scap for voip
play

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT - PowerPoint PPT Presentation

Sep 14, 2022 •142 likes •388 views

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference Presentation Overview 1. The Business Challenge 2. Securing Voice over IP Networks 3. The ISA VoIP Security Project 4. Next Steps With SCAP 5. Summary

  1. SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference

  2. Presentation Overview 1. The Business Challenge 2. Securing Voice over IP Networks 3. The ISA VoIP Security Project 4. Next Steps With SCAP 5. Summary www.isalliance.org Slide 2.

  3. The Business Challenge • Cyber Security Operations: 96% of Breaches Avoidable through Ø Expensive Simple or Intermediate Controls Ø Prone to Failure Verizon 2010 Data Breach Report • Cyber Security Industry is Caught in “Too Busy to Get Better” Trap “I have additional risk to manage. I have capital budget. There are great new solutions. I don’t have more people to manage them.“ Paraphrase of leading CISOs www.isalliance.org Slide 3.

  4. VoIP Enterprise Risk Network convergence and channel consolidation potentially increase vulnerabilities and the consequences of failure in security. Dennis Blair, Former Director of National Intelligence, Feb. 2010 (paraphrase) • Impact of Convergence Ø Silo Approaches to Security Understood Ø Cross-Silo Vulnerabilities and Attacks Ignored Ø VLANs have vulnerabilities • Impact of Channel Consolidation Ø Voice Used as an Out-Of-Band Channel Ø Voice Can be Used to Carry Data www.isalliance.org Slide 4.

  5. VoIP Security Today • Guidance • Assessments & Controls Ø NSA Security Guidance for IPT Ø Pen testing Ø DISA VVoIP Ø Monitoring Ø NIST SP 800-58 Ø Configuration Management Ø Best Practices from Vendors Ø Change Control • Security Devices New Vulnerabilities Ø SBC New Devices Who has time? Ø Firewall New Controls Ø IPS/IDS New Assessments www.isalliance.org Slide 5.

  6. FISMA and FDCC • FISMA VoIP Coverage Ø FIPS 199 and 200 Point to NIST SP-800 Series Ø Implementation of SP-800-53 Controls Required for Compliance Ø SP 800-58 Defines VoIP Controls • FDCC does not Address VoIP Ø SP-800-58 Recommends No Soft Phones Ø Only covers Vista and XP OSs www.isalliance.org Slide 6.

  7. ISA VoIP Charter ISA Mission ISA is to combine advanced technology with the economic realities and help create effective public policy leading to a sustainable system of world-wide cyber security. ISA VoIP Project Objective Increase cyber security posture and reduce operational expense through automated VoIP security configuration and compliance. www.isalliance.org Slide 7.

  8. ISA VoIP Security Project Focus on automation of configuration management and compliance Final Objective 2011 Objective IP Phone IP PBX Soft Phone Call Manager IP PBX Call Manager Session Border Controller And more … 2010 Objective IP Phone Soft Phone NIST SP 800-53, 800-70, 800-126, 800-58, NCP www.isalliance.org Slide 8.

  9. Reference VoIP Network www.isalliance.org Slide 9.

  10. Need To Automate IP Phone Configuration Compliance • Widely Distributed • New Access Vector • Perimeter Security Not Sufficient • Default Configuration Weak • Will Drift from Baseline Ø Changes to phone settings undetected Ø Manual assessment not practical • Convergence with Data Network v At Least One Phone Will Be Altered! www.isalliance.org Slide 10.

  11. Typical Automation For Configuration Compliance Access Methods Issues Ø Telnet / SSH Ø Vendor specific Ø HTTP / HTTPS Ø Inconsistency across data Ø SNMP formats and mechanism Ø Console Ø Lack of open standards Ø Element Manager Ø Incomplete retrieval of ‘running’ Ø LLDP/CDP configuration information / state Ø May conflict with security best practices (i.e., disable protocol) www.isalliance.org Slide 11.

  12. SCAP For VoIP: Today SCAP Description Keyword ‘VoIP’ Keyword ‘Phone’ Component Search Search Common Vulnerability Standard nomenclature and 336 matches, out of which Enumeration (CVE) dictionary of security related 96 matches 102 (Apple iPhone), 27 software flaws (Cisco), 7(Avaya), 6 (Nortel), 5 (Microsoft), 5 (Snom) Common Configuration Standard nomenclature and 0 0 Enumeration (CCE) dictionary of software mis- (under development) (under development) configurations Common Platform Standard nomenclature and 22 matches 146 matches Enumeration (CPE) dictionary of product naming (nortel and cisco) Common Vulnerability Scoring Standard for measuring the 0 0 System (CVSS) impact of vulnerabilities eXtensible Checklist Standard XML for specifying 0 0 Configuration Description checklists and for reporting Format (XCCDF) results of checklist evaluation Open Vulnerability and Standard XML for test Assessment Language (OVAL) procedures 5 matches – cisco (V) 16 matches - 13 (V), 3 (I) www.isalliance.org Slide 12.

  13. SCAP For VoIP: Today • Several CPE IDs available for IP phones • Focus on software flaws / vulnerabilities (CVE) Ø A few systems identify firmware version and do very basic penetration / vulnerability test • No CCE IDs • No Checklists for VoIP in NCP • All configuration settings not accessible for SCAP • Few OVAL test definitions available for VoIP • No OVAL definitions for configuration compliance v Much work remains to SCAP-enable VoIP www.isalliance.org Slide 13.

  14. Status on the VoIP Security Project at ISA • Focus: Configuration Compliance & Validation • IP Phone is First to be Evaluated • Baseline Security Configuration Checklist – Done Ø NIST 800-53 controls mapped to IP phone Ø XCCDF document available Ø In process to submit checklist to National Checklist Program for review • Vendor Specific IP Phone Checklists Under Development www.isalliance.org Slide 14.

  15. IP Phone Baseline Security Checklist • Assure Baseline Security • Signaling Protocol: SIP • Media Protocol: RTP/RTCP • Configuration Controls For Ø 7 Security Principles Ø 3 Traffic Planes • Automated and Manual Rules • Expressed using XCCDF • “One size does not fit all” www.isalliance.org Slide 15.

  16. Challenges With SCAP Enabling The IP Phone • Perpetual Configuration Drift • IP Phone Uses an Embedded OS Ø Today’s authenticated configuration scanners focus on Windows and Unix/Linux • Retrieval of Entire Running State Not Available Ø Use of remote access protocols varies between vendors • No OVAL definition schema available for IP phone configuration compliance www.isalliance.org Slide 16.

  17. Host Based Configuration Scanner Host based agent installed on the phone Ø OVAL definition file to be downloaded to agent Ø Gather, analyze configuration locally Ø Generate and report results Pros Ø Direct access to configuration Ø Standard reporting format available with OVAL Cons Ø Regular updates for IP phones across enterprise Ø Resource consumption could impact call quality www.isalliance.org Slide 17.

  18. Network Based Configuration Scanner Centralized platform probes IP phones for configurations Ø No agent on phone Ø Gather configuration from phone Ø Analyze and generate report on centralized scanner Pros Ø Eliminate need to update agent on all phones Cons Ø Visibility of entire configuration questionable Ø Lack of common data structure & remote access method www.isalliance.org Slide 18.

  19. Hybrid Based Configuration Scanner Lightweight, host based agent installed on each phone Ø Configuration gathered within each phone Ø Centralized assessment platform to analyze/report results Pros Ø Small memory (resource) footprint required for agent Ø Eliminate need to update agent on all phones Ø Direct access to configuration Ø Extensive analysis and reporting available Ø No significant impact to functionality and performance Cons Ø None www.isalliance.org Slide 19.

  20. Next Steps – Automation Using OVAL • Preliminary XCCDF content completed • OVAL definitions for IP phone • Apply OVAL compliance check to static phone configuration file stored on IPT server • Ability to query entire configuration running state • Apply OVAL compliance check to running state configuration on IP phone • Report the results of the assessment www.isalliance.org Slide 20.

  21. Industry Adoption • Using SCAP to automate configuration compliance of IP phone is possible • Vendor support is needed to make this a reality Ø Develop specific product checklists based on an industry developed IP phone baseline checklist (i.e., ISA VoIP checklist). Ø Develop an industry standard interface to query the entire running state of the phone configuration. Ø Possibility of a standard data format structure for IP phone configuration www.isalliance.org Slide 21.

  22. Summary • Challenge today is VoIP configuration compliance rely on manual processes with limited operational resources Ø Numerous VoIP security guidelines but no master list of all security requirements (i.e., IP phone checklist) focus on automation • Adoption of standard based approach using SCAP is right tool to address VoIP configuration compliance challenge • Configuration compliance must be a fundamental capability of an IP phone, not an optional ‘nice-to-have’ feature • NIST 800-70 review & National Checklist Program • VoIP vendor involvement is critical www.isalliance.org Slide 22.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 ISAlliance SCAP VoIP Project Update 12 June 2009 Lawrence G Dobranski, CISSP-ISSAP, CISM, CSSLP

1 ISAlliance SCAP VoIP Project Update 12 June 2009 Lawrence G Dobranski, CISSP-ISSAP, CISM, CSSLP

1 ISAlliance SCAP VoIP Project Update 12 June 2009 Lawrence G Dobranski, CISSP-ISSAP, CISM, CSSLP Leader, Security Architecture & Compliance Carrier VoIP and Applications Solutions Nortel ldobran@nortel.com (613) 763-6866 BUSINESS MADE

304 views • 13 slides
Application of SCAP to Secure Unified Communications www.isalliance.org The ISAlliance Board

Application of SCAP to Secure Unified Communications www.isalliance.org The ISAlliance Board

Application of SCAP to Secure Unified Communications www.isalliance.org The ISAlliance Board www.isalliance.org VoIP Project Leadership www.isalliance.org Government Participants www.isalliance.org Industry Participants www.isalliance.org

575 views • 14 slides
What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

Welcome to Business Matters Todays topic: What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for Voice over Internet Protocol - Phone service through your Internet connection 2 Components of

510 views • 29 slides
Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP (voice over IP) is an IP telephony term for a set of facilities used to manage the delivery of voice information over the Internet. A major advantage of

1.26k views • 5 slides
Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction to STIG SUSE STIG Automation Demo Time Whats next? What is SCAP? The Security Content Automation Protocol is a multi-purpose

684 views • 37 slides
VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite components VoIP switch - SIP softswitch based on VoIP switch Opensips significantly re-developed by 5g 5g Future. Future Dynamic or static routing - a

156 views • 11 slides
Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1 PRI Gateway Dedicated VoIP-ISDN PRI Gateway Plug-n-Play device VoIP access device for an existing PBX PRI trunking for an

404 views • 27 slides
Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE, NCTU Quincy Wu Email: solomon@ipv6.club.tw 1 Outline Introduction Voice over IP RTP & SIP NTP VoIP Platform Conclusion

1.02k views • 64 slides
VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely, 15.-16. January 2009 VoIP? PSTN: 100 year old technology, 99.999% uptime, call anyone anytime can VoIP offer that today? VoIP next

479 views • 15 slides
Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

4/3/2015 Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP increasingly important Skype, Google Talk, and MSN Started with inexpensive use at home with friends and family Messenger Now businesses

631 views • 7 slides
SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

LAB 117 & VoIP LAB SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP Platform in Taiwan Taiwan 19th APAN Meeting in Bangkok, January 2005 Ines Sok-Ian Sou and Prof. Quincy Wu Dept. of

293 views • 27 slides
Geor Georgia as Hi s High gher er E Education L Landsc scap ape: e: Demograph

Geor Georgia as Hi s High gher er E Education L Landsc scap ape: e: Demograph

Geor Georgia as Hi s High gher er E Education L Landsc scap ape: e: Demograph phics cs, F Fund unding and and Wha hat Stude dents P Pay Jennifer Lee, Policy Analyst jlee@gbpi.org @jjesunlee October 25, 2017 @GaBudget

442 views • 33 slides
A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic Tejmani Sinam, Irengbam Tilokchan Singh, Sukumar Nandi Pradeep Lamabam, Ngasham Nandarani Devi Department of Computer Science and Engineering,

231 views • 6 slides
CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY

CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY

CORPORATE presentation VoIP, SMS, SOFTWARE LICENCED LANDLINE VOIP SMS SOFTWARE TURKEY OPERATOR DATA MVNO OTTs Services that 100% guarantee reliable and lucrative partnerships lead to absolute success. premier global communications

331 views • 7 slides
FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services

FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services

GLOBAL TELECOMMUNICATIONS AND MEDIA INDUSTRY GROUP E-NEWS JUNE 8, 2005 FCC Releases VoIP E911 Order Highlights: Providers of Interconnected VoIP Services Required to Supply Enhanced 911 (E911) capabilities. Must File Letters

357 views • 4 slides
SCAP Collection Committee Workshop SWRCB, Region 8 May 12, 2004 9:00 am 12:00 pm Inland

SCAP Collection Committee Workshop SWRCB, Region 8 May 12, 2004 9:00 am 12:00 pm Inland

SCAP Collection Committee Workshop SWRCB, Region 8 May 12, 2004 9:00 am 12:00 pm Inland Empire Utilities Agency 6075 Kimball Avenue, Chino Agenda 1.

1.19k views • 106 slides
Investor Presentation L D M i c r o D av id P a is , C F O Apivio Systems Inc. (TSX: APV.V) D

Investor Presentation L D M i c r o D av id P a is , C F O Apivio Systems Inc. (TSX: APV.V) D

A Global Leader in Voice Technology Solutions Bringing Android, Wi-Fi and VoIP Together Investor Presentation L D M i c r o D av id P a is , C F O Apivio Systems Inc. (TSX: APV.V) D e c e mbe r 6 , 2 0 1 6 www.apivio.com DISCLAIMER THIS

538 views • 23 slides
Presentation by Chris Kirkcaldy Director, DAS March 2018 The United Nations Office at Nairobi

Presentation by Chris Kirkcaldy Director, DAS March 2018 The United Nations Office at Nairobi

Presentation by Chris Kirkcaldy Director, DAS March 2018 The United Nations Office at Nairobi was established with effect from 1 January 1996 as a successor to the United Nations Common Services Unit at Nairobi and two separate divisions of

253 views • 10 slides
Sangoma SBCs Keeping Your VoIP Network Secure Simon Horton Sangoma shorton@sangoma.com

Sangoma SBCs Keeping Your VoIP Network Secure Simon Horton Sangoma shorton@sangoma.com

Sangoma SBCs Keeping Your VoIP Network Secure Simon Horton Sangoma shorton@sangoma.com Inside this Deck About Sangoma/ProVu SIP Market SBCs Demystified Business Applications and Use Cases Portfolio of SBCs Sangoma

723 views • 47 slides
Financial Results Conference Call Wednesday, November 13, 2019 Safe Harbor All statements in

Financial Results Conference Call Wednesday, November 13, 2019 Safe Harbor All statements in

Third Quarter 2019 Financial Results Conference Call Wednesday, November 13, 2019 Safe Harbor All statements in this presentation that are not based on historical fact are "forward looking statements." While management has based any

751 views • 18 slides
BIPCOM Voice and Data Solutions OVERVIEW: o 10 Years managing call centre's o 15 Years in

BIPCOM Voice and Data Solutions OVERVIEW: o 10 Years managing call centre's o 15 Years in

BIPCOM Voice and Data Solutions OVERVIEW: o 10 Years managing call centre's o 15 Years in business providing telecoms services o Now service & support over 100 businesss Call: 01202 069692 Email: info@bipcom.co.uk BIPCOM Voice and Data

637 views • 16 slides
experience with service automation? 7/28/2016 About the Speaker Scott Argue Vice President

experience with service automation? 7/28/2016 About the Speaker Scott Argue Vice President

How You can take cost out of complexity and improve customer experience with service automation? 7/28/2016 About the Speaker Scott Argue Vice President Customer Service BSc Computer Science 25+ Years of Varied IT Experience

424 views • 23 slides
ICANN October 2014 Summary 01 Let me introduce ourselves 02 Internet

ICANN October 2014 Summary 01 Let me introduce ourselves 02 Internet

ICANN October 2014 Summary 01 Let me introduce ourselves 02 Internet Custommers in Brazil 03 ISPs in Brazil 04 Business in Progress 01 //SIENA & VERGANI LET ME INTRODUCE OURSELVES Marcelo Siena

404 views • 15 slides
Clarification meeting date: 17 September 2019 Tender Closing date: 03 October 2019 Commercial

Clarification meeting date: 17 September 2019 Tender Closing date: 03 October 2019 Commercial

CLARIFICATION MEETING FOR CORP4923 Contact Centre Telephony System Solution Implementation Clarification meeting date: 17 September 2019 Tender Closing date: 03 October 2019 Commercial clarification Eskom Representative : Violet Beetha

757 views • 28 slides

More recommend