
Akhil Behl - Securing UC Networks - Interop Mumbai 2009

With the increasing adoption of Unified Communication (UC) tools, it is imperative for organizations to understand the key security threats and the solutions they can adopt to mitigate them. This presentation will focus on how UC security can be made robust using the underlying network and the tools/services available in standard UC applications.

Published in: Technology


  1. Unified Communications Security: Securing UC Networks. AKHIL BEHL, CCIE 19564 (Voice, Security), Network Consulting Engineer, GDC, Cisco Systems India. akbehl@cisco.com, +919999908169. © 2009 Akhil Behl – UC Security Presentation
  2. UC Security - Session Agenda
      • UC Security Introduction – Threats to UC
      • Rationale Behind Securing UC Networks
      • What To Protect, How To Protect
      • Deployment Strategy
      • Cost, Complexity, Security
      • Q&A
  3. UC Security Introduction: Threats To UC Networks
  4. Unified Communications Threats
      • Toll fraud: unauthorized or unbillable resource utilization
      • Faking identity: impersonating others (spoofing)
      • Eavesdropping: listening to another’s call
      • Denying service: DoS attacks, hanging up others’ conversations
      • Gaining private information: caller ID, password/accounts, calling patterns (reconnaissance)
      • Hijacking calls: injecting audio streams, rerouting calls
  5. UC Security: Rationale Behind Securing UC Networks
  6. VoIP Network Attacked / Hacked!
      • "VoIP Network Security: How a Hacker Took Advantage of Vulnerabilities" (By Special Correspondent). Miami: The federal government arrested Edwin Andrew Pena, 23, owner of Fortes Telecom Inc. and Miami Tech & Consulting Inc., for hacking into other providers' networks, routing his customers' calls onto those platforms, then billing those companies and pocketing the proceeds. He reaped more than $1 million. Source - http://www.coresecurity.com/content/VoIP-network-security-how-a-hacker-took-advantage
      • "Small business gets $120,000 phone bill after hackers attack VoIP phone" (By Technology Correspondent). Sydney: A small business landed with a $120,000 phone bill after criminals hacked into its internet phone system and used it to make 11,000 international calls in just 46 hours. Source - http://www.news.com.au/technology/story/0,28348,24939188-5014239,00.html
  7. Rationale Behind Adoption Of UC Security
      • Secure UC infrastructure: secures what is an asset to a company’s or an organization’s daily operations
      • Secure the conversation: ensures that the business doesn’t suffer any losses due to eavesdropping or hacking of voice calls
      • Business continuity: ensures that business continuity is maintained and the chances of disruption or losses are minimized
      • The protection of both voice and data communication is critical to the business
  8. UC Security: What To Secure, How To Secure
  9. UC Security – What To Secure, How To Secure [Network diagram; labels: HQ, Data Center, CUCM, Unity VM, TLS Proxy, PSTN, WAN, Wireless, Large Branch, Small Branch, VPN, Call Center Agents, Mobile Worker]
  10. UC Security – Check List, Wish List
      UC Network Security (securing network infrastructure)
      • Well defined UC security policy
      • Secured network infrastructure (AAA, IPS, Firewall, L2/L3 Security)
      • Secure IPT equipment (Physical and Network Security)
      • IPSec tunnels to remote SOHO sites / Client VPN to mobile workers
      • Firewall TLS proxy / phone proxy feature support
      UC Network Security (securing UC applications)
      • Role based administration / multiple level administration
      • Secure gateway trunks, inter cluster trunks
      • Secure gatekeeper (RAS) communication (subnet, registration)
      • 3rd party CA for HTTPS, TLS
      • Secure endpoints (including Soft Phone) – TLS, 802.1x
      • Wireless phones use certificate authentication and WPA
      • Calling restriction (based on role or function)
      • Secure conference calls
      • Secure voicemail ports
  11. UC Security: Deployment Strategy
  12. A Tale Of Two Cities [Diagram; labels: Secure Network, Secure Unified Communications, Secure Telephony]
      • A secure network is the foundation for a secure Unified Communication network
      • A secure Unified Communications network is an asset for the organization
  13. UC Security Deployment Strategy: End-To-End UC Security Approach
  14. End to End UC Security – Demystified
      Physical Security
      • Building Security: badge access for employee
      • Data Center Security: access limited to authorized NOC personnel only
      • Wiring Closet Security: access limited to authorized NOC personnel only
      Network Security
      • Access Layer Security: 802.1x authentication, L2 filtering, QoS, VLANs
      • Core and Distribution Layer Security: ACLs, authentication for routing
      • Wireless Security: WPA, certificate authentication
      • Remote Network Security: IPSec VPN
      • Firewalls and Intrusion Prevention: ALG Firewall (ASA)
      UC Security
      • IP PBX Platform Security: HIPS, internal firewall, HTTPS access
      • Gateway Security, UC Endpoint Security: Secure Conf, Secure SRST, Secure Trunk, SRTP, TLS for signaling
      • UC Application Security: Unity VM, UCCX, MPE, etc.
      • Ecosystem (3rd Party) App Security: Attendant Console, CTI
  15. UC Security: Cost, Complexity, Security
  16. Security: A Balance Between Risk And Cost (Complexity, Security Level, Cost)
      Low (Easy, Default Security, No Additional Cost)
      • Separate Voice & Data VLANs
      • STP/BPDU Guard, Port Security
      • Basic ACLs
      • Standard Server/OS Hardening
      • Class of Restriction (Toll Fraud)
      • Anti-Virus
      • HTTPS access to UC Applications
      • Signed Firmware
      • Phone Security Settings
      Medium (Moderate, Reasonable Security, Nominal Cost)
      • UC Aware Firewalls
      • Catalyst Integrated Security
      • Optional OS Hardening
      • CSA
      • Encrypted Configs
      • TLS/SRTP – Phones, Applications
      • IPSec / SRTP to Gateways
      • Scavenger QoS
      High (Hard, Highly Secure, Cost may go higher)
      • Complex Firewalls (ALG)
      • Rate Limiting ACLs
      • VPN – SOHO/Mobile Worker
      • NAC / 802.1X
      • Network Anomaly Detection / IPS
      • Security Event Management
      • TLS / Phone Proxy
  17. Q&A
  18. Thank You
