Veraz Networks Proprietary and Confidential
Veraz proprietary information notice: This document and the contents therein are the property of Veraz Networks Inc. Any duplication, reproduction, or transmission to unauthorized parties without prior written permission of Veraz Networks Inc. is prohibited. The recipient of this document, by its retention and use, agrees to protect the information contained herein from loss, theft, or transfer to third parties.
Security - The Big Challenge of IP Telephony
February 2003
Yaron Oppenheim
Director – Product Marketing
Agenda
The Problem
Why is it critical?
It should be protected & it can be protected
Vulnerability points
Security strategy and measures
  MG
  Control Switch
  Control protocol - MGCP
  Inter Control Switch communication
  The voice itself
  Management activity
Veraz – An introduction
[Figure: world map with location labels: Mexico City, Hong Kong, Beijing, Frankfurt, Israel, Singapore, London, Paris, Sydney, Fort Lauderdale, India, Virginia, Russia, Turkey, South Africa, Korea, Malaysia, Taiwan, Spain, Japan, Finland, Morocco, Argentina, Brazil, Chile, Philippines]
Veraz is a privately held company formed by the merger of ECI-NGTS and Nexverse Networks
Global provider of end-to-end, carrier-grade Packet Telephony solutions
  Best-in-Class Integrated Solution
  Open, Best-of-Breed Softswitch & Media Gateway platforms
  Driving some of the largest softswitch-based VoIP deployments in the market
Market leader for carrier-class Digital Compression Multiplexing Equipment (DCME)
  Over $2B installed base
  Over 700 carrier customers in 140 countries
  Current & on-going revenue stream
Global Presence and Track Record
  20 years of experience in delivering solutions to carriers worldwide
  100% ownership of advanced DSP technology
  Global sales & support infrastructure
The Problem
Attacks on the Internet
  38% of the organization’s Web sites suffered unauthorized access or misuse within the last 12 months
  Government Web site – thousands of attacks per day
Fraud on the Internet
  The main obstacle to e-commerce
Money that is lost
Money that is invested in securing IT installations
Growing segment in a recessionary period
Is IP Telephony much different?
IP Telephony network
[Figure: network diagram. Labels: ControlSwitch, I-Gate 4000, IP/ATM Network, Feature Server, SIP Proxy/Feature Server, H.323 Gateway, H.323 Gatekeeper, IAD, PBX, Enterprise, Residence/Branch/SMB, SIP Devices, 3G Mobile, PDA, PSTN (SS7/SCP/STP), Wireless PSTN (MSCs, SS7/SCP/STP/HLR). Protocols shown: MGCP, SIP, H.323, SIP/H.323/XML/JCC, IS-41, ANSI/ETSI/ITU/UK/Japan SS7 ISUP/TCAP.]
Potential Threats to Network Security
Intranet and Internet
  Most of the intruders – from within the organization
Internal threats
  Disgruntled employees
  Social engineering
  Former employees
External threats
  Hackers
  Hacking by mistake
Typical Security Attacks
Unauthorized access
Denial of Service (DoS)
Eavesdropping
Masquerade
Modification of information
  Content modification
  Sending the information at another time
Information theft
Why is it critical?
Because:
  A lot of money can be lost
  The image of the company is a high priority
It should be protected & it can be protected
IP Telephony will not be widely deployed without a reasonable security solution!
Security – you have to protect 360°
The hacker needs only one vulnerability point.
[Figure: the IP Telephony network diagram, repeated on this slide]
Vulnerability points
[Figure: diagram of vulnerability points. Labels: CCP/SG, VerazView, CDR, EC, RE, I-Gate 4000 Pro, I-Gate 4000, IP Network, Internet/Intranet. Protocols shown: MGCP, CMI, SNMP, HTTP, RTP.]
You have to protect them all
Call Control Element (CCE)
Signaling Gateway (SG)
Routing engine (RE)
Event Collector (EC)
CDR Manager
Management
Media Gateway (I-Gate 4000/PRO)
Management System (VerazView)
Links between elements
Defense strategy
Access to the IP Telephony Network Element is allowed by using the MANAGEMENT SYSTEM only
The Management System should be highly secured
ALL the information traveling from NE to NE (and from the MS to NE) should be encrypted and authenticated.
MG security
The only way to access the Media Gateway is by using the management system.
Blocking unnecessary protocols
  HTTP, Telnet, etc.
Protecting the MG from unauthorized access
Firewall functionality
  Predefined list of IPs
  Predefined protocols
  Application (MGCP) aware
Location of the Firewall
[Figure labels: I-Gate 4000 Pro, I-Gate 4000, IP Network]
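The three firewall properties on this slide (predefined source IPs, predefined protocols, MGCP awareness), modelled as an added Python example that is not part of the original presentation. The addresses, the use of UDP port 2427 (the RFC 3435 default gateway port) and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed policy values (not from the slides): softswitch addresses and the
# RFC 3435 default MGCP port on the gateway side.
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.10/32"),
                   ipaddress.ip_network("192.0.2.11/32")]
ALLOWED_SERVICES = {("udp", 2427)}   # everything else (HTTP, Telnet, ...) is dropped
# Standard RFC 3435 verbs only; extension verbs are rejected by this strict list.
MGCP_VERBS = {"EPCF", "CRCX", "MDCX", "DLCX", "RQNT",
              "NTFY", "AUEP", "AUCX", "RSIP"}


def mgcp_header_ok(payload: bytes) -> bool:
    """Application-aware check: the first line must be a well-formed MGCP
    command ("VERB txid endpoint MGCP 1.0") or response ("200 txid ...")."""
    try:
        first = payload.split(b"\n", 1)[0].decode("ascii").strip()
    except UnicodeDecodeError:
        return False
    parts = first.split()
    if len(parts) >= 2 and len(parts[0]) == 3 and parts[0].isdigit():
        return parts[1].isdigit()                  # response line
    if len(parts) < 4:
        return False
    verb, txid, endpoint, proto = parts[:4]
    return (verb.upper() in MGCP_VERBS
            and txid.isdigit() and 1 <= int(txid) <= 999_999_999
            and "@" in endpoint and proto.upper() == "MGCP")


def filter_packet(src: str, proto: str, dport: int, payload: bytes) -> str:
    """Return 'accept' or a drop reason, checking in the slide's order."""
    addr = ipaddress.ip_address(src)
    if not any(addr in net for net in ALLOWED_SOURCES):
        return "drop: source not in predefined list"
    if (proto, dport) not in ALLOWED_SERVICES:
        return "drop: protocol not allowed"
    if not mgcp_header_ok(payload):
        return "drop: not valid MGCP"
    return "accept"


# Constructed sample payload (not captured traffic).
CRCX = b"CRCX 1204 aaln/1@gw1.example.net MGCP 1.0\nC: A3C47F21\nM: recvonly\n"
```

A source and port filter alone would pass any UDP payload from an allowed address to port 2427; the header check is what makes the filter application aware.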
Control Switch elements
Unix-based elements
[Figure labels: CCP, SG, EMS, CDR, EC, RE]
Access to the IP Telephony Network Element is allowed by using the MANAGEMENT SYSTEM only
Block unnecessary protocols
Access control
Firewall
MGCP, H.248
IPsec – the de facto standard – provides protection (encryption & authentication) for each IP packet