For trusted, first class interactive communications.
Acme Packet Confidential 2
Securing enterprise VOIP
Firewall pinhole/ACL are not enough
– Open signaling ACL
– Full range of RTP ports open
Data IDS not sufficient for SIP and H323
– Not inline of signaling and media
– Rely on triggers of other network elements that do not have call awareness
Session Border Controllers ARE VOIP security
– Track record of 5+ years of securing next gen VOIP networks
– Inline for signaling and media
– Call state
• clean up transactions and dialogs
• Verify valid users/devices
– Hardware based policing/filtering is most effective for DoS/DDoS attacks
– Protection against malicious software attacks
– Fraud prevention
Solution: enterprise SIP peering
Enterprise migration
– Eliminate access charges per site
– Fully converge voice/data over MPLS VPN
– Data Center PBX model (centralization) drives SIP peering capacity
Security
– Hardware based signaling overload policing
– Full topology hiding (NAT) of signaling and media
– Session based RTP pin-holing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPSec, TLS, SRTP
Signaling
– SIP header manipulation for vendor interop
– CAC: bandwidth and session based
Routing
– Local and ENUM
– Load balancing, failure based re-route
– Outbound to carriers
– Inbound to users' PBX
IP access to PSTN, hosted services, IP extranet, other IP subscribers
Diagram: enterprise sites (H.323 or SIP PBX, SIP endpoints/server, regional PBX) on an MPLS VPN or private network, peering over SIP with the service provider.
Solution: enterprise SIP station side
Enterprise migration
– Virtualizes the office and contact center
– Remote worker / traveling worker
– Small sites without MPLS connectivity
Security
– Hardware based signaling overload policing per user
– Full topology hiding (NAT) of signaling and media
– Session based RTP pin-holing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPSec, TLS, SRTP
– Registration overload protection
– SIP registration based ACLs: only INVITEs pass from registered users
Signaling
– SIP header manipulation for vendor interop
– CAC: bandwidth and session based
– Per user CAC
SBC virtualization allows for access and peering on the same SBC
Diagram: teleworkers behind NAT reach the SBC over the Internet; enterprise sites (H.323 or SIP PBX, SIP endpoints/server, regional data center PBX) on an MPLS VPN or private network; service provider peering.
Solution: IP contact centers
Diagram: customers reach the contact center over MPLS and the Internet (managed SIP/H.323, codec X); agents CSR1–CSR5 at Site A and Site B on SIP/G.711.
Enterprise migration
– Reduces transfer and connect costs
– Increases visibility for transferred calls
– Tie in teleworkers to virtualize the contact center
Security
– Hardware based signaling overload policing per user
– Full topology hiding (NAT) of signaling and media
– Session based RTP pin-holing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPSec, TLS, SRTP
– Registration overload protection
– SIP registration based ACLs: only INVITEs pass from registered users
Signaling
– SIP header manipulation for vendor interop
– Routing / failure re-routing
– CAC: bandwidth and session based
– SBC virtualization allows for access and peering on the same SBC
– Packet replication to call recording devices
Acme Packet market-leading Net-Net product family
– Products: Net-Net 4000, Net-Net 4000 PAC, Net-Net 9000, Net-Net EMS, Net-Net OS
– Attributes: multi-protocol, security, service reach, SLA assurance, revenue & profit protection, regulatory compliance, management, high availability
– Integrated & decomposed SBC configurations
Acme Packet Net-Net platform performance & capacity

                            | Net-Net 4000 series                    | Net-Net 9000 series           | Net-Net 4000 series PAC
SD signaling performance    | 1200 SIP mps / 85 SIP calls/sec        | 9600 mps / 680 SIP calls/sec  | 2100-8000 SIP mps / 150–570 SIP calls/sec
SR signaling performance    | Up to 500 calls/sec                    | N/A                           | TBD
Media sessions *            | 32K–128K                               | 256K–1 million                | 32K–128K
Transcoded sessions         | N/A                                    | N/A                           | 0–16,000
Network interfaces (active) | (2 or 4) 1000 Mbps or (8) 10/100 Mbps  | (32) 1000 Mbps                | (8 or 16) 1000 Mbps
High availability           | Inter-system 1x1 or Nx1                | Intra-system                  |
Package size/slots          | 1U / 2 slots                           | 10U or 18U                    | 7U / 13 slots

* Actual achievable session capacity is based on signaling performance
Net-Net OS architecture
Session Control Subsystem
– Management & Configuration: CLI, XML, SNMP, SYSLOG, RADIUS, redundancy management, configuration repository
– Routing, Policy & Accounting: number manipulation, session routing, admission control, route policy, load balancing, traffic controls, accounting & QoS reporting, DNS/ENUM
– Signaling Services: SIP B2BUA, SIP-H.323 IWF, H.323 B2B GK/GW, H.248, MGCP/NCS
– Security Front End: access control, denial of service protection, encryption engine, traffic management, signaling flow policing
– Resource and Bandwidth Control: bandwidth policy enforcement, bearer resource management
Network Processor Subsystem
– NAT Relay: dynamic access control, dynamic NAPT relay, HNT / RTP latching, NAT ALG (HTTP, TFTP), DNS ALG
– Media Control: media supervision timers, transcoding, bandwidth policing, QoS measurements, QoS marking, lawful intercept (CCC), DTMF extraction, QoS stats
SIP protocol repair and normalization
SIP header and parameter manipulation per realm and session agent
– Stripping
– Insertion
– Modification
Configurable SIP status code mapping per session agent
Inbound/outbound number manipulation rules per realm and session agent
Configurable SIP timers and counters per realm
Configurable Q.850-to-SIP status mapping
Configurable TCP/UDP transport per realm
Configurable option tag handling per realm
Configurable FQDN-IP / IP-FQDN mapping
SIP route header stripping
Malformed signaling packet filtering
Many SIP options for vendor and version inter-working
E.164 number normalization
Acme Packet hosted NAT traversal
Basic operation
– SIP client sends REGISTER to Net-Net SD’s address; SD forwards to registrar
– Net-Net auto-detects NATed clients
– In OK, SD instructs SIP client to refresh registration periodically to keep NAT binding open
– Net-Net SD provides to client SDP for media relay
– Media relay latches on first RTP packet. All packets relayed to destination client
Diagram: SIP client behind a firewall/NAT; Net-Net SD (B2BUA and media relay) in the signaling and media path to the far-end client.
Business continuity / redundancy
Redundant Net-Net product configurations offer non-stop performance
Supports new calls, no loss of active sessions (media and signaling) including capabilities (protocol dependent)
Preserves CDRs on failover
1:1 Active Standby architecture
Shared virtual IP/Mac addresses
Failover for node failure, network failure, poor health, manual intervention
– 40 ms failover time
Checkpointing of configuration, media & signaling state
Software option – requires no additional hardware
Diagram: active/standby SD pair sharing virtual IP 10.0.0.1 (sd0.co.jp, sd0.fc.co.jp); clients find the SD through DNS round-robin or a configured proxy. When the active unit fails, all sessions stay up and the standby processes new calls immediately.
Service virtualization
Diagram: Net-Net Session Director connecting business services, SOHO and interconnect services over a multi-service backbone.
Realms and realm groups
Resources and policies per realm:
– Signaling service
– Media resources
– Number translation tables
– Signaling access control & DoS
– Packet marking policy
– Media release policy
– Bandwidth CAC policy
Diagram: realms grouped into realm groups behind virtual IPs, with session routing and interworking between realms.
SIP-H.323 interworking
Diagram: enterprise core (H.323 or SIP; IP PBX and legacy PBX with gateway) interworked over SIP to the PSTN (origination & termination), a voice ASP (SIP) and data center IP services.
Enterprise SIP & H.323 interworking
– Supports all popular H.323 IP PBX vendors - Cisco, Avaya, Nortel etc.
– Maximizes investments made in legacy IP PBX
– Reduces termination costs as high capacity SP trunking is SIP
PBX & SIP-based services integration
– Transport services - 1+ dialing
– SIP Centrex-PBX integration with unified dial plan management
– Supports Cisco CM & other H.323 PBXs; H.323 gateway to TDM PBX
Voice ASP (calling card, directory, etc.)
– Enables connections with SIP & H.323 service providers
SD routing overview
Acme Packet’s Session Director has several “types” of routing mechanisms
– Local policies
• Extremely flexible; based on previous-hop, previous-realm, req-URI, From, cost, time/day, media-type, etc.
– ENUM
• Actually a subset of local-policies, so has that flexibility too
– Trunk-group-URI selection of next-hop or group of next-hops
• Per IETF draft-ietf-iptel-trunk-group, and for some proprietary TGIDs
– Request-URI matching cached registered endpoints
• For requests from core to dynamic subscribers
– Request-URI hostname resolution
– Route-header routing per RFC 3261
– Static 1:1 mapping
• For simple cases only needing security and protocol repair
Local-Route-Table – technical details
Sub-features
– Supports 200k+ routes
– Supports multiple, distinct local-route-tables
– Decision of whether and which local-route-table to use is based on the result of local-policies, so can do hybrid routing configs
– Supports regular expression results, similar to ENUM results
– Used to replace Request-URI with new value based on regex
– Route-tables are in XML format, gzipped
– Provides support for rn/cic-specific lookups, and user-defined prefix lengths
Useful for peering applications:
– Can choose which peer to send calls to based on it
– Can choose which core softswitch/gateway to send inbound calls to
Supports both proxy and b2bua modes
Traffic load balancing
Load balance multiple SIP/H.323 softswitches, application servers or gateways
Load balancing options
– Hunt
– Round Robin
– Least busy
– Lowest sustained rate
– Proportional
Detect & route around element failures
Session Agent stats for H.323 & SIP destinations
Common Session Agent constraints
– Max sessions
– Max outbound sessions
– Max burst rate
– Max sustained rate
– Session Agent unavailable or unresponsive
Example: three session agents in a Session Agent Group with the proportional strategy
SA1: hostname=gateway1.acme.com, ip-address=192.168.1.50, realm-id=backbone, max-sessions=500, max-outbound-sessions=500, max-burst-rate=10cps, max-sustained-rate=8cps, allow-next-hop-lp=enabled, carriers=mci, att, sprint (50% of traffic)
SA2: hostname=gateway2.acme.com, ip-address=192.168.1.51, realm-id=backbone, max-sessions=200, max-outbound-sessions=200, max-burst-rate=5cps, max-sustained-rate=4cps, allow-next-hop-lp=enabled, carriers=mci, att, sprint (20% of traffic)
SA3: hostname=gateway3.acme.com, ip-address=192.168.1.52, realm-id=backbone, max-sessions=300, max-outbound-sessions=300, max-burst-rate=6cps, max-sustained-rate=5cps, allow-next-hop-lp=enabled, carriers=mci, att, sprint (30% of traffic)
Session Agent Group: name=acme_group, strategy=proportional, destinations=gateway1.acme.com, gateway2.acme.com, gateway3.acme.com
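The proportional strategy over the Session Agent Group above, as an added example that is not Acme Packet code: it derives the 50/20/30 split from each agent's max-sessions and skips an agent that is unavailable or at its max-sessions or max-burst-rate limit. The weight derivation and the smooth weighted round robin are this example's assumptions, not the product's documented algorithm.

```python
"""Proportional load balancing across the slide's Session Agent Group.

Added example, not Acme Packet code. Assumptions: the 'proportional' share is
each agent's max-sessions over the group total (500/200/300 -> 50/20/30%),
realised as smooth weighted round robin; an agent is skipped while it is
unavailable or at its max-sessions or max-burst-rate constraint.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class SessionAgent:
    hostname: str
    ip_address: str
    max_sessions: int
    max_burst_rate: int        # calls accepted per one-second window
    active_sessions: int = 0
    burst_count: int = 0       # calls accepted in the current second
    available: bool = True     # False once the agent is detected unresponsive

    def eligible(self) -> bool:
        return (self.available
                and self.active_sessions < self.max_sessions
                and self.burst_count < self.max_burst_rate)


class SessionAgentGroup:
    """strategy = proportional, realised as smooth weighted round robin."""

    def __init__(self, name: str, destinations: list[SessionAgent]):
        self.name = name
        self.destinations = destinations
        self._credit = {a.hostname: 0 for a in destinations}

    def select(self) -> Optional[SessionAgent]:
        eligible = [a for a in self.destinations if a.eligible()]
        if not eligible:
            return None            # every destination is down or at a limit
        total = sum(a.max_sessions for a in eligible)
        for a in eligible:         # each eligible agent earns its weight per call
            self._credit[a.hostname] += a.max_sessions
        chosen = max(eligible, key=lambda a: self._credit[a.hostname])
        self._credit[chosen.hostname] -= total   # the winner pays for the round
        chosen.active_sessions += 1
        chosen.burst_count += 1
        return chosen

    def new_second(self) -> None:
        for a in self.destinations:
            a.burst_count = 0


def acme_group() -> SessionAgentGroup:
    """The three session agents as configured on the slide (realm backbone)."""
    return SessionAgentGroup("acme_group", [
        SessionAgent("gateway1.acme.com", "192.168.1.50", 500, 10),
        SessionAgent("gateway2.acme.com", "192.168.1.51", 200, 5),
        SessionAgent("gateway3.acme.com", "192.168.1.52", 300, 6),
    ])


def offer_traffic(group: SessionAgentGroup, seconds: int, cps: int) -> dict[str, int]:
    """Offer cps new calls per second for `seconds`; return calls per destination."""
    counts = {a.hostname: 0 for a in group.destinations}
    counts["rejected"] = 0
    for _ in range(seconds):
        group.new_second()
        for _ in range(cps):
            agent = group.select()
            if agent is None:
                counts["rejected"] += 1     # no eligible destination left
            else:
                counts[agent.hostname] += 1
    return counts
```

Offering 10 cps for 10 seconds yields exactly 50/20/30 calls; a burst of 30 calls in one second is capped at the agents' combined max-burst-rate of 21.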
Session admission control
Realm based – access networks or transit links
– Realm and realm group bandwidth constraints
Session Agent based – call controllers or app servers
– Session Agent constraints (capacity, rate, availability, etc.)
– Softswitch, etc. – signaling rate limiting or “call gapping”
Per-user CAC
– Based on AOR or IP address
Address based
– Code gapping constraints based on destination address/phone #
Policy Server-based
– TISPAN RACS and Packet Cable Multimedia Policy Server interface
Overload protection
– Signaling
• Session border controller - rejects sessions gracefully when host processor >=90% load (default). This is a configurable option
Net-Net Session Director lawful intercept for hosted communications
Legal intercept independent of softswitch for both IP-PSTN and IP-IP calls
Supports SIP, MGCP and H.323
Call content - media flows replicated and forwarded to DF over Call Content Connection (CCC)
Call data - sent to DF over Call Data Connection (CDC)
Diagram: subscribers (SIP, H.323, MGCP) pass through the Net-Net SD (AF) to the service infrastructure and PSTN; call content over CCC and call data over CDC go to the lawful intercept server (DF & SPAF) and on to law enforcement agencies (LEAF & CF).
Net-SAFE™
The net-net
Security issues are very complex and multi-dimensional
– Attack sophistication is growing while intruder knowledge is decreasing
Security investments are business insurance decisions
– Life – DoS attack protection
– Health – SLA assurance
– Property – service theft protection
– Liability – SPIT & virus protection
Degrees of risk (high to low)
– Misconfigured devices
– Operator and application errors
– Peering
– Growing CPE exposure to Internet threats
– NEVER forget disgruntled Malcom (Office Space)
Only purpose-built Session border controllers protect enterprise assets
Riding the bull
Threat mitigation represents staying “ahead” of security threats
– Attackers don’t publish their methods
As data attack models have matured they have dramatically increased in number
– Putting pressure on security defense scale
The requirements of real-time services such as VoIP and multimedia are different from those of data
– Similar trends, different devices
Stateful, service-aware, and dynamic policy application
– Endpoints may be authenticated, but their intentions may not be
– Protocol messages may be valid, but how they’re used may not be
Net-SAFE
Diagram: Net-SAFE threat and protection dimensions: worm/virus & malicious software; access control & VPN separation.
Three goals of Net-SAFE
– Protect the enterprise’s infrastructure
– Protect the SBC
– Protect the service
Diagram: service provider peer, enterprise access, enterprise and contact center borders.
DoS attacks remain the #1 security threat: the security element must first defend itself!
The SD is architected to secure…
Hardware and software-based DoS protection
– Trust and untrust queues with wire-speed packet classification and dynamic trust management integration
Smart Border DPI
– Security gateway fully terminates session traffic for signaling deep packet inspection
– Passive DPI is unable to function on the ever-growing amount of encrypted/compressed traffic flows
Real-time IDP
– Dynamic Trust Management leverages smart DPI and monitors traffic behavior patterns, making trust level adjustments without administrator intervention
– Avoids harmful false-positive DoS risks
Extending trust to the endpoint
– IPsec, TLS, and SRTP
Hardware- and software-based DoS protection
Acme Packet multi-processor hardware architecture
Diagram: network processors and an intelligent traffic manager handle the media path (Media Control Function); signaling processors and security processors (Security Engine) handle the signaling path (Session Control Function).
DoS logical hardware path
Acme hardware DoS protection
– CAMs perform ACL lookup and packet classification: chooses the trusted, untrusted, or denied path
– Denied path: discard
– Trusted path: the classifier chooses a specific trusted queue; each trusted queue can be set for average policed rates
– Untrusted path: the classifier chooses 1 of 1k hash buckets (1k untrusted queues) with tail drop; the total untrusted pipe can be reserved a minimum amount of bandwidth, and a maximum if more is available
– Queues are scheduled (RR / WRR) toward the CPU; the total rate can be configured
Software DoS policy
Traffic must pass the HW DoS policy + ACLs, then the SW DoS policy; what fails is discarded.
SW DoS decisions on SD
– Check for legal message format (parse it)
– Check previous-hop is authorized
– Check if below constraints limit; otherwise reject call
– Check if below local CPU load threshold; otherwise reject it
– Allow
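The software decision chain above in code, as an added example that is not Acme Packet code. It assumes that a format or previous-hop failure is dropped silently, that a constraint or CPU-overload failure is rejected gracefully with a 503, and that the previous hop is the source IP looked up in a constructed session-agent table; the sample INVITE is constructed for this example.

```python
"""Software DoS policy chain for traffic that already passed HW DoS policy + ACLs.

Added example, not Acme Packet code, in the order shown on the slide:
1) legal message format, 2) authorized previous hop, 3) constraint limit,
4) local CPU load threshold (>= 90% by default). Assumptions: 1) and 2)
are discarded silently, 3) and 4) are rejected with a 503, and the previous
hop is the source IP looked up in the session-agent table.
"""
from __future__ import annotations

import re
from typing import Optional

REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")


def parse_sip_request(raw: str) -> Optional[dict]:
    """Legal-format check: request line plus mandatory headers, else None."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None                    # header without a name/colon
        headers[name.strip().lower()] = value.strip()
    if any(h not in headers for h in REQUIRED_HEADERS):
        return None
    return {"method": m.group(1), "uri": m.group(2), "headers": headers}


class SoftwareDosPolicy:
    def __init__(self, session_agents: dict[str, str], max_sessions: int,
                 cpu_threshold: int = 90):
        self.session_agents = session_agents   # previous-hop IP -> session agent
        self.max_sessions = max_sessions       # constraint limit for new calls
        self.cpu_threshold = cpu_threshold     # host processor load, percent
        self.active_sessions = 0

    def decide(self, raw: str, src_ip: str, cpu_load: int) -> str:
        msg = parse_sip_request(raw)
        if msg is None:
            return "discard"                   # 1. illegal message format
        if src_ip not in self.session_agents:
            return "discard"                   # 2. previous hop not authorized
        if msg["method"] == "INVITE":          # only new calls consume capacity
            if self.active_sessions >= self.max_sessions:
                return "reject 503"            # 3. constraint limit reached
            if cpu_load >= self.cpu_threshold:
                return "reject 503"            # 4. overload: reject gracefully
            self.active_sessions += 1
        return "allow"


# Constructed sample INVITE from gateway1 (addresses as on the slide).
SAMPLE_INVITE = (
    "INVITE sip:2125551234@backbone.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@gateway1.acme.com>;tag=1928301774\r\n"
    "To: <sip:2125551234@backbone.example>\r\n"
    "Call-ID: a84b4c76e66710@gateway1.acme.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
AGENTS = {"192.168.1.50": "gateway1", "192.168.1.51": "gateway2"}
```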
SBC DoS protection features
Protect SBC from DoS and other attacks
– Both malicious and unintentional attacks
– Self-limiting ceiling check (%CPU) with graceful call rejection
– Automatically promotes/demotes device trust level based on behavior
– Enforced max aggregate rate for all traffic
– Separate, policed queues for management + control protocols
– Hardware capacity of NP subsystem is greater than all interfaces combined
– Reverse path forwarding checked for signaling + media
– Hardware-policed queues for control packets (ICMP, ARP, Telnet, etc.), separate from Trusted traffic
Smart Border DPI
Session DPI models
Full Protocol Termination via Security Gateway
– Breaks session into two segments for complete control
– Terminates and reinitiates signaling message & SDP with unique session IDs
– Simplifies traffic anomaly detection
– Able to inspect encrypted and compressed packets
Passive DPI via In-Line Security Appliance
– Maintains single session through system
– Modifies addresses in signaling messages & SDP as they pass thru system
– Unable to inspect encrypted and compressed packets
SD DPI - the broadest set of protocols on the market
Over 80 known threats involving the following protocols
– SIP, H.323 – H.225, H.323 – H.245
– H.248, MGCP, NCS
– RTP
– TCP, UDP
– IP
– ICMP, ARP
SD DPI capabilities are coupled with scalable decryption/encryption processing to stand up against the strongest security defenses
Real-time IDP
Dynamic trust management
Dynamic trust level binds to hardware classification
Individual device trust classification
Provides fair access opportunity for new and unknown devices
Multi-queue access fairness for unknown traffic
Automatically promotes/demotes device trust level based on behavior
Per-device constraints and authorization
Promotion and demotion of users
Demotion occurs in stages
– Trusted to untrusted, then
– Untrusted to denied
Trusted to untrusted when:
– Registration timeout
– Excessive signaling messages
– Excessive malformed packets
Untrusted to denied demotion:
– Excessive signaling messages
– Excessive malformed packets
– Different from trusted-to-untrusted thresholds
Example (TP = time period)
– max-signal-threshold: 20
– untrusted-signal-threshold: 4
– Up to 4 messages / TP to become trusted
– If device sends >20 messages / TP, demoted to untrusted
– If can’t become trusted in 4 messages / TP, demoted to denied
Ladder diagrams: promotion to trusted user - SIP (UA1 promoted on 200 OK for REGISTER from the registrar; UA1 and UA2 promoted on 200 OK for INVITE); promotion to trusted user - MGCP (GW1 and soft switch promoted on 200 OK for RSIP; GW1 promoted on 200 OK for CRCX); demotion to untrusted user - SIP.
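The staged promotion and demotion with the slide's thresholds (max-signal-threshold 20, untrusted-signal-threshold 4 per TP), as an added example that is not Acme Packet code. The malformed-packet limit, the reset of a device's counter when it is demoted, and all class and method names are this example's assumptions.

```python
"""Dynamic trust management: promotion and demotion of signaling endpoints.

Added example, not Acme Packet code, modelling the slide's thresholds:
max-signal-threshold = 20 and untrusted-signal-threshold = 4 messages per
time period (TP). A device is promoted to trusted by a 200 OK to its
REGISTER or INVITE and demoted in stages, trusted -> untrusted -> denied.
The malformed-packet limit and the counter reset on demotion are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"


@dataclass
class TrustPolicy:
    max_signal_threshold: int = 20        # msgs/TP a trusted device may send
    untrusted_signal_threshold: int = 4   # msgs/TP an untrusted device gets to earn trust
    max_malformed: int = 2                # constructed: malformed msgs/TP before demotion


@dataclass
class Device:
    level: str = UNTRUSTED    # new and unknown devices start in the untrusted queues
    msgs: int = 0             # signaling messages seen in the current TP
    malformed: int = 0        # malformed messages seen in the current TP


class TrustManager:
    def __init__(self, policy: Optional[TrustPolicy] = None):
        self.policy = policy or TrustPolicy()
        self.devices: dict[str, Device] = {}

    def level(self, ip: str) -> str:
        return self.devices.setdefault(ip, Device()).level

    def on_request(self, ip: str, malformed: bool = False) -> str:
        """Classify one inbound message; returns the queue/path it is given."""
        d = self.devices.setdefault(ip, Device())
        if d.level == DENIED:
            return "discard"
        d.msgs += 1
        d.malformed += int(malformed)
        too_many_malformed = d.malformed > self.policy.max_malformed
        if d.level == TRUSTED:
            if d.msgs > self.policy.max_signal_threshold or too_many_malformed:
                d.level, d.msgs, d.malformed = UNTRUSTED, 0, 0   # stage 1 demotion
                return "untrusted-queue"
            return "trusted-queue"
        if d.msgs > self.policy.untrusted_signal_threshold or too_many_malformed:
            d.level = DENIED                                     # stage 2 demotion
            return "discard"
        return "untrusted-queue"

    def on_success_response(self, ip: str, method: str) -> None:
        """A 200 OK for REGISTER or INVITE promotes the originating device."""
        d = self.devices.setdefault(ip, Device())
        if d.level == UNTRUSTED and method in ("REGISTER", "INVITE"):
            d.level, d.msgs = TRUSTED, 0

    def on_registration_timeout(self, ip: str) -> None:
        """Registration expiry demotes a trusted device to untrusted."""
        d = self.devices.setdefault(ip, Device())
        if d.level == TRUSTED:
            d.level, d.msgs, d.malformed = UNTRUSTED, 0, 0

    def new_time_period(self) -> None:
        for d in self.devices.values():
            d.msgs = d.malformed = 0
```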
Extending trust to the endpoint
TLS (Transport Layer Security)
Required elements
– SD populated with Signaling Security Module (SSM) + 2GB memory
– TLS user agent (UA) on endpoint
– TLS server on SD
– Trusted Certificate Authority
TLS handshake between TLS UA and TLS server
– Using either single-sided (server authentication) OR
– Mutual authentication
SIP signaling only after successful TLS setup
Mix encrypted / unencrypted signaling
TCP / UDP / TLS interworking
Diagram: TLS-protected SIP on the access, intra-network and inter-network legs.
TLS DoS protection
DoS protection for TLS (C4.1.1 / D6.0)
Benefit – prevent encryption starvation attacks
Problem overcome
– too many TLS conns to endpoint
– too many TLS conns to SIP interface
– too many quiet TLS connections
Application – SIP-TLS access
How it works - if a response to a SIP transaction is not received within a configurable period of time, the TLS connection is torn down
IPsec (IP Security)
Manual keying
– Same key at both ends of the IPSec tunnel
– Manual input of key
Selective encryption (2 SDs)
– All traffic (for peering)
– Signaling only
– Ia interface between SC and BG
Selective encryption: SD to UE
– Signaling only (Gm interface)
– Signaling and media
Select two modes for operation:
– Tunnel (entire IP packet) or transport (payload only) mode
– AH (anti-tampering) or ESP (encrypt + anti-tamper) mode
Encryption ciphers
– DES, 3DES-CBC, AES-CBC (128 bit and 256 bit), or NULL cipher
Data integrity hashes
– HMAC-MD5 or HMAC-SHA1
Diagram: IPsec-protected SIP on the access, intra-network and inter-network legs.
SRTP (Secure Real-Time Transport Protocol )
SRTP key derivation
– 12 different options, including:
– SDES (Session Description Protocol Security Descriptions) – RFC 4568. Many customers asking for this
– MIKEY (Multimedia Internet KEYing) – we probably won’t do this
Using SDES
– Secure signaling (IPSec or TLS)
– Key exchanged in SDP (privacy provided by IPSec or TLS)
Diagram: TLS-protected SIP signaling with SRTP media on the access, intra-network and inter-network legs.
Availability: NN9200 1H / 08; NN4250 2H / 08
Net-Net EMS
Net-Net EMS
Configuration
– Configure, provision, upgrade, inventory
– Multiple networks, multiple systems
Fault – manage and filter events, alarms and logs
Performance – monitor performance
Security – control EMS, system and function access by user or administrator group
– Per user audit trail
EMS management
– EMS configuration & management (back-up, upgrade, licensing, etc.)
Net-Net management
Net-Net 4250/9200 management interfaces and protocols
Interfaces
• Fault interface – SNMPv2 (current), SNMPv3 (future), TL-1 (future)
• Configuration – XML (current), CORBA (future)
• Accounting – RADIUS CDRs
• Performance – SNMPv2 (current), SNMPv3 (future), XML (future)
• Security – RADIUS server (AAA), IPSec (future)
Protocols:
• TMF814 – this is the same as CORBA (future)
• SNMP – SNMPv2 (current), SNMPv3 (future)
Why Acme Packet in the enterprise?
Full enterprise adoption of end-to-end real time IP communications in the call and data center
Proven interoperability with service providers
Mediation of IP address spaces, codecs, signaling, transport, and encryption protocols
Scale for centralized, and solutions for decentralized, architectures
Border trust and security
Revenue, cost and quality assurance
Regulatory and business compliance
Acme Packet brings financial strength and market leading experience, partners, support, and technology to the Enterprise market.