End to End Security in a Hosted Collaboration Environment



Similar documents
Allstream Hosted Collaboration Solution

Securing SIP Trunks APPLICATION NOTE.

Recommended IP Telephony Architecture

Tim Bovles WILEY. Wiley Publishing, Inc.

How To Extend Security Policies To Public Clouds

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

IINS Implementing Cisco Network Security 3.0 (IINS)

Implementing Cisco IOS Network Security

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

SIP Trunking Configuration with

TLS and SRTP for Skype Connect. Technical Datasheet

OpenScape Session Border Controller Delivering security, interoperability and cost savings to the enterprise network border

Session Border Controllers in Enterprise

SOFTWARE DEFINED NETWORKING: INDUSTRY INVOLVEMENT

Upgrade and Migration Strategy

Cisco Virtual Office Express

Microsoft Office Communications Server 2007 & Coyote Point Equalizer Deployment Guide DEPLOYMENT GUIDE

SIP Trunking. Cisco Press. Christina Hattingh Darryl Sladden ATM Zakaria Swapan. 800 East 96th Street Indianapolis, IN 46240

Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release

VPLS lies at the heart of our Next Generation Network approach to creating converged, simplified WANs.

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Securing Networks with PIX and ASA

Load Balancing for Microsoft Office Communication Server 2007 Release 2

IIUC Implementing Cisco IOS Unified Communications (IIUC) Version: Demo. Page <<1/9>>

Cisco. A Beginner's Guide Fifth Edition ANTHONY T. VELTE TOBY J. VELTE. City Milan New Delhi Singapore Sydney Toronto. Mc Graw Hill Education

Implementing Cisco IOS Network Security v2.0 (IINS)

NEFSIS DEDICATED SERVER

Certes Networks Layer 4 Encryption. Network Services Impact Test Results

Government of Canada Managed Security Service (GCMSS) Annex A-1: Statement of Work - Firewall


SIP Trunking with Microsoft Office Communication Server 2007 R2

Introducing Cisco Voice and Unified Communications Administration Volume 1

Implementing Cisco Collaboration Applications **Part of the CCNP Collaboration certification track**

Voice over IP Security

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

Cisco Intercloud Fabric Security Features: Technical Overview

Outline VLAN. Inter-VLAN communication. Layer-3 Switches. Spanning Tree Protocol Recap

Live Communications Server 2005 SP1 Office Communications Server Matt Newton Network Engineer MicroMenders, Inc

New aspects of Cisco UC Interoperability. #CiscoPlus

Cisco Virtual Office Flexibility and Productivity for the Remote Workforce

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Ingate Firewall/SIParator SIP Security for the Enterprise

TrustNet Group Encryption

Whitepaper: Microsoft Office Communications Server 2007 R2 and Cisco Unified Communications Manager Integration Options

Network Virtualization Network Admission Control Deployment Guide

TROUBLESHOOTING CISCO IP TELEPHONY & VIDEO V1.0 (CTCOLLAB)

Network Simulation Traffic, Paths and Impairment

SEC , Cisco Systems, Inc. All rights reserved.

Lecture 02b Cloud Computing II

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, :32 pm Pacific

SIP Trunking Steps to Success, Part One: Key Lessons from IT Managers Who ve Been There

Configuring the Sonus SBC 2000 with Cisco Unified Call Manager 10.5 for Verizon Deployment

Best Practices for Securing IP Telephony

Network Architecture Validated designs utilizing MikroTik in the Data Center

IP Implementation in Private Branch Exchanges From 9:30 a.m until 4:30 p.m (7 hrs./day) 5 days / week

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0

Voice Over IP and Firewalls

Implementing Cisco IP Telephony & Video, Part 2 CIPTV2 v1.0; 5 Days; Instructor-led

White Paper. Using VLAN s in Network Design. Kevin Colo

2- Technical Training (9 weeks) 3- Applied Project (3 weeks) 4- On Job Training (OJT) (4 weeks)

Campus LAN at NKN Member Institutions

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server. Quick Start Guide

Configuring the Transparent or Routed Firewall

Cisco WebEx Meetings Server

IP Telephony Management

CCNA DATA CENTER BOOT CAMP: DCICN + DCICT

An outline of the security threats that face SIP based VoIP and other real-time applications

Threats to be considered (1) ERSTE GROUP

SIP Security Controllers. Product Overview

Cisco Medical-Grade Network: Build a Secure Network for HIPAA Compliance

Security of the MPLS Architecture

(d-5273) CCIE Security v3.0 Written Exam Topics

Latest IT Exam Questions & Answers

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Curso de Telefonía IP para el MTC. Sesión 1 Introducción. Mg. Antonio Ocampo Zúñiga

OVERLAYING VIRTUALIZED LAYER 2 NETWORKS OVER LAYER 3 NETWORKS

CCIE Exam Certification CCIE Routing and Switching Exam Certification Guide dec-2009

PROPRIETARY CISCO. Cisco Cloud Essentials for EngineersV1.0. LESSON 1 Cloud Architectures. TOPIC 1 Cisco Data Center Virtualization and Consolidation

Cisco Certified Security Professional (CCSP)

Cisco Integrated Services Routers Performance Overview

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Transform Your Business and Protect Your Cisco Nexus Investment While Adopting Cisco Application Centric Infrastructure

On-Demand Call Center with VMware View

MPLS Layer 3 and Layer 2 VPNs over an IP only Core. Rahul Aggarwal Juniper Networks. rahul@juniper.net

Aerohive Networks Inc. Free Bonjour Gateway FAQ

CCNA Cisco Associate- Level Certifications

RA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. Kapil.Kumar@relianceinfo.com

KISUMU LAW COURTS: SPECIFICATIONS FOR A UNIFIED COMMUNICATION SYSTEM / VOICE OVER INTERNET PROTOCOL (VOIP) SOLUTION. Page 54 of 60

CVOICE - Cisco Voice Over IP

VoIP Security regarding the Open Source Software Asterisk

Lab Developing ACLs to Implement Firewall Rule Sets

Managed Services: Taking Advantage of Managed Services in the High-End Enterprise

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

Configuration Guide for Cisco Unified Communications Environments

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

Transcription:

End to End Security in a Hosted Collaboration Environment 2

Agenda Hosted Collaboration Solution What Does Security Mean for HCS Customer Network Isolation Storage Isolation Securing Inter-Cluster Communication Securing UC Applications 3

Hosted Collaboration Solution Unified Communications in the Cloud TELEPRESENCE CUSTOMER CARE CONFERENCING IP COMMUNICATIONS MESSAGING MOBILE APPLICATIONS ENTERPRISE SOCIAL SOFTWARE * 4

HCS Architecture Elements Unified Communication & Collaboration Applications Deliver a unparalleled user experience HCS Management System Zero-touch automation & proactive system assurance Optimized Virtualization Platform Provides hardware efficiency, customization, & scaling Scalable System Architecture Aggregation, Security, Network Integration &CBSA 5

Cisco HCS Applications Voice & Video Services Voice Mail & Integrated Messaging Presence & Instant Messaging Product Unified Communications Manager, Unified IP Phones, Jabber Unity Connection Unified Presence, Jabber Same as Premises Deployed App Yes Yes Yes Mobility Services Unified Mobility, Mobile Clients Yes Web Collaboration WebEx Meeting Center Yes Attendant Console Cisco Unified Enterprise Attendant Console Yes

Cisco UC End Point Portfolio Advanced Professional Advanced Collaborative Mobile Collaborative Basic Business Advanced Business Voice Communications Media Communications 8

HCS Data Center Design Customer Premises Service Provider Core DC Core DC Aggregation UCS Computing Storage Area Network ASR1k ASR1k MDS Service Provider MPLS/IP Core MDS ASR1k ASR1k 10

HCS Telephony Architecture PGW AS5400 PSTN/SIP Network Service Provider Network Aggregation Layer CUBE-SP (ASR 1000) Mobile Network Emergency Services UC Layer (DC) HCS WAN HCS WAN Customer A Customer B Customer C Law Enforcement Agency Customer Premise (CPE) 11

What does security mean? Within the context of HCS Everybody is using the same shared DC resources Customers require isolation External traffic is untrusted 12

Generic Security Best Practices Always Applicable HTTPS AAA and TACACS+ for device access and authentication Disable telnet on all devices, use only SSH Physical Security: Lock and key What are the implications of virtual machines? Passwords such as 12345 are common on people s luggage 13

Agenda Hosted Collaboration Solution What Does Security Mean for HCS Customer Network Isolation Storage Isolation Securing Inter-Cluster Communication Securing UC Applications 14

Customer Network Isolation

Customer Network Isolation HCS Security Layers Application and Signaling Storage Area Network Virtual Access Data Center SP Core Customer Access TLS, Authentication Zoning VLAN, VSG VRF-Lite, VLAN VRF VLAN 16

Customer Access Customer Premises and Service Provider Access VLAN for Network Isolation Firewall at the customer edge Private VLANs on SP Access UNI and NNI ports on SP Access 17

BGP Service Provider Core IP/MPLS Core L3VPN per Customer Provider Edge implements VRF and MP-BGP MPLS transport across core MPLS PE BGP MPLS PE MPLS P Nexus 7000 Enterprise Customer OSPF and MPLS BGP Data Center Enterprise CPE SP Access MPLS P Nexus 7000 MPLS PE BGP MPLS PE 18

Data Center Core and Aggregation Network Per Customer VRF-Lite continues on the Nexus Core Nexus Aggregation deposits traffic back onto VLANs Nexus 7000 Nexus 7000 SP IP/MPLS Core VRF across 802.1q Sub-Interfaces VRF across 802.1q Sub-Interfaces VLAN Computing And Storage Nexus 7000 Nexus 7000 DC Core DC Aggregation 19

Data Center Virtual Device Context (VDC) Virtualization of the control, data, and management planes Each VDC is a logically separate device Can have unique access, data, and management policies. VDC Prod VDC Extranet VDC DMZ Different network islands virtualized onto common data center networking infrastructure 20

Data Center Adaptive Security Appliance (ASA) Firewall VPN Concentrator Intrusion Prevention System (IPS) 21

Data Center ASA Routed Mode All "flavors" of NAT available Data traffic is routed Does not pass Multicast traffic Interfaces can be shared between contexts Transparent Mode Two interfaces per context NAT support for transparent mode Data traffic is bridged Passes Multicast traffic No shared interfaces 22

Data Center ASA Placement Options Customer Premises Protect the CPE DC Aggregation/UCS Access Protect UCS and UC Applications DC Aggregation/Extranet NAT Any external traffic Extranet Management 23

Data Center ASA Traffic Flow 24

Virtual Access Nexus 1000v Virtual Switch VLANs for Customer Separation ACL for Server to Server Filtering 25

Virtual Access on the Nexus 1000 Virtual Security Gateway (VSG) Customer Separation within a VLAN Block Application to Application traffic Grant subset of resources to one branch Application Server VLAN 100 Web Server Database 26

Storage Isolation

Storage Area Network How a Virtual Machine keeps its data separate VSANs associate to a host but not to a VM All VMs on a host belong to the same VSAN The VSAN is mapped to an FC Zone Zones provide isolation on per-host basis 28

Storage Area Network Fiber Channel Zones Hard Zoning Physical switch ports are associated with a zone Soft zoning HBA WWN is associated with a zone LUN Masking Classes of attacks against SANs: Snooping: Mallory reads data Alice sent to Bob in private-allows access to data. Spoofing: Mallroy fools Alice thinking that he is Bob-Allows access to or destruction of data. DoS: Mallroy crashes or floods Bob or Alice-Reduces availability. 29

Storage Area Network Other SAN Security Measures VMFS lock Storage Media Encryption (SME) on the MDS-9000 30

Agenda Hosted Collaboration Solution What Does Security Mean for HCS Customer Network Isolation Storage Isolation Securing Inter-Cluster Communication Securing UC Applications 31

Securing Inter-Cluster Communication

Signaling Securing the Communication and Collaboration of HCS SIP Trunks IP Phones CUBE-SP TLS Signaling Authentication TLS Signaling Authentication CAC per CUCM adjacency SIP Trunk TLS + Secure RTP SIP Trunk with Digest Authentication TLS + SRTP media encryption Secure indication tones Event forwarding and blocking (Whitelist/Blacklist) Digest Authentication 33

HCS Call Flows Customer 1 Enterprise A Enterprise A CUCM, UnityCx, CUP, CUPM, CUOM PE CPE Offnet Customer 2 PE CUBE(SP) PGW CPE PE Media flow for inter-enterprise on-net call Signaling flow for inter-enterprise on-net call Signaling flow for Off-net call Media flow for Off-net call Enterprise B Enterprise B CUCM, UnityCx, CUP, CUPM, CUOM 34

SIP Security Protocol Transport Layer Security (TLS) Cryptographic Ensures data is both consistent and correct Provides endpoint authentication and privacy Three key phase Authentication Security Agent Key Distribution Security Agent Confirmation 35

SIP TCP Signaling Not Secure 36

SIP TLS Signaling Secure 37

Mean Call Setup Time Comparison Chart 38

Mean CPU Utilization Comparison Chart 39

Mean Memory Comparison Chart 40

TLS Analysis There have to be drawbacks SIP Mean Call Setup Time increased by 30-40% CPU Utilization increased 28-35% Memory Utilization increased by 35% 41

Agenda Hosted Collaboration Solution What Does Security Mean for HCS Customer Network Isolation Storage Isolation Securing Inter-Cluster Communication Securing UC Applications 42

Securing UC Applications

Security Deployments All the Possibilities Presence Large Branch CUCM CUBE CUBE Cisco Unity HQ SP VoIP PSTN Med Branch Wireless Network Home Office VPN 44

Securing UC Applications SIP endpoint Digest Authentication SIP endpoint TLS Encryption for signaling and srtp Certification exchange between CUCM and CUCxn 45

Securing CUCM/Phone Settings Restricting the Settings Access to the phone Keeps a phone from displaying network information Call Managers IP, VLAN ID, etc. Usually enabled by default 46

CUCM/Phone TLS Transport Layer Security for SIP and SCCP signaling encryption The certificates are exchanged in a TLS handshake TLS Session Keys for AES-128 encryption are generated The phone encrypts the two session keys using the CUCM s public RSA key and sends them to the CUCM The CUCM decrypts the message and now the phone and CUCM can exchange AES-encrypted packets C IP Phone Phone Hello CUCM Hello CUCM Cert Phone Cert Challenge & Response Key Exchange CUCM 47

CUCM/Phone SRTP Encryption and Message Integrity for RTP traffic HMAC-SHA1 for message authentication AES-128 in Counter Mode for encryption Requires signaling encryption The symmetric session keys are generated by the CUCM and distributed to the phones Keys are exchanged in the clear in the SDP, needs TLS for signaling encryption V P X CC M PT sequence number timestamp synchronization source (SSRC) identifier contributing sources (CCRC) identifiers Authenticated portion Encrypted portion RTP payload Authentication tag -- 4 bytes for voice 48

Securing Applications Credential Policy options Length Complexity Lockout Expiration History etc. Default Policy can be modified to meet customer s Security Policy requirements 49

Summary Hosted Collaboration Solution What Does Security Mean for HCS Customer Network Isolation Storage Isolation Securing Inter-Cluster Communication Securing UC Applications 50

Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com. 51

Final Thoughts Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042 Come see demos of many key solutions and products in the main Cisco booth 2924 Visit www.ciscolive365.com after the event for updated PDFs, ondemand session videos, networking, and more! Follow Cisco Live! using social media: Facebook: https://www.facebook.com/ciscoliveus Twitter: https://twitter.com/#!/ciscolive LinkedIn Group: http://linkd.in/ciscoli 52