Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

Similar documents
Session Border Controllers in Enterprise

Securing SIP Trunks APPLICATION NOTE.

S-Series SBC Interconnect Solutions. A GENBAND Application Note May 2009

SIP Trunking Configuration with

Application Notes. Introduction. Contents. Managing IP Centrex & Hosted PBX Services. Series. VoIP Performance Management. Overview.

VOIP THE ULTIMATE GUIDE VERSION /23/2014 onevoiceinc.com

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

What is an E-SBC? WHITE PAPER

Recommended IP Telephony Architecture

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Voice Over IP and Firewalls

Dialogic. BorderNet Products Interwork and Connect Seamlessly and Securely at the Network Edge

Voice Over Internet Protocol (VOIP) SECURITY. Rick Kuhn Computer Security Division National Institute of Standards and Technology

Addressing Inter Provider Connections With MPLS-ICI

VPLS lies at the heart of our Next Generation Network approach to creating converged, simplified WANs.

Security Considerations

SIP Security Controllers. Product Overview

TECHNICAL CHALLENGES OF VoIP BYPASS

APPLICATION NOTE. SIP Trunking Connectivity, Security and Deployment Scenarios. Introduction

SIP Trunking. Cisco Press. Christina Hattingh Darryl Sladden ATM Zakaria Swapan. 800 East 96th Street Indianapolis, IN 46240

White Paper. Traversing Firewalls with Video over IP: Issues and Solutions

An Oracle White Paper August What Is an Enterprise Session Border Controller?

Integrating SIP Trunks in Enterprise Networks for Next- Generation Unified Communications

Voice over IP Security

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

Interactive communications over IP networks

White Paper. avaya.com 1. Table of Contents. Starting Points

VoIP Trunking with Session Border Controllers

Brochure. Dialogic BorderNet Session Border Controller Solutions

Voice over IP Basics for IT Technicians

Best Practices for Securing IP Telephony

SIP, Security and Session Border Controllers

EarthLink Business SIP Trunking. NEC SV8300 IP PBX Customer Configuration Guide

EarthLink Business SIP Trunking. NEC SV8100 IP PBX Customer Configuration Guide

Sprint s Partner Interexchange Network (PIN) A New Approach to Scalable Voice Peering

Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks

Implementing VoIP monitoring solutions. Deployment note

1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4

SIP Trunking The Provider s Perspective

Application Note. Pre-Deployment and Network Readiness Assessment Is Essential. Types of VoIP Performance Problems. Contents

OpenScape Session Border Controller Delivering security, interoperability and cost savings to the enterprise network border

Ingate Firewall/SIParator SIP Security for the Enterprise

Voice over IP (VoIP) Basics for IT Technicians

Dialogic BorderNet Session Border Controller Solutions

WHITE PAPER. Addressing Inter Provider Connections with MPLS-ICI CONTENTS: Introduction. IP/MPLS Forum White Paper. January Introduction...

EarthLink Business SIP Trunking. ININ IC3 IP PBX Customer Configuration Guide

VoIP Security regarding the Open Source Software Asterisk

Optimizing Converged Cisco Networks (ONT)

Benefits of Using a Demarcation Device When Integrating Legacy Voice, SIP Trunks and Microsoft OCS R2

SIP Trunking with Microsoft Office Communication Server 2007 R2

Session Border Controller

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Gateways and Their Roles

CPNI VIEWPOINT 02/2007 ENTERPRISE VOICE OVER IP

Voice over IP (VoIP) for Telephony. Advantages of VoIP Migration for SMBs BLACK BOX blackbox.com

An Examination of the Firewall/NAT Problem, Traversal Methods, and Their Pros and Cons

NETWORK ISSUES: COSTS & OPTIONS

ethernet services for multi-site connectivity security, performance, ip transparency

Voice Over IP (VoIP) Denial of Service (DoS)

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

IVCi s IntelliNet SM Network

Securing Unified Communications for Healthcare

Cisco ASA 5500 Series Unified Communications Deployments

SBC WHITE PAPER. The Critical Component

Introduction to DE-CIX NGN. Andreas Sturm

IP Telephony Deployment Models

Secure Voice over IP (VoIP) Networks

Session Border Controller

ETM System SIP Trunk Support Technical Discussion

EarthLink Business SIP Trunking. Toshiba IPedge Customer Configuration Guide

Communications Transformations 2: Steps to Integrate SIP Trunk into the Enterprise

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles.

Secure VoIP for optimal business communication

Sprint Global MPLS VPN IP Whitepaper

Methods for Lawful Interception in IP Telephony Networks Based on H.323

IP Implementation in Private Branch Exchanges From 9:30 a.m until 4:30 p.m (7 hrs./day) 5 days / week

VOICE OVER IP SECURITY

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

ABC SBC: Securing the PBX. FRAFOS GmbH

EdgeMarc 4508T4/4508T4W Converged Networking Router

Release the full potential of your Cisco Call Manager with Ingate Systems

Microsoft Lync and SIP trunking - Ensuring multi-vendor technology success with Prognosis

VegaStream Information Note Considerations for a VoIP installation

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

Cisco Integrated Services Routers Performance Overview

VitalPBX. Hosted Voice That Works. For You

IOCOM Whitepaper: Connecting to Third Party Organizations

Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN

Securing VoIP Networks using graded Protection Levels

Layer-2 Design: Link Balancers Simplified

Secured Voice over VPN Tunnel and QoS. Feature Paper

Indepth Voice over IP and SIP Networking Course

CPNI VIEWPOINT 03/2007 HOSTED VOICE OVER IP

ITL BULLETIN FOR JANUARY 2011

Integrate VoIP with your existing network

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Hosted PBX Platform-asa-Service. Offering

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Transcription:

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

Connecting MPLS Voice VPNs Enabling the secure interconnection of Inter-Enterprise VoIP Executive Summary: MPLS Virtual Private Networks (VPNs) are among the hottest technologies offered today by service providers for the secure transport of data, voice and multi-media services within a geographically dispersed enterprise network. This technology, in combination with IP telephony, is the basis of a service offering called the Voice VPN. Enterprise customers are using Voice VPNs as a means to drive down cost and increase integration between the handset, computer and mobile devices of the corporate user. For example, utilizing premised based IP PBXs and IP phones at all sites within the VPN allows the enterprise customer to bypass long distance toll charges when calling another enterprise location with the VPN. This is commonly referred to as On-Net to On-Net calling. However, voice traffic that leaves the enterprise, referred to as On-Net to Off-Net calling, must transit the PSTN. This requires a device called a media gateway, which connects the IP network to the PSTN at each location. Even if the On-Net to Off-Net call is destined for an enterprise that is also a Voice VPN customer the call still must transit the PSTN for security and billing purposes. This ties up expensive gateway ports and TDM transport facilities. It also degrades the voice quality, due to the fact that calls are converted from IP to TDM and back to IP (possibly a number of times). The goal of this paper is to explain, in detail, what technologies are required to enable costeffective On-Net to Off-Net calling between Voice VPNs without transiting the PSTN in a highly secure and scalable fashion. Page 1 of 11

Today s Enterprise VoIP VPN Today s enterprise VoIP VPN s are islands and only able to interconnect to other enterprise VoIP VPNs via the PSTN (See Figure 1). Figure 1: Today s MPLS Infrastructure for Enterprise Voice VPNs In examining this architecture the obvious question is Why is the PSTN needed when the call origination and destination is a VoIP endpoint between two enterprise Voice VPNs? Well, there are several valid reasons why this is necessary today in the carrier network. 1. Network Address Port Translation (NAPT) A VPN typically utilizes a private IP addressing scheme, which is not routable outside that VPN. To connect to another IP network such as the Internet, a router, illustrated as the NAPT Provider Edge (PE) device, translates and maps a private IP address to a public IP address which is then routable to any other reachable IP network. This scheme, described by RFC 1631, has been in place for years and works well for data applications. However, VoIP protocol suites such as H.323, MGCP and SIP that include IP address and port information in their message payloads are adversely affected by the use of NAPT. Most NAPT devices do not edit the contents of the IP payload (Layer 7 content), therefore the indicated IP address and port for media in a signaling packet will be ignored and the media (voice) will not pass through the router/firewall. Page 2 of 11

Figure 2: SIP Example - destination address and port of the media is embedded in the SIP payload, which current NAPT devices cannot translate. Compounding the NAT problem is the fact that it is common for Voice VPN customers utilizing private IP addressing schemes to have overlapping IP addresses. For example, VPN-1 and VPN-2 could in fact have IP Phones with the same IP address making it impossible to route calls between them. Even if the NAPT PE device illustrated below had the capability to solve these problems it would still be routing the voice to a public IP network, allowing enterprise voice traffic to be vulnerable to hackers that can easily eavesdrop and place unauthorized calls over the enterprise network s resources. Figure 3: Current deployment architecture for Firewall and NAT devices 2. Security Voice VPNs are implemented in a manner that prohibits any Inter-Enterprise communication for security purposes. This allows all traffic within the Voice VPN to be Page 3 of 11

considered trusted, therefore once a user is authenticated and authorized onto the network no further security policing, such as a firewall, is required for that user to communicate with all locations within the Voice VPN. To enable interconnection of Voice VPNs, service providers will need to interconnect trusted networks together and must ensure that there is a secure boundary (firewall) between the Voice VPNs - protecting the enterprise networks from security threats. The most recognized threats to a Voice VPN are: Denial-of-service (DoS) attacks: Prevention of access to a network service by bombarding IP PBXs, IP Phones or media gateway devices on the Voice VPN with unauthorized packets. Eavesdropping: Unauthorized interception of Real-Time Transport Protocol (RTP) media streams and decoding of signaling messages for the purposes of listening to the calls or learning the IP network topology of the Voice VPN or service provider networks. Unauthorized access: Impersonation of a legitimate user allowing the hacker to gain access to enterprise network resources to place unauthorized phone calls. Another security requirement the service provider must address is how to ensure privacy when voice traffic must transit a public non-trusted network. As mentioned earlier, private IP addresses must use a NAPT function to be mapped to a public IP address before the packets can be routed to another enterprise Voice VPN. Most enterprise customers see this as a major security concern and mandate that all voice traffic transiting a public IP network must be encrypted. The use of RTP encryption and IPSec is an option but very complex and costly for the service provider to administer and maintain. Also, these technologies typically do not interoperate in the multi-vendor environments deployed within the enterprise networks. Of course the carrier VoIP network elements such as proxy servers, gatekeepers, and media gateways must be protected from these types of attacks originating from a Voice VPN customers network as well. Traditional routers and firewalls do not meet these VoIP security requirements. 3. Billing Without traffic traversing the PSTN how can the service provider generate call detail records (CDR) needed to capture revenue for the origination/termination of the On-Net to Off-Net calls placed between the Voice VPNs? 4. Call Admission Control (CAC) How can the service provider create and enforce a Service Level Agreement (SLA) for each Voice VPN customer, which limits the number of calls or amount of bandwidth the Voice VPN is allowed to use on the IP network in a manner similar to the way they can today with a TDM trunk connection to the PSTN? MPLS routers are not session aware and cannot offer this capability on a call-by -call basis, which is required for Call Admission Control (CAC). Since voice is real-time traffic it is imperative that it is policed at the point of ingress onto the service provider s network to ensure that the authorized calls have adequate network resources to guarantee toll quality. Without this capability honoring a Voice VPN SLA is not possible. Page 4 of 11

It is clear that with existing router and firewall technology, service providers cannot overcome the critical obstacles of: NAT traversal, NAPT, overlapping IP addresses, security, billing and admission control. Connecting even two enterprises introduces new requirements. Because existing products cannot meet these requirements, a new product category has risen to the challenge Session Controllers. Session Controllers reside at the edge of the service provider s network and are a highperformance, high-capacity critical network element that handle both signaling and media. Session Controllers meet the requirements for interconnection by delivering security, QoS mediation, and management (session detail records for billing and reconciliation) for the peering of VoIP networks. They support service provider SIP and H.323 networks and complement existing network infrastructure such as MPLS routers and Layer 3 and 4-aware firewalls. Page 5 of 11

Netrake ncite Session Controller Enabling the secure interconnection of Voice VPNs A Session Controller is a new network element that provides carrier grade, secure, protocol aware session based network address/port translation, hosted Voice VPN firewall, session admission control and session detail records for real time, multi-media communications such as IP telephony. With a session controller, interconnecting Voice VPNs is now possible as illustrated in Figure 4. Figure 4: The deployment of session controllers within existing MPLS VPN networks is seamless How the Hosted Voice VPN Firewall works The ncite Session Controller connects to the provider edge (PE) MPLS router via gigabit ethernet interfaces. The PE router sets an 802.1q VLAN tag, which correlates to a Voice VPN within the MPLS network on all packets routed to the ncite. Through the use of the 802.1q VLAN tags the ncite is able to support overlapping private IP addresses used in the Voice VPNs via a virtual interface. Each Voice VPN uses a unique virtual interface configured on the ncite which acts as an outbound proxy, in the case of SIP, for the Voice VPN and performs SIP proxy 1, media anchoring* and registration binding* for the sessions. This places the ncite in the signaling and media path for all voice traffic routed between the Voice VPNs where it serves as a firewall protecting the Voice VPNs from the VoIP security threats such as Denial of Service attacks, flood protection, Rogue RTP, etc. The ncite also performs the following critical tasks to enable the secure interconnection of the Voice VPNs. 1 *For a more detailed explanation of the ncite s SIP features please read http://www.netrake.com/pdf/ts_sip_features.pdf. Page 6 of 11

1. Network Address Port Translation (NAPT) Figure 5: Hosted Firewall - The ncite is seamlessly deployed into existing architectures and dynamically opens/closes pinholes and performs NAT bindings to allow authorized traffic through The ncite performs NAPT of the layer 3 IP addresses as well as the IP address and port information in the message payloads of SIP and H.323 protocols. The ncite has a virtual network that contains a pool of registered public IP addresses to interconnect all virtual interfaces in the system.. When a voice packet arrives on a virtual interface, the ncite requests an address/port pair from the pool and translates the Voice VPNs private IP address to a public IP address allowing it to be routed to the destination Voice VPN. The ncite then creates a pinhole through the Voice VPN firewall for the duration of the call. Once the call is complete the pinhole is closed in the firewall and the ncite releases the IP address/port pair for future use. 2. Security The ncite acts as a hosted Voice VPN firewall within the carrier network providing protection from the most important threats to a Voice VPN: Denial-of-service (DoS) Attack Prevention The ncite also detects a sophisticated form of DoS attack called Rogue RTP. Rogue RTP is defined as receiving RTP traffic from multiple sources matching the open pinholes of an active call. What makes it difficult to detect is that in most cases this may be a legitimate function of the voice network, such as a media server injecting RTP packets into an active call mid stream to provide music while the call is on hold or a gateway fails over to another device. Or, in some cases, this could be a hacker that guessed the IP address/port of an active call and is injecting inauthentic RTP packets for the purposes of disrupting the call. Due to the varying scenarios, this situation makes it impossible to guarantee the sending and receiving of IP addresses and port numbers of all RTP packets will be the same for Page 7 of 11

the duration of the call. Therefore, configuring an ACL that includes source IP address and source port during the authentication process to prevent Rogue RTP is not possible. The ncite algorithm that detects the occurrence of Rogue RTP is called Late Rouge Detection (LRD). LRD is based on RTP arriving from multiple sources for longer than a configurable time and by performing RTP header validation for each packet. Each RTP packet is compared against expected value of the Source IP Address, Source Port, RTP version number and RTP sequence number. Since it is possible for the RTP packets to arrive out of sequence the RTP sequence number is checked to make sure it is within the range of expected sequence numbers. Any changes to these parameters indicate signs of rogue RTP activity. Once the RTP session is declared rogue, the source IP address and source port of the senders along with the reason for declaring the stream rogue is recorded and an alarm is generated. The ncite informs the operator with appropriate parameters to identify the call and allows the operator to monitor the call while in progress or terminate the call if necessary. The IP address/port used for the pinhole can then placed on a quarantine list, so no future calls will use the pinhole that has been compromised until the operator can make the necessary policy changes to block the hackers access to the network. Eavesdropping The ncite Session Controller is a completely secure network element with a pool of IP address/port pairs that change dynamically on a call-by-call basis as the calls are routed between Voice VPNs. This virtual network in not accessible or known to anyone other than the service provider provisioning the network and the two VoIP endpoints participating in the call. Hence, the RTP (voice) never traverses a public network and requires no RTP encryption for the media or IP Sec tunnels between VPNs to ensure security. This meets the Voice VPN customer requirements for security and greatly simplifies the provisioning and maintenance for the service provider. Unauthorized Access Prior to dynamically opening a pinhole through the existing firewall, ncite performs the session admission control (SAC) function to authenticate the call. ncite opens pinholes by matching 3 tuples (Destination IP Address, Destination Port, and Protocol) against an access control list (ACL) for the Voice VPNs. Once the call is authenticated, ncite performs SIP, H.323 and RTP message validation on each packet in the session and disallows any unauthorized or suspicious packets from passing through the firewall. 3. Billing. The ncite generates session detail records (SDRs), which may be imported by the carrier billing system to capture the origination/termination revenue for all calls routed between Voice VPNs. Since the ncite anchors the media for calls routed between Voice VPNs, the SDR contains detailed information pertaining to the quality of the call. Network conditions such as delay, jitter and packet loss are reported enabling the operator to troubleshoot call quality issues in real-time. Below is a partial SDR. Page 8 of 11

Netrake ncite Session Detail Record (SDR) callinghost calleduser calledhost callendstate callstarttime callendtime callduration callingsrcip callingdestip callingflowpacket callingminlatency callingmaxlatency callingavglatency callingavgjitter calledsrcip calleddestip terminatingip calledflowpacket calledminlatency calledmaxlatency 64.50.24.171 3001 c.net 1 1008637291 1008637295 3.994 64.50.24.171 10.6.111.1 219 25 26 26 5684 10.6.111.1 64.50.24.171 10.6.111.1 180 25 26 10.6.111.1 3001 c.net 1 1008637437 1008637447 9.994 10.6.111.1 10.6.111.1 530 25 26 26 5700 10.6.111.1 10.6.111.1 10.6.111.1 489 23 27 10.6.111.1 3001 c.net 1 1008637549 1008637552 2.894 10.6.111.1 10.6.111.1 175 25 26 26 5674 10.6.111.1 10.6.111.1 10.6.111.1 130 25 26 10.6.111.1 3001 c.net 1 1008637669 1008637674 4.594 10.6.111.1 10.6.111.1 245 25 26 26 5685 10.6.111.1 10.6.111.1 10.6.111.1 212 25 27 64.50.24.171 3001 c.net 1 1008637734 1008637737 3.294 64.50.24.171 10.6.111.1 200 25 27 26 5680 10.6.111.1 64.50.24.171 10.6.111.1 137 25 26 10.6.111.1 3001 c.net 1 1008637852 1008637871 18.694 10.6.111.1 10.6.111.1 950 24 27 26 5705 10.6.111.1 10.6.111.1 10.6.111.1 904 25 26 4. Session Admission Control. When a Voice VPN customer is provisioned on the ncite, the operator specifies a virtual line count for that customer. The virtual line count equates to the number of concurrent calls that specific Voice VPN customer is allowed to route through the ncite. When the virtual line count limit is exceeded the ncite can be configured to enforce SLA s by doing the following: Generate a busy message and send to the call initiator. Allow the call and flag the SDR indicating a violation of SLA. This flag can then be used to trigger a premium charge for all calls exceeding the SLA in the carrier billing system. Downgrade the QoS and allow the call through a best effort route. The ncite enables this utilizing diffserv packet marking on all packets routed to the MPLS network where they can be placed on the appropriate LSP per the service providers MPLS trafficengineering scheme. Calls are admitted based on source address, destination port, destination address, and protocol using 3- or 4-tuple admission control. Page 9 of 11

Summary The ncite Session Controller is a new class of network infrastructure product that enables service providers offering MPLS VPNs the ability to overlay real-time, peer-to-peer multimedia applications such as IP telephony onto their existing network architecture. By combining the critical functions discussed in this paper into a single scalable, manageable and highly available system the ncite greatly reduces the CAPEX and OPEX associated with other multi-box solutions on the market. ncite can also be utilized by the service provider to enable several other applications such as; Wholesale VoIP origination/termination with other carriers Secure instant messaging with push to talk capabilities Secure video conferencing Hosted Media Gateway Hosted Communications Services such as IP Centrex, Presence, Conferencing and Call Centers Firewall traversal solutions for enterprise and consumer product offerings that utilize a public IP network Finally, the ncite Session Controller is easy to deploy, simply requiring its components to be positioned in the communication path in the servi ce provider and each corresponding enterprise network. The solution provides complete transparency and anonymity for existing network communication devices - none of the devices have to change their behavior. The Netrake solution ensures secure traversal of real-time communications and enables communication service providers to deliver valuable, secure products and services to their enterprise customers.. Page 10 of 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information