Veraz Networks Proprietary and Confidential 1 * Veraz proprietary information notice: This document and the contents therein are the property of Veraz Networks Inc. Any duplication, reproduction, or transmission to unauthorized parties without prior written permission of Veraz Networks Inc. is prohibited. The recipient of this document, by its retention and use, agrees to protect the information contained herein from loss, theft, or transfer to third parties.

Slide 1: proprietary information notice (as above)

Slide 2

Security - The Big Challenge of IP Telephony

February 2003

Yaron Oppenheim

Director – Product Marketing

Slide 3

Agenda

- The Problem
- Why is it critical?
- It should be protected & it can be protected
- Vulnerability points
- Security strategy and measures:
  - MG
  - Control Switch
  - Control protocol - MGCP
  - Inter Control Switch communication
  - The voice itself
  - Management activity

Slide 4

[World map of Veraz locations: Mexico City, Hong Kong, Beijing, Frankfurt, Israel, Singapore, London, Paris, Sydney, Fort Lauderdale, India, Virginia, Russia, Turkey, South Africa, Korea, Malaysia, Taiwan, Spain, Japan, Finland, Morocco, Argentina, Brazil, Chile, Philippines]

Veraz – An introduction

Veraz is a privately held company formed by the merger of ECI-NGTS and Nexverse Networks

- Global provider of end-to-end, carrier-grade Packet Telephony solutions
  - Best-in-class integrated solution
  - Open, best-of-breed Softswitch & Media Gateway platforms
  - Driving some of the largest softswitch-based VoIP deployments in the market
- Market leader for carrier-class Digital Compression Multiplexing Equipment (DCME)
  - Over $2B installed base
  - Over 700 carrier customers in 140 countries
  - Current & on-going revenue stream
- Global presence and track record
  - 20 years of experience in delivering solutions to carriers worldwide
  - 100% ownership of advanced DSP technology
  - Global sales & support infrastructure

Slide 5

The Problem

- Attacks on the Internet
  - 38% of the organization's Web sites suffered unauthorized access or misuse within the last 12 months
  - Government Web site – thousands of attacks per day
- Fraud on the Internet – the main obstacle to e-commerce
- Money that is lost
- Money that is invested in securing IT installations
- Growing segment in a recessionary period
- Is IP Telephony much different?

Slide 6

IP Telephony network

[Network diagram: the ControlSwitch at the centre, talking MGCP to I-Gate 4000 media gateways and to enterprise PBX/IAD and residence/branch/SMB IADs; SIP to SIP proxy/feature servers and SIP devices; H.323 to an H.323 gateway and gatekeeper; SIP/H.323/XML/JCC to feature servers; SS7 ISUP/TCAP (ANSI/ETSI/ITU/UK/Japan) to the PSTN via SS7/SCP/STP; IS-41 to the wireless PSTN (MSCs) via SS7/SCP/STP/HLR; 3G mobile and PDA users; all over an IP/ATM network]

Slide 7

Potential Threats to Network Security

Intranet and Internet: most of the intruders come from within the organization

Internal threats:
- Disgruntled employees
- Social engineering
- Former employees

External threats:
- Hackers
- Hacking by mistake

Slide 8

Typical Security Attacks

- Unauthorized access
- Denial of Service - DoS
- Eavesdropping
- Masquerade
- Modification of information
  - Content modification
  - Sending the information at another time
- Information theft

Slide 9

Why is it critical?

Because:
- A lot of money can be lost
- The image of the company is a high priority

Slide 10

It should be protected & it can be protected

IP Telephony will not be widely deployed without a reasonable security solution !

Slide 11

Security – you have to protect 360°

The hacker needs only one vulnerability point.

[Same network diagram as slide 6: ControlSwitch, MGCP/SIP/H.323 endpoints, feature servers, PSTN and wireless PSTN via SS7, 3G mobile/PDA, SIP devices, I-Gate 4000 media gateways over the IP/ATM network; every element and link is a potential vulnerability point]

Slide 12

Vulnerability points

[Diagram: CCP/SG, VerazView, CDR, EC and RE on the IP network; I-Gate 4000 Pro and I-Gate 4000 media gateways reached over the Internet/Intranet; protocols marked on the links: MGCP, CMI, SNMP, HTTP, RTP]

Slide 13

You have to protect them all

- Call Control Element (CCE)
- Signaling Gateway (SG)
- Routing Engine (RE)
- Event Collector (EC)
- CDR Manager
- Management
- Media Gateway (I-Gate 4000/Pro)
- Management System (VerazView)
- Links between elements

Slide 14

Defense strategy

- Access to the IP Telephony Network Element is allowed by using the MANAGEMENT SYSTEM only
- The Management System should be highly secured
- ALL the information traveling from NE to NE (and from the MS to NE) should be encrypted and authenticated.

Slide 15

MG security

- The only way to access the Media Gateway is by using the management system
- Blocking unnecessary protocols: HTTP, Telnet, etc.
- Protecting the MG from unauthorized access
- Firewall functionality:
  - Predefined list of IPs
  - Predefined protocols
  - Application (MGCP) aware
- Location of the firewall

[Diagram: I-Gate 4000 Pro and I-Gate 4000 on the IP network, with the firewall in front of the media gateways]
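The "firewall functionality" on this slide (a predefined list of IPs, predefined protocols, and MGCP awareness) as an added Python example. This is illustrative code written for this page, not Veraz or I-Gate 4000 code. It assumes the MGCP default UDP ports from RFC 3435 (2427 on the gateway side, 2727 on the call-agent side) and the MGCP request-line layout; the addresses, the management-host list, the management protocols accepted and the sample packets are constructed.

```python
"""Added example, not Veraz code: an allowlist filter of the kind slide 15
calls "firewall functionality" in front of a media gateway.
Assumptions: MGCP default UDP ports from RFC 3435 (2427 gateway side,
2727 call-agent side); addresses, management hosts and packets are
constructed for the example."""
from dataclasses import dataclass
import ipaddress

MGCP_GATEWAY_PORT = 2427        # RFC 3435 default port a gateway listens on
MGCP_CALL_AGENT_PORT = 2727     # RFC 3435 default port of the call agent

# Commands a gateway legitimately receives from its call agent (RFC 3435).
# NTFY and RSIP travel the other way, so they never enter the gateway.
MGCP_VERBS_TO_GATEWAY = {"CRCX", "MDCX", "DLCX", "RQNT", "AUEP", "AUCX", "EPCF"}


@dataclass(frozen=True)
class Packet:
    src: str          # source IP address
    dst_port: int     # destination port on the gateway
    proto: str        # "udp" or "tcp"
    payload: bytes


class GatewayFirewall:
    """Default-deny filter: predefined IPs, predefined protocols, MGCP-aware."""

    def __init__(self, call_agents, management_hosts):
        self.call_agents = {ipaddress.ip_address(a) for a in call_agents}
        self.management_hosts = {ipaddress.ip_address(a) for a in management_hosts}
        # The only management protocols accepted, and only from the
        # management system (slide 14). HTTP and Telnet are not listed.
        self.management_rules = {("udp", 161), ("tcp", 443)}   # SNMP, HTTPS

    def decide(self, pkt: Packet):
        """Return (allowed, reason) for one inbound packet."""
        src = ipaddress.ip_address(pkt.src)
        if pkt.proto == "udp" and pkt.dst_port == MGCP_GATEWAY_PORT:
            if src not in self.call_agents:
                return False, "MGCP from an address not in the call-agent list"
            return self._check_mgcp(pkt.payload)
        if (pkt.proto, pkt.dst_port) in self.management_rules:
            if src in self.management_hosts:
                return True, "management protocol from the management system"
            return False, "management protocol from a non-management host"
        return False, f"{pkt.proto}/{pkt.dst_port} is not a predefined protocol"

    @staticmethod
    def _check_mgcp(payload: bytes):
        """Application-aware part: accept only a well-formed request whose verb
        a gateway is meant to receive."""
        try:
            request_line = payload.split(b"\n", 1)[0].decode("ascii")
        except UnicodeDecodeError:
            return False, "MGCP request line is not ASCII"
        fields = request_line.split()
        # Request line layout: <verb> <transaction id> <endpoint> MGCP <version>
        if len(fields) != 5 or fields[3].upper() != "MGCP":
            return False, "malformed MGCP request line"
        verb, txid = fields[0].upper(), fields[1]
        if verb not in MGCP_VERBS_TO_GATEWAY:
            return False, f"MGCP verb {verb} is not accepted by a gateway"
        if not (txid.isdigit() and 1 <= int(txid) <= 999_999_999):
            return False, "MGCP transaction id out of range"
        return True, f"MGCP {verb} from the call agent"


if __name__ == "__main__":
    fw = GatewayFirewall(call_agents=["192.0.2.20"], management_hosts=["198.51.100.5"])
    samples = [  # constructed packets
        Packet("192.0.2.20", 2427, "udp", b"CRCX 1204 aaln/1@mg.example.net MGCP 1.0\nC: A3C47F21\n"),
        Packet("203.0.113.9", 2427, "udp", b"CRCX 1 aaln/1@mg.example.net MGCP 1.0\n"),
        Packet("192.0.2.20", 2427, "udp", b"NTFY 2 aaln/1@mg.example.net MGCP 1.0\n"),
        Packet("198.51.100.5", 23, "tcp", b""),
        Packet("198.51.100.5", 161, "udp", b"\x30\x26"),
    ]
    for p in samples:
        print(p.src, p.proto, p.dst_port, fw.decide(p))
```

Run as a script to see the five decisions: only the CRCX from the listed call agent and the SNMP query from the management host are allowed; MGCP from an unknown address, a gateway-to-agent verb (NTFY) arriving inbound, and Telnet are all dropped. The application-aware check reads only the request line, so a real filter in front of a gateway would also bound message size and request rate to limit denial of service.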

Slide 16

Control Switch elements

- Access to the IP Telephony Network Element is allowed by using the MANAGEMENT SYSTEM only
- Block unnecessary protocols
- Access control
- Firewall

[Diagram: the Unix-based elements (SG, EMS, CDR, EC, RE) and the CCP]

Slide 17

MG – Call Control Platform channel (MGCP, H.248)

- IPsec – the de facto standard – provides protection (encryption & authentication) to each IP packet
- Authentication, integrity, confidentiality
- IPsec – Authentication Header (AH)
- IPsec – Encapsulating Security Payload (ESP)
- IKE – Internet Key Exchange (RFC 2409): session key, long-term key

[Diagram: CCP/SG, VerazView, CDR, EC and RE on the IP network; the MGCP link to the I-Gate 4000 Pro and I-Gate 4000 media gateways crosses the Internet/Intranet and is the channel IPsec protects]
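As an added illustration of what per-packet protection buys the MG to call-control channel, the following Python models two of the services the slide attributes to IPsec AH/ESP: a per-packet integrity check under a session key and an anti-replay sliding window (the "sending the information at another time" attack from slide 8). It is a teaching model written for this page, not IPsec and not Veraz code; the session key, the 64-packet window and the sample MGCP messages are constructed.

```python
"""Added example, not Veraz or IPsec code: a minimal model of per-packet
authentication and anti-replay, the services IPsec AH/ESP give each packet
on the MG to call-control channel. Key, window size and messages are
constructed for this example."""
import hashlib
import hmac
import struct

TAG_LEN = 32    # HMAC-SHA256 tag
SEQ_LEN = 4     # 32-bit sequence number, as in AH/ESP


class AuthenticatedChannel:
    """One direction of a channel shared by a sender and a receiver that hold
    the same session key (in IPsec the key would come from IKE)."""

    WINDOW = 64     # anti-replay window, same idea as the IPsec sliding window

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.send_seq = 0
        self.highest_seen = 0
        self.seen_bitmap = 0    # bit i set => packet (highest_seen - i) received

    def protect(self, payload: bytes) -> bytes:
        """Sender side: prepend a fresh sequence number, append a MAC over both."""
        self.send_seq += 1
        header = struct.pack("!I", self.send_seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def verify(self, packet: bytes):
        """Receiver side: return the payload, or None if the packet is rejected
        because it was modified, forged, replayed or is too old."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = packet[:SEQ_LEN], packet[SEQ_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None             # integrity/authentication failure
        seq = struct.unpack("!I", header)[0]
        if seq == 0:
            return None             # sequence numbers start at 1
        if seq > self.highest_seen:
            # Slide the window forward and mark the new packet as seen.
            shift = seq - self.highest_seen
            self.seen_bitmap = ((self.seen_bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest_seen = seq
            return payload
        offset = self.highest_seen - seq
        if offset >= self.WINDOW:
            return None             # older than the window: treat as replay
        if (self.seen_bitmap >> offset) & 1:
            return None             # already received: replay
        self.seen_bitmap |= 1 << offset
        return payload              # late but genuine, accepted once


if __name__ == "__main__":
    key = b"constructed-session-key-for-the-example"
    call_agent, gateway = AuthenticatedChannel(key), AuthenticatedChannel(key)
    p1 = call_agent.protect(b"CRCX 1 aaln/1@mg.example.net MGCP 1.0\n")
    p2 = call_agent.protect(b"MDCX 2 aaln/1@mg.example.net MGCP 1.0\n")
    print("reordered:", gateway.verify(p2), gateway.verify(p1))
    print("replay:   ", gateway.verify(p1))
    print("tampered: ", gateway.verify(p1[:SEQ_LEN] + b"DLCX" + p1[SEQ_LEN + 4:]))
```

Two points the model makes visible: the MAC covers the sequence number, so an attacker cannot renumber a captured packet to slip it past the window; and a late but genuine packet inside the window is accepted exactly once. Real IPsec (RFC 4303) does a preliminary window check before the integrity check to shed replayed traffic cheaply and only updates the window after the integrity check succeeds; this model checks the MAC first for simplicity.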

Slide 18

IPsec implementation

- External boxes: Check Point, Symantec, Cisco
- Embedded implementation
- Pros & cons: vulnerability, cost, management

Slide 19

Control Switch elements comm.

CMI communication:
- CCP - EC
- CCP - SG
- CCP - RE
- EC - CDR manager

[Diagram: CCP/SG, EMS, CDR, EC and RE on the IP network; I-Gate 4000 Pro and I-Gate 4000 media gateways reached over the Internet/Intranet]

Slide 20

Voice - RTP

- SRTP
- IPsec

[Diagram: media gateways exchanging RTP across the IP network]

Slide 21

Management System Security

The Management System is the gate to the system…

Slide 22

MS Architecture

Management System Server:
- Management server
- Database server
- High availability

WBM client:
- Operating-system independent
- Web browser graphical user interface
- Does not require installation

[Diagram: PCs with a Web browser (clients) connect over the WAN to the VerazView Server, which manages the I-Gate 4000 media gateways and the Control Switch elements]

Slide 23

Vulnerability Points

Management System – Network Elements channel:
- Eavesdropping
- Information theft

MS Server:
- Intrusion
- D.O.S.
- Masquerade
- Modification of information

MS WBM client and connection:
- Eavesdropping
- Intrusion
- Information theft

Vulnerability at one of the VoIP elements can harm the entire IP Telephony network

[Diagram: Mgmt. System WBM client and Mgmt. System Server (VerazView) across the Internet/Intranet; Control SW, SG and I-Gate 4000 on the IP network]

Slide 24

Access Control

- User ID and password – much more than that!
- Validity of user IDs
- Password generation
- Password validity rules:
  - Length
  - Structure
  - Time to live
  - Password history
- Forced password change
- Prevent repetitive intrusion attempts
- Inform the user of the previous login time
- User's access levels
- Etc. etc…
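The access-control rules on this slide as an added Python model: length and structure rules, a password history, a time to live with forced change, a lockout after repeated failed attempts, and the "previous login" notice. This is illustrative code written for this page, not VerazView code; the thresholds (12 characters, 5 remembered passwords, 90-day lifetime, 5 attempts, 15-minute lockout) and the sample users are constructed.

```python
"""Added example, not Veraz code: a small model of the access-control rules
listed on slide 24. Thresholds and users are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 12                   # length rule
HISTORY_SIZE = 5                  # password history
PASSWORD_TTL = 90 * 24 * 3600     # time to live, seconds
MAX_FAILURES = 5                  # repetitive intrusion attempts before lockout
LOCKOUT_SECONDS = 15 * 60


def policy_errors(password: str) -> list:
    """Structure rules: minimum length, mixed character classes, no runs."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        errors.append("needs at least three of: lower, upper, digit, symbol")
    if re.search(r"(.)\1\1", password):
        errors.append("contains a character repeated three times in a row")
    return errors


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the history never stores the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str
    access_level: str = "operator"             # user's access level
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # hashes, most recent first
    password_set_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0
    last_login: Optional[float] = None


class AccessControl:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock, so the rules can be tested
        self.accounts = {}

    def create_user(self, user_id, password, access_level="operator"):
        acct = Account(user_id=user_id, access_level=access_level)
        self.accounts[user_id] = acct
        errors = self.set_password(acct, password)
        if errors:
            raise ValueError("; ".join(errors))
        return acct

    def set_password(self, acct: Account, new_password: str) -> list:
        """Apply the validity rules and the history; return the rule violations."""
        errors = policy_errors(new_password)
        digest = _hash(new_password, acct.salt)
        if any(hmac.compare_digest(digest, old) for old in acct.history):
            errors.append(f"matches one of the last {HISTORY_SIZE} passwords")
        if errors:
            return errors
        acct.history = [digest] + acct.history[:HISTORY_SIZE - 1]
        acct.password_set_at = self.now()
        return []

    def login(self, user_id: str, password: str):
        """Return (ok, message). Unknown users get the same answer as a wrong
        password, so the login form does not reveal which IDs are valid."""
        acct = self.accounts.get(user_id)
        now = self.now()
        if acct is None:
            return False, "login failed"
        if now < acct.locked_until:
            return False, "account temporarily locked"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.history[0]):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
            return False, "login failed"
        acct.failures = 0
        previous, acct.last_login = acct.last_login, now
        if now - acct.password_set_at > PASSWORD_TTL:
            return True, "password expired; change it before continuing"
        if previous is None:
            return True, "first login"
        stamp = time.strftime("%Y-%m-%d %H:%M", time.gmtime(previous))
        return True, f"previous login at {stamp} UTC"


if __name__ == "__main__":
    ac = AccessControl()
    ac.create_user("ops1", "Correct-Horse-42!", access_level="security-admin")
    print(ac.login("ops1", "Correct-Horse-42!"))
    print(ac.set_password(ac.accounts["ops1"], "Correct-Horse-42!"))
    print(policy_errors("abc"))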

Slide 25

Security Administrator

- Who are the active users?
  - Force logout
  - Suspend
- What are the users doing?

Slide 26

Web-Based Management

- All you need is a Web browser
- OS independent
- HW independent
- Can be shared with other applications
- Low bandwidth
- WBM – openness and vulnerability

[Diagram: VerazView Management System, with the Mgmt. System WBM client and the Mgmt. System Server (VerazView) across the Internet/Intranet; Control SW, SG and I-Gate 4000 on the IP network]

Slide 27

WBM Encryption

- SSL – Secure Sockets Layer: provides encryption, authentication & integrity of the data stream
- Encryption of the management information
- SSL is the most popular method to secure Internet transport; used by Web browsers and servers
- The protocol that incorporates SSL and HTTP is HTTPS
- Powerful encryption method

[Diagram: the WBM client reaches the management server across the Internet/Intranet over SSL; the management server sits in the IP Telephony network]

Slide 28

Separating Internet Server from MS

To secure the IP network from hackers:
- Internet Server separated from the MS Server
- MS Internet Server located in a demilitarized zone (DMZ)

Protection from hackers:
- Secured protocol
- Firewall

[Diagram: WBM client on the Internet → Internet Server in the DMZ → secured protocol → Management Server on the IP network, alongside the Media Gateway (MG) and Control SW]

Slide 29

Disaster Recovery

- MS servers at two remote locations
- RAID disk array
- No single point of failure

[Diagram: a Web client connecting to the Main Location and to an Alternate Location]

Slide 30

Questions?

Slide 31

Yaron Oppenheim – Director

[email protected]