…for trusted, first class interactive communications

Securing enterprise VoIP
Firewall pinholes/ACLs are not enough
– Open signaling ACL
– Full range of RTP ports open
Data IDS is not sufficient for SIP and H.323
– Not inline for signaling and media
– Relies on triggers from other network elements that have no call awareness
Session border controllers ARE VoIP security
– Track record of 5+ years securing next-generation VoIP networks
– Inline for signaling and media
– Call state: cleans up transactions and dialogs; verifies valid users/devices
– Hardware-based policing/filtering is most effective against DoS/DDoS attacks
– Protection against malicious software attacks
– Fraud prevention
Acme Packet Confidential

Solution: enterprise SIP peering
[Diagram: enterprise sites (H.323 or SIP PBX, SIP endpoints/server, SIP regional PBX, data center PBX) over an MPLS VPN or private network; SBC at the border to the service provider; outbound to carriers, inbound to the users' PBX; IP access to PSTN, hosted services, IP extranet and other IP subscribers]
Enterprise migration
– Eliminate access charges per site
– Fully converge voice/data over the MPLS VPN
– Data center PBX model (centralization) drives SIP peering capacity
Security
– Hardware-based signaling overload policing
– Full topology hiding (NAT) of signaling and media
– Session-based RTP pinholing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPsec, TLS, SRTP
Signaling
– SIP header manipulation for vendor interop
– CAC: bandwidth- and session-based
– Routing: service provider local and ENUM
– Load balancing, failure-based re-route

Solution: enterprise SIP station side
[Diagram: enterprise site over MPLS VPN or private network with H.323 or SIP PBX]
Enterprise migration
– Virtualizes the office and contact center
– Remote worker / traveling worker
– Small sites without MPLS connectivity
Security
– Hardware-based signaling overload policing per user
– Full topology hiding (NAT) of signaling and media
– Session-based RTP pinholing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPsec, TLS, SRTP
– Registration overload protection
– SIP registration-based
  ACLs: only INVITEs pass from registered users
[Diagram, continued: SIP endpoints/server, SIP regional and data center PBX; teleworkers behind NAT reach the SBC over the Internet; service provider on the far side]
Signaling
– SIP header manipulation for vendor interop
– CAC: bandwidth- and session-based
– Per-user CAC
– SBC virtualization allows access and peering on the same SBC

Solution: IP contact centers
[Diagram: contact center (SIP/G.711) with agents CSR1–CSR5 across Site A and Site B over MPLS; teleworkers over the Internet; customers via managed SIP/H.323 with codec X]
Enterprise migration
– Reduces transfer and connect costs
– Increases visibility for transferred calls
– Tie in teleworkers to virtualize the contact center
Security
– Hardware-based signaling overload policing per user
– Full topology hiding (NAT) of signaling and media
– Session-based RTP pinholing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPsec, TLS, SRTP
– Registration overload protection
– SIP registration-based ACLs: only INVITEs pass from registered users
Signaling
– SIP header manipulation for vendor interop
– Routing / failure re-routing
– CAC: bandwidth- and session-based
– SBC virtualization allows access and peering on the same SBC
– Packet replication to call recording devices

Acme Packet market-leading Net-Net product family
[Diagram: Net-Net 9000, Net-Net 4000 PAC and Net-Net 4000 in integrated and decomposed SBC configurations, managed by Net-Net EMS, all running Net-Net OS; themes: security, service reach, revenue & profit protection, multi-protocol, management, SLA assurance, regulatory compliance, high availability]

Acme Packet Net-Net platform performance & capacity
                            | Net-Net 4000 series PAC                  | Net-Net 9000 series          | Net-Net 4000 series SD
SD signaling performance    | 1200 SIP mps, 85 SIP calls/sec           | 9600 mps, 680 SIP calls/sec  | 2100–8000 SIP mps, 150–570 SIP calls/sec
SR signaling performance    | Up to 500 calls/sec                      | N/A                          | TBD
Media sessions *            | 32K–128K                                 | 256K–1 million               | 32K–128K
Transcoded sessions         | N/A                                      | N/A                          | 0–16,000
Network interfaces (active) | (2 or 4) 1000 Mbps or (8) 10/100 Mbps    | (32) 1000 Mbps               | (8 or 16) 1000 Mbps
High availability           | Inter-system, 1x1 or Nx1                 | Intra-system                 |
Package size / slots        | 1U / 2 slots                             | 10U or 18U                   | 7U / 13 slots
* Actual achievable session capacity is based on signaling performance.

Net-Net OS architecture
[Block diagram of Net-Net OS; functional groups as labeled:]
Session Control Subsystem
– Routing, policy & accounting: session routing, number manipulation, admission control, route policy, DNS/ENUM, load balancing
– Signaling services: SIP B2BUA, H.323 B2B GK/GW, SIP–H.323 IWF, MGCP/NCS, H.248
– Resource and bandwidth control: bandwidth policy enforcement, bearer resource management
– Security front end: NAT relay, NAT ALG, DNS ALG, access control, denial of service protection, signaling flow policing
– Traffic controls
– Accounting & QoS reporting: QoS stats, RADIUS
– Management & configuration: CLI, XML, HTTP, TFTP, SNMP, SYSLOG, redundancy management, configuration repository
Network Processor Subsystem
– Media control: dynamic access control, bandwidth policing, dynamic NAPT relay, QoS measurements, HNT / RTP latching, QoS marking, media supervision timers, lawful intercept (CCC), transcoding, DTMF extraction
– Traffic management
– Encryption engine

SIP protocol repair and normalization
– SIP header and parameter manipulation per realm and session agent: stripping, insertion, modification
– Configurable SIP status code mapping per session agent
– Inbound/outbound number manipulation rules per realm and session agent
– Configurable SIP timers and counters per realm
– Configurable Q.850-to-SIP status mapping
– Configurable TCP/UDP transport per realm
– Configurable option tag handling per realm
– Configurable FQDN-to-IP / IP-to-FQDN mapping
– SIP Route header stripping
– Malformed signaling packet filtering
– Many SIP options for vendor and version interworking
– E.164 number normalization

Acme Packet hosted NAT traversal
Basic operation
– The SIP client sends REGISTER to the Net-Net SD's address; the SD forwards it to the registrar
– Net-Net auto-detects NATed clients
– In the 200 OK, the SD instructs the SIP client to refresh its registration
  periodically to keep the NAT binding open
– The Net-Net SD gives the client SDP that points at the media relay
– The media relay latches on the first RTP packet; all packets are then relayed to the destination client
[Diagram: client behind a firewall/NAT; Net-Net SD acting as signaling B2BUA and media relay; far-end client; example addresses 1.1.1.1 through 7.7.7.7]

Business continuity / redundancy
Redundant Net-Net product configurations offer non-stop performance
– Supports new calls with no loss of active sessions (media and signaling), including capabilities (protocol dependent)
– Preserves CDRs on failover
– 1:1 active/standby architecture
– Shared virtual IP/MAC addresses
– Failover on node failure, network failure, poor health or manual intervention
– 40 ms failover time
– Checkpointing of configuration, media and signaling state
– Software option; requires no additional hardware
– All sessions stay up; new sessions are processed immediately
[Diagram: active and standby SDs (sd0.co.jp, sd0.fc.co.jp) sharing virtual IP 10.0.0.1; clients find the SD through DNS round-robin or a configured proxy; a new call arriving after the active node fails is handled by the former standby]

Service virtualization
[Diagram: one Net-Net Session Director serving interconnect services, SOHO, business services and a multi-service backbone]

Realms and realm groups
[Diagram: realms grouped into realm groups; per realm or realm group: session routing and interworking policies, number translation tables, packet marking policy, signaling service, media resources, bandwidth CAC policy, media release policy, virtual IPs, signaling access control & DoS]

SIP–H.323 interworking
Enterprise SIP & H.323 interworking
– Supports all popular H.323 IP PBX vendors: Cisco, Avaya, Nortel, etc.
– Maximizes investments made in legacy IP PBXs
– Reduces termination costs, as high-capacity SP trunking is SIP
PBX & SIP-based services integration
– Transport services: 1+ dialing
– SIP Centrex-PBX integration with unified dial plan management
– Supports Cisco CM and other H.323 PBXs; H.323 gateway to TDM PBX
– Voice ASP (calling card, directory, etc.)
– Enables connections with SIP and H.323 service providers
[Diagram: enterprise core with H.323 or SIP IP PBX and legacy PBX with gateway; SBC to PSTN origination & termination, voice ASP (SIP) and data center IP services]

SD routing overview
Acme Packet's Session Director has several "types" of routing mechanisms
– Local policies: extremely flexible; based on previous hop, previous realm, Request-URI, From, cost, time/day, media type, etc.
– ENUM: actually a subset of local policies, so it has that flexibility too
– Trunk-group URI selection of next hop or group of next hops: per IETF draft-ietf-iptel-trunk-group, and for some proprietary TGIDs
– Request-URI matching against cached registered endpoints: for requests from the core to dynamic subscribers
– Request-URI hostname resolution
– Route header routing per RFC 3261
– Static 1:1 mapping: for simple cases needing only security and protocol repair

Local route table: technical details
Sub-features
– Supports 200k+ routes
– Supports multiple, distinct local route tables
– Whether and which local route table to use is decided by the result of local policies, so hybrid routing configs are possible
– Supports regular expression results, similar to ENUM results
– Used to replace the Request-URI with a new value based on the regex
– Route tables are in XML format, gzipped
– Supports rn/cic-specific lookups and user-defined prefix lengths
Useful for peering applications
– Can choose which peer to send calls to
– Can choose which core softswitch/gateway to send inbound calls to
Supports both proxy and B2BUA modes
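The media-relay latching described under hosted NAT traversal above, and the "session-based RTP pinholing (rogue protection)" item on the solution slides, as an added Python example that is not Acme Packet's code: a pinhole is opened per session, latches on the first plausible RTP packet, drops anything arriving from another source afterwards, and is closed by a media supervision timer when media stops. The 5 s latch window, the 30 s supervision timeout, the check that the first packet comes from the same public IP the signaling came from, and all addresses are assumptions made for the example.

```python
"""Per-session RTP pinhole with first-packet latching (added example, not Acme Packet code)."""
from dataclasses import dataclass, field
import struct
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]

RTP_MIN_HEADER = 12
LATCH_WINDOW_S = 5.0    # assumption: how long after the pinhole opens a first packet is accepted
MEDIA_TIMEOUT_S = 30.0  # assumption: media supervision timer (the slide names the timer, not its value)


def rtp_header_ok(pkt: bytes) -> bool:
    """Latch only on something that parses as RTP: version 2 and a header long enough for its CSRC count."""
    if len(pkt) < RTP_MIN_HEADER:
        return False
    version, cc = pkt[0] >> 6, pkt[0] & 0x0F
    return version == 2 and len(pkt) >= RTP_MIN_HEADER + 4 * cc


@dataclass
class Pinhole:
    relay_addr: Addr              # relay address/port handed to the client in SDP
    far_end: Addr                 # destination learned from the other leg's SDP
    signaling_ip: Optional[str]   # public source IP of the client's REGISTER/INVITE, if known
    opened_at: float
    latched: Optional[Addr] = None
    last_rx: Optional[float] = None
    closed: bool = False
    stats: Dict[str, int] = field(default_factory=lambda: {"relayed": 0, "rogue": 0, "malformed": 0})

    def on_packet(self, src: Addr, pkt: bytes, now: float) -> str:
        """Classify one inbound packet on the relay port and report what the relay did with it."""
        if self.closed:
            return "drop:closed"
        if not rtp_header_ok(pkt):
            self.stats["malformed"] += 1
            return "drop:malformed"
        if self.latched is None:
            if now - self.opened_at > LATCH_WINDOW_S:
                self.closed = True            # nobody showed up: close the hole rather than leave it open
                return "drop:latch-window-expired"
            # Design choice (assumption): the NAT rewrites the port but not the IP, so the first packet
            # must come from the address the signaling came from. This stops a third party latching first.
            if self.signaling_ip is not None and src[0] != self.signaling_ip:
                self.stats["rogue"] += 1
                return "drop:unexpected-source"
            self.latched = src
            self.last_rx = now
            self.stats["relayed"] += 1
            return f"latched:{src[0]}:{src[1]}"
        if src != self.latched:               # anything else hitting the port is rogue media
            self.stats["rogue"] += 1
            return "drop:rogue"
        self.last_rx = now
        self.stats["relayed"] += 1
        return "relay"

    def tick(self, now: float) -> bool:
        """Media supervision: close the pinhole when media stops flowing; returns True once closed."""
        last = self.last_rx if self.last_rx is not None else self.opened_at
        if not self.closed and now - last > MEDIA_TIMEOUT_S:
            self.closed = True
        return self.closed


def demo() -> Tuple[List[str], Dict[str, int], bool]:
    # Constructed sample: the client's signaling arrived from NAT public address 203.0.113.10,
    # the SD handed out relay 198.51.100.5:20000 and the far end is 192.0.2.77:30000.
    ph = Pinhole(("198.51.100.5", 20000), ("192.0.2.77", 30000), "203.0.113.10", opened_at=0.0)
    rtp = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234) + b"\x00" * 20  # V=2, PT=0, 20-byte payload
    results = [
        ph.on_packet(("198.18.0.9", 40000), rtp, 0.5),       # third party tries to latch first
        ph.on_packet(("203.0.113.10", 51000), rtp, 1.0),     # real client: latch to its NAT port
        ph.on_packet(("203.0.113.10", 51000), rtp, 1.02),    # relayed
        ph.on_packet(("203.0.113.10", 51001), rtp, 1.04),    # same NAT, other port: rogue
        ph.on_packet(("203.0.113.10", 51000), b"junk", 1.06),
    ]
    ph.tick(40.0)                                             # ~39 s of silence closes the pinhole
    results.append(ph.on_packet(("203.0.113.10", 51000), rtp, 41.0))
    return results, ph.stats, ph.closed


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Without the signaling-IP check, first-packet latching is a race: whoever reaches the relay port first owns the flow, so the latch window should be short and the relay ports unpredictable. The supervision timer matters for the same reason; a pinhole that stays open after the call has ended is an open UDP port on the SBC.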
Traffic load balancing
Load balance multiple SIP/H.323 softswitches, application servers or gateways
Load balancing options
– Hunt
– Round robin
– Least busy
– Lowest sustained rate
– Proportional
Session agent group
– Detects and routes around element failures
– Session agent stats for H.323 and SIP destinations
Common session agent constraints
– Max sessions
– Max outbound sessions
– Max burst rate
– Max sustained rate
– Session agent unavailable or unresponsive
[Diagram: the group splits traffic 50% / 20% / 30% across the three session agents]
Example configuration
  session-agent-group
    name = acme_group
    strategy = proportional
    destinations = gateway1.acme.com, gateway2.acme.com, gateway3.acme.com

  SA1: hostname=gateway1.acme.com  ip-address=192.168.1.50  realm-id=backbone  max-sessions=500  max-outbound-sessions=500  max-burst-rate=10 cps  max-sustained-rate=8 cps  allow-next-hop-lp=enabled  carriers=mci, att, sprint
  SA2: hostname=gateway2.acme.com  ip-address=192.168.1.51  realm-id=backbone  max-sessions=200  max-outbound-sessions=200  max-burst-rate=5 cps   max-sustained-rate=4 cps  allow-next-hop-lp=enabled  carriers=mci, att, sprint
  SA3: hostname=gateway3.acme.com  ip-address=192.168.1.52  realm-id=backbone  max-sessions=300  max-outbound-sessions=300  max-burst-rate=6 cps   max-sustained-rate=5 cps  allow-next-hop-lp=enabled  carriers=mci, att, sprint

Session admission control
– Realm-based (access networks or transit links): realm and realm group bandwidth constraints
– Session agent-based (call controllers or app servers): session agent constraints (capacity, rate, availability, etc.); softswitch signaling rate limiting or "call gapping"
– Per-user CAC: based on AOR or IP address
– Address-based: code gapping constraints based on destination address/phone number
– Policy server-based: TISPAN RACS and PacketCable Multimedia policy server interface
– Overload protection (signaling): the session border controller rejects sessions gracefully when host processor load is >= 90% (default).
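The session-agent-group strategies and constraints above, together with the 90% host-CPU overload check of session admission control, as an added Python example that is not Acme Packet's code. It reproduces the slide's three session agents (max-sessions 500/200/300, burst 10/5/6 cps, sustained 8/4/5 cps), shows a proportional group splitting 100 calls 50/20/30, hunt routing around an unavailable agent, and the graceful rejection at 90% CPU. The 1 s burst window, the 30 s sustained window, the smooth weighted selection used for "proportional", and "fewest active sessions" as the meaning of "least busy" are assumptions.

```python
"""Session-agent-group selection under per-agent constraints (added example, not Acme Packet code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

BURST_WINDOW_S = 1.0       # assumption: window over which max-burst-rate is measured
SUSTAINED_WINDOW_S = 30.0  # assumption: window over which max-sustained-rate is measured
CPU_REJECT_PERCENT = 90    # slide: reject gracefully at >= 90% host processor load (default)


@dataclass
class SessionAgent:
    hostname: str
    max_sessions: int
    max_burst_rate: float      # calls per second
    max_sustained_rate: float  # calls per second
    available: bool = True     # False when the element is unavailable or unresponsive
    active: int = 0
    starts: Deque[float] = field(default_factory=deque)  # timestamps of accepted call starts

    def rate(self, now: float, window: float) -> float:
        return sum(1 for t in self.starts if now - t <= window) / window

    def admits(self, now: float) -> bool:
        """Every constraint must hold before the agent is a candidate."""
        return (self.available
                and self.active < self.max_sessions
                and self.rate(now, BURST_WINDOW_S) < self.max_burst_rate
                and self.rate(now, SUSTAINED_WINDOW_S) < self.max_sustained_rate)

    def accept(self, now: float) -> None:
        self.active += 1
        self.starts.append(now)
        while self.starts and now - self.starts[0] > SUSTAINED_WINDOW_S:
            self.starts.popleft()

    def release(self) -> None:
        self.active = max(0, self.active - 1)


class SessionAgentGroup:
    STRATEGIES = ("hunt", "roundrobin", "leastbusy", "lowestsustainedrate", "proportional")

    def __init__(self, name: str, strategy: str, agents: List[SessionAgent]) -> None:
        if strategy not in self.STRATEGIES:
            raise ValueError(f"unknown strategy {strategy}")
        self.name, self.strategy, self.agents = name, strategy, agents
        self._next = 0                                       # round-robin pointer
        self.assigned: Dict[str, int] = {a.hostname: 0 for a in agents}

    def select(self, now: float, host_cpu_percent: float) -> Tuple[Optional[SessionAgent], str]:
        """Pick a next hop for a new call, or return (None, reason) for a graceful rejection."""
        if host_cpu_percent >= CPU_REJECT_PERCENT:
            return None, "503 overload"                      # the SBC protects itself first
        cands = [a for a in self.agents if a.admits(now)]
        if not cands:
            return None, "503 no capacity"
        s = self.strategy
        if s == "hunt":                                      # first admitting agent in configured order
            a = cands[0]
        elif s == "roundrobin":
            order = self.agents[self._next:] + self.agents[:self._next]
            a = next(x for x in order if x in cands)
            self._next = (self.agents.index(a) + 1) % len(self.agents)
        elif s == "leastbusy":
            a = min(cands, key=lambda x: x.active)
        elif s == "lowestsustainedrate":
            a = min(cands, key=lambda x: x.rate(now, SUSTAINED_WINDOW_S))
        else:                                                # proportional: weight by max-sessions
            a = min(cands, key=lambda x: self.assigned[x.hostname] / x.max_sessions)
        a.accept(now)
        self.assigned[a.hostname] += 1
        return a, "ok"


def slide_group(strategy: str = "proportional") -> SessionAgentGroup:
    """The three session agents from the slide's configuration."""
    return SessionAgentGroup("acme_group", strategy, [
        SessionAgent("gateway1.acme.com", 500, 10, 8),
        SessionAgent("gateway2.acme.com", 200, 5, 4),
        SessionAgent("gateway3.acme.com", 300, 6, 5),
    ])


def demo_proportional(calls: int = 100) -> Dict[str, int]:
    """100 calls at 10 cps: the group splits them 50/20/30, in line with max-sessions 500/200/300."""
    g = slide_group("proportional")
    for i in range(calls):
        agent, reason = g.select(now=i * 0.1, host_cpu_percent=40)
        assert agent is not None, reason
    return dict(g.assigned)


def demo_failure_and_overload() -> Tuple[Dict[str, int], str]:
    """gateway1 goes unresponsive: hunt falls through to gateway2; then the host overloads and rejects."""
    g = slide_group("hunt")
    g.agents[0].available = False
    for i in range(4):
        g.select(now=i * 0.5, host_cpu_percent=40)
    _, reason = g.select(now=3.0, host_cpu_percent=92)
    return dict(g.assigned), reason
```

The order of the checks is the security-relevant part: the CPU ceiling is evaluated before any per-agent work, so a signaling flood is rejected cheaply instead of being load-balanced onto the softswitches, and rate constraints are enforced per agent so one misbehaving peer cannot exhaust a downstream element's capacity.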
The 90% host-processor threshold is configurable.

Net-Net Session Director lawful intercept for hosted communications
– Legal intercept independent of the softswitch for both IP–PSTN and IP–IP calls
– Supports SIP, MGCP and H.323
– Call content: media flows replicated and forwarded to the DF over the Call Content Connection (CCC)
– Call data: sent to the DF over the Call Data Connection (CDC)
[Diagram: subscribers (SIP, MGCP, H.323) through an edge router to the Net-Net SD acting as access function (AF); service infrastructure; lawful intercept server (DF & SPAF) fed over CDC and CCC; law enforcement agencies (LEAF & CF); PSTN; signaling and media paths]

Net-SAFE™: the net-net
Security issues are very complex and multi-dimensional
– Attack sophistication is growing while the knowledge an intruder needs is decreasing
Security investments are business insurance decisions
– Life: DoS attack protection
– Health: SLA assurance
– Property: service theft protection
– Liability: SPIT and virus protection
Degrees of risk (the slide ranks these from high to low)
– Misconfigured devices
– Operator and application errors
– Peering
– Growing CPE exposure to Internet threats
– NEVER forget disgruntled Malcom (Office Space)
Only purpose-built session border controllers protect enterprise assets

Riding the bull
Threat mitigation means staying "ahead" of security threats
– Attackers don't publish their methods
As data attack models have matured they have dramatically increased in number
– Putting pressure on security defense scale
The requirements of real-time services such as VoIP and multimedia are different from those of data
– Similar trends, different devices
Stateful, service-aware, and dynamic policy application
– Endpoints may be authenticated, but their intentions may not be
– Protocol messages may be valid, but how they're used may not be

Net-SAFE
[Diagram: Net-SAFE components: access control & VPN separation; worm/virus & malicious software protection]

Three goals of Net-SAFE
– Protect the service
– Protect the
  enterprise's infrastructure
– Protect the SBC
[Diagram: service provider peer, enterprise access and enterprise contact center around the SBC]
DoS attacks remain the #1 security threat: the security element must first defend itself!

The SD is architected to secure…
Hardware- and software-based DoS protection
– Trusted and untrusted queues with wire-speed packet classification and dynamic trust management integration
Smart border DPI
– The security gateway fully terminates session traffic for signaling deep packet inspection
– Passive DPI is unable to function on the ever-growing amount of encrypted/compressed traffic flows
Real-time IDP
– Dynamic trust management leverages smart DPI and monitors traffic behavior patterns, making trust level adjustments without administrator intervention
– Avoids harmful false-positive DoS risks
Extending trust to the endpoint
– IPsec, TLS, and SRTP

Hardware- and software-based DoS protection
Acme Packet multi-processor hardware architecture
[Diagram: session control function (signaling processors) and media control function (intelligent traffic manager, security processors, network processors, security engines); signaling and media paths; the same diagram is shown enlarged on the following slide]

DoS logical hardware path
– CAMs perform ACL lookup and packet classification and choose the trusted, untrusted or denied path
– Trusted path: the classifier chooses a specific trusted queue; each trusted queue can be set to an average policed rate; queues are served weighted round-robin (WRR) toward the CPU, and the total rate can be configured
– Untrusted path: the classifier chooses 1 of 1k hash buckets; the 1k untrusted queues are served round-robin with tail drop on discard; the total untrusted pipe can be reserved a minimum amount of bandwidth, and a maximum if more
  is available
– Denied path: discard

Software DoS policy
Software DoS decisions on the SD (traffic must pass the hardware DoS policy and ACLs first, then the software DoS policy):
– Check that local CPU load is below the threshold
– Check for legal message format (parse it)
– Check that the previous hop is authorized
– Check that the request is below the constraint limits
– Allow; a failed check ends in a discard or a graceful rejection of the call

SBC DoS protection features
Protect the SBC from DoS and other attacks, both malicious and unintentional
– Self-limiting ceiling check (%CPU) with graceful call rejection
– Automatically promotes/demotes device trust level based on behavior
– Enforced maximum aggregate rate for all traffic
– Separate, policed queues for management and control protocols
– Hardware capacity of the NP subsystem is greater than all interfaces combined
– Reverse path forwarding checked for signaling and media
– Hardware-policed queues for control packets (ICMP, ARP, Telnet, etc.), separate from trusted traffic

Smart border DPI
Session DPI models
Full protocol termination via security gateway
– Breaks the session into two segments for complete control
– Terminates and re-initiates signaling messages and SDP with unique session IDs
– Simplifies traffic anomaly detection
– Able to inspect encrypted and compressed packets
Passive DPI via in-line security appliance (ALG)
– Maintains a single session through the system
– Modifies addresses in signaling messages and SDP as they pass through the system
– Unable to inspect encrypted and compressed packets

SD DPI: the broadest set of protocols on the market
Over 80 known threats involving the following protocols
– SIP
– H.323 (H.225, H.245)
– H.248, MGCP, NCS
– RTP
– TCP, UDP
– IP
– ICMP, ARP
SD DPI capabilities are coupled with scalable decryption/encryption processing to stand up against the strongest security defenses

Real-time IDP
Dynamic trust management
– Dynamic trust level binds to hardware classification
– Individual device trust
  classification
– Provides fair access opportunity for new and unknown devices
– Multi-queue access fairness for unknown traffic
– Automatically promotes/demotes device trust level based on behavior
– Per-device constraints and authorization

Promotion and demotion of users
Promotion to trusted user (SIP)
– UA1 sends REGISTER; the registrar answers 200 OK; UA1 is promoted on the 200 OK for REGISTER
– UA1 sends INVITE; on the 200 OK for the INVITE (followed by ACK) UA1 is promoted; an INVITE delivered to UA2 that UA2 answers with 200 OK promotes UA2 in the same way
Promotion to trusted user (MGCP)
– GW1 sends RSIP; the softswitch answers 200 OK; GW1 is promoted on the 200 OK for RSIP
– GW1 sends CRCX; on the 200 OK for CRCX, GW1 is promoted
Demotion to untrusted user (SIP)
Demotion occurs in stages
– Trusted to untrusted, then
– Untrusted to denied
Trusted to untrusted when:
– Registration timeout
– Excessive signaling messages
– Excessive malformed packets
Untrusted to denied demotion:
– Excessive signaling messages
– Excessive malformed packets
– Thresholds differ from the trusted-to-untrusted thresholds
Example (TP = time period)
– max-signal-threshold: 20
– untrusted-signal-threshold: 4
– Up to 4 messages / TP to become trusted
– If a device sends >20 messages / TP, it is demoted to untrusted
– If it can't become trusted within 4 messages / TP, it is demoted to denied

Extending trust to the endpoint: TLS (Transport Layer Security)
Required elements
– SD populated with Signaling Security Module (SSM) + 2 GB memory
– TLS user agent (UA) on the endpoint
– TLS server on the SD
– Trusted certificate authority
TLS handshake between TLS UA and TLS server
– Using either single-sided (server authentication) or
– Mutual authentication
SIP signaling only after successful TLS setup
Mixed encrypted / unencrypted signaling
TCP / UDP / TLS interworking
[Diagram: TLS on the access (inter-network) side, plain SIP intra-network]

TLS DoS protection
DoS protection for TLS (C4.1.1 / D6.0)
Benefit: prevents encryption starvation attacks
Problems overcome
– Too many TLS
  connections to endpoint TLS sessions
– Too many TLS connections to a SIP interface
– Too many quiet TLS connections
Application: SIP-TLS access
How it works: if a response to a SIP transaction is not received within a configurable period of time, the TLS connection is torn down (timer)

IPsec (IP Security)
Manual keying
– Same key at both ends of the IPsec tunnel
– Manual input of the key
Selective encryption (SD to SD)
– All traffic (for peering)
– Signaling only
– Ia interface between SC and BG
Selective encryption (SD to UE)
– Signaling only (Gm interface)
– Signaling and media
Encryption ciphers
– DES, 3DES-CBC, AES-CBC (128-bit and 256-bit), or NULL cipher
Data integrity hashes
– HMAC-MD5 or HMAC-SHA1
Select two modes of operation
– Tunnel (entire IP packet) or transport (payload only) mode
– AH (anti-tampering) or ESP (encrypt + anti-tamper) mode
Of the listed options, single DES and HMAC-MD5 are no longer considered adequate; new deployments should use AES-CBC with HMAC-SHA1, and ESP rather than AH wherever confidentiality is required (the NULL cipher gives integrity only).
[Diagram: IPsec on the access (inter-network) side, plain SIP intra-network]

SRTP (Secure Real-time Transport Protocol)
SRTP key derivation: 12 different options, including
– SDES (Session Description Protocol Security Descriptions), RFC 4568; many customers are asking for this
– MIKEY (Multimedia Internet KEYing); we probably won't do this
Using SDES
– Secure signaling (IPsec or TLS)
– Key exchanged in SDP (privacy provided by IPsec or TLS)
[Diagram: TLS-protected SIP and SRTP on the access side, TLS/SIP intra-network]
Availability: NN9200: 1H / …

Net-Net EMS
Configuration
– Configure, provision, upgrade, inventory
– Multiple networks, multiple systems
Fault: manage and filter events, alarms and logs
Performance: monitor performance
Security
– Control EMS, system and function access by user or administrator group
– Per-user audit trail
EMS management
– EMS configuration and management (back-up, upgrade, licensing, etc.)
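The promotion/demotion rules on the "Promotion and demotion of users" slide above (max-signal-threshold 20, untrusted-signal-threshold 4, staged demotion trusted to untrusted to denied, promotion on the trusted side's 200 OK) together with the trusted/untrusted/denied classification and 1k untrusted hash buckets of the DoS hardware path, as an added Python example that is not Acme Packet's code. The time period length (30 s), the malformed-packet threshold (2 per TP), the deny period (60 s), the reset of counters at each demotion step, and the IP addresses are assumptions.

```python
"""Dynamic trust management: behaviour-driven trusted/untrusted/denied classification
(added example, not Acme Packet code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple
import zlib

TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"

MAX_SIGNAL_THRESHOLD = 20        # slide: >20 messages/TP from a trusted device demotes it to untrusted
UNTRUSTED_SIGNAL_THRESHOLD = 4   # slide: an untrusted device gets 4 messages/TP to become trusted
MAX_MALFORMED_PER_TP = 2         # assumption: the slide names "excessive malformed packets" but no number
TIME_PERIOD_S = 30.0             # assumption: length of the time period (TP)
DENY_PERIOD_S = 60.0             # assumption: how long a denied source stays on the deny path
UNTRUSTED_QUEUES = 1024          # slide: untrusted traffic is hashed into 1 of 1k queues


@dataclass
class Device:
    level: str
    tp_start: float
    msgs_in_tp: int = 0
    malformed_in_tp: int = 0
    denied_until: float = 0.0


class TrustManager:
    def __init__(self, static_allow: Iterable[str] = (), static_deny: Iterable[str] = ()) -> None:
        self.static_allow = set(static_allow)   # ACL entries: always the trusted path
        self.static_deny = set(static_deny)     # ACL entries: always dropped
        self.devices: Dict[str, Device] = {}

    def _dev(self, ip: str, now: float) -> Device:
        d = self.devices.setdefault(ip, Device(UNTRUSTED, now))
        if now - d.tp_start >= TIME_PERIOD_S:            # new time period: counters start over
            d.tp_start, d.msgs_in_tp, d.malformed_in_tp = now, 0, 0
        if d.level == DENIED and now >= d.denied_until:  # deny period over: back to the untrusted queues
            d.level = UNTRUSTED
        return d

    def classify(self, ip: str, now: float) -> Tuple[str, Optional[object]]:
        """What the wire-speed classifier does with a packet from ip: (path, queue)."""
        if ip in self.static_deny:
            return "deny", None
        if ip in self.static_allow:
            return "trusted", "acl"
        d = self._dev(ip, now)
        if d.level == DENIED:
            return "deny", None
        if d.level == TRUSTED:
            return "trusted", ip                           # its own policed trusted queue
        return "untrusted", zlib.crc32(ip.encode()) % UNTRUSTED_QUEUES

    def on_signaling(self, ip: str, now: float, malformed: bool = False) -> str:
        """Account one signaling message; returns "accept" or "drop" and applies staged demotion."""
        path, _ = self.classify(ip, now)
        if path == "deny":
            return "drop"
        if ip in self.static_allow:
            return "accept"
        d = self._dev(ip, now)
        d.msgs_in_tp += 1
        if malformed:
            d.malformed_in_tp += 1
        limit = MAX_SIGNAL_THRESHOLD if d.level == TRUSTED else UNTRUSTED_SIGNAL_THRESHOLD
        if d.msgs_in_tp > limit or d.malformed_in_tp > MAX_MALFORMED_PER_TP:
            self._demote(d, now)
            return "drop"
        return "drop" if malformed else "accept"

    def on_success(self, ip: str, now: float) -> None:
        """The trusted side answered 200 OK (REGISTER/INVITE, or RSIP/CRCX for MGCP): promote."""
        d = self._dev(ip, now)
        if d.level != DENIED:
            d.level, d.msgs_in_tp = TRUSTED, 0

    def on_registration_timeout(self, ip: str, now: float) -> None:
        d = self._dev(ip, now)
        if d.level == TRUSTED:
            self._demote(d, now)

    def level(self, ip: str) -> str:
        return self.devices[ip].level if ip in self.devices else UNTRUSTED

    def _demote(self, d: Device, now: float) -> None:
        """Staged demotion: trusted -> untrusted -> denied. Counters restart at each step (assumption)."""
        if d.level == TRUSTED:
            d.level, d.msgs_in_tp, d.malformed_in_tp = UNTRUSTED, 0, 0
        else:
            d.level, d.denied_until = DENIED, now + DENY_PERIOD_S


def demo_flood() -> dict:
    """A registered endpoint floods INVITEs: trusted -> untrusted after 20, denied after 4 more."""
    tm, ip = TrustManager(static_deny={"192.0.2.1"}), "198.51.100.7"   # constructed addresses
    out = {"acl_deny": tm.on_signaling("192.0.2.1", 0.0)}
    out["first_register"] = tm.on_signaling(ip, 0.0)
    tm.on_success(ip, 0.1)                                             # registrar said 200 OK
    out["after_register"] = tm.level(ip)
    out["invites"] = [tm.on_signaling(ip, 1.0 + i * 0.01) for i in range(21)]
    out["after_flood"] = tm.level(ip)
    out["retries"] = [tm.on_signaling(ip, 2.0 + i * 0.01) for i in range(5)]
    out["after_retries"] = tm.level(ip)
    out["path_now"] = tm.classify(ip, 3.0)[0]
    out["path_later"] = tm.classify(ip, 3.0 + DENY_PERIOD_S)[0]
    return out
```

Promotion is driven only by the trusted side's answer (the registrar's or softswitch's 200 OK), never by anything the endpoint asserts about itself, which is what makes the scheme hold up against a device that is authenticated but misbehaving: a valid registration buys a trusted queue, and the queue is taken away again the moment the message rate or malformed-packet count exceeds the threshold.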
Net-Net management
Net-Net 4250/9200 management interfaces and protocols
Interfaces
– Fault interface: SNMPv2 (current), SNMPv3 (future), TL-1 (future)
– Configuration: XML (current), CORBA (future)
– Accounting: RADIUS CDRs
– Performance: SNMPv2 (current), SNMPv3 (future), XML (future)
– Security: RADIUS server (AAA), IPsec (future)
Protocols
– TMF814: this is the same as CORBA (future)
– SNMP: SNMPv2 (current), SNMPv3 (future)

Why Acme Packet in the enterprise?
– Full enterprise adoption of end-to-end real-time IP communications in the call and data center
– Proven interoperability with service providers
– Mediation of IP address spaces, codecs, signaling, transport, and encryption protocols
– Scale for centralized, and solutions for decentralized, architectures
– Border trust and security
– Revenue, cost and quality assurance
– Regulatory and business compliance
Acme Packet brings financial strength and market-leading experience, partners, support, and technology to the enterprise market.