Security Challenges in the Enterprise - PowerPoint PPT Presentation

About This Presentation
Title:

Security Challenges in the Enterprise

Description:

Security Challenges in the Enterprise Panelists Franchesca Walker, Director Enterprise Solutions Foundry Networks Eric Winsborrow, CMO Sipera Systems Shrikant ... – PowerPoint PPT presentation

Slides: 20
Provided by: LMEL
Transcript and Presenter's Notes

Title: Security Challenges in the Enterprise


1
Security Challenges in the Enterprise
2
Panelists
  • Franchesca Walker, Director Enterprise Solutions,
    Foundry Networks
  • Eric Winsborrow, CMO, Sipera Systems
  • Shrikant Latkar, Sr. Mgr. Solutions Marketing,
    Juniper Networks
  • Mark Ricca, Sr. Analyst and Founding Partner,
    IntelliCom Analytics

3
Security: Continued Strong Growth
Integrated Security Solutions Forecast (Global,
All Size Businesses)
[Chart: forecast by year, 2005 to 2010; vertical axis in B, 0 to 6.0; annotations: 9.2% CAGR Overall, 10.7% CAGR Remote / SoHo; per-year values not recoverable]
4
Security Challenges in the Enterprise
  • Franchesca Walker, Marketing Director of
    Enterprise Solutions, Foundry Networks, Inc

5
Many Malicious Attack Vectors & Vulnerabilities at each Layer
Melissa Virus
Sasser Worm
SQL Slammer Worm
Deep Throat
SoBig Worm
TROJANS
VIRUSES
WORMS
CodeRed Worm
Nimda Virus/Worm
SPAM
MyDoom Worm
p2p Traffic
Application Attacks
Malicious TCP Packets
SIP DoS Attack
Rogue DHCP & DNS
ROGUE SERVICES
UDP/TCP DOS ATTACKS
UDP/TCP PROTOCOL ATTACKS
TCP TTL Attack
TCP Timestamp Attack
TCP Ack Flood Attack
TCP Syn Flood Attack
Transport Layer Attacks
False Route Injection
IP Port Scan
ICMP Smurf Attack
ICMP Flood Attack
NETWORK SERVICE ATTACKS
ROUTING PROTOCOL ATTACKS
L3 DOS ATTACKS
BGP TTL Security Hole
DHCP Starvation
Network Layer Attacks
ARP Poisoning
Port Scan
MAC Flood Attack
Port DoS Attack
Rogue Wireless AP
VLAN Flood Attack
L2 DOS ATTACKS
L2 SERVICE ATTACKS
L2 ROGUE SERVICES
CPU Rate Attack
Datalink Layer Attacks
Private VLAN Attack
VLAN Hopping
CAM Table Overflow Attack
6
Converged Voice & Data Security
sFlow-based Anomaly & Signature Defense
Zero-Day Anomaly IDS
Signature IDS
Open Source Applications
Closed Loop Security
Traffic Samples (sFlow)
Traffic Samples (sFlow)
NMS
App Web Servers
Threat Control
Integrated Switch and AP Security Features
  • DoS attack protection
  • CPU protection
  • Rate limiting
  • Hardware-based ACLs
  • DHCP, ARP, IP spoof protection
  • Rogue AP detection & suppression
  • Access policy enforcement
  • Threat control enforcement
  • Embedded sFlow traffic monitoring
Access Policy
Radius, DNS, DHCP
Network Switches, Routers, Access Points
Call Manager
Multiple endpoints: IEEE 802.1x, MAC Authentication
7
Convergence Network Security
  • Allow only authorized users on the network
      • Authentication based on IEEE 802.1x, MAC address
  • Control who has access to specific resources
      • 802.1q VLANs
  • Stop unauthorized traffic without impacting
    network performance
      • ASIC based, wire-speed ACLs
  • Protect against security threats and DoS attacks
      • Network-wide monitoring (e.g. sFlow)
      • Threat detection and mitigation
      • Rate limiting of known packet types
      • Closed-loop mitigation using centralized IDS
        equipment and applications

8
Enterprise VoIP Security Challenges
  • Eric Winsborrow, CMO, Sipera Systems

9
Risk Management approach to Security
Lower Risk Profile and Prioritization
Optimum Prioritization
Point of Diminishing Returns
Threat Potential
Security Priority and Spending
10
The Need to Extend VoIP
[Diagram: Voice/Data Center(s) with IP PBXs, SIP Trunk, WAN/VISP, Soft phones, Headquarters]
11
Extending VoIP - Challenges
[Diagram: Voice/Data Center(s) with IP PBXs, SIP Trunk, WAN/VISP, Soft phones, Headquarters; callouts listed below]
  • Strong authentication of device & user
  • Opening wide range of IP/UDP ports violates
    security policy
  • Policy enforcement & access control
  • Confidentiality/Privacy of signaling & media
  • Protect IP PBX & phones
  • Refresh UDP pinhole in remote/home firewall
  • Phone configuration management
12
Risk Management approach to VoIP/UC
  • Sipera VIPER Labs
      • Vulnerability Research
      • Threat signature development
      • LAVA Tools
  • Sipera VIPER Consulting
      • VoIP/UC vulnerability assessment
      • Best practices consultation
      • Security workshops
  • Comprehensive Protection for real-time
    communications
      • DoS/Floods prevention
      • Fuzzing prevention
      • Anomaly detection/Zero-Day attacks
      • Stealth attacks
      • Spoofing prevention
      • Reconnaissance prevention
      • VoIP Spam
  • Policy Compliance
      • Call routing policies
      • Whitelists/Blacklists
      • Fine-Grained Policies by User, Device,
        Network, ToD
      • Application controls
      • IM logging and content filtering
      • Compliance reporting
  • Secure Access
      • Strong User authentication
      • Call Admission Control
      • Firewall/NAT traversal
      • Privacy and Encryption
      • Secure firewall channel

13
Conclusion
  • Benefits of Unified Communications increase if
    VoIP network is extended
  • But an enterprise needs to solve many issues
      • Privacy and authentication, firewall/NAT
        traversal, policy enforcement, VoIP application
        layer threats
  • A Security Risk Management approach is needed
      • Elevate VoIP/UC in priority if using SIP or
        extending VoIP
      • Engage experts for best practices and risk
        evaluation
      • Create policies and protection specific to VoIP/UC

14
VoIP Security
IT Expo East 2008
Shrikant Latkar, shri_at_juniper.net
15
Concerns when Deploying VoIP
[Bar chart, axis: Percentage; values not recoverable. Concerns listed:]
  • Not enough people to plan, design, implement, and
    manage VoIP
  • Concerns about interoperability between vendors'
    equipment
  • Concerns about security
  • Lack of budget
  • Systems for managing and troubleshooting VoIP
    quality
Source: 2005/2006 VoIP State of the Market
Report, Produced by Webtorials
16
Securing Voice is Critical
17
Evolving SIP Security
  • Exploits will become more creative - Newer
    exploits are at Layer 7
  • Current security doesn't address all attacks
  • SBCs cannot defend against many SIP
    vulnerabilities as the attack levels scale/grow
  • Need to evolve security to be scalable and more
    attack aware
      • Customized attack defenses specific for your
        environment
      • Rapid time between exploit found and defense
        deployed
      • Able to handle high volumes of attacking packets

Most Attacks
Smarter Attacks
Smartest Attacks
Application Aware Intrusion Prevention
Router Filters IP Spoof Detection DOS Filters
Stateful Firewall Protocol ALG
18
Firewall
  • Protocols: SIP, H323 (RAS, Q931, H245), MGCP,
    Skinny
  • Identification done by L4 port number (static)
  • Functions: NAT, State checks, pinhole, anomalies,
    drop malformed packets
  • VoIP session correlation (beyond L3/L4)
  • Application Screening: Flood attacks
  • Coarser control: enable/disable all checks

IPS/IDP
  • Protocols: SIP, H225RAS, H225SGN, MGCP
  • Identification based on application data (PIAI)
  • Functions: Protocol State, anomalies (more than
    FW checks), SIP sigs > 50
  • Custom signatures can be done
  • Logging (provides visibility)
  • Flexibility in enabling signatures driven by
    policy
19
Defense Against VoIP Security Threats
[Table with three columns: VoIP Security Threat, Ramifications, Defense Technology]
  • VoIP Security Threat: DoS attack on PBX, IP Phone or gateway
      • Ramifications: All voice communications fail
      • Defense Technology: FW with SIP attack protection; IPS with SIP
        sigs/protocol anom
  • VoIP Security Threat: Unauthorized access to PBX or voice mail system
      • Ramifications: Hacker listens to voice mails, accesses call
        logs, company directories, etc.
      • Defense Technology: Zones, ALGs, policy-based access control
  • VoIP Security Threat: Toll fraud
      • Ramifications: Hacker utilizes PBX for long-distance calling,
        increasing costs
      • Defense Technology: VPNs, encryption (IPSec or other)
  • VoIP Security Threat: Eavesdropping or man-in-the-middle attack
      • Ramifications: Voice conversations unknowingly intercepted and
        altered
      • Defense Technology: VPNs, encryption (IPSec or other)
  • VoIP Security Threat: Worms/trojans/viruses on IP phones, PBX
      • Ramifications: Infected PBX and/or phones rendered useless,
        spread problems throughout network
      • Defense Technology: Policy based access control; IPS with SIP protocol
        anomaly and stateful signatures
  • VoIP Security Threat: IP phone spam
      • Ramifications: Lost productivity and annoyance
      • Defense Technology: FW/ALGs, SIP attack prevention, SIP source IP
        limitations, UDP Flood Protection
20
Q&A
Additional VoIP resources available at
www.juniper.net