application   | Data            | Network process to application
6. Presentation  | Data            | Data representation, encryption and decryption, convert machine dependent data to machine independent data
5. Session       | Data            | Interhost communication
4. Transport     | Segments        | End-to-end connections and reliability, flow control
Media layers
3. Network       | Packet/Datagram | Path determination and logical addressing
2. Data Link     | Frame           | Physical addressing
1. Physical      | Bit             | Media, signal and binary transmission
Source: Wikipedia on 22Jul2011: http://en.wikipedia.org/wiki/OSI_Model

Avaya SBCE provides a VoIP/UC trunk/line side layer 4-7 application protection
VIPER Lab
Industry Recognized UC Security Experts
• Leading Edge UC Security Research: 10 years of extensive research, using worldwide honeypots, Enterprise networks, etc.
• Recognized UC Security SMEs by SANS, Dept of Justice, and other US Gov agencies, and external organizations like DefCon and Infoseek
• Experienced audit and assessment team: VIPER is an experienced Security assessment team, having completed over 100 network or application assessments
Best Practices vs an Assessment
• Best Practices
  • Lock your doors at night
  • Lock your windows
  • Enable your home alarm system
  • You’ve followed best practices and you’re safe! Or are you?
• A Security Assessment
  • Your locked doors use an easy to pick lock type
  • Your door frame is thin and one kick could open it
  • Your windows can be unlocked from the outside with a screwdriver
  • Your phone line can be cut, stopping your alarm from reaching the police
A proper security assessment validates the implementation of a best practice—and often reveals many weaknesses!
What does an Audit consist of?
• An audit usually takes the form of a “UC Penetration Test”
• It typically consists of the following process:
  • VIPER will review the business and understand the VoIP/UC application flow
  • Will tailor a set of security test cases, for penetration testing, that are unique to that customer’s infrastructure
  • Perform network discovery and reconnaissance
  • Will spend 1 – 5 weeks doing technical security testing
  • Will develop the security report, typically 1 – 2 weeks
Evolving and Protecting – VIPER Lab
• Proactively identifying and preparing defenses beyond your network borders
• Vulnerability Assessments improve security architectures and enhance compliance
• State-of-the-art research facility with expert vulnerability assessment professionals
• Open Source UC Security Self-Assessment Tools
• Uncover vulnerabilities in next-generation, multi-vendor networking environments
The Solution – Session Border Controller
Security
 Enforce your unique security policies
 Focus on enterprise security
 SIP trunk provider’s own SBC
 Network topology
 Invisible to external threats
 Limits multivendor environment interoperability concerns
Flexibility
 Independence from Service Provider
 Multiple SIP trunk provider access points
 Support enterprise-specific call flows
Accountability
 Report on intrusion attempts
 Normalization point for signaling / RTP media streams
 Session recording
 Remote Worker Safety
The SBC Protects & Defends the Avaya Core
• The SBC is not just about SIP Trunks and Remote Endpoints – it’s about Avaya’s future.
• Acme, Sonus, and most other 3rd party players are moving into the Enterprise with SBCs AND with Session Management offerings.
• Allowing 3rd party wins with SBC deals opens the door for them to capture the Core with their SM offerings and sequenced applications before it ever gets to an Avaya system.
• Selling the Avaya SBCE protects Avaya’s Core Business and extends Avaya Aura solutions with secure and borderless Enterprise communication applications.
ASBCE 6.2 System Capacity
Capacity in Simultaneous Sessions

Platform                | Max Capacity w/o Encryption | Max Capacity with Encryption
HA                      | 2000                        | 1000
SA                      | 2000                        | 1000
SA (Portwell CAD-0208)  | 500                         | 250

‘Rules of Thumb’
• SIP trunking: usually 5 users per session
• Must account for higher ratio in small
• Remote Worker must consider both on-net and off-net requirements
• Remember encryption services impact capacity

• Session Border Controller capacities are rated in Simultaneous Sessions
• A simultaneous session = a communication session between 2 SIP endpoints
• Can think of it as analogous to a DS0 in the ‘old world’
• Key for engineering is to understand the number of sessions required in the solution
  • For Secure SIP trunking, look at the number of TDM DS0s required
  • For Remote Worker, calculate required call volumes
Avaya SBC for Enterprise
1 Software Base: Avaya Aura SBC for Enterprise
3 HW Platforms: Dell & HP for Enterprise; Portwell CAD-0208 for IPO
2 Use Cases: SIP Trunking, Remote Worker
(Diagram: CS1000 and other cores, each fronted by an Avaya SBC for Enterprise providing SIP Trunking)
Avaya SBCE: SIP Trunking Architecture
Use Case: SIP Trunking to Carrier
 Carrier offering SIP trunks as lower-cost alternative to TDM
 Heavy driver for Enterprise adoption of SBC
(Diagram: Carrier – Internet – SIP Trunks – Firewall – DMZ with Avaya SBCE – Firewall – Enterprise IP PBX)
Carrier SIP trunks to the Avaya Session Border Controller for Enterprise
 Avaya SBCE is located in a DMZ behind the Enterprise firewall
 Services: security and demarcation device between the IP-PBX and the Carrier
  − NAT traversal
  − Securely anchors signaling and media
  − Normalizes SIP protocol
Secure Remote Worker with BYOD
(Diagram: Avaya Aura® core – Avaya Aura Conferencing, Aura Messaging, Session Manager, Avaya Presence Server, System Manager, Communication Manager – reached through the Avaya SBCE from an Untrusted Network (Internet, Wireless, etc.))
• Personal PC, Mac or iPad devices
• Avaya Flare®, Avaya one-X® SIP client app
• App secured into the organization, not the device
• One number UC anywhere
Avaya SBCE: Remote Worker Architecture
Use Case: Remote Worker
• Extend UC to SIP users remote to the Enterprise
• Solution not requiring VPN for UC/CC SIP endpoints
(Diagram: Remote Workers – Internet – Firewall – DMZ with Avaya SBCE – Firewall – Enterprise IP PBX)
Remote Workers are external to the Enterprise firewall
Avaya Session Border Controller for Enterprise:
  − Authenticates SIP-based users/clients to the enterprise
  − Securely proxies registrations and client device provisioning
  − Securely manages communications without requiring a VPN
Remote Worker: How does the SBC proxy endpoint traffic?
(Diagram: Internet – External Firewall/Router – DMZ with Avaya SBCE (FW/NAT Traversal) – Internal Firewall + NAT – Intranet with SM and CM or CS1k)
1. Encrypted signaling over TLS (Internet side, remote endpoint to Avaya SBCE)
2. Signaling over TCP/UDP (Intranet side, Avaya SBCE to SM)
3. Encrypted media SRTP (Internet side, remote endpoint to Avaya SBCE)
4. Media RTP (Intranet side, Avaya SBCE to the core)
Unencrypted Signaling: SIP/TCP
Unencrypted Media: RTP
Encrypted Signaling: SIP/TLS
Encrypted Media: SRTP (HW 50 usec)
What’s Next?
• “6.2” Product Release now through April 2013
• “Micro” Release for IP Office available now (new market)
• Trunk-side for Enterprise in February ’13
• Applications (inc. Remote Worker) in April ’13
• Re-organized UC Security Team engaging now to build
Sales, Tech Ops, Channel enablement programs and
create wider coverage. Need your support for participation.
• Auto-attach campaign to start in Q2 for IPO, CM/Aura, SM,
others
• Reporting on success will be delivered from UC Security
Ops to Area Ops, Leaders to assist in gap identification,
drive activity
SBCE Roadmap

Avaya SBCE 6.2 – Q1 CY 2013 (Mar)
SIP Trunking (Avaya Aura, CS1000 & IPO); Securing Remote Worker without VPN (Avaya Aura)
 SIP security designed for scalable cost-effective enterprise use
 Fully supports SIP trunking on Avaya Aura, CS1K & IPO
 Supports remote and mobile SIP devices and clients with Avaya Aura
   96x1 R6.2
   One-X Com R6.2
   Flare Exp iPad R1.1
 Extends Avaya Aura® SIP capabilities outside the enterprise
 Easy and intuitive to deploy and configure, lowering TCO

Avaya SBCE 6.2 Feature Pack 1 – Q2 CY 2013 (May)
Avaya Interoperability
 Mobile SIP iOS R6.2
 96x0 (SIP) R6.2
 One-X Comm R6.2
 OTV R1.0
 AACC7 support
 HP DL360 Migration Kit
 UCID Generation

Avaya SBCE 6.2 Feature Pack 2 – Q3 CY 2013
Expanded Interoperability
 Remote Worker for IPO
 Flare Exp. R1.1
 Flare Comm. R1.0.3
 Radvision Interop
 CS1K R7.6 w/ Collab Pack
 Microsoft Lync trunks
UC Security Sales Organization
Nick Adams – Global Sales Leader

US Practice Leaders
• Dave Mulhern – Northeast – dmulherm@avaya.com – 972-679-7809
• Brad Bleeck – South – hbleeck@avaya.com – 972-679-7809
• Ed Williams – Central – ewilliams1@avaya.com – 972-322-3791
• Shawn Darcy – West – sddarcy@avaya.com – 310-748-8803
CANADA Practice Lead: Chuck Pledger – cpledger@avaya.com – 614-893-2628
EMEA Practice Lead: Dan Panesar – dpanesar@avaya.com – +44 4477 1566 6078
APAC Practice Lead: David Lloyd – dave@avaya.com – +61 417328435
CALA Practice Lead: Gus Herrera – herrerag@avaya.com – 305-586-2973
US Engineering
• Global Technical Lead: Addis Hallmark – ahallmark@avaya.com – 214-269-2420
• Terry Pierson – tpierson1@avaya.com – 972-978-2611
Global Channel Lead: Greg Parcell – gparcell1@avaya.com – 630-618-0188
Global Operations: Jaime Cooley – jcooley@avaya.com – 630-245-2822
Thank you!
#AvayaATF