1© 2005 Cisco Systems, Inc. All rights reserved.JP_GSA0511567_08_2005_c1
Making Your IP Communications Implementation Secure and Resilient
Kevin Flynn Senior Manager
March, 2006
Agenda
• Issues & Challenges
• Cisco Self-Defending Network
• IP Communications Security
• Getting Started
The Cisco Business Communications Solution
(Diagram: an IP Network carrying e-mail, collaboration, calendar, video conferencing, web applications, audio conferencing, instant messaging, voice messaging, contact center and telephone services; the stack runs from productivity through business process to business transformation, with SECURITY underpinning all of it.)
A Tale of Two Cities
(Two separate worlds: Secure Network and Secure IPC.)
A Tale of Many Fiefdoms
(Diagram: NetOps, SecOps, TelOps and BDMs each own a piece of Secure IP Voice.)
Secure IPC – Integrated & Systemic
• IP Communications solutions from Cisco can be as secure as, or more secure than, traditional PBX systems
• The key is an integrated approach: IPC plus a secure infrastructure
• Cisco is committed to delivering the most secure, reliable solution possible, at all layers of the network
• Recent enhancements further increase the security capabilities of the industry-leading Cisco Unified Communications system
• Independent testing says Cisco provides the most secure IP Communications solution available*
*As tested by Miercom Labs and reported by Network World
Intelligent Networking: The Foundation
CISCO NETWORK STRATEGY: RESILIENT, INTEGRATED, ADAPTIVE
Layers: BUSINESS PROCESSES / APPLICATIONS AND SERVICES / NETWORKED INFRASTRUCTURE
From CONNECTIVITY to INTELLIGENT NETWORKING: utilize the network to unite isolated layers and domains to enable business processes
• ACTIVE PARTICIPATION in application and service delivery
• A SYSTEMS APPROACH integrates technology layers to reduce complexity
• Flexible POLICY CONTROLS adapt this intelligent system to your business through business rules
Benefits of a Systems Approach
Without a systems approach (point products):
• Complex environment
• Gaps & inconsistency
• Lower visibility
• More difficult to manage
• Higher TCO
With a systems approach:
• Simplified environment
• Tighter integration = tighter security
• Greater visibility
• Easier to deploy & manage
• Lower TCO
Secure Network Infrastructure: Security Services Integrated into the Network
(Diagram: the IP NETWORK with security point products on one side and advanced technologies & services on the other.)
Security point products: Firewall, Network Anti-Virus, Access Control, IPsec & SSL VPN, IPS
Advanced technologies & services (virtualized security services): Endpoint Posture Control, Dynamic DDoS Mitigation, Application-Layer Inspection, Behavioral-based Protection, Automated Threat Response
Leverage existing investment; integrate advanced security services where needed
Integrated, Collaborative, Adaptive
The IP Communications Conundrum
• The same IP technology that enables IP Communications solutions to:
Boost productivity
Increase mobility
Enhance flexibility
Also creates additional MANAGEABLE challenges for information security
• These new challenges exist whether the IP upgrade is incremental or total
The Challenge of Securing IP Voice
• The threats are familiar to both voice and data professionals:
Denial of service
Privacy
Impersonation
Toll fraud
• Both “phreakers” (voice) and “hackers” (data) are lurking
• The protection of both voice and data communication is critical to the business
IP Communications Threats
• Toll fraud
Unauthorized or unbillable resource utilization
• Eavesdropping
Listening to another's call
• Learning private information
Caller ID, DTMF passwords/account numbers, calling patterns
• Session replay
Replaying a session, such as a bank transaction
• Fake identity
• Media tampering
• Denial of service
Hanging up other people's conversations
Contributing to other DoS attacks
• Impersonating others
• Hijacking calls
• SPAM
SPIM, SPIT, and more SPAM
Evaluate the Threats Objectively
• Understand the costs of security incidents:
Measurable: fraud, downtime, man-hours, physical destruction, intellectual property, lawsuits
Non-measurable: reputation, customer privacy, medical information, loss of life
• Assign risk and quantify the costs
• Determine appropriate levels of protection
Reality Check
(Before/after diagram.)
Comparison to PSTN
• In many ways the PSTN is good with respect to toll fraud
Still a very large amount of toll fraud on the PSTN
• No voice crypto
A person in the wiring closet can listen to calls
Anyone willing to poke around can listen to calls
• Caller ID is bogus
Anyone can produce fake caller ID for a few hundred dollars
• Is the security of the PSTN good enough?
Would you give your credit card number over the telephone?
Discuss a merger?
Comparison: PSTN, E-Mail & IPC

                     PSTN        E-Mail                 IPC
Hijack protection    OK          Good (relies on DNS)   Excellent
Off-path snooping    Good        OK                     Good
On-path snooping     Very bad    Bad                    Good
Fake identity        Bad         Very bad               Bad unless using identity capabilities
Encryption           No          Good if using VPN      Some use, and can be very good
Protect All Levels of IP Communications
(Diagram: the IP COMMUNICATIONS SYSTEM as four layers.)
INFRASTRUCTURE (transport): secure, reliable communications that connect all of the other components
CALL CONTROL (system config and operation): infrastructure and protocols for call management and operation
ENDPOINTS (user interfaces): IP phones, video terminals, and other delivery devices
APPLICATIONS (value-added components): messaging, customer care, and other application software
Security Requirements: Integrated, Systems Approach
Cisco Addresses More Security Issues, at More Layers of the Network, than any other IP Communications Vendor
(Matrix: each layer, Infrastructure, Call Control, Endpoints and Applications, is addressed for CONTROL, PROTECTION and PRIVACY.)
Secure IP Communications: Systems Approach in Action
(Diagram: Internet and intranet joined by switches, built up one layer at a time over the following slides.)
Infrastructure
• VLAN segmentation
• Layer 2 protection
• Firewall
• Intrusion detection
• QoS and thresholds
• Secure VPN
• Wireless security
VLAN and Layer 2 Protection
• Voice and data on separate VLANs
• Block PC port access to voice VLAN
• Use VACLs to limit traffic
• Defend against GARP and DHCP abuse
• Use dynamic ARP inspection and IP source guard
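An access-switch configuration that implements the five points above, added here as a worked example; it is not from the deck. The VLAN numbers (10 data, 110 voice), the port names, the telephony server subnet 10.1.1.0/24 and the phone subnet 10.110.0.0/16 are assumptions; adjust the VACL to the signaling, provisioning and gateway addresses actually in use.

```cisco
! Added example (not from the original deck). Assumed values: data VLAN 10,
! voice VLAN 110, telephony servers in 10.1.1.0/24, phones in 10.110.0.0/16.
vlan 10
 name DATA
vlan 110
 name VOICE
!
! DHCP snooping: only the uplink may answer DHCP. The binding table it builds
! is what dynamic ARP inspection and IP source guard check against below.
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
!
! Dynamic ARP inspection drops ARP replies (including gratuitous ARP) whose
! IP/MAC pair is not in the binding table, so a host cannot claim to be the
! default gateway or the CallManager and pull calls through itself.
ip arp inspection vlan 10,110
ip arp inspection validate src-mac dst-mac ip
!
! VACL on the voice VLAN: permit only signaling, provisioning, addressing and
! media, so a host that does reach the VLAN cannot talk to arbitrary ports.
ip access-list extended VOICE-VLAN-ALLOWED
 remark SCCP (2000) and SCCP over TLS (2443) between phones and CallManager
 permit tcp 10.110.0.0 0.0.255.255 10.1.1.0 0.0.0.255 eq 2000
 permit tcp 10.1.1.0 0.0.0.255 eq 2000 10.110.0.0 0.0.255.255
 permit tcp 10.110.0.0 0.0.255.255 10.1.1.0 0.0.0.255 eq 2443
 permit tcp 10.1.1.0 0.0.0.255 eq 2443 10.110.0.0 0.0.255.255
 remark TFTP config/firmware download (server replies from ephemeral ports)
 permit udp 10.110.0.0 0.0.255.255 10.1.1.0 0.0.0.255 eq tftp
 permit udp 10.1.1.0 0.0.0.255 10.110.0.0 0.0.255.255
 remark DHCP
 permit udp any any eq bootps
 permit udp any any eq bootpc
 remark RTP/SRTP (Cisco phones use UDP 16384-32767)
 permit udp 10.110.0.0 0.0.255.255 range 16384 32767 any range 16384 32767
 permit udp any range 16384 32767 10.110.0.0 0.0.255.255 range 16384 32767
ip access-list extended ANY-IP
 permit ip any any
vlan access-map VOICE-MAP 10
 match ip address VOICE-VLAN-ALLOWED
 action forward
vlan access-map VOICE-MAP 20
 match ip address ANY-IP
 action drop
vlan filter VOICE-MAP vlan-list 110
!
interface GigabitEthernet1/0/1
 description IP phone with a PC daisy-chained behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! Phone plus PC: a third MAC address on the port is a violation.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! IP source guard: drop IP packets whose source is not the DHCP lease on this port.
 ip verify source
 ! Cap ARP so a flood cannot overwhelm inspection (15 pps is the untrusted default).
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 description uplink to distribution; the only place DHCP and ARP are trusted
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

Blocking the PC port from reaching the voice VLAN is set on the phone itself (the PC Voice VLAN Access option in the phone's CallManager device configuration), not on the switch; the switch-side controls above make sure a PC that ignores that setting still gets no DHCP lease, no forged ARP and no traffic outside the permitted ports.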
V3PN and IPsec
• Use IPsec to protect all traffic, not just voice
• Easier to get through the firewall: permit IKE and ESP once, instead of defining every voice and signaling port in an ACL
• Terminate in a VPN concentrator or large router as needed, on the inside of the firewall or ACL
• Remember Clustering-Over-The-WAN metrics
(Diagram: branch office with an SRST router across the IP WAN to a disaster recovery site or distributed cluster; PSTN connections at both ends.)
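A branch-router site-to-site IPsec configuration for the V3PN points above, added here as a worked example and not taken from the deck. The addresses (branch WAN 203.0.113.2, headquarters WAN 203.0.113.1, branch LAN 10.2.0.0/16, HQ LAN 10.1.0.0/16), the interface name and the pre-shared key placeholder are all assumptions; with the digital certificates the deck describes for call control, `authentication rsa-sig` and a trustpoint would replace the pre-shared key.

```cisco
! Added example (not from the original deck). Branch-side configuration.
! Assumed: branch WAN 203.0.113.2, HQ WAN 203.0.113.1, branch LAN 10.2.0.0/16,
! HQ LAN 10.1.0.0/16, WAN interface Serial0/0/0.
!
! IKE phase 1. Pre-shared key keeps the example self-contained; at scale use
! certificates (authentication rsa-sig) issued by the same PKI as the phones.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <REPLACE-WITH-STRONG-KEY> address 203.0.113.1
!
! Dead peer detection so a failed tunnel is torn down and rebuilt quickly;
! the branch router's SRST fallback depends on noticing the loss of HQ.
crypto isakmp keepalive 10 3 periodic
!
! IKE phase 2: ESP with AES-256 and SHA-1 HMAC. Voice is latency sensitive,
! so run this on a platform with hardware crypto.
crypto ipsec transform-set V3PN-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Protect ALL traffic between the sites, not just the voice VLANs.
ip access-list extended V3PN-TRAFFIC
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map V3PN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set V3PN-SET
 set pfs group14
 match address V3PN-TRAFFIC
 ! Classify on the inner (cleartext) header before encryption so the outbound
 ! QoS policy on the WAN interface can still put voice in the priority queue.
 qos pre-classify
!
! On the outside, only IKE (UDP 500), NAT-T (UDP 4500) and ESP from the HQ
! peer are accepted: this is the "one rule instead of every voice port" point.
ip access-list extended WAN-INBOUND
 permit udp host 203.0.113.1 eq isakmp host 203.0.113.2 eq isakmp
 permit udp host 203.0.113.1 eq non500-isakmp host 203.0.113.2 eq non500-isakmp
 permit esp host 203.0.113.1 host 203.0.113.2
 deny ip any any log
!
interface Serial0/0/0
 description WAN link to headquarters
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-INBOUND in
 crypto map V3PN
```

Decrypted traffic still arrives on the inside as ordinary IP, so the firewall or ACL behind the tunnel termination point, as the slide says, remains the place where voice ports are actually controlled.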
Firewall, IDS, and Anomaly Detection
• Stateful, rules-based firewalls control traffic
• Intrusion Detection Systems look for signature-based exploits
• Anomaly detection looks for unusual events
(Diagram: telephony servers behind a firewall with a DMZ, plus PSTN access.)
Using QoS and Thresholds
• Quality of Service enables clear voice connections during congestion
• Rate limiting keeps DoS and DDoS attacks from impacting voice
• Processor thresholds protect routers and switches from overload
Secure IP Communications: Systems Approach in Action
Call Management
• Hardened Windows OS
• Digital certificates
• Signed software images
• TLS signaling
• Integrated CSA
Hardened Call Management Platform
• Hardened Win2K OS shipped by default, and downloadable from Cisco Connection Online (CCO)
• Aggressive security patch and hotfix policy
Critical: tested and posted to CCO within 24 hours
Others: consolidated and posted once per month
New e-mail alias tells you when new patches are available
(http://www.cisco.com/warp/public/779/largeent/software_patch.html)
• Install McAfee 7.1, Symantec 8.1, or Trend Micro ServerProtect 5 anti-virus protection
Integrated Intrusion Prevention
• Cisco Security Agent available for all telephony applications
Headless: bundled
Managed: optional
• Policy-based, not signature-based
• Zero updates
• "Day zero" support
• Centrally administered, with distributed, autonomous policy enforcement
• Effective against existing & previously unseen attacks
• Stopped Slammer, Nimda & Code Red sight unseen with out-of-the-box policies
CSA Server Protection:
• Host-based intrusion protection
• Buffer overflow protection
• Network worm protection
• Operating system hardening
• Web server protection
• Security for other applications
Resilience: Secure Survivable Remote Site Telephony
(Diagram: headquarters with a Cisco Unified CallManager cluster and applications servers behind a Cisco 7200; a branch with a Cisco 2800 router with SRST; the WAN link marked as failed, with the PSTN as fallback.)
• Resiliency for remote IP Telephony users with central Cisco Unified CallManager
• Minimizes business impact of WAN link failure:
Cisco router auto-configures and provides local call processing; no manual intervention required
SRST IP phone calls remain secure
When the WAN is available, IP phones auto-revert back to Cisco Unified CallManager
Calls in progress stay connected during WAN failure/restore
Secure IP Communications: Systems Approach in Action
Endpoints
• Digital certificates
• Authenticated phones
• GARP protection
• TLS protected signaling
• SRTP media encryption
• Centralized management
Authenticated Endpoints
• X.509v3 certificates in Cisco Unified IP Phones and Cisco Unified CallManager
• Certificates ensure reliable device authentication
• Scalable solution
Media and Signaling Encryption
• Public Key / Private Key Pair
• X.509v3 Digital Certificate
• Certificate Trust List
• Transport Layer Security
Secure IP Communications: Systems Approach in Action
Applications
• Multi-level administration
• Toll fraud protection
• Secure management
• Hardened platforms
• H.323 and SIP signaling
Secure Private Messaging
• Private
Only intended recipients can listen to a private message addressed to them
Messages marked private, if (accidentally or intentionally) forwarded, cannot be listened to
Messages forwarded to internet email addresses or 3rd party voice mail systems (VPIM/AMIS/OctelNet) cannot be listened to
• Secure
Actual message content is protected using public-key encryption
Unauthorized users will hear a warning message
Can be set on a per subscriber (all messages from John Chambers) or system-wide (legal firms) basis
Application Platform Protection
• Carefully hardened platforms
• Control access to admin functions
• Cisco Security Agent host-based protection
• Secure remote management via HTTPS
Secure IP Communications: Systems Approach in Action
(Complete diagram: the Infrastructure, Call Management, Endpoints and Applications layers listed on the preceding slides, together.)
Cisco: Independently Recognized as the Secure IP Communications Solution
(Awards shown: Most Secure Large-Size IP-PBX; Most Secure Mid-Size IP-PBX; DoD JITC PBX1 Certification)
• Cisco is the only vendor to earn Miercom/Network World's highest security rating (May 2004)
• BCR: Most secure Large IP-PBX, January 2005
• BCR: Most secure Mid-Size IP-PBX, February 2005
• Only fully IP-PBX system to achieve DoD PBX-1 certification, 2005
Secure IP Communications Evolution
Base: Secure Foundation (secure network, interoperability)
Spring '04: Secure Systems (digital certificates, hardened platforms, privacy)
TODAY: Ubiquitous Deployment (extended platforms, gateways, services)
Future: Advanced Integration (user and application awareness)
Cisco Self-Defending Network: Integrated, Collaborative, Adaptive
RISK GAPS ARE REDUCED, COMPLEXITY IS REDUCED, TOTAL COST OF OWNERSHIP IS LOWER
PROTECT, OPTIMIZE, AND GROW YOUR BUSINESS
ENABLING BUSINESS-DRIVEN SECURITY PRACTICES
Helping Our Customers Make the Journey From Point Solutions to Proactive, End-to-End Security
Resources
• Cisco.com/go/security
• Cisco.com/go/ipc
• Cisco.com/go/ipcsecurity
• Cisco.com/go/netpro