WIXLIB

Secure All-IPTelephonyNetwork protection is serious business. Anywhere there’s ahole in a network security “fence” or “gate” some snooper,hacker or toll-fraud thief is going to find it. A good, solidnetwork protection strategy builds a series of security“gates” at multiple layers within the OSI model.

ContentsIntroduction.3Trojans .3Authored byW. Glendon FlowersProduct Marketing ManagerPatton Electronics Co.Multi-Layered Strategy .3Layer One: Physical .4Layer Two: Frame Layer .4Layer Three: Network (IP/Packet) Layer .4Layer Four: Transport Layer.5Layer Five: Session Layer .6Layer Six: Presentation .6Marc AeberhardProduct Line Manager,Patton Electronics Co.Patrick RamerChief Software Engineer,Patton Electronics Co.Layer Seven: Application .6Operating System Security.7Conclusion .7Copyright 2018,Patton Electronics Company.All rights reserved.About Patton.8About the authors .8Printed in the USA.2

IntroductionVoice-over-IP technology has given birth to severaldaughters: unified communications, SIP trunking,hosted (IP) PBX and cloud telephony. These developments offer features that boost workforce productivity along with streamlined, flexible network architectures and reductions in capital expenses (CapEx)and operating costs (OpEx). Unfortunately, the ALLIP revolution has a downside. Converged communication networks widen the attack surface for malicious players on the Internet. IP telephony opens theenterprise network to such vulnerabilities as tollfraud, denial of service (DoS) and distributed denialof service (DDoS) attacks, among others.“Ultimately, it’s the very flexibility that makes VoIP systems so appealing that also makes them vulnerable;businesses that adopt VoIP as a communications standard need to consider implementing additional securitypractices to keep business data secure.”The eSBC reduces the attack surface of the enterprisenetwork systems by creating a “choke point” that prevents intruders from sending unauthorized data orextracting valuable or sensitive data from a network.“The attack surface of a software environment is the sumof the different points (the “attack vectors”) where anunauthorized user (the “attacker”) can try to enter data toor extract data from an environment. Keeping the attacksurface as small as possible is a basic security measure.”— WikipediaTo ensure the enterprise local area network (LAN) isprotected against security threats, we need mechanisms at various layers of the InternationalOrganization for Standardization (ISO) Open SystemsInterconnection (OSI) model for network communication (see figure 1). Because, anywhere there’s a hole ina network security “fence” or “gate” some snooper,hacker or toll-fraud thief is likely to find it.– Larry AltonTrojansWith toll fraud, the company may never notice theintrusion until the exorbitant phone bill comes in. WithDoS/DDoS the loss of network resources is quicklyapparent, yet the disruption of business operations iscostly, and may take hours or days to resolve.Network protection is serious business. You want tosecure your ALL-IP network systems against all manner of hackers, snoopers, malicious intruders and thelike. That’s what this white paper is about: networksecurity for enterprise-class IP telephony.This paper proposes an enterprise network security solution for SIP (session initiation protocol)based VoIP telephony with SIP trunking servicedelivered by an Internet telephony serviceprovider (ITSP). The solution relies on an enterprise session border controller (eSBC) installedas customer premise equipment (CPE) at the subscriber location.For starters, you don’t want any Trojans hiding inyour VoIP equipment. Recently, the news has beenabout gear from “certain countries” contains backdoors that allow snooping and hacking into your network. We don’t like that. So, let’s start with choosingreliable, high-quality manufacturer located in a trusted country. No Trojans.Multi-Layered StrategyA good, solid network protection strategy builds aseries of security “gates” at multiple layers withinthe OSI model. Each and every sender must clearall the gates before being admitted to the enterprise LAN and VoIP network.So, as we outline our network-protection (security)strategy, which will be implemented in an eSBCdevice, let’s start at the bottom of the seven-layerOSI model and work our way up.3

As figure 1 shows, the Access Control List (ACL)provides security/firewall functions that span threeof the OSI layers: 2) Frame, 3) Packet, and 4)Transport, which we will discuss in layer-by-layerdetail below.“Phone fraud is a multi-million dollar industry that crosses international and industry borders. Attackers targetcall centers, as well as consumers, in attempts to gainaccess to funds, steal merchandise, and phish for identities. Phone fraud is now so prevalent that the averageenterprise call center is exposing more than 9 millioneach year to fraud.”– Pindrop SecurityLayer One: PhysicalInterface Activation/De-activation. At the mostbasic level unwanted access to the network via aphysical interface must be prevented. This meansany ports on the eSBC that are intended for futureactivation (not currently intended for active use)should be disabled—that is configured as out-ofservice. The eSBC must provide such configurationcapability.Layer Two: Frame LayerACL MAC filtering. One aspect of the ACL is filteringon the Media Access Control (MAC) address. TheMAC address is a device identifier at the Ethernetframe layer. Defining known and trusted Ethernetdevices—hardwareSIP phones, software SIPphones on PCs and laptops, skype-for-business(S4B) endpoints and other unified communications(UC) clients endpoints—provides a way to blockunknown (suspicious) devices from entering theenterprise LAN and wreaking havoc.Layer Three: Network (IP/Packet)LayerACL IP filtering. The access control list supportsfiltering by Internet Protocol (IP) addresses.Trusted (friendly) and suspicious or known malicious IP addresses are called out and eitherblocked or allowed accordingly.ACL call initiation filtering. Another ACL featurethat may be configured involves blocking voicetraffic associated with calls that were not initiatedby a SIP endpoint within the enterprise LAN or thetrusted remote peer, the ITSP Domain or IP.Trusted Networks. Only trusted networks areallowed: Using virtual private network technology(VPN), remote networks can securely be grantedaccess to the phone service provided by the ITSP.Overload protection. To prevent DOS/DDOSattacks, the maximum packet volume thresholdFigure 1: eSBC security gates presented according to OSI layer4

Figure 2: Mapping VoIP protocols to the ISO OSI Modelcan be specified in the eSBC device configuration.When the threshold is exceeded, further incomingtraffic is blocked until the volume returns to a normal expected level. This function prevents a totalbreakdown of the enterprise network.passwords. Once the attacker has access to theaccount, they may use it to make or resell unauthorized calls. The attacker may also use the access toconduct a voice phishing (vishing) campaign. Portblocking can obviate such attacks.Layer Four: Transport LayerPort Blocking. For voice over IP (see figure 2),we’re talking about the session initiation protocol(SIP) protocol data unit (PDU), which is encapsulated in a User Datagram Protocol (UDP) orTransmission Control Protocol (TCP) in the transportlayer. UDP or TCP ports exploited by malicious entities (notably 5060 and 5061) can be blocked.Attackers often use these ports to locate a weaklyconfigured IP PBX system and brute-force SIP“Toll fraud, which is sometimes called VoIP fraud, is whena hacker is able to access your phone system and makefraudulent long distance calls from your account. Longdistance per-minute charges add up fast. According to asurvey conducted by the Communications Fraud ControlAssociation (CFCA), a whopping 46.3 billion in losseswere attributed to toll fraud in 2013 alone.”— Bruce Brownlee, Callforwarding.com5

Encryption: A fully secure eSBC solution employsdata encryption for both the signaling informationand the encoded media (voice). Transport Layer Security (TLS) encrypts thesignaling (header information) of the SIP PDU.The encryption prevents invasive parties fromcapturing calling or called party information formalicious purposes. The encryption also aids inpreventing address spoofing.Secure Real-time Transport Protocol (SRTP)encrypts the digital media enclosed in the RTPPDU (RFC 3550). The encryption prevents snooperand hackers from listening in on sensitive voicecalls and exploiting that information. SRTP usestwo types of keys: session keys for the content andmaster keys like the lock on your door.Stateful Firewall: This function ensures incomingtraffic is only accepted once the connection has beeninitiated. Your business is your castle. Who wants tocome in? Is your drawbridge up or down? Traffic maybe allowed or disallowed based on the state of thetransport connection. Connection Established? Gateopen. Connection Terminated? Gate closed.With the help of a B2BUA this functionality can beleveraged at the application level. See B2BUA in section Layer Seven: Application.Layer Five: Session LayerThe SIP protocol per se (RFC 3261) lives in thesession layer. There is a rich set of mechanismsdefined with in the SIP standard that can be leveraged to prevent toll fraud and DOS/DDOS attacks. SIP Authentication—Username / Passwordauthentication ensures only valid and legitimatecallers can initiate a SIP call. Here’s how theprocess works:1) A User Agent Client (UAC) sends a SIP message to a User Agent Server (UAS)2) The UAS responds back with a 4xx challengeresponse3) A UAC uses data in the 4xx challengeresponse to encrypt his or her identity credentials (e.g. telephone password)4) The UAC resends the SIP message with theencrypted credentialsThis four-step process ensures that only authenticated messages are sent to SIP applications forprocessing. Messages that don’t pass authentication are discarded. SIP-Trust-Remote—A list of trusted remotepeers can be configured for each SIP interfaceon the eSBC device. The trusted peers list maybe specified using IP addresses or fully qualifieddomain names (FQDNs). When this mechanismis set up, connection requests from peers notincluded in the list will be rejected. Requests sentfrom not trusted hosts receive a SIP 503 ServiceUnavailable response from the eSBC. SIP-Peer-Flood prevent—When a DOS/DDOSattack is indicated by the network layer, SIP messages are rejected until the threat is cleared.Layer Six: PresentationThis is where the coder-decoder (CODEC), whichconverts analog voice to ones and zeroes (digitalvoice packets(/RTP), is specified. Common codecs,such as G.711, G.722 and G.729, are well known.Part of a good security policy at this layer involvesblocking as suspicious any traffic that employs an“odd”, unusual, or unrecognized CODEC.Layer Seven: ApplicationProvisioning/Configuration—Access to the CPEdevice for provisioning and configuration is restricted to known and approved customer accounts withauthenticated credentials. User names and passwords are encrypted. In addition, TFTP and Telnetaccess to the device can be enabled or restricted toprevent unwanted penetration.6