
Real-time Communications Security and SDN (UM Labs, 2016)

Securing the new generation of communications applications, those delivering real-time services including voice, video and Instant Messaging, is a challenge. Enterprises and service providers working with network infrastructures and cyber security policies designed for data-driven applications are feeling this challenge. To add to it, two new technologies, Network Function Virtualisation (NFV) and Software Defined Networking (SDN), are now being deployed to support ever-growing bandwidth requirements. Will adding these technologies to networks that already struggle to secure the current generation of applications push the goal of effective cyber security even further away, or can they bolster security for Unified Communication services?

The Evolution of Real-Time Communications (VoIP, UC, IoT)

For the last 15 or more years, real-time communication services, voice and video calls plus Instant Messaging (IM), have undergone a rapid and dramatic evolution. It started when PBX vendors realised that adopting IP networking as the basis of their core products let them enhance those products and deliver new features more quickly. This triggered a range of IP-PBX products that used IP networking to connect handsets to a PBX at the same location. At this stage telephony services were still provided over ISDN connections, so the benefits stopped at the enterprise network boundary. The next evolutionary step was the introduction of SIP trunks, which use IP networking to deliver a company's phone service. This enabled a greater range of services at lower cost. A new set of service providers emerged, Internet Telephony Service Providers, whose agility let them introduce new Voice over IP (VoIP) services and win business that would traditionally have gone to the incumbent telco. The evolution did not stop there.
VoIP services have now matured into Unified Communication (UC) services, combining a range of applications into a single integrated communication service. While the communication services have developed, the necessary parallel development of security services has not. A significant percentage of operational VoIP and UC systems run with a security model that was appropriate when telephony was provided by national telecom carriers over private networks. Today, VoIP and UC services operate over IP networks, including the public Internet. The trust models of the Internet and of traditional telecom networks are radically different. The inevitable result is that VoIP and UC networks and their applications are under constant attack, and a significant number of systems are falling victim. The consequences include expensive call fraud, loss of service, leakage of confidential information and failure to meet legal data protection and compliance requirements.

Page 2 of 9

If the risk of fraudulent calls racking up tens of thousands of dollars in charges is not a board-level problem, then the potential fines imposed by data protection authorities for a security breach certainly are. There have been some attempts to address the VoIP and UC security challenge. In the early 2000s a new product category emerged: the Session Border Controller (SBC). Although SBCs were a good effort at the time, they owe too much to the telecom security model built around SS7 infrastructure and not enough to the Internet security model. As evidence of this, UM Labs has audited a number of VoIP and UC deployments running well-known brands of SBC and has found that the security provided falls short on several counts, below the level necessary to operate safely on an IP network. Observed problems include:

- SBCs providing no effective security beyond a simple source IP address check, which a $50 router can offer.
- SBCs, application gateways and proxy gateways all failing to implement layered security: as deployed, there is no interaction between the network, application and content levels, so even the basic source IP address control can be circumvented.
- SBCs allowing remote users to connect to an enterprise IP-PBX and make calls without positively identifying and authenticating the user.
- SBCs failing to detect and block a call fraud attack.
- SBCs unable to provide encryption to protect the confidentiality of calls and, as a consequence, failing to meet legal compliance requirements.

The Need for a Paradigm Shift

UM Labs was founded to develop new technologies for securing real-time communications, including VoIP and UC systems. It quickly became apparent that the evolutionary approach that had driven the development of UC applications would not deliver an effective security solution. What was needed was a paradigm shift: a new approach to securing VoIP and UC applications.
This approach had to recognise the impact of the Internet security model on real-time communications. The architecture adopted by UM Labs is based on many years of experience in designing and building IP security products for data applications, while recognising the constraints imposed by the real-time nature of VoIP and UC.

It was also apparent that an effective security platform had to operate within a changing network environment. Data centre technology was moving away from racks full of dedicated hardware and embracing virtualisation, which created the need to manage service operation within the virtualised environment. Software Defined Networking (SDN) became the solution to this problem. To quote TechTarget: "Software-defined networking (SDN) is an umbrella term encompassing several kinds of network technology aimed at making the network as agile and flexible as the virtualized server and storage infrastructure of the modern data centre. The goal of SDN is to allow network engineers and administrators to respond quickly to changing business requirements." SDN and its companion technology Network Function Virtualisation (NFV), which runs network functions as software on general-purpose hardware, were conceived to let networks scale and change as fast as the demand for bandwidth grows. VoIP and UC service providers, and enterprises deploying these services, clearly need the benefits of SDN. To build an effective set of security controls for VoIP and UC applications, UM Labs has adopted a software architecture that delivers the level of security needed by a set of applications which evolved from a telecom-oriented service and must now operate safely within the Internet trust model. The same architecture is aligned to the SDN deployment model.

UM Labs Architecture

The UM Labs real-time communications security platform is built on a layered architecture. The foundation is a hardened operating system configured to run on all popular virtualisation hosts and cloud services. This foundation provides an environment for a set of multi-level security controls. The security platform is controlled by a management layer, which provides a set of management interfaces. The foundation layer and the management layer combine to enable the platform to operate within an SDN environment.

[Figure: the UM Labs platform stack, top to bottom: SDN Interfaces, Management Layer, Content Security Layer, Application Security Layer, Network Security Layer, Hardened Operating System; the platform runs on a virtualisation host or cloud service.]

Secure Foundation

A secure foundation is essential for any security system. The UM Labs platform is built on a hardened Linux operating system using design principles derived from building generic IP firewalls and application security systems. These design principles conform to the security constraints that a Common Criteria EAL4 evaluation would impose. The Common Criteria scheme is an international security certification scheme; in the USA it is administered by NIAP, a joint venture between the NSA and NIST. EAL4 is applicable in those circumstances where developers or users require a moderate to high level of independently assured security.

The platform's underlying operating system is configured for deployment on all popular virtualisation host operating systems and cloud services. The platform takes advantage of supporting services provided by the host environment, obtaining essential operating parameters such as network interface configuration details from that environment.

Layered Security

The security threats facing real-time communications (VoIP and UC systems) are multi-levelled. Securing those systems requires multi-levelled security technology.

Network level security addresses the IP level threats faced by all IP-connected applications and systems. The need for IP network security for data applications is well established: there is a whole industry devoted to developing data firewalls to protect against threats at this level. VoIP and UC applications run on the same IP networks as data applications and therefore need the same protection. The security threats at the IP network level include:

- Denial of Service (DoS) attacks and distributed DoS attacks
- Flooding attacks
- Malformed packet attacks
- Port scanning and service enumeration attacks

DoS attacks, attacks designed to disrupt a network service, are a growing problem. Businesses with an Internet presence are a common target, and the attack can be motivated by political protest or by financial gain. The obvious question is: if firewalls are designed to protect data applications from DoS attacks, can they do the same for real-time communication (VoIP and UC) applications? The answer is no, because the protocols used for VoIP and UC are not firewall friendly. Configuring a firewall to handle SIP and the related protocol that carries the audio and video streams of a call, the Real-time Transport Protocol (RTP), means opening a large UDP port range, because the RTP ports are negotiated per call in the SDP body of the SIP signalling rather than fixed in advance. This reduces the firewall's security to a level that a competent firewall administrator would not want to apply. Most general-purpose firewalls offer a SIP application layer gateway (ALG) that tries to track the negotiated ports, but ALGs rewrite signalling and are a well-known cause of broken calls, which is why they are so often disabled.
The only effective way to implement the necessary IP security controls is as part of a comprehensive real-time communication (VoIP and UC) security product.

Application level security controls threats aimed directly at the VoIP, video and IM (UC) protocols and applications. The complexity of these protocols means that there is a long list of potential threats, which can be combated only by a range of security controls directed at the application level. In UC terms this means targeting security controls at the protocol messages responsible for functions such as tracking the status of connecting devices and managing calls. The security threats at the application level include:

- Denial of Service (DoS) attacks and distributed DoS attacks
- Flooding attacks
- Malformed message attacks
- Directory harvesting attacks
- Authentication attacks
- Call fraud attacks
- Protocol violation attacks

DoS attacks at the application level include flooding attacks, where the targeted system is swamped with requests, and also more subtle attacks where smaller numbers of invalid messages are sent with the aim of disrupting a service.

Content level security protects the content delivered by UC applications. This includes voice and video calls, text and other content delivered via Instant Messaging, and meta-content such as presence information indicating the availability of colleagues. All of these content types are potential attack targets. The most obvious attack is eavesdropping: listening in on voice and video calls, or monitoring presence data to gather information on the identity of users. There are also a number of more subtle attacks, including:

- Media injection (replacing or disrupting voice or video streams)
- Media level denial of service attacks
- Call hijacking attacks (taking over one leg of an established call)
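As an added example (not code from UM Labs or from this paper), the following Python shows what a content-level control against media injection and call hijacking looks like at the packet level: an RTP header parser, a per-call guard that rejects packets whose SSRC or sequence number does not belong to the established stream, and, where the call uses SRTP (RFC 3711), verification of the 80-bit HMAC-SHA1 authentication tag. The tag check is the one that actually defeats injection: an attacker who cannot produce the tag cannot have a forged packet accepted, whereas the SSRC and sequence checks on plain RTP are heuristics that a well-informed attacker can satisfy. The session authentication key is supplied directly here (the RFC derives it from the master key with AES-CM, which is omitted), the payload is left unencrypted for brevity since the tag computation is the same either way, and all packets are constructed for the example.

```python
"""RTP stream guard with SRTP (RFC 3711) authentication-tag verification.

Added example; the session auth key is assumed to be already derived.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

SRTP_TAG_LEN = 10    # 80-bit truncated HMAC-SHA1, the RFC 3711 default
MAX_SEQ_JUMP = 100   # larger forward jumps are treated as injected media


@dataclass(frozen=True)
class RtpHeader:
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int


def parse_rtp_header(pkt):
    """Decode the fixed 12-byte RTP header (RFC 3550); CSRC list and extensions are ignored."""
    if len(pkt) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return RtpHeader(b1 & 0x7F, seq, ts, ssrc)


def build_rtp(seq, ts, ssrc, payload, pt=0):
    """Construct a plain RTP packet (V=2, no padding/extension/CSRC, marker clear)."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


def srtp_auth_tag(auth_key, authenticated_portion, roc=0):
    """RFC 3711 4.2: HMAC-SHA1 over header + (encrypted) payload + 32-bit ROC, truncated."""
    mac = hmac.new(auth_key, authenticated_portion + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:SRTP_TAG_LEN]


def verify_srtp(auth_key, srtp_pkt, roc=0):
    """Constant-time check of the trailing authentication tag."""
    if len(srtp_pkt) < 12 + SRTP_TAG_LEN:
        return False
    body, tag = srtp_pkt[:-SRTP_TAG_LEN], srtp_pkt[-SRTP_TAG_LEN:]
    return hmac.compare_digest(srtp_auth_tag(auth_key, body, roc), tag)


class StreamGuard:
    """One instance per media direction of a call. Accepts a single SSRC and a
    bounded sequence advance; with an auth key it also requires a valid SRTP tag."""

    def __init__(self, auth_key=None):
        self.auth_key = auth_key
        self.ssrc = None
        self.last_seq = None

    def check(self, pkt):
        if self.auth_key is not None and not verify_srtp(self.auth_key, pkt):
            return "reject: bad SRTP auth tag"
        hdr = parse_rtp_header(pkt)
        if self.ssrc is None:                        # first packet pins the stream
            self.ssrc, self.last_seq = hdr.ssrc, hdr.seq
            return "accept"
        if hdr.ssrc != self.ssrc:
            return "reject: unexpected SSRC"
        delta = (hdr.seq - self.last_seq) & 0xFFFF   # 16-bit wrap-around
        if delta == 0 or delta > MAX_SEQ_JUMP:
            return "reject: sequence anomaly"
        self.last_seq = hdr.seq
        return "accept"


if __name__ == "__main__":
    key = b"\x00" * 20                               # constructed session auth key
    guard = StreamGuard(key)
    good = build_rtp(1000, 160, 0x1234ABCD, b"\x00" * 20)
    print(guard.check(good + srtp_auth_tag(key, good)))
    forged = build_rtp(1001, 320, 0x1234ABCD, b"\xff" * 20) + b"\x00" * SRTP_TAG_LEN
    print(guard.check(forged))
```

In a real deployment the guard sits on the media relay (the SBC or media security layer), and a rejection at this level is the kind of event that should be fed back to the network level as a block on the offending source rather than silently dropped.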

System Management and SDN

The system management layer provides multiple interfaces for installing, configuring and monitoring the UM Labs platform. The primary interfaces are a REST API for configuring and monitoring the platform's real-time communication (VoIP and UC) security policy, and integrated SDN support to simplify deployment and strengthen the security controls. The UM Labs real-time communication security platform is a complete software package including a hardened operating system and the layered security controls needed to protect VoIP and UC application systems and to ensure that those systems operate within current compliance regulations. The platform runs in all popular virtualisation environments and cloud services. Integrated SDN support means that instances of the platform can be installed on demand, each instance using SDN functions, or the equivalent functions of the cloud service hosting it, to map the network environment and apply the appropriate configuration.

The UM Labs platform extends the use of SDN beyond simple deployment management. The platform works by detecting security threats and taking the appropriate blocking action. Threat detection and blocking are implemented at multiple levels, and in many cases the most efficient place to block a threat is at a lower level than the one at which it was detected. For example, a call fraud attack can only be detected at the application level, by inspecting the signalling, but the most efficient blocking mechanism is to instruct the network security layer to drop further traffic from the source. The UM Labs platform includes this feedback between threat detection and blocking action at all three security levels, and SDN allows the feedback to be extended into the cloud.
When a threat is detected, the UM Labs platform can use SDN technology, via protocols such as OpenFlow, to instruct other network components or systems to block the source of the detected threat. The UM Labs security architecture for real-time communication (VoIP and UC) applications, a new design based on IP security principles that implements layered security controls as a cloud-deployable software platform, is therefore a natural fit for SDN. UM Labs maximises the benefits of SDN by using it to simplify deployment and by using SDN functions to ensure that other components in the network are configured to supplement the security of all real-time communication (VoIP and UC) applications.
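As an added example (not UM Labs code, and not a description of the platform's actual REST or SDN interfaces), the following Python sketches the two mechanisms described above: application-level detection of the directory harvesting, authentication and call fraud attacks listed under application level threats, and the feedback of each detection to the network level as an OpenFlow-style drop rule of the kind an SDN controller could push to upstream switches. It runs over constructed SIP signalling log lines. The log format, the thresholds, the premium-rate prefix list and the flow-rule dictionary layout are all assumptions made for this example and would be tuned per deployment.

```python
"""Application-level SIP threat detection with network-level blocking feedback.

Added example; the event format, thresholds and rule layout are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of SIP signalling events as an SBC or proxy might log them:
# unix time, source IP, method, From user, To user, final response code.
SAMPLE_EVENTS = """\
1700000000 203.0.113.9 REGISTER alice alice 401
1700000000 203.0.113.9 REGISTER alice alice 200
1700000001 203.0.113.9 INVITE alice bob 200
1700000001 198.51.100.7 REGISTER 1001 1001 404
1700000001 198.51.100.7 REGISTER 1002 1002 404
1700000002 198.51.100.7 REGISTER 1003 1003 404
1700000002 198.51.100.7 REGISTER 1004 1004 404
1700000003 198.51.100.7 REGISTER 1005 1005 404
1700000010 192.0.2.44 REGISTER 2001 2001 401
1700000011 192.0.2.44 REGISTER 2001 2001 403
1700000012 192.0.2.44 REGISTER 2001 2001 403
1700000013 192.0.2.44 REGISTER 2001 2001 403
1700000014 192.0.2.44 REGISTER 2001 2001 403
1700000020 192.0.2.80 INVITE 2007 00882123456789 200
1700000025 192.0.2.80 INVITE 2007 00882123456790 200
1700000031 192.0.2.80 INVITE 2007 00883123456701 200
"""

WINDOW = 60            # seconds of signalling considered together
HARVEST_MIN_USERS = 5  # distinct unknown users probed from one address
AUTH_FAIL_MIN = 5      # 401/403 on REGISTER; a legitimate client sees one 401 per registration
FRAUD_MIN_CALLS = 3    # calls to premium-rate destinations from one address
PREMIUM_PREFIXES = ("00882", "00883", "001900")  # assumed list; tune per deployment


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    method: str
    from_user: str
    to_user: str
    code: int


@dataclass(frozen=True)
class Threat:
    src: str
    kind: str
    detected_at: str = "application"


def parse_events(text):
    """Parse the whitespace-separated event lines into time-ordered Events."""
    events = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, src, method, fu, tu, code = line.split()
            events.append(Event(int(ts), src, method, fu, tu, int(code)))
    return sorted(events, key=lambda e: e.ts)


def _windows(events):
    """Yield every WINDOW-second slice of one source's time-sorted events."""
    for i, first in enumerate(events):
        yield [e for e in events[i:] if e.ts - first.ts <= WINDOW]


def detect(events):
    """Return the application-level threats found, one per (source, kind)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    threats = set()
    for src, evs in by_src.items():
        for win in _windows(evs):
            unknown = {e.to_user for e in win if e.code == 404}
            if len(unknown) >= HARVEST_MIN_USERS:
                threats.add(Threat(src, "directory-harvest"))
            auth_fail = sum(1 for e in win if e.method == "REGISTER" and e.code in (401, 403))
            if auth_fail >= AUTH_FAIL_MIN:
                threats.add(Threat(src, "auth-bruteforce"))
            premium = sum(1 for e in win
                          if e.method == "INVITE" and e.to_user.startswith(PREMIUM_PREFIXES))
            if premium >= FRAUD_MIN_CALLS:
                threats.add(Threat(src, "call-fraud"))
    return sorted(threats, key=lambda t: (t.src, t.kind))


def block_action(threat):
    """Feedback to the network level: an OpenFlow-style rule dropping the source.

    Match field names follow OpenFlow 1.0 conventions; the dictionary layout is
    this example's own, not any controller's API. An empty action list drops.
    """
    return {
        "enforced_at": "network",
        "priority": 1000,
        "match": {"dl_type": 0x0800, "nw_src": f"{threat.src}/32"},
        "actions": [],
        "idle_timeout": 600,
        "reason": threat.kind,
    }


if __name__ == "__main__":
    for t in detect(parse_events(SAMPLE_EVENTS)):
        print(t, "->", block_action(t))
```

Two design points carry over to any real implementation: the authentication rule counts repeated challenges rather than treating a single 401 as a failure, because one 401 per registration is normal SIP digest behaviour; and the block rule carries an idle timeout, so that a source blocked on the strength of a heuristic is released automatically once it goes quiet instead of requiring an operator to clean up.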

European regulatory authorities that oversee service providers have stated clearly that security within the SDN paradigm is a challenge, because all layers, sub-layers and components need to communicate according to strict security policies. Some of the new challenges in protecting SDN stem from the main features of the paradigm itself: centralisation, abstraction and programmability. Work is under way to improve the trust between third-party applications and the controller, to provide better cross-domain connection, to isolate traffic and resources correctly, and to integrate and improve compatibility with legacy protocols. UM Labs' design follows a bottom-up approach: the threats that exploit traditional network components are assessed first and then extrapolated to the assumed SDN/NFV levels. UM Labs has by design implemented a rules-based stack that works with SDN and the seven-layer OSI model, so the design does not rely on a single-layer control in the hope that virtualisation will deliver an integrated approach.