Challenges of Enterprise VoIP Security
Download
Report
Transcript Challenges of Enterprise VoIP Security
January, 2006
Challenges of Enterprise VoIP Security
TMC IT Expo VoIP Security Summit
Jonathan Zar
Andrew Norman
Jeff Hicks
Tony Rybczynski
Steve Mank
Ram Ayyakad
Jonathan Zar
+1
(408) 209 0199
VOIPSA (Moderator)
Covergence
NetIQ
NORTEL
Quovia
Ranch Networks
Welcome
• Welcome to the TMC’s January 27th IT Expo
VoIP Security Summit Panel S-02 entitled:
“Challenges of Enterprise VoIP Security”
• I am Jonathan Zar, Secretary and Outreach Chair
for VOIPSA and your moderator today.
• We are excited to have an outstanding panel.
I’ll briefly introduce myself and then each of our
panel member.
Jonathan Zar
+1
(408) 209 0199
Today’s Speakers
Topic: Challenges of Enterprise VoIP Security
NAME
TITLE
AFFILIATION
EMAIL
Jonathan Zar
Secretary / Outreach Chair
VOIPSA - VoIP
Security Alliance
[email protected]
[email protected]
Andrew Norman
Director Solution Engineering
Covergence
[email protected]
Jeff Hicks
Principal Software Architect
NetIQ
[email protected]
Tony Rybczynski
Director- StrategicEnterprise
Technologies
NORTEL
[email protected]
Steve Mank
Chief Operating Officer
Qovia
[email protected]
Ram Ayyakad
Co-founder and CEO
Ranch Networks
[email protected]
Jonathan Zar
+1
(408) 209 0199
Jonathan Zar
Jonathan Zar is Secretary and Outreach Chair for VOIPSA, the
VoIP Security Alliance, the industry’s global coalition to protect
security and privacy in converged media.
More than 50 million units of products have now been sold
based on technologies created and commercialized under his
leadership at companies including Apple Computer.
A member of the IEEE, the ACM, the Licensing Executive
Society and TiE, a global association for entrepreneurs:
Jonathan is a recognized authority in creating valuable brands
for revenue growth. He is a trusted advisor to venture investors
and C-level executives at public corporations.
Jonathan Zar
+1
(408) 209 0199
Jeff Hicks
Jeff Hicks is a Principal Software Architect at
NetIQ Corporation.
Recently, he has led the development teams for
NetIQ’s suite of VoIP products.
Jeff has been active in the development of VoIP
assessment, management, troubleshooting,
and security products for the last 6 years.
He’s a technical advisory board member of the
VoIP Security Alliance (VOIPSA) and co-author
of the Cisco Press book: “Taking Charge of
Your VoIP Project”
Jonathan Zar
+1
(408) 209 0199
Stephen Mank
Stephen Mank is Chief Operating Officer of Quovia, a
growing 2002 start-up that lets IT professionals monitor and
manage IP telephony networks in real time for reliability and
end user satisfaction, enhanced VoIP call quality, IP
telephony asset tracking and improved troubleshooting.
At Quovia, Stephen is responsible for strategic planning,
business development, product management and operations
including support.
Stephen has substantial expertise in networking
performance and optimization, VoIP, and routing
technologies in both enterprise and service provider markets
with over 25 years experience at companies large and small
including: Motorola, Newbridge, Xyplex and Trinagy
Jonathan Zar
+1
(408) 209 0199
Tony Rybczynski
Tony Rybczynski (rib-chin-ski) is Director, Strategic
Enterprise Technologies, in Nortel, reporting to the
enterprise CTO. Tony has over 33 years experience in
packet switching for all forms of media. He now works
with large enterprises assessing the value proposition of
new networking technologies. He has written over 100
articles including an on-going column in Internet
Telephony magazine, on topics ranging from VoIP and
security, to 10 Gigabit Ethernet and optical DWDM
storage, to collaboration and ebusiness applications. He
is a graduate of McGill and University of Alberta, a
Senior Member of IEEE, and a co-author of a protocol
reference book and a contributor to other publications.
Jonathan Zar
+1
(408) 209 0199
Andy Norman
Andy Norman is the Senior Sales Engineer for Covergence,
a 2003 start-up providing a scalable family of policy driven
network appliances based on the Session Initiation Protocol.
Prior to joining Covergence Andy created the Systems
Engineering department at Nextone growing it to over 20
senior SE’s by 2005. Before joining Nextone Andy was a
founder of IBNC, a dial-up and DSL internet service provider
in the Washington DC area, which he help sell in 2000.
A graduate of Old Dominion of Nortfork VA, a leading public
university with a Carnegie/Doctoral Research-Extensive
distinction, Andy is an expert in VoIP, data networking, H.232
focused, security, telephony routing and general carrier
deployments.
Jonathan Zar
+1
(408) 209 0199
Ram Ayyakad
Ram Ayyakad is a founder of Ranch Networks, a VoIP and
networking security start-up. Prior to establishing Ranch
Networks in 2000, Ram played the central role in some of the
most influential products in AT&T/Lucent/Bell Labs. Ram was
part of the architecture team that built the prestigious Lucent’s IP
Switch. Prior to that Ram was part of the architecture team that
built Lucent’s ATM Switch. In recognition of his accomplishments
at Bell Labs, Ram received the 1998 Bell Laboratories
President's Gold Award for his outstanding level of Innovation
and Technical Excellence. Ram is the technical visionary behind
Ranch Networks. He has 20 years of strong experience in
developing carrier class products such as IP Switches and ATM
Switches. Mr. Ram Ayyakad holds a BS in Engineering, MS in
Computer Science and a degree in Business Administration.
Jonathan Zar
+1
(408) 209 0199
VoIP Security Alliance
• VOIPSA is the alliance for
security and privacy of
converged media.
• Provides immediate access
to the worlds leading
security experts and the
thought leaders of more
than 100 major companies
and government groups.
http://www.voipsa.org
• Call to action: Bring yourself
and your company into
VOIPSA
Jonathan Zar
+1
(408) 209 0199
Event Sponsors
Travel and logistical support provided by:
3Com/TippingPoint
Covergence
Jonathan Zar
Ranch Networks
NetIQ
NORTEL
Qovia
Technology Marketing Corporation
VOIPSA, The VoIP Security Alliance
Jonathan Zar
+1
(408) 209 0199
Challenges of Enterprise VoIP
Security
Jeff Hicks
Principal Software Architect, NetIQ Corp
[email protected]
© 2005 NetIQ Corporation. All rights reserved.
Enterprise Challenges
What are Enterprise VoIP customers dealing with?
© 2005 NetIQ Corporation. All rights reserved.
Will any of the following
concerns affect your VoIP rollout?
90%
80%
70%
Performance and
availability of VoIP
services and applications
Fixing problems quickly
60%
50%
40%
The quality of VoIP phone
calls
30%
20%
VoIP Security
10%
0%
Source: NetIQ Survey August 2005
© 2005 NetIQ Corporation. All rights reserved.
Other/NA
Which VoIP Security Threat Scenarios
Has Your Organization Experienced?
35%
30%
25%
20%
15%
10%
5%
0%
Source: NetIQ Survey August 2005
© 2005 NetIQ Corporation. All rights reserved.
Virus or worm
DoS attack
Toll fraud
SPIT
Password vulnerability
Malicious calls
Unauthorized access
SIP compromises
Eavesdropping
Call spoofing
Which VoIP Security Threat Scenarios
Could Have the Most Negative Impact?
70%
60%
50%
40%
30%
20%
10%
0%
Source: NetIQ Survey August 2005
© 2005 NetIQ Corporation. All rights reserved.
DoS attack
Virus or worm
Eavesdropping
Toll fraud
Unauthorized access
Malicious calls
Password vulnerability
Call spoofing
SPIT
SIP Compromises
Who is responsible for VoIP security…?
© 2005 NetIQ Corporation. All rights reserved.
What is the most senior management level
within your organization where VoIP security
is an issue?
Admin
Manager
Director
Exec
Organizational units potentially involved with VoIP
security:
− Telephony
− Data/network/application management
− Security management
− Others
© 2005 NetIQ Corporation. All rights reserved.
The Solution to Ensuring VoIP Security
To address emerging VoIP security issues, a
solution must:
− Integrate both systems and security management products:
securing VoIP must not affect VoIP quality or performance &
availability.
− Address the needs of the entire organization.
− Be easy to use and easy to deploy yet can be integrated in a
modular fashion.
− Have embedded knowledge and best practices that allow you to
better utilize skilled resources as well as to retain core knowhow.
© 2005 NetIQ Corporation. All rights reserved.
VoIP Security Management
© 2005 NetIQ Corporation. All rights reserved.
NetIQ Confidential Information
See, Act, Deliver
Challenges of Enterprise VoIP Security
Presented by: Stephen P
Mank
Starting From a Data Services Network. . .
New York - ENG
Bangalor – SUPPORT
• Uniform service level
• No ToS differentiation
• No real-time constraints
• Firewall ‘border’ protection
Washington - EXEC
Los Angeles - SALES
• Network topology view
… infrastructure must be secure
Now Add VoIP Equipment. . .
New York - ENG
India – SUPPORT
• Differentiated network plan
IOS
T3
PSTN
• VoIP ToS designation
T1
• VLANs for VoIP
PSTN
IOS
Washington - EXEC
• Gateways to PSTNs
• Remote site failover (SRST)
• Additional Infrastructure
PSTN
CS
PSTN
VM
T3
T3
IOS
Los Angeles - SALES
… each component must be secure
Now Add VoIP Services. . .
New York - ENG
Bangalor – SUPPORT
• Dial Plan, hunt groups, etc.
IOS
T3
PSTN
• Voice Mail, Messaging, email
• Forwarding, speed dial, etc.
T1
PSTN
IOS
VoIP
Service
s
• Conferencing
• E911 location, mobility
Washington - EXEC
PSTN
CS
• Soft phones
• Converged IP services
PSTN
VM
T3
T3
IOS
Los Angeles - SALES
… each service must be secure
VoIP Security in Layers. . .
Layer
Use in VoIP
Systems
Vulnerability
Protection
Application
Semantics
Registration, SW
download, call mgmt,
billing, dial plan, email,
conferencing, voice mail,
user identity, contacts list
SPAM, viruses, hijacking,
ease dropping, toll fraud,
Application specific DOS &
Spoofing, identity theft
Very little today.
Session &
Transport
SIP, SCCP, RTP, MGCP,
H323, CDP, AXL
Protocol specific DOS &
spoofing, man-in-themiddle
SRTP, TLS, SSL
Data
Network
IP, UDP, DHCP, DNS, TFTP,
ARP, SNMP, HTTP
Network DOS & Spoofing,
man-in-the-middle, etc.
Standard IPSEC
procedures, Intrusion
Protection
Physical
Devices
Phones, servers and
gateways
MAC spoofing, Rogue
Devices
Control Physical
Access, Rogue
Detection
The Need For a Multi-Tiered Approach
First, Understand VoIP beyond ‘just another App’
Real Time IP service from a functional and performance perspective.
Denial of Service (DoS) may mean unreliable service, not necessarily completely ‘down’.
Business critical applications need to be ‘Five Nines’ available - ‘Five Eights’ will not do.
Second, Basic IPSEC Approach is a Good Start
More than just a ‘good idea’ – without it, you are not ready for VoIP.
Includes the core capability to manage network resources from a global view.
Finally, View VoIP as a multi-layered Application
Physical devices (phones, servers, gateways, switches, proxies)
Transport protocols (UDP, TCP)
Signaling protocols (SIP, SCCP, H.323, MGCP)
Session protocols (vendor and phone proprietary)
Multiple Application Services (Call Server, Signaling Server, Voice Mail Server, Authentication
Server)
Steps Toward Securing VoIP....
Physical Security
If you have a separate VoIP network (or VLANs) make sure only phones are on it
Include phones in your ‘asset tracking’ strategy… know when new ones ‘show up’!
If you need ‘phone mobility’ be sure you can discriminate between valid and ‘rogue’ phones
Transport & Session Security
Enable TLS for encrypting call signaling (not supported by all call managers)
Enable SRTP for encrypting call streams (not supported in all phones)
Caution: some management and monitoring tools do not work well with encryption… check with your vendors first!
Caution: just because the phone thinks the call is encrypted doesn’t mean you are protected end-to-end!
IP Network Security Policies
Caution: Most firewall-based security solutions impose a variable latency on traffic when scanning for content patterns. This can
significantly impact your call quality.
Differentiate traffic by ToS and monitor network performance for VoIP ToS (or CoS if IPv6) with close scrutiny of unusual traffic ‘bursts’
VoIP Application Security
Track Voice Mail usage, with particular focus on rapid increases in mailbox usage
Track Gateway usage, attack scenarios may originate as an external call through your gateways
Use ‘active call testing’ to verify system availability and performance, this is often the first sign of an attack
Make VoIP E911 support part of you security strategy…. If you accurately know the location of every phone you are ahead of the game!
Stephen Mank
[email protected]
301.846.0020
See, Act, Deliver
SECURING CONVERGED
NETWORKS
Tony Rybczynski
Director of Enterprise Strategic Technologies
Office of the Enterprise CTO
The Nortel Difference
Call
Centre
Unique business value
through the intersection
of inter-human
communications and
the network
SIP
Video
Applications
UM
IM
open
Presence
ecosystem Conf Communication
Services
Self
Service
Converged
Infrastructure
L4-7 intelligence
Customer engagement
Secure mobility
IP routing
QoS
Copper/fiber
Unified Communications
Wired/wireless
Security
Thought #1: IP Telephony is Not the
End Game
IP Telephony
Real-time
Converged
Communications
Key metric: Time to X
Thought #2: Creating the New Perimeter
Total Worldwide Shipments
Total Worldwide Shipments
(M)
600
500
400
300
200
100
0
2004
PDA
2008
PC
Mobile Phone
Office Anywhere is becoming a reality
Thought #3: Threats to Real-time
Communications
> Unauthorized access
• IP spoofing or session hijacking as a result of weak authentication and
authorization
> Eavesdrop on voice conversations
• Network sniffers over shared media technologies such as Ethernet of old,
wireless LANs and cable modems.
> Denial of Service (DoS) attacks flood on Communications server
• Prevention of legitimate users from accessing the service.
> Man-in-the-middle assaults
• Public key exchange interception, tricking the original entities/users into
thinking they are communicating with each other.
> Back door entries to access communications servers
• Lack of hardening and procedural oversights.
> Masquerading
• Posing as a subscriber to illicitly get services, or to pose as a valid
administrator or engineer to access the network, often to elevate user
privileges.
Same Threats--- New Environment
Thought #4: User Voice Confidentiality
Concerns*
Users perceptions of degree of confidentiality
>Wired TDM (enterprise and public)
>Public wireless Blackberry
>Public wireless voice
>Enterprise IT infrastructure
>Voice mail access
>Meet me conferencing (TDM and VoIP)
>Voice over the Internet
>Public wireless and Internet data
>Shared media (WLAN, cable modem, shared E’net)
*non-military
Very High
Very High
High
High
Med-High
Med-Low
Low
Very Low
Very Low
IPSec and SSL for remote and WLAN access
TLS and SRTP for end-end security
Visual conferencing controls
Thought #5: Key Principles
> The starting point is always an enterprise security policy
> The IP networking infrastructure must be secured (e.g.
anti-ARP spoofing and VLANs), and to be engineered and
designed to meet the latency and reliability requirements
of telephony.
> Communications Servers and associated signaling and
control systems are business critical and must be
hardened, and protected in multimedia security zone.
> Confidentiality is maintained via IPSec/SSL for remote and
WLAN access, and optionally TLS and SRTP.
> Simplicity and a consistent user experience across
devices and wired and wireless connectivity modes must
be maintained.
> Support for standards to ensure enterprises receive the
functionality and interoperability they require.
Layered Defense Approach To Security
> Open solutions that rely on
strategic partnerships and
adherence to standards
Layered Defense
> Minimized TCO by focusing on
simplicity, efficiency and
proactive response
> Understanding that strong
security involves not only
technology, but also people and
processes — the Unified
Security Framework
Secure Communications, information and
applications, anywhere, anytime
Enterprise Security Panel
Andrew Norman
Director, Solution Engineering – Covergence
[email protected]
+1-703-862-7734
Sip:[email protected]
About Covergence
Founded in 2003
– Headquartered near Boston, Massachusetts
Funded by top-tier venture capital firms
Proven management and engineering teams
– Shiva, Aptis, Cascade, Wellfleet, Bay Networks, Nortel, Macromedia…
– Building subscriber access solutions for the past 15 years
Leading edge product line
– Scalable family of network based appliances providing policy driven, application level
security, control, monitoring and interoperability functions for systems, applications
and services based on the Session Initiation Protocol (SIP)
Benefits
– Enables service providers to deliver secure, manageable, “business class” VOIP and
real-time collaboration services to residential, SMB and enterprise customers
– Accelerates uptake of SIP based hosted service offerings by addressing customer
concerns regarding security, control, monitoring, survivability and compliance
– Enables competitive differentiation between secured and unsecured hosted VOIP
services
– Generates incremental service revenue by enabling deployment of premium SIP based
hosted service offerings
The Covergence Solution Enables a Secure and Manageable SIP Access Network
© 2005 Covergence, Inc.
40
Application Level Security for SIP
Application Level
Security, Control
and Monitoring
Enterprise
Network
Network Level
Security, Control
and Monitoring
Trend Micro
SMTP
Email
Services
Email
Security Proxy
Email Client or
Server
Blue Coat
Check Point
HTTP
Web
Security Proxy
Network
Attacks!
Firewall
SIP
SIP
Security Proxy
Internet
Web
Services
Web Browser or
Server
SIP
Services
SIP Client or
Server
Defense in Depth
Covergence provides application level security, control and monitoring for SIP applications
© 2005 Covergence, Inc.
41
Perimeter Defense Application
SIP Based Business
Systems and Applications
Partners
SIP Based
PBX or Proxy
SIP Phone
SIP Based
Collaboration
System
Collaboration
Client
SIP
SIP
SIP Based
Conferencing
System
Conferencing
Client
IP
SIP
SIP
Customers
Covergence
Eclipse
Perimeter
Employees
Inserts a layer of application-level security at enterprise perimeter for greater depth of defense
Enforces administratively defined security, control and monitoring policies at the enterprise network
boundary
Protects enterprise SIP infrastructure from external attacks, exploits and compromises
Guarantees confidentiality, integrity and authenticity of enterprise’s external SIP based communications
Ensures that the enterprise’s SIP communications are in compliance with corporate policies and external
regulations
Enables enterprise to extend its SIP based business applications to remote employees, customers and
partners
© 2005 Covergence, Inc.
42
Internal Control Application
SIP Application Servers
SIP Client
SIP
Application
Server
SIP
Clients
SIP
SIP
SIP Client
SIP
Application
Server
SIP
SIP
SIP
Covergence
Eclipse
SIP
SIP
Application
Server
SIP Client
Enforces security, control and monitoring policies on internal SIP signaling and media
traffic
–
Session detail recording, instant message recording, audio recording, media control and validation,
virus scanning…
Gives enterprise total visibility and control over its internal SIP traffic
Protects the enterprise SIP infrastructure from internal attacks
Enhances performance and availability of SIP applications by providing load balancing
and failover across a pool of SIP application servers
© 2005 Covergence, Inc.
43
Policy Based Application Management
SIP Proxies and
Application Servers
Eclipse
Management
System
SIP Based
Hosted
Services
Policies
SIP Clients
SIP Signaling
and Media
SIP Phones
SIP Clients
SIP Signaling
and Media
LDAP
Corporate
Directory
SIP Enabled
PDAs
Administrators define policies using Eclipse management interfaces
– CLI, GUI, XML…
Eclipse applies policies to sessions with specific layer 1-7 attributes
– Source/destination network, user, group, department, role…
Gives enterprise total security, visibility and control over SIP based
application traffic
© 2005 Covergence, Inc.
44
Instant Message Content Filtering
LCS 2005
Servers
To:
[email protected]
Bob says:
Ted, my boss is a @#$%^&*
%@#-^$%!
Ted says:
Have you checked out [Inappropriate
URL deleted by CXC]?
Bob says:
Take a look at
http://www.trojansandworms.com
To:
Ted
Bob
[email protected]
Bob says:
Ted, my boss is a [Expletive deleted
by CXC]!
Ted says:
Have you checked out
http://www.pornsite.com?
Bob says:
Take a look at [Malicious URL deleted
by CXC]
Bob sends Ted an IM containing inappropriate, sensitive or dangerous content
–
Inappropriate language, confidential or private information (trademarks, code names, account numbers, social
security numbers…), inappropriate or dangerous URLs…
CXC receives IM, scans it, detects sensitive content and takes a policy based set of actions
–
Delete inappropriate content, create a log entry, generate a management alert…
Content matching based on keyword lists, regular expressions or third-party databases (e.g.
Websense)
CXC enforces corporate IM content control policies
© 2005 Covergence, Inc.
45
Virus Scanning of SIP Based File Transfers
LCS 2005
Servers
To:
[email protected]
Kurt Bertone says:
Dude, check out this file…
Waiting for [email protected] to
accept the file “Infected.doc”. Please
wait for a response or Cancel (Alt+Q)
the file transfer.
To:
Ken
Kurt
Infected.doc
Lorem ipsum dolor sit
amet, consectetuer
adipiscing elit. Duis
dictum pede a sapien.
[email protected]
Kurt Bertone says:
Dude, check out this file…
[email protected] would like to
send you the file “Infected.doc”…Do you
want to Accept (Alt+T) or Decline
(Alt+D) the invitation?
BLOCK!
LOG!
ALERT!
Kurt attempts to transfer infected file to Ken
Eclipse receives file, scans it, detects virus and takes a policy based action
– Destroy, quarantine, repair, log, alert…
Infected files cannot propagate throughout the enterprise
Virus scanning and other file transfer control actions (e.g. block, record)
are enforced in accordance with administratively defined policies
© 2005 Covergence, Inc.
46
Controlling URL’s in Instant Messages
IM Server
To:
[email protected]
To:
Bob says:
Check out http://www.badsite.com
[email protected]
Bob says:
Check out [URL deleted by Eclipse]
badsite.com?
BLOCK
User with SIP IM client sends an IM containing a link to http://www.badsite.com
Covergence proxy intercepts SIP MESSAGE, parses body, finds URL and hands domain badsite.com
off to Websense for policy decision
Websense returns policy disposition BLOCK
Covergence proxy removes URL from instant message and logs the event
Websense customers can apply their EIM policies to SIP based IM traffic
© 2005 Covergence, Inc.
47
Covergence Solution
A family of network based appliances that enable enterprises to:
– Secure, control and monitor their SIP based applications
– Protect the corporate SIP infrastructure from internal and external intrusions and
attacks
– Ensure the confidentiality, authenticity and integrity of SIP based communications
– Interconnect SIP based systems, applications and services from different vendors
– Extend their SIP based applications to remote employees, customers and business
partners who are “outside the firewall” and “off the VPN”
– Bring their SIP applications into compliance with internal and external policies,
regulations and best practices
© 2005 Covergence, Inc.
48
Challenges of Enterprise Security
January 27th, 2006
Ram Ayyakad
Founder
[email protected]
About My Background
• Founder, Ranch Networks
• 20 years experience in the telecom industry
• Part of of architecture team that built the
prestigious IP and ATM switches
• Recipient of the 1998 Bell Laboratories
President’s Gold Award
Page 50
About Ranch Networks
• Ranch Networks offers the first-ever PBX
controlled VoIP appliances that secure,
scale and provide QoS beyond existing
firewall technologies
• Ranch Networks solves the security,
scalability and QoS problems associated
with VoIP implementations
Page 51
Ranch Networks
• Ranch Security code available from Digium
website now
• VoIP appliances that enable service
providers to secure,scale and provide QoS
Page 52
Securing Converged Enterprise Infrastructure
• MUST be the #1 priority
• Converged traffic MUST go pass robust security
infrastructure
• Security at all levels (L2, L3(IP), L4(UDP/TCP)
and application
• Security against DoS attack
– VoIP signaling
– VoIP media
– Data
Page 53
VoIP Security Challenges
• Educating COIs/CTOs that security threats are
real
• Picking the appropriate security appliances
– Future proofing (encryption, protocol changes)
– Security enforcement methodologies
•
•
•
•
Traditional firewalls
SIP firewalls
SBCs
PBX controlled appliances
– VoIP & data traffic on the same physical cable
– Preventing voice quality/call drops due to
viruses/worms
Page 54
Protecting Converged Infrastructure
• Security appliance MUST be able to segregate &
prioritize voice/data traffic
• ALL access to IP PBX MUST go through the
security appliance
• Security appliance MUST raise alerts for ANY
unauthorized access
• Security appliance MUST have the ability to
mirror traffic to an IDS system
• Look for the solutions being promoted by the IP
PBX vendor
• Allocate guaranteed BW for VoIP traffic
Page 55
Thank You
• We will now take Q&A from the
audience.
• We invite your feedback.
• Thank you for attending today. This
meeting is now adjourned.
Jonathan Zar
+1
(408) 209 0199