Securing SIP Trunks APPLICATION NOTE. www.sipera.com




APPLICATION NOTE

Securing SIP Trunks

SIP trunks are offered by Internet Telephony Service Providers (ITSPs) to connect an enterprise's IP PBX to the traditional Public Switched Telephone Network (PSTN) over the Internet using the Session Initiation Protocol (SIP) Voice over Internet Protocol (VoIP) standard. Deploying SIP trunks enables enterprises to take full advantage of VoIP and eliminate costly Time-Division Multiplexing (TDM) trunks and TDM gateways. Enterprises route calls over the carrier's IP backbone and use the same IP connection for all their communications.

Once enterprises decide to deploy one or more SIP trunks, however, they must address several important security and deployment issues. In particular, enterprises must consider the following security questions:

- Do the enterprise and the service provider have the same security requirements?
- Do the service provider and the enterprise have the same security policies for employees, networks, and the VoIP system?
- How can the enterprise maintain control over signaling, media, security, and routing policies?
- How does the enterprise address new SIP or media threats to the enterprise infrastructure or to the service provider's infrastructure?
- What changes must the enterprise make to the firewall/network address translation (NAT) device, IP PBX, private IP addresses, numbering plan, and other components?
- Must the enterprise network topology be exposed?
- How does the enterprise ensure user/caller ID privacy?
- How does the enterprise ensure the privacy of the actual media communications? Is encryption required? If so, must it be end-to-end?

To ensure the deployment of secure SIP trunks, enterprises must implement a solution that addresses all of these questions. Sipera Systems offers a comprehensive unified communications (UC) security solution that enables enterprises to do just that, while defining a security boundary between themselves and the service provider.

PROBLEM

An enterprise's IP PBX and other UC infrastructure components are not only valuable enterprise assets; they are critical components required for VoIP and UC services. Typically, enterprises control network access to these components through the use of virtual local area networks (VLANs), access control lists (ACLs), and firewalls. However, when enterprises provide connectivity over SIP trunks, opening access to critical resources over WANs and opening ports on the firewall present serious security challenges. Maintaining control over their own security requirements may also raise issues.

Different enterprise and service provider security requirements

Typically, a SIP trunk provider has one set of security requirements, whereas its enterprise customers have diverse security requirements. For example, enterprises standardize on different operating systems, implement security policies differently, define different firewall rules, require different password lengths, and may differ in their need to use two-factor authentication for remote users. In the case of VoIP and UC, these varying security requirements are particularly important. Instead of being forced to adopt the standards of their SIP trunk providers, enterprises must be able to enforce their own unique security standards and maintain control over all aspects of their unified communications to:

- Ensure secure deployment of their SIP trunks
- Improve overall network security
- Determine the specific signaling, media, and applications that are allowed or denied access to their networks, to ensure the quality of service (QoS) required for VoIP and UC services
- Define fine-grained security policies that are enforced based on network, user, device, and time of day

Protection against VoIP and UC protocol vulnerabilities

VoIP offers many more real-time services than data, including transfer, conference, and hold, making VoIP protocols more complex, flexible, and exploitable. (Because of this, more than 50 Requests for Comments, or RFCs, exist for SIP in the IETF, compared with only about 10 for HTTP, which has been around more than twice as long.) With known ports open on the firewall to allow VoIP and UC traffic through, enterprises must perform deep-packet inspection and continuously police application traffic to protect the VoIP network, endpoints, and IP PBXs from thousands of application-layer attacks that can cause IP PBX crashes, lost services, and degradation of voice quality. These VoIP/UC-specific application-layer attacks include:

- Reconnaissance
- Spoofing
- Eavesdropping
- Signaling and media manipulation
- Service theft/fraud
- Denial of Service (DoS)/Distributed DoS attacks
- Fuzzing and buffer overflow exploits
- VoIP spam
- VoIP phishing

Confidentiality and privacy concerns

When VoIP traffic is sent over the Internet, both signaling and media traffic must be encrypted to ensure complete privacy of real-time communications. Attackers can use sniffing methods to easily exploit signaling traffic for reconnaissance purposes and to learn detailed call-related information (such as caller and called party IP addresses, and the date and time of the call). Media must be encrypted to ensure privacy of the actual communication. However, encrypting media traffic poses the additional challenge of ensuring acceptable QoS without degrading performance. The problem is compounded in terms of management and operational costs if the artificial requirement for a VPN client on the phone or a home VPN gateway is imposed.

Private addressing, firewalls and network address translation (NAT)

IP addresses in SIP messages and message headers that are exchanged between the service provider and enterprise network must be routable IP addresses in the service provider's network. Unlike data applications, VoIP uses dynamic ports for peer-to-peer media flows between phones.
For SIP trunks to work, enterprises must make the following major changes to their firewall policies for performing NAT functionality and protecting internal, private IP addresses:

- Enterprise firewall policies must support opening dynamic ports for media, which weakens security.
- Enterprises must provide internal, private IP addresses that are routable in the service provider's network to support SIP message exchanges between enterprise and service provider networks.

Access and authorization

Before establishing a signaling or media session, remote users must be authenticated. This authentication can be done in a variety of ways, including the use of digest access authentication or certificates. Many enterprises require the use of two-factor authentication schemes such as RSA SecurID for remote access to prevent unauthorized calls on stolen or lost phones.

Policy compliance for UC traffic

To deploy SIP trunks without compromising established security policies, enterprises must also enforce fine-grained UC policies. VoIP and IT administrators must control voice, video, IM, and other UC applications by defining the way the applications are used and the networks, devices, and users that are authorized to interact with the applications. Policies for mobile users and devices must be dynamic and flexible to satisfy these requirements.

SOLUTION

The Sipera UC-Sec security appliances offer real-time UC security, including comprehensive threat protection, policy enforcement, access control, and privacy, to address the issues of SIP trunk deployments. Built on the foundation of the Sipera VIPER engine and real-time platform, the UC-Sec appliances perform the following functions for securing SIP trunks:

- Serve as the demarcation point for the enterprise VoIP and UC network and enforce fine-grained security policies.
- Protect against SIP and Real-time Transport Protocol (RTP) threats by blocking them at the enterprise perimeter.
- Maintain privacy of the enterprise internal network, caller/user IDs, and communications.
- Perform firewall/NAT traversal to simplify the deployment of SIP trunks.
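The application note lists the attack classes a perimeter device must police in the signaling channel but does not show what detecting them looks like. The following is an added example, not Sipera's or the UC-Sec product's code, of sliding-window detection over SIP signaling events for three of those classes: reconnaissance (an extension sweep with OPTIONS), credential guessing against REGISTER (the usual precursor to service theft/fraud), and an INVITE flood (DoS). The log format, the addresses, the thresholds and the sample events are all constructed for the example.

```python
"""Added example: rate-based detection of SIP application-layer attacks.

Assumed (constructed) event format, one signaling transaction per line:
    <epoch_seconds> <source_ip> <method> <request_uri_user> <response_code>
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
THRESHOLDS = {
    "auth_failures": 5,     # 401/403 answers to REGISTER from one source in the window
    "distinct_targets": 8,  # distinct users probed from one source (extension sweep)
    "invites": 20,          # INVITEs from one source in the window (flood)
}


def parse_event(line: str) -> dict:
    ts, src, method, user, code = line.split()
    return {"ts": int(ts), "src": src, "method": method, "user": user, "code": int(code)}


def detect(lines, window=WINDOW_SECONDS, thresholds=THRESHOLDS):
    """Return sorted (source_ip, alert_type) pairs for sources that cross a threshold.

    Events are processed in time order; a per-source deque holds only the
    events inside the trailing window, so memory is bounded by the window.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts = set()
    for e in events:
        q = recent[e["src"]]
        q.append(e)
        while q[0]["ts"] < e["ts"] - window:
            q.popleft()
        # A single 401 is a normal digest challenge; repeated failures are not.
        auth_failures = sum(1 for x in q if x["method"] == "REGISTER" and x["code"] in (401, 403))
        targets = {x["user"] for x in q}
        invites = sum(1 for x in q if x["method"] == "INVITE")
        if auth_failures >= thresholds["auth_failures"]:
            alerts.add((e["src"], "credential-guessing"))
        if len(targets) >= thresholds["distinct_targets"]:
            alerts.add((e["src"], "extension-scan"))
        if invites >= thresholds["invites"]:
            alerts.add((e["src"], "invite-flood"))
    return sorted(alerts)


def build_sample_log():
    """Constructed events: one scanner, one credential guesser, one flooder, one legitimate peer."""
    lines = []
    # 198.51.100.7 walks extensions 100..111 with OPTIONS and gets 404 for each
    lines += [f"{1000 + i} 198.51.100.7 OPTIONS {100 + i} 404" for i in range(12)]
    # 203.0.113.9 keeps retrying REGISTER for user 2001 and is refused every time
    lines += [f"{1010 + i} 203.0.113.9 REGISTER 2001 403" for i in range(6)]
    # 192.0.2.44 sends 25 INVITEs within about nine seconds
    lines += [f"{1020 + i // 3} 192.0.2.44 INVITE 1000 100" for i in range(25)]
    # 203.0.113.20 behaves normally: one challenge, a successful REGISTER, one call
    lines += ["1005 203.0.113.20 REGISTER 1500 401",
              "1006 203.0.113.20 REGISTER 1500 200",
              "1040 203.0.113.20 INVITE 1500 100"]
    return lines


if __name__ == "__main__":
    for src, kind in detect(build_sample_log()):
        print(f"ALERT {kind:20s} from {src}")
```

On a real edge device the same three counters would be fed from the decoded SIP transactions rather than a text log, and the thresholds tuned to the trunk's normal call rate; the legitimate peer above shows why a single 401 must not count as a failure.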
Demarcation of the enterprise and service provider VoIP/UC network

Enterprises must enforce a demarcation point between their VoIP/UC boundary and the service provider using a UC security appliance, just as they install firewalls and demilitarized zones (DMZs) in their data networks. The UC-Sec security appliance becomes this demarcation point and performs all security functions required to enforce enterprise security policies. UC-Sec also provides information from both the enterprise side and the service provider side on QoS and service availability, so that the appropriate service level agreements (SLAs) can be verified and enforced.

In addition, enterprises must define policies for VoIP and UC traffic that apply to the SIP trunk. For example, policies might define:

- Users that are allowed to make voice and video calls
- The SIP trunk to use for international dialing
- Trunks that require encryption and threat protection
- Calls that must be logged, and whether or not to report the QoS

Enterprises that have multiple departments with different security requirements and applications may require more flexible, fine-grained policy control. Frequently, enterprises use multiple routes to reach the PSTN. Enterprises might also have multiple internal call servers and require flexible SIP routing policies at the edge. Sipera's UC-Sec offers fine-grained UC policy control based on network, user, device, and time of day to give enterprises complete control over their UC infrastructure, devices, and users.

Addressing the vulnerabilities and threats in SIP and RTP

When traffic from the service provider WAN comes into the corporate intranet to high-value assets such as VoIP servers, the traffic must pass through a VoIP security appliance, such as the UC-Sec product, which inspects and validates the traffic.
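To make the policy types above concrete (who may place voice or video calls, which trunk carries international calls, which trunks require encryption, which calls are logged, all keyed on network, user, device and time of day), here is an added example of a small call-policy engine. It is not Sipera code and does not describe how UC-Sec evaluates policy; the groups, trusted networks, trunk names and capabilities, home-country prefix and business hours are constructed assumptions.

```python
"""Added example: evaluate a call attempt against network/user/device/time-of-day policy."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class CallRequest:
    user: str            # authenticated SIP user
    group: str           # directory group of the user
    device: str          # "desk-phone", "softphone" or "mobile"
    src_ip: str          # address the signaling arrived from
    dialed: str          # dialed number in E.164 form, e.g. "+442071234567"
    media: frozenset     # frozenset({"audio"}) or frozenset({"audio", "video"})
    when: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    trunk: Optional[str]
    encrypt: bool        # call must use TLS signaling and SRTP media
    log: bool            # call detail must be logged
    reason: str


# ---- constructed policy data (assumptions for this example) ----------------
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
VIDEO_GROUPS = {"executives", "sales"}
INTERNATIONAL_GROUPS = {"executives", "sales", "support"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # Monday to Friday
HOME_COUNTRY_PREFIX = "+1"
# Trunks in order of preference with their (assumed) capabilities
TRUNKS = [
    ("itsp-local",  {"encrypted": False, "international": False}),
    ("itsp-secure", {"encrypted": True,  "international": True}),
]
# ---------------------------------------------------------------------------


def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_international(number: str) -> bool:
    return number.startswith("+") and not number.startswith(HOME_COUNTRY_PREFIX)


def in_business_hours(when: datetime) -> bool:
    return when.weekday() < 5 and BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]


def select_trunk(need_international: bool, need_encryption: bool) -> Optional[str]:
    """First trunk, in preference order, that satisfies the call's requirements."""
    for name, caps in TRUNKS:
        if need_international and not caps["international"]:
            continue
        if need_encryption and not caps["encrypted"]:
            continue
        return name
    return None


def evaluate(req: CallRequest) -> Decision:
    trusted = on_trusted_network(req.src_ip)
    # Network + device rule: only mobile devices may signal from outside trusted networks
    if not trusted and req.device != "mobile":
        return Decision(False, None, False, True, "non-mobile device outside trusted networks")
    # User rule: video only for listed groups
    if "video" in req.media and req.group not in VIDEO_GROUPS:
        return Decision(False, None, False, True, f"video not permitted for group {req.group}")
    intl = is_international(req.dialed)
    if intl and req.group not in INTERNATIONAL_GROUPS:
        return Decision(False, None, False, True, f"international dialing not permitted for group {req.group}")
    # Time-of-day rule: international dialing only in business hours
    if intl and not in_business_hours(req.when):
        return Decision(False, None, False, True, "international dialing outside business hours")
    # Off-network callers and international calls must ride an encrypted trunk
    need_encryption = (not trusted) or intl
    trunk = select_trunk(intl, need_encryption)
    if trunk is None:
        return Decision(False, None, need_encryption, True, "no trunk satisfies policy")
    # Log international and off-network calls; routine on-net domestic calls are not logged
    return Decision(True, trunk, need_encryption, intl or not trusted, "allowed")


if __name__ == "__main__":
    tuesday = datetime(2024, 6, 11, 10, 0)
    print(evaluate(CallRequest("alice", "executives", "desk-phone", "10.1.2.3",
                               "+442071234567", frozenset({"audio"}), tuesday)))
```

Every denial is logged (the `log` flag is set on each deny branch) so that policy violations remain visible to the SOC even though the call never reaches a trunk; the ordering of checks matters too, since the cheapest rule (source network) runs first and the trunk lookup only happens for calls that are already permitted.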

UC-Sec is VoIP-aware, performs deep-packet inspection, and tracks call states, which is crucial for UC threat mitigation. The UC-Sec appliance also has a signature update mechanism that extends the same protection to new threats.

Maintaining privacy of network topology and internal domains

Enterprises require a VoIP/UC-aware appliance at the edge of their networks to hide internal network topology and SIP domain information. Sipera's UC-Sec rewrites private IP addresses to public IP addresses and private internal domains to public SIP domains in SIP messages to prevent exposure of the enterprise network topology. UC-Sec also supports:

- User/caller ID anonymity
- User privacy
- SIP standards that interwork with service providers' SIP trunks
- Encryption of signaling traffic over Transport Layer Security (TLS) and encryption of media traffic over Secure RTP (SRTP)

Communicating and interworking disjoint private networks

Enterprise firewalls and DMZs enforce strict policies and perform NAT functions to ensure that internal enterprise networks and servers have private addresses that are not directly routable from external networks. Without overhauling these security policies, the Sipera UC-Sec appliance provides NAT traversal for signaling traffic and manages dynamic ports for media traffic. UC-Sec also participates in the signaling traffic to allow only those media sessions that follow the session specification agreed upon in the signaling channel.

Unified Communications Security Life Cycle

1. Define Security Requirements: Compare business objectives for UC with the impact on information security compliance: HIPAA, PCI, FERPA, GLBA and others.
2. Assess Security Posture: Identify vulnerabilities, assess risk, determine the gap between posture and requirements, and consider the impact on real-time application performance.
3. Implement Security Measures: Optimize security posture and application performance; configure policy enforcement, threat protection, access control, and privacy (encryption).
4. Manage Compliance: Review the established posture, manage change, and gather new requirements as business objectives and regulatory mandates change.

Companies around the world rely on Sipera Systems to ensure their UC and VoIP deployments support compliance with information security requirements and mission-critical corporate objectives. Through dozens of successful vulnerability assessments, security architecture consulting projects, and security appliance deployments, Sipera has developed a standardized Unified Communications Security Life Cycle. This process represents a best practice for continuous improvement of the security architecture, enabling an enterprise to be certain that essential security functions can keep pace with the transforming communications infrastructure. To learn more about Sipera's solutions and for a personal consultation about your UC security requirements, please visit www.sipera.com
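Two of the edge functions described above, hiding the enterprise topology by rewriting private addresses and internal domains in SIP messages, and admitting only the media session that was agreed in the signaling channel, can be shown together over one minimal SIP/SDP parser. The following is an added example and is not Sipera code; it does not describe how UC-Sec implements either function. The internal domain, public domain, edge address, relay port and both sample messages are constructed assumptions.

```python
"""Added example: topology hiding and media pinholing at a SIP trunk edge."""
import ipaddress
import re

# Assumed deployment constants (not from the application note)
INTERNAL_DOMAIN = "pbx.corp.internal"   # SIP domain used inside the enterprise
PUBLIC_DOMAIN = "sip.example.com"       # domain presented to the ITSP
EDGE_PUBLIC_IP = "198.51.100.10"        # public address of the edge appliance
EDGE_MEDIA_PORT = 30000                 # port on the edge through which RTP is relayed

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Headers that can expose enterprise hosts or domains; rewritten before leaving the edge
REWRITE_HEADERS = {"via", "from", "to", "contact", "record-route",
                   "p-asserted-identity", "call-id"}


def _is_private(ip_text: str) -> bool:
    try:
        return ipaddress.ip_address(ip_text).is_private
    except ValueError:      # regex can match a non-address such as 300.1.1.1
        return False


def _rewrite_text(text: str) -> str:
    """Replace the internal domain and every private address with the edge's public identity."""
    text = text.replace(INTERNAL_DOMAIN, PUBLIC_DOMAIN)
    return IP_RE.sub(lambda m: EDGE_PUBLIC_IP if _is_private(m.group()) else m.group(), text)


def _rewrite_sdp(body: str) -> str:
    """Point the offer's origin/connection address and audio port at the edge relay."""
    out = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = _rewrite_text(line)
        elif line.startswith("m=audio "):
            parts = line.split(" ")
            parts[1] = str(EDGE_MEDIA_PORT)
            line = " ".join(parts)
        out.append(line)
    return "\r\n".join(out)


def hide_topology(raw: str) -> str:
    """Rewrite an outbound SIP message so no private address or internal domain leaves the edge."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    body = _rewrite_sdp(body) if body else body
    headers = []
    for h in lines[1:]:
        name, _, value = h.partition(":")
        key = name.strip().lower()
        if key in REWRITE_HEADERS:
            h = f"{name}:{_rewrite_text(value)}"
        elif key == "content-length":   # the body changed, so its length must be recomputed
            h = f"{name}: {len(body.encode())}"
        headers.append(h)
    return "\r\n".join([_rewrite_text(lines[0])] + headers) + "\r\n\r\n" + body


def media_pinhole(remote_sdp: str) -> dict:
    """The only RTP flow permitted for this call, taken from the SDP agreed in signaling."""
    ip = port = None
    for line in remote_sdp.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("answer SDP has no c=/m=audio line")
    return {"remote": (ip, port), "local": (EDGE_PUBLIC_IP, EDGE_MEDIA_PORT)}


def media_allowed(pinhole: dict, src: tuple, dst: tuple) -> bool:
    """Accept an inbound RTP packet only if it matches the negotiated endpoints exactly."""
    return src == pinhole["remote"] and dst == pinhole["local"]


# Constructed outbound INVITE from an internal PBX host (10.1.20.5) and the ITSP's answer SDP
SAMPLE_INVITE = (
    "INVITE sip:+14085551234@itsp.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.20.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:2001@pbx.corp.internal>;tag=1928301774\r\n"
    "To: <sip:+14085551234@itsp.example.net>\r\n"
    "Contact: <sip:2001@10.1.20.5:5060>\r\n"
    "Call-ID: a84b4c76e66710@10.1.20.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 111\r\n"
    "\r\n"
    "v=0\r\n"
    "o=2001 2890844526 2890844526 IN IP4 10.1.20.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.20.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
SAMPLE_ANSWER_SDP = (
    "v=0\r\no=itsp 1 1 IN IP4 203.0.113.40\r\ns=-\r\n"
    "c=IN IP4 203.0.113.40\r\nt=0 0\r\nm=audio 16384 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    print(hide_topology(SAMPLE_INVITE))
    hole = media_pinhole(SAMPLE_ANSWER_SDP)
    print(media_allowed(hole, ("203.0.113.40", 16384), (EDGE_PUBLIC_IP, EDGE_MEDIA_PORT)))  # True
    print(media_allowed(hole, ("203.0.113.41", 16384), (EDGE_PUBLIC_IP, EDGE_MEDIA_PORT)))  # False
```

A production back-to-back user agent would generate fresh Via, Contact and Call-ID values rather than substituting addresses inside them, and would open the pinhole only after the answer SDP arrives and close it when the dialog ends; some providers also send RTP from a port other than the one they advertised, so strict source-port matching is a deliberate policy choice to be checked against each trunk.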

IMPLEMENTATION

To enable secure SIP trunks, a single Sipera UC-Sec security appliance is deployed at the customer premises, between the internal and external firewalls, to provide complete network security, enforce security policies, and handle other SIP trunk deployment issues for the enterprise network. In the deployment shown in the following figure, Sipera UC-Sec performs border control functionality such as FW/NAT traversal (step 1), interworking, security policy enforcement based on fine-grained UC policies, and threat protection to prevent denial of service, spoofing, and stealth attacks.

Because the UC-Sec product is a trusted host in the DMZ, SIP signaling traffic to the enterprise is received by the external firewall and sent to the Sipera appliance, which processes the signaling information. If the SIP signaling traffic is encrypted, UC-Sec decrypts all TLS-encrypted traffic and looks for anomalous behavior before forwarding the packets through the internal firewall to the appropriate IP PBX to establish the requested call session (step 2). Once a valid call has been set up, RTP packets are allowed to flow through the external firewall to the Sipera UC-Sec product, which decrypts the SRTP traffic (if required) and looks for anomalous behavior in the media before passing the RTP stream on to the intended recipient (step 3).

RESULT

The popularity of SIP trunks is primarily due to cost savings and the increased reliability offered through service provider service level agreements (SLAs). SIP trunks can deliver much lower cost local, toll-free, domestic, and international long distance services to any enterprise willing to replace its PSTN connectivity. They also offer a unique opportunity for large, distributed enterprises to consolidate their VoIP/UC infrastructure and connectivity to the PSTN. Therefore, it is not surprising that enterprises embrace SIP trunks as a means to replace costly PSTN trunks and gateways, while using real-time, unified communications ubiquitously over IP networks. In some cases, enterprises use multiple SIP trunks with different providers for disaster recovery, redundancy, or to enable different applications. However, without solving network security and demarcation challenges, SIP trunks cannot be deployed on a large scale. The Sipera UC-Sec product offers a comprehensive security solution with threat protection, access control, policy enforcement, and privacy protection in a single device, enabling enterprises to address all of these challenges and securely deploy SIP trunks.

[Figure: Sipera UC-Sec deployed in high-availability mode in the DMZ, between the enterprise intranet (IP PBX, internal firewall) and the ITSP/PSTN (external firewall). Labels: 1. FW/NAT traversal; 2a. Encrypted signaling over TLS; 2b. Apply VoIP/UC policies, detect and prevent VoIP/UC threats, perform interworking functions; 2c. Signaling over TCP/UDP; 3a. SRTP media; 3b. Media anomaly detection and prevention; 3c. RTP media]

UC Security Defined

About Sipera Systems

Sipera Systems, the leader in real-time Unified Communications (UC) security, is the choice of enterprises and service providers around the world to support their mission-critical UC deployments. Sipera offers groundbreaking, production-proven solutions that secure voice, video, messaging, collaboration, and other real-time communications in converged IP networks, boosting compliance with information security requirements. Backed by the industry-leading research of the VIPER lab, Sipera's solutions provide comprehensive threat protection, policy enforcement, access control, and encryption in a single flexible appliance.

www.sipera.com V#07-16-09
Sipera Systems Inc., 1900 Firman Drive, Suite 600, Richardson, TX 75081, USA
T: 214 206 3210 F: 214 206 3215 E: info@sipera.com
Copyright 2009 Sipera Systems, Inc. All rights reserved. Sipera, Sipera UC-Sec and related products, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.