
Dial 1-800-Plug Holes

SECURELOGIX’S ETM SUITE CAN KEEP YOUR TELECOM SYSTEM FROM BECOMING THE FATAL CHINK IN YOUR COMPANY’S ARMOR.

BY JOE HERNICK, DEAN ELLERTON AND JIM WIGGS

IP security is top priority for IT managers, but many still leave their networks vulnerable to intrusion by way of telecom systems.

Potential threats include access to internal data networks via unauthorized modems, illicit calls to ISPs via outbound modems, toll fraud and use of unsecured voice or fax lines to transmit data. Perpetrators may be well-intentioned employees setting up remote-control apps or “black hats” looking to exploit telecom security holes.

San Antonio-based SecureLogix Corp. is targeting these telecom security threats. Its ETM (Enterprise Telephony Management) platform is the only product offering an enterprise-level toolset for monitoring and managing in-band security for analog and digital circuits connected to different kinds of PBXs in geographically dispersed locations.

While the ETM suite scales from single-site, single-span configurations to enterprise-wide solutions, the product will most likely be purchased by large organizations facing either a specific security threat or a telecom management challenge. Representative of SecureLogix’s customer base is the U.S. Air Force, which is looking to SecureLogix to complement the STUs (secure telephone units) it uses for high-level point-to-point communications in domestic and international bases.

Other potential customers include health care and financial companies concerned with patient and customer privacy, and any organization worried about potential “back-door” vulnerabilities via unsecured analog access points, such as service ports on LAN-connected PBXs and VRUs (voice response units) or modem-enabled field equipment, like oil rigs and irrigation controls. Excessive unauthorized toll charges are another motivator.

Back to School

OUR TEST LAB FOR THIS ARTICLE was a production environment in a private boarding school in New England. We installed the SecureLogix equipment in-line on the ISDN PRI between a production PBX with 400-plus active extensions and the local telecom’s central office. Our Real-World Labs® team then ran the ETM through a rigorous gamut of tests by autogenerating hundreds of thousands of voice calls over a 30-day period, creating large data sets for testing reporting while providing a consistent base level of background activity so our functionality testing would not occur on an idle platform (see “How We Tested,” page 60). We ran all tests with the ETM software version 3.03 (version 4.0 should be hitting the streets now—see “Sneak Peek at ETM 4.0,” page 64).

FYI

A Fortune 500 company discovered more than 7,000 clandestine remote-access users—15 percent of its work … though the HR and IS departments believed that no remote access was available, according to Gartner. The company had to use war-dialer tools to discover unauthorized dial-up connections to computers, modems, fax machines and other devices.

www.nwc.com I 11.1.2002 I NETWORK COMPUTING 57

Note that the SecureLogix ETM environment is a vendor-installed product suite. On-site installation and configuration are sold as a part of every contract; time and expense are based on complexity. SecureLogix technicians performed a standard installation of the test equipment under the guidelines normally associated with an enterprise installation. Because our test site had no preinstalled Oracle services, a Microsoft Windows 2000 database server running Oracle 9i was included in the installation. If an existing Oracle solution exists, SecureLogix will integrate the ETM platform within that infrastructure, if desired (the ETM suite plays only with Oracle; SQL shops will need to make the additional investment).

We experienced just a half-second outage as the equipment was connected between our PBX and PRI voice line; the ETM had been set up with our configuration specs prior to connection.

Let us be clear—we could not have completed the installation and base environment setup without on-site support from SecureLogix. While the basic setup of the environment is pretty straightforward, the devil is in the details. To paraphrase the field engineer: “There are just too many weird configurations out in customer sites.”

Product Details

OUR ETM HARDWARE SETUP comprised three rackmounted Dell Windows 2000 servers and two rackmounted ETM hardware appliances (one for analog lines, one for PRI circuits), connected via a private 100-Mbps Ethernet switch. The ETM Applications Suite includes the TeleView Infrastructure Manager client, a user-friendly GUI for monitoring trunk circuits and call activity, controlling security policies and consolidating alerts; the TeleWall Telecom Firewall, a policy-based firewall application; and the TeleAudit Usage Manager call reporting app. An additional ETM component, the TeleSweep Secure Scanner, a war-dialer/vulnerability scanner, was not tested as a part of this review because we focused our efforts on TeleWall functionality.

PROTOCOLS AND STANDARDS

LINE TYPES                     SUPPORTED PROTOCOLS/STANDARDS
Analog                         Loop start, ground start, reverse battery loop start, FXS, FXO
T1 CAS                         Loop start, ground start, wink start, immediate start, super frame, extended super frame, alternate mark inversion, bipolar 8-zero substitution, asymmetrical signaling, DTMF, MF detection
ISDN PRI (24-channel T1)       DMS100, ATT 4ess, ATT 5ess, NI-2, NFAS, backup D channels
Euro ISDN PRI (30-channel E1)  NET5, 1TR6, VN, QSIG

A typical implementation includes a Linux-based ETM Communications Appliance connected to voice lines and the ETM Management Server providing base application functionality.

SecureLogix provides PC-based training modules to walk admins through the ETM Suite, explaining environmental definitions and clearly leading neophytes through the steps required to set up policies, rules and reporting options. Anyone with a solid understanding of telecom environments and information-protection methodologies should have a very easy time working through the training materials. The modules will even allow less knowledgeable folks to get up to speed on the app (and on security concepts) with four to 10 hours of effort.

The metaphor for the TeleWall component is a traditional IP firewall. The administrator organizes, configures and implements a set of rules/policies to govern what is and is not allowed to occur in the environment. Examples of policies include restriction by:

» Call origin, such as local extension, area code range or international;

» Call destination, such as long-distance, international or 900-number;

» Call time, with admin-definable business hours or maintenance windows; and

» Call type—voice, data, fax, STU or video.

TeleWall provides real-time in-band monitoring of call content, allowing dynamic monitoring of call type as well. Using a proprietary technique, the ETM continuously monitors the frequency and energy content of audio data on all voice circuits in real time, looking for discrete tones, such as STU-III, fax T.30 or 1,800 hertz. This detected sequencing of audio tones/flags and audio data classification allow the system to derive call type as either voice, fax, STU, modem, wideband (videoconferencing), undetermined (for very brief calls that disconnect before identification) or unanswered. The in-band monitoring will detect call-type change mid-stream.

Executive Summary

SecureLogix ETM

Consider the lowly modem. Seems harmless enough, but the reality is that your telecom system could be your company’s Achilles’ heel. All the pricey firewalls and IDSs you’ve set up to guard your data network can be thwarted by one unsecured modem. An intruder who can hack into a legacy PBX could set up an international line and run up big toll charges. Employees may sidestep content filtering by dialing into an ISP using your telephone system.

When the opportunity arose to test SecureLogix’s ETM suite, the only enterprise-level platform for securing analog and digital circuits connected to divergent and dispersed PBX platforms, we jumped at the chance.

The SecureLogix product knocked us out with its scalability, granular control, detailed reporting and top-flight customer service. Except for its steep price, we would have kept the system in a New York minute. If you can justify the cost (see “Calling ROI,” page 65), we recommend the ETM for all but the smallest organizations.

The TeleWall identified every call by type (though, not being a secured federal facility, we were unable to test STU functionality), and all rules were followed as structured in the policies. For example, a “no voice calls on ext. x” rule terminated a connection in less than a second when we picked up the receiver during a fax transmission and attempted to converse, while a “log inbound voice calls from 212 area code” rule flagged NYC calls.
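The rule model described above (first-match firewall semantics over origin, destination, time and in-band call type, with re-evaluation when the call type changes mid-stream), as an added illustration that is not SecureLogix’s code. The rule names, extension 4101 and the phone numbers are constructed for the example.

```python
"""Added example, not SecureLogix code: a minimal TeleWall-style ruleset
evaluator. Rules are checked top-down like an IP firewall ruleset: 'log'
and 'alert' rules record a side effect and evaluation continues, while
'allow' and 'terminate' are final. Because the in-band monitor can
re-classify a call mid-stream (a "voice" call that starts carrying modem
data), reclassify() re-runs the policy against the live call.
All rule names, extensions and phone numbers below are constructed."""
from dataclasses import dataclass

ANY = "*"
FINAL = {"allow", "terminate"}

@dataclass
class Call:
    direction: str      # "inbound" or "outbound"
    source: str         # calling number or local extension
    destination: str    # called number or local extension
    call_type: str      # voice, fax, modem, STU, wideband, undetermined, unanswered
    start: str          # "HH:MM", zero-padded so string comparison orders correctly
    duration_s: int = 0

@dataclass
class Rule:
    name: str
    action: str                     # allow, terminate, log, alert
    direction: str = ANY
    source_prefix: str = ANY        # e.g. "212" for the NYC area code
    dest_prefix: str = ANY          # e.g. "900", or "011" for international dialing
    call_types: tuple = (ANY,)
    hours: tuple = ("00:00", "23:59")   # admin-defined window, inclusive
    longer_than_s: int = 0          # 0 = no duration criterion

    def matches(self, call):
        if self.direction not in (ANY, call.direction):
            return False
        if self.source_prefix != ANY and not call.source.startswith(self.source_prefix):
            return False
        if self.dest_prefix != ANY and not call.destination.startswith(self.dest_prefix):
            return False
        if ANY not in self.call_types and call.call_type not in self.call_types:
            return False
        if not (self.hours[0] <= call.start <= self.hours[1]):
            return False
        return self.longer_than_s == 0 or call.duration_s > self.longer_than_s

def evaluate(rules, call):
    """Return (decision, fired); fired lists (rule name, action) in match order."""
    fired = []
    for rule in rules:
        if rule.matches(call):
            fired.append((rule.name, rule.action))
            if rule.action in FINAL:
                return rule.action, fired
    return "allow", fired           # nothing final matched: implicit allow

def reclassify(rules, call, new_type):
    """The in-band classifier changed its verdict mid-call: re-apply the policy."""
    call.call_type = new_type
    return evaluate(rules, call)

# constructed policy mirroring the kinds of rules exercised in the review
POLICY = [
    Rule("no voice calls on fax ext 4101", "terminate",
         dest_prefix="4101", call_types=("voice",)),
    Rule("log inbound voice from 212", "log",
         direction="inbound", source_prefix="212", call_types=("voice",)),
    Rule("block outbound 900 numbers", "terminate",
         direction="outbound", dest_prefix="900"),
    Rule("alert on after-hours modem sessions", "alert",
         call_types=("modem",), hours=("18:00", "23:59")),
    Rule("alert on long international calls", "alert",
         direction="outbound", dest_prefix="011", longer_than_s=1800),
]
```

A fax session to extension 4101 is allowed until the monitor reclassifies it as voice, at which point the first rule terminates it, matching the behaviour the review describes.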

While voice and fax calls were quickly identified (in 0 to 2 seconds), the ETM had difficulty identifying modem “energy” (often in the 25 to 30 second range). The system essentially waited through the connection “interrogation/negotiation” phase, then identified the call type as “modem” and implemented any appropriate rules as soon as data began to pass (again, in less than 2 seconds). This delay in modem identification raised flags, but SecureLogix says the problem has been addressed in version 4.0 (see “Sneak Peek at ETM 4.0,” page 64).

How We Tested SecureLogix ETM

The ETM system comprised three rackmounted Dell Windows 2000 servers and a pair of rackmounted ETM hardware appliances, connected by a private 100-Mbps Ethernet switch. We used a 1-GHz Intel Celeron processor with 1 GB of RAM to run the ETM client software: TeleView Infrastructure Manager 3.0.3 and TeleAudit Usage Manager 3.0.3. Another 1-GHz Celeron processor with 1 GB of RAM accommodated the ETM Management Server 3.0.3 and TeleAudit Report Server 3.0.3 software. And finally, a 1.13-GHz Intel Pentium III box with 1 GB of SDRAM (Synchronous DRAM) and three 18-GB drives under a hardware RAID 5 controller housed the Oracle 9i Database Server.

We tested the ETM platform using both an existing PRI span connected to an NEC PBX and a simulated PRI span looped through a Spirent Communications Abacus call generator. In the PRI runs, we tested inbound and outbound calls using POTS lines, PCS (Personal Communications Services) and GSM (Global System for Mobile Communications) service (U.S. and European spec), fax, analog modem and voice/fax combination equipment. Both domestic and international calls were logged, monitored and/or terminated. The Abacus simulated heavy volume closed-loop traffic of a variety of call types.

We configured one ETM Communication Appliance (Model 3200) to support 16 North American ISDN-PRI spans, and a second ETM appliance (Model 1010) to support four analog circuit ports. The appliances run customized versions of Linux.

Counting on Abacus

We would not have been able to thoroughly test the ETM without the generous loan from Spirent of an Abacus Test System. After sorting out our initial configuration and settings (somewhat challenging as we were setting up a closed-loop test environment), we hammered the ETM with hundreds of thousands of simulated calls from the Abacus in the course of a month.

We configured two ISDN PRI cards (mapping 23 “extensions” each) in the Abacus, one to receive “incoming” calls and one to generate our “outbound” calls, yielding 10-digit source and destination numbers for testing.

We used a staggered test-dialing cycle (Extension 1 direct-dials Extension 24, makes connection, keeps line open as a voice call for 35 seconds, then disconnects. Keep going through Extension 23 dialing Extension 46, repeat ad infinitum).

Note that we did not connect the Abacus to our production PBX; this was a standalone test environment that placed the ETM equipment inline between the two Abacus cards.

We were consistently impressed with the quality and capabilities of the Spirent equipment. The Abacus is the most capable piece of telco testing equipment that our team has worked with, functioning as both a call-load generator and central office emulator. The test system is able to generate a mix of tones, real speech, fax, data or PRBS, while supporting (take a deep breath): analog, T1 CAS (channel associated signaling), E1 CAS, GR-303, SLC-96, V5.1, V5.2, SS7, ISDN PRI on T1, ISDN PRI on E1, ISDN BRA (basic rate access) over U-interface, and ISDN BRA over S-interfaces, with the ability to generate five to 1,023 channels, depending on configuration.

This is a rackmount chassis system that can be configured with from one to 40 cards. Minimum system configurations start at about $10,000; Spirent says the average cost works out to about $200 per port.

As with any firewall product, the site admin must clearly define and verify security policies, call groups, extensions and rules prior to implementation. Policy criteria can be based on direction, call source and/or destination number, call type, time parameters and duration. Available actions include allow/terminate, log call, and alert via e-mail or pager. The ETM can determine an inbound call’s number via Caller ID, ANI (Automatic Number Identification) or CPN (Calling Party Number).

Good Looks, Too

THE ETM APPLICATION INTERFACE, the TeleView Client, is fairly straightforward, providing a single interface for management of local and remote ETM installa-

SECURELOGIX PRICE ESTIMATES

Item                                                    Quantity  Discount  Unit Price  Extended Price

Tiny Enterprise
ETM 3200 single-span license                                   1        0%      $7,000          $7,000
ETM 1010 communications appliance                              1        0%      $5,000          $5,000
ETM platform software pack                                     1              Included        Included
Training seat for 4-day ETM administrator course               1                $3,000          $3,000
Installation                                                                    $1,400          $1,400
Travel expenses                                                                 $1,250          $1,250
Annual customer care contract* – ETM 3200 single span          1        0%      $1,050          $1,050
Annual customer care contract* – ETM 1010                      1        0%        $750            $750
Oracle license*                                                1                                $1,400
TOTAL (before shipping & taxes)                                                                $20,850

Small Enterprise
ETM 3200 single-span license                                  10       10%      $6,025         $60,250
ETM 1010 communications appliance                              2       10%      $4,500          $9,000
ETM platform software pack                                     1              Included        Included
Training seat for 4-day ETM administrator course               1                $3,000          $3,000
Installation                                                                    $7,000          $7,000
Travel expenses                                                                 $1,250          $1,250
Annual customer care contract* – ETM 3200 single span         10       10%        $900          $9,000
Annual customer care contract* – ETM 1010                      2       10%        $750          $1,500
Oracle license*                                                1                                $1,400
TOTAL (before shipping & taxes)                                                                $92,400

Medium Enterprise
ETM 3200 single-span license                                  50       20%      $5,600        $279,800
ETM 1010 communications appliance                              5       20%      $4,000         $20,000
ETM platform software pack                                     1              Included        Included
Training seat for 4-day ETM administrator course               1                $3,000          $3,000
Installation                                                                   $30,025         $30,025
Travel expenses                                                                 $1,250          $1,250
Annual customer care contract – ETM 3200 single span          48       20%        $840         $40,300
Annual customer care contract – ETM 1010                       5       20%        $600          $3,000
TOTAL (before shipping & taxes)                                                               $377,375

Large Enterprise
ETM 3200 single-span license                                 500       30%      $4,900      $2,448,000
ETM 1010 communications appliance                             50       30%      $3,500        $174,800
ETM platform software pack                                     1              Included        Included
Training seat for 4-day ETM administrator course               5                $3,000         $15,000
Installation                                                                  $600,000        $600,000
Travel expenses                                                                $30,000         $30,000
Annual customer care contract – ETM 3200 single span         500       30%        $735        $367,500
Annual customer care contract – ETM 1010                      50       30%        $525         $26,250
TOTAL (before shipping & taxes)                                                             $3,661,550

*INCLUDES ORACLE SILVER-LEVEL SOFTWARE MAINTENANCE PACKAGE

The ETM’s TeleView Client GUI displays security, management and real-time visibility functions for all monitored items.

All our testing was done against SecureLogix’s ETM version 3.03. But we had the opportunity to play with pending version 4.0, which should be shipping in mid-November, for one day at the end of our testing.

ETM 4.0’s best gee-whiz feature is TeleVPN Call Shield 1.0, a policy-based telecom VPN (PRI only, T1 support pending) providing 3DES (Triple Data Encryption Standard) encryption services to any phone, fax or modem. This lets any two sites with the right ETM equipment encrypt (in real time, thanks to some DSP [digital signal processor] magic) all transmissions between locations. Pretty neat stuff. Also of note is the new AAA for TeleWall Firewall 1.0, an authentication, authorization and accounting services application to assist in maintaining a distributed telecom environment.

ETM 4.0 also addresses faster modem declaration—a much better 1-to-2-second time instead of the current version’s 25-to-30-second requirement to identify and apply rules to a detected modem transmission. Finally, version 4.0 delivers a 2.4.19 Linux kernel upgrade and provides a number of interface and performance improvements that users will appreciate.

All current customers under service contract will receive the upgrade free of charge.

The standard built-in reporting tools, which query Oracle, are comprehensive and user-friendly. The “wardialing” report successfully identified all the script-dialing sessions run during our testing, as well as fingering an employee’s ex-boyfriend “love dialing” 73 times in a 12-hour run (but that’s another story!). The report-preview function is also handy because, as your data set grows, running detailed reports against Oracle can be time-consuming. We easily customized a number of canned reports to suit our testing needs; administrators can also design their own reports from scratch.
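The two patterns the “wardialing” report picked out above (a script walking a block of extensions, and one number hammering a single extension dozens of times) can be found in a plain call detail record export with simple heuristics. What follows is an added example of such a report over constructed CDR lines; it is not SecureLogix’s TeleAudit logic, and the thresholds, column names and numbers are assumptions.

```python
"""Added example, not SecureLogix's reporting logic: a heuristic
"war-dialing" report over a call detail record (CDR) export. A script
dialer walks a block of numbers quickly, so one source placing many short
or unanswered calls to many distinct destinations inside a short window is
flagged; a source repeatedly calling one destination (the 73-call "love
dialing" case in the review) is reported separately. CDR lines, column
names and thresholds below are constructed assumptions."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# constructed CDR export: one row per call, times are local
SAMPLE_CDR = """\
timestamp,direction,source,destination,call_type,duration_s
2002-10-15 01:12:03,inbound,2125550100,4100,unanswered,0
2002-10-15 01:12:31,inbound,2125550100,4101,unanswered,0
2002-10-15 01:12:58,inbound,2125550100,4102,modem,41
2002-10-15 01:13:40,inbound,2125550100,4103,unanswered,0
2002-10-15 01:14:12,inbound,2125550100,4104,fax,3
2002-10-15 01:14:45,inbound,2125550100,4105,unanswered,0
2002-10-15 09:05:00,inbound,8605550199,4210,voice,340
2002-10-15 09:20:00,inbound,8605550199,4210,voice,12
2002-10-15 09:41:00,inbound,8605550199,4210,voice,4
2002-10-15 10:02:00,inbound,8605550199,4210,unanswered,0
2002-10-15 11:30:00,outbound,4250,8605550123,voice,600
"""

def parse_cdr(text):
    """Parse the CSV export into dicts with typed timestamp and duration."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["timestamp"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
        r["duration_s"] = int(r["duration_s"])
        rows.append(r)
    return rows

def script_dialing_sessions(rows, window=timedelta(minutes=10),
                            min_destinations=5, max_avg_s=60):
    """Inbound sources that reach >= min_destinations distinct extensions
    within `window` with a short average hold time (scan-like behaviour)."""
    by_src = defaultdict(list)
    for r in rows:
        if r["direction"] == "inbound":
            by_src[r["source"]].append(r)
    flagged = {}
    for src, calls in by_src.items():
        calls.sort(key=lambda r: r["timestamp"])
        for i, first in enumerate(calls):          # slide the window start
            burst = [c for c in calls[i:] if c["timestamp"] - first["timestamp"] <= window]
            dests = {c["destination"] for c in burst}
            avg = sum(c["duration_s"] for c in burst) / len(burst)
            if len(dests) >= min_destinations and avg <= max_avg_s:
                flagged[src] = {"calls": len(burst), "distinct_destinations": len(dests),
                                "first": first["timestamp"], "last": burst[-1]["timestamp"]}
                break
    return flagged

def repeat_dialers(rows, window=timedelta(hours=12), min_calls=4):
    """(source, destination) pairs dialed at least min_calls times in window."""
    pairs = defaultdict(list)
    for r in rows:
        pairs[(r["source"], r["destination"])].append(r["timestamp"])
    out = {}
    for pair, stamps in pairs.items():
        stamps.sort()
        for i, t in enumerate(stamps):
            n = sum(1 for s in stamps[i:] if s - t <= window)
            if n >= min_calls:
                out[pair] = n
                break
    return out
```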

There Had To Be One Nit

MUCH TO SECURELOGIX’S CHAGRIN, we discovered a software bug in our testing, albeit one unlikely to be encountered in a production environment.

After our initial period of baseline testing, we began to test inbound calls from a wide variety of sources. When setting up rules, call “objects” need to be identified. An object can be as specific as “Bob’s House” or as broad as “All 900 Numbers” or “All Calls to France,” depending on your required level of granularity. All objects are defined by data elements, for example, “description,” “country code,” “area code” or “exchange.”

Rather than creating a unique object for each new outside number tested, we lazily remapped the object “Dean’s Cell Phone” to dozens of different numbers over an afternoon. We soon discovered that the real-time monitor did not clear its display cache, and when one of our children dialed in from a “previous” test number, the monitor reported a call coming in from Dean’s Cell Phone, which was sitting on our test bench! A call to tech support and a few hours of investigating verified the bug, and engineers delivered a patch the next morning. We mention it mainly to highlight SecureLogix’s customer service: We don’t think we got preferential treatment because we were reviewing the product. We feel that any customer would receive the same level of assistance.

All patches, fixes and version upgrades are provided to customers under the support contract. This includes remote installation of patches and on-site installation of major releases. Cost of support is negotiated at time of sale and at close of contract. According to SecureLogix engineers, most customers choose to renew.

Bottom line: The ETM works as advertised. Once installed and configured by the SecureLogix technicians at our location, we could quickly roll up our sleeves and start working with the application to set up and implement security policies on our live and simulated PRIs. We were able to block inbound and outbound calls based on policy settings. The ETM used real-time in-band monitoring of live calls to detect call type (voice, data or fax) and terminated the in-process call when the type changed, for example, passing data during a “voice” session, and policies were violated. We were unable to fool the system.

SECURELOGIX ETM FEATURES

Monitored call attributes    Call direction (inbound/outbound), call source telephone number, call destination telephone number, call type, call start time, call duration
Firewall actions             Allow, terminate, alert (via e-mail, page or SNMP), log, engage TeleSweep Scanner
Reporting                    User definable, 100+ prepared, preview option

As a bonus, the ETM raised flags on a number of real problems in our test environment, including QoS concerns (intermittent frame errors) with our ISDN PRI and use of fax lines for outbound data. In all, we were impressed with SecureLogix’s offering and would recommend it to anyone who can justify the cost.

And therein lies the rub: This is not an inexpensive solution. While SecureLogix sets its licensing incrementally per monitored span (T1 or PRI), it would be very difficult for a small firm to justify the expense of the ETM system unless it was already an Oracle shop. Recognizing that pricing is negotiated on a per customer basis, we asked SecureLogix to price out example estimates for us. Pricing for a single-span setup (atypical for SecureLogix, but what we would want to purchase for our 400-extension environment) would be around $20,000. This would include an ETM 1010 appliance, a single-span license, the ETM software, on-site setup and travel expenses for one technician, a training seat for a four-day Administrator course, and one year of support. Figure in an additional $1,400 for Oracle 9i plus the expense of three Windows NT servers, and service renewals ongoing at less than $2,000 per year.

Calling ROI

SecureLogix says some of its ETM customers have quickly realized returns on their investments, with savings attained by blocking unauthorized toll calls and identifying underused and unused lines. And by providing central administration of global security management policies, the ETM toolset helps administrators manage proprietary PBXs efficiently across their enterprises.

Examples cited by SecureLogix include:

»a medical complex with a 10-month payback from savings on long-distance and international toll charges;

»a Fortune 500 company that discovered 24,000 “unauthorized” outbound modem calls to ISPs in the first month of installation, equating to thousands of hours of lost productivity plus toll charges, as well as savings from identification of underused lines and reduced administration costs from managing call policies via the centralized ETM console rather than paying vendors PBX by PBX across multiple locations.

At the midpoint of the pricing spectrum is an estimate that SecureLogix describes as a “medium” installation: an ETM environment to monitor 50 spans would run in the neighborhood of $380,000. Service contract renewals would be in the $45,000 to $50,000 per year range. Of course, pricing for enterprise-scale installations can run into the millions. (For more pricing details, see “SecureLogix Price Estimates” chart, page 62.)

The gist: if you have a large, diverse telecom environment to manage and protect, the SecureLogix ETM solution fills the bill admirably. In fact, we would love to have this equipment installed permanently in our small shop ... but we can’t afford it.

SecureLogix ETM System 3.0, starts at $20,000. SecureLogix Corp., (800) 817-4837, (210) 402-9669. www.securelogix

NWC

Joe Hernick is an IT director … Fortune 500 firm; he has 12 years of consulting and project management experience in data and telecom environments. Dean Ellerton, MS.Ed, is the director of … for a private New England boarding school. Maj. Jim Wiggs has managed telecom and computer systems for the U.S. military, government and private industry for more than … . Send comments to jhernick@nwc.com.