Securing the SIP Trunk

Ravi Varanasi
Vice President, Engineering
Sipera Systems.
[email protected]
SIP trunk

Definition:
• SIP Trunk: Service offered by an ITSP (Internet Telephony Service Provider) that connects a company's IP-PBX to the telephone system (PSTN) via the Internet using the SIP VoIP standard.

Extending VoIP:
• With an IP-PBX, enterprises have converged data and voice over the LAN; a SIP trunk allows enterprises to do the same over the WAN/Internet.

(Diagram: Enterprise LAN with PBX, SIP Trunk across the Internet via the ISP to the ITSP, MGW and PSTN)
SIP Trunk Benefits for Enterprises

(Diagram: Head-Quarters and Branches, each with PBX and MGW, connected by SIP Trunk over the Internet/ISP to the ITSP and PSTN)
• Cost Savings: Operational and Capital
• Allows for Consolidation: One ISP/ITSP, One Data Center
• Simplicity: works with installed IP-PBX and telephones
• Efficiency: Bandwidth, least cost ITSP route selection.
Functions of SIP trunk components

(Diagram: Enterprise IP-PBX, SIP Trunk, ITSP Remote SBC, Soft Switch, MGW, PSTN)

Remote SBC
• NAT traversal
• Protocol Interworking
• RFC compliance, handling IOT
• Encryption termination.

Soft Switch
• Interfacing with IP-PBXes from multiple vendors
• MGW connectivity for PSTN
• CDRs, Billing, Payment services
• Call routing, Dial plans
SIP IP-PBX: Trunk vs Line side functions

Trunk side
• Call delivery
  – One switch (IP-PBX) to another
  – Basis: Routing rules, domain preferences, dial-plans, configuration.
  – Trunk reconfig/rerouting needed in case user moves.
• Call establishment
  – Local IP-PBX to Ext-network
  – Between ITSPs
  – Inter-site communication over public domain.
• Specific functions
  – Admission control
  – Policies: Services offered
  – Billing, CDRs
  – Options for keepalive messages

Line side
• Call delivery
  – End-user to IP-PBX
  – Basis: Registration, Contact info driven.
  – Mobility control: call delivered based on SIP:Contact
• Call establishment
  – Call leg1: End-user to IP-PBX.
  – Call leg2:
    • IP-PBX to end-user (local)
    • IP-PBX to Trunk
• Specific functions
  – Phone registration
  – Admission control
  – VPN connectivity
Call establishment: Line side vs Trunk

(Diagram: call ladder between the endpoint, the IP-PBX and the SIP Trunk)
• Line side: REGISTER / 200 OK, then INVITE with SDP to the IP-PBX.
• IP-PBX: Route lookup, then INVITE with SDP over the SIP Trunk; 200 OK with SDP is returned to the endpoint.
• Media to endpoint via IP-PBX and SIP trunk if anchored.
• Optional mid-call: REINVITE, REFER.
• Teardown: BYE / 200 OK.
Multiple VoIP protocol environment

(Diagram: Enterprise IP-PBX with H.323 or Skinny or SIP on the line side, SIP over the SIP Trunk to the ITSP Remote SBC, Soft Switch, MGW, PSTN)

Enterprise IP-PBX
• Supports H.323/SIP/Skinny on line side
• Converts signaling to SIP. Initiates INVITE
• Protocol Interworking (SIP <-> others)
• Ex: NT CS1000: H323/Unistim -> SIP; Cisco CCM: Skinny line side -> SIP; Avaya CM: H.323 -> SIP
• RFC compliance, handling IOT

Soft Switch
• Interfacing with IP-PBXes from multiple vendors
• MGW connectivity for PSTN
• CDRs, Billing, Payment services
• Call routing, Dial plans
“Bank” Case Study

(Diagram: Head-Quarters PBX and MGW, SIP Trunk over the Internet to the ITSP and PSTN, Branches)

About “Bank”
• Global Bank; 25000 Employees
• PBX Vendor: Avaya

Business Needs:
• Replace TDM Trunks with SIP Trunks to carrier to reduce costs
• Consolidate distributed PBXs to 1 datacenter and remove from 3 branches

Solution:
• Secure SIP Trunks to HQ
• Secure SIP Trunks to branches

Results:
• $70,000 per month on long distance cost
• $15,000 per month saving for two branches (PBX/MGW maintenance)
• First year saving of $1.1 million
Security and Enablement

Proliferation of Unified Communications over IP
• Need for Granular control, Realtime application level security
• Confidentiality, Integrity of communications
• QoS requirements for latency sensitive applications

Need for a comprehensive application-layer security approach to enable pervasive, real-time unified communications:
• Comprehensive: VPN, Firewall, IPS, DPI & Anti-Spam for UC
• Application-Layer: VoIP protocols, call-state, services, subscriber aware
• Pervasive: Soft Phones, Remote Users, SIP Trunks, Click-to-Talk
• Real-time: Deterministic, very low latency; Not store and forward
• Unified Communications: VoIP, IM, Video, Multimedia, Presence, Collaboration over SIP, SCCP, Microsoft OCS, IMS …
Policy enforcement: Key to security

Proactive Security model
• Granular rules based on match criteria: Can partners call partners? Is video allowed in this domain? IM is ok, no IM with attachments.
• Enforce corporate admission policies; Device/User level auth
• Application aware, L7 corporate granular admission control, authentication policies
• Policy violation = Security Breach

Reactive Security model
• Actions based on a vulnerability pattern
• Detect “Bad behavior”; Forensics
• Traditional IDS/IPS approach: Signature/Pattern detection, Deep packet inspection firewall

Secure *ALL* open communication channels: Centralized Configuration Server, X.509 Certificate Server, Personal Profile Manager, SIP Enablement Server, Corporate Directory Server, Web Server, SIP Phones.
Defense in Depth

(Diagram: Legitimate traffic and attacks traverse the Firewall (Layer 3), IDS/IPS (Layer 4) and the UC security function/device before reaching the Call Server)
• Attacks blocked by Firewall and IPS: Layer 3 / Layer 4, Microsoft/HTTP attacks.
• Attacks that reach the UC security function: SIP/SCCP Fuzzing, SCCP/SIP/RTP Floods, SCCP/SIP Spoofing, SCCP/SIP Stealth Attacks, VoIP SPAM.
• UC security function: Real-time, VoIP call state aware, signature and behavior-based signaling & media protection (including encrypted traffic).
• L3 Security is now a commodity market. Attacks are moving towards L7 as hackers target applications and services.
• Network is a platform rather than a pipe.
• Need of the hour: Inline, reliable, low-latency deep packet inspection, state-aware security devices.
SIP security use cases

(Diagram: Enterprise with IP PBX, IP Phones and Soft Clients on the VoIP VLAN, WiFi/Dual Mode Phones on the Data VLAN, a DMZ towards the Internet, Service Provider, Partner, Click-to-Talk, Hard Phone and Dual-mode Phone; threats shown as Rogue Device, Rogue Employee, Infected PC, Spammer and Bad Guys)
► SIP IM Compliance
► IP PBX Security
► Remote User Security
► WiFi/Dual-mode Phone Security
► Secure Proxy
► Click-to-Talk Security
► SIP Trunk Security

Crumbling Enterprise perimeter: Extension from trusted to untrusted domains
• Soft clients
• Remote users
• SIP trunks
• Mobility
• Click-to-talk

Customer pain points
• Secure remote UC enablement
• Security threats from external and internal clients
• Multiple exceptions on secure firewalls to enable UC
Security Gaps with SIP Trunks

(Diagram: Enterprise LAN with PBX, SIP Trunk over the Internet to the ITSP and PSTN; Rogue Device)
• Security policy
  – ITSP vs. enterprise policy
  – Firewall for layer 3-4
  – ? for VoIP layer
• Threat protection
  – PBX open to ITSP misconfigurations
  – 1 TDM PRI = 23 calls
  – 1 Mb IP connectivity = 100 to 1000 INVITE
• Privacy
  – Encryption over my LAN but not over ITSP WAN?
UC Security Solution for SIP Trunks

(Diagram: Enterprise LAN with PBX, UC security device on the SIP Trunk towards the Internet, ITSP and PSTN; Rogue Device)
• Security policy
  – Control your own policies
  – Demark VoIP layer
• Threat protection
  – Flood protection
  – Signatures for UC vulnerabilities
• Privacy
  – TLS/SRTP
Holistic Approach for UC Security
• Establish policy
  – Define security policies based on needs of organization
• Assess risk
  – Perform VoIP vulnerability assessment
• Implement protection
  – Deploy comprehensive, real-time UC security solution
• Manage compliance
  – Policy enforcement and reporting
  – Ongoing, periodic assessments

UC Security Best Practices
• Perform UC vulnerability assessment
  – Identify risks and potential vulnerabilities
• Implement strong UC policies
  – Enforce signaling, media and application rules
• Police UC security zones
  – Control access based on network, user AND device
• Apply UC-specific threat protection
  – Backed by dedicated VoIP and UC security research
  – Understand user behavior to eliminate false +/-
• Access control for UC
  – Strong two-factor authentication
• Enforce strong encryption
  – All signaling and media must be encrypted for privacy
• Address all dimensions of UC
  – Not just networks
  – Not just users
  – Device mobility: Wi-Fi phones/Softphones
  – User mobility: Shared office spaces

(Diagram: Multi-Dimensional UC Policies spanning User and Network)
Confidentiality and Privacy

(Diagram: SSN 123-45-6789 carried in the clear versus protected)
• Signaling encryption – TLS
• Media encryption – SRTP
• User privacy – Caller ID hiding
• Network privacy – Topology hiding
• Blocking reconnaissance scans
Integrity and Access Control
• Strong authentication
– X.509 Certificates, 2-Factor Authentication, SIP Digest Authentication
• Integrity protection
– TLS with SHA1, SRTP with SHA1, SIP Digest with auth_int
• Blocking spoofing, caller ID fraud, rogue devices and rogue media packets
• Configuration and patch enforcement, quarantine
Availability and Threat Protection
• Blocking application layer DoS floods
• Blocking distributed denial of service (DDoS)
• Blocking stealth DoS
• Blocking malformed or fuzzed messages
SIP Trunk Security & Enablement

(Diagram: ISP/Operator Network with SIP Server and Routers connecting Enterprises A to D; Enterprise A shown with a DMZ between the External FW/NAT and the Internal FW, IP PBX, Soft Clients & IP Phones inside; Bad Guys on the outside)
Functions of the SIP trunk security device in the DMZ:
• VoIP VPN
• TLS proxy
• SRTP proxy
• VoIP Firewall
• FW/NAT traversal
• Whitelist/Blacklist
• Call admission control
• Domain Policies
• Call Routing Policies
• VoIP Intrusion Prevention
• VoIP Anti-spam
Comprehensive, Real-time UC Security

(Diagram: Enterprise with IP PBX & VLANs, PBX and PSTN, SIP Trunks to the ITSP, Mobile Workspaces over the Internet; threats shown as Hacker, Rogue Device, Infected PC)
• Define security policies
  – What UC applications you are planning to use and rules that govern UC?
• Address risks and gaps
  – Understand new risks due to UC in your deployment
  – Understand new gaps introduced in current security
• Address special needs for UC
  – Real-time
  – Peer-to-peer
  – UC security zones
• Deploy UC security solution
  – Threat protection
  – Policy enforcement
  – Access control
  – Privacy
SIP Trunk requirements
Enablement
• Will it work?
• Changes, upgrades to installed VoIP
• Voice Quality
• Visibility QoS/SLA
• Need to change FW policy?
Control
• Who, from where, when?
• Control services and features
Protection
• What about toll fraud, SPAM, DoS?
• Who has access to my PBX?
• Monitoring of security incidents
• Who has access to my private
communications?
SIP Trunk security device functionality
Secure UC Access
• Keep PBX, phones, numbering
• Enforce voice quality
• Visibility in voice quality SLAs
• Topology hiding of internal network
• Standards based encryption TLS/SRTP
• X.509 Certificate, digest authentication, AAA
UC Policy Enforcement
• Enhance security policies
• Control real-time services
• Black list domains/users
• Control access based on network, device, user,
SIP domain, time of day
UC Threat Prevention
• Block DoS/DDoS
• Block malicious traffic
• Block spoofed devices
• Zero day protection
Access Control: X.509 Certificate Based Mutual Authentication

Step 1: Install CA Root and Certificates from each side
• Remote Phone (Internet side): Root Certificate (Issuer: XYZ, Subject: XYZ) and Certificate (Issuer: XYZ, Subject: DeviceName)
• SIP IPCS in front of the IP PBX (Intranet side): Root Certificate (Issuer: XYZ, Subject: XYZ) and Certificate (Issuer: XYZ, Subject: Company-name SIP IPCS)
Step 2a: Send Cert & Cert Request
Step 2b: Send Cert; validate SIP Domain and Certificate Subject Name
Step 3: SIP Request
Step 4: Validated SIP Request forwarded to the IP PBX
Privacy: TLS/SRTP Encryption

(Diagram: IP PBX on the Intranet, Internal Firewall, DMZ with the security device, External Firewall/+NAT and Router, Internet, ITSP Soft Switch)
1. Encrypted signaling over TLS (Internet side)
2. Signaling over TCP/UDP (Intranet side)
3. Encrypted media SRTP (Internet side)
4. Media RTP (Intranet side)
• FW/NAT Traversal
• Unencrypted Signaling: SIP/TCP; Unencrypted Media: RTP
• Encrypted Signaling: SIP/TLS; Encrypted Media: SRTP (HW 50 usec)
• SRTP vs IPSEC: Overhead, latency, setup and routing considerations
NAT & Topology Hiding

Info from SIP headers that can expose topology
• Internal domains, application servers
• Hops in network (record-route option)
• L3-L4 info
• Call-id, Contact, Refer-to, Call-info, Geolocation, P-Asserted-Id …

(Diagram: user phone 192.168.1.187 and internal hosts 192.168.1.188, 192.168.1.198, 192.168.1.199 in FINANCE.COMPANY.COM / COMPANY.COM; security device 192.168.1.197 inside and 202.201.200.198 outside; ITSP 202.201.200.199; User2 in EXTERNAL.COM)
INVITE as seen at the hops on the diagram:
• From: [email protected] To: [email protected] SDP: 192.168.1.187
• From: [email protected] To: [email protected] SDP: 192.168.1.199
• From: [email protected] To: [email protected] SDP: 202.201.200.199
• From: [email protected] To: [email protected] SDP: 202.201.200.198
Privacy: User Identity privacy

(Diagram: user phone in COMPANY.COM, security device, ITSP, EXTERNAL.COM)
INVITE leaving the user: From: [email protected] To: [email protected]
INVITE leaving the enterprise towards the ITSP: From: [email protected] To: [email protected] P-Asserted-Id: [email protected] Privacy: Id
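The header rewrite behind the two slides above, as an added example that is not code from the presentation or from Sipera's product: the addresses 192.168.x.x, 202.201.200.198, FINANCE.COMPANY.COM and COMPANY.COM come from the diagrams, while the user names, the single replacement Via and the sample INVITE are constructed; the identity handling uses the RFC 3325 header names (P-Asserted-Identity, Privacy: id) rather than the slide's abbreviations.

```python
import re

# Constructed for this example: the enterprise's internal address space and domain,
# and the single external address/domain the trunk device presents to the ITSP.
INTERNAL_IP = re.compile(r"\b192\.168\.\d{1,3}\.\d{1,3}\b")
INTERNAL_DOMAIN = re.compile(r"FINANCE\.COMPANY\.COM", re.IGNORECASE)
EXTERNAL_IP, EXTERNAL_DOMAIN = "202.201.200.198", "COMPANY.COM"
# Headers dropped on the way out: hop/route info and anything the ITSP must not learn.
STRIP = {"via", "record-route", "call-info", "geolocation", "p-asserted-identity"}
ANON = '"Anonymous" <sip:anonymous@anonymous.invalid>'

def hide_topology(raw, privacy=False):
    """Rewrite an outbound INVITE so headers and SDP show only the external side.
    With privacy=True the real caller moves to P-Asserted-Identity (RFC 3325),
    which a trusted ITSP strips before the far end because of Privacy: id."""
    head, sep, body = raw.partition("\r\n\r\n")
    out, pai = [], None
    for i, line in enumerate(head.split("\r\n")):
        key = line.partition(":")[0].strip().lower()
        if i and key in STRIP:
            continue
        line = INTERNAL_DOMAIN.sub(EXTERNAL_DOMAIN, INTERNAL_IP.sub(EXTERNAL_IP, line))
        if privacy and key == "from":
            uri = re.search(r"<(sips?:[^>]+)>", line).group(1)
            tag = re.search(r";tag=[^;\s]+", line)
            pai = f"P-Asserted-Identity: <{uri}>"
            line = "From: " + ANON + (tag.group(0) if tag else "")
        out.append(line)
    # The device is the only visible hop: one Via of its own replaces all internal ones.
    out.insert(1, f"Via: SIP/2.0/TLS {EXTERNAL_IP}:5061;branch=z9hG4bK-ipcs")
    if pai:
        out += [pai, "Privacy: id"]
    # SDP o=/c= lines carry the phone's RFC1918 address; media is re-anchored on the device.
    return "\r\n".join(out) + sep + INTERNAL_IP.sub(EXTERNAL_IP, body)

def leaks(msg):
    """Internal identifiers still visible in a message (empty list means hidden)."""
    return INTERNAL_IP.findall(msg) + INTERNAL_DOMAIN.findall(msg)

# Constructed INVITE using the addresses from the diagram; user names are made up.
SAMPLE = (
    "INVITE sip:bob@EXTERNAL.COM SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.168.1.199:5061;branch=z9hG4bK-pbx\r\n"
    "Via: SIP/2.0/TLS 192.168.1.187:5061;branch=z9hG4bK-phone\r\n"
    "Record-Route: <sip:192.168.1.199;lr>\r\n"
    'From: "Alice" <sip:alice@FINANCE.COMPANY.COM>;tag=1928\r\n'
    "To: <sip:bob@EXTERNAL.COM>\r\n"
    "Call-ID: 7c3a1@192.168.1.187\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.187:5061>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 1 1 IN IP4 192.168.1.187\r\n"
    "c=IN IP4 192.168.1.187\r\nm=audio 4000 RTP/AVP 0\r\n"
)
```

A real B2BUA also rewrites the dialog state on the way back (responses, Contact of the far end) and relays the media itself; this block shows only the outbound header side.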
Fuzzing Protection: Protocol Scrubbing

Valid request line:
REGISTER sip:ss2.wcom.com SIP/2.0
Fuzzed request line:
%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S sip:ss2.wcom.com SIP/2.0
Remaining headers of the sample REGISTER sent to the call servers, identical in both cases:
Via: SIP/2.0/UDP there.com:5060
From: LittleGuy <sip:[email protected]>
To: LittleGuy <sip:[email protected]>
Call-ID: [email protected]
CSeq: 2 REGISTER
Contact: <sip:[email protected]>
Authorization: Digest username="UserB", realm="MCI WorldCom SIP", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:ss2.wcom.com", response="dfe56131d1958046689cd83306477ecc"
Content-Length: 0
• PROTOS and SIP torture signatures
  – Need to check signal messages against proper formatting, field length, content, etc.
  – Regex based flexible rules, per UA type based rules
• Signatures updatable constantly
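The scrubbing rule described in the bullets above, as an added example that is not part of the presentation: a Python checker that validates the request line, header syntax, field lengths, mandatory headers and CSeq agreement before a message is let through to the call servers. The limits and the sample messages are constructed for this example (only the user name, host and request lines come from the slide); a production scrubber would also validate each header's value grammar and the SDP body.

```python
import re

# Limits below are assumed values for this example, not a product's defaults.
MAX_LINE_LEN, MAX_HEADERS = 1024, 64
METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS",
           "REFER", "SUBSCRIBE", "NOTIFY"}
MANDATORY = {"via", "from", "to", "call-id", "cseq"}
# RFC 3261 grammar: "Method SP Request-URI SP SIP-Version" and "Name: value".
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>sips?:\S+) SIP/2\.0$")
HEADER = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9\-]*):\s*(?P<value>.*)$")
CSEQ = re.compile(r"^(?P<num>\d{1,10}) (?P<method>[A-Z]+)$")

def scrub(raw):
    """Structural check of one SIP request; returns (ok, reason)."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:                      # catches the %S%S... fuzzed request line
        return False, "malformed request line"
    if m.group("method") not in METHODS:
        return False, "unknown method " + m.group("method")
    headers = {}
    for line in lines[1:]:
        if line == "":             # empty line ends the header section
            break
        if len(line) > MAX_LINE_LEN:
            return False, "header line exceeds %d bytes" % MAX_LINE_LEN
        if line[0] in " \t":       # folded continuation of the previous header
            continue
        h = HEADER.match(line)
        if not h:
            return False, "malformed header: " + line[:40]
        headers.setdefault(h.group("name").lower(), []).append(h.group("value"))
        if len(headers) > MAX_HEADERS:
            return False, "too many headers"
    missing = MANDATORY - headers.keys()
    if missing:
        return False, "missing " + ", ".join(sorted(missing))
    c = CSEQ.match(headers["cseq"][0])
    if not c or c.group("method") != m.group("method"):
        return False, "CSeq does not match request method"
    return True, "ok"

# Sample messages constructed from the REGISTER on the slide (the user name
# and host come from its Via/Authorization fields; the rest is made up).
HEADERS = ("Via: SIP/2.0/UDP there.com:5060\r\n"
           "From: LittleGuy <sip:UserB@there.com>\r\n"
           "To: LittleGuy <sip:UserB@there.com>\r\n"
           "Call-ID: 123456789@there.com\r\n"
           "CSeq: 2 REGISTER\r\n"
           "Contact: <sip:UserB@100.101.102.103>\r\n"
           "Content-Length: 0\r\n\r\n")
VALID = "REGISTER sip:ss2.wcom.com SIP/2.0\r\n" + HEADERS
FUZZED = "%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S sip:ss2.wcom.com SIP/2.0\r\n" + HEADERS
OVERLONG = VALID.replace("there.com:5060", "there.com:5060;branch=" + "A" * 2000, 1)
```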
Spoofing Prevention

(Diagram: phone on the Intranet registering to the IP PBX through the IPCS; attacker on the Internet)
1. Phone registers
2. IPCS learns fingerprint
   IP, Src: 172.16.1.10, Dst: 172.16.1.20
   TCP, Src Port: 4925, Dst Port: 5060
   REGISTER sip:ss2.wcom.com SIP/2.0
   Via: SIP/2.0/UDP there.com:5060
   From: LittleGuy <sip:[email protected]>
   Call-ID: [email protected]
   Contact: <sip:[email protected]>
3. Phone moves to new location
4a. Phone tries to re-register
4b. Fingerprint mismatch, SIP Challenge, Response
5. Phone re-registration complete
6. IPCS updates fingerprint
7. Attacker script tries to spoof register
   IP, Src: 172.16.1.11, Dst: 172.16.1.20
   TCP, Src Port: 4933, Dst Port: 5060
   REGISTER sip:ss2.wcom.com SIP/2.0
   Via: SIP/2.0/UDP there.com:5060
   From: LittleGuy <sip:[email protected]>
   Call-ID: [email protected]
   Contact: <sip:[email protected]>
8. Fingerprint mismatch, SIP Challenge, No response, Registration disallowed

Zero-Day Attacks with Behavior Learning

(Diagram: IP PBX and Protected Endpoint on the Intranet; attacker and a new caller on the Internet)
1. Observe non-conformant rate of traffic to protected endpoint
2. Attacker makes call
3. Challenge, No response, Source Blocked
4. New call
5. Challenge, Valid Response
6. Allow call
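The two flows above (fingerprint-based spoofing prevention and rate-based behaviour learning), as an added example that is not code from the presentation or from Sipera's product: a hypothetical inline checker that learns a registration fingerprint per user, challenges on a fingerprint mismatch or a non-conformant request rate, and blocks sources that cannot answer. The realm, IP addresses and user name come from the slides; the password, the thresholds and the nonce scheme are constructed assumptions.

```python
import hashlib
from collections import defaultdict, deque

REALM = "MCI WorldCom SIP"     # realm taken from the slide's sample REGISTER
RATE_LIMIT, WINDOW = 5, 10.0   # assumed: more than 5 requests in 10 s is non-conformant

def digest_response(user, password, method, uri, nonce):
    """Digest response (RFC 2617 style, as SIP uses it) that a genuine UA computes."""
    ha1 = hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

class Guard:
    """Hypothetical inline checker standing in for the slides' IPCS."""
    def __init__(self, credentials):
        self.creds = credentials            # user -> password (server-side copy)
        self.fingerprints = {}              # user -> (src_ip, via, contact)
        self.events = defaultdict(deque)    # src_ip -> recent request times
        self.blocked, self.nonces = set(), 0
    def _rate_exceeded(self, src, now):
        q = self.events[src]; q.append(now)
        while now - q[0] > WINDOW:          # keep only the current window
            q.popleft()
        return len(q) > RATE_LIMIT
    def _challenge_passed(self, msg, answer):
        """Send a fresh nonce; 'answer' is the source's responder, None = silent."""
        self.nonces += 1
        nonce = f"nonce-{self.nonces}"
        if answer is None:
            return False
        expected = digest_response(msg["user"], self.creds[msg["user"]],
                                   msg["method"], msg["uri"], nonce)
        return answer(nonce) == expected
    def handle(self, msg, now, answer=None):
        src = msg["src_ip"]
        if src in self.blocked:
            return "source-blocked"
        if self._rate_exceeded(src, now):   # behaviour learning, steps 1-6
            if self._challenge_passed(msg, answer):
                return "allow"
            self.blocked.add(src)
            return "source-blocked"
        if msg["method"] == "REGISTER":      # spoofing prevention, steps 1-8
            fp = (src, msg["via"], msg["contact"])
            if self.fingerprints.get(msg["user"], fp) != fp and not self._challenge_passed(msg, answer):
                return "registration-disallowed"
            self.fingerprints[msg["user"]] = fp
            return "registered"
        return "allow"

def run_scenario():
    """Replays both slides with constructed addresses and returns the decisions."""
    g = Guard({"UserB": "constructed-secret"})
    phone = {"user": "UserB", "method": "REGISTER", "uri": "sip:ss2.wcom.com",
             "src_ip": "172.16.1.10", "via": "SIP/2.0/UDP there.com:5060",
             "contact": "<sip:UserB@172.16.1.10>"}
    ua = lambda n: digest_response("UserB", "constructed-secret", "REGISTER", "sip:ss2.wcom.com", n)
    out = [g.handle(phone, 0.0)]                                        # learn fingerprint
    out.append(g.handle(dict(phone, src_ip="172.16.1.12"), 60.0, ua))   # moved; answers challenge
    out.append(g.handle(dict(phone, src_ip="172.16.1.11"), 120.0))      # attacker script; silent
    flood = dict(phone, src_ip="172.16.1.11", method="INVITE")          # attacker makes calls
    return out + [g.handle(flood, 200.0 + i) for i in range(RATE_LIMIT + 2)]
```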
Remote user enablement: VoIP/Video, OCS, Telepresence

(Diagram: IP PBX, RADIUS AAA server and Token Auth Server on the Intranet; Internal Firewall+NAT, DMZ with the IPCS, External Firewall+NAT, Internet with remote users; firewall labels "5060 always open" and "100 - 1000 media ports")
• Encrypted Signaling & Media
• Voice/Video optimized
• Built in security
1. Static Firewall Channel: to enable secure channel between two IPCS
2. TLS Setup
3. Authenticate incoming user
4. Signaling over TLS (Internet side); Signaling over TCP/UDP (Intranet side)
5. SRTP/ERTP Media (Internet side); Media RTP (Intranet side)
4. Fingerprint Verification; DoS/DDoS and Fuzzing Prevention; Anomaly Detection and Prevention; Behavior Learning; Voice SPAM Prevention
5. Media Anomaly Detection and Prevention
Security Policy
• Before one can be secure, define what it means to be secure
• Security policy defines the constraints with which all UC is governed
  – What? (phones, servers)
  – Whom? (users)
  – Where? (networks, domains)
  – When? (time of day, day of week)
  – What level of security? Policy?
L7 granular policies

(Diagram: IP PBX with Data VLAN, VoIP VLAN and Internet; a Nokia E61 mobile phone appearing on the Data VLAN and, as a remote/mobile user, on the Internet)

Criteria: Network: Data VLAN; User: Support; Device: Nokia E61 Mobile Phone (Rogue Device)
Functionality: VoIP Firewall: Block

Criteria: Network: Data VLAN; User: Support; Device: Mobile Phone
Functionality:
• VoIP VPN: No crypto
• VoIP Firewall: G711, No NAT
• VoIP IPS: Protect against stealth attacks on phone
• Anti-spam: Protect against Spam

Criteria: Network: Internet; User: Support; Device: Nokia E61
35 © 2007 Sipera Systems, Inc. All Rights Reserved.
Remote/Mobile Users
Functionality:
• VoIP VPN: TLS/SRTP
• VoIP Firewall: Low BW, Remote NAT, Block Video
• VoIP IPS: Protect against stealth attacks on phone
• Anti-spam: Protect against Spam
Corporate Overview
Policy Enforcement: Centralized UC Policies

(Diagram: Enterprise IP PBX, IP Phones and Soft Clients on the VoIP VLAN, WiFi/Dual Mode Phones on the Data VLAN, Internet, SP, Partner, Click-to-Talk, Hard Phone, Dual-mode Phone)
Per request, policy is applied in this order:
1. Source Flow: Network, Device, User, Time of Day
2. Source Policy: App, Media, Routing, Security, Signaling
3. Apply Routing
4. Dest Flow: Network, Device, User, Time of Day
5. Dest Policy: App, Media, Security, Signaling
Policy Control: Network, Device, User, ToD

(Diagram: Enterprise IP PBX; IP Phones, Soft Clients and WiFi/Dual Mode Phones on the VoIP VLAN and Data VLAN; Internet, SP, Partner, Hard Phone, Click-to-Talk, Dual-mode Phone)
Flow Criteria:
• Determine Network: VoIP VLAN, Data VLAN, Internet, SP, Partner
• Determine Device: IP Phones, Soft Clients, Click-to-Talk, Hard Phone, Dual-mode Phone, WiFi/Dual Mode
• Determine User
• Determine ToD

Policy Enforcement: Application, Signaling, Security, Media
• Application Rules
• Media Rules
• Routing Rules
• Security Rules
• Signaling Rules
Examples shown:
• Media Rule: Codec Prioritization
• Application Rule: per-application priority (Low/High) for Voice, Video and IM, and Encryption (SRTP/RTP)
Mobility and Remote User

(Diagram: Enterprise IP PBX, Data VLAN, VoIP VLAN, Internet; Nokia E61 mobile phone)
Flow Criteria: Network: Data VLAN; User-Grp: Support; Device: Nokia E61
Service:
• Media: RTP, G711, No NAT
• Signaling: TCP, No NAT
• Security: Protect against stealth attacks on phone

Flow Criteria: Network: Internet; User-Grp: Support; Device: Nokia E61
Service:
• Media: SRTP, G729, NAT
• Signaling: TLS, Remote NAT
• Security: Protect against stealth attacks on phone

SIP Trunk Least Cost Routing

(Diagram: Enterprise IP Phones and IP PBX on the VoIP VLAN, Data VLAN, SIP trunks to SP 1 and SP 2)
Flow Criteria: Network: VoIP VLAN; User: Support; Device: Avaya 4602; ToD: Day
Service:
• Application: No IM, No Video
• Media: SRTP, G729
• Signaling: TLS
• Routing: SP1
• Security: Protect floods

Flow Criteria: Network: VoIP VLAN; User: Support; Device: Avaya 4602; ToD: Night
Service:
• Application: IM, Video
• Media: RTP, G711
• Signaling: TCP
• Routing: SP2
• Security: Protect floods

ToD and Priority Routing allows overall lower operation costs
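The flow-criteria to service mapping of the mobility, remote-user and Day/Night least-cost routing slides above, as an added example that is not from the presentation: a first-match policy lookup in Python. The VLAN address ranges, the Day window and the User-Agent strings used to recognise devices are constructed assumptions; the rule contents are the ones shown on the slides, and a flow matching no rule gets the VoIP Firewall "Block" action of the rogue-device case.

```python
import ipaddress

# Constructed network map; the slides name the zones but not their address ranges.
ZONES = {"VoIP VLAN": ipaddress.ip_network("10.10.0.0/16"),
         "Data VLAN": ipaddress.ip_network("10.20.0.0/16")}
DAY_HOURS = range(8, 18)          # assumed: 08:00-17:59 is "Day", anything else "Night"
BLOCK = {"firewall": "Block"}     # default for flows that match no rule (rogue device)
KNOWN_DEVICES = ("Nokia E61", "Avaya 4602")

def classify(src_ip, user_grp, user_agent, hour):
    """Derive the flow criteria: network zone, user group, device type, time of day."""
    ip = ipaddress.ip_address(src_ip)
    network = next((z for z, net in ZONES.items() if ip in net), "Internet")
    device = next((d for d in KNOWN_DEVICES if d in user_agent), "unknown")
    tod = "Day" if hour in DAY_HOURS else "Night"
    return {"network": network, "user": user_grp, "device": device, "tod": tod}

# Rules from the slides: criteria (None = any) -> service applied to the flow
POLICY = [
    ({"network": "Data VLAN", "user": "Support", "device": "Nokia E61", "tod": None},
     {"media": "RTP, G711, No NAT", "signaling": "TCP, No NAT",
      "security": "Protect against stealth attacks on phone"}),
    ({"network": "Internet", "user": "Support", "device": "Nokia E61", "tod": None},
     {"media": "SRTP, G729, NAT", "signaling": "TLS, Remote NAT",
      "security": "Protect against stealth attacks on phone"}),
    ({"network": "VoIP VLAN", "user": "Support", "device": "Avaya 4602", "tod": "Day"},
     {"application": "No IM, No Video", "media": "SRTP, G729", "signaling": "TLS",
      "routing": "SP1", "security": "Protect floods"}),
    ({"network": "VoIP VLAN", "user": "Support", "device": "Avaya 4602", "tod": "Night"},
     {"application": "IM, Video", "media": "RTP, G711", "signaling": "TCP",
      "routing": "SP2", "security": "Protect floods"}),
]

def lookup(criteria):
    """First-match evaluation; a None in a rule's criteria matches any value."""
    for match, service in POLICY:
        if all(v is None or criteria[k] == v for k, v in match.items()):
            return service
    return BLOCK

def decide(src_ip, user_grp, user_agent, hour):
    """Convenience wrapper: classify the flow, then apply the policy table."""
    return lookup(classify(src_ip, user_grp, user_agent, hour))
```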
UC vs Data Security

L7 services, Security
• VoIP/Video: Voice, Video, IM, Collaboration; Remote UC enablement, IP-PBX security, Mobility control, Toll fraud, mutual-auth, centralized management, TLS, SRTP, ERTP
• Data: Web Services, IM, File Transfer, Network Mgmt., Authentication, Directory Services, Name Services, SSL, IPSEC, SRTP

L7 protocol proxy
• VoIP/Video (Real time Voice/Video security): Call flow/state aware, behavioral AD, signatures, semantic protocol scrubbing, fingerprinting, VoIP SPAM, false +ve free drop actions; SIP, SCCP, IMS, UMA
• Data (Message security): Regex based, hierarchical policy; Statistical AD, IPS, AV signatures; Full/cut-through TCP proxy; HTTP, P2P, IM, SMTP, XML

DoS/DDoS Protection
• VoIP/Video: SIP (Avaya, Cisco, Msft Nortel), SCCP (Skinny), IMS, UMA, OCS
• Data: HTTP, FTP, ESMTP, TFTP

Protocol Inspection and RFC Compliance
• VoIP/Video: SIP, SCCP (Skinny), MGCP, TFTP, H.323, RTP/RTCP/RTSP, TAPI/JTAPI
• Data: HTTP, FTP, SMTP, TFTP, SMTP/ESMTP, DNS/EDNS, LDAP, NTP, RPC

Network Protection (both): TCP, UDP, IP, ICMP, DHCP
THANK YOU!!
Ravi Varanasi
Vice President, Engineering
Sipera Systems.
[email protected]
214-269-2437.