Securing UC Borders with Acme Packet

Published on

Slides from webinar offered by Acme Packet and the SIP School on securing unified communications borders with Acme Packet. To watch recorded webinar or download slides, visit : http://tiny.cc/securingUC

Published in: Technology, Business

Transcript

  • 1. February 2012. Securing your Unified Communications Borders with Acme Packet, in association with The SIP School. Presenters: Patrick McNeil, CISSP, Acme Packet Premium Services; Graham Francis, CEO, The SIP School.
  • 2. The SIP School
    • Founded in April 2000
    • 5500+ students
    • Provides the industry-recognised SSCA® SIP Certification program, endorsed by the TIA and more
    • eLearning in modular format
    • Unique in that the content evolves as SIP evolves
    • Connected with Acme Packet to provide SIP foundation training
    • http://www.thesipschool.com / Discount codes later
    • Now let's start by looking at the challenges in securing unified communications.
  • 3. The Unified Communications security challenge: adopt enterprise-wide IP communications to improve collaboration and productivity... all without increasing your risk profile.
  • 4. Unified Communications services are a prominent target
    • October 2010 - SIPVicious port 5060 scans lead to €11 million loss
    • March 2011 - Romania - former employee held - forged VoIP PINs created
    • May 2011 - Hudson County, New Jersey man pleads guilty to $4.4 million VoIP fraud scheme
    • November 2011 - Philippine phone phreakers arrested after defrauding AT&T out of $2 million to fund terrorists
  • 5. UC services are an easy target
    • IP networks are inherently insecure – developed without security in mind
    • Organizations rely on IP networks to conduct business – multimodal communications are difficult to control
    • Confidential information is freely exchanged by users who don't understand how it is transmitted
  • 6. Cybercrime is organized
    • Knowledge, tools and techniques are shared openly
    • May have goals motivated by politics or profit
    • Commoditized sale of both the tools and the results of the trade: computing time on a botnet; "fake" calling cards; long-distance calling with disposable phones; number hijacking; toll / international bypass
  • 7. What are the threats?
  • 8. How are UC services established? Items in red might reveal sensitive information. (The slide labels the header block "signaling", the body "SDP" and the m= line "Media description".)
    INVITE sip:15559191212@serviceprovider.com SIP/2.0
    Via: SIP/2.0/UDP 10.1.3.3:5060;branch=z9hG4bKb27061747269636b
    From: "JConnor" <sip:15554141337@10.1.3.3:5060>;tag=18de4db33f
    To: "15559191212" <sip:15559191212@serviceprovider.com>
    Call-ID: 19424e0d9187654209ed34db33f
    CSeq: 1 INVITE
    Max-Forwards: 70
    User-Agent: BigTelcoVendor/R16.4.1.1 SIP
    Supported: 100rel,timer,replaces,join,histinfo
    Allow: INVITE,CANCEL,BYE,ACK,NOTIFY,REFER,OPTIONS,INFO,PUBLISH
    Contact: "JConnor" <sip:15554141337@10.1.3.3:5060;transport=udp>
    Content-Type: application/sdp
    Content-Length: 165

    v=0
    o=- 1 1 IN IP4 10.1.3.3
    s=-
    c=IN IP4 10.1.3.3
    b=AS:64
    t=0 0
    m=audio 19001 RTP/AVP 0 127
    a=rtpmap:0 PCMU/8000
    a=rtpmap:127 telephone-event/8000
  • 9. How are your services targeted? The OSI model layers:
    • Application – voice or video devices, chat, session recording, web-integrated real-time communications applications
    • Presentation – CODECs (DSP)
    • Session – SIP, H.323, MGCP, H.248, TLS (signaling); RTP, RTCP (media). These are the session delivery targets.
    • Transport – TCP, UDP, SCTP
    • Network – IPv4, IPv6, NAT, IPsec
    • Data Link – data link technology that supports the transport of IP
    • Physical – physical technology that supports the transport of data link frames
    Exploits focused at the middle layers of the OSI model tend to get around traditional security implementations, since the whole point is to allow services.
  • 10. The penetration campaign
    • Reconnaissance and enumeration – port scanning, information gathering, OS fingerprinting, service detection
    • Attack – gaining access, maintaining access, covering tracks
    • Initial phases of an organized attack can easily go undetected
    • Stopping or making the early phases of an attack difficult can avoid service outage or fraud
  • 11. What are the threats? Threat – potential result:
    • Reconnaissance scan – preparation for targeted denial of service, fraud, or theft of service
    • Session overloads – denial of service
    • Protocol fuzzing – denial of service
    • SPAM over Internet Telephony (SPIT) – targeted denial of service, fraud, breach of privacy
    • Call interception or session hijacking – targeted denial of service, breach of privacy, fraud, theft
    • Eavesdropping – breach of privacy, fraud, theft
    • Media injection – denial of service, fraud, theft
  • 12. Which threats are seen the most? Overload: resource consumption, availability disruption. (Diagram: DoS/DDoS from attackers on the Internet or internal, or unintentional overload, arriving via the SIP provider or the internal network.)
  • 13. Which threats are seen the most? Theft of services / fraud: large phone bills, investigation costs. (Diagram: attackers on the Internet or internal reach a premium rate center via the SIP provider or the internal network.)
  • 14. Which threats are seen the most? SPAM / SPIT: nuisance, social engineering. (Diagram: external attackers via the Internet / SIP provider, plus an internal threat on the internal network.)
  • 15. Not as much... "Man in the middle": session hijacking, media injection, eavesdropping. (Diagram: an attacker with remote control of a host, via the Internet / SIP provider, or an internal threat.)
  • 16. A simple example using SIPVicious
    I just went to your website and got the phone numbers for HR, Support, Investor Relations, etc., and they all seem to end with 1xxx...
    Scan the IP range registered to your company as reported by ARIN:
    root@bt:/pentest/voip/sipvicious# ./svmap.py -p5060-5061 192.168.133.0/24
    | SIP Device | User Agent | Fingerprint |
    | 192.168.133.128:5060 | Asterisk PBX | Asterisk / SJphone/1.60.289a (SJ Labs) |
    Enumerate extensions...
    root@bt:/pentest/voip/sipvicious# ./svwar.py -e1000-9999 192.168.133.128
    | 1005 | reqauth |
    | 1004 | reqauth |
    | 1003 | reqauth |
    | 1002 | noauth |
    | 1001 | reqauth |
    We got one extension without a password! It must be misconfigured.
    Look for numeric passwords for another extension...
    root@bt:/pentest/voip/sipvicious# ./svcrack.py -u1001 -r1000-999999 192.168.133.128
    | Extension | Password |
    | 1001 | 1234 |
    Now just register a couple of soft phones and make free calls!
  • 17. BUT, wasn't analog TDM safer? NO! We still saw: eavesdropping, media injection, caller impersonation, toll fraud, physical attacks.
  • 18. How does Acme Packet secure Unified Communications services?
  • 19. Net-Net E-SBCs control and secure network borders. (Diagram: the E-SBC sits between the service provider and the enterprise's IP telephony, conferencing, CRM, telepresence and contact center services.)
    • Strong security – network border protection, privacy
    • Easy interoperability – SIP interoperability, protocol interworking
    • Assured reliability – quality user experience, resilient services
  • 20. Net-SAFE™ Session-Aware Filtering & Enforcement
    • Hardware & software DoS/DDoS prevention
    • Hardware-accelerated encryption & authentication
    • Dynamic and static access control lists
    • Protocol enforcement and interoperability
    • Topology hiding and NAT
    • Session overload protection (upstream/downstream)
    • Regulatory compliance / legal intercept to recorder
    • Fraud prevention / endpoint trust management
    • Routing, high availability and load balancing
    (Diagram: processing stages – HW DoS policy + ACLs, SW DoS policy, Routing / Session Management Availability, Destination Threshold Management, Endpoint Trust Management, Discard.)
  • 21. Confidentiality (of the confidentiality / integrity / availability security triad): ensure that information is not disclosed to unauthorized parties.
  • 22. Remove identifying data: obscure the internal structure of your network and services so attackers don't know what or how to attack
    • Back to Back User Agent (B2BUA) – terminates and re-originates all sessions so we can manipulate them
    • Topology Hiding – modify or strip signaling message parts that might reveal your internal network or telephony topology
    Before the SBC: From: JConnor @ my desk; To: Customer; Via: My PBX; Route: PBX, SBC; Phone: Brand X Desk Phone, software version x.y.z.1; Send Audio: To my phone; Vendor Specific: Location
    After the SBC: From: CorpUser @ SBC; To: Customer; Via: SBC; Route: SBC; Send Audio: To SBC
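The B2BUA and topology-hiding steps of slides 8 and 22 can be shown in a small Python script. This is an added example, not code from the slides or from Acme Packet: it parses a copy of the slide 8 INVITE, reports which headers and SDP fields carry enterprise-internal addresses or vendor/version strings, and then re-originates the request from the SBC's own addresses, which is what the "After the SBC" column on slide 22 shows. The internal address ranges, the SBC outside addresses (RFC 5737 documentation addresses used as placeholders), the header list and the helper names are all assumptions.

```python
import ipaddress
import re

# Constructed copy of the INVITE shown on slide 8 (not captured traffic).
SAMPLE_INVITE = (
    "INVITE sip:15559191212@serviceprovider.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.3.3:5060;branch=z9hG4bKb27061747269636b\r\n"
    'From: "JConnor" <sip:15554141337@10.1.3.3:5060>;tag=18de4db33f\r\n'
    'To: "15559191212" <sip:15559191212@serviceprovider.com>\r\n'
    "Call-ID: 19424e0d9187654209ed34db33f\r\n"
    "CSeq: 1 INVITE\r\n"
    "Max-Forwards: 70\r\n"
    "User-Agent: BigTelcoVendor/R16.4.1.1 SIP\r\n"
    "Supported: 100rel,timer,replaces,join,histinfo\r\n"
    "Allow: INVITE,CANCEL,BYE,ACK,NOTIFY,REFER,OPTIONS,INFO,PUBLISH\r\n"
    'Contact: "JConnor" <sip:15554141337@10.1.3.3:5060;transport=udp>\r\n'
    "Content-Type: application/sdp\r\n"
    "Content-Length: 165\r\n"
    "\r\n"
    "v=0\r\no=- 1 1 IN IP4 10.1.3.3\r\ns=-\r\nc=IN IP4 10.1.3.3\r\nb=AS:64\r\nt=0 0\r\n"
    "m=audio 19001 RTP/AVP 0 127\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:127 telephone-event/8000\r\n"
)

# Assumed enterprise-internal ranges and hypothetical SBC outside addresses (RFC 5737 placeholders).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SBC_SIG_ADDR = "203.0.113.10:5060"
SBC_MEDIA_IP = "203.0.113.11"
SBC_MEDIA_PORT = 20000
STRIP_HEADERS = {"user-agent", "server", "organization"}   # vendor / version leaks
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_internal(ip):
    """True when a dotted quad falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_sip(raw):
    """Split a SIP request into (request line, [(name, value)], body). No header folding."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_leaks(raw):
    """Return (field name, value) pairs that reveal internal topology or vendor details."""
    _, headers, body = parse_sip(raw)
    leaks = []
    for name, value in headers:
        if name.lower() in STRIP_HEADERS or any(is_internal(ip) for ip in IP_RE.findall(value)):
            leaks.append((name, value))
    for line in body.split("\r\n"):
        if line[:2] in ("o=", "c=") and any(is_internal(ip) for ip in IP_RE.findall(line)):
            leaks.append((line[:1], line[2:]))
    return leaks


def hide_topology(raw, display="CorpUser"):
    """B2BUA-style rewrite: terminate the inside leg and re-originate it from the SBC."""
    request_line, headers, body = parse_sip(raw)
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in STRIP_HEADERS:
            continue                                   # strip vendor/version headers entirely
        if lname == "via":                             # the outside leg is a new transaction
            value = "SIP/2.0/UDP %s;branch=z9hG4bK-sbc-1" % SBC_SIG_ADDR
        elif lname == "from":                          # keep number and tag, hide name and host
            user = re.search(r"sip:([^@]+)@", value).group(1)
            tag = re.search(r";tag=(\S+)", value).group(1)
            value = '"%s" <sip:%s@%s>;tag=%s' % (display, user, SBC_SIG_ADDR, tag)
        elif lname == "contact":                       # replies must come back to the SBC
            user = re.search(r"sip:([^@]+)@", value).group(1)
            value = "<sip:%s@%s;transport=udp>" % (user, SBC_SIG_ADDR)
        out.append((name, value))
    new_lines = []
    for line in body.split("\r\n"):
        if line.startswith("o="):
            line = IP_RE.sub(SBC_MEDIA_IP, line)       # media is relayed by the SBC
        elif line.startswith("c="):
            line = "c=IN IP4 %s" % SBC_MEDIA_IP
        elif line.startswith("m=audio "):
            parts = line.split(" ")
            parts[1] = str(SBC_MEDIA_PORT)
            line = " ".join(parts)
        new_lines.append(line)
    new_body = "\r\n".join(new_lines)
    # The body changed, so the advertised length must be recomputed.
    out = [(n, str(len(new_body.encode()))) if n.lower() == "content-length" else (n, v)
           for n, v in out]
    return request_line + "\r\n" + "\r\n".join("%s: %s" % h for h in out) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    for name, value in find_leaks(SAMPLE_INVITE):
        print("leak: %s: %s" % (name, value))
    print(hide_topology(SAMPLE_INVITE))
```

On the sample, find_leaks flags Via, From, Contact, the User-Agent header and the SDP o= and c= lines, which is exactly the set the slide paints red; after hide_topology none of them remain and the Content-Length matches the rewritten body. A real SBC also rewrites Record-Route/Route, handles folded headers and allocates media ports per call; this script only shows the principle.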
  • 23. Authorize and encrypt for privacy and control. Signaling or media traffic going across an untrusted network should be encrypted to avoid eavesdropping or hijacking, and to assure message integrity
    • Fast hardware-accelerated encryption
    • Encryption specified on a boundary-by-boundary basis
    • Can ensure non-repudiation
    (Diagram: an enterprise private network with campus and branch sites; a legitimate session crosses the Internet as a TLS-encrypted session, with a sniffing attacker on the path.)
  • 24. Integrity (of the confidentiality / integrity / availability security triad): data and systems are not modified or used maliciously or accidentally.
  • 25. Assure message integrity: verify the integrity of signaling and media that enters your network to prevent service disruption
    • Attacks are dropped at the network processor and won't impact the CPU or memory
    • Signaling is decomposed and analyzed for validity against RFC requirements
    (Diagram: E-SBC architecture – host-based software: UAS/UAC, session control function, routing, protocol manipulation, policing engine, parser; embedded software on the network processor: traffic manager, classifier, media control function, signaling, encryption, network interface.)
  • 26. Prevent fraudulent calls: monitor violations of call thresholds to spot misbehaving hosts, and analyze call detail records to detect fraud patterns
    • Routing rules can refuse traffic to premium or fraudulent rate centers
    • SNMP traps to the management station indicate potential abuse
    • Call Detail Record (CDR) feeds can be sent "off box" for analysis, including metrics for call quality
    (Diagram: attacker, SBC and management station.)
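Slide 26 describes sending CDR feeds off box and analysing them for fraud patterns. The Python example below is added here and is not Acme Packet's code or a real CDR format: it runs a few detection rules over a constructed CDR sample, using extension 1002 (the one slide 16 found registered without authentication) as the misbehaving caller. The CSV layout, the premium-rate prefix, the international access prefix, the business-hours window, the per-hour burst limit and the MOS threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed CDR sample, not real records. One row per completed call.
SAMPLE_CDR = """start,extension,dialed,duration_s,mos
2012-02-14 09:05:00,1004,15552223333,180,4.2
2012-02-14 09:40:00,1004,15554445555,60,4.1
2012-02-14 02:10:00,1002,0114476012345678,600,3.9
2012-02-14 02:12:00,1002,0114476012345679,540,3.8
2012-02-14 02:14:00,1002,0114476012345680,580,3.9
2012-02-14 02:15:00,1002,0114476012345681,520,4.0
2012-02-14 02:16:00,1002,0114476012345682,610,3.9
2012-02-14 02:18:00,1002,0114476012345683,590,3.8
2012-02-14 14:30:00,1005,19005551234,300,4.1
2012-02-14 15:00:00,1003,15556667777,45,2.4
"""

# Hypothetical policy values; a real deployment takes these from its dial plan and SLA.
PREMIUM_PREFIXES = ("1900",)      # rate centers the organisation has declared premium
INTL_PREFIX = "011"               # international access code from a North American plan
BUSINESS_START, BUSINESS_END = 7, 20   # local hours during which international calls are expected
BURST_LIMIT = 5                   # more calls than this from one extension in one hour is suspicious
MOS_FLOOR = 3.0                   # call-quality metric below which a trunk problem is flagged


def parse_cdrs(text):
    """Parse the CSV feed into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S"),
            "extension": r["extension"],
            "dialed": r["dialed"],
            "duration_s": int(r["duration_s"]),
            "mos": float(r["mos"]),
        })
    return rows


def analyze(rows):
    """Return (rule, extension, detail) alerts for the patterns described on slide 26."""
    alerts = []
    per_hour = defaultdict(int)
    for r in rows:
        hour = r["start"].hour
        if r["dialed"].startswith(PREMIUM_PREFIXES):
            alerts.append(("premium_destination", r["extension"], r["dialed"]))
        if r["dialed"].startswith(INTL_PREFIX) and not (BUSINESS_START <= hour < BUSINESS_END):
            alerts.append(("off_hours_international", r["extension"], r["dialed"]))
        if r["mos"] < MOS_FLOOR:
            alerts.append(("low_call_quality", r["extension"], "MOS %.1f" % r["mos"]))
        per_hour[(r["extension"], r["start"].strftime("%Y-%m-%d %H"))] += 1
    # Volume rule needs the whole hour, so it runs after the per-call pass.
    for (ext, hour), n in sorted(per_hour.items()):
        if n > BURST_LIMIT:
            alerts.append(("call_burst", ext, "%d calls in hour %s" % (n, hour)))
    return alerts


def summarize(alerts):
    """Count alerts per rule, the figure an operator would forward as an SNMP trap or report."""
    counts = defaultdict(int)
    for rule, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    found = analyze(parse_cdrs(SAMPLE_CDR))
    for rule, ext, detail in found:
        print("%-24s ext %s  %s" % (rule, ext, detail))
    print(summarize(found))
```

Run against the sample, the six off-hours international calls from 1002 trigger both the off-hours rule and the per-hour burst rule, the 1-900 call from 1005 trips the premium rule, and the poor-MOS call from 1003 is reported as a quality problem rather than fraud. Separating the per-call rules from the aggregate rule is the design point: the burst pattern is invisible record by record and only appears once calls are grouped by extension and hour.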
  • 27. Availability (of the confidentiality / integrity / availability security triad): reliability and accessibility of data and resources to authorized individuals in a timely manner.
  • 28. Denial of Service (DoS) protection: assume hosts are untrusted until they verify their identity through authentication and/or other actions. Establish thresholds to protect against compromised or unintentionally misbehaving hosts
    • Initial trust level and message thresholds enforced
    • Depending on their actions, hosts will be promoted to trusted status or demoted to untrusted or denied status
    • Queues based on trust level make sure services are available even while under DoS attack
    (Diagram: dynamic trust levels – Trusted, Untrusted, Deny.)
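The dynamic trust levels on slide 28 can be modelled as a small per-source state machine. This Python example is added here and is not Acme Packet's implementation: every source starts untrusted with a low message threshold, is promoted to trusted (with a higher threshold) once it authenticates, and is demoted to untrusted or denied when it exceeds its threshold. The thresholds, window, deny period and the constructed event stream are assumptions; timestamps are passed in explicitly so the run is deterministic.

```python
from collections import defaultdict

UNTRUSTED, TRUSTED, DENIED = "untrusted", "trusted", "denied"


class TrustPolicer:
    """Per-source trust level with a message threshold per level (hypothetical policy values)."""

    def __init__(self, untrusted_limit=5, trusted_limit=50, window=1.0, deny_period=30.0):
        self.untrusted_limit = untrusted_limit   # messages per window before demotion
        self.trusted_limit = trusted_limit       # authenticated hosts get a much larger budget
        self.window = window                     # seconds over which messages are counted
        self.deny_period = deny_period           # seconds a denied host is dropped outright
        self.level = defaultdict(lambda: UNTRUSTED)
        self.win_start = {}
        self.count = defaultdict(int)
        self.deny_until = {}

    def _limit(self, host):
        return self.trusted_limit if self.level[host] == TRUSTED else self.untrusted_limit

    def _new_window(self, host, now):
        self.win_start[host] = now
        self.count[host] = 0

    def admit(self, host, now):
        """Return (admitted, level) for one message from host at time now."""
        if self.level[host] == DENIED:
            if now < self.deny_until[host]:
                return False, DENIED               # dropped at the front door; no parsing cost
            self.level[host] = UNTRUSTED           # deny period over: start again as untrusted
            self._new_window(host, now)
        if host not in self.win_start or now - self.win_start[host] >= self.window:
            self._new_window(host, now)
        self.count[host] += 1
        if self.count[host] > self._limit(host):
            if self.level[host] == TRUSTED:
                self.level[host] = UNTRUSTED       # misbehaving trusted host loses its budget
                self._new_window(host, now)
                return False, UNTRUSTED
            self.level[host] = DENIED              # untrusted host over threshold is denied
            self.deny_until[host] = now + self.deny_period
            return False, DENIED
        return True, self.level[host]

    def authenticated(self, host):
        """Promote a host that completed authentication (e.g. a challenged REGISTER succeeded)."""
        if self.level[host] != DENIED:
            self.level[host] = TRUSTED


def build_events():
    """Constructed traffic, not a capture: phone A registers, authenticates and then works
    normally; scanner B floods messages, is denied, and returns after the deny period."""
    ev = [(i * 0.1, "A", "msg") for i in range(3)] + [(0.3, "A", "auth-ok")]
    ev += [(1.0 + i * 0.01, "A", "msg") for i in range(20)]
    ev += [(i * 0.01, "B", "msg") for i in range(40)]
    ev += [(40.0, "B", "msg")]
    return sorted(ev, key=lambda e: e[0])


def simulate(events, policer=None):
    """Feed events through the policer; return {host: (admitted, dropped, final level)}."""
    p = policer or TrustPolicer()
    stats = {}
    for t, host, kind in events:
        admitted, dropped, _ = stats.get(host, (0, 0, UNTRUSTED))
        if kind == "auth-ok":
            p.authenticated(host)
        else:
            ok, _ = p.admit(host, t)
            if ok:
                admitted += 1
            else:
                dropped += 1
        stats[host] = (admitted, dropped, p.level[host])
    return stats


if __name__ == "__main__":
    for host, (adm, drp, lvl) in sorted(simulate(build_events()).items()):
        print("%s: admitted=%d dropped=%d level=%s" % (host, adm, drp, lvl))
```

In the run, A's 23 messages are all admitted because it authenticated before it became busy, while B gets five messages through, is denied on the sixth, has the rest of its flood dropped without further processing, and is re-admitted as untrusted only after the deny period. The slide's point about queues per trust level sits on top of this: trusted traffic is serviced from its own queue, so B's flood never competes with A for signaling capacity.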
  • 29. Manage service capacities: understand the capacities of your services and limit access so they do not become overwhelmed
    • Thresholds per session agent – sessions, burst rate, sustained rate, status
    • Variable load balancing
    (Diagram: three session agents receiving 50%, 30% and 20% of the load – Sessions = 500, burst rate = 10 cps, sustained = 8 cps; Sessions = 300, burst rate = 5 cps, sustained = 4 cps; Sessions = 200, burst rate = 4 cps, sustained = 3 cps.)
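The per-session-agent thresholds and weighted load balancing on slide 29 can be worked through with the slide's own numbers. The Python example below is added here and is not Acme Packet's code: each session agent enforces a session cap and a token bucket whose depth is the burst rate and whose refill rate is the sustained rate, and the balancer offers each call to in-service agents in order of how far they are below their weighted share, rejecting the call only when every agent is at its threshold. Reading burst and sustained cps as a token bucket, and the constructed offered load, are assumptions.

```python
class SessionAgent:
    """One downstream target (trunk, PBX, gateway) with the thresholds shown on slide 29."""

    def __init__(self, name, max_sessions, burst_cps, sustained_cps, weight):
        self.name = name
        self.max_sessions = max_sessions    # concurrent session cap
        self.burst_cps = burst_cps          # bucket depth: calls admitted back-to-back
        self.sustained_cps = sustained_cps  # refill rate: long-run calls per second
        self.weight = weight                # share of load the balancer aims for
        self.status = "in-service"          # an out-of-service agent is skipped entirely
        self.active = 0
        self.dispatched = 0
        self.tokens = float(burst_cps)
        self.last = 0.0

    def _refill(self, now):
        self.tokens = min(float(self.burst_cps), self.tokens + (now - self.last) * self.sustained_cps)
        self.last = now

    def admit(self, now):
        """Take one call if status, the session cap and the rate thresholds all allow it."""
        self._refill(now)
        if self.status != "in-service" or self.active >= self.max_sessions or self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        self.active += 1
        self.dispatched += 1
        return True

    def release(self):
        """Call ended: free the session slot (rate tokens refill on their own)."""
        self.active -= 1


def route_call(agents, now):
    """Weighted balancing: try agents in order of how far below their target share they are."""
    for agent in sorted(agents, key=lambda a: a.dispatched / a.weight):
        if agent.admit(now):
            return agent.name
    return None   # every agent at a threshold: reject the call instead of overloading one


def build_agents():
    """The three agents from the slide with their 50/30/20 percent weights."""
    return [SessionAgent("A", 500, 10, 8, 50),
            SessionAgent("B", 300, 5, 4, 30),
            SessionAgent("C", 200, 4, 3, 20)]


def simulate():
    """Constructed offered load: 30 calls at t=0, then 20 more one second later.
    Returns ({agent: accepted calls}, rejected calls)."""
    agents = build_agents()
    accepted = {a.name: 0 for a in agents}
    rejected = 0
    for now, n in ((0.0, 30), (1.0, 20)):
        for _ in range(n):
            target = route_call(agents, now)
            if target is None:
                rejected += 1
            else:
                accepted[target] += 1
    return accepted, rejected


if __name__ == "__main__":
    acc, rej = simulate()
    print("accepted per agent:", acc, "rejected:", rej)
```

With the slide's numbers the three buckets hold 19 calls between them, so of the 30 calls offered at once 19 are placed and 11 refused; one second later the buckets have refilled to 8, 4 and 3 and 15 of the next 20 are placed. The refusals are the intended outcome: the excess is turned away at the border rather than driven into a session agent that has already hit its sustained rate.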
  • 30. Make UC services resilient: implement hardware and/or site redundancy to minimize the impact of physical attacks on building, power, network, etc.
    • High availability – no loss of active sessions; active/standby failover in 40 ms; checkpointing of configuration, media & signaling state; preserves CDRs on failover
    • Multi-site failover – multiple SIP trunks improve network resiliency in disaster recovery scenarios; the SBC enables fast failover without operator intervention
  • 31. Security Architecture
  • 32. Trust zones provide flexibility: use the SBC to create a virtual firewall DMZ architecture with multiple zones of different trust levels. (Diagram: the SBC and core/backbone routing interwork SIP or H.323 signaling and media between the Internet (low trust), a partner (high trust), an outsourcer (medium trust) and the internal network (medium trust).)
  • 33. Security for SIP trunking applications: run data firewalls and Acme Packet SBCs in parallel to manage data and communications services in the optimal location. (Diagram: SIP / MPLS provider, Internet, or any untrusted network; a DMZ holding an Acme Packet SBC HA pair; behind it a data network or VLAN and a UC network or VLAN.)
  • 34. Security for remote worker access: send remote users to the SBC instead of your VPN concentrator for message verification, throttling, and best performance without the need for a VPN client
    • SIP message integrity verification
    • SBC can cache client registration, responding to regular client keep-alives
    • Confidentiality through signaling and media encryption
    • Easier connectivity & traversal through local firewalls vs. VPN solutions, especially while travelling
    (Diagram: teleworkers on the Internet reach the data centers over TLS/SRTP to the SBC rather than through a VPN tunnel.)
  • 35. Common Questions
  • 36. "Why do I need an SBC when the service provider has one?"
    • Integrity: the service provider's SBC is there to protect them from you
    • Availability: routing to SIP gateways and service providers
    • Interop / Confidentiality: SIP normalization and topology hiding
    • Quality of Service: call routing can be dynamically driven by call quality
    (Diagram: the service provider's SBC facing customers 1, 2, 3 ...)
  • 37. "What do I tell my security department?"
    • 1,525 customers in 107 countries – the industry standard
    • Processes calls through both general IP and UC-specific attacks
    • Acme Packet Net-Net SBC certified by the U.S. DISA JITC at Ft. Huachuca, AZ for information assurance and interoperability in DoD networks
    • Can work in a firewall DMZ if best practices are followed
  • 38. Summary
  • 39. Don't forget to think holistically...
    • Physical security – locks, badges, lighting, emergency exits
    • Data security – 802.1x, LLDP, firewalls, ACLs, VLAN strategy, internal encryption, administrative interfaces, QoS marking and measurement
    • Host security – anti-virus, control of third-party apps and endpoints, patching and configuration of end devices, asset acquisition and disposal
    • Disaster recovery – redundant hardware, services, network
    • Compensating controls – CDR analysis to prevent or detect insider abuse, logging, video surveillance; internal scans or penetration testing
    • Internal controls – hiring policies and security reviews
    • Employee training programs – best-practice guidelines and clear expectations; educate employees to recognize social engineering
  • 40. Additional resources
    • Acme Packet services, training, sales, or partners: http://www.acmepacket.com/
    • The SIP School: http://www.thesipschool.com/
    • BackTrack Linux VoIP wiki pages: http://www.backtrack-linux.org/wiki/index.php/Pentesting_VOIP
    • Voice Over IP Security Alliance (VOIPSA): http://voipsa.org
    • The SIP Forum: http://www.sipforum.org/
    • Your service provider
  • 41. Questions?
  • 42. Thank you
    • sales@acmepacket.com
    • info@thesipschool.com
    • The SIP School discount code = APDC2204
    • Link to webinar recording will be e-mailed to all registered participants