Presenter. Zane Ryan. Director Dot Force zane.ryan@dotforce.co.uk www.dotforce.co.uk




Ingate Systems
- Headquarters in Stockholm, Sweden
- North American subsidiary in New Hampshire
- Long Island, New York
- San Jose, California
- Ottawa, Canada
- Leading provider of Enterprise Session Border Controllers
- Fully SIP capable Enterprise Firewalls
- Enterprise SBCs (SIParator)
- Avaya DevConnect partner since 2005
- Preconfigurations for all major SIP trunking providers
- Support for remote workers
- Security and control

Some Well Known Customers
- 2 Major Japanese Banks (protected under NDA)
- Major Boston, MA Based Financial Services Firm (protected under NDA)

Possibilities with SIP

Why an SBC?

The Ingate appliance family SIParator 66 SIParator 95 1800 Calls* 4 500 Mbit/s 300 000 Packets/s SIParator 96 3000 Calls* 4 500 Mbit/s 300 000 Packets/s SIParator 56 800 Calls* 900 Mbit/s 90 000 Packets/s SIParator 21 50 Calls* 200 Mbit/s 10 000 Packets/s SIParator 51 150 Calls* 500 Mbit/s 28 500 Packets/s 400 Calls* 700 Mbit/s 50 000 Packets/s *) Calls = Concurrent RTP Sessions = SIP Trunks

SIParator Modes are Used Together with Existing (non SIP Aware) Firewalls*
- WAN SIParator recommended with shared data and voice IP pipe: SIParator controls QoS (traffic shapes to favour voice over data)
- Setup of Existing Firewall using LAN or DMZ SIParator:
  - Port Forward 5060
  - Port Forward Media Port range
* Ingate can also be used as the complete combined Data and Voice Enterprise Firewall

Ingate Licenses
- Capacity licenses
- Functional Modules

Ingate modules
- SIP Trunking Module
- Additional Trunk Group (Pages)
- Remote SIP Connectivity
- Enhanced Security Module
- Quality of Service
- VoIP Survival Mode
- SIP Registrar

What is SIP Trunking?
[Diagram labels: Public Internet, MPLS, SIP Trunking Provider, SIP System, PSTN, IP PBX, Firewall]

Common SIP Applications: Remote Desktop
- Extending SIP communications to Remote & Home Offices.
- Extension of IP PBX services using Open Source standardized Protocol
- Use of off-the-shelf SIP Phones and Soft SIP Clients.

Connectivity for Remote Users
(No VPN is being used)
[Diagram labels: Traveling user, 802.11 Hotspot, Home user, Hotel NAT, Internet, SIP/PSTN Gateway, Home NAT, PSTN, IP-PBX, Ingate Firewall, SIP/PSTN Gateway, Delay, Delay]

Are you technically ready?
- IP PBX?
- Evaluation and Analysis
- Service Provider?
- E-SBC?

Common Deployment Issues, Problem #1: NAT BREAKS SIP
- SIP Protocol is an Application Layer Protocol
- Network Address Translation (NAT) resides at the Transport Layer (TCP/IP)
- NAT will not change the SIP addressing within the TCP/UDP datagram
- Firewalls are a NATing device and BLOCK all Incoming SIP Traffic to the LAN
- Any NAT device, either Far End (remote) or Near End (on prem), can affect the call

Common Deployment Issues, Resolution #1: NAT BREAKS SIP
- SIP Protocol requires a SIP Proxy or Application Layer Gateway and NAT
- SIP Proxy (SIP Aware Firewall) will correct IP Addresses and Port allocation in SIP Protocol from Private LAN addresses to Public WAN address.
- SIP Proxy monitors all SIP Traffic IN and OUT and can apply routing rules
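The address correction described in Problem #1 and Resolution #1, as an added Python example (not Ingate code, and not from the original slides). The INVITE, the 10.0.0.5 phone address and the 203.0.113.10 public address are constructed, and the rewrite is a simplified ALG-style substitution; a real SBC also maps ports and relays media.

```python
import ipaddress
import re

# RFC 1918 private ranges, the "Private LAN addresses" the slide refers to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: an INVITE as a phone at 10.0.0.5 on the LAN would send it.
SDP = ("v=0\r\no=alice 1 1 IN IP4 10.0.0.5\r\ns=-\r\n"
       "c=IN IP4 10.0.0.5\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@itsp.example SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
          "From: <sip:alice@pbx.example>;tag=1928301774\r\n"
          "To: <sip:bob@itsp.example>\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "CSeq: 1 INVITE\r\n"
          "Contact: <sip:alice@10.0.0.5:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)

def is_rfc1918(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(ip in net for net in RFC1918)

def private_addrs(msg):
    """Private addresses still visible in the SIP headers or SDP body."""
    return sorted({a for a in IPV4.findall(msg) if is_rfc1918(a)})

def content_length(msg):
    return int(re.search(r"(?im)^Content-Length:\s*(\d+)", msg).group(1))

def alg_rewrite(msg, public_ip):
    """Swap private addresses for public_ip in headers and SDP, then fix
    Content-Length, which changes when the addresses differ in length."""
    swap = lambda m: public_ip if is_rfc1918(m.group()) else m.group()
    head, body = msg.split("\r\n\r\n", 1)
    head, body = IPV4.sub(swap, head), IPV4.sub(swap, body)
    head = re.sub(r"(?im)^Content-Length:\s*\d+",
                  f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body

if __name__ == "__main__":
    print("before:", private_addrs(INVITE))  # what a plain NAT leaves in place
    fixed = alg_rewrite(INVITE, "203.0.113.10")
    print("after: ", private_addrs(fixed), content_length(fixed))
```

A transport-layer NAT changes only the IP/UDP header, so the far end would still be told to reply and send media to 10.0.0.5; the same scan is a quick check for the private address leakage listed under Problem #3.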

Common Deployment Issues, Ingate Benefits: NAT BREAKS SIP
- Ingate has a SIP Proxy, SIP B2BUA and NAT working together
- Ingate SIParator can enhance the SIP capabilities and SIP security of an existing Firewall
- Ingate can provide Far End NAT Traversal functionality
What Other IP PBX Vendors Do
- Almost all IP PBX vendors recommend the use of some sort of SIP Aware Firewall for deployment
- Others recommend the use of Port Forwarding, to forward Port 5060 and a thousand other Ports to the IP PBX. HUGE SECURITY RISK!!

Common Deployment Issues, Problem #2: SIP Interoperability
Not all SIP is the same
- One vendor's implementation may not be the same as another's
- There are many SIP components and extensions that may be supported on one vendor's equipment and not on another's
- SIP Protocol is an open standard and can be left to interpretation by each vendor
Examples
- Use of REFER Method is not typically supported by ITSP
- Use of INVITE with Replaces Header is not typically supported by ITSP
- Some ITSPs don't like SDP with a=inactive attribute
- ENUM SIP URI Delivery is supported by some and not by others
- Various TO and FROM Header conformances
- Alternate SIP Domain routing requirements

Common Deployment Issues, Resolution #2: SIP Interoperability
Testing and Development for each Vendor
- Extensive Testing and Development time devoted to each vendor integration to ensure complete interoperability, a huge undertaking
- Customization and Flexibility development for each Vendor integration
SIP Connect Compliance
- Adherence to SIP Forum SIP Connect Compliance, governing body of SIP Trunking deployments and standards

Common Deployment Issues, Ingate Benefits: SIP Interoperability
In General
- Can rewrite headers that commonly need changing between vendors
- Provides SIP Protocol error checking and fixes Protocol non-conformances
- Routing Rules and Policies to direct traffic
- Contains an extensive list of features devoted to SIP non-conformance customization
Ingate contains a B2BUA
- Separates the call between the two parties, helping separate two different implementations of SIP
- Provides Client or Server User Accounts for Registration and Authentication
- Separate SIP Method Handling between two parties

PBX interoperability
Ingate SIParator / Ingate Firewall SIP trunk, compliant with:
- Service providers: 360 Networks, Airespring, AT&T, BandTel, Bandwidth.com, Bell Canada, Broadvox, Cablevision, Cbeyond, Cellip, Cordia Corporation, Earthlink Business, Excel Switching, Gamma, Global Crossing, IP-Only, Juma Networks, Level 3, Nectar, Netlogic, NetSolutions, Nexvortex, Nuvox, One Communications, Paetec, Primus, Qwest, RNK Telecom, Skype, SoTel, TDC, Tele2, Telia, Toplink, Verizon, VoIP Unlimited, Windstream, Voxbone. More in pipeline...
- Carrier Equipment: Acme Packet, Broadsoft, NexPoint, Sonus, Sylantro
- IP-PBXs: Aastra A-700, Aastra Clearspan, Aastra MX-One, Aastra Pointspan, Avaya, Cisco Call Manager, Digium/Asterisk, Fonality, HP, Innovaphone, Interactive Intelligence, Iwatsu, Microsoft, Mitel, NEC / Sphere, Nortel, Objectworld, Panasonic, Pingtel, Samsung, SER, Shoretel, Siemens

Common Deployment Issues, Problem #3: SIP Security
SIP is written in clear text within the datagram of a UDP or TCP Transport.
- Confidential User/SIP URI Information
  - A SIP URI is like an Email Address: once someone has it, they know who you are and where you are located.
  - The malicious person or software can send SIP Request after SIP Request to your SIP URI.
  - Some malicious uses include DoS Attacks, SPIT Attacks, Intrusion of Services, Toll Fraud, Telemarketers and more.
- Called and Calling Party Number Information
- Private LAN Network Address Scheme
  - Giving away the confidential Private IP Address scheme of the internal LAN network gives malicious attackers knowledge of the internal configuration of the Enterprise.
  - The Port being used on the device tells malicious attackers where to direct traffic
- Media Attributes
  - Easy to see what Media is being negotiated and where it's going

Common Deployment Issues: Common SIP Attacks
- Intrusion of Services
  - Devices attempting to Register with an IP PBX in an attempt to look like an IP PBX extension and gain IP PBX services
- SPIT (SPAM over Internet Telephony)
- Toll Fraud
  - A form of Intrusion of Service, where malicious users attempt to send INVITEs to an IP PBX to gain access to PSTN Gateways and SIP Trunking to call the PSTN
- Denial of Service
  - INVITE (or any SIP Request) Flood in an attempt to slow services or disrupt services
  - Or any UDP or TCP traffic directed at a SIP Service on SIP Ports
- Indirect Security Breaches
  - Private LAN IP Address and infrastructure are now made public, and can be used in attacks on other non-SIP areas

Common Deployment Issues, Resolution #3: SIP Security
- Dynamic Encryption of SIP URI
  - Using the SIP Specification, enforce an Encrypted SIP URI where possible
- Dynamic Port Allocation
  - Dynamically change ports on every call.
- Hide LAN IP Address Scheme
  - Apply LAN to WAN Network Address Translation within the SIP Signaling
- TLS and SRTP
  - TLS Transport provides complete encryption of SIP Signaling
  - SRTP provides encryption of RTP Media
- IDS/IPS for SIP Protocol
  - SIP Protocol specific Intrusion Detection Systems and Intrusion Prevention Systems allow for monitoring and statistics of all SIP Traffic, and apply rules and policies based on the traffic
- Traffic Routing Rules and Policies
  - IP Address Authentication, SIP URI Validation, and Routing Rules
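A sketch of the per-source statistics a SIP-specific IDS can keep to catch the registration attempts and INVITE floods listed under Common SIP Attacks. This is an added Python example, not Ingate's implementation; the log line format, the thresholds and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 10.0          # seconds per sliding window (assumed policy value)
MAX_FAILED_USERS = 3   # distinct users with failed REGISTERs per source
MAX_INVITES = 20       # INVITEs per source per window

# Constructed events, format assumed: "epoch source_ip METHOD user status"
SAMPLE = (
    ["100.0 192.0.2.10 REGISTER 201 401",   # normal digest challenge...
     "100.1 192.0.2.10 REGISTER 201 200",   # ...followed by success
     "105.0 192.0.2.10 INVITE 201 200"]
    + [f"{200 + i * 0.5} 198.51.100.23 REGISTER {100 + i} 401" for i in range(6)]
    + [f"{300 + i * 0.1:.1f} 203.0.113.50 INVITE 9001 503" for i in range(30)]
)

def expire(queue, now, ts_of):
    """Drop entries that have fallen out of the sliding window."""
    while queue and ts_of(queue[0]) < now - WINDOW:
        queue.popleft()

def detect(lines):
    """Return {source_ip: set of alert names} for the given log lines."""
    failed = defaultdict(deque)    # src -> (timestamp, user) of failed REGISTERs
    invites = defaultdict(deque)   # src -> timestamps of INVITEs
    alerts = defaultdict(set)
    for line in lines:
        ts, src, method, user, status = line.split()
        ts, status = float(ts), int(status)
        if method == "REGISTER" and status in (401, 403, 404):
            q = failed[src]
            q.append((ts, user))
            expire(q, ts, lambda e: e[0])
            # One 401 per login is expected; many different users is not.
            if len({u for _, u in q}) > MAX_FAILED_USERS:
                alerts[src].add("register-scan")
        elif method == "INVITE":
            q = invites[src]
            q.append(ts)
            expire(q, ts, lambda e: e)
            if len(q) > MAX_INVITES:
                alerts[src].add("invite-flood")
    return dict(alerts)

if __name__ == "__main__":
    for src, names in sorted(detect(SAMPLE).items()):
        print(src, sorted(names))
```

Counting distinct failed users rather than raw 401 responses keeps a phone's ordinary challenge-then-success registration from raising an alert.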

Fallback and Failover Functions
- Monitor availability of SIP servers
- Failure detection and reporting
- SIP traffic re-route and recovery based upon failure
- Use in parallel as failover pairs

Other SBC SIP Features
- Accounting
  - Generate CDRs
  - RADIUS accounting
- Management
  - Police media bandwidth per session based upon authorized codec
  - Terminate inactive session with session timers
  - Ensure only authorized sessions receive correct QoS and resource allocation
- Routing
  - Extensive Dial Plan
  - DNS (global federation)
  - Least cost routing (LCR)
  - ENUM based routing
  - Large local route tables for static, localized routing decisions
  - Codec stripping & re-ordering

Ingate Start Up Tool
- Step 1: Assign Addresses
- Step 2: Select IP PBX
- Step 2: Select Service Provider

Ingate solutions
- SIP Proxy based architecture. Aware of NATed environments and dynamically controlling built-in NAT and firewall.
- Additional Back to Back User Agent allows Ingate to mitigate any differences in the signaling
- Continuous tests against PBXs and service providers
- Ingate conducts frequent formal recertification testing
- Ingate is committed to assuring its customers that the SIP signaling will be normalized

Is it expensive? What will I gain or lose?

Possibilities with SIP
- SIP Trunking
- IP Centrex
- Unified Communications

IP Centrex Solutions
The Ingate E-SBC, centrally located at the ITSP, provides:
- Protection of the network
- Routing and interoperability with carriers and IP PBXs
- Far End NAT Traversal (FENT)
- SIP trunking
[Diagram labels: Service Provider, PC Softphone, Internet, Simple NAT/FW, PC Softphone, Legacy Firewall, Ingate SIParator, CDR (MOS), QoS, Ingate SBC, Firewall, FENT, CDR (MOS), ITSP, Service Provider Equipment]

Bringing it all together!