Security Challenges in the Enterprise. January 23-25, 2008 Miami Beach Convention Center Miami, Florida USA www.ITEXPO.com 2 Panelists Franchesca Walker,


Security Challenges in the Enterprise

Panelists
– Franchesca Walker, Director Enterprise Solutions, Foundry Networks
– Eric Winsborrow, CMO, Sipera Systems
– Shrikant Latkar, Sr. Mgr. Solutions Marketing, Juniper Networks
– Mark Ricca, Sr. Analyst and Founding Partner, IntelliCom Analytics

Security: Continued Strong Growth
[Chart: Integrated Security Solutions Forecast (Global, All Size Businesses), in $B. 9.2% CAGR Overall; 10.7% CAGR Remote / SoHo]

Security Challenges in the Enterprise
Franchesca Walker, Marketing Director of Enterprise Solutions, Foundry Networks, Inc

Many Malicious Attack Vectors & Vulnerabilities at each Layer
[Diagram. Layers shown: Datalink Layer Attacks, Network Layer Attacks, Transport Layer Attacks, Application Attacks]
Categories shown: L2 DoS attacks, L2 service attacks, L2 rogue services, L3 DoS attacks, routing protocol attacks, network service attacks, UDP/TCP protocol attacks, UDP/TCP DoS attacks, rogue services, viruses, worms, trojans
Attacks named on the slide: ARP Poisoning, MAC Flood Attack, Port DoS Attack, Rogue Wireless AP, CAM Table Overflow Attack, VLAN Hopping, Private VLAN Attack, DHCP Starvation, VLAN Flood Attack, Rogue DHCP & DNS, ICMP Flood Attack, ICMP Smurf Attack, False Route Injection, BGP TTL Security Hole, IP Port Scan, CPU Rate Attack, TCP SYN Flood Attack, TCP Ack Flood Attack, TCP TTL Attack, TCP Timestamp Attack, Malicious TCP Packets, Port Scan, SIP DoS Attack, SPAM, p2p Traffic, SQL Slammer Worm, SoBig Worm, Melissa Virus, Sasser Worm, Deep Throat, MyDoom Worm, CodeRed Worm, Nimda Virus & Worm

Converged Voice & Data Security
[Diagram. Labels: Network Switches, Routers, & Access Points; Call Manager; App & Web Servers; NMS; Radius, DNS, DHCP; Multiple endpoints; IEEE 802.1x + MAC Authentication; Access Policy; Threat Control; Traffic Samples (sFlow); Zero-Day Anomaly IDS; Signature IDS; Open Source Applications]
Integrated Switch and AP Security Features
– DoS attack protection
– CPU protection
– Rate limiting
– Hardware-based ACLs
– DHCP, ARP, IP spoof protection
– Rogue AP detection & suppression
– Access policy enforcement
– Threat control enforcement
– Embedded sFlow traffic monitoring
sFlow-based Anomaly + Signature Defense
Closed Loop Security

Convergence Network Security
Allow only authorized users on the network
– Authentication based on IEEE 802.1x, MAC address
Control who has access to specific resources
– 802.1q VLANs
Stop unauthorized traffic without impacting network performance
– ASIC based, wire-speed ACLs
Protect against security threats and DoS attacks
– Network-wide monitoring (e.g. sFlow)
– Threat detection and mitigation
   Rate limiting of known packet types
   Closed-loop mitigation using centralized IDS equipment and applications

Enterprise VoIP Security Challenges Eric Winsborrow, CMO Sipera Systems

Risk Management approach to Security
[Chart. Axes: Security Priority and Spending; Threat Potential. Curves: VoIP 1.0 (closed) Risk Profile; VoIP 2.0 (open) Risk Profile. Labels: Lower Risk Profile and Prioritization; Optimum Prioritization; Point of Diminishing Returns]

The Need to Extend VoIP
[Diagram. Labels: IP PBX; Voice/Data Center(s); Headquarters; Branch(es); Remote worker; Mobile worker; Soft phones; SIP Trunk; WAN/VISP; VISP; Internet; PSTN]

Extending VoIP - Challenges
[Diagram. Labels: IP PBX; Voice/Data Center(s); Headquarters; Branch(es); Remote worker; Mobile worker; Soft phones; SIP Trunk; WAN/VISP; VISP; Internet; PSTN]
Threat sources shown: Spammer, Hacker, Rogue Device, Rogue Employee, Infected PC
Challenges:
– Opening wide range of IP/UDP ports violates security policy
– Confidentiality/Privacy of signaling & media
– Strong authentication of device & user
– Policy enforcement & access control
– Phone configuration & management
– Protect IP PBX & phones
– Refresh UDP pinhole in remote/home firewall

Risk Management approach to VoIP/UC
Cycle: Establish POLICY, Assess RISK, Implement PROTECTION, Manage COMPLIANCE
ACCESS: Secure Access
– Strong User authentication
– Call Admission Control
– Firewall/NAT traversal
– Privacy and Encryption
– Secure firewall channel
Sipera VIPER Labs
– Vulnerability Research
– Threat signature development
– LAVA Tools
Sipera VIPER Consulting
– VoIP/UC vulnerability assessment
– Best practices consultation
– Security workshops
Comprehensive Protection for real-time communications
– DoS/Floods prevention
– Fuzzing prevention
– Anomaly detection/Zero-Day attacks
– Stealth attacks
– Spoofing prevention
– Reconnaissance prevention
– VoIP Spam
Policy Compliance
– Call routing policies
– Whitelists/Blacklists
– Fine-Grained Policies by User, Device, Network, ToD
– Application controls
– IM logging and content filtering
– Compliance reporting

Conclusion
Benefits of Unified Communications increase if VoIP network is extended
But an enterprise needs to solve many issues
– Privacy and authentication; firewall/NAT traversal; policy enforcement; VoIP application layer threats
A Security Risk Management approach is needed
– Elevate VoIP/UC in priority if using SIP or extending VoIP
– Engage experts for best practices and risk evaluation
– Create policies and protection specific to VoIP/UC

VoIP Security IT Expo East 2008 Shrikant Latkar

Concerns when Deploying VoIP
[Bar chart, axis: Percentage]
– Concerns about security
– Systems for managing and troubleshooting VoIP quality
– Concerns about interoperability between vendor’s equipment
– Not enough people to plan, design, implement, and manage VoIP
– Lack of budget
Source: 2005/2006 VoIP State of the Market Report, Produced by Webtorials

Securing Voice is Critical

Evolving SIP Security
Exploits will become more “creative” - Newer exploits are at Layer 7
Current security doesn’t address all attacks
– SBCs cannot defend against many SIP vulnerabilities as the attack levels scale/grow
[Diagram. Attack tiers: Most Attacks, Smarter Attacks, Smartest Attacks. Defenses shown: Router Filters, IP Spoof Detection, DOS Filters, Stateful Firewall, Protocol ALG, Application Aware Intrusion Prevention]
Need to evolve security to be scalable and more attack aware
– Customized attack defenses – specific for your environment
– Rapid time between exploit found and defense deployed
– Able to handle high volumes of attacking packets

Firewall
– Protocols: SIP, H323 (RAS, Q931, H245), MGCP, Skinny
– Identification: done by L4 port number (static)
– Functions: NAT, State checks, pinhole, anomalies, drop malformed packets
– VoIP session correlation (beyond L3/L4)
– Application Screening: Flood attacks
– Coarser control: enable/disable all checks
IPS/IDP
– Protocols: SIP, H225RAS, H225SGN, MGCP
– Identification: based on application data (PIAI)
– Functions: Protocol State, anomalies (more than FW checks); SIP sigs > 50
– Custom signatures can be done
– Logging (provides visibility)
– Flexibility in enabling signatures driven by policy
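The slide above contrasts identifying VoIP traffic by static L4 port with identifying it from application data. The following is an added example, not part of the presentation or any vendor's product: it classifies the same datagrams both ways and applies a few protocol-anomaly checks. The port set, the required-header list and the sample datagrams are constructed assumptions.

```python
import re

# Added example: ports, header set and sample datagrams are constructed.
SIP_PORTS = {5060, 5061}
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "PRACK",
           "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE"}
REQUEST = re.compile(rb"^([A-Z]+) \S+ SIP/2\.0$")
STATUS = re.compile(rb"^SIP/2\.0 \d{3} ")
REQUIRED = {"via", "from", "to", "call-id", "cseq"}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}

def by_port(dst_port):
    """Firewall-style identification: static L4 port only."""
    return dst_port in SIP_PORTS

def by_payload(payload):
    """IPS-style identification: (is_sip, anomalies) from the data itself."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    req = REQUEST.match(lines[0])
    if not req and not STATUS.match(lines[0]):
        return False, []
    anomalies = []
    if req and req.group(1).decode() not in METHODS:
        anomalies.append("unknown method")
    seen = set()
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):  # folded continuation of previous header
            continue
        name, sep, _ = line.partition(b":")
        if not sep:
            anomalies.append("header line without colon")
            continue
        name = name.strip().lower().decode("latin-1")
        seen.add(COMPACT.get(name, name))
    missing = sorted(REQUIRED - seen)
    if missing:
        anomalies.append("missing " + ",".join(missing))
    return True, anomalies

GOOD = (b"INVITE sip:bob@example.test SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
        b"From: <sip:alice@example.test>;tag=1928\r\n"
        b"To: <sip:bob@example.test>\r\n"
        b"Call-ID: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\n\r\n")
STRIPPED = b"INVITE sip:bob@example.test SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n\r\n"

def compare(samples):
    """For each (dst_port, payload): (port verdict, payload verdict, anomalies)."""
    return [(by_port(p), *by_payload(d)) for p, d in samples]

if __name__ == "__main__":
    for row in compare([(5060, GOOD), (40000, GOOD), (5060, b"\x00\x01"), (40000, STRIPPED)]):
        print(row)
```

The port check accepts non-SIP bytes sent to 5060 and misses SIP on port 40000; the payload check gets both right and also reports the datagram with missing mandatory headers.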

Defense Against VoIP Security Threats
Columns: VoIP Security Threat | Ramifications | Defense Technology
Unauthorized access to PBX or voice mail system
All voice communications fail
FW with SIP attack protection
IPS with SIP sigs/protocol anom
DoS attack on PBX, IP Phone or gateway
Hacker listens to voice mails, accesses call logs, company directories, etc.
Zones, ALGs, policy-based access control
Toll fraud
Hacker utilizes PBX for long-distance calling, increasing costs
VPNs, encryption (IPSec or other)
Eavesdropping or man-in-the-middle attack
Voice conversations unknowingly intercepted and altered
Worms/trojans/viruses on IP phones, PBX
Infected PBX and/or phones rendered useless, spread problems throughout network
Policy based access control
IPS with SIP protocol anomaly and stateful signatures
IP phone spam
Lost productivity and annoyance
FW/ALGs, SIP attack prevention, SIP source IP limitations, UDP Flood Protection

Additional VoIP resources available at
Q & A