Securing the SIP Trunk

Securing the SIP Trunk

Ravi VaranasiVice President, Engineering

Sipera [email protected]

SIP trunk

LAN

PSTN

Internet

ISPITSPSIP Trunk

PBXMGW

Enterprise

Definition: • SIP Trunk: Service offered

by an ITSP (Internet Telephony Service Provider) that connects a company's IP-PBX to the telephone system (PSTN) via Internet using the SIP VoIP standard.

Extending VoIP: • With IP-PBX enterprise’s

have converged data and Voice over LAN, SIP trunk allows enterprises to do the same over WAN/Internet

SIP Trunk Benefits for Enterprises

ISPPSTNInternet

PBX MGW

ITSP

SIP Trunk

PBX MGW PBX MGW

Simplicity: works with installed IP-PBX and telephones

Efficiency: Bandwidth, least cost ITSP route selection.

Cost Savings: Operational and Capital

Allows for Consolidation: One ISP/ITSP, One Data Center

Head-Quarters Branches

Functions of SIP trunk components

SIP Trunk

Enterprise

IP-PBX

Remote SBC• NAT traversal• Protocol Interworking• RFC compliance, handling IOT• Encryption termination.

Soft Switch• Interfacing with IP-PBX’es from multiple vendors• MGW connectivity for PSTN• CDRs, Billing, Payment services• Call routing, Dial plans

Remote SBC• NAT traversal• Protocol Interworking• RFC compliance, handling IOT• Encryption termination.


PSTN

Remote SBC

MGW

Soft Switch

ITSP

SIP IP-PBX: Trunk vs Line side functions

• Call delivery– One switch (IP-PBX) to another– Basis: Routing rules, domain

preferences, dial-plans, configuration.

– Trunk reconfig/rerouting needed in case user moves.

• Call establishment– Local IP-PBX to Ext-network– Between ITSPs– Inter-site communication over

public domain.• Specific functions

– Admission control– Policies: Services offered– Billing, CDRs– Options for keepalive messages

• Call delivery– End-user to IP-PBX– Basis: Registration, Contact info

driven.– Mobility control: call delivered

based on SIP:Contact

• Call establishment– Call leg1: End-user to IP-PBX.– Call leg2:

• IP-PBX to end-user (local)• IP-PBX to Trunk

• Specific functions– Phone registration– Admission control– VPN connectivity

Call establishment: Line side vs Trunk

IP-PBX IP-PBX IP-PBX

SIP Trunk

INVITE SDP

BYE

REGISTERREGISTER

REINVITE

200 OK

200 OK SDP

Media to endpointVia IP-PBX if anchored

Optional

200 OK BYE

REFER

200 OK SDP

Media to endpointVia IP-PBX- SIP trunk if anchored

200 OK

200 OK

INVITE SDP

Route lookup

REFER/REINV Optional

Multiple VoIP protocol environment

SIP Trunk

Enterprise

PSTN

Remote SBC

MGW

Soft Switch

ITSP

H.323 or Skinny or SIPH.323 or Skinny or SIP

SIPSIP

Enterprise IP-PBX• Supports H.323/SIP/Skinny on line side• Converts signaling to SIP. Initiates INVITE• Protocol Interworking (SIP others)

• Ex: NT CS1000: H323/Unistim -> SIP• Cisco CCM: Skinny line side -> SIP• Avaya CM: H.323 -> SIP

• RFC compliance, handling IOT


Enterprise IP-PBX• Supports H.323/SIP/Skinny on line side• Converts signaling to SIP. Initiates INVITE• Protocol Interworking (SIP others)

• Ex: NT CS1000: H323/Unistim -> SIP• Cisco CCM: Skinny line side -> SIP• Avaya CM: H.323 -> SIP

• RFC compliance, handling IOT


“Bank” Case Study

PSTNInternet

PBX MGW

ITSP

SIP Trunk

Head-Quarters Branches

Solution:• Secure SIP Trunks to HQ• Secure SIP Trunks to branches

Results:• $ 70,000 per month on long distance cost• $ 15,000 per month saving for two branch

(PBX/MGW maintenance)• First year saving of $1.1 million

About “Bank”• Global Bank; 25000 Employees• PBX Vendor: Avaya

Business Needs: • Replace TDM Trunks with SIP Trunks to

carrier to reduce costs• Consolidate distributed PBXs to 1 data-

centers and remove from 3 branches

Security and Enablement

Comprehensive VPN, Firewall, IPS, DPI & Anti-Spam for UC

Application-Layer VoIP protocols, call-state, services, subscriber aware

Pervasive Soft Phones, Remote Users, SIP Trunks, Click-to-Talk

Real-time Deterministic, very low latency; Not store and forward

Unified Communications

VoIP, IM, Video, Multimedia, Presence, CollaborationOver SIP, SCCP, Microsoft OCS, IMS …

Need for a comprehensive application-layer security approach

enable pervasive, real-timereal-time unified communications

Proliferation of Unified Communications over IP Need for Granular control, Realtime application level security Confidentiality, Integrity of communications

QoS requirements for latency sensitive applications

Reactive Security modelForensics

Detect “Bad behavior”

Traditional IDS/IPS approachSignature/Pattern detection

Policy enforcement: Key to security

Proactive Security modelEnforce corporate admission policies

Device/User level authDeep packet inspection firewall

Policy violation Security Breach

Granular rules based on match criteriaCan partners call partners?

Is video allowed in this domain? IM is ok, no IM with attachments.

Actions based on a vulnerability pattern

Application aware, L7 corporate granular admission control, authentication policies

HTTP(S)HTTP(S)

SCEPSCEP

SOAPSOAP

SIPSIP

LDAPLDAP

HTTP(S)HTTP(S)

(S)RTP(S)RTP

Secure *ALL* open communication channels

Centralized Configuration Server

X.509 Certificate Server

Personal Profile Manager SIP Enablement Server

Corporate Directory Server

Web Server

SIP PhoneSIP Phone

SIP PhoneSIP Phone

Defense in Depth

FirewallUC security

function/deviceCall Server

Layer 3

Attacks blocked by Firewall

IDS/IPS

Legitimate Traffic

Microsoft/ HTTP

Layer 4

Attacks blocked by IPS

SIP/SCCP Fuzzing

SCCP/SIP Stealth Attacks

SCCP/SIPSpoofing

VoIP SPAM

SCCP/SIP/RTP Floods

Real-time, VoIP call state aware, signature and behavior-based signaling & media protection(Including encrypted traffic)

L3 Security is now a commodity market

Attacks moving towards L7 as hackers target applications and services.

Network is a platform rather than a pipe.

Need of the hour: Inline, reliable, low-latency deep packet inspection, state-aware security devices.

Internet

Soft Clients

SIP security use cases

Data VLANVoIP VLAN

IP PhonesIP PBX

WiFi/Dual Mode Phones

DMZ

Crumbling Enterprise perimeter:Extension from trusted to un-trusted domains

• Soft clients • Remote users• SIP trunks• Mobility• Click-to-talk

Service Provider

Partner

Click-to-Talk Hard Phone Dual-mode Phone

► Remote User Security► WiFi/Dual-mode Phone

Security► Click-to-Talk Security► SIP Trunk Security

► Secure Proxy

Rogue Device Rogue EmployeeInfected PC

Bad Guys

Spammer

Infected PC

► SIP IM Compliance► IP PBX Security

Customer pain points• Secure remote UC enablement• Security threats from external and internal clients• Multiple exceptions on secure firewalls to enable UC

Security Gaps with SIP Trunks

• Security policy– ITSP vs. enterprise policy– Firewall for layer 3-4– ? for VoIP layer

• Threat protection– PBX open to ITSP

misconfigurations– 1 TDM PRI = 23 calls– 1 Mb IP connectivity = 100 to

1000 INVITE• Privacy

– Encryption over my LAN but not over ITSP WAN?

LAN

PSTN

Internet

ITSPSIP Trunk

PBX

Enterprise

Rogue Device

UC Security Solution for SIP Trunks

• Security policy– Control your own

policies– Demark VoIP layer

• Threat protection– Flood protection– Signatures for UC

vulnerabilities

• Privacy– TLS/SRTP

LAN

PSTN

Internet

ITSPSIP Trunk

PBX

Enterprise

Rogue Device

Holistic Approach for UC Security

• Establish policy– Define security policies based

on needs of organization

• Assess risk– Perform VoIP vulnerability

assessment

• Implement protection– Deploy comprehensive, real-

time UC security solution

• Manage compliance– Policy enforcement and

reporting– Ongoing, periodic assessments

UC Security Best Practices

• Perform UC vulnerability assessment– Identify risks and potential

vulnerabilities

• Implement strong UC policies– Enforce signaling, media and

application rules

• Police UC security zones– Control access based on

network, user AND device

• Apply UC-specific threat protection– Backed by dedicated VoIP

and UC security research– Understand user behavior to

eliminate false +/-• Access control for UC

– Strong two-factor authentication

• Enforce strong encryption– All signaling and media must

be encrypted for privacy

Multi-Dimensional UC Policies

• Address all dimensions of UC

• Not just networks• Not just users• Device mobility

– Wi-Fi phones/Softphones

• User mobility– Shared office spaces

NetworkDevice

Use

r

ToD

Confidentiality and Privacy

• Signaling encryption – TLS• Media encryption – SRTP• User privacy – Caller ID hiding• Network privacy – Topology hiding• Blocking reconnaissance scans

SSN: 123-45-6789 SSN: 123-45-6789

ôh

;ù’°

–¹q

€IP

‡m

Integrity and Access Control

• Strong authentication– X.509 Certificates, 2-Factor Authentication, SIP Digest Authentication

• Integrity protection– TLS with SHA1, SRTP with SHA1, SIP Digest with auth_int

• Blocking spoofing, caller ID fraud, rogue devices and rogue media packets• Configuration and patch enforcement, quarantine

$1000_sha

$1

00

0_

sh

a

$10000_sha

$1

00

00

_s

ha

X

Availability and Threat Protection

• Blocking application layer DoS floods• Blocking distributed denial of service (DDoS)• Blocking stealth DoS• Blocking malformed or fuzzed messages

X

SIP Trunk Security & Enablement ISP/Operator

Network

Enterprise A

DMZ

InternalFW

ExternalFW/NAT

Bad Guys

• VoIP VPN• TLS proxy• SRTP proxy

• VoIP Firewall• FW/NAT traversal• Whitelist/Blacklist• Call admission control• Domain Policies• Call Routing Policies

• VoIP Intrusion Prevention• VoIP Anti-spam

Enterprise B

Enterprise C

Enterprise D

Soft Clients &IP PhonesIP PBX

SIP Server Routers

Comprehensive, Real-time UC Security

• Define security policies– What UC applications you are

planning to use and rules that govern UC?

• Address risks and gaps– Understand new risks due to UC

in your deployment– Understand new gaps introduced

in current security• Address special needs for UC

– Real-time– Peer-to-peer– UC security zones

• Deploy UC security solution– Threat protection– Policy enforcement– Access control– Privacy

PSTN

Internet

ITSP

SIP Trunks

En

terp

rise

PBX

Mobile Workspaces

IP PBX & VLANs

Hacker

Rogue Device

InfectedPC

Enablement

• Will it work?

• Changes, upgrades to installed VoIP

• Voice Quality

• Visibility QoS/SLA

• Need to change FW policy?

Control

• Who, from where, when?

• Control services and features

Protection

• What about toll fraud, SPAM, DoS?

• Who has access to my PBX?

• Monitoring of security incidences

• Who has access to my private communications?

SIP Trunk requirements

Secure UC Access

• Keep PBX, phones, numbering

• Enforce voice quality

• Visibility in voice quality SLAs

• Topology hiding of internal network

• Standards based encryption TLS/SRTP

• X.509 Certificate, digest authentication, AAA

UC Policy Enforcement

• Enhance security policies

• Control real-time services

• Black list domains/users

• Control access based on network, device, user, SIP domain, time of day

UC Threat Prevention

• Block DoS/DDoS

• Block malicious traffic

• Block spoofed devices

• Zero day protection

SIP Trunk security device functionality

Access Control: X.509 Certificate Based Mutual Authentication

Internet

IP PBX

Intranet

Remote Phone

Root CertificateIssuer: XYZSubject: XYZ

CertificateIssuer: XYZSubject: Company-name SIP IPCS

Root CertificateIssuer: XYZSubject: XYZ

CertificateIssuer: XYZSubject: DeviceName

Step 1Install CA Root and Certificates from each side

Validate SIP Domain, Certificate Subject Name

2a. Send Cert & Cert Request

2b. Send Cert

3. SIP Request

4. Validated SIP Request

Internet

IP PBX

Intranet

Privacy: TLS/SRTP Encryption

External Firewall/Router

Internal Firewall+NAT

2. Signaling over TCP/UDP

4. Media RTP

3. Encrypted media SRTP

1. Encrypted signaling over TLS

DMZ

FW/NAT Traversal

Encrypted Signaling: SIP/TLS

Encrypted Media: SRTP (HW 50 usec)

Unencrypted Signaling: SIP/TCP

Unencrypted Media: RTP

Soft Switch

SRTP vs IPSEC: Overhead, latency, setup and routing considerations

NAT & Topology Hiding

COMPANY.COMCOMPANY.COM

FINANCE.COMPANY.COMFINANCE.COMPANY.COM

FINANCE.COMPANY.COMFINANCE.COMPANY.COM

User2User2

useruser

ITSPITSP

EXTERNAL.COMEXTERNAL.COM202.201.200.199202.201.200.199

192.168.1.199192.168.1.199

192.168.1.198192.168.1.198

192.168.1.197192.168.1.197

INVITEFrom: [email protected]: [email protected]:192.168.1.187

192.168.1.187192.168.1.187

192.168.1.188192.168.1.188

PHONEPHONE

INVITEFrom: [email protected]: [email protected]:202.201.200.199

INVITEFrom: [email protected] To: [email protected]:202.201.200.198

202.201.200.198202.201.200.198

INVITEFrom: [email protected] To: [email protected]:192.168.1.199

Info from SIP headers that can expose topology• Internal domains, application servers• Hops in network (record-route option)• L3-L4 info• Call-id, Contact, Refer-to, Call-info, Geolocation, P-Asserted-Id …

Privacy: User Identity privacy



useruser

ITSPITSP

EXTERNAL.COMEXTERNAL.COM

INVITEFrom: [email protected]: [email protected]

PHONEPHONE

INVITEFrom: [email protected]: [email protected]: [email protected]: Id

Fuzzing Protection: Protocol Scrubbing

• PROTOS and SIP torture signatures– Need to check signal messages against proper formatting, field

length, content, etc.– Regex based flexible rules, per UA type based rules

• Signatures updatable constantly

//ValidREGISTER sip:ss2.wcom.com SIP/2.0

//Fuzzed%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S%S sip:ss2.wcom.com SIP/2.0 Via: SIP/2.0/UDP there.com:5060 From: LittleGuy <sip:[email protected]> To: LittleGuy <sip:[email protected]> Call-ID: [email protected] CSeq: 2 REGISTER Contact: <sip:[email protected]> Authorization: Digest username="UserB", realm="MCI WorldCom SIP", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:ss2.wcom.com", response="dfe56131d1958046689cd83306477ecc" Content-Length: 0

Call Servers

Valid

Fuzzed

Internet

IP PBX

Intranet

Spoofing Prevention

7. Attacker script tries to spoof register

8. Fingerprint mismatch,SIP Challenge, No response, Registrationdisallowed

1. Phone registers

2. IPCS learns fingerprint

5. Phone re-registration complete

6. IPCS updates fingerprint

3. Phone moves to new location

4a. Phone tries to re-register

4b. Fingerprint mismatch,SIP Challenge, Response

IP, Src: 172.16.1.11, Dst: 172.16.1.20TCP, Src Port: 4933, Dst Port: 5060REGISTER sip:ss2.wcom.com SIP/2.0Via: SIP/2.0/UDP there.com:5060 From: LittleGuy <sip:[email protected]> Call-ID: [email protected] Contact: <sip:[email protected]>

IP, Src: 172.16.1.10, Dst: 172.16.1.20TCP, Src Port: 4925, Dst Port: 5060REGISTER sip:ss2.wcom.com SIP/2.0Via: SIP/2.0/UDP there.com:5060 From: LittleGuy <sip:[email protected]> Call-ID: [email protected] Contact: <sip:[email protected]>

Zero-Day Attacks with Behavior Learning

Internet

IP PBX

Intranet

Protected Endpoint

1. Observe non conformant rate of traffic to protected endpoint

2. Attacker makes call

3. Challenge,No response, Source Blocked

4. New call6. Allow call

5. Challenge, Valid Response

IP PBX

Intranet

Remote user enablement: VoIP/Video, OCS, Telepresence

External Firewall+NAT

Internal Firewall+NAT

4. Signaling over TCP/UDP

3. Media RTP

1. Static Firewall Channel: to enable secure channel between two IPCS

RADIUS AAA serverToken Auth Server

3. Authenticate incoming user

Internet

100 - 1000 media ports

5060 always open

5. SRTP/ERTP Media

2. TLS Setup

DMZ

4. Fingerprint Verification DoS/DDoS and Fuzzing Prevention

Anomaly Detection and Prevention Behavior Learning Voice SPAM Prevention

5. Media Anomaly Detection and Prevention

• Encrypted Signaling & Media• Voice/Video optimized• Built in security

4. Signaling over TLS

Security Policy

• Before one can be secure, define what it means to be secure

• Security policy defines the constraints with which all UC is governed– What? (phones, servers)– Whom? (users)– Where? (networks, domains)– When? (time of day, day of

week)– What level of security?

Policy?

35 © 2007 Sipera Systems, Inc. All Rights Reserved.

Corporate Overview

Remote/Mobile Users

L7 granular policies

Data VLANVoIP VLAN

IP PBXMobile Phone

Functionality

VoIP VPN: No cryptoVoIP Firewall: G711, No NATVoIP IPS: Protect against

stealth attacks on phone

Anti-spam: Protect against Spam Functionality

VoIP VPN: TLS/SRTPVoIP Firewall: Low BW, Remote NAT Block VideoVoIP IPS: Protect against


Anti-spam: Protect against Spam

Internet

Rogue Device

Criteria

Network: Data VLANUser: SupportDevice: Mobile

Phone

Functionality

VoIP Firewall: Block

Criteria

Network: InternetUser: SupportDevice: Nokia E61

Criteria

Network: Data VLANUser: SupportDevice: Nokia E61

Policy Enforcement: Centralized UC Policies

Partner

Data VLANVoIP VLAN

IP PBX

Internet


SP

IP Phones Soft Clients WiFi/Dual Mode Phones

Enterprise

SOURCE

Network Device User Time of Day


FLOW

App Media Routing Security Signaling

App Media Routing Security Signaling

POLICY

SOURCE

ApplyRoutingApply

RoutingRequestRequest

DEST



FLOW

App Media Security Signaling

App Media Security Signaling

POLICY

DEST

Policy Control: Network, Device, User, ToD

Partner

Data VLANVoIP VLAN

IP PBX

Internet


SP

IP Phones Soft Clients WiFi/Dual Mode Phones

Enterprise Determine Network

VoIP VLAN

Data VLAN

Internet

Determine Device

Hard Phone

Soft Clients

WiFi/Dual Mode

Determine Network

Determine Device

Flow Criteria

Determine User

Determine ToD

Media Rule

Policy EnforcementApplication, Signaling, Security, Media

• Application Rules• Media Rules• Routing Rules• Security Rules• Signaling Rules

Application Rule

Voice

Video

IM

Codec Prioritization

Low

High

Encryption

SRTP

RTP

Mobility and Remote User

Data VLANVoIP VLAN

IP PBXMobile Phone

Flow Criteria

Network: Data VLANUser-Grp: SupportDevice: Nokia E61

Service

Media: RTP, G711, No NATSignaling: TCP, No NATSecurity: Protect against


Flow Criteria

Network: InternetUser-Grp: SupportDevice: Nokia E61

Service

Media: SRTP, G729, NATSignaling: TLS, Remote NATSecurity: Protect against


Internet

Enterprise

SIP Trunk Least Cost Routing

Data VLANVoIP VLAN

IP PhonesIP PBX

SP 1

Flow Criteria

Network: VoIP VLAN

User: SupportDevice: Avaya

4602ToD: Day

SP 2

Service

Application: IM, VideoMedia: RTP, G711Signaling: TCPRouting: SP2Security: Protect floods

Flow Criteria

Network: VoIP VLAN

User: SupportDevice: Avaya

4602ToD: Night

Enterprise Service

Application: No IM, No VideoMedia: SRTP, G729Signaling: TLSRouting: SP1Security: Protect floods

ToD and Priority Routing allows overall lower operation costs ToD and Priority Routing allows overall lower operation costs

UC vs Data Security

Remote UC enablement, IP-PBX security, Mobility control, Toll fraud, mutual-auth, centralized

management, TLS, SRTP, ERTP

Web Services, IM, File Transfer, Network Mgmt., Authentication,

Directory Services, Name Services, SSL, IPSEC, SRTP

VoIP/VideoVoice, Video, IM, Collaboration

DataL7 services, Security

TCP, UDP, IP, ICMP, DHCP

SIP, SCCP (Skinny), MGCP, TFTP, H.323, RTP/RTCP/RTSP, TAPI/JTAPIHTTP, FTP, SMTP, TFTP, SMTP/ESMTP, DNS/EDNS, LDAP, NTP, RPC

Protocol Inspection and RFC Compliance

Network Protection

SIP (Avaya, Cisco, Msft Nortel), SCCP (Skinny), IMS, UMA, OCS

VoIP DoS/DDoS Protection

HTTP, FTP, ESMTP, TFTP

Data DoS/DDoS Protection

Regex based, hierarchical policyStatistical AD, IPS, AV signatures

Full/cut-through TCP proxyHTTP, P2P, IM, SMTP, XML

Message securityCall flow/state aware, behavioral AD, signatures, semantic protocol

scrubbing, fingerprinting, VoIP SPAM, false +ve free drop actions

SIP, SCCP, IMS, UMAL7 protocol proxy

Real time Voice/Video security

THANK YOU!!

Ravi VaranasiVice President, EngineeringSipera [email protected].

mailto:[email protected]

Date post:	31-Oct-2014
Category:	Documents
Upload:	sandra4211
View:	3,592 times
Download:	7 times

Securing the SIP Trunk

Documents