Making Your IP Communications Implementation Secure and Resilient

Transcript of a PowerPoint presentation (40 slides)

Page 1

© 2005 Cisco Systems, Inc. All rights reserved. JP_GSA05 11567_08_2005_c1

Making Your IP Communications Implementation Secure and Resilient

Kevin Flynn, Senior Manager

March, 2006

Page 2

Agenda

• Issues & Challenges

• Cisco Self-Defending Network

• IP Communications Security

• Getting Started

Page 3

The Cisco Business Communications Solution

[Diagram: an IP network carrying e-mail, collaboration, calendar, video conferencing, web applications, audio conferencing, instant messaging, voice messaging, contact center and telephone services; productivity, business process and business transformation are the outcomes, with SECURITY underpinning all of it]

Page 4

A Tale of Two Cities

[Diagram: “Secure Network” and “Secure IPC” drawn as two separate cities]

Page 5

A Tale of Many Fiefdoms

[Diagram: NetOps, SecOps, TelOps and BDMs (business decision makers) each holding a piece of “Secure IP Voice”]

Page 6

Secure IPC – Integrated & Systemic

• IP Communications solutions from Cisco can be as secure, or more secure, than traditional PBX systems

Key is integrated approach – IPC + Secure Infrastructure

Cisco is committed to delivering the most secure, reliable solution possible – at all layers of the network

Recent enhancements further increase the security capabilities of the industry leading Cisco Unified Communications system

Independent testing says Cisco provides the most secure IP Communications solution available*

*As tested by Miercom Labs and reported by Network World

Page 7

Intelligent Networking: The Foundation

Cisco network strategy: utilize the network to unite isolated layers and domains (business processes, applications and services, networked infrastructure) to enable business processes. The move from plain connectivity to intelligent networking means:

• ACTIVE PARTICIPATION in application and service delivery

• A SYSTEMS APPROACH integrates technology layers to reduce complexity

• Flexible POLICY CONTROLS adapt this intelligent system to your business through business rules

Attributes: RESILIENT, INTEGRATED, ADAPTIVE

Page 8

Benefits of a Systems Approach

Without a systems approach (isolated point products):

• Complex environment

• Gaps & inconsistency

• Lower visibility

• More difficult to manage

• Higher TCO

With a systems approach:

• Simplified environment

• Tighter integration = tighter security

• Greater visibility

• Easier to deploy & manage

• Lower TCO

Page 9

Secure Network Infrastructure: Security Services Integrated into the Network

[Diagram: an IP network in which the security point products (firewall, network anti-virus, access control, IPsec & SSL VPN, IPS) become virtualized security services that leverage the existing investment, and advanced technologies and services are integrated where needed: endpoint posture control, dynamic DDoS mitigation, application-layer inspection, behavioral-based protection, automated threat response. Attributes: integrated, collaborative, adaptive]

Page 10

The IP Communications Conundrum

• The same IP technology that enables IP Communications solutions to:

Boost productivity

Increase mobility

Enhance flexibility

Also creates additional MANAGEABLE challenges for information security

• These new challenges exist whether the IP upgrade is incremental or total

Page 11

The Challenge of Securing IP Voice

• The threats are familiar to both voice and data professionals:

Denial of service

Privacy

Impersonation

Toll fraud

• Both “phreakers” (voice) and “hackers” (data) are lurking

• The protection of both voice and data communication is critical to the business


Page 12

IP Communications Threats

• Toll fraud

Unauthorized or unbillable resource utilization

• Eavesdropping

Listening to another’s call

• Learning private information

caller ID, DTMF password/accounts, calling patterns

• Session replay

Replay a session, such as a bank transaction

• Fake identity

• Media tampering

• Denial of service

Hanging up other people's conversations

Contributing to other DOS attacks

• Impersonating others

• Hijacking calls

• SPAM

SPIM (spam over instant messaging), SPIT (spam over Internet telephony), and more e-mail SPAM

Page 13

Evaluate the Threats Objectively

• Understand the costs of security incidents:

Measurable: fraud, downtime, man-hours, physical destruction, intellectual property, lawsuits

Non-measurable: reputation, customer privacy, medical information, loss of life

• Assign risk and quantify the costs

• Determine appropriate levels of protection

Page 14

Reality Check

[Before/after image; the slide carries no other text]

Page 15

Comparison to PSTN

• In many ways PSTN is good with respect to toll fraud

Still a very large amount of toll fraud on PSTN

• No voice crypto

Person in wiring closet can listen to calls

Anyone willing to poke around can listen to calls

• Caller ID is bogus

Anyone can produce fake caller ID for a few hundred dollars

• Is the security of the PSTN good enough?

Will you give your credit card number over the telephone?

Discuss a merger?

Page 16

Comparison: PSTN, E-Mail & IPC

Hijack protection: PSTN OK; E-mail Good (relies on DNS); IPC Excellent

Off-path snooping: PSTN Good; E-mail OK; IPC Good

On-path snooping: PSTN Very bad; E-mail Bad; IPC Good

Fake identity: PSTN Bad; E-mail Very bad; IPC Bad unless using identity capabilities

Encryption: PSTN No; E-mail Good if using VPN; IPC Some use, and can be very good

Page 17

Protect All Levels of IP Communications

[Diagram: the four layers of the IP Communications system, bottom to top]

INFRASTRUCTURE (transport): secure, reliable communications that connects all of the other components

CALL CONTROL (system config and operation): infrastructure and protocols for call management and operation

ENDPOINTS (user interfaces): IP phones, video terminals, and other delivery devices

APPLICATIONS (value-added components): messaging, customer care, and other application software

Page 18

Security Requirements: Integrated, Systems Approach

Cisco Addresses More Security Issues, at More Layers of the Network, than any other IP Communications Vendor

[Matrix: each layer (Infrastructure, Call Control, Endpoints, Applications) is marked against each requirement (Control, Protection, Privacy)]

Page 19

Secure IP Communications: Systems Approach in Action

[Network diagram: Internet, Intranet and campus switches; the diagram is built up layer by layer on the following slides]

Page 20

Secure IP Communications: Systems Approach in Action

Infrastructure

• VLAN segmentation

• Layer 2 protection

• Firewall

• Intrusion detection

• QoS and thresholds

• Secure VPN

• Wireless security

Page 21

VLAN and Layer 2 Protection

• Voice and data on separate VLANs

• Block PC port access to voice VLAN

• Use VACLs to limit traffic

• Defend against gratuitous ARP (GARP) and DHCP abuse

• Use dynamic ARP inspection and IP source guard

[Diagram: voice and data VLANs in front of the telephony servers]
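As an added worked example (not part of the presentation and not Cisco's code), the following Python models the two checks behind the last bullet, dynamic ARP inspection (DAI) and IP source guard, on one untrusted access port: an ARP frame is forwarded only if its sender IP/MAC pair is in the DHCP snooping binding table (and the ARP body's sender MAC matches the frame's source MAC), and an IP packet only if its source IP is bound to its source MAC. The binding table, MAC and IP addresses and frames are constructed for the example; on a real switch the bindings are learned by DHCP snooping and the checks run in hardware, and blocking the phone's PC port from the voice VLAN is a phone setting not shown here.

```python
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac(s):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

def ip4(s):
    """'10.1.110.20' -> 4 raw bytes."""
    return bytes(int(o) for o in s.split("."))

def ip4_str(b):
    return ".".join(str(o) for o in b)

def build_arp(src_mac, dst_mac, op, sha, spa, tha, tpa):
    """Ethernet II frame carrying one ARP packet (constructed test input)."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)
           + mac(sha) + ip4(spa) + mac(tha) + ip4(tpa))
    return eth + arp

def build_ipv4(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II frame with a minimal IPv4 header (checksum left zero; enough for the source check)."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ip4(src_ip), ip4(dst_ip))
    return eth + iph + payload

class UntrustedAccessPort:
    """What DAI and IP Source Guard enforce on one untrusted access port.
    bindings maps IP -> MAC as DHCP snooping would have learned them for this port (constructed here)."""

    def __init__(self, bindings):
        self.bindings = {ip4(k): mac(v) for k, v in bindings.items()}

    def inspect(self, frame):
        """Return ('forward' | 'drop', reason)."""
        if len(frame) < 14:
            return ("drop", "runt frame")
        src_mac = frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETH_P_ARP:
            return self._dai(src_mac, frame[14:])
        if ethertype == ETH_P_IP:
            return self._ipsg(src_mac, frame[14:])
        return ("forward", "ethertype not inspected")

    def _dai(self, src_mac, arp):
        if len(arp) < 28:
            return ("drop", "truncated ARP")
        op = struct.unpack("!H", arp[6:8])[0]
        sha, spa, tpa = arp[8:14], arp[14:18], arp[24:28]
        # DAI additional validation: ARP sender hardware address must equal the frame's source MAC
        if sha != src_mac:
            return ("drop", "DAI: ARP sender MAC differs from frame source MAC")
        # Core DAI check: the sender IP/MAC pair must be in the DHCP snooping binding table
        if self.bindings.get(spa) != sha:
            kind = "gratuitous " if (op == ARP_REPLY and spa == tpa) else ""
            return ("drop", f"DAI: no binding for {kind}ARP sender {ip4_str(spa)}/{sha.hex(':')}")
        return ("forward", "DAI: sender matches binding")

    def _ipsg(self, src_mac, pkt):
        if len(pkt) < 20:
            return ("drop", "truncated IPv4")
        src_ip = pkt[12:16]
        # IP Source Guard (IP+MAC filtering): the source IP must be bound to this source MAC
        if self.bindings.get(src_ip) != src_mac:
            return ("drop", f"IPSG: {ip4_str(src_ip)} is not bound to {src_mac.hex(':')}")
        return ("forward", "IPSG: source matches binding")

def demo():
    """Constructed frames on one voice-VLAN access port: the phone and a PC plugged in alongside it."""
    phone, pc, gw = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "00:aa:bb:cc:dd:ee"
    port = UntrustedAccessPort({"10.1.110.20": phone})
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    frames = {
        "phone_arp_request": build_arp(phone, bcast, ARP_REQUEST, phone, "10.1.110.20", zero, "10.1.110.1"),
        # gratuitous ARP from the PC claiming the voice gateway's IP: the setup for call interception
        "pc_garp_as_gateway": build_arp(pc, bcast, ARP_REPLY, pc, "10.1.110.1", pc, "10.1.110.1"),
        # PC forges the phone's MAC inside the ARP body but not on the wire
        "pc_arp_body_mismatch": build_arp(pc, bcast, ARP_REPLY, phone, "10.1.110.20", phone, "10.1.110.20"),
        # PC sends IP traffic with the phone's address as source
        "pc_ip_spoof": build_ipv4(pc, gw, "10.1.110.20", "10.1.110.5"),
        "phone_ip": build_ipv4(phone, gw, "10.1.110.20", "10.1.110.5"),
    }
    return {name: port.inspect(f)[0] for name, f in frames.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Both checks depend entirely on the binding table being right, which is why DHCP snooping must be enabled first and only the uplinks toward the real DHCP server marked trusted; a statically addressed phone needs a static binding or it is dropped too.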

Page 22

V3PN and IPsec

• Use IPsec to protect all traffic, not just voice

• A single IPsec tunnel is easier to permit through the firewall than enumerating every signaling and media port in an ACL

• Terminate in a VPN concentrator or large router as needed, on the inside of the firewall or ACL

• Remember the Clustering-over-the-WAN metrics (the delay and bandwidth limits between cluster nodes)

[Diagram: headquarters and a branch office with an SRST router joined over the IP WAN, each with its own PSTN access, plus a disaster recovery site or distributed cluster]

Page 23

Firewall, IDS, and Anomaly Detection

• Stateful, rules-based firewalls control traffic

• Intrusion Detection Systems look for known exploits by signature

• Anomaly detection looks for unusual events

[Diagram: telephony servers, a DMZ and the PSTN connection behind the firewall and sensor]
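The anomaly detection this slide describes, applied to the toll fraud threat from slide 12, is easiest to see on call detail records. As an added example that is not from the presentation, the following Python flags an extension whose international calls happen after hours, come in a burst, or add up to too many minutes within an hour. The CDR lines, the 011 international access code (a NANP dial plan), the after-hours window and the thresholds are constructed assumptions; tune them to your own dial plan and calling baseline.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDR extract (not real data): timestamp, calling extension, dialed digits, duration (s).
# 020 7946 0xxx is a fictional UK number range; 555 numbers are fictional NANP numbers.
CDR_SAMPLE = """\
2006-03-14T09:12:05,1001,4085551212,320
2006-03-14T11:40:13,1001,01144207946000,610
2006-03-14T14:05:00,1037,2125550170,95
2006-03-15T02:13:05,1042,01144207946001,1420
2006-03-15T02:19:44,1042,01144207946002,1390
2006-03-15T02:31:02,1042,01144207946003,1500
2006-03-15T02:44:19,1042,01144207946004,1475
2006-03-15T03:01:50,1042,01144207946005,1510
2006-03-15T10:15:00,1037,4085551212,60
"""

# Assumed dial plan: 011 is the international access code, 9 selects an outside line.
INTL_PREFIXES = ("011", "9011", "+")

def parse_cdrs(text):
    """Yield (timestamp, extension, dialed digits, duration seconds) sorted by time."""
    rows = []
    for ts, ext, digits, dur in csv.reader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(ts), ext, digits, int(dur)))
    return sorted(rows)

def is_international(digits):
    return digits.startswith(INTL_PREFIXES)

def after_hours(ts, start=22, end=6):
    """Constructed policy: 22:00 to 06:00 local time is outside business hours."""
    return ts.hour >= start or ts.hour < end

def detect_toll_fraud(text, window=timedelta(minutes=60), burst=3, max_intl_minutes=30):
    """Return {extension: {reason_kind: [details...]}} for extensions that trip a rule.

    Rules, each evaluated per international call in time order:
      after_hours: any international call outside business hours
      burst:       `burst` or more international calls within `window`
      minutes:     more than `max_intl_minutes` of international talk time within `window`
    """
    findings = defaultdict(lambda: defaultdict(list))
    recent = defaultdict(list)   # ext -> [(timestamp, duration)] of international calls in the window
    for ts, ext, digits, dur in parse_cdrs(text):
        if not is_international(digits):
            continue
        if after_hours(ts):
            findings[ext]["after_hours"].append(f"{ts.isoformat()} -> {digits}")
        q = recent[ext]
        q.append((ts, dur))
        q[:] = [(t, d) for t, d in q if ts - t <= window]   # slide the window
        if len(q) >= burst:
            findings[ext]["burst"].append(
                f"{len(q)} international calls in {window} ending {ts.isoformat()}")
        minutes = sum(d for _, d in q) / 60
        if minutes > max_intl_minutes:
            findings[ext]["minutes"].append(
                f"{minutes:.0f} international minutes in {window} ending {ts.isoformat()}")
    return {ext: dict(kinds) for ext, kinds in findings.items()}

if __name__ == "__main__":
    for ext, kinds in detect_toll_fraud(CDR_SAMPLE).items():
        for kind, details in kinds.items():
            print(ext, kind, details[0])
```

Extension 1001's single daytime international call stays under every threshold; 1042's five long overnight calls trip all three rules, which is the pattern of a compromised voicemail or PIN being used for call resale.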

Page 24

Using QoS and Thresholds

• Quality of Service enables clear voice connections during congestion

• Rate limiting keeps DoS and DDoS floods from impacting voice

• Processor thresholds protect routers and switches from overload
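An added example (not Cisco's code or configuration) of the per-source rate limiting the slide refers to: a token-bucket policer in Python, fed a constructed timeline in which one phone sends signaling at 2 packets per second while another host floods the call-control address at 500 packets per second. The rate, burst and addresses are assumptions chosen for the simulation; on the network itself this is done with the platform's policing and control-plane protection features, not in software.

```python
from collections import defaultdict

class TokenBucket:
    """`rate` tokens per second, at most `burst` banked; every packet costs one token."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # refill for the elapsed time, capped at the burst size, then try to spend one token
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class PerSourcePolicer:
    """One bucket per source address in front of a protected service (here: call control)."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.stats = defaultdict(lambda: [0, 0])   # src -> [passed, dropped]

    def offer(self, src, now):
        ok = self.buckets[src].allow(now)
        self.stats[src][0 if ok else 1] += 1
        return ok

def simulate(duration=10.0, phone_pps=2, flood_pps=500, rate=10, burst=20):
    """Constructed traffic: a phone at phone_pps and a flooder at flood_pps, both toward call control.
    Returns src -> (passed, dropped)."""
    policer = PerSourcePolicer(rate, burst)
    events = [(i / phone_pps, "10.1.110.20") for i in range(int(duration * phone_pps))]
    events += [(i / flood_pps, "10.1.20.99") for i in range(int(duration * flood_pps))]
    for now, src in sorted(events):
        policer.offer(src, now)
    return {src: tuple(counts) for src, counts in policer.stats.items()}

if __name__ == "__main__":
    for src, (passed, dropped) in simulate().items():
        print(f"{src:12s} passed={passed} dropped={dropped}")
```

The phone never loses a packet because its 2 pps is well under the 10 pps refill rate, while the flooder gets the 20-packet burst and then 10 pps, so roughly 120 of its 5,000 packets reach call control. Per-source buckets are what keep the flooder from consuming the phone's share; a single aggregate limit would drop both.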

Page 25

Secure IP Communications: Systems Approach in Action (Infrastructure layer as on page 20, plus:)

Call Management

• Hardened Windows OS

• Digital certificates

• Signed software images

• TLS signaling

• Integrated CSA

Page 26

Hardened Call Management Platform

• Hardened Windows 2000 OS shipped by default, and downloadable from Cisco Connection Online (CCO)

• Aggressive Security Patch and Hotfix Policy

Critical: Tested and posted to CCO within 24 hours

Others: Consolidated and posted once per month

New email alias tells you when new patches are available

(http://www.cisco.com/warp/public/779/largeent/software_patch.html)

• Install McAfee 7.1, Symantec 8.1, or Trend Micro ServerProtect 5 anti-virus protection

Page 27

Integrated Intrusion Prevention

• Cisco Security Agent available for all telephony applications

Headless agent bundled; managed agent optional

• Policy-based, not signature-based

• Zero signature updates

• “Day Zero” support

• Centrally administered, with distributed, autonomous policy enforcement

• Effective against existing & previously unseen attacks

• Stopped Slammer, Nimda and Code Red sight unseen with out-of-the-box policies

CSA Server Protection:

• Host-based intrusion protection

• Buffer overflow protection

• Network worm protection

• Operating system hardening

• Web server protection

• Security for other applications

Page 28

Resilience: Secure Survivable Remote Site Telephony

[Diagram: headquarters with a Cisco Unified CallManager cluster, applications servers and a Cisco 7200 WAN router; a remote site with a Cisco 2800 router running SRST; both sites with PSTN access; the WAN link between them shown as failed]

• Resiliency for remote IP Telephony users with central Cisco Unified CallManager

• Minimizes business impact of WAN link failure:

Cisco router auto-configures and provides local call processing; no manual intervention required

SRST IP phone calls remain secure

When WAN is available, IP Phones auto-revert back to Cisco Unified CallManager

Calls in progress stay connected during WAN failure/restore

Page 29

Secure IP Communications: Systems Approach in Action (Infrastructure and Call Management layers as on pages 20 and 25, plus:)

Endpoints

• Digital certificates

• Authenticated phones

• GARP protection

• TLS protected signaling

• SRTP media encryption

• Centralized management

Page 30

Authenticated Endpoints

• X.509 v3 certificates in Cisco Unified IP Phones and Cisco Unified CallManager

• Certificates ensure reliable device authentication

• Scalable solution

Page 31

Media and Signaling Encryption

• Public key / private key pair

• X.509v3 digital certificate

• Certificate Trust List (CTL)

• Transport Layer Security (TLS)
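An added example, not the presentation's or Cisco's code, of what SRTP media protection adds to RTP and why it defeats the “session replay” and “media tampering” threats listed on slide 12: each packet carries an HMAC-SHA1 tag over the RTP packet and rollover counter (RFC 3711), and the receiver keeps a replay window that it updates only after the tag verifies. The session authentication key, SSRC and payload are constructed; the AES-CTR payload encryption and the master-key derivation of RFC 3711 are omitted, and the rollover counter is held at zero.

```python
import hmac
import hashlib
import struct

AUTH_TAG_LEN = 10     # RFC 3711 default: HMAC-SHA1 truncated to 80 bits
REPLAY_WINDOW = 64    # RFC 3711 §3.3.2 minimum replay window

# Constructed session authentication key. Real SRTP derives it from the
# negotiated master key with the RFC 3711 KDF; that derivation is omitted here.
SESSION_AUTH_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4")

def build_rtp(seq, timestamp, ssrc, payload, payload_type=0):
    """RTP v2 header (no CSRCs, no extension, marker clear) plus payload; PT 0 = G.711 u-law."""
    header = struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload

def auth_tag(rtp_packet, roc, key=SESSION_AUTH_KEY):
    """RFC 3711 §4.2: tag = HMAC-SHA1(key, authenticated portion || ROC), truncated."""
    mac = hmac.new(key, rtp_packet + struct.pack("!I", roc), hashlib.sha1).digest()
    return mac[:AUTH_TAG_LEN]

def protect(rtp_packet, roc=0, key=SESSION_AUTH_KEY):
    """Sender side: append the authentication tag (payload encryption omitted, see lead-in)."""
    return rtp_packet + auth_tag(rtp_packet, roc, key)

class SrtpReceiver:
    """Receiver-side authentication and replay protection for one SSRC, ROC fixed at 0."""

    def __init__(self, key=SESSION_AUTH_KEY):
        self.key = key
        self.roc = 0
        self.s_l = None   # highest sequence number authenticated so far
        self.seen = 0     # replay bitmap: bit k set = packet s_l - k already accepted

    def unprotect(self, srtp_packet):
        """Return (status, rtp_packet); status is 'ok', 'replay', 'auth_fail' or 'malformed'."""
        if len(srtp_packet) < 12 + AUTH_TAG_LEN:
            return ("malformed", None)
        packet, tag = srtp_packet[:-AUTH_TAG_LEN], srtp_packet[-AUTH_TAG_LEN:]
        seq = struct.unpack("!H", packet[2:4])[0]
        # Step 1 (RFC 3711 §3.3): replay check against the window before doing any crypto.
        if self.s_l is not None and seq <= self.s_l:
            back = self.s_l - seq
            if back >= REPLAY_WINDOW or (self.seen >> back) & 1:
                return ("replay", None)
        # Step 2: verify the tag in constant time; a forged or tampered packet stops here.
        if not hmac.compare_digest(tag, auth_tag(packet, self.roc, self.key)):
            return ("auth_fail", None)
        # Step 3: only an authenticated packet may update the replay state.
        if self.s_l is None or seq > self.s_l:
            shift = 0 if self.s_l is None else seq - self.s_l
            self.seen = ((self.seen << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.s_l = seq
        else:
            self.seen |= 1 << (self.s_l - seq)
        return ("ok", packet)

def demo():
    """Constructed stream: four good packets, one replay, one tampered, one late, one too old."""
    rx = SrtpReceiver()
    ssrc, pcm = 0x1234ABCD, bytes(160)   # 20 ms of silence at 8 kHz
    good = [protect(build_rtp(s, s * 160, ssrc, pcm)) for s in (100, 101, 102, 103)]
    tampered = bytearray(protect(build_rtp(104, 104 * 160, ssrc, pcm)))
    tampered[20] ^= 0x01   # flip one payload bit: media tampering
    results = [rx.unprotect(p)[0] for p in good]
    results.append(rx.unprotect(good[1])[0])                                         # replayed 101
    results.append(rx.unprotect(bytes(tampered))[0])                                 # modified 104
    results.append(rx.unprotect(protect(build_rtp(104, 104 * 160, ssrc, pcm)))[0])  # genuine 104
    results.append(rx.unprotect(protect(build_rtp(99, 99 * 160, ssrc, pcm)))[0])    # late but new
    results.append(rx.unprotect(protect(build_rtp(30, 30 * 160, ssrc, pcm)))[0])    # outside window
    return results

if __name__ == "__main__":
    for status in demo():
        print(status)
```

Two details matter in practice: the tag is compared in constant time, and the replay bitmap is touched only after a successful verification, so an attacker who injects packets with future sequence numbers cannot push the window forward and cause genuine late packets to be discarded.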

Page 32

Secure IP Communications: Systems Approach in Action (Infrastructure, Call Management and Endpoints layers as on pages 20, 25 and 29, plus:)

Applications

• Multi-level administration

• Toll fraud protection

• Secure management

• Hardened platforms

• H.323 and SIP signaling

Page 33

Secure Private Messaging

• Private

Only intended recipients can listen to a private message addressed to them

Messages marked private, if (accidentally or intentionally) forwarded, cannot be listened to

Messages forwarded to internet email addresses or 3rd party voice mail systems (VPIM/AMIS/OctelNet) cannot be listened to

• Secure

Actual message content is protected using public-key encryption

Unauthorized users will hear a warning message

Can be set on a per subscriber (all messages from John Chambers) or system-wide (legal firms) basis

Page 34

Application Platform Protection

• Carefully hardened platforms

• Control access to admin functions

• Cisco Security Agent host-based protection

• Secure remote management via HTTPS

Page 35

Secure IP Communications: Systems Approach in Action

[Summary diagram: all four layers (Infrastructure, Call Management, Endpoints, Applications) from pages 20, 25, 29 and 32 shown together]

Page 36

Cisco – Independently Recognized as the Secure IP Communications Solution

[Award logos: Most Secure Large-Size IP-PBX, Most Secure Mid-Size IP-PBX, DoD JITC PBX1 Certification]

• Cisco is the only vendor to earn Miercom/Network World’s highest security rating—May 2004

• BCR – Most secure Large IP-PBX, January, 2005

• BCR – Most secure Mid-Size IP-PBX, February, 2005

• Only fully IP-PBX system to achieve DoD PBX-1 certification - 2005

Page 37

Secure IP Communications Evolution

Base: Secure Foundation (secure network, interoperability)

Spring ‘04: Secure Systems (digital certificates, hardened platforms, privacy)

TODAY: Ubiquitous Deployment (extended platforms, gateways, services)

Future: Advanced Integration (user and application awareness)

Page 38

Cisco Self-Defending NetworkIntegrated, Collaborative, Adaptive

RISK GAPS ARE REDUCED, COMPLEXITY IS REDUCED, TOTAL COST OF OWNERSHIP IS LOWER

PROTECT, OPTIMIZE, AND GROW YOUR BUSINESS

ENABLING BUSINESS-DRIVEN SECURITY PRACTICES

Helping Our Customers Make the Journey From Point Solutions to Proactive, End-to-End Security

Page 39

Resources

• Cisco.com/go/security

• Cisco.com/go/ipc

• Cisco.com/go/ipcsecurity

• Cisco.com/go/netpro
