for trusted, first class interactive communications


1 for trusted, first class interactive communications

2 Securing enterprise VOIP
Firewall pinholes/ACLs are not enough
- Open signaling ACL
- Full range of RTP ports left open
Data IDS is not sufficient for SIP and H.323
- Not inline with signaling and media
- Relies on triggers from other network elements that have no call awareness
Session border controllers ARE VoIP security
- Track record of 5+ years securing next-gen VoIP networks
- Inline for signaling and media
- Call state: cleans up transactions and dialogs
- Verifies valid users/devices
- Hardware-based policing/filtering is most effective against DoS/DDoS attacks
- Protection against malicious software attacks
- Fraud prevention
Acme Packet Confidential

3 Solution: enterprise SIP peering
Diagram: enterprise site on MPLS VPN or private network; PBX (H.323 or SIP); SIP endpoints/server; SIP regional PBX; outbound to carriers, inbound to users; service provider offering IP access to PSTN, hosted services, IP extranet and other IP subscribers
Enterprise migration
- Eliminate access charges per site
- Fully converge voice/data over MPLS VPN
- Data center PBX model (centralization) drives SIP peering capacity
Security
- Hardware-based signaling overload policing
- Full topology hiding (NAT) of signaling and media
- Session-based RTP pin-holing (rogue protection)
- IP PBX/endpoint DoS prevention
- IPsec, TLS, SRTP
Signaling
- SIP header manipulation for vendor interop
- CAC: bandwidth- and session-based
- Routing: local and ENUM
- Load balancing, failure-based re-route
Speaker notes
- Routing to site A or B, or to session agent groups, by called telephone number/URI and by codec (voice vs. video)
- Load balancing within a session agent group: hunt, round robin, least busy, proportional distribution, lowest sustained rate
- SIP pings to test session agent (SA) availability
- Admission control per SA: max inbound & outbound sessions (#), max outbound sessions (#), max INVITE burst rate (sessions/sec), max INVITE sustained rate (sessions/sec)
Use case
- 3 years in due diligence
- 100% SIP
- 45-page SBC RFI, 95% feature coverage
- Contact center and PBX
- Multi-vendor PBX and ASP environment
- Main campuses and contact centers ahead of branch offices
- Services differentiation first, cost savings second

4 Solution: enterprise SIP station side
Diagram: enterprise site on MPLS VPN or private network; PBX (H.323 or SIP); SIP endpoints/server; SIP regional data center PBX; teleworkers behind NAT reaching the SBC over the Internet service provider
Enterprise migration
- Virtualizes the office and contact center
- Remote workers, traveling workers and small sites without MPLS connectivity
Security
- Hardware-based signaling overload policing per user
- Full topology hiding (NAT) of signaling and media
- Session-based RTP pin-holing (rogue protection)
- IP PBX/endpoint DoS prevention
- IPsec, TLS, SRTP
- Registration overload protection
- SIP registration-based ACLs: only INVITEs from registered users pass
Signaling
- SIP header manipulation for vendor interop
- CAC: bandwidth- and session-based
- Per-user CAC
- SBC virtualization allows access and peering on the same SBC
Speaker notes: routing, load balancing, admission control and use case as on the peering slide

5 Solution: IP contact centers
Enterprise migration
- Reduces transfer and connect costs
- Increases visibility for transferred calls
- Ties in teleworkers to virtualize the contact center
Security
- Hardware-based signaling overload policing per user
- Full topology hiding (NAT) of signaling and media
- Session-based RTP pin-holing (rogue protection)
- IP PBX/endpoint DoS prevention
- IPsec, TLS, SRTP
- Registration overload protection
- SIP registration-based ACLs: only INVITEs from registered users pass
Signaling
- SIP header manipulation for vendor interop
- Routing / failure re-routing
- CAC: bandwidth- and session-based
- SBC virtualization allows access and peering on the same SBC
- Packet replication to call recording devices
Diagram: contact center (SIP/G.711), sites A and B with CSR1–CSR5 over MPLS; Internet customers with managed SIP/H.323, codec X
Speaker notes
- For the first solution, the SBC brings the following benefits and features to the distributed sites of a contact center connected via MPLS VPNs.
- Routing to site A or B, or to session agent groups, by called telephone number/URI and by codec (voice vs. video)
- Load balancing within a session agent group: hunt, round robin, least busy, proportional distribution, lowest sustained rate
- SIP pings to test SA availability
- Admission control per SA: max inbound & outbound sessions (#), max outbound sessions (#), max INVITE burst rate (sessions/sec), max INVITE sustained rate (sessions/sec)
Use case
- Very large healthcare provider with IP contact center
- Blend of network and CPE: IXC for inbound 800, ASP-hosted IVR, Cisco and Avaya call center platforms, PBXs and gateways
- Formidable economics and service model
- Critical requirements: security, QoS, scale, HA, VPN segregation, DoS protection, interoperability
- Customer passed on Cisco and NexTone

6 Acme Packet market-leading Net-Net product family
Net-Net OS delivers: security, service reach, SLA assurance, revenue & profit protection, regulatory compliance, multi-protocol support, management, high availability
Products: Net-Net 9000, Net-Net 4000 PAC, Net-Net 4000 (integrated & decomposed SBC configurations), Net-Net EMS

7 Acme Packet Net-Net platform performance & capacity
| | Net-Net series | Net-Net series PAC | Net-Net series SD |
| SIP signaling performance | 1200 SIP mps, 85 SIP calls/sec | 9600 mps, 680 SIP calls/sec | SIP mps, 150 – 570 SIP calls/sec |
| SR signaling performance | Up to 500 calls/sec | N/A | TBD |
| Media sessions * | 32K – 128K | 256K – 1 million | 32K – 128K |
| Transcoded sessions | NA | | 0 – 16,000 |
| Network interfaces (active) | (2 or 4) 1000 Mbps or (8) 10/100 Mbps | (32) 1000 Mbps | (8 or 16) 1000 Mbps |
| High availability | Inter-system 1x1 or Nx1 | Intra-system | |
| Package size / slots | 1U / 2 slots | 10U or 18U | 7U / 13 slots |
* Actual achievable session capacity is based on signaling performance

8 Net-Net OS architecture
Session control subsystem
- Management & configuration: CLI, XML, SNMP, SYSLOG, HTTP, TFTP, RADIUS, configuration repository, redundancy management
- Routing, policy & accounting: number manipulation, session routing, admission control, route policy, load balancing, traffic controls, accounting & QoS reporting, DNS/ENUM
- Signaling services: SIP B2BUA, H.323 B2B gatekeeper/gateway, SIP/H.323 IWF, MGCP/NCS, H.248, DNS ALG, NAT relay
- Security front end: access control, denial of service protection, traffic management, signaling flow policing, encryption engine
- Resource and bandwidth control: bandwidth policy enforcement, bearer resource management
Network processor subsystem (media control)
- Dynamic access control, dynamic NAPT relay, HNT / RTP latching, media supervision timers, transcoding, bandwidth policing, QoS measurements, QoS marking, lawful intercept (CCC), DTMF extraction, statistics

9 SIP protocol repair and normalization
- SIP header and parameter manipulation per realm and session agent: stripping, insertion, modification
- Configurable SIP status code mapping per session agent
- Inbound/outbound number manipulation rules per realm and session agent
- Configurable SIP timers and counters per realm
- Configurable Q.850-to-SIP status mapping
- Configurable TCP/UDP transport per realm
- Configurable option tag handling per realm
- Configurable FQDN-to-IP / IP-to-FQDN mapping
- SIP Route header stripping
- Malformed signaling packet filtering
- Many SIP options for vendor and version interworking
- E.164 number normalization

10 Acme Packet hosted NAT traversal
Basic operation
- SIP client sends REGISTER to the Net-Net SD's address; the SD forwards it to the registrar
- Net-Net auto-detects NATed clients
- In the 200 OK, the SD instructs the SIP client to refresh its registration periodically to keep the NAT binding open
- Net-Net SD provides the client with SDP pointing at its media relay
- Media relay latches on the first RTP packet; all packets are then relayed to the destination client
Diagram: client behind firewall/NAT; signaling to the B2BUA and media to the media relay, both on the Net-Net SD
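The pinholing and latching behavior described above, as an added example that is not Acme Packet code: signaling opens a media pinhole per session, the relay learns the client's public address from the first valid RTP packet (because the address in the client's SDP is its private, NATed one), later packets from any other source are dropped, and the pinhole is closed on teardown. The RTP version check, the port allocation scheme and the sample addresses are assumptions.

```python
"""Session-based RTP pinholing with source latching (added example, not
Acme Packet code).  The relay is in-memory: on_packet() returns what would
be forwarded instead of sending on a socket."""
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Pinhole:
    """One media leg opened by signaling.  far_end is unknown until the
    first RTP packet arrives and is then latched for the session."""
    local_port: int            # relay port advertised to the client in SDP
    dest: Addr                 # other party's media address from its SDP
    far_end: Optional[Addr] = None
    active: bool = True
    forwarded: int = 0
    dropped: int = 0


def is_rtp(payload: bytes) -> bool:
    """Minimal sanity check: 12-byte header and RTP version 2 (RFC 3550).
    Assumed here; it keeps random UDP from latching the session."""
    return len(payload) >= 12 and (payload[0] >> 6) == 2


class MediaRelay:
    def __init__(self, first_port: int = 20000):
        self.pinholes = {}          # relay local port -> Pinhole
        self._next_port = first_port

    def open_session(self, dest: Addr) -> int:
        """Called by the signaling side (e.g. on the 200 OK carrying SDP):
        opens a pinhole and returns the relay port to put in the client's SDP."""
        port = self._next_port
        self._next_port += 2        # RTP on even port, RTCP on the next
        self.pinholes[port] = Pinhole(local_port=port, dest=dest)
        return port

    def close_session(self, port: int) -> None:
        """BYE/teardown: close the pinhole so late or rogue packets are dropped."""
        self.pinholes[port].active = False

    def on_packet(self, local_port: int, src: Addr, payload: bytes):
        """Returns (dest, payload) to forward, or None if the packet is dropped."""
        ph = self.pinholes.get(local_port)
        if ph is None:
            return None             # no session opened this pinhole
        if not ph.active or not is_rtp(payload):
            ph.dropped += 1
            return None
        if ph.far_end is None:
            ph.far_end = src        # latch: the first valid packet wins
        elif src != ph.far_end:
            ph.dropped += 1         # rogue source after latching
            return None
        ph.forwarded += 1
        return ph.dest, payload
```

Latching to the first packet means whoever reaches the pinhole first owns the binding for that session; scoping the pinhole to the signaled session and checking the RTP header narrow that window but do not close it, which is one reason the deck pairs hosted NAT traversal with SRTP further on.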

11 Business continuity / redundancy
- Redundant Net-Net product configurations offer non-stop performance
- Supports new calls with no loss of active sessions (media and signaling), including capabilities (protocol dependent)
- Preserves CDRs on failover
- 1:1 active/standby architecture with shared virtual IP/MAC addresses
- Failover on node failure, network failure, poor health or manual intervention
- 40 ms failover time
- Checkpointing of configuration, media & signaling state
- Software option; requires no additional hardware
Diagram: active SD (sd0.co.jp) and standby SD (sd0.fc.co.jp); clients find the SD through DNS round-robin or a configured proxy; on failover all sessions stay up and new sessions are processed immediately

12 Service virtualization
Diagram: one Net-Net Session Director on a multi-service backbone serving interconnect services, SOHO and business services

13 Realms and realm groups
- Session routing and interworking between realms
- Per-realm policies and resources: signaling service, media resources, number translation tables, packet marking policy, bandwidth CAC policy, media release policy, signaling access control & DoS
Diagram: multiple realms behind virtual IPs, collected into a realm group

14 SIP-H.323 interworking
Enterprise SIP & H.323 interworking
- Supports all popular H.323 IP PBX vendors: Cisco, Avaya, Nortel, etc.
- Maximizes investments made in legacy IP PBXs; reduces termination costs, as high-capacity SP trunking is SIP
PBX & SIP-based services integration
- Transport services: 1+ dialing
- SIP Centrex/PBX integration with unified dial plan management
- Supports Cisco CM & other H.323 PBXs; H.323 gateway to TDM PBX
- Voice ASP (calling card, directory, etc.)
- Enables connections with SIP & H.323 service providers
Diagram: PSTN origination & termination, voice ASP (SIP) and data center IP services on the provider side; enterprise core with IP PBX (H.323 or SIP) and legacy PBX with gateway

15 SD routing overview
Acme Packet's Session Director has several "types" of routing mechanism:
- Local policies: extremely flexible; based on previous hop, previous realm, Request-URI, From, cost, time/day, media type, etc.
- ENUM: actually a subset of local policies, so it has that flexibility too
- Trunk-group-URI selection of next hop or group of next hops, per IETF draft-ietf-iptel-trunk-group and for some proprietary TGIDs
- Request-URI matching against cached registered endpoints, for requests from the core to dynamic subscribers
- Request-URI hostname resolution
- Route header routing per RFC 3261
- Static 1:1 mapping, for simple cases needing only security and protocol repair

16 Local-Route-Table – technical details
Sub-features
- Supports 200k+ routes
- Supports multiple, distinct local route tables; whether and which local route table is used is decided by the result of local policies, so hybrid routing configurations are possible
- Supports regular expression results, similar to ENUM results, used to replace the Request-URI with a new value based on a regex
- Route tables are in XML format, gzipped
- Supports rn/cic-specific lookups and user-defined prefix lengths
- Useful for peering applications: choose which peer to send calls to, or which core softswitch/gateway to send inbound calls to
- Supports both proxy and B2BUA modes

17 Traffic load balancing
- Load balance multiple SIP/H.323 softswitches, application servers or gateways
- Load balancing options: hunt, round robin, least busy, lowest sustained rate, proportional
- Detect and route around element failures
- Session agent statistics for H.323 & SIP destinations
- Common session agent constraints: max sessions, max outbound sessions, max burst rate, max sustained rate, session agent unavailable or unresponsive

18 Session admission control
- Realm-based (access networks or transit links): realm and realm group bandwidth constraints
- Session agent-based (call controllers or app servers): session agent constraints (capacity, rate, availability, etc.); softswitch signaling rate limiting or "call gapping"
- Per-user CAC, based on AOR or IP address
- Address-based: call gapping constraints based on destination address/phone number
- Policy server-based: TISPAN RACS and PacketCable Multimedia policy server interface
- Overload protection: the session border controller rejects sessions gracefully when host processor load is >= 90% (default; configurable)
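The session agent constraints from the load balancing slide and the session agent-based admission control above, combined into one added example (not Acme Packet code): each agent enforces max sessions, max outbound sessions, a per-second INVITE burst rate and a sustained rate averaged over a window, and a group selects among agents by hunt, round robin or least busy, returning no agent when every one is unavailable or at a constraint. The 30-second sustained window and the agent names are assumptions.

```python
"""Session-agent admission control and load balancing (added example, not
Acme Packet code).  Constraints: max sessions, max outbound sessions, max
INVITE burst rate (per second), max sustained rate (average over a window).
Strategies: hunt, round robin, least busy."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SessionAgent:
    name: str
    max_sessions: int
    max_outbound: int
    max_burst_rate: int              # INVITEs admitted within any one second
    max_sustained_rate: float        # average INVITEs/sec over sustained_window
    sustained_window: float = 30.0   # seconds (assumed)
    available: bool = True           # result of the periodic SIP ping (OPTIONS)
    sessions: int = 0
    outbound: int = 0
    invites: deque = field(default_factory=deque)  # admitted INVITE timestamps

    def can_admit(self, now: float, outbound: bool = True) -> bool:
        """Every constraint must hold; any failure makes this agent unusable now."""
        if not self.available or self.sessions >= self.max_sessions:
            return False
        if outbound and self.outbound >= self.max_outbound:
            return False
        while self.invites and now - self.invites[0] >= self.sustained_window:
            self.invites.popleft()   # drop INVITEs outside the window
        burst = sum(1 for t in self.invites if now - t < 1.0)
        if burst >= self.max_burst_rate:
            return False
        return len(self.invites) / self.sustained_window < self.max_sustained_rate

    def admit(self, now: float, outbound: bool = True) -> None:
        self.invites.append(now)
        self.sessions += 1
        if outbound:
            self.outbound += 1

    def release(self, outbound: bool = True) -> None:
        """Call ended (BYE or failure): free the session slot."""
        self.sessions -= 1
        if outbound:
            self.outbound -= 1


class SessionAgentGroup:
    def __init__(self, agents, strategy: str = "hunt"):
        self.agents = list(agents)
        self.strategy = strategy
        self._rr = 0

    def _candidates(self):
        if self.strategy == "hunt":          # always try the first, then the next
            return list(self.agents)
        if self.strategy == "roundrobin":    # rotate the starting agent
            n = len(self.agents)
            order = self.agents[self._rr:] + self.agents[:self._rr]
            self._rr = (self._rr + 1) % n
            return order
        if self.strategy == "leastbusy":     # lowest fraction of max sessions
            return sorted(self.agents, key=lambda a: a.sessions / a.max_sessions)
        raise ValueError(f"unknown strategy {self.strategy}")

    def route(self, now: float, outbound: bool = True):
        """Name of the agent that admitted the call, or None when every agent
        is unavailable or at a constraint (the SBC then rejects gracefully)."""
        for agent in self._candidates():
            if agent.can_admit(now, outbound):
                agent.admit(now, outbound)
                return agent.name
        return None
```

The burst and sustained checks are deliberately separate: a softswitch that tolerates 100 INVITEs in one second may still fall over at an average of 50/sec held for a minute, and only the windowed average catches that.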

19 Net-Net Session Director lawful intercept for hosted communications
- Lawful intercept independent of the softswitch for both IP-PSTN and IP-IP calls
- Supports SIP, MGCP and H.323
- Call content: media flows replicated and forwarded to the delivery function (DF) over the Call Content Connection (CCC)
- Call data: sent to the DF over the Call Data Connection (CDC)
Diagram: law enforcement agencies (LEAF & CF); lawful intercept server (DF & SPAF); Net-Net SD as the access function (AF) between the PSTN/service infrastructure and the edge router; SIP, MGCP and H.323 subscribers; signaling and media paths

20 Net-SAFE™

21 The net-net
- Security issues are very complex and multi-dimensional
- Attack sophistication is growing while intruder knowledge is decreasing
- Security investments are business insurance decisions: life (DoS attack protection), health (SLA assurance), property (service theft protection), liability (SPIT & virus protection)
- Degrees of risk, from high to low: misconfigured devices; operator and application errors; peering; growing CPE exposure to Internet threats; NEVER forget disgruntled Malcom (Office Space)
- Only purpose-built session border controllers protect enterprise assets

22 Riding the bull
- Threat mitigation means staying "ahead" of security threats; attackers don't publish their methods
- As data attack models have matured they have dramatically increased in number, putting pressure on security defense scale
- The requirements of real-time services such as VoIP and multimedia are different from those of data: similar trends, different devices
- Stateful, service-aware and dynamic policy application
- Endpoints may be authenticated, but their intentions may not be
- Protocol messages may be valid, but how they're used may not be

23 Net-SAFE
Access control & VPN separation; worm/virus & malicious software protection

24 Three goals of Net-SAFE
- Protect the SBC
- Protect the enterprise's infrastructure
- Protect the service
DoS attacks remain the #1 security threat, so the security element must first defend itself!
Diagram: service provider peer, enterprise access, enterprise, contact center
Speaker notes: this slide is an animated build. The goals of Net-SAFE are: protect the session border controller, since it is the first line of defense and if it fails so does the service; protect the service provider's infrastructure, meaning the softswitches, gateways, application servers, gatekeepers, call agents, etc.; protect the service, meaning the SIP or hosted PBX or access or whatever service, end to end.

25 The SD is architected to secure…
- Hardware- and software-based DoS protection: trust and untrust queues with wire-speed packet classification and dynamic trust management integration
- Smart Border DPI: the security gateway fully terminates session traffic for signaling deep packet inspection; passive DPI is unable to function on the ever-growing amount of encrypted/compressed traffic flows
- Real-time IDP: dynamic trust management leverages smart DPI and monitors traffic behavior patterns, making trust level adjustments without administrator intervention; avoids harmful false-positive DoS risks
- Extending trust to the endpoint: IPsec, TLS and SRTP

26 Hardware- and software-based DoS protection

27 Acme Packet multi-processor hardware architecture
Diagram: session control function (security processors, signaling processors) above a media control function (intelligent traffic manager, transcoding & QoS engines, two network processors, two security engines); 5 Gbps paths between the functions, 1 Gbps network interfaces; signaling and media flows
Speaker notes: this slide shows that media (RTP+RTCP) flows through the hardware layer only, while signaling (SIP/MGCP/H.323/etc.) is sent to the signaling processor through one of two paths. It also shows the QoS monitoring engines, which snoop on RTP+RTCP packets to calculate jitter, latency and lost packets in hardware.

28 Acme Packet multi-processor hardware architecture
Enlarged view of the same diagram: session control function (security processors, signaling processors), media control function (intelligent traffic manager, transcoding & QoS engines, network processors, security engines), 5 Gbps internal paths, 1 Gbps interfaces
Speaker notes: this enlarges the view of the queues inside the trusted and untrusted paths.
- The gray path on the right is the untrusted path, where each user goes into one of a thousand queues shared with other untrusted users. In a normal attack situation the signaling processor would detect the attack and dynamically demote the device to denied in the hardware. But even if it does not detect an attack, the untrusted path is serviced by the signaling processor with a fair access mechanism, so an attack by an untrusted device impacts at worst 1/1000th of the overall population of untrusted devices (and even then users sharing that queue have some probability of getting in and being promoted to trusted). There is a separate set of 1000 queues for fragments, with similar behavior.
- The path in the middle is the trusted path, where each trusted device has its own queue. That gives each trusted device its own share of the signaling, and polices its traffic so that it cannot attack (so we trust it, but not completely).
- The path on the left is for traffic leaving the system from the signaling processor, which is trusted and has its own path.
- There are more queues not shown here for control protocols (ICMP, FTP, etc.), if they are enabled. Any protocol not enabled does not even make it past the NPs.

29 DoS logical hardware path
Acme hardware DoS protection
- Perform ACL lookup and packet classification: chooses the trusted, untrusted or denied path
- Denied path: deny CAMs, discard
- Trusted path: the classifier chooses a specific trusted queue; each trusted queue can be set for average policed rates
- Untrusted path: the classifier chooses 1 of 1k hash buckets (1k untrusted queues); the total untrusted pipe can be reserved a minimum amount of bandwidth, and a maximum if more is available
- Queues are drained to the CPU by round robin / weighted round robin with tail drop; the total rate can be configured
Speaker notes: this slide shows the hardware-level piece in a different way. Release 2.0 has 16k trusted and 14k denied ACLs (dynamic and static together). Later releases have up to 32k trusted and 14k denied, but trusted entries use up denied space after the first 16k trusted entries. Later releases also have a configurable number of minimum trusted, maximum denied and minimum media entries, so the 64k total entries can be partitioned as needed. All releases have 1k untrusted queues, and the same source address/port is always tied to the same untrusted queue (together with other untrusted source addresses/ports). In other words, a device always ends up in the same untrusted queue until it is either promoted to trusted and gets its own individual queue, or demoted to denied and goes into no queue at all. Later releases have an additional 1k untrusted queues for fragmented packets.

30 Software DoS policy
A packet must pass the HW DoS policy + ACLs, then the SW DoS policy, before it is admitted; otherwise it is discarded or rejected.
SW DoS decisions on the SD:
1. Check that the local CPU load is below threshold; otherwise reject it
2. Check for legal message format (parse it); otherwise reject the call
3. Check that the previous hop is authorized
4. Check that the message is below the constraints limit
5. Allow
Speaker notes: this slide shows the software DoS policy (or admission control). The SD verifies that its CPU is below the load limit (90% by default), that the packet is well-formed and parseable, that the previous hop is authorized (i.e. whether it is a session agent or registered), and, if it is a session agent, whether that session agent is below its configured max-sessions constraint. If it passes all the tests it is admitted to the next stage. If the message is malformed it is also counted against the invalid-signal-threshold counter; if it is well-formed it is counted against the maximum-signal-threshold counter. If the invalid or maximum counter exceeds the configured threshold within the configured tolerance-window (30 seconds by default), the endpoint is demoted (either from trusted to untrusted, or from untrusted to denied).

31 SBC DoS protection features
Protect the SBC from DoS and other attacks, both malicious and unintentional
- Self-limiting ceiling check (% CPU) with graceful call rejection
- Automatically promotes/demotes device trust level based on behavior
- Enforced maximum aggregate rate for all traffic
- Separate, policed queues for management and control protocols
- Hardware capacity of the NP subsystem is greater than all interfaces combined
- Reverse path forwarding checked for signaling and media
- Hardware-policed queues for control packets (ICMP, ARP, Telnet, etc.), separate from trusted traffic
Speaker notes: this slide shows which features fulfill the first 3 requirements for SBC DoS protection (note the smaller icon on the top right). There are actually more features addressing these requirements than just this slide, as you'll see in the following slides. Some notes on these features, starting bottom left and working clockwise:
- Individual device trust classification: this is actually the dynamic + static ACLs, which identify (classify) trusted devices based on their IP address/port and protocol plus destination IP address/port and protocol. That classification decides which pipe the device's packets go into.
- Per-device policing and enforcement of trusted signaling rates: these are the individual, separately configurable trusted queues inside the trusted pipe. Each queue in the trusted pipe is for a single device sending signaling (not media) traffic to the SBC. The queues are policed/shaped so that a device cannot exceed the configured rates.
- Separate path for trusted traffic: this just points out the separate trusted and untrusted pipes.
- Automatically identifies attackers based on behavior: this is one of the key pieces of the DoS protection; it is the ability of the processor to detect an attacker based on different traits. Today it's based on exceeding a bad-message rate (where a bad message is a parsing error) or on exceeding a signaling message rate (like too many SIP packets in a time period). Both of those rates are configurable. In the future we will add more intelligence, but for now it's a fairly straightforward detection mechanism.
- Dynamic trust binding, dynamic hardware adaptation: this is what I call the feedback loop (it even looks like one, doesn't it?); it's the ability of the signaling processor to feed back to the NP layer the information needed to decide who is trusted, untrusted and malicious. Ultimately that's what makes the whole DoS feature dynamic, very useful, and very cool!
- Separate path for unknown/untrusted traffic: again the separate trusted and untrusted pipes.
- Policing and segmentation of untrusted/unknown traffic: the untrusted pipe has some fairly clever pieces to it, namely numerous internal queues which grow and shrink dynamically based on overall memory usage; each queue represents a group of users; the flows are all given equal/fair access to the signaling processor; and the whole pipe is policed/shaped to configurable limits. What does this mean? It means that not only do we control/enforce unknown traffic, we also provide some fairness and attack isolation within the group of untrusted users. So even if we don't detect an attacker, or it takes us a few seconds to do so, the attack will not harm the SBC and will be isolated to only a fraction of the serviced users. That's critical, because no one can guarantee detection of all attacks, but we'll still keep the service running for most users in such a case.
- Automatic hardware filtering of attacking devices: naturally, once the signaling processor subsystem detects an attacker and updates the hardware, the hardware drops all packets from the malicious source for a configurable time period. That completes the feedback loop for intelligent, self-protecting DoS protection.
Be sure to note this is only the first slide of features for SBC DoS protection; there are 2 more to go.

32 Smart Border DPI

33 Session DPI models
Full protocol termination via security gateway (Segment 1 / Segment 2)
- Breaks the session into two segments for complete control
- Terminates and re-initiates signaling messages & SDP with unique session IDs
- Simplifies traffic anomaly detection
- Able to inspect encrypted and compressed packets
Passive DPI via in-line security appliance (ALG)
- Maintains a single session through the system
- Modifies addresses in signaling messages & SDP as they pass through
- Unable to inspect encrypted and compressed packets

34 SD DPI - the broadest set of protocols on the market
Over 80 known threats involving the following protocols: SIP; H.323 (H.225, H.245); H.248, MGCP, NCS; RTP; TCP, UDP; IP; ICMP, ARP
SD DPI capabilities are coupled with scalable decryption/encryption processing to stand up against the strongest security defenses

35 Real-time IDP

36 Dynamic trust management
- Dynamic trust level binds to hardware classification
- Individual device trust classification
- Provides a fair access opportunity for new and unknown devices
- Multi-queue access fairness for unknown traffic
- Automatically promotes/demotes device trust level based on behavior
- Per-device constraints and authorization

37 Promotion and demotion of users
Promotion to trusted user (SIP) / demotion to untrusted user (SIP)
- Demotion occurs in stages: trusted to untrusted, then untrusted to denied
- Trusted to untrusted when: registration timeout; excessive signaling messages; excessive malformed packets
- Untrusted to denied: uses thresholds different from the trusted-to-untrusted ones
- Example (TP = time period): max-signal-threshold 20, untrusted-signal-threshold 4. A device gets up to 4 messages/TP to become trusted. If a trusted device sends >20 messages/TP it is demoted to untrusted. If it cannot become trusted within 4 messages/TP it is demoted to denied.
Promotion to trusted user (MGCP) follows the same scheme.
Speaker notes
- Demotion occurs in stages, from trusted to untrusted and then from untrusted to denied. The reason is to give trusted devices a second chance, but only a small one.
- Demotes from trusted to untrusted when: registration timeout (an endpoint that either times out its registration or explicitly de-registers is demoted from trusted to untrusted); max-signal-threshold exceeded (the SD receives more SIP/MGCP messages than max-signal-threshold within the tolerance-window; this count includes re-transmissions, which count as unique messages); invalid-signal-threshold exceeded (the SD receives more malformed or unacceptable/unauthorized SIP/MGCP messages than invalid-signal-threshold within the tolerance-window).
- Demotes from untrusted to denied when: untrusted-signal-threshold exceeded (more SIP/MGCP messages than untrusted-signal-threshold within the tolerance-window); invalid-signal-threshold exceeded.
- Example: max-signal-threshold = 20, untrusted-signal-threshold = 4. A new device can send 4 messages in the time period to try to get trusted (e.g. REGISTER and REGISTER with digest). Once registered it can send 20 messages per time period. If it exceeds that it is demoted to untrusted and again has 4 chances for another time period; if it does not succeed within 4 messages in that period it is denied.
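The software DoS policy (CPU ceiling, parse check, threshold counters over the tolerance-window) and the staged promotion/demotion rules above, plus the hardware classification into a per-device trusted queue or one of 1k shared untrusted queues from the hardware-path slide, modelled as one state machine. This is an added example, not Acme Packet code: the SHA-256 bucket hash, the 60-second deny timer, the invalid-signal-threshold value of 5 and the sample addresses are assumptions; the 20/4 thresholds and the 30-second window are the slides' own values.

```python
"""Dynamic trust management for a SIP border (added example, not Acme Packet
code): a device starts untrusted, is promoted when it registers, is demoted
in stages (trusted -> untrusted -> denied) when it exceeds per-tolerance-
window message thresholds, and untrusted sources share 1 of 1k hash queues."""
import hashlib
from collections import deque
from dataclasses import dataclass, field

TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"
UNTRUSTED_QUEUES = 1000          # 1k untrusted hash buckets
CPU_REJECT_LOAD = 0.90           # graceful rejection at >= 90 % host CPU


@dataclass
class Policy:
    max_signal_threshold: int = 20        # trusted -> untrusted if exceeded
    untrusted_signal_threshold: int = 4   # untrusted -> denied if exceeded
    invalid_signal_threshold: int = 5     # malformed messages (assumed value)
    tolerance_window: float = 30.0        # seconds (slide default)
    deny_period: float = 60.0             # seconds in hardware deny (assumed)


@dataclass
class Endpoint:
    level: str = UNTRUSTED
    valid: deque = field(default_factory=deque)    # well-formed msg timestamps
    invalid: deque = field(default_factory=deque)  # malformed msg timestamps
    denied_until: float = 0.0


def untrusted_queue(addr, port):
    """Same source address/port always lands in the same untrusted queue
    (hash assumed; the real classifier is hardware)."""
    digest = hashlib.sha256(f"{addr}:{port}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % UNTRUSTED_QUEUES


class TrustManager:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.endpoints = {}              # (addr, port) -> Endpoint

    def _ep(self, key):
        return self.endpoints.setdefault(key, Endpoint())

    def classify(self, key, now):
        """Hardware-path decision: (path, queue) for a packet from key."""
        ep = self._ep(key)
        if ep.level == DENIED:
            if now < ep.denied_until:
                return DENIED, None
            ep.level = UNTRUSTED         # deny timer expired: try again
        if ep.level == TRUSTED:
            return TRUSTED, key          # own per-device policed queue
        return UNTRUSTED, untrusted_queue(*key)

    def on_message(self, key, now, well_formed=True, registered=None, cpu_load=0.0):
        """Software DoS policy plus promotion/demotion.  registered=True marks
        a successful REGISTER, False a registration timeout or de-REGISTER.
        Returns 'drop' (hardware discard), 'reject' or 'accept'."""
        path, _ = self.classify(key, now)
        if path == DENIED:
            return "drop"
        if cpu_load >= CPU_REJECT_LOAD:
            return "reject"              # self-protection first, no demotion
        ep, p = self._ep(key), self.policy
        for q in (ep.valid, ep.invalid):  # sliding tolerance window
            while q and now - q[0] > p.tolerance_window:
                q.popleft()
        (ep.valid if well_formed else ep.invalid).append(now)
        too_many_invalid = len(ep.invalid) > p.invalid_signal_threshold
        if ep.level == TRUSTED:
            if registered is False:      # lost registration: second chance
                self._demote(ep, UNTRUSTED, now)
                return "accept"
            if len(ep.valid) > p.max_signal_threshold or too_many_invalid:
                self._demote(ep, UNTRUSTED, now)
                return "reject"
        else:
            if len(ep.valid) > p.untrusted_signal_threshold or too_many_invalid:
                self._demote(ep, DENIED, now)
                return "drop"
            if registered is True and well_formed:
                ep.level = TRUSTED       # promotion resets the counters
                ep.valid.clear()
                ep.invalid.clear()
        return "accept" if well_formed else "reject"

    def _demote(self, ep, level, now):
        ep.level = level
        ep.valid.clear()
        ep.invalid.clear()
        if level == DENIED:
            ep.denied_until = now + self.policy.deny_period

    def level(self, key):
        return self._ep(key).level
```

Two details matter operationally: re-transmissions count toward max-signal-threshold (as the notes say), so a trusted phone behind a lossy link can talk itself down to untrusted; and the CPU ceiling check happens before any counting, so an overloaded SD rejects without demoting the sender.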

38 Extending trust to the endpoint

39 TLS (Transport Layer Security)
Required elements
- SD populated with Signaling Security Module (SSM) + 2 GB memory
- TLS user agent (UA) on the endpoint
- TLS server on the SD
- Trusted certificate authority
TLS handshake between the TLS UA and the TLS server, using either single-sided (server) authentication or mutual authentication
- SIP signaling only after successful TLS setup
- Mix of encrypted / unencrypted signaling
- TCP / UDP / TLS interworking
Diagram: TLS on the access leg; TLS or plain SIP intra-network and inter-network

40 TLS DoS protection
DoS protection for TLS (C4.1.1 / D6.0)
- Benefit: prevents encryption starvation attacks
- Problems overcome: too many TLS connections to an endpoint; too many TLS connections to a SIP interface; too many quiet TLS connections
- Application: SIP-TLS access
- How it works: if a response to a SIP transaction is not received within a configurable period of time, the TLS connection is torn down
Diagram: TLS sessions guarded by a timer

41 IPsec (IP Security)
Manual keying: the same key at both ends of the IPsec tunnel, entered manually
Selective encryption (between two SDs)
- All traffic (for peering)
- Signaling only (Ia interface between SC and BG)
Selective encryption (SD to UE)
- Signaling only (Gm interface)
- Signaling and media
Two modes of operation: tunnel (entire IP packet) or transport (payload only); AH (anti-tampering) or ESP (encryption + anti-tampering)
- Encryption ciphers: DES, 3DES-CBC, AES-CBC (128-bit and 256-bit), or NULL cipher
- Data integrity hashes: HMAC-MD5 or HMAC-SHA1
(DES and HMAC-MD5 are listed for interoperability with older peers; prefer AES-CBC with HMAC-SHA1 wherever the peer supports it.)
Diagram: IPsec on the access leg; IPsec or plain SIP intra-network and inter-network

42 SRTP (Secure Real-Time Transport Protocol )
SRTP key derivation: 12 different options, including
- SDES (Session Description Protocol Security Descriptions) – RFC; many customers are asking for this
- MIKEY (Multimedia Internet KEYing); we probably won't do this
Using SDES
- Secure signaling (IPsec or TLS)
- Key exchanged in SDP (privacy provided by IPsec or TLS)
Diagram: SRTP on the access leg and between networks, with TLS-protected SIP signaling
Availability: NN9200 1H/08, NN4250 2H/08
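The SDES exchange above carries the SRTP master key inside the SDP body, which is why the slide pairs it with TLS or IPsec on the signaling leg. The following is an added example, not Acme Packet code: it builds and parses the RFC 4568 a=crypto attribute, checks that the base64 key||salt has the length the suite requires, and picks an answer line for an offer. Only the two AES_CM_128 suites are tabled and the sample values are constructed.

```python
"""Build, parse and answer the SDP a=crypto attribute used by SDES (RFC 4568)
to carry an SRTP master key (added example, not Acme Packet code)."""
import base64
import os
import re

# suite -> (master key length, master salt length) in bytes.  For AES_CM_128
# suites key||salt is 30 bytes, i.e. exactly 40 base64 characters, no padding.
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}
_LINE = re.compile(r"^a=crypto:(\d+) (\S+) inline:(\S+)(?: (.*))?$")


def make_crypto_line(tag, suite, key=None, salt=None):
    """Return (line, key, salt); fresh random key material unless supplied."""
    klen, slen = SUITES[suite]
    key = key if key is not None else os.urandom(klen)
    salt = salt if salt is not None else os.urandom(slen)
    if len(key) != klen or len(salt) != slen:
        raise ValueError("key/salt length does not match suite")
    ks = base64.b64encode(key + salt).decode()
    return f"a=crypto:{tag} {suite} inline:{ks}", key, salt


def parse_crypto_line(line):
    """Parse one a=crypto line; raises ValueError on anything malformed."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not an a=crypto attribute")
    tag, suite, key_params, session_params = m.groups()
    if suite not in SUITES:
        raise ValueError(f"unsupported crypto suite {suite}")
    klen, slen = SUITES[suite]
    parts = key_params.split("|")          # key||salt[|lifetime][|MKI:length]
    ks = parts[0]
    raw = base64.b64decode(ks + "=" * (-len(ks) % 4), validate=True)
    if len(raw) != klen + slen:
        raise ValueError("key||salt length mismatch for suite")
    out = {"tag": int(tag), "suite": suite, "key": raw[:klen], "salt": raw[klen:],
           "lifetime": None, "mki": None, "session_params": session_params}
    for p in parts[1:]:
        if ":" in p:
            out["mki"] = p
        else:
            out["lifetime"] = p
    return out


def choose_answer(offer_lines):
    """Offer/answer: take the first offered line we can parse and support,
    echo its tag and suite, and attach our own key for the reverse direction.
    Returns (parsed_offer, answer_line) or (None, None) if nothing fits."""
    for line in offer_lines:
        try:
            offered = parse_crypto_line(line)
        except ValueError:
            continue
        answer, _key, _salt = make_crypto_line(offered["tag"], offered["suite"])
        return offered, answer
    return None, None
```

Anyone who can read the signaling leg can read both inline: values and decrypt the call, so the "secure signaling" bullet above is a precondition, not an option, when SDES is used.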

43 Net-Net EMS

44 Net-Net EMS
- Configuration: configure, provision, upgrade, inventory; multiple networks, multiple systems
- Fault: manage and filter events, alarms and logs
- Performance: monitor performance
- Security: control EMS, system and function access by user or administrator group; per-user audit trail
- EMS management: EMS configuration & management (backup, upgrade, licensing, etc.)

45 Net-Net management
Net-Net 4250/9200 management interfaces and protocols
- Fault: SNMPv2 (current), SNMPv3 (future), TL-1 (future)
- Configuration: XML (current), CORBA (future)
- Accounting: RADIUS CDRs
- Performance: SNMPv2 (current), SNMPv3 (future), XML (future)
- Security: RADIUS server (AAA), IPsec (future)
- Protocols: TMF814 (the same as CORBA, future); SNMPv2 (current), SNMPv3 (future)

46 Why Acme Packet in the enterprise?
- Full enterprise adoption of end-to-end real-time IP communications in the call and data center
- Proven interoperability with service providers
- Mediation of IP address spaces, codecs, signaling, transport and encryption protocols
- Scale for centralized, and solutions for decentralized, architectures
- Border trust and security
- Revenue, cost and quality assurance
- Regulatory and business compliance
Acme Packet brings financial strength and market-leading experience, partners, support and technology to the enterprise market.
