For trusted, first class interactive communications.

1 for trusted, first class interactive communications

2 Acme Packet Confidential 2 Securing enterprise VoIP
Firewall pinholes/ACLs are not enough
– Open signaling ACL
– Full range of RTP ports open
Data IDS is not sufficient for SIP and H.323
– Not inline with signaling and media
– Relies on triggers from other network elements that have no call awareness
Session Border Controllers ARE VoIP security
– Track record of 5+ years of securing next-gen VoIP networks
– Inline for signaling and media
– Call state: cleans up transactions and dialogs
– Verifies valid users/devices
– Hardware-based policing/filtering is most effective against DoS/DDoS attacks
– Protection against malicious software attacks
– Fraud prevention

3 Solution: enterprise SIP peering
Enterprise Migration
– Eliminate access charges per site
– Fully converge voice/data over MPLS VPN
– Data center PBX model (centralization) drives SIP peering capacity
Security
– Hardware-based signaling overload policing
– Full topology hiding (NAT) of signaling and media
– Session-based RTP pin-holing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPsec, TLS, SRTP
Signaling
– SIP header manipulation for vendor interop
– CAC: bandwidth- and session-based
– Routing: local and ENUM
– Load balancing, failure-based re-route
(Diagram: outbound to carriers; inbound to users/PBX; IP access to PSTN, hosted services, IP extranet and other IP subscribers via the service provider; enterprise site on MPLS VPN or private network with H.323 or SIP PBX and SIP endpoints/server; regional PBX)

4 Solution: enterprise SIP station side
Enterprise Migration
– Virtualizes the office and contact center
– Remote worker / traveling worker; small sites without MPLS connectivity
Security
– Hardware-based signaling overload policing per user
– Full topology hiding (NAT) of signaling and media
– Session-based RTP pin-holing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPsec, TLS, SRTP
– Registration overload protection
– SIP registration-based ACLs: only INVITEs from registered users pass
Signaling
– SIP header manipulation for vendor interop
– CAC: bandwidth- and session-based
– Per-user CAC
– SBC virtualization allows access and peering on the same SBC
(Diagram: teleworkers behind NAT reach the SBC over the Internet; enterprise site on MPLS VPN or private network with H.323 or SIP PBX and SIP endpoints/server; regional data center PBX; service provider)

5 Solution: IP contact centers
Enterprise Migration
– Reduces transfer and connect costs
– Increases visibility for transferred calls
– Ties in teleworkers to virtualize the contact center
Security
– Hardware-based signaling overload policing per user
– Full topology hiding (NAT) of signaling and media
– Session-based RTP pin-holing (rogue protection)
– IP PBX/endpoint DoS prevention
– IPsec, TLS, SRTP
– Registration overload protection
– SIP registration-based ACLs: only INVITEs from registered users pass
Signaling
– SIP header manipulation for vendor interop
– Routing / failure re-routing
– CAC: bandwidth- and session-based
– SBC virtualization allows access and peering on the same SBC
– Packet replication to call recording devices
(Diagram: customers reach the contact center over MPLS and the Internet; managed SIP/H.323 with codec X on the carrier side, SIP/G.711 inside the contact center; agents CSR1 to CSR5 across Site A and Site B)

6 Acme Packet market-leading Net-Net product family
– Net-Net 4000
– Net-Net 4000 PAC
– Net-Net 9000
– Net-Net EMS
Common Net-Net OS: multi-protocol, security, service reach, SLA assurance, revenue & profit protection, regulatory compliance, management, high availability; integrated & decomposed SBC configurations

7 Acme Packet Net-Net platform performance & capacity

| | Net-Net 4000 series | Net-Net 9000 series | Net-Net 4000 series PAC |
| SD signaling performance | 1200 SIP mps, 85 SIP calls/sec | 9600 mps, 680 SIP calls/sec | SIP mps, 150 – 570 SIP calls/sec |
| SR signaling performance | Up to 500 calls/sec | N/A | TBD |
| Media sessions * | 32K – 128K | 256K – 1 million | 32K – 128K |
| Transcoded sessions | NA | | 0 – 16,000 |
| Network interfaces (active) | (2 or 4) 1000 Mbps or (8) 10/100 Mbps | (32) 1000 Mbps | (8 or 16) 1000 Mbps |
| High availability | Inter-system | 1x1 or Nx1 | Intra-system |
| Package size/slots | 1U / 2 slots | 10U or 18U | 7U / 13 slots |

* Actual achievable session capacity is based on signaling performance

8 Net-Net OS architecture
(Architecture diagram; functional blocks as labelled:)
– Session Control Subsystem and Network Processor Subsystem
– Signaling Services: SIP, H.323, IWF, SIP B2BUA, H.323 B2B GK/GW, H.248, MGCP/NCS
– Security Front End: Access Control, Denial of Service Protection, Encryption Engine
– Traffic Management: Signaling Flow Policing
– DNS/ENUM
– Routing, Policy & Accounting: Number Manipulation, Session Routing, Admission Control, Route Policy, Load Balancing, Traffic Controls, Accounting & QoS Reporting
– Resource and Bandwidth Control: Bandwidth Policy Enforcement, Bearer Resource Management
– NAT Relay / Media Control: Dynamic Access Control, Dynamic NAPT Relay, HNT / RTP Latching, Media Supervision Timers, Transcoding, Bandwidth Policing, QoS Measurements, QoS Marking, Lawful Intercept (CCC), DTMF Extraction, QoS Stats, NAT ALG, DNS ALG
– Management & Configuration: CLI, XML, RADIUS, SNMP, SYSLOG, HTTP, TFTP, Redundancy Management, Configuration Repository

9 SIP protocol repair and normalization
– SIP header and parameter manipulation per realm and session agent: stripping, insertion, modification
– Configurable SIP status code mapping per session agent
– Inbound/outbound number manipulation rules per realm and session agent
– Configurable SIP timers and counters per realm
– Configurable Q.850-to-SIP status mapping
– Configurable TCP/UDP transport per realm
– Configurable option tag handling per realm
– Configurable FQDN-IP / IP-FQDN mapping
– SIP Route header stripping
– Malformed signaling packet filtering
– Many SIP options for vendor and version inter-working
– E.164 number normalization

10 Acme Packet hosted NAT traversal
Basic operation
– SIP client sends REGISTER to the Net-Net SD's address; the SD forwards it to the registrar
– Net-Net auto-detects NATed clients
– In the OK response, the SD instructs the SIP client to refresh its registration periodically to keep the NAT binding open
– Net-Net SD provides the client with SDP pointing at the media relay
– Media relay latches on the first RTP packet; all packets are then relayed to the destination client
(Diagram: Client behind Firewall/NAT; signaling to the Net-Net SD B2BUA, media to the SD media relay; far-end Client)
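The latching step described above, as an added example that is not Acme Packet code: the SD offers a relay address in SDP, binds the flow to the public source address of the first RTP packet on that port, and then forwards only between the two latched peers, discarding anything else (the slide's "session-based pin-holing"). All addresses and packets are constructed.

```python
"""Added example (not Acme Packet code): a minimal model of the hosted NAT
traversal media relay on this slide. The SD offers the client a relay
address in SDP, latches the flow to the public source address of the
FIRST RTP packet seen on that relay port, and afterwards forwards only
between the two latched peers. Addresses and packets are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class MediaRelaySession:
    """One relayed RTP flow: side A is the NATed client, side B the far end."""
    relay_a: Addr                         # relay address the SD put in the SDP sent to A
    relay_b: Addr                         # relay address the SD put in the SDP sent to B
    sdp_a: Addr                           # address A claimed in its own SDP (private, pre-NAT)
    latched_a: Optional[Addr] = None      # learned from the first packet on relay_a
    latched_b: Optional[Addr] = None
    dropped: List[Tuple[str, Addr]] = field(default_factory=list)

    def receive(self, on_port: Addr, src: Addr, payload: bytes) -> Optional[Tuple[Addr, bytes]]:
        """Handle one inbound RTP packet; return (destination, payload) to
        forward, or None when the packet is discarded."""
        if on_port == self.relay_a:
            mine, other, side = "latched_a", "latched_b", "a"
        elif on_port == self.relay_b:
            mine, other, side = "latched_b", "latched_a", "b"
        else:
            self.dropped.append(("unknown-port", src))
            return None
        if getattr(self, mine) is None:
            setattr(self, mine, src)          # latch once; sdp_a is never trusted behind NAT
        elif getattr(self, mine) != src:
            # Session-based pinhole: a second source on a latched port is rogue media.
            self.dropped.append((f"rogue-on-{side}", src))
            return None
        peer = getattr(self, other)
        if peer is None:
            self.dropped.append(("peer-not-latched", src))
            return None
        return (peer, payload)


def demo() -> dict:
    """Constructed packet sequence: A's SDP claims 10.0.0.5:5004 but its RTP
    arrives from the NAT's public address 203.0.113.7:40001 (RFC 5737 ranges)."""
    s = MediaRelaySession(relay_a=("198.51.100.1", 20000), relay_b=("198.51.100.1", 20002),
                          sdp_a=("10.0.0.5", 5004))
    fwd = [
        s.receive(("198.51.100.1", 20000), ("203.0.113.7", 40001), b"rtp-a1"),  # latches A; B unknown
        s.receive(("198.51.100.1", 20002), ("192.0.2.20", 6000), b"rtp-b1"),    # latches B; goes to A's public addr
        s.receive(("198.51.100.1", 20000), ("203.0.113.7", 40001), b"rtp-a2"),  # relayed to B
        s.receive(("198.51.100.1", 20000), ("203.0.113.99", 1234), b"inject"),  # rogue source, dropped
    ]
    return {"latched_a": s.latched_a, "forwarded": fwd, "dropped": s.dropped}
```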

11 Business continuity / redundancy
Redundant Net-Net product configurations offer non-stop performance
– Supports new calls with no loss of active sessions (media and signaling), including capabilities (protocol dependent)
– Preserves CDRs on failover
– 1:1 active/standby architecture
– Shared virtual IP/MAC addresses
– Failover on node failure, network failure, poor health or manual intervention
– 40 ms failover time
– Checkpointing of configuration, media & signaling state
– Software option: requires no additional hardware
– Find the SD through DNS round-robin or a configured proxy
(Diagram: Active and Standby SDs; on failure of the Active, all sessions stay up and the Standby processes new calls immediately)

12 Service virtualization
(Diagram: one Net-Net Session Director on a multi-service backbone serving business services, SOHO and interconnect services)

13 Realms and realm groups
(Diagram:)
– Realm resources: signaling service, media resources, number translation tables, virtual IP
– Realm policies: signaling access control & DoS, packet marking policy, media release policy, realm bandwidth CAC policy
– Realm group: session routing and interworking

14 SIP-H.323 interworking
Enterprise SIP & H.323 interworking
– Supports all popular H.323 IP PBX vendors: Cisco, Avaya, Nortel etc.
– Maximizes investments made in legacy IP PBX
– Reduces termination costs, as high-capacity SP trunking is SIP
PBX & SIP-based services integration
– Transport services: 1+ dialing
– SIP Centrex-PBX integration with unified dial plan management
– Supports Cisco CM & other H.323 PBXs; H.323 gateway to TDM PBX
Voice ASP (calling card, directory, etc.)
– Enables connections with SIP & H.323 service providers
(Diagram: enterprise core with H.323 or SIP IP PBX and legacy PBX with GW; SD connects to PSTN origination & termination, Voice ASP (SIP) and data center IP services)

15 SD routing overview
Acme Packet's Session Director has several types of routing mechanisms
– Local policies: extremely flexible; based on previous-hop, previous-realm, Request-URI, From, cost, time/day, media type, etc.
– ENUM: actually a subset of local policies, so it has that flexibility too
– Trunk-group-URI selection of next-hop or group of next-hops, per IETF draft-ietf-iptel-trunk-group and some proprietary TGIDs
– Request-URI matching of cached registered endpoints, for requests from the core to dynamic subscribers
– Request-URI hostname resolution
– Route-header routing per RFC 3261
– Static 1:1 mapping, for simple cases needing only security and protocol repair

16 Local-Route-Table – technical details
Sub-features
– Supports 200k+ routes
– Supports multiple, distinct local-route-tables
– Whether and which local-route-table to use is decided by the result of local policies, so hybrid routing configs are possible
– Supports regular expression results, similar to ENUM results
– Used to replace the Request-URI with a new value based on a regex
– Route tables are in XML format, gzipped
– Provides support for rn/cic-specific lookups and user-defined prefix lengths
Useful for peering applications:
– Can choose which peer to send calls to based on it
– Can choose which core softswitch/gateway to send inbound calls to
Supports both proxy and B2BUA modes

17 Traffic load balancing
Load balance multiple SIP/H.323 softswitches, application servers or gateways
Load balancing options
– Hunt
– Round robin
– Least busy
– Lowest sustained rate
– Proportional
Detect & route around element failures
Session Agent stats for H.323 & SIP destinations
Common Session Agent constraints
– Max sessions
– Max outbound sessions
– Max burst rate
– Max sustained rate
– Session Agent unavailable or unresponsive

18 Session admission control
Realm based – access networks or transit links
– Realm and realm group bandwidth constraints
Session Agent based – call controllers or app servers
– Session Agent constraints (capacity, rate, availability, etc.)
– Softswitch, etc.: signaling rate limiting or call gapping
Per-user CAC
– Based on AOR or IP address
Address based
– Code gapping constraints based on destination address/phone number
Policy Server based
– TISPAN RACS and PacketCable Multimedia Policy Server interface
Overload protection
– Signaling: the session border controller rejects sessions gracefully when the host processor is at >= 90% load (default); the threshold is configurable

19 Net-Net Session Director lawful intercept for hosted communications
– Legal intercept independent of the softswitch for both IP-PSTN and IP-IP calls
– Supports SIP, MGCP and H.323
– Call content: media flows replicated and forwarded to the DF over the Call Content Connection (CCC)
– Call data: sent to the DF over the Call Data Connection (CDC)
(Diagram: subscribers (SIP, H.323, MGCP) via an edge router to the Net-Net SD acting as AF, on to the service infrastructure and PSTN; CDC and CCC from the SD to the lawful intercept server (DF & SPAF) and from there to law enforcement agencies (LEAF & CF))

20 Net-SAFE

21 The net-net
Security issues are very complex and multi-dimensional
– Attack sophistication is growing while intruder knowledge is decreasing
Security investments are business insurance decisions
– Life: DoS attack protection
– Health: SLA assurance
– Property: service theft protection
– Liability: SPIT & virus protection
Degrees of risk (high to low)
– Misconfigured devices
– Operator and application errors
– Peering
– Growing CPE exposure to Internet threats
– NEVER forget disgruntled Malcom (Office Space)
Only purpose-built session border controllers protect enterprise assets

22 Riding the bull
Threat mitigation means staying ahead of security threats
– Attackers don't publish their methods
As data attack models have matured they have dramatically increased in number
– Putting pressure on security defense scale
The requirements of real-time services such as VoIP and multimedia are different from those of data
– Similar trends, different devices
Stateful, service-aware, and dynamic policy application
– Endpoints may be authenticated, but their intentions may not be
– Protocol messages may be valid, but how they're used may not be

23 Net-SAFE
(Diagram: threat categories covered, including worm/virus & malicious software, and access control & VPN separation)

24 Three goals of Net-SAFE
– Protect the enterprise's infrastructure
– Protect the SBC
– Protect the service
DoS attacks remain the #1 security threat: the security element must first defend itself!
(Diagram: service provider peer, enterprise access, enterprise and contact center around the SBC)

25 The SD is architected to secure…
Hardware- and software-based DoS protection
– Trusted and untrusted queues with wire-speed packet classification and dynamic trust management integration
Smart Border DPI
– Security gateway fully terminates session traffic for signaling deep packet inspection
– Passive DPI is unable to function on the ever-growing amount of encrypted/compressed traffic flows
Real-time IDP
– Dynamic trust management leverages smart DPI and monitors traffic behavior patterns, making trust level adjustments without administrator intervention
– Avoids harmful false-positive DoS risks
Extending trust to the endpoint
– IPsec, TLS, and SRTP

26 Hardware- and software-based DoS protection

27 Security Engine: Acme Packet multi-processor hardware architecture
(Diagram: signaling and media enter through network processors and an intelligent traffic manager; signaling processors implement the Session Control Function, security processors and the Media Control Function handle media)

28 Security Engine: Acme Packet multi-processor hardware architecture (enlarged view of the same diagram)

29 DoS logical hardware path
(Diagram: Acme hardware DoS protection)
– Perform ACL lookup and packet classification: choose the trusted, untrusted, or denied path
– Denied path: deny CAMs, packet discarded
– Trusted path: classifier chooses a specific trusted queue; each trusted queue can be set to an average policed rate
– Untrusted path: classifier chooses 1 of 1k hash buckets into 1k untrusted queues; the total untrusted pipe can be reserved a minimum amount of bandwidth, and a maximum if more is available
– Queues are served round-robin (RR) and weighted round-robin (WRR) with tail drop toward the CPU; the total rate can be configured

30 Software DoS policy
Traffic must pass the HW DoS policy + ACLs, then the SW DoS policy, or be discarded
SW DoS decisions on the SD, in order:
– Check for legal message format (parse it); otherwise discard
– Check that the previous hop is authorized; otherwise discard
– Check that the call is below the constraint limits; otherwise reject the call
– Check that the local CPU load is below threshold; otherwise reject
– Allow
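The decision chain above as an added example that is not Acme Packet code: each check runs in the slide's order, the two front checks discard silently (no response, no state consumed) while the two later ones reject gracefully. The 90% CPU ceiling is the default quoted on the session admission control slide; the authorized previous hops, the per-hop session limit and the SIP requests are constructed.

```python
"""Added example (not Acme Packet code): the software DoS decision chain on
this slide as an ordered pipeline over constructed SIP requests. The 90%
CPU ceiling is the default quoted on the session admission control slide;
the authorized previous hops and the per-hop session limit are constructed."""
import re
from typing import Dict, Optional, Tuple

CPU_LOAD_CEILING = 90                                  # percent; configurable default
AUTHORIZED_PREV_HOPS = {"192.0.2.10", "192.0.2.11"}    # constructed session agents
MAX_SESSIONS_PER_HOP = 2                               # constructed constraint

REQUEST_LINE = re.compile(r"^(INVITE|REGISTER|OPTIONS|BYE|ACK|CANCEL) (sip:\S+) SIP/2\.0$")


def parse_sip(raw: str) -> Optional[Dict[str, str]]:
    """Legal-format check: return the headers (plus 'method') or None if the
    request line or a mandatory header is malformed or missing."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {"method": m.group(1)}
    for line in lines[1:]:
        if line == "":
            break                      # end of headers
        if ":" not in line:
            return None                # header without a colon: malformed
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if not all(h in headers for h in ("via", "from", "to", "call-id")):
        return None
    return headers


def decide(raw: str, prev_hop: str, active_sessions: Dict[str, int],
           cpu_load: int) -> Tuple[str, str]:
    """Run the slide's checks in order. 'discard' drops the packet with no
    response or state; 'reject' answers with a SIP error; 'allow' admits it."""
    if parse_sip(raw) is None:
        return ("discard", "malformed message")
    if prev_hop not in AUTHORIZED_PREV_HOPS:
        return ("discard", "previous hop not authorized")
    if active_sessions.get(prev_hop, 0) >= MAX_SESSIONS_PER_HOP:
        return ("reject", "503 session agent constraint exceeded")
    if cpu_load >= CPU_LOAD_CEILING:
        return ("reject", "503 local CPU load ceiling")
    active_sessions[prev_hop] = active_sessions.get(prev_hop, 0) + 1
    return ("allow", "admitted")


# Constructed requests: a well-formed INVITE and one whose Via header lacks its colon.
GOOD_INVITE = ("INVITE sip:alice@example.com SIP/2.0\r\n"
               "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK776\r\n"
               "From: <sip:bob@example.com>;tag=1928\r\n"
               "To: <sip:alice@example.com>\r\n"
               "Call-ID: a84b4c76e66710@192.0.2.10\r\n\r\n")
MALFORMED = "INVITE sip:alice@example.com SIP/2.0\r\nVia SIP/2.0/UDP 192.0.2.10\r\n\r\n"
```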

31 SBC DoS protection features
Protect the SBC from DoS and other attacks
– Both malicious and unintentional attacks
– Self-limiting ceiling check (%CPU) with graceful call rejection
– Automatically promotes/demotes device trust level based on behavior
– Enforced max aggregate rate for all traffic
– Separate, policed queues for management + control protocols
– Hardware capacity of the NP subsystem is greater than all interfaces combined
– Reverse path forwarding checked for signaling + media
– Hardware-policed queues for control packets (ICMP, ARP, Telnet, etc.), separate from trusted traffic

32 Smart Border DPI

33 Session DPI models
Full protocol termination via security gateway
– Breaks the session into two segments for complete control
– Terminates and reinitiates signaling messages & SDP with unique session IDs
– Simplifies traffic anomaly detection
– Able to inspect encrypted and compressed packets
Passive DPI via in-line security appliance
– Maintains a single session through the system
– Modifies addresses in signaling messages & SDP as they pass through the system
– Unable to inspect encrypted and compressed packets
(Diagram: security gateway with Segment 1 and Segment 2 versus a single-session ALG)

34 SD DPI: the broadest set of protocols on the market
Over 80 known threats involving the following protocols
– SIP, H.323 – H.225, H.323 – H.245
– H.248, MGCP, NCS
– RTP
– TCP, UDP
– IP
– ICMP, ARP
SD DPI capabilities are coupled with scalable decryption/encryption processing to stand up against the strongest security defenses

35 Real-time IDP

36 Dynamic trust management
– Dynamic trust level binds to hardware classification
– Individual device trust classification
– Provides fair access opportunity for new and unknown devices
– Multi-queue access fairness for unknown traffic
– Automatically promotes/demotes device trust level based on behavior
– Per-device constraints and authorization

37 Promotion and demotion of users
Demotion occurs in stages
– Trusted to untrusted, then
– Untrusted to denied
Trusted to untrusted when:
– Registration timeout
– Excessive signaling messages
– Excessive malformed packets
Untrusted to denied demotion:
– Excessive signaling messages
– Excessive malformed packets
– Different thresholds from trusted to untrusted
Example (TP = time period)
– max-signal-threshold: 20
– untrusted-signal-threshold: 4
– Up to 4 messages / TP to become trusted
– If a device sends >20 messages / TP, it is demoted to untrusted
– If it can't become trusted within 4 messages / TP, it is demoted to denied
(Diagram: flow charts for promotion to trusted user (SIP), promotion to trusted user (MGCP) and demotion to untrusted user (SIP))
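The staged demotion and the two thresholds from the example above, as an added example that is not Acme Packet code: a trusted device can only fall to untrusted, and a separate, tighter threshold decides whether an untrusted device is promoted or denied. The malformed-packet threshold and the per-period device traces are constructed.

```python
"""Added example (not Acme Packet code): the staged trust promotion and
demotion on this slide, using the slide's thresholds (max-signal-threshold
20, untrusted-signal-threshold 4). The malformed-packet threshold and the
per-time-period device traces are constructed; names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_SIGNAL_THRESHOLD = 20        # messages/TP a trusted device may send before demotion
UNTRUSTED_SIGNAL_THRESHOLD = 4   # messages/TP an untrusted device gets to become trusted
MALFORMED_THRESHOLD = 2          # constructed; the slide gives no number for this

Observation = Tuple[int, int, bool]   # (signal_msgs, malformed_pkts, registration_valid)


@dataclass
class DeviceTrust:
    """Trust level of one endpoint as the hardware classifier would see it."""
    level: str = "untrusted"          # untrusted -> trusted -> untrusted -> denied
    history: List[str] = field(default_factory=list)

    def end_of_period(self, signal_msgs: int, malformed: int, registered: bool) -> str:
        """Apply one time period (TP) of observed behaviour; return the new level."""
        if self.level == "trusted":
            # Stage 1: trusted -> untrusted (never straight to denied)
            if (not registered or signal_msgs > MAX_SIGNAL_THRESHOLD
                    or malformed >= MALFORMED_THRESHOLD):
                self.level = "untrusted"
        elif self.level == "untrusted":
            # Stage 2: separate, tighter thresholds decide untrusted -> denied
            if malformed >= MALFORMED_THRESHOLD or signal_msgs > UNTRUSTED_SIGNAL_THRESHOLD:
                self.level = "denied"
            elif registered:
                self.level = "trusted"     # registered within the 4-message budget
        # "denied" is terminal here: the hardware ACL discards, nothing to evaluate
        self.history.append(self.level)
        return self.level


def scenario() -> Dict[str, List[str]]:
    """Constructed traces over four TPs: a normal phone, a phone that bursts
    after registering, and a device that floods before ever registering."""
    traces: Dict[str, List[Observation]] = {
        "legit":   [(2, 0, True), (5, 0, True), (3, 0, True), (1, 0, True)],
        "chatty":  [(2, 0, True), (25, 0, True), (30, 0, True), (1, 0, True)],
        "scanner": [(50, 0, False), (1, 0, False), (1, 0, False), (1, 0, False)],
    }
    result = {}
    for name, trace in traces.items():
        dev = DeviceTrust()
        for msgs, bad, reg in trace:
            dev.end_of_period(msgs, bad, reg)
        result[name] = dev.history
    return result
```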

38 Extending trust to the endpoint

39 TLS (Transport Layer Security)
Required elements
– SD populated with Signaling Security Module (SSM) + 2 GB memory
– TLS user agent (UA) on the endpoint
– TLS server on the SD
– Trusted certificate authority
TLS handshake between TLS UA and TLS server
– Using either single-sided (server authentication) or
– Mutual authentication
SIP signaling only after successful TLS setup
Mix encrypted / unencrypted signaling
TCP / UDP / TLS interworking
(Diagram: SIP over TLS on the access side; intra-network and inter-network legs)

40 TLS DoS protection
DoS protection for TLS (C4.1.1 / D6.0)
– Benefit: prevents encryption starvation attacks
– Problems overcome: too many TLS connections to an endpoint; too many TLS connections to a SIP interface; too many quiet TLS connections
– Application: SIP-TLS access
– How it works: if a response to a SIP transaction is not received within a configurable period of time, the TLS connection is torn down
(Diagram: TLS sessions governed by a timer)

41 IPsec (IP Security)
Manual keying
– Same key at both ends of the IPsec tunnel
– Manual input of key
Selective encryption (2 SDs)
– All traffic (for peering)
– Signaling only
– Ia interface between SC and BG
Selective encryption: SD to UE
– Signaling only (Gm interface)
– Signaling and media
Select two modes for operation:
– Tunnel (entire IP packet) or transport (payload only) mode
– AH (anti-tampering) or ESP (encrypt + anti-tamper) mode
Encryption ciphers
– DES, 3DES-CBC, AES-CBC (128 bit and 256 bit), or NULL cipher
Data integrity hashes
– HMAC-MD5 or HMAC-SHA1
(Diagram: SIP over IPsec on the access side; intra-network and inter-network legs)

42 SRTP (Secure Real-Time Transport Protocol)
SRTP key derivation
– 12 different options, including:
– SDES (Session Description Protocol Security Descriptions) – RFC; many customers asking for this
– MIKEY (Multimedia Internet KEYing) – we probably won't do this
Using SDES
– Secure signaling (IPsec or TLS)
– Key exchanged in SDP (privacy provided by IPsec or TLS)
SRTP availability
– NN9200: 1H / 08
– NN4250: 2H / 08
(Diagram: SIP over TLS on the access side; intra-network and inter-network legs)

43 Net-Net EMS

44 Net-Net EMS
Configuration
– Configure, provision, upgrade, inventory
– Multiple networks, multiple systems
Fault: manage and filter events, alarms and logs
Performance
– Monitor performance
Security
– Control EMS, system and function access by user or administrator group
– Per-user audit trail
EMS management
– EMS configuration & management (back-up, upgrade, licensing, etc.)

45 Net-Net management
Net-Net 4250/9200 management interfaces and protocols
Interfaces
– Fault: SNMPv2 (current), SNMPv3 (future), TL-1 (future)
– Configuration: XML (current), CORBA (future)
– Accounting: RADIUS CDRs
– Performance: SNMPv2 (current), SNMPv3 (future), XML (future)
– Security: RADIUS server (AAA), IPsec (future)
Protocols
– TMF814: this is the same as CORBA (future)
– SNMP: SNMPv2 (current), SNMPv3 (future)

46 Why Acme Packet in the enterprise?
Full enterprise adoption of end-to-end real-time IP communications in the call and data center
– Proven interoperability with service providers
– Mediation of IP address spaces, codecs, signaling, transport, and encryption protocols
– Scale for centralized, and solutions for decentralized, architectures
– Border trust and security
– Revenue, cost and quality assurance
– Regulatory and business compliance
Acme Packet brings financial strength and market-leading experience, partners, support, and technology to the enterprise market.
