Date posted: 25-Dec-2015
© 2005 Avaya Inc. All rights reserved.
Avaya Security Overview
Andy Zmolek
Senior Manager, Security Planning and Strategy
© 2005 Avaya Inc. All rights reserved. Proprietary and Confidential: Do NOT distribute
Agenda
Introductions
– Group Overview
Security Strategy & Evolution
“Secure by Default” within Avaya Products
– Advisories: Staying Informed of the latest vulnerabilities
– Product Security
– Product Security Standards

Avaya Product House Security Teams
GCS Security Strategy and Development
Formed in December 04
Responsibilities
– Customer Presentations and outbound whitepaper material
– Security Roadmap
• Listen to customer input and incorporate recommendations into future solutions
– Avaya products or security partnerships
– Business Cases
– Drive security alignment across ALL Avaya Products
• Media Servers, Media Gateways, Endpoints, Contact Center, Modular Messaging, etc.
– Includes a development organization
• Implement the security roadmap based on market requirements
Product Security Support Team (PSST)
Security Advisories
– Information released by Avaya based on potential security vulnerabilities within the products
– http://support.avaya.com/security
Own Product Vulnerability Threat Management (VTM) for all customers
Own Product Penetration Testing
Tier IV Security Support
Development
Support
Planning

Security Trends and Issues
Business Continuity is impacted by Security Vulnerabilities
Sophistication of threats is evolving – severity of vulnerabilities is increasing
– Time of infection is very fast, requiring IT to react much faster
– The motive and intent is changing – moving from notoriety to financial gain
• Exploit (June 06): “A Miami man allegedly defrauded Internet voice providers to the tune of $1 million, with a sophisticated hacking scheme.” 1
– VoIP and Telephony applications are new targets, no longer just collateral damage
Mobility and always-on networks add to propagation of threats
Enterprises are strengthening their security guidelines and policies
– Influence from Government regulations (HIPAA, GLBA, and SOX)
Security must be pervasive (End-to-End)
Note 1: http://www.networkcomputing.com/article/printFullArticle.jhtml?articleID=188702999

Avaya Trusted Communications
Securing the Solution to Ensure Business Continuity
Security spans multiple layers
– Each layer needs to ensure
• System & Perimeter Protection
• Authentication, Authorization, and Access control
• Confidentiality and Integrity
• Secure Management
– Application Level Day Zero Protection
Standards based Security
Industry collaboration required to ensure vulnerabilities are exposed
Establish Partnerships with Customers

Trusted Communications Evolution
Yesterday – Early Adopter Converged Communications
• Proof of concept
• Limited security
Today – Securing Communication Applications
• Media and Signaling Encryption
• Secure Management
• Hardened Systems
• Denial of Service Protection
• Auditing & Alarming
Tomorrow – Intelligent Application Security
• Intelligent Application Routing
• Trusted Client Security (integrity and authorization)
• (Federated) Identity Access Management
• Digital Rights Mgmt

Product Security Functionality

Viruses / Worms are a threat to any system on a network…
Diagram labels: Internet – Firewall – User’s PC; “Listening on UDP port 1434”; “Open this great screensaver”
“There are about 60,000 viruses known for Windows” – Dr. Nic Peeling and Dr Julian Satchell, quoted in “Linux vs. Windows Viruses”, The Register, by Scott Granneman
Slammer Result
– 3 minutes: replication every 8.5 seconds
– 15 minutes: significant portions of the Internet were unusable
– Total cost: estimated at $1 Billion
Melissa
ILOVEYOU
IP Telephony Vendor (July ’05): Triggers an overflow in memory within a critical Server process. This can result in a denial-of-service condition, which will cause the server to shut down and reboot. Attacker could redirect calls and eavesdrop on calls.

Today’s Problems and Solutions
Diagram: Hacker – Endpoints – Communications Servers & Gateways – Hacker
Protocol Concerns and Server Concerns
– Worm: Zotob.B using “Plug and Play” via TCP 445
– Eavesdropping: Capture VoIP packets
– Voice spoofing: Injecting “Hi boss, I quit” into the conversation
– Voicemail spam / SPIT: 100,000 voicemails in a day
– Protocol Anomaly: length = 200 when expecting 64
– Impersonation: I’m George Bush
– Denial of Service: Loss of dial tone
– Virus / Worm: Mydoom
– Buffer Overflow
Solutions
– Media Encryption
– Packet Authentication
– H.235.5 / Annex H
– No Email / Partitioning
– System Hardening
– Stateful Firewall
– P-Asserted Identity
Communications Infrastructure Independent

Secured Media Servers
– No Direct ROOT access
– Partition / NOEXEC Hard Drives
– Separate Physical Interfaces for VoIP, Admin, and Control
– Software upgrades are digitally signed
– Backup files encrypted (CAST5 / AES)
– Intrusion Detection Checking via “Tripwire”
– Inherent IP Tables Stateful Firewall
– Native Red Hat OS Kernel Security Enhancements
– Network Interface Defense
– SNMPv3
– SSH
– HTTPS
– Log all connection attempts
– Call Preserving Patch Management
85% Removed
March 31, 2003 – Denver Post Reported: According to FBI Research and a Survey by the Denver Post: 80% of successful hacking attempts are committed from within a company (Most attempts originate outside the company)
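The “Tripwire”-style intrusion detection checking listed above is easiest to understand from a minimal implementation. The following is an added example written for this page, not Avaya’s or Tripwire’s code: it records a baseline of SHA-256 digests and permission bits for every file under a directory, then compares a later scan against that baseline and reports added, removed and modified files. The directory layout, file names, contents and the tampering steps are all constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example, not Avaya or Tripwire code: a minimal file-integrity check.
# The baseline maps each file's relative path to its SHA-256 digest and
# permission bits; a later scan is diffed against it.

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            mode = p.stat().st_mode & 0o777
            baseline[rel] = {"sha256": hash_file(p), "mode": oct(mode)}
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(rel for rel in set(baseline) & set(current)
                      if baseline[rel] != current[rel])
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Constructed scenario: baseline a small tree, change it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "monitor").write_bytes(b"\x7fELF original build")
        (root / "bin" / "helper").write_bytes(b"\x7fELF helper")

        # The baseline would normally be kept read-only or off-box so that
        # whoever alters the files cannot also rewrite the record of them.
        saved = json.dumps(build_baseline(root))

        # Constructed changes: a config edit, a replaced binary, a new file
        # and a deleted file, which the re-scan should all surface.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "monitor").write_bytes(b"\x7fELF replaced build")
        (root / "bin" / "extra").write_bytes(b"unexpected file")
        os.remove(root / "bin" / "helper")

        return compare(json.loads(saved), build_baseline(root))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The value of such a check depends on where the baseline lives: a signed or off-box copy is what turns a hash list into evidence, which is also why the slide pairs it with digitally signed upgrades and encrypted backups.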

Encryption delivers confidentiality
Voice Recorders
– Vomit – Voice over Misconfigured IP Telephones (Publicly Available)
• Freely downloadable
• http://vomit.xtdnet.nl/
• Decodes G.711 to .WAV file
– VoipCrak – Near Real Time VoIP/RTP Recorder/Decoder
• Decodes G.711, G723, G729
Media Encryption Timeline
– 2002: Avaya Encryption Algorithm (AEA) – “First to Market”
– 2005: AES – “Standards Based Encryption & Foundation for SRTP”
– 2007: SRTP – “Interoperable Secure Communications”
Clear VoIP
Encrypted VoIP

Encrypted Links
Diagram: S8700 Servers; G700, G350 and G650 Gateways; IP Phone Endpoints; Private LAN / Public LAN
– Encrypted IPSI Control (3DES & AES)
– Media Link Encryption (AES & AEA)
– IP H.323 Media Encryption (AES)
– IP SIP Signaling Encryption*
– Encrypted H.248 (AES)
Can encrypt individual links or the entire path (i.e. doesn’t require 2 encryption enabled phones)
Can encrypt up to a 6 participant conference call
Transparent to other system features
– No impact to routers, firewalls, or media processors
– Complementary to VPN configurations

Secure Communications
Diagram labels: Headquarters; Branch Office; Extranet Location; Broadband Virtual Office; Hot Spot; Cell
– S8700
– Avaya NOC (SNMP, Syslog)
– Firewall / VPN
– Internet / MPLS
– Data + SIP via the same connection
– Communications Gateway – “VPN + VoIP” in a single device
– VPN
– VPNremote for IP Phone
– DSL / Cable
– PDA / Laptop with VPNremote® Client and IP Softphone

“Device” & “Extension” Authentication
H.323
– Device: 802.1X*
– Extension / PIN: via H.235.5
SIP
– Device: 802.1X*
– Extension / PIN: Digest Authentication per RFC 3261
• Mutual authentication between server and endpoint based on shared knowledge of user PIN
• Authentication of registration (RAS) and call signaling messages
• Call signaling privacy
• Based on Encrypted Diffie-Hellman Key Exchange
SPIT Protection
• Network Asserted Identity (RFC 3325)
• SES inserts authenticated identity into SIP signaling messages
*Note: Future Authentication
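As an added example for the SIP extension / PIN row above (written for this page; not Avaya’s or SES’s code), here is the registrar side of Digest Authentication per RFC 3261, which reuses the HTTP Digest computation of RFC 2617 with MD5: HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2). The qop=auth variant with a client nonce is omitted. The extension, PIN, realm, URI and nonces are constructed; the `Registrar` class, its method names and the single-use nonce policy are assumptions of the example, not a description of how SES behaves.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict

# Added example, not Avaya/SES code: registrar-side check of SIP Digest
# authentication (RFC 3261 section 22, reusing RFC 2617 with MD5, no qop).

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # a server can store HA1 instead of the PIN
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header: str) -> Dict[str, str]:
    """Split 'Digest k="v", k2="v2"' into a dict of parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("unsupported authentication scheme")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

class Registrar:
    """Hypothetical registrar holding extension -> PIN (constructed)."""
    def __init__(self, realm: str, credentials: Dict[str, str]):
        self.realm = realm
        self.credentials = credentials
        self.live_nonces = set()

    def challenge(self) -> str:
        """Value for the WWW-Authenticate header of a 401 response."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}"'

    def verify(self, method: str, authorization: str) -> bool:
        p = parse_digest(authorization)
        nonce = p.get("nonce", "")
        if nonce not in self.live_nonces:        # never issued, or already used
            return False
        self.live_nonces.discard(nonce)          # each nonce is single use: no replay
        pin = self.credentials.get(p.get("username", ""))
        if pin is None or p.get("realm") != self.realm or "uri" not in p:
            return False
        expected = digest_response(p["username"], self.realm, pin,
                                   method, p["uri"], nonce)
        # constant-time comparison of the two hex strings
        return hmac.compare_digest(expected.encode(), p.get("response", "").encode())

def client_authorization(challenge: str, username: str, pin: str,
                         method: str, uri: str) -> str:
    """What the phone sends back: the challenge parameters plus its response."""
    c = parse_digest(challenge)
    resp = digest_response(username, c["realm"], pin, method, uri, c["nonce"])
    return (f'Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{resp}"')

def demo() -> Dict[str, bool]:
    reg = Registrar("pbx.example", {"1001": "4321"})   # constructed extension and PIN
    uri = "sip:pbx.example"
    good = client_authorization(reg.challenge(), "1001", "4321", "REGISTER", uri)
    results = {"correct_pin": reg.verify("REGISTER", good)}
    results["replayed"] = reg.verify("REGISTER", good)   # same nonce again: rejected
    bad = client_authorization(reg.challenge(), "1001", "0000", "REGISTER", uri)
    results["wrong_pin"] = reg.verify("REGISTER", bad)
    other = client_authorization(reg.challenge(), "1001", "4321", "INVITE", uri)
    results["wrong_method"] = reg.verify("REGISTER", other)   # HA2 binds the method
    return results
```

Because HA2 covers the method and request URI and the nonce is chosen by the server, a captured Authorization header cannot be replayed for a different request or after the nonce has been consumed; what the scheme does not do is protect the rest of the message, which is why the slide pairs it with signaling encryption.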

Anomaly Detection
Understand and Protect:
– SYN Flood
– Jolt
– Jolt2
– Ping Flood
– Finger of Death
– Packet Storm
– Malformed Packets
– Fragmented Packets
– More…
Server Defense:
– Stateful Firewall
– Red Hat OS Kernel Security Enhancements
Network Interface Defense:
– Anomaly detection drops packets that are suspicious or inconsistent with VoIP traffic
Endpoint Defense:
– Hardening of Embedded OS and Network Stack – better protection against flooding and malformed traffic
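The Network Interface Defense line above, and the earlier “Protocol Anomaly: length = 200 when expecting 64” example from the Problems and Solutions slide, both describe dropping packets that do not look like the voice traffic the gateway expects. The following added example (written for this page, not Avaya code) shows what such a check can look like for RTP: it parses the fixed header, validates the version, CSRC count and padding against the packet length, compares the payload size with what the negotiated codec should produce, and rejects packets from a foreign SSRC. The payload-size table assumes 20 ms packetization of the RFC 3551 static payload types; the packets, SSRC and thresholds are constructed.

```python
import struct
from typing import List, Optional

# Added example, not Avaya code: sanity checks that flag RTP packets which
# are inconsistent with the voice stream a gateway expects. The payload
# sizes assume 20 ms packetization; real thresholds come from the SDP offer.

# Static payload types from RFC 3551 -> payload bytes per 20 ms frame.
EXPECTED_PAYLOAD = {
    0: 160,    # PCMU (G.711 u-law): 8000 samples/s * 1 byte * 0.020 s
    8: 160,    # PCMA (G.711 A-law)
    18: 20,    # G.729: 8 kbit/s
}
RTP_HEADER_LEN = 12

def check_rtp(packet: bytes, expected_ssrc: Optional[int] = None) -> List[str]:
    """Return a list of anomaly descriptions; an empty list means the packet looks sane."""
    anomalies: List[str] = []
    if len(packet) < RTP_HEADER_LEN:
        return ["truncated: shorter than the 12-byte RTP header"]
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    version, padding, cc = b0 >> 6, (b0 >> 5) & 1, b0 & 0x0F
    pt = b1 & 0x7F
    if version != 2:
        anomalies.append(f"version={version}, expected 2")
    header_len = RTP_HEADER_LEN + 4 * cc        # CSRC list follows the fixed header
    if len(packet) < header_len:
        anomalies.append(f"cc={cc} implies a {header_len}-byte header, packet is {len(packet)} bytes")
        return anomalies
    payload_len = len(packet) - header_len
    if padding:
        pad = packet[-1]                         # last octet holds the pad count
        if pad == 0 or pad > payload_len:
            anomalies.append(f"padding count {pad} inconsistent with {payload_len} payload bytes")
        else:
            payload_len -= pad
    if pt not in EXPECTED_PAYLOAD:
        anomalies.append(f"payload type {pt} was not negotiated")
    elif payload_len != EXPECTED_PAYLOAD[pt]:
        anomalies.append(f"length = {payload_len} when expecting {EXPECTED_PAYLOAD[pt]} for PT {pt}")
    if expected_ssrc is not None and ssrc != expected_ssrc:
        anomalies.append(f"SSRC {ssrc:#010x} does not belong to this stream")
    return anomalies

def make_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes,
             version: int = 2) -> bytes:
    """Build a minimal RTP packet (no CSRCs, no padding) for the demo."""
    return struct.pack("!BBHII", version << 6, pt & 0x7F, seq, ts, ssrc) + payload

def filter_stream(packets: List[bytes], ssrc: int) -> dict:
    """Network-interface style decision: forward clean packets, drop the rest."""
    forwarded, dropped = 0, []
    for pkt in packets:
        problems = check_rtp(pkt, ssrc)
        if problems:
            dropped.append(problems)
        else:
            forwarded += 1
    return {"forwarded": forwarded, "dropped": dropped}

def demo() -> dict:
    ssrc = 0x1234ABCD   # constructed stream identifier
    packets = [
        make_rtp(0, 1, 160, ssrc, b"\xff" * 160),             # normal G.711 frame
        make_rtp(0, 2, 320, ssrc, b"\xff" * 200),             # oversized payload
        make_rtp(0, 3, 480, ssrc, b"\xff" * 160, version=1),  # wrong version
        make_rtp(0, 4, 640, 0xDEADBEEF, b"\xff" * 160),       # foreign SSRC
        b"\x80\x00\x00",                                      # truncated
    ]
    return filter_stream(packets, ssrc)

if __name__ == "__main__":
    print(demo())
```

Checks like these run before the payload reaches the codec, which is the point of putting them at the network interface: a packet that fails them is dropped and counted rather than decoded, so malformed or oversized frames never reach the media processor.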

Product Security Checklist – “Secure by Default”
Blueprint for secure products
– Security Functionality that should exist in all of your products
Evolving set of security criteria
– “Secure today” does not imply “secure tomorrow”
Functionality Includes
– Media & Signaling Encryption
– Denial of Service
– List Required / Optional Ports
– Data Anomaly Detection
– SSH / SFTP
– Password Complexity
– Buffer Overflow attacks
– And more…
Security awareness within telephony is lagging “traditional data”
– 44% have security policies for voice (90% have security policies for data)*

Security Partnerships

Security Advisories
Avaya provides advisory information on the support web site:
– http://support.avaya.com
Avaya provides email notification for new advisories
– Click here for additional information
Groups Monitored: CERT, Microsoft, Red Hat, HP, SCO, Vuln-watch, Security Focus – bugtraq, Cisco, Sun
Avaya classification for vulnerability | Target intervals for assessment and notification from Avaya | Target intervals for remediation action if Avaya software development is required
High   | < 24 hours            | 30 days
Medium | < 2 weeks             | 90 days (first minor release)
Low    | < 30 days             | 1 year (first major release)
None   | At Avaya’s discretion | N / A
If a third party patch is available: Instructions on patch installation or remediation process is included within the announcement
Communication Manager – Patch needs over a one-year period:
• Two patches (128 MB)
• 25 minutes to download
• Call Preserving!
Cisco CallManager – Patch needs over a one-year period:
• 19 patches (1375.574 MB)
• 195 minutes to download

Summary
Security is evolving
– Security Focus needs to expand beyond Infrastructure Security
– Application Security is required
Security is “built in” instead of “bolted on”
– Includes standards based Encryption, Authentication, Denial of Service
Deliver best of breed technology to enable secure communications
Security is a 24x7 responsibility
– Short Term Advisories to Long Term Roadmaps
End Goal: Ensuring that disruption of service and / or theft are eliminated as vulnerabilities for IP Communications
Diagram labels: Secure by Design; 24x7 Ownership; Security Evolution; Partnerships