Securing SIP Trunks
APPLICATION NOTE

www.sipera.com

SIP Trunks are offered by Internet Telephony Service Providers (ITSPs) to connect an enterprise’s IP PBX to the traditional Public Switched Telephone Network (PSTN) over the Internet using the Session Initiation Protocol (SIP), the Voice over Internet Protocol (VoIP) signaling standard. Deploying SIP trunks enables enterprises to take full advantage of VoIP and eliminate costly Time-Division Multiplexing (TDM) trunks and TDM gateways. Enterprises route calls over the carrier’s IP backbone and use the same IP connection for all their communications.

Once enterprises decide to deploy one or more SIP trunks, however, they must address several important security and deployment issues. In particular, enterprises must consider the following security questions:

• Do the enterprise and the service provider have the same security requirements?

• Do the service provider and the enterprise have the same security policies for employees, networks, and VoIP systems?

• How can the enterprise maintain control over signaling, media, security, and routing policies?

• How does the enterprise address new SIP or media threats to the enterprise infrastructure or to the service provider’s infrastructure?

• What changes must the enterprise make to the firewall/network address translation (NAT) device, IP PBX, private IP addresses, numbering plan, and other components?

• Must the enterprise network topology be exposed?

• How does the enterprise ensure user/caller ID privacy?

• How does the enterprise ensure the privacy of actual media communications?

• How is actual media privacy ensured? Is encryption required? If so, must it be end-to-end?

To ensure the deployment of secure SIP trunks, enterprises must implement a solution that addresses all of these questions. Sipera™ Systems offers a comprehensive unified communications (UC) security solution that enables enterprises to do just that, while defining a security boundary between themselves and the service provider.

PROBLEM

An enterprise’s IP PBX and other UC infrastructure components are not only valuable enterprise assets; they are critical components required for VoIP and UC services. Typically, enterprises control network access to these components through the use of virtual local area networks (VLANs), access control lists (ACLs), and firewalls. However, when enterprises provide connectivity over SIP trunks, opening access to critical resources over WANs and opening ports on the firewall present serious security challenges. Maintaining control over their own security requirements may also raise issues.

Different enterprise and service provider security requirements

Typically, a SIP trunk provider has one set of security requirements whereas its enterprise customers have diverse security requirements. For example, enterprises standardize on different operating systems, implement security policies differently, define different firewall rules, require different password lengths, and may differ in their need to use two-factor authentication for remote users. In the case of VoIP and UC, these varying security requirements are particularly important. Instead of being forced to adopt the standards of their SIP trunk providers, enterprises must be able to enforce their own unique security standards and maintain control over all aspects of their unified communications to:

• Ensure secure deployment of their SIP trunks

• Improve overall network security

• Determine the specific signaling, media, and applications that are allowed or denied access to their networks to ensure the quality of service (QoS) required for VoIP and UC services

• Define fine-grained security policies that are enforced based on network, user, device, and time-of-day

Protection against VoIP and UC protocol vulnerabilities

VoIP offers many more real-time services than data applications, including transfer, conference, and hold, making VoIP protocols more complex, flexible, and exploitable. (Because of this, more than 50 requests for comments, or RFCs, exist for SIP in the IETF, compared with only about 10 for HTTP, which has been around more than twice as long.)

With known ports open on the firewall to allow VoIP and UC traffic through, enterprises must perform deep-packet inspection and continuously police application traffic to protect the VoIP network, endpoints, and IP PBXs from thousands of application-layer attacks that can cause IP PBX crashes, lost services, and degradation of voice quality.

These VoIP/UC-specific application layer attacks include:

• Reconnaissance

• Spoofing

• Eavesdropping

• Signaling and media manipulation

• Service theft/fraud

• Denial of Service (DoS)/Distributed DoS attacks

• Fuzzing and buffer overflow exploits

• VoIP spam

• VoIP phishing

Confidentiality and privacy concerns

When VoIP traffic is sent over the Internet, both signaling and media traffic must be encrypted to ensure complete privacy of real-time communications. Attackers can use sniffing methods to easily exploit signaling traffic for reconnaissance purposes and to learn detailed call-related information (such as caller and called party IP addresses, date, and time of the call). Media must be encrypted to ensure privacy of the actual communication. However, encrypting media traffic poses the additional challenge of ensuring acceptable QoS without degrading performance. The problem is compounded in terms of management and operational costs if the artificial requirement for a VPN client on the phone or a home VPN gateway is imposed.

Private addressing, firewalls and network address translation (NAT)

IP addresses in SIP messages and message headers that are exchanged between the service provider and enterprise network must be routable IP addresses in the service provider’s network. Unlike data applications, VoIP uses dynamic ports for peer-to-peer media flows between phones. For SIP trunks to work, enterprises must make the following major changes to their firewall policies for performing NAT functionality and protecting internal, private IP addresses.

• Enterprise firewall policies must support opening dynamic ports for media, which weakens security.

• Enterprises must provide internal, private IP addresses that are routable in the service provider’s network to support SIP message exchanges between enterprise and service provider networks.

Access and authorization

Before establishing a signaling or media session, remote users must be authenticated. This authentication can be done in a variety of ways, including the use of digest access authentication or certificates. Many enterprises require the use of two-factor authentication schemes such as RSA SecurID for remote access to prevent unauthorized calls on stolen or lost phones.

Policy compliance for UC traffic

To deploy SIP trunks without compromising established security policies, enterprises must also enforce fine-grained UC policies. VoIP and IT administrators must control voice, video, IM, and other UC applications by defining the way the applications are used and the networks, devices, and users that are authorized to interact with the applications. Policies for mobile users and devices must be dynamic and flexible to satisfy these requirements.

SOLUTION

The Sipera UC-Sec™ security appliances offer real-time UC security, including comprehensive threat protection, policy enforcement, access control, and privacy to address the issues of SIP trunk deployments. Built on the foundation of the Sipera VIPER™ engine and real-time platform, the UC-Sec appliances perform the following functions for securing SIP trunks:

• Serves as the demarcation point for the enterprise VoIP and UC network and enforces fine-grained security policies.

• Protects against SIP and Real-time Transport Protocol (RTP) threats by blocking them at the enterprise perimeter.

• Maintains privacy of the enterprise internal network, caller/user IDs, and communications.

• Performs firewall/NAT traversal to simplify the deployment of SIP trunks.

Demarcation of the enterprise and service provider VoIP/UC network

Enterprises must enforce a demarcation point between their VoIP/UC boundary and the service provider using a UC security appliance, just like the firewalls and “demilitarized zones” (DMZs) they install in their data networks. The UC-Sec security appliance becomes this demarcation point and performs all security functions required to enforce enterprise security policies.

UC-Sec also provides information from both the enterprise side and service provider side for QoS or service availability such that appropriate service level agreements (SLAs) can be verified and enforced.

In addition, enterprises must define policies for VoIP and UC traffic that apply to the SIP trunk. For example, policies might define:

• Users that are allowed to make voice and video calls

• The SIP trunk to use for international dialing

• Trunks that require encryption and threat protection

• Calls that must be logged and whether or not to report the QoS

Enterprises that have multiple departments with different security requirements and applications may require more flexible, fine-grained policy control. Frequently enterprises use multiple routes to reach the PSTN. Enterprises might also have multiple internal call servers and require flexible SIP routing policies at the edge. Sipera’s UC-Sec offers fine-grained UC policy control based on network, user, device and time-of-day to give enterprises complete control over their UC infrastructure, devices, and users.

Addressing the vulnerabilities and threats in SIP and RTP

When traffic from the service provider WAN comes into the corporate intranet to high value assets such as VoIP servers, the traffic must pass through a VoIP security appliance, such as the UC-Sec product, which inspects and validates the traffic.

UC-Sec is VoIP-aware: it performs deep-packet inspection and tracks call states, which is crucial for UC threat mitigation. The UC-Sec appliance also has a signature update mechanism that extends the same protection to new threats.

Maintaining privacy of network topology and internal domains

Enterprises require a VoIP/UC-aware appliance at the edge of their networks to hide internal network topology and SIP domain information. Sipera’s UC-Sec changes private IP addresses to public IP addresses and changes private internal domains to public SIP domains in SIP messages to prevent exposure of the enterprise network topology.
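The header and SDP rewriting described above, as an added illustration that is not Sipera’s code: a constructed INVITE from the PBX is rewritten so that the private address and domain (constructed values 10.1.2.3 and pbx.corp.internal) appear to the provider as the edge’s public identity (203.0.113.10 and sip.example.com), and Content-Length is recomputed because the SDP changed length.

```python
# Constructed values (not from the application note): the PBX's private address
# and SIP domain, and the public address/domain the edge appliance presents.
PRIVATE_IP, PUBLIC_IP = "10.1.2.3", "203.0.113.10"
PRIVATE_DOMAIN, PUBLIC_DOMAIN = "pbx.corp.internal", "sip.example.com"
# Headers naming the enterprise side of the call; Request-URI and To name the
# provider side and are left untouched.
REWRITE_HEADERS = {"via", "contact", "from", "record-route", "p-asserted-identity"}
REWRITE_SDP_PREFIXES = ("o=", "c=")  # SDP origin and connection address lines

def _publicise(text: str) -> str:
    return text.replace(PRIVATE_IP, PUBLIC_IP).replace(PRIVATE_DOMAIN, PUBLIC_DOMAIN)

def hide_topology(msg: str) -> str:
    """Rewrite private addresses/domains in an outbound SIP request (one
    direction only; a B2BUA keeps the mapping to translate responses back)."""
    head, sep, body = msg.partition("\r\n\r\n")
    new_body = "\r\n".join(
        _publicise(line) if line.startswith(REWRITE_SDP_PREFIXES) else line
        for line in body.split("\r\n")
    )
    new_head = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if colon and key in REWRITE_HEADERS:
            line = f"{name}:{_publicise(value)}"
        elif colon and key == "content-length":
            # The SDP changed length, so the declared body length must follow.
            line = f"{name}: {len(new_body.encode())}"
        new_head.append(line)
    return "\r\n".join(new_head) + sep + new_body

def leaks_private_info(msg: str) -> bool:
    """Post-rewrite check: does any private address or domain remain?"""
    return PRIVATE_IP in msg or PRIVATE_DOMAIN in msg

# Constructed INVITE as the IP PBX would send it toward the trunk.
SDP = (
    "v=0\r\n"
    "o=pbx 2890844526 2890844526 IN IP4 10.1.2.3\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.2.3\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
INVITE = (
    "INVITE sip:+14155550100@itsp.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Alice" <sip:1001@pbx.corp.internal>;tag=1928301774\r\n'
    "To: <sip:+14155550100@itsp.example.net>\r\n"
    "Contact: <sip:1001@10.1.2.3:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP)}\r\n"
    "\r\n" + SDP
)
```

Running leaks_private_info() on the rewritten message is the check an operator would script against captured trunk traffic to confirm the edge device actually hides the topology.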

UC-Sec also supports:

• User/caller ID anonymity

• User privacy SIP standards that interwork with service providers’ SIP trunks

• Encryption of signaling traffic over Transport Layer Security (TLS) and encryption of media traffic over Secure RTP (SRTP)

Communicating and interworking disjoint private networks

Enterprise firewalls and DMZs enforce strict policies and perform NAT functions to ensure that internal enterprise networks and servers have private addresses that are not directly routable from external networks. Without overhauling these security policies, the Sipera UC-Sec appliance provides NAT traversal for signaling traffic and manages dynamic ports for media traffic. UC-Sec also participates in the signaling traffic to allow only those media sessions that follow the session specification agreed upon in the signaling channel.

Figure: Unified Communications Security Life Cycle (Define Security Requirements → Assess Security Posture → Implement Security Measures → Manage Compliance)

1. Define Security Requirements: Compare business objectives for UC with impact on information security compliance: HIPAA, PCI, FERPA, GLBA and others

2. Assess Security Posture: Identify vulnerabilities, assess risk, determine gap between posture and requirements, consider impact on real-time application performance

3. Implement Security Measures: Optimize security posture and application performance; configure policy enforcement, threat protection, access control, privacy (encryption)

4. Manage Compliance: Review established posture, manage change, gather new requirements as business objectives and regulatory mandates change

Companies around the world rely on Sipera Systems to ensure their UC and VoIP deployments support compliance with information security requirements and mission-critical corporate objectives. Through dozens of successful vulnerability assessments, security architecture consulting projects, and security appliance deployments, Sipera has developed a standardized Unified Communications Security Life Cycle. This process represents a best practice for continuous improvement of the security architecture, enabling an enterprise to be certain that essential security functions can keep pace with the transforming communications infrastructure.

To learn more about Sipera’s solutions and for personal consultation about your UC security requirements, please visit www.sipera.com

IMPLEMENTATION

To enable secure SIP trunks, a single Sipera UC-Sec security appliance is deployed at the customer premises, between the internal and external firewalls, to provide complete network security, enforce security policies, and handle other SIP trunk deployment issues for the enterprise network.

In the deployment shown in the following figure, Sipera UC-Sec performs border control functionality such as FW/NAT traversal (as shown in step 1), interworking, security policy enforcement based on fine-grained UC policies, and threat protection to prevent denial of service, spoofing, and stealth attacks.

Because the UC-Sec product is a trusted host in the DMZ, SIP signaling traffic to the enterprise is received by the external firewall and sent to the Sipera appliance, which processes the signaling information. If the SIP signaling traffic is encrypted, UC-Sec decrypts all TLS-encrypted traffic and looks for anomalous behavior before forwarding the packets through the internal firewall to the appropriate IP PBX to establish the requested call session (as shown in step 2). Once a valid call has been set up, RTP packets are allowed to flow through the external firewall to the Sipera UC-Sec product, which decrypts the SRTP traffic (if required) and looks for anomalous behavior in the media before passing on the RTP stream to the intended recipient (as shown in step 3).
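Step 3 above, and the earlier statement that only media sessions matching the signaling channel are admitted, come down to deriving RTP pinholes from the SDP offer/answer and dropping anything else. This added example is not Sipera’s code; the offer and answer bodies and all addresses (203.0.113.x for the enterprise edge, 198.51.100.20 for the provider) are constructed, and it also handles a stream the answer rejects with port 0, for which no pinhole is opened.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MediaEndpoint:
    ip: str
    port: int

def parse_sdp_media(sdp: str) -> list:
    """Return one entry per m= line: the (ip, port) the peer sends from and
    receives on, or None where the stream was rejected with port 0.
    A media-level c= line overrides the session-level one (RFC 4566)."""
    session_ip = None
    sections = []  # [port, media-level ip or None] per m= line, in order
    for line in sdp.splitlines():
        if line.startswith("m="):
            sections.append([int(line.split()[1]), None])
        elif line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if sections:
                sections[-1][1] = ip
            else:
                session_ip = ip
    return [MediaEndpoint(ip or session_ip, port) if port else None
            for port, ip in sections]

def allowed_flows(offer_sdp: str, answer_sdp: str) -> set:
    """Pinholes to open once the call is established: the i-th offer stream is
    paired with the i-th answer stream (RFC 3264), in both directions."""
    flows = set()
    for ours, theirs in zip(parse_sdp_media(offer_sdp), parse_sdp_media(answer_sdp)):
        if ours and theirs:  # skip streams either side rejected
            flows.add((theirs, ours))
            flows.add((ours, theirs))
    return flows

def media_permitted(flows: set, src: MediaEndpoint, dst: MediaEndpoint) -> bool:
    """Admit an RTP packet only if its source and destination were negotiated."""
    return (src, dst) in flows

# Constructed offer (enterprise edge, already topology-hidden) and provider answer.
OFFER = ("v=0\r\no=- 1 1 IN IP4 203.0.113.10\r\ns=-\r\nc=IN IP4 203.0.113.10\r\nt=0 0\r\n"
         "m=audio 49170 RTP/AVP 0 8\r\n"
         "m=video 51372 RTP/AVP 31\r\nc=IN IP4 203.0.113.11\r\n")
ANSWER = ("v=0\r\no=- 2 2 IN IP4 198.51.100.20\r\ns=-\r\nc=IN IP4 198.51.100.20\r\nt=0 0\r\n"
          "m=audio 30000 RTP/AVP 0\r\n"
          "m=video 0 RTP/AVP 31\r\n")  # video rejected: no pinhole for it
```

A packet from an unrelated host to the negotiated port, or to the rejected video port, fails media_permitted() even while the call is up, which is the property that distinguishes signaling-aware pinholing from a static firewall rule that opens a port range.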

RESULT

The popularity of SIP trunks is primarily due to cost savings and the increased reliability offered through service provider service level agreements (SLAs). SIP Trunks can deliver much lower cost local, toll-free, domestic, and international long distance services to any enterprise willing to replace its PSTN connectivity. They also offer a unique opportunity for large, distributed enterprises to consolidate their VoIP/UC infrastructure and connectivity to the PSTN. Therefore, it’s not surprising that enterprises embrace SIP Trunks as a means to replace costly PSTN trunks and gateways, while using real-time, unified communications ubiquitously over IP networks. In some cases, enterprises use multiple SIP trunks with different providers for disaster recovery, redundancy, or to enable different applications.

However, without solving network security and demarcation challenges, SIP trunks cannot be deployed on a large scale. The Sipera UC-Sec product offers a comprehensive security solution with threat protection, access control, policy enforcement, and privacy protection in a single device, enabling enterprises to address all of these challenges and securely deploy SIP trunks.

Figure: Sipera UC-Sec deployed in high-availability mode in the DMZ, between the External Firewall (toward the ITSP and PSTN) and the Internal Firewall (toward the Intranet and the Enterprise IP PBX). Steps shown:

1. FW/NAT Traversal

2a. Encrypted signaling over TLS

2b. Apply VoIP/UC policies; detect and prevent VoIP/UC threats; perform interworking functions

2c. Signaling over TCP/UDP

3a. SRTP media

3b. Media anomaly detection & prevention

3c. RTP media

About Sipera Systems

Sipera Systems, the leader in real-time Unified Communications (UC) security, is the choice of enterprises and service providers around the world to support their mission-critical UC deployments. Sipera offers groundbreaking, production-proven solutions that secure voice, video, messaging, collaboration, and other real-time communications in converged IP networks, boosting compliance with information security requirements.

Backed by the industry-leading research of the VIPER lab, Sipera’s solutions provide comprehensive threat protection, policy enforcement, access control, and encryption in a single flexible appliance.

www.sipera.com

Sipera Systems Inc. 1900 Firman Drive, Suite 600 Richardson, TX 75081, USA T: 214 206 3210 F: 214 206 3215 E: [email protected] © Copyright 2009 Sipera Systems, Inc. All rights reserved. Sipera, Sipera UC-Sec and related products, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.

V#07-16-09
