Securing Communications. SpeechTEK New York 2010. Dan York, CISSP: Director of Conversations, Voxeo; Best Practices Chair, VoIP Security Alliance; Author, Seven Deadliest UC Attacks.

Securing Unified Communications Systems

DESCRIPTION

As applications move into the multichannel and interconnected world, what are the security concerns you need to consider? Dan York, author of the bestselling book The Seven Deadliest Unified Communication Attacks, will discuss the major risk areas of unified communications, what steps you can take to mitigate/reduce those risks, a checklist of questions to consider in your implementation, and a look at the future in an increasingly interconnected and converged network. Presentation given at SpeechTEK New York 2010. More info at: http://blogs.voxeo.com/events/speechtek-ny-2010/

Page 1: Securing Unified Communications Systems

Securing Communications

SpeechTEK New York 2010

Dan York, CISSP

Director of Conversations, Voxeo
Best Practices Chair, VoIP Security Alliance
Author, Seven Deadliest UC Attacks

Page 2: Securing Unified Communications Systems

© Voxeo Corporation

About Dan York

  www.7ducattacks.com

  www.blueboxpodcast.com

  www.voipsa.org

  www.voxeo.com

Page 3: Securing Unified Communications Systems

About Voxeo

  Founded in 1999

  World’s largest hosted VoiceXML and CCXML platform – Over 82,000 hosted ports globally; hundreds of premise deployments

  Over 150,000 developers using Voxeo platforms

  The Voxeo difference: Unlocked Communications, Customer Obsession Teams, Communications Passion

  www.voxeo.com

Page 4: Securing Unified Communications Systems

The Change VoIP Brings

[Diagram labels: Alice, Bob, SIP Proxy A, SIP Proxy B, SIP, Media (RTP, MSRP, etc.)]

Page 5: Securing Unified Communications Systems

The Larger Reality

[Diagram labels: Alice, Bob, Internet, SIP Proxy A, SIP Proxy B, SIP Proxy C, SIP Proxy D, SIP Proxy N, Media Proxy A, Media Proxy B, SIP, Media]

Page 6: Securing Unified Communications Systems

Once Upon A Time

[Diagram labels: Physical Wiring, PBX, Voicemail, PSTN Gateways]

Page 7: Securing Unified Communications Systems

1. Understand Your Ecosystem

[Diagram labels: Physical Wiring, IP Network, IP-PBX, Voicemail, PSTN Gateways, Mobile Devices, IM Networks, Web Servers, Email Servers, Desktop PCs, Operating Systems, Firewalls, Internet, Directory Servers, VoIP, CRM Systems, Social Networks, Database Servers, Application Servers]

Page 8: Securing Unified Communications Systems

2. Understand Your Endpoints

  IP Phones, Smartphones, Softphones

  What services are running on them?

  Default passwords?

  How do you patch/secure them?

Page 9: Securing Unified Communications Systems

3. Secure Your Media

[Diagram labels: Alice, Bob, Eve, SIP Proxy A, SIP Proxy B, SIP Proxy N, SIP, Media]

Page 10: Securing Unified Communications Systems

Secure Media – Hop By Hop

[Diagram labels: Alice, Bob, Media Proxy A, Media Proxy B, Internet, Media]

Page 11: Securing Unified Communications Systems

Secure Media – End to End

[Diagram labels: Alice, Bob, Media Proxy A, Media Proxy B, Internet, Media]

Page 12: Securing Unified Communications Systems

4. Secure Your Signalling

[Diagram labels: Alice, Bob, Eve, SIP Proxy A, SIP Proxy B, SIP Proxy N, SIP, Media]

Page 13: Securing Unified Communications Systems

Signalling Attacks

  Toll Fraud

  Identity Theft

Page 14: Securing Unified Communications Systems

Traditional Telephony

[Diagram labels: PBX, Corp HQ, Carrier, PSTN, Internet]

Page 15: Securing Unified Communications Systems

IP Communications

[Diagram labels: PBX, Corp HQ, ITSP, Internet, PSTN]

Page 16: Securing Unified Communications Systems

Failover

[Diagram labels: PBX, Corp HQ, PBX, Office A, ITSP, Internet, PSTN]

Page 17: Securing Unified Communications Systems

Redundancy / Geography

[Diagram labels: PBX, Corp HQ, PSTN, Internet, ITSP (Boston), ITSP (Paris), ITSP (Tokyo)]

Page 18: Securing Unified Communications Systems

5. Secure Your PSTN Connectivity

  Attacks
    •  Toll Fraud
    •  Denial of Service
    •  Spam

  Solutions
    •  Encryption
    •  Strong Authentication
    •  Transport Security

Page 19: Securing Unified Communications Systems

6. Secure Your Identity

  Attacks
    •  Fraud
    •  Identity Theft
    •  Social Engineering

  Solutions
    •  Education
    •  Lock Down Spoofing
    •  Strong Identity

Page 20: Securing Unified Communications Systems

7. Secure Distributed Systems

[Diagram labels: UC System, Corp HQ, Firewall, Internet, WiFi Café, Router, Mobile Data Network, Mobile UC client, Laptop UC client]

Page 21: Securing Unified Communications Systems

How Do You Securely Federate?

[Diagram labels: Company A and Company B, each with UC System (Corp HQ), UC System (Office A) and Corporate Network; Internet]

Page 22: Securing Unified Communications Systems

What if the Cloud Isn't There?

[Diagram labels: Corp HQ, Office A, Office B, Corporate Network, IM, Presence, Call Control, IVR, Voicemail, PSTN, Internet]

Page 23: Securing Unified Communications Systems

Questions About the Cloud

  What kind of availability guarantees / Service Level Agreements (SLAs) does the platform vendor provide?

  What kind of geographic redundancy is built into the underlying network?

  What kind of network redundancy is built into the underlying network?

  What kind of physical redundancy is built into the data centers?

  What kind of monitoring does the vendor perform?

  What kind of scalability is in the cloud computing platform?

  What kind of security, both network and physical, is part of the computing platform?

  Finally, what will the vendor do if there is downtime? Will the downtime be reflected in your bill?

Page 24: Securing Unified Communications Systems

The Way It Used To Be

Page 25: Securing Unified Communications Systems

Today...

[Diagram labels: PSTN, with many ITSPs]

Page 26: Securing Unified Communications Systems

Resources

  VoIP Security Alliance
    •  www.voipsa.org
    •  www.voipsa.org/blog

  Hacking Exposed: VoIP
    •  www.hackingvoip.com

  Seven Deadliest Unified Communications Attacks
    •  www.7ducattacks.com

Page 27: Securing Unified Communications Systems