uc security roadshow 2011
TRANSCRIPT
Copyright © Siemens Enterprise Communications GmbH & Co. KG 2009. All rights reserved.
Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licensee of Siemens AG
Madrid, 15 March 2011
UC Security
Roadshow 2011
UC Security Solutions
Aurelio Martín, Siemens Enterprise Communications Group
Unified Communications (UC)
Our Customers and the Industry want …
Planning for today's business challenges
Business trends:
• Tightened spending due to difficult economy
• Green Enterprise mandates are emerging
• Continued highly distributed organizations
• Blurring of work-life boundaries
• Speed and collaboration are essential
Communications trends:
• Open standards, SIP, SOA
• Cloud computing and SaaS emerging
• “Anywhere” seamless mobility
• Software-driven communications
• UC approaching mainstream
• Ubiquitous, affordable secure network infrastructures
Unified Communications (UC)
What is demanded …
… Reliable and Secure!
OpenScape Unified Communications: Open Architecture for Integration
Software Foundation
OpenScape Applications (OpenSOA): OpenScape Voice*, OpenScape Mobility, OpenScape Video, OpenScape Messaging, OpenScape UC Application, OpenScape Contact Center, and more …
OpenScape Unified Communications Server: SIP Session Control, Availability Management, Federated Presence, QoS Management, Session Detail Reporting, Administration & Licensing, Network Services & Management, and more …
Real-time Communications Infrastructure (Gateways, SBCs), Network Infrastructure (Switches, Routers), Mobility Infrastructure (Wireless LAN)
Performance Management, AAA Services, Embedded Security, Endpoint Location Service, Alarm and Config Management, UC Network Aware Application Interface
Data Center Infrastructure, Service Availability, Network Infrastructure
Services around the stack: OpenScale UC Integration Services, OpenScale IT Service Management, OpenScale Security
UC Integration Services & Solutions: Enterprise Grade Service Level Offerings
The OpenScape UC Integration Accessories deliver pre-packaged UC enhancements for the OpenScape UC Application.
Based on the Siemens OpenSOA approach, the UC Integration Solutions provide the realization of customer-specific UC solutions.
The UC Deployment Solutions support varied customer-specific infrastructure environments.
The UC Security Solutions address all relevant security requirements in UC solutions.
The Professional Services Suite for UC offers all relevant professional services for realizing UC projects based on the OpenScape UC Application.
Diagram: OpenScape UC Application V3.1 surrounded by Customized UC Integration Solutions, UC Deployment Solutions, UC Security Solutions and OpenScape UC Integration Accessories.
Security Challenges from a UC Perspective
UC Security Challenge | Examples | The Impact
Service availability | Maintain or increase service availability within a converged voice and data infrastructure | Increased productivity and revenue
Integrity & confidentiality | Maintain integrity and confidentiality of corporate data and communications | Prevent loss of valuable data and information, reputation
Operational efficiency | Maintain security while reducing operating cost / Automate administration tasks | Reduced operational costs
Compliance | Fulfill legal and regulatory requirements | Corporate image, fraud prevention
Customers will demand solutions and services to mitigate risks in Unified Communications
Mitigate risks of Unified Communications
Infrastructure & Protocols:
• Flooding attacks (i.e. parser, DNS blocking, message flow attacks)
• Denial of service attacks
• Eavesdropping
• (Poor) authentication misuse
• Manipulation
• Fraud
• SPIT
Applications & Users:
• Spam
• ID theft
• VOMIT*
• Denial of service
• SQL injection
• Bad software
• Inconsistency of user data
• Authentication misuse
• Social engineering
• Lack of security awareness
Business Processes:
• Absence of risk management strategy, business continuity planning, disaster recovery strategy, incident management
• Ignoring compliance issues
• No independent security assessments
* voice over misconfigured internet telephones
Security defense in a UC environment is a layered approach
Layers: OpenScape UC Server, Network Infrastructure, OpenScape Applications, Business Processes
Security measures to consider:
• SIP Security (TLS/SRTP)
• Network Security
• Asset Classification
• Business Continuity
• Information Security Management
• Security Policies & Processes
• Single Sign-On
• Application Security
• Security Audits – Security Testing
• Session Border Controllers / Firewalls
• Security Information & Event Management (SIEM)
• Intrusion Prevention
• VPN (IPSec/TLS)
• Antivirus & Antimalware
• Supporting Services Security (DNS, web server, databases)
• Certificate Infrastructure
• Backup & Disaster Recovery
• Data Loss Prevention
• Access Management
• Identity Management
• Network Authentication (802.1x / NAC)
Why Siemens Enterprise Communications?
Only provider offering the choice of complete end-to-end, software-driven unified communications, based on open, secure interoperable standards
• Complete voice + UC software portfolio
• Complete mobility + wireless portfolio
• Complete networks + security portfolio
• Complete global services portfolio
Open:
• No single-vendor lock-in
• No proprietary technology stacks
• Driven by your goals, not our agenda
• Solution layers can be multi-vendor
• Integrates with Cisco, IBM, Microsoft and Open Source solutions
• Synergies from our end-to-end solution
• Drive cost reduction
• Increase productivity
• Faster decision making
• Improved collaboration
Live Demo
Prepackaged and customized security solutions to secure a UC environment
Layers: OpenScape UC Server, Network Infrastructure, OpenScape Applications, Business Processes
Security measures to consider: SIP Security (TLS/SRTP), Network Security, Asset Classification, Information Security Management, Security Policies & Processes, Application Security, Security Audits – Security Testing, Security Information & Event Management (SIEM), Intrusion Prevention, VPN (IPSec/TLS), Antivirus & Antimalware, Backup & Disaster Recovery, Data Loss Prevention, Access Management
Named solutions and services on the slide: Business Continuity for UC, OpenScape SignOn, Secure Communication Infrastructure, OpenScape Location and Identity Assurance, IP Network Services for UC, Certificate Services for UC, OpenScape Identity & Lifecycle Assistant
Column headers: Prepackaged Solutions & Services | Customizing Solutions & Services
OpenScape Identity Lifecycle Assistant
Automated user administration using OpenScape Identity Lifecycle Assistant
Automation of user administration using OpenScape Identity Lifecycle Assistant
Solution Description
• Simplifies user administration within an OpenScape Voice environment and complements the administration via the Common Management Portal
• Initial load of user information by connecting to an authoritative HR data source (HR system, LDAP service, ODBC database, etc.)
• Continuous update of user information if user status changes (e.g., leaves company, moves to other department)
• Supplies OpenScape Voice with additional information for billing purposes (e.g. cost center of the organizational unit)
• Delivers a fast and easily implemented phone book that is accessed via Web or LDAP
OpenScape Identity Lifecycle Assistant – Customer Benefits
• Ensure automatic withdrawal of assets and access rights (e.g. user changes role or leaves company)
• Increase employee productivity by providing automated, fast access to communication services
• Relieves IT from duplicate administration of user information
• Automates administration tasks (e.g. automatic subscriber provisioning)
• Reuse existing user information within systems instead of recreating it (e.g. collect information from HR for billing purposes)
Benefit categories shown: Superior Security, Enhance Corporate Excellence, Grow Revenue, Reduce Operating Costs, Increase Asset Efficiency
OpenScape SignOn
One-click for all application logon using OpenScape SignOn
One-click for all application logon using OpenScape SignOn
Solution Description
• OpenScape SignOn improves usability and security and reduces administration effort for UC applications that rely on OpenScape Voice or HiPath platforms.
OpenScape SignOn:
• Facilitates access to applications and usability
• Provides a single login for most voice applications and access to voice platforms from SEN
• Possibility to automatically generate and renew passwords for applications on behalf of the user
• Supports strong authentication for access to sensitive applications
• Provides central audit capability that simplifies compliance reporting
OpenScape SignOn – Customer Benefits
• Automatically enforce password policy (no password on a sticky note)
• Simplify compliance reporting by providing a central audit trail for application access
• Increase employee productivity by enhancing user convenience (one-click application access, automated password renewal)
• Reduce help desk calls related to password resets
• Consolidated audit trail for application access in one single location
• Leverage strong authentication mechanisms for a variety of additional applications
Benefit categories shown: Superior Security, Enhance Corporate Excellence, Grow Revenue, Reduce Operating Costs, Increase Asset Efficiency
OpenScape Location and Identity Assurance
Keeping track of moving targets using the solution OpenScape Location and Identity Assurance
Keeping track of moving targets using the solution OpenScape Location and Identity Assurance
Solution Description
• The solution OpenScape Location and Identity Assurance provides several enhancements for an OpenScape or HiPath environment that facilitate and automate operations and improve enterprise security.
• Supports adaptation and automation of configuration tasks based on location information (e.g. configuring speed dial lists, emergency numbers, site security)
• Is able to automatically assign QoS parameters and security profiles (ACLs, VLAN, policies) via NAC
• Provides automated inventory and detection of non-compliant end devices
• Facilitates troubleshooting of end devices by providing one consistent view
Diagram: NAC cycle (Access & Control, Detect & Locate, Respond & Remediate, Establish & Enforce Policy) across the Core Network, a NAC Appliance with Secure Networks NAC features, the NAC Manager, OpenScape Voice and HiPath DLS, a physical infrastructure database kept current by import/synchronization, and mobile users moving between locations (steps 1 to 3, "User moves").
OpenScape Location and Identity Assurance – Customer Benefits
• Reliable and high-quality operation of real-time applications through automatically assigned QoS and security profiles
• Reduces risk and downtime due to automatic assignment of security settings
• Enhance employee productivity by reducing network downtime and outages
• Reduce time to localize IP phones within the enterprise network
• Save administrative cost for troubleshooting
• Leverage existing information of network management and communications management systems
Benefit categories shown: Superior Security, Enhance Corporate Excellence, Grow Revenue, Reduce Operating Costs, Increase Asset Efficiency
IP Network Services for UC
The glue between UC applications and your network infrastructure
The glue between UC applications and network infrastructure
Solution Description
• Provides IP network services (DNS, DHCP, NTP) that are crucial for UC applications, as they are for most other business-critical applications run within the enterprise
• Assures the availability requirements expected for a UC datacenter deployment
• Provides fault tolerance for IP network services in branch offices
• DNS/DHCP as a service are essential for plug & play installation
• Automated IP address management with a real-time view of the IP addresses
IP Network Services – Customer Benefits
• Reduced network outages
• Fast and reliable update
• Automated failover in case of service disruption
• Secure and reliable hardware & software platform
• Improve performance of all applications (email, Web, VoIP/UC, Intranet, …)
• Eliminate DNS latency
• Consolidate servers from branch offices
• Reduce capital and administration cost
• Simplify troubleshooting
• Automate monitoring
• Leverage existing infrastructure from Cisco or Riverbed in branches
Benefit categories shown: Superior Security, Enhance Availability, Enhance Productivity, Reduce Operating Costs, Increase Asset Efficiency
OpenScape Session Border Controllers
The Swiss Army knife for solving connectivity and security issues within OpenScape UC environments
Solving connectivity and security issues in OpenScape UC environments
Solution Description
• Protects OpenScape UC from being overloaded by rate limiting traffic
• Protects OpenScape UC against attacks or malfunctioning (e.g. Denial-of-Service)
• Provides access control for internet-connected users
• Network topology hiding and dynamic pin-holing for RTP/SRTP traffic
• Solves connectivity issues in customer networks with overlapping IP addresses
• Ensures privacy when connecting the enterprise to a SIP service provider
• Provides interworking capabilities for: SIP-aware NAT adaptation; heterogeneous vendor environments; protocol adaptation when connecting to SIP service providers; TLS/SRTP termination on network borders without TLS/SRTP support (SIP provider)
Diagram: the Session Border Controller sits between the LAN / Data Center and the WAN, PSTN and VoIP Provider.
Session Border Controllers – Customer Benefits
• Protect UC infrastructure against threats
• Enhance availability of UC services
• Enable VoIP migration into Next Generation Network services
• Support of mobility scenarios increases skilled employee availability and productivity
• Consolidate PSTN trunks and move to SIP trunking services
• Economically and flexibly integrate internet-connected VoIP users
• Leverage existing internet connections by extending them with SIP services
• Provide interworking capabilities to economically integrate acquisitions
Benefit categories shown: Superior Security, Enhance Corporate Excellence, Grow Revenue, Reduce Operating Costs, Increase Asset Efficiency
Certificate Services for Unified Communications
Creating a secure & more agile business
Professional Services for Identity & Access: Certificate Services for Unified Communications
Service Description
Secure authentication and encryption based on certificates is the most important way to protect a UC solution. Conversations on the phone stay confidential, and services, servers and endpoints are protected from manipulation.
Certificate services for UC are key portfolio elements wherever customers attempt to implement their own certificate infrastructure for their UC solution.
Four specific professional service elements ensure seamless integration into our customers' certificate infrastructures and fulfill their policy requirements:
• Scoping Workshop
• Architecture and Design
• Design Specification
• Customizing and Implementing
Certificate Services for UC – Customer Benefits
• Protection of confidential communication and business content against theft
• Take all relevant legal policies into account
• Allow easy and secure interworking with partners
• Improve the company’s image by ensuring secure and trusted business communication
• Establish the company as a trusted business partner
• Protection of the UC services against misuse, fraud and manipulation
• Ensuring the availability of the communication services
• Create a best-in-class security level to protect the value of the company's intellectual property
• Ensure the reliability of digital assets and business processes
Benefit categories shown: Superior Security, Enhance Corporate Excellence, Grow Revenue, Reduce Operating Costs, Increase Asset Efficiency
Business Continuity Management for Unified Communications
Business Continuity Management for Unified Communications
Service Description
BCM Health Check for UC
• The aim of the service is to quickly and efficiently identify gaps in the existing Business Continuity provisions in relation to transforming to UC and produce an improvement programme
BCM for UC Solutions
• This service combines a Business Impact Assessment and Plan Development to enable customers to have updated BCM plans that reflect the new technologies
Incident Management Exercise for UC
• This service tests the incident response readiness of the business to a communication failure. As well as testing the technical recovery, it also tests the senior management response to managing an incident
Business Continuity Management for UC – Customer Benefits
• Improve identification and mitigation of risk
• Reassure customers that you won't go under should there be a disaster
• Handle incidents professionally
• Provide reliable access to systems for staff and customers
• Enable resilient deployment of innovative technologies allowing flexibility of staff working practices
• Ensure you are getting best value from your suppliers
• Make sure incidents are prepared for and handled with minimum disruption and costs
• Ensure the reliability and availability of assets
• Improve utilization of resources and reduce downtime
Benefit categories shown: Superior Security, Enhance Corporate Excellence, Grow Revenue, Reduce Operating Costs, Increase Asset Efficiency
Thank you!
Visit our new website:
www.siemens-enterprise.com/es
And our Twitter account:
@SiemensEnt_SP
Enterprise Solutions: Ignacio Garcia Calderon – Enterprise Sales Manager
Acme Packet Enterprise Overview
Acme Packet company overview
We are not these!!!!
Acme Packet
• Creator of the Session Border Controller (SBC) category.
• Market leader and reference, market share over 60% (source: Infonetics)
• Over 1,100 customers in 105 countries; over 300 in Enterprise
• Over 900 operators: fixed, cable, mobile; 91 of the 100 largest
• Over 300 Enterprises & Contact Centers: 11 of the Fortune 25
• Public company (NASDAQ: APKT)
• Headquarters in Boston, USA; over 500 employees in total
• EMEA HQ: Madrid, 30 employees: interoperability laboratory, EMEA TAC, EMEA Training Center, sales for Southern Europe and Benelux
Chart: Revenue ($M) and EPS (non-GAAP) for 2008, 2009 and 2010 (guidance); EPS values shown: $0.27, $0.35, $0.68.
Acme Packet in 2 Minutes
CONFIDENTIAL © 2010 Avaya Inc. All rights reserved.
Acme Packet Enterprise & Contact Center Customers (December 2010)
Acme Packet customers by sector: Finance/Insurance 18%, Higher Ed 4%, Technology 15%, Government 17%, Manufacturing 12%, Professional Services 10%, Other 24%
Acme Packet Confidential - INTERNAL ONLY
Some Enterprise customers (logos): Northwestern Mutual, MIT
Challenges in Real-Time IP Services: Security, Interoperability, Business Continuity
Challenges
• 1: Universalizing real-time IP services – interoperability problems (VoIP, video):
  • Between protocols (SIP-H.323)
  • Between transports (TCP/UDP)
  • Between vendors, and between vendors and operators
  – Time-to-market problems: partial certifications of vendors and versions at service providers; months of certification; loss of agility
• 2: Ensuring SLAs, quality of service and business continuity – CAC, QoS measurement, troubleshooting
  • Ensure CAC, from the network or at the customer site by several methods, or dynamically
  • Work at session level in HA/DRP solutions with load balancing and routing
  • When there are problems, an external element is needed to audit the network: troubleshooting
• 3: Specialized VoIP security at the customer site – security on the customer's premises = business continuity
  • VoIP-specific threats that have to be handled in a specialized way
  • Periodic fraud attempts, accidental internal threats
  • Is VoIP strategic? Is protecting it IMPORTANT? It is KEY.
The SBC Solves the Challenges
1: The most powerful interoperability tool
– Interworking of signalling and transport, at the customer site and towards the SP
– ROI: investment protection, integration, costs, efficiency, agility (time to market)
2: Security: a dedicated, VoIP-specialized firewall
– Internal and external; keeps the service operational; fraud control; encryption, VPNs; remote users over the public network
– ROI: availability and business continuity; privacy; security
3: QoS and business control
– CAC, QoS measurement and reports; troubleshooting
– CDRs for billing per environment / VPN
– High availability, geographic redundancy; no calls lost during failover
– ROI: high availability and business continuity; cost savings and control
Security in VoIP/Video/UC Services
New Rules, New Threats
• Session-level attacks that can ruin business continuity and productivity
– DoS/DDoS attacks
– Fraud
– VoIP spam
– Register / signalling overload (malicious / accidental)
• Breaches of communications privacy can cause business losses and regulatory violations
– Identity theft
– Eavesdropping
– Fraud
Security solutions must be designed to protect real-time communications – at the session level
Current Tools: Not 100% Adequate
• Firewalls: not designed for real-time services
– They affect quality of service (adding jitter and latency)
– They cannot handle hundreds or thousands of sessions in real time
– They do not work at the session level; they were not designed for that
– They do not provide high availability (e.g. not losing sessions on failover)
• Problems:
– Preventing SIP-specific overload conditions and malicious attacks
– Opening / closing RTP media ports dynamically, in synchronization with the SIP signalling
– Tracking session state and providing uninterrupted service
– No security for encrypted sessions
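The "open and close RTP ports in sync with the SIP signalling" problem above, as an added illustration in Python (not Acme Packet or Siemens code): a pinhole table driven by a constructed INVITE / 200 OK / BYE exchange, where the media address and port come from each SDP body and only negotiated RTP/RTCP 5-tuples pass. The message builder, Call-ID, addresses and ports are constructed for the example.

```python
"""SDP-driven media pinholes: open exactly the negotiated RTP/RTCP 5-tuples
when the answer arrives, drop everything else, close them on BYE.
Constructed example, not vendor code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_sip(raw: str):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_media_endpoint(sdp: str):
    """Return (ip, port) of the audio stream described in an SDP body."""
    ip = port = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("SDP without an audio media description")
    return ip, port


class MediaPinholes:
    """Media ACL that follows SIP dialog state instead of static port ranges."""

    def __init__(self):
        self.offers = {}   # Call-ID -> offerer (ip, port) while the answer is pending
        self.active = {}   # Call-ID -> set of Pinhole currently open
        self.dropped = 0

    def on_signalling(self, raw: str):
        start, hdr, body = parse_sip(raw)
        call_id = hdr["call-id"]
        if start.startswith("INVITE "):
            self.offers[call_id] = sdp_media_endpoint(body)
        elif start.startswith("SIP/2.0 200") and hdr.get("cseq", "").endswith("INVITE"):
            offerer = self.offers.pop(call_id)
            answerer = sdp_media_endpoint(body)
            holes = set()
            for (a_ip, a_port), (b_ip, b_port) in ((offerer, answerer), (answerer, offerer)):
                for off in (0, 1):   # RTP on the negotiated port, RTCP on port+1
                    holes.add(Pinhole(a_ip, a_port + off, b_ip, b_port + off))
            self.active[call_id] = holes
        elif start.startswith("BYE "):
            self.active.pop(call_id, None)
            self.offers.pop(call_id, None)

    def allow(self, src_ip, src_port, dst_ip, dst_port) -> bool:
        """Forward a media packet only if an open dialog negotiated this 5-tuple."""
        hole = Pinhole(src_ip, src_port, dst_ip, dst_port)
        if any(hole in holes for holes in self.active.values()):
            return True
        self.dropped += 1
        return False


def build(start, call_id, cseq, media=None):
    """Build a minimal constructed SIP message, with an SDP body when media is given."""
    lines = [start, f"Call-ID: {call_id}", f"CSeq: {cseq}"]
    if media:
        ip, port = media
        lines += ["Content-Type: application/sdp", "", "v=0", f"o=- 1 1 IN IP4 {ip}",
                  "s=-", f"c=IN IP4 {ip}", "t=0 0", f"m=audio {port} RTP/AVP 0"]
    return "\r\n".join(lines)


# Constructed exchange: an internal phone calls out, the far side answers, then hangs up.
INVITE = build("INVITE sip:bob@example.com SIP/2.0", "c1@10.0.0.5", "1 INVITE", ("10.0.0.5", 20000))
OK_200 = build("SIP/2.0 200 OK", "c1@10.0.0.5", "1 INVITE", ("198.51.100.7", 40000))
BYE = build("BYE sip:alice@10.0.0.5 SIP/2.0", "c1@10.0.0.5", "2 BYE")


def run_pinhole_example() -> dict:
    sbc = MediaPinholes()
    before = sbc.allow("198.51.100.7", 40000, "10.0.0.5", 20000)   # nothing negotiated
    sbc.on_signalling(INVITE)
    offer_only = sbc.allow("198.51.100.7", 40000, "10.0.0.5", 20000)  # answer pending
    sbc.on_signalling(OK_200)
    rtp = sbc.allow("198.51.100.7", 40000, "10.0.0.5", 20000)
    rtcp = sbc.allow("10.0.0.5", 20001, "198.51.100.7", 40001)
    stray = sbc.allow("198.51.100.7", 40000, "10.0.0.5", 20002)      # port never offered
    sbc.on_signalling(BYE)
    after = sbc.allow("198.51.100.7", 40000, "10.0.0.5", 20000)      # closed with the dialog
    return {"before": before, "offer_only": offer_only, "rtp": rtp, "rtcp": rtcp,
            "stray": stray, "after": after, "dropped": sbc.dropped}
```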
Acme Packet Net-SAFE: Security Solution Specific to Real-Time Services
• Protects itself against DoS attacks or overloads, malicious or accidental
• Dynamic, session-level access control for signalling and media
• Complete hiding of the infrastructure and user privacy
• Support for L2 and L3 VPN services and security
• Protects the infrastructure, prevents external and internal attacks and limits their impact
• Prevents bad practices, fraud and service theft
• Monitors, reports and logs attacks and attacker information, and provides information for audits
• Detection and elimination of viruses, worms and malware
Net-SAFE areas shown in the diagram: self-protection; DoS/DDoS; access control and VPN separation; privacy, topology hiding, encryption; worm/virus/malicious software; fraud prevention; service DoS prevention
Acme Packet SE Training - July 2009
Basic Differences from Other Solutions
B2BUA devices (SBC):
• Terminate, initiate and re-initiate signalling and SDP
• 2 sessions, one on each side of the system
• Layers 2-7
• Inspect and modify all session-layer header information (SIP, SDP, etc.)
• Static and dynamic ACLs
• Keep the service operational
Firewall with SIP ALG:
• The session passes through the FW
• Cannot terminate, initiate and re-initiate signalling and SDP
• Works at layers 2-4
• Only inspects and modifies session-level addressing (SIP, SDP, etc.)
• Only static ACLs
• Closes ports under attack: loss of service
Diagram: in both cases a SIP trunk reaching the IP PBX / UC server in the data center.
… Complementary Solutions
• Separate control of real-time applications (SBC) and traditional traffic (FW)
• Keeps management separate if required
• Without changing firewall configuration
• Traffic optimization
– The small media packets do not pass through the FW
• No impact on VoIP QoS
– No additional latency or jitter introduced by the FW
– SBC media latency under 15 µs
• Parallel deployment is recommended
– In-series deployment is possible in situations where IT security imposes a DMZ model
Diagram: SIP Carrier to Carrier Termination Router, with the SBC in front of the VoIP Network or VLAN and the Data Firewall in front of the Data Network or VLAN.
Why an SBC?
• DoS solution based on a hardware & software appliance
– No bottlenecks: separate queues for trusted and untrusted elements
– Dynamic handling of "trust": only trusted sessions are replicated to the other side
– The rest stays in the "untrusted" queue, whose capacity is configurable
– Limiting of SIP signalling traffic towards the network
– Separate treatment of INVITEs and REGISTERs
• Real-time
– Dynamically self-adjusts trust levels and the opening / closing of ports
– Automatic blocking of untrusted users: whitelists/blacklists for IP/SIP/SDP services
– Avoids the risk of false DoS
• Extends privacy and trust to the endpoints
– IPsec, TLS and SRTP
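The trusted/untrusted queue handling described above, as an added simulation in Python (not Acme Packet's Net-SAFE code): a shared bounded queue for untrusted sources, per-source and per-method limits for trusted ones, promotion after the core accepts a REGISTER, and deny-listing after repeated violations. The class, limit values, addresses and message trace are constructed assumptions; the trace also shows a newcomer held back while a flood fills the untrusted queue and admitted once the window has moved on.

```python
"""Simulation of SBC-style signalling admission with dynamic trust levels.
Constructed example, not Acme Packet code."""
from collections import defaultdict, deque


class SignallingAdmission:
    """Decides per source IP whether a SIP request is forwarded to the core."""

    UNTRUSTED, TRUSTED, DENIED = "untrusted", "trusted", "denied"

    def __init__(self, untrusted_queue=5, trusted_limits=None,
                 strikes_to_deny=3, window=1.0):
        self.untrusted_queue = untrusted_queue            # shared, bounded (assumed size)
        self.trusted_limits = trusted_limits or {"INVITE": 3, "REGISTER": 2}
        self.strikes_to_deny = strikes_to_deny
        self.window = window                              # seconds per sliding window
        self.level = defaultdict(lambda: self.UNTRUSTED)  # src -> trust level
        self.strikes = defaultdict(int)                   # src -> violations so far
        self.untrusted_held = deque()                     # timestamps in the shared queue
        self.trusted_hist = defaultdict(deque)            # (src, method) -> timestamps
        self.log = []                                     # (t, src, method, verdict)

    def _purge(self, q, now):
        """Drop timestamps that fell out of the sliding window."""
        while q and now - q[0] >= self.window:
            q.popleft()

    def _strike(self, src):
        """Repeated violations move a source to the deny list."""
        self.strikes[src] += 1
        if self.strikes[src] >= self.strikes_to_deny:
            self.level[src] = self.DENIED

    def admit(self, now, src, method):
        level = self.level[src]
        if level == self.DENIED:
            verdict = "denied"                            # blacklisted: not even queued
        elif level == self.TRUSTED:
            q = self.trusted_hist[(src, method)]          # own budget per method
            self._purge(q, now)
            if len(q) >= self.trusted_limits.get(method, 1):
                verdict = "rate_limited"
                self._strike(src)
            else:
                q.append(now)
                verdict = "forward"
        else:
            self._purge(self.untrusted_held, now)         # one queue for all untrusted
            if len(self.untrusted_held) >= self.untrusted_queue:
                verdict = "queue_full"
                self._strike(src)
            else:
                self.untrusted_held.append(now)
                verdict = "forward"
        self.log.append((now, src, method, verdict))
        return verdict

    def on_register_accepted(self, src):
        """The core accepted a REGISTER from src: promote it to trusted."""
        if self.level[src] != self.DENIED:
            self.level[src] = self.TRUSTED
            self.strikes[src] = 0


def run_admission_example() -> dict:
    """Constructed trace: one legitimate phone, one flooder, one newcomer."""
    sbc = SignallingAdmission(untrusted_queue=4)
    # A phone registers through the untrusted queue; the core accepts, so it is promoted.
    sbc.admit(0.00, "10.0.0.5", "REGISTER")
    sbc.on_register_accepted("10.0.0.5")
    # A burst of INVITEs from one untrusted address: the shared queue absorbs a few,
    # the rest are rejected and the source ends up on the deny list.
    flood = [sbc.admit(0.10 + i * 0.01, "203.0.113.9", "INVITE") for i in range(8)]
    # The trusted phone keeps its own per-method budget during the flood.
    legit = [sbc.admit(0.30 + i * 0.01, "10.0.0.5", "INVITE") for i in range(4)]
    # A second new phone finds the untrusted queue still full inside the window ...
    newcomer_now = sbc.admit(0.50, "10.0.0.6", "REGISTER")
    # ... and gets through once the window has moved on.
    newcomer_later = sbc.admit(1.60, "10.0.0.6", "REGISTER")
    return {"flood": flood, "legit": legit, "newcomer_now": newcomer_now,
            "newcomer_later": newcomer_later,
            "flooder_level": sbc.level["203.0.113.9"]}
```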
Certified by Independent Labs
• “Flawlessly passed all of CT Labs’ grueling attack tests”
– Total of 34 different test cases, using over 4600 test scripts
– Rate of 300,000 messages / second (approximate)
– No failed or dropped calls, even for new calls made during attacks
– Sourced from over 1 billion randomly generated addresses
– No lost RTP packets during attacks
• Protected the core service infrastructure equipment
– Stopped flood attacks into core
– Stopped malicious packets at edge
• SBC performance not impacted during attack
– SBC CPU utilization: only 10% increase
– Signaling latency: only 2 ms average increase
– RTP jitter: less than 1 ms increase (not measurable by test equipment)
Functional Differences between an SBC and Other Solutions
Function & feature examples | SBC | Firewall with SIP ALG | IP PBX + Session Manager | Router | Other UC security element
DoS/DDoS protection | √ | - | - | - | limited
Access control - dynamic & static | √ | static only | - | static only | -
Topology hiding | √ | - | - | - | -
Encryption – signaling & media | √ | IPSec only | TLS only | IPsec only | limited
Malware & SPIT mitigation | √ | - | - | - | √
Remote NAT traversal | √ | - | - | - | -
VPN bridging | √ | - | - | L3 only | -
Header manipulation rules for interop | √ | - | - | - | -
SIP / H.323 interworking | √ | - | - | - | -
Overlapping dial plan translations | √ | - | √ | - | -
Advanced session admission controls | √ | - | √ | - | -
Load balancing & advanced routing | √ | - | √ | - | -
Signaling overload control | √ | - | √ | - | -
QoS marking and reporting | √ | - | - | minimal | -
Embedded in Avaya Aura System Platform | - | - | √ | - | -
SBC scenarios in OpenScape Voice
[Diagram: SBC deployment scenarios. Main office: OSV, centralized applications and users; a centralized SBC behind NAT+FW facing the WAN and the Internet; SIP trunking. Branch offices: integrated SBC for branch SIP trunking, behind NAT+FW.]
SBC scenarios supported by OpenScape Voice
1. SIP Carrier
2. Remote User Access (user behind NAT FW)
3a. Branch Office in corporate/trusted infrastructure: OpenScape Branch (Proxy mode), RG8700
3b. Branch Office across untrusted infrastructure: OpenScape Branch (SBC mode)
Main Office (geographically separated): planned for OSB V1R3
Scenario 1a: Carrier SIP Trunking
§ SBC enables enterprises to use broadband SIP trunking services for inbound / outbound off-net calls
– Less expensive, IP based alternative to traditional channelized TDM trunking services
§ SBC provides signalling and media security, management and visibility at the edge of the enterprise network
– Including QoS monitoring/logging for SLA (not tested as part of the OpenScape Voice solution)
§ SBC provides for SIP interoperability between diverse SIP trunking providers and OpenScape Voice’s normalized SIP Interface to Service Providers.
[Diagram: Enterprise Network (OpenScape Voice, SBC) carrying SIP and RTP across an untrusted IP service / the Internet to the PSTN carrier’s SIP trunking service.]
Scenario 1b: Intra- & Inter-Enterprise SIP Trunking Federations
• SBC enables enterprise to use broadband SIP trunks (SIP or SIP-Q tie lines) between OpenScape systems over untrusted IP networks.
• Eliminates need for carrier SIP trunking services
– Peer-to-peer SIP trunks run over Layer 3 IP services
• Provides SIP-aware NAT functions, attack protection, signalling and media encryption, session detail recording…
• Protects communications from attacks based on visibility and mutability of signalling and media streams (eavesdropping, media injection attacks, call hijacking, etc)
• Provides complete application level security (SIP firewall function)
• Bandwidth and QoS based call admission control, QoS mapping, monitoring and marking, QoS based routing (not tested as part of the OpenScape Voice solution)
[Diagram: Enterprise Network A (OpenScape Voice, SBC) and Enterprise Network B (OpenScape Voice, SBC) connected across an untrusted IP service / the Internet.]
Scenario 2: Remote User Access
Security
• Encryption, authentication
• Media handling, dynamic pin-holing
Application availability
• Hosted NAT Traversal
• IP-address & VPN management
• Media anchoring and release
[Diagram: Enterprise HQ (OpenScape Voice, SBC behind the corporate NAT FW, corporate IP address space) and a remote user behind a NAT FW in public IP address space, exchanging SIP and RTP across the Internet.]
Scenario 3a: Branch Office connection
• Security – Encryption
• Application availability – Multi-vendor interworking
– IP-address & VPN management
– Media anchoring and release
• Regulatory compliance – Domain separation (VPNs)
[Diagram: Enterprise HQ (OpenScape Voice, SBC with near- and far-end NAT) connected over a trusted IP service / WAN to a Branch Office (proxy: OpenScape Branch, RG8700; PSTN gateway to the PSTN).]
Scenario 3b: Branch Office connection
• Security – Encryption
• Application availability – Multi-vendor interworking
– IP-address & VPN management
– Media anchoring and release
• Regulatory compliance – Domain separation (VPNs)
• Note: de-centralized deployment of Acme Packet SBCs in branch office locations is not supported. OpenScape Branch has integrated SBC functionality, for use in branch offices.
[Diagram: Enterprise HQ (OpenScape Voice, SBC, NAT) connected over an untrusted IP service / the Internet to a Branch Office (proxy & SBC: OpenScape Branch behind NAT; PSTN gateway to the PSTN).]
OpenScape Branch V1 R2 Proxy Operating Mode
1. Branch SIP users are primarily registered to the OpenScape Branch.
2. OpenScape Branch operates as a proxy and forwards messages from the branch SIP user to the OSV for call control.
In the event that the OpenScape Branch in proxy mode fails, the SIP users also have the OSV SIP address as the backup server address and can reach the OSV with no service disruption.
Note: the LAN infrastructure in the main office can be either
2a) directly connected to the WAN, or
2b) connected to the WAN through the SBC (in case NAT is required to handle overlapping private IP address ranges in the various branch offices).
[Diagram: Enterprise HQ with OSV, centralized applications, users, centralized gateways to the PSTN and a centralized SBC behind NAT+FW for SIP trunking over the WAN; Branch Office with OpenScape Branch (proxy mode), branch users, an optional gateway and branch SIP trunking; PSTN connectivity at the branch planned for OSB V1R3.]
OpenScape Branch V1 R2 SBC Operating Mode
1. Branch SIP users are primarily registered to the OpenScape Branch.
2. Even in the so-called “SBC mode”, OpenScape Branch operates as a proxy and forwards messages from the branch SIP user to the OSV for call control.
For OpenScape Branch in SBC mode, a unit failure is more critical than in proxy mode: no communication to the OSV is then available. One method to avoid this very unlikely condition is to have a redundant OpenScape Branch unit at the branch.
[Diagram: Enterprise HQ with OSV, centralized applications, users, centralized gateways to the PSTN and a centralized SBC for SIP trunking; Branch Office with OpenScape Branch (SBC mode) behind NAT+FW, reaching HQ across the Internet, with an optional gateway and branch SIP trunking; PSTN connectivity at the branch planned for OSB V1R3.]
© 2010 Infoblox Inc. All Rights Reserved.
Javier Abad, [email protected]; Irala, [email protected]
Dynamic Communication - Automated Infrastructure
Example of global support centres and offices
• USA • Netherlands • Australia • Hong Kong • Singapore • Japan • India • China • Canada • More…
About Infoblox
• The reference in the DNS, DHCP and IPAM (DDI) market
• The only company to obtain a “Strong Positive” rating from Gartner
• The only complete solution for Network Change & Configuration Management (NCCM) environments
• First enterprise, multi-vendor implementation of the Orchestration Server (IF-MAP)
• First to combine DDI, NCCM and IF-MAP
• More than 4,500 customers and more than 250 of the Fortune 500
• Presence in 30 countries, global TAC centres with 24/7 support, more than 170 engineers
* November 2009 DDI Marketscope Report
TASKS
• Make the infrastructure more dynamic
• Without increasing risk
• While improving network productivity and availability
Infrastructure automation is strategic
[Chart: network infrastructure demands (users, devices, systems, applications, protocols, services, virtualisation, mobility…) and network size and complexity grow over time while staff and network-management resources stay flat, increasing risks, costs and delays. Axes: quantity/size vs. time.]
Example of customers and partners
[Logos: Customers (including Banco de España) | Technology alliances]
How does Infoblox complement Siemens UC solutions?
• Business availability
– “Always on” network
– Real-time IP visibility
– Proactive fault detection
• Network control & compliance
– Agile management, visibility of the dynamic infrastructure
– Reports on compliance with internal standards and policies
– Real-time analysis of the impact of a change
• Efficiency and automation
– Automatic provisioning of IPs for end devices; network changes
– Efficiency in virtualised environments
– Tools to identify, verify and remediate problems quickly
[Diagram: switches, routers, wireless, security and apps managed through IPAM & NCCM.]
Enabling the dynamic UC environment
[Diagram: a closed-loop automation cycle between the network (routing, switching…) and the applications, with Infoblox DDI (DNS / DHCP / IPAM) and Infoblox NCCM providing visibility and automation: check the infrastructure, provide DDI services, recognise the change, detect IPs, communicate / take action.]
Infoblox DDI solution
• IP address management (IPAM)
– Planning
– Reserve / assign
– Operation
• Always-available, robust services
– Domain Name System (DNS)
– Dynamic Host Configuration Protocol (DHCP)
– Others (time, TFTP, etc.)
[Diagram: DNS, DHCP and IPAM sit between the applications and the infrastructure, the link between networks and applications.]
Poor DDI performance is the network’s weak point
Infoblox DNS, DHCP & IPAM
Automate IP provisioning and deliver critical “always-on” network services
• Replaces spreadsheets
• Real-time and historical visibility of connected networks and IPs
• Delegate and automate IP and network provisioning tasks
• Reporting and auditing
• Robust, hardened DNS infrastructure
• Improved DHCP failover (critical for UC environments)
• Agentless management of Microsoft DNS/DHCP
Grid technology: the key differentiator
A set of members (hardened appliances) running one or more services (DNS, DHCP, TFTP, NTP), coordinated by the Grid Master, sharing a distributed database and communicating over SSL VPN.
- Centralised control and visibility
- Real-time IPAM & discovery
- Automatic failover and DR
Simple, Secure, Reliable
[Diagram: Grid Master, Grid Master Candidate at the recovery site, internal Grid members, external DNS Grid member, virtual environment, branch offices, IPAM Insight.]
Automation of network change and configuration management
Understand the cause/effect relationship
• Discovery and visualisation of the network infrastructure
• Collects and analyses the configurations of the network infrastructure
• Tracks and automates changes in the network
• Identifies non-compliance with “best practices”
• Identifies violations of compliance and security policies (SOX, HIPAA, PCI, etc.)
• Identifies, verifies and remediates incidents proactively
Business agility through automated infrastructure
Supports business initiatives
• Increases agility
• Reduces risk
• Increases productivity
• Virtualisation and cloud
• Data centre consolidation
• Transition to IPv6
• Security and compliance
• Mergers and acquisitions
Thank you very much
Unified Communications: Shared Risks
Unified Communications: how to protect them
Can I reduce the cost of my telephony?
- Deep SIP/SDP inspection
- Rate limiting of SIP, SCCP, SIMPLE messages
- RTP pin-holing
- Stateful SIP dialog tracking
- SIP HA and geographic HA
- NAT/NATP support
- SIP NAT tracing
- SIP HNT
- IPv6 support
- IPS/IDS
- Etc…
How do I deliver payslips to my employees every month?
What are my technicians’ holiday dates?
What is the best way to share my documents?
How do I know whether my colleague is available right now or not?
Can I present my work or product remotely to a large, geographically dispersed audience as if I were there in person?
FortiMail: SMTP security
FortiDB: database security
FortiWeb: WAF security
How do I gain mobility?
- VPN connections: IPSec, SSL, L2TP, PPTP
- Virtual desktop for SSL VPN
- Captive portals
- Internet browsing & split tunneling
- End-point checking (FortiClient, Java, AX)
- Centralised administration and security of Wi-Fi access points (FortiAP)
- One-Time Password (FortiToken)
- Authentication integration: RADIUS, LDAP, AD, eDirectory
- Transparent authentication integration: AD, eDirectory
- Security within the VPN (AV, IPS, WF…)
- etc.
How do I unify my communications cheaply and effectively?
FORTINET: Genuine swiss army knife
Unified Communications: the what and the how
“There is nothing more important than our customers”
Network and UC security: who reads your IMs?
March 2011
©2011 Enterasys Networks, Inc. – All rights reserved.
What do we want from today’s network?
USER
• Mobility and security on the network
• Network performance and availability
• Support for multimedia applications
ADMINISTRATOR
• Two networks: LAN & WLAN, data & multimedia
• Manageability
• Ease of diagnosis
EXECUTIVE
• Capital expenditure
• System installation costs
• Operating expenses
A complete portfolio: open, secure, ready for mobility and convergence
STACKABLE
• Fixed configurations for switching and routing at the access and distribution layers
MANAGEMENT
• Network management with automation, visibility and control
SECURITY
• Advanced security applications, network access control, intrusion prevention, and event aggregation and management
MODULAR
• Modular switching and routing for data centre and cloud solutions
WIRELESS
• WLAN controllers, access points and unified WLAN and LAN management solutions
Award-winning services and support
The core of an intelligent network...
Software | Hardware
Delivering high performance, flexibility and the lowest TCO
• A single interface to manage WLAN and LAN
- Lower operating costs
- Maintains the integrity of the network
• Automatic configuration of the connection point
- The network adapts quickly and efficiently to the needs of the business
• More performance with lower energy consumption
- Saves power for use by the applications
• Exceptional availability and QoS
- Higher video and voice quality
Services and support
CoreFlow 2: the most powerful traffic inspection engine
• Classifies traffic and applies policies beyond layer 4
• SAN
- Allows access with iSCSI-target granularity
- Bandwidth management and monitoring at the iSCSI-target level
• IP voice and video
- Allows QoS and access control for RTP media or control flows
• Cloud
- Allows role-based access controls for services such as www.salesforce.com
- Traffic monitoring per site, such as www.youtube.com
UC security: the Enterasys value
Device detection
• 802.1X
• MAC authentication
• Convergence End Point (CEP) detection
- Source MAC
- Destination IP, layer-4 port
- LLDP-MED
- SIP, H.323, H.245
• Added location services
UC infrastructure protection
• Traffic classification at the access layer: prevention of unauthorised use and attacks on the service
- 802.1p, DiffServ, ToS
- Rate limiting
- Prioritisation
- End-to-end QoS
- Blocking of unauthorised protocols
• MAC lockdown of VoIP devices
• DoS attack control
- Session limits
- ARP spoofing
- DHCP spoofing
• Vulnerability checking: IP phones, Call Manager, voice switches
• VoIP intrusion detection (VoIP IPS): monitors attacks on voice networks
- MGCP/H.323/SIP decoders
- Detection of malformed packets
Autoconfiguration
• Automatic configuration of thousands of phones or end-points.
• Maintain autoconfiguration and mobility with security.
• Support for any scenario:
- PC and phone on different ports
- PC and phone on the same port
- PC and softphone
• Assignment of the security filters and VLAN in each case, and more:
- Who is who: mapping of MAC and IP to extension.
- Who accesses the network; protection of conversations:
- Detection of the operating systems connected to the network
- Detection of UC worms
- Protection of access to calls or signalling.
- Checking the phone’s firmware before allowing it onto the network.
Automatic configuration of UC services
[Diagram: dynamic or static provisioning of per-role policies. Roles: User & Softphone, IP Phone Privilege, Enterprise User Privilege, with Voice VLAN and Data VLAN assignments. Classified services: RTP, Instant Messaging, MGCP, VoIP Service, Email, SAP, Basic Services (DNS, DHCP, FTP), unsupported protocols & ports. Treatments: Highest Priority & Rate Limited, Highest Priority & NOT Rate Limited, High / Medium / Low Priority, Filtered. Classification by Source MAC / Dest IP and User Auth.]
Phone location services

| Location | Phone IP Address | Switch IP | Switch Port | IP Phone MAC |
|---|---|---|---|---|
| 3rd flr Boston | 192.168.4.6 | 10.192.87.5 | fe.9 | Siemens:10:1d:ff |
| 12th flr Boston | 192.168.8.5 | 10.192.86.3 | fe.18 | Siemens:f2:a1:2d |
| 12th flr Boston | 192.168.8.9 | 10.192.86.3 | fe.21 | Siemens:11:a6:5f |
| 8th flr LA West | 10.253.9.3 | 10.58.21.8 | fe.14 | Siemens:20:b8:ff |
| 1st flr LA West | 10.253.4.4 | 10.58.26.19 | fe.2 | Siemens:20:b8:fa |
| 8th flr LA West | 10.253.9.3 | 10.58.21.8 | fe.19 | Siemens:19:ab:ad |
| 12th flr Boston | 192.168.8.6 | 10.192.86.3 | fe.24 | Siemens:20:b8:ff |

[Diagram: headquarters with the Boston (3rd and 12th floor) and LA West (1st and 8th floor) sites, a NAC Gateway and Netsight management; the table is revealed one row at a time as each phone is detected.]
Secure Networks: NAC features
[Diagram: Access & Control, Detect & Locate, Respond & Remediate and Establish & Enforce Policy around the core network and the management appliance; OpenScape Voice and OpenScape DLS synchronised with the Enterasys NMS database via XML/SOAP import; physical infrastructure; mobile users; steps 1 to 3.]
Detect and locate: Enterasys detects every new connection and provides location information.
Access control: Enterasys provides extended control over:
- Access mode
- Authentication type
- Device type
- Location: switch port, SSID
- Time of the connection
- Security state of the device
Policy establishment:
- Authorises the user or the device (PC, phone, printer)
- Allows access to resources based on identity and/or the security risk of the device
Response and remediation: the software state is checked before the connection and monitored throughout the connection.
OS | LIA | Advanced security: specific benefits of NAC
OpenScape DLS:
• Downloads templates to the phones based on information obtained from the network
• e.g. speed-dial configuration
[Diagram: Siemens OpenScape DLS pushes speed-dial button templates; speed dial button 7 = #52065 at one location and #37208 at another.]
Dynamic configuration
OpenScape DLS:
• Automatic inventory update after changes
• Location of the VoIP clients in the IP infrastructure, e.g. which VoIP devices are on the 3rd floor
Asset management
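The two uses the slides give for the phone-location inventory, the floor lookup just mentioned and the location table shown earlier, as an added Python example (not Enterasys or Siemens code). The rows are the table's own; the record layout, the `phones_at` lookup and the `conflicts` check for a MAC or phone IP seen on more than one switch port are my constructions.

```python
from collections import defaultdict
from typing import NamedTuple

class PhoneRecord(NamedTuple):
    location: str
    phone_ip: str
    switch_ip: str
    switch_port: str
    mac: str

# Rows copied from the location table on the slide (the MAC notation is the slide's own).
INVENTORY_TEXT = """\
3rd flr Boston  192.168.4.6 10.192.87.5 fe.9  Siemens:10:1d:ff
12th flr Boston 192.168.8.5 10.192.86.3 fe.18 Siemens:f2:a1:2d
12th flr Boston 192.168.8.9 10.192.86.3 fe.21 Siemens:11:a6:5f
8th flr LA West 10.253.9.3  10.58.21.8  fe.14 Siemens:20:b8:ff
1st flr LA West 10.253.4.4  10.58.26.19 fe.2  Siemens:20:b8:fa
8th flr LA West 10.253.9.3  10.58.21.8  fe.19 Siemens:19:ab:ad
12th flr Boston 192.168.8.6 10.192.86.3 fe.24 Siemens:20:b8:ff
"""

def parse_inventory(text):
    """Parse whitespace-separated rows: the last four fields are phone IP, switch IP,
    switch port and MAC; everything before them is the (multi-word) location."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:          # skip blank or truncated lines
            continue
        *loc, phone_ip, switch_ip, port, mac = parts
        records.append(PhoneRecord(" ".join(loc), phone_ip, switch_ip, port, mac.lower()))
    return records

def phones_at(records, location_fragment):
    """Asset-management lookup: every phone whose location mentions the fragment."""
    return [r for r in records if location_fragment.lower() in r.location.lower()]

def conflicts(records):
    """Map ('mac'|'phone_ip', value) -> sorted attachment points for any identifier seen on
    more than one switch port. A MAC at two sites is a moved phone with a stale record or a
    cloned MAC; a phone IP on two ports is a duplicate address. Both need reconciling before
    the port is trusted as a voice endpoint (the MAC lockdown the slides describe)."""
    seen = defaultdict(set)
    for r in records:
        point = (r.location, r.switch_ip, r.switch_port)
        seen[("mac", r.mac)].add(point)
        seen[("phone_ip", r.phone_ip)].add(point)
    return {key: sorted(points) for key, points in seen.items() if len(points) > 1}
```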
Unique capabilities together with flexibility and security
• The integration of WLAN and LAN security minimises the cost of UC security
- Optimises efficiency and reduces costs
- Maintains the integrity of the network without redesigns
• Support for any vendor through integration APIs
- Allows any UC solution to be supported with minimal effort
• Security distributed across the network
- Adapts quickly and efficiently to specific needs
• Unique reliability and QoS
- Better voice and video quality
• Simplicity and automation of configuration
- Reduces deployment costs, guarantees security
Visit us at: www.enterasys.com