VoIP Security and Mitel IP Telephony Solutions. Dan York Chair, Mitel Product Security Team February 2006


Agenda
- The Challenge of Security
- Understanding VoIP Security Threats
- Mitel Security Solutions
- Tools, Contacts, Help
- Summary
- Questions / Answers
Mitel Confidential 8/24/2009 slide 2

The Challenge of Security

The Implications are Clear
- Ensure privacy and appropriate access to information
- Maximize service availability
- Cost avoidance
- Confidence to extend services to broadest group of users: Local, remote, mobile
- Legal ramifications in some regions
Security is strategic

The Noise is Deafening
- Everyone is issuing security advisories!
  - Manufacturers of software and hardware
  - Security research firms
  - Vendors of security products / training / services
  - Government (or quasi-government) entities
    - Computer Emergency Response Team (CERT), CERT Coordination Center: http://www.cert.org/
    - U.S. Computer Emergency Readiness Team: http://www.us-cert.gov/
    - U.K.'s National Infrastructure Security Coordination Center (NISCC): http://www.niscc.gov.uk
    - AUS-CERT: http://www.auscert.org.au/
- Each day brings more to your inbox and news!

The Problem is Complex
- Multiple vendors and applications
- Competing vendor and internal priorities
- Responsibilities spread among internal groups
- Comprehensive defense involves many layers
[Diagram labels: Operating Systems, Desktop PCs, Network Switches, Web Servers, E-mail Systems, PDAs, Standards, Firewalls, Instant Messaging, Voice over IP, Internet, Wireless Devices, Gateways]

What is Mitel Doing Specifically?
- Extensive portfolio of secure solutions available for you today
- Member of VoIP Security Alliance
- Connected to industry security groups including:
  - CERT and US-CERT
  - NISCC (National Infrastructure Security Co-ordination Center)
- Security portal:
  - Public - http://www.mitel.com/security
  - Mitel Online Technical Support -> Security at Work
- Ongoing security vigilance

What is the Industry Doing to Help?
- VOIPSA's mission is to promote the current state of VoIP security research, VoIP security education and awareness, and free VoIP testing methodologies and tools.
- Membership includes: Mitel, Avaya, Nortel, Siemens, Alcatel, Extreme Networks, etc.
- Now over 100 members on the Technical Board of Advisors
- Committees: Security Requirements, Security Research, Best Practices, Testing
- Public VOIPSEC mailing list for discussion of VoIP security issues: http://www.voipsa.org/voipsec/ (and yes, it's all CAPS)
- VoIP Security Threat Taxonomy released in late 2005
- Next project - industry-wide Best Practices
- http://www.voipsa.org/
So what are the actual threats to IP Telephony?

Understanding IP Telephony Security Threats

Before We Begin
- Nobody is 100 percent secure and never has been!
- Employ best practices from an organization perspective
- Be sensitive to operation and cost
- Security concerns are not new: Mitel offers extensive TDM defenses

Security Challenges
CIA: Confidentiality, Integrity, Availability
- Confidentiality
  - Protect the voice and data stream including call control signaling
  - Prevent eavesdropping on conversations, toll fraud, impersonation
- Integrity
  - Ensure that information is protected from unauthorized modification
  - Prevent discovery of a user, system or application password
- Availability
  - Ensure that communication services are available to users
  - Avoid any adverse effects resulting from a denial of service (DoS) attack or computer worm

Security Aspects of IP Telephony
[Diagram labels: Media / Voice, Management, TCP/IP Network, Call Control, Policy]

The Media Path
Real-Time Protocol (RTP) Packets
Threats:
- Eavesdropping, particularly if over wireless or open Internet (sniffing)
- Degraded voice quality through Denial of Service (DoS) attack
Defense Strategies:
- Encryption of voice path
- WPA, WPA2 for wireless
- VLANs
- Packet filtering
[Network diagram labels: IP phones, Application Servers, SOHO, Call Controller, TDM, IP, Private Enterprise IP Network, Internet, 802.11 wireless, Softphone]

The Signalling Path
SIP, H.323, MiNet
Threats:
- Denial of Service
- Impersonation
- Snooping account codes
- Toll fraud
Defense Strategies:
- Signalling path encryption
- Encrypted desktop load on 3300 ICP
- Proper system programming
[Network diagram labels: IP phones, Application Servers, SOHO, Call Controller, Private Enterprise IP Network, Internet, 802.11 wireless, Softphone]

The Management Path
Examples: Telnet, HTTP, FTP, SNMP, XML, TAPI
Threats:
- Snooping passwords
- Denial of service
- Impersonation
- Monitoring call patterns
- Malicious system modifications
Defense Strategies:
- DoS defenses in network infrastructure
- Changing default passwords
- Ensure physical security
- Authentication - secure port access!
- Secure Socket Layer (SSL)
[Network diagram labels: Application, Remote Service, Internet, Call Controller, Enterprise IP Network, NMS System, Application Server, System Admin]

and Legacy Devices
Analog LS, ISDN, Q.SIG, DPNSS
Threats:
- Toll fraud via public network attack
- Impersonation
- Feature access
Defense Strategies:
- Class of Restriction (COR)
- Class of Service (COS)
- Account Codes
- Trunk Restrictions
- Interconnect Restrictions
[Network diagram labels: IP phones, Application Servers, SOHO, Call Controller, Private Enterprise IP Network, Internet, Analog Gateway, Existing PBX, 802.11 wireless, Analog to IP media and signaling conversion, Softphone]

Mitel Security Solutions

Mitel Security Today
- Secure Voice / Media
- Secure Call Control / Signalling
- Secure Management Interfaces
- Secure against legacy threats
- Secure against common network attacks

Mitel 3300 ICP Encryption
- Encryption across full Mitel desktop portfolio
  - Voice Stream: Secure RTP using 128 bit Advanced Encryption Standard (AES)
  - Call control encrypted using Mitel's Secure MiNet (AES)
- Full support for all current and recent sets
  - Mitel 5201, 5207, 5010, 5020, 5212, 5215, 5220, 5224, 5230, 5235, 5240, Navigator IP Phones
  - Mitel Your Assistant Softphone
- Encryption of signaling and media path between multiple ICPs (clusters)

Secure Management Interfaces
- Web management interfaces for systems and applications implement SSL
- Authenticated access to provisioning, administrative user interfaces
  - Different levels of access with different passwords
- Mitel 7100 Management Access Point: Secure remote admin for VPN or Dial-up access
- XML APIs
  - All traffic encrypted using standard SSL
  - Strong certificate-based authentication required
- Live Business Gateway
  - Uses SSL/TLS-encrypted SIP for communication to Microsoft Live Communication Server

Secure against legacy threats
- Extensive Class of Restriction avoids misuse of communications resources
- Well-proven toll fraud restrictions:
  - Traditional TDM COS/COR
  - Account codes
  - Restrictions on trunk-to-trunk connections
  - SMDR records
  - Ability to flag calls as malicious
  - Feature access restrictions

Secure against common network attacks
- Denial of Service protection within 3300 ICP and desktops
  - Performance may be reduced but system doesn't shut down
  - Sets include micro-firewall and rate throttling to fend off DoS attacks
- Support for VLANs to segregate voice and data traffic
- Core Platform OS, VxWorks, is not susceptible to Windows OS viruses / attacks
- Application operating systems hardened against attack
- Mitel is IP infrastructure agnostic giving our customers choice: HP, Foundry, Cisco, or others
- Set authentication requires unique association of MAC address, IP and user entered PIN registration number
- Set software downloads are encrypted and tamper-proof to ensure sets cannot be spoofed
- Sets in MiNet mode do not include a web browser or other services that can be attacked

Support for 802.1x
- How do you know who is plugging into your network jacks?
- Network device must be authenticated before switch port is opened
- 802.1x Authentication for Desktops
  - Support for Extensible Authentication Protocol (EAP) EAP-MD5 challenge
  - Support for authentication via EAP to a RADIUS (or other similar) server
  - Username and password entered through the phone interface
  - Supported on dual mode 5212, 5215, 5220, 5224, 5235 and Navigator IP Phones

Wireless Security
- Encryption and enhanced authentication for SpectraLink Telephones using Wi-Fi Protected Access (WPA) and WPA2
- WLAN Stand supports WPA, WPA2
- IP-DECT sets (EMEA & AP) include native DECT encryption

Secure traversal of firewalls
- Teleworker Solution allows secure use of remote extension anywhere there is an IP address
- Works with standard Mitel IP sets - no special sets to purchase
[Network diagram labels: Teleworker Solution, 3300 ICP, To legacy systems via Q.SIG, DPNSS, PRI, Your Corporate Network, Integrating with existing corporate firewall, Internet, Home router / NAT / firewall, Home / Remote Office]

SIP Security
- Mitel SIP desktops support Secure RTP
  - Today: dual mode 5212, 5215, 5220, 5224, 5235, Navigator IP Phone
- SIP sets satisfy challenging PROTOS test suite for CERT advisory CA-2003-06 (http://www.cert.org/advisories/ca-2003-06.html)
- Support for traversal of firewalls including STUN
- SSL/TLS-encrypted SIP planned for calendar Q2, 2006
  - Also will support HTTPS and SSL-encrypted telnet
- SIP sets support 802.1x
- SIP trunking in 3300 Rel 7.0 will support SSL/TLS for signaling
- Mitel continually monitors evolving SIP security standards

Protection Beyond Product to Process
- Mitel focus on security
- Broad based internal security team encompassing R&D, test, product management, product support, product verification
- Internal process to ensure compliance with vendor security bulletins (such as Microsoft)
- Escalation process for reported security vulnerabilities
  - Email sent to security@mitel.com
  - Triage by product security team
  - Escalation to appropriate product groups as necessary
  - As needed security advisories posted to www.mitel.com/security
- Ongoing vigilance throughout customer / product lifecycle

Mitel Tools, Contacts, Help

Where to Go for More Information
- http://www.mitel.com/security
  - Advisories, Security white papers, FAQ
- Mitel OnLine Security at Work portal
  - Webinar and customer presentations
  - Security Technology Brief
  - 3300 ICP Security White Paper
  - 3300 ICP Security FAQ
  - 3300 Engineering Guidelines
  - More documents coming soon
- If you have more questions: Engage your SE
- To report a suspected security vulnerability email security@mitel.com

Security Links
- VoIP Security Alliance: http://www.voipsa.org
- Computer Emergency Response Team (CERT): http://www.cert.org/
- U.S. Computer Emergency Readiness Team: http://www.us-cert.gov/
- U.K.'s National Infrastructure Security Coordination Center (NISCC): http://www.niscc.gov.uk
- AUS-CERT: http://www.auscert.org.au/
- Internet Storm Center: http://isc.sans.org/

Mitel Security Solutions Summary

Mitel Security Today
- Secure Voice / Media
- Secure Call Control / Signalling
- Secure Management Interfaces
- Secure against legacy threats
- Secure against common network threats
More information at http://www.mitel.com/security

Thank you
Dan York
Chair, Mitel Product Security Team
dan_york@mitel.com
Report security issues to security@mitel.com

Backup Slides

Addressing Security Threats
[Diagram labels: 3300 ICP, Admin, LAN, WAN / Internet, Apps Server, with attack points marked 1 to 5]
Attack Points
1) Denial Of Service
2) Password Sniffing
3) Eavesdropping
4) Spoofing, Assuming Identity
5) Spoofing, APIs
Security Implementations
1) Hardening of Call Control and OS
2) Implement Secure Socket Layer
3) Employ Encryption of Media Streams
4) Implement SSL on Signaling Streams
5) Authentication with Policy Based Access

Security Threats: Confidentiality
Voice
- Threat: eavesdropping, man-in-the-middle attacks
- Consequences: confidentiality breach between called and calling parties which can be used for personal or company gain
Call Control
- Threat: fraudulent use of telephony resources (toll fraud, impersonation)
- Consequences: increased costs and / or malicious usage
Defense Strategies
- Physical protection (wiring closets, equipment rooms)
- Use of Ethernet switching instead of shared media
- Use VLANs, VPNs where applicable (just like your data network!)
- Encrypt conversations and call control, secure the media stream (SRTP)
- Ensure routing tables, instructions, account codes are well maintained and password protected

Security Threats: Integrity
Passwords
- Threat: discovery of a user, system or application password
- Consequences: unlimited, depending on the role and function of the discovered password
Defense Strategies:
- Change default password, minimum length, enforce periodic change
- Never exchange passwords in clear text
- Password maintenance, delete ex-employees, security codes
- Use SSL for secure communications

Security Threats: Availability
Denial of Service:
- Threat: Teardrop, SMURF or Ping of Death
- Consequences: partial or total loss of telephony or related services
Defense Strategies:
- Rigorous virus updates and OS patches
- Intrusion detection systems
- Protect access from external sources (firewall)
- Limit access from internal sources (firewall)
- Use of 802.1 p/q (VLAN) to isolate and protect voice domain bandwidth from data domain Denial of Service (DoS) floods

802.1X handshake
[Diagram labels: Set, PC, endpoint; LAN Switch; RADIUS Server]
- Exact format unique to each Extensible Authentication Protocol (EAP) method
- EAP-MD5, EAP-TLS, EAP-TTLS, PEAP, EAP-FAST, others
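The EAP-MD5 challenge named on the "Support for 802.1x" slide and in the handshake above, worked through as an added example (not from the original slides and not Mitel code). It follows the MD5-Challenge packet layout of RFC 3748 and the CHAP hash of RFC 1994; the EAPOL and RADIUS encapsulation and the preceding Identity exchange are omitted, and carrying the username in the optional Name field, the account name and the password are assumptions made for the sketch.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748, section 5.4


def build_md5_packet(code, identifier, value, name=b""):
    """Encode an EAP MD5-Challenge Request or Response."""
    body = struct.pack("!BB", EAP_TYPE_MD5_CHALLENGE, len(value)) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_md5_packet(packet):
    """Decode an EAP MD5-Challenge packet, rejecting malformed lengths."""
    if len(packet) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 6 or length > len(packet):
        raise ValueError("EAP Length field does not match the packet")
    eap_type, value_size = packet[4], packet[5]
    if eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    if 6 + value_size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    value = packet[6:6 + value_size]
    name = packet[6 + value_size:length]
    return code, identifier, value, name


def md5_response(identifier, secret, challenge):
    """Response value: MD5(Identifier || secret || challenge), as in CHAP."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def supplicant_answer(request, username, password):
    """Phone side: answer the challenge with the credentials the user entered."""
    code, identifier, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    value = md5_response(identifier, password, challenge)
    # Assumption of this sketch: the username travels in the Name field.
    return build_md5_packet(EAP_RESPONSE, identifier, value, username)


def server_verify(request, response, password_db):
    """RADIUS side: True only if the response matches the stored password."""
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, value, username = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id or username not in password_db:
        return False
    expected = md5_response(req_id, password_db[username], challenge)
    return hmac.compare_digest(value, expected)


def demo():
    # Constructed sample account; not a real credential.
    db = {b"ext-2001": b"constructed-sample-pass"}
    request = build_md5_packet(EAP_REQUEST, 7, os.urandom(16), b"radius.example")
    good = supplicant_answer(request, b"ext-2001", db[b"ext-2001"])
    bad = supplicant_answer(request, b"ext-2001", b"wrong-guess")
    return server_verify(request, good, db), server_verify(request, bad, db)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

RFC 3748 lists MD5-Challenge as providing neither mutual authentication nor key derivation, so in this exchange the switch and RADIUS server are never authenticated to the phone.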

How Can VLANs Solve My Security Problems?
[Diagram labels: Switch, Switch, Green VLAN (data VLAN), Black VLAN (aka Voice VLAN), Virus permeates network]

A Few Security Terms
- Denial of Service (DoS)
  - Repetitive attacks that limit normal access to services
- Spam for Internet Telephony (SPIT)
- Worm
  - Move through a network quickly from device to device
  - Both intranet and Internet
- Virus
  - Attached to a program and propagates when that program is executed
  - Replication and activation
- Trojan horse
  - Viruses and worms hide in other programs, hence the name
- Spoofing
  - Changing your MAC or IP address to impersonate another device
- Phishing

Security Considerations of CX vs CXi Platforms
- CXi provides internal switch and firewall
  - Integrated package
  - VLAN support upon initial release (SX-200 ICP VLAN support will follow)
  - Can use either internal firewall or firewall of choice
  - Position for smaller organizations or standalone sites
- CX Controller package requires external switch
  - Add switch and firewall to suit architecture requirements
  - Position for organizations with strong security focus
[Image label: Mitel 3300 CXi Controller]