
Security Challenges in the Enterprise

Panelists: Franchesca Walker, Director Enterprise Solutions, Foundry Networks; Eric Winsborrow, CMO, Sipera Systems; Shrikant Latkar, Sr. Mgr. Solutions Marketing, Juniper Networks; Mark Ricca, Sr. Analyst and Founding Partner, IntelliCom Analytics.


Presentation Transcript


  1. Security Challenges in the Enterprise

  2. Panelists • Franchesca Walker, Director Enterprise Solutions Foundry Networks • Eric Winsborrow, CMO Sipera Systems • Shrikant Latkar, Sr. Mgr. Solutions Marketing Juniper Networks • Mark Ricca, Sr. Analyst and Founding Partner IntelliCom Analytics

  3. Security: Continued Strong Growth [Chart: Integrated Security Solutions Forecast (Global, All Size Businesses), in $B, 2005 to 2010; 9.2% CAGR Overall; 10.7% CAGR Remote / SoHo]

  4. Security Challenges in the Enterprise Franchesca Walker, Marketing Director of Enterprise Solutions Foundry Networks, Inc

  5. Many Malicious Attack Vectors & Vulnerabilities at each Layer • Application Attacks (trojans, viruses, worms, spam): Melissa Virus, Sasser Worm, SQL Slammer Worm, Deep Throat, SoBig Worm, CodeRed Worm, Nimda Virus & Worm, MyDoom Worm, p2p Traffic • Transport Layer Attacks (rogue services, UDP/TCP DoS attacks, UDP/TCP protocol attacks): Malicious TCP Packets, SIP DoS Attack, Rogue DHCP & DNS, TCP TTL Attack, TCP Ack Flood Attack, TCP Timestamp Attack, TCP Syn Flood Attack • Network Layer Attacks (network service attacks, routing protocol attacks, L3 DoS attacks): IP Port Scan, False Route Injection, ICMP Smurf Attack, ICMP Flood Attack, BGP TTL Security Hole, DHCP Starvation • Datalink Layer Attacks (L2 DoS attacks, L2 rogue services, L2 service attacks): ARP Poisoning, Port Scan, MAC Flood Attack, Port DoS Attack, Rogue Wireless AP, VLAN Flood Attack, CPU Rate Attack, Private VLAN Attack, VLAN Hopping, CAM Table Overflow Attack

  6. Converged Voice & Data Security • sFlow-based Anomaly + Signature Defense: Zero-Day Anomaly IDS, Signature IDS, Open Source Applications • Closed Loop Security • Integrated Switch and AP Security Features: DoS attack protection; CPU protection; Rate limiting; Hardware-based ACLs; DHCP, ARP, IP spoof protection; Rogue AP detection & suppression; Access policy enforcement; Threat control enforcement; Embedded sFlow traffic monitoring [Diagram labels: Traffic Samples (sFlow); NMS; App & Web Servers; ThreatControl; AccessPolicy; Radius, DNS, DHCP; Network Switches, Routers, & Access Points; Call Manager; Multiple endpoints; IEEE 802.1x + MAC Authentication]

  7. Convergence Network Security • Allow only authorized users on the network: Authentication based on IEEE 802.1x, MAC address • Control who has access to specific resources: 802.1q VLANs • Stop unauthorized traffic without impacting network performance: ASIC based, wire-speed ACLs • Protect against security threats and DoS attacks: Network-wide monitoring (e.g. sFlow); Threat detection and mitigation; Rate limiting of known packet types; Closed-loop mitigation using centralized IDS equipment and applications

  8. Enterprise VoIP Security Challenges Eric Winsborrow, CMO Sipera Systems

  9. Risk Management approach to Security [Chart: Threat Potential against Security Priority and Spending; curves: VoIP 1.0 (closed) Risk Profile, VoIP 2.0 (open) Risk Profile; labels: Lower Risk Profile and Prioritization, Optimum Prioritization, Point of Diminishing Returns]

  10. The Need to Extend VoIP [Diagram labels: Headquarters; Voice/Data Center(s); IP PBX; Branch(es); SIP Trunk; WAN/VISP; Internet; VISP; PSTN; Remote worker; Mobile worker; Soft phones]

  11. Extending VoIP - Challenges • Strong authentication of device & user • Policy enforcement & access control • Opening wide range of IP/UDP ports violates security policy • Confidentiality/Privacy of signaling & media • Refresh UDP pinhole in remote/home firewall • Protect IP PBX & phones • Phone configuration & management [Diagram labels: Headquarters; Voice/Data Center(s); IP PBX; Branch(es); SIP Trunk; WAN/VISP; Internet; VISP; PSTN; Remote worker; Mobile worker; Soft phones; Hacker; Spammer; Infected PC; Rogue Device; Rogue Employee]

  12. Risk Management approach to VoIP/UC [Cycle: Establish POLICY; Assess RISK; Implement PROTECTION; Manage COMPLIANCE; ACCESS] • Sipera VIPER Labs: Vulnerability Research; Threat signature development; LAVA Tools • Sipera VIPER Consulting: VoIP/UC vulnerability assessment; Best practices consultation; Security workshops • Comprehensive Protection for real-time communications: DoS/Floods prevention; Fuzzing prevention; Anomaly detection/Zero-Day attacks; Stealth attacks; Spoofing prevention; Reconnaissance prevention; VoIP Spam • Policy Compliance: Call routing policies; Whitelists/Blacklists; Fine-Grained Policies by User, Device, Network, ToD; Application controls; IM logging and content filtering; Compliance reporting • Secure Access: Strong User authentication; Call Admission Control; Firewall/NAT traversal; Privacy and Encryption; Secure firewall channel

  13. Conclusion • Benefits of Unified Communications increase if VoIP network is extended • But an enterprise needs to solve many issues • Privacy and authentication; firewall/NAT traversal; policy enforcement; VoIP application layer threats   • A Security Risk Management approach is needed • Elevate VoIP/UC in priority if using SIP or extending VoIP • Engage experts for best practices and risk evaluation • Create policies and protection specific to VoIP/UC

  14. VoIP Security • IT Expo East 2008 • Shrikant Latkar • shri@juniper.net

  15. Concerns when Deploying VoIP [Chart: Percentage for each concern] • Not enough people to plan, design, implement, and manage VoIP • Concerns about interoperability between vendor’s equipment • Concerns about security • Lack of budget • Systems for managing and troubleshooting VoIP quality • Source: 2005/2006 VoIP State of the Market Report, Produced by Webtorials

  16. Evolving SIP Security • Exploits will become more “creative” - Newer exploits are at Layer 7 • Current security doesn’t address all attacks • SBCs cannot defend against many SIP vulnerabilities as the attack levels scale/grow • Need to evolve security to be scalable and more attack aware • Customized attack defenses – specific for your environment • Rapid time between exploit found and defense deployed • Able to handle high volumes of attacking packets [Diagram labels: Most Attacks, Smarter Attacks, Smartest Attacks; Application Aware Intrusion Prevention, Stateful Firewall, Protocol ALG, Router Filters, IP Spoof Detection, DOS Filters]

  17. Firewall: • Protocols: SIP, H323 (RAS, Q931, H245), MGCP, Skinny • Identification: done by L4 port number (static) • Functions: NAT, State checks, pinhole, anomalies, drop malformed packets • VoIP session correlation (beyond L3/L4) • Application Screening: Flood attacks • Coarser control: enable/disable all checks. IPS/IDP: • Protocols: SIP, H225RAS, H225SGN, MGCP • Identification: based on application data (PIAI) • Functions: Protocol State, anomalies (more than FW checks); SIP sigs > 50 • Custom signatures can be done • Logging (provides visibility) • Flexibility in enabling signatures driven by policy

  18. Defense Against VoIP Security Threats (VoIP Security Threat; Ramifications; Defense Technology) • DoS attack on PBX, IP Phone or gateway; All voice communications fail; FW with SIP attack protection, IPS with SIP sigs/protocol anom • Unauthorized access to PBX or voice mail system; Hacker listens to voice mails, accesses call logs, company directories, etc.; Zones, ALGs, policy-based access control • Toll fraud; Hacker utilizes PBX for long-distance calling, increasing costs; VPNs, encryption (IPSec or other) • Eavesdropping or man-in-the-middle attack; Voice conversations unknowingly intercepted and altered; VPNs, encryption (IPSec or other) • Worms/trojans/viruses on IP phones, PBX; Infected PBX and/or phones rendered useless, spread problems throughout network; Policy based access control, IPS with SIP protocol anomaly and stateful signatures • IP phone spam; Lost productivity and annoyance; FW/ALGs, SIP attack prevention, SIP source IP limitations, UDP Flood Protection

  19. Q & A Additional VoIP resources available at www.juniper.net
