ToIP PROTECTION ITEM DESCRIPTION V2.1

Size: px
Start display at page:

Download "ToIP PROTECTION ITEM DESCRIPTION V2.1"

Transcription

1 ToIP PROTECTION ITEM DESCRIPTION V2.1 Edition 4.0 p. 1/58 RSS/SSI/TeS/DCF/FH-PhD,07/32 September 2009 Les informations contenues dans ce document demeurent la propriété du groupe THALES and ne doivent pas être divulguées par le destinataire à des tiers sans l accord écrit de THALES. Information contained in this document is the exclusive property of THALES Group and cannot be disclosed to a third party by the user without written authorisation given by THALES Communications

2 1. TOIP AND SERVICE SECURITY ToIP architectures and protocols Introduction H.323 protocol SIP (Session Initiation Protocol) MGCP (Media Gateway Control Protocol) Proprietary technologies ToIP services ToIP security: background and stakes From ISDN to ToIP The challenges The security stakes and 2010: the critical years 9 2. WHAT PROTECTION FOR TOIP? Functional security blocks Network segmentation Access control at the edge of the data network Access control at the edge of the telephony network Network authentication Integrity and confidentiality of signaling and communications Server and application authentication Core filtering in front of servers: stream safety Focus: an application-layer filter to protect ToIP servers SBC, edge firewall, application-layer firewall Edge firewalls Session Border Controller (SBC) Application-layer protection for servers Conclusion TEOZ: APPLICATION-LAYER SECURITY SOLUTION FOR TOIP TMZ: a sanctuary for voice and video applications TMZ TMZ partitioning Two filtering levels Real-time IP application-layer analysis: Protocol Expert Module (PEM) Stateful IP filtering Application-layer analysis Contextualized signatures IDPS Synthesis ToIP threats Examples in Layers Usage analysis and control: Session Expert Module (SEM) Description Supported protocols SEM module actions Examples of threats prevented by the SEM function Network functionalities IP translations Routing Connectivity, VLAN, aggregation Quality of Service (QoS) DHCP Date and time High availability (clustering) 43 2 / 58

3 3.5.1 Principle VRRP (state protocol) Active/Passive mode Active/active mode Cluster supervision High Availability (OXE spatial redundancy) Hardware technology Licenses PEM module administration Secured access Configuration tool Supervision Logs Master/slave supervision architectures SEM module administration Updates Updating the software Updating IDPS Synthesis TEOZ 2000 and TEOZ Hardware characteristics Security-safety TEOZ 2000 performance TEOZ 3500 performance Alcatel-Lucent inter-operability CONTACT INFORMATION 58 3 / 58

4 1. ToIP and service security 1.1 ToIP architectures and protocols Introduction H.323 protocol The H.323 protocol is the ITU Standard for audio-visual communication sessions on any IP network transmission. The H.323 protocol is currently associated with additional standards as H.225 (signaling) and H.245 (codec selection). To complement fax and data, RTP (Real-time Transport Protocol) is used for sending or receiving multimedia information. Further standards, as H450, provide supplementary services: call transfer, call forwarding, call hold, call waiting The H.323 system is composed of end-points, terminals, gateways, and gatekeepers (address resolution and bandwidth control). H.323 is the most commonly deployed ToIP (Telephony over Internet Protocol) protocol and is widely used within Internet real-time applications such as NetMeeting. However SIP (Session Initiation Protocol) will probably become the more prevalent protocol in the years to come SIP (Session Initiation Protocol) The SIP protocol is the IETF standard initially designed to create two-party or multiparty sessions. SIP is primarily used in ToIP applications; it is also used in application-layer sessions. The SIP roadmap allows its use in other media streams as video conferencing, video according to the development policy of the manufacturers. SIP is a text-based protocol, similar to HTTP, which can run on TCP, UDP or SCTP. SIP includes end-points (terminals, user agents (UA) ), proxy servers or redirect servers, location servers and registrars. These last two servers can be hosted in the proxy server. SIP has been selected as ToIP protocol for the fixed-mobile convergence of the IMS (IP Multimedia Subsystem) architecture defined by 3GPP and was then accepted for the TISPAN architecture as designed in ETSI. TISPAN and IMS have chosen other solutions for ToIP security: SIP is using TLS for TISPAN and is using IPSec for IMS MGCP (Media Gateway Control Protocol) MGCP is a client-server protocol developed by Telcordia and Level 3 Communications, unlike SIP and H.323 that operate in peer-to-peer or client-client modes. MGCP was first used by American cable operators who wished to add phone services to their cable TV offerings. MGCP is a stimulus protocol, the endpoints being "low-intelligence" devices: the protocol is only used to carry keystroke information from the subscriber s set to a central server. The server will then interpret the keystrokes to execute the corresponding actions. This protocol can then be used with all (analog or digital) terminals already installed at the clients facilities, and ToIP services can be deployed without impacting the existing terminal population. Similarly, ADSL Internet access providers and Centrex IP operators use this protocol: the central server controls the subscriber s set. 4 / 58

5 1.1.4 Proprietary technologies Although standard protocols as SIP are the most widely used, the offers of many ToIP providers are based on proprietary technologies. Example: Cisco: Skinny Client Control Protocol (SCCP or Skinny) Nortel: Unisteam Mitel: Minet Alcatel-Lucent: Universal Alcatel (UA) Siemens: Hipath Feature Access (HFA) These protocols often derive from ISDN technologies and consist in a transition to IP, their objectives are to: Keep a functional phone system, identical to the existing ISDN, that what the standard protocols were not capable of at the beginning Ensure smooth transition from ISDN to IP Ensure a captive market for terminals The related architectures vary widely from one provider to another, although the components are the same for all technologies. As the SIP protocol becomes mainstream and develops with manufacturers offering full SIP offers such as Aastra or Avaya proprietary technologies may lose ground. However, in 2009, proprietary technologies are still used and represent the lion s share of corporate customers. 1.2 ToIP services As we use a telephone every day, this technology seems to be rather simple. However, the services provided by PABX, then by IPBXs, are complex and numerous, and depend on the manufacturers. Moreover, additional services as CTI (Computer Telephony Integration), and connections to IP applications are available. The main telephone services are: Black lists Recall Hold Call transfer Multi-party conference Call trace Calling line identification presentation Caller ID block Authentication IVR (Interactive Voice Response) Tone management (hold, transfer ) Messaging Interface conversion (Trunking mode) Vocoder conversion IPBX interconnection 5 / 58

6 1.3 ToIP security: background and stakes From ISDN to ToIP In ISDN architectures, voice and data applications are strictly separated: Distinct networks Distinct terminals Distinct services And distinct threats ISDN PBX ISDN WAN IP (MPLS) Figure 1: RNIS architecture With ToIP, this is no longer the case: Integrated networks (at least at the hardware level) Pooled terminals Converged services And shared threats IPBX WAN IP (MPLS) ISDN Figure 2: ToIP architecture Although simple in appearance, convergence will be the source of complexities, first in terms of infrastructure, service and information security The challenges We have to face it: ToIP is intrinsically vulnerable, because of several factors such as: Migration to IP. Telephony is becoming a common application in its design, which uses standard software components that do not integrate security requirements. The component vulnerability is then transmitted to telephony applications. Number of network elements implemented: a ToIP infrastructure will use several hundreds to several tens of thousands of network elements (routers, switches, servers, terminals ). Each one being a potential entry point for threats. Especially, ToIP terminals are functionally similar to computers, with operating systems, stacks, http services, ftp services this phenomenon is further accelerated by the development of virtual terminals (softphones). Hacking the iphone through SMS reveals the potential weakness of terminals in an infrastructure. 6 / 58

7 Variety and complexity of protocols: whether they are standard or proprietary, the complexity of ToIP protocols is far greater than the protocols currently used in data applications: semantics, sequencing and successions of multi-protocol sessions required for communication. This is no longer the question-response mode currently used for data exchanges. Besides, most of standard protocols are open, and offered in various implementation configurations, according to the manufacturers, with proprietary extensions. SIP is therefore renowned for its misleading simplicity. Interconnection with data networks: by construction, partition of voice and data networks is limited. To benefit from service convergence, resources, as directories, messaging, or DNS and DHCP services, will have to be shared. Integration can be further extended for softphones, instant messaging, CTIs. Voice and data services are susceptible to their mutual vulnerability, with possible crosscontamination. Availability and Quality of Service (QoS) specifications are also to be considered, and telephony services must meet our daily requirements. ToIP must meet these expectations in an open environment. Telephony is also critical for companies: any malfunctioning may lead to loss of revenues, loss of opportunities and loss of efficiency. Moreover, emergency calls should be made at any time, to meet safety obligations and address personrelated hazards. Service availability is a key point, even though alternative solutions such as messaging, e-business, mobile telephony, and collaborative work, etc. are spreading rapidly. Finally, there is a great rush to market products and services based on ToIP. Rapid development and short time-to-market are decisive for the providers work. Comprehensive and native security implementation is considered, whether right or wrong, as a complication factor that slows down availability. As a result, fraud and attacks increase significantly: these new means of communication are diverted from their original use, and their weaknesses are exploited The security stakes They are classified in four categories: Confidentiality 1. Signaling confidentiality, which is too often disregarded. Non-encrypted signaling allows the network topology, stream matrixes, applications and protocols to be discovered and attack strategies to be developed. 2. Communication confidentiality: to protect the strategic data of the company (know-how, strategy, finances, commercial offers, litigations, conflicts ) that can be used in fierce economic competition, whatever the field of activity and size of the company (this issue is often neglected by too many companies) and to protect personal data (privacy) exchanged during phone conversations. This is the case for administrations (income tax and social services, health services, legal services ), and private sector (banks, insurance companies, human resource departments ). Many States require confidentiality of personal data stored and exchanged in information systems, including phone systems. Traditional telephony is considered as safe because we assume that tapping is not possible without physically acting on the devices. IP communications are vulnerable to call interceptions (tapping) as other IP applications, especially if voice and data applications and networks are not sufficiently segmented. In addition, segmentation (VLANs) is not the ultimate solution. 7 / 58

8 Availability The purpose of ToIP is to deliver the % availability of ISDN telephony. If the new technological base seems to be unable to deliver this availability, the target is however 99.99%, which is high for a computer application. To achieve this performance, suitable resilient architectures will be implemented, with related energy supply and air conditioning. Unavailability due to aggressive streams or behaviors must also be prevented. Migration to IP makes the availability of the phone service more vulnerable to internal and external denials of service. Because of the sensitivity of telephone systems, a slightly downgraded Quality of Service makes the application unavailable: attacks are much more subtle than bandwidth saturation. Such attacks may alter the traffic and prevent access to the company s data. There are two ways of generating denial of service attacks in ToIP: o Making unavailable by saturation, freeze or isolation the resources indispensable for the application operation (call server, directory, DNS ). Note: for ToIP, saturation can be achieved with a low bit rate, or a great number of connections, therefore attacks can be rather furtive. o Discouragement of use: making the terminals ring randomly until call pickup is abandoned; downgrading the communication quality by changing codecs or introducing jitter; aborting calls by introducing latency or interfering on packet routing. Finally, denial of service can occur upon technical failures, especially when using low-cost technologies of insufficient maturity (e.g. some SIP terminals). Fraudulent, unlawful or abusive use The abusive use of telephone services charged to companies is already widespread in ISDN technology: call forwarding to premium-rate or international numbers, conference bridges to connect external subscribers free of charge The objective is not only to detect fraudulent use e.g. intrusion in the system for mercantile purposes but also to detect abusive use of their rights by authorized subscribers. Identity fraud This is related to confidentiality and fraud. It involves identity spoofing or stealing the personal details of a user either to have access to unauthorized rights or privileges, or to deceive a correspondent. Besides direct risks, there is a risk to compromise the trust in financial and state certifications (SOX, Bale II, LOF ) by weakening the non-repudiation mechanisms. Civil and penal responsibility It deals with the liability of Organization A whose ToIP system would be hacked to harm Organization B. In this case, and according to the losses, Organization B is entitled to have Organization A condemned, and to ask for civil remedies by law. Risks in terms of finance and image can be substantial. Therefore Organization A must detect intrusions and stepping-stone attacks beforehand, and in case of an attack as security is not infallible demonstrate its goodwill. Nuisances like SPAM SPIT (Spam over Internet Telephony) and SPIM (Spam over Instant Messaging) may become nuisances for ToIP. In comparison, more than 90% of s are now considered as SPAM, and there is no reason that this be different for ToIP and instant messaging. 8 / 58

9 and 2010: the critical years In computer security, it has been demonstrated that, when a new application is widely deployed, it takes about 3 years for the protection and security aspects to be considered. This is due to the following reasons: Rush to market Time necessary for the actors to apprehend the application vulnerability, deployment, impact and interactions with infrastructures, and induced uses and behaviors The year 2009 is a milestone for ToIP: during seminars, customers are no longer asking if ToIP must be secured, instead they are rightfully asking: what do you suggest to secure ToIP?. Similarly, quality of protection becomes a selection issue for ToIP systems, with significant impact for the manufacturers. Besides, this 3-year delay is also observed in hacking. Most intrusions or frauds are no longer committed by individuals for notoriety, but are attempted by criminal organizations, strictly for mercantile purposes: stolen data or topology information can be sold to third parties or serve for blackmail (e.g. denial of service or disclosure). These operations require comprehensive knowledge of applications, which takes time and requires investments for their development, with risk-taking in their execution. The return on investment must be sufficient; two main factors can be considered: Criticality level of the application for the Organization: coverage rate, maturity, embedment in the IS, and impact on operations. This will determine the marketing and blackmail value of the data. Extent of computer population: wide application coverage results in increased vulnerability and higher profits from frauds. Three to four years are required for these two parameters to become mature: this is the case in 2009 and / 58

10 2. What protection for ToIP? 2.1 Functional security blocks The next figures summarizes the main components of ToIP protection: Servers authentication Integrity and confidentiality of communications Streams safety Call servers Hiding, translation («peering») Network authentication ISDN Integrity and confidentiality of signaling IP WAN (MPLS) Voice/data/video/administration segmentation Figure 3: bricks for protection Access control to network, NAT, pinholing Network segmentation To avoid stepping-stone attacks from the data network to the voice network, streams will be segmented into different virtual (if not physical) networks. There are four virtual networks: voice, data, video, and administration. This is achieved through VLAN technologies. If this measure is necessary and of common sense it is far from being sufficient, even if some users do believe it. There may exist bridges between these 3 VLANs: To benefit from convergence, some applications will be used by ToIP services/terminals, and by data services/terminals as well: messaging, directories, DNS, DHCP. Some terminals can give access to both voice and data networks. E.g. PCs with softphones. A voice/data/video infrastructure for corporate customers will implement several hundreds to several thousands of routers, switches, gateways that will be configured to support VLANs. Is there any network operator to claim that VLAN configuration will be perfect and coherent any time? Even though the VLAN configuration would be ideal, Inter-VLAN bridging is easy for experienced technicians. 10 / 58

11 2.1.2 Access control at the edge of the data network This is the current edge firewall, which often exists before ToIP implementation. The ToIP functionalities required for this firewall are limited to the border (see 4.3) Access control at the edge of the telephony network We have two situations to consider: peering (network interconnection) and filtering (access control) specific to voice streams. For peering, there are two functional needs: Hiding the Organization network from the operator and vice versa. This will require advanced NAT functions, more complex than the functions proposed by edge firewalls. Translating the protocols used in the Organization network into those used in the operator network, and vice versa. Some networks may use Session Border Controllers (SBC) (see 4.3.). For specific filtering, we can use a voice application firewall Network authentication It is possible to use a protocol as the 802.1x protocol, currently offered by providers Integrity and confidentiality of signaling and communications These services are provided by stream encryption. All providers currently propose stream encryption, activated by default or not, the key point being the impact on deployments and performances. Free encryption services must not be trusted, because their performances are not constant: hardware will have to be changed or added, and not free of charge. Several technologies are available: Ipsec, SIP-TLS for signaling SRTP for communications Server and application authentication Network authentication is not enough. An effective solution must ensure that only authorized terminals connect to ToIP services: this is signaling encryption. This is achieved through sharing of certificates and encryption keys Core filtering in front of servers: stream safety This block will provide complex content control functions and call session control functions that cannot be ensured by edge firewalls. This function is useful in front of servers, because it controls all data streams between terminals and servers and between servers. Only an application-layer filter, specific to ToIP, is capable of meeting this requirement. 11 / 58

12 2.2 Focus: an application-layer filter to protect ToIP servers As we have seen in the previous chapters, a security package for ToIP must address all threats pertaining to IP as well as to ISDN. Most security packages currently available with the ToIP label focus on the IP aspects (often partially), and just extend standard solutions of network security packages to telephone applications, without considering the specific threats to systems and protocols and their particularities. An application-layer protection mechanism for ToIP must be multi-functional to address all levels of protection (see 4.3.3). 2.3 SBC, edge firewall, application-layer firewall Firewall, application-layer analysis, SBC as seen in Section 4.1 Functional security blocks, these three components are required to efficiently protect ToIP services. They are, however, not interchangeable, in spite of what some providers might make believe, source of confusion for users. The purpose of this section is to clarify the definition of each of these items Edge firewalls These devices were developed in the 90 s when companies were connected to the Internet. The purpose was to protect companies intranets from potential threats due to the Internet and to control incoming and outgoing streams. Firewalls were designed to decide what network traffic should be let through or blocked, through Internet or MPLS connections: what protocols, ports, and addresses to control? Firewalls have generally limited or inexistent content control functionalities, because this control level is resource consuming. To be effective, edge filtering would require controlling all protocols accessing to the network at that point. As a result, the size would need to increase, with significant risks of congestion. How and where to deny service to voice protocols by blocking POP3 or http traffic? Besides, firewall engines were designed to handle simple protocols, which operate on a request-response mode, as http or POP3. They are therefore not suited to complex ToIP protocols and sessions. The ToIP functionalities of the firewalls can be broken down into two categories: Dynamic opening and closing of secondary communication ports (pinholing). Edge firewalls are often already installed when ToIP is deployed, and users do not want to change them. ToIP uses successive protocol sessions to establish and maintain communications: first a primary session (e.g. signaling) with predictable characteristics (protocols, ports ) that can be included in the firewall filter. However, the primary session is used to initiate secondary sessions (e.g. communications) with random characteristics especially ports that have been defined during the primary session. Therefore, we have two possible situations: o The edge firewall is not able to decode the data exchanged during the primary session: by default, all communication ports likely to be used by the secondary communications will have to be opened. This is canceling the border filter otherwise outgoing/incoming communications could not get through the firewall. This situation prevailed for first ToIP deployments. 12 / 58

13 o The edge firewall is able to decode the data exchanged during the primary session: only the necessary ports are dynamically opened at the start of the secondary session, and closed at the session s end. Related security flaws are then suppressed. Network Address Translation in Layer 7 ToIP protocols send address data in Layer 3 as well as in Layer 7. Addresses are often private on the LAN and therefore will be translated into public addresses at the border for routing over the operator s or ISP network (NAT: Network Address Translation). If the edge firewall in charge of this function performs NAT in Layer 3 only, the private addresses will remain in Layer 7 and communications could not be established. NAT will have then to be performed in Layer 7 also. That was not the case in original edge firewalls. These two functionalities are the only ones absolutely necessary in edge firewalls, and are therefore the only ones to be implemented. They require retrieving the data available in Layer 7 (application-layer). Many providers propose firewalls with application-layer analysis capabilities, which is abusive, because no security control is performed at that level, but only research or modification of parameters. Security controls operate in Layers 3 and 4. As pinholing and NAT do not allow the progress of application-layer sessions to be controlled, which is the purpose of application-layer analysis, they do not need to be implemented at the border Session Border Controller (SBC) SBCs are border devices. Unlike edge firewalls described in the previous chapter, they are located at the border of the voice infrastructure, at the connection of the operator s SIP or H.323 trunk. The SBC role is fundamentally the interconnection of Internet networks (peering). SBCs are provided with a suitable functional application content, to cover the following needs: Network topology hiding: the Organization must not know the network of its operator and vice versa. This is achieved through advanced NAT functions that can hide data other than address data. Protocol translation: for the transparent interconnection of networks that do not use the same protocols or same protocol implementations (e.g. SIP to H.323, or SIP A to SIP B ). Traffic and user management: o Application routing: e.g. for incoming calls, with SIP, to softswitches. o Managing overflows: e.g. routing too many outgoing calls to Internet or PSTN connections. o Call/session admission control o SIP registrar and RAS Gatekeeper. Originally, SBCs were used to interconnect operators networks. With the arrival of the H.323 trunk, then SIP trunk, functional needs now exist for companies/operators interconnections Application-layer protection for servers Although they operate at the application level, SBCs are not designed to be used in the infrastructure core, i.e. to protect servers. Their functional strong points (see previous section) are of limited use. 13 / 58

14 Application-layer protection for servers will focus on the following aspects: Precision analysis of protocol streams: to ensure session syntax, consistency, and integrity: o Checking the content and format of packets and packet fields. o Checking the consistency and integrity of a primary session on Protocol A. o Checking the opening of the secondary sessions (Protocols B, C ) started by Protocol A. o Checking the consistency and integrity of secondary sessions (Protocols B, C ). o Checking the consistency of secondary sessions (Protocols B, C ) with what was expected during the primary session (Protocol A). ToIP protocols, sessions and session links are much more complex than what was previously known in data services. Suitable engines will have to be implemented and the protocol technologies used by the providers will have to be precisely known. Finally, standard protocols (SIP ), proprietary protocols and proprietary extensions of standard protocols will have to be comprehensively considered. Fight against fraud, abusive use, SPIT This service can be provided at protocols: telephone session parameters (E.164 numbers, call directions, time stamp, codecs ) will have to be retrieved and compared to specific rules. This requires advanced analysis capability of protocols, and the implementation of a specific engine, different from the engine that handles protocols. Support of back office streams For an efficient and comprehensive operation that has minimum impact on the infrastructure operation, the application-layer filter will be capable of managing protocols or streams that can only be seen at the servers (e.g. CSTA phases 2 and 3 and redundancy streams). Support of ToIP traffic profiles The application-layer filter deployed in front of ToIP servers will be sized and tested according to traffic profiles very different from what is know at the network border. The filter will allow server restart i.e. simultaneous reconnection of all terminals to servers within a short time. The platform will therefore not be sized to throughput data (traditional performance indicator for firewalls and IDPS), but to very short and very aggressive session bursts. Real-time stream processing The ToIP application-layer filter will have no impact in terms of latency and jitter, key parameters for the quality of the phone services. Therefore, the filter will especially implement: o Processor technologies specialized in network and security, with sets of specialized instructions: multi-purpose industrial PCs will thus be excluded. o Software architecture that optimizes processing operations. o Advanced hardware/software integration. o Low use of hardware resources to avoid congestion areas, including during the most critical burst phases. High availability The application-layer security solution will be included in the ToIP SLA, including 99.99% availability. It will offer functionalities to achieve this rate. Contractual agreements between manufacturers and ToIP providers will include this requirement. 14 / 58

15 Integration, validation, simulation capabilities The manufacturer of the ToIP application-layer security solution will be provided with laboratories able to reproduce actual client environments: o Complete systems with related applications o Skills for realistic and binding configuration setting o Simulations tools for traffic and providers terminals, for realistic simulation of the behavior of a real infrastructure Cooperation with ToIP providers Only close cooperation with ToIP providers will meet these requirements: o Access to detailed technical specifications o Advanced access to technical developments (roadmaps synchronization) o Access to R&D expertise o Access to test and simulation environments o Implementation of suitable support and escalation processes Anyway, reverse engineering is potentially very risky for end-users Conclusion Edge firewalls, SBCs and application-layer security solutions have distinct characteristics and purposes: their functional contents are therefore different. Some confusion may remain, sometimes created by providers. Strictly in terms of presence/absence of functions, these three items may seem equivalent. If the lists of functions can be similar, the completeness and maturity level of each solution make them not interchangeable. Checking the presence or absence of a function is not enough: this function must be weighted according to its quality. We then obtain a functional center of gravity that varies from one solution to the other. The next figure illustrates the positioning of each solution: Performance Edge FW TEOZ SBC Routing QoS Data protocols Analysis engine Voice protocols Network interconnection Figure 4: functional weighting 15 / 58

16 As a conclusion, the next figure summarizes the position of each item: Voice / Video servers SBC Distant subscribers Voice IP WAN Firewall Distant subscribers Data IP WAN / Internet Figure 5: positionning in the network 16 / 58

17 3. TEOZ: application-layer security solution for ToIP TEOZ is an application-layer security solution for ToIP: it is designed for the sole purpose of protecting the applications critical to ToIP. TEOZ is embedded in the Organization s network to create a Trusted Multimedia Zone (TMZ) that hosts sensitive devices as servers. The next sections describe the notion of TMZ and the proposed application-layer security services offered to IP and telephony systems. 3.1 TMZ: a sanctuary for voice and video applications TMZ As described in the first part of this document, multimedia applications and especially ToIP will become the next major target for attacks, due to Quality of Service sensitivity and fraud potential. Application availability is critical for the Organization and has strong psychological effects. Therefore, suitable security mechanisms should be implemented, at the organizational and architectural levels and at the technical level as well. These measures must be more consistent than those currently available for data or messaging services, which accept downgraded Quality of Service. Attacks to ToIP can be launched from outside, however, in view of what has been happening in computer networks for several years, many attack have been and will be launched from inside the infrastructure, either directly or by using an internal active component as stepping-stone. To secure ToIP availability and Quality of Service, all active elements, including terminals, will be considered as sources of potential (intentional or unintentional) attacks. Thus, security of ToIP applications must not only be considered at the infrastructure border, but also at the core, i.e. as close to the services to be protected as possible. Each active element, each terminal, is likely to generate or relay attacks. Therefore, efficient filtering must be provided between applications and users, and between applications themselves. Streams will be analyzed on all network interfaces, between applications and users (subscribers or cooperative applications), and applications will be isolated in a dedicated network area called the Trusted Multimedia Zone (TMZ). The TMZ is therefore a sanctuary for vulnerable servers. 17 / 58

18 Figure 6: Trusted Multimedia Zone TMZ partitioning In the simplest situation, all services necessary to a ToIP application are dedicated to this application, including the directory, DNS and messaging, which are separated from data application services. Then, they may be positioned in a common TMZ. However, according to the level of convergence required by the Organization, some services could be pooled between voice and data applications (e.g. directory, messaging and DNS). In this case, the TMZ could be partitioned into several sub-areas (e.g. two): One for applications dedicated to ToIP: call managers, ToIP DHCP, data saving One for voice and data pooled services: messaging, DNS, directory TEOZ will be positioned on the LAN, at the center of a triangle formed by the LAN and the two sub- TMZs. TEOZ will then be able to filter the streams between the LAN and TMZ, and between both sub- TMZs Two filtering levels The TMZ is created through the creation of a second filtering stage, at the infrastructure core, which complements the edge filter. The two filtering stages are the following: 1 st stage: o At the data border: access control to network (what protocols, ports and addresses to control?) o At the voice border: access control to network and peering as applicable (advanced NAT and protocol translation) 2 nd stage. At the core: content control (syntax, consistency of packets and protocol sessions) These architectures are composed of two filtering levels border and core and are already well known in other critical applications as web services (https, soap, XML ), FTP or SQL databases. Anyway, core filtering is achieved through specialized items (web firewalls, SQL firewalls, FTP firewalls ) different from border items. It is also interesting to note that these specialized items are designed and marketed by specific providers, because their business models are different from edge firewalls. The TMZ notion, created with TEOZ, is applicable to another critical application: ToIP. 18 / 58

19 Web services e-business erp / crm HTTP, XML, SOAP app. filter FTP(s) services FTP app. filter Databases SQL app. filter ToIP Unified comm. internal users IP WAN The use of specialized items is already standard for critical applications PSTN Figure 7: the two filtering levels 3.2 Real-time IP application-layer analysis: Protocol Expert Module (PEM) The solution is based on this set of services. The Protocol Expert Module is a firewall (IDPS) dedicated to voice and video applications. It is characterized by a comprehensive knowledge of standard protocols (SIP, H.323, MGCP, RTP, RTCP, SDP ) and its capability of embedding analysis modules of proprietary (Alcatel-Lucent ) or specific (CSTA ASN.1) protocols. The main advantages of the PEM technology are: Implementation of different protection techniques working in synergy to protect network, application and content layers High performances through the consistency of the seamless integration architecture of analysis engines Homogeneous administrative environment (graphical interface) The main security functions implemented in the PEM are: Stateful IP filtering: o State engine for Layers 3 & 4 o Authorization/denial of protocols, ports, addresses o Dynamic opening/closing of ports Analysis of IP application layers: o Compliance analysis of protocol syntax (compliance with RFCs or proprietary specifications) o Compliance analysis of application protocol behavior 19 / 58

20 o Protocols supported: SIP, MGCP, H.323, RTP, RTCP, RTSP, CSTA, SSL, SNMP, SQLnet, Netbios, DNS, FTP, TFTP, HTTP, proprietary protocols IDPS based on contextual signatures The engine used by the PEM is the first real-time technology that combines stateful IP filtering techniques and application-layer analysis techniques. The protection is based on stream analysis at the level of the inter-application communication protocols. RFC or proprietary specification compliance is used to detect attacks such as: Redirection Call interception Denial of services However, if compliance with specifications ensures communication quality, the specifications are not defined with system security in mind. As a result, some attacks do not violate protocol specifications. Checking the compliance of protocols with their expected behavior will allow the following attacks to be blocked: Encapsulation of peer-to-peer protocols (instant messaging, file sharing, communications ) Directory browsing, where a hacker can get control over an HTTP service by using abnormal requests in the URL Buffer overflows due to unusually long requests Transport of malicious data in application-layer requests (code injection, use of reserved bytes ) By analyzing applications and controlling their operation, the analysis engine defines the expected behavior. Violation of security rules generates a preventive action (active response) and/or an alert message to the administrator. Unlike strictly reactive methods (based only on signatures), the engine protects the ToIP system against unknown and complex attacks. The PEM is frequently updated to keep up with the evolution of protocols and add new protocol tests. Protocol-specific rules can also be configured: Restrict/ban commands Restrict parameters (request sizes ) This level of control is configured by the administrator. An analysis module (each protocol is associated with its own module) acts as a configuration object that can be associated with a service, the parameters of which are defined by the administrator Stateful IP filtering This section describes the specifications of IP filtering and the checks performed at the different OSI layers, up to the Transport Layer. The specifications of application-layer checks (up to OSI Layer 7) are described in / 58

VOICE OVER IP SECURITY

VOICE OVER IP SECURITY VOICE OVER IP SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Session Initiation Protocol (SIP) The Emerging System in IP Telephony

Session Initiation Protocol (SIP) The Emerging System in IP Telephony Session Initiation Protocol (SIP) The Emerging System in IP Telephony Introduction Session Initiation Protocol (SIP) is an application layer control protocol that can establish, modify and terminate multimedia

More information

TECHNICAL CHALLENGES OF VoIP BYPASS

TECHNICAL CHALLENGES OF VoIP BYPASS TECHNICAL CHALLENGES OF VoIP BYPASS Presented by Monica Cultrera VP Software Development Bitek International Inc 23 rd TELELCOMMUNICATION CONFERENCE Agenda 1. Defining VoIP What is VoIP? How to establish

More information

How to make free phone calls and influence people by the grugq

How to make free phone calls and influence people by the grugq VoIPhreaking How to make free phone calls and influence people by the grugq Agenda Introduction VoIP Overview Security Conclusion Voice over IP (VoIP) Good News Other News Cheap phone calls Explosive growth

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

White paper. SIP An introduction

White paper. SIP An introduction White paper An introduction Table of contents 1 Introducing 3 2 How does it work? 3 3 Inside a normal call 4 4 DTMF sending commands in sip calls 6 5 Complex environments and higher security 6 6 Summary

More information

159.334 Computer Networks. Voice over IP (VoIP) Professor Richard Harris School of Engineering and Advanced Technology (SEAT)

159.334 Computer Networks. Voice over IP (VoIP) Professor Richard Harris School of Engineering and Advanced Technology (SEAT) Voice over IP (VoIP) Professor Richard Harris School of Engineering and Advanced Technology (SEAT) Presentation Outline Basic IP phone set up The SIP protocol Computer Networks - 1/2 Learning Objectives

More information

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method. A Brief Overview of VoIP Security By John McCarron Voice of Internet Protocol is the next generation telecommunications method. It allows to phone calls to be route over a data network thus saving money

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

Call Control Protocols and IPv6 in IP Video Solutions

Call Control Protocols and IPv6 in IP Video Solutions CHAPTER 4 Call Control Protocols and IPv6 in IP Video Solutions Revised: March 30, 2012, Protocols provide a complete set of specifications and suite of standards for communications between devices, This

More information

Basic Vulnerability Issues for SIP Security

Basic Vulnerability Issues for SIP Security Introduction Basic Vulnerability Issues for SIP Security By Mark Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com The Session Initiation Protocol (SIP) is the future

More information

An outline of the security threats that face SIP based VoIP and other real-time applications

An outline of the security threats that face SIP based VoIP and other real-time applications A Taxonomy of VoIP Security Threats An outline of the security threats that face SIP based VoIP and other real-time applications Peter Cox CTO Borderware Technologies Inc VoIP Security Threats VoIP Applications

More information

VOICE OVER IP (VOIP) TO ENTERPRISE USERS GIOTIS KONSTANTINOS

VOICE OVER IP (VOIP) TO ENTERPRISE USERS GIOTIS KONSTANTINOS VOICE OVER IP (VOIP) TO ENTERPRISE USERS GIOTIS KONSTANTINOS Master of Science in Networking and Data Communications THESIS Thesis Title Voice over IP (VoIP) to Enterprise Users Dissertation submitted

More information

Integrate VoIP with your existing network

Integrate VoIP with your existing network Integrate VoIP with your existing network As organisations increasingly recognise and require the benefits voice over Internet Protocol (VoIP) offers, they stop asking "Why?" and start asking "How?". A

More information

Curso de Telefonía IP para el MTC. Sesión 1 Introducción. Mg. Antonio Ocampo Zúñiga

Curso de Telefonía IP para el MTC. Sesión 1 Introducción. Mg. Antonio Ocampo Zúñiga Curso de Telefonía IP para el MTC Sesión 1 Introducción Mg. Antonio Ocampo Zúñiga Conceptos Generales VoIP Essentials Family of technologies Carries voice calls over an IP network VoIP services convert

More information

ETM System SIP Trunk Support Technical Discussion

ETM System SIP Trunk Support Technical Discussion ETM System SIP Trunk Support Technical Discussion Release 6.0 A product brief from SecureLogix Corporation Rev C SIP Trunk Support in the ETM System v6.0 Introduction Today s voice networks are rife with

More information

Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios

Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios An Oracle White Paper June 2013 Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios Introduction Voice

More information

Encapsulating Voice in IP Packets

Encapsulating Voice in IP Packets Encapsulating Voice in IP Packets Major VoIP Protocols This topic defines the major VoIP protocols and matches them with the seven layers of the OSI model. Major VoIP Protocols 15 The major VoIP protocols

More information

Overview of Voice Over Internet Protocol

Overview of Voice Over Internet Protocol Overview of Voice Over Internet Protocol Purva R. Rajkotia, Samsung Electronics November 4,2004 Overview of Voice Over Internet Protocol Presentation Outline History of VoIP What is VoIP? Components of

More information

Voice over IP (VoIP) Overview. Introduction. David Feiner ACN 2004. Introduction VoIP & QoS H.323 SIP Comparison of H.323 and SIP Examples

Voice over IP (VoIP) Overview. Introduction. David Feiner ACN 2004. Introduction VoIP & QoS H.323 SIP Comparison of H.323 and SIP Examples Voice over IP (VoIP) David Feiner ACN 2004 Overview Introduction VoIP & QoS H.323 SIP Comparison of H.323 and SIP Examples Introduction Voice Calls are transmitted over Packet Switched Network instead

More information

NAT TCP SIP ALG Support

NAT TCP SIP ALG Support The feature allows embedded messages of the Session Initiation Protocol (SIP) passing through a device that is configured with Network Address Translation (NAT) to be translated and encoded back to the

More information

Indepth Voice over IP and SIP Networking Course

Indepth Voice over IP and SIP Networking Course Introduction SIP is fast becoming the Voice over IP protocol of choice. During this 3-day course delegates will examine SIP technology and architecture and learn how a functioning VoIP service can be established.

More information

Voice over IP Basics for IT Technicians

Voice over IP Basics for IT Technicians Voice over IP Basics for IT Technicians White Paper Executive summary The IP phone is coming or has arrived on desk near you. The IP phone is not a PC, but does have a number of hardware and software elements

More information

1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4

1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4 Coral IP Solutions TABLE OF CONTENTS 1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4 2.1 UGW 4 2.2 IPG 4 2.3 FLEXSET IP 5 2.4 FLEXIP SOFTPHONE 6 2.5 TELEPORT FXS/FXO GATEWAYS 7 2.6 CORAL SENTINEL 7 3 CORAL IP

More information

Voice over IP Fundamentals

Voice over IP Fundamentals Voice over IP Fundamentals Duration: 5 Days Course Code: GK3277 Overview: The aim of this course is for delegates to gain essential data networking and Voice over IP (VoIP) knowledge in a single, week-long

More information

TSIN02 - Internetworking

TSIN02 - Internetworking TSIN02 - Internetworking Lecture 9: SIP and H323 Literature: Understand the basics of SIP and it's architecture Understand H.323 and how it compares to SIP Understand MGCP (MEGACO/H.248) SIP: Protocol

More information

Securing SIP Trunks APPLICATION NOTE. www.sipera.com

Securing SIP Trunks APPLICATION NOTE. www.sipera.com APPLICATION NOTE Securing SIP Trunks SIP Trunks are offered by Internet Telephony Service Providers (ITSPs) to connect an enterprise s IP PBX to the traditional Public Switched Telephone Network (PSTN)

More information

VIDEOCONFERENCING. Video class

VIDEOCONFERENCING. Video class VIDEOCONFERENCING Video class Introduction What is videoconferencing? Real time voice and video communications among multiple participants The past Channelized, Expensive H.320 suite and earlier schemes

More information

ABC SBC: Securing the PBX. FRAFOS GmbH

ABC SBC: Securing the PBX. FRAFOS GmbH ABC SBC: Securing the PBX FRAFOS GmbH Introduction A widely reported fraud scenarios is the case of a malicious user detecting the address of a company s PBX and accessing that PBX directly. Once the attacker

More information

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues v Noriyuki Fukuyama v Shingo Fujimoto v Masahiko Takenaka (Manuscript received September 26, 2003) IP telephony services using VoIP (Voice

More information

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP Connecting MPLS Voice VPNs Enabling the secure interconnection of Inter-Enterprise VoIP Executive Summary: MPLS Virtual

More information

CPNI VIEWPOINT 01/2007 INTERNET VOICE OVER IP

CPNI VIEWPOINT 01/2007 INTERNET VOICE OVER IP INTERNET VOICE OVER IP AUGUST 2007 Abstract Voice over IP (VoIP) is the term used for a set of technologies that enable real time voice or video conversations to take place across IP networks. VoIP devices

More information

CPNI VIEWPOINT 02/2007 ENTERPRISE VOICE OVER IP

CPNI VIEWPOINT 02/2007 ENTERPRISE VOICE OVER IP ENTERPRISE VOICE OVER IP AUGUST 2007 Abstract Voice over IP (VoIP) is the term used for a set of technologies that enable real time voice or video conversations to take place across IP networks. VoIP devices

More information

IP Telephony Deployment Models

IP Telephony Deployment Models CHAPTER 2 Sections in this chapter address the following topics: Single Site, page 2-1 Multisite Implementation with Distributed Call Processing, page 2-3 Design Considerations for Section 508 Conformance,

More information

CPNI VIEWPOINT 03/2007 HOSTED VOICE OVER IP

CPNI VIEWPOINT 03/2007 HOSTED VOICE OVER IP HOSTED VOICE OVER IP AUGUST 2007 Abstract Voice over IP (VoIP) is the term used for a set of technologies that enable real time voice or video conversations to take place across IP networks. VoIP devices

More information

SIP : Session Initiation Protocol

SIP : Session Initiation Protocol : Session Initiation Protocol EFORT http://www.efort.com (Session Initiation Protocol) as defined in IETF RFC 3261 is a multimedia signaling protocol used for multimedia session establishment, modification

More information

SIP Security Controllers. Product Overview

SIP Security Controllers. Product Overview SIP Security Controllers Product Overview Document Version: V1.1 Date: October 2008 1. Introduction UM Labs have developed a range of perimeter security gateways for VoIP and other applications running

More information

SIP Trunking Configuration with

SIP Trunking Configuration with SIP Trunking Configuration with Microsoft Office Communication Server 2007 R2 A Dell Technical White Paper End-to-End Solutions Team Dell Product Group - Enterprise THIS WHITE PAPER IS FOR INFORMATIONAL

More information

Voice over IP (VoIP) Basics for IT Technicians

Voice over IP (VoIP) Basics for IT Technicians Voice over IP (VoIP) Basics for IT Technicians VoIP brings a new environment to the network technician that requires expanded knowledge and tools to deploy and troubleshoot IP phones. This paper provides

More information

Alcatel OmniPCX Enterprise R11 Supported SIP RFCs

Alcatel OmniPCX Enterprise R11 Supported SIP RFCs Alcatel OmniPCX Enterprise R11 Supported SIP RFCs Product & Offer Large & Medium Enterprise Ref: 8AL020033225TCASA ed3 ESD/ Mid & Large Enterprise Product Line Management October 2013 OmniPCX Enterprise

More information

Application Note. Onsight Connect Network Requirements V6.1

Application Note. Onsight Connect Network Requirements V6.1 Application Note Onsight Connect Network Requirements V6.1 1 ONSIGHT CONNECT SERVICE NETWORK REQUIREMENTS... 3 1.1 Onsight Connect Overview... 3 1.2 Onsight Connect Servers... 4 Onsight Connect Network

More information

Applied Networks & Security

Applied Networks & Security Applied Networks & Security VoIP with Critical Analysis http://condor.depaul.edu/~jkristof/it263/ John Kristoff jtk@depaul.edu IT 263 Spring 2006/2007 John Kristoff - DePaul University 1 Critical analysis

More information

VoIP Security regarding the Open Source Software Asterisk

VoIP Security regarding the Open Source Software Asterisk Cybernetics and Information Technologies, Systems and Applications (CITSA) 2008 VoIP Security regarding the Open Source Software Asterisk Prof. Dr.-Ing. Kai-Oliver Detken Company: DECOIT GmbH URL: http://www.decoit.de

More information

An Introduction to VoIP Protocols

An Introduction to VoIP Protocols An Introduction to VoIP Protocols www.netqos.com Voice over IP (VoIP) offers the vision of a converged network carrying multiple types of traffic (voice, video, and data, to name a few). To carry out this

More information

IP Ports and Protocols used by H.323 Devices

IP Ports and Protocols used by H.323 Devices IP Ports and Protocols used by H.323 Devices Overview: The purpose of this paper is to explain in greater detail the IP Ports and Protocols used by H.323 devices during Video Conferences. This is essential

More information

Voice over IP. VoIP (In) Security. Presented by Darren Bilby NZISF 14 July 2005

Voice over IP. VoIP (In) Security. Presented by Darren Bilby NZISF 14 July 2005 Voice over IP VoIP (In) Security Presented by Darren Bilby NZISF 14 July 2005 Security-Assessment.com Who We Are NZ s only pure-play security firm Largest team of security professionals in NZ Offices in

More information

SIP Trunking and Voice over IP

SIP Trunking and Voice over IP SIP Trunking and Voice over IP Agenda What is SIP Trunking? SIP Signaling How is Voice encoded and transported? What are the Voice over IP Impairments? How is Voice Quality measured? VoIP Technology Confidential

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com

FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com WebRTC for Service Providers FRAFOS GmbH FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com This document is copyright of FRAFOS GmbH. Duplication or propagation or

More information

Integrating Voice over IP services in IPv4 and IPv6 networks

Integrating Voice over IP services in IPv4 and IPv6 networks ARTICLE Integrating Voice over IP services in IPv4 and IPv6 networks Lambros Lambrinos Dept.of Communication and Internet studies Cyprus University of Technology Limassol 3603, Cyprus lambros.lambrinos@cut.ac.cy

More information

SSVP SIP School VoIP Professional Certification

SSVP SIP School VoIP Professional Certification SSVP SIP School VoIP Professional Certification Exam Objectives The SSVP exam is designed to test your skills and knowledge on the basics of Networking and Voice over IP. Everything that you need to cover

More information

FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com

FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com WebRTC for the Enterprise FRAFOS GmbH FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com This document is copyright of FRAFOS GmbH. Duplication or propagation or extracts

More information

VoIP Bandwidth Considerations - design decisions

VoIP Bandwidth Considerations - design decisions VoIP Bandwidth Considerations - design decisions When calculating the bandwidth requirements for a VoIP implementation the two main protocols are: a signalling protocol such as SIP, H.323, SCCP, IAX or

More information

Review: Lecture 1 - Internet History

Review: Lecture 1 - Internet History Review: Lecture 1 - Internet History late 60's ARPANET, NCP 1977 first internet 1980's The Internet collection of networks communicating using the TCP/IP protocols 1 Review: Lecture 1 - Administration

More information

Voice over IP Security

Voice over IP Security Voice over IP Security Patrick Park Cisco Press Cisco Press 800 East 96th Street Indianapolis, Indiana 46240 USA vii Contents Introduction xvii Part I VoIP Security Fundamentals 3 Chapter 1 Working with

More information

Master Kurs Rechnernetze Computer Networks IN2097

Master Kurs Rechnernetze Computer Networks IN2097 Chair for Network Architectures and Services Institute for Informatics TU München Prof. Carle, Dr. Fuhrmann Master Kurs Rechnernetze Computer Networks IN2097 Prof. Dr.-Ing. Georg Carle Dr. Thomas Fuhrmann

More information

A Comparative Study of Signalling Protocols Used In VoIP

A Comparative Study of Signalling Protocols Used In VoIP A Comparative Study of Signalling Protocols Used In VoIP Suman Lasrado *1, Noel Gonsalves *2 Asst. Prof, Dept. of MCA, AIMIT, St. Aloysius College (Autonomous), Mangalore, Karnataka, India Student, Dept.

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme Chapter 2: Representation of Multimedia Data Chapter 3: Multimedia Systems Communication Aspects and Services Multimedia Applications and Communication Protocols Quality of Service and Resource Management

More information

AV@ANZA Formación en Tecnologías Avanzadas

AV@ANZA Formación en Tecnologías Avanzadas SISTEMAS DE SEÑALIZACION SIP I & II (@-SIP1&2) Contenido 1. Why SIP? Gain an understanding of why SIP is a valuable protocol despite competing technologies like ISDN, SS7, H.323, MEGACO, SGCP, MGCP, and

More information

OVERVIEW OF ALL VOIP SOLUTIONS

OVERVIEW OF ALL VOIP SOLUTIONS OVERVIEW OF ALL VOIP SOLUTIONS Kovács Gábor Parnaki Zsolt Gergı 13/03/2009 TABLE OF CONTENTS Introduction Overview of VoIP protocols Standard based implementations: H.323 SIP Proprietary solutions: Skype

More information

EE4607 Session Initiation Protocol

EE4607 Session Initiation Protocol EE4607 Session Initiation Protocol Michael Barry michael.barry@ul.ie william.kent@ul.ie Outline of Lecture IP Telephony the need for SIP Session Initiation Protocol Addressing SIP Methods/Responses Functional

More information

Introducing Cisco Voice and Unified Communications Administration Volume 1

Introducing Cisco Voice and Unified Communications Administration Volume 1 Introducing Cisco Voice and Unified Communications Administration Volume 1 Course Introduction Overview Learner Skills and Knowledge Course Goal and Course Flow Additional Cisco Glossary of Terms Your

More information

Network Connection Considerations for Microsoft Response Point 1.0 Service Pack 2

Network Connection Considerations for Microsoft Response Point 1.0 Service Pack 2 Network Connection Considerations for Microsoft Response Point 1.0 Service Pack 2 Updated: February 2009 Microsoft Response Point is a small-business phone solution that is designed to be easy to use and

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Best Practices for Securing IP Telephony

Best Practices for Securing IP Telephony Best Practices for Securing IP Telephony Irwin Lazar, CISSP Senior Analyst Burton Group Agenda VoIP overview VoIP risks Mitigation strategies Recommendations VoIP Overview Hosted by VoIP Functional Diagram

More information

Convergence Technologies Professional (CTP) Course 1: Data Networking

Convergence Technologies Professional (CTP) Course 1: Data Networking Convergence Technologies Professional (CTP) Course 1: Data Networking The Data Networking course teaches you the fundamentals of networking. Through hands-on training, you will learn the vendor-independent

More information

Session Border Controllers in Enterprise

Session Border Controllers in Enterprise A Light Reading Webinar Session Border Controllers in Enterprise Thursday, October 7, 2010 Hosted by Jim Hodges Senior Analyst Heavy Reading Sponsored by: Speakers Natasha Tamaskar VP Product Marketing

More information

Receiving the IP packets Decoding of the packets Digital-to-analog conversion which reproduces the original voice stream

Receiving the IP packets Decoding of the packets Digital-to-analog conversion which reproduces the original voice stream Article VoIP Introduction Internet telephony refers to communications services voice, fax, SMS, and/or voice-messaging applications that are transported via the internet, rather than the public switched

More information

Unit 23. RTP, VoIP. Shyam Parekh

Unit 23. RTP, VoIP. Shyam Parekh Unit 23 RTP, VoIP Shyam Parekh Contents: Real-time Transport Protocol (RTP) Purpose Protocol Stack RTP Header Real-time Transport Control Protocol (RTCP) Voice over IP (VoIP) Motivation H.323 SIP VoIP

More information

VoIP Trunking with Session Border Controllers

VoIP Trunking with Session Border Controllers VoIP Trunking with Session Border Controllers By Chris Mackall Submitted to the Faculty of the Information Technology Program in Partial Fulfillment of the Requirements for the Degree of Bachelor of Science

More information

SIP Trunking Manual 05.15. Technical Support Web Site: http://ws1.necii.com (registration is required)

SIP Trunking Manual 05.15. Technical Support Web Site: http://ws1.necii.com (registration is required) SIP Trunking Manual 05.15 Technical Support Web Site: http://ws1.necii.com (registration is required) This manual has been developed by NEC Unified Solutions, Inc. It is intended for the use of its customers

More information

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0 Avaya Solution & Interoperability Test Lab Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0 Abstract These Application Notes describe the steps to configure an Avaya

More information

EarthLink Business SIP Trunking. NEC SV8300 IP PBX Customer Configuration Guide

EarthLink Business SIP Trunking. NEC SV8300 IP PBX Customer Configuration Guide EarthLink Business SIP Trunking NEC SV8300 IP PBX Customer Configuration Guide Publication History First Release: Version 1.0 May 18, 2012 CHANGE HISTORY Version Date Change Details Changed By 1.0 5/18/2012

More information

Internet Working 15th lecture (last but one) Chair of Communication Systems Department of Applied Sciences University of Freiburg 2005

Internet Working 15th lecture (last but one) Chair of Communication Systems Department of Applied Sciences University of Freiburg 2005 15th lecture (last but one) Chair of Communication Systems Department of Applied Sciences University of Freiburg 2005 1 43 administrational stuff Next Thursday preliminary discussion of network seminars

More information

Application Notes. Introduction. Contents. Managing IP Centrex & Hosted PBX Services. Series. VoIP Performance Management. Overview.

Application Notes. Introduction. Contents. Managing IP Centrex & Hosted PBX Services. Series. VoIP Performance Management. Overview. Title Series Managing IP Centrex & Hosted PBX Services Date July 2004 VoIP Performance Management Contents Introduction... 1 Quality Management & IP Centrex Service... 2 The New VoIP Performance Management

More information

Need for Signaling and Call Control

Need for Signaling and Call Control Need for Signaling and Call Control VoIP Signaling In a traditional voice network, call establishment, progress, and termination are managed by interpreting and propagating signals. Transporting voice

More information

nexvortex SIP Trunking Implementation & Planning Guide V1.5

nexvortex SIP Trunking Implementation & Planning Guide V1.5 nexvortex SIP Trunking Implementation & Planning Guide V1.5 510 S PRING S TREET H ERNDON VA 20170 +1 855.639.8888 Introduction Welcome to nexvortex! This document is intended for nexvortex Customers and

More information

Ingate Firewall/SIParator SIP Security for the Enterprise

Ingate Firewall/SIParator SIP Security for the Enterprise Ingate Firewall/SIParator SIP Security for the Enterprise Ingate Systems February, 2013 Ingate Systems AB (publ) Tel: +46 8 600 77 50 BACKGROUND... 1 1 NETWORK SECURITY... 2 2 WHY IS VOIP SECURITY IMPORTANT?...

More information

Voice over IP. Presentation Outline. Objectives

Voice over IP. Presentation Outline. Objectives Voice over IP Professor Richard Harris Presentation Outline Brief overview of VoIP and applications Challenges of VoIP IP Support for Voice Protocols used for VoIP (current views) RTP RTCP RSVP H.323 Semester

More information

White Paper. avaya.com 1. Table of Contents. Starting Points

White Paper. avaya.com 1. Table of Contents. Starting Points White Paper Session Initiation Protocol Trunking - enabling new collaboration and helping keep the network safe with an Enterprise Session Border Controller Table of Contents Executive Summary...1 Starting

More information

An Overview of H.323 - SIP Interworking

An Overview of H.323 - SIP Interworking An Overview of - Interworking 2001 RADVISION. All intellectual property rights in this publication are owned by RADVision Ltd. and are protected by United States copyright laws, other applicable copyright

More information

VoIP. Overview. Jakob Aleksander Libak jakobal@ifi.uio.no. Introduction Pros and cons Protocols Services Conclusion

VoIP. Overview. Jakob Aleksander Libak jakobal@ifi.uio.no. Introduction Pros and cons Protocols Services Conclusion VoIP Jakob Aleksander Libak jakobal@ifi.uio.no 1 Overview Introduction Pros and cons Protocols Services Conclusion 2 1 Introduction Voice over IP is routing of voice conversations over the internet or

More information

Communication Systems SIP

Communication Systems SIP Communication Systems SIP Computer Science Organization I. Data and voice communication in IP networks II. Security issues in networking III. Digital telephony networks and voice over IP 2 Part 3 Digital,

More information

SIP (Session Initiation Protocol) Technical Overview. Presentation by: Kevin M. Johnson VP Engineering & Ops

SIP (Session Initiation Protocol) Technical Overview. Presentation by: Kevin M. Johnson VP Engineering & Ops SIP (Session Initiation Protocol) Technical Overview Presentation by: Kevin M. Johnson VP Engineering & Ops Page 1 Who are we? Page 2 Who are we? Workforce Automation Software Developer Page 3 Who are

More information

Product Information = = = www.anynode.de e-mail sales@te-systems.de phone +49 5363 8195-0

Product Information = = = www.anynode.de e-mail sales@te-systems.de phone +49 5363 8195-0 07 2015 2 Efficient communication anynode is a Session Border Controller that is entirely a software based solution. It works as an interface for any number of SIP UAs for example, SIP phones and SIP PBXs,

More information

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1 Table of Contents 1. REQUIREMENTS SUMMARY... 1 2. REQUIREMENTS DETAIL... 2 2.1 DHCP SERVER... 2 2.2 DNS SERVER... 2 2.3 FIREWALLS... 3 2.4 NETWORK ADDRESS TRANSLATION... 4 2.5 APPLICATION LAYER GATEWAY...

More information

Hands on VoIP. Content. Tel +44 (0) 845 057 0176 enquiries@protelsolutions.co.uk. Introduction

Hands on VoIP. Content. Tel +44 (0) 845 057 0176 enquiries@protelsolutions.co.uk. Introduction Introduction This 4-day course offers a practical introduction to 'hands on' VoIP engineering. Voice over IP promises to reduce your telephony costs and provides unique opportunities for integrating voice

More information

ACD: Average Call Duration is the average duration of the calls routed bya a VoIP provider. It is a quality parameter given by the VoIP providers.

ACD: Average Call Duration is the average duration of the calls routed bya a VoIP provider. It is a quality parameter given by the VoIP providers. ACD: Average Call Duration is the average duration of the calls routed bya a VoIP provider. It is a quality parameter given by the VoIP providers. API: An application programming interface (API) is a source

More information

Configuring SIP Trunking and Networking for the NetVanta 7000 Series

Configuring SIP Trunking and Networking for the NetVanta 7000 Series 61200796L1-29.4E July 2011 Configuration Guide Configuring for the NetVanta 7000 Series This configuration guide describes the configuration and implementation of Session Initiation Protocol (SIP) trunking

More information

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Cconducted at the Cisco facility and Miercom lab. Specific areas examined Lab Testing Summary Report July 2009 Report 090708 Product Category: Unified Communications Vendor Tested: Key findings and conclusions: Cisco Unified Communications solution uses multilayered security

More information

Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary. About this document

Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary. About this document Fax over IP Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary About this document This document describes how Fax over IP works in general

More information

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1 Avaya Solution & Interoperability Test Lab Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1 Abstract These Application Notes describe the procedures

More information

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) reserved. Lesson 2.4: Calculating Bandwidth Requirements for VoIP reserved. Objectives Describe factors influencing encapsulation overhead and bandwidth requirements

More information

SSVVP SIP School VVoIP Professional Certification

SSVVP SIP School VVoIP Professional Certification SSVVP SIP School VVoIP Professional Certification Exam Objectives The SSVVP exam is designed to test your skills and knowledge on the basics of Networking, Voice over IP and Video over IP. Everything that

More information

ENTERPRISE SESSION BORDER CONTROLLERS: SAFEGUARDING TODAY S AND TOMORROW S UNIFIED COMMUNICATIONS

ENTERPRISE SESSION BORDER CONTROLLERS: SAFEGUARDING TODAY S AND TOMORROW S UNIFIED COMMUNICATIONS ENTERPRISE SESSION BORDER CONTROLLERS: SAFEGUARDING TODAY S AND TOMORROW S UNIFIED COMMUNICATIONS ALCATEL-LUCENT OPENTOUCH SESSION BORDER CONTROLLER A SECURE SOLUTION FOR BORDERLESS CONVERSATIONS APPLICATION

More information

Overview of VoIP Systems

Overview of VoIP Systems 2 Overview of VoIP Systems In their simplest form, Voice over IP protocols simply enable two (or more) devices to transmit and receive real-time audio traffic that allows their respective users to communicate.

More information

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles.

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles. Data Networking and Architecture The course focuses on theoretical principles and practical implementation of selected Data Networking protocols and standards. Physical network architecture is described

More information

Cisco ASA 5500 Series Unified Communications Deployments

Cisco ASA 5500 Series Unified Communications Deployments 5500 Series Unified Communications Deployments Cisco Unified Communications Solutions unify voice, video, data, and mobile applications on fixed and mobile networks, enabling easy collaboration every time,

More information

Transport and Network Layer

Transport and Network Layer Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a

More information