Securing SIP Trunks APPLICATION NOTE.

Transcription

1 APPLICATION NOTE Securing SIP Trunks SIP Trunks are offered by Internet Telephony Service Providers (ITSPs) to connect an enterprise s IP PBX to the traditional Public Switched Telephone Network (PSTN) over the Internet using the Session Initiation Protocol (SIP) Voice over Internet Protocol (VoIP) standard. Deploying SIP trunks enables enterprises to take full advantage of VoIP and eliminate costly Time-Division Multiplexing (TDM) trunks and TDM gateways. Enterprises route calls over the carrier s IP backbone and use the same IP connection for all their communications. Once enterprises decide to deploy one or more SIP trunks, however, they must address several important security and deployment issues. In particular, enterprises must consider the following security questions: Do the enterprise and the service provider have the same security requirements? Do the service provider and the enterprise have the same security policies for employees, networks, and VoIP system? How can the enterprise maintain control over signaling, media, security, and routing policies? How does the enterprise address new SIP or media threats to the enterprise infrastructure or to the service provider s infrastructure? What changes must the enterprise make to the firewall/network address translation (NAT) device, IP PBX, private IP addresses, numbering plan, and other components? Must the enterprise network topology be exposed? How does the enterprise ensure user/caller ID privacy? How does the enterprise ensure the privacy of actual media communications? How is actual media privacy ensured? Is encryption required? If so, must it be end-to-end? To ensure the deployment of secure SIP trunks, enterprises must implement a solution that addresses all of these questions. Sipera Systems offers a comprehensive unified communications (UC) security solution that enables enterprises to do just that, while defining a security boundary between themselves and the service provider.

2 PROBLEM An enterprise s IP PBX and other UC infrastructure components are not only valuable enterprise assets; they are critical components required for VoIP and UC services. Typically, enterprises control network access to these components through the use of virtual local area networks (VLANs), access control lists (ACLs), and firewalls. However, when enterprises provide connectivity over SIP trunks, opening access to critical resources over WANs and opening ports on the firewall present serious security challenges. Maintaining control over their own security requirements may also raise issues. Different enterprise and service provider security requirements Typically, a SIP trunk provider has one set of security requirements whereas its enterprise customers have diverse security requirements. For example, enterprises standardize on different operating systems, implement security policies differently, define different firewall rules, require different password lengths, and may differ in their need to use two-factor authentication for remote users. In the case of VoIP and UC, these varying security requirements are particularly important. Instead of being forced to adopt the standards of their SIP trunk providers, enterprises must be able to enforce their own unique security standards and maintain control over all aspects of their unified communications to: Ensure secure deployment of their SIP trunks Improve overall network security Determine the specific signaling, media, and applications that are allowed or denied access to their networks to ensure the quality of service (QoS) required for VoIP and UC services Define fine-grained security policies that are enforced based on network, user, device, and time-of-day Protection against VoIP and UC protocol vulnerabilities VoIP offers many more real-time services than data including transfer, conference, and hold, making VoIP protocols more complex, flexible, and exploitable. (Because of this, more than 50 requests for comments, or RFCs, exist for SIP in the IETF, compared with only about10 for HTTP, which has been around more than twice as long.) With known ports open on the firewall to allow VoIP and UC traffic through, enterprises must perform deep-packet inspection and continuously police application traffic to protect the VoIP network, endpoints, and IP PBXs from thousands of application-layer attacks that can cause IP PBX crashes, lost services, and degradation of voice quality. These VoIP/UC-specific application layer attacks include: Reconnaissance Spoofing Eavesdropping Signaling and media manipulation Service theft/fraud Denial of Service (DoS)/Distributed DoS attacks Fuzzing and buffer overflow exploits VoIP spam VoIP phishing Confidentiality and privacy concerns When VoIP traffic is sent over the Internet, both signaling and media traffic must be encrypted to ensure complete privacy of real-time communications. Attackers can use sniffing methods to easily exploit signaling traffic for reconnaissance purposes and to learn detailed call-related information (such as caller and called party IP addresses, date, and time of the call). Media must be encrypted to ensure privacy of the actual communication. However, encrypting media traffic poses the additional challenge of ensuring acceptable QoS without degrading performance. The problem is compounded in terms of management and operational costs if the artificial requirement for a VPN client on the phone or a home VPN gateway is imposed. Private addressing, firewalls and network address translation (NAT) IP addresses in SIP messages and message headers that are exchanged between the service provider and enterprise network must be routable IP addresses in the service provider s network. Unlike data applications, VoIP uses dynamic ports for peer-to-peer media flows between phones. For SIP trunks to work, enterprises must make the following major changes to their firewall policies for performing NAT functionality and protecting internal, private IP addresses.

3 Enterprise firewall policies must support opening dynamic ports for media, which weakens security. Enterprises must provide internal, private IP addresses that are routable in the service provider s network to support SIP message exchanges between enterprise and service provider networks. Access and authorization Before establishing a signaling or media session, remote users must be authenticated. This authentication can be done in a variety of ways, including the use of digest access authentication or certificates. Many enterprises require the use of two-factor authentication schemes such as RSA SecurID for remote access to prevent unauthorized calls on stolen or lost phones. Policy compliance for UC traffic To deploy SIP trunks without compromising established security policies, enterprises must also enforce fine-grained UC policies. VoIP and IT administrators must control voice, video, IM, and other UC applications by defining the way the applications are used and the networks, devices, and users that are authorized to interact with the applications. Policies for mobile users and devices must be dynamic and flexible to satisfy these requirements. SOLUTION The Sipera UC-Sec security appliances offer real-time UC security, including comprehensive threat protection, policy enforcement, access control, and privacy to address the issues of SIP trunk deployments. Built on the foundation of the Sipera VIPER engine and real-time platform, the UC-Sec appliances perform the following functions for securing SIP trunks: Serves as the demarcation point for the enterprise VoIP and UC network and enforces fine-grained security policies. Protects against SIP and Real-time Transport Protocol (RTP) threats by blocking them at the enterprise perimeter. Maintains privacy of the enterprise internal network, caller/user IDs, and communications. Performs firewall/nat traversal to simplify the deployment of SIP trunks. Demarcation of the enterprise and service provider VoIP/UC network Enterprises must enforce a demarcation point between their VoIP/UC boundary and the service provider using a UC security appliance like the firewalls and demilitarized zones (DMZs) they install in their data networks. The UC-Sec security appliance becomes this demarcation point and performs all security functions required to enforce enterprise security policies. UC-Sec also provides information from both the enterprise side and service provider side for QoS or service availability such that appropriate service level agreements (SLAs) can be verified and enforced. In addition, enterprises must define policies for VoIP and UC traffic that apply to the SIP trunk. For example, policies might define: Users that are allowed to make voice and video calls The SIP trunk to use for international dialing Trunks that require encryption and threat protection Calls that must be logged and whether or not to report the QoS Enterprises that have multiple departments with different security requirements and applications may require more flexible, fine-grained policy control. Frequently enterprises use multiple routes to reach the PSTN. Enterprises might also have multiple internal call servers and require flexible SIP routing policies at the edge. Sipera s UC-Sec offers fine-grained UC policy control based on network, user, device and time-of-day to give enterprises complete control over their UC infrastructure, devices, and users. Addressing the vulnerabilities and threats in SIP and RTP When traffic from the service provider WAN comes into the corporate intranet to high value assets such as VoIP servers, the traffic must pass through a VoIP security appliance, such as the UC-Sec product, which inspects and validates the traffic.

4 UC-Sec is VoIP-aware and performs deep-packet inspection and tracks call states, which is crucial for UC threat mitigation. The UC-Sec appliance also has a signature update mechanism to enable that same protection against new threats. Maintaining privacy of network topology and internal domains Enterprises require a VoIP/UC-aware appliance at the edge of their networks to hide internal network topology and SIP domain information. Sipera s UC-Sec changes private IP addresses to public IP addresses and changes private internal domains to public SIP domains in SIP messages to prevent exposure of the enterprise network topology. UC-Sec also supports: User/caller ID anonymity User privacy SIP standards that interwork with service providers SIP trunks Encryption of signaling traffic over Transport Layer Security (TLS) and encryption of media traffic over Secure RTP (SRTP) Communicating and interworking disjoint private networks Enterprise firewalls and DMZs enforce strict policies and perform NAT functions to ensure that internal enterprise networks and servers have private addresses that are not directly routable from external networks. Without overhauling these security policies, the Sipera UC-Sec appliance provides NAT traversal for signaling traffic and manages dynamic ports for media traffic. UC-Sec also participates in the signaling traffic to allow only those media sessions that follow the session specification agreed upon in the signaling channel. Unified Communications Security Life Cycle Unified Communications Security Life Cycle 1. Define Security Requirements Compare business objectives for UC with impact on information security compliance: HIPAA, PCI, FERPA, GLBA and others Define Security Assess Posture 2. Assess Security Posture Identify vulnerabilities, assess risk, determine gap between posture and requirements, consider impact on real-time application performance 4. Manage Compliance Review established posture, manage change, gather new requirements as business objectives and regulatory mandates change Manage Compliance Implement Measures 3. Implement Security Measures Optimize security posture and application performance; configure policy enforcement, threat protection, access control, privacy (encryption) Companies around the world rely on Sipera Systems to ensure their UC and VoIP deployments support compliance with information security requirements and mission-critical corporate objectives. Through dozens of successful vulnerability assessments, security architecture consulting projects, and security appliance deployments, Sipera has developed a standardized Unified Communications Security Life Cycle. This process represents a best practice for continuous improvement of the security architecture, enabling an enterprise to be certain that essential security functions can keep pace with the transforming communications infrastructure. To learn more about Sipera s solutions and for personal consultation about your UC security requirements, please visit

5 IMPLEMENTATION To enable secure SIP trunks, a single Sipera UC-Sec security appliance is deployed at the customer premise, between the internal and external firewalls, to provide complete network security, enforce security policies, and handle other SIP trunk deployment issues for the enterprise network. In the deployment shown in the following figure, Sipera UC-Sec performs border control functionality such as FW/NAT traversal (as shown in step 1), interworking, security policy enforcement based on fine-grained UC policies, and threat protection to prevent denial of service, spoofing, and stealth attacks. Because the UC-Sec product is a trusted host in the DMZ, SIP signaling traffic to the enterprise is received by the external firewall and sent to the Sipera appliance, which processes the signaling information. If the SIP signaling traffic is encrypted, UC-Sec decrypts all TLS-encrypted traffic and looks for anomalous behavior before forwarding the packets through the internal firewall to the appropriate IP PBX to establish the requested call session (as shown in step 2). Once a valid call has been set-up, RTP packets are allowed to flow through the external firewall to the Sipera UC-Sec product, which decrypts the SRTP traffic (if required) and looks for anomalous behavior in the media before passing on the RTP stream to the intended recipient (as shown in step 3). RESULT The popularity of SIP trunks is primarily due to cost savings and the increased reliability offered through service provider service level agreements (SLAs). SIP Trunks can deliver much lower cost local, toll-free, domestic, and international long distance services to any enterprise willing to replace its PSTN connectivity. They also offer a unique opportunity for large, distributed enterprises to consolidate their VoIP/UC infrastructure and connectivity to the PSTN. Therefore, it s not surprising that enterprises embrace SIP Trunks as a means to replace costly PSTN trunks and gateways, while using real-time, unified communications ubiquitously over IP networks. In some cases, enterprises use multiple SIP trunks with different providers for disaster recovery, redundancy, or to enable different applications. However, without solving network security and demarcation challenges, SIP trunks cannot be deployed on a large scale. The Sipera UC-Sec product offers a comprehensive security solution with threat protection, access control, policy enforcement, and privacy protection in a single device, enabling enterprises to address all of these challenges and securely deploy SIP trunks. ENTERPRISE IP PBX Intranet Internal Firewall 1. FW/NAT Traversal 2b. Apply VoIP/UC Policies Detect and Prevent VoIP/UC Threats Perform Interworking Functions 2c. Signaling Over TCP/UDP 2a. Encrypted signaling Over TLS 3a. SRTP Media ITSP 3c. RTP Media Sipera UC-Sec deployed in high-availability mode DMZ External Firewall PSTN 3b. Media Anomaly Detection & Prevention

6 UC Security Defined About Sipera Systems Sipera Systems, the leader in real-time Unified Communications (UC) security, is the choice of enterprises and service providers around the world to support their mission-critical UC deployments. Sipera offers groundbreaking, production-proven solutions that secure voice, video, messaging, collaboration, and other real-time communications in converged IP networks, boosting compliance with information security requirements. Backed by the industry-leading research of the VIPER lab, Sipera s solutions provide comprehensive threat protection, policy enforcement, access control, and encryption in a single flexible appliance. V# Sipera Systems Inc Firman Drive, Suite 600 Richardson, TX 75081, USA T: F: E: info@sipera.com Copyright 2009 Sipera Systems, Inc. All rights reserved. Sipera, Sipera UC-Sec and related products, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.