KNUEPPEL-NG-9-1-1-Security-What-is-a-BCF - IIT Real

NG 9-1-1 security: What is a BCF
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
Safe Harbor Statement
The following is intended to outline our general product direction. It is
intended for information purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described
for Oracle’s products remains at the sole discretion of Oracle.
Topics
• What are the features/functions of a BCF?
• What does it mean to provide a highly available BCF?
• How should the BCF handle overload?
• What could DDoS and TDoS do to the ESInet?
• Where does NENA place the BCF into the i3 architecture?
• Interoperability: Isn’t SIP a standard?
Abstract

The BCF (Border Control Function) is an important functional element of the
NENA i3 Solution architecture because it provides the first line of defense
against deliberate attacks and organic events on the Emergency Services
Internet (ESInet). It is expected that Public Safety Answering Points (PSAPs)
will provide a BCF between their internal networks and the ESInet. The BCF
is intended to provide secure entry into the ESInet for ingress emergency
calls. This Functional Element ensures the smooth processing of
emergency calls/sessions, including signaling protocol normalization and
interworking, codec negotiation, support for QoS/priority markings, media
proxy, and more. As such, there are some baseline, minimum features and
functions that are required to effectively ensure the smooth, secure operation
of NG9-1-1 networks.
Background
• National Emergency Number Association (NENA)
  - Sets standards for emergency calls in North America
• Next Generation 911 (NG911) project
  - Complete overhaul of current 911 system
  - Initial version of the technical standards known as i3
What is NG 9-1-1?
• IP-based replacement for E911 features & functions
  - Supporting all sources of emergency access to appropriate public safety agencies
  - Operating on managed, multipurpose IP-based session delivery networks
  - Providing expanded multimedia data capabilities for PSAPs and other emergency communications entities
IP-based services are easy targets
• IP networks are inherently insecure
  - Developed without security in mind
• Organizations rely on IP networks
  - Multimodal communications difficult to control (BYOD)
  - Confidential information freely exchanged by users that don’t understand how it is transmitted
What are the risks/vulnerabilities?
• Toll fraud, fuzzing, message floods, session hijacking, eavesdropping, MITM call modification, media injection
• Buffer overflows, malware, D/DoS, bugs, configuration issues
• Resource exhaustion, account manipulation, service poisoning
• UDP/TCP floods, ICMP vectors, fuzzing, D/DoS
• Physical access compromise, reboot
• Weak passwords, abuse of services, oversharing, pretexting
Threat landscape
Denial of Service
• Many platforms don’t perform well in flooding scenarios
  - They either have a flawed architecture or all attacks are presented to CPU, reducing resources available for system/applications (e.g., SIP)
• In our experience and field validation, a simple TCP SYN attack or INVITE flood is enough to take down many devices
root@bt:# hping3 -S --rand-source --flood -p 5060 <remote_IP>
root@bt:# inviteflood eth0 <user> <domain> <remote_IP> <number of invites>
Reduced feature “good enough” SBCs work great… until you are under attack!
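An added example, not taken from the slides or from any vendor's product: a sliding-window detector of the kind a BCF's detection stage could apply to INVITE traffic, with one limit per source and one across all sources, since a flood that randomizes its source address stays under any per-source limit. The class name, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import deque

class InviteFloodDetector:
    """Sliding-window INVITE counter, per source and across all sources."""

    def __init__(self, window=1.0, per_source_max=5, aggregate_max=20):
        self.window = window                  # seconds (assumed value)
        self.per_source_max = per_source_max  # INVITEs per source per window
        self.aggregate_max = aggregate_max    # INVITEs from all sources per window
        self.events = deque()                 # (timestamp, source) in arrival order
        self.counts = {}                      # source -> INVITEs inside the window

    def observe(self, ts, src, method):
        """Classify one request: 'pass', 'source-flood' or 'aggregate-flood'."""
        if method != "INVITE":
            return "pass"
        # Expire old events and delete per-source state as it empties, so the
        # table never holds more than one window of traffic.
        while self.events and ts - self.events[0][0] >= self.window:
            _, old = self.events.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        self.events.append((ts, src))
        self.counts[src] = self.counts.get(src, 0) + 1
        if self.counts[src] > self.per_source_max:
            return "source-flood"      # one talker above its own budget
        if len(self.events) > self.aggregate_max:
            return "aggregate-flood"   # many sources, each individually quiet
        return "pass"

def classify(records, **limits):
    """Run (timestamp, source, method) records through a fresh detector."""
    det = InviteFloodDetector(**limits)
    return [det.observe(*r) for r in records]

# Constructed sample traffic using documentation address ranges (not from the page).
NORMAL = [(i * 0.5, "192.0.2.10", "INVITE") for i in range(6)]
SINGLE = [(i * 0.01, "198.51.100.7", "INVITE") for i in range(10)]
SPOOFED = [(i * 0.01, f"203.0.113.{i}", "INVITE") for i in range(30)]

if __name__ == "__main__":
    for name, recs in (("normal", NORMAL), ("single", SINGLE), ("spoofed", SPOOFED)):
        verdicts = classify(recs)
        print(name, {v: verdicts.count(v) for v in set(verdicts)})
```

What to do with a flagged request (drop, challenge, deprioritize) is a policy decision for the deployment; on an emergency network a false positive is a lost 9-1-1 call, so the limits need tuning against real call volumes.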
Wasn’t TDM safer?
• Eavesdropping, media injection, and caller impersonation are as easy as hooking up a lineman’s test set or “butt set” to wire pairs.
• Toll fraud can be as easy as an open auth code on your PBX or dial-out of voicemail
• Physical attacks are always great for DoS, regardless of technology
What to do?
• Border Control Function (BCF)
• Sits between external networks and the ESInet and between the ESInet and agency networks
  - All traffic from external networks transits a BCF
  - Acts as a demarc
• Comprises several distinct elements pertaining to network edge control and SIP message handling
• Border Firewall
  - Access control
  - Protect from attacks
• Session Border Control
  - Prevention
  - Detection
  - Reaction
BCF: features
• Border firewall
• Session border control
  - Signaling B2BUA
  - Media anchoring
• Denial of service
  - Detection/protection
• Topology hiding
• Signaling normalization
• NAPT traversal
• IPv4/v6 interworking
• Admission control
• Encryption anchoring
SBC – Session Border Controller
• Already protecting live global real-time IP networks
• Functional element of BCF
  - DOS/DDOS protection, overload, resource admission control
  - SIP normalization/interoperability
  - Resolving NAT issues
  - Opening/closing pinholes
  - B2BUA/topology hiding
  - IPv4-IPv6 interworking
  - VPN bridging
  - Transport and encryption
  - QoS marking, priority, reporting
  - Call detail records
  - Transcoding
  - Much, much more
Additional features of BCF/SBC
• Routing and session management
  - Time-of-day, day-of-week
  - Cost, carrier
  - QoS
  - External policy
• Normalization
  - User-configurable
• Codec management
  - Stripping, reordering
• QoS marking
• Reporting
High availability – vendor dependent
• May be limited to media only and not call control or configuration
  - What good is a call that can’t be put on hold, hung up or transferred?
  - What’s the use if post-failover route treatment may be different?
• In many cases takes several seconds to fail over all sessions
  - Which leads to users hanging up
• May use a network carrying traffic for state replication vs. dedicated links
  - Leading to loss in peak periods
• Loses CDR info for established calls
First Class HA:
• Hitless failover
• Media, session, configuration sync
• Retention of critical call data
• Dedicated, redundant HA com links
Placement of BCF in i3, per NENA 08-506