Published by Ashton Glass
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

Slide 1: NG security: What is a BCF
Slide 2: Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Slide 3: Topics
- What are the features/functions of a BCF?
- What does it mean to provide a highly available BCF?
- How should the BCF handle overload?
- What could DDoS and TDoS do to the ESInet?
- Where does NENA place the BCF in the i3 architecture?
- Interoperability: isn't SIP a standard?
Slide 4: Abstract
The BCF (Border Control Function) is an important functional element of the NENA i3 Solution architecture because it provides the first line of defense against deliberate attacks and organic events on the Emergency Services Internet (ESInet). It is expected that Public Safety Answering Points (PSAPs) will provide a BCF between their internal networks and the ESInet. The BCF is intended to provide secure entry into the ESInet for ingress emergency calls. This Functional Element ensures the smooth processing of emergency calls/sessions, including signaling protocol normalization and interworking, codec negotiation, support for QoS/priority markings, media proxy, and more. As such, there are some baseline, minimum features and functions that are required to effectively ensure the smooth, secure operation of NG9-1-1 networks.
Slide 5: Background
- National Emergency Number Association (NENA): sets standards for emergency calls in North America
- Next Generation 911 (NG911) project: complete overhaul of the current 911 system
  - Initial version of the technical standards known as i3
Slide 6: What is NG 9-1-1?
- IP-based replacement for E911 features & functions
  - Supporting all sources of emergency access to appropriate public safety agencies
  - Operating on managed, multipurpose IP-based session delivery networks
  - Providing expanded multimedia data capabilities for PSAPs and other emergency communications entities
Slide 7: IP-based services are easy targets
- IP networks are inherently insecure
  - Developed without security in mind
- Organizations rely on IP networks
  - Multimodal communications are difficult to control (BYOD)
- Confidential information is freely exchanged by users that don't understand how it is transmitted
Slide 8: What are the risks/vulnerabilities?
- Toll fraud, fuzzing, message floods, session hijacking, eavesdropping, MITM call modification, media injection
- Buffer overflows, malware, D/DoS, bugs, configuration issues
- Resource exhaustion, account manipulation, service poisoning
- UDP/TCP floods, ICMP vectors, fuzzing, D/DoS
- Physical access compromise, reboot
- Weak passwords, abuse of services, oversharing, pretexting
Slide 9: Threat landscape
Slide 10: Denial of Service
- Many platforms don't perform well in flooding scenarios
- They either have a flawed architecture, or all attacks are presented to the CPU, reducing the resources available for the system/applications (e.g., SIP)
- In our experience and field validation, a simple TCP SYN attack or INVITE flood is enough to take down many devices
  hping3 -S --rand-source --flood -p 5060
  inviteflood eth0
- Reduced-feature "good enough" SBCs work great …until you are under attack!
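The slide's point is that a flood must be stopped at the edge, before every packet is handed to the SIP stack and the CPU behind it. The block below is an added example, not code from the Oracle deck or from any SBC product: it models the per-source rate accounting an SBC/BCF applies to INVITEs, with a larger allowance for trusted peers (such as a carrier trunk) and a deny list for sources that exceed their limit. The log format, addresses, trust list and thresholds are all constructed for the example.

```python
"""Per-source SIP INVITE flood detection over a sliding window.

Added example, not code from the Oracle deck: models the per-endpoint rate
accounting an SBC/BCF does at the edge so that a flood from one source is
dropped before it reaches the SIP stack (and the CPU) behind it. The log
format, addresses, trust list and thresholds are all constructed.
"""
import re
from collections import defaultdict, deque

# Constructed log format: "<epoch seconds> <source ip> <SIP method>"
LOG_LINE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+) (?P<method>[A-Z]+)$")


class InviteFloodDetector:
    """Sliding-window INVITE counter with a per-trust-tier limit."""

    def __init__(self, window_s=1.0, untrusted_limit=5, trusted_limit=200, trusted=()):
        self.window_s = window_s
        self.untrusted_limit = untrusted_limit
        self.trusted_limit = trusted_limit          # known peers (e.g. a carrier trunk) get more headroom
        self.trusted = set(trusted)
        self._events = defaultdict(deque)           # src -> INVITE timestamps inside the window
        self.denied = set()                         # sources demoted to the deny list

    def _limit(self, src):
        return self.trusted_limit if src in self.trusted else self.untrusted_limit

    def observe(self, ts, src, method):
        """Return 'allow' or 'deny' for one signaling message from src at time ts."""
        if src in self.denied:
            return "deny"                           # everything from a denied source is dropped
        if method != "INVITE":
            return "allow"                          # only call setups count against the limit
        q = self._events[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:      # expire timestamps older than the window
            q.popleft()
        if len(q) > self._limit(src):
            self.denied.add(src)
            return "deny"
        return "allow"


def process_log(lines, detector):
    """Feed log lines through the detector; return per-source allow/deny counts."""
    verdicts = defaultdict(lambda: {"allow": 0, "deny": 0})
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                                # skip malformed lines instead of crashing
        verdict = detector.observe(float(m["ts"]), m["src"], m["method"])
        verdicts[m["src"]][verdict] += 1
    return dict(verdicts)


# Constructed traffic: one untrusted burst, one normal caller, one busy trusted peer.
SAMPLE_LOG = sorted(
    [f"{100 + i * 0.05:.2f} 198.51.100.7 INVITE" for i in range(8)]
    + [f"{100 + i * 0.30:.2f} 203.0.113.5 INVITE" for i in range(3)]
    + [f"{100 + i * 0.02:.2f} 192.0.2.10 INVITE" for i in range(50)]
    + ["100.90 198.51.100.7 OPTIONS"],
    key=lambda line: float(line.split()[0]),
)


def run_sample():
    """Run the constructed traffic; returns (per-source counts, denied sources)."""
    detector = InviteFloodDetector(trusted=["192.0.2.10"])
    return process_log(SAMPLE_LOG, detector), detector.denied


if __name__ == "__main__":
    counts, denied = run_sample()
    for src, c in counts.items():
        print(f"{src:14} allow={c['allow']:3} deny={c['deny']:3}")
    print("denied:", sorted(denied))
```

With the constructed input, the untrusted burst source is allowed its first five INVITEs and denied from the sixth onward (its later OPTIONS is dropped too, because the deny decision applies to the source, not to one method), the normal caller is untouched, and the trusted peer's fifty INVITEs in one second stay under its higher limit. The design point is that the check is cheap per packet and happens before any SIP parsing, which is what keeps the CPU available for legitimate sessions under load.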
Slide 11: Wasn't TDM safer?
- Eavesdropping, media injection, and caller impersonation are as easy as hooking up a lineman's test set or butt set to wire pairs.
- Toll fraud can be as easy as an open auth code on your PBX or dial-out of voicemail
- Physical attacks are always great for DoS, regardless of technology
Slide 12: What to do? Border Control Function (BCF)
- Sits between external networks and the ESInet, and between the ESInet and agency networks
  - All traffic from external networks transits a BCF
  - Acts as a demarc
- Comprises several distinct elements pertaining to network edge control and SIP message handling
- Border Firewall
  - Access control
  - Protect from attacks
- Session Border Control
  - Prevention
  - Detection
  - Reaction
Slide 13: BCF: features
- Border firewall
- Session border control
  - Signaling B2BUA
  - Media anchoring
- Denial of service
  - Detection/protection
- Topology hiding
- Signaling normalization
- NAPT traversal
- IPv4/v6 interworking
- Admission control
- Encryption anchoring
Slide 14: SBC – Session Border Controller
- Already protecting live global real-time IP networks
- Functional element of BCF
  - DoS/DDoS protection, overload, resource admission control
  - SIP normalization/interoperability
  - Resolving NAT issues
  - Opening/closing pinholes
  - B2BUA/topology hiding
  - IPv4-IPv6 interworking
  - VPN bridging
  - Transport and encryption
  - QoS marking, priority, reporting
  - Call detail records
  - Transcoding
  - Much, much more
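Slides 13 and 14 list "signaling B2BUA", "topology hiding" and "media anchoring" as features without showing what they do to a message. The block below is an added example, not code from the Oracle deck or from any vendor's SBC: it takes a constructed INVITE leaving a private agency network and emits it the way a B2BUA would on its external leg, dropping the internal Via and Record-Route hop list, pointing Contact back at the BCF, regenerating the dialog identifier, and rewriting the SDP so the far side's RTP terminates on the BCF's media relay rather than on the internal phone. The addresses, relay port and private-range check are constructed, and the handling is intentionally minimal (a real B2BUA keeps per-leg dialog state, re-tags From/To and maintains the Route set for in-dialog requests).

```python
"""Topology hiding and media anchoring at a SIP B2BUA edge.

Added example, not code from the Oracle deck: shows what an SBC/BCF does to an
INVITE leaving a private agency network so that internal hop and host addresses
in Via, Record-Route, Contact and the SDP o=/c=/m= lines never reach the far
side. The message, addresses and relay port are constructed, and the handling
is deliberately minimal (a real B2BUA keeps per-leg dialog state, re-tags
From/To, and maintains the Route set for in-dialog requests).
"""
import re
import uuid

CRLF = "\r\n"
SBC_SIGNALING = "203.0.113.10:5060"   # constructed external signaling address of the BCF
SBC_MEDIA_IP = "203.0.113.11"         # constructed external media relay address
HIDDEN_HEADERS = {"via", "record-route", "route"}   # internal hop list never leaves the edge
INTERNAL_NET = re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")   # constructed private range


def parse_sip(raw):
    """Split a SIP request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_sip(request_line, headers, body):
    return CRLF.join([request_line] + [f"{n}: {v}" for n, v in headers]) + CRLF + CRLF + body


def anchor_media(body, media_ip, media_port):
    """Rewrite SDP so the far side exchanges RTP with the BCF, not the internal phone."""
    out = []
    for line in body.split(CRLF):
        if line.startswith("o="):
            parts = line.split(" ")
            parts[-1] = media_ip          # originator address
            line = " ".join(parts)
        elif line.startswith("c=IN IP4 "):
            line = f"c=IN IP4 {media_ip}"  # connection address
        elif line.startswith("m=audio "):
            parts = line.split(" ")
            parts[1] = str(media_port)    # port allocated on the relay for this call
            line = " ".join(parts)
        out.append(line)
    return CRLF.join(out)


def hide_topology(raw, media_port=20000):
    """Return the INVITE as the B2BUA would emit it on its external leg."""
    request_line, headers, body = parse_sip(raw)
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in HIDDEN_HEADERS or lname == "content-length":
            continue                      # dropped; Via and Content-Length are regenerated below
        if lname == "contact":
            user = value.split("sip:", 1)[1].split("@", 1)[0]
            value = f"<sip:{user}@{SBC_SIGNALING}>"   # far side must come back through the BCF
        elif lname == "call-id":
            value = f"{uuid.uuid4().hex}@{SBC_SIGNALING.split(':')[0]}"  # new dialog on the outer leg
        kept.append((name, value))
    body = anchor_media(body, SBC_MEDIA_IP, media_port)
    kept.insert(0, ("Via", f"SIP/2.0/UDP {SBC_SIGNALING};branch=z9hG4bK{uuid.uuid4().hex[:16]}"))
    kept.append(("Content-Length", str(len(body.encode()))))
    return serialize_sip(request_line, kept, body)


def internal_addresses(msg):
    """Check helper: every private-range address still visible in a message."""
    return set(INTERNAL_NET.findall(msg))


# Constructed INVITE from an agency phone (10.0.0.5) via an internal proxy (10.0.0.1).
SAMPLE_INVITE = CRLF.join([
    "INVITE sip:911@esinet.example SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK-proxy1",
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
    "Record-Route: <sip:10.0.0.1;lr>",
    "From: <sip:alice@agency.example>;tag=1928301774",
    "To: <sip:911@esinet.example>",
    "Call-ID: a84b4c76e66710@10.0.0.5",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@10.0.0.5:5060>",
    "Content-Type: application/sdp",
    "Content-Length: 94",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5",
    "c=IN IP4 10.0.0.5",
    "m=audio 49170 RTP/AVP 0",
])

if __name__ == "__main__":
    print("before:", sorted(internal_addresses(SAMPLE_INVITE)))
    outer = hide_topology(SAMPLE_INVITE)
    print("after: ", sorted(internal_addresses(outer)))
    print(outer)
```

The `internal_addresses` check is the useful part for an operator: run it against what actually leaves the external interface, and any private address in the result is a leak that the topology-hiding configuration has missed. Note that the same rewrite is what makes NAT traversal and pinhole management possible, since the BCF now owns every address and port the far side will ever use.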
Slide 15: Additional features of BCF/SBC
- Routing and session management
  - Time-of-day, day-of-week
  - Cost, carrier
  - QoS
  - External policy
- Normalization
  - User-configurable
- Codec management
  - Stripping, reordering
- QoS marking
- Reporting
Slide 16: High availability – vendor dependent
- May be limited to media only and not call control or configuration
  - What good is a call that can't be put on hold, hung up or transferred?
  - What's the use if post-failover route treatment may be different?
- In many cases it takes several seconds to fail over all sessions
  - Which leads to users hanging up
- May use a network carrying traffic for state replication vs. dedicated links
  - Leading to loss in peak periods
- Loses CDR info for established calls
- First class HA:
  - Hitless failover
  - Media, session, configuration sync
  - Retention of critical call data
  - Dedicated, redundant HA comm links
Slide 17: Placement of BCF in i3, per NENA
The leader in session border control for trusted, first class interactive communications.