SIP, Unified Communications (UC) and Security
Dan York, CISSP VOIPSA Best Practices Chair
October 4, 2010
© 2010 VOIPSA and Owners as Marked
[Diagram labels: PBX; Voicemail; Physical Wiring; PSTN Gateways]
[Diagram labels: Physical Wiring; IP Network; IP-PBX; Voicemail; PSTN Gateways; Mobile Devices; IM Networks; Web Servers; Email Servers; Desktop PCs; Operating Systems; Firewalls; Internet; Directory Servers; VoIP; CRM Systems; Social Networks; Database Servers; Application Servers]
Geography
[Diagram labels: UC System; Corp HQ; Internet; Firewall; Home Firewall; IP Phone; PC; Home]
[Diagram labels: UC System; Corp HQ; Internet; Firewall; WiFi Café; Router; Mobile UC client; Laptop UC client; Mobile Data Network]
[Diagram labels: Corp HQ; Office A; Office B; Corporate Network; IM; Presence; Call Control; IVR; Voicemail; Conferencing; PSTN; Internet]
Internet LAN
Can you trust “the Cloud” to be there?
[Diagram labels: PSTN; Carrier (repeated)]
[Diagram labels: PSTN; ITSP (repeated many times)]
SPAM
• What does a traditional telemarketer need?
• Makes for great headlines, but not yet a significant threat
• Fear is script/tool that:
  – Iterates through calling SIP addresses:
    • [email protected], [email protected], …
    • Opens an audio stream if call is answered (by person or voicemail)
  – Steals VoIP credentials and uses account to make calls
• Reality is that today such direct connections are generally not allowed
• This will change as companies make greater use of SIP trunking and/or directly connect IP-PBX systems to the Internet (and allow incoming calls from any other IP endpoint)
• Until that time, PSTN is de facto firewall
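Seen from a SIP proxy, the script this slide describes is one source sending INVITEs to many distinct addresses in a short time. The following is an added example, not part of the original slides, of detection logic for that pattern; the log format, thresholds and addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed proxy log (hypothetical format): epoch seconds, source IP, method, request URI.
SAMPLE_LOG = """\
1000 198.51.100.7 INVITE sip:1000@example.com
1002 198.51.100.7 INVITE sip:1001@example.com
1003 203.0.113.20 INVITE sip:alice@example.com
1004 198.51.100.7 INVITE sip:1002@example.com
1006 198.51.100.7 INVITE sip:1003@example.com
1008 198.51.100.7 INVITE sip:1004@example.com
1300 203.0.113.20 INVITE sip:bob@example.com
1900 203.0.113.20 INVITE sip:alice@example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+INVITE\s+sip:([^@\s]+)@(\S+)$")

def longest_numeric_run(users):
    """Length of the longest run of consecutive integers among numeric user parts."""
    nums = sorted({int(u) for u in users if u.isdigit()})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_invite_sweeps(log_text, window=60, max_targets=4):
    """Flag sources that INVITE more than max_targets distinct addresses
    within any `window`-second span. Thresholds are illustrative assumptions."""
    recent = defaultdict(deque)   # source IP -> deque of (timestamp, user@domain)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip malformed or non-INVITE lines
        ts, src, user, domain = int(m[1]), m[2], m[3], m[4]
        q = recent[src]
        q.append((ts, f"{user}@{domain}"))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop entries that fell out of the window
        targets = {t for _, t in q}
        if len(targets) > max_targets:
            users = [t.split("@")[0] for t in targets]
            flagged[src] = {"distinct_targets": len(targets),
                            "sequential_run": longest_numeric_run(users)}
    return flagged

if __name__ == "__main__":
    print(find_invite_sweeps(SAMPLE_LOG))
```

A long sequential run of numeric user parts separates an address sweep from a busy but legitimate caller, which tends to dial a scattered set of addresses.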
Security Vendors
“The Sky Is Falling!” (Buy our products!)
VoIP Vendors
“Don’t Worry, Trust Us!” (Buy our products!)
Classification Taxonomy of Security Threats
Security Research
Best Practices for VoIP Security
Security System Testing
Outreach Communication of Findings
Market and Social Objectives and Constraints
Legend: Published; Active Now; Ongoing
• www.voipsa.org – 100 members from VoIP and security industries
• VOIPSEC mailing list – www.voipsa.org/VOIPSEC/
• “Voice of VOIPSA” Blog – www.voipsa.org/blog
• Blue Box: The VoIP Security Podcast – www.blueboxpodcast.com
• VoIP Security Threat Taxonomy
• Best Practices Project underway now
www.voipsa.org/Resources/tools.php
• VoIP Security Alliance - http://www.voipsa.org/
  – Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php
  – VOIPSEC email list - http://www.voipsa.org/VOIPSEC/
  – Weblog - http://www.voipsa.org/blog/
  – Security Tools list - http://www.voipsa.org/Resources/tools.php
  – Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com
• NIST SP800-58, “Security Considerations for VoIP Systems” – http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
• Network Security Tools – http://sectools.org/
• Hacking Exposed VoIP site and tools – http://www.hackingvoip.com/
• Seven Deadliest Unified Communications Attacks – http://www.7ducattacks.com/
VoIP can be more secure than the PSTN if it is properly deployed.