WO2006042973A1

WO2006042973A1 - Security device for an autocommutator

Info

Publication number: WO2006042973A1
Application number: PCT/FR2005/002601
Authority: WO
Inventors: Gérard KAAS
Original assignee: Checkphone
Priority date: 2004-10-19
Filing date: 2005-10-19
Publication date: 2006-04-27
Also published as: FR2876855A1; FR2876855B1; EP1803279A1

Abstract

The invention relates to telecommunications and network security. The invention relates more particularly to a firewall system for securing a business autocommutator (200) which is connected to at least one communication network in a commuted mode, type PSTN, and to at least one set of communication peripherals and/or application servers (210), said system comprising a communication analyzer (100) of low levels (1- ) of the OSI model of digital communications in a circuit and analog mode, and a firewall server (110) which is connected to the analyzer (100). The invention is characterized in that the system also comprises a supervision server (120) connected to the run-of-river output (199) of the autocommutator (200) for analysis of communication tickets and application of security rules relating to the high applicative layers (4 - 7) of the OSI model.

Description

SECURITY DEVICE D ⁷ A PBX

The present invention relates to the field of telecommunications and network security.

The present invention more particularly relates to a system and method for securing an enterprise switch by call control.

The corporate PBX is the gateway to a company network. As a result, security must be strongly present, particularly since the convergence of circuit-mode network management and packet mode networks. Too many abuses are currently taking place on branch exchanges where communications are diverted by outsiders to make calls at lower cost.

The prior art already knows, from US Pat. No. 6,687,353 (Securelogix), a system and method for a telephone security system. Illustrated in FIG. 1, the invention consists in controlling and realizing access between terminals of an enterprise to a plurality of sites and their respective circuits in the public switched network. The system and method may include: a discrete line sensor within the sites to determine the nature of the calls, the line sensor not interfering with existing communications. The line sensor may include: a pair of relays for routing the data through the line sensor without altering the data, a pair of transceivers and a processing unit for routing the data through the line sensor by storing and copying the data and transmitting the new data through the sensor line. The system may also include: a PBX in the sites and connected to the line sensor; a central switch connected to the line sensor and the PBX; and a firewall management server. The entirety of known systems for securing enterprise telecommunications networks and more particularly private branch exchanges reproduces an architecture similar to that described in FIG. 1. Namely, an analyzer (sensor 13) is placed on the trunk. (11) between the switched network (10) and the private branch exchange (14). This sensor analyzes the nature of the calls sent to / from the peripherals (16) of the private network (15), then confronts the information obtained with security rules contained in a server (17).

This is particularly the case in US Pat. No. 6,226,372 (Securelogix) which describes a system and a method for implementing a fully integrated cooperating telecommunication firewall / scanner, enabling the implementation of functions enhanced firewall and telecom scanner security, and the implementation of a dedicated enterprise-class security structure, event visibility, and report consolidation in a globally distributed enterprise. In the most basic configuration, the built-in firewall / scanner provides continuous protected access control and control functions, keyword and content control and control functions, and authenticates remote access, coordinated vulnerability assessments as well as automatic synchronous adjustments to the Security Policy, in response to the results of the vulnerability assessment. In addition, operations, evaluation results, and firewall and scanner responses can be consolidated into detailed or synthetic reports for use by security administrators for trend analysis and security decision-making. This solution proposes an analysis of the vulnerabilities of the equipment in order to adapt the security policy according to these.

Also known from US Pat. No. 6,760,421 (Securelogix) is a telephone resource and security management system and method for monitoring and / or controlling and recording access to a public telephone network. switched between end-user stations of a company and their respective circuits. A security policy, constituted for example by a set of security rules, is defined for each of the items, these rules specifying actions to be taken on the basis of at least one attribute of the call on the item. Calls are detected on extensions to determine the attributes associated with each call. The actions are then executed on the selected call based on their attributes according to the security rules defined for these items.

The prior art also knows, by the US patent application US 2004/0161 086 (Securelogix), a system and a method for managing and securing the telephone resources for viewing and controlling the incoming and outgoing calls between the terminals. an enterprise and public switched network in circuit mode and / or public packet switched network. A security policy consists of one or more rules designating at least one action to be performed on the basis of at least one attribute of the incoming or outgoing call. Calls are detected, picked up on the line and analyzed for determine the attributes associated with each of these calls. Actions terminating calls are conducted on the basis of these attributes determined in accordance with the security policy rules. A disadvantage of this solution is the application of call-only type rules when a fraud is detected. Another disadvantage is the analysis only of the low layers of the communication protocols.

The solutions provided by these documents perform an analysis of the "low layers" of the communication protocols (layers 1/2/3 of the OSI model) on a switched telecommunications network by determining the nature of the calls (fax type, voice type, number called , ...). They do not protect the network against possible attacks using features ("high layers" applications, such as call forwarding, conference) offered by the switch and their flaws.

Indeed, the communication analyzers deliver the following information:

- the nature of the call: Fax modem or voice;

- the start and end time of the communication;

- the number of the calling and called party;

- the path and link used for communication.

The communication analyzer does not deliver all the functionalities that have been implemented nor their chaining. The following two examples show the limitations of such a system in detecting "fraudulent" actions.

Example 1

A call from an outside call A to an extension B of the company immediately returned without a ring to a station C outside the company. The analyzer will observe the call from A to B and B to C without observing that it is the same communication. It is only with the analysis of the functionalities implemented for this call that 1 Observation can be established Example 2:

A call from an outside call A to a workstation of the company B can listen to the conversation with a caller C by activating the "unobtrusive entry" feature. Again the communication analyzer will detect only two separate and authorized communications.

In addition, the convergence of switched networks (ISDN for example) and packet mode (IP network) sees the appearance of mixed switches "switched-IP". No solution has yet been provided for the analysis of voice-over-IP (VoIP) communications as input to a mixed exchange.

Document US Pat. No. 6,801,607 and US 2004/0111305 also disclose systems analyzing records transmitted by a switch. These solutions are only oriented for the detection of fraud and find their application on the side of the telephone operators. A disadvantage of these solutions lies in the fact that they do not involve a low layer analysis. Another disadvantage lies in the fact that the information necessary for the analyzes presented in these documents (billing numbers) are only accessible to the operators. The implementation of such solutions is not feasible in companies.

It is an object of the invention to provide a security solution based on both an analysis "Low layers" and an analysis of the application layers (high layers).

The present invention intends to remedy at least one drawback of the prior art by proposing a system and a method for securing a switch, either in switched or mixed "switched-IP" mode, on the basis of an analysis of the "low" (call nature) and "high" layers (PBX features used) implemented during calls.

The method performs, on the one hand, an analysis of the incoming or outgoing calls to determine their nature, and on the other hand, receives information emitted by the switch, information indicating, among other things, the functionalities implemented during the operation. 'call. A comparison is made with a set of network security rules (or scenarios), the method then making it possible to respond to the call or to terminate it.

For this purpose, the system of the invention has a communication analyzer somewhat similar in functional terms to those described in the aforementioned patents, and associated with a server as well as a second server analyzing the information transmitted by the switch. on current calls. The system also proposes a server called "audit" to establish security rules according to the specificities of the network and the switch.

The method and the system according to the present invention respond particularly well to the expectations of companies whose private networks are too many times hacked by the use of one of the 400 or more functions of the switch (for example, the call in conference or conference call). For this purpose, the invention relates in its most general sense to a firewall system for securing an enterprise branch exchange connected, on the one hand, to at least one switched mode communication network, of the PSTN type, and, on the other hand, to a set of communication and / or application server peripherals, said system comprising a low layer communication (1 to 3) of the OSI model of circuit and analog digital communications. , a firewall server connected to said analyzer, characterized in that: said system further comprises a supervision server connected to the "water line" output of the switch for the analysis of the communication tickets and the application of safety rules for the OSI model layers (4 to 7).

Preferably, said switch is further connected to a packet mode communication network of the Internet type; said communication analyzer is placed in parallel lines between the switch and the switched networks and in packet mode; said communication analyzer further analyzes the information of the lower layers of the packet mode communications (incoming and outgoing) of the switch.

Advantageously, said analyzer is a DSP for detecting digital circuit, digital packet and analog communications. According to one embodiment, said supervision server comprises an expert system for learning security rules in the case of an unknown scenario.

According to a particular mode of implementation, said supervision server comprises a database for storing the information sent by said communication analyzer and information relating to the analysis of said tickets.

Preferably, said system further comprises an audit server connected to the supervision server able to analyze the functionalities of the switch, the system architecture and to establish a set of call scenarios.

Advantageously, said audit server comprises an expert system for establishing said scenarios.

According to one embodiment, said firewall server is connected to a plurality of communications analyzers located on various enterprise sites.

According to a particular embodiment, said system further comprises an encrypted backup server of the configurations of the automatic switch.

According to a variant, said system further comprises a call-back modem connected to the remote maintenance port of said automatic switch.

The invention also relates to a method for securing an enterprise switch connected, on the one hand, to at least one switched mode communication network, of the PSTN type, and, on the other hand, to a set of peripherals communications and / or application servers, the method comprising a step of analyzing low layers (layers OSI 1 to 3) communications by a communication analyzer and application of security rules to terminate illegal calls, characterized in that it further comprises: - a recovery step by a communication ticket supervision server issued by the switch, a step of confronting the information contained in said tickets with the security rules containing in the supervision server, a step of applying the security rules according to the information contained therein in said tickets.

Preferably, said method further comprises a step of reporting call information and decisions taken from said communication analyzer to said supervisory server.

Advantageously, said method further comprises a step of self-learning by an expert system in the supervision server scenarios not managed by the security rules.

Preferably, said method comprises, beforehand, a step of determining the possible scenarios by an audit server and a step of establishing the security rules by selecting said scenarios.

According to one embodiment, said scenario determination step comprises:

a step of recovering the circuit architecture files by said audit server from the switch and the files of the system architecture; a step of determining the risks and countermeasures associated with said recovered files.

The invention also relates to a computer program element comprising computer program code means arranged to perform the steps of the method.

The invention will be better understood by means of the description, given below purely for explanatory purposes, of one embodiment of the invention, with reference to the appended figures: FIG. 1 represents the standard architecture of the systems securing PBX on a switched telephone network (prior art); Figure 2 illustrates the architecture of the present invention; Figure 3 illustrates the functional structure of the communication analyzer; Fig. 4 is a logic diagram showing the operation of the communication analyzer; Fig. 5 is a logic diagram illustrating the establishment of the security rules according to the present invention; FIG. 6 illustrates the different initial data tables retrieved by the expert analysis system; FIG. 7 illustrates an example of a matrix of correspondences between the threats and the vulnerabilities of a system of the automatic switch type; FIG. 8 illustrates an example matrix of correspondences between the threats and the functionalities provided by a switch; Fig. 9 logically illustrates the audit and countermeasure module according to the present invention; Figure 10 schematically shows the inference engine for system auditing; FIG. 11 schematically represents the module for establishing countermeasures; FIG. 12 represents a logic diagram of the operation of the security according to the invention; and Figure 13 illustrates an example of packet mode communication.

The invention will be described using exemplary embodiments. It is understood that these examples are not limiting of the invention and that a person skilled in the art would be able to realize this invention in different variants.

ARCHITECTURE AND DESCRIPTION OF THE DIFFERENT MODULES FIG. 2 represents an exemplary embodiment of the system according to the present invention, comprising a switch (200), a communication analyzer (100) and a set of servers (110, 120 and 130) for management. security policy.

The enterprise-class switch (200) is a switch for real-time call processing and switching between private corporate (210) devices and the switched telephone network (300) and / or a network in the real-time mode. packets, for example the Internet (310). The switch (200) provides, in addition, features (sometimes more than four hundred) that can be implemented during calls: for example, the double call, the call forwarding, the conference, ... It presents two dedicated ports, on the one hand, to remote maintenance (198) and, on the other hand, the sending (199) of "tickets" used, among others, billing calls. The latter port (199), also called "over of water "is a serial port of data transmission, tickets. These contain a lot of information about calls dialed by (200). A more detailed description is provided below. The essential functions of a switch are: switching, interfaces with terminals, telephone application. The switch (200) can be PBX (Private Branch eXchange) or PABX (Private Automatic Branch eXchange) dedicated only to a switched network, in which case the analysis of packet communications is not performed, or "mixed For example a centralized IP PBX in which all the functions are implemented except the switching performed by a network switch. In the remainder of the description, we will use non-restrictively the term PBX for the switch (200) that is dedicated to the switched network or "mixed".

The corporate network may be of the LAN (Local Network Area) type and is composed of the PABX (200), the peripherals (210) and the inner lines (220) connecting the peripherals to the PABX.

The peripherals are of the fax type (203), modem (202), telephone (204), IP telephone (205), cordless phone (206), for example DECT, application servers (208) for example voice mail server , billing server,

..., or administration servers (209) of the branch exchanges.

The "telephony" servers (208) and (209) are furthermore connected to the PABX via an isolated IP network (230) dedicated solely to exchanging data between these various entities: controlling the PABX from the server. administration, for example.

Still with reference to FIG. 2, a communication analyzer (100) is placed in parallel with the lines networks (320) between the public switched / packet network (300, 310) and the PABX (200).

A firewall server (110) is connected to the communication analyzer (100) and possibly to other analyzers (100 ', 100' '). The firewall server (HO) contains all the rules or scenarios to be applied on the network and transmits them to the communication analyzers. A more detailed description of such a server may be provided by one of US 6,687,353, US 6,226,372, US 6,760,421 and US 2004/0168686 mentioned above. The server 110 consolidates in real time all the information of all the communication analyzers of the various sites and manages the alerts related to possible malfunctions of these analyzers. A supervisory server (120) is connected to the PABX's "run-of-the-river" port (199), the firewall server (110), and a third audit server (130). This server (120) provides management of communication analyzers (100) and the management of security rules. The servers 110 and 120 must be physically different for reasons of real-time processing and operational safety.

The audit server (130) hosts an expert system for establishing the security rules or scenarios, which it sends to the supervisory server (120) for application thereof.

These different servers are, for example, dedicated computers, comprising a processor, RAM type RAM, an operating system, software for implementing the method of the invention, software executed on this operating system, and network connection means.

The system also includes a backup device (112) and a call-back modem (114). The device (112) makes it possible to perform a backup, preferably encrypted by dynamic key, of the configurations of the automatic switch. The modem (114) provides protection for access to the remote maintenance port (198) by implementing call detection, identification and callback mechanisms depending on the identification. obtained.

COMMUNICATION ANALYZER The functionality of the communication analyzer (100) is illustrated in Figure 3.

For cost reasons, the communication analyzer (100) is implemented as DSP (Digital Signal Processing) with a suitable software. This allows, among other things, to easily coexist a circuit mode network analyzer (ISDN) and a packet network analyzer (IP). The prior art knows these analyzers dedicated to switched networks. In one embodiment of the invention, the analysis of the IP network is done by a filter retrieving the header of the transmitted packets.

The communication analysis method is provided by FIG.

(1): the analyzer (100) receives digital calls in circuit mode (a), packet mode (b) and analog calls (c).

(3): a first module (106) identifies the type of call (voice, data, ...) • This module is based on the recovery of the headers of transmitted packets, on the signaling of the D channel of digital communications switched (ISDN TO and T2) or the carrier value for analogue links.

(4): in a second module (105), the characteristics of the call are compared with the communication rules transmitted by the firewall server (110) through the central unit (108) of the analyzer.

Apart from the generic rules related to the security of the system (decision to authorize or prohibit all calls in the event of failure of the communication analyzer 100), the so-called acknowledged rules are the rules coming only from the server of audit (130) which is in charge of the consistency check of the set of rules. The default behavior allows calls that are not explicitly prohibited, and when one of the rules coincides with the current call, the rule applies.

The set of rules that only involve the information collected by the communications analyzer (100) is resident therein for the site concerned; this is to ensure real-time processing (fast enough for the connection time of communications). These rules are stored either in Flash memory or on hard disk, depending on the number of links to be observed. The security rules are sent by the supervision server (120) via the server (110). An example of a communication analyzer (100) is one of the products of the "Wavetel" range. The firewall server (110) is the guarantor of the 1-2-3 layer rules and periodically checks the integrity of the data of the communication analyzers to prevent any malicious changes to them.

This follows the processing (104) of the call according to these rules. Either the call is allowed, or it is allowed with time zone, number, destination restrictions or it is ended by a hang-up procedure (5). This procedure is carried out, for the different types of links in the following way:

- for digital links "circuits", if there is an API link at the PABX then is generated a command to cut the current communication. Otherwise, a scrambling of the communication is effected by the third party entry announcing the modem of the communication analyzer (100) connected to an analog extension trunk until hung up by the user, - for the digital links " packets ", a" Firewall data "behavior is applied by blocking the call after extraction and analysis of the IP header at the RTP or RTCP level in the case of a communication using an H323 communication protocol. SDP level in the case of a communication using the SIP and / or MGCP communication protocol, these layers enabling the identification of the codes (G711 to G729), the fax protocol (T30, T38) or the modem protocol (G723.1 ). The call will be blocked either by the "Cancel" command at the signaling level for SIP, or by the "Reject" command of the H245 protocol for H323, or by the "DeleteConnection" command for MGCP.

- for analog links, a micro-relay cut is performed. The analysis is looped until the call has ended. Once this call is complete, the call information is sent back (6) to the firewall server (110) and sent through a "communications pipe" to the supervisory server (120) in real time.

The following example is for analyzing packets sent over the network in the H.323 protocol. Example 1: Analysis of the H.323 protocol

FIG. 13 illustrates, on the one hand, the layers on which the H.323 protocol is based and, on the other hand, the format of the Real-time Transfer Protocol (RTP) header used for voice over IP on the protocol. H.323.

The communication analyzer analyzes the RTP header contained in the UDP or TCP frame to determine the nature of the communication by taking into account in this header, the value "Payload Type". In the example provided, it is a G711 communication still called PCMA.

THE AUDIT SERVER

Illustrated by FIG. 5, the auditing server (130) makes it possible to set up the scenarios for securing the network, scenarios that will be chosen by a human operator for setting the security rules. FUNCTIONAL ANALYSIS

A first step is performed before operating the system. It aims to determine the functional characteristics of the PABX (200) that change from one manufacturer to another (1010) and the specificities of the network architecture in place (1020). The operations described below are reproduced after an update of the PBX or after a modification of the network architecture (adding peripherals for example), which is why it is preferable for the audit server (130) not to does not share the same resources as the supervisory server (120).

During a preliminary phase before the system is put into operation, the server (130) is connected to the maintenance port V24 (198) of the PABX to obtain the circuit architecture files (1020) contained in the PABX as well as to the IP network (230) to obtain the system architecture information (1010). NESSUS-type application allows to get through the IP network (230) all the IP information of the network: VLANs, IP addresses, number of application servers, etc.

The circuit architecture files mention the configurations of internal links (directory of telephone numbers) and external links (TO, T2, voice IP for voice).

FIG. 6 represents an example of the configuration databases (1000) obtained by the audit server (130) after analysis of the system (1010) and circuits (1020).

The database of external links informs:

- the nature of the links (ISDN TO or T2, analogue IP);

- if it is an Intranet; - the type of flow (incoming, outgoing, mixed);

- the number of lanes;

- the actual flow.

The database of internal links informs:

- telephone number ; - if he has an SDA (direct selection on arrival) or not;

- the nature of the links (analog, digital, IP); - the type of device (phone, modem, fax). The system database informs: - the elements present (PBX, voicemail, billing server);

- the version of the operating system;

- updates ;

- passwords; - communication ports;

- the logical address;

- the physical address.

The PABX features database provides: - phone numbers; - associated profiles or classes;

- the features open on each of the telephone numbers (forwarding, conference, grouping);

- the associated restrictions.

Beforehand, a step is performed to define the attributes and the corresponding values implemented by the PABX (200) (depending on the manufacturer), for example: associated_services_values: mevo (voicemail), Svi, Acd, charging ...;

Software_Status Values: update, password, open communication ports;

Architecture_values: Vlan, independent, QoS; Values_telephone: sda, password, ip, v24, call back;

Backup_values: encrypted, periodic;

Values_mobility: open terminal, Dect, Wifi;

Values_functionalities: operator, intercom, multi Cco, multi-company, Disa, conference, recording, third-party entry, transfer, forwarding, listening, grouping, Sda ...;

Restriction_values: time, geographic, range numbers, priority access, logical locking ...

Still referring to FIG. 5, an analysis of the various vulnerabilities (1100) of the PABX with respect to these values makes it possible to distinguish three main types of vulnerabilities: access vulnerabilities (possibility of access to the system and to the data contained in FIG. interior), creation / modification / deletion (cms)

(possibility of interacting with the system and the associated data) and those of recovery (possibility of recovering the action that happens). The rules database (1110) contains, for its part, all the security rules applied by the system. This database is usually empty when the system is installed and is enriched at the end of this system audit phase. The rules are in the form:

If (name operator unit value) and ... and (name_of_multiple_words operator value)

Then (name = value) and .. and (name = formula)

Here are two examples of rules:

Example 2

If Associated_services_values = (voicemail, standard password, sda) and Values_features = (automatic callback after message delivery, external number) and Architecture_value = (external links, no restriction)

So risk = (listening)

This example illustrates the risk of being wiretapped using the weaknesses of the system in automatically calling an outside number after the message is placed in voicemail.

Example 3

If value_teleired = (manufacturer password, sda number, no restriction) and value = (external reference) and value = architecture (external links, no restriction) Then risk = (traffic diversion)

This example illustrates the diversion of communication traffic using the external reference of a communication made possible by obtaining the password constructor ...

Also, the EBIOS method makes it possible to establish, independently of the architecture of the corporate network, a matrix characterizing the dependencies between threats and vulnerabilities of the PABX (200), and a matrix characterizing the dependencies between the threats and the functionalities offered by the PABX.

Figure 7 shows an example of a "threats / vulnerabilities" matrix where the threats are of the industrial espionage or hijacking type, and the vulnerabilities may be the ability to directly access a station or the ability to delete or modify programs. . FIG. 8 represents an example of a "threats / functionalities" matrix where the functionalities provided by the PABX (200) can be common abbreviated dialing, forwarding or grouping.

These matrices can be filled manually, that is, dependencies are established based on hardware knowledge and network security.

EXPERT ENGINE - INFERENCE AND COUNTERMEASURES Each of the previously defined system / circuit configurations (1000) is confronted with threat information, vulnerabilities and established rules to assess the risks of this configuration and the appropriate countermeasures against this situation. A schematic representation of this expert system is provided in FIG. 9, of which the SCN1 (1120) and SCN2 modules are illustrated by FIGS. 10 and 11.

This expert system is contained in the server (130).

Forward and backward chaining is performed between the threats and the system vulnerabilities (according to the previously defined matrix) by the SCN1 module (1120). "Forward and backward chaining" is understood to mean analyzing each of the threats (symmetric role of the vulnerabilities) in order to associate the dependent vulnerabilities with them and to complete this analysis by checking the determined vulnerabilities of the threat original. A sequential analysis of access vulnerabilities, creation / modification / deletion vulnerabilities, and recovery vulnerabilities helps identify potential risks to the system from this threat. These risks are stored in a database.

These risks have the following form: "vulnerabilities (access) and vulnerabilities (Mcs) and vulnerabilities (Recover) then Threat (xx)", and make it possible to establish countermeasures. These new countermeasures or scenarios take into account those already existing (countermeasures database 1210) and are made by the SCN2 module illustrated in FIG. 11.

A ranking of the risks makes it possible to determine the cases to be authorized, those to prohibit and finally those to authorize with restriction (time slot, geographical, ...): these are the scenarios. The risks are classified according to two criteria.

A classification according to the four major families of risks:

- the risks related to the diversion of traffic,

- those related to listening,

-such related to the usurpation (the function sqatt, for example, allows to recover all the characteristics of another post including its telephone number),

- those related to the denial of service (scenario allowing the introduction of a malignant element in the system software). Then, within these families, is made a classification in order of facility following the rule: the less a scenario comprises of item more it is easy to implement. Consequently and according to the company's security policy, it will be a question of prohibiting as much as possible what seems most dangerous.

A human intervention makes it possible to choose the countermeasures defining the security policy of the PABX (200): examples concerning the architectural vulnerabilities: to suppress the inactive links, to modify the numbers of remote maintenance if they meet the standards constructors, to reorganize the directory ... considering the proposals made by the expert system; examples concerning the functionalities provided by the PABX: the countermeasures relating to the risk scenarios are in the form of choices, since there can be no question of deleting all the open functionalities, by definition of the role of the PABX. It will limit the scenarios and monitor those that could not be eradicated, for example, delete the scenario by prohibiting the feature (s) involved, allow the features and monitor their use or restrict the features by time slot, by number range, by destination, ...; Device examples: Allow or restrict a device, device group, phone number, ... device type. An iteration of the expert system will be carried out in order to verify, in real time, that the functionality / device pair does not create a new risk scenario; - Logical and update access management according to the recommendations of the "Audit" module or development with iteration of the expert system. This is because, for example, there are a number of open communications logical ports in each component of the enterprise communication system. Some do not serve and it is recommended to close them, even if they are necessary to reopen them. For example, for an Alcatel type PBX, twenty ports are open in standard configuration and half of them are only for system installation.

In addition, the rules databases (1110), vulnerabilities (1100) and countermeasures (1210) are updated when new scenarios are created.

Here is the establishment of countermeasures with reference to the two examples 2 and 3 above. Example 3: Traffic diversion

A hijacking can come from the combination of the following vulnerabilities:

Vulnerability of access concerns the value_telemention (manufacturer's password, SDA number, no restriction)

Vulnerability of "cms" relates to the value_features (external referral, no restrictions)

Recovery vulnerability concerns the architecture_value (external links, no restriction)

The risk rule then established becomes: If value_telemaintenance (manufacturer password, number sda, no restriction) and value_functions (external reference) and value_architecture (external links, no restriction) then risk (diversion of traffic)

This scenario can occur frequently because the external hacker can, through a "war-dialer" (program that allows from a series of telephone numbers to massively launch calls to identify a modem or fax carriers and allow entry into a computer or telecom system), identify the remote maintenance modem, use the Internet to find the manufacturer's passwords, access and activate the forwarding feature or divert the traffic to his account.

To determine these scenarios, the rules engine uses the correspondence matrices mentioned earlier to: - identify all the access vulnerabilities

(Poorly protected maintenance and remote maintenance, unprotected stations, open access features (DISA), etc.), to identify all the vulnerabilities allowing the creation-deletion-modification of the facilities responding to the threats (forwarding, forwarding, DISA, conference, etc.), - to identify all the vulnerabilities allowing to recover the previously implemented action responding to the threat (external links, associated servers, etc.).

Example 2; listening

The vulnerabilities of the system with regard to listening concern:

Access: associated_services_values (voicemail, standard password, nda),

Cms: function_values (automatic callback after message delivery, external number),

Recovery: architecture_value (external links, no restriction).

The risk rule then established becomes:

If Associated_services_values (voicemail, standard password, sda) and Operator_values (automatic callback after message delivery, external number) and value_architecture (external links, no restriction) then risk (listening)

The proposed countermeasures are then:

SECURITY POLICY ANALYSIS AND APPLICATION The audit step allowed to establish the configurations and instructions (rules) necessary for the application of the security of the transactions, communications passing through the PABX.

As illustrated in Figure 12, the established rules are sorted according to their area of application: those concerning the "low layers" of communication (OSI layer 1-3) are transmitted to the database of the firewall server (110) via the supervision server (120), those concerning the "high layers" (OSI applications

4-7) and the features of the PABX are transmitted to the database of the supervision server (120). Some rules permanently affect the

PABX: they are therefore directly set in the PABX database, automatically and / or manually. The other rules are compared on the supervision server

(120) with the communication tickets issued on the "run-of-the-water" port (199) of the PABX.

TICKETS

Each call generates a communication ticket with 128 bytes. These tickets are generally used for billing calls. In the context of the present invention, the ticket provides, inter alia, the following information:

- Calling number

- Called number

- Date -Time of call start

- Call end time

- Intermediate number - Number T2 / T0

- Way

- IP

- Operator - Interface (digital, analog, IP)

- Website

- Features implemented

- Name of the directory

A consistency check between the information contained in the ticket and the PABX database is carried out: an alert is raised in case of inconsistency, and the call can be terminated. This is, for example, the case when during a manual reconfiguration of the PABX, all the new parameters edited by the audit module were not introduced into the PABX (no updating of the directory, forgetting to forbid a feature for a position, etc.). This control makes it possible to limit the calls to the possibilities provided and authorized (the parameters) by the PABX.

The data resulting from this analysis is sent together with the information of the communication tickets to the supervision server (120). The information about the current call is combined with the alerts sent from the firewall server (110) for OSI layer analysis (BDD firewall alerts) and compared to the security rules of the supervisory server (120). Further analysis can be performed; it confronts the data of the current call with a history of the last calls (Tempo File Attacks) to establish if there is an attack or a violation of the security policy (according to models of typical attacks).

This history can be in the form of a file informing the last hundred calls processed by the PABX and their characteristics (called extension, ringing less than 4 shots, no answer, outside calling station, ...). The purpose of this historization is to be able to determine repeated attacks.

The real-time monitoring of the company's communication system is based on traffic ticket analysis, monitoring and monitoring of features implemented by a call and presenting vulnerabilities, monitoring and alerting in the case where a risk scenario is occurring, the self-learning of the scenarios not envisaged and which occur and finally the watch in detection of attacks by the reconciliation of information, for example: o Number of calls lower at 4 and hung up compared to the average. Analysis of the standard deviation with triggering threshold, o Number of calls as above and analysis if the phenomenon takes place in a sequential or random manner, with indication of the times between each call of this nature and triggering threshold, o Number of calls answered through voicemail and detected as modem calls.

A weighting algorithm, based on this information, will establish the presence or absence of an attack and will implement the alert and action procedure previously established.

When an attack, a non-compliance with the security policy, a new risk scenario is detected, a treatment of the appropriate countermeasures is carried out.

Example 4

If an attack occurs, the decision may be made to cut off all outside links if the event occurs. happens during a period during which the business is closed (at night).

Example 5

In case of non-compliance with the security policy, the internal telephone number concerned may be inactivated.

Example 6

If a new risk scenario is updated, the PBX is reconfigured taking this risk into account.

In the case where the configuration of the current call is not supported by any scenario, an expert system, similar to the one described above, allows the self-learning of the system. A new risk is determined, scenarios possibly proposed and a human operator determines the scenarios corresponding to the security policy. This learning is done by fuzzy chaining: we analyze the closest scenarios. For example, a scenario with four out of five criteria identical to the current call is considered close.

- the close scenarios are consistent with each other, and a new scenario is established for the current call,

- Or the scenarios are not consistent between them, in which case an alarm is raised, for example by email or SMS, to request the establishment of a suitable rule.

The system also allows statistical feedback allowing among others to know the number of completed calls, the number of fraudulent access attempts, ...

According to one embodiment, the invention consists of a software running on a "Windows Server" operating system (business name) and the databases implemented are of SQL type and later on more sophisticated platforms such as Oracle (Business Name).

EXAMPLE OF A SCENARIO Here is an example of fraudulent call scenario processing, from its origin to the countermeasures applied by the system.

The situation is as follows:

1. An attacker has introduced himself through the IP data network taking advantage of the fact that:

the logical communication port of the automatic switch is open and no VLAN configuration for the Ethernet network dedicated to the telephone servers,

- the Firewall Data authorizes the port ftp 80 which made it possible to enter the PABX of which this port is also to remain open,

- the hacker then introduced an executable that gives him the hand on the remote maintenance port,

- the password has been corrupted by a "Crackage" tool because the password has been changed and is no longer the password of the manufacturer.

2. The attacker then creates a virtual station in the PABX with the open dialing function (this is a station where the interface has been activated without connecting a station physically and when it is requested dials the area code exit to the network and wait for the number to dial).

3. The hacker has assigned the function DISA (function that allows a position outside the company to be perceived as a position of the company).

4. The hacker then spotted cyclic grouping (a cyclic group is a group of extensions that has a common generic internal number, which does not prevent these items from having an individual number, and who for each new call to this group directs it to the next free post belonging to the group).

5. The hacking community has been notified of the numbers to dial. This community consists of 50 members, one of which has a voice server located in the Bahamas with a billing service (€ 1 per minute paid by the operator to an account in Switzerland).

6. The hacker activated a group forwarding to the Bahamas voice server during non-business hours.

The pirate has at his disposal:

- a DISA station which allows it to be called and to transfer all the calls to the destinations desired by the callers,

- to join the voice server with anonymous mobiles (prepaid cards) and to share the gain related to the overcharged service during the hours not worked thanks to the grouping of post, - to be able to call with the fictitious post at any time n ' any destination without being located because this post is not in the directory.

The bill can be very salty for the company and the bleeding can not be stopped as easily because several actions have been conducted without a clear link.

After installation of the company's PABX security firewall system, according to the present invention:

- the application "audit", thanks to the module SCNl, by the application of the rules of vulnerability / threats / risks, will update the following scenarios: Vulnerabilities access: Software_States = (open communication ports)

Architecture_values ≈ (Vlan) Maintenance_values = (IP)

Vulnerabilities (cms): Values_fonctionnalités = (Disa) Values_fonctionnalités = (return, grouping) Values_fonctionnalités ≈ (dummy place, call outside the outside time delay)

Vulnerabilities (Recover);

Architecture_value = (external links, no restriction)

Rules

A. If SoftwareStatus Values = (open communication ports) and ArchitectureValues = (vlan) and MaintenanceValues = (ip) and Function_Values = (disa) and ArchitectureValue = (external links, no restriction)

So risk = (Traffic diversion)

B. If Software_Status Values = (open communication ports) and Architecture_Values = (vlan) and Maintenance_Values = (ip) and Function_Values = (dummy station, delayed outside call) Then risk = (traffic diversion)

C. If software_status_values = (open communication ports) and architecture_values ≈ (vlan) and Maintenance_values ≈ (ip) and Function_values = (return, grouping) Then risk = (hijacking)

In the SCN2 module, the software classifies these risks: Family: Traffic Diversion Growing Difficulty: A, C, B

Countermeasures retained: Open communication ports: Allowed port 80 because useful for updates and patches,

Vlan: Prohibit the absence of Vlan,

Fictitious workstation: limit the number of workstations that can be created and monitor the numbers authorized by the supervision software through the tickets and display them in the directory,

Timed out call: prohibit, Forward: prohibit outside forwarding for all items belonging to a group on the group number,

Grouping; to allow.

All this data is saved in the "new configuration" database.

The "supervision" application will sort the rules and settings either to the firewall server (110) or to the PABX.

The configuration of the PABX will be done manually because the PABX does not have interface API or IAE in our example: the operation setting up of a Vlan will execute by acquittement of the direction IT and its realization will be checked and noted during the next automatic audit. For the firewall server: no action planned because layers 1 to 3 of the OSI model managed by the communication analyzer are not requested in this example.

The consistency check of the configuration will be done as and when calls and if any of the facilities below above is found for the incriminated posts and does not respond to the adopted countermeasures then an alert is raised for correction.

In the treatment of the "expert module", the current call scenario will be compared with all the scenarios of the database to find a possible new scenario close or original.

The "attack" alert program will not fire in this example.

The call will be stored with its features in the waterwire database.

The invention is described in the foregoing by way of example. It is understood that the skilled person is able to achieve different variants of the invention without departing from the scope of the patent.

Claims

A firewall system for securing a company-wide switch (200) connected to at least one PSTN switched mode communication network and to a set communication and / or application server devices (210), said system comprising a communication analyzer (100) of the low-level layers (1 to 3) of the OSI model of circuit-mode and analog digital communications, a server light (110) connected to said analyzer (100), characterized in that:

said system further comprises a supervisory server (120) connected to the "water line" output (199) of the switch (200) for communication ticket analysis and rule application. secure on the upper layers (4 to 7) of the OSI model.

2. Firewall system according to the preceding claim, characterized in that:

said automatic switch (200) is furthermore connected to a communication network in packet mode, of the Internet type, said communication analyzer (100) is placed in parallel lines between the switch (200) and the networks switched and in packet mode; said communication analyzer (100) further analyzes the information of the lower layers of the packet mode communications (incoming and outgoing) of the switch (200);

3. Firewall system according to claim 1 or 2, characterized in that said analyzer (100) is a DSP for detecting digital communications circuits, digital packets and analog.

4. Firewall system according to one of claims 1 to 3, characterized in that said supervision server (120) comprises an expert system for learning security rules in the case of an unknown scenario.

A firewall system according to any one of the preceding claims, characterized in that said supervisory server (120) comprises a database for storing the information reported by said communication analyzer (100) and the information relating to the analysis of said tickets.

6. Firewall system according to any one of the preceding claims, characterized in that it further comprises an audit server (130) connected to the supervision server (120) able to analyze the functionalities of the switch, the system architecture and to establish a set of call scenarios.

7. Firewall system according to claim 6, characterized in that said audit server (130) comprises an expert system for establishing said scenarios.

A firewall system according to any one of the preceding claims, characterized in that said firewall server (HO) is connected to a plurality of communications analyzers (100, 100 ', 100' ') located on various corporate sites.

9. Firewall system according to any one of claims 1 to 8, characterized in that it further comprises an encrypted backup server (112) configurations of the auto switch.

10. Firewall system according to any one of the preceding claims, characterized in that it further comprises a call-back modem (114) connected to the remote maintenance port (198) of said automatic switch (200).

11. A method for securing a corporate switch (200) connected, on the one hand, to at least one switched mode communication network, of the PSTN type, and, on the other hand, to a set of peripheral devices. communications and / or application servers (210), the method comprising a step of analyzing the low layers (OSI layers 1 to 3) of communications by a communication analyzer (100) and application of security rules for terminating unlawful calls, characterized in that it further comprises:

a step of recovery by a supervision server (120) of the communication tickets issued by the switch (200), a step of comparing the information contained in said tickets with the security rules containing in the supervision server (120),

a step of applying the security rules according to this information contained in said tickets.

12. Securing method according to claim 11, characterized in that it further comprises a step of reporting call information and decisions taken from said communication analyzer (100) to said supervisory server (120). ).

13. Securing method according to claim 11 or 12, characterized in that it further comprises a step of self-learning by an expert system in the supervisory server (120) Scenarios not managed by the security rules.

14. Securing method according to one of the preceding claims, characterized in that it comprises, in advance, a step of determining the possible scenarios by an audit server (130) and a step of establishing the security rules by selection of said scenarios.

15. Securing method according to the preceding claim, characterized in that said step of determining the scenarios comprises:

a step of recovering the circuit architecture files by said auditing server (130) from the switch (200) and files of the system architecture;

a step of determining the risks and countermeasures associated with said recovered files.

A computer program element comprising computer program code means arranged to perform the steps of the method according to any one of claims 11 to 15.