1
Security threat mitigation in enterprise UC
environments
  • Jonathan Zarkower
  • Director, Product Marketing

2
Enterprise contact center transition to IP interactive communications
  • TDM-to-IP transition well underway
    • Reduce costs, improve communications efficiency
    • Mobility, collaboration, presence and video drive the IP transition and its complexity
    • Compliance: call recording, emergency services, domain separation
    • IP PBXs are extensively deployed but exist as islands
  • Unified Communications (UC) is the new focus
    • Migrate mission-critical applications onto the IP network
    • Integrate chat, voice and video into contact center and business applications
    • Introduce presence and mobility into the application delivery process
    • Transition call centers to multimedia customer care centers
  • Enhanced communications efficiency
    • Enables intelligent call routing based on business rules/processes (cost, availability, skills, etc.)
    • Integrate remote workers/agents seamlessly
    • Distribute call processing to eliminate single points of failure

3
  • In IP we trust... no one!

4
VoIP security in the news
  • Bell Canada customers face bills as high as $220,000 as hackers breach system (Jan. 2009)
  • IP PBX hacked for 11,000 calls, $120,000 in charges (Jan. 2009)
  • Skype outage disconnects users, eBay stock price dips (Aug. 2007)
  • Two men charged with hacking into VoIP networks, pocketing $1 million (June 2006)

5
Enterprise security concerns
6
VoIP threats: impacts and probabilities

                                     Probability
Security threat     Impact   VoIP/Internet    Private    Comments
                             (free, anonymous) network
DoS/DDoS attacks    10       1                2          Requires a sophisticated attack capable of covering its tracks. Catastrophic: all subscribers impacted.
Overloads           9        4                3          Power-outage-prone areas are susceptible. Catastrophic: all subscribers impacted.
Viruses/malware     3-8      5                5          Impact varies with the target: service provider infrastructure, enterprise IP PBX or residential PC.
Service fraud       5        N/A              5          Requires technical sophistication. Impact depends on business model.
Identity theft      2-5      8                6          Requires slightly more technical sophistication than SPIT; man-in-the-middle requires the same degree of capability. Information is used for other attacks with various impacts.
Eavesdropping       2        5                3          Requires technical sophistication and access to wiring closets.
SPIT                1        10               6          Requires little sophistication. Annoying more than harmful.

Note: probability and impact ratings are on a 1-10 scale, with 1 being low and 10 being high.
7
Four enterprise border points require control and security
  • Interconnect border to service provider(s) - SIP/H.323 trunking
    • Extend IP-to-IP connectivity
    • Reduce costs, increase quality
  • Access border (trusted)
    • Interconnect sites and users
    • Simplified number plans
  • Access border (untrusted)
    • Anywhere connectivity
    • Secure and unsecure access
  • Hosted services/ASP border
    • Expand service and application capabilities
    • Create a global reach

(Diagram: the enterprise borders - headquarters, regional and branch offices, SOHO, mobile and nomadic users, connected over an MPLS VPN and the Internet via SIP and H.323 to service providers, the PSTN, hosted services/IP contact center ASPs and other IP subscribers.)
8
Key security threats to enterprise UC
  • Denial of Service
    • Malicious and non-malicious
    • Call/registration overload
    • Malformed messages (fuzzing)
    • Misconfigured devices
    • Operator and application errors
  • Viruses and SPIT
    • Viruses attached to SIP messages
    • Malware executed through IM sessions
    • SPIT: annoying, unwanted traffic
  • Identity theft and eavesdropping
  • Service theft
    • Unauthorized users and applications

9
Microsoft OCS 2007 architecture: SIP security risks (diagram)
10
The key difference between an SBC and an ALG is the back-to-back user agent
  • Functional advantages
    • Seamlessly addresses the issue of overlapping IP (OLIP) addresses
    • Responds to REDIRECTs, can initiate re-INVITEs and BYEs
    • Gracefully manages stranded call scenarios
    • Provides signaling interworking and protocol fix-ups
  • Security advantages
    • Modifies the IP address and SIP URI in every field of the signaling message for complete anonymization
    • Detects protocol anomalies and also fixes signaling
    • Provides interworking between encrypted and non-encrypted elements
    • Goes beyond throttling down the rate of signaling messages
  • Regulatory advantages
    • Supports session replication for call recording
    • Supports lawful intercept

11
Even high-end firewalls can't defend against SIP DoS/DDoS attacks
  • Test setup
    • Total of 34 different test cases, using over 4,600 test scripts
    • SIP flood tests: flood attacks consisting of INVITE, REGISTER and response (100, 180, 200) messages from thousands of random source addresses/ports
    • SIP spoof flood tests: same as the SIP flood tests but with spoofing of different headers, fields and addresses
    • SIP malformed message tests: over 4,500 PROTOS attack cases
    • SIP torture tests: IETF draft of 49 malformed SIP messages (the torture test messages later published as RFC 4475)
    • RTP attack tests: rogue, fraud and flood attacks using RTP packets
  • Results
    • Cisco PIX 535 failed consistently
    • Some attacks caused hard failure - the firewall had to be powered off and on
    • Some attacks were flooded through into the core and impacted the proxy
    • Even some random RTP floods caused 94% CPU utilization

12
SBC DoS/DDoS protection
  • Dynamic trust management
    • Success-based trust model protects resources
    • Adjust resources based on real-time events
  • Proactive threat mitigation
    • Drop malformed sessions
    • Block known malicious traffic sources
    • Identify automated calling and reject it based on defined policies

(Diagram: the same enterprise border topology as slide 7, with spammers and zombie PCs on the Internet side.)
13
IP PBX, SIP proxy and application server DoS/DDoS prevention
  • Comprehensive security
    • Topology hiding protects PBX/UC servers from external exposure and threats
    • Private/public address management ensures user privacy
  • Real-time session control
    • Signaling overload protection via rate limiting, load balancing and selective call rejection
    • Policy-based admission control

(Diagram: the same enterprise border topology as slide 7, with infected PCs and rogue devices inside the enterprise and spammers and zombie PCs on the Internet side.)
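The last three slides describe the SBC's ingress logic in prose: drop what does not parse, rate-limit by how much a source has earned, and feed the PBX's answers back into that trust decision. The Python below is an added example written for this page, not Acme Packet code and not the slide 11 test harness. The header checks, the untrusted/trusted/denied levels, the 200-OK-to-REGISTER promotion rule, every threshold and the sample SIP messages are assumptions constructed for the example.

```python
import re
import time
from collections import defaultdict, deque

MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq")
REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
CSEQ_VALUE = re.compile(r"^\d+ [A-Z]+$")


def parse_sip(raw):
    """Return (method, headers, body) or raise ValueError for the kinds of
    damage PROTOS/torture cases inflict. Compact header names (v:, f:) are
    not handled - a simplification of this example, not of SIP."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("bad header line")
        headers.setdefault(name.strip(), []).append(value.strip())
    missing = [h for h in MANDATORY if h not in headers]
    if missing:
        raise ValueError("missing " + ",".join(missing))
    if not CSEQ_VALUE.match(headers["CSeq"][0]):
        raise ValueError("bad CSeq")
    declared = headers.get("Content-Length", [str(len(body))])[0]
    if not declared.isdigit() or int(declared) != len(body):
        raise ValueError("Content-Length mismatch")
    return m.group(1), headers, body


class SourceGuard:
    """Success-based trust per source address (thresholds are assumptions):
    untrusted (default, tight rate limit) -> trusted (after the PBX answers
    REGISTER with 200 OK); repeated malformed messages -> denied for a while."""
    RATE = {"untrusted": 5, "trusted": 50}    # requests per WINDOW seconds
    WINDOW, MALFORMED_LIMIT, DENY_SECONDS = 1.0, 3, 60.0

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.level = defaultdict(lambda: "untrusted")
        self.recent = defaultdict(deque)      # src -> arrival times in WINDOW
        self.malformed = defaultdict(int)
        self.denied_until = {}

    def _over_rate(self, src, now):
        q = self.recent[src]
        while q and now - q[0] > self.WINDOW:
            q.popleft()
        q.append(now)
        return len(q) > self.RATE[self.level[src]]

    def admit(self, src, raw):
        """Return 'forward:<METHOD>' or 'drop:<reason>' for one datagram."""
        now = self.clock()
        if self.denied_until.get(src, 0.0) > now:
            return "drop:denied"               # cheapest check first
        if self._over_rate(src, now):
            return "drop:rate"                 # still before any parsing
        try:
            method, _, _ = parse_sip(raw)
        except ValueError as err:
            self.malformed[src] += 1
            if self.malformed[src] >= self.MALFORMED_LIMIT:
                self.denied_until[src] = now + self.DENY_SECONDS
            return "drop:malformed:%s" % err
        return "forward:%s" % method

    def note_response(self, src, method, status):
        """Feed back the PBX's answer: a 200 to REGISTER earns trust."""
        if method == "REGISTER" and status == 200:
            self.level[src] = "trusted"


# Constructed sample traffic, not captured data.
REGISTER = ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776\r\n"
            "From: <sip:alice@example.com>;tag=1928\r\n"
            "To: <sip:alice@example.com>\r\n"
            "Call-ID: a84b4c76e66710\r\n"
            "CSeq: 1 REGISTER\r\n"
            "Content-Length: 0\r\n\r\n")
BAD_CSEQ = REGISTER.replace("CSeq: 1 REGISTER", "CSeq: -1 REGISTER")
NO_CALL_ID = REGISTER.replace("Call-ID: a84b4c76e66710\r\n", "")


def demo(clock=lambda: 100.0):
    """A registered phone, a REGISTER flooder and a fuzzer, all at a frozen
    clock so the window arithmetic is deterministic."""
    g = SourceGuard(clock)
    phone, bot, fuzzer = "203.0.113.7", "198.51.100.20", "198.51.100.30"
    g.admit(phone, REGISTER)
    g.note_response(phone, "REGISTER", 200)
    return {
        "trusted_burst": [g.admit(phone, REGISTER) for _ in range(20)][-1],
        "untrusted_flood": [g.admit(bot, REGISTER) for _ in range(6)][-1],
        "fuzz": [g.admit(fuzzer, BAD_CSEQ) for _ in range(3)]
                + [g.admit(fuzzer, NO_CALL_ID)],
    }
```

The order inside admit is the point: the denial list and the rate window are consulted before a byte of the message is parsed, which is what keeps a spoofed flood from reaching the proxy CPU the way the PIX tests describe, while the promotion to "trusted" only happens on evidence from the PBX, never on anything the source asserts about itself.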
14
Viruses and malware can threaten IC endpoints and service infrastructure
  • SIP MIME attachments are a powerful tool for richer caller ID - vCard text, picture or video
  • Potential Trojan horse for viruses and worms to reach general-purpose server-based voice platforms
    • SIP softswitches, IMS CSCF, SIP servers, application servers
    • SIP PBX
    • SIP phones and PCs
  • New endpoint vulnerabilities
    • Embedded web servers in IP phones
    • Java apps: liability or asset?
  • Solution requirements
    • Authentication
    • SIP message MIME attachment filtering
    • Secure OS environment

(Graphic: Sobig, Code Red, Nimda, Melissa, SQL Slammer, Klez, Michelangelo, LoveBug)
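"SIP message MIME attachment filtering" in the list above is a body rewrite: keep the SDP the PBX needs, drop everything else before the INVITE reaches a general-purpose server. As an added example (not vendor code), the Python below does that with the standard library MIME parser; the allowed-type set, the rebuilt header list and the constructed INVITE with a bogus executable attachment are assumptions made for the example.

```python
from email import policy
from email.parser import BytesParser

ALLOWED_BODY_TYPES = {"application/sdp"}        # what the PBX really needs
BODY_HEADERS = {b"content-type", b"content-length", b"mime-version"}


def filter_sip_body(raw):
    """Strip every MIME part except the (first) SDP from a SIP request.
    Returns (rewritten_message, dropped_content_types). Compact header names
    (c:, l:) are not recognised - a simplification of this example."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split(b"\r\n")
    ctype = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            ctype = value.strip()
    if ctype is None or not body:
        return raw, []                             # nothing to inspect
    # SIP bodies follow the RFC 2045/2046 multipart rules, so the stdlib
    # MIME parser can do the work given just the Content-Type header.
    mime = BytesParser(policy=policy.default).parsebytes(
        b"Content-Type: " + ctype + b"\r\n\r\n" + body)
    parts = list(mime.iter_parts()) if mime.is_multipart() else [mime]
    sdp, dropped = b"", []
    for part in parts:
        ptype = part.get_content_type()
        if ptype in ALLOWED_BODY_TYPES and not sdp:
            sdp = part.get_payload(decode=True)    # first SDP wins
        else:
            dropped.append(ptype)                  # vCard, image, executable...
    if not dropped and not mime.is_multipart():
        return raw, []                             # plain SDP: pass untouched
    # Rebuild: original headers minus the body-describing ones, then a
    # single-part SDP body (or none) with a Content-Length that is right.
    out = [lines[0]] + [l for l in lines[1:]
                        if l.partition(b":")[0].strip().lower() not in BODY_HEADERS]
    if sdp:
        out.append(b"Content-Type: application/sdp")
    out.append(b"Content-Length: %d" % len(sdp))
    return b"\r\n".join(out) + b"\r\n\r\n" + sdp, dropped


# Constructed sample INVITEs (not captured traffic).
def build_invite(content_type, body):
    return (b"INVITE sip:bob@pbx.example.com SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776\r\n"
            b"From: <sip:alice@example.net>;tag=1928\r\n"
            b"To: <sip:bob@pbx.example.com>\r\n"
            b"Call-ID: a84b4c76e66710\r\n"
            b"CSeq: 1 INVITE\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(body) + body)


SDP = (b"v=0\r\n"
       b"o=alice 2890844526 2890844526 IN IP4 203.0.113.7\r\n"
       b"s=-\r\n"
       b"c=IN IP4 203.0.113.7\r\n"
       b"t=0 0\r\n"
       b"m=audio 49170 RTP/AVP 0\r\n")
BOUNDARY = b"unique-boundary-1"
MIXED_BODY = (b"--" + BOUNDARY + b"\r\n"
              b"Content-Type: application/sdp\r\n\r\n" + SDP
              + b"--" + BOUNDARY + b"\r\n"
              b"Content-Type: application/octet-stream\r\n"
              b'Content-Disposition: attachment; filename="callerid.exe"\r\n'
              b"Content-Transfer-Encoding: base64\r\n\r\n"
              b"TVqQAAMAAAAEAAAA\r\n"               # placeholder, not a real binary
              b"--" + BOUNDARY + b"--\r\n")
CLEAN_INVITE = build_invite(b"application/sdp", SDP)
RICH_INVITE = build_invite(b"multipart/mixed; boundary=" + BOUNDARY, MIXED_BODY)
```

Rewriting Content-Length after the strip matters: a filter that removes parts but forwards the old length hands the PBX exactly the kind of length/body mismatch the malformed-message tests on slide 11 are built from.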
15
SPIT will be annoying, and a possible tool for ID theft
  • Will an anonymous, cheap Yahoo subscriber (aka SPITter) be able to call an enterprise employee via Verizon to solicit phone sex, penis enlargement or Viagra pill purchases?
  • Techniques that won't work
    • Access control (static)
    • Content filtering
    • Charging ($/call)
    • Regulation
  • Solution requirements
    • Access control (dynamic, IDS-like)
    • Authentication
    • Admission control (subscriber limits, $)
    • Trust chains: pre-established technical and business relationships

16
Viruses, malware and SPIT
  • Real-time threat mitigation
    • Wire-speed Deep Packet Inspection (DPI)
    • Signature rule definition and enforcement
  • Dynamic behavior learning
    • Identifies malicious behavior, e.g. consecutive Call-IDs
    • Reduces false positives
    • Protocol anomaly detection
  • Adaptive resource protection
    • Individual device trust classification
    • Define call and bandwidth limits
    • Per-device constraints and authorization

(Diagram: the same enterprise border topology as slide 7, with spammers, zombie PCs and malicious users on the Internet side.)
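The "consecutive Call-IDs" bullet is the one concrete behavioural signal the slide gives for telling a dialer from a person. The Python below, an added example and not vendor code, replays a call log through two such rules: a Call-ID counter that keeps stepping by one, and a source that fans out to many distinct callees in a short window. The rule thresholds, the Call-ID heuristic (last digit run in the local part) and the log records are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque


class SpitDetector:
    """Behavioural SPIT scoring per source. Thresholds are assumptions for
    this example, not vendor settings.
      sequential-call-id: the counter in successive Call-IDs from one
                          source keeps stepping by exactly one (a dialer)
      fan-out: more than MAX_CALLEES distinct callees inside WINDOW seconds
    """
    WINDOW, MAX_CALLEES, SEQ_RUN = 60.0, 5, 3
    DIGITS = re.compile(r"\d+")

    def __init__(self):
        self.last_num = {}                 # src -> counter seen in last Call-ID
        self.run = defaultdict(int)        # src -> consecutive +1 steps so far
        self.recent = defaultdict(deque)   # src -> (ts, callee) inside WINDOW

    def observe(self, src, call_id, callee, ts):
        """Record one INVITE; return the rules it trips ([] = looks human)."""
        reasons = []
        nums = self.DIGITS.findall(call_id.split("@")[0])   # local part only
        if nums:
            n = int(nums[-1])
            self.run[src] = self.run[src] + 1 if self.last_num.get(src) == n - 1 else 0
            self.last_num[src] = n
            if self.run[src] >= self.SEQ_RUN:
                reasons.append("sequential-call-id")
        q = self.recent[src]
        q.append((ts, callee))
        while q and ts - q[0][0] > self.WINDOW:
            q.popleft()
        if len({c for _, c in q}) > self.MAX_CALLEES:
            reasons.append("fan-out")
        return reasons


def scan(log):
    """Replay (ts, src, call_id, callee) records in time order; return the
    sources that tripped any rule, each with the set of rule names."""
    det, flagged = SpitDetector(), defaultdict(set)
    for ts, src, call_id, callee in sorted(log):
        for reason in det.observe(src, call_id, callee, ts):
            flagged[src].add(reason)
    return dict(flagged)


# Constructed log: a dialer at 198.51.100.200 with a Call-ID counter and a
# fresh callee per call, and a human caller at 203.0.113.7. Not real data.
SAMPLE_LOG = [
    (float(i), "198.51.100.200", "spit-%d@dialer.invalid" % (1000 + i),
     "user%d@example.com" % i) for i in range(8)
] + [
    (5.0, "203.0.113.7", "a84b4c76e66710@203.0.113.7", "bob@example.com"),
    (40.0, "203.0.113.7", "b2c9f0e1@203.0.113.7", "carol@example.com"),
]
```

Both rules are cheap enough to run at the border on every INVITE, and both only produce a verdict after several events from the same source, which is what keeps the false-positive rate down on a busy but legitimate PBX trunk.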
17
Eavesdropping threat is over-hyped
  • Less risk than email - who encrypts email?
    • Email is information-rich (attachments), voice is not
    • Email is always stored on servers; for voice, only voicemail is
    • Email is always stored on endpoints, voice is not
  • Who is REALLY at risk?
    • Public company execs - insider trading
    • Bad guys - Osama, drug cartels, pedophiles, etc.
    • Good guys - law enforcement
    • Other luv & moolah scenarios - adultery, ID theft
  • Solution requirements
    • Authentication (subscriber)
    • End-to-end encryption
      • Signaling (TLS, IPsec)
      • Media (SRTP, IPsec)

18
Confidentiality and privacy
  • Secure communications
    • Encryption protects signaling and/or media (IPsec, TLS, SRTP)
    • Ability to terminate and originate encrypted traffic
    • Interworking between SIP and H.323
  • Create a trusted user environment
    • User protection via SIP privacy (RFC 3323 and 3325) support
    • Endpoint protection via topology hiding and header manipulation

(Diagram: HQ and regional offices reaching service providers and the PSTN across the untrusted Internet.)
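Slide 10's "modifies the IP address and SIP URI in every field of the signaling message" and the topology hiding and RFC 3323/3325 privacy bullets above describe one B2BUA egress rewrite. As an added example, not Acme Packet's code, the Python below applies that rewrite to an INVITE leaving the enterprise. The SBC addresses, the internal prefixes, the set of headers stripped outright, the Call-ID mapping scheme and the sample INVITE are assumptions constructed for the example.

```python
import re
import secrets

# Assumed SBC addressing for this example (not from the original slides).
EXTERNAL_SIG = "198.51.100.10:5060"    # outside signaling address of the SBC
EXTERNAL_MEDIA = "198.51.100.11"       # address the SBC anchors media on
INTERNAL_PREFIXES = ("10.", "192.168.")
ANONYMOUS_FROM = '"Anonymous" <sip:anonymous@anonymous.invalid>'   # RFC 3323 4.1.1.3
ADDR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?")
STRIP_ALWAYS = {"record-route", "route", "user-agent", "server", "organization"}


def _hide_internal(text, replacement):
    """Rewrite every dotted-quad (optionally :port) from an internal prefix."""
    return ADDR_RE.sub(lambda m: replacement if m.group().startswith(INTERNAL_PREFIXES)
                       else m.group(), text)


def header(raw, name):
    """First value of header `name` in a SIP message (None if absent)."""
    for line in raw.partition("\r\n\r\n")[0].split("\r\n")[1:]:
        n, _, v = line.partition(":")
        if n.strip().lower() == name.lower():
            return v.strip()
    return None


def anonymize_egress(raw, next_hop_trusted, call_id_map):
    """Rewrite a request leaving the enterprise through the B2BUA.
    Via stack, Contact, Call-ID and SDP addresses become the SBC's own, so
    the PBX/UC topology is not visible outside; Record-Route/Route and
    vendor banners go (the B2BUA starts a new dialog leg on the outside).
    Privacy: user -> From becomes the RFC 3323 anonymous identity (tag kept).
    Privacy: id   -> P-Asserted-Identity is removed unless the next hop is
    inside the trust domain (RFC 3325 section 5).
    call_id_map keeps the inside->outside Call-ID mapping stable per dialog."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines[1:])]
    privacy = {t.strip().lower() for n, v in headers if n.lower() == "privacy"
               for t in v.split(";")}
    body = _hide_internal(body, EXTERNAL_MEDIA)   # c=/o= lines now name the SBC
    out, via_written = [lines[0]], False
    for name, value in headers:
        n = name.lower()
        if n == "via":
            if via_written:
                continue                           # whole inside Via stack collapses
            value = "%s %s;branch=z9hG4bK%s" % (value.split()[0], EXTERNAL_SIG,
                                                 secrets.token_hex(8))
            via_written = True
        elif n in STRIP_ALWAYS or n == "content-length":
            continue                               # Content-Length re-added below
        elif n == "contact":
            value = _hide_internal(value, EXTERNAL_SIG)
        elif n == "call-id":
            value = call_id_map.setdefault(
                value, secrets.token_hex(16) + "@" + EXTERNAL_SIG.split(":")[0])
        elif n == "p-asserted-identity" and "id" in privacy and not next_hop_trusted:
            continue
        elif n == "from" and "user" in privacy:
            tag = re.search(r";tag=[^;]+", value)
            value = ANONYMOUS_FROM + (tag.group() if tag else "")
        out.append("%s: %s" % (name, value))
    out.append("Content-Length: %d" % len(body))
    return "\r\n".join(out) + "\r\n\r\n" + body


# Constructed INVITE as it arrives from the IP PBX on the inside (not a capture).
SDP = ("v=0\r\n"
       "o=alice 2890844526 2890844526 IN IP4 10.1.2.3\r\n"
       "s=-\r\n"
       "c=IN IP4 10.1.2.3\r\n"
       "t=0 0\r\n"
       "m=audio 49170 RTP/AVP 0\r\n")
INSIDE_INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 10.1.2.1:5060;branch=z9hG4bKpbx1\r\n"
                 "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bKphone1\r\n"
                 "Record-Route: <sip:10.1.2.1;lr>\r\n"
                 'From: "Alice" <sip:alice@example.com>;tag=1928\r\n'
                 "To: <sip:bob@example.net>\r\n"
                 "Contact: <sip:alice@10.1.2.3:5060>\r\n"
                 "Call-ID: 3f1c2a@10.1.2.3\r\n"
                 "CSeq: 1 INVITE\r\n"
                 'P-Asserted-Identity: "Alice" <sip:+15551234567@example.com>\r\n'
                 "Privacy: id;user\r\n"
                 "User-Agent: ExamplePhone/1.0\r\n"
                 "Content-Type: application/sdp\r\n"
                 "Content-Length: %d\r\n\r\n" % len(SDP) + SDP)
```

The trust-domain flag is the caveat worth keeping in mind: P-Asserted-Identity only means anything between parties that have the pre-established relationship the "trust chains" bullets describe, so the same INVITE keeps its asserted identity toward a trusted peer and loses it toward the open Internet.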
19
Acme Packet SBCs in the Microsoft OCS architecture
(Diagram: the Acme Packet SBC providing border security and load balancing, alongside the A/V edge server(s), the web conferencing edge server, the Mediation Server (IP PBX / IP trunking), the IP PBX with its endpoints (SIP, H.323, MGCP, SCCP) and proprietary endpoints.)
20
Trust and identity
  • How do you know you are talking to Bank of America?
  • Web site techniques don't work for IC: they work for many-to-one, not many-to-many
  • Solution requirements
    • Authentication, access control
    • Trust chains: pre-established technical and business relationships

21
The future IC net?
22
Net-Net
  • Security issues are very complex and multi-dimensional
  • Security investments are business insurance decisions
    • Life: DoS attack protection
    • Health: SLA assurance
    • Property: service theft protection
    • Liability: SPIT and virus protection
  • Degrees of risk (high to low)
    • Internet-connected ITSP: high
    • Facilities-based HIP residential services
    • Facilities-based HIP business services
    • Peering: low
  • NEVER forget disgruntled Milton from Office Space
  • Session border controllers enable enterprises to insure their success

23
The leader in session border control for trusted, first-class interactive communications

24
The key difference between SBC ALG is
back-to-back user agent
  • Functional advantages
  • Seamlessly addresses the issue of OLIP addresses
  • Responds to REDIRECTs, can initiate re-INVITEs
    and BYEs
  • Gracefully manages stranded call scenarios
  • Provides signaling interworking and protocol
    fix-ups
  • Security advantages
  • Modifies IP address and SIP UI in every field of
    signaling message for complete anonymization
  • Detects protocol anomalies and also fixes
    signaling
  • Provides interworking between encrypted and
    non-encrypted elements
  • Goes beyond throttling down the rate of signaling
    messages
  • Regulatory advantages
  • Supports session replication for call recording
  • Supports lawful intercept
Write a Comment
User Comments (0)
About PowerShow.com