The Voice Security CompanyThe Voice Security Company

Kirk VaughanKirk VaughanProduct Director –VoIPProduct Director –VoIPkvaughan@securelogix.comkvaughan@securelogix.com

SIP Application SecuritySIP Application Security

VoIP security is a big deal

Why? Fear of the Unknown

Everyone talks about VoIP security threats

DoS Attacks Eavesdropping Theft-of-service

These are the obvious ones!And they are manageable.

Theft-of-identity

What is scary is what is around the corner that we can’t see

Hacker’s hate Billy Gates….will John Chambers be next?

Disgruntled employees can wreak havoc with internal access

IT security “Best Practices”

Stay off of Billy’s platforms

Secure Backdoors

Enterprises are easy targets – too little voice security

Some current VoIP Security Recommendations help

Strict Authentication

Enterprises are not early adopters

                       

Business case is necessary Proven reliability and security ROI calculation includes cost of management

Build applications with this in mind from day one

Data Networking History taught us

Network security requires lots of tools – not one single answer- Firewalls

- IPS/IDS- Anti-viral software

Modem and fax lines create a huge security backdoor

- Some enterprises have hundreds which are unmonitored thus creating an insecure voice and data network!

LAN

Servers

Workstations

Internet

CentralOffice

ISP

Intruder

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

UnauthorizedModems

LAN

Servers

Workstations

Internet

CentralOffice

ISP

Intruder

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

UnauthorizedModems

LAN

Servers

Workstations

Internet

CentralOffice

ISP

Intruder

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

UnauthorizedModems

LAN

Servers

Workstations

Internet

CentralOffice

ISP

Intruder

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

UnauthorizedModems

After hours scanning – 2%-4% of phone lines have unauthorized modems.

Unauthorized Modem Unauthorized Modem AttackAttack

LAN

Servers

Workstations

Internet

CentralOffice

ISP

Intruder

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

UnauthorizedModems

LAN

Servers

Workstations

Internet

CentralOffice

ISP

Intruder

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

UnauthorizedModems

LAN

Servers

Workstations

Internet

CentralOffice

ISP

Intruder

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

UnauthorizedModems

Employees use a modem to dial around the Firewall and IDS.

Hacker “piggybacks” off ISP connection to access the Data Network.

ISP Modem AttackISP Modem Attack

LAN

Servers

Workstations

Internet

CentralOffice

ISP

Intruder

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

Modems

LAN

Servers

Workstations

Internet

CentralOffice

ISP

Intruder

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

Modems

TelecomFirewall

MgmtServer

Blocked!

Alert!

Unauthorized calls are blocked by a Security Appliance called aTelecom Firewall

The SolutionThe Solution

The backdoor modem is the Data Security Manager’s “Achilles Heel”

My message to the SIP Application Development world….

Don’t become the Achilles Heel Don’t become the Achilles Heel to the VoIP worldto the VoIP world

Before you write 1 line of code, ask how the operations manager will..

- Have Visibility and Control of user behavior on your service

- Simply and effectively manage the service Configuration of applications User database Security policy

- Authorize use of approved applications (hopefully yours!)

- Accurately account and report on performance, usage and charging

- Guarantee the security of the application

Are you in the business of writing applications for enterprise users?

Integrated voice service platforms (MS RTC Server - Greenwich)

SIP-enabled web applications

Embedded services via API

Don’t be naïve – enterprises won’t allow new communication services into their networks without appropriate management,

visibility and security

Enterprise use of Public IM services (MS Messenger, AIM, Yahoo)

Created market for IM gateways

Access to SIP services over the internet (VONAGE, FWD)

Application Layer Gateways and VoIP-aware Firewalls

LAN

Servers

Workstations

Internet

CentralOffice

ISP

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

Modems

Telecom Firewall

VoIPSecurityManager

Mgmt.Server

Router

IP Phone

Accept the fact that you will be monitored and managed…..Accept the fact that you will be monitored and managed…..

3rd Party AS

VoIP Security Manager secures the data and voice network

external threats over the internet or WAN

TDM Security (Telecom Firewall) secures the data and voice network

external threats over unmonitored analog modem and fax lines

internal threats from trusted or unknown sources

Both devices provide management, reporting, and security policy tools

No need for two separate management and security tools…

Combine them!!

LAN

Servers

Workstations

Internet

CentralOffice

ISP

PSTN

IDS

Firewall

PBX

Voicemail

TelephonesFax

Modems

Mgmt.Server

Router

IP Phone

The CPE providing TDM and VoIP security becomes one…..The CPE providing TDM and VoIP security becomes one…..

3rd Party AS

RTMMFirewall

Real-Time Mixed Media FirewallReal-Time Mixed Media Firewall

The Real-Time Mixed Media Firewall

- Provides real-time Visibility and Control of user behavior

- Combines the security and monitoring features of several platforms

Application-Layer Gateway Telecom Firewall Call-Accounting System IM Gateway Client Registrar (DHCP) Presence Manager Security policy manager with reporting Bandwidth and routing policy manager

- Manages access to both on-net and off-net VoIP services

Simplifies the management of mixed mediaapplication platforms and secures the entire network!!!

- Secures TDM Voice Network against attack and misuse

The Real-Time Mixed Media Firewall

- Aids in the management and provisioning of SIP Services

Secures backdoor modem threats Restricts use of unapproved rogue clients and applications Prevents hacker attacks by controlling content across network borders Detects signaling anomalies and IPS signatures relating to VoIP

Single User database simplifies management of user profiles

Single GUI interface for setting up policies, reporting, and permissions

Graphical depiction of application/network usage stats in real-time

Application layer security

- Secures mixed media VoIP and TDM network resources

We have to secure both networks while we migrate

Security and Management of applications is key

Enterprises are suspicious of what they can’t control

They have been burned by the back-door modems

Can they be certain that you aren’t the next back-door?

Design apps for use with a CPE-based RTMM firewall

Even the great “killer app” needs security

Thank you!!!Thank you!!!