The leader in session border control for trusted, first class interactive communications
VoIP security at the carrier network edge
Kevin Mitchell, Director, Solutions Marketing, kmitchell@acmepacket.com
SIP Trunking Seminar - September 2007

In IP we don't trust anyone!
VoIP threats: impacts & probabilities
(Probability is scored separately for the open Internet, where service is free and anonymous, and for an IMS/managed network.)

Security threat    | Impact | Probability: Internet (free, anonymous) | Probability: IMS/managed network | Comments
DoS & DDoS attacks |   -    |   -   |   -   | Requires sophisticated attack capable of covering tracks; catastrophic - all subscribers are impacted
Overloads          |   -    |   -   |   -   | Power outage prone areas susceptible; catastrophic - all subscribers impacted
Viruses & malware  |   -    |   -   |   -   | Impact varies based on service provider infrastructure, enterprise IP PBX or residential PC
Service fraud      |   5    |  N/A  |   5   | Requires technical sophistication; impact depends on business model
Identity theft     |  2-5   |   8   |   6   | Requires slightly more technical sophistication than SPIT; man-in-the-middle requires same degree of technical capabilities; information used for other attacks with various impacts
Eavesdropping      |   -    |   -   |   -   | Requires technical sophistication and access to wiring closets
SPIT               |   1    |  10   |   6   | Requires little sophistication; annoying more than harmful

Scores for the DoS & DDoS, Overloads, Viruses & malware and Eavesdropping rows survive only out of order: 9, 10, 1, 3-8, 4, 5, 2, 5, 2, 3, 5, 3.
VoIP security concerns
(Percent of respondents rating the concern 6 or 7; based on interviews with 24 service providers completed in Q2 2007)

User/device authentication and authorization ............................. 88%
DoS attacks and overloads of next gen voice service infrastructure ..... 67%
User privacy and confidentiality ......................................... 58%
Performance impacted when defending against attack ....................... 50%
Identity theft ........................................................... 50%
Service topology exposure ................................................ 50%
Service fraud ............................................................ 46%
Illegal wiretapping/eavesdropping ........................................ 33%
SPIT ..................................................................... 17%

Source: Infonetics Research, Service Provider Plans for VoIP & IMS: North America, Europe, Asia Pacific, Latin America-Caribbean 2007
IMS: Is Missing Security

Security feature requirement                        | IMS feature
ACL static                                          | Core IMS functions
ACL dynamic                                         | Not addressed
Topology hiding (NAPT at L3 & L5)                   | I-BCF only, THIG
Authentication - subscriber & CSCF                  | IPSec, SIP digest
Authorization - subscriber                          | HSS function
Signaling encryption                                | IPSec
Media encryption                                    | Not addressed
CAC - I/S-CSCF constraints                          | Not addressed
CAC - network bandwidth constraints                 | PDF/RACS function
CAC - user limits: sessions (#)                     | Not addressed
CAC - user limits: bandwidth                        | Not addressed
SIP message & MIME attachment filtering/inspection  | Not addressed
Signaling rate monitoring & policing                | Not addressed
Bandwidth monitoring & policing                     | Not addressed
Call gapping - destination number                   | Not addressed
Call gapping - source/dest. CSCF or UE              | Not addressed
QoS marking/mapping control                         | Not addressed

The slide also rates each feature against the threat columns DoS attacks, Traffic overloads, Viruses/malware, Service fraud, ID theft, Eavesdropping and SPIT as Satisfied, Partially addressed or Not addressed; those per-threat markings did not survive extraction.
How do I secure my network?

1. Protect the border (service provider peer, enterprise access, residential access)
2. Protect the service infrastructure (IMS core)
3. Protect the service
Border security framework

- SBC DoS/DDoS protection: protect against SBC DoS/DDoS attacks & overloads
- Access control: session-aware access control for signaling & media
- Topology hiding, privacy and VPN separation: complete service infrastructure hiding & user privacy support; support for L2 and L3 VPN services and security
- Viruses, malware & SPIT mitigation: deep packet inspection enables protection against malicious or annoying attachments/traffic
- Infrastructure DoS/DDoS prevention: prevent DoS/DDoS attacks on service infrastructure & subscribers
- Fraud prevention: prevent misuse & fraud; protect against service theft
- Monitoring and reporting: record attacks & attackers; provide audit trails
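Two of the border functions above, message/MIME inspection and topology hiding, as an added Python example (not Acme Packet code and not from the slides). The SBC address, the internal address prefixes, the allow list, the size cap and the sample INVITE are all constructed for illustration.

```python
# Added example, not Acme Packet code: a header-level SIP inspector that does
# body/MIME filtering (viruses, malware & SPIT mitigation) and topology hiding
# (rewriting internal addresses in Via/Contact/Record-Route to the SBC's own
# public address). Addresses, prefixes, limits and messages are constructed.
import re

SBC_PUBLIC = "203.0.113.10:5060"          # assumed SBC outside address
INTERNAL_PREFIXES = ("10.", "192.168.")   # assumed service-infrastructure ranges
ALLOWED_CONTENT_TYPES = {"application/sdp"}
MAX_BODY_BYTES = 4096
REWRITE_HEADERS = ("via", "contact", "record-route")

# Constructed sample INVITE leaving a core host for an external peer.
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.net>;tag=1928301774\r\n"
    b"To: <sip:bob@example.net>\r\n"
    b"Call-ID: a84b4c76e66710@10.0.0.5\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Contact: <sip:alice@10.0.0.5:5060>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"v=0\r\no=- 0 0 IN IP4 10.0.0.5\r\n"
)
# Same message carrying an executable attachment instead of SDP (constructed).
SAMPLE_ATTACHMENT = SAMPLE_INVITE.replace(b"application/sdp", b"application/x-msdownload")


def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value)], body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def inspect(raw):
    """Return 'forward' or the SIP status the SBC should answer with instead."""
    _, headers, body = parse_sip(raw)
    if not body:
        return "forward"
    ctype = header_values(headers, "Content-Type")
    media = ctype[0].split(";")[0].strip().lower() if ctype else ""
    if media not in ALLOWED_CONTENT_TYPES:
        return "415 Unsupported Media Type"   # executable/attachment bodies never reach the core
    if len(body) > MAX_BODY_BYTES:
        return "513 Message Too Large"
    clen = header_values(headers, "Content-Length")
    if clen and clen[0].isdigit() and int(clen[0]) != len(body):
        return "400 Bad Request"              # length/body mismatch: malformed or smuggled
    return "forward"


# dotted-quad with optional :port, not preceded by a word char or dot
ADDR_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?")


def hide_topology(raw):
    """Replace internal IP:port values in routing headers with SBC_PUBLIC."""
    start, headers, body = parse_sip(raw)

    def swap(m):
        return SBC_PUBLIC if m.group(1).startswith(INTERNAL_PREFIXES) else m.group(0)

    out = [start]
    for name, value in headers:
        if name.lower() in REWRITE_HEADERS:
            value = ADDR_RE.sub(swap, value)
        out.append(f"{name}: {value}")
    return ("\r\n".join(out) + "\r\n\r\n").encode() + body


if __name__ == "__main__":
    print(inspect(SAMPLE_INVITE), inspect(SAMPLE_ATTACHMENT))
    print(hide_topology(SAMPLE_INVITE).decode())
```

The inspector only looks at routing headers; a real SBC that anchors media also rewrites the SDP c= and o= lines (the sample body still names 10.0.0.5) and keeps a state table so the replies can be mapped back to the internal host, neither of which this example does.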
Best protection combines hardware and software

Network processor (NPU)-based protection
- Layer 3/4 (TCP, SYN, ICMP, etc.) & signaling attack detection & prevention
- Dynamic & static ACLs (permit & deny) to SPU
- Trusted & untrusted paths to SPU with configurable bandwidth allocation & bandwidth policing per session
- Trusted devices: guaranteed signaling rates & access fairness
- Untrusted devices can access unused trusted bandwidth
- Separate queues for ICMP, ARP, telnet, etc.
- Signaling reverse path forwarding (uRPF) detection
- Overload prevention: 10 Gbps NPUs > 8 Gbps network interfaces

Signaling processor (SPU)-based protection
- Overload protection threshold (% SPU) w/ graceful call rejection
- Per-device dynamic trust-binding promotes/demotes devices

Diagram: network processor -> intelligent traffic manager -> security processor and signaling & media processor -> network processor
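The SPU-side mechanisms above (trusted and untrusted signaling paths, per-device dynamic trust binding, dynamic deny ACLs and an overload threshold with graceful rejection), as an added Python model that is not Acme Packet code. The budgets, the demotion count, the deny timer, the overload threshold and the device addresses are assumed values chosen for illustration.

```python
# Added example, not Acme Packet code: per-device dynamic trust binding with
# separate signaling budgets for trusted and untrusted devices, demotion or
# denial of devices that exceed their budget, and an SPU overload threshold
# that refuses new calls gracefully. All numbers and addresses are assumed.
from collections import defaultdict

BUDGET = {"trusted": (50.0, 100), "untrusted": (5.0, 10)}  # msgs/s, burst (assumed)
DEMOTE_AFTER = 3        # policed messages before an untrusted device is denied
DENY_SECONDS = 60.0     # lifetime of a dynamic deny ACL entry
OVERLOAD_PCT = 80.0     # SPU load above which new INVITEs get a 503


class TokenBucket:
    """Classic token bucket; take() is False when the message must be policed."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BorderPolicer:
    def __init__(self):
        self.trust = defaultdict(lambda: "untrusted")  # every new device starts untrusted
        self.buckets = {}                              # (src, level) -> TokenBucket
        self.violations = defaultdict(int)
        self.deny_until = {}                           # src -> expiry (dynamic deny ACL)
        self.spu_load = 0.0                            # percent, fed by the platform
        self.events = []                               # audit trail: promote/demote/deny

    def _bucket(self, src):
        level = self.trust[src]
        key = (src, level)
        if key not in self.buckets:
            rate, burst = BUDGET[level]
            self.buckets[key] = TokenBucket(rate, burst)
        return self.buckets[key]

    def promote(self, src, now):
        """Called once the device has authenticated, e.g. a REGISTER succeeded."""
        self.trust[src] = "trusted"
        self.violations[src] = 0
        self.events.append((now, src, "promoted"))

    def handle(self, src, method, now):
        """Return 'forward', 'drop', or the SIP status to answer with."""
        expiry = self.deny_until.get(src)
        if expiry is not None:
            if now < expiry:
                return "drop"                  # on the deny ACL: the NPU drops it silently
            del self.deny_until[src]           # entry aged out; start over as untrusted
            self.violations[src] = 0
        if not self._bucket(src).take(now):
            self.violations[src] += 1
            if self.trust[src] == "trusted":
                self.trust[src] = "untrusted"  # demote onto the untrusted path
                self.events.append((now, src, "demoted"))
            elif self.violations[src] >= DEMOTE_AFTER:
                self.deny_until[src] = now + DENY_SECONDS
                self.events.append((now, src, "denied"))
            return "drop"
        if method == "INVITE" and self.spu_load > OVERLOAD_PCT:
            return "503 Service Unavailable"   # graceful rejection: new calls only
        return "forward"


if __name__ == "__main__":
    p = BorderPolicer()
    for i in range(14):                        # unregistered device floods REGISTERs
        print(i, p.handle("198.51.100.7", "REGISTER", 0.0))
    print(p.events)
```

Messages for dialogs already in progress (BYE, ACK, re-INVITEs within the policed budget) still pass when the SPU is over its threshold; only new INVITEs are refused, which is what makes the rejection graceful rather than a blanket drop.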
Cbeyond's SIP trunking service: BeyondVoice with SIPconnect

- Direct IP peering between SIP IP PBXs and Cbeyond's VoIP network
- Reduces equipment cost, provides DID for small customers, enables advanced IP capabilities like HD Voice, network-based call features, etc.
- SBC improves reliability by handling application server fail-over on behalf of the PBX
- Acme Packet SBCs protect Cbeyond's network from attack, hide topology and allow secure traversal of enterprise inbound calls using HNT
- Secure SIP signaling via TLS (soon)

Diagram labels: Enterprise, TLS, Signaling, Media, PSTN
Net-Net

- VoIP security threats are multi-dimensional and differ from data ones
- Focus on the threats' degrees of risk and impact to the network; from high to low risk: free services, Internet-connected ITSP, facilities-based hosted services, service provider peering
- A dedicated security element at the border must protect itself and the elements behind it
Acme Packet at a glance

- Creator of the Session Border Controller (SBC) category
- 56% market share (2006 revenue) and growing
- Over 420 customers in 81 countries
- Top tier customers worldwide: 23 of top 25, 76 of the top 100, 6 of top 10 North American MSOs
- Premier distribution partners: Alcatel-Lucent, Avaya, Ericsson, Italtel, Motorola, Nokia Siemens Networks, Nortel, Sonus
- 300+ employees in 22 countries
- Headquartered in Burlington, MA
- Public company (NASDAQ: APKT) w/ strong revenue growth, profits & balance sheet

Annual/YTD revenue ($M): 2003 $3.3 | 2004 $16.0 | 2005 $36.1 | 2006 $84.1 | H1 2007 $52.1