How To Protect Freespeech From Attack From A Hacker Attack

Transcription

1 customer care solutions from Nuance enterprise white paper :: Nuance FreeSpeech Security Overview Version 7.0

2 NUANCE :: customer care solutions Contents About this Document...3 Nuance FreeSpeech Security Overview...3 Architecture & System Components...3 System Components...4 Product infrastructure...6 Authentication...7 Web Server Access...7 Database Access...7 LDAP Server Access...7 File System Access...7 Authorization...7 System Authorization...7 Audit...8 Audit levels...8 Audit Protection...9 Audited operations and entities...9 Log viewer...10 Administration...10 Web based administration applications...10 FSMCLI...13 SNMP...14 Data Security Data manipulation...14 Data Integrity & Encryption...14 Custom Encryption Plug-in...14 Multi-tenancy...14 Network Security...15 Interface protection...15 Inter-Process Communication security...15 About Nuance

3 About this Document Nuance FreeSpeech is a unique biometric speaker verification system that transparently verifies speakers and/or identifies known fraudsters in the background of a natural conversation. FreeSpeech is the most comprehensive, natural language speaker verification system available today, enabling customers to utilize the biometric power of voice to provide secure, efficient and convenient access to contact centers. New features available in FreeSpeech 7.0 ensure end-to-end security, meeting the most stringent IT security requirements. This document provides an overview of FreeSpeech product security. As an authentication product, FreeSpeech implements a wide range of security measures to protect its resources against diversified threats. This document is intended for sales engineers and for IT security personnel who need to evaluate the use FreeSpeech in their protected IT environments. Nuance FreeSpeech Security Overview FreeSpeech is a voice biometrics system which is implemented in security-sensitive environments. As such, it must adhere to strict security requirements and comply with privacy and additional industry-specific regulations. FreeSpeech is protected at both the application level and the infrastructure level using the standard Four A s of enterprise security: Administration, Authentication, Authorization, and Audit. FreeSpeech s security design is based on the Common Criteria Protection Profile for biometric speaker verification systems and has successfully passed third-party security audits and penetration attacks performed by customers. FreeSpeech supports integrated Windows security and role based authorization (RBA). Together with the security mechanisms provided by the system infrastructure, the system can be configured to meet the security requirement of financial services, government agencies, healthcare service providers and other securitysensitive organizations. The following diagram provides an overview of FreeSpeech security architecture and mechanisms. Integrated Windows Security CTI Gateway Web Service SSL Buffer Overflow & SQL Injection Check Admin Apps File System Hashed Audio File Names NTFS IIS FreeSpeech TM Processing Server LDAP Authentication, Authorization, Audit Active Directory/ ADAM.NET Reporting LDAP FreeSpeech TM Processing Server FreeSpeech TM DB Oracle / SQL Server / Sybase / DB2 Full System Audit Authorization Manager Role-Based Authorization 3

4 NUANCE :: customer care solutions Architecture & System Components FreeSpeech includes a set of applications, services and tools that work together in order to provide voice biometrics services. System Components The FreeSpeech system is comprised of three main logical components the Processing Server, the Data Repository Server, and the Audio Acquisition Server. These components can reside on a single machine or be distributed among multiple machines. A system can be comprised of multiple instances of each component. Processing Server The Processing Server is the main processing component of the FreeSpeech system. Multiple Processing Servers can optionally be used in a redundancy scheme for high availability purposes, or in a load balancing scheme for scalability. The Processing Servers run the FreeSpeech application that provides the following functions: Service control The Processing Server exposes a set of Web Services (SOAP/HTTP) which are used by calling applications as well as by the system s administration tools and Web-based GUI Applications. Algorithmic processing This is the core biometric functionality of FreeSpeech. Each Processing Server includes two web applications that run under Microsoft IIS: FreeSpeech Web Services Provides a set of API methods accessed through SOAP and HTTP. FreeSpeech Web Applications These web applications are used by Administrators, IT managers, Security Officers and helpdesk agents. In addition, the FreeSpeech system includes a set of utilities/desktop administration applications. These are typically installed with each Processing Server. Data Repository Server The Data Repository Server is the logical name of the component which is responsible for handling and storing persistent data. Each data repository server contains the following components: SQL Database The Database is used to store audit information, log messages and other information used for reports. FreeSpeech supports most of the leading Databases. LDAP Directory LDAP directory is used to securely store sensitive persistent data related to speakers, groups, voiceprints, and configurations. FreeSpeech supports multiple LDAP directories. Audio Files folder A shared folder used for storing audio files. Persistent Data Replicator (PDR) Nuance s replication service, responsible for duplicating database records and audio files between two data repository servers (Optional). Logger Service This service queues log messages and saves them in the background to the database. A FreeSpeech system must include at least one Data Repository Server. Two Data Repository Servers can be used in an active-active configuration for redundancy. 4

5 Audio Acquisition Server The FreeSpeech Audio Acquisition Server acquires audio for processing and streams it to the Processing Server. The Audio Acquisition Server can be one of two types: The Time Division Multiplexing Acquisition Server (TAS), or the VoIP Acquisition Server (VAS). The TAS is physically connected to the telephony trunks or extensions and acquires audio directly from them. This solution requires telephony cards. The VAS acquires audio by sniffing RTP packets which are directed to a known IP through standard network cards. This solution is totally software based. The following diagram outlines FreeSpeech components and architecture. FreeSpeech Web Applications FreeSpeech Native Web Service API s Technical Management Platform Admin Voiceprint Helpdesk Security Console Processing Server (FreeSpeech Application Pool) Biometric Engines Text Dependent Utterance Validation Processing Server (N+1) IIS Algorithmic Engines Voice/ DTMF/Tone Detection Liveness Detection FreeSpeech Web Applications Enrollment Consistency Check Playback Detection Crosstalk Cancelation ASR (Optional) Tools and Services Logger Service SNMP Agent Custom Encryption Hooks Authorization Manager Bit (Quick Test) Calibration Wizard Management Command Line Interface (MCLI) Hashed Audio Files File system Data Repository Server (1+1) User Group Database LDAP Directory Audit, Reports,Logs (Oracle, SQL Server, DB2 Voiceprint, Speakers MySQL, Sybase,Informix) Configuration, Roles, Scopes (Microsoft, AD, IBM Tivoli TDS) Tools and Services PDR - Nuance Data Replicator DB/Audio Sync Logger Service SNMP Agent TAS TDM Acquisition Server (N+1) Technical Monitoring Speaker Separation Audio Acquisition Boards VAS VOIP Acquisition Server (N+1) Technical Monitoring Speaker Separation VOIP Sniffing and Port Tracking 5

6 NUANCE :: customer care solutions Product infrastructure Operation System FreeSpeech is based on.net framework 4.0 and as such it can run only on Windows machines. Currently the product supports the following OS: Windows XP Windows 2003 Server Windows 2008 Server Windows7 Database A Database is used to store audit information and log messages. The database may be installed on the same machine as the Data Repository or on a remote machine. FreeSpeech utilizes common ADO.NET infrastructure to access the database. FreeSpeech supports the following databases: Microsoft SQL Server 2005 Microsoft SQL server 2000 Oracle 10g with RAC support Oracle 11g with RAC support DB2 MySQL 5.5 SQL Express LDAP Directory LDAP is an application protocol for reading and editing directories over an IP network. The LDAP Directory is used to securely store the application s persistent data entities such as speakers, voiceprints, and configuration. The supported LDAP Directories are: ADAM Active Directory Application Mode - This lightweight version of Microsoft Active Directory runs as a service on the data repository server - this is the default directory for installations on Windows XP and Win2003 Server operating systems. AD LDS Active Directory Lightweight Directory Services - This lightweight version of Microsoft Active Directory runs as a service on the data repository server - this is the default directory for installations on Windows 7 and Win2008 Server operating systems. Active Directory Microsoft s Directory Services product - The domain s active directory can be used as the LDAP directory. When used, an extension of the Active Directory Schema is required in order to support FreeSpeech entities. TDS IBM Tivoli Directory Server. Web Server The FreeSpeech system uses IIS (Internet Information Services) as its web server and is based on the IIS ASP.NET 4.0 extension. FreeSpeech 7.0 offers an enhanced, open, and flexible Web service APIs, ensuring smooth, platform-independent integration using any programming environment. In addition, the FreeSpeech 6

7 Web Applications enable easy access to tools and information needed for successful deployment. FreeSpeech utilizes IIS web server security mechanisms (i.e. application session timeout, limiting access to specific IPs etc. are supported). Authentication Web Server Access FreeSpeech authenticates users based on Windows Integrated Security. This ensures that system policies regarding passwords are handled according to the local domain policies (enforced by the Domain Controller). FreeSpeech does not store passwords in its database or in any other application s data store. Users accessing the system, whether by programmatically calling the system s web service API, by using one of the administration applications, or by accessing a web page, are authenticated by the IIS using the Domain Controller. By setting a designated configuration parameter, the system can ensure exclusive log-in to the web applications. Note: Authentication policies supported by Microsoft IIS, such as certificates and passports are also supported by FreeSpeech. The FreeSpeech Web Applications can be configured to enable Single Sign On which eliminates the need to re-enter user-name and password when accessing the application. Database Access Credentials to the system s database are provided as part of the connection string used by FreeSpeech. By default, FreeSpeech uses Windows integrated security as the database authentication method. This means that the application s identity is used when accessing the database. Another alternative is to specify a username and password in the connection string. When this is done, this identity is used by all components accessing the database and must be managed manually. When this option is used, the password is saved encrypted in the system s configuration file. LDAP Server Access The applications access the LDAP Server using Windows Integrated Security. Note that the application s identity is used when accessing the LDAP Server. File System Access File system access is controlled by the operating system. Every access to the file system by the FreeSpeech application will be performed under the credentials of the application user. Authorization System Authorization Role-based Authorization (RBA) FreeSpeech utilizes Microsoft Authorization Manager (AZMAN) for managing roles and operations. AZMAN is general-purpose role-based security architecture for Windows. Using roles, the operating system determines whether a process or a user is privileged to perform an operation. 7

8 NUANCE :: customer care solutions Roles are defined in the Authorization Store of FreeSpeech s LDAP Directory. Each role can be granted permission to perform operations (a basic activity unit that the system performs). Every API method has a corresponding operation. Windows users and groups can be assigned a role, and be authorized to perform operations according to the role s definition. The system is installed with the following predefined roles. These roles can be customized and additional roles can be defined. ClientApplication HelpDesk PlatformAdmin MainScope Security Every access to the Database, the LDAP Server, or the file system by the FreeSpeech application is performed using the credentials of the application user. Once the application validates that the network user is permitted to perform a certain operation, the application user serves as a delegate for the network user. This means that in order to allow an application user to perform an operation that will delete a file from the file system for example, it is not required to add write privileges to the network user. Audit FreeSpeech Audit is composed of the following elements: Every API method is logged in the system s database. Other standard system infrastructure components (such as the OS, IIS, DB) have their own auditing tools and capabilities that needs to be enabled. Audio files used for Enrollment/Verification may be saved for Audit purposes. Audit levels FreeSpeech allows the system administrator to control the level of audit info detail that will be saved by the system. There are three audit levels: Alg Debug Specifies whether to audit detailed algorithmic outputs (mainly used for algorithmic troubleshooting). Operational Specifies whether to save operation level audit information (such as Enroll/Verify/Identify/ Fraudsters detection etc.). There are three options of saving operational level audit information: Always the system saves all audit information. Conditional the system saves audit information only for delete operations and in case of an error in other operations. Never the system does not save operational-level audit information. System Specifies whether to save system level audit information. There are three options of saving system level audit information: Always the system saves all system level audit information. Conditional the system saves audit information only for system level write operations and in case of an error in read operations. Never the system does not save system-level audit information. 8

9 In addition, a configuration parameter named log level enables selecting the desired log level, enabling the system to keep different levels of log messages for different applications, services or scopes. Audit Protection FreeSpeech audit information is stored securely in the system s database. Besides the system specific audit trail, FreeSpeech system infrastructure (IIS, LDAP Directory, Database) logs are protected in diversified (standard) ways. Audited operations and entities Auditing Audio Files FreeSpeech support auditing audio files used in the system using two configuration parameters: SaveEnrollAudio - Specifies whether to save enrollment audio. Always Enrollment audio is always saved UntilTrained Enrollment audio is saved temporarily and deleted as soon as the voiceprint is trained. Never Enrollment audio is never saved. SaveOperationalAudio Specifies whether to save operational audio (the audio associated with Verify, Identify, and Fraudsters Detection operations). LDAP Server Audit LDAP Server supports audit capabilities and enables flexible audit configuration. For more information refer to API Audit Every call to an API method is logged in the system s database. The API record includes the following details: Request ID A 64bit unique identifier assigned to each API call. This ID is unique across all the system s servers and can be used to reference other details stored in the database about the request such as verification score, or failure details. Method Name The API method name. Input Parameters The values of the API method parameters. Finish Status An error or success code. Timestamp The exact time of the request execution. Server name The name of the processing server that handled the request. Client ID The IP address of the client. User name The windows username of the client. Data repository server name The name of the data repository server on which the data was originally stored. Session ID A token which is received from the StartSession command that launched the current session. Scope The scope which is the context of the current API operation. 9

10 NUANCE :: customer care solutions Log viewer FreeSpeech saves log messages in the database based on the LogLevel parameter in the system configuration. Log messages can be accessed using the Log Viewer which enables online or offline viewing of an application s log messages. The Log Viewer is available as a Windows application or as a Web page in the Technical Management application. Use the Log functionality to troubleshoot the system or analyze past system activity. The log section is divided into two views: History Log View which enables auditing past system activities. Log information retrieval can be controlled by dates and log level. Once retrieved, log information can be saved, sorted, filtered or saved to a file. Online Log View is used to monitor system activities in real time. The Online Log View displays systemwide log messages as they are recorded in the FreeSpeech data base, enabling isolating faults and communicating them with the vendor. Log messages can be saved to a file. Administration Web based administration applications FreeSpeech provides a set of web-based administration applications allowing management of all system aspects. The following applications are provided out-of-the-box: Technical Management Platform Admin FreeSpeech Platform Admin is a web based Application that provides a variety of tools for properly setting up the system and its biometric functionality as well as managing speakers, voiceprints and groups. Use this application to configure FreeSpeech, perform queries and reports, and monitor the system usage. Voiceprint Helpdesk FreeSpeech Voiceprint Helpdesk provides a set of tools enabling auditing and reviewing a speaker s interactions with the system. Use the Helpdesk functions to audit verification results and decisions, edit speaker information, delete a speaker, edit a voiceprint and more. Security Console The FreeSpeech Security Console enables security personnel to audit FreeSpeech operation and analyze specific verification and identification processes. The application provides tools for managing fraudsters voiceprints and groups. In addition, the security console collects and presents diversified security alerts. FreeSpeech Technical Management Application enables technical personnel, who are in charge of the systems health, to monitor FreeSpeech system s component status, audit system-wide logs, schedule administrative tasks such as audio purging, upload and view system licenses, and more. Access to these applications is controlled by Windows Integrated Security and FreeSpeech s role based authorization. 10

11 The Web-based Security Console Application The FreeSpeech Security Console Application enables security personnel to audit FreeSpeech operation and analyze specific verification and identification processes. The application provides tools for managing voiceprints as well as all aspects of user authorization. The Security Console Application is divided into four functionalities: Authorization Manager, Voiceprint Helpdesk, Configuration, and Log. The following screenshot presents this functionality: 1. Authorization Manager Functionality Allows managing all aspects of User Authorization. Using roles, the system can make determinations, such as whether a process is privileged to perform an action. FreeSpeech utilizes Microsoft s Authorization Manager Infrastructure to manage user authorization in the system. Authorization Manager functionality is divided into three sections: a. Scope Management Used adding scopes (tenancies) in a multi-tenant system b. User Management Used for assigning roles to users and groups c. Role Management Used for defining, creating and customizing roles The following screenshots depict the User Management page and the role customization functionality of the Security Console. 11

12 NUANCE :: customer care solutions 2. Voiceprint Helpdesk Functionality Provides a set of tools enabling auditing and reviewing of a speaker s interactions with the system, editing voiceprint audio and adapting voiceprints with audio used for verification. Voiceprint Helpdesk is divided into two section: a. Audit Speaker Interactions Used for reviewing a specific speaker s interactions with the system. Information available includes session information as well as information regarding each and every operation within the session (i.e. Enrolment, Verification etc.). Verification statistics and scores are displayed including decision reasons and extended scoring information. Speaker audit information can be filtered, sorted and grouped for better analysis. Audit information also includes the speaker s audio. This audio can be played back and/or downloaded assuming the system audit configuration is set to store it and the proper security privileges are set. b. Review Voiceprint Enables reviewing of a speaker s voiceprints. This is used to listen to audio used for enrollment, and edit it if necessary, removing unrelated or faulty audio. The Edit Voiceprint page enables removing and adding audio segments from/to a speaker s voiceprint and adapting 12

13 it with verification audio segments if available. Use the Edit Voiceprint page to fix problematic voiceprints that deliver high false rejection rate as well as to enhance the quality of existing voiceprints via manual adaptation. 3. Configuration Functionality - Enables the system administrator to control and manipulate the system configuration and operation. The FreeSpeech system supports multiple concurrent configurations that are used to control the system s diversified functionality and multi-engine infrastructure. Use the configuration functionality to comply with diversified requirements (i.e. Security, Audit), optimize the system performance, and adjust its functionality to accommodate for a specific call/verification flow. Configuration is divided into two sections: a. Edit Configuration Sets Enables creating, editing, uploading, downloading, and comparing Configuration Sets. A Configuration Set is a set of parameters and their corresponding values that controls the operation of FreeSpeech in a specific context which can be an application or a specific operation. Configuration Sets inherit parameters values from the system s Default configuration set and enable the user to overwrite specific ones as necessary. b. Configuration Audit Used to track all of the system s configuration changes. Use this page to review configuration changes and filter them by dates, parameter category, and more. Information retrieved includes parameters values, timestamp, change initiator, IP and host name. The Configuration Audit page can be used by the system administrator as well as by Nuance support to isolate system problems caused by configuration errors. 13

14 NUANCE :: customer care solutions 4. Log functionality Enables viewing history and on-line system log information. Use the Log functionality to troubleshoot the system or analyze past system activity. Log is divided into two sections: a. The History Log View is used to audit past system activities. Log information retrieval can be controlled by dates and log level. Once retrieved, log information can be saved, sorted or filtered. b. The Online Log View is used to monitor system activities in real time. The Online Log View displays system-wide log messages as they are recorded in the FreeSpeech data base, enabling isolating faults and communicating them to the vendor. Log messages can be saved to a file. FSMCLI FreeSpeech includes a command line utility that enables administrators to perform various administration tasks such as: retraining voiceprints or deleting history records from the database. A system administrator using the FSMCLI must have the proper credentials and authorization to use the various functionality provided by this utility. SNMP FreeSpeech s SNMP agent receives SNMP requests and sends SNMP traps to standard network monitoring consoles complying with SNMPv2 standard. Each Processing Server has an SNMP agent service that handles SNMP Get/Set requests and sends SNMP traps when important system events occur. FreeSpeech monitoring can be easily added to standard SNMP-based consoles. Data Security Data manipulation FreeSpeech checks every input against data manipulations such as: SQL injection, LDAP injection, Buffer overflow and Cross-Site Scripting (XSS). Data Integrity & Encryption Voiceprints are stored in a proprietary format in the system s LDAP directory and cannot be reverse engineered. Voiceprints are signed with the speaker ID and the customer ID (system ID) which is a unique key assigned to each installation. This signing protects the system voiceprints from being manipulated by authorized users. Voiceprints cannot be used outside the specific system as well as in other FreeSpeech systems. Customer Related Information (Speaker IDs, Group IDs), is encrypted by FreeSpeech by default using 128 bit encryption mechanism (Rijndel). Customer-specific encryption mechanisms are supported. Audio Files stored in the files system can be encrypted using standard OS encryption mechanisms. The names of the saved audio files are hashed so that they cannot be associated directly with a specific speaker. LDAP Directory Store is used by FreeSpeech (Provided by Microsoft/IBM) and encrypted by default using proprietary encryption mechanisms. Database is used by FreeSpeech and can be configured to encrypt stored information. 14

15 Custom Encryption Plug-in Nuance supplies a built in encryption mechanism which uses Rijndael symmetric encryption (AES) 128bit. In case the customer wishes to control the system s encryption method, he may do so through the encryption plug-in. The encryption plug-in enables customized encryption, giving the customer full control over the encryption algorithm and key. A configuration parameter which points to the encryption software must be set to enable custom encryption. Multi-tenancy Multi-tenancy enables logical partitioning of the entire system in an effortless manner through the use of scopes. This allows a clear cut separation of the system s data, configuration, audit, roles, etc. within an organization, enabling a single enterprise to use FreeSpeech for multiple/distinct applications in different business units. Multi-tenancy is ideal for a hosted solution, enabling a service provider to offer FreeSpeech as a service to multiple enterprises. The benefits are both from a practical aspect and from a security aspect. Regardless of what system tool is used or what API method is called, everything is performed in the context of a specific scope. Scopes are assigned to users by the system security administrator. Each session is associated with a certain scope, the configuration set specified when calling an API method is used to determine the desired scope. Network Security Interface protection FreeSpeech web service interface access is controlled using IIS6 or IIS7 security supporting SSL encryption. All authentication schemes are supported: Integrated, Basic, Digest, and Certificates. Inter-Process Communication security FreeSpeech Processes The different components which compose the FreeSpeech system communicate with each other over TCP using WCF (Windows Communication Foundation). Windows Communication Foundation is the technology used for inter-process communication between different components of FreeSpeech. More information regarding WCF refer to All ports used for inter-process communication are configurable. This allows System Administrators to specify which ports will be used in their specific site. The component used for inter-process communications is NET. TCP. This standard component secures TCP communications in various ways. Processing Server LDAP Directory Communication Security FreeSpeech communicates with the LDAP directory via a.net component (Microsoft Directory Entry) as part of Microsoft Directory Services which is part of.net Framework. The component supports LDAPS for secure LDAP communication. Processing Server SQL Database Communication Security FreeSpeech communicates with the SQL Server using a database-specific ADO.Net provider. The provider communication security is proprietary and database-specific. 15

16 NUANCE :: customer care solutions About Nuance Communications, Inc. Nuance is a leading provider of speech and imaging solutions for businesses and consumers around the world. Its technologies, applications and services make the user experience more compelling by transforming the way people interact with information and how they create, share and use documents. Every day, millions of users and thousands of businesses experience Nuance s proven applications and professional services. For more information, please visit: Nuance Communications, Inc. All rights reserved. Nuance, the Nuance logo, The experience speaks for itself, SpeakFreely, and FreeSpeech are trademarks and/or registered trademarks of Nuance Communications, Inc., and/or its subsidiaries in the United States and/or other countries. All other trademarks are the properties of their respective owners. WP NUCC1094 NUANCE COMMUNICATIONS, INC. one wayside road burlington ma nuance.com