CRENNO Technologies solutions in Session Border Controllers on NGN/IMS Networks Market

1. CRENNO Technologies
Network Security Consultancy & Acme-Packet SBC

2.  Company Profile
 Capabilities
 Consultancy & OnDemand Solutions
 Session Border Controller
 SBC Components & Features
 DoS Protection
 Access Control – VPN Seperation
 Topology Hiding & Privacy
 Malicious SW Protection
 Service DoS Protection
 Fraud Preventing
 Monitoring & Reporting
 Conclusion
Agenda

3. CRENNO Technologies is established in
2009 last quarter of 2009
All Team members are Computer Engineers
Experience Assistances National & International Experiences and
R&D Assistances add power to CRENNO
Technologies
Company Profile

4.  Network Capabilities  Software Capabilities
 Vendors  Languages
 Alcatel-Lucent  JAVA – Glassfish App Server
 Cisco  .NET
 AVAYA  C-C++
 Acme-Packet  Experiences
 Certifications  Telco Software Development
 CCNA  Softswitch Development
 CWNA  SMS GW Development
 Acme-Packet SBC  Other Technologies
 ACA  Solaris UNIX
 ORACLE
Capabilities

5.  Network Types & Security
 Wireless Networks
 Wireline Networks
 Voice Networks
 Network Security (Session Border Controller)
 Services & Solutions
 Design / Integration / Installation
 Consultancy / Optimization
 Support / Education
 Network Equipments’ Load, Performance, Stability Testing
 Network Software Development
Consultancy & OnDemand Solutions

6. Protect The Service
GW SS
Service Provider Peer
Protect Service Provider Infrastructure
GW
Enterprise Access Protect SBC
MGCP CA
Session Border SIP PX
Service
Controller Provider
H.323 GK
Residential Access
MS
Session Border Controller will be used as;
Session Director (SD) – integrated session & media control
Contact Center Session Controller (SC) – session & border gateway control
Border Gateway (BG) – IP-IP packet gateway
AS IPPBX Session Router (SR) – SIP routing proxy & cluster server
Signaling Firewall (SF) – SIP signaling security & encryption
Session Border Controller

7.  SBC Components & Features
 DoS Protection
 Access Control – VPN Seperation
 Topology Hiding & Privacy
 Malicious SW Protection Fraud
Prevention
DoS
Protection
 Service DoS Prevention Access
Service DoS
 Fraud Preventing
Control – VPN
Prevention Seperation
 Monitoring & Reporting Malicious
SW
Topology
Hiding –
Protection Privacy
SBC Components & Features

8. SBC goals for DoS Protection
 Staying ahead, not react to outages
 Protect service provider at all costs
 Enable service for largest possible population
 Don’t impact type of service available
 Don’t impact how service is used
 Don’t require changes in other devices
 Support heterogeneous (multi-vendor) networks
 Don’t rely on external “control” protocols
Features
 Protect SBC from DoS and other attacks
 Dynamically handle device trust
 Better service for trusted users
 Automatically isolate attackers
DoS Protection

9. Access Control & VPN
Per application behaviors
Filter by specific devices or whole networks
Permit access to known devices or networks
Block traffic for applications not supported by SBC
Per user behaviors
Permit or deny access to anonymous users
Permit access to authorized/registered users
Dynamically accept or reject traffic based on device behavior
Media support
Only accept and forward for authorized sessions
Filtering & encryption: high performance, low latency, and scale
Access Control List filters
IPSec and TLS connections
Secure L2 and L3 VPN customers
Maintain security isolation between VPNs
Inter-VPN sessions
Monitor media for intra-VPN sessions
Signaling-only VPNs
Media-only VPNs
Access Control-VPN Seperation

10. Topology Hiding & Privacy
Hide entire topology
 Prevent directed attacks
 Confidentiality
Anonymize all user information
 Privacy and confidentiality
 If desired by service provider
Protect from eavesdroppers
 End users
 Service provider infrastructure
High performance
 High capacity and low-latency
 Performance unaffected by encryption
TLS (Transport Layer Security)
IPSec (IP Security)
SRTP (Secure Real-Time Transport Protocol)
Topology Hiding & Privacy

11. Malicious Software Protection (Virus, Worms, Malware )
Security issues are very complex and multi-dimensional
 Attack sophistication is growing while intruder knowledge is decreasing
Security investments are business insurance decisions
 Life – DoS attack protection
 Health – SLA assurance
 Property – service theft protection
 Liability – SPIT & virus protection
Degrees of risk
 Misconfigured devices
 Operator and Application Errors
 Peering
 Growing CPE exposure to Internet threats
Malicious SW Protection

12. SBC Service Infrastructure DoS Protection
Hide service infrastructure topology
 Layer 1-4 topology hiding + NAT
 Layer 5-7 topology hiding, privacy, + NAT
Prevent infrastructure attacks
 SBC DoS protection implicitly protects service infrastructure
 RTP media policed to session-based codec value
Prevent infrastructure overloads
 Per-infrastructure device signaling overload control
Multiple load balancing strategies and call gapping
Prevent attacks from service provider
 SBC DoS protection works in both directions
 All networks are untrusted networks
Service DoS Protection

13. SBC Fraud Prevention
Authenticate and authorize users
 External policy control (COPS/SOAP) for authorization and CAC
 Numerous access control features provide basic authentication + authorization
 Enforce service contract per-user/device
Prevent piggy-back usage
 Session signaling messages verified to be session consistent
 Early-media blocking for fraud prevention
 RTP media policed to session-based codec value
 Hardware encryption acceleration for IPSec and TLS
Record audit trails
 Call detail records created and exported
 RTP media QoS measurements monitored + recorded
 Media pinhole for ended or stranded calls automatically closed
Fraud Prevention

14. SBC Monitoring & Reporting
Monitor for security breaches
 Access control + DoS filters, counters, etc. recorded and viewable
Notify operations personnel of attacks and overloads
 SNMP Traps generated for attacks, authorization failures, overload events
Secure monitoring & management access
EMS platform available: secured with IPSec or SSL
 Separate, external management interface with SSH, SFTP, ACLs
Create audit trails
 Packet capture of raw packets for analysis
 RTP media QoS measurements monitored + recorded
 Call detail records created and exported via RADIUS
 EMS records security logs
Monitoring & Reporting

15.  CRENNO is a Telecommunication Software Company
 This feature brings both;
 Network Side Businesses
 Software Development Businesses
 CRENNO has a deep knowledge of Acme-Packet Session Border
Controllers.
 For Telecommunication Companies, SBC is a must.
 For Other Companies need to grow their voice network, SBCs are
need to secure themselves.
 Acme-Packet SBC is the leading SBC in the market
 CRENNO Technologies’ vision is growing in both market within the
scope
Conclusion

16. info@crenno.com
twitter/crenno
www.crenno.com