ABC SBC: Securing the Enterprise. FRAFOS GmbH. Bismarckstr CHIC offices Berlin. Germany.

Similar documents
ABC SBC: Secure Peering. FRAFOS GmbH

FRAFOS ABC-SBC Generic SIP Trunk Integration Guide for ShoreTel 14.2

HIGH DENSITY MEDIA GATEWAY WITH MODULAR INTERFACES AND SBC. Comparative table for call capacities of the KMG SBC 750:

Dialogic BorderNet Virtualized Session Border Controller

Comparative table of the call capacity of KMG 200 MS: Number of SBC calls Maximum TDM channels Total calls Bridge**

Brochure. Dialogic BorderNet Session Border Controller Solutions

Ingate SIParator /Firewall SIP Security for the Enterprise

White Paper. SIP Trunking: Deployment Considerations at the Network Edge

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

SIP security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, , Atlanta, GA (USA)

Become a WebRTC School Qualified Integrator (WSQI ) supported by the Telecommunications Industry Association (TIA)

Session Border Controller

Dialogic BorderNet Session Border Controller

Dialogic BorderNet 4000 Session Border Controller

Sonus Networks engaged Miercom to evaluate the call handling

Dialogic Session Border Controller Performance Validation

Oracle Communications WebRTC Session Controller

Application Note. Microsoft OCS 2007 Configuration Guide

FreeSWITCH as a Kickass SBC. Moises Silva Manager, Software Engineering

Network Requirements

Sangoma Session Border Controllers. Frederic Dickey Shaunt Libarian October 17, 2013

SBC Site Survey Questionnaire Forms

Patton Electronics Co Rickenbacker Drive, Gaithersburg, MD 20879, USA tel: fax:

Common Components. Cisco Unified Border Element (SP Edition) Configuration Profile Examples 5 OL

Connecting AudioCodes' SBC to Microsoft Teams Direct Routing Enterprise Model

SBCs from Sangoma Flexibility, Ease of Use and an Unmatched ROI Simon Horton Director of Product Management

ABC Monitoring Solution

Maintaining High Availability for Enterprise Voice in Microsoft Office Communication Server 2007

Load Balancing FreeSWITCHes

Real-Time Communications for the Web. Presentation of paper by:cullen Jennings,Ted Hardie,Magnus Westerlund

Frequently Asked Questions (Dialogic BorderNet 500 Gateways)

ORACLE ENTERPRISE COMMUNICATIONS BROKER

Installation & Configuration Guide Version 4.0

Dialogic PowerMedia Media Resource Broker (MRB)

Avaya Port Matrix: Avaya Proprietary Use pursuant to the terms of your signed agreement or Avaya policy.

Connecting AudioCodes' SBC to Microsoft Teams Direct Routing Hosting Model

Unified Communication:

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Oracle Communications Session Router

CCNP Voice (CCVP) Syllabus/Module Details CVOICE Cisco Voice over IP and QoS v8.0 (CVOICE v8.0)

APP NOTES TeamLink and Firewall Detect

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Instavc White Paper. Future of Enterprise Communication

WebRTC: IETF Standards Update September Colin Perkins

Session Abstract 11/25/2013

SESSION BORDER CONTROLLERS PRODUCT LINE

SIP Flex Test Suite. Highlights. IMS and VoIP Network Element and Service Testing

Application Note Asterisk BE with Remote Phones - Configuration Guide

VoIP Basics. 2005, NETSETRA Corporation Ltd. All rights reserved.

Performance Monitoring and Alarm Guide

Microsoft Teams Direct Routing Enterprise Model and Swisscom SIP Trunk "Smart Business Connect" using AudioCodes Mediant SBC

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP LTM for SIP Traffic Management. Archived

Oracle Communications Operations Monitor

Analysis and Signature of Skype VoIP Session Traffic

Acme Packet 1100 Enterprise Session Border Controller (E SBC)

SBC Configuration Examples for Mediant SBC

WEBRTC FOR CONTACT CENTERS

Softswitches Years TELES

VPN-1 Power/UTM. Administration guide Version NGX R

WebRTC Monitoring and Alerting

Connecting AudioCodes' SBC to Microsoft Teams Direct Routing Hosting Model

Aeonix & Ingate. Role in Enterprise

Microsoft Teams Direct Routing Enterprise Model and DTAG SIP Trunk using AudioCodes Mediant SBC

P2PSIP, ICE, and RTCWeb

Cisco Unified Border Element (SP Edition) for Cisco ASR 1000 Series

SBC Edge 2000 V5.0.1 IOT Skype for Business 2015 Intermedia SIP Trunk Application Notes

Technical White Paper for NAT Traversal

Technical Overview. Mitel MiCloud Telepo for Service Providers 4.0. Key Features

Firewalls for Secure Unified Communications

Security for SIP-based VoIP Communications Solutions

Cisco Unified Border Element Enterprise Edition Version 8.5

Communications Transformations 2: Steps to Integrate SIP Trunk into the Enterprise

Configuration Guide IP-to-IP Application

White Paper Conquering Scalable WebRTC Conferencing

SBC Deployment Guide Architecture Options and Configuration Examples

Load Balancing FreePBX / Asterisk in AWS

NAT (NAPT/PAT), STUN, and ICE

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Meeting the Challenges of an HA Architecture for IBM WebSphere SIP

Department of Computer Science. Burapha University 6 SIP (I)

VoipSwitch User Portal for Rich Communiation Suite RCS features, HTML 5, WebRTC powered FOR DESKTOP AND MOBILES

WebRTC standards update (September 2014) Victor Pascual

This is a sample chapter of WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web by Alan B. Johnston and Daniel C. Burnett.

MonAM ( ) at TUebingen Germany

Reflections on Security Options for the Real-time Transport Protocol Framework. Colin Perkins

IP-to-IP Gateway Test Suite

Configuring Hosted NAT Traversal for Session Border Controller

Performance Monitoring and Alarm Guide

Application Note Asterisk BE with SIP Trunking - Configuration Guide

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

The Technical Interconnect Model for IP-based voice services

APP NOTES Onsight Connect Network Requirements

Sonus Networks submitted their SBC 5100 Session Border

Teams Direct Routing. Configuration Checklists for BTIP and Business Talk SIP services. 28 january Teams Direct Routing AudioCodes Checklist 0.

Network Requirements

Cisco Webex Cloud Connected Audio

Series Aggregation Services Routers.

Configuration Note. AireSpring SIP Trunk & Genesys Contact Center using AudioCodes Mediant SBC. Session Border Controllers (SBC)

Hit the Ground Running. VoIP. Robert Sparks

Application Notes for Configuring the XO Communications SIP Trunking Service with Avaya IP Office 10.0 Issue 1.0

Transcription:

ABC SBC: Securing the Enterprise FRAFOS GmbH Bismarckstr 10-12 CHIC offices 10625 Berlin Germany www.frafos.com

Introduction A widely reported fraud scenarios is the case of a malicious user detecting the address of a company s PBX and accessing that PBX directly. Once the attacker has managed to have access to the PBX the attacker can start making calls and even sell telephony minutes through that PBX with the costs incurred upon the owner of the PBX. The ABC SBC establishes a secure border between the enterprise VoIP solution and the rest of the world. As the border element, the ABC SBC hides the details of the enterprise solution and absorbs any attacks and fraud attempts. Further, the mediation features of the ABC SBC shield the enterprise network from malfunctioning user agents and any interoperability issues. Topology Hiding As the result of a SIP session establishment the involved end points will have exchanged the IP addresses of where to send and receive media traffic. This means that a user using VoIP for calling the enterprise will know the IP address of the enterprise PBX. A malicious user could use this information to try and get access to the enterprise PBX. By having the ability to contact the PBX directly, an attacker might be able to misuse any security holes that might exist at the PBX. This would allow the attacker to initiate calls through the PBX with the costs being incurred on the enterprise. When deploying the ABC SBC as the interconnection element between the enterprise and the VoIP service provider, which are serving the enterprise, the ABC SBC hides all information about the PBX before forwarding them to the VoIP service provider. The ABC SBC replaces the address of the PBX with its own. Hence, headers such as Contact, Via, Record-Route, Route and so on include the SBCs address only. Denial of Service and Overload Protection If we have learned one thing from the Internet, then it is that there will always be some people with enough technical skill and time to figure out a way to attack some service. The ABC SBC protects an enterprise VoIP service from DoS attacks or a sudden increase in the number of calls, e.g., Christmas calls.

In order to keep the malicious traffic and overload away from the PBX the ABC SBC supports the following protection mechanisms: Traffic limitation: An enterprise can limit the rate of incoming and outgoing calls. Once these limits are exceeded, the ABC SBC starts rejecting calls arriving in excess of these limits. These limits can apply to either the entire enterprise or to single sources, e.g., number of calls from some department should not exceed some limit, or to certain destinations, e.g., no more than X long distance calls can be conducted in parallel. Content filtering: An attacker could try to get access to some protected resources by launching an SQL injection attack or try to bring a server down by sending SIP messages with malformatted content. By analyzing the content of incoming SIP messages and rejecting messages that seem to include malicious content the ABC SBCs can protect the enterprise PBX and VoIP solution. NAT- Traversal Support Network Address Translators (NAT) are used to overcome the lack of IPv4 address availability by hiding an enterprise behind one or few IP addresses. The devices behind the NAT use private IP addresses that are not routable in the public Internet. In case there is a NAT between the PBX and the SBC then the ABC SBC can offer NAT traversal support. In general one could, however, expect the PBX and the enterprise SBC to be in the same network. In this case the ABC SBC acts as a NAT. This is achieved by having two interfaces at the ABC SBC with one of them private and the other public with the PBX connected to the ABC SBC over the private one. The ABC SBC uses its public address to communicate with the VoIP service providers. Unlike NATs which only mangle the IP addresses in the IP headers, the ABC SBC includes its public IP address in the contact, routing and body parts of the SIP message. Access Control and Fraud Prevention The ABC SBCs controls which users and what messages can cross the borders of a VoIP infrastructure and use the offered VoIP services. This is achieved by a number of features: Access control: In order to protect the PBX, the ABC SBC only accepts calls arriving

over a secure connection established with a trusted VoIP operator. The trust relation can be established using TLS or IPSEC. Fraud prevention: By using blacklists the administrator of the enterprise s VoIP service can limit the destinations to which the enterprise users can call. This helps in protecting against the case that an attacker manages to get access to the PBX and starts calling expensive service numbers or exotic countries. Interoperability Mediation With different standardization groups working in SIP and the different interpretation of developers to the same specifications, interoperability between SIP components of different manufacturers and of different network architectures in unfortunately not always guaranteed. The ABC SBC offers a powerful GUI based mediation functionality that enables an operator to adapt incoming and outgoing traffic. Using the ABC SBC mediation GUI, an operator can configure the following actions: Stateless SIP header manipulation: The ABC SBC can be configured to remove certain headers and add others. Statefull message handling: To support the differences between the IMS and IETF specifications the AB SBC is capable of overcoming differences in the call flows and generating appropriate responses and requests. Message blocking: The ABC SBC drops/rejects requests and messages not supported by an enterprise. Header manipulation: The ABC SBC can be configured to change the content of a certain header. Transport mediation: SIP can be transported over UDP, TCP and SCTP. Further, it can work over IPv4 and IPv6. The ABC SBC can enable two elements using different transport protocols to communicate seamlessly with each other. Media transcoding: The ABC SBC supports software based transcoding of media.

Capacity The ABC SBC supports up to 5000 simultaneous calls running with G.711 codec on off the shelve hardware. For smaller enterprises, FRAFOS also offers the ABC SBC as a software only solution that can be deployed on top of hardware chosen by the enterprise. The ABC SBC can also be integrated into a virtualized environment on top of already available hardware. The capacity of the ABC SBC will depend then on the used hardware and available resources.

Technical Specifications Supported Platforms Linux WebRTC Features Javascript SIP over WebSocket NAT traversal using ICE, TURN, STUN JsSIP support Media Services Routing audio codec including G.711, OPUS. Routing of video codec including VP8 Dynamic jitter control NAT/NAPT on media RTP inactivity monitoring Codec filtering Media Applications Call recording Announcement services Software based transcoding (G711u/a, G726, OPUS, ilbc, L16, G722, Speex; on request: G729a, G729a/b, AMR) Management Capabilities GUI based configuration and monitoring Secure embedded web-based GUI SSH access SNMP V2 status and logs Local logging of alarms, events and statistics REST and XML RPC based open interfaces Virtualization Amazon cloud Virtualization software OVM, KVM.. High Availability Active/Hot Standby redundancy model QoS Control Bandwidth limitation and management Call admission control per peering partner/trunk Call Routing Call blocking and filtering Embedded routing engine Load balancing Peer monitoring and availability detection Alternative routing on failure Table based routing for LCA SIP Registration pass-through Registration caching and offload SIP header manipulation SIP Back2Back UA Protocol Support UDP, TCP WebSocket Translation between transport protocols Per source/destination transport layer mediation SNMP, NTP, SSHDNS RTP, RTCP, SRTP TLS, DTLS, SDES Hardware Hardware independent

About FRAFOS FRAFOS GmbH is a manufacturer of VoIP solutions with offices in Berlin and Prague. FRAFOS was incorporated as privately held company in May 2010, in Berlin, Germany. The history of FRAFOS team and technology goes back to the late nineties. As researchers at the prestigious German public R&D institute Fraunhofer FOKUS, the FRAFOS founders were the among the first to work the SIP and RTP standards and to develop open source solutions that paved the way for the VoIP revolution. FRAFOS offers SIP session management and security solutions of the latest generation that come either as a standalone solution or as a cloud ready implementation. The flagship product of FRAFOS, the ABC SBC, offers open interfaces and built in multimedia applications such as recording and announcements. The ABC SBC enables the service providers and enterprises to simplify their service infrastructure and prepares them for future challenges.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback