FreeSWITCH as a Kickass SBC. Moises Silva Manager, Software Engineering

Similar documents
Load Balancing FreeSWITCHes

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

ABC SBC: Secure Peering. FRAFOS GmbH

Comparative table of the call capacity of KMG 200 MS: Number of SBC calls Maximum TDM channels Total calls Bridge**

SIP security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, , Atlanta, GA (USA)

SBC Configuration Examples for Mediant SBC

Ingate SIParator /Firewall SIP Security for the Enterprise

Sangoma Session Border Controllers. Frederic Dickey Shaunt Libarian October 17, 2013

let your network blossom Orchid One Security Features

White Paper. SIP Trunking: Deployment Considerations at the Network Edge

ThinkTel ITSP with Registration Setup

ABC SBC: Securing the Enterprise. FRAFOS GmbH. Bismarckstr CHIC offices Berlin. Germany.

What is SIP Trunking? ebook

Allstream NGNSIP Security Recommendations

HIGH DENSITY MEDIA GATEWAY WITH MODULAR INTERFACES AND SBC. Comparative table for call capacities of the KMG SBC 750:

SBC Site Survey Questionnaire Forms

Session Border Controller

become a SIP School Certified Associate endorsed by the Telecommunications Industry Association (TIA)

FRAFOS ABC-SBC Generic SIP Trunk Integration Guide for ShoreTel 14.2

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0

Application Notes for Configuring Fonolo In-Call Rescue with Avaya IP Office Server Edition using SIP Trunks Issue 1.0

Patton Electronics Co Rickenbacker Drive, Gaithersburg, MD 20879, USA tel: fax:

SBC Deployment Guide Architecture Options and Configuration Examples

Technical White Paper for NAT Traversal

NEC: SIP Trunking Configuration Guide V.1

Microsoft Lync Server 2013 and Twilio SIP Trunk using AudioCodes Mediant E-SBC

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč

Open Mic Webcast. Jumpstarting Audio- Video Deployments Tony Payne March 9, 2016

The SIP School ~ Mitel Style [based on MCD4.0]

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

SBCs from Sangoma Flexibility, Ease of Use and an Unmatched ROI Simon Horton Director of Product Management

Configuration Note. Microsoft Lync Server 2013 & ITSP SIP Trunk using AudioCodes Mediant SBC. Interoperability Laboratory. Version 6.

Firewalls for Secure Unified Communications

Configuration Guide IP-to-IP Application

Microsoft Skype for Business Server 2015 and Flowroute SIP Trunk using AudioCodes Mediant E-SBC

Using the OpenSIPS b2bua

Unofficial IRONTON ITSP Setup Guide

SBC Configuration Examples

Unified Communication:

UNDERSTANDING FreeSWITCH CLUSTERING with OpenSIPS (done well) Giovanni Maruzzelli

LISTENING BY SPEAKING

Implementing SBC Firewall Traversal and NAT

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

Department of Computer Science. Burapha University 6 SIP (I)

One-Voice Resiliency. Branch Voice Resilience for Microsoft Skype for Business or Lync Server Environments and Skype for Business Online. Version 7.

Analysing Protocol Implementations

Broadvox Fusion Platform Version 1.2 ITSP Setup Guide

One-Voice Resiliency. Branch Voice Resilience for Microsoft Skype for Business or Lync Server Environments and Skype for Business Online. Version 7.

Installation & Configuration Guide Version 4.0

Configuration Note. AireSpring SIP Trunk & Genesys Contact Center using AudioCodes Mediant SBC. Session Border Controllers (SBC)

Configuration Note. Telenor SIP Trunk & Genesys Contact Center using AudioCodes Mediant SBC. Session Border Controllers (SBC)

One-Voice Resiliency with SIP Trunking

Microsoft Skype for Business Server 2015 and TELUS SIP Trunk using AudioCodes Mediant E-SBC

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013

Configuration Note Windstream SIP Trunk & Genesys Contact Center using AudioCodes Mediant SBC

[MS-ICE2]: Interactive Connectivity Establishment (ICE) Extensions 2.0

VoIP Security Threat Analysis

Advanced Computer Networks. IP Mobility

VPN-1 Power/UTM. Administration guide Version NGX R

Application Note Asterisk BE with SIP Trunking - Configuration Guide

Dialogic BorderNet 4000 Session Border Controller

WHITE PAPER. Session Border Controllers: Helping keep enterprise networks safe TABLE OF CONTENTS. Starting Points

OpenScape Session Border Controller V9

Configuration Note. Microsoft Lync Server 2013 & NextGenTel SIP Trunk using Mediant E-SBC. Enterprise Session Border Controllers (E-SBC)

Application Note Asterisk BE with Remote Phones - Configuration Guide

Microsoft Skype for Business Server 2015 and DTAG SIP Trunk using AudioCodes Mediant MSBR E-SBC

Configuration Note Microsoft Lync Server 2013 & tipicall SIP Trunk using Mediant E-SBC

Application Note Configuration Guide for ShoreTel and Ingate

Microsoft Skype for Business Server 2015 and ShoreTel UC System using AudioCodes Mediant E-SBC

AudioCodes OVR with SIP Trunking

Polycom RealPresence Access Director System

NAT (NAPT/PAT), STUN, and ICE

Teams Direct Routing. Configuration Checklists for BTIP and Business Talk SIP services. 28 january Teams Direct Routing AudioCodes Checklist 0.

SIP TRUNKING CARRIER CERTIFICATION OXE-SIP configuration

Application Notes for Configuring CenturyLink SIP Trunking with Avaya IP Office Issue 1.0

Configuration Note Microsoft Lync Server 2013 & Windstream SIP Trunk using Mediant E-SBC

Application Scenario 1: Direct Call UA UA

Abstract. Avaya Solution & Interoperability Test Lab

Unified Border Element (CUBE) with Cisco Unified Communications Manager (CUCM) Configuration Example

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

Realtime Multimedia in Presence of Firewalls and Network Address Translation

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Abstract. Avaya Solution & Interoperability Test Lab

Dialogic BorderNet Session Border Controller

Configuration Note Microsoft Lync Server 2013 & Netia SIP Trunk using Mediant E-SBC

Copyright and Trademark Statement

SESSION BORDER CONTROLLERS PRODUCT LINE

Category: Informational. Acme Packet A. Hawrylyshen Skype, Inc. M. Bhatia 3CLogic April 2010

Common Components. Cisco Unified Border Element (SP Edition) Configuration Profile Examples 5 OL

Aeonix & Ingate. Role in Enterprise

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Configure MiVoice Office SP1 with MBG for use with TelNet Worldwide SIP trunk services

Mediant E-SBC for BroadCloud SIP Trunk with Microsoft Skype for Business Server 2015

Frequently Asked Questions (Dialogic BorderNet 500 Gateways)

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Application Note. Microsoft OCS 2007 Configuration Guide

CyberP3i Course Module Series

Become a WebRTC School Qualified Integrator (WSQI ) supported by the Telecommunications Industry Association (TIA)

Installation & Configuration Guide Version 1.6

Configuration Note Microsoft Lync Server 2013 & BluIP SIP Trunk using Mediant E-SBC

Transcription:

FreeSWITCH as a Kickass SBC Moises Silva <moy@sangoma.com> Manager, Software Engineering

FreeSWITCH as a Kickass SBC Moises Silva <moy@sangoma.com> Manager, Software Engineering Moises Silva <moy@sangoma.com> Manager, Software Engineering

SBC: The Mythical Beast No precise technical definition Not standardized anywhere B2BUA or Proxy? Handles signaling or media? More of a marketing term than technical? 3

SBC: The Mythical Beast 4

SBC: The Mythical Beast Enterprise Network Internet PSTN IP-PBX Intranet SIP trunk S B C Internal Firewall External Firewall ITSP Telco DMZ SIP-Endpoints 5

SBC: The Mythical Beast Carrier SBC sits at the edge of service provider networks Enterprise SBC sits at the edge between customer and service provider 6

SBC: Definition Recently loosely described by RFC 5853 7

SBC: Definition Topology Hiding Media Traffic Management Fix capability mismatches SIP NAT Access Control Protocol Repair Media Encryption Threat protection (ie: DoS, Malformed packets) 8

Topology Hiding Hide the service provider or enterprise network implementation details Use of RFC 3323 (privacy) not enough B2BUA required in most cases 9

Topology Hiding INVITE before topology hiding 10

Topology Hiding INVITE after topology hiding 11

Topology Hiding in FreeSWITCH FreeSWITCH is a B2BUA Header manipulation using SIP dialplan variables Do not enable SDP pass-thru (bypass_media=true) 12

Topology Hiding Cons It is a B2BUA! Breaks end to end security mechanisms such as RFC 4474 Obviously no difference from a MITM attack 13

Media Traffic Management SBC may modify SDP to stay in media path Operators enforce the use of certain codecs Single point for audition (ie Lawful Interception) 14

Media Traffic Management SDP before media management 15

Media Traffic Management SDP after media management Session attribute removed enforcing a policy 16

Media Traffic Management Allows operators to use different billing model according to the media type (Voice, Video, Text) Fix lost or ignored BYE issue QoS based routing 17

Media Traffic Management in FreeSWITCH Flexible codec configuration in SIP profiles or dialplan Media timeout via SIP profile configuration or channel variable rtp_timeout_sec Flexible SDP manipulation thru variables 18

Media Traffic Management in FreeSWITCH Set codec preferences SDP manipulation 19

Media Traffic Management in FreeSWITCH Use record_session for local recordings Use oreka_record to send media to recording server (pending merge on official git repo) git@github.com:moises-silva/freeswitch.git 20

Media Traffic Management in FreeSWITCH G.722 SIP UA G.729 FreeSWITCH SIP UA G.711 Oreka Recording Server (orkaudio) 21

Media Traffic Management Cons Increase length of media path SBC must be aware of all types of media, slowing adoption of new media features 22

Fix Capability Mismatches Allow interconnection of user agents with different capabilities (ie: codecs) IPv4 to IPv6 internetworking SIP over UDP to TCP etc 23

Fix Capability Mismatches in FreeSWITCH Virtually every codec in the industry HD voice codecs such as G.722 and Siren 7 Hardware transcoding available 24

Fix Capability Mismatches in FreeSWITCH SIP over UDP/TCP/TLS IPv4 and IPv6 support 25

Fix Capability Mismatches G.729 / TLS / IPv6 SIP UA G.711 / UDP / IPv4 FreeSWITCH PRI GW 26

SIP NAT Detect when a UA is behind NAT Help maintain NAT bindings alive Provides a publicly reachable IP address 27

SIP NAT in FreeSWITCH Automatic RTP adjustment when media comes from different address than advertised on SDP Aggressive NAT detection STUN and ICE support 28

Access Control It s all about control, yes, sys admins are control freaks The network edge of the operator or enterprise is a convenient place to enforce policies All SIP and RTP traffic to/from a single point (the SBC) 29

Access Control in FreeSWITCH Flexible ACL configuration available mod_limit for call rate and general resource limiting per IP or realm Distributed limits across servers 30

Protocol Repair The world isn t perfect, broken devices are everywhere Not feasible to throw all broken equipment to the garbage (that d be too easy wouldn t it?) 31

Protocol Repair in FreeSWITCH Allows matching and fixing of SIP header values Allows modifying SDP contents Not always possible, SIP stack may discard messages if deemed malformed (ie FUBAR) 32

Media Encryption Desirable to perform encryption on public network Internal network may need un-encrypted media (ie, lawful interception, endpoints without SRTP support) 33

Media Encryption in FreeSWITCH TLS / SRTP support ZRTP / SRTP support 34

Threat Protection DoS Malformed and/or malicious packets SIP REGISTER scans (ie: sipvicious) SIP INVITE scans 35

Threat Protection for FreeSWITCH DoS limitation using iptables hashlimit (Kristian s famous script) iptables hashlimit does not work on TLS obviously iptables hashlimit does not help with malformed packets 36

Threat Protection for FreeSWITCH Fail2ban for registration scans Depends on log line format, good enough? mod_fail2ban makes things easier (by kyconquers on github) 37

Threat Protection Use SIP ACLs Even trusted networks can become compromised IP spoofing on UDP traffic makes things complicated 38

Sofia Limits Extension to mod_sofia to specify SIP message limits, per host optionally (no ACL yet ) Uses mod_hash (or any limit interface) to keep track of messages Launch ESL event when limit is exceeded Malformed packets are accounted for as well 39

Sofia Limits 40

Conclusion Yes, SBCs get in the way, and that s a useful and desirable feature in some businesses FreeSWITCH core foundations go a long way in implementing most common SBC features 41

THANK YOU. 42

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback