ToIP PROTECTION ITEM DESCRIPTION V2.1
Edition 4.0
RSS/SSI/TeS/DCF/FH-PhD, 07/32, September 2009

Information contained in this document is the exclusive property of THALES Group and cannot be disclosed to a third party by the user without written authorisation given by THALES Communications.
Contents

1. ToIP and service security
   1.1 ToIP architectures and protocols
       Introduction
       1.1.1 H.323 protocol
       1.1.2 SIP (Session Initiation Protocol)
       1.1.3 MGCP (Media Gateway Control Protocol)
       1.1.4 Proprietary technologies
   1.2 ToIP services
   1.3 ToIP security: background and stakes
       1.3.1 From ISDN to ToIP
       1.3.2 The challenges
       1.3.3 The security stakes
       1.3.4 2009 and 2010: the critical years
2. What protection for ToIP?
   2.1 Functional security blocks
       2.1.1 Network segmentation
       2.1.2 Access control at the edge of the data network
       2.1.3 Access control at the edge of the telephony network
       2.1.4 Network authentication
       2.1.5 Integrity and confidentiality of signaling and communications
       2.1.6 Server and application authentication
       2.1.7 Core filtering in front of servers: stream safety
   2.2 Focus: an application-layer filter to protect ToIP servers
   2.3 SBC, edge firewall, application-layer firewall
       2.3.1 Edge firewalls
       2.3.2 Session Border Controller (SBC)
       2.3.3 Application-layer protection for servers
       2.3.4 Conclusion
3. TEOZ: application-layer security solution for ToIP
   3.1 TMZ: a sanctuary for voice and video applications
       3.1.1 TMZ
       3.1.2 TMZ partitioning
       3.1.3 Two filtering levels
   3.2 Real-time IP application-layer analysis: Protocol Expert Module (PEM)
       Stateful IP filtering
       Application-layer analysis
       Contextualized signatures
       IDPS
       Synthesis
       ToIP threats
       Examples in Layers
   3.3 Usage analysis and control: Session Expert Module (SEM)
       Description
       Supported protocols
       SEM module actions
       Examples of threats prevented by the SEM function
   3.4 Network functionalities
       IP translations
       Routing
       Connectivity, VLAN, aggregation
       Quality of Service (QoS)
       DHCP
       Date and time
   3.5 High availability (clustering)
       3.5.1 Principle
       VRRP (state protocol)
       Active/Passive mode
       Active/active mode
       Cluster supervision
       High Availability (OXE spatial redundancy)
   Hardware technology
   Licenses
   PEM module administration
       Secured access
       Configuration tool
       Supervision
       Logs
       Master/slave supervision architectures
   SEM module administration
   Updates
       Updating the software
       Updating IDPS
       Synthesis
   TEOZ 2000 and TEOZ 3500
       Hardware characteristics
       Security-safety
       TEOZ 2000 performance
       TEOZ 3500 performance
   Alcatel-Lucent inter-operability
Contact information
1. ToIP and service security

1.1 ToIP architectures and protocols

Introduction

1.1.1 H.323 protocol

H.323 is the ITU-T standard for audio-visual communication sessions over any IP network. It is used together with companion standards such as H.225 (call signaling and registration) and H.245 (capability exchange and codec selection). The media streams themselves (audio and video, and with further standards fax and data) are carried by RTP (Real-time Transport Protocol). Further standards, such as H.450, provide supplementary services: call transfer, call forwarding, call hold, call waiting, etc. An H.323 system is composed of endpoints (terminals), gateways and gatekeepers (address resolution and bandwidth control). H.323 is the most widely deployed ToIP (Telephony over Internet Protocol) protocol and is used in Internet real-time applications such as NetMeeting. However, SIP (Session Initiation Protocol) will probably become the prevalent protocol in the years to come.

1.1.2 SIP (Session Initiation Protocol)

SIP is the IETF standard initially designed to create and tear down two-party or multi-party sessions. It is primarily used for ToIP, but it also sets up other application-layer sessions; manufacturers extend it to other media, such as video conferencing, according to their own roadmaps. SIP is a text-based protocol, similar to HTTP, which can run over TCP, UDP or SCTP. A SIP architecture includes endpoints (terminals, user agents (UA)), proxy servers or redirect servers, location servers and registrars; the last two are often hosted on the proxy server. SIP was selected as the ToIP protocol for fixed-mobile convergence in the IMS (IP Multimedia Subsystem) architecture defined by 3GPP, and was then adopted for the TISPAN architecture designed by ETSI. TISPAN and IMS chose different solutions for securing SIP: TLS for TISPAN, IPsec for IMS.

1.1.3 MGCP (Media Gateway Control Protocol)

MGCP is a client-server protocol developed by Telcordia and Level 3 Communications, unlike SIP and H.323, which operate in peer-to-peer (client-to-client) mode. MGCP was first used by American cable operators who wished to add telephony to their cable TV offerings. It is a stimulus protocol: the endpoints are "low-intelligence" devices, and the protocol only carries keystroke information from the subscriber's set to a central server, which interprets the keystrokes and executes the corresponding actions. MGCP can therefore be used with all the (analog or digital) terminals already installed at the customer's premises, and ToIP services can be deployed without impacting the existing terminal population. ADSL Internet access providers and IP Centrex operators use this protocol in the same way: the central server controls the subscriber's set.
1.1.4 Proprietary technologies

Although standard protocols such as SIP are the most widely known, the offers of many ToIP providers are based on proprietary technologies. Examples:
- Cisco: Skinny Client Control Protocol (SCCP or Skinny)
- Nortel: Unistim
- Mitel: Minet
- Alcatel-Lucent: Universal Alcatel (UA)
- Siemens: HiPath Feature Access (HFA)

These protocols often derive from ISDN technologies and are a transition to IP. Their objectives are to:
- keep a functional phone system identical to the existing ISDN one, which the standard protocols were not capable of at the beginning;
- ensure a smooth transition from ISDN to IP;
- ensure a captive market for terminals.

The related architectures vary widely from one provider to another, although the components are the same for all technologies. As SIP becomes mainstream and manufacturers such as Aastra or Avaya offer full SIP product lines, proprietary technologies may lose ground. However, in 2009, proprietary technologies are still in use and represent the lion's share of corporate deployments.

1.2 ToIP services

As we use a telephone every day, this technology seems rather simple. However, the services provided by PABXs, and then by IPBXs, are numerous and complex, and depend on the manufacturer. Additional services such as CTI (Computer Telephony Integration) and connections to IP applications are also available. The main telephone services are:
- black lists
- recall
- hold
- call transfer
- multi-party conference
- call trace
- calling line identification presentation
- caller ID blocking
- authentication
- IVR (Interactive Voice Response)
- tone management (hold, transfer, etc.)
- messaging
- interface conversion (trunking mode)
- vocoder conversion
- IPBX interconnection
1.3 ToIP security: background and stakes

1.3.1 From ISDN to ToIP

In ISDN architectures, voice and data applications are strictly separated:
- distinct networks
- distinct terminals
- distinct services
- and distinct threats

Figure 1: ISDN architecture (ISDN PBX, ISDN WAN, IP (MPLS) network)

With ToIP, this is no longer the case:
- integrated networks (at least at the hardware level)
- pooled terminals
- converged services
- and shared threats

Figure 2: ToIP architecture (IPBX, IP (MPLS) WAN, ISDN)

Although simple in appearance, convergence is a source of complexity, first in terms of infrastructure, then in terms of service and information security.

1.3.2 The challenges

We have to face it: ToIP is intrinsically vulnerable, because of several factors.

Migration to IP. Telephony is becoming an ordinary application in its design, built from standard software components that do not integrate security requirements. The vulnerabilities of those components are inherited by the telephony application.

Number of network elements. A ToIP infrastructure uses several hundred to several tens of thousands of network elements (routers, switches, servers, terminals), each one a potential entry point for threats. In particular, ToIP terminals are functionally similar to computers, with operating systems, protocol stacks, HTTP services and FTP services; this phenomenon is accelerated by the development of virtual terminals (softphones). The hacking of the iPhone through SMS illustrates the potential weakness of terminals in an infrastructure.
Variety and complexity of protocols. Whether standard or proprietary, ToIP protocols are far more complex than the protocols currently used by data applications: semantics, sequencing, and successions of multi-protocol sessions are required to establish a communication. This is no longer the request-response mode of data exchanges. Besides, most standard protocols are open and come in various implementations, according to the manufacturers, with proprietary extensions. SIP is therefore renowned for its misleading simplicity.

Interconnection with data networks. By construction, the partitioning of voice and data networks is limited. To benefit from service convergence, resources such as directories, messaging, DNS and DHCP services have to be shared. Integration goes further with softphones, instant messaging and CTI. Voice and data services are therefore exposed to each other's vulnerabilities, with possible cross-contamination.

Availability and Quality of Service (QoS). Telephony must meet our everyday expectations, and ToIP must meet them in an open environment. Telephony is also critical for companies: any malfunction may lead to loss of revenue, loss of opportunities and loss of efficiency. Moreover, emergency calls must be possible at any time, to meet safety obligations and address hazards to persons. Service availability is a key point, even though alternatives such as messaging, e-business, mobile telephony and collaborative work are spreading rapidly.

Time to market. Finally, there is a great rush to market products and services based on ToIP. Rapid development and short time to market are decisive for providers. Comprehensive, native security is regarded, rightly or wrongly, as a complication that slows down availability.

As a result, fraud and attacks increase significantly: these new means of communication are diverted from their original use, and their weaknesses are exploited.

1.3.3 The security stakes

They fall into the following categories.

Confidentiality

1. Signaling confidentiality, which is too often disregarded. Unencrypted signaling allows the network topology, stream matrices, applications and protocols to be discovered, and attack strategies to be developed.

2. Communication confidentiality: to protect the strategic data of the company (know-how, strategy, finances, commercial offers, litigation, conflicts) that can be exploited in fierce economic competition, whatever the field of activity and the size of the company (an issue neglected by too many companies), and to protect the personal data (privacy) exchanged during phone conversations. This concerns administrations (income tax and social services, health services, legal services) and the private sector (banks, insurance companies, human resources departments). Many States require the confidentiality of personal data stored and exchanged in information systems, including phone systems. Traditional telephony is considered safe because tapping is assumed to be impossible without physically acting on the devices. IP communications are as vulnerable to call interception (tapping) as any other IP application, especially if voice and data applications and networks are not sufficiently segmented. And segmentation (VLANs) is not the ultimate solution.
Availability

The purpose of ToIP is to deliver the same availability as ISDN telephony. Even if the new technological base seems unable to deliver that level, the target is 99.99%, which is high for a computer application. To achieve it, resilient architectures will be implemented, with the related power supply and air conditioning. Unavailability caused by aggressive streams or behaviors must also be prevented. Migration to IP makes the availability of the phone service more vulnerable to internal and external denials of service. Because of the sensitivity of telephone systems, a slightly degraded Quality of Service makes the application unusable: attacks can be much more subtle than bandwidth saturation. Such attacks may also alter traffic and prevent access to the company's data. There are two ways of generating denial of service in ToIP:
- Making the resources indispensable to the application (call server, directory, DNS, etc.) unavailable by saturation, freeze or isolation. Note that for ToIP, saturation can be achieved with a low bit rate, or with a great number of connections, so such attacks can be rather furtive.
- Discouraging use: making terminals ring randomly until users give up answering; degrading communication quality by changing codecs or introducing jitter; aborting calls by introducing latency or interfering with packet routing.
Finally, denial of service can result from technical failures, especially when using low-cost technologies of insufficient maturity (e.g. some SIP terminals).

Fraudulent, unlawful or abusive use

The abusive use of telephone services charged to companies is already widespread in ISDN: call forwarding to premium-rate or international numbers, conference bridges used to connect external parties free of charge, etc. The objective is not only to detect fraudulent use, e.g. intrusion into the system for financial gain, but also to detect the abuse of their rights by authorized subscribers.

Identity fraud

This is related to confidentiality and fraud. It involves identity spoofing, or stealing the personal details of a user, either to obtain rights or privileges the attacker is not entitled to, or to deceive a correspondent. Besides the direct risks, there is a risk of compromising the trust placed in financial and regulatory certifications (SOX, Basel II, LOF) by weakening non-repudiation mechanisms.

Civil and penal liability

This concerns the liability of Organization A, whose ToIP system is hacked in order to harm Organization B. In this case, and according to the losses, Organization B is entitled to have Organization A condemned and to seek civil remedies in law. The financial and reputational risks can be substantial. Organization A must therefore detect intrusions and stepping-stone attacks beforehand and, in case of an attack, since security is not infallible, be able to demonstrate its good faith.

Nuisances such as spam

SPIT (Spam over Internet Telephony) and SPIM (Spam over Instant Messaging) may become nuisances for ToIP. By comparison, more than 90% of e-mails are now considered spam, and there is no reason for this to be different for ToIP and instant messaging.
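The usage patterns listed above (calls to premium-rate or international numbers, abuse of rights by authorized subscribers, saturation with many connections at a low bit rate, SPIT fan-out) are what a usage-control function has to pick out of call records. The following Python block is an added example, not code from the Thales document or from TEOZ; the call records, the country code, the premium-rate prefixes and the thresholds are all assumptions constructed for the illustration.

```python
"""Rule-based usage control over call records (added example; the records,
prefixes and thresholds below are assumptions made for this illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_CC = "+33"                                   # assumed home country code
PREMIUM_PREFIXES = ("+33899", "+33890", "+4409")  # assumed premium-rate prefixes
BUSINESS_HOURS = range(8, 19)                     # 08:00 to 18:59 local time
MAX_CALLS_PER_MIN = 20                            # per calling party
SPIT_DISTINCT_CALLEES = 10                        # short calls to this many callees in a minute

# Constructed call records: (ISO timestamp, caller, callee, duration in seconds)
CDRS = [
    ("2009-09-07T10:00:00", "+33141000010", "+33141000020", 180),
    ("2009-09-07T10:05:00", "+33141000010", "+33899123456", 600),   # premium-rate callee
    ("2009-09-07T02:30:00", "+33141000011", "+12125551234", 2400),  # international, at night
    ("2009-09-07T14:00:00", "+33141000012", "+33141000030", 20),    # ordinary call
]
# One caller placing 25 three-second calls to 25 distinct callees in 25 seconds:
# a SPIT-like fan-out that also exceeds the per-minute call budget.
CDRS += [
    ("2009-09-07T11:00:%02d" % s, "+33141000099", "+3314100%04d" % (100 + s), 3)
    for s in range(25)
]


def classify(ts, caller, callee, duration):
    """Per-call rules; returns the list of alert labels (empty when clean)."""
    alerts = []
    when = datetime.fromisoformat(ts)
    if callee.startswith(PREMIUM_PREFIXES):
        alerts.append("premium-rate")
    if not callee.startswith(HOME_CC) and when.hour not in BUSINESS_HOURS:
        alerts.append("international-off-hours")
    return alerts


def analyse(cdrs):
    """Apply the per-call rules, then a sliding one-minute window per caller
    to catch call floods and SPIT-style fan-out (many short calls, many callees).
    Returns {caller: [(label, callee or None), ...]} for callers with alerts."""
    alerts = defaultdict(list)
    windows = defaultdict(list)
    for ts, caller, callee, duration in sorted(cdrs):
        for label in classify(ts, caller, callee, duration):
            alerts[caller].append((label, callee))
        when = datetime.fromisoformat(ts)
        window = windows[caller]
        window.append((when, callee, duration))
        # keep only the last minute of this caller's activity
        window[:] = [w for w in window if when - w[0] <= timedelta(minutes=1)]
        raised = {label for label, _ in alerts[caller]} if caller in alerts else set()
        if len(window) > MAX_CALLS_PER_MIN and "call-flood" not in raised:
            alerts[caller].append(("call-flood", None))
        short_callees = {c for _, c, d in window if d < 10}
        if len(short_callees) >= SPIT_DISTINCT_CALLEES and "spit-fanout" not in raised:
            alerts[caller].append(("spit-fanout", None))
    return dict(alerts)
```

The per-call rules catch the premium-rate and off-hours international cases with no state; the windowed rules are what distinguish a single legitimate burst from the low-rate, many-connection pattern the text describes, and they fire once per caller rather than on every record. In a real deployment the prefixes and thresholds would come from the Organization's dial plan and policy, not from constants.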
1.3.4 2009 and 2010: the critical years

In computer security, it has been observed that when a new application is widely deployed, it takes about three years for its protection and security to be considered, for the following reasons:
- rush to market;
- the time needed for the actors to apprehend the application's vulnerabilities, deployment, impact and interactions with infrastructures, and the uses and behaviors it induces.

The year 2009 is a milestone for ToIP: during seminars, customers no longer ask whether ToIP must be secured; instead they rightfully ask: what do you suggest to secure ToIP? Similarly, quality of protection is becoming a selection criterion for ToIP systems, with significant impact on manufacturers.

The same three-year delay is also observed on the attackers' side. Most intrusions or frauds are no longer committed by individuals for notoriety, but attempted by criminal organizations strictly for profit: stolen data or topology information can be sold to third parties or used for blackmail (e.g. threats of denial of service or disclosure). These operations require comprehensive knowledge of the applications, which takes time and investment to develop, with risk-taking in their execution. The return on investment must be sufficient, and two main factors determine it:
- the criticality of the application for the Organization: coverage rate, maturity, embedding in the information system, and impact on operations, which determines the resale and blackmail value of the data;
- the size of the installed base: wide application coverage results in increased vulnerability and higher profits from fraud.
Three to four years are required for these two parameters to mature: this is the case in 2009 and 2010.
2. What protection for ToIP?

2.1 Functional security blocks

The next figure summarizes the main components of ToIP protection.

Figure 3: bricks for protection (server authentication; integrity and confidentiality of communications; stream safety; call servers; hiding and translation ("peering"); network authentication; ISDN; integrity and confidentiality of signaling; IP WAN (MPLS); voice/data/video/administration segmentation; access control to the network, NAT, pinholing)

2.1.1 Network segmentation

To avoid stepping-stone attacks from the data network to the voice network, streams are segmented into different virtual (if not physical) networks. There are four virtual networks: voice, data, video and administration. This is achieved with VLAN technologies. This measure is necessary and common sense, but it is far from sufficient, even if some users do believe it is. Bridges may exist between these VLANs:
- To benefit from convergence, some applications are used both by ToIP services and terminals and by data services and terminals: messaging, directories, DNS, DHCP.
- Some terminals give access to both the voice and the data network, e.g. PCs running softphones.
- A voice/data/video infrastructure for corporate customers implements several hundred to several thousand routers, switches and gateways that must be configured to support VLANs. Can any network operator claim that the VLAN configuration will be perfect and coherent at all times?
- Even with an ideal VLAN configuration, inter-VLAN bridging is easy for an experienced technician.
2.1.2 Access control at the edge of the data network

This is the existing edge firewall, which is usually in place before ToIP is deployed. The ToIP functionalities required from this firewall are limited to the border functions (see 2.3.1).

2.1.3 Access control at the edge of the telephony network

There are two situations to consider: peering (network interconnection) and filtering (access control) specific to voice streams. For peering, there are two functional needs:
- Hiding the Organization's network from the operator and vice versa. This requires advanced NAT functions, more complex than those offered by edge firewalls.
- Translating the protocols used in the Organization's network into those used in the operator's network, and vice versa.
Some networks use Session Border Controllers (SBC) for this (see 2.3.2). For the specific filtering, a voice application firewall can be used.

2.1.4 Network authentication

A protocol such as 802.1X can be used; it is now offered by most vendors.

2.1.5 Integrity and confidentiality of signaling and communications

These services are provided by stream encryption. All vendors now offer stream encryption, activated by default or not; the key point is its impact on deployments and performance. Encryption advertised as free should not be taken at face value, because its performance cost is not constant: hardware may have to be changed or added, and that is not free. Several technologies are available:
- IPsec or SIP over TLS for signaling;
- SRTP for communications.

2.1.6 Server and application authentication

Network authentication is not enough. An effective solution must ensure that only authorized terminals connect to ToIP services, and that terminals connect to the legitimate servers: this is what signaling encryption provides, through the certificates and encryption keys shared between terminals and servers.

2.1.7 Core filtering in front of servers: stream safety

This block provides the complex content control and call session control functions that edge firewalls cannot ensure. It is useful in front of servers, because it controls all streams between terminals and servers and between servers. Only an application-layer filter specific to ToIP is capable of meeting this requirement.
2.2 Focus: an application-layer filter to protect ToIP servers

As seen in the previous chapter, a security package for ToIP must address the threats pertaining to IP as well as those inherited from ISDN. Most security packages currently sold with a ToIP label focus on the IP aspects (often partially), and merely extend standard network security solutions to telephony, without considering the threats specific to the telephony systems and protocols and their particularities. An application-layer protection mechanism for ToIP must be multi-functional in order to address all levels of protection (see 2.3.3).

2.3 SBC, edge firewall, application-layer firewall

As seen in Section 2.1 Functional security blocks, three components are required to protect ToIP services effectively: the edge firewall, the application-layer filter and the SBC. They are not interchangeable, whatever some providers may suggest, which is a source of confusion for users. The purpose of this section is to clarify the definition of each of them.

2.3.1 Edge firewalls

These devices were developed in the 1990s, when companies connected to the Internet. Their purpose was to protect company intranets from Internet threats and to control incoming and outgoing streams. Firewalls decide which network traffic is let through or blocked on Internet or MPLS connections: which protocols, ports and addresses are allowed. They generally have limited or no content control functionality, because that level of control is resource-intensive: to be effective, content control at the edge would have to cover every protocol entering the network at that point, the device would have to grow accordingly, with a real risk of congestion, and who would accept denying service to voice protocols in order to inspect POP3 or HTTP traffic? Besides, firewall engines were designed for simple protocols operating in request-response mode, such as HTTP or POP3. They are therefore not suited to complex ToIP protocols and sessions.

Edge firewalls are often already installed when ToIP is deployed, and users do not want to replace them. The ToIP functionalities of these firewalls fall into two categories.

Dynamic opening and closing of secondary communication ports (pinholing). ToIP uses successive protocol sessions to establish and maintain a communication: first a primary session (signaling) with predictable characteristics (protocols, ports) that can be written into the firewall rules. The primary session then initiates secondary sessions (the media) whose characteristics, especially the ports, are negotiated during the primary session and cannot be known in advance. Two situations are possible:
- The edge firewall cannot decode the data exchanged during the primary session: all the ports likely to be used by the secondary sessions must be opened permanently, otherwise outgoing and incoming communications could not get through. This cancels the border filter. It was the prevailing situation in early ToIP deployments.
- The edge firewall can decode the data exchanged during the primary session: only the necessary ports are opened dynamically when the secondary session starts, and closed when it ends. The related exposure disappears.

Network Address Translation at Layer 7. ToIP protocols carry addresses at Layer 3 and also at Layer 7. Addresses on the LAN are usually private and are therefore translated into public addresses at the border for routing over the operator's or ISP's network (NAT: Network Address Translation). If the edge firewall performs NAT at Layer 3 only, the private addresses remain in the Layer 7 payload and the communication cannot be established. NAT therefore has to be performed at Layer 7 as well, which the original edge firewalls did not do.

These two functionalities are the only ones absolutely necessary in an edge firewall, and therefore the only ones to implement there. Both require reading data at Layer 7 (the application layer). Many providers advertise firewalls with application-layer analysis capabilities, which is an overstatement: no security control is performed at that level, only the lookup or modification of parameters. The security controls operate at Layers 3 and 4. Since pinholing and NAT do not control the progress of application-layer sessions, which is the purpose of application-layer analysis, that analysis does not need to be implemented at the border.

2.3.2 Session Border Controller (SBC)

SBCs are also border devices. Unlike the edge firewalls described in the previous section, they sit at the border of the voice infrastructure, where the operator's SIP or H.323 trunk connects. The role of an SBC is fundamentally the interconnection of IP networks (peering). SBCs carry the functional content suited to the following needs:
- Network topology hiding: the Organization must not know its operator's network and vice versa. This is achieved through advanced NAT functions that can hide data other than addresses.
- Protocol translation: transparent interconnection of networks that do not use the same protocols or the same protocol implementations (e.g. SIP to H.323, or SIP implementation A to SIP implementation B).
- Traffic and user management:
  - application routing, e.g. of incoming SIP calls to softswitches;
  - overflow management, e.g. routing excess outgoing calls to Internet or PSTN connections;
  - call/session admission control;
  - SIP registrar and H.323 RAS gatekeeper.
Originally, SBCs were used to interconnect operators' networks. With the arrival of H.323 trunks, then SIP trunks, the need now also exists for company/operator interconnections.

2.3.3 Application-layer protection for servers

Although they operate at the application level, SBCs are not designed for the infrastructure core, i.e. to protect servers; their functional strong points (see the previous section) are of limited use there.
Application-layer protection for servers focuses on the following aspects.

Precise analysis of protocol streams, to ensure the syntax, consistency and integrity of sessions:
- checking the content and format of packets and packet fields;
- checking the consistency and integrity of a primary session on protocol A;
- checking the opening of the secondary sessions (protocols B, C, etc.) started by protocol A;
- checking the consistency and integrity of the secondary sessions (protocols B, C, etc.);
- checking the consistency of the secondary sessions (protocols B, C, etc.) with what was announced during the primary session (protocol A).
ToIP protocols, sessions and links between sessions are much more complex than anything previously seen in data services. Suitable engines have to be implemented, and the protocol technologies used by each vendor have to be known precisely. Standard protocols (SIP, etc.), proprietary protocols and proprietary extensions of standard protocols all have to be covered comprehensively.

Fight against fraud, abusive use and SPIT. This goes beyond protocol analysis: the parameters of the telephone session (E.164 numbers, call direction, time stamps, codecs, etc.) have to be extracted and compared with specific rules. This requires advanced protocol analysis capability and a specific engine, distinct from the engine that handles protocol conformance.

Support of back-office streams. For efficient and comprehensive operation with minimum impact on the infrastructure, the application-layer filter must handle protocols or streams that are only seen at the servers (e.g. CSTA phases 2 and 3, and redundancy streams).

Support of ToIP traffic profiles. The application-layer filter deployed in front of ToIP servers must be sized and tested against traffic profiles very different from those known at the network border. The filter must withstand a server restart, i.e. the simultaneous reconnection of all terminals to the servers within a short time. The platform is therefore not sized on data throughput (the traditional performance indicator for firewalls and IDPS), but on very short and very aggressive session bursts.

Real-time stream processing. The ToIP application-layer filter must have no impact on latency and jitter, the key parameters of phone service quality. It therefore relies on:
- processor technologies specialized in networking and security, with dedicated instruction sets (general-purpose industrial PCs are thus excluded);
- a software architecture that optimizes processing;
- advanced hardware/software integration;
- low use of hardware resources to avoid congestion points, including during the most critical burst phases.

High availability. The application-layer security solution is included in the ToIP SLA, including 99.99% availability, and offers the functionalities needed to achieve that rate. Contractual agreements between manufacturers and ToIP providers include this requirement.

Integration, validation and simulation capabilities. The manufacturer of the ToIP application-layer security solution needs laboratories able to reproduce actual customer environments:
- complete systems with the related applications;
- the skills for realistic and representative configuration;
- simulation tools for traffic and for the vendors' terminals, to reproduce the behavior of a real infrastructure.

Cooperation with ToIP vendors. Only close cooperation with ToIP vendors can meet these requirements:
- access to detailed technical specifications;
- early access to technical developments (roadmap synchronization);
- access to R&D expertise;
- access to test and simulation environments;
- suitable support and escalation processes.
Reverse engineering of vendor protocols, by contrast, is potentially very risky for end users.

2.3.4 Conclusion

Edge firewalls, SBCs and application-layer security solutions have distinct characteristics and purposes, and therefore different functional content. Some confusion remains, sometimes created by vendors. Strictly in terms of the presence or absence of functions, the three items may look equivalent. But even when the lists of functions are similar, the completeness and maturity of each solution make them not interchangeable. Checking the presence or absence of a function is not enough: each function must be weighted according to its quality. The result is a functional center of gravity that differs from one solution to another. The next figure illustrates the positioning of each solution.

Figure 4: functional weighting of edge firewall, TEOZ and SBC (axes: performance, routing, QoS, data protocols, analysis engine, voice protocols, network interconnection)
As a conclusion, the next figure summarizes the position of each item.

Figure 5: positioning in the network (voice/video servers; SBC toward the voice IP WAN and distant subscribers; firewall toward the data IP WAN / Internet and distant subscribers)
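Two of the checks listed in 2.3.3, the content and format of packets and the consistency of a secondary session with what the primary session announced, can be shown concretely for RTP, the secondary session that SIP or H.323 signaling sets up. The following Python block is an added example, not code from the Thales document or from TEOZ: the announced media parameters (as a filter would have learned them from the SDP), the RTP packets and the sequence-jump threshold are assumptions constructed for the illustration.

```python
"""Stateful check of an RTP secondary session against what signaling announced
(added example; EXPECTED, the packets and the thresholds are constructed)."""
import struct

# What the application-layer filter learned from the SDP of the INVITE
# (constructed values; a real filter fills this from the primary session).
EXPECTED = {"ip": "10.1.2.3", "port": 49170, "payload_types": {0, 8}}
MAX_SEQ_JUMP = 1000   # assumed tolerance for reordering before a jump is rejected


def build_rtp(seq, ssrc, payload_type=0, version=2, payload=b"\x00" * 160):
    """Build a minimal RTP packet (RFC 3550 fixed header, no CSRC, no extension)."""
    first = version << 6            # V, P=0, X=0, CC=0
    second = payload_type & 0x7F    # M=0, PT
    return struct.pack("!BBHII", first, second, seq, seq * 160, ssrc) + payload


class RtpSessionCheck:
    """Track one media stream and reject packets that are malformed at the
    packet level or inconsistent with the session announced in signaling."""

    def __init__(self, expected):
        self.expected = expected
        self.ssrc = None
        self.last_seq = None
        self.rejected = []

    def check(self, src_ip, dst_port, packet):
        reason = self._reason(src_ip, dst_port, packet)
        if reason:
            self.rejected.append(reason)
            return False
        return True

    def _reason(self, src_ip, dst_port, packet):
        # consistency with the primary session: only the announced source and port
        if src_ip != self.expected["ip"] or dst_port != self.expected["port"]:
            return f"not the announced 5-tuple: {src_ip}->{dst_port}"
        # packet format: fixed header present, version 2, CSRC list fits
        if len(packet) < 12:
            return "truncated RTP header"
        b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", packet[:12])
        if b0 >> 6 != 2:
            return f"bad RTP version {b0 >> 6}"
        if len(packet) < 12 + 4 * (b0 & 0x0F):
            return "CSRC count exceeds packet length"
        # consistency with what was negotiated: codec and stream identity
        pt = b1 & 0x7F
        if pt not in self.expected["payload_types"]:
            return f"payload type {pt} not negotiated"
        if self.ssrc is None:
            self.ssrc = ssrc
        elif ssrc != self.ssrc:
            return f"SSRC changed mid-session: {ssrc:#x}"
        # sequence integrity: a repeated number is a replay, a huge jump is an injection
        if self.last_seq is not None:
            delta = (seq - self.last_seq) & 0xFFFF
            if delta == 0 or delta > MAX_SEQ_JUMP:
                return f"sequence jump {self.last_seq}->{seq}"
        self.last_seq = seq
        return None


def run_sample():
    """Feed a constructed mix of legitimate and hostile packets to one checker."""
    chk = RtpSessionCheck(EXPECTED)
    good = [("10.1.2.3", 49170, build_rtp(s, 0xDEADBEEF)) for s in (1, 2, 3)]
    bad = [
        ("10.9.9.9", 49170, build_rtp(4, 0xDEADBEEF)),                    # foreign source
        ("10.1.2.3", 49170, build_rtp(4, 0xDEADBEEF, payload_type=18)),   # G.729 not offered
        ("10.1.2.3", 49170, build_rtp(4, 0xCAFEBABE)),                    # SSRC hijack
        ("10.1.2.3", 49170, build_rtp(2, 0xDEADBEEF)),                    # replayed sequence
        ("10.1.2.3", 49170, build_rtp(5, 0xDEADBEEF, version=1)),         # malformed header
    ]
    results = [chk.check(*p) for p in good + bad]
    return results, chk.rejected
```

The three good packets pass and each of the five hostile ones is rejected for a different reason. The first rejection is the one an edge firewall with pinholing also catches (wrong 5-tuple); the other four only exist once the filter keeps state from the signaling, which is why the text places this control at the core rather than at the border.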
17 3. TEOZ: application-layer security solution for ToIP TEOZ is an application-layer security solution for ToIP: it is designed for the sole purpose of protecting the applications critical to ToIP. TEOZ is embedded in the Organization s network to create a Trusted Multimedia Zone (TMZ) that hosts sensitive devices as servers. The next sections describe the notion of TMZ and the proposed application-layer security services offered to IP and telephony systems. 3.1 TMZ: a sanctuary for voice and video applications TMZ As described in the first part of this document, multimedia applications and especially ToIP will become the next major target for attacks, due to Quality of Service sensitivity and fraud potential. Application availability is critical for the Organization and has strong psychological effects. Therefore, suitable security mechanisms should be implemented, at the organizational and architectural levels and at the technical level as well. These measures must be more consistent than those currently available for data or messaging services, which accept downgraded Quality of Service. Attacks to ToIP can be launched from outside, however, in view of what has been happening in computer networks for several years, many attack have been and will be launched from inside the infrastructure, either directly or by using an internal active component as stepping-stone. To secure ToIP availability and Quality of Service, all active elements, including terminals, will be considered as sources of potential (intentional or unintentional) attacks. Thus, security of ToIP applications must not only be considered at the infrastructure border, but also at the core, i.e. as close to the services to be protected as possible. Each active element, each terminal, is likely to generate or relay attacks. Therefore, efficient filtering must be provided between applications and users, and between applications themselves. 
Streams will be analyzed on all network interfaces, between applications and users (subscribers or cooperative applications), and applications will be isolated in a dedicated network area called the Trusted Multimedia Zone (TMZ). The TMZ is therefore a sanctuary for vulnerable servers.
Figure 6: Trusted Multimedia Zone

3.1.2 TMZ partitioning

In the simplest situation, all services necessary to a ToIP application are dedicated to this application, including the directory, DNS and messaging, which are separated from the data application services. They may then be positioned in a common TMZ. However, according to the level of convergence required by the Organization, some services could be pooled between voice and data applications (e.g. directory, messaging and DNS). In this case, the TMZ could be partitioned into several sub-areas (e.g. two):

- One for applications dedicated to ToIP: call managers, ToIP DHCP, data backup
- One for voice and data pooled services: messaging, DNS, directory

TEOZ will be positioned on the LAN, at the center of a triangle formed by the LAN and the two sub-TMZs. TEOZ will then be able to filter the streams between the LAN and the TMZ, and between both sub-TMZs.

3.1.3 Two filtering levels

The TMZ is created by adding a second filtering stage, at the infrastructure core, which complements the edge filter. The two filtering stages are the following:

1st stage:
  o At the data border: access control to the network (which protocols, ports and addresses to control?)
  o At the voice border: access control to the network and peering as applicable (advanced NAT and protocol translation)
2nd stage, at the core: content control (syntax, consistency of packets and protocol sessions)

Such architectures, composed of two filtering levels (border and core), are already well known in other critical applications such as web services (HTTPS, SOAP, XML, etc.), FTP or SQL databases. In each case, core filtering is achieved through specialized items (web firewalls, SQL firewalls, FTP firewalls, etc.) that differ from the border items. It is also worth noting that these specialized items are designed and marketed by specific providers, because their business models differ from those of edge firewalls.
The TMZ notion, created with TEOZ, is applicable to another critical application: ToIP.
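To make the partitioned TMZ and the two-stage filtering concrete, here is an added example in Python that is not TEOZ code and not part of the original document: a core (second-stage) filter that knows three zones (LAN, a ToIP sub-TMZ and a shared-services sub-TMZ), allows only the declared client-to-server flows, keeps a session table so that replies to an authorised session pass without a separate rule, and denies everything else. The zone addressing, the port numbers and the policy itself are constructed assumptions; in particular, the policy deliberately lists nothing from the shared sub-TMZ toward the ToIP sub-TMZ, so a compromised pooled service (DNS, messaging, directory) cannot open sessions toward the call managers.

```python
"""Zone-based stateful core filter for a partitioned TMZ (added example).
Zones, addresses, ports and the policy are constructed assumptions, not TEOZ values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The three areas separated by the core filter (assumed addressing)
ZONES = {
    "LAN": ip_network("10.10.0.0/16"),         # users and terminals
    "TMZ_TOIP": ip_network("10.20.1.0/24"),    # call managers, ToIP DHCP, backups
    "TMZ_SHARED": ip_network("10.20.2.0/24"),  # messaging, DNS, directory
}

# Flows a client zone may initiate toward a server zone: {(proto, dst_port)}.
# Nothing is listed for TMZ_SHARED -> TMZ_TOIP: pooled services never open
# sessions toward the call managers, so their compromise does not spread.
ALLOWED_FLOWS = {
    ("LAN", "TMZ_TOIP"): {("udp", 5060), ("tcp", 5060)},      # SIP signalling
    ("LAN", "TMZ_SHARED"): {("udp", 53), ("tcp", 143)},       # DNS, messaging (IMAP, assumed)
    ("TMZ_TOIP", "TMZ_SHARED"): {("udp", 53), ("tcp", 389)},  # DNS, directory (LDAP, assumed)
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The server-to-client direction of this flow."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it belongs to no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


class CoreFilter:
    """Second-stage (core) filter: default deny, plus a session table so that
    replies to an authorised session are accepted without a separate rule."""

    def __init__(self) -> None:
        self.sessions = set()  # authorised flows, client -> server direction
        self.denied = []       # audit trail (reason, flow) for the administrator

    def decide(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        flow = Flow(proto, src, sport, dst, dport)
        if flow in self.sessions:
            return "ALLOW"           # further packets of a known session
        if flow.reverse() in self.sessions:
            return "ALLOW_REPLY"     # server answering an authorised client
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is None or dst_zone is None:
            self.denied.append(("unknown-zone", flow))
            return "DENY"
        if (proto, dport) in ALLOWED_FLOWS.get((src_zone, dst_zone), set()):
            self.sessions.add(flow)  # new session: remember it for the reply path
            return "ALLOW"
        self.denied.append(("no-rule", flow))
        return "DENY"

    def close(self, proto: str, src: str, sport: int, dst: str, dport: int) -> None:
        """Forget a session (e.g. after a BYE or TCP FIN), closing the reply path."""
        self.sessions.discard(Flow(proto, src, sport, dst, dport))
```

The session table is what distinguishes the core filter from a static access list: the reply path from the call manager to a terminal exists only while the client-initiated session is open, and `close()` removes it again. Real products also tie this to the protocol state (a SIP dialog ending, a TCP connection closing), which is what the PEM's stateful engine described later does.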
Figure 7: the two filtering levels (diagram: web services / e-business / ERP / CRM behind an HTTP, XML, SOAP application filter; FTP(S) services behind an FTP application filter; databases behind an SQL application filter; ToIP / unified communications; internal users, the IP WAN and the PSTN on the outside. Caption: the use of specialized items is already standard for critical applications)

3.2 Real-time IP application-layer analysis: Protocol Expert Module (PEM)

The solution is based on this set of services. The Protocol Expert Module is a firewall (IDPS) dedicated to voice and video applications. It is characterized by a comprehensive knowledge of the standard protocols (SIP, H.323, MGCP, RTP, RTCP, SDP, etc.) and by its capability to embed analysis modules for proprietary (e.g. Alcatel-Lucent) or specific (CSTA ASN.1) protocols.

The main advantages of the PEM technology are:

- Implementation of different protection techniques working in synergy to protect the network, application and content layers
- High performance through the seamless integration of the analysis engines into one consistent architecture
- Homogeneous administrative environment (graphical interface)

The main security functions implemented in the PEM are:

- Stateful IP filtering:
  o State engine for Layers 3 & 4
  o Authorization/denial of protocols, ports, addresses
  o Dynamic opening/closing of ports
- Analysis of IP application layers:
  o Compliance analysis of protocol syntax (compliance with RFCs or proprietary specifications)
  o Compliance analysis of application protocol behavior
  o Protocols supported: SIP, MGCP, H.323, RTP, RTCP, RTSP, CSTA, SSL, SNMP, SQLnet, Netbios, DNS, FTP, TFTP, HTTP, proprietary protocols
- IDPS based on contextual signatures

The engine used by the PEM is the first real-time technology that combines stateful IP filtering techniques with application-layer analysis techniques. The protection is based on stream analysis at the level of the inter-application communication protocols. RFC or proprietary specification compliance is used to detect attacks such as:

- Redirection
- Call interception
- Denial of service

However, while compliance with the specifications ensures communication quality, the specifications are not written with system security in mind. As a result, some attacks do not violate the protocol specifications. Checking that the protocols follow their expected behavior allows the following attacks to be blocked:

- Encapsulation of peer-to-peer protocols (instant messaging, file sharing, communications, etc.)
- Directory browsing, where an attacker can get control over an HTTP service by using abnormal requests in the URL
- Buffer overflows due to unusually long requests
- Transport of malicious data in application-layer requests (code injection, use of reserved bytes, etc.)

By analyzing the applications and controlling their operation, the analysis engine defines their expected behavior. A violation of the security rules generates a preventive action (active response) and/or an alert message to the administrator. Unlike strictly reactive methods (based only on signatures), the engine protects the ToIP system against unknown and complex attacks. The PEM is frequently updated to keep up with the evolution of protocols and to add new protocol tests.

Protocol-specific rules can also be configured:

- Restrict/ban commands
- Restrict parameters (request sizes, etc.)

This level of control is configured by the administrator.
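The syntax checks, behavior checks and administrator-configured limits described above can be illustrated with a small SIP request inspector. The following Python code is an added example, not PEM code and not part of the original document; it is a deliberately simplified version of the idea (no header folding, no SDP body analysis, request messages only). The policy keys, the limit values and the sample messages are constructed assumptions. It refuses oversized input before parsing, checks the request line and the mandatory header fields against RFC 3261, verifies that the CSeq method and the Content-Length agree with the message (consistency, not just syntax), and applies the two configurable rule types the text names: banned commands and restricted parameter sizes.

```python
"""Simplified SIP request inspector (added example, not PEM code).
Policy keys, limits and sample messages are constructed assumptions."""
import re

# Administrator-configurable policy (constructed values; key names are assumed)
POLICY = {
    "allowed_methods": {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"},
    "max_message_bytes": 4096,   # oversized requests are dropped unparsed
    "max_header_bytes": 512,     # unusually long header lines (overflow attempts)
    "max_uri_bytes": 256,        # abnormal request URIs
}

# RFC 3261 request line: Method SP Request-URI SP SIP-Version
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
# Header fields every request must carry (RFC 3261 section 8.1.1)
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")
# Compact header names (RFC 3261 section 7.3.3) mapped to their long form
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}


def inspect_sip_request(raw: bytes, policy: dict = POLICY) -> list:
    """Return the list of syntax/policy violations; an empty list means the request passes."""
    if len(raw) > policy["max_message_bytes"]:
        return ["message-too-large"]            # never parse oversized input
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ascii-bytes"]              # high/reserved bytes in signalling
    if "\r\n\r\n" not in text:
        return ["missing-header-terminator"]
    head, body = text.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    findings = []
    if any(c < " " and c != "\t" for line in lines for c in line):
        findings.append("control-characters")   # e.g. NUL bytes hidden in headers
    match = REQUEST_LINE.match(lines[0])
    if not match:
        findings.append("malformed-request-line")
        return findings                         # nothing further can be trusted
    method, uri = match.groups()
    if method not in policy["allowed_methods"]:
        findings.append("method-not-allowed:" + method)   # "ban commands" rule
    if len(uri) > policy["max_uri_bytes"]:
        findings.append("uri-too-long")
    headers = {}
    for line in lines[1:]:
        if len(line) > policy["max_header_bytes"]:
            findings.append("header-too-long")  # "restrict request sizes" rule
        if ":" not in line:
            findings.append("malformed-header")
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    for field in MANDATORY:
        if field not in headers:
            findings.append("missing-header:" + field)
    # Behavioral consistency: CSeq must name the request's own method
    cseq = headers.get("cseq")
    if cseq is not None:
        parts = cseq[0].split()
        if len(parts) != 2 or not parts[0].isdigit() or parts[1] != method:
            findings.append("cseq-mismatch")
    # Declared body length must match the bytes actually carried
    declared = headers.get("content-length")
    if declared is not None:
        if not declared[0].isdigit() or int(declared[0]) != len(body.encode("ascii")):
            findings.append("content-length-mismatch")
    return findings


# Constructed sample messages (addresses and identifiers are made up)
GOOD = (b"INVITE sip:alice@tmz.example SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 10.10.5.20:5060;branch=z9hG4bK776asdhds\r\n"
        b"Max-Forwards: 70\r\n"
        b"From: Bob <sip:bob@example>;tag=1928301774\r\n"
        b"To: Alice <sip:alice@tmz.example>\r\n"
        b"Call-ID: a84b4c76e66710@10.10.5.20\r\n"
        b"CSeq: 314159 INVITE\r\n"
        b"Content-Length: 0\r\n\r\n")
OVERLONG_HEADER = GOOD.replace(b"branch=z9hG4bK776asdhds", b"branch=" + b"A" * 600)
BANNED_METHOD = GOOD.replace(b"INVITE", b"SUBSCRIBE")     # SUBSCRIBE not in the policy
CSEQ_MISMATCH = GOOD.replace(b"CSeq: 314159 INVITE", b"CSeq: 314159 BYE")
BAD_LENGTH = GOOD.replace(b"Content-Length: 0", b"Content-Length: 120")


def run_samples() -> dict:
    """Inspect every constructed sample; the result maps sample name to findings."""
    samples = {"good": GOOD, "overlong": OVERLONG_HEADER, "banned": BANNED_METHOD,
               "cseq": CSEQ_MISMATCH, "length": BAD_LENGTH}
    return {name: inspect_sip_request(msg) for name, msg in samples.items()}
```

In a deployment the findings list is what drives the active response or the administrator alert; the point of the CSeq and Content-Length checks is that each message is well-formed in isolation, so a pure syntax check passes it, and only a consistency check catches it.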
An analysis module (each protocol is associated with its own module) acts as a configuration object that can be associated with a service, the parameters of which are defined by the administrator.

3.2.1 Stateful IP filtering

This section describes the specifications of IP filtering and the checks performed at the different OSI layers, up to the Transport Layer. The specifications of the application-layer checks (up to OSI Layer 7) are described in the following section on application-layer analysis.
More informationinternet technologies and standards
Institute of Telecommunications Warsaw University of Technology 2015 internet technologies and standards Piotr Gajowniczek Andrzej Bąk Michał Jarociński multimedia in the Internet Voice-over-IP multimedia
More information