Date post: 25-Dec-2015
© 2005 Avaya Inc. All rights reserved.

Avaya Security Overview

Andy Zmolek

Senior Manager, Security Planning and Strategy

© 2005 Avaya Inc. All rights reserved. Proprietary and Confidential: Do NOT distribute

Agenda

Introductions

– Group Overview

Security Strategy & Evolution

“Secure by Default” within Avaya Products

– Advisories: Staying Informed of the latest vulnerabilities

– Product Security

– Product Security Standards


Avaya Product House Security Teams

GCS Security Strategy and Development

Formed in December 04

Responsibilities

– Customer Presentations and outbound whitepaper material

– Security Roadmap

• Listen to customer input and incorporate recommendations into future solutions

– Avaya products or security partnerships

– Business Cases

– Drive security alignment across ALL Avaya Products

• Media Servers, Media Gateways, Endpoints, Contact Center, Modular Messaging, etc

– Includes a development organization

• Implement the security roadmap based on market requirements

Product Security Support Team (PSST)

Security Advisories

– Information released by Avaya based on potential security vulnerabilities within the products

– http://support.avaya.com/security

Own Product Vulnerability Threat Management (VTM) for all customers

Own Product Penetration Testing

Tier IV Security Support

Development

Support

Planning


Avaya Strategy


Security Trends and Issues

Business Continuity is impacted by Security Vulnerabilities

Sophistication of threats is evolving – severity of vulnerabilities is increasing

– Time of infection is very fast, requiring IT to react much faster

– The motive and intent is changing – moving from notoriety to financial gain

• Exploit (June 06): “A Miami man allegedly defrauded Internet voice providers to the tune of $1 million, with a sophisticated hacking scheme.” 1

– VoIP and Telephony applications as new targets, no longer just collateral damage

Mobility and always-on networks add to propagation of threats

Enterprises are strengthening their security guidelines and policies

– Influence from Government regulations (HIPAA, GLBA, and SOX)

Security must be pervasive (End-to-End)

Note 1: http://www.networkcomputing.com/article/printFullArticle.jhtml?articleID=188702999


Avaya Trusted Communications

Securing the Solution to Ensure Business Continuity

Security spans multiple layers

– Each layer needs to ensure

• System & Perimeter Protection

• Authentication, Authorization, and Access control

• Confidentiality and Integrity

• Secure Management

– Application Level Day Zero Protection

Standards based Security

Industry collaboration required to ensure vulnerabilities are exposed

Establish Partnerships with Customers


Trusted Communications Evolution

Early Adopter Converged Communications

• Proof of concept

• Limited security

Intelligent Application Security

• Intelligent Application Routing

• Trusted Client Security (integrity and authorization)

• (Federated) Identity Access Management

• Digital Rights Mgmt

Yesterday / Today / Tomorrow

Securing Communication Applications

• Media and Signaling Encryption

• Secure Management

• Hardened Systems

• Denial of Service Protection

• Auditing & Alarming


Product Security Functionality


Firewall

Viruses / Worms are a threat to any system on a network…

Internet

Listening on UDP port 1434

User’s PC

“Open this great screensaver”

“There are about 60,000 viruses known for Windows” Dr. Nic Peeling and Dr Julian Satchell. Linux vs. Windows Viruses, The Register, by Scott Granneman

Slammer Result

3 minutes: replication every 8.5 seconds

15 minutes: significant portions of the Internet were unusable

Total cost: estimated at $1 Billion

Melissa

ILOVEYOU

IP Telephony Vendor (July ’05)

Triggers an overflow in memory within a critical Server process. This can result in a denial-of-service condition, which will cause the server to shut down and reboot. Attacker could redirect calls and eavesdrop on calls


Endpoints

Today’s Problems and Solutions

Hacker

Worm: Zotob.B using “Plug and Play” via TCP 445

Communications Servers & Gateways

Hacker

Eavesdropping: Capture VoIP packets

Voice spoofing: Injecting “Hi boss, I quit” into the conversation

Voicemail spam / SPIT: 100,000 voicemails in a day

Protocol Anomaly: length = 200 when expecting 64

Impersonation: I’m George Bush

Denial of Service: Loss of dial tone

Protocol Concerns

Server Concerns

Virus / Worm: Mydoom

Media Encryption

Packet Authentication

Buffer Overflow

H.235.5 / Annex H

No Email / Partitioning

System Hardening

Stateful Firewall

P-Asserted Identity

Communications

Infrastructure Independent

11© 2005 Avaya Inc. All rights reserved. Proprietary and Confidential: Do NOT distribute

No Direct ROOT access

Partition/NOEXEC Hard Drives

Separate Physical Interfaces for VoIP, Admin, and Control.

Software upgrades are digitally signed

Backup files encrypted: CAST5/AES

Intrusion Detection Checking via “Tripwire”

Inherent IP Tables Stateful Firewall

Native Red Hat OS Kernel Security Enhancements

Network Interface Defense

SNMPv3

SSH

HTTPS

Log all connection attempts

March 31, 2003 – Denver Post Reported: According to FBI Research and a Survey by the Denver Post: 80% of successful hacking attempts are committed from within a company (Most attempts originate outside the company)

85% Removed

Call Preserving Patch Management

Secured Media Servers


Encryption delivers confidentiality

Vomit: Voice over Misconfigured IP Telephones (Publicly Available)

– Freely downloadable

– http://vomit.xtdnet.nl/

– Decodes G.711 to .WAV file

AES: “Standards Based Encryption & Foundation for SRTP”

Avaya Encryption Algorithm (AEA): “First to Market”

SRTP: “Interoperable Secure Communications”

2002 2005 2007

Media Encryption Timeline

Voice Recorders

VoipCrak: Near Real Time VoIP/RTP Recorder/Decoder

Decodes G.711, G.723, G.729

Clear VoIP

Encrypted VoIP


Encrypted Links

S8700

IP Phone IP Phone

G700

Servers

Gateways

Endpoints

Private LAN

Public LAN

G350

Encrypted IPSI Control (3DES & AES)

Media Link Encryption (AES & AEA)

IP H.323 Media Encryption (AES)

IP SIP Signaling Encryption*

Encrypted H.248 (AES)

G650

Can encrypt individual links or the entire path (i.e. doesn’t require 2 encryption enabled phones)

Can encrypt up to a 6 participant conference call

Transparent to other system features

– No impact to routers, firewalls, or media processors

– Complementary to VPN configurations


Secure Communications

Headquarters

Branch Office

Extranet Location

S8700

Data + SIP via the same connection

Internet / MPLS

Broadband Virtual Office

VPN

VPNremote for IP Phone

Avaya NOC

SNMP

Syslog

DSL / Cable

“VPN + VoIP” in a single device

Communications Gateway

“VPN + VoIP” in a single device

Hot Spot

Cell

PDA / Laptop with VPNremote® Client and IP Softphone

Firewall / VPN


“Device” & “Extension” Authentication

H.323 802.1X*

Extension / PIN via H.235.5

SIP 802.1X*

Extension / PIN Digest Authentication per RFC 3261

• Mutual authentication between server and endpoint based on shared knowledge of user PIN

• Authentication of registration (RAS) and call signaling messages

• Call signaling privacy

• Based on Encrypted Diffie-Hellman Key Exchange

SPIT Protection

• Network Asserted Identity (RFC 3325)

• SES inserts authenticated identity into SIP signaling messages

*Note: Future Authentication


Anomaly Detection

Understand and Protect:

– SYN Flood

– Jolt

– Jolt2

– Ping Flood

– Finger of Death

– Packet Storm

– Malformed Packets

– Fragmented Packets

– More…

Server Defense:

– Stateful Firewall

– Red Hat OS Kernel Security Enhancements

Network Interface Defense:

– Anomaly detection drops packets that are suspicious or inconsistent with VoIP traffic

Endpoint Defense:

– Hardening of Embedded OS and Network Stack – better protection against flooding and malformed traffic


Product Security Checklist

“Secure by Default”

Blueprint for secure products

– Security Functionality that should exist in all of your products

Evolving set of security criteria

– “Secure today” does not imply “secure tomorrow”

Functionality Includes

– Media & Signaling Encryption

– Denial of Service

– List Required / Optional Ports

– Data Anomaly Detection

– SSH / SFTP

– Password Complexity

– Buffer Overflow attacks

– And more…

Security awareness within telephony is lagging “traditional data”

44% have security policies for voice (90% have security policies for data)*


Security Partnerships


Security Advisories

Avaya provides advisory information on the support web site:

– http://support.avaya.com

Avaya provides email notification for new advisories

– Click here for additional information

Groups Monitored: CERT, Microsoft, Red Hat, HP, SCO, Vuln-watch, Security Focus – bugtraq, Cisco, Sun

| Avaya classification for vulnerability | Target intervals for assessment and notification from Avaya | Target intervals for remediation action if Avaya software development is required |
| --- | --- | --- |
| High | < 24 hours | 30 days |
| Medium | < 2 weeks | 90 days (first minor release) |
| Low | < 30 days | 1 year (first major release) |
| None | At Avaya’s discretion | N / A |

If a third party patch is available: instructions on patch installation or remediation process are included within the announcement

Communication Manager

Patch needs over a one-year period:

• Two patches (128 MB)

• 25 minutes to download

Cisco CallManager

Patch needs over a one-year period:

• 19 patches (1375.574 MB)

• 195 minutes to download

Call Preserving!


Secure by Design

24x7 Ownership

End Goal

Summary

Security is evolving

– Security Focus needs to expand beyond Infrastructure Security

– Application Security is required

Security is “built in” instead of “bolted on”

– Includes standards based Encryption, Authentication, Denial of Service

Deliver best of breed technology to enable secure communications

Security is a 24x7 responsibility

– Short Term Advisories

To

– Long Term Roadmaps

Ensuring that disruption of service and / or theft are eliminated as vulnerabilities for IP Communications

Security Evolution

Partnerships


Thank You!

