Session Border Controller Presentation

Toll Fraud and how to avoid hacking on SIP Trunking. Remote user (app) access
Michael Pisvin
SI/SP System Engineer
So security is important
A typical enterprise environment
[Diagram: remote users reach the data center applications (application/server farm) over the Internet through a VPN switch and an application firewall; remote offices connect over MPLS via a router; SIP trunks arrive from the service provider (SP SBC, IMS) over MPLS; the corporate network carries PCs / workstations, corporate Wifi and BYOD Wifi]
A typical enterprise environment: possible attacks
[Diagram: the same topology as the previous slide, annotated with the possible attack points]
Application Specific Security
[Diagram: the SBC sits next to the enterprise firewall as an application-level security proxy: policy application, threat protection, privacy and access control]
The SBC complements the existing security architecture
SIP trunk, what is it?
• Session Initiation Protocol (SIP)
  o Controls multimedia communication sessions such as voice, instant messaging, video, etc.
  o Many types of devices (computers, phones, video equipment, etc.) can exchange data over SIP
  o SIP is a mature, flexible protocol that supports integrated voice & data communications
• SIP Trunking
  o Virtual voice channels (or paths) over an Internet Protocol (IP) network
  o Delivered over an IP connection
  o One SIP trunk can support many direct inward dial (DID) extensions
SIP Trunk issue
• In almost all cases you need MPLS access to the Service Provider
• The service provider needs access to your network to reach the
  – Data Center
  – IP PBX
  – The user
• Is MPLS secure?
[Diagram: SIP trunks from the service provider (SP SBC, IMS) over MPLS through the router into the corporate network, with signaling and voice paths into the application/server farm and to the PCs / workstations on the corporate and BYOD Wifi]
MPLS is NOT secure
"When looking to move to an MPLS VPN
solution, many customers downplay the threats
to the security of the transmission path and
instead put their full trust in the security of the
service provider. The attacks shown in this
report make it clear that MPLS VPN customers
who need confidentiality and integrity beyond
what a public network provides must look to
implement some form of encryption at the
endpoints to provide complete protection."
http://www.certesnetworks.com/newdocs/wp-ianspaper.html
SIP Trunk issue and solution
• In almost all cases you need MPLS access to the Service Provider
• The service provider needs access to your network to reach the
  – Data Center
  – IP PBX
  – The user
• Is MPLS secure?
Solution
• Put an SBC between the MPLS and your network to hide your environment
• You can activate voice encryption: signaling encrypted, VoIP (media) encrypted
[Diagram: the same topology as the previous slide with the SBC inserted between MPLS and the corporate network; signaling and voice across the trunk are marked encrypted, and the direct paths from the service provider into the network are crossed out]
Four Reasons you need an SBC
Security
Privacy
Interoperability
Demarcation
SIP Interoperability, is it really a problem?
[Diagram: SIP Provider 1 signaling into the UC estate (FMC, recording, SIP PBX, conferencing, video, contact center, WFO, IVR, telepresence) behind the router and firewall. Without an SBC, interoperability is tested separately between the provider and each system (multiple service provider tests); with an SBC terminating the trunk, a single service provider test is needed]
SIP Interoperability, Multiple Service Providers??
[Diagram: SIP Provider 1 and SIP Provider 2 signaling into the same UC estate (FMC, recording, SIP PBX, conferencing, video, contact center, WFO, IVR, telepresence). Without an SBC the interoperability tests multiply across providers and systems; with an SBC there are two service provider tests, one per provider]
SIP Privacy, is it really a risk?
[Diagram: an observer on the SIP trunks facing the UC estate (FMC, recording, SIP PBX, conferencing, video, contact center, WFO, IVR, telepresence) directly: "I can see session information from all these apps & systems". The same observer facing an SBC: "I can only see the SBC. It is hiding the network topology"]
An SBC will protect your UC traffic
[Diagram: the SBC between the SIP trunks and the SIP PBX provides security and demarcation for the organization; DoS and fuzzing attempts from the trunk side fail at the SBC ("DoS and Fuzzing not working!")]
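An added example, not code from the presentation or from Avaya: the two checks behind the slide's "DoS and Fuzzing not working!", written as a small Python gate. `validate` rejects the malformed requests a fuzzer produces (oversized message, control characters in the request line, missing mandatory headers, Content-Length or CSeq inconsistent with the message) before they reach the PBX. `SipGuard` keeps a per-source sliding window and promotes a flooding source into a time-limited block list, which is what the comparison slide later calls a dynamic ACL; trunk provider addresses on the static allow list are exempt from rate limiting but not from validation. Thresholds, addresses and the sample messages are constructed for the example.

```python
"""Added example, not from the Avaya deck: strict-parse gate plus per-source rate limit
with a dynamic block list, as an SBC applies in front of the PBX. Thresholds, addresses
and the sample messages below are constructed."""
import collections
import re

RATE_LIMIT = 20        # requests per source per window before blocking (assumed)
WINDOW = 10.0          # seconds
BLOCK_SECONDS = 300.0  # lifetime of a dynamic block entry (assumed)
MAX_MESSAGE = 4096     # bytes; oversized requests are a classic fuzzing vector

REQUEST_LINE = re.compile(
    r"^(INVITE|REGISTER|OPTIONS|ACK|BYE|CANCEL|SUBSCRIBE|NOTIFY) sips?:[^ \x00-\x1f]+ SIP/2\.0$")
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")  # RFC 3261 8.1.1


def validate(raw):
    """Return None for a well-formed request, otherwise the reason to drop it."""
    if len(raw) > MAX_MESSAGE:
        return "oversized"
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return "no header terminator"
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return "bad request line"
    seen = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return "bad header"
        seen[name.strip().lower()] = value.strip()
    missing = [h for h in REQUIRED if h not in seen]
    if missing:
        return "missing " + ", ".join(missing)
    length = seen.get("content-length")
    if length is not None and (not length.isdigit() or int(length) != len(body)):
        return "content-length mismatch"
    cseq = seen["cseq"].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != lines[0].split()[0]:
        return "cseq mismatch"
    return None


class SipGuard:
    def __init__(self, static_allow=()):
        self.static_allow = set(static_allow)   # trunk provider addresses: the static ACL
        self.history = collections.defaultdict(collections.deque)
        self.blocked = {}                        # src -> expiry time: the dynamic ACL

    def admit(self, src, raw, now):
        """Return "forward" or the reason the request was not forwarded."""
        expiry = self.blocked.get(src)
        if expiry is not None:
            if now < expiry:
                return "blocked (dynamic ACL)"
            del self.blocked[src]                # entry expired, source may try again
        if src not in self.static_allow:
            window = self.history[src]
            window.append(now)
            while now - window[0] > WINDOW:
                window.popleft()
            if len(window) > RATE_LIMIT:        # malformed requests count too
                self.blocked[src] = now + BLOCK_SECONDS
                window.clear()
                return "blocked (dynamic ACL)"
        reason = validate(raw)
        if reason:
            return "dropped: " + reason
        return "forward"


# Constructed sample: a well-formed INVITE and variants a fuzzer would send.
GOOD = (
    "INVITE sip:1001@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.50:5060;branch=z9hG4bKabc\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:1000@192.0.2.50>;tag=1\r\n"
    "To: <sip:1001@203.0.113.10>\r\n"
    "Call-ID: 9f1c2b@192.0.2.50\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
FUZZ_CASES = {
    "bad request line": GOOD.replace("INVITE sip:", "INVITE sip:\x00\x00"),
    "content-length mismatch": GOOD.replace("Content-Length: 0", "Content-Length: 4294967295"),
    "missing call-id": GOOD.replace("Call-ID: 9f1c2b@192.0.2.50\r\n", ""),
    "cseq mismatch": GOOD.replace("CSeq: 1 INVITE", "CSeq: 1 REGISTER"),
    "oversized": GOOD.replace("1001@", "A" * 5000 + "@"),
    "bad header": GOOD.replace("Max-Forwards: 70", "Max-Forwards"),
}
```

A real SBC also rate-limits per trunk and per registration, and drops the rate threshold for sources that have already sent malformed traffic; the structure stays the same as above, with the block list as the dynamic ACL and the provider addresses as the static one.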
An SBC will protect your UC traffic
Session Border Controller between the SIP trunks and the SIP PBX: a back-to-back user agent providing security, privacy, interoperability and demarcation
Comparison: SBCs vs. firewalls with SIP ALGs

Firewall with SIP ALG
• Maintains a single session
• Fully state-aware at layers 3 & 4 only
• Inspects and modifies only application-layer addresses (SIP, SDP, etc.)
• Unable to terminate, initiate or re-initiate signaling & SDP
• Static ACLs only

SBC
• Back-to-back user agent
• Fully state-aware at layers 2-7
• Inspects and modifies any application-layer header information (SIP, SDP, etc.)
• Can terminate, initiate and re-initiate signaling & SDP
• Static & dynamic ACLs

[Diagram: a data center with IP PBX and UC server facing SIP trunking through a firewall with SIP ALG, versus the same data center facing SIP trunking through an SBC. Source: Acme Packet]
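An added example, not code from the presentation or from Avaya, covering two of the slides above: the MPLS solution slide (check whether signaling and media on the trunk are actually encrypted, and what the provider can see) and this SBC-versus-ALG comparison (what a back-to-back user agent does to the message that an ALG does not). `audit_trunk_offer` reports cleartext signaling transport, cleartext media profile and internal addresses in the INVITE an IP PBX would send straight onto the trunk; `sbc_outbound` applies the B2BUA rewrite on the provider-facing leg: a single Via, Contact and Call-ID belonging to the SBC, SDP pointing at the SBC media relay, the vendor fingerprint stripped and Content-Length recomputed. The INVITE, addresses, hostnames, Call-ID and branch values, and the assumption that the outside leg runs over TLS, are all constructed for the example.

```python
"""Added example, not from the Avaya deck: minimal SIP/SDP parsing, a trunk-offer audit
and the topology-hiding rewrite of a B2BUA. The INVITE, addresses, hostnames, Call-ID
and branch values below are constructed."""
import ipaddress
import re

# Constructed INVITE as the PBX would send it; internal addresses and vendor string visible.
SDP_BODY = (
    "v=0\r\n"
    "o=pbx 2890844526 2890844526 IN IP4 10.1.20.15\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.20.15\r\n"
    "t=0 0\r\n"
    "m=audio 49172 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
PBX_INVITE = (
    "INVITE sip:+3225550100@sip.provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.20.15:5060;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/UDP 10.1.20.8:5060;branch=z9hG4bK12345\r\n"
    "From: <sip:1001@10.1.20.15>;tag=1928301774\r\n"
    "To: <sip:+3225550100@sip.provider.example>\r\n"
    "Call-ID: a84b4c76e66710@10.1.20.15\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@10.1.20.15:5060>\r\n"
    "User-Agent: ExamplePBX/7.1 (build 4242)\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value), ...], body).
    Headers stay an ordered list because Via and Record-Route may repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def is_internal(ip, nets):
    try:
        return any(ipaddress.ip_address(ip) in n for n in nets)
    except ValueError:  # digit groups that are not a valid address
        return False


def audit_trunk_offer(raw, internal_nets):
    """Findings to clear before trusting the MPLS path: cleartext signaling transport,
    cleartext media profile, internal addresses visible to the provider."""
    _, headers, body = parse_sip(raw)
    findings = []
    vias = header_values(headers, "Via")
    transport = vias[0].split()[0].rsplit("/", 1)[-1].upper() if vias else "NONE"
    if transport != "TLS":
        findings.append(f"signaling not encrypted (Via transport {transport})")
    for line in body.split("\r\n"):
        if line.startswith("m=") and "SAVP" not in line.split()[2]:
            findings.append(f"media not encrypted ({line.split()[2]})")
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    leaked = sorted({ip for ip in IPV4.findall(raw) if is_internal(ip, nets)})
    if leaked:
        findings.append("internal addresses exposed: " + ", ".join(leaked))
    return findings


def sbc_outbound(raw, sbc_sig, sbc_media, new_call_id, new_branch):
    """B2BUA behaviour on the provider-facing leg: the inside dialog is terminated and a
    fresh one originated, so Via, Contact, Call-ID and the SDP addresses belong to the
    SBC, the vendor fingerprint is stripped and Content-Length is recomputed. A SIP ALG
    only substitutes addresses in place and keeps the single session end to end."""
    start, headers, body = parse_sip(raw)
    sig_host, sig_port = sbc_sig
    media_host, media_port = sbc_media
    out = [("Via", f"SIP/2.0/TLS {sig_host}:{sig_port};branch={new_branch}")]
    for name, value in headers:
        lname = name.lower()
        if lname in ("via", "user-agent", "server", "content-length"):
            continue  # replaced above, dropped as a fingerprint, or recomputed below
        if lname == "contact":
            value = re.sub(r"@[^;>]+", f"@{sig_host}:{sig_port};transport=tls", value)
        elif lname == "call-id":
            value = new_call_id
        elif lname in ("from", "to"):
            value = IPV4.sub(sig_host, value)
        out.append((name, value))
    new_lines = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = IPV4.sub(media_host, line)  # media relay address, not the PBX
        elif line.startswith("m="):
            parts = line.split()
            parts[1] = str(media_port)          # relay port allocated by the SBC
            line = " ".join(parts)
        new_lines.append(line)
    new_body = "\r\n".join(new_lines)
    out.append(("Content-Length", str(len(new_body))))
    return start + "\r\n" + "\r\n".join(f"{n}: {v}" for n, v in out) + "\r\n\r\n" + new_body
```

Running the audit again on the rewritten message still reports RTP/AVP: topology hiding does not by itself encrypt the media, which is why the slide lists voice encryption as a separate step to activate. A SIP ALG, by contrast, would leave both Via headers and the User-Agent header in place and only substitute the addresses.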
VoIP Security is Different
[Diagram: attack layers and the component that handles each. Layer 3 attack, layer 4 attack, OS attack and application attack: firewall and IDS / IPS. SIP-specific threats (SIP protocol fuzzing, SIP denial of service / distributed denial of service, SIP spoofing, SIP advanced toll fraud such as call walking and stealth attacks) and SIP-specific functions (remote worker, media replication, signaling/media encryption): SBCE Standard and SBCE Advanced in front of the IP-PBX]
...requires intimate knowledge of VoIP and call states
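An added example, not code from the presentation or from Avaya, for the "SIP advanced toll fraud (call walking, stealth attacks)" item above. Call walking is dialling a DID range in sequence to find live extensions, voicemail boxes or a DISA port; the stealth variant spaces the probes out so that a per-second rate limit never fires. The detector below therefore runs over constructed CDR-style records and looks for runs of consecutive dialled numbers from one source inside a long window, independent of call rate. Field names, addresses, numbers and thresholds are constructed for the example.

```python
"""Added example, not from the Avaya deck: call-walking detection over CDR records.
The CSV, addresses, numbers and thresholds are constructed."""
import csv
import io
from collections import defaultdict

# Constructed CDRs: 192.0.2.77 probes +32 2 555 0100..0105 ten minutes apart (stealth
# walk); 192.0.2.10 makes ordinary repeat calls to two unrelated numbers.
CDR_CSV = """\
ts,src,to_number
1700000000,192.0.2.77,+3225550100
1700000100,192.0.2.10,+3225550100
1700000500,192.0.2.10,+3225550250
1700000600,192.0.2.77,+3225550101
1700001000,192.0.2.10,+3225550100
1700001200,192.0.2.77,+3225550102
1700001800,192.0.2.77,+3225550103
1700002400,192.0.2.77,+3225550104
1700003000,192.0.2.77,+3225550105
"""


def load_cdrs(text):
    return list(csv.DictReader(io.StringIO(text)))


def longest_consecutive_run(numbers):
    """Longest run of distinct numbers that differ by exactly 1, in ascending order."""
    best = run = []
    for n in sorted(set(numbers)):
        run = run + [n] if run and n - run[-1] == 1 else [n]
        if len(run) > len(best):
            best = run
    return best


def detect_call_walking(rows, window=3600, min_run=4):
    """One alert per source whose calls inside any `window` seconds contain a run of
    at least `min_run` consecutive destination numbers. Rate is deliberately ignored:
    a walker doing one probe every ten minutes is still a walker."""
    by_src = defaultdict(list)
    for row in rows:
        by_src[row["src"]].append((int(row["ts"]), int(row["to_number"].lstrip("+"))))
    alerts = []
    for src, calls in sorted(by_src.items()):
        calls.sort()
        best, span, start = [], 0, 0
        for end, (ts, _) in enumerate(calls):
            while ts - calls[start][0] > window:   # slide the window start forward
                start += 1
            run = longest_consecutive_run(n for _, n in calls[start:end + 1])
            if len(run) > len(best):
                best, span = run, ts - calls[start][0]
        if len(best) >= min_run:
            alerts.append({"src": src, "first": f"+{best[0]}", "last": f"+{best[-1]}",
                           "count": len(best), "span_s": span})
    return alerts


if __name__ == "__main__":
    for alert in detect_call_walking(load_cdrs(CDR_CSV)):
        print(alert)
```

With a short window the same records produce no alert, which is the point of the stealth variant: the window has to be sized in hours, not seconds, and the result is a candidate for a dynamic block on the SBC rather than a rate-limit hit.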
Remote Users
[Diagram: the typical enterprise environment with the three remote access paths marked: access via VPN (VPN switch) to the data center applications, access via the firewall for applications such as e-mail, and access via SIP for SIP users]
Office Users
[Diagram: the typical enterprise environment; inside the corporate network, signaling and VoIP are encrypted, and identity control puts each user in the correct VLAN]
Customers Facing Rapid Technology Change
More Collaboration and Mobile Devices... More Enterprise Security Threats
• Mobile projects will outnumber PC projects 4:1
• 400% increase in dedicated video soft clients by 2016
• 802 million tablets by 2016
• 30% increase in mobile enterprise investments through 2015
• 16% of enterprise will be cloud based by 2015
Source: Gartner
Office Users (BYOD)
[Diagram: the typical enterprise environment with a user on the BYOD Wifi: identity control puts the user in the correct VLAN, the device (OS etc.) is checked, and only access to the office applications via the SBC/firewall is allowed]
The full secure Network
[Diagram: the typical enterprise environment with all measures combined: remote users over the Internet through the VPN switch and application firewall, remote offices over MPLS via router, SIP trunks from the service provider (SP SBC, IMS) over MPLS, and PCs / workstations on the corporate network, corporate Wifi and BYOD Wifi]
Risk Management: Seeking Balance

© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.

Thank You

What can Avaya do for you here?
Enterprise Collaboration Platforms
[Diagram: Avaya portfolio overview: Mobile Clients; Video & Conferencing; Switched Video & Conferencing; UC & CC; Managed Services; High Availability; SPB / Fabric Connect; SLA Mon Technology; Avaya Aura Conferencing; ACA; Low Bandwidth High Definition Video; IP Office; Top of Rack; Multi-Channel Collaboration Environment; Self-Service; Desktop Video Client; Multicast Video Surveillance; Avaya Diagnostic Server; Avaya Messaging Service; Speech Analytics; Session Border Controller; Identity Engine; Avaya Automated Chat]

Where can Avaya help you?
Avaya Multilayer security in the UC/CC world
• Full data network (Edge to Core)
• SPB Stealth Network (for LAN and WAN)
• Fully separated networks, depending on the organization
• Avaya SBC for the enterprise, for full SIP security
• Identity Engine (so that every user/device is in the correct secured network)
Avaya’s Multilayer Security Strategy

Secure by Design
• Secure deployment strategy
• Separates UC applications & servers from the enterprise production network
• Trusted communications framework with trust relationships for administration, managed elements, SIP elements & the enterprise network
• Authentication & authorization framework

Security Built-In
• Hardened Linux OS with inherent security features
• Secures and protects mission-critical applications
• Reduces the potential Linux "attack surface" by limiting access to ports, services and executables
• Security updates
• Denial of Service protection mechanisms
• Least privilege
• Digital certificates
• Insecure protocols disabled

Secure Communications
• Standard security protocols & trust relationships protect access and transmissions
• Encrypted communications protect media, signaling & management traffic
• Ensure protection of sensitive information
• IP endpoints can authenticate to the network infrastructure

Use of Avaya’s multilayer security strategy helps prevent security violations and attacks
The full network Architecture
[Diagram: Fabric Connect network built from VSP 9000, VSP 8000, VSP 7000 and VSP 4000 switches, ERS 8000, ERS 4000/5000 and ERS 3000 switches, WLAN 9100 and WLAN 8100 wireless, Identity Engine and a Collaboration Pod]
• Start with Fabric Connect-enabled infrastructure switches
• Add Fabric Connect access switches
• Use Fabric Attach for Avaya and 3rd party devices
From Complex, Rigid and Cumbersome Networks
[Diagram: data center core, campus core and edge carrying many VLANs end to end, with a different protocol stack at each layer: STP, SMLT/RSMLT, MSTP, VLACP/SLPP, RSTP, FlexLink, OSPF, static routes, BGP, PIM-SM/DVMRP, VRF]

To Simple, Agile and Resilient Networks
[Diagram: the same data center core, campus core, distribution and edge running Fabric Connect: IEEE 802.1aq / RFC 6329, with VLANs confined to the server and access edge]
What is a "Stealth" Network
• Any network that is enclosed and self-contained, with no reachability into and/or out of it. It must also be mutable in both services and coverage characteristics
• Comparable terms in common use are MPLS IP-VPN, Routed Black Hole Network and IP VPN Lite
• Avaya’s Fabric Connect, based on IEEE 802.1aq, provides fast and nimble private networking circuit-based capabilities that are unparalleled in the industry
• "Stealth" Networks are private 'dark' networks that are provided as services within the Fabric Connect cloud
  o L2 Stealth: a non-IP addressed L2 VSN environment
  o L3 Stealth: a L3 VSN IP VPN environment
Superior Virtual Networking
Use Case – Multi-Tenancy: Transportation Industry
Traditional VLAN-based design: extremely complicated, practically un-scalable, error prone, static model
With Fabric Connect virtual networking: highly scalable, agile configuration, simple troubleshooting, highly dynamic

Secure Guest and BYOD Networking
Use Case – Unified User Access
Today: multi-vendor solutions, manual integration, independent security layers, wired and wireless access
With Identity Engines (Employee, Mobile Zone and Guest Zone):
• Secure employee and guest access, wired and wireless
• Automatic VLAN / QoS / VSN assignment
• Single Sign-on for Aura Applications
• Reporting and analytics for compliance
Access Policies: Identity Engines role-based access

Case 1: Employee with corporate laptop
IF (identity = HR employee) AND IF (device = corp laptop) AND IF (medium = wired)
THEN GRANT FULL ACCESS

Case 2: Employee with personal iPad
IF (identity = HR employee) AND IF (device = personal iPad) AND IF (medium = wireless)
THEN GRANT LIMITED ACCESS
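The two cases above, as an added example that is not Identity Engines code or code from the presentation: a first-match rule engine with a default deny. Attributes a rule does not mention are unconstrained, and a request that matches no rule lands in a quarantine VLAN, so a corporate laptop that fails the posture check ("Check OS etc..") or a personal iPad plugged into a wired port gets no access rather than falling into an unintended grant. Role names, device classes, the posture attribute and the VLAN names are assumptions made for the example.

```python
"""Added example (not from the Avaya deck or Identity Engines): a first-match policy
engine for the two slide cases plus the default the slide leaves implicit. Roles,
device classes, the posture attribute and VLAN names are assumptions."""

RULES = [
    {   # Case 1: employee on a corporate-managed device that passed the posture check
        "name": "employee-managed-device",
        "match": {"role": {"employee"},
                  "device": {"corp laptop", "corp desktop"},
                  "medium": {"wired", "wireless"},
                  "posture": {"pass"}},
        "grant": "FULL ACCESS", "vlan": "employee",
    },
    {   # Case 2: employee on a personal device, wireless only
        "name": "employee-personal-device",
        "match": {"role": {"employee"},
                  "device": {"personal iPad", "personal phone"},
                  "medium": {"wireless"}},
        "grant": "LIMITED ACCESS", "vlan": "mobile-zone",
    },
    {   # Sponsored guest: internet only
        "name": "guest",
        "match": {"role": {"guest"}, "medium": {"wireless"}},
        "grant": "INTERNET ONLY", "vlan": "guest-zone",
    },
]
# No rule matched: deny, and park the port in a quarantine VLAN.
DEFAULT = {"rule": None, "grant": "DENY", "vlan": "quarantine"}


def matches(rule, request):
    """Every attribute the rule names must be present with an allowed value;
    attributes the rule does not name are not constrained."""
    return all(request.get(attr) in allowed for attr, allowed in rule["match"].items())


def decide(request, rules=RULES):
    """First-match evaluation with default deny."""
    for rule in rules:
        if matches(rule, request):
            return {"rule": rule["name"], "grant": rule["grant"], "vlan": rule["vlan"]}
    return dict(DEFAULT)


# Constructed requests: the slide's two cases plus the edge cases they imply.
CASE1 = {"user": "hr.employee", "role": "employee", "device": "corp laptop",
         "medium": "wired", "posture": "pass"}
CASE2 = {"user": "hr.employee", "role": "employee", "device": "personal iPad",
         "medium": "wireless"}
FAILED_POSTURE = dict(CASE1, posture="fail")    # corporate laptop, OS check failed
IPAD_ON_WIRED = dict(CASE2, medium="wired")      # personal device on a wired port
GUEST = {"user": "visitor", "role": "guest", "device": "unknown", "medium": "wireless"}

if __name__ == "__main__":
    for name, req in [("case 1", CASE1), ("case 2", CASE2), ("failed posture", FAILED_POSTURE),
                      ("iPad on wired", IPAD_ON_WIRED), ("guest", GUEST)]:
        print(f"{name:15} -> {decide(req)}")
```

Rule order matters in a first-match engine: the most specific grant goes first and the default sits outside the list, so adding a new device class cannot silently widen an existing grant.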
The Solution – Avaya Session Border Controller for Enterprise Portfolio

Industry Leading Enterprise UC Security
• Secure VoIP and UC over any network to any device, including smartphones, alternative devices and SIP endpoints
• Innovative VPN-less remote worker offering, enabling true BYOD

Price/Performance Optimized for Enterprise & SME
• Fit-for-purpose SME / Enterprise solution
• Not a repackaged carrier SBC
• Scalability: up to 5,000 sessions, and more in the near future

Ease of Implementation & Management
• Rapid implementation of safe SIP trunks, remote workers and advanced UC applications
• SIP trunks operational in minutes, not months
• High Availability
• GUI-based SIP normalization tool
• TCO & ROI
• VMware compatible
Avaya Product Security Support Team – PSST
Assessment / Penetration Testing
• Internally-focused security assessment / penetration testing of Avaya products
• Penetration test tool kit leveraged across GCS products
• Security assessment testing includes:
  o Replicating customer or "attacker" methodology
  o Finding / resolving issues before the field does
  o Measuring progress against standards, e.g., CTO, JITC, Nessus / Retina ".mil" plug-ins
  o Unscripted testing
• Championing best security practices across Avaya