Akhil Behl - Securing UC Networks - Interop Mumbai 2009


Description

With the increasing adoption of Unified Communication (UC) tools, it is imperative for organizations to understand the key security threats and the solutions they can adopt to mitigate them. This presentation will focus on how UC security can be made robust using the underlying network and the tools and services available in standard UC applications.

Transcript of Akhil Behl - Securing UC Networks - Interop Mumbai 2009

Page 1: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

© 2009 Akhil Behl – UC Security Presentation 1

Unified Communications Security

Securing UC Networks

AKHIL BEHL

CCIE 19564 (Voice, Security)

Network Consulting Engineer, GDC

Cisco Systems India

+919999908169

Page 2: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

UC Security - Session Agenda

• UC Security Introduction – Threats to UC
• Rationale Behind Securing UC Networks
• What To Protect, How To Protect
• Deployment Strategy
• Cost, Complexity, Security
• Q&A

Page 3: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

UC Security Introduction

Threats To UC Networks

Page 4: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

Unified Communications Threats

• Toll fraud: Unauthorized or unbillable resource utilization
• Eavesdropping: Listening to another’s call
• Gaining private information: Caller ID, password/accounts, calling patterns (Reconnaissance)
• Faking identity: Impersonating others (spoofing)
• Denying service: DoS attacks, hanging up others’ conversations
• Hijacking calls: Injecting audio streams, rerouting calls

Page 5: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

UC Security

Rationale Behind Securing UC Networks

Page 6: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

VoIP Network Attacked / Hacked !

VoIP Network Security: How a Hacker Took Advantage of Vulnerabilities

By Special Correspondent

Miami: The federal government arrested Edwin Andrew Pena, 23, owner of Fortes Telecom Inc. and Miami Tech & Consulting Inc., for hacking into other providers' networks, routing his customer’s calls onto those platforms, then billing those companies and pocketing the proceeds. He reaped more than $1 million.

Source: http://www.coresecurity.com/content/VoIP-network-security-how-a-hacker-took-advantage

Small business gets $120,000 phone bill after hackers attack VoIP phone

By Technology Correspondent

Sydney: A small business landed with a $120,000 phone bill after criminals hacked into its internet phone system and used it to make 11,000 international calls in just 46 hours.

Source: http://www.news.com.au/technology/story/0,28348,24939188-5014239,00.html

Page 7: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

Rationale Behind Adoption Of UC Security

• Secure UC infrastructure: Allows securing what is an asset to a company’s or an organization’s daily life operations
• Secure the conversation: Ensures that the business doesn’t suffer any losses due to eavesdropping or hacking of voice calls
• Business continuity: Ensures that the business continuity is maintained and the chances of disruption or losses are minimized

The protection of both voice and data communication is critical to the business

Page 8: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

UC Security

What To Secure, How To Secure

Page 9: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

UC Security – What To Secure, How To Secure

[Diagram labels: CUCM, Unity VM, Wireless, HQ, Data Center, Large Branch, Small Branch, Mobile Worker, VPN, PSTN, WAN, Call Center Agents, TLS Proxy]

Page 10: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

UC Security – Check List, Wish List

• UC Network Security (securing network infrastructure)
  - Well defined UC security policy
  - Secured network infrastructure (AAA, IPS, Firewall, L2/L3 Security)
  - Secure IPT equipment (Physical and Network Security)
  - IPSec tunnels to remote SOHO sites / Client VPN to mobile workers
  - Firewall TLS proxy / phone proxy feature support

• UC Network Security (securing UC applications)
  - Role based administration / multiple level administration
  - Secure gateway trunks, inter cluster trunks
  - Secure gatekeeper (RAS) communication (subnet, registration)
  - 3rd party CA for HTTPS, TLS
  - Secure endpoints (including Soft Phone) – TLS, 802.1x
  - Wireless phones use certificate authentication and WPA
  - Calling restriction (based on role or function)
  - Secure conference calls
  - Secure voicemail ports

Page 11: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

UC Security

Deployment Strategy

Page 12: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

A Tale Of Two Cities

Secure Telephony
Secure Network
Secure Unified Communications

A secure network is the foundation for a secure Unified Communication network

A secure Unified Communications network is an asset for the organization

Page 13: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

UC Security Deployment Strategy

End-To-End UC Security Approach

Page 14: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

End to End UC Security – Demystified

Network Security
• Access Layer Security: 802.1x Authentication, L2 filtering, QoS, VLANs
• Core and Distribution Layer Security: ACL’s, Authentication for Routing
• Wireless Security: WPA, Certificate authentication
• Remote Network Security: IPSec VPN
• Firewalls and Intrusion Prevention: ALG Firewall (ASA)

UC Security
• IP PBX Platform Security: HIPS, Internal Firewall, HTTPS Access
• Gateway Security, UC Endpoint Security: Secure Conf, Secure SRST, Secure Trunk, SRTP, TLS for signaling
• UC Application Security: Unity VM, UCCX, MPE, etc
• Ecosystem (3rd Party) App Security: Attendant Console, CTI

Physical Security
• Building Security: Badge access for employee
• Data Center Security: Access limited to Authorized NOC Personnel Only
• Wiring Closet Security: Access limited to Authorized NOC Personnel Only

Page 15: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

UC Security

Cost, Complexity, Security

Page 16: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

Security: A Balance Between Risk And Cost

Low: Easy, Default Security, No Additional Cost
Medium: Moderate, Reasonable Security, Nominal Cost
High: Hard, Highly Secure, Cost may go higher

Separate Voice & Data VLANs UC Aware Firewalls Complex Firewalls (ALG)

STP/BPDU Guard, Port Security Catalyst Integrated Security Rate Limiting ACL’s

Basic ACL’s Optional OS Hardening VPN – SOHO/Mobile Worker

Standard Server/OS Hardening CSA NAC / 802.1X

Class of Restriction (Toll Fraud) Encrypted Configs Network Anomaly Detection / IPS

Anti-Virus TLS/SRTP – Phones, Applications Security Event Management

HTTPS access to UC Applications IPSec / SRTP to Gateways TLS / Phone Proxy

Signed Firmware Scavenger QOS

Phone Security Settings

Complexity, Security Level, Cost

Page 17: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

Q&A ?

Page 18: Akhil Behl - Securing UC Networks - Interop Mumbai 2009

Thank You