Securing UC Borders with Acme Packet


Slides from a webinar by Acme Packet and the SIP School on securing unified communications borders with Acme Packet. To watch the recorded webinar or download the slides, visit:

Published in: Technology, Business

  1. February 2012. Securing your Unified Communications Borders with Acme Packet, in association with The SIP School.
     Patrick McNeil, CISSP, Acme Packet Premium Services
     Graham Francis, CEO, The SIP School
  2. The SIP School
     • Founded in April 2000
     • 5500+ students
     • Provides the industry-recognised SSCA® SIP Certification program, endorsed by the TIA and more
     • eLearning in modular format
     • Unique in that the content evolves as SIP evolves
     • Connected with Acme Packet to provide SIP foundation training
     • Discount codes later
     • Now let's start by looking at the challenges in securing unified communications.
  3. The Unified Communications security challenge
     Adopt enterprise-wide IP communications to improve collaboration and productivity... all without increasing your risk profile.
  4. Unified Communications services are a prominent target
     • October 2010: SIPVicious port 5060 scans lead to an €11 million loss
     • March 2011, Romania: former employee held; forged VoIP PINs created
     • May 2011: Hudson County, New Jersey man pleads guilty to $4.4 million VoIP fraud scheme
     • November 2011: Philippine phone phreakers arrested after defrauding AT&T out of $2 million to fund terrorists
  5. UC services are an easy target
     • IP networks are inherently insecure: they were developed without security in mind
     • Organizations rely on IP networks to conduct business: multimodal communications are difficult to control
     • Confidential information is freely exchanged by users who don't understand how it is transmitted
  6. Cybercrime is organized
     • Knowledge, tools and techniques are shared openly
     • May have goals motivated by politics or profit
     • Commoditized sale of both the tools and the results of the trade:
       – Computing time on a botnet
       – "Fake" calling cards
       – Long-distance calling with disposable phones
       – Number hijacking
       – Toll / international bypass
  7. What are the threats?
  8. How are UC services established?
     Items in red might reveal sensitive information (the host addresses highlighted on the slide are blank in this text).
     Signaling:
       INVITE SIP/2.0
       Via: SIP/2.0/UDP ;branch=z9hG4bKb27061747269636b
       From: "JConnor" <sip:15554141337@>;tag=18de4db33f
       To: "15559191212" <>
       Call-ID: 19424e0d9187654209ed34db33f
       CSeq: 1 INVITE
       Max-Forwards: 70
       User-Agent: BigTelcoVendor/R16.4.1.1 SIP
       Supported: 100rel,timer,replaces,join,histinfo
       Allow: INVITE,CANCEL,BYE,ACK,NOTIFY,REFER,OPTIONS,INFO,PUBLISH
       Contact: "JConnor" <sip:15554141337@;transport=udp>
       Content-Type: application/sdp
       Content-Length: 165
     SDP (media description):
       v=0
       o=- 1 1 IN IP4 IP4
       b=AS:64
       t=0 0
       m=audio 19001 RTP/AVP 0 127
       a=rtpmap:0 PCMU/8000
       a=rtpmap:127 telephone-event/8000
  9. How are your services targeted?
     The OSI model layers and what is exposed at each:
       Application: voice or video devices, chat, session recording, web-integrated real-time communications applications
       Presentation: CODECs (DSP)
       Session: SIP, H.323, MGCP, H.248, TLS (signaling); RTP, RTCP (media). These are the session delivery targets.
       Transport: TCP, UDP, SCTP
       Network: IPv4, IPv6, NAT, IPsec
       Data Link: data link technology that supports the transport of IP
       Physical: physical technology that supports the transport of data link frames
     Exploits focused at the middle layers of the OSI model tend to get around traditional security implementations, since the whole point is to allow services
  10. The penetration campaign
     Phases: Reconnaissance -> Enumeration -> Attack (gaining access, maintaining access, covering tracks)
       Reconnaissance: information gathering
       Enumeration: port scanning, OS fingerprinting, service detection
       Attack: attack, gain and maintain access, and cover tracks
     • Initial phases of an organized attack can easily go undetected
     • Stopping or making the early phases of an attack difficult can avoid service outage or fraud
  11. What are the threats?
     | Threat                                   | Potential result                                                        |
     |------------------------------------------|-------------------------------------------------------------------------|
     | Reconnaissance scan                      | Preparation for targeted denial of service, fraud, or theft of service  |
     | Session overloads                        | Denial of service                                                       |
     | Protocol fuzzing                         | Denial of service                                                       |
     | SPAM over Internet Telephony (SPIT)      | Targeted denial of service, fraud, breach of privacy                    |
     | Call interception or session hijacking   | Targeted denial of service, breach of privacy, fraud, theft             |
     | Eavesdropping                            | Breach of privacy, fraud, theft                                         |
     | Media injection                          | Denial of service, fraud, theft                                         |
  12. Which threats are seen the most? Overload
     • Resource consumption
     • Availability disruption
     [Diagram: attackers on the Internet and on the internal network send DoS/DDoS traffic or unintentional overload through the SIP provider or internal network.]
  13. Which threats are seen the most? Theft of services / fraud
     • Large phone bills
     • Investigation costs
     [Diagram: attackers on the Internet and on the internal network route calls through the SIP provider or internal network to a premium rate center.]
  14. Which threats are seen the most? SPAM / SPIT
     • Nuisance
     • Social engineering
     [Diagram: attackers on the Internet, plus an internal threat, reach users through the SIP provider or internal network.]
  15. Not as much...
     • "Man in the middle"
     • Session hijacking
     • Media injection
     • Eavesdropping
     [Diagram: an attacker on the Internet with remote control of an internal host, plus an internal threat, reaching the SIP provider or internal network.]
  16. A simple example using SIPVicious
     I just went to your website and got the phone numbers for HR, Support, Investor Relations, etc., and they all seem to end with 1xxx...
     Scan the IP range registered to your company as reported by ARIN:
       root@bt:/pentest/voip/sipvicious# ./ -p5060-5061
       | SIP Device | User Agent   | Fingerprint                            |
       |------------|--------------|----------------------------------------|
       |            | Asterisk PBX | Asterisk / SJphone/1.60.289a (SJ Labs) |
     Enumerate extensions...
       root@bt:/pentest/voip/sipvicious# ./ -e1000-9999
       | 1005 | reqauth |
       | 1004 | reqauth |
       | 1003 | reqauth |
       | 1002 | noauth  |
       | 1001 | reqauth |
     We got one extension without a password! It must be misconfigured.
     Look for numeric passwords for another extension...
       root@bt:/pentest/voip/sipvicious# ./ -u1001 -r1000-999999 192.168.133.128
       | Extension | Password |
       |-----------|----------|
       | 1001      | 1234     |
     Now just register a couple of soft phones and make free calls!
  17. BUT, wasn't analog TDM safer? NO!
     We still saw:
     • Eavesdropping
     • Media injection
     • Caller impersonation
     • Toll fraud
     • Physical attacks
  18. How does Acme Packet secure Unified Communications services?
  19. Net-Net E-SBCs control and secure network borders
     [Diagram: the E-SBC sits between the service provider and the enterprise's IP telephony, conferencing, CRM, tele-presence and contact center services.]
     Strong security: network border protection; privacy
     Easy interoperability: SIP interoperability; protocol interworking
     Assured reliability: quality user experience; resilient services
  20. Net-SAFE™ Session-Aware Filtering & Enforcement
     • Hardware & software DoS/DDoS prevention
     • Hardware-accelerated encryption & authentication
     • Dynamic and static access control lists
     • Protocol enforcement and interoperability
     • Topology hiding and NAT
     • Session overload protection (upstream/downstream)
     • Regulatory compliance / legal intercept to recorder
     • Fraud prevention / endpoint trust management
     • Routing, high availability and load balancing
     [Diagram: processing stages of HW DoS policy with ACLs, SW DoS policy, endpoint trust management, threshold management, routing / session management and destination availability, with a discard path.]
  21. Confidentiality
     [Diagram: security triangle of confidentiality, integrity and availability.]
     Ensure that information is not disclosed to unauthorized parties.
  22. Remove identifying data
     Obscure the internal structure of your network and services so attackers don't know what or how to attack.
     • Back-to-Back User Agent (B2BUA): terminates and re-originates all sessions so we can manipulate them
     • Topology hiding: modify or strip signaling message parts that might reveal your internal network or telephony topology
     Before the SBC: From: JConnor @ my desk; To: Customer; Via: My PBX; Route: PBX, SBC; Phone: Brand X desk phone, software version x.y.z.1; Send audio: to my phone; Vendor specific: location
     After the SBC: From: CorpUser @ SBC; To: Customer; Via: SBC; Route: SBC; Send audio: to SBC
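The INVITE on slide 8 carries the "items in red" (Via, From, Contact, User-Agent and the SDP addresses) that the topology hiding on this slide removes. The following Python is an added example, not Acme Packet code or the output of an SBC: it parses a constructed INVITE modelled on slide 8 (the internal hosts and the SBC addresses are invented, taken from documentation address ranges) and rewrites it the way a B2BUA would before the message leaves the enterprise, re-counting Content-Length because the body changes.

```python
import re

SBC_SIG = "203.0.113.10:5060"   # assumed SBC signaling address (constructed)
SBC_MEDIA = "203.0.113.11"      # assumed SBC media relay address (constructed)
SBC_MEDIA_PORT = 20000          # port the SBC allocates for the relayed stream

# Constructed INVITE modelled on slide 8; the internal hosts are invented.
INVITE = "\r\n".join([
    "INVITE sip:15559191212@sip.provider.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bKb27061747269636b",
    'From: "JConnor" <sip:15554141337@pbx.corp.example>;tag=18de4db33f',
    'To: "15559191212" <sip:15559191212@sip.provider.example>',
    "Call-ID: 19424e0d9187654209ed34db33f", "CSeq: 1 INVITE",
    "Max-Forwards: 70", "User-Agent: BigTelcoVendor/R16.4.1.1 SIP",
    'Contact: "JConnor" <sip:15554141337@192.0.2.20;transport=udp>',
    "Content-Type: application/sdp", "Content-Length: 160", "",
    "v=0", "o=- 1 1 IN IP4 192.0.2.20", "s=-", "c=IN IP4 192.0.2.20",
    "b=AS:64", "t=0 0", "m=audio 19001 RTP/AVP 0 127",
    "a=rtpmap:0 PCMU/8000", "a=rtpmap:127 telephone-event/8000", ""])

def parse(msg):
    """Split a SIP message into start line, [(name, value)] headers, body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hdrs = [tuple(p.strip() for p in h.split(":", 1)) for h in lines[1:]]
    return lines[0], hdrs, body

def hide_topology(msg):
    """Rewrite the INVITE as a B2BUA does before it leaves the enterprise:
    internal hosts, device type and user identity become the SBC's values."""
    start, hdrs, body = parse(msg)
    body = re.sub(r"IN IP4 \S+", f"IN IP4 {SBC_MEDIA}", body)      # o= and c=
    body = re.sub(r"m=audio \d+", f"m=audio {SBC_MEDIA_PORT}", body)
    out = [start]
    for name, val in hdrs:
        key = name.lower()
        if key == "user-agent":            # vendor and version: strip entirely
            continue
        if key == "via":                   # the SBC is the only visible hop
            val = re.sub(r"/UDP [^;]+", f"/UDP {SBC_SIG}", val)
        elif key in ("from", "contact"):   # employee name and internal host
            val = re.sub(r'^"[^"]*"', '"CorpUser"', val)   # -> generic identity
            val = re.sub(r"@[^;>]+", "@" + SBC_SIG, val)   # -> SBC address
        if key == "content-length":        # body changed, so count it again
            val = str(len(body))
        out.append(f"{name}: {val}")
    return "\r\n".join(out) + "\r\n\r\n" + body
```

The To header and the Call-ID are left alone here; a real B2BUA would also issue its own Call-ID and tags on the outbound leg.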
  23. Authorize and encrypt for privacy and control
     Signaling or media traffic going across an untrusted network should be encrypted to avoid eavesdropping or hijacking, and to assure message integrity.
     • Fast hardware-accelerated encryption
     • Encryption specified on a boundary-by-boundary basis
     • Can ensure non-repudiation
     [Diagram: enterprise private network (campus and branch) and the Internet; a legitimate session carried as a TLS-encrypted session, versus sniffing on the untrusted path.]
  24. Integrity
     [Diagram: security triangle of confidentiality, integrity and availability.]
     Data and systems are not modified or used maliciously or accidentally.
  25. Assure message integrity
     Verify the integrity of signaling and media that enters your network to prevent service disruption.
     • Attacks are dropped at the network processor and won't impact the CPU or memory
     • Signaling is decomposed and analyzed for validity against RFC requirements
     [Diagram: E-SBC architecture. Host-based software: UAS/UAC, session control function, routing, protocol manipulation, policing engine, parser, traffic manager. Network processor embedded software: classifier, media control function, signaling, encryption, network interface; media is handled in the network processor.]
  26. Prevent fraudulent calls
     Monitor violations of call thresholds to spot misbehaving hosts, and analyze call detail records to detect fraud patterns.
     • Routing rules can refuse traffic to premium or fraudulent rate centers
     • SNMP traps to a management station indicate potential abuse
     • Call Detail Record (CDR) feeds can be sent "off box" for analysis, including metrics for call quality
     [Diagram: attacker, SBC and management station.]
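CDR analysis of the kind this slide describes, as an added Python example rather than Acme Packet's own: two rules run over a constructed CDR feed, one for destinations the routing rules would refuse and one for a burst of international calls from a single extension. The CDR columns, the prefixes and the per-hour threshold are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values: destination prefixes the routing rules refuse
# (constructed placeholders, not real rate centers), the international
# dial prefix, and how many international calls per hour from one
# extension count as a fraud pattern.
PREMIUM_PREFIXES = ("1900", "011998")
INTL_PREFIX = "011"
MAX_INTL_PER_HOUR = 10

# Constructed CDR feed: start time, calling extension, dialed digits, duration.
CDRS = """start,ext,dialed,seconds
2012-02-07T09:12:10,1003,15555550123,412
2012-02-07T22:01:10,1001,15555550177,180
2012-02-07T22:03:44,1001,19005550100,60
""" + "".join(f"2012-02-07T23:{m:02d}:00,1002,0119995550{m:03d},40\n"
              for m in range(12))   # ext 1002: 12 international calls in 12 min

def parse_cdrs(text):
    """Return (start, ext, dialed, seconds) records sorted by start time."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted((datetime.fromisoformat(r["start"]), r["ext"], r["dialed"],
                   int(r["seconds"])) for r in rows)

def find_fraud(records):
    """Apply the two rules and return (rule, extension, detail) findings."""
    findings = []
    recent = defaultdict(list)      # ext -> international call starts, last hour
    for start, ext, dialed, _secs in records:
        if dialed.startswith(PREMIUM_PREFIXES):
            findings.append(("premium-destination", ext, dialed))
        if dialed.startswith(INTL_PREFIX):
            window = [t for t in recent[ext] if start - t < timedelta(hours=1)]
            window.append(start)
            recent[ext] = window
            if len(window) == MAX_INTL_PER_HOUR + 1:   # report once per crossing
                findings.append(("international-burst", ext,
                                 f"{len(window)} international calls within 1h"))
    return findings
```

Each finding is what would be raised as an SNMP trap or flagged in the off-box analysis; the premium rule is the offline check of what the routing rules should already be refusing.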
  27. Availability
     [Diagram: security triangle of confidentiality, integrity and availability.]
     Reliability and accessibility of data and resources to authorized individuals in a timely manner.
  28. Denial of Service (DoS) protection
     Assume hosts are untrusted until they verify their identity through authentication and/or other actions. Establish thresholds to protect against compromised or unintentionally misbehaving hosts.
     • Initial trust level and message thresholds enforced
     • Depending on their actions, hosts will be promoted to trusted status or demoted to untrusted or denied status
     • Queues based on trust level make sure services are available even while under DoS attack
     [Diagram: dynamic trust levels of Trusted, Untrusted and Deny.]
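The promote/demote cycle and the per-level queues described on this slide, as an added Python example (not Acme Packet code): hosts start untrusted, authentication promotes them, exceeding the level's message threshold demotes them to denied, and a flood from untrusted hosts can only fill the untrusted queue. The thresholds, queue depths and the 60-second deny period are assumed values, since the slide gives only the mechanism.

```python
from collections import deque

TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"
# Assumed policy values (the slide gives the mechanism, not the numbers):
# messages per second a host may send, and queue depth, per trust level.
MSG_PER_SEC = {TRUSTED: 100, UNTRUSTED: 5}
QUEUE_DEPTH = {TRUSTED: 1000, UNTRUSTED: 50}
DENY_SECONDS = 60.0                     # how long a denied host stays denied

class TrustManager:
    """Hosts start untrusted. Authentication promotes to trusted, exceeding
    the level's threshold demotes to denied, and denial expires back to
    untrusted. Each level has its own queue, so a flood from untrusted
    hosts cannot starve traffic from trusted ones."""
    def __init__(self):
        self.level, self.recent, self.deny_until = {}, {}, {}
        self.queue = {TRUSTED: deque(), UNTRUSTED: deque()}

    def authenticated(self, host):
        self.level[host] = TRUSTED      # promotion on successful auth

    def classify(self, host, now):
        lvl = self.level.get(host, UNTRUSTED)
        if lvl == DENIED and now >= self.deny_until[host]:
            lvl = self.level[host] = UNTRUSTED   # penalty over, start again
        return lvl

    def on_message(self, host, now, msg):
        """Return the trust level whose queue took the message, or None if
        the message was discarded (denied host, threshold, or full queue)."""
        lvl = self.classify(host, now)
        if lvl == DENIED:
            return None
        window = self.recent.setdefault(host, deque())
        window.append(now)
        while window[0] <= now - 1.0:   # keep a one-second sliding window
            window.popleft()
        if len(window) > MSG_PER_SEC[lvl]:
            self.level[host] = DENIED   # demotion on threshold violation
            self.deny_until[host] = now + DENY_SECONDS
            return None
        q = self.queue[lvl]
        if len(q) >= QUEUE_DEPTH[lvl]:  # only this level's queue is affected
            return None
        q.append((host, msg))
        return lvl
```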
  29. Manage service capacities
     Understand the capacities of your services and limit access so they do not become overwhelmed.
     • Thresholds per session agent:
       – Sessions
       – Burst rate
       – Sustained rate
       – Status
     • Variable load balancing
     [Diagram: three session agents with load shares of 50% (sessions = 500, burst rate = 10 cps, sustained = 8 cps), 30% (sessions = 300, burst rate = 5 cps, sustained = 4 cps) and 20% (sessions = 200, burst rate = 4 cps, sustained = 3 cps).]
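An added Python example (not Acme Packet code) that applies the session, burst-rate, sustained-rate and status thresholds and the 50/30/20 load shares shown for the three session agents on this slide. How the rates are measured (burst over the last second, sustained as an average over the last sixty seconds) and the hash-based weighted choice are assumptions made for the example.

```python
import zlib
from collections import deque

class SessionAgent:
    """One SIP trunk / next hop with the slide's thresholds. Assumed: burst
    rate is counted over the last second, sustained rate as an average
    over the last 60 seconds."""
    def __init__(self, name, weight, sessions, burst_cps, sustained_cps):
        self.name, self.weight = name, weight      # weight = load share (%)
        self.max_sessions = sessions
        self.burst_cps, self.sustained_cps = burst_cps, sustained_cps
        self.status = "in-service"                 # the slide's "status"
        self.active = 0                            # concurrent sessions
        self.starts = deque()                      # recent call start times

    def can_accept(self, now):
        while self.starts and self.starts[0] <= now - 60:
            self.starts.popleft()                  # drop starts older than 60 s
        last_second = sum(1 for t in self.starts if t > now - 1)
        return (self.status == "in-service"
                and self.active < self.max_sessions
                and last_second < self.burst_cps
                and len(self.starts) < self.sustained_cps * 60)

    def start(self, now):
        self.starts.append(now)
        self.active += 1

    def end(self):
        self.active -= 1

# The three agents from slide 29: 50% / 30% / 20% load shares.
AGENTS = [SessionAgent("SA-1", 50, 500, 10, 8),
          SessionAgent("SA-2", 30, 300, 5, 4),
          SessionAgent("SA-3", 20, 200, 4, 3)]

def route(agents, now, call_id):
    """Weighted choice among agents that still have capacity; hashing the
    Call-ID keeps the choice deterministic. None means every agent is at a
    threshold and the call should be rejected (for example with a 503)."""
    eligible = [a for a in agents if a.can_accept(now)]
    if not eligible:
        return None
    point = zlib.crc32(call_id.encode()) % sum(a.weight for a in eligible)
    for agent in eligible:
        if point < agent.weight:
            agent.start(now)
            return agent
        point -= agent.weight
```

With the slide's numbers the three agents together admit at most 19 new calls in any one second; anything beyond that is refused rather than forwarded to an already overloaded trunk.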
  30. Make UC services resilient
     Implement hardware and/or site redundancy to minimize the impact of physical attacks on building, power, network, etc.
     High availability:
     • No loss of active sessions
     • Active / standby failover in 40 ms
     • Checkpointing of configuration, media & signaling state
     • Preserves CDRs on failover
     Multi-site failover:
     • Multiple SIP trunks improve network resiliency in disaster recovery scenarios
     • SBC enables fast failover without operator intervention
  31. Security Architecture
  32. Trust zones provide flexibility
     Use the SBC to create a virtual firewall DMZ architecture with multiple zones at different trust levels.
     [Diagram: the SBC internetworks SIP or H.323 signaling and media between the zones (Internet at low trust, partner at high trust, outsourcer and internal at medium trust) and the core / backbone.]
  33. Security for SIP trunking applications
     Run data firewalls and Acme Packet SBCs in parallel to manage data and communications services in the optimal location.
     [Diagram: SIP / MPLS provider, Internet, or any untrusted network; a DMZ holding the Acme Packet SBC HA pair; the data network or VLAN and the UC network or VLAN behind it.]
  34. Security for remote worker access
     Send remote users to the SBC instead of your VPN concentrator for message verification, throttling, and best performance without the need for a VPN client.
     • SIP message integrity verification
     • SBC can cache client registration, responding to regular client keep-alives
     • Confidentiality through signaling and media encryption
     • Easier connectivity & traversal through local firewalls vs. VPN solutions, especially while travelling
     [Diagram: teleworkers on the Internet reach the data centers over TLS/SRTP to the SBC, versus a VPN tunnel.]
  35. Common Questions
  36. "Why do I need an SBC when the service provider has one?"
     • Integrity: the service provider SBC is there to protect them from you
     • Availability: routing to SIP gateways and service providers
     • Interop / confidentiality: SIP normalization and topology hiding
     • Quality of service: call routing can be dynamically driven by call quality
     [Diagram: service provider SBC facing customers 1, 2, 3 ....]
  37. "What do I tell my security department?"
     • 1,525 customers in 107 countries: the industry standard
     • Processes calls through both general IP and UC-specific attacks
     • Acme Packet Net-Net SBC certified by the U.S. DISA JITC at Ft. Huachuca, AZ for information assurance and interoperability in DoD networks
     • Can work in a firewall DMZ if best practices are followed
  38. Summary
  39. Don't forget to think holistically...
     • Physical security: locks, badges, lighting, emergency exits
     • Data security: 802.1X, LLDP, firewalls, ACLs, VLAN strategy, internal encryption, administrative interfaces, QoS marking and measurement
     • Host security: anti-virus, control of third-party apps and endpoints, patching and configuration of end devices, asset acquisition and disposal
     • Disaster recovery: redundant hardware, services, network
     • Compensating controls: CDR analysis to prevent or detect insider abuse, logging, video surveillance; internal scans or penetration testing
     • Internal controls: hiring policies and security reviews
     • Employee training programs: best-practice guidelines and clear expectations; educate employees to recognize social engineering
  40. Additional resources
     • Acme Packet services, training, sales, or partners
     • SIP School
     • Track Linux VoIP wiki pages
     • Voice Over IP Security Alliance (VOIPSA): http://voipsa.org
     • The SIP Forum service provider
  41. Questions?
  42. Thank you
     • The SIP School discount code = APDC2204
     • Link to webinar recording will be e-mailed to all registered participants