Security Challenges in the Enterprise
Download
Report
Transcript Security Challenges in the Enterprise
Security Challenges in
the Enterprise
Panelists
• Franchesca Walker, Director Enterprise Solutions Foundry
Networks
• Eric Winsborrow, CMO
Sipera Systems
• Shrikant Latkar, Sr. Mgr. Solutions Marketing
Juniper Networks
• Mark Ricca, Sr. Analyst and Founding Partner
IntelliCom Analytics
2
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
www.ITEXPO.com
Security: Continued Strong Growth
Integrated Security Solutions Forecast
$B
(Global, All Size Businesses)
9.2%
CAGR
$6.0
Overall
$5.0
$4.0
$3.0
10.7%
CAGR
$2.0
$1.0
2008
2009
2010
Remote / SoHo
$0
2005
2006
2007
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
3
www.ITEXPO.com
Security Challenges
in the Enterprise
Franchesca Walker, Marketing Director of Enterprise Solutions
Foundry Networks, Inc
4
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
www.ITEXPO.com
Many Malicious Attack Vectors &
Vulnerabilities at each Layer
SQL Slammer Worm
Malissa Virus
SoBig Worm
VIRUSES
Application Attacks
SPAM
CodeRed Worm
Transport Layer Attacks
TCP TTL Attack
VLAN Flood Attack
CPU Rate Attack
TCP Syn Flood Attack
False Route Injection
L3 DOS ATTACKS
BGP TTL Security Hole
DHCP Starvation
ARP Poisoning
Datalink Layer Attacks
IP Port Scan
NETWORK SERVICE ATTACKS
ROUTING PROTOCOL ATTACKS
Network Layer Attacks
UDP/TCP DOS ATTACKS
TCP Timestamp Attack
ICMP Smurf Attack
p2p Traffic
SIP DoS Attack
ROGUE SERVICES
TCP Ack Flood Attack
ICMP Flood Attack
Nimba Virus & Worm
Rogue DHCP & DNS
UDP/TCP PROTOCOL ATTACKS
Deep Throat
TROJANS
WORMS
MyDoom Worm
Malicious TCP Packets
Sasser Worm
MAC Flood Attack
Port DoS Attack
Rogue Wireless AP
Port Scan
L2 DOS ATTACKS
L2 ROGUE SERVICES
L2 SERVICE ATTACKS
VLAN Hopping
CAM Table Overflow Attack
Private VLAN Attack
5
5
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
www.ITEXPO.com
Converged Voice & Data Security
sFlow-based Anomaly + Signature Defense
Zero-Day Anomaly IDS
Traffic
Samples
(sFlow)
App & Web Servers
Signature IDS
NMS
Open Source
Applications
Closed
Loop
Security
Traffic
Samples
(sFlow)
Threat
Control
Access
Policy
Radius, DNS, DHCP
Network Switches, Routers, & Access Points
Integrated Switch and AP Security Features
DoS attack protection
CPU protection
Rate limiting
Hardware-based ACLs
DHCP, ARP, IP spoof protection
Rogue AP detection & suppression
Access policy enforcement
Threat control enforcement
Embedded sFlow traffic monitoring
Call Manager
Multiple endpoints
IEEE 802.1x + MAC Authentication
6
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
www.ITEXPO.com
Convergence Network Security
• Allow only authorized users on the network
– Authentication based on IEEE 802.1x, MAC address
• Control who has access to specific resources
– 802.1q VLANs
• Stop unauthorized traffic without impacting network
performance
– ASIC based, wire-speed ACLs
• Protect against security threats and DoS attacks
– Network-wide monitoring (e.g. sFlow)
– Threat detection and mitigation
• Rate limiting of known packet types
• Closed-loop mitigation using centralized IDS equipment and
applications
7
7
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
www.ITEXPO.com
Enterprise VoIP
Security Challenges
Eric Winsborrow, CMO
Sipera Systems
Risk Management approach to Security
Threat Potential
Lower Risk Profile
and
Prioritization
Optimum
Prioritization
Point of
Diminishing
Returns
VoIP 2.0 (open)
Risk Profile
VoIP 1.0 (closed)
Risk Profile
Security Priority and Spending
9
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
www.ITEXPO.com
The Need to Extend VoIP
Voice/Data Center(s)
IP PBX
IP PBX
Remote worker
Internet
VISP
SIP Trunk
Mobile worker
WAN/VISP
PSTN
Soft phones
Headquarters
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
Branch(es)
10
www.ITEXPO.com
Extending VoIP - Challenges
Hacker
Voice/Data Center(s)
Spammer
IP PBX
IP PBX
Remote worker
Internet
VISP
Strong authentication of
device & user
Confidentiality/Privacy of
signaling & media
MobilePhone
workerconfiguration &
management
Policy enforcement &
access control
Protect IP PBX &
phones
WAN/VISP
Opening wide range of IP/UDP
SIP Trunk
ports violates security policy
Refresh UDP pinhole in
remote/home firewall
PSTN
Infected
PC
Rogue Device
Soft phones
Headquarters
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
Rogue Employee
Branch(es)
11
www.ITEXPO.com
Risk Management approach to VoIP/UC
Sipera VIPER Labs
Sipera VIPER Consulting
• Vulnerability Research
• VoIP/UC vulnerability assessment
• Threat signature development
• Best practices consultation
• Security workshops
Establish
POLICY
Manage
COMPLIANCE
Assess
RISK
Implement
PROTECTION
Comprehensive Protection
Policy Compliance
for real-time communications
• Call routing policies
• Whitelists/Blacklists
• LAVA Tools
• DoS/Floods prevention
Secure Access
• Fine-Grained Policies by
User, Device, Network, ToD
• Fuzzing prevention
• Strong User authentication
• Anomaly detection/Zero-Day attacks
• Application controls
• Call Admission Control
• Stealth attacks
• IM logging and content filtering
• Firewall/NAT traversal
• Spoofing prevention
• Compliance reporting
• Privacy and Encryption
• Reconnaissance prevention
• Secure firewall channel
• VoIP Spam
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
12
www.ITEXPO.com
Conclusion
• Benefits of Unified Communications increase if VoIP
network is extended
• But an enterprise needs to solve many issues
– Privacy and authentication; firewall/NAT traversal; policy
enforcement; VoIP application layer threats
• A Security Risk Management approach is needed
– Elevate VoIP/UC in priority if using SIP or extending VoIP
– Engage experts for best practices and risk evaluation
– Create policies and protection specific to VoIP/UC
13
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
www.ITEXPO.com
VoIP Security
IT Expo East 2008
Shrikant Latkar
[email protected]
Concerns when Deploying VoIP
Concerns about
interoperability
between vendor’s
equipment
Concerns about
security
Not enough people
to plan, design,
implement, and
manage VoIP
45
40
35
30
Percentage
25
20
15
10
5
0
Security
Quality
Interoperabililty
Res ources
Budget
Systems for managing and
troubleshooting VoIP quality
Source: 2005/2006 VoIP State of the Market Report, Produced by Webtorials
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
Lack of
budget
15
www.ITEXPO.com
Evolving SIP Security
• Exploits will become
more “creative” Newer exploits are at
Layer 7
• Current security
doesn’t address all
attacks
Need to evolve security
to be scalable and more
attack aware
•Customized attack
defenses – specific for
your environment
•Rapid time between
exploit found and
defense deployed
– SBCs cannot defend
against many SIP
vulnerabilities as the
attack levels scale/grow
Most Attacks
•Able to handle high
volumes of attacking
packets
Smartest
Attacks
Smarter Attacks
Stateful Firewall
Router Filters
Protocol ALG
IP Spoof Detection
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
DOS Filters
Application17
Aware
Intrusion Prevention
www.ITEXPO.com
Firewall
IPS/IDP
•Protocols: SIP, H323 (RAS, Q931, H245), MGCP, Skinny
•Identification: done by L4 port number (static)
•Functions: NAT, State checks, pinhole, anomalies, drop
malformed packets
•VoIP session correlation (beyond L3/L4)
•Application Screening: Flood attacks
•Coarser control: enable/disable all checks
•Protocols: SIP, H225RAS, H225SGN, MGCP
•Identification: based on application data (PIAI)
•Functions: Protocol State, anomalies (more than FW
checks); SIP sigs > 50
•Custom signatures can be done
•Logging (provides visibility)
•Flexibility in enabling signatures driven by policy
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
18
www.ITEXPO.com
Defense Against VoIP Security Threats
VoIP Security Threat
DoS attack on PBX, IP
Phone or gateway
Unauthorized access to
PBX or voice mail system
Ramifications
All voice communications fail
Defense Technology
FW with SIP attack protection
IPS with SIP sigs/protocol anom
Hacker listens to voice mails,
accesses call logs, company
directories, etc.
Zones, ALGs,
policy-based access control
Hacker utilizes PBX for
long-distance calling, increasing
costs
VPNs, encryption
(IPSec or other)
Eavesdropping or
man-in-the-middle attack
Voice conversations unknowingly
intercepted and altered
VPNs, encryption
(IPSec or other)
Worms/trojans/viruses on
IP phones, PBX
Infected PBX and/or phones
rendered useless, spread
problems throughout network
Toll fraud
IP phone spam
Lost productivity and annoyance
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
Policy based access control
IPS with SIP protocol anomaly
and stateful signatures
FW/ALGs, SIP attack prevention,
SIP source IP limitations,
UDP Flood Protection
19
www.ITEXPO.com
Q&A
Additional VoIP resources
available at www.juniper.net
20
January 23-25, 2008 • Miami Beach Convention Center • Miami, Florida USA
www.ITEXPO.com