Securing Cloud Telephony
SpeechTEK 2009
Dan York, CISSP, Director of Conversations, Voxeo; Best Practices Chair, VoIP Security Alliance (VOIPSA), [email protected]
May 19, 2015
Security concerns in telephony are not new…
Image courtesy of the Computer History Museum
Nor are our attempts to protect against threats…
Image courtesy of Mike Sandman – http://www.sandman.com/
Privacy
Compliance
Cost Avoidance
Availability
Business Continuity
Confidence
Mobility
TDM security is relatively simple...
(Diagram: TDM Switch, PSTN Gateways, Physical Wiring, Voicemail, IVR, Databases/Directories, E-mail Systems, Web Servers)
VoIP security is more complex
(Diagram: Operating Systems, Firewalls, Desktop PCs, Voice over IP, Network Switches, Wireless Devices, IVR, PSTN Gateways, Instant Messaging, Standards, Internet; Confidentiality / Integrity / Availability)
Voice Application Diagram
(Diagram: Phone --phone audio--> Voice Browser (on server) --HTTP, VoiceXML or CCXML--> Web Server (PHP, Perl, Python, Java, Ruby, servlets) --XML--> App/DB Server?)
Voice Transport
(Voice application diagram, repeated)
(Diagram, voice transport paths to the Voice Browser (on server): PSTN -> Phone; PSTN -> PBX -> Phone over TDM; PSTN -> IP-PBX -> Phone over SIP; PSTN -> SIP Service Provider -> Phone over SIP across the Internet/WAN; Phone -> Voice Browser directly over SIP)
Voice Transport - SIP
(Voice transport diagram repeated; this slide concerns the SIP legs: IP-PBX, SIP Service Provider across the Internet/WAN, and direct SIP to the Voice Browser)
Voice Authentication
(Voice application diagram, repeated)
Who are you talking to?
Voice Biometrics
(Voice application diagram with a Voice Biometrics Authentication Server added)
Web Transport
(Voice application diagram, repeated; the Voice Browser to Web Server HTTP/VoiceXML/CCXML leg is the subject)
App/DB Server Transport
(Diagram: App/DB Server? -- Web Server link)
Server Security
(Voice application diagram, repeated)
Management Interfaces
(Voice application diagram, repeated)
APIs
(Voice application diagram, repeated)
Local Storage / Logging
(Voice application diagram, repeated)
Call Recording
(Voice application diagram, repeated)
Web Interaction - Authentication
(Voice application diagram, repeated; the Web Server is the subject)
Web Interaction - XSS/Injection
(Voice application diagram, repeated; the Web Server is the subject)
Input validation?
External Interaction
(Voice application diagram, repeated; the App/DB Server? and its external connections are the subject)
Moving Into The Cloud
Location - Single network/server
(Voice application diagram, repeated: all components on a single network/server)
Location - Distributed
(Diagram, shown across two build slides: the voice application components (Phone, Voice Browser, Web Server, App/DB Server) split across separate networks/servers)
Location - Into the cloud
(Voice application diagram, repeated: the components placed in the cloud)
Location - Distributed/Cloud
(Diagram, shown across two build slides: the voice application components split between distributed servers and the cloud)
Location - Hybrid
(Diagram: the voice application components split between on-premise servers and the cloud)
Can You Trust The Cloud To Be There?
Location/network questions
• What level of network connectivity do you have available?
• What kind of availability guarantees / Service Level Agreements (SLAs) do you have in place?
• What kind of geographic redundancy is built into your underlying network?
• What kind of network redundancy is built into your underlying network?
• What kind of physical redundancy is built into your data centers?
• What kind of monitoring do you perform?
• What kind of scalability is in the cloud computing platform?
• What kind of security, both network and physical, is part of the platform?
• What kind of security policies and procedures are in place?
• What kind of patch management plans?
• Will firewall traversal be necessary (for instance, for a SIP trunk) and if so, how?
• How scalable is the solution?
• Do you have appropriately-trained and available staff?
Distributed Architectures
(Diagram: Phone --phone audio--> Voice Browser (on server) -> Web Server -> App/DB Server, with an ASR server attached to the Voice Browser over MRCP and a second App/DB Server; components spread across different geographies)
Geography
Confidentiality / Integrity / Availability
Thank you!
Dan York, CISSP, Director of Conversations, Voxeo; Best Practices Chair, VoIP Security Alliance (VOIPSA), [email protected]