UC Security Roadshow 2011

UC Security
Roadshow 2011

Madrid, 15 de Marzo de 2011

Copyright © Siemens Enterprise Communications GmbH & Co. KG 2009. All rights reserved.
Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licensee of Siemens AG

UC Security Solutions

Aurelio Martín
Siemens Enterprise Communications Group


Our Customers and the Industry want …

UC
Unified
Communications


Planning for today's business challenges

Business trends Communications trends

Tightened spending due Open standards, SIP, SOA
to difficult economy
Cloud computing and SaaS emerging
Green Enterprise mandates are
emerging “Anywhere” seamless mobility

Continued highly distributed Software-driven communications
organizations
UC approaching mainstream
Blurring of work-life boundaries
Ubiquitous, affordable secure
Speed and collaboration are essential network infrastructures


Se demanda …

UC
Unified
Communications
… Fiable y Segguro !


OpenScape Unified Commmunications
Open Architecture for Integration

OpenSOA
OpenScape

and more …
Applications

OpenScale UC Integration Services
OpenScale IT Service Management
OpenScape OpenScape OpenScape OpenScape OpenScape OpenScape
Voice* Video Messaging UC Application Mobility Contact Center

and more …
OpenScape Unified Communications Server

OpenScale Security
Software
Foundation SIP Session Federated QoS Session Detail Administration Availability
Control Presence Management Reporting & Licensing Management

UC Network Aware Application Interface

Network Services & Management

and more…
Service Performance Embedded Endpoint Alarm and Config
AAA Services
Availability Management Security Location Service Management
Network
Infrastructure

Real time
Communications Mobility Network Data
Infrastructure Infrastructure Infrastructure Center
(Gateways, SBCs) (Wireless LAN) (Switches, Routers) Infrastructure


UC Integration Services & Solutions
Enterprise Grade Service Level Offerings

The OpenScape UC Integration Accessories
deliver pre-packaged UC enhancements for the
OpenScape UC Application

OpenScape UC Based on the Siemens OpenSoA approach the
Integration UC Integration Solutions provide the realization
Accessories of customer-specific UC solutions

UC OpenScape UC The UC Deployment Solutions supports varied
Deployment UC Security customer-specific infrastructure environments
Solutions Solutions
Application
V3.1

The UC Security Solutions address all relevant
security requirements in UC solutions
Customized UC
Integration
Solutions
The Professional Services Suite for UC offers
all relevant professional services for realization UC
projects based on the OpenScape UC Application.


Security Challenges from a UC Perspective

UC Security Challenges … Examples …. The Impact …

Maintain or increase service
Increased productivity
Service availability availability within a converged
and revenue
voice and data infrastructure

Maintain integrity and Prevent loss of
Integrity &
confidentiality of corporate valuable data and
confidentiality data and communications information, reputation

Operational Maintain security while
Reduced operational
reducing operating cost /
efficiency costs
Automate administration tasks

Fulfill legal and regulatory Corporate image, fraud
Compliance prevention
requirements


Customers will demand solutions and services to
mitigate risks in Unified Communications

Infrastructure Applications Business
& Protocols & Users Processes
Flooding Attacks (i.e. Spam Absence of
parser, DNS blocking, ID Theft Risk management
message flows attacks) VOMIT* strategy
Denial of service attacks Denial of service Business continuity
planning
Eavesdropping SQL injection Disaster recovery
(poor) Authentication Bad software strategy
misuse Inconsistency of user Incident
Manipulation data management
Fraud Authentication misuse Ignore compliance
SPIT Social engineering issues
Lack of security No Independent security
awareness assessments

Mitigate risks of Unified Communications
* voice over misconfigured internet telephones

Security defense in a UC environment is a layered
approach

Security measures to consider

Business
Processes
Security Policies Asset Business Information Security
& Processes Classification Continuity Management

Security Audits – Security Testing
Application Antivirus & Data Loss
OpenScape
Security Antimalware Prevention
Applications

Backup & Disaster Recovery
(DNS,web server, databases)
Supporting Services Security

Event Management (SIEM)
Identity Access Single-Sign

Certificate Infrastructure
Management Management On

Security Information &
OpenScape SIP Security VPN
UC Server (TLS/SRTP) (IPSec/TLS)

Session Border Network Authentication
Controllers / Firewalls (802.1x / NAC)
Network
Infrastructure Network Intrusion
Security prevention


Why Siemens Enterprise Communications?

No single-vendor lock-in Complete voice + UC software Portfolio
No proprietary technology stacks Complete mobility + wireless Portfolio
Driven by your goals, not our agenda Complete networks + security Portfolio
Complete global services portfolio

Open
Only provider offering the choice of complete end-to-end, software-driven unified
communications, based on open, secure interoperable standards

Drive cost reduction Solution layers can be multi-vendor
Increase productivity Integrates with Cisco, IBM, Microsoft
Faster decision making and Open Source solutions
Improved collaboration Synergies from our end-to-end solution

Live Demo
Copyright © Siemens Enterprise Communications GmbH & Co. KG 2008. Alle Rechte vorbehalten.
2009. All rights reserved.
Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licenseeder Siemens AG
ist Markenlizenznehmer of Siemens AG.

Prepacked and customized security solutions
to secure a UC environment

Security measures to consider

Business
Processes
Security Policies Asset Business Information Security
& Processes Classification Continuity for UC Management

Security Audits – Security Testing
Application Antivirus & Data Loss
OpenScape
Security Antimalware Prevention
Applications

Backup & Disaster Recovery
IP Network Services for UC

Event Management (SIEM)
Certificate Services for UC
OpenScape Identity Access OpenScape
& Lifecycle Assistant Management SignOn

Security Information &
OpenScape SIP Security VPN
UC Server (TLS/SRTP) (IPSec/TLS)

Secure Communication OpenScape Location and
Infrastructure Identity Assurance
Network
Infrastructure Network Intrusion
Security Prevention

Prepackaged Solutions & Services Customizing Solutions & Services


Automated user administration using

OpenScape
Identity Lifecycle Assistant


Automation of user administration using
OpenScape Identity Lifecycle Assistant

Solution Description

Simplifies user administration within an
OpenScape Voice environment and
complements the administration via the
Common Management Portal
Initial load of user information by
connecting to an authoritative HR data
source (HR system, LDAP service, ODBC
database, etc.)
Continuous update of user information if
user status changes (e.g., leaves
company, moves to other department)
Supply OpenScape Voice with additional
information for billing purposes (e.g. cost
center of the organizational unit)
Delivers a fast an easy implemented
phone book that is accessed via Web or
LDAP


OpenScape Identity Lifecycle Assistant –
Customer Benefits

Relieves IT from duplicate
administration of user
Increase employee Reduce information
productivity by providing Grow
Operating Automates administration
automated, fast access to Revenue tasks (e.g. automatic
communication services Costs subscriber provisioning)

Superior
Security

Reuse existing user
information within systems
Ensure automatic
instead of recreating it Increase Enhance withdrawal of assets and
(e.g. collect information
from HR for billing Asset Corporate access rights (e.g. user
changes role or leaves
purposes) Efficiency Excellence company)


One-click for all application logon using

OpenScape
SignOn


One-click for all application logon using
OpenScape SignOn


OpenScape SignOn improves usability,
and security and reduces administration
effort for UC applications that rely on
OpenScape Voice or Hipath platforms.

OpenScape SignOn:
Facilitates access to applications and
usability
Provides a single login for most voice
applications and access to voice
platforms from SEN
Possibility to automatically generate and
renew passwords for applications on
behalf of the user
Supports strong authentication for access
to sensitive applications
Provides central audit capability that
simplifies compliance reporting


OpenScape SignOn –
Customer Benefits

Increase employee
productivity by enhancing Reduce
user convenience (one- Grow Reduce help desk calls
Operating
click application access, Revenue related to password resets
automated password Costs
renewal)

Superior
Security

Consolidated audit trail for Automatically enforce
application access in one password policy (no
single location Increase Enhance password on a sticky note)
Leverage strong Asset Corporate Simplify compliance
authentication Efficiency Excellence reporting by providing
central audit trail for
mechanisms for a variety
of additional applications application access


Keeping track of moving targets using the

OpenScape
Location and Identity Assurance


Keeping track of moving targets using the
solution OpenScape Location and Identity Assurance

NAC Manager
Physical Hipath DLS
Infrastructure
The solution OpenScape Location and
Import Synchronization Identity Assurance provides several
Database enhancements for an OpenScape or
NAC Appliance
Hipath environment that facilitate and
automate operations and improve
enterprise security.
Core Network
1 Supports adaptation and automation of
OpenScape configuration tasks based on location
Voice information (e.g. configuring speed dial
Mobile User
2
3 lists, emergency numbers, site security)
User moves
Mobile User Is able to automatically assign QoS
Mobile Users
parameters and security profiles (ACLs,
VLAN, Policies) via NAC
Provides automated inventory and
detection of non-compliant end devices
Secure Networks
NAC Features Facilitates troubleshooting of end devices
Access &
Control
Establish &
Enforce
Detect &
Locate
Respond &
Remediate
by providing one consistent view
Policy


OpenScape Location and Identity Assurance –
Customer Benefits

Reduce time to localize IP
Enhance employee Reduce phones within enterprise
productivity by reducing Grow
Operating network
network downtime and Revenue
outages Costs Save administrative cost
for troubleshooting

Superior
Security
Reliable and high-quality
Leverage existing operation of real-time
information of network application through
management and Increase Enhance automatically assigned
communications Asset Corporate QoS- and security profiles
management systems Reduces risk and down-
Efficiency Excellence time due to automatic
assignment of security
settings

The glue between UC applications and your network infrastructure

IP Network Services
for UC


The glue between UC applications and network
infrastructure

Provides IP network services (DNS, DHCP,
NTP) that are crucial for UC applications like
most other business critical applications run
within the enterprise
Assures availability requirements expected
for a UC datacenter deployment
Provides fault tolerance for IP network
services in branch offices
DNS/DHCP as a service are essential for
plug&play installation
Automated IP address management with a
real-time view on the IP addresses


IP Network Services –
Customer Benefits

Consolidate servers from
branch offices
Improve performance of all Reduce
applications (email, Web, Enhance Reduce capital and
VoiP/UC, Intranet..) Operating administration cost
Productivity
Eliminate DNS latency Costs Simplify troubleshooting
Automate monitoring

Superior
Security

Reduced network outages
Leverage existing
infrastructure from Cisco Increase Fast and reliable update
Enhance
or Riverbed in branches Asset Automated failover in case
Availability of services disruption
Efficiency Secure and reliable hard &
software platform


The Swiss-Knife for solving connectivity and security issues within

OpenScape
Session Border Controllers


Solving connectivity and security issues in
OpenScape UC environments

Protects OpenScape UC from being
overloaded by rate limiting traffic
Protects OpenScape UC against attacks or
PSTN
malfunctioning (e.g. Denial-of-Service)
Provides access control for internet
connected uses
Session
VoiP Border Network topology hiding and dynamic pin-
Controller
Provider holing for RTP/SRTP traffic
Solves connectivity issues in customer
networks with overlapping IP addresses
Data Ensure privacy when connecting the
WAN Center
enterprise to a SIP services provider
Provides interworking capabilities for
SIP aware NAT adaptation
heterogeneous vendor environments
protocol adaption when connecting to
SIP services providers
LAN TLS/SRTP termination on network
borders without TLS/SRTP support
(SIP provider)

Session Border Controllers –
Customer Benefits

Consolidate PSTN trunks
and move to SIP trunking
Support of mobility Reduce services
scenarios increases skilled Grow
Operating Economically and flexibly
employee availability and Revenue integrate internet
productivity Costs connected voip users

Superior
Security

Leverage existing internet Protect UC infrastructure
connections by extending against threats
them with SIP services Increase Enhance Enhance availability of UC
Provide interworking
capabilities to
Asset Corporate services

economically integrate Efficiency Excellence Enable voip migration into
acquisitions Next Generation Networks
services

Creating a secure & more agile business

Certificate Services for
Unified Communications


Professional Services for Identity & Access:
Certificate Services for Unified Communications

Service Description
Secure authentication and encryption based on
certificates is the most important way to protect
a UC solution. Conversations on the phone stay
confidential and services, servers and endpoints
are being protected from manipulation.
Certificate services for UC are key portfolio
elements, wherever customers attempt to
implement their own certificate infrastructure for
their UC solution.
Four specific professional service elements
ensure seamless integration in our customer’s
certificate infrastructures and fulfill their policy
requirements:
• Scoping Workshop
• Architecture and Design
• Design Specification
• Customizing and Implementing

Certificate Services for UC –
Customer Benefits

Improve the company’s Protection of the UC
image by ensuring a Reduce services against misuse,
secure and trusted Grow fraud and manipulation
business communication Operating
Revenue Ensuring the availability of
Establish the company as Costs the communication
a trusted business partner services

Superior
Security
Protection of confidential
Create an best in class communication and
security level to protect the business content against
value of the companies Increase Enhance theft
intellectual property Asset Corporate Take into account of all
Ensure the reliability of
digital assets and business
Efficiency Excellence relevant legal policies
processes Allow easy and secure
interworking with partners

Business Continuity
Management for
Unified Communications


Business Continuity Management
for Unified Communications

Service Description
BCM Health Check for UC
The aim of the service is to quickly and
efficiently identify gaps in the existing
Business Continuity provisions in relation to
transforming to UC and produce an
improvement programme
BCM for UC Solutions
This service combines a Business Impact
Assessment and Plan Development to
enable customers to have updated BCM
plans that reflect the new technologies
Incident Management Exercise for UC
This service tests the Incident response
readiness of the business to a
communication failure.
As well as testing the technical recovery it
also tests the senior management response
to managing an incident


Business Continuity Management for UC –
Customer Benefits

Provide reliable access to
Ensure you are getting
systems for staff and
best value from your
customers Reduce suppliers
Grow
Enable resilient
Operating Make sure incidents are
deployment of innovative Revenue
technologies allowing Costs prepared for and handled
with minimum disruption
flexibility of staff working
and costs
practices

Superior
Security

Improve identification
Ensure the reliability and and mitigation of risk
availability of assets Increase Enhance Reassure customers that
Improve utilization of Asset Corporate you won't go under should
there be a disaster
resources and reduce Efficiency Excellence
downtime Handle incidents
professionally

¡Gracias!
Visite nuestra nueva web:
www.siemens-enterprise.com/es

Y nuestra cuenta en Twitter:
@SiemensEnt_SP


Soluciones para Empresas
Ignacio Garcia Calderon – Enterprise Sales Manager

No somos estos!!!!

Acme Packet Page
Acme Packet Enterprise overview
Acme Packet company Overview 37

Acme Packet en 2 Minutos
• Creador categoría Session Border Controller (SBC).
• Líder y Referencia del Mercado, Marketshare + 60% Revenue ($M)
Revenue ($M)
(Fuente: Infonetics)
• +1100 clientes en 105 países. +de 300 en Enterprise

• + 900 Operadores
– Fija, Cable, Móvil
– 91 de los 100 más grandes

• + 300 Empresas & Contact Centers
– 11 de la lista de Fortune 25 guidance

EPS (non-GAAP)
EPS (non-GAAP)
• Empresa Pública (NASDAQ: APKT)

• HeadQuarters en Boston, USA. +500 Empleados en Total
$0,68

• EMEA HQ: Madrid, 30 Empleados $0,35
– Laboratorio Interoperabilidad $0,27
– TAC EMEA
– Training Center EMEA
2008 2009 2010
– Ventas Sur Europa y Benelux guidance
Acme Packet Page
Acme Packet Enterprise Overview
Acme Packet 38

Acme Packet Enterprise & Contact Center
Customers (Diciembre 2010)

Finance/
Other Insurance
24% 18%
Acme Packet customers
Higher Ed
4%
Government
Professional 17%
Services
10%

%Technology
Manufacturing 15
12%

CONFIDENTIAL © 2010 Avaya Inc. All rights
Acme Packet reserved.
Page

Algunos Clientes Enterprise

MIT

Northwestern Mutual

Acme Packet Page
AcmeAcme Packet Enterprise OverviewONLY
Packet Confidential - INTERNAL 40

Retos en Servicios IP Real Time
Seguridad, Interoperabilidad,
Continuidad de Negocio


Retos
• 1: Universalizar Servicios IP Real Time
– Problemas de Interoperabilidad (VoIP, Video).
• De Protocolos (SIP-H.323).
• De Transporte (TCP/UDP)
• Entre Fabricantes y entre Fabricantes y Operadores

– Problemas de Time to Market
• Homologaciones Parciales de Verdors y Versiones en SP
• Meses de Homologación
• Pérdida de Agilidad

2: Asegurar SLAs, Calidad Servicio, Continuidad Negocio,
- CAC. Medida QoS. Troubleshooting
• Asegurar CAC, desde Red o en Cliente por varios Métodos, o Dinámico
• Trabajar a Nivel Sesión en Soluciones HA/DRP con Load Balancing, Routing.
• Si hay Problemas es Necesario un Elemento Externo que Audite la Red: Troubleshooting

3: Seguridad Especializada para VoIP en Cliente.
- Seguridad en Casa del Cliente = Continuidad Negocio
• Amenazas Específicas VoIP que Hay que Tratar de Forma Especializada
• Intentos de Fraude Periódicos, Amenazas Internas Fortuitas
• Es la VoIP Estratégica?. Protegerla ES IMPORTANTE? ES CLAVE.

Acme Packet Page
Acme Packet confidential 42

SBC:Resuelve los Retos
1: La Herramienta de Interoperabilidad Mas Potente
– Interworking Señalización, Transporte, en Cliente y hacia SP
– ROI: Protección Inversión, Integración, Costes, Eficiencia, Agilidad
(Time to Market)

2: Seguridad: Firewall Dedicado y Especializado VoIP
– Interna y Externa, Mantiene Servicio Operativo. Control Fraude.
Encriptación, VPNs. Usuarios Remotos sobre Red Pública.
– ROI: Disponibilidad y Continuidad de Negocio. Privacidad. Seguridad.

3: Control QoS y de Negocio
– CAC, Medida e Informes QoS. Troubleshooting.
– CDRs para Tarificación por Entornos / VPNs
– Alta Disponibilidad, R. Geográfica. Sin Perder Llamadas en Failover.
– ROI: Alta Disponibilidad y Continuidad Negocio. Ahorro y Control
Costes.

Acme Packet Page
Acme Packet confidential

Seguridad en Servicios VoIP/Video/UC
Acme Packet Acme Packet company overview Page

Nuevas Reglas, Nuevas Amenazas

• Ataques a Nivel de Sesión que pueden Arruinar la
Continuidad y Productividad del Negocio
– Ataques DoS/DDoS
– Fraude
– Spam VoIP
– Register / Signalling Overload (Malicioso / Fortuito)

• Las brechas en la Privacidad de las comunicaciones
pueden producir Pérdidas de Negocio y Violaciones
Regulatorias
– Robo Indentidad
– Eavesdropping (escuchas)
– Fraudes

Las Soluciones de Seguridad Deben estar Diseñadas para Proteger
Comunicaciones de Tiempo Real – A nivel Sesión
Acme Packet Beta footer test Page

Herramientas Actuales: No 100% Adecuadas
• Firewalls: No Están Diseñados para Servicios Real Time
– Impactan en Calidad de Servicio (Añadiendo Jitter y Latencia)
– No Pueden Manejar cientos o miles de Sesiones en Tiempo real
– No Trabajan a Nivel de Sesión. No fueron Diseñados para Eso
– No Proporcionan Alta Disponibilidad (p.e. No perder sesiones en Failover)

• Problemas:
– Prevenir Condiciones de Sobrecarga específicas de SIP y Ataques Malintencionados,
– Abrir / Cerrar de Forma Dinámica Puertos RTP Medios en sincronización con la
Señalización SIP.
– Seguir el Estado de la Sesión y Proveer Servicio Ininterrumpido.
– No Seguridad en Sesiones Encriptadas

Acme Packet Acme Packet confidential Page

Acme Packet Net SAFE: Solución Específica
Seguridad para Servicios Real Time
Monitoriza, Informa y Registra Se Protege a Sí Mismo frente
ataques, información de Hackers y ataques DoS o Sobrecargas
provee info para auditorías. Maliciosos/Fortuitos

Auto Control de Acceso
Dinámico y a Nivel de
Previene Malas protección
Prácticas, Fraude y Sesión para
DoS, DDoS Seálización y Medios.
Robo Servicio Control e
Prevención Acceso y
Fraude Separación
VPNs Soporte para
Protege Servicios y
Infraestructura, Privacidad, Seguridad VPN
previene de Prevención Topology de L2 y L3
ataques externos,
internos y limita el DoS Hiding,
impacto Servicio Encriptación
Worm/Virus .
Ocultación
Malicious Completa
SW Infraestructura y
Privacidad
Detección y Eliminación de Virus, Usuarios
Gusanos y Malware

Diferencias Básicas con Otras Soluciones

Dispositivos B2BUA (SBC) Firewall con SIP ALG
Data center Data center
IP PBX IP PBX
UC server UC server
SIP trunk SIP trunk

• Terminan, Inician y Reinician • La Sesión Atraviesa el FW
Señalización y SDP • No puede Terminar, Iniciar y re
• 2 Sesiones, una a Cada Lado del Iniciar Señalización y SDP
Sistema • Trabaja en Capas 2-4
• Capas 2-7 • Solo Inspecciona y Modifica
• Inspecciona y Modifica toda Direccionamiento a Nivel Sesión
información cabeceras de la capa de (SIP, SDP, etc.)
Sesión (SIP, SDP, etc.) • Solo ACLs Estáticas
• ACLs estáticas y Dinámicas • Cierra los Puertos ante Ataques:
• Mantiene Servicio operativo Pérdida Servicio.

Acme Packet Page
Acme PacketPacket confidential 2009
Acme Packet Enterprise -Overview
Acme SE Training July 48

…Soluciones Complementarias
• Control Separado de Aplicaciones de Tiempo
Real (SBC) y Tráfico Tradicional (FW).

• Mantiene Gestión separada si se Requiere

• Sin Cambiar Configuración de Firewalls

• Optimización de Tráfico
– Los pequeños paquetes de Media no
atraviesan en FW

• No Impacta en la QoS de la VoIP
– Sin latency ni jitter adicional introducido por
FW
SIP Carrier
– Latencia SBC en medios menor que 15µs
Carrier Termination Router
• Se recomienda Despliegue en Paralelo
Data SBC
– En Serie Posible en Situaciones en las que
Firewall
IT security impone un modelo con DMZ
Data Network or VLAN

Acme Packet VoIP NetworkPageVLAN
or

Por Qué un SBC sí?
• Solución DoS Basada en Appliance Hardware & Software
– Sin Cuellos de Botella / Colas de elementos Confiables y No Confiables
– Manejo Dinámico de la “Confiabilidad”: Solo replica las Sesiones “confiables” al otro lado
– El resto se queda en la cola de “no Confiables” cuya capacidad es Configurable
– Limitación del tráfico Señalización SIP hacia la red
– Tratamiento separado de Invites y registers. work
• Real-time
– Autoajusta Dinámicamente Niveles Confiabilidad y Apertura / Cierre Puertos
– Bloqueo Automático de usuarios no Confiables: Whitelists/Blacklist Servicios IP/SIP/SDP
– Evita Riesgos de Falsos DoS
• Extiende Privacidad y Confiabilidad a los End Points
– IPsec, TLS, and SRTP


Certificado Por Labs Independientes
• “Flawlessly passed all of CT Labs’ grueling attack tests”
– Total of 34 different test cases, using over 4600 test scripts
– Rate of 300,000 messages / second (approximate)
– No failed or dropped calls, even for new calls made during attacks
– Sourced from over 1 billion randomly generated addresses
– No lost RTP packets during attacks
• Protected the core service
infrastructure equipment
– Stopped flood attacks into core
– Stopped malicious packets at edge
• SBC performance not impacted
during attack
– SBC CPU utilization
- only 10% increase
– Signaling latency - only 2 ms
average increase
– RTP jitter – less than 1 ms increase
(not measurable by test equipment)

Acme Packet Page

Diferencias Funcionales entre un SBC
y Otras Soluciones

Firewall IP PBX + Other UC
with SIP Session security
Function & feature examples SBC ALG Manager Router element
DoS/DDoS protection √ - - - limited
Access control - dynamic & static √ static only - static only -
Topology hiding √ - - - -
Encryption – signaling & media √ IPSec only TLS only IPsec only limited
Malware & SPIT mitigation √ - - - √
Remote NAT traversal √ - - - -
VPN bridging √ - - L3 only -
Header manipulation rules for interop √ - - - -
SIP / H.323 interworking √ - - - -
Overlapping dial plan translations √ - √ - -
Advanced session admission controls √ - √ - -
Load balancing & advanced routing √ - √ - -
Signaling overload control √ - √ - -
QoS marking and reporting √ - - minimal -
Embedded in Avaya Aura System Platform - - √ - -

Acme Packet Page
CONFIDENTIAL © 2010 Avaya Inc. All rights reserved. 52

Escenarios SBC en OpenscapeVoice

SBC scenarios supported by OpenScape Voice

Centralized Users Centralized
Applications OSV Applications OSV
Users

WAN
Centralized Centralized
Main Office SBC SBC Main Office
(Geographically Separated) (Geographically Separated)
Internet
NAT+FW NAT+FW

1. SIP Carrier 1. SIP Carrier
SIP trunking SIP trunking

3a. Branch Office
in corporate/trusted 3b. Branch Office
NAT+FW across untrusted
infrastructure
infrastructure
NAT+FW
OpenScapeBranch OpenScapeBranch
(Proxy mode), (SBC mode)
RG8700

NAT+FW Integrated SBC for NAT+FW Integrated SBC for
Branch SIP trunking Branch SIP trunking
2. Remote User Access
(Planned for OSB V1R3) (User behind NAT FW) (Planned for OSB V1R3)

Acme Packet Page

Escenario 1a: Carrier SIP Trunking

Enterprise Network

SIP Carrier SIP
Internet Trunking PSTN
RTP Service
OpenScape SBC Untrusted
Voice
IP Service

l SBC enables enterprises to use broadband SIP trunking services for inbound /
outbound off-net calls
– Less expensive, IP based alternative to traditional channelized TDM trunking
services
l SBC provides signalling and media security, management and visibility at the
edge of the enterprise network
– Including QoS monitoring/logging for SLA
(not tested as part of the OpenScape Voice solution)
l SBC provides for SIP interoperability between diverse SIP trunking providers and
OpenScape Voice’s normalized SIP Interface to Service Providers.

Acme Packet Page

Scenario 1b: Intra- & Inter-Enterprise SIP Trunking
Federations
Enterprise Network A Enterprise Network B

Internet

OpenScape SBC Untrusted SBC OpenScape
Voice IP Service Voice

SBC enables enterprise to use broadband SIP trunks (SIP or SIP-Q tie lines)
between OpenScape systems over untrusted IP networks.
Eliminates need for carrier SIP trunking services
– Peer-to-peer SIP trunks run over Layer 3 IP services
Provides SIP-aware NAT functions, attack protection, signalling and media
encryption, session detail recording…
Protects communications from attacks based on visibility and mutability of
signalling and media streams (eavesdropping, media injection attacks, call
hijacking, etc)
Provides complete application level security (SIP firewall function)
Bandwidth and QoS based call admission control, QoS mapping, monitoring and
marking, QoS based routing (not tested as part of the OpenScape Voice solution)
Acme Packet Page

Scenario 2: Remote User Access

Enterprise HQ

SIP
NAT
FW RTP
Internet

RTP OpenScape
SBC
SIP Voice
Public IP
Address Corporate IP Address Space
NAT
Space
FW
Security
Encryption, authentication
Media handling, dynamic pin-holing

Application availability
Hosted NAT Traversal
IP-address & VPN management
Media anchoring and release

Acme Packet Page

Scenario 3a:
Branch Office connection
Enterprise HQ Branch Office

Proxy:
OpenScape
Branch,
RG8700
WAN
PSTN
OpenScape SBC
Voice Near + far end Trusted
IP Service PSTN
NAT Gateway

•Security
– Encryption

•Application availability
– Multi-vendor Interworking
– IP-address & VPN management
– Media anchoring and release

•Regulatory compliance
– Domain separation (VPNs)
Acme Packet Page

Scenario 3b:
Branch Office connection
Enterprise HQ Branch Office

Proxy&SBC:
OpenScape
Branch

Internet
PSTN
OpenScape SBC
Voice Untrusted NAT
NAT PSTN
IP Service
Gateway

•Security
– Encryption

•Application availability
– Multi-vendor Interworking •Note:
– IP-address & VPN management De-centralized deployment of Acme Packet
– Media anchoring and release SBCs in branch office locations is not supported.
OpenScape Branch has integrated SBC
•Regulatory compliance functionality, for use in branch offices.
– Domain separation (VPNs)
Acme Packet Page

OpenScape Branch V1 R2 Proxy Operating Mode

Enterprise HQ 1. Branch SIP Users are primarily registered
Centralized
OSV
to the OpenScape Branch.
Users Applications
2. OpenScape Branch operates as a Proxy and
forwards messages from the branch SIP User
to the OSV for call control.
2a

Centralized
SBC Note:
Centralized The LAN infrastructure in the Main Office
GWs
2b can be either
2a) directly connected to the WAN or
PSTN SIP trunking
WAN 2b) connected to the WAN through the SBC
(in case that NAT is required to handle overlapping
Branch Office
private IP address ranges in various Branch Offices).
Users
OpenScape Branch
(Proxy mode) For the event that the OpenScape Branch in Proxy
1
mode fails, the SIP Users also have the OSV SIP
NAT+FW
address as the Backup Server Address and can reach
Optiona
SIP trunking l the OSV with no service disruption.
GW
(Planned for OSB V1R3) PSTN
Acme Packet Page

OpenScape Branch V1 R2 SBC operating mode
Enterprise HQ
Centralized
Applications OSV
Users 1. Branch SIP User are primarily registered
to the OpenScape Branch.

2. Even in the so called “SBC mode” OpenScape Branch
operates as a Proxy and forwards messages from the
Centralized branch SIP User to the OSV for call control.
SBC
Centralized 2 Internet
GWs

PSTN SIP trunking

Branch Office
For OpenScape Branch in SBC Mode, a unit failure is
NAT+FW OpenScape Branch more critical than in Proxy mode.
(SBC mode) No communication to the OSV is then available.
1 One method to avoid this very unlikely condition is to
NAT+F have a redundant OpenScape Branch unit at the branch.
Optiona
W l
GW
SIP trunking PSTN
(Planned for OSB V1R3)

Acme Packet Page

Comunicación Dinámica - Infraestructura automatizada

Javier Abad, jabad@infoblox.com
Javier Abad, jabad@infoblox.com
Francisco Irala, firala@infoblox.com
Francisco Irala, firala@infoblox.com

© 2010 Infoblox Inc. All Rights Reserved.

Sobre Infoblox

Referente en el mercado DNS, DHCP e IPAM (DDI)
Única compañía en obtener la calificación “Strong Positive”
de Gartner

La única solución integral en entornos Network Change &
Configuration Management (NCCM)
Ejemplo de centros de soporte
globales y oficinas

Primera implementación empresarial, multifabricante del • USA • Japón
• Holanda • India
Orchestration Server (IF-MAP) • Australia • China
• Hong Kong • Canada
• Singapur • Más…
Primeros en combinar los entornos DDI, NCCM e IF-MAP

Más de 4,500 clientes y más de 250 de las Fortune 500

Presencia en 30 paises, centros TAC globalea con soporte 24/7,
más de 170 ingenieros

* November 2009 DDI Marketscope Report


La automatización de la Infraestructura es
estratégica

Tamaño y
Usuarios, dispositivos, sistemas,
TAREAS aplicaciones, protocolos, servicios, Complejidad
virtualización, movilidad… de la red
ctura
Hacer la infraestru
más dinámica
riesgo
Sin incrementar el
Cantidad / Tamaño

Pero mejorando la Incrementando
productividad y la Demandas de riesgos,
red
disponibilidad de la nfrastructura costes,
de red retrasos

Personal, recursos
Recursos
en gestión
de la red

Tiempo


Ejemplo de clientes y partners

Clientes Alianzas tecnológicas

Banco de España


¿Cómo complementa Infolbox las soluciones
UC de Siemens?

Disponibilidad para el negocio
Red “always on”
Visibilidad de IPs en tiempo real
Detección proactiva de fallos

Control & Compliance de la red
Switches Routers
Gestión ágil, visibilidad de la infraestructura
dinámica
IPAM & NCCM
Reportes sobre el cumplimiento de normas y
políticas internas Security
Wireless
Apps
Análisis en tiempo real del impacto del
cambio

Eficiencia y automatización
Provisión automática de IPs de dispositivos
finales. Cambios en la red
Eficiencia en entornos virtualizados
Herramientas para identificar, verificar y
remediar problemas rápidamente


Facilitar el entorno UC dinámico

Visibilidad
Y automatización
Aplicaciones

Infoblox DDI
Proporciona servicios DDI
DNS / DHCP / IPAM
Detecta IPs

Comunicar /
Realizar acción Closed Loop
Automation

Infoblox NCCM
Chequeo de infraestructura Routing, Switching…
Reconoce el cambio


Solución DDI de Infoblox

El nexo de unión entre las redes y las aplicaciones

IP address Management (IPAM) Applicaciones

- Planificación
- Reservar-Asignar
- Operación
DNS, DHCP and

Servicios siempre disponibles y IPAM

robustos
- Domain Name System (DNS) Infraestructura

- Dynamic Host Control Protocol (DHCP)
- Otros (Tiempo, TFTP, etc.)

Un bajo rendimiento en DDI es el punto débil de la red


Infoblox DNS, DHCP & IPAM

Automatizar la provisión de IPs y
proporcionar servicios críticos de
red “always-on”

Sustituye las hojas de cálculo
Visibilidad en tiempo real e históricos
de las redes e IPs conectadas
Delegar y automatizar las tareas en la
provisión de IPs y redes
Reportes y auditoría
Infraestructura DNS robusta y
securizada
DHCP Failover mejorado (crítico para
entornos UC)
Gestión DNS/DHCP de Microsoft sin
agentes


Tecnología Grid: Factor diferenciador clave

Conjunto de miembros (appliances Sencillo, Seguro, Fiable
securizados) que ejecutan uno o más
servicios (DNS,DHCP; TFTP, NTP) Grid Master Candidate
at Recovery Site

Coordinados por el Grid Master
Grid Master

Compartiendo una base de datos
distribuida

External DNS
Internal IPAM Grid Member
Grid Members
Comunicándose mediante VPN SSL Insight

Virtual
- Control y visibilidad centralizado Environment
- IPAM & Discovery tiempo real
- Failover automático y DR Branch
Offices

© 2010 Infoblox Inc. All71
Rights Reserved.

Automatización en la gestión de cambios y
configuradiones en la red

Entender la relación
Causa/Efecto

Descubrimiento y visualización de la
infraestructura de red
Colecta y analiza las configuaciones
de la infraestructura de red
Rastrea y automatiza los cambios en
la red
Identifica el no cumplimiento de
“best practices”
Identifica la violación de políticas de
cumplimiento y seguridad (SOX,
HIPAA, PCI, etc.)
Identifica, verifica y remedia las
incidencias proactivamente


Agilidad en el Negocio a través de Infraestructura
Automatizada

Soporta iniciativas de negocio

Incrementa la agilidad
Disminuye el riesgo
Aumenta la productividad
Virtualización y Cloud
Consolidación Data Center
Transición a IPv6
Seguridad y cumplimiento
Fusiones y adquisiciones


Muchas Gracias


Comunicaciones Unificadas
Riesgos Compartidos

Comunicaciones Unificadas: como protegerlas

¿Puedo reducir el
coste de mi
telefonía?


-Inspección profunda SIP/SDP
-Limitacion tasa mensajes SIP,SCCP,SIMPLE
-RTP Pin-Holing
-Stateful SIP dialog tracking
-HA y HA geográfica SIP
-Soporte NAT/NATP
-SIP NAT Tracing
-SIP HNT
-Soporte IPv6
-IPS/IDS
-Etc…


¿Cómo hacer
llegar la nómina a
mis empleados
mensualmente?


¿Cuáles son las
fechas de
vacaciones de mis
técnicos?


¿Cuál es la mejor
forma de compartir
mis documentos?


¿Cómo saber si mi
compañero estará
disponible ahora
mismo o no?


¿Puedo presentar mi
trabajo o producto
remotamente y a una
amplia audiencia
geográficamente
dispersa como si
estuviera presente?


Fortimail: Seguridad SMTP

FortiDB: Seguridad en BB.DD

FortiWeb: Seguridad WAFS


¿Cómo ganar
movilidad?


-Conexiones VPN:
-IPSec
-SSL
-L2TP
-PPTP
-Escritorio Virtual para VPN-SSL
-Portales cautivos
-Internet Browsing & split tunneling
-Chequeo del End-Point (Forticlient,Java,AX)
-Administracion centralizada y seguridad en
Puntos de acceso Wi-Fi (FortiAP)
-One-Time Password (FortiToken)
-Integración auth. Radius, LDAP, AD, e-Diretory
-Integracion auth. Transparente AD, e-Directory
-Seguridad en VPN (AV,IPS,WF….)
-etcétera…


¿Cómo unificar mis
comunicaciones de
forma poco costosa y
efectiva?


FORTINET:
Genuine
swiss army knife

Comunicaciones Unificadas: el qué y el como

“There is nothing more important than our customers”

Seguridad de red y UC
¿Quién lee tus Ims?
Marzo 2011

¿Qué buscamos de la red actual?

USUARIO ADMINISTRADOR EJECUTIVO

Movilidad y Dos redes: LAN & Gastos de capital
seguridad en la WLAN. Data &
red Multimedia
Costes de
instalación de los
Rendimiento y Gestionabilidad sistemas
disponibilidad de
la red
Facilidad de Gastos operativos
diagnóstico
Soporte de
aplicaciones
multimedia

103 ©2011 Enterasys Networks, Inc. – All rights reserved.

Un portfolio completo
Abierto, Seguro, Listo para la movilidad y convergencia

MODULAR APILABLES WIRELESS GESTIÓN SEGURIDAD

Switching y Configuraciones Controladores Gestión de red Aplicaciones
routing fijas para WLAN, con capacidad avanzadas de
modular para switching y Access Points de seguridad,
soluciones routing en y soluciones automatismos, control de
datacenter y acceso y unificadas de visibilidad y acceso a red,
cloud distribución gestión WLAN control prevención de
y LAN intrusión y
agregación y
gestión de
eventos.

Servicios y Soporte Premiados
©2011 Enterasys Networks, Inc. – All rights reserved. 104

Proporcionando Alto Rendimiento, Flexibilidad y
el Menor TCO

Una única interfaz para gestionar WLAN Configuración automática del
y LAN punto de conexión
- Menores costes de operación - La red se adapta rápida y
- Mantiene la integridad de la red eficientemente a las
necesidades del negocio

Servicios y Soporte

Más rendimiento con menor Disponibilidad y QoS
consumo energético Excepcionales
- Ahorra potencia para usarla en - Mayor calidad de Video y Voz
las aplicaciones.


CoreFlow 2 – El motor más potente de inspección
de tráfico

Clasifica tráfico y aplica
políticas mas allá del nivel 4
SAN
- Permite acceso con granularidad de
target iSCSI
- Gestión de ancho de banda y
monitorización a nivel de target iSCSI

Voz IP y Video
- Permite QoS y control de acceso para
flujos de medio o de control RTP

Cloud
- Permite controles de acceso basados en
rol para servicios como
www.salesforce.com
- Monitorización de tráfico por sites como
www.youtube.com


UC Security Roadshow 2011

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (19)

Ähnlich wie UC Security Roadshow 2011

Ähnlich wie UC Security Roadshow 2011 (20)

Mehr von schinarro

Mehr von schinarro (7)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

UC Security Roadshow 2011