Securing Enterprise Voice


For trusted, first class interactive communications
Securing enterprise VoIP

Firewall pinholes/ACLs are not enough
– Open signaling ACL
– Full range of RTP ports open

Data IDS is not sufficient for SIP and H.323
– Not inline with signaling and media
– Relies on triggers from other network elements that have no call awareness

Session Border Controllers ARE VoIP security
– Track record of 5+ years securing next-gen VoIP networks
– Inline for signaling and media
– Call state
• Clean up transactions and dialogs
• Verify valid users/devices
– Hardware-based policing/filtering is most effective for DoS/DDoS attacks
– Protection against malicious software attacks
– Fraud prevention

Acme Packet Confidential
Solution: enterprise SIP peering

Enterprise Migration
– Eliminate access charges per site
– Fully converge voice/data over MPLS VPN
– Data Center PBX model (centralization) drives SIP peering capacity

Security
– Hardware-based signaling overload policing
– Full topology hiding (NAT) of signaling and media
– Session-based RTP pin-holing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPsec, TLS, SRTP

Signaling
– SIP header manipulation for vendor interop
– CAC: bandwidth- and session-based

Routing
– Local and ENUM
– Load balancing, failure-based re-route
– Outbound to carriers
– Inbound to users' PBX

[Diagram: enterprise site on an MPLS VPN or private network with an H.323 or SIP PBX, SIP endpoints/server and a regional PBX; the SBC peers over SIP with the service provider for IP access to the PSTN, hosted services, IP extranet and other IP subscribers]
Solution: enterprise SIP station side

Enterprise Migration
– Virtualizes the office and contact center
– Remote worker / traveling worker
– Small sites without MPLS connectivity

Security
– Hardware-based signaling overload policing per user
– Full topology hiding (NAT) of signaling and media
– Session-based RTP pin-holing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPsec, TLS, SRTP
– Registration overload protection
– SIP registration-based ACLs: only INVITEs pass from registered users

Signaling
– SIP header manipulation for vendor interop
– CAC: bandwidth- and session-based
– Per-user CAC
– SBC virtualization allows access and peering on the same SBC

[Diagram: enterprise site on an MPLS VPN or private network with an H.323 or SIP PBX and a regional data center PBX; SIP endpoints/server and teleworkers behind NAT reach the SBC over the Internet; service provider peering on the same SBC]
Solution: IP contact centers

Enterprise Migration
– Reduces transfer and connect costs
– Increases visibility for transferred calls
– Tie in teleworkers to virtualize the contact center

Security
– Hardware-based signaling overload policing per user
– Full topology hiding (NAT) of signaling and media
– Session-based RTP pin-holing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPsec, TLS, SRTP
– Registration overload protection
– SIP registration-based ACLs: only INVITEs pass from registered users

Signaling
– SIP header manipulation for vendor interop
– Routing / failure re-routing
– CAC: bandwidth- and session-based
– SBC virtualization allows access and peering on the same SBC
– Packet replication to call recording devices

[Diagram: contact center (SIP/G.711) at Site A and Site B with agents CSR1–CSR5 connected over MPLS; customers reach it over the Internet or a managed network using SIP/H.323 with codec X]
Acme Packet market-leading Net-Net product family

[Product family graphic: Net-Net OS at the core; Net-Net 9000, Net-Net 4000 PAC and Net-Net 4000 platforms in integrated & decomposed SBC configurations; Net-Net EMS for management. Attributes called out: security, service reach, revenue & profit protection, multi-protocol, management, SLA assurance, regulatory compliance, high availability]
Acme Packet Net-Net platform performance & capacity

|                             | Net-Net 4000 series PAC                 | Net-Net 9000 series          | Net-Net 4000 series                      |
|-----------------------------|-----------------------------------------|------------------------------|------------------------------------------|
| SD signaling performance    | 1200 SIP mps; 85 SIP calls/sec          | 9600 mps; 680 SIP calls/sec  | 2100–8000 SIP mps; 150–570 SIP calls/sec |
| SR signaling performance    | Up to 500 calls/sec                     | N/A                          | TBD                                      |
| Media sessions *            | 32K–128K                                | 256K–1 million               | 32K–128K                                 |
| Transcoded sessions         | NA                                      | NA                           | 0–16,000                                 |
| Network interfaces (active) | (2 or 4) 1000 Mbps or (8) 10/100 Mbps   | (32) 1000 Mbps               | (8 or 16) 1000 Mbps                      |
| High availability           | Inter-system                            | 1x1 or Nx1                   | Intra-system                             |
| Package size/slots          | 1U / 2 slots                            | 10U or 18U                   | 7U / 13 slots                            |

* Actual achievable session capacity is based on signaling performance
Net-Net OS architecture

[Block diagram; components listed by subsystem:]

Routing, Policy & Accounting
– Session routing, number manipulation, admission control, route policy, DNS/ENUM, load balancing

Session Control Subsystem
– Signaling services: SIP B2BUA; H.323 B2B GK/GW; SIP–H.323 IWF; MGCP/NCS; H.248
– Resource and bandwidth control: traffic controls, NAT relay, bandwidth policy enforcement, bearer resource management
– Security front end: access control, traffic management, denial of service protection, signaling flow policing, NAT ALG, DNS ALG
– Accounting & QoS reporting: QoS stats, RADIUS, SNMP, SYSLOG
– Management & configuration: CLI, XML, HTTP, TFTP, SNMP, SYSLOG, redundancy management, configuration repository

Network Processor Subsystem
– Media control: dynamic access control, bandwidth policing, dynamic NAPT relay, QoS measurements, HNT / RTP latching, QoS marking, media supervision timers, lawful intercept (CCC), transcoding, DTMF extraction
– Encryption engine
– Redundancy management
SIP protocol repair and normalization

SIP header and parameter manipulation per realm and session agent
– Stripping
– Insertion
– Modification
Configurable SIP status code mapping per session agent
Inbound/outbound number manipulation rules per realm and session agent
Configurable SIP timers and counters per realm
Configurable Q.850-to-SIP status mapping
Configurable TCP/UDP transport per realm
Configurable option tag handling per realm
Configurable FQDN-IP / IP-FQDN mapping
SIP route header stripping
Malformed signaling packet filtering
Many SIP options for vendor and version inter-working
E.164 number normalization
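The strip/insert/modify header rules and E.164 normalization listed above are easiest to understand as a small rule engine applied to one request. The following is an added illustration written for this page, not Acme Packet code and not the Net-Net configuration syntax: the rule tuple format, the sample INVITE, the `pbx.example.internal` / `sbc.example.com` domains and the NANP dial-plan rules in `normalize_e164` are all constructed assumptions.

```python
import re

# Constructed sample INVITE from an enterprise PBX realm (not taken from the page).
# The 1+ dialed number in the Request-URI and the internal domain are illustration values.
SAMPLE_INVITE = (
    "INVITE sip:12125550199@pbx.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: \"Alice\" <sip:2125550100@pbx.example.internal>;tag=1928\r\n"
    "To: <sip:12125550199@pbx.example.internal>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Route: <sip:10.0.0.1;lr>\r\n"
    "User-Agent: VendorPBX/1.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Hypothetical per-realm rule set: (action, header, regex, replacement).
# The three actions mirror the slide: strip, insert, modify.
OUTBOUND_RULES = [
    ("strip", "User-Agent", None, None),          # hide PBX vendor/version from the peer
    ("strip", "Route", None, None),               # SIP Route header stripping
    ("modify", "From", r"@pbx\.example\.internal", "@sbc.example.com"),
    ("modify", "To", r"@pbx\.example\.internal", "@sbc.example.com"),
    ("insert", "P-Asserted-Identity", None, "<sip:2125550100@sbc.example.com>"),
]

def parse(msg):
    """Split a SIP message into start line, ordered (name, value) headers and body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def serialize(start, headers, body):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body

def normalize_e164(user, country_code="1"):
    """Return the +E.164 form of a dialed number, or None if it cannot be normalized.
    Dial-plan rules are assumed for illustration: '+' already global, '011' = international
    prefix, 11 digits starting with 1 = NANP, 10 digits = national NANP number."""
    digits = re.sub(r"[^\d+]", "", user)
    if digits.startswith("+"):
        return digits if digits[1:].isdigit() else None
    if digits.startswith("011") and len(digits) > 3:
        return "+" + digits[3:]
    if len(digits) == 11 and digits.startswith("1"):
        return "+" + digits
    if len(digits) == 10:
        return "+" + country_code + digits
    return None

def apply_rules(headers, rules):
    out = list(headers)
    for action, name, pattern, repl in rules:
        if action == "strip":
            out = [(n, v) for n, v in out if n.lower() != name.lower()]
        elif action == "modify":
            out = [(n, re.sub(pattern, repl, v) if n.lower() == name.lower() else v)
                   for n, v in out]
        elif action == "insert":
            out.append((name, repl))
    return out

def repair(msg, rules=OUTBOUND_RULES):
    """Apply header manipulation and Request-URI number normalization to one request."""
    start, headers, body = parse(msg)
    method, uri, version = start.split(" ", 2)
    m = re.match(r"sip:([^@;]+)@(.*)", uri)
    if m:
        e164 = normalize_e164(m.group(1))
        if e164:
            uri = f"sip:{e164}@{m.group(2)}"
    return serialize(f"{method} {uri} {version}", apply_rules(headers, rules), body)
```

Rules are applied in order, so a modify rule sees headers that an earlier strip has already removed; a number that does not match any dial-plan rule leaves the Request-URI untouched rather than being rewritten into something wrong.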
Acme Packet hosted NAT traversal

Basic operation
– SIP client sends REGISTER to the Net-Net SD's address; the SD forwards it to the registrar
– Net-Net auto-detects NATed clients
– In the OK, the SD instructs the SIP client to refresh its registration periodically to keep the NAT binding open
– Net-Net SD provides the client SDP for media relay
– Media relay latches on the first RTP packet. All packets are relayed to the destination client

[Diagram: Net-Net SD (B2BUA for signaling, media relay for media) between a client behind a firewall/NAT and a far-end client; addresses shown: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5, 7.7.7.7]
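The five steps above, carried through as one added example (written for this page, not Acme Packet's implementation): NAT detection by comparing the advertised Via/Contact address with the packet's real source, a shortened Expires for NATed clients, SDP rewriting toward the relay, and a relay that latches on the first RTP packet and then drops anything from a third source. The REGISTER, SDP, the 60-second refresh interval and the address roles are constructed assumptions; the addresses merely echo the diagram.

```python
import re

NAT_REFRESH_SECONDS = 60   # assumed: refresh interval the SD imposes on NATed clients

# Constructed REGISTER as seen by the SD. The client advertises 1.1.1.1 (the address it
# knows about) but, being behind a NAT, the packet arrives from 7.7.7.7 (addresses borrowed
# from the slide's diagram; roles are illustrative).
SAMPLE_REGISTER = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bKnashds7\r\n"
    "From: <sip:alice@example.com>;tag=a73kszlfl\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Contact: <sip:alice@1.1.1.1:5060>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

SAMPLE_SDP = (
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 1.1.1.1\r\ns=-\r\n"
    "c=IN IP4 1.1.1.1\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n"
)

def detect_nat(register_msg, src_ip):
    """A client is behind a NAT when the address it puts in Via/Contact differs from the
    source address its packet actually arrived from."""
    via = re.search(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", register_msg, re.M)
    contact = re.search(r"^Contact:\s*<sip:[^@>]*@([\d.]+)", register_msg, re.M)
    advertised = {m.group(1) for m in (via, contact) if m}
    return bool(advertised) and src_ip not in advertised

def client_expires(natted, registrar_granted):
    """Expires value returned to the client in the 200 OK. NATed clients get a short value
    so their periodic REGISTER keeps the NAT binding open; the registrar keeps the long one."""
    return min(registrar_granted, NAT_REFRESH_SECONDS) if natted else registrar_granted

def rewrite_sdp(sdp, relay_ip, relay_port):
    """Point the other party at the SD's media relay instead of the client's own address."""
    sdp = re.sub(r"^(o=.* IN IP4 )[\d.]+", rf"\g<1>{relay_ip}", sdp, flags=re.M)
    sdp = re.sub(r"^c=IN IP4 [\d.]+", f"c=IN IP4 {relay_ip}", sdp, flags=re.M)
    sdp = re.sub(r"^m=audio \d+", f"m=audio {relay_port}", sdp, flags=re.M)
    return sdp

class MediaRelay:
    """One relayed media leg. The NATed client's public (ip, port) is unknown until its
    first RTP packet arrives; the relay latches onto that source and thereafter forwards
    only between the latched address and the far end (the session-based pinhole)."""
    def __init__(self, far_end):
        self.far_end = far_end      # (ip, port) learned from the far end's SDP
        self.latched = None
        self.forwarded = []         # (destination, payload) tuples, in order

    def on_packet(self, src, payload):
        """Return True if the packet was relayed, False if dropped."""
        if src == self.far_end:
            if self.latched is None:
                return False        # no public address for the NATed side yet
            self.forwarded.append((self.latched, payload))
            return True
        if self.latched is None:
            self.latched = src      # latch on first packet from the NATed side
        if src != self.latched:
            return False            # rogue source: never re-latch mid-call
        self.forwarded.append((self.far_end, payload))
        return True
```

The refusal to re-latch is what makes the pinhole session-based: once the first packet fixes the peer, traffic from any other source into the relay port is discarded instead of hijacking the stream.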
Business continuity / redundancy

Redundant Net-Net product configurations offer non-stop performance
– Supports new calls, no loss of active sessions (media and signaling) including capabilities (protocol dependent)
– Preserves CDRs on failover
– 1:1 Active/Standby architecture
– Shared virtual IP/MAC addresses
– Failover for node failure, network failure, poor health, manual intervention
– 40 ms failover time
– Checkpointing of configuration, media & signaling state
– Software option – requires no additional hardware
All sessions stay up. Process new sessions immediately

[Diagram: sd0.co.jp active and standby units share 10.0.0.1; clients find the SD through DNS round-robin or a configured proxy; when the active unit fails (X), the standby (sd0.fc.co.jp) becomes active at 10.0.0.1 and takes the new call]
Service virtualization

[Diagram: a Net-Net Session Director on a multi-service backbone virtualizes interconnect services, business services and SOHO]
Realms and realm groups

[Diagram: several realms are combined into a realm group that shares a virtual IP and a signaling service. Per realm or realm group: session routing and interworking policies, resources, number translation tables, packet marking policy, media resources, bandwidth CAC policy, media release policy, signaling access control & DoS]
SIP-H.323 interworking

Enterprise SIP & H.323 interworking
– Supports all popular H.323 IP PBX vendors - Cisco, Avaya, Nortel etc.
– Maximizes investments made in legacy IP PBX
– Reduces termination costs as high capacity SP trunking is SIP
PBX & SIP-based services integration
– Transport services - 1+ dialing
– SIP Centrex-PBX integration with unified dial plan management
– Supports Cisco CM & other H.323 PBXs; H.323 gateway to TDM PBX
Voice ASP (calling card, directory, etc.)
– Enables connections with SIP & H.323 service providers

[Diagram: enterprise core with an H.323 or SIP IP PBX and a legacy PBX with gateway; SIP trunks to PSTN origination & termination, a voice ASP (SIP) and data center IP services]
SD routing overview

Acme Packet's Session Director has several "types" of routing mechanisms
– Local policies
• Extremely flexible; based on previous-hop, previous-realm, req-URI, From, cost, time/day, media-type, etc.
– ENUM
• Actually a subset of local-policies, so has that flexibility too
– Trunk-group-URI selection of next-hop or group of next-hops
• Per IETF draft-ietf-iptel-trunk-group, and for some proprietary TGIDs
– Request-URI matching cached registered endpoints
• For requests from core to dynamic subscribers
– Request-URI hostname resolution
– Route-header routing per RFC 3261
– Static 1:1 mapping
• For simple cases only needing security and protocol repair
Local-Route-Table – technical details

Sub-features
– Supports 200k+ routes
– Supports multiple, distinct local-route-tables
– Decision of whether and which local-route-table to use is based on the result of local-policies, so can do hybrid routing configs
– Supports regular expression results, similar to ENUM results
– Used to replace Request-URI with new value based on regex
– Route-tables are in XML format, gzipped
– Provides support for rn/cic-specific lookups, and user-defined prefix lengths
Useful for peering applications:
– Can choose which peer to send calls to based on it
– Can choose which core softswitch/gateway to send inbound calls to
Supports both proxy and B2BUA modes
Traffic load balancing

Load balance multiple SIP/H.323 softswitches, application servers or gateways
Load balancing options
– Hunt
– Round Robin
– Least busy
– Lowest sustained rate
– Proportional
Session Agent Group
– Detect & route around element failures
– Session Agent stats for H.323 & SIP destinations
Common Session Agent constraints
– Max sessions
– Max outbound sessions
– Max burst rate
– Max sustained rate
– Session Agent unavailable or unresponsive

Example session agent group (SA-1 receives 50% of traffic, SA2 20%, SA3 30%):

  name= acme_group
  strategy = proportional
  destinations =
    gateway1.acme.com
    gateway2.acme.com
    gateway3.acme.com

  SA1
  hostname=gateway1.acme.com
  ip-address=192.168.1.50
  realm-id = backbone
  max-sessions =500
  max-outbound sessions=500
  max-burst-rate=10cps
  max-sustained rate=8cps
  allow-next-hop-lp=enabled
  carriers= mci, att, sprint

  SA2
  hostname=gateway2.acme.com
  ip-address=192.168.1.51
  realm-id = backbone
  max-sessions =200
  max-outbound sessions=200
  max-burst-rate=5cps
  max-sustained rate=4cps
  allow-next-hop-lp=enabled
  carriers= mci, att, sprint

  SA3
  hostname=gateway3.acme.com
  ip-address=192.168.1.52
  realm-id = backbone
  max-sessions =300
  max-outbound sessions=300
  max-burst-rate=6cps
  max-sustained rate=5cps
  allow-next-hop-lp=enabled
  carriers= mci, att, sprint
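The five strategies and the constraint list above are shown together in the following added example (written for this page; it is not Acme Packet's scheduler). The three agents reuse the hostnames, addresses and limits from the slide's configuration. Two things are assumptions: the traffic shares on the slide (50/20/30) equal each agent's share of the summed max-sessions, so the proportional strategy here weights by max-sessions; and the 1-second burst window, 10-second sustained window and the smooth weighted round-robin used to realise the proportions are this example's choices.

```python
import itertools
from dataclasses import dataclass, field

BURST_WINDOW = 1.0        # seconds over which max-burst-rate is measured (assumed)
SUSTAINED_WINDOW = 10.0   # seconds over which max-sustained-rate is measured (assumed)

@dataclass
class SessionAgent:
    """One next hop (softswitch, gateway, app server) with the slide's constraints."""
    hostname: str
    ip_address: str
    max_sessions: int
    max_outbound_sessions: int
    max_burst_rate: float        # calls/sec over BURST_WINDOW
    max_sustained_rate: float    # calls/sec over SUSTAINED_WINDOW
    active: int = 0
    outbound: int = 0
    available: bool = True       # False when unresponsive / out of service
    attempts: list = field(default_factory=list)   # timestamps of sessions sent here
    current: int = 0             # smooth weighted round-robin state

def rate(agent, now, window):
    return sum(1 for t in agent.attempts if now - t < window) / window

def admits(agent, now):
    """Common session-agent constraints; any violation excludes the agent this time."""
    return (agent.available
            and agent.active < agent.max_sessions
            and agent.outbound < agent.max_outbound_sessions
            and rate(agent, now, BURST_WINDOW) < agent.max_burst_rate
            and rate(agent, now, SUSTAINED_WINDOW) < agent.max_sustained_rate)

class SessionAgentGroup:
    STRATEGIES = ("hunt", "roundrobin", "leastbusy", "lowsusrate", "proportional")

    def __init__(self, name, strategy, agents):
        if strategy not in self.STRATEGIES:
            raise ValueError(strategy)
        self.name, self.strategy, self.agents = name, strategy, list(agents)
        self._rr = itertools.cycle(self.agents)

    def select(self, now):
        """Pick a destination for a new session, or None if nothing admits it."""
        eligible = [a for a in self.agents if admits(a, now)]
        if not eligible:
            return None                      # route around: every element failed/full
        if self.strategy == "hunt":
            chosen = eligible[0]             # first configured destination that admits
        elif self.strategy == "roundrobin":
            chosen = next(a for a in self._rr if a in eligible)
        elif self.strategy == "leastbusy":
            chosen = min(eligible, key=lambda a: a.active / a.max_sessions)
        elif self.strategy == "lowsusrate":
            chosen = min(eligible, key=lambda a: rate(a, now, SUSTAINED_WINDOW))
        else:  # proportional: smooth weighted round robin, weight = max-sessions
            total = sum(a.max_sessions for a in eligible)
            for a in eligible:
                a.current += a.max_sessions
            chosen = max(eligible, key=lambda a: a.current)
            chosen.current -= total
        chosen.active += 1
        chosen.outbound += 1
        chosen.attempts.append(now)
        return chosen

    def release(self, agent):
        agent.active -= 1
        agent.outbound -= 1

def acme_group():
    """The slide's SA1–SA3 (hostnames, addresses and limits taken from the page)."""
    return SessionAgentGroup("acme_group", "proportional", [
        SessionAgent("gateway1.acme.com", "192.168.1.50", 500, 500, 10, 8),
        SessionAgent("gateway2.acme.com", "192.168.1.51", 200, 200, 5, 4),
        SessionAgent("gateway3.acme.com", "192.168.1.52", 300, 300, 6, 5),
    ])
```

Because admission is checked before the strategy runs, a burst-limited or unresponsive agent simply drops out of the eligible set and the remaining agents absorb its share, which is the "detect & route around element failures" behaviour on the slide.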
Session admission control

Realm based – access networks or transit links
– Realm and realm group bandwidth constraints
Session Agent based – call controllers or app servers
– Session Agent constraints (capacity, rate, availability, etc.)
– Softswitch, etc. – signaling rate limiting or "call gapping"
Per-user CAC
– Based on AOR or IP address
Address based
– Code gapping constraints based on destination address/phone #
Policy Server-based
– TISPAN RACS and PacketCable Multimedia Policy Server interface
Overload protection
– Signaling
• Session border controller rejects sessions gracefully when host processor >= 90% load (default). This is a configurable option
Net-Net Session Director lawful intercept for hosted communications

– Legal intercept independent of the softswitch for both IP-PSTN and IP-IP calls
– Supports SIP, MGCP and H.323
– Call content - media flows replicated and forwarded to the DF over the Call Content Connection (CCC)
– Call data - sent to the DF over the Call Data Connection (CDC)

[Diagram: Net-Net SD (AF) between subscribers (SIP, H.323, MGCP) and the service infrastructure / PSTN via an edge router; the CDC and CCC run to a lawful intercept server (DF & SPAF) serving law enforcement agencies (LEAF & CF)]
Net-SAFE™
The net-net

Security issues are very complex and multi-dimensional
– Attack sophistication is growing while intruder knowledge is decreasing
Security investments are business insurance decisions
– Life – DoS attack protection
– Health – SLA assurance
– Property – service theft protection
– Liability – SPIT & virus protection
Degrees of risk (ranked High/Low in the original graphic)
– Misconfigured devices
– Operator and application errors
– Peering
– Growing CPE exposure to Internet threats
– NEVER forget disgruntled Malcom, OfficeSpace
Only purpose-built session border controllers protect enterprise assets
Riding the bull

Threat mitigation represents staying "ahead" of security threats
– Attackers don't publish their methods
As data attack models have matured they have dramatically increased in number
– Putting pressure on security defense scale
The requirements of real-time services such as VoIP and multimedia are different from those of data
– Similar trends, different devices
Stateful, service-aware, and dynamic policy application
– Endpoints may be authenticated, but their intentions may not be
– Protocol messages may be valid, but how they're used may not be
Net-SAFE

[Net-SAFE graphic; protection areas shown include access control & VPN separation, and worm/virus & malicious software]
Three goals of Net-SAFE

– Protect the Service (service provider peer)
– Protect the Enterprise's Infrastructure (enterprise access, enterprise contact center)
– Protect the SBC
DoS attacks remain the #1 security threat, so the security element must first defend itself!
The SD is architected to secure…

Hardware and software-based DoS protection
– Trust and untrust queues with wire-speed packet classification and dynamic trust management integration
Smart Border DPI
– Security gateway fully terminates session traffic for signaling deep packet inspection
– Passive DPI is unable to function on the ever-growing amount of encrypted/compressed traffic flows
Real-time IDP
– Dynamic Trust Management leverages smart DPI and monitors traffic behavior patterns, making trust level adjustments without administrator intervention
– Avoids harmful false-positive DoS risks
Extending trust to the endpoint
– IPsec, TLS, and SRTP
Hardware- and software-based DoS protection

[Diagram: Acme Packet multi-processor hardware architecture. Signaling enters the Session Control Function (signaling processors) and media the Media Control Function; both sit behind an intelligent traffic manager, security processors, network processors and security engines. Slide 28 repeats the diagram as an enlarged view.]
DoS logical hardware path

Acme hardware DoS protection
– CAMs perform ACL lookup and packet classification: each packet is sent down the trusted, untrusted, or denied path
– Trusted path: the classifier chooses a specific Trusted queue; each Trusted queue can be set for average policed rates; the queues are served by weighted round robin (WRR) and the total r
ate can be configured
– Untrusted path: the classifier chooses 1 of 1k hash buckets (1k Untrusted queues) with tail drop; the queues are served round robin; the total Untrusted pipe can be reserved a minimum amount of bandwidth, and a max if more is available
– Denied path: discard
– Trusted and untrusted output is combined by WRR before going to the CPU
Software DoS policy

SW DoS decisions on the SD (traffic must first pass the HW DoS policy + ACLs, then the SW DoS policy):
– Check if below local CPU load threshold
– Check for legal message format (parse it)
– Check previous-hop is authorized
– Check if below constraints limit
– Allow
Outcomes shown on the flow: Reject It, Reject Call, Discard, Allow
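The software decision sequence above and the constraint types from the session admission control slide (realm bandwidth, session agent capacity, per-user CAC, the 90% CPU ceiling) combine naturally into one ordered check. The following is an added example written for this page, not Acme Packet code; which branch of the slide's flow is a "reject" versus a "discard" is this example's reading (CPU overload and policy failures answer with a rejection, unparsable input is dropped), and the limit values, the sample INVITE and the 80 kbps per-call bandwidth figure are constructed.

```python
import re
from dataclasses import dataclass, field

CPU_REJECT_THRESHOLD = 90   # % host CPU load; the slide's default, configurable on the SD

@dataclass
class Limits:
    """Constraint ceilings from the session admission control slide (values assumed)."""
    realm_max_sessions: int
    realm_bandwidth_kbps: int
    per_user_max_sessions: int
    session_agent_max_sessions: int

@dataclass
class State:
    """Live counters the checks are made against."""
    cpu_load: int
    authorized_previous_hops: set
    realm_sessions: int = 0
    realm_bandwidth_used_kbps: int = 0
    user_sessions: dict = field(default_factory=dict)   # AOR -> active sessions
    agent_sessions: int = 0

REQUEST_LINE = re.compile(r"^[A-Z]+ sip:\S+ SIP/2\.0$")
REQUIRED = {"via", "from", "to", "call-id", "cseq"}

def well_formed(msg):
    """'Legal message format': CRLF framing, a request line and the mandatory headers."""
    head, sep, _ = msg.partition("\r\n\r\n")
    if not sep:
        return False
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False
    names = {line.partition(":")[0].strip().lower() for line in lines[1:]}
    return REQUIRED <= names

def from_aor(msg):
    m = re.search(r"^From:\s*(?:.*?<)?(sip:[^>;\r]+)", msg, re.M)
    return m.group(1) if m else None

def decide(msg, prev_hop, state, limits, codec_kbps=80):
    """Run the software DoS checks in the slide's order; return (verdict, reason)."""
    if state.cpu_load >= CPU_REJECT_THRESHOLD:
        return "reject", "cpu-threshold"       # graceful rejection under overload
    if not well_formed(msg):
        return "discard", "malformed"          # unparsable input earns no response
    if prev_hop not in state.authorized_previous_hops:
        return "reject", "previous-hop"
    if state.realm_sessions >= limits.realm_max_sessions:
        return "reject", "realm-sessions"
    if state.realm_bandwidth_used_kbps + codec_kbps > limits.realm_bandwidth_kbps:
        return "reject", "realm-bandwidth"
    if state.user_sessions.get(from_aor(msg), 0) >= limits.per_user_max_sessions:
        return "reject", "per-user-cac"
    if state.agent_sessions >= limits.session_agent_max_sessions:
        return "reject", "session-agent"
    return "allow", "ok"

# Constructed well-formed INVITE used below (not from the page).
GOOD_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK1\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: 1@10.0.0.5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
```

The CPU check comes first on purpose: it costs nothing and protects the parser, which is the most expensive step, from being driven by the very flood that raised the load.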
SBC DoS protection features

Protect the SBC from DoS and other attacks
– Both malicious and unintentional attacks
– Self-limiting ceiling check (%CPU) with graceful call rejection
– Automatically promotes/demotes device trust level based on behavior
– Enforced max aggregate rate for all traffic
– Separate, policed queues for management + control protocols
– Hardware capacity of the NP subsystem is greater than all interfaces combined
– Reverse path forwarding checked for signaling + media
– Hardware-policed queues for control packets (ICMP, ARP, Telnet, etc.), separate from Trusted traffic
Smart Border DPI

Session DPI models
Full protocol termination via security gateway
– Breaks the session into two segments (segment 1, segment 2) for complete control
– Terminates and reinitiates signaling message & SDP with unique session IDs
– Simplifies traffic anomaly detection
– Able to inspect encrypted and compressed packets
Passive DPI via in-line security appliance (ALG)
– Maintains a single session through the system
– Modifies addresses in signaling messages & SDP as they pass through the system
– Unable to inspect encrypted and compressed packets
SD DPI - the broadest set of protocols on the market

Over 80 known threats involving the following protocols
– SIP, H.323 – H.225, H.323 – H.245
– H.248, MGCP, NCS
– RTP
– TCP, UDP
– IP
– ICMP, ARP
SD DPI capabilities are coupled with scalable decryption/encryption processing to stand up against the strongest security defenses
Real-time IDP

Dynamic trust management
– Dynamic trust level binds to hardware classification
– Individual device trust classification
– Provides fair access opportunity for new and unknown devices
– Multi-queue access fairness for unknown traffic
– Automatically promotes/demotes device trust level based on behavior
– Per-device constraints and authorization
Promotion and demotion of users

Promotion to trusted user - SIP
– UA1 sends REGISTER to the registrar; the 200 OK for the REGISTER promotes UA1
– UA1 sends INVITE to UA2, UA2 answers 200 OK, UA1 sends ACK; the 200 OK for the INVITE promotes both UA1 and UA2

Promotion to trusted user - MGCP
– GW1 sends RSIP to the soft switch; the 200 OK for the RSIP promotes GW1 and the soft switch
– The soft switch sends CRCX to GW1; the 200 OK for the CRCX promotes GW1

Demotion to untrusted user - SIP
Demotion occurs in stages
– Trusted to Untrusted, then
– Untrusted to Denied
Trusted to untrusted when:
– Registration timeout
– Excessive signaling messages
– Excessive malformed packets
Untrusted to denied demotion:
– Excessive signaling messages
– Excessive malformed packets
– Different from the trusted-to-untrusted thresholds

Example (TP = time period)
– max-signal-threshold: 20
– untrusted-signal-threshold: 4
– Up to 4 messages / TP to become trusted
– If a device sends >20 messages / TP, it is demoted to untrusted
– If it can't become trusted in 4 messages / TP, it is demoted to denied
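The staged promotion/demotion rules and the slide's example thresholds (max-signal-threshold 20, untrusted-signal-threshold 4) are implemented below as a per-device state machine, as an added illustration written for this page and not Acme Packet's dynamic trust management. The slide does not quantify "excessive malformed packets" or the length of a time period, so the malformed thresholds (5 and 2) and the 30-second TP are assumed, as is `queue_for`, which only names the hardware path each level binds to.

```python
from enum import Enum

class Trust(Enum):
    DENIED = 0
    UNTRUSTED = 1
    TRUSTED = 2

# Thresholds from the slide's example, counted per time period (TP)
MAX_SIGNAL_THRESHOLD = 20        # trusted device: more than this per TP -> untrusted
UNTRUSTED_SIGNAL_THRESHOLD = 4   # untrusted device: more than this per TP without earning trust -> denied
# Not quantified on the slide ("excessive malformed packets"); values assumed
MALFORMED_TRUSTED = 5
MALFORMED_UNTRUSTED = 2
TIME_PERIOD = 30.0               # seconds per TP, assumed

PROMOTING = {"REGISTER", "INVITE", "RSIP", "CRCX"}   # a 200 OK to these promotes (SIP, MGCP)

def queue_for(level):
    """Hardware classification path the dynamic trust level binds to."""
    return {Trust.TRUSTED: "trusted-queue", Trust.UNTRUSTED: "untrusted-hash-bucket",
            Trust.DENIED: "deny"}[level]

class DeviceTrust:
    def __init__(self, addr, now):
        self.addr = addr
        self.level = Trust.UNTRUSTED        # new/unknown devices start untrusted
        self.period_start = now
        self.msgs = 0
        self.malformed = 0
        self.registered_until = None
        self.history = []                   # (time, new level, reason)

    def _set(self, now, level, reason):
        self.level = level
        self.msgs = self.malformed = 0      # fresh counters at the new level
        self.history.append((now, level, reason))

    def _tick(self, now):
        if now - self.period_start >= TIME_PERIOD:
            self.period_start, self.msgs, self.malformed = now, 0, 0
        if (self.level is Trust.TRUSTED and self.registered_until is not None
                and now > self.registered_until):
            self._set(now, Trust.UNTRUSTED, "registration timeout")

    def on_request(self, now, malformed=False):
        """Signaling from the device toward the SD. Returns True if it may be processed."""
        self._tick(now)
        if self.level is Trust.DENIED:
            return False
        self.msgs += 1
        self.malformed += int(malformed)
        if self.level is Trust.TRUSTED:
            if self.msgs > MAX_SIGNAL_THRESHOLD or self.malformed > MALFORMED_TRUSTED:
                self._set(now, Trust.UNTRUSTED, "excessive signaling/malformed")
        elif self.msgs > UNTRUSTED_SIGNAL_THRESHOLD or self.malformed > MALFORMED_UNTRUSTED:
            self._set(now, Trust.DENIED, "did not earn trust within threshold")
            return False
        return not malformed

    def on_success(self, now, method, expires=None):
        """The SD relayed a 200 OK for this device's request (REGISTER/INVITE, RSIP/CRCX)."""
        self._tick(now)
        if self.level is Trust.DENIED or method not in PROMOTING:
            return
        if method in ("REGISTER", "RSIP") and expires:
            self.registered_until = now + expires
        if self.level is not Trust.TRUSTED:
            self._set(now, Trust.TRUSTED, f"200 OK for {method}")
```

Note that a denied device stays denied until the operator (or an expiry policy not shown here) clears it: nothing it sends is processed, so it can no longer earn a 200 OK, which is what makes the last stage a real block rather than a rate limit.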
Extending trust to the endpoint

TLS (Transport Layer Security)
Required elements
– SD populated with Signaling Security Module (SSM) + 2GB memory
– TLS user agent (UA) on the endpoint
– TLS server on the SD
– Trusted Certificate Authority
TLS handshake between TLS UA and TLS server
– Using either single-sided (server authentication) OR
– Mutual authentication
SIP signaling only after successful TLS setup
Mix encrypted / unencrypted signaling
TCP / UDP / TLS interworking

[Diagram: TLS on the access and intra-network legs, SIP over TLS on the inter-network leg]
TLS DoS protection

DoS protection for TLS (C4.1.1 / D6.0)
Benefit – prevent encryption starvation attacks
Problems overcome
– Too many TLS connections to an endpoint
– Too many TLS connections to a SIP interface
– Too many quiet TLS connections
Application – SIP-TLS access
How it works – if a response to a SIP transaction is not received within a configurable period of time, the TLS connection is torn down

[Diagram: TLS sessions governed by a timer]
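The three problems and the timer rule above are captured in the following added example (written for this page, not Acme Packet code): accept-time limits per endpoint and per SIP interface, and a deadline that only a completed SIP transaction extends, so a connection that merely consumed a handshake and then went quiet is torn down. The numeric limits and the 30-second timer are assumed; the slide gives the mechanism but no values.

```python
from dataclasses import dataclass

@dataclass
class TlsConn:
    conn_id: int
    peer_ip: str
    deadline: float     # a SIP transaction must complete on this connection before then

class TlsConnectionGuard:
    """Accept-time limits plus the slide's timer: a TLS connection that carries no
    completed SIP transaction within `timeout` seconds is torn down. Limit values are
    assumed; the slide names the three problems but not the numbers."""
    def __init__(self, timeout=30.0, per_endpoint=2, per_interface=1000):
        self.timeout = timeout
        self.per_endpoint = per_endpoint
        self.per_interface = per_interface
        self.conns = {}      # conn_id -> TlsConn
        self.closed = []     # (conn_id, reason), in close order
        self._next_id = 1

    def accept(self, peer_ip, now):
        """Called before the handshake is completed. Returns (conn_id or None, reason)."""
        if len(self.conns) >= self.per_interface:
            return None, "interface-limit"
        if sum(1 for c in self.conns.values() if c.peer_ip == peer_ip) >= self.per_endpoint:
            return None, "endpoint-limit"
        conn = TlsConn(self._next_id, peer_ip, now + self.timeout)
        self._next_id += 1
        self.conns[conn.conn_id] = conn
        return conn.conn_id, "accepted"

    def on_sip_response(self, conn_id, now):
        """A SIP transaction completed on this connection, so it is not a quiet one.
        A request alone does not extend the deadline; only the response does."""
        self.conns[conn_id].deadline = now + self.timeout

    def reap(self, now):
        """Tear down every connection whose timer expired; return their ids."""
        expired = [cid for cid, c in self.conns.items() if now >= c.deadline]
        for cid in expired:
            self.close(cid, "no-sip-transaction-within-timer")
        return expired

    def close(self, conn_id, reason):
        del self.conns[conn_id]
        self.closed.append((conn_id, reason))
```

Reaping frees the per-endpoint and per-interface slots, so the limits bound the number of handshakes an attacker can keep the SSM busy with, which is the "encryption starvation" the slide refers to.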
IPsec (IP Security)

Manual keying
– Same key at both ends of the IPsec tunnel
– Manual input of key
Selective encryption (2 SDs)
– All traffic (for peering)
– Signaling only
– Ia interface between SC and BG
Selective encryption: SD to UE
– Signaling only (Gm interface)
– Signaling and media
Encryption ciphers
– DES, 3DES-CBC, AES-CBC (128 bit and 256 bit), or NULL cipher
Data integrity hashes
– HMAC-MD5 or HMAC-SHA1
Select two modes for operation:
– Tunnel (entire IP packet) or transport (payload only) mode
– AH (anti-tampering) or ESP (encrypt + anti-tamper) mode

[Diagram: IPsec on the access, intra-network and inter-network legs carrying SIP]
SRTP (Secure Real-Time Transport Protocol)

SRTP key derivation
– 12 different options, including:
• SDES (Session Description Protocol Security Descriptions) – RFC 4568. Many customers asking for this
• MIKEY (Multimedia Internet KEYing) – we probably won't do this
Using SDES
– Secure signaling (IPsec or TLS)
– Key exchanged in SDP (privacy provided by IPsec or TLS)
Availability: NN9200: 1H /

[Diagram: TLS-protected SIP signaling with SRTP media on the access, intra-network and inter-network legs]
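The SDES option above carries the SRTP master key and salt inside the SDP, which is why the slide pairs it with TLS or IPsec signaling. The following added example (written for this page, not Acme Packet code) builds and parses an RFC 4568 `a=crypto` line for AES_CM_128_HMAC_SHA1_80, selects a usable attribute from an offer as the answerer would, and refuses to emit keys unless the signaling transport is one the slide lists as secure. The `sdes_allowed` gate and the single supported suite are this example's choices; the attribute grammar follows RFC 4568.

```python
import base64
import re
import secrets

# RFC 4568 SDES: the offerer's SRTP master key and salt ride inside SDP, so the SDP must
# itself travel over protected signaling (TLS or IPsec), as the slide notes.
SUITE = "AES_CM_128_HMAC_SHA1_80"
KEY_LEN, SALT_LEN = 16, 14           # 128-bit master key + 112-bit master salt = 30 bytes
SECURE_TRANSPORTS = {"tls", "ipsec"}

CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)"
    r"(?:\|(2\^\d+|\d+))?(?:\|(\d+):(\d+))?(?:\s+(.*))?$"
)

def sdes_allowed(signaling_transport):
    """Refuse to place keys in SDP unless the signaling leg is encrypted."""
    return signaling_transport.lower() in SECURE_TRANSPORTS

def make_crypto_line(tag=1, key_salt=None, lifetime="2^31"):
    """Build an a=crypto attribute; a fresh random key||salt is generated unless supplied."""
    key_salt = key_salt if key_salt is not None else secrets.token_bytes(KEY_LEN + SALT_LEN)
    if len(key_salt) != KEY_LEN + SALT_LEN:
        raise ValueError("key||salt must be 30 bytes for " + SUITE)
    return f"a=crypto:{tag} {SUITE} inline:{base64.b64encode(key_salt).decode()}|{lifetime}"

def parse_crypto_line(line):
    """Parse and validate one a=crypto line; raises ValueError on anything unusable."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line")
    tag, suite, b64, lifetime, mki, mki_len, params = m.groups()
    if suite != SUITE:
        raise ValueError(f"unsupported crypto-suite {suite}")
    key_salt = base64.b64decode(b64, validate=True)
    if len(key_salt) != KEY_LEN + SALT_LEN:
        raise ValueError("key||salt has the wrong length")
    return {
        "tag": int(tag), "suite": suite,
        "master_key": key_salt[:KEY_LEN], "master_salt": key_salt[KEY_LEN:],
        "lifetime": lifetime,
        "mki": (int(mki), int(mki_len)) if mki is not None else None,
        "session_params": params,
    }

def select_offer(offer_lines):
    """Answerer side: pick the first offered attribute we support (the answer must reuse
    its tag and suite); None if nothing is usable."""
    for line in offer_lines:
        try:
            return parse_crypto_line(line)
        except ValueError:
            continue
    return None
```

Validation of the decoded length matters: a key||salt that is too short would be silently zero-padded by some SRTP stacks, weakening the master key without any visible error in the signaling.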
Net-Net EMS

Configuration
– Configure, provision, upgrade, inventory
– Multiple networks, multiple systems
Fault
– Manage and filter events, alarms and logs
Performance
– Monitor performance
Security
– Control EMS, system and function access by user or administrator group
– Per user audit trail
EMS management
– EMS configuration & management (back-up, upgrade, licensing, etc.)
Net-Net management

Net-Net 4250/9200 management interfaces and protocols
Interfaces
• Fault interface
– SNMPv2 (current), SNMPv3 (future), TL-1 (future)
• Configuration
– XML (current), CORBA (future)
• Accounting
– RADIUS CDRs
• Performance
– SNMPv2 (current), SNMPv3 (future), XML (future)
• Security
– RADIUS server (AAA), IPsec (future)
Protocols
• TMF814
– This is the same as CORBA (future)
• SNMP
– SNMPv2 (current), SNMPv3 (future)
Why Acme Packet in the enterprise?

– Full enterprise adoption of end-to-end real time IP communications in the call and data center
– Proven interoperability with service providers
– Mediation of IP address spaces, codecs, signaling, transport, and encryption protocols
– Scale for centralized, and solutions for decentralized, architectures
– Border trust and security
– Revenue, cost and quality assurance
– Regulatory and business compliance
Acme Packet brings financial strength and market leading experience, partners, support, and technology to the Enterprise market.