SlideShare a Scribd company logo

VoIP security

Mile Blenton
Mile Blenton

VoIP security - myths & realities

InternetTechnologyBusiness
1 of 19
Download to read offline
VoIP security – myths & realities Ishai Rosmarin Sales Director – EMEA IRosmarin@acmepacket.com
in IP we don’t trust anyone!
VoIP security in the news VoIP Security Alert: Hackers Start Attacking For Cash (June 2006) Two Men Charged With Hacking Into VoIP Networks (June 2006) The Internet's a Scary Place for Voice (May 2006) Is Your VoIP Phone Vulnerable? (June 2006) Are Hackers Eyeing your VoIP Network? (Sept. 2006) VoIP Security: It's More Than Data Security (Aug. 2006)
4 Security Concerns • Everyone worries about security • DoS attacks and overloads are biggest worry Source: Service Provider Plans for Next Gen Voice 2006 (July 2006) 29% 75% 75% 63% 79% 54% 42% 33% 0% 20% 40% 60% 80% Trade performance for security SPIT Illegal wiretapping Service topology exposure Service fraud User privacy and confidentiality User/device authentication and authorization DoS attacks and overloads of next gen voice service infrastructure Percent of Next Gen Voice Respondents Rating 6 or 7
VoIP security threats & solutions
IMS: Is Missing Security DoS/DDoS attacks Traffic overloads Viruses & malware Service fraud Identity theft Eves - dropping SPIT Security feature requirement IMS function/feature Access control - static IP address list Core IMS functions, not applicable for UE Access control - dynamic IP address list Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII x Topology hiding (NAPT at L3 & L5) I-BCF only, THIG sub-function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Authentication - subscriber & CSCF IPSec, SIP digest IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Authorization - subscriber HSS function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Signaling encryption IPSec IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Media encryption Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Admission control - I/S-CSCF constraints Not addressed Admission control - network bandwidth constraints PDF/RACS function Admission control - user limits: sessions (#) Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Admission control - user limits: bandwidth Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII SIP message & MIME attachment filtering/inspection Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Signaling rate monitoring & policing Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Bandwidth monitoring & policing Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Call gapping - destination number Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Call gappping - source/destination CSCF or UE Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII QoS marking/mapping control Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Internet Types _ Malicious attacks _ Non-malicious – poor behaving endpoints, power outages Solution requirements _ SBC DoS self-protection • Access control - static & dynamic • Trusted & untrusted paths with policed queues • IDS capabilities _ Service infrastructure DoS prevention • Access control - static & dynamic • Topology hiding • Signaling rate plicing • Bandwidth policing DoS/DDoS attacks threaten subscriber retention and revenue PSTN Transit & O&T HIP IC Services O&T HIP IC Services 1 2 4 3
Viruses & malware can threaten IC endpoints and service infrastructure SIP MIME attachments are powerful tool for richer call ID - vcard text, picture or video Potential Trojan horse for viruses and worms to general- purpose server-based voice platforms _ SIP softswitch, IMS CSCF, SIP servers, app servers _ SIP PBX _ SIP phones & PCs New endpoint vulnerabilities _ Embedded web servers - IP phones _ Java apps – liability or asset? Solution requirements _ Authentication _ SIP message & MIME attachment filtering _ Secure OS environment SQL Slammer Melissa Code Red Nimda Sobig Love Bug Klez Michelangelo
Internet Service fraud risk is business model dependant Business model dimensions _ Internet vs. managed network _ Free vs. fee based _ Anonymous vs. not anonymous Types of fraud _ Service theft _ QoS theft _ Bandwidth theft Solution requirements _ Access control _ Authentication – subscriber & SIP signaling elements _ Authorization – subscriber _ Admission control – subscriber limits - # sessions & bandwidth _ QoS marking/mapping control _ Bandwidth policing PSTNMPLS NONE NONE DiffServ-3 1 2 4 3 A B
Identity theft can’t be prevented entirely by technology How do you know you are talking to Bank of America? Web site techniques don’t work for IC - work for many-one, not many-many Solution requirements – Authentication, access control – Trust chains - pre-established technical & business relationships
Eavesdropping threat is over hyped Less risk than email, who encrypts email? _ Email is information rich (attachments), voice not _ Email always stored on servers, only voice mail _ Email always stored on endpoints, voice not Who is at risk? _ Bad guys - Osama, drug cartels, pedophiles, etc. _ Law enforcement _ Money, love, & health-related – insider trading, adultery, ID theft, Solution requirements _ Authentication – subscriber _ End-to-end encryption (EXPENSIVE) • Signaling (TLS, IPSec) • Media (SRTP, IPSec)
SPIT will be annoying, & possible tool for ID theft Will anonymous, cheap Yahoo subscriber (aka SPITTER) be able to call money-paying Verizon subscriber to solicit - phone sex, penis enlargement, Viagra pill purchase? Techniques that won’t work _ Access control – static _ Content filtering _ Charging - $/call _ Regulation Solution requirements _ Access control – dynamic, IDS-like _ Authentication _ Admission control – subscriber limits (#) _ Trust chains - pre-established technical & business relationships
Who is responsible for security? The individual The organization
The future IC net? The Internet I The Federnet F F F F F
Net-Net Security issues are very complex and multi-dimensional Security investments are business insurance decisions _ Life – DoS attack protection _ Health – SLA assurance _ Property – service theft protection _ Liability – SPIT & virus protection Degrees of risk _ Internet-connected ITSP ` High _ Facilities-based HIP residential services _ Facilities-based HIP business services _ Peering Low _ NEVER forget disgruntled Malcom, OfficeSpace Session border controllers enable service providers to insure their success
Monitor, report & record attacks & attackers; provide audit trails Net-SAFE – security requirements framework for session border control Protect against SBC DoS attacks & overloads (malicious & non-malicious) Session-aware access control for signaling & media Prevent DoS attacks on service infrastructure & subscribers Complete service infrastructure hiding & user privacy support Support for L2 and L3 VPN services and security Prevent misuse & fraud; protect against service theft
Acme Packet Net-Net SD “flawlessly passed all of CT Labs’ grueling attack tests” Total of 34 different test cases, using over 4600 test scripts No failed or dropped calls, even for new calls made during attacks No lost RTP packets during attacks Protected the service provider equipment – did not allow flood attacks into core, stopped packets at edge SD performance not impacted during attack – SD CPU utilization - only 10% increase – Signaling latency - only 2 ms average increase – RTP jitter – less than 1 ms increase (not measurable by test equipment)
Acme Packet SBC DoS/DDoS protection Network processor (NPU) -based protection – L3/4 (TCP, SYN, ICMP, etc.) & signaling attack detection & prevention - – Dynamic & static ACLs (permit & deny) to SPU – Trusted & untrusted paths to SPU w/configurable bandwidth allocation & bandwidth policing per session – Trusted devices - guaranteed signaling rates & access fairness – Untrusted devices – can access unused trusted bandwidth – Separate queues for ICMP, ARP, telnet, etc. – Reverse Path Forwarding (uRPF) detection - signaling & media – Overload prevention - 10 Gbps NPUs > 8 Gbps network interfaces Signaling processor (SPU) -based protection – Overload protection threshold (% SPU) w/graceful call rejection – Per-device dynamic trust-binding promotes/demotes devices Network processor Intelligent traffic manager Network processor Signaling processor Security processor
The leader in session border control for trusted, first class interactive communications

Recommended

76 s201919
76 s20191976 s201919
76 s201919
IJRAT
 
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
SSH Communications Security
 
Information Security Fundamentals - New Horizons Bulgaria
Information Security Fundamentals - New Horizons BulgariaInformation Security Fundamentals - New Horizons Bulgaria
Information Security Fundamentals - New Horizons Bulgaria
New Horizons Bulgaria
 
Voippresentation
VoippresentationVoippresentation
Voippresentation
eliran2
 
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Jiunn-Jer Sun
 
Information cyber security
Information cyber securityInformation cyber security
Information cyber security
SumanPramanik7
 
Network and web security
Network and web securityNetwork and web security
Network and web security
Nitesh Saitwal
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
Dilum Bandara
 

Recommended

76 s201919
76 s20191976 s201919
76 s201919
IJRAT
 
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach t...
SSH Communications Security
 
Information Security Fundamentals - New Horizons Bulgaria
Information Security Fundamentals - New Horizons BulgariaInformation Security Fundamentals - New Horizons Bulgaria
Information Security Fundamentals - New Horizons Bulgaria
New Horizons Bulgaria
 
Voippresentation
VoippresentationVoippresentation
Voippresentation
eliran2
 
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Jiunn-Jer Sun
 
Information cyber security
Information cyber securityInformation cyber security
Information cyber security
SumanPramanik7
 
Network and web security
Network and web securityNetwork and web security
Network and web security
Nitesh Saitwal
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
Dilum Bandara
 
2011-10 The Path to Compliance
2011-10 The Path to Compliance 2011-10 The Path to Compliance
2011-10 The Path to Compliance
Raleigh ISSA
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommuters
Rishabh Gupta
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Roorkee Cetpa
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
Eric Klein
 
Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...
Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...
Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Roorkee Cetpa
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7
AfiqEfendy Zaen
 
What is network security and Types
What is network security and TypesWhat is network security and Types
What is network security and Types
Vikram Khanna
 
Ce hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internetCe hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internet
Vi Tính Hoàng Nam
 
System and web security
System and web securitySystem and web security
System and web security
chirag patil
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?
Radware
 
Ethical hacking and social engineering
Ethical hacking and social engineeringEthical hacking and social engineering
Ethical hacking and social engineering
Sweta Kumari Barnwal
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
 
2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)
Fabio Pietrosanti
 
Network security
Network securityNetwork security
Network security
Fekadu Abera
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
hibaehed
 
Intruders
IntrudersIntruders
Intruders
techn
 
wireless communication security PPT, presentation
wireless communication security PPT, presentationwireless communication security PPT, presentation
wireless communication security PPT, presentation
Nitesh Dubey
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypot
Vi Tính Hoàng Nam
 
Sophisticated Attacks vs. Advanced Persistent Security
Sophisticated Attacks vs. Advanced Persistent SecuritySophisticated Attacks vs. Advanced Persistent Security
Sophisticated Attacks vs. Advanced Persistent Security
Priyanka Aash
 
voip gateway
voip gateway voip gateway
voip gateway
Nayomi Ranamuka
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacks
n|u - The Open Security Community
 

More Related Content

What's hot

Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...
Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...
Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7
AfiqEfendy Zaen
 
2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)
Fabio Pietrosanti
 
Intruders
IntrudersIntruders
Intruders
techn
 

What's hot (20)

2011-10 The Path to Compliance
2011-10 The Path to Compliance 2011-10 The Path to Compliance
2011-10 The Path to Compliance
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommuters
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
 
Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...
Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...
Sarwono sutikno + yoko acc cybervulnerability risk and control for evolving...
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7
 
What is network security and Types
What is network security and TypesWhat is network security and Types
What is network security and Types
 
Ce hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internetCe hv6 module 45 privacy on the internet
Ce hv6 module 45 privacy on the internet
 
System and web security
System and web securitySystem and web security
System and web security
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?
 
Ethical hacking and social engineering
Ethical hacking and social engineeringEthical hacking and social engineering
Ethical hacking and social engineering
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
 
2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)
 
Network security
Network securityNetwork security
Network security
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 
Intruders
IntrudersIntruders
Intruders
 
wireless communication security PPT, presentation
wireless communication security PPT, presentationwireless communication security PPT, presentation
wireless communication security PPT, presentation
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypot
 
Sophisticated Attacks vs. Advanced Persistent Security
Sophisticated Attacks vs. Advanced Persistent SecuritySophisticated Attacks vs. Advanced Persistent Security
Sophisticated Attacks vs. Advanced Persistent Security
 

Viewers also liked

The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
Fatih Ozavci
 
VoIP Security for Dummies
VoIP Security for DummiesVoIP Security for Dummies
VoIP Security for Dummies
Avaya Inc.
 
Voice Over IP (VoIP)
Voice Over IP (VoIP)Voice Over IP (VoIP)
Voice Over IP (VoIP)
habib_786
 

Viewers also liked (16)

voip gateway
voip gateway voip gateway
voip gateway
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacks
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
 
VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP
VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIPVoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP
VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP
 
Voip security
Voip securityVoip security
Voip security
 
VOIP security
VOIP securityVOIP security
VOIP security
 
Security Challenges In VoIP
Security Challenges In VoIPSecurity Challenges In VoIP
Security Challenges In VoIP
 
Alessio Pennasilico VoIP security
Alessio Pennasilico VoIP security Alessio Pennasilico VoIP security
Alessio Pennasilico VoIP security
 
VoIP Security
VoIP SecurityVoIP Security
VoIP Security
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco Phones
 
Voice over Internet Protocol (VoIP) using Asterisk
Voice over Internet Protocol (VoIP) using AsteriskVoice over Internet Protocol (VoIP) using Asterisk
Voice over Internet Protocol (VoIP) using Asterisk
 
VoIP Security for Dummies
VoIP Security for DummiesVoIP Security for Dummies
VoIP Security for Dummies
 
VoIP - Technology To Business Models
VoIP - Technology To Business ModelsVoIP - Technology To Business Models
VoIP - Technology To Business Models
 
Voice Over IP (VoIP)
Voice Over IP (VoIP)Voice Over IP (VoIP)
Voice Over IP (VoIP)
 
Odoo ringcentral VOIP Integration
Odoo ringcentral VOIP IntegrationOdoo ringcentral VOIP Integration
Odoo ringcentral VOIP Integration
 

Similar to VoIP security

Information Security
Information SecurityInformation Security
Information Security
Mohit8780
 
An approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxAn approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptx
amalouwarda1
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network security
Sreerag Gopinath
 
Analysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence ProcedureAnalysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence Procedure
ijsrd.com
 
Generic Voice Security Issues
Generic Voice Security IssuesGeneric Voice Security Issues
Generic Voice Security Issues
jasondewar
 

Similar to VoIP security (20)

Information Security
Information SecurityInformation Security
Information Security
 
Netas Nova Cyber Security Product Family
Netas Nova Cyber Security Product FamilyNetas Nova Cyber Security Product Family
Netas Nova Cyber Security Product Family
 
SonicWALL - Skytek - VnPro.pptx
SonicWALL - Skytek - VnPro.pptxSonicWALL - Skytek - VnPro.pptx
SonicWALL - Skytek - VnPro.pptx
 
Trust It Mini Public
Trust It Mini PublicTrust It Mini Public
Trust It Mini Public
 
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
 
Basics of IT security
Basics of IT securityBasics of IT security
Basics of IT security
 
Cisco Managed Security
Cisco Managed SecurityCisco Managed Security
Cisco Managed Security
 
An approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptxAn approach to mitigate DDoS attacks on SIP.pptx
An approach to mitigate DDoS attacks on SIP.pptx
 
Securty Issues from 1999
Securty Issues from 1999Securty Issues from 1999
Securty Issues from 1999
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...
 
ethical hacking
ethical hackingethical hacking
ethical hacking
 
Case study about voip
Case study about voipCase study about voip
Case study about voip
 
Are You Vulnerable to IP Telephony Fraud and Cyber Threats?
Are You Vulnerable to IP Telephony Fraud and Cyber Threats?Are You Vulnerable to IP Telephony Fraud and Cyber Threats?
Are You Vulnerable to IP Telephony Fraud and Cyber Threats?
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network security
 
Analysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence ProcedureAnalysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence Procedure
 
Askozia VoIP Security white paper - 2017, English
Askozia VoIP Security white paper - 2017, EnglishAskozia VoIP Security white paper - 2017, English
Askozia VoIP Security white paper - 2017, English
 
The Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and LancopeThe Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and Lancope
 
Securing VoIP Networks
Securing VoIP NetworksSecuring VoIP Networks
Securing VoIP Networks
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration TestingAsegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
 
Generic Voice Security Issues
Generic Voice Security IssuesGeneric Voice Security Issues
Generic Voice Security Issues
 

Recently uploaded

VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
singhpriety023
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Call Girls in Nagpur High Profile
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
SUHANI PANDEY
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
ellan12
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Delhi Call girls
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
sexy call girls service in goa
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
Delhi Call girls
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
Neha Pandey
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
SUHANI PANDEY
 

Recently uploaded (20)

Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 

VoIP security

  • 1. VoIP security – myths & realities Ishai Rosmarin Sales Director – EMEA IRosmarin@acmepacket.com
  • 3. VoIP security in the news VoIP Security Alert: Hackers Start Attacking For Cash (June 2006) Two Men Charged With Hacking Into VoIP Networks (June 2006) The Internet's a Scary Place for Voice (May 2006) Is Your VoIP Phone Vulnerable? (June 2006) Are Hackers Eyeing your VoIP Network? (Sept. 2006) VoIP Security: It's More Than Data Security (Aug. 2006)
  • 4. 4 Security Concerns • Everyone worries about security • DoS attacks and overloads are biggest worry Source: Service Provider Plans for Next Gen Voice 2006 (July 2006) 29% 75% 75% 63% 79% 54% 42% 33% 0% 20% 40% 60% 80% Trade performance for security SPIT Illegal wiretapping Service topology exposure Service fraud User privacy and confidentiality User/device authentication and authorization DoS attacks and overloads of next gen voice service infrastructure Percent of Next Gen Voice Respondents Rating 6 or 7
  • 5. VoIP security threats & solutions
  • 6. IMS: Is Missing Security DoS/DDoS attacks Traffic overloads Viruses & malware Service fraud Identity theft Eves - dropping SPIT Security feature requirement IMS function/feature Access control - static IP address list Core IMS functions, not applicable for UE Access control - dynamic IP address list Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII x Topology hiding (NAPT at L3 & L5) I-BCF only, THIG sub-function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Authentication - subscriber & CSCF IPSec, SIP digest IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Authorization - subscriber HSS function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Signaling encryption IPSec IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Media encryption Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Admission control - I/S-CSCF constraints Not addressed Admission control - network bandwidth constraints PDF/RACS function Admission control - user limits: sessions (#) Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Admission control - user limits: bandwidth Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII SIP message & MIME attachment filtering/inspection Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Signaling rate monitoring & policing Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Bandwidth monitoring & policing Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Call gapping - destination number Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII Call gappping - source/destination CSCF or UE Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII QoS marking/mapping control Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
  • 7. Internet Types _ Malicious attacks _ Non-malicious – poor behaving endpoints, power outages Solution requirements _ SBC DoS self-protection • Access control - static & dynamic • Trusted & untrusted paths with policed queues • IDS capabilities _ Service infrastructure DoS prevention • Access control - static & dynamic • Topology hiding • Signaling rate plicing • Bandwidth policing DoS/DDoS attacks threaten subscriber retention and revenue PSTN Transit & O&T HIP IC Services O&T HIP IC Services 1 2 4 3
  • 8. Viruses & malware can threaten IC endpoints and service infrastructure SIP MIME attachments are powerful tool for richer call ID - vcard text, picture or video Potential Trojan horse for viruses and worms to general- purpose server-based voice platforms _ SIP softswitch, IMS CSCF, SIP servers, app servers _ SIP PBX _ SIP phones & PCs New endpoint vulnerabilities _ Embedded web servers - IP phones _ Java apps – liability or asset? Solution requirements _ Authentication _ SIP message & MIME attachment filtering _ Secure OS environment SQL Slammer Melissa Code Red Nimda Sobig Love Bug Klez Michelangelo
  • 9. Internet Service fraud risk is business model dependant Business model dimensions _ Internet vs. managed network _ Free vs. fee based _ Anonymous vs. not anonymous Types of fraud _ Service theft _ QoS theft _ Bandwidth theft Solution requirements _ Access control _ Authentication – subscriber & SIP signaling elements _ Authorization – subscriber _ Admission control – subscriber limits - # sessions & bandwidth _ QoS marking/mapping control _ Bandwidth policing PSTNMPLS NONE NONE DiffServ-3 1 2 4 3 A B
  • 10. Identity theft can’t be prevented entirely by technology How do you know you are talking to Bank of America? Web site techniques don’t work for IC - work for many-one, not many-many Solution requirements – Authentication, access control – Trust chains - pre-established technical & business relationships
  • 11. Eavesdropping threat is over hyped Less risk than email, who encrypts email? _ Email is information rich (attachments), voice not _ Email always stored on servers, only voice mail _ Email always stored on endpoints, voice not Who is at risk? _ Bad guys - Osama, drug cartels, pedophiles, etc. _ Law enforcement _ Money, love, & health-related – insider trading, adultery, ID theft, Solution requirements _ Authentication – subscriber _ End-to-end encryption (EXPENSIVE) • Signaling (TLS, IPSec) • Media (SRTP, IPSec)
  • 12. SPIT will be annoying, & possible tool for ID theft Will anonymous, cheap Yahoo subscriber (aka SPITTER) be able to call money-paying Verizon subscriber to solicit - phone sex, penis enlargement, Viagra pill purchase? Techniques that won’t work _ Access control – static _ Content filtering _ Charging - $/call _ Regulation Solution requirements _ Access control – dynamic, IDS-like _ Authentication _ Admission control – subscriber limits (#) _ Trust chains - pre-established technical & business relationships
  • 13. Who is responsible for security? The individual The organization
  • 14. The future IC net? The Internet I The Federnet F F F F F
  • 15. Net-Net Security issues are very complex and multi-dimensional Security investments are business insurance decisions _ Life – DoS attack protection _ Health – SLA assurance _ Property – service theft protection _ Liability – SPIT & virus protection Degrees of risk _ Internet-connected ITSP ` High _ Facilities-based HIP residential services _ Facilities-based HIP business services _ Peering Low _ NEVER forget disgruntled Malcom, OfficeSpace Session border controllers enable service providers to insure their success
  • 16. Monitor, report & record attacks & attackers; provide audit trails Net-SAFE – security requirements framework for session border control Protect against SBC DoS attacks & overloads (malicious & non-malicious) Session-aware access control for signaling & media Prevent DoS attacks on service infrastructure & subscribers Complete service infrastructure hiding & user privacy support Support for L2 and L3 VPN services and security Prevent misuse & fraud; protect against service theft
  • 17. Acme Packet Net-Net SD “flawlessly passed all of CT Labs’ grueling attack tests” Total of 34 different test cases, using over 4600 test scripts No failed or dropped calls, even for new calls made during attacks No lost RTP packets during attacks Protected the service provider equipment – did not allow flood attacks into core, stopped packets at edge SD performance not impacted during attack – SD CPU utilization - only 10% increase – Signaling latency - only 2 ms average increase – RTP jitter – less than 1 ms increase (not measurable by test equipment)
  • 18. Acme Packet SBC DoS/DDoS protection Network processor (NPU) -based protection – L3/4 (TCP, SYN, ICMP, etc.) & signaling attack detection & prevention - – Dynamic & static ACLs (permit & deny) to SPU – Trusted & untrusted paths to SPU w/configurable bandwidth allocation & bandwidth policing per session – Trusted devices - guaranteed signaling rates & access fairness – Untrusted devices – can access unused trusted bandwidth – Separate queues for ICMP, ARP, telnet, etc. – Reverse Path Forwarding (uRPF) detection - signaling & media – Overload prevention - 10 Gbps NPUs > 8 Gbps network interfaces Signaling processor (SPU) -based protection – Overload protection threshold (% SPU) w/graceful call rejection – Per-device dynamic trust-binding promotes/demotes devices Network processor Intelligent traffic manager Network processor Signaling processor Security processor
  • 19. The leader in session border control for trusted, first class interactive communications