Securing the SIP Trunk
Ravi Varanasi, Vice President, Engineering
Sipera Systems, ravi@sipera.com
SIP Trunk
[Diagram: enterprise LAN with PBX and MGW, connected through the ISP and an ITSP SIP trunk over the Internet to the PSTN]
Definition:
• SIP Trunk: a service offered by an ITSP (Internet Telephony Service Provider) that connects a company's IP-PBX to the telephone system (PSTN) via the Internet using the SIP VoIP standard.
Extending VoIP:
• With an IP-PBX, enterprises have converged data and voice over the LAN; a SIP trunk allows enterprises to do the same over the WAN/Internet.
SIP Trunk Benefits for Enterprises
[Diagram: head-quarters and branches, each with PBX and MGW, reaching the PSTN through one ISP/ITSP SIP trunk over the Internet]
• Simplicity: works with installed IP-PBX and telephones
• Efficiency: bandwidth, least-cost ITSP route selection
• Cost savings: operational and capital
• Allows for consolidation: one ISP/ITSP, one data center
Functions of SIP trunk components
[Diagram: enterprise IP-PBX, SIP trunk, ITSP (remote SBC, soft switch, MGW), PSTN]
Remote SBC
• NAT traversal
• Protocol interworking
• RFC compliance, handling IOT (interoperability)
• Encryption termination
Soft Switch
• Interfacing with IP-PBXes from multiple vendors
• MGW connectivity for the PSTN
• CDRs, billing, payment services
• Call routing, dial plans
SIP IP-PBX: Trunk vs Line side functions
Trunk side
• Call delivery
– One switch (IP-PBX) to another
– Basis: routing rules, domain preferences, dial-plans, configuration
– Trunk reconfiguration/rerouting needed in case a user moves
• Call establishment
– Local IP-PBX to external network
– Between ITSPs
– Inter-site communication over the public domain
• Specific functions
– Admission control
– Policies: services offered
– Billing, CDRs
– Options for keepalive messages
Line side
• Call delivery
– End-user to IP-PBX
– Basis: registration and Contact-info driven
– Mobility control: call delivered based on the SIP Contact
• Call establishment
– Call leg 1: end-user to IP-PBX
– Call leg 2: IP-PBX to end-user (local), or IP-PBX to trunk
• Specific functions
– Phone registration
– Admission control
– VPN connectivity
Call establishment: Line side vs Trunk
[Ladder diagram, three IP-PBX columns and the SIP trunk: line-side endpoints REGISTER with the IP-PBX; an INVITE with SDP reaches the IP-PBX, which does a route lookup and forwards the INVITE with SDP over the SIP trunk; 200 OK with SDP flows back; media goes to the endpoint directly, or via the IP-PBX (line side) or via the IP-PBX and SIP trunk (trunk side) if anchored; optional REFER/re-INVITE with 200 OK mid-call; BYE and 200 OK tear the call down]
Multiple VoIP protocol environment
[Diagram: enterprise phones speak H.323, Skinny or SIP on the line side; the IP-PBX speaks SIP over the SIP trunk to the ITSP (remote SBC, soft switch, MGW) and on to the PSTN]
Enterprise IP-PBX
• Supports H.323/SIP/Skinny on the line side
• Converts signaling to SIP; initiates the INVITE
• Protocol interworking (SIP to others)
• Examples: NT CS1000: H.323/Unistim -> SIP; Cisco CCM: Skinny line side -> SIP; Avaya CM: H.323 -> SIP
• RFC compliance, handling IOT (interoperability)
Soft Switch
• Interfacing with IP-PBXes from multiple vendors
• MGW connectivity for the PSTN
• CDRs, billing, payment services
• Call routing, dial plans
“Bank” Case Study
[Diagram: head-quarters and branches with PBX/MGW connected by SIP trunk through the ITSP and Internet to the PSTN]
About “Bank”
• Global bank; 25,000 employees
• PBX vendor: Avaya
Business needs:
• Replace TDM trunks with SIP trunks to the carrier to reduce costs
• Consolidate distributed PBXs into 1 data center and remove them from 3 branches
Solution:
• Secure SIP trunks to HQ
• Secure SIP trunks to branches
Results:
• $70,000 per month on long-distance cost
• $15,000 per month saving for two branches (PBX/MGW maintenance)
• First-year saving of $1.1 million
Security and Enablement
• Comprehensive: VPN, firewall, IPS, DPI and anti-spam for UC
• Application-layer: VoIP protocols, call-state, services, subscriber aware
• Pervasive: soft phones, remote users, SIP trunks, click-to-talk
• Real-time: deterministic, very low latency; not store-and-forward
• Unified Communications: VoIP, IM, video, multimedia, presence, collaboration over SIP, SCCP, Microsoft OCS, IMS …
Need for a comprehensive application-layer security approach to enable pervasive, real-time unified communications
• Proliferation of Unified Communications over IP
• Need for granular control and real-time application-level security
• Confidentiality and integrity of communications
• QoS requirements for latency-sensitive applications
Policy enforcement: Key to security
Reactive security model
• Forensics
• Detect “bad behavior”
• Traditional IDS/IPS approach: signature/pattern detection
• Actions based on a vulnerability pattern
• Security breach
Proactive security model
• Enforce corporate admission policies
• Device/user level authentication
• Deep packet inspection firewall
• Granular rules based on match criteria: can partners call partners? Is video allowed in this domain? IM is OK, but no IM with attachments.
• Policy violation
Secure *ALL* open communication channels
Application-aware, L7 corporate granular admission control and authentication policies
[Diagram: SIP phones reach a centralized configuration server, an X.509 certificate server, a personal profile manager, a SIP enablement server, a corporate directory server and a web server over HTTP(S), SCEP, SOAP, SIP, LDAP and HTTP(S) respectively; media between SIP phones is (S)RTP]
Defense in Depth
[Diagram: traffic from the Internet and soft clients passes a Layer 3 firewall, a Layer 4 IDS/IPS and then the UC security function/device before reaching the call server. Attacks blocked by the firewall at Layer 3; attacks blocked by the IPS at Layer 4; legitimate traffic such as Microsoft/HTTP passes. UC-layer attacks the earlier layers miss: SIP/SCCP fuzzing, SCCP/SIP stealth attacks, SCCP/SIP spoofing, VoIP SPAM, SCCP/SIP/RTP floods]
• Real-time, VoIP call-state aware, signature and behavior-based signaling and media protection (including encrypted traffic)
• L3 security is now a commodity market
• Attacks are moving towards L7 as hackers target applications and services
• The network is a platform rather than a pipe
• Need of the hour: inline, reliable, low-latency deep packet inspection, state-aware security devices
SIP security use cases
[Diagram: enterprise with data VLAN and VoIP VLAN (IP phones, IP PBX), WiFi/dual-mode phones, a DMZ, soft clients on the Internet, a service provider, a partner, and click-to-talk, hard-phone and dual-mode-phone users; threats shown: rogue device, rogue employee, infected PC, bad guys, spammer]
Crumbling enterprise perimeter: extension from trusted to untrusted domains
• Soft clients
• Remote users
• SIP trunks
• Mobility
• Click-to-talk
Use cases
► Remote user security
► WiFi/dual-mode phone security
► Click-to-talk security
► SIP trunk security
► Secure proxy
► SIP IM compliance
► IP PBX security
Customer pain points
• Secure remote UC enablement
• Security threats from external and internal clients
• Multiple exceptions on secure firewalls to enable UC
Security Gaps with SIP Trunks
[Diagram: enterprise LAN with PBX, ITSP SIP trunk over the Internet to the PSTN, rogue device on the Internet side]
• Security policy
– ITSP vs. enterprise policy
– Firewall for layers 3-4; what for the VoIP layer?
• Threat protection
– PBX open to ITSP misconfigurations
– 1 TDM PRI = 23 calls; 1 Mb IP connectivity = 100 to 1000 INVITEs
• Privacy
– Encryption over my LAN but not over the ITSP WAN?
UC Security Solution for SIP Trunks
[Diagram: enterprise LAN with PBX, ITSP SIP trunk over the Internet to the PSTN, rogue device on the Internet side]
• Security policy
– Control your own policies
– Demark the VoIP layer
• Threat protection
– Flood protection
– Signatures for UC vulnerabilities
• Privacy
– TLS/SRTP
Holistic Approach for UC Security
• Establish policy: define security policies based on the needs of the organization
• Assess risk: perform a VoIP vulnerability assessment
• Implement protection: deploy a comprehensive, real-time UC security solution
• Manage compliance: policy enforcement and reporting; ongoing, periodic assessments
UC Security Best Practices
• Perform a UC vulnerability assessment: identify risks and potential vulnerabilities
• Implement strong UC policies: enforce signaling, media and application rules
• Police UC security zones: control access based on network, user AND device
• Apply UC-specific threat protection: backed by dedicated VoIP and UC security research; understand user behavior to eliminate false positives/negatives
• Access control for UC: strong two-factor authentication
• Enforce strong encryption: all signaling and media must be encrypted for privacy
Multi-Dimensional UC Policies
• Address all dimensions of UC
– Not just networks
– Not just users
• Device mobility
– Wi-Fi phones/softphones
• User mobility
– Shared office spaces
[Diagram: policy dimensions Network, Device, User and ToD (time of day)]
Confidentiality and Privacy
• Signaling encryption: TLS
• Media encryption: SRTP
• User privacy: caller ID hiding
• Network privacy: topology hiding
• Blocking reconnaissance scans
[Illustration: a cleartext payload “SSN: 123-45-6789” readable on the wire versus the same payload as unreadable ciphertext after encryption]
Integrity and Access Control
• Strong authentication: X.509 certificates, 2-factor authentication, SIP digest authentication
• Integrity protection: TLS with SHA1, SRTP with SHA1, SIP digest with auth-int
• Blocking spoofing, caller ID fraud, rogue devices and rogue media packets
• Configuration and patch enforcement, quarantine
[Illustration: a message “$1000” carrying its SHA hash is tampered into “$10000”; the hash no longer matches and the message is rejected]
Availability and Threat Protection
• Blocking application-layer DoS floods
• Blocking distributed denial of service (DDoS)
• Blocking stealth DoS
• Blocking malformed or fuzzed messages
SIP Trunk Security & Enablement
[Diagram: an ISP/operator network connecting Enterprises A, B, C and D; Enterprise A shown with external FW/NAT, DMZ, internal FW, soft clients and IP phones, IP PBX, SIP server and routers; bad guys on the operator network]
Functions of the SIP trunk security device:
• VoIP VPN: TLS proxy, SRTP proxy
• VoIP firewall: FW/NAT traversal, whitelist/blacklist, call admission control, domain policies, call routing policies
• VoIP intrusion prevention, VoIP anti-spam
Comprehensive, Real-time UC Security
• Define security policies: which UC applications are you planning to use, and which rules govern UC?
• Address risks and gaps: understand the new risks due to UC in your deployment; understand the new gaps introduced in current security
• Address special needs for UC: real-time, peer-to-peer, UC security zones
• Deploy a UC security solution: threat protection, policy enforcement, access control, privacy
[Diagram: enterprise PBX, IP PBX and VLANs, mobile workspaces; SIP trunks via the ITSP and Internet to the PSTN; threats: hacker, rogue device, infected PC]
SIP Trunk requirements
Enablement
• Will it work?
• Changes, upgrades to installed VoIP
• Voice quality
• Visibility: QoS/SLA
• Need to change FW policy?
Control
• Who, from where, when?
• Control services and features
Protection
• What about toll fraud, SPAM, DoS?
• Who has access to my PBX?
• Monitoring of security incidents
• Who has access to my private communications?
SIP Trunk security device functionality
Secure UC Access
• Keep PBX, phones, numbering
• Enforce voice quality
• Visibility in voice quality SLAs
• Topology hiding of the internal network
• Standards-based encryption: TLS/SRTP
• X.509 certificate, digest authentication, AAA
UC Policy Enforcement
• Enhance security policies
• Control real-time services
• Blacklist domains/users
• Control access based on network, device, user, SIP domain, time of day
UC Threat Prevention
• Block DoS/DDoS
• Block malicious traffic
• Block spoofed devices
• Zero-day protection
Access Control: X.509 Certificate Based Mutual Authentication
[Diagram: remote phone on the Internet, IP PBX on the intranet. Each side holds the root certificate (issuer XYZ, subject XYZ) and its own certificate issued by XYZ: subject “Company-name SIP IPCS” on the enterprise side, subject “DeviceName” on the remote side]
Step 1: install the CA root and certificates on each side
2a. Send certificate and certificate request
2b. Send certificate
3. SIP request
4. Validated SIP request: validate the SIP domain against the certificate subject name
Privacy: TLS/SRTP Encryption
[Diagram: remote phone on the Internet, external firewall/router, DMZ with the security device, internal firewall+NAT, IP PBX and soft switch on the intranet]
1. Encrypted signaling over TLS (Internet side)
2. Signaling over TCP/UDP (intranet side)
3. Encrypted media, SRTP (Internet side)
4. Media, RTP (intranet side)
• FW/NAT traversal
• Encrypted signaling: SIP/TLS; encrypted media: SRTP (HW 50 usec)
• Unencrypted signaling: SIP/TCP; unencrypted media: RTP
• SRTP vs IPsec: overhead, latency, setup and routing considerations
NAT & Topology Hiding
[Diagram: internal user at finance.company.com on 192.168.1.x addresses; the security device at 192.168.1.199 inside and 202.201.200.199 outside; the ITSP; PHONE at EXTERNAL.COM (202.201.200.198)]
Outbound, as sent by the internal phone:
INVITE
From: user@finance.company.com
To: PHONE@EXTERNAL.COM
SDP: 192.168.1.187
Outbound, as forwarded to the ITSP:
INVITE
From: user@company.com
To: PHONE@EXTERNAL.COM
SDP: 202.201.200.199
Inbound, as received from the ITSP:
INVITE
From: PHONE@EXTERNAL.COM
To: user@company.com
SDP: 202.201.200.198
Inbound, as delivered to the internal network:
INVITE
From: PHONE@EXTERNAL.COM
To: user@finance.company.com
SDP: 192.168.1.199
Info from SIP headers that can expose topology:
• Internal domains, application servers
• Hops in the network (Record-Route option)
• L3-L4 info
• Call-ID, Contact, Refer-To, Call-Info, Geolocation, P-Asserted-Identity …
Privacy: User Identity privacy
[Diagram: user at COMPANY.COM calling PHONE at EXTERNAL.COM through the ITSP]
As sent by the user:
INVITE
From: user@COMPANY.COM
To: PHONE@EXTERNAL.COM
As forwarded to the ITSP:
INVITE
From: ANONYMOUS@COMPANY.COM
To: PHONE@EXTERNAL.COM
P-Asserted-Id: user@COMPANY.COM
Privacy: Id
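The two rewrites shown on the last two slides, outbound topology hiding and caller-identity hiding, as an added Python example that is not part of the original deck or of Sipera's product: a constructed INVITE built from the diagram's domains and addresses is rewritten by a hypothetical SBC function. The internal-domain list, the RFC 1918 address pattern and the use of Privacy: id with P-Asserted-Identity (RFC 3323/3325) are assumptions.

```python
import re

# Constructed INVITE as the internal phone sends it; the domain and addresses are
# the ones in the slide's diagram (finance.company.com, 192.168.1.x, 202.201.200.199).
INTERNAL_INVITE = (
    "INVITE sip:PHONE@EXTERNAL.COM SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.168.1.188:5061;branch=z9hG4bK-1\r\n"
    "Record-Route: <sip:192.168.1.198;lr>\r\n"
    "From: <sip:user@finance.company.com>;tag=a1\r\n"
    "To: <sip:PHONE@EXTERNAL.COM>\r\n"
    "Contact: <sip:user@192.168.1.188:5061>\r\n"
    "Call-ID: 4f2c@192.168.1.188\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=user 1 1 IN IP4 192.168.1.187\r\n"
    "c=IN IP4 192.168.1.187\r\nm=audio 20000 RTP/AVP 0\r\n"
)
INTERNAL_DOMAINS = ("finance.company.com",)   # assumed list of hidden sub-domains
PUBLIC_DOMAIN = "company.com"
SBC_PUBLIC_IP = "202.201.200.199"              # the device's outside address
# RFC 1918 ranges; every match is replaced by the device's public address
PRIVATE_IP = re.compile(r"\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}"
                        r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b")

def split_message(msg):
    """Split into start line, [(name, value)] headers and body."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    return start, [tuple(p.strip() for p in l.split(":", 1)) for l in lines], body

def join_message(start, headers, body):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body

def hide_topology(msg):
    """Outbound rewrite: drop internal hops, hide internal domains and addresses."""
    start, headers, body = split_message(msg)
    kept = []
    for name, value in headers:
        if name.lower() in ("record-route", "route"):   # hops in the network
            continue
        for d in INTERNAL_DOMAINS:
            value = value.replace("@" + d, "@" + PUBLIC_DOMAIN)
        kept.append((name, PRIVATE_IP.sub(SBC_PUBLIC_IP, value)))  # Via, Contact, Call-ID
    return join_message(start, kept, PRIVATE_IP.sub(SBC_PUBLIC_IP, body))  # SDP c=/o=

def anonymize_identity(msg):
    """Caller-ID hiding: anonymous From plus P-Asserted-Identity and Privacy: id
    (RFC 3323/3325), so only the trusted ITSP sees the real identity."""
    start, headers, body = split_message(msg)
    kept = []
    for name, value in headers:
        if name.lower() == "from":
            uri = re.search(r"sip:[^>;\s]+", value).group(0)
            tag = re.search(r";tag=[^;\s]*", value)
            kept.append(("From", f'"Anonymous" <sip:anonymous@{PUBLIC_DOMAIN}>'
                         + (tag.group(0) if tag else "")))
            kept.append(("P-Asserted-Identity", f"<{uri}>"))
            kept.append(("Privacy", "id"))
        else:
            kept.append((name, value))
    return join_message(start, kept, body)
```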
Fuzzing Protection: Protocol Scrubbing
• PROTOS and SIP torture signatures
– Need to check signaling messages against proper formatting, field length, content, etc.
– Regex-based flexible rules, per-UA-type rules
• Signatures updatable constantly
[Diagram: call servers on the intranet behind the security device; the valid message is passed to the IP PBX, the fuzzed one is dropped]
Valid:
REGISTER sip:ss2.wcom.com SIP/2.0
Fuzzed:
%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S sip:ss2.wcom.com SIP/2.0
Via: SIP/2.0/UDP there.com:5060
From: LittleGuy <sip:UserB@there.com>
To: LittleGuy <sip:UserB@there.com>
Call-ID: 123456789@there.com
CSeq: 2 REGISTER
Contact: <sip:UserB@110.111.112.113>
Authorization: Digest username="UserB", realm="MCI WorldCom SIP", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:ss2.wcom.com", response="dfe56131d1958046689cd83306477ecc"
Content-Length: 0
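A protocol-scrubbing check of the kind this slide describes, added here as an example and not Sipera's signature engine: the messages are reconstructed from the slide's valid and fuzzed REGISTER, while the method whitelist, the length limits and the header checks are assumptions.

```python
import re

# RFC 3261 method names the trunk is allowed to carry (assumed whitelist).
METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REFER",
           "NOTIFY", "SUBSCRIBE", "INFO", "PRACK", "UPDATE", "MESSAGE", "PUBLISH"}
TOKEN = r"[A-Za-z0-9\-.!%*_+`'~]+"                 # RFC 3261 'token' (note: '%' is legal)
REQUEST_LINE = re.compile(rf"^({TOKEN}) (sips?:\S+) SIP/2\.0$")
HEADER_LINE = re.compile(rf"^({TOKEN}):\s*(.*)$")
REQUIRED = ("via", "from", "to", "call-id", "cseq")
MAX_LINE, MAX_METHOD = 1024, 16                      # assumed field-length limits

def scrub(raw):
    """Return the list of findings for one SIP request; [] means it passes."""
    findings = []
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line"]
    method = m.group(1)
    if method not in METHODS:       # grammar alone accepts '%S%S...', a whitelist does not
        findings.append("unknown method")
    if len(method) > MAX_METHOD:
        findings.append("method too long")
    seen = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h or len(line) > MAX_LINE:
            findings.append("bad header line")
            continue
        seen[h.group(1).lower()] = h.group(2)
    findings += [f"missing {r}" for r in REQUIRED if r not in seen]
    if "cseq" in seen and not re.fullmatch(rf"\d{{1,10}} {re.escape(method)}", seen["cseq"]):
        findings.append("CSeq does not match method")
    if "content-length" in seen and seen["content-length"] != str(len(body)):
        findings.append("Content-Length mismatch")
    return findings

# Constructed from the slide's REGISTER (CRLF line endings added).
VALID = (
    "REGISTER sip:ss2.wcom.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP there.com:5060\r\n"
    "From: LittleGuy <sip:UserB@there.com>\r\n"
    "To: LittleGuy <sip:UserB@there.com>\r\n"
    "Call-ID: 123456789@there.com\r\n"
    "CSeq: 2 REGISTER\r\n"
    "Contact: <sip:UserB@110.111.112.113>\r\n"
    'Authorization: Digest username="UserB", realm="MCI WorldCom SIP", '
    'nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", '
    'uri="sip:ss2.wcom.com", response="dfe56131d1958046689cd83306477ecc"\r\n'
    "Content-Length: 0\r\n\r\n"
)
# The fuzzed variant on the slide: the method replaced by 18 '%S' format specifiers.
FUZZED = VALID.replace("REGISTER sip:", "%S" * 18 + " sip:", 1)
```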
Spoofing Prevention
[Diagram: phone on the Internet registering with the IP PBX on the intranet through the IPCS]
1. Phone registers
2. IPCS learns the fingerprint
3. Phone moves to a new location
4a. Phone tries to re-register
4b. Fingerprint mismatch: SIP challenge, response
5. Phone re-registration complete
6. IPCS updates the fingerprint
7. Attacker script tries to spoof the registration
8. Fingerprint mismatch: SIP challenge, no response, registration disallowed
Captured REGISTERs for the same AOR from two source addresses:
IP, Src: 172.16.1.11, Dst: 172.16.1.20
TCP, Src Port: 4933, Dst Port: 5060
REGISTER sip:ss2.wcom.com SIP/2.0
Via: SIP/2.0/UDP there.com:5060
From: LittleGuy <sip:UserB@there.com>
Call-ID: 123456789@there.com
Contact: <sip:UserB@172.16.1.11>

IP, Src: 172.16.1.10, Dst: 172.16.1.20
TCP, Src Port: 4925, Dst Port: 5060
REGISTER sip:ss2.wcom.com SIP/2.0
Via: SIP/2.0/UDP there.com:5060
From: LittleGuy <sip:UserB@there.com>
Call-ID: 123456789@there.com
Contact: <sip:UserB@172.16.1.10>
Zero-Day Attacks with Behavior Learning
[Diagram: callers and an attacker on the Internet; the protected endpoint (IP PBX) on the intranet behind the IPCS]
1. Observe a non-conformant rate of traffic to the protected endpoint
2. Attacker makes a call
3. Challenge; no response; source blocked
4. New call
5. Challenge; valid response
6. Allow the call
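An added example, not the IPCS implementation, covering both the spoofing-prevention steps on the previous slide and the behavior-learning steps above: one guard that learns a registration fingerprint per AOR and a call rate per protected endpoint, challenges whatever deviates, and updates what it learned only on a valid response. The fingerprint fields, the thresholds and the constructed captures are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed captures modelled on the slide: the same AOR registering from two
# different source addresses (only the fields the guard inspects are included).
REG_FROM_10 = ("172.16.1.10", "REGISTER sip:ss2.wcom.com SIP/2.0\r\n"
               "Via: SIP/2.0/UDP there.com:5060\r\nFrom: LittleGuy <sip:UserB@there.com>\r\n"
               "Call-ID: 123456789@there.com\r\nContact: <sip:UserB@172.16.1.10>\r\n\r\n")
REG_FROM_11 = ("172.16.1.11", REG_FROM_10[1].replace("172.16.1.10", "172.16.1.11"))

def fingerprint(src_ip, msg):
    """AOR plus a fingerprint: where the REGISTER came from and what it claims."""
    aor = re.search(r"^From:.*?<sip:([^>]+)>", msg, re.M).group(1)
    contact = re.search(r"^Contact:\s*<sip:[^@>]*@?([^>;]+)", msg, re.M).group(1)
    via = re.search(r"^Via:\s*(\S+)", msg, re.M).group(1)
    return aor, (src_ip, contact, via)

class Guard:
    """Spoofing prevention (steps 1-8) and behavior-learning challenge (steps 1-6):
    anything that deviates from what was learned is challenged, never dropped
    outright, and only a valid response changes the learned state."""
    def __init__(self, max_calls=5, window=10.0):
        self.fp = {}                        # AOR -> learned fingerprint
        self.rate = defaultdict(deque)      # protected endpoint -> recent call times
        self.alert, self.verified, self.blocked = set(), set(), set()
        self.max_calls, self.window = max_calls, window

    def on_register(self, src_ip, msg):
        aor, fp = fingerprint(src_ip, msg)
        if aor not in self.fp:              # steps 1-2: first sight, learn it
            self.fp[aor] = fp
            return "allow"
        return "allow" if self.fp[aor] == fp else "challenge"   # 4b / 7

    def on_register_response(self, src_ip, msg, valid):
        aor, fp = fingerprint(src_ip, msg)
        if valid:                           # 5-6: the phone really moved
            self.fp[aor] = fp
            return "allow"
        return "deny"                       # 8: no/invalid response, registration disallowed

    def on_call(self, src_ip, endpoint, now):
        if src_ip in self.blocked:
            return "deny"
        q = self.rate[endpoint]
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_calls:         # step 1: non-conformant rate observed
            self.alert.add(endpoint)
        return "challenge" if endpoint in self.alert and src_ip not in self.verified else "allow"

    def on_call_response(self, src_ip, valid):
        if valid:                           # 5-6: caller answered, allow
            self.verified.add(src_ip)
            return "allow"
        self.blocked.add(src_ip)            # 3: no response, source blocked
        return "deny"
```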
Remote user enablement: VoIP/Video, OCS, Telepresence
[Diagram: remote soft clients and phones on the Internet, external firewall+NAT, DMZ with the IPCS, internal firewall+NAT, IP PBX on the intranet, RADIUS AAA server and token auth server; with a conventional firewall, port 5060 is always open and 100-1000 media ports have to be opened]
1. Static firewall channel: enables a secure channel between two IPCS
2. TLS setup
3. Authenticate the incoming user (RADIUS AAA, token authentication)
4. Fingerprint verification; signaling over TLS on the outside, over TCP/UDP on the inside
5. SRTP/ERTP media on the outside, RTP media on the inside; media anomaly detection and prevention
• DoS/DDoS and fuzzing prevention
• Anomaly detection and prevention, behavior learning, voice SPAM prevention
• Encrypted signaling and media
• Voice/video optimized
• Built-in security
Security Policy
• Before one can be secure, define what it means to be secure
• A security policy defines the constraints by which all UC is governed
– What? (phones, servers)
– Whom? (users)
– Where? (networks, domains)
– When? (time of day, day of week)
– What level of security?
© 2007 Sipera Systems, Inc. All Rights Reserved.
Corporate Overview
Remote/Mobile Users: L7 granular policies
[Diagram: data VLAN and VoIP VLAN with the IP PBX, a mobile phone on the data VLAN, and a rogue device and a remote mobile phone on the Internet]
Criteria: Network: Data VLAN; User: Support; Device: Nokia E61
Functionality: VoIP VPN: no crypto; VoIP firewall: G711, no NAT; VoIP IPS: protect against stealth attacks on the phone; Anti-spam: protect against SPAM
Criteria: Network: Internet; User: Support; Device: Nokia E61
Functionality: VoIP VPN: TLS/SRTP; VoIP firewall: low bandwidth, remote NAT, block video; VoIP IPS: protect against stealth attacks on the phone; Anti-spam: protect against SPAM
Criteria: Network: Data VLAN; User: Support; Device: mobile phone
Functionality: VoIP firewall: block
Policy Enforcement: Centralized UC Policies
[Diagram: enterprise with data VLAN, VoIP VLAN, IP PBX, IP phones, soft clients and WiFi/dual-mode phones; a partner, a service provider, and click-to-talk, hard-phone and dual-mode-phone users over the Internet. For each request the policy engine determines the SOURCE (network, device, user, time of day) and its FLOW (app, media, routing, security, signaling), applies the source policy and the routing, then determines the DEST (network, device, user, time of day) and its FLOW (app, media, security, signaling) and applies the destination policy]
Policy Control: Network, Device, User, ToD
[Diagram: same enterprise topology. Flow criteria: determine network (VoIP VLAN, data VLAN, Internet), determine device (hard phone, soft client, WiFi/dual mode), determine user, determine ToD. Policy enforcement then applies the application, signaling, security and media rules]
• Application rules
• Media rules
• Routing rules
• Security rules
• Signaling rules
Application rule: voice, video, IM
Media rule: codec prioritization (low, high); encryption (SRTP or RTP)
Mobility and Remote User
[Diagram: a mobile phone on the data VLAN with the IP PBX, and the same phone on the Internet]
Flow criteria: Network: Data VLAN; User group: Support; Device: Nokia E61
Service: Media: RTP, G711, no NAT; Signaling: TCP, no NAT; Security: protect against stealth attacks on the phone
Flow criteria: Network: Internet; User group: Support; Device: Nokia E61
Service: Media: SRTP, G729, NAT; Signaling: TLS, remote NAT; Security: protect against stealth attacks on the phone
SIP Trunk Least Cost Routing
[Diagram: enterprise VoIP VLAN with IP phones and IP PBX, SIP trunks to service providers SP 1 and SP 2]
Flow criteria: Network: VoIP VLAN; User: Support; Device: Avaya 4602; ToD: Day
Service: Application: IM, video; Media: RTP, G711; Signaling: TCP; Routing: SP2; Security: protect against floods
Flow criteria: Network: VoIP VLAN; User: Support; Device: Avaya 4602; ToD: Night
Service: Application: no IM, no video; Media: SRTP, G729; Signaling: TLS; Routing: SP1; Security: protect against floods
ToD and priority routing allow overall lower operating costs
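An added example, not the product's policy engine, of the first-match, multi-dimensional policy evaluation behind the mobility and least-cost-routing slides above: the rule contents are the slides' own, while the 08:00-18:00 definition of "Day", the wildcard matching and the default block rule are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One centralized policy entry: match criteria plus the service to apply."""
    name: str
    network: str = "*"          # '*' matches any value for that dimension
    user_group: str = "*"
    device: str = "*"
    hours: tuple = (0, 24)      # time-of-day window [start, end); wraps past midnight
    service: dict = field(default_factory=dict)

    def matches(self, flow):
        start, end = self.hours
        h = flow["hour"]
        in_tod = start <= h < end if start < end else (h >= start or h < end)
        return in_tod and all(
            want == "*" or want == flow[dim]
            for dim, want in (("network", self.network),
                              ("user_group", self.user_group),
                              ("device", self.device)))

# Rules taken from the slides; "Day" is assumed to be 08:00-18:00 local time.
POLICY = [
    Rule("lcr-day", "VoIP VLAN", "Support", "Avaya 4602", (8, 18),
         {"application": "IM, Video", "media": "RTP, G711", "signaling": "TCP",
          "routing": "SP2", "security": "protect floods"}),
    Rule("lcr-night", "VoIP VLAN", "Support", "Avaya 4602", (18, 8),
         {"application": "no IM, no Video", "media": "SRTP, G729", "signaling": "TLS",
          "routing": "SP1", "security": "protect floods"}),
    Rule("e61-lan", "Data VLAN", "Support", "Nokia E61",
         service={"media": "RTP, G711, no NAT", "signaling": "TCP, no NAT",
                  "security": "protect against stealth attacks on phone"}),
    Rule("e61-remote", "Internet", "Support", "Nokia E61",
         service={"media": "SRTP, G729, NAT", "signaling": "TLS, remote NAT",
                  "security": "protect against stealth attacks on phone"}),
    Rule("default", service={"firewall": "block"}),   # anything unmatched is blocked
]

def decide(flow, policy=POLICY):
    """First-match evaluation over the ordered policy; returns (rule name, service)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.service
    raise LookupError("policy has no default rule")
```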
UC vs Data Security
Applications: UC (VoIP/video): voice, video, IM, collaboration | Data: L7 services, security
Services: UC: remote UC enablement, IP-PBX security, mobility control, toll fraud, mutual-auth, centralized management, TLS, SRTP, ERTP | Data: web services, IM, file transfer, network mgmt., authentication, directory services, name services, SSL, IPsec, SRTP
Protocols: UC: SIP, SCCP (Skinny), MGCP, TFTP, H.323, RTP/RTCP/RTSP, TAPI/JTAPI | Data: HTTP, FTP, SMTP, TFTP, SMTP/ESMTP, DNS/EDNS, LDAP, NTP, RPC | Common: TCP, UDP, IP, ICMP, DHCP
Protocol inspection and RFC compliance: UC: SIP (Avaya, Cisco, Msft, Nortel), SCCP (Skinny), IMS, UMA, OCS | Data: HTTP, FTP, ESMTP, TFTP
Network protection: UC: VoIP DoS/DDoS protection | Data: data DoS/DDoS protection
Message security: UC: call flow/state aware, behavioral AD, signatures, semantic protocol scrubbing, fingerprinting, VoIP SPAM, false-positive-free drop actions | Data: regex-based, hierarchical policy; statistical AD, IPS, AV signatures
L7 protocol proxy: UC: SIP, SCCP, IMS, UMA | Data: full/cut-through TCP proxy for HTTP, P2P, IM, SMTP, XML
Real-time voice/video security
THANK YOU!!
Ravi Varanasi, Vice President, Engineering
Sipera Systems, ravi@sipera.com, 214-269-2437