UC Security Roadshow 2011

Copyright © Siemens Enterprise Communications GmbH & Co. KG 2009. All rights reserved. Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licensee of Siemens AG.

Madrid, 15 March 2011

Upload: schinarro

Post on 11-May-2015


Page 1: UC Security Roadshow 2011

Madrid, 15 March 2011

UC Security Roadshow 2011

Page 2: UC Security Roadshow 2011

UC Security Solutions

Aurelio Martín, Siemens Enterprise Communications Group

Page 3: UC Security Roadshow 2011

Unified Communications (UC)

Our Customers and the Industry want …

Page 4: UC Security Roadshow 2011

Planning for today's business challenges

Business trends

• Tightened spending due to difficult economy
• Green Enterprise mandates are emerging
• Continued highly distributed organizations
• Blurring of work-life boundaries
• Speed and collaboration are essential

Communications trends

• Open standards, SIP, SOA
• Cloud computing and SaaS emerging
• “Anywhere” seamless mobility
• Software-driven communications
• UC approaching mainstream
• Ubiquitous, affordable secure network infrastructures

Page 5: UC Security Roadshow 2011

Unified Communications (UC)

The demand is for …

… Reliable and Secure!

Page 6: UC Security Roadshow 2011

OpenScape Unified Communications: Open Architecture for Integration

[Architecture diagram. Labels shown:]

• Software Foundation
• OpenScape Applications: OpenScape Voice*, OpenScape Mobility, OpenScape Video, OpenScape Messaging, OpenScape UC Application, OpenScape Contact Center, and more …
• OpenSOA
• OpenScape Unified Communications Server: SIP Session Control, Availability Management, Federated Presence, QoS Management, Session Detail Reporting, Administration & Licensing, and more …
• Network Services & Management: Performance Management, AAA Services, Embedded Security, Endpoint Location Service, Alarm and Config Management, UC Network Aware Application Interface
• Real time Communications Infrastructure (Gateways, SBCs)
• Network Infrastructure (Switches, Routers)
• Mobility Infrastructure (Wireless LAN)
• Data Center Infrastructure
• Service Availability
• Side labels: OpenScale UC Integration Services, OpenScale IT Service Management, OpenScale Security

Page 7: UC Security Roadshow 2011

UC Integration Services & Solutions: Enterprise Grade Service Level Offerings

The OpenScape UC Integration Accessories deliver pre-packaged UC enhancements for the OpenScape UC Application

Based on the Siemens OpenSOA approach, the UC Integration Solutions provide the realization of customer-specific UC solutions

The UC Deployment Solutions support varied customer-specific infrastructure environments

The UC Security Solutions address all relevant security requirements in UC solutions

The Professional Services Suite for UC offers all relevant professional services for realizing UC projects based on the OpenScape UC Application.

[Diagram labels: Customized UC Integration Solutions; UC Deployment Solutions; OpenScape UC Application V3.1; UC Security Solutions; OpenScape UC Integration Accessories]

Page 8: UC Security Roadshow 2011

Security Challenges from a UC Perspective

UC Security Challenges … / Examples … / The Impact …

• Service availability. Example: Maintain or increase service availability within a converged voice and data infrastructure. Impact: Increased productivity and revenue.
• Integrity & confidentiality. Example: Maintain integrity and confidentiality of corporate data and communications. Impact: Prevent loss of valuable data and information, reputation.
• Operational efficiency. Example: Maintain security while reducing operating cost / Automate administration tasks. Impact: Reduced operational costs.
• Compliance. Example: Fulfill legal and regulatory requirements. Impact: Corporate image, fraud prevention.

Page 9: UC Security Roadshow 2011

Customers will demand solutions and services to mitigate risks in Unified Communications

Mitigate risks of Unified Communications

Infrastructure & Protocols

• Flooding Attacks (i.e. parser, DNS blocking, message flows attacks)
• Denial of service attacks
• Eavesdropping
• (poor) Authentication misuse
• Manipulation
• Fraud
• SPIT

Applications & Users

• Spam
• ID Theft
• VOMIT*
• Denial of service
• SQL injection
• Bad software
• Inconsistency of user data
• Authentication misuse
• Social engineering
• Lack of security awareness

Business Processes

• Absence of
– Risk management strategy
– Business continuity planning
– Disaster recovery strategy
• Incident management
• Ignore compliance issues
• No Independent security assessments

* voice over misconfigured internet telephones

Page 10: UC Security Roadshow 2011

Security defense in a UC environment is a layered approach

[Layer diagram. Layers: OpenScape UC Server; Network Infrastructure; OpenScape Applications; Business Processes]

Security measures to consider

• SIP Security (TLS/SRTP)
• Network Security
• Asset Classification
• Business Continuity
• Information Security Management
• Security Policies & Processes
• Single-SignOn
• Application Security
• Security Audits – Security Testing
• Session Border Controllers / Firewalls
• Security Information & Event Management (SIEM)
• Intrusion prevention
• VPN (IPSec/TLS)
• Antivirus & Antimalware
• Supporting Services Security (DNS, web server, databases)
• Certificate Infrastructure
• Backup & Disaster Recovery
• Data Loss Prevention
• Access Management
• Identity Management
• Network Authentication (802.1x / NAC)

Page 11: UC Security Roadshow 2011

Why Siemens Enterprise Communications?

Only provider offering the choice of complete end-to-end, software-driven unified communications, based on open, secure interoperable standards

• Complete voice + UC software Portfolio
• Complete mobility + wireless Portfolio
• Complete networks + security Portfolio
• Complete global services portfolio

• No single-vendor lock-in
• No proprietary technology stacks
• Driven by your goals, not our agenda

• Solution layers can be multi-vendor
• Integrates with Cisco, IBM, Microsoft and Open Source solutions
• Synergies from our end-to-end solution

• Drive cost reduction
• Increase productivity
• Faster decision making
• Improved collaboration

Open

Page 12: UC Security Roadshow 2011

Live Demo

Page 13: UC Security Roadshow 2011

Prepacked and customized security solutions to secure a UC environment

[Layer diagram. Layers: OpenScape UC Server; Network Infrastructure; OpenScape Applications; Business Processes]

Security measures to consider

• SIP Security (TLS/SRTP)
• Network Security
• Asset Classification
• Information Security Management
• Security Policies & Processes
• Application Security
• Security Audits – Security Testing
• Security Information & Event Management (SIEM)
• Intrusion Prevention
• VPN (IPSec/TLS)
• Antivirus & Antimalware
• Backup & Disaster Recovery
• Data Loss Prevention
• Access Management

Solutions and services shown (legend: Prepackaged Solutions & Services; Customizing Solutions & Services)

• Business Continuity for UC
• OpenScape SignOn
• Secure Communication Infrastructure
• OpenScape Location and Identity Assurance
• IP Network Services for UC
• Certificate Services for UC
• OpenScape Identity & Lifecycle Assistant

Page 14: UC Security Roadshow 2011

OpenScape Identity Lifecycle Assistant

Automated user administration using

Page 15: UC Security Roadshow 2011

Automation of user administration using OpenScape Identity Lifecycle Assistant

Solution Description

• Simplifies user administration within an OpenScape Voice environment and complements the administration via the Common Management Portal
• Initial load of user information by connecting to an authoritative HR data source (HR system, LDAP service, ODBC database, etc.)
• Continuous update of user information if user status changes (e.g., leaves company, moves to other department)
• Supplies OpenScape Voice with additional information for billing purposes (e.g. cost center of the organizational unit)
• Delivers a fast and easily implemented phone book that is accessed via Web or LDAP

Page 16: UC Security Roadshow 2011

OpenScape Identity Lifecycle Assistant – Customer Benefits

• Ensure automatic withdrawal of assets and access rights (e.g. user changes role or leaves company)
• Increase employee productivity by providing automated, fast access to communication services
• Relieves IT from duplicate administration of user information
• Automates administration tasks (e.g. automatic subscriber provisioning)
• Reuse existing user information within systems instead of recreating it (e.g. collect information from HR for billing purposes)

Benefit categories: Superior Security; Enhance Corporate Excellence; Grow Revenue; Reduce Operating Costs; Increase Asset Efficiency

Page 17: UC Security Roadshow 2011

OpenScape SignOn

One-click for all application logon using

Page 18: UC Security Roadshow 2011

One-click for all application logon using OpenScape SignOn

Solution Description

• OpenScape SignOn improves usability and security and reduces administration effort for UC applications that rely on OpenScape Voice or HiPath platforms.

OpenScape SignOn:

• Facilitates access to applications and usability
• Provides a single login for most voice applications and access to voice platforms from SEN
• Possibility to automatically generate and renew passwords for applications on behalf of the user
• Supports strong authentication for access to sensitive applications
• Provides central audit capability that simplifies compliance reporting

Page 19: UC Security Roadshow 2011

OpenScape SignOn – Customer Benefits

• Automatically enforce password policy (no password on a sticky note)
• Simplify compliance reporting by providing central audit trail for application access
• Increase employee productivity by enhancing user convenience (one-click application access, automated password renewal)
• Reduce help desk calls related to password resets
• Consolidated audit trail for application access in one single location
• Leverage strong authentication mechanisms for a variety of additional applications

Benefit categories: Superior Security; Enhance Corporate Excellence; Grow Revenue; Reduce Operating Costs; Increase Asset Efficiency

Page 20: UC Security Roadshow 2011

OpenScape Location and Identity Assurance

Keeping track of moving targets using the

Page 21: UC Security Roadshow 2011

Keeping track of moving targets using the solution OpenScape Location and Identity Assurance

Solution Description

• The solution OpenScape Location and Identity Assurance provides several enhancements for an OpenScape or HiPath environment that facilitate and automate operations and improve enterprise security.
• Supports adaptation and automation of configuration tasks based on location information (e.g. configuring speed dial lists, emergency numbers, site security)
• Is able to automatically assign QoS parameters and security profiles (ACLs, VLAN, Policies) via NAC
• Provides automated inventory and detection of non-compliant end devices
• Facilitates troubleshooting of end devices by providing one consistent view

[Diagram labels: Access & Control; Detect & Locate; Respond & Remediate; Establish & Enforce Policy; Core Network; NAC Appliance; Secure Networks NAC Features; OpenScape Voice; NAC Manager; HiPath DLS; Physical Infrastructure Database; Import Synchronization; Mobile Users; steps 1, 2, 3; User moves]

Page 22: UC Security Roadshow 2011

OpenScape Location and Identity Assurance – Customer Benefits

• Reliable and high-quality operation of real-time applications through automatically assigned QoS and security profiles
• Reduces risk and down-time due to automatic assignment of security settings
• Enhance employee productivity by reducing network downtime and outages
• Reduce time to localize IP phones within enterprise network
• Save administrative cost for troubleshooting
• Leverage existing information of network management and communications management systems

Benefit categories: Superior Security; Enhance Corporate Excellence; Grow Revenue; Reduce Operating Costs; Increase Asset Efficiency

Page 23: UC Security Roadshow 2011

IP Network Services for UC

The glue between UC applications and your network infrastructure

Page 24: UC Security Roadshow 2011

The glue between UC applications and network infrastructure

Solution Description

• Provides IP network services (DNS, DHCP, NTP) that are crucial for UC applications like most other business critical applications run within the enterprise
• Assures availability requirements expected for a UC datacenter deployment
• Provides fault tolerance for IP network services in branch offices
• DNS/DHCP as a service are essential for plug&play installation
• Automated IP address management with a real-time view on the IP addresses

Page 25: UC Security Roadshow 2011

IP Network Services – Customer Benefits

• Reduced network outages
• Fast and reliable update
• Automated failover in case of services disruption
• Secure and reliable hard & software platform
• Improve performance of all applications (email, Web, VoIP/UC, Intranet..)
• Eliminate DNS latency
• Consolidate servers from branch offices
• Reduce capital and administration cost
• Simplify troubleshooting
• Automate monitoring
• Leverage existing infrastructure from Cisco or Riverbed in branches

Benefit categories: Superior Security; Enhance Availability; Enhance Productivity; Reduce Operating Costs; Increase Asset Efficiency

Page 26: UC Security Roadshow 2011

OpenScape Session Border Controllers

The Swiss-Knife for solving connectivity and security issues within

Page 27: UC Security Roadshow 2011

Solving connectivity and security issues in OpenScape UC environments

Solution Description

• Protects OpenScape UC from being overloaded by rate limiting traffic
• Protects OpenScape UC against attacks or malfunctioning (e.g. Denial-of-Service)
• Provides access control for internet connected users
• Network topology hiding and dynamic pin-holing for RTP/SRTP traffic
• Solves connectivity issues in customer networks with overlapping IP addresses
• Ensures privacy when connecting the enterprise to a SIP services provider
• Provides interworking capabilities for
– SIP aware NAT adaptation
– heterogeneous vendor environments
– protocol adaption when connecting to SIP services providers
– TLS/SRTP termination on network borders without TLS/SRTP support (SIP provider)

[Diagram labels: LAN; Data Center; Session Border Controller; PSTN; VoIP Provider; WAN]

Page 28: UC Security Roadshow 2011

Session Border Controllers – Customer Benefits

• Protect UC infrastructure against threats
• Enhance availability of UC services
• Enable VoIP migration into Next Generation Networks services
• Support of mobility scenarios increases skilled employee availability and productivity
• Consolidate PSTN trunks and move to SIP trunking services
• Economically and flexibly integrate internet connected VoIP users
• Leverage existing internet connections by extending them with SIP services
• Provide interworking capabilities to economically integrate acquisitions

Benefit categories: Superior Security; Enhance Corporate Excellence; Grow Revenue; Reduce Operating Costs; Increase Asset Efficiency

Page 29: UC Security Roadshow 2011

Certificate Services for Unified Communications

Creating a secure & more agile business

Page 30: UC Security Roadshow 2011

Professional Services for Identity & Access: Certificate Services for Unified Communications

Service Description

Secure authentication and encryption based on certificates is the most important way to protect a UC solution. Conversations on the phone stay confidential and services, servers and endpoints are being protected from manipulation.

Certificate services for UC are key portfolio elements, wherever customers attempt to implement their own certificate infrastructure for their UC solution.

Four specific professional service elements ensure seamless integration in our customer’s certificate infrastructures and fulfill their policy requirements:

• Scoping Workshop
• Architecture and Design
• Design Specification
• Customizing and Implementing

Page 31: UC Security Roadshow 2011

Certificate Services for UC – Customer Benefits

• Protection of confidential communication and business content against theft
• Take into account all relevant legal policies
• Allow easy and secure interworking with partners
• Improve the company’s image by ensuring secure and trusted business communication
• Establish the company as a trusted business partner
• Protection of the UC services against misuse, fraud and manipulation
• Ensuring the availability of the communication services
• Create a best-in-class security level to protect the value of the company's intellectual property
• Ensure the reliability of digital assets and business processes

Benefit categories: Superior Security; Enhance Corporate Excellence; Grow Revenue; Reduce Operating Costs; Increase Asset Efficiency

Page 32: UC Security Roadshow 2011

Business Continuity Management for Unified Communications

Page 33: UC Security Roadshow 2011

Business Continuity Management for Unified Communications

Service Description

BCM Health Check for UC

• The aim of the service is to quickly and efficiently identify gaps in the existing Business Continuity provisions in relation to transforming to UC and produce an improvement programme

BCM for UC Solutions

• This service combines a Business Impact Assessment and Plan Development to enable customers to have updated BCM plans that reflect the new technologies

Incident Management Exercise for UC

• This service tests the incident response readiness of the business to a communication failure. As well as testing the technical recovery it also tests the senior management response to managing an incident

Page 34: UC Security Roadshow 2011

Business Continuity Management for UC – Customer Benefits

• Improve identification and mitigation of risk
• Reassure customers that you won't go under should there be a disaster
• Handle incidents professionally
• Provide reliable access to systems for staff and customers
• Enable resilient deployment of innovative technologies allowing flexibility of staff working practices
• Ensure you are getting best value from your suppliers
• Make sure incidents are prepared for and handled with minimum disruption and costs
• Ensure the reliability and availability of assets
• Improve utilization of resources and reduce downtime

Benefit categories: Superior Security; Enhance Corporate Excellence; Grow Revenue; Reduce Operating Costs; Increase Asset Efficiency

Page 35: UC Security Roadshow 2011

Thank you!

Visit our new website:

www.siemens-enterprise.com/es

And our Twitter account:

@SiemensEnt_SP

Page 36: UC Security Roadshow 2011

Enterprise Solutions

Ignacio Garcia Calderon – Enterprise Sales Manager

Page 37: UC Security Roadshow 2011

Acme Packet Enterprise Overview

Acme Packet company overview

This is not us!!!!

Page 38: UC Security Roadshow 2011

Acme Packet in 2 Minutes

Acme Packet

• Creator of the Session Border Controller (SBC) category.
• Market leader and reference, market share +60% (Source: Infonetics)
• +1100 customers in 105 countries. More than 300 in Enterprise
• +900 operators
– Fixed, Cable, Mobile
– 91 of the 100 largest
• +300 Enterprises & Contact Centers
– 11 of the Fortune 25 list
• Public company (NASDAQ: APKT)
• Headquarters in Boston, USA. +500 employees in total
• EMEA HQ: Madrid, 30 employees
– Interoperability Laboratory
– EMEA TAC
– EMEA Training Center
– Sales for Southern Europe and Benelux

[Charts: Revenue ($M) and EPS (non-GAAP) for 2008, 2009 and 2010, each marked "guidance"; values shown: $0,68, $0,35, $0,27]

Page 39: UC Security Roadshow 2011

CONFIDENTIAL © 2010 Avaya Inc. All rights reserved.

Acme Packet Enterprise & Contact Center Customers (December 2010)

Acme Packet customers

• Finance/Insurance: 18%
• Higher Ed: 4%
• Technology: 15%
• Government: 17%
• Manufacturing: 12%
• Professional Services: 10%
• Other: 24%

Page 40: UC Security Roadshow 2011

Acme Packet Confidential - INTERNAL ONLY

Some Enterprise Customers

Northwestern Mutual

MIT

Page 41: UC Security Roadshow 2011

Challenges in Real-Time IP Services: Security, Interoperability, Business Continuity

Page 42: UC Security Roadshow 2011

Acme Packet confidential

Challenges

1: Make real-time IP services universal

– Interoperability problems (VoIP, video)
  • Of protocols (SIP-H.323)
  • Of transport (TCP/UDP)
  • Between vendors, and between vendors and operators
– Time-to-market problems
  • Partial certification of vendors and versions at the SP
  • Months of certification
  • Loss of agility

2: Assure SLAs, quality of service, business continuity - CAC, QoS measurement, troubleshooting

• Assure CAC, from the network or at the customer, by several methods, or dynamically
• Work at session level in HA/DRP solutions with load balancing and routing.
• If there are problems, an external element that audits the network is needed: troubleshooting

3: Specialized security for VoIP at the customer - Security at the customer's premises = business continuity

• VoIP-specific threats that must be handled in a specialized way
• Periodic fraud attempts, accidental internal threats
• Is VoIP strategic? Is protecting it IMPORTANT? It is KEY.

Page 43: UC Security Roadshow 2011

SBC: Solves the Challenges

1: The most powerful interoperability tool

– Interworking of signalling and transport, at the customer and towards the SP
– ROI: investment protection, integration, costs, efficiency, agility (time to market)

2: Security: dedicated, VoIP-specialized firewall

– Internal and external; keeps the service operational. Fraud control. Encryption, VPNs. Remote users over the public network.
– ROI: availability and business continuity. Privacy. Security.

3: QoS and business control

– CAC, QoS measurement and reports. Troubleshooting.
– CDRs for billing per environment / VPN
– High availability, geographic redundancy. No calls lost on failover.
– ROI: high availability and business continuity. Cost savings and control.

Page 44: UC Security Roadshow 2011

Security in VoIP/Video/UC Services

Page 45: UC Security Roadshow 2011

New Rules, New Threats

• Session-level attacks that can ruin business continuity and productivity
– DoS/DDoS attacks
– Fraud
– VoIP spam
– Register / signalling overload (malicious / accidental)

• Breaches in the privacy of communications can lead to business losses and regulatory violations
– Identity theft
– Eavesdropping
– Fraud

Security solutions must be designed to protect real-time communications, at session level

Page 46: UC Security Roadshow 2011

Current Tools: Not 100% Adequate

• Firewalls: not designed for real-time services
– They impact quality of service (adding jitter and latency)
– They cannot handle hundreds or thousands of sessions in real time
– They do not work at session level. They were not designed for that
– They do not provide high availability (e.g. not losing sessions on failover)

• Problems:
– Preventing SIP-specific overload conditions and malicious attacks
– Dynamically opening / closing RTP media ports in synchronization with the SIP signalling
– Tracking session state and providing uninterrupted service
– No security for encrypted sessions
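
The dynamic opening and closing of RTP media ports in step with SIP signalling, which the slide above lists as a gap in plain firewalls, can be sketched as follows. This is an added illustration, not Acme Packet or Siemens code: `PinholeTable`, its method names and the sample messages are constructed for the example, and RTCP is assumed to use the RTP port + 1.

```python
# Added illustration: media pinholes driven by SIP/SDP signalling.
# All messages below are constructed samples using documentation IP ranges.

INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "CSeq: 1 INVITE\r\n"
          "Content-Type: application/sdp\r\n"
          "\r\n"
          "v=0\r\n"
          "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
          "s=-\r\n"
          "c=IN IP4 192.0.2.10\r\n"
          "t=0 0\r\n"
          "m=audio 49170 RTP/AVP 0\r\n")

OK_200 = ("SIP/2.0 200 OK\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "CSeq: 1 INVITE\r\n"
          "Content-Type: application/sdp\r\n"
          "\r\n"
          "v=0\r\n"
          "o=bob 2890844527 2890844527 IN IP4 198.51.100.20\r\n"
          "s=-\r\n"
          "c=IN IP4 198.51.100.20\r\n"
          "t=0 0\r\n"
          "m=audio 3456 RTP/AVP 0\r\n")

BYE = ("BYE sip:bob@example.com SIP/2.0\r\n"
       "Call-ID: a84b4c76e66710\r\n"
       "CSeq: 2 BYE\r\n"
       "\r\n")


def parse_sip(raw):
    """Split a SIP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_endpoints(sdp):
    """Return (ip, port) for every active m= line in an SDP body.

    A media-level c= line overrides the session-level one; port 0 means
    the stream is disabled, so no pinhole is derived from it.
    """
    session_ip, current, found = None, None, []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if current is None:
                session_ip = ip
            else:
                current[0] = ip
        elif line.startswith("m="):
            port = int(line.split()[1].split("/")[0])
            current = [session_ip, port]
            if port != 0:
                found.append(current)
    return [(ip, port) for ip, port in found if ip]


class PinholeTable:
    """Tracks which media addresses the signalling has authorised, per call."""

    def __init__(self):
        self.by_call = {}  # Call-ID -> set of (ip, port)

    def on_signalling(self, raw):
        start, headers, body = parse_sip(raw)
        call_id = headers.get("call-id") or headers.get("i")  # "i" = compact form
        if not call_id:
            return
        method = start.split()[0]
        if method in ("BYE", "CANCEL"):
            # Call is ending: close every pinhole that belonged to it.
            self.by_call.pop(call_id, None)
            return
        offer = method == "INVITE"
        answer = (start.startswith("SIP/2.0 2")
                  and headers.get("cseq", "").endswith("INVITE"))
        if (offer or answer) and body:
            holes = self.by_call.setdefault(call_id, set())
            for ip, port in media_endpoints(body):
                holes.add((ip, port))      # RTP
                holes.add((ip, port + 1))  # RTCP (assumed RTP port + 1)

    def permits(self, ip, port):
        """True only while some active call has negotiated this address."""
        return any((ip, port) in holes for holes in self.by_call.values())
```

Media for an address is admitted only between the offer/answer that named it and the BYE for the same Call-ID; a static port-range rule has no equivalent of that closing step.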

Page 47: UC Security Roadshow 2011

Acme Packet Net SAFE: A Security Solution Specific to Real-Time Services

• Protects itself against DoS attacks or malicious/accidental overloads
• Dynamic, session-level access control for signalling and media
• Complete hiding of the infrastructure, and user privacy
• Support for L2 and L3 VPN services and security
• Protects the infrastructure, prevents external and internal attacks and limits their impact
• Prevents bad practices, fraud and theft of service
• Monitors, reports and logs attacks and hacker information, and provides information for audits
• Detection and removal of viruses, worms and malware

[Diagram labels: Self-protection (DoS, DDoS); Access control and VPN separation; Privacy, topology hiding, encryption; Worm/virus/malicious software; Fraud prevention; Service DoS prevention]

Page 48: UC Security Roadshow 2011

Acme Packet SE Training - July 2009

Basic Differences from Other Solutions

B2BUA devices (SBC)

• Terminate, initiate and re-initiate signalling and SDP
• 2 sessions, one on each side of the system
• Layers 2-7
• Inspects and modifies all header information of the session layer (SIP, SDP, etc.)
• Static and dynamic ACLs
• Keeps the service operational

Firewall with SIP ALG

• The session traverses the FW
• Cannot terminate, initiate and re-initiate signalling and SDP
• Works at layers 2-4
• Only inspects and modifies session-level addressing (SIP, SDP, etc.)
• Static ACLs only
• Closes the ports when attacked: loss of service.

[Diagram labels, shown for both cases: SIP trunk; IP PBX; UC server; Data center]

Page 49: UC Security Roadshow 2011

…Complementary Solutions

• Separate control of real-time applications (SBC) and traditional traffic (FW).
• Keeps management separate if required
• No change to the firewall configuration
• Traffic optimization
– The small media packets do not traverse the FW
• No impact on VoIP QoS
– No additional latency or jitter introduced by the FW
– SBC latency on media below 15µs
• Parallel deployment is recommended
– In-series deployment is possible in situations where IT security imposes a model with a DMZ

[Diagram labels: SIP Carrier; Carrier Termination Router; SBC; VoIP Network or VLAN; Data Network or VLAN; Data Firewall]

Page 50: UC Security Roadshow 2011

Why an SBC?

• DoS solution based on a hardware and software appliance
– No bottlenecks / queues for trusted and untrusted elements
– Dynamic handling of "trust": only "trusted" sessions are replicated to the other side
– The rest stay in the "untrusted" queue, whose capacity is configurable
– Limits SIP signaling traffic toward the network
– Separate treatment of INVITEs and REGISTERs.

• Real-time
– Dynamically self-adjusts trust levels and the opening and closing of ports
– Automatic blocking of untrusted users: whitelists/blacklists for IP/SIP/SDP services
– Avoids the risk of false DoS

• Extends privacy and trust to the endpoints
– IPsec, TLS, and SRTP
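A small model of the trusted/untrusted queue handling listed on this slide, added here as an illustration and not Acme Packet's implementation. The thresholds, the strike count, the `auth_ok` flag and the addresses are assumptions constructed for the example.

```python
"""Toy model of trust-based SIP admission control (illustration only)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Msg:
    t: float               # arrival time, seconds
    src: str               # source IP of the SIP message
    method: str            # "INVITE" or "REGISTER"
    auth_ok: bool = False  # constructed flag: the core accepted the credentials


class TrustGate:
    def __init__(self, untrusted_capacity=4, window=1.0, strikes_to_block=3,
                 limits=None):
        # Separate per-source ceilings for INVITE and REGISTER (assumed values).
        self.limits = limits or {"INVITE": 5, "REGISTER": 2}
        self.window = window
        self.strikes_to_block = strikes_to_block
        self.untrusted = deque()                  # bounded queue, untrusted traffic
        self.untrusted_capacity = untrusted_capacity
        self.trusted, self.blacklist = set(), set()
        self.strikes = defaultdict(int)
        self.seen = defaultdict(deque)            # (src, method) -> recent timestamps

    def _over_limit(self, msg):
        times = self.seen[(msg.src, msg.method)]
        times.append(msg.t)
        while times and msg.t - times[0] >= self.window:
            times.popleft()                       # forget arrivals outside the window
        return len(times) > self.limits.get(msg.method, 5)

    def handle(self, msg):
        """Classify one message as forward, queued, dropped or blocked."""
        if msg.src in self.blacklist:
            return "blocked"
        if self._over_limit(msg):
            self.strikes[msg.src] += 1
            if self.strikes[msg.src] >= self.strikes_to_block:
                self.trusted.discard(msg.src)     # trust is revoked dynamically
                self.blacklist.add(msg.src)
                return "blocked"
            return "dropped"
        if msg.src in self.trusted:
            return "forward"                      # trusted path bypasses the queue
        if len(self.untrusted) >= self.untrusted_capacity:
            return "dropped"                      # untrusted queue is full
        self.untrusted.append(msg)
        return "queued"

    def drain(self, budget=1):
        """Pass up to `budget` untrusted messages to the core; promote on auth."""
        forwarded = []
        while self.untrusted and len(forwarded) < budget:
            msg = self.untrusted.popleft()
            if msg.src in self.blacklist:
                continue                          # purge traffic queued before the block
            if msg.method == "REGISTER" and msg.auth_ok:
                self.trusted.add(msg.src)
            forwarded.append(msg)
        return forwarded


def simulate():
    gate = TrustGate()
    phone, flooder = "192.0.2.10", "198.51.100.7"  # constructed documentation addresses
    results = defaultdict(list)
    # The phone registers; its REGISTER is drained to the core and promotes it.
    results[phone].append(gate.handle(Msg(0.0, phone, "REGISTER", auth_ok=True)))
    gate.drain()
    # Constructed flood: 50 INVITEs within half a second from one source.
    for i in range(50):
        results[flooder].append(gate.handle(Msg(0.1 + i * 0.01, flooder, "INVITE")))
    # The phone places a call while the untrusted queue is still full.
    results[phone].append(gate.handle(Msg(0.7, phone, "INVITE")))
    return gate, results


if __name__ == "__main__":
    gate, results = simulate()
    for src, outcomes in results.items():
        print(src, {o: outcomes.count(o) for o in sorted(set(outcomes))})
```

The flood never touches the trusted path: the phone's INVITE is forwarded even though the untrusted queue is full, and the flooder's queued messages are purged once it is blacklisted.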

Page 51: UC Security Roadshow 2011

Certified by independent labs

• “Flawlessly passed all of CT Labs’ grueling attack tests”
– Total of 34 different test cases, using over 4600 test scripts
– Rate of 300,000 messages / second (approximate)
– No failed or dropped calls, even for new calls made during attacks
– Sourced from over 1 billion randomly generated addresses
– No lost RTP packets during attacks

• Protected the core service infrastructure equipment
– Stopped flood attacks into core
– Stopped malicious packets at edge

• SBC performance not impacted during attack
– SBC CPU utilization - only 10% increase
– Signaling latency - only 2 ms average increase
– RTP jitter – less than 1 ms increase (not measurable by test equipment)

Page 52: UC Security Roadshow 2011

CONFIDENTIAL © 2010 Avaya Inc. All rights reserved.

Functional differences between an SBC and other solutions

Function & feature examples | SBC | Firewall with SIP ALG | IP PBX + Session Manager | Router | Other UC security element
DoS/DDoS protection | √ | - | - | - | limited
Access control - dynamic & static | √ | static only | - | static only | -
Topology hiding | √ | - | - | - | -
Encryption – signaling & media | √ | IPsec only | TLS only | IPsec only | limited
Malware & SPIT mitigation | √ | - | - | - | √
Remote NAT traversal | √ | - | - | - | -
VPN bridging | √ | - | - | L3 only | -
Header manipulation rules for interop | √ | - | - | - | -
SIP / H.323 interworking | √ | - | - | - | -
Overlapping dial plan translations | √ | - | √ | - | -
Advanced session admission controls | √ | - | √ | - | -
Load balancing & advanced routing | √ | - | √ | - | -
Signaling overload control | √ | - | √ | - | -
QoS marking and reporting | √ | - | - | minimal | -
Embedded in Avaya Aura System Platform | - | - | √ | - | -

Page 53: UC Security Roadshow 2011

SBC scenarios in OpenScape Voice

Page 54: UC Security Roadshow 2011

SBC scenarios supported by OpenScape Voice

1. SIP Carrier
2. Remote User Access (user behind NAT FW)
3a. Branch Office in corporate/trusted infrastructure
3b. Branch Office across untrusted infrastructure

[Diagram labels: OSV, centralized applications, users, centralized SBC, SIP trunking, WAN, Internet, NAT+FW, OpenScape Branch (Proxy mode), RG8700, OpenScape Branch (SBC mode), integrated SBC for branch SIP trunking, Main Office (geographically separated) (planned for OSB V1R3)]

Page 55: UC Security Roadshow 2011

Scenario 1a: Carrier SIP Trunking

• SBC enables enterprises to use broadband SIP trunking services for inbound / outbound off-net calls
– Less expensive, IP-based alternative to traditional channelized TDM trunking services

• SBC provides signalling and media security, management and visibility at the edge of the enterprise network
– Including QoS monitoring/logging for SLA (not tested as part of the OpenScape Voice solution)

• SBC provides for SIP interoperability between diverse SIP trunking providers and OpenScape Voice’s normalized SIP Interface to Service Providers.

[Diagram labels: Enterprise Network, OpenScape Voice, SBC, SIP, RTP, untrusted IP service, Internet, carrier SIP trunking service, PSTN]

Page 56: UC Security Roadshow 2011

Scenario 1b: Intra- & Inter-Enterprise SIP Trunking Federations

• SBC enables enterprise to use broadband SIP trunks (SIP or SIP-Q tie lines) between OpenScape systems over untrusted IP networks.

• Eliminates need for carrier SIP trunking services
– Peer-to-peer SIP trunks run over Layer 3 IP services

• Provides SIP-aware NAT functions, attack protection, signalling and media encryption, session detail recording…

• Protects communications from attacks based on visibility and mutability of signalling and media streams (eavesdropping, media injection attacks, call hijacking, etc.)

• Provides complete application level security (SIP firewall function)

• Bandwidth and QoS based call admission control, QoS mapping, monitoring and marking, QoS based routing (not tested as part of the OpenScape Voice solution)

[Diagram labels: Enterprise Network A (OpenScape Voice, SBC), Enterprise Network B (OpenScape Voice, SBC), untrusted IP service, Internet]

Page 57: UC Security Roadshow 2011

Scenario 2: Remote User Access

Security
• Encryption, authentication
• Media handling, dynamic pin-holing

Application availability
• Hosted NAT Traversal
• IP-address & VPN management
• Media anchoring and release

[Diagram labels: Enterprise HQ, OpenScape Voice, SBC, SIP, RTP, NAT FW, public IP address space, corporate IP address space, Internet]

Page 58: UC Security Roadshow 2011

Scenario 3a: Branch Office connection

• Security
– Encryption

• Application availability
– Multi-vendor interworking
– IP-address & VPN management
– Media anchoring and release

• Regulatory compliance
– Domain separation (VPNs)

[Diagram labels: Enterprise HQ, OpenScape Voice, SBC, near + far end NAT, Branch Office, Proxy: OpenScape Branch, RG8700, PSTN gateway, PSTN, WAN, trusted IP service]

Page 59: UC Security Roadshow 2011

Scenario 3b: Branch Office connection

• Security
– Encryption

• Application availability
– Multi-vendor interworking
– IP-address & VPN management
– Media anchoring and release

• Regulatory compliance
– Domain separation (VPNs)

• Note: De-centralized deployment of Acme Packet SBCs in branch office locations is not supported. OpenScape Branch has integrated SBC functionality, for use in branch offices.

[Diagram labels: Enterprise HQ, OpenScape Voice, SBC, NAT, Branch Office, Proxy & SBC: OpenScape Branch, PSTN gateway, PSTN, untrusted IP service, Internet]

Page 60: UC Security Roadshow 2011

OpenScape Branch V1 R2 Proxy Operating Mode

1. Branch SIP users are primarily registered to the OpenScape Branch.

2. OpenScape Branch operates as a proxy and forwards messages from the branch SIP user to the OSV for call control.

If the OpenScape Branch in Proxy mode fails, the SIP users also have the OSV SIP address as the Backup Server Address and can reach the OSV with no service disruption.

Note: The LAN infrastructure in the Main Office can be either
2a) directly connected to the WAN or
2b) connected to the WAN through the SBC (in case NAT is required to handle overlapping private IP address ranges in various Branch Offices).

[Diagram labels: Enterprise HQ, Branch Office, OpenScape Branch (Proxy mode), SIP trunking, optional GW, NAT+FW, OSV, centralized applications, users, centralized GWs, centralized SBC, WAN, PSTN, PSTN (planned for OSB V1R3); callouts 1, 2a, 2b]

Page 61: UC Security Roadshow 2011

OpenScape Branch V1 R2 SBC operating mode

1. Branch SIP users are primarily registered to the OpenScape Branch.

2. Even in the so-called “SBC mode”, OpenScape Branch operates as a proxy and forwards messages from the branch SIP user to the OSV for call control.

For OpenScape Branch in SBC mode, a unit failure is more critical than in Proxy mode. No communication to the OSV is then available. One method to avoid this very unlikely condition is to have a redundant OpenScape Branch unit at the branch.

[Diagram labels: Enterprise HQ, Branch Office, OpenScape Branch (SBC mode), optional GW, NAT+FW, SIP trunking, OSV, centralized applications, users, centralized GWs, centralized SBC, Internet, PSTN, PSTN (planned for OSB V1R3); callouts 1, 2]

Page 62: UC Security Roadshow 2011
Page 63: UC Security Roadshow 2011

© 2010 Infoblox Inc. All Rights Reserved.

Javier Abad, [email protected] Irala, [email protected]

Dynamic communication - automated infrastructure

Page 64: UC Security Roadshow 2011

About Infoblox

• A reference in the DNS, DHCP and IPAM (DDI) market
• The only company to obtain Gartner's “Strong Positive” rating
• The only end-to-end solution for Network Change & Configuration Management (NCCM) environments
• First enterprise, multi-vendor implementation of the Orchestration Server (IF-MAP)
• First to combine the DDI, NCCM and IF-MAP environments
• More than 4,500 customers and more than 250 of the Fortune 500
• Present in 30 countries, global TAC centers with 24/7 support, more than 170 engineers

Examples of global support centers and offices: USA, Netherlands, Australia, Hong Kong, Singapore, Japan, India, China, Canada, and more…

* November 2009 DDI Marketscope Report

Page 65: UC Security Roadshow 2011

Infrastructure automation is strategic

TASKS
• Make the infrastructure more dynamic
• Without increasing risk
• While improving network productivity and availability

[Chart: x-axis Time; y-axis Quantity / Size. Labels: network infrastructure demands (users, devices, systems, applications, protocols, services, virtualization, mobility…); network size and complexity; network management resources (staff, resources); increasing risks, costs, delays]

Page 66: UC Security Roadshow 2011

Sample customers and partners

Customers: Banco de España

Technology alliances

Page 67: UC Security Roadshow 2011

How does Infoblox complement Siemens UC solutions?

• Business availability
– “Always on” network
– Real-time visibility of IPs
– Proactive fault detection

• Network control & compliance
– Agile management, visibility of the dynamic infrastructure
– Reports on compliance with internal rules and policies
– Real-time analysis of the impact of change

• Efficiency and automation
– Automatic provisioning of IPs for end devices. Network changes
– Efficiency in virtualized environments
– Tools to identify, verify and remediate problems quickly

[Diagram labels: Switches, Routers, Wireless, Security, Apps, IPAM & NCCM]

Page 68: UC Security Roadshow 2011

Enabling the dynamic UC environment

[Diagram labels: Applications; Infoblox DDI (DNS / DHCP / IPAM); Infoblox NCCM (routing, switching…); closed-loop automation; visibility and automation. Steps: infrastructure check, provides DDI services, recognizes the change, detects IPs, communicate / take action]

Page 69: UC Security Roadshow 2011

Infoblox DDI solution

• IP Address Management (IPAM)
- Planning
- Reserve/assign
- Operation

• Always-available, robust services
- Domain Name System (DNS)
- Dynamic Host Configuration Protocol (DHCP)
- Others (time, TFTP, etc.)

The link between networks and applications

Poor DDI performance is the network's weak point

[Diagram labels: Applications; DNS, DHCP and IPAM; Infrastructure]

Page 70: UC Security Roadshow 2011

Infoblox DNS, DHCP & IPAM

Automate IP provisioning and provide critical “always-on” network services

• Replaces spreadsheets
• Real-time and historical visibility of connected networks and IPs
• Delegate and automate the tasks of provisioning IPs and networks
• Reports and auditing
• Robust, secured DNS infrastructure
• Improved DHCP failover (critical for UC environments)
• Agentless management of Microsoft DNS/DHCP

Page 71: UC Security Roadshow 2011

Grid technology: a key differentiator

A set of members (secured appliances) that run one or more services (DNS, DHCP, TFTP, NTP)

Coordinated by the Grid Master

Sharing a distributed database

Communicating over SSL VPN

- Centralized control and visibility
- Real-time IPAM & discovery
- Automatic failover and DR

Simple, secure, reliable

[Diagram labels: Grid Master, Grid Master Candidate at Recovery Site, Internal Grid Members, External DNS Grid Member, Virtual Environment, Branch Offices, IPAM Insight]

Page 72: UC Security Roadshow 2011

Automating network change and configuration management

Understand the cause/effect relationship

• Discovery and visualization of the network infrastructure
• Collects and analyzes the configurations of the network infrastructure
• Tracks and automates changes in the network
• Identifies non-compliance with “best practices”
• Identifies violations of compliance and security policies (SOX, HIPAA, PCI, etc.)
• Identifies, verifies and remediates incidents proactively

Page 73: UC Security Roadshow 2011

Business agility through automated infrastructure

Supports business initiatives

• Increases agility
• Reduces risk
• Increases productivity

• Virtualization and cloud
• Data center consolidation
• Transition to IPv6
• Security and compliance
• Mergers and acquisitions

Page 74: UC Security Roadshow 2011

Thank you

Page 75: UC Security Roadshow 2011

Unified Communications, Shared Risks

Page 76: UC Security Roadshow 2011

Unified Communications: how to protect them

Can I reduce the cost of my telephony?

Page 77: UC Security Roadshow 2011

Page 78: UC Security Roadshow 2011

- Deep SIP/SDP inspection
- Rate limiting of SIP, SCCP, SIMPLE messages
- RTP pin-holing
- Stateful SIP dialog tracking
- HA and geographic HA for SIP
- NAT/NATP support
- SIP NAT tracing
- SIP HNT
- IPv6 support
- IPS/IDS
- Etc.…

Page 79: UC Security Roadshow 2011

How do I get the payslip to my employees every month?

Page 80: UC Security Roadshow 2011

What are my technicians' holiday dates?

Page 81: UC Security Roadshow 2011

What is the best way to share my documents?

Page 82: UC Security Roadshow 2011

How do I know whether my colleague is available right now or not?

Page 83: UC Security Roadshow 2011

Can I present my work or product remotely, to a large and geographically dispersed audience, as if I were there in person?

Page 84: UC Security Roadshow 2011

Page 85: UC Security Roadshow 2011

Page 86: UC Security Roadshow 2011

Page 87: UC Security Roadshow 2011

Page 88: UC Security Roadshow 2011

Page 89: UC Security Roadshow 2011

Page 90: UC Security Roadshow 2011

Page 91: UC Security Roadshow 2011

Page 92: UC Security Roadshow 2011

Fortimail: SMTP security

FortiDB: database security

FortiWeb: WAFS security

Page 93: UC Security Roadshow 2011

How do I gain mobility?

Page 94: UC Security Roadshow 2011

Page 95: UC Security Roadshow 2011

- VPN connections:
  - IPSec
  - SSL
  - L2TP
  - PPTP
- Virtual desktop for SSL VPN
- Captive portals
- Internet browsing & split tunneling
- Endpoint check (Forticlient, Java, AX)
- Centralized administration and security for Wi-Fi access points (FortiAP)
- One-Time Password (FortiToken)
- Authentication integration: Radius, LDAP, AD, e-Directory
- Transparent authentication integration: AD, e-Directory
- Security inside the VPN (AV, IPS, WF…)
- etc.…

Page 96: UC Security Roadshow 2011

Page 97: UC Security Roadshow 2011

Page 98: UC Security Roadshow 2011

Page 99: UC Security Roadshow 2011

How do I unify my communications cheaply and effectively?

Page 100: UC Security Roadshow 2011

FORTINET: Genuine Swiss army knife

Page 101: UC Security Roadshow 2011

Unified Communications: the what and the how

Page 102: UC Security Roadshow 2011

“There is nothing more important than our customers”

Network and UC security: who reads your IMs?

March 2011

Page 103: UC Security Roadshow 2011

©2011 Enterasys Networks, Inc. – All rights reserved.

What do we look for in today's network?

Columns: USER, ADMINISTRATOR, EXECUTIVE

• Mobility and security in the network
• Network performance and availability
• Support for multimedia applications
• Two networks: LAN & WLAN. Data & multimedia
• Manageability
• Ease of diagnosis
• Capital expenditure
• System installation costs
• Operating expenditure

Page 104: UC Security Roadshow 2011

A complete portfolio: open, secure, ready for mobility and convergence

STACKABLE
• Fixed configurations for switching and routing at the access and distribution layers

MANAGEMENT
• Network management with automation, visibility and control capabilities

SECURITY
• Advanced applications for security, network access control, intrusion prevention, and event aggregation and management.

MODULAR
• Modular switching and routing for data center and cloud solutions

WIRELESS
• WLAN controllers, access points and unified WLAN and LAN management solutions

Award-winning services and support

Page 105: UC Security Roadshow 2011

The center of an intelligent network...

Software, Hardware

Page 106: UC Security Roadshow 2011

Delivering high performance, flexibility and the lowest TCO

• A single interface to manage WLAN and LAN
- Lower operating costs
- Maintains network integrity

• Automatic configuration of the connection point
- The network adapts quickly and efficiently to business needs

• More performance with lower energy consumption
- Saves power to use it for the applications.

• Exceptional availability and QoS
- Higher video and voice quality

Services and support

Page 107: UC Security Roadshow 2011

CoreFlow 2 – the most powerful traffic inspection engine

• Classifies traffic and applies policies beyond layer 4

• SAN
- Allows access at iSCSI-target granularity
- Bandwidth management and monitoring at iSCSI-target level

• VoIP and video
- Enables QoS and access control for RTP media or control flows

• Cloud
- Enables role-based access controls for services such as www.salesforce.com
- Traffic monitoring per site, for sites such as www.youtube.com

Page 108: UC Security Roadshow 2011

Security in UC – the Enterasys value

Device detection

• 802.1x
• MAC authentication
• Convergence End Point (CEP) Detection
- Source MAC
- Dest IP, Layer 4 port
- LLDP-MED
- SIP, H.323, H.245
• Added location services

Protection of the UC infrastructure

• Traffic classification at the access layer
- Prevention of unauthorized use and of attacks on the service
- 802.1p, DiffServ, ToS
- Traffic limiting
- Prioritization
- End-to-end QoS
- Blocking of unauthorized protocols

• MAC locking of VoIP devices

• Control of DoS attacks
- Session limits
- ARPSpoof
- DHCPSpoof

• Vulnerability checking
- IP phones, Call Manager, voice switches

• VoIP intrusion detection – VoIP IPS
- Monitors attacks on voice networks
- MGCP/H.323/SIP decoders
- Detection of malformed packets

Page 109: UC Security Roadshow 2011

Autoconfiguration

• Automatic configuration of thousands of phones or endpoints.

• Keep autoconfiguration and mobility, with security.

• Support for any scenario:
- PC and phone on different ports
- PC and phone on the same port
- PC and softphone

• Assignment of security filters and VLAN in each case, and more…
- Who is who: mapping of MAC and IP to extension.
- Who accesses the network: protection of conversations:
- Detection of operating systems connected to the network
- Detection of UC worms
- Protection of access to calls or signaling.
- Check of the phone's firmware before allowing it to connect to the network.

Page 110: UC Security Roadshow 2011

Automatic configuration of UC services

Dynamic or static provisioning

[Diagram: per-role traffic policies. Roles: User & Softphone, IP Phone Privilege, Enterprise User Privilege. Classification inputs: source MAC / dest IP, user auth. Traffic classes: RTP, Instant Messaging, MGCP, VoIP Service, Email, SAP, Basic Services (DNS, DHCP, FTP), unsupported protocols & ports. Actions: Filtered, Low Priority, Medium Priority, High Priority, Highest Priority & Rate Limited, Highest Priority & NOT Rate Limited. VLANs: Voice VLAN, Data VLAN]

Page 111: UC Security Roadshow 2011

Phone location services

Location | Phone IP Address | Switch IP | Switch Port | IP Phone MAC
3rd flr Boston | 192.168.4.6 | 10.192.87.5 | fe.9 | Siemens:10:1d:ff
12th flr Boston | 192.168.8.5 | 10.192.86.3 | fe.18 | Siemens:f2:a1:2d
12th flr Boston | 192.168.8.9 | 10.192.86.3 | fe.21 | Siemens:11:a6:5f
8th flr LA West | 10.253.9.3 | 10.58.21.8 | fe.14 | Siemens:20:b8:ff
1st flr LA West | 10.253.4.4 | 10.58.26.19 | fe.2 | Siemens:20:b8:fa
8th flr LA West | 10.253.9.3 | 10.58.21.8 | fe.19 | Siemens:19:ab:ad

A final table on the slide lists:

Location | Phone IP Address | Switch IP | Switch Port | IP Phone MAC
8th flr LA West | 10.253.9.3 | 10.58.21.8 | fe.14 | Siemens:20:b8:ff
12th flr Boston | 192.168.8.6 | 10.192.86.3 | fe.24 | Siemens:20:b8:ff

[Diagram labels: Boston (3rd floor, 12th floor), LA West (1st floor, 8th floor), headquarters, NAC Gateway, NetSight management]

Page 112: UC Security Roadshow 2011

OS LIA advanced security: NAC-specific benefits

Secure Networks - NAC Features

Detect and locate
Enterasys detects each new connection and provides location information.

Access control
Enterasys provides extended control of:
- Access mode
- Authentication type
- Device type
- Location: switch port, SSID
- Time of connection
- Security state of the device

Policy establishment
- Authorizes the user or the device (PC, phone, printer)
- Allows access to resources based on identity and/or the security risk of the device

Response and remediation
The state of the software is checked before the connection and monitored throughout the connection

[Diagram labels: Access & Control, Detect & Locate, Respond & Remediate, Establish & Enforce Policy; core network, management appliance, OpenScape Voice, Enterasys NMS, OpenScape DLS, physical infrastructure database, import and synchronization via XML/SOAP, mobile users; callouts 1, 2, 3]

Page 113: UC Security Roadshow 2011

Dynamic configuration

OpenScape DLS:

• Downloads templates to the phones based on the information obtained from the network
• e.g. configuration of speed dials

[Diagram labels: Siemens OpenScape DLS; templates: speed dial-button configuration; speed dial button 7 = #52065; speed dial button 7 = #37208]

Page 114: UC Security Roadshow 2011

Asset management

OpenScape DLS:

• Automatic inventory update after changes
• Location of VoIP clients in the IP infrastructure, e.g., which VoIP devices are on the 3rd floor

Page 115: UC Security Roadshow 2011

Unique capabilities together with flexibility and security

• Integrating WLAN and LAN security minimizes the cost of security in UC
- Optimizes efficiency and reduces costs
- Maintains network integrity without redesigns

• Support for any vendor through integration APIs
- Makes it possible to support any UC solution with minimal effort

• Security distributed across the network
- Adapts quickly and efficiently to specific needs

• Unique reliability and QoS
- Better voice and video quality

• Simplicity and automation of configuration
- Reduces deployment costs, guarantees security

Page 116: UC Security Roadshow 2011

Visit us at: www.enterasys.com