Security in Converging Networks
Solutions
Deploy a Telecom Firewall
• Tasks
• Evaluate/Purchase one comprehensive solution
• Learn about and Manage one product
• Manage all telecommunications from a single point
• Benefits
• Better overall visibility and security
• Low Total Cost of ownership
• Seamless interworking with existing telecom network
• Financial ROI
• TDM-to-IP Migration assistance
Telecom Firewall for IP Telephony
• IP Telephony Specific Features
• Perimeter Demarcation Point for IP telephony
• Dynamic Port Assignment and Control
• High Speed and Dynamic NAT
• IP Network QoS Monitoring
• Network Topology Hiding
• Plus Telecom Firewall Standard Features
• Log and report all call activity
• Characterize call type - media inspection (incl. packet rate)
Note – Prevents data tunneling through IP Telephony
• Enforce generic security/management policy
“The Telecom Firewall provides these features simultaneously for both
circuit switched and IP Telephony traffic.”
Telecom Firewall for IP Telephony
• Plus Telecom Firewall Additional Features
• Usage Auditing
• Infrastructure Management
• AAA Services
• Plus Voice VPN and Telecom IDS Features
• Site-to-Site Encryption
Note – Prevents conversation eavesdropping via VOMIT
• Real-time Detection of Intrusion with Policy-Based Response
• Call Pattern-Based Intrusion Detection
• Modem/Fax Recording, Reconstruction, and Content Monitoring
“The Telecom Firewall provides these features simultaneously for both
circuit switched and IP Telephony traffic.”
Campus IP Infrastructure Deployment
[Diagram labels: Dallas, Chicago and Seattle offices, central office, PSTN, ISP, Internet/WAN, Telecom Firewalls, Telecom Firewall Server, PBXs and voicemail, telephones, fax, modems, IDS, firewall/NAT, Call Manager, IP phones, servers, LAN, workstations.]
“Telephony isn’t a new IP application, it’s an old application that’s new to IP.”
Inherited Vulnerabilities
• Network Based
• Denial of Service – Loss of Phone Service
• Packet Spoofing – Toll Fraud
• Packet Sniffing – Conversation Eavesdropping/recording
• Packet Redirection
• Packet Replay Attacks
Note - Voice Over Mis-configured Internet Telephones (VOMIT)
• Host Based
• Client Application(s) – Virus Vulnerability
• Operating Systems
• File Services
• RPC Services
• TCP/IP Stacks
New Vulnerabilities
• New Protocols
• SIP, H.323, MGCP, Megaco / H.248, Skinny, etc.
• New Products
• IP Phones, Soft Phones, Gateways, Call Managers, Proxy Servers, Registrar Servers, Gatekeeper, Presence Servers, etc.
• New Network Capabilities
• Inline Power, VLANs, DiffServ, MPLS, RSVP, etc.
Note - Data tunneling through IP Telephony
IP Telephony ...“the next interesting target”
QoS & Interoperability Issues
• QoS Issues
• QoS is Critical to IP Telephony Success
• WAN/LAN Bandwidth Reservation and Provisioning
• Intolerant of Slow Hops
• IP Interworking Issues
• Dynamic Port Assignment and Control
• NAT Traversal
• Protocol Variants
• TDM Interworking Issues
• Common Usage and Security Policy Enforcement
• Common Security Administration
• Common Activity Logging and Reporting
Traditional Non-secured Calls
[Diagram labels: Dallas, Chicago and Seattle offices, central office, PSTN, ISP, Internet, ETM™ Appliance, ETM™ Server, PBXs and voicemail, telephones, fax, modems, IDS, firewall, servers, LAN, workstations.]
Data Network Security Attack
Without perimeter security, your network can be breached.
[Diagram labels: PSTN, ISP, central office, Internet, intruder, servers, LAN, workstations.]
Perimeter Security Systems
Good News – Internet security devices work reasonably well today…enables reasonable perimeter security.
Bad News – Most deployed systems are still individually managed, point products…cost of ownership is high.
More Bad News – All of your Internet security deployments can be bypassed by users connected to unauthorized modems.
[Diagram labels: PSTN, ISP, central office, Internet, intruder ("Blocked!"), firewall, IDS ("ALERT"), servers, LAN, workstations.]
Authorized Modem Attack
[Diagram labels: PSTN, central office, PBX, voicemail, fax, telephones, authorized modem, ISP, Internet, intruder, firewall, IDS, servers, LAN, workstations.]
Unauthorized Modem Attack
After-hours scanning – 2%-4% of phone lines have unauthorized modems.
Real-time monitoring finds even more modems that are heavily used.
[Diagram labels: PSTN, central office, PBX, voicemail, fax, telephones, unauthorized modems, ISP, Internet, intruder, firewall, IDS, servers, LAN, workstations.]
Network Exposure During Modem Usage
Employees use a modem to dial around the Firewall and IDS.
Hacker “piggybacks” off ISP connection to access the Data Network.
[Diagram labels: PSTN, central office, PBX, voicemail, fax, telephones, unauthorized modems, ISP, Internet, intruder, firewall, IDS, servers, LAN, workstations.]
Voice System Attack
Remote access to PBX for Toll Fraud or Disruption.
[Diagram labels: PSTN, central office, PBX, voicemail, fax, telephones, unauthorized modems, ISP, Internet, intruder, firewall, IDS, servers, LAN, workstations.]
Telecom Firewalls
Telecom Firewall Deployment
[Diagram labels: ETM™ Platform, Firewall Appliance ("Blocked!"), ETM™ Server, backend server, PSTN, central office, PBX, voicemail, fax, telephones, modems, ISP, Internet, intruder, firewall, IDS ("ALERT"), servers, LAN, workstations.]
Telecom Firewall Core Functionality
• Log all Call Activity Information:
• Source, destination, time, duration, etc…
• Enterprise-wide, real-time, back to central server
• Characterize Call Type:
• Voice, fax, modem, VTC, STU-III (secure)
• Continuous monitoring of call for type changes
• Generic Security/Management Policy:
• Rule-based analysis of each call
• Autonomous execution
• Centrally managed push-down policy
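An added example, not part of the original slides and not the vendor's code: a small sketch of the rule-based, first-match analysis of each call listed above, re-run whenever the observed call type changes. The record fields, line names, phone numbers, business hours and rules are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: every number, line and rule here is hypothetical.
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time

@dataclass(frozen=True)
class Call:
    source: str        # calling number
    destination: str   # called number
    line: str          # internal line the call was observed on
    start: datetime
    duration_s: int
    types: tuple       # call type as observed over time, e.g. ("voice", "modem")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "block"
    call_types: frozenset  # empty set matches any call type
    lines: frozenset       # empty set matches any line
    after_hours_only: bool = False

    def matches(self, call, call_type):
        if self.call_types and call_type not in self.call_types:
            return False
        if self.lines and call.line not in self.lines:
            return False
        return not (self.after_hours_only and call.start.hour in BUSINESS_HOURS)

POLICY = (  # ordered like firewall rules: first match wins, last rule is the default
    Rule("authorized modem", "allow", frozenset({"modem"}), frozenset({"x4410"})),
    Rule("unauthorized modem", "block", frozenset({"modem"}), frozenset()),
    Rule("after-hours fax", "block", frozenset({"fax"}), frozenset(), True),
    Rule("default", "allow", frozenset(), frozenset()),
)

def evaluate(call, policy=POLICY):
    """Apply the policy at each observed type change; return the decision log."""
    log = []
    for call_type in call.types:
        rule = next(r for r in policy if r.matches(call, call_type))
        log.append((call_type, rule.name, rule.action))
        if rule.action == "block":
            break  # the call is terminated, so nothing further is observed
    return log

# Constructed call: starts as voice, then a modem carrier appears mid-call.
SAMPLE = Call("x4321", "2065550199", "x4321", datetime(2003, 3, 4, 14, 2), 1200, ("voice", "modem"))
print(evaluate(SAMPLE))
```

The sample call is allowed while it is voice and blocked once it turns into a modem session on a line that is not on the authorized list, which is the case a one-time check at call setup would miss.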
Additional Functionality
• Usage Audit and Management: saves money on the phone bill
• Infrastructure Management: provides secure, remote management of trunk infrastructure and legacy switching systems
• AAA Services: provides remote user authentication, authorization and access
Usage Audit and Management
Apps will identify...
• Dead trunks and open/unused lines
• Unauthorized modems…bandwidth impact
• General user misuse
• Trunk utilization efficiencies
• Operational efficiencies
• QoS monitoring and reporting
• Bill reconciliation deficiencies
• Toll fraud
Significant cost savings on phone bill.
Infrastructure Management
• Telecom Firewall System Management
• Simultaneous view of all appliances and servers
• On-screen dashboard
• Closely integrated tree/alerts/tools
• Enterprise-wide Trunk Management
• Complete Telecom Trunk Status
• Resource Utilization Alerts
• Detection of Marginal Operation
• Enterprise-wide, Secure PBX and Voice System Management
• Secure Command Line Interface to PBXs and Voicemail
• Real-time alerts on status
• Specialized applications
AAA Services for Telecom Firewall
[Diagram labels: PSTN, central office, AAA Appliances, ISP, Internet, firewall, IDS, servers, LAN, and three numbered modem connections.]
1. Authorized Modem
2. PBX Maintenance Port Modem
3. Modem to HVAC, Fire Alarm, and other Building Systems
AAA Services for Telecom Firewall
[Diagram labels: remote access user, PIN, authorized session, PSTN, central office, AAA Appliances, authorized modem, ISP, Internet, firewall, IDS, servers, LAN.]
AAA Services for Telecom Firewall
[Diagram labels: remote access user, PIN, authorized session, PSTN, central office, AAA Appliances, authorized modem, ISP, Internet, firewall, IDS, servers, LAN.]
Circuit Switched VPNs and Telecom IDS
Circuit Switched VPNs
Based on Policy, calls between enabled sites are encrypted.
[Diagram labels: Dallas, Chicago and Seattle offices, central office, PSTN, ISP, Internet, ETM™ Platforms, ETM™ Server, PBXs and voicemail, telephones, fax, modems, IDS, firewall, servers, LAN, workstations.]
Telecom Intrusion Detection
• Real-time Detection of Intrusion with Policy-Based Response
• Call Pattern-Based Intrusion Detection
• Modem/Fax Recording, Reconstruction, and Content Monitoring
[Diagram labels: ETM™ Platform ("Call Filtered"), ETM™ Server, PSTN, central office, PBX, voicemail, fax, telephones, modems, ISP, Internet, intruder, firewall, IDS ("ALERT"), servers, LAN, workstations.]
Telecom Firewall technology enables real-time
visibility and control over legacy, enterprise level,
circuit-switched voice infrastructure…it saves money,
secures the network and improves management.
Telecom Firewall technology also provides a
unique and cost effective migration path
to Secure IP Telephony in the future!