Session Border Control and Security, Part 2: Protecting the Quarterback
Posted on Mon, Dec 05, 2011 @ 12:04 PM
By Bob Bradley, Product Line Manager, Security Solutions at Sonus Networks
Just as an offensive lineman in football must protect the quarterback at the line of scrimmage, a Session Border Controller (SBC) must protect core network elements at the network’s edge. And just as in football, an SBC’s opponents have a multitude of defensive plays in their book, ranging from blitzes of brute force (e.g., a Denial of Service attack) to sneakier strategies (e.g., Rogue RTP attacks). To mitigate these plays, SBCs have six different counterdefensive moves that they can use to guard the border from all opposing forces:
- Topology hiding
- Access control
- DoS/DDoS protection
- Signaling and media encryption
- Fraud protection
- SIP normalization
Counterdefensive Move #1: Topology Hiding
To protect the IP identities of the network elements (i.e., their IP addresses), a secure network hides those addresses from the outside world. This defensive move, known as topology hiding, is a common practice of both SBCs and firewalls. Topology hiding presents a unique challenge for SIP session communications, however, because SIP sessions require a direct connection to a specific IP address for a period of time. Fortunately, SBCs have a workaround to this problem, known as Network Address Translation (NAT) or Network Address Port Translation (NAPT) traversal—but an explanation of how that works is a discussion for another day.
From a protection standpoint, an SBC hides the network topology by acting as a back-to-back user agent (B2BUA). Sonus SBCs, including both the NBS9000 and NBS5200 SBC, can perform this B2BUA role in one of two ways: as a De-Militarized Zone (DMZ) Host or as a Bastion Host.
Dealing with Zone Coverage: The Sonus SBC in a DMZ Host Configuration
In this configuration, the Sonus SBC acts as a DMZ host and uses the local IP routers (where the Access Control List is often stored) to perform the filtering functions of a dedicated DMZ router. This combination of DMZ router and DMZ host provides a layered security model that reduces the risk of increased latency and/or jitter that often occurs with standalone firewall solutions. The SBC/router tandem also permits other services, such as media transcoding, to share the physical packet-peering connection.
Dealing with Man-to-Man Coverage: The Sonus NBS in a Bastion Host Configuration
In this configuration, one set of Sonus NBS packet interfaces supports external connectivity to/from the trusted network, while a physically separate set of interfaces supports external connectivity to/from the untrusted network. The external interfaces will generally employ public IP addresses to avoid any risk of overlapping with a peering partner's numbering plan. Since the Sonus NBS is explicitly aware of the traffic associated with each interface, it can apply different and more rigorous security policies to packets that originate from untrusted sources.
Counterdefensive Move #2: Access Control Lists
To protect the network from excessive and/or unnecessary traffic, an SBC should utilize packet rate limiting at the IP layer. This rate limiting is usually based on IP Access Control Lists (ACLs), which control the whitelisting and blacklisting of peer networks. (Sonus SBCs also perform dynamic whitelisting of specific endpoints based on their registration status in the network.) Much like a screen play in football, the SBC will use the information in the ACLs to either discard packets from blacklisted sources or accept packets from whitelisted sources. In order to match packets with the correct source in the ACL, the SBC will examine the following packet information:
- Address Context, LIF Group, LIF ID
- Protocol (e.g., UDP, TCP, ICMP), Source IP address (IPv4 and IPv6) + network prefix length, source transport port
- Destination IP address (IPv4 and IPv6) + network prefix length
- Destination transport port
Counterdefensive Move #3: DoS/DDoS Protection
Denial of Service (DoS) and Distributed DoS (DDoS) attacks can freeze a network faster than a pair of 300-lb pass rushers. Sonus SBCs identify and block DoS/DDoS attacks by matching traffic against ACLs in real time (and discarding traffic that matches blacklisted parameters), policing traffic for each zone based on priority and capacity, and using micro-policers to examine application-to-application packet flows.
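To make the ACL matching in Move #2 and the per-entry policing in Move #3 concrete, here is an added Python example (not Sonus code): rules keyed on the protocol, source/destination prefix and port fields listed above, first match wins, blacklisted sources are discarded, unlisted sources are denied by default, and whitelisted entries are rate-limited with a token bucket. The rules, addresses and packets are constructed for the example, and the Sonus-specific Address Context/LIF fields are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class AclRule:
    """One ACL entry keyed on the packet fields the post lists (LIF fields omitted)."""
    protocol: str                    # "UDP", "TCP", "ICMP" or "*" for any
    src_prefix: str                  # source IP + prefix length, e.g. "203.0.113.0/24"
    dst_prefix: str                  # destination IP + prefix length
    src_port: Optional[int]          # None matches any port
    dst_port: Optional[int]
    action: str                      # "whitelist" or "blacklist"
    pps_limit: Optional[int] = None  # policer: packets per second allowed for this entry

    def matches(self, pkt: dict) -> bool:
        return (self.protocol in ("*", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src_prefix)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst_prefix)
                and self.src_port in (None, pkt["sport"])
                and self.dst_port in (None, pkt["dport"]))

class AclPolicer:
    """First matching rule wins; whitelisted traffic is then policed with a token bucket."""
    def __init__(self, rules):
        self.rules = rules
        self.buckets: Dict[int, Tuple[float, float]] = {}   # rule index -> (tokens, last seen)

    def decide(self, pkt: dict, now: float) -> str:
        for i, rule in enumerate(self.rules):
            if not rule.matches(pkt):
                continue
            if rule.action == "blacklist":
                return "discard"
            if rule.pps_limit is None:
                return "accept"
            tokens, last = self.buckets.get(i, (float(rule.pps_limit), now))
            tokens = min(rule.pps_limit, tokens + (now - last) * rule.pps_limit)
            if tokens >= 1:
                self.buckets[i] = (tokens - 1, now)
                return "accept"
            self.buckets[i] = (tokens, now)
            return "police"      # over the allowed rate: dropped, core stays protected
        return "discard"         # default deny: peers not on the whitelist get nothing

# Constructed rules: one blacklisted peer network, one whitelisted SIP trunk at 2 packets/s.
RULES = [
    AclRule("*", "198.51.100.0/24", "0.0.0.0/0", None, None, "blacklist"),
    AclRule("UDP", "203.0.113.0/24", "192.0.2.10/32", None, 5060, "whitelist", pps_limit=2),
]

def pkt(src, dst="192.0.2.10", proto="UDP", sport=5060, dport=5060) -> dict:
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
```

Feeding the same whitelisted source three packets in the same second shows the third one policed, and a second later the bucket has refilled.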
Counterdefensive Move #4: Signaling and Media Encryption
To ensure the security and integrity of SIP communications as they enter and exit the network, an SBC must encrypt both the signaling packets (using TLS and/or IPsec) and the media packets (using SRTP). This is much like a quarterback changing signals and plays at the line of scrimmage to confuse the defensive players. When setting up a SIP session, X.509-based digital certificates can also be used for strong endpoint authentication (think of it as a “hard count”). Given the growing need for secure communications, Sonus SBCs feature a unique architectural design that performs much of the signaling and media encryption using dedicated hardware and processors within the SBC device itself, so that encryption does not affect other aspects of SBC performance such as call processing or transcoding.
Counterdefensive Move #5: Fraud Protection
Like the strong safety who suddenly blitzes, not everyone in the world of SIP communications is who they appear to be. Rogue RTP streams are an example of this: media that comes from a non-trusted source masquerading as a trusted source. Why would anyone do this? To steal bandwidth, get network services without paying for them, or to sneak malware into your network. Fortunately, SBCs protect against Rogue RTP streams through a combination of encryption, endpoint authentication and traffic policing.
Counterdefensive Move #6: SIP Normalization
Just as every football team has its own audible codes, each SIP device manufacturer seems to have its own way of “speaking” SIP. To correctly understand and interpret the SIP messages from peer networks and multivendor network equipment, SBCs should provide robust SIP interoperability. Sonus SBCs use SIP Message Manipulation (SMM) to manipulate SIP headers and parameters and normalize the SIP conversation between different devices. In this way, a “SIP of the tongue” doesn’t prevent SBCs from doing their job of accurately policing and protecting the network.
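The B2BUA topology hiding from Move #1 and the SMM-style header manipulation from Move #6 both come down to rewriting SIP headers on the leg that leaves the SBC. The added Python example below (not Sonus code, and not how SMM rules are actually configured) builds the outbound leg of a constructed INVITE: internal Via and Record-Route hops are dropped, Contact and Call-ID are replaced with the SBC's own, internal host parts in identity headers are rewritten, and a vendor-specific header name is mapped onto the one the peer expects. The 10.x.x.x addresses, the SBC address 203.0.113.10 and the header rename are assumptions for the example.

```python
import re
import secrets
from typing import Dict, List, Tuple
Header = Tuple[str, str]

# Constructed sample INVITE from the trusted side. The 10.x.x.x addresses stand in
# for core elements whose identities must not leak to the peering partner.
INTERNAL_INVITE = (
    "INVITE sip:+15551234567@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/UDP 10.1.2.4:5060;branch=z9hG4bK887\r\n"
    "From: <sip:alice@10.1.2.3>;tag=1928301774\r\n"
    "To: <sip:+15551234567@203.0.113.10>\r\n"
    "Call-ID: a84b4c76e66710@10.1.2.3\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.1.2.3:5060>\r\n"
    "Record-Route: <sip:10.1.2.4;lr>\r\n"
    "P-Preferred-Identity: <sip:+15557654321@10.1.2.3>\r\n"
    "Content-Length: 0\r\n\r\n")

def parse_sip(msg: str) -> Tuple[str, List[Header]]:
    """Split a SIP request into its request line and an ordered (name, value) list."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    return lines[0], [tuple(p.strip() for p in ln.split(":", 1)) for ln in lines[1:]]

def hide_topology(headers: List[Header], sbc_host: str, sbc_port: int,
                  new_call_id: str) -> List[Header]:
    """B2BUA outbound leg: every internal address is replaced by the SBC's own."""
    branch = "z9hG4bK" + secrets.token_hex(6)
    out: List[Header] = [("Via", f"SIP/2.0/UDP {sbc_host}:{sbc_port};branch={branch}")]
    for name, value in headers:
        if name in ("Via", "Record-Route"):
            continue                               # internal hop path never leaves the SBC
        if name == "Contact":
            value = f"<sip:{sbc_host}:{sbc_port}>"  # in-dialog requests come back to the SBC
        elif name == "Call-ID":
            value = new_call_id                    # second leg gets its own dialog identifier
        else:                                      # identity headers: rewrite the host part only
            value = re.sub(r"@10\.\d+\.\d+\.\d+", "@" + sbc_host, value)
        out.append((name, value))
    return out

def normalize(headers: List[Header], rename: Dict[str, str]) -> List[Header]:
    """SMM-style manipulation: map vendor-specific header names onto the peer's dialect."""
    return [(rename.get(name, name), value) for name, value in headers]

def serialize(request_line: str, headers: List[Header]) -> str:
    return request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"

def outbound_leg(msg: str, sbc_host: str = "203.0.113.10", sbc_port: int = 5060) -> str:
    line, hdrs = parse_sip(msg)
    hdrs = hide_topology(hdrs, sbc_host, sbc_port, secrets.token_hex(8) + "@" + sbc_host)
    return serialize(line, normalize(hdrs, {"P-Preferred-Identity": "P-Asserted-Identity"}))
```

Running `outbound_leg(INTERNAL_INVITE)` yields a message in which no 10.x.x.x address survives and the peer sees only the SBC as the far end of the call.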
As you can see, with an SBC on the job, our network should have no trouble connecting with the end zone on every call. But who’s got the SBC’s back? Find out in our next team walkthrough.