for trusted, first class interactive communications


Acme Packet Confidential 2

Securing enterprise VOIP

Firewall pinhole/ACL are not enough

– Open signaling ACL

– Full range of RTP ports open

Data IDS not sufficient for SIP and H323

– Not inline of signaling and media

– Rely on triggers of other network elements that do not have call awareness

Session Border Controllers ARE VOIP security

– Track record of 5+ years of securing next gen VOIP networks

– Inline for signaling and media

– Call state

• clean up transactions and dialogs

• Verify valid users/devices

– Hardware based policing/filtering is most effective for DoS/DDoS attacks

– Protection against malicious software attacks

– Fraud prevention


Solution: enterprise SIP peering

Enterprise Migration

– Eliminate access charges per site

– Fully converge voice/data over MPLS VPN

– Data Center PBX model (centralization) drives SIP peering capacity

Security

– Hardware based signaling overload policing

– Full topology hiding (NAT) of signaling and media

– Session based RTP pin-holing (Rogue Protection)

– IP PBX/endpoint DoS prevention

– IPSec, TLS, SRTP

Signaling

– SIP Header Manipulation - vendor interop

– CAC - bandwidth and session based

Routing

– Local and ENUM

– Load balancing, failure based re-route

– Outbound to carriers

– Inbound to users PBX

[Diagram labels: IP access to PSTN, hosted services, IP extranet, other IP subscribers; Service Provider; Enterprise site, MPLS VPN or private network; H.323 or SIP PBX; SIP; SIP endpoints/server; Regional PBX]


Solution: enterprise SIP station side

Enterprise Migration

– Virtualizes the office and contact center

– Remote worker / traveling worker

– Small sites without MPLS connectivity

Security

– Hardware based signaling overload policing per user

– Full topology hiding (NAT) of signaling and media

– Session based RTP pin-holing (Rogue Protection)

– IP PBX/endpoint DoS prevention

– IPSec, TLS, SRTP

– Registration overload protection

– SIP Registration Based ACLs - only INVITEs pass from registered users

Signaling

– SIP Header Manipulation - vendor interop

– CAC - bandwidth and session based

– Per User CAC

– SBC Virtualization allows for Access and Peering on same SBC

[Diagram labels: Teleworkers; Internet; Enterprise site, MPLS VPN or private network; H.323 or SIP PBX; SIP; SIP endpoints/server; Regional Data Center PBX; NAT; Service Provider]


Solution: IP contact centers

[Diagram labels: MPLS; Internet; Customers; Managed SIP/H.323, codec X; Contact center - SIP/G.711; CSR1, CSR2, CSR3, CSR4, CSR5; Site A; Site B]

Enterprise Migration

– Reduces Transfer and Connect costs

– Increases visibility for transferred calls

– Tie in teleworkers to virtualize the Contact Center

Security

– Hardware based signaling overload policing per user

– Full topology hiding (NAT) of signaling and media

– Session based RTP pin-holing (Rogue Protection)

– IP PBX/endpoint DoS prevention

– IPSec, TLS, SRTP

– Registration overload protection

– SIP Registration Based ACLs - only INVITEs pass from registered users

Signaling

– SIP Header Manipulation - vendor interop

– Routing / failure re-routing

– CAC - bandwidth and session based

– SBC Virtualization allows for Access and Peering on same SBC

– Packet Replication to call recording devices


Acme Packet market-leading Net-Net product family

[Diagram labels: Net-Net 4000; Net-Net 4000 PAC; Net-Net 9000; Net-Net EMS; Net-Net OS; Multi-protocol; Security; Service reach; SLA assurance; Revenue & profit protection; Regulatory compliance; Management; High availability; Integrated & decomposed SBC configurations]


Net-Net 4000 series

Acme Packet Net-Net platform performance & capacity

Net-Net 9000 series

SD Signaling performance

1200 SIP mps, 85 SIP calls/sec

9600 mps, 680 SIP calls/sec

2100-8000 SIP mps, 150 – 570 SIP calls/sec

SR Signaling performance

Up to 500 calls/sec N/A TBD

Media sessions * 32K - 128K 256K -1million 32K – 128K

Transcoded sessions NA NA 0 – 16,000

Network interfaces (active)

(2 or 4) 1000 Mbps or (8) 10/100 Mbps

(32) 1000 Mbps (8 or 16) 1000 Mbps

High availability Inter-system 1x1 or Nx1 Intra-system

Package size/slots 1U / 2 slots 10U or 18U 7U / 13 slots

Net-Net 4000 series PAC

* Actual achievable session capacity is based on signaling performance


Net-Net OS architecture

[Architecture diagram, shown in three build steps on the slide. Labeled blocks: Session Control Subsystem; Network Processor Subsystem; Management & Configuration; Routing, Policy & Accounting; NAT Relay; Signaling Services; Media Control; Number Manipulation; Session Routing; Admission Control; Route Policy; Load Balancing; Traffic Controls; Accounting & QoS Reporting; DNS ALG; CLI; XML; SNMP; SYSLOG; RADIUS; Redundancy Management; Configuration Repository; Dynamic Access Control; Dynamic NAPT Relay; HNT / RTP Latching; Media Supervision Timers; Transcoding; Bandwidth Policing; QoS Measurements; QoS Marking; Lawful Intercept (CCC); DTMF Extraction; QoS Stats; NAT ALG; HTTP; TFTP; H248; MGCP/NCS; H323 B2B GK GW; SIP H323 IWF; SIP B2BUA; Security Front End; Access Control; Denial of Service Protection; Encryption Engine; Traffic Management; Signaling Flow Policing; DNS/ENUM; Resource and Bandwidth Control; Bandwidth Policy Enforcement; Bearer Resource Management]


SIP protocol repair and normalization

SIP header and parameter manipulation per realm and session agent

– Stripping

– Insertion

– Modification

Configurable SIP status code mapping per session agent

Inbound/outbound number manipulation rules per realm and session agent

Configurable SIP timers and counters per realm

Configurable Q.850-to-SIP status mapping

Configurable TCP/UDP transport per realm

Configurable option tag handling per realm

Configurable FQDN-IP / IP-FQDN mapping

SIP route header stripping

Malformed signaling packet filtering

Many SIP options for vendor and version inter-working

E.164 number normalization


Acme Packet hosted NAT traversal

Basic operation

– SIP client sends REGISTER to Net-Net SD’s address; SD forwards to registrar

– Net-Net auto-detects NATed clients

– In OK, SD instructs SIP client to refresh registration periodically to keep NAT binding open

– Net-Net SD provides to client SDP for media relay

– Media relay latches on first RTP packet. All packets relayed to destination client

[Diagram labels: Client; Firewall/NAT; Client; Net-Net SD; B2BUA; Media Relay; Signaling; Media; addresses 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5, 7.7.7.7]


Business continuity / redundancy

Redundant Net-Net product configurations offer non-stop performance

Supports new calls, no loss of active sessions (media and signaling) including capabilities (protocol dependent)

Preserves CDRs on failover

1:1 Active Standby architecture

Shared virtual IP/MAC addresses

Failover for node failure, network failure, poor health, manual intervention

– 40 ms failover time

Checkpointing of configuration, media & signaling state

Software option – requires no additional hardware

[Diagram labels: Find SD through DNS round-robin or configured proxy; sd0.co.jp; sd0.fc.co.jp; 10.0.0.1; Active; Standby; New call; All sessions stay up. Process new sessions immediately]


Service virtualization

[Diagram labels: Business Services; SOHO; Interconnect Services; Net-Net Session Director; Multi-Service Backbone]


Realms and realm groups

[Diagram labels: Realm group; Realm (repeated); Virtual IP; Resources; Policies; Signaling service; Media resources; Number translation tables; Signaling access control & DoS; Packet Marking policy; Media release policy; Bandwidth CAC policy; Session routing and interworking]


SIP-H.323 interworking

[Diagram labels: Enterprise Core; H.323 or SIP; SIP; PSTN; Voice ASP (SIP); Data Center IP services; PSTN origination & termination; IP PBX; Legacy PBX with GW]

Enterprise SIP & H.323 Interworking

– Supports all popular H.323 IP PBX vendors - Cisco, Avaya, Nortel etc.

– Maximizes investments made in legacy IP PBX

– Reduces termination costs as high capacity SP trunking is SIP

PBX & SIP-based services integration

– Transport services - 1+ dialing

– SIP Centrex-PBX integration with unified dial plan management

– Supports Cisco CM & other H.323 PBXs; H.323 gateway to TDM PBX

Voice ASP (calling card, directory, etc.)

– Enables connections with SIP & H.323 service providers


SD routing overview

Acme Packet’s Session Director has several “types” of routing mechanisms

– Local policies

• Extremely flexible; based on previous-hop, previous-realm, req-URI, From, cost, time/day, media-type, etc.

– ENUM

• Actually a subset of local-policies, so has that flexibility too

– Trunk-group-URI selection of next-hop or group of next-hops

• Per IETF draft-ietf-iptel-trunk-group, and for some proprietary TGIDs

– Request-URI matching cached registered endpoints

• For requests from core to dynamic subscribers

– Request-URI hostname resolution

– Route-header routing per RFC 3261

– Static 1:1 mapping

• For simple cases only needing security and protocol repair


Local-Route-Table – technical details

Sub-features

– Supports 200k+ routes

– Supports multiple, distinct local-route-tables

– Decision of whether and which local-route-table to use is based on the result of local-policies, so can do hybrid routing configs

– Supports regular expression results, similar to ENUM results

– Used to replace Request-URI with new value based on regex

– Route-tables are in XML format, gzipped

– Provides support for rn/cic-specific lookups, and user-defined prefix lengths

Useful for peering applications:

– Can choose which peer to send calls to based on it

– Can choose which core softswitch/gateway to send inbound calls to

Supports both proxy and b2bua modes


Traffic load balancing

Load balance multiple SIP/H.323 softswitches, application servers or gateways

Load balancing options

– Hunt

– Round Robin

– Least busy

– Lowest sustained rate

– Proportional

Detect & route around element failures

Session Agent Stats for H.323 & SIP destinations

Common Session Agent constraints

– Max sessions

– Max outbound sessions

– Max burst rate

– Max sustained rate

– Session Agent unavailable or unresponsive

SA1
hostname = gateway1.acme.com
ip-address = 192.168.1.50
realm-id = backbone
max-sessions = 500
max-outbound sessions = 500
max-burst-rate = 10cps
max-sustained rate = 8cps
allow-next-hop-lp = enabled
carriers = mci, att, sprint

SA2
hostname = gateway2.acme.com
ip-address = 192.168.1.51
realm-id = backbone
max-sessions = 200
max-outbound sessions = 200
max-burst-rate = 5cps
max-sustained rate = 4cps
allow-next-hop-lp = enabled
carriers = mci, att, sprint

SA3
hostname = gateway3.acme.com
ip-address = 192.168.1.52
realm-id = backbone
max-sessions = 300
max-outbound sessions = 300
max-burst-rate = 6cps
max-sustained rate = 5cps
allow-next-hop-lp = enabled
carriers = mci, att, sprint

Session Agent Group
name = acme_group
strategy = proportional
destinations = gateway1.acme.com, gateway2.acme.com, gateway3.acme.com

[Diagram labels: SA-1; 50% Traffic; 20% of Traffic; 30% of Traffic]


Session admission control

Realm based – access networks or transit links

– Realm and realm group bandwidth constraints

Session Agent based – call controllers or app servers

– Session Agent constraints (capacity, rate, availability, etc.)

– Softswitch, etc. – signaling rate limiting or “call gapping”

Per-user CAC

– Based on AOR or IP address

Address based

– Code gapping constraints based on destination address/phone #

Policy Server-based

– TISPAN RACS and Packet Cable Multimedia Policy Server interface

Overload protection

– Signaling

• Session border controller - rejects sessions gracefully when host processor >=90% load (default). This is a configurable option


Net-Net Session Director lawful intercept for hosted communications

Legal intercept independent of softswitch for both IP-PSTN and IP-IP calls

Supports SIP, MGCP and H.323

Call content - media flows replicated and forwarded to DF over Call Content Connection (CCC)

Call data - sent to DF over Call Data Connection (CDC)

[Diagram labels: PSTN; SIP, H.323, MGCP; Law enforcement agencies (LEAF & CF); Edge router; Lawful intercept server (DF & SPAF); Net-Net SD (AF); CDC; CCC; Service infrastructure; Signaling; Media; Subscribers]


Net-SAFE™


The net-net

Security issues are very complex and multi-dimensional

– Attack sophistication is growing while intruder knowledge is decreasing

Security investments are business insurance decisions

– Life – DoS attack protection

– Health – SLA assurance

– Property – service theft protection

– Liability – SPIT & virus protection

Degrees of risk (High to Low)

– Misconfigured devices

– Operator and Application Errors

– Peering

– Growing CPE exposure to Internet threats

– NEVER forget disgruntled Malcom, OfficeSpace

Only purpose-built Session border controllers protect enterprise assets


Riding the bull

Threat mitigation represents staying “ahead” of security threats

– Attackers don’t publish their methods

As data attack models have matured they have dramatically increased in number

– Putting pressure on security defense scale

The requirements of real-time services such as VoIP and multimedia are different from those of data

– Similar trends, different devices

Stateful, service-aware, and dynamic policy application

– Endpoints may be authenticated, but their intentions may not be

– Protocol messages may be valid, but how they’re used may not be


Net-SAFE

[Diagram labels: Worm/Virus & Malicious SW; Access Control & VPN Separation]


Three goals of Net-SAFE

[Diagram labels: Service Provider; Peer; Enterprise Access; Enterprise; Contact Center]

Protect the Enterprise’s Infrastructure

Protect the SBC

Protect the Service

DoS attacks remain the #1 security threat; the security element must first defend itself!


The SD is architected to secure…

Hardware and software-based DoS protection

– Trust and untrust queues with wire-speed packet classification and dynamic trust management integration

Smart Border DPI

– Security gateway fully terminates session traffic for signaling deep packet inspection

– Passive DPI is unable to function on the ever-growing amount of encrypted/compressed traffic flows

Real-time IDP

– Dynamic Trust Management leverages smart DPI and monitors traffic behavior patterns making trust level adjustments without administrator intervention

– Avoids harmful false-positive DoS risks

Extending trust to the endpoint

– IPsec, TLS, and SRTP


Hardware- and software-based DoS protection


Acme Packet multi-processor hardware architecture

[Diagram, repeated on the next slide with an enlarged view of the Security Engine. Labels: Security Engine; Network processor; Intelligent traffic manager; Network processor; Signaling processors; Security processors; Media Control Function; Session Control Function; Signaling; Media]


DoS logical hardware path

Perform ACL lookup and packet classification: chooses trusted, untrusted, or denied path

– Deny: Discard

– Trusted Path: classifier chose specific Trusted queue. Each Trusted queue can be set for average policed rates

– Untrusted Path: classifier chose 1 of 1k hash buckets (1k Untrusted queues). Total Untrusted pipe can be reserved a minimum amount of bandwidth, and a max if more is available

[Diagram labels: CAMs; Acme Hardware DoS Protection; RR; WRR; WRR; Tail Drop; To CPU; Total rate can be configured]


Software DoS policy

[Flow diagram labels: Must pass HW DoS policy + ACLs; Must pass SW DoS policy; Discard; SW DoS Decisions on SD; Check for legal message format (parse it); Check previous-hop is authorized; Check if below constraints limit / Reject Call; Check if below local CPU load threshold / Reject It; Allow]


SBC DoS protection features

Protect SBC from DoS and other attacks

– Both malicious and unintentional attacks

– Self-limiting ceiling check (%CPU) with graceful call rejection

– Automatically promotes/demotes device trust level based on behavior

– Enforced max aggregate rate for all traffic

– Separate, policed queues for management + control protocols

– Hardware capacity of NP subsystem is greater than all interfaces combined

– Reverse path forwarding checked for signaling + media

– Hardware-policed queues for control packets (ICMP, ARP, Telnet, etc.), separate from Trusted traffic


Smart Border DPI


Session DPI models

Full Protocol Termination via Security Gateway

– Breaks session into two segments for complete control

– Terminates and reinitiates signaling message & SDP with unique session IDs

– Simplifies traffic anomaly detection

– Able to inspect encrypted and compressed packets

Passive DPI via In-Line Security Appliance

– Maintains single session through system

– Modifies addresses in signaling messages & SDP as they pass thru system

– Unable to inspect encrypted and compressed packets

[Diagram labels: ALG; Segment 1; Segment 2]


SD DPI - the broadest set of protocols on the market

Over 80 known threats involving the following protocols

– SIP, H.323 – H.225, H.323 – H.245

– H.248, MGCP, NCS

– RTP

– TCP, UDP – IP – ICMP, ARP

SD DPI capabilities are coupled with scalable decryption/encryption processing to stand up against the strongest security defenses


Real-time IDP


Dynamic trust management

Dynamic trust level binds to hardware classification

Individual device trust classification

Provides fair access opportunity for new and unknown devices

Multi-queue access fairness for unknown traffic

Automatically promotes/demotes device trust level based on behavior

Per-device constraints and authorization


Promotion and demotion of users

Demotion occurs in stages

– Trusted to Untrusted, then

– Untrusted to Denied

Trusted to untrusted when:

– Registration timeout

– Excessive signaling messages

– Excessive malformed packets

Untrusted to denied demotion:

– Excessive signaling messages

– Excessive malformed packets

– Different from trusted to untrusted thresholds

Example (TP = time period)

– max-signal-threshold: 20

– untrusted-signal-threshold: 4

– Up to 4 messages / TP to become trusted

– If device sends >20 messages / TP, demoted to untrusted

– If can’t become trusted in 4 messages / TP, demoted to denied

[Message-flow diagrams. Promotion to trusted user - SIP: REG / 200 OK between UA1 and Registrar (Promotion UA1; 200 OK for Register); INVITE / 200 OK / ACK between UA1 and UA2 (Promotion UA1, Promotion UA2; 200 OK for Invite). Promotion to trusted user - MGCP: RSIP / 200 OK between GW1 and Soft Switch (Promotion GW1, Promotion soft-switch; 200 OK for RSIP); CRCX / 200 OK with GW1 (Promotion GW1; 200 OK for CRCX). Demotion to untrusted user - SIP.]
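The promotion and demotion rules on this slide can be modeled as a small per-device state machine. The following is an added example, not Acme Packet code: the class and function names are hypothetical, the time-period length is an assumed value (the slide gives none), and only the signaling thresholds and registration timeout are modeled, not malformed-packet counting.

```python
from dataclasses import dataclass

TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"

@dataclass
class Device:
    level: str
    window_start: float
    count: int = 0          # signaling messages seen in the current TP

class TrustTable:
    """Per-device trust level driven by signaling behaviour (illustrative model)."""

    def __init__(self, max_signal_threshold=20, untrusted_signal_threshold=4,
                 time_period=30.0):
        self.max_signal = max_signal_threshold              # slide value: 20
        self.untrusted_signal = untrusted_signal_threshold  # slide value: 4
        self.tp = time_period   # assumption: TP length in seconds
        self.devices = {}

    def _get(self, src, now):
        # New and unknown devices start on the untrusted path.
        dev = self.devices.setdefault(src, Device(UNTRUSTED, now))
        if now - dev.window_start >= self.tp:   # a new time period begins
            dev.window_start, dev.count = now, 0
        return dev

    def _move(self, dev, level, now):
        # Assumption: counters restart whenever the trust level changes.
        dev.level, dev.window_start, dev.count = level, now, 0

    def level(self, src):
        dev = self.devices.get(src)
        return dev.level if dev else UNTRUSTED

    def on_message(self, src, now):
        """Count one signaling message; return the device's level afterwards."""
        dev = self._get(src, now)
        if dev.level == DENIED:
            return DENIED       # assumption: denied devices stay denied here
        dev.count += 1
        if dev.level == TRUSTED and dev.count > self.max_signal:
            self._move(dev, UNTRUSTED, now)     # excessive signaling
        elif dev.level == UNTRUSTED and dev.count > self.untrusted_signal:
            self._move(dev, DENIED, now)        # never earned trust in time
        return dev.level

    def on_success(self, src, now):
        """A 200 OK was seen for the device's REGISTER/INVITE (or RSIP/CRCX)."""
        dev = self._get(src, now)
        if dev.level == UNTRUSTED:
            self._move(dev, TRUSTED, now)

    def on_registration_timeout(self, src, now):
        dev = self._get(src, now)
        if dev.level == TRUSTED:
            self._move(dev, UNTRUSTED, now)

def replay(trace, table=None):
    """Apply (time, source, event) tuples; return each device's final level."""
    table = table or TrustTable()
    for now, src, event in trace:
        if event == "msg":
            table.on_message(src, now)
        elif event == "200":
            table.on_success(src, now)
        elif event == "reg-timeout":
            table.on_registration_timeout(src, now)
    return {src: dev.level for src, dev in table.devices.items()}

# Constructed trace: ua1 registers and behaves, ua2 never completes a
# transaction, ua3 registers and then exceeds max-signal-threshold.
TRACE = ([(0.0, "ua1", "msg"), (0.1, "ua1", "200")] + [(1.0, "ua1", "msg")] * 10
         + [(0.0, "ua2", "msg")] * 5
         + [(0.0, "ua3", "msg"), (0.2, "ua3", "200")] + [(2.0, "ua3", "msg")] * 21)

if __name__ == "__main__":
    print(replay(TRACE))
```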


Extending trust to the endpoint


TLS (Transport Layer Security)

Required elements

– SD populated with Signaling Security Module (SSM) + 2GB memory

– TLS user agent (UA) on endpoint

– TLS server on SD

– Trusted Certificate Authority

TLS handshake between TLS UA and TLS server

– Using either single-sided (server authentication) OR

– Mutual authentication

SIP signaling only after successful TLS setup

Mix encrypted / unencrypted signaling

TCP / UDP / TLS interworking

[Diagram labels: TLS; SIP; Access; Intra-network; Inter-network]


TLS DoS protection

DoS protection for TLS (C4.1.1 / D6.0)

Benefit – prevent encryption starvation attacks

Problem overcome

– too many TLS conns to endpoint

– too many TLS conns to SIP interface

– too many quiet TLS connections

Application – SIP-TLS access

How it works - if a response to a SIP transaction is not received within a configurable period of time, TLS connection is torn down

[Diagram labels: TLS sessions; Timer]


IPsec (IP Security)

Manual keying

– Same key both ends IPSec tunnel

– Manual input of key

Selective encryption (2 SDs)

– All traffic (for peering)

– Signaling only

– Ia interface between SC and BG

Selective encryption: SD to UE

– Signaling only (Gm interface)

– Signaling and media

Select two modes for operation:

– Tunnel (entire IP packet) or transport (payload only) mode

– AH (anti-tampering) or ESP (encrypt + anti-tamper) mode

Encryption ciphers

– DES, 3DES-CBC, AES-CBC (128 bit and 256 bit), or NULL cipher

Data integrity hashes

– HMAC-MD5 or HMAC-SHA1

[Diagram labels: IPSec; SIP; Access; Intra-network; Inter-network]


SRTP (Secure Real-Time Transport Protocol)

SRTP key derivation

– 12 different options, including:

– SDES (Session Description Protocol Security Descriptions) – RFC 4568. Many customers asking for this

– MIKEY (Multimedia Internet KEYing) – we probably won’t do this

Using SDES

– Secure signaling (IPSec or TLS)

– Key exchanged in SDP (privacy provided by IPSec or TLS)

[Diagram labels: TLS; SIP; SRTP; Access; Intra-network; Inter-network]

Availability: NN9200: 1H / 08; NN4250: 2H / 08
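Because SDES carries the SRTP master key inside the SDP body, the key is only as private as the signaling hop that carries it. The following added example (not from the original slides) parses RFC 4568 `a=crypto` attributes out of a SIP message and reports keys of the wrong length or keys offered over a non-TLS transport. The function names and the sample INVITE are constructed for illustration, and the check assumes no IPsec tunnel underneath, which it cannot see.

```python
import base64
import re

# Master key + master salt length in bytes for the RFC 4568 crypto suites.
SUITE_KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "F8_128_HMAC_SHA1_80": 30,
}
# Transport token of a Via header (long or compact form).
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP\s*/\s*2\.0\s*/\s*(\w+)", re.I | re.M)
# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([^|;\s]+)", re.M)

def parse_crypto(sdp):
    """Return one dict per a=crypto line: tag, suite, decoded key+salt length."""
    offers = []
    for tag, suite, b64 in CRYPTO_RE.findall(sdp):
        try:
            length = len(base64.b64decode(b64, validate=True))
        except ValueError:          # not valid base64
            length = -1
        offers.append({"tag": int(tag), "suite": suite, "key_salt_len": length})
    return offers

def audit(sip_message):
    """List findings for SDES keys in one SIP message (empty list = clean)."""
    head, _, body = sip_message.partition("\r\n\r\n")
    via = VIA_RE.search(head)       # first match is the topmost Via: this hop only
    transport = via.group(1).upper() if via else "UNKNOWN"
    findings = []
    for o in parse_crypto(body):
        expected = SUITE_KEY_SALT_LEN.get(o["suite"])
        if expected is None:
            findings.append(f"crypto tag {o['tag']}: unknown suite {o['suite']}")
        elif o["key_salt_len"] != expected:
            findings.append(f"crypto tag {o['tag']}: {o['suite']} expects {expected} "
                            f"bytes of key+salt, got {o['key_salt_len']}")
        if transport != "TLS":
            findings.append(f"crypto tag {o['tag']}: SRTP key offered over "
                            f"{transport} signaling, readable on the wire")
    return findings

def sample_invite(transport, key_salt):
    """Constructed INVITE with one SDES offer; addresses and names are examples."""
    key = base64.b64encode(key_salt).decode()
    return "\r\n".join([
        "INVITE sip:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5061;branch=z9hG4bKconstructed",
        "Content-Type: application/sdp",
        "",
        "v=0",
        "m=audio 49170 RTP/SAVP 0",
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{key}|2^20",
        "",
    ])

if __name__ == "__main__":
    for transport in ("TLS", "UDP"):
        print(transport, audit(sample_invite(transport, bytes(range(30)))))
```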


Net-Net EMS


Net-Net EMS

Configuration

– Configure, provision, upgrade, inventory

– Multiple networks, multiple systems

Fault

– Manage and filter events, alarms and logs

Performance

– Monitor performance

Security

– Control EMS, system and function access by user or administrator group

– Per user audit trail

EMS management

– EMS configuration & management (back-up, upgrade, licensing, etc.)


Net-Net management

Net-Net 4250/9200 management interfaces and protocols

Interfaces

• Fault interface

– SNMPv2 (current), SNMPv3 (future), TL-1 (future)

• Configuration

– XML (current), CORBA (future)

• Accounting

– RADIUS CDRs

• Performance

– SNMPv2 (current), SNMPv3 (future), XML (future)

• Security

– RADIUS server (AAA), IPSec (future)

Protocols:

• TMF814

– This is the same as CORBA (future).

• SNMP

– SNMPv2 (current), SNMPv3 (future)


Full enterprise adoption of end-to-end real time IP communications in the call and data center

Proven Interoperability with Service Providers

Mediation of IP address spaces, codecs, signaling, transport, and encryption protocols

Scale for centralized, and solutions for decentralized architectures

Border trust and security

Revenue, cost and quality assurance

Regulatory and business compliance

Acme Packet brings financial strength and market leading experience, partners, support, and technology to the Enterprise market.

Why Acme Packet in the enterprise?