
Making Your IP Communications Implementation Secure and Resilient

Kevin Flynn, Senior Manager, March 2006. Agenda: Issues & Challenges; Cisco Self-Defending Network; IP Communications Security; Getting Started.


Presentation Transcript


  1. Making Your IP Communications Implementation Secure and Resilient. Kevin Flynn, Senior Manager, March 2006

  2. Agenda
  • Issues & Challenges
  • Cisco Self-Defending Network
  • IP Communications Security
  • Getting Started

  3. The Cisco Business Communications Solution (diagram labels: Business Transformation; Business Process Productivity; Web Application, Audio Conferencing, Calendar, E-Mail, Collaboration; Security; IP Network; Telephone Services, Video Conferencing, Voice Messaging, Instant Messaging, Contact Center)

  4. A Tale of Two Cities (diagram labels: Secure IPC; Secure Network)

  5. A Tale of Many Fiefdoms (diagram labels: NetOps, SecOps, Secure IP Voice, BDMs, TelOps)

  6. Secure IPC – Integrated & Systemic
  • IP Communications solutions from Cisco can be as secure, or more secure, than traditional PBX systems
  • Key is integrated approach – IPC + Secure Infrastructure
  • Cisco is committed to delivering the most secure, reliable solution possible – at all layers of the network
  • Recent enhancements further increase the security capabilities of the industry-leading Cisco Unified Communications system
  • Independent testing says Cisco provides the most secure IP Communications solution available*
  *As tested by Miercom Labs and reported by Network World

  7. Intelligent Networking: The Foundation. Cisco network strategy: utilize the network to unite isolated layers and domains to enable business processes
  • Active participation in application and service delivery
  • A systems approach integrates technology layers to reduce complexity
  • Flexible policy controls adapt this intelligent system to your business through business rules
  (diagram labels: Business Processes; Applications and Services; Networked Infrastructure; Connectivity; Intelligent Networking; Resilient, Integrated, Adaptive)

  8. Benefits of a Systems Approach
  • Without a systems approach: complex environment; gaps & inconsistency; lower visibility; more difficult to manage; higher TCO
  • With a systems approach: simplified environment; tighter integration = tighter security; greater visibility; easier to deploy & manage; lower TCO

  9. Integrate Advanced Security Services Where Needed (diagram: security point products (IPsec & SSL VPN, IPS, firewall, network anti-virus, access control) become security services integrated into the secure network infrastructure, then advanced technologies & services (automated threat response, virtualized security services, behavioral-based protection, endpoint posture control, dynamic DDoS mitigation, application-layer inspection); labels: Integrated, Collaborative, Adaptive; Integrate Advanced Services; Leverage Existing Investment; IP Network)

  10. The IP Communications Conundrum
  • The same IP technology that enables IP Communications solutions to boost productivity, increase mobility and enhance flexibility also creates additional MANAGEABLE challenges for information security
  • These new challenges exist whether the IP upgrade is incremental or total

  11. The Challenge of Securing IP Voice
  • The threats are familiar to both voice and data professionals:
    • Denial of service
    • Privacy
    • Impersonation
    • Toll fraud
  • Both "phreakers" (voice) and "hackers" (data) are lurking
  • The protection of both voice and data communication is critical to the business

  12. IP Communications Threats
  • Toll fraud: unauthorized or unbillable resource utilization
  • Eavesdropping: listening to another's call; learning private information (caller ID, DTMF passwords/accounts, calling patterns)
  • Session replay: replaying a session, such as a bank transaction
  • Fake identity
  • Media tampering
  • Denial of service: hanging up other people's conversations; contributing to other DoS attacks
  • Impersonating others: hijacking calls
  • SPAM: SPIM, SPIT, and more SPAM

  13. Evaluate the Threats Objectively
  • Understand the costs of security incidents:
    • Measurable: fraud, downtime, man-hours, physical destruction, intellectual property, lawsuits
    • Non-measurable: reputation, customer privacy, medical information, loss of life
  • Assign risk and quantify the costs
  • Determine appropriate levels of protection

  14. Reality Check (diagram labels: Before; After)

  15. Comparison to PSTN
  • In many ways the PSTN is good with respect to toll fraud, yet there is still a very large amount of toll fraud on the PSTN
  • No voice crypto: a person in the wiring closet can listen to calls; anyone willing to poke around can listen to calls
  • Caller ID is bogus: anyone can produce fake caller ID for a few hundred dollars
  • Is the security of the PSTN good enough? Would you give your credit card number over the telephone? Discuss a merger?

  16. Comparison: PSTN, E-Mail & IPC

  17. Protect All Levels of IP Communications (layer diagram)
  • Applications – value-added components: messaging, customer care, and other application software
  • Endpoints – user interfaces: IP phones, video terminals, and other delivery devices
  • Call Control – system config and operation: infrastructure and protocols for call management and operation
  • Infrastructure – transport: secure, reliable communications that connects all of the other components

  18. Security Requirements: Integrated, Systems Approach. Cisco addresses more security issues, at more layers of the network, than any other IP Communications vendor

                     PRIVACY   PROTECTION   CONTROL
      Applications      X          X           X
      Endpoints         X          X           X
      Call Control      X          X           X
      Infrastructure    X          X           X

  19. Secure IP Communications: Systems Approach in Action (diagram labels: Internet; Intranet)

  20. Secure IP Communications: Systems Approach in Action (diagram labels: Internet; Intranet)
  • Infrastructure
    • VLAN segmentation
    • Layer 2 protection
    • Firewall
    • Intrusion detection
    • QoS and thresholds
    • Secure VPN
    • Wireless security

  21. VLAN and Layer 2 Protection (diagram label: Telephony Servers)
  • Voice and data on separate VLANs
  • Block PC port access to voice VLAN
  • Use VACLs to limit traffic
  • Defend against GARP and DHCP abuse
  • Use dynamic ARP inspection and IP source guard
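The slide-21 controls written out as a Catalyst IOS access-layer configuration. This is an added example, not part of the presentation; the VLAN ids, the 10.1.10.0/24 data subnet and the interface names are assumed, and the VACL is one illustrative way of limiting data-to-voice traffic.

```cisco
! Added example (not from the presentation). Catalyst IOS access-layer configuration
! for the slide-21 controls. VLAN ids, the data subnet and interface names are assumed.
!
! Voice and data on separate VLANs
vlan 10
 name DATA
vlan 20
 name VOICE
!
! DHCP snooping builds the IP/MAC binding table that dynamic ARP inspection (DAI)
! and IP source guard check against; together they defeat rogue DHCP servers and
! gratuitous-ARP (GARP) spoofing on both VLANs.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
! Phone port: the phone tags its own traffic into the voice VLAN, the PC
! daisy-chained behind it stays untagged in the data VLAN.
! (Blocking the PC port from tagging into the voice VLAN is a phone setting,
! "PC Voice VLAN Access", pushed from the call manager, not a switch command.)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip verify source
 ip arp inspection limit rate 15
 ip dhcp snooping limit rate 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Only the uplink toward the DHCP and telephony servers is trusted; every access
! port stays untrusted so DHCP offers and ARP replies from it are inspected.
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
 ip arp inspection trust
!
! VACL on the voice VLAN: drop anything sourced from the data subnet so a
! workstation cannot probe phones directly; everything else is forwarded.
ip access-list extended FROM-DATA-SUBNET
 permit ip 10.1.10.0 0.0.0.255 any
vlan access-map VOICE-VLAN-MAP 10
 match ip address FROM-DATA-SUBNET
 action drop
vlan access-map VOICE-VLAN-MAP 20
 action forward
vlan filter VOICE-VLAN-MAP vlan-list 20
```

Verify the result with `show ip dhcp snooping binding` and `show ip arp inspection statistics`: a phone with no binding, or an ARP reply that does not match one, shows up as a drop there.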

  22. V3PN and IPsec (diagram labels: PSTN; Disaster Recovery Site or Distributed Cluster; IP WAN; SRST router; Branch Office)
  • Use IPsec to protect all traffic, not just voice
  • Easier to get through the FW than defining all ports in an ACL
  • Terminate in VPN concentrator or large router as needed on inside of FW or ACL
  • Remember Clustering-Over-The-WAN metrics

  23. Firewall, IDS, and Anomaly Detection (diagram labels: PSTN; Telephony Servers; DMZ)
  • Stateful, rules-based firewalls control traffic
  • Intrusion Detection Systems look for signature-based exploits
  • Anomaly detection looks for unusual events

  24. Using QoS and Thresholds
  • Quality of Service enables clear voice connections during congestion
  • Rate limiting thwarts DoS and DDoS attacks from impacting voice
  • Processor thresholds protect routers and switches from overload
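Slide 24's three controls as IOS MQC policies on a WAN-edge router. This is an added example, not the presentation's own configuration; interface names, percentages, police rates and DSCP values are assumed, as is an access switch that re-marks traffic from PC ports so only phones can legitimately set EF.

```cisco
! Added example (not from the presentation): IOS MQC policies illustrating slide 24.
! Interface names, percentages, rates and DSCP values are assumed. The access switch
! is assumed to re-mark traffic from PC ports, so only phones can legitimately set EF.
!
! 1. QoS: strict-priority queue for RTP (DSCP EF) and guaranteed bandwidth for
!    call signaling keep voice clear when the WAN link is congested.
class-map match-any VOICE-RTP
 match ip dscp ef
class-map match-any VOICE-SIGNALING
 match ip dscp cs3
 match ip dscp af31
policy-map WAN-EDGE-OUT
 class VOICE-RTP
  priority percent 33
 class VOICE-SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
interface Serial0/0/0
 service-policy output WAN-EDGE-OUT
!
! 2. Rate limiting: police everything that is not voice on the LAN side so a flood
!    from a compromised host is dropped before it can starve the voice queues.
class-map match-all NON-VOICE
 match not ip dscp ef
policy-map LAN-IN
 class NON-VOICE
  police 8000000 conform-action transmit exceed-action drop
interface GigabitEthernet0/0
 service-policy input LAN-IN
!
! 3. Processor thresholds: control-plane policing caps traffic addressed to the
!    router's own CPU (ICMP here) so a DoS cannot push the processor into overload.
ip access-list extended CPU-ICMP
 permit icmp any any
class-map match-all COPP-ICMP
 match access-group name CPU-ICMP
policy-map COPP
 class COPP-ICMP
  police 32000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
```

`show policy-map interface` and `show policy-map control-plane` report the conform and exceed counters, which is where a rate-limit that is actually biting during an attack becomes visible.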

  25. Secure IP Communications: Systems Approach in Action (diagram labels: Internet; Intranet)
  • Infrastructure
    • VLAN segmentation
    • Layer 2 protection
    • Firewall
    • Intrusion detection
    • QoS and thresholds
    • Secure VPN
    • Wireless security
  • Call Management
    • Hardened Windows OS
    • Digital certificates
    • Signed software images
    • TLS signaling
    • Integrated CSA

  26. Hardened Call Management Platform
  • Hardened Win2K OS shipped by default, and downloadable from Cisco Connection Online
  • Aggressive security patch and hotfix policy
    • Critical: tested and posted to CCO within 24 hours
    • Others: consolidated and posted once per month
    • New email alias tells you when new patches are available (http://www.cisco.com/warp/public/779/largeent/software_patch.html)
  • Install McAfee 7.1, Symantec 8.1, or Trend Micro ServerProtect 5 anti-virus protection

  27. Integrated Intrusion Prevention
  • Cisco Security Agent available for all telephony applications
    • Headless: bundled
    • Managed: optional
  • Policy-based, not signature-based
    • Zero updates
    • "Day Zero" support
  • Centrally administered, with distributed, autonomous policy enforcement
  • Effective against existing & previously unseen attacks
    • Stopped Slammer, Nimda & Code Red sight unseen with out-of-the-box policies
  • CSA server protection:
    • Host-based intrusion protection
    • Buffer overflow protection
    • Network worm protection
    • Operating system hardening
    • Web server protection
    • Security for other applications

  28. WAN Resilience: Secure Survivable Remote Site Telephony (diagram labels: Headquarters with Applications Server and Cisco Unified CallManager Cluster; Cisco 7200; WAN; PSTN; Cisco 2800 Router with SRST)
  • Resiliency for remote IP Telephony users with central Cisco Unified CallManager
  • Minimizes business impact of WAN link failure:
    • Cisco router auto-configures, provides local call processing -- no manual intervention required
    • SRST IP phone calls remain secure
    • When WAN is available, IP Phones auto-revert back to Cisco Unified CallManager
    • Calls in progress stay connected during WAN failure/restore

  29. Secure IP Communications: Systems Approach in Action (diagram labels: Internet; Intranet)
  • Infrastructure
    • VLAN segmentation
    • Layer 2 protection
    • Firewall
    • Intrusion detection
    • QoS and thresholds
    • Secure VPN
    • Wireless security
  • Endpoints
    • Digital certificates
    • Authenticated phones
    • GARP protection
    • TLS protected signaling
    • SRTP media encryption
    • Centralized management
  • Call Management
    • Hardened Windows OS
    • Digital certificates
    • Signed software images
    • TLS signaling
    • Integrated CSA

  30. Authenticated Endpoints
  • X.509 v3 certificates in Cisco Unified IP Phones and Cisco Unified CallManager
  • Certificates ensure reliable device authentication
  • Scalable solution

  31. Media and Signaling Encryption
  • Public Key / Private Key Pair
  • X.509v3 Digital Certificate
  • Certificate Trust List
  • Transport Layer Security

  32. Secure IP Communications: Systems Approach in Action (diagram labels: Internet; Intranet)
  • Infrastructure
    • VLAN segmentation
    • Layer 2 protection
    • Firewall
    • Intrusion detection
    • QoS and thresholds
    • Secure VPN
    • Wireless security
  • Applications
    • Multi-level administration
    • Toll fraud protection
    • Secure management
    • Hardened platforms
    • H.323 and SIP signaling
  • Endpoints
    • Digital certificates
    • Authenticated phones
    • GARP protection
    • TLS protected signaling
    • SRTP media encryption
    • Centralized management
  • Call Management
    • Hardened Windows OS
    • Digital certificates
    • Signed software images
    • TLS signaling
    • Integrated CSA

  33. Secure Private Messaging
  • Private
    • Only intended recipients can listen to a private message addressed to them
    • Messages marked private, if (accidentally or intentionally) forwarded, cannot be listened to
    • Messages forwarded to internet email addresses or 3rd party voice mail systems (VPIM/AMIS/OctelNet) cannot be listened to
  • Secure
    • Actual message content is protected using public-key encryption
    • Unauthorized users will hear a warning message
    • Can be set on a per-subscriber (all messages from John Chambers) or system-wide (legal firms) basis

  34. Application Platform Protection
  • Carefully hardened platforms
  • Control access to admin functions
  • Cisco Security Agent host-based protection
  • Secure remote management via HTTPS

  35. Secure IP Communications: Systems Approach in Action (diagram labels: Internet; Intranet; the same Infrastructure, Applications, Endpoints and Call Management lists as slide 32)

  36. Cisco – Independently Recognized as the Secure IP Communications Solution (award badges: Most Secure Mid-Size IP-PBX; Most Secure IP-PBX, Large-Size; DoD JITC PBX1 Certification)
  • Cisco is the only vendor to earn Miercom/Network World's highest security rating (May 2004)
  • BCR – Most secure Large IP-PBX, January 2005
  • BCR – Most secure Mid-Size IP-PBX, February 2005
  • Only fully IP-PBX system to achieve DoD PBX-1 certification (2005)

  37. Secure IP Communications Evolution (timeline)
  • Spring '04 – Secure Foundation: secure network, interoperability base
  • Today – Secure Systems: digital certificates, hardened platforms, privacy
  • Future – Ubiquitous Deployment: extended platforms, gateways, services; Advanced Integration: user and application awareness

  38. Cisco Self-Defending Network: Integrated, Collaborative, Adaptive
  • Helping our customers make the journey from point solutions to proactive, end-to-end security
  • Enabling business-driven security practices
  • Risk gaps are reduced, complexity is reduced, total cost of ownership is lower
  • Protect, optimize, and grow your business

  39. Resources
  • Cisco.com/go/security
  • Cisco.com/go/ipc
  • Cisco.com/go/ipcsecurity
  • Cisco.com/go/netpro
