TRANSCRIPT
Begins - 1:00 ET/12:00 CT/11:00 MT/10:00 PT
Today’s Topic: The Top Five Reasons You Need an SBC!
Presenter: Dwight Reifsnyder, Convergence Systems Engineer
Let’s Take a Tour of Your Screen
Copies and Replay Information!
Hard Copies of Today’s Presentation
Recorded Replay Available
Please contact your NACR Representative. If you do not have one, you may email
Valerie Rodriguez @ [email protected].
Visit www.nacr.com – click on the Education tab.
Today’s Replay will be available starting Friday after 3 PM Central
Stay Tuned!
Coming in February:
Information from ConvergeOne Capital
The Center of Excellence Training
E-SBC Installation and Administration (Course # CE025ILT)
System Manager & Session Manager (SMGR) (Course # CE021ILT)
More info and registration Available: www.nacr-coelearning.com
Questions? email: [email protected]
Enterprise Session Border Controller: Five Reasons Why You Need an SBC
Could this be your network?
- Al Qaeda-Linked Group Steals Hundreds of Thousands from NY Businesses with Toll Fraud Attacks (Jan 2013)
- Vishing Scams Claim $11 Million Euros in the UK Alone (August 2013)
- DDoS for hire vendor starts offering TDoS attack capabilities: “..operates 24/7, and promises 100% anonymity. It charges $20 for one hour of DDoS attack, $50 for a day, and $500 for one week” (Oct 2013)
- Hacker toured dozens of global conference rooms using common videoconferencing equipment. Easily hacked several top venture capital, law firms, pharmaceutical and oil companies…(and) the Goldman Sachs boardroom. Videoconferencing systems were designed with visual and audio clarity in mind, not security (January 2012)
- DoS Attackers Turn from Websites to Phones: "New attacks on mobile devices are targeting executives of companies. It's not to steal money, it's to steal corporate information and manipulate the stock price.” (May 2013)
- DHS Warns of ‘TDoS’ Extortion Attacks on Public Emergency Networks (April 2013)
- ReMax office owner hit by toll fraud, $600,000 bill (May 2013)
- Sheriff’s Office Taken Down by TDoS Attack (May 2013)
What Does an SBC Actually Do?
SBC Basic SIP Trunking Functions
  0.1 - Entity/Flow Based Access Control
  0.b - Status Monitoring with Automatic Failover
  1 - SIP Feature Support (Internetworking)
  2 - Security BCP Topology Hiding
  3 - Packet and Protocol Inspection and Correction
  4 - Scenario Specific Message Manipulation
  5 - In Dialog Message Interception/Redirection
Real Life Examples
0.1) Entity/Flow Based Access Control
Digital War Dialing
Entity/Flow Based Access Control
Trusted Server Configuration: IP / Protocol / Port
Server Based Flow: Server Configuration, Interface
0.b) Status Monitoring with Automatic Failover
Verizon’s Alternate Route Recovery Service (VARRS)
  o “VARRS provides a business continuity option for VoIP IP Trunking and VoIP IP Integrated Access in which Company provisions mirrored capacity in secondary geographically-diverse Session Border Controller (SBC) High Availability (HA) Pairs serving Customer’s enterprise. This feature will permit Customer to route inbound and outbound traffic through a redundantly-provisioned backup Company SBC HA Pair in the event of an outage on the primary Company SBC HA Pair, or an outage affecting Customer’s facilities or equipment that necessitates secondary routing.”
Status Monitoring with Automatic Failover
OPTIONS messages for Heartbeat
Multiple Routes in Profile
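The OPTIONS heartbeat and the multiple-routes profile above, as an added example that is not from the slides or from any SBC product: a monitor that pings each configured trunk route with OPTIONS, counts missed or failed heartbeats, and hands calls to the next route in priority order once the primary has missed three in a row. The route addresses, the failure threshold and the canned carrier responses are constructed for the example; a real deployment would send the request over UDP/TCP/TLS and treat a socket timeout as the None return used here.

```python
"""Added example: OPTIONS heartbeat with automatic failover between trunk routes."""
import re
from typing import Callable, Optional

# Constructed trunk routes in priority order (RFC 5737 documentation addresses).
ROUTES = [
    ("primary",   "203.0.113.10", 5060),
    ("secondary", "203.0.113.20", 5060),
]

def build_options(host: str, port: int, cseq: int, local_ip: str = "198.51.100.5") -> str:
    """Minimal RFC 3261 OPTIONS request used as a trunk heartbeat."""
    return (
        f"OPTIONS sip:{host}:{port} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_ip}:5060;branch=z9hG4bK-hb{cseq};rport\r\n"
        f"Max-Forwards: 70\r\n"
        f"From: <sip:ping@{local_ip}>;tag=hb{cseq}\r\n"
        f"To: <sip:ping@{host}>\r\n"
        f"Call-ID: heartbeat-{cseq}@{local_ip}\r\n"
        f"CSeq: {cseq} OPTIONS\r\n"
        f"Content-Length: 0\r\n\r\n"
    )

_STATUS = re.compile(r"^SIP/2\.0 (\d{3}) ")

def response_is_healthy(response: Optional[str]) -> bool:
    """A route is up if the peer answered with anything below 5xx.  A 4xx such as
    405 Method Not Allowed still proves reachability; silence (None) or a
    5xx/6xx counts as a missed heartbeat."""
    if response is None:
        return False
    m = _STATUS.match(response)
    return bool(m) and int(m.group(1)) < 500

class RouteMonitor:
    def __init__(self, routes, max_failures: int = 3):
        self.routes = list(routes)
        self.max_failures = max_failures
        self.failures = {name: 0 for name, _, _ in self.routes}
        self.cseq = 0

    def poll(self, send: Callable[[str, int, str], Optional[str]]) -> None:
        """One heartbeat cycle: `send` delivers the request and returns the raw
        response text, or None on timeout."""
        for name, host, port in self.routes:
            self.cseq += 1
            resp = send(host, port, build_options(host, port, self.cseq))
            if response_is_healthy(resp):
                self.failures[name] = 0
            else:
                self.failures[name] = min(self.failures[name] + 1, self.max_failures)

    def is_up(self, name: str) -> bool:
        return self.failures[name] < self.max_failures

    def select_route(self) -> Optional[str]:
        """Highest-priority route that has not hit the failure threshold."""
        for name, _, _ in self.routes:
            if self.is_up(name):
                return name
        return None

# Constructed stand-ins for the carrier's SBC pair: a host missing from the
# table never answers (timeout); the others return the canned response.
OK_RESPONSE = "SIP/2.0 200 OK\r\nCSeq: {cseq} OPTIONS\r\nContent-Length: 0\r\n\r\n"
DOWN_RESPONSE = "SIP/2.0 503 Service Unavailable\r\nCSeq: {cseq} OPTIONS\r\nContent-Length: 0\r\n\r\n"

def make_sender(behaviour: dict) -> Callable[[str, int, str], Optional[str]]:
    def send(host: str, port: int, request: str) -> Optional[str]:
        canned = behaviour.get(host)
        if canned is None:
            return None
        cseq = request.split("CSeq: ")[1].split(" ")[0]
        return canned.replace("{cseq}", cseq)
    return send

def simulate_failover() -> list:
    """Primary answers for two cycles, goes silent for three, then returns;
    report which route would carry calls after each cycle."""
    mon = RouteMonitor(ROUTES)
    both_up = make_sender({"203.0.113.10": OK_RESPONSE, "203.0.113.20": OK_RESPONSE})
    primary_silent = make_sender({"203.0.113.20": OK_RESPONSE})
    chosen = []
    for sender in (both_up, both_up, primary_silent, primary_silent, primary_silent, both_up):
        mon.poll(sender)
        chosen.append(mon.select_route())
    return chosen

if __name__ == "__main__":
    print(simulate_failover())
```

The threshold matters: failing over on a single missed OPTIONS makes a lossy link flap between routes, while too high a threshold leaves calls going to a dead trunk for several heartbeat intervals.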
1) SIP Feature Support (Internetworking)
The SIP Interoperability Testbed
“SIPit is organized by the SIP forum and led by Robert Sparks, one of the engineers in the IETF. At SIPit we test both the base SIP standard, as documented in RFC 3261, and the new additions, like SIP Outbound, SIP identity, GRUU and ICE. We have phones, proxies, conference bridges, session border controllers and all kinds of devices as well as SIP stacks under development. We have a gentleman’s agreement not to reveal anything else than generic test results. I can’t use Facebook and say ‘ha ha, Saul’s new SIP server sucks!’. This leads to a very open and helpful environment.”
http://www.voip-forum.com/sip/2013-01/sipit30/
Feature Support Internetworking
Early Media Options
One Way Media
Fax Relay
2) Security BCP Topology Hiding
The Value of an IP Address:
“an IP itself will not let you break into a computer, but it is necessary to launch an attack and can reveal information about the user”
https://www.hackthissite.org/forums/viewtopic.php?f=24&t=6970&start=10&sid=d28fe5d2e3e713ccfb10e4bc072c9087
Security BCP Topology Hiding
Internal Domains/IP numbers are hidden
(Screenshot: internal address 10.192.172.10 is presented to the outside as 33.44.140.121)
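The rewrite behind that slide, as an added example that is not from the slides or any SBC product: the SBC acts as a back-to-back user agent on an INVITE leaving the enterprise, replacing the internal Via stack with one Via of its own, dropping Record-Route and vendor-identifying headers, and substituting the external address and public domain in every remaining header and in the SDP. The internal/external pair is an assumption modelled on the slide (10.192.172.x inside, 33.44.140.121 outside); the domain names, the list of dropped headers and the sample INVITE are constructed, and the SDP rewrite assumes the SBC anchors media. The leak check at the end is the test a practitioner should run against a real capture.

```python
"""Added example: topology hiding on an outbound INVITE, plus a leak check."""
import re

HOST_MAP = {                           # internal host -> what the outside world sees
    "10.192.172.10": "33.44.140.121",
    "10.192.172.11": "33.44.140.121",
    "cm.corp.internal": "sip.example.com",
}
EXTERNAL_IP = "33.44.140.121"
# Headers the far side does not need that reveal vendor, version or internal routing.
DROP_HEADERS = {"record-route", "route", "user-agent", "server", "organization"}

def _host_pattern(hosts) -> re.Pattern:
    # Longest first so 10.192.172.10 is never matched as a prefix of something longer.
    alts = "|".join(re.escape(h) for h in sorted(hosts, key=len, reverse=True))
    return re.compile(rf"(?<![\w.-])(?:{alts})(?![\w.-])")

HOST_RE = _host_pattern(HOST_MAP)

def _translate(text: str) -> str:
    return HOST_RE.sub(lambda m: HOST_MAP[m.group(0)], text)

def hide_topology(msg: str, branch: str = "z9hG4bK-sbc1") -> str:
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [lines[0]]                   # Request-URI already names the carrier; leave it
    via_written = False
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in ("via", "v"):
            # A B2BUA starts a new transaction: one Via of its own replaces the internal stack.
            if not via_written:
                out.append(f"Via: SIP/2.0/UDP {EXTERNAL_IP}:5060;branch={branch}")
                via_written = True
            continue
        if key in DROP_HEADERS:
            continue
        if key == "content-length":
            continue                   # recomputed below, the body may change length
        # From/To/Contact/PAI/Call-ID etc.: swap internal hosts for external ones.
        out.append(f"{name.strip()}: {_translate(value.strip())}")
    body = _translate(body)            # SDP o=/c= lines (media anchored at the SBC)
    out.append(f"Content-Length: {len(body)}")
    return "\r\n".join(out) + "\r\n\r\n" + body

def leaked_hosts(msg: str) -> list:
    """Internal names or addresses still visible anywhere in the message."""
    return sorted(set(HOST_RE.findall(msg)))

# Constructed sample: what Session Manager hands the SBC for an outbound call.
INTERNAL_INVITE = (
    "INVITE sip:12125550100@carrier.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 10.192.172.10:5061;branch=z9hG4bK-sm1\r\n"
    "Via: SIP/2.0/TCP 10.192.172.11:5061;branch=z9hG4bK-cm1\r\n"
    "Record-Route: <sip:10.192.172.10:5061;lr>\r\n"
    "From: \"Alice\" <sip:3034422181@cm.corp.internal>;tag=abc\r\n"
    "To: <sip:12125550100@carrier.example.net>\r\n"
    "Contact: <sip:3034422181@10.192.172.11:5061;transport=tcp>\r\n"
    "P-Asserted-Identity: <sip:3034422181@cm.corp.internal>\r\n"
    "User-Agent: CorpPBX/1.0\r\n"
    "Call-ID: 1234@10.192.172.11\r\n"
    "CSeq: 1 INVITE\r\n"
    "Max-Forwards: 68\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 99\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 10.192.172.11\r\ns=-\r\nc=IN IP4 10.192.172.11\r\n"
    "t=0 0\r\nm=audio 20000 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    print(hide_topology(INTERNAL_INVITE))
    print("leaks:", leaked_hosts(hide_topology(INTERNAL_INVITE)))
```

Run leaked_hosts over the responses and in-dialog requests too: a 200 OK Contact or a re-INVITE SDP that still carries 10.x is the usual place topology hiding turns out to be half configured.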
3) Packet and Protocol Inspection and Correction
Denial of Service
  o Call/registration overload
  o Malformed messages (fuzzing)
Configuration errors
  o Mis-configured devices
  o Operator and application errors
Theft of service
  o Vishing
  o Unauthorized users
  o Unauthorized media types
Viruses and SPIT
  o Viruses via SIP messages
  o Malware via IM sessions
  o SPIT – unwanted traffic
Source: Nemertes Research
Enterprise Adoption of Collaboration Tools
Increased usage of collaboration tools means security threats are more of a concern
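What the inspection step looks like for the first of those threat classes, as an added example that is not from the slides or from any SBC vendor: a validator that drops structurally malformed requests (the "malformed messages (fuzzing)" bullet), fills in the two header omissions RFC 3261 lets a proxy repair, and throttles REGISTER bursts per source address (the "call/registration overload" bullet). The size caps, the rate limit and every sample message are constructed for the example.

```python
"""Added example: SIP request inspection, correction and REGISTER rate limiting."""
import re
from collections import defaultdict, deque

REQUEST_LINE = re.compile(r"^([A-Z]{3,10}) (sips?:\S+) SIP/2\.0$")
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq")
MAX_HEADERS, MAX_VALUE_LEN = 64, 1024      # assumed caps; real SBCs make these tunable

def split_message(raw: str):
    """Return (start_line, [(name, value)], body); ValueError on gross damage."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF header terminator")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:            # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"header line without a name/colon: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def inspect_request(raw: str) -> list:
    """Reasons to drop the request; an empty list means it passed."""
    try:
        start, headers, body = split_message(raw)
    except ValueError as err:
        return [str(err)]
    match = REQUEST_LINE.match(start)
    if not match:
        return [f"bad request line: {start!r}"]
    method = match.group(1)
    present = {name.lower(): value for name, value in headers}
    problems = [f"missing {name}" for name in REQUIRED if name.lower() not in present]
    if len(headers) > MAX_HEADERS or any(len(v) > MAX_VALUE_LEN for _, v in headers):
        problems.append("oversized header block")
    cseq = present.get("cseq", "")
    if cseq and not re.fullmatch(rf"\d+ {method}", cseq):
        problems.append(f"CSeq method mismatch: {cseq!r} vs {method}")
    clen = present.get("content-length")
    if clen is not None and (not clen.isdigit() or int(clen) != len(body)):
        problems.append("Content-Length does not match body")
    if "max-forwards" in present and not present["max-forwards"].isdigit():
        problems.append("non-numeric Max-Forwards")
    return problems

def correct_request(raw: str) -> str:
    """Insert Max-Forwards: 70 and Content-Length when absent.  RFC 3261 16.6 has a
    proxy add Max-Forwards (SHOULD be 70) if missing, and 18.3 requires
    Content-Length on stream transports, so both are safe to supply."""
    start, headers, body = split_message(raw)
    present = {name.lower() for name, _ in headers}
    if "max-forwards" not in present:
        headers.append(("Max-Forwards", "70"))
    if "content-length" not in present:
        headers.append(("Content-Length", str(len(body))))
    return start + "\r\n" + "\r\n".join(f"{n}: {v}" for n, v in headers) + "\r\n\r\n" + body

class RegisterLimiter:
    """Sliding-window cap on REGISTER attempts per source IP."""
    def __init__(self, limit: int = 5, window_s: float = 10.0):
        self.limit, self.window_s = limit, window_s
        self.history = defaultdict(deque)

    def allow(self, src_ip: str, now: float) -> bool:
        q = self.history[src_ip]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False                                    # overload: drop, or answer 503
        q.append(now)
        return True

# Constructed sample messages (RFC 5737 documentation addresses).
GOOD = ("INVITE sip:2125551000@sbc.example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bKabc1\r\n"
        "Max-Forwards: 70\r\n"
        "From: <sip:3035550100@203.0.113.7>;tag=1\r\n"
        "To: <sip:2125551000@sbc.example.com>\r\n"
        "Call-ID: a1@203.0.113.7\r\n"
        "CSeq: 1 INVITE\r\n"
        "Content-Type: application/sdp\r\n"
        "Content-Length: 5\r\n\r\n"
        "v=0\r\n")
# Fuzzed: CSeq names the wrong method and Content-Length lies about the body.
FUZZED = GOOD.replace("CSeq: 1 INVITE", "CSeq: 1 REGISTER").replace("Content-Length: 5", "Content-Length: 999")
# A sloppy UA: no Max-Forwards and no Content-Length.
SLOPPY = GOOD.replace("Max-Forwards: 70\r\n", "").replace("Content-Length: 5\r\n", "")
TRUNCATED = "INVITE sip:2125551000@sbc.example.com SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.7\r\n"

def demo() -> dict:
    limiter = RegisterLimiter(limit=3, window_s=10.0)
    burst = [limiter.allow("198.51.100.9", t) for t in (0, 1, 2, 3, 4, 12)]
    return {"good": inspect_request(GOOD), "fuzzed": inspect_request(FUZZED),
            "truncated": inspect_request(TRUNCATED),
            "repaired": inspect_request(correct_request(SLOPPY)), "burst": burst}

if __name__ == "__main__":
    print(demo())
```

Inspection and correction are kept as separate passes on purpose: a request that fails inspect_request is dropped, and only requests that pass it are handed to correct_request and forwarded.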
Packet and Protocol Inspection and Correction
Proactively identifying and preparing defenses against the ever changing unknowns of the wild beyond your network borders.
State-of-the-art research facility with a dedicated team of expert vulnerability assessment professionals.
Uncover vulnerabilities that put communications at risk in next-generation, multi-vendor networking environments.
4) Scenario Specific SIP Message Manipulation
SIP can be implemented in slightly different ways. “Tweaking” is required to make things work
The two previous topics (Internetworking and Topology Hiding) are examples of SIP signaling manipulations
SBC vendors use different terms for this function:
  o Header Manipulation Rules
  o SIP Header Manipulation
  o SIP Message Manipulation
Specific SIP Message Manipulation
(Screenshot) Domain Policies > Signaling Rules > General
Slight Detour –Dialogues and Transactions
All SIP calls must have:
  o INVITE
  o 200 OK
  o ACK
A call is a dialogue
A dialogue consists of multiple transactions
http://telconotes.files.wordpress.com/2013/03/sip-transaction-vs-dialog.png
Slight Detour – SIP Request Methods
STANDARD SIP REQUEST METHODS
  INVITE     Establishes a session
  ACK        Confirms an INVITE request
  BYE        Ends a session
  CANCEL     Cancels establishing of a session
  REGISTER   Communicates user location (host name, IP)
  OPTIONS    Communicates information about the capabilities of the calling and receiving SIP phones
  PRACK      Provisional Acknowledgement
  SUBSCRIBE  Subscribes for Notification from the Notification service
  NOTIFY     Notifies the subscriber of a new event
  PUBLISH    Publishes an event to the Server
  INFO       Sends mid session information
  REFER      Asks the recipient to issue call transfer
  MESSAGE    Transports Instant Messages
  UPDATE     Modifies the state of a session

STANDARD SIP RESPONSE CODES
  1xx  informational responses
  2xx  success responses
  3xx  redirection responses
  4xx  request failures
  5xx  server errors
  6xx  global failures
SIP Message Manipulation
(Screenshot) Domain Policies > Signaling Rules > Requests
SIP Message Manipulation
(Screenshot) Domain Policies > Signaling Rules > Responses
SIP Message Manipulation
(Screenshot) Domain Policies > Signaling Rules > Request Headers
SIP Message Manipulation
(Screenshot) Domain Policies > Signaling Rules > Response Headers
SIP Message Manipulation
SigMa Scripting Language for granular control of every header, every parameter, every option, at any point within the call flow
SigMa Scripting Language
Language Constructs
  o Variables
      Built-in: %HEADERS, %SDP, %BODY, %INITIAL_REQUEST …
      User defined: %foo
  o Statements
      Assignment: %foo = “bar”;
      Conditional: if (…) then { … } else { … }
      Function call
  o Header operations: remove(), exists(), append()
  o Regex functions: regex_replace(), regex_get(), regex_match()
  o Print statement: print “hello”, “there”;
  o Functional Blocks
      Session Block: within session “…” where <condition> { … }
      Message Block: act on […] where <condition> { … }
Hook Points - %ENTRY_POINT, %DIRECTION
(Diagram) The INBOUND and OUTBOUND paths each run Transport -> Transaction Layer -> Proxy (Routing). AFTER_NETWORK sits beside the transport layer; PRE_ROUTING and POST_ROUTING sit on either side of the Proxy (Routing) stage. All three entry points exist in both directions.
5) In Dialog Message Interception/Redirection
(Diagram, reference topology drawn twice: the original call and the transferred call.) The Carrier and the Internet terminate on "SBC – Trunking", which feeds Session Manager. Behind Session Manager sit Experience Portal, Messaging, Communication Manager (with its H.323 and SIP endpoints) and 3rd Party SIP (Call Manager, Fax, etc.); remote SIP endpoints enter through "SBC – VO Users".
Legend: Original Call; Transferred Call; Same Call Outside / New Call Inside
In Dialog Message Interception/Redirection
(Screenshot: the feature is enabled by a single checkbox.)
Life in the Trenches - Real World Examples
Large Hospital System – The Case of the Missing Voicemail Box
Customer Requirement:
  o Integrate Definity (pre-SIP) to voicemail system
  o Dialogic gateway 8 line digital to SIP converter
Large Hospital System – The Case of the Missing Voicemail Box
Issue Description:
  o Diversion Header used “Tel” format, not “SIP”
  o From and To Headers used dashes in number
<tel:3034422181>  <sip:[email protected]>
International Law Firm – The Case of the Incomplete Transfer
Customer Requirement:
  o Provision Incoming SIP trunks for Centralization
Issue Description:
  o Internal Transfers work fine, but incoming SIP calls were dropped when attempting to transfer or cover to voicemail
International Law Firm – The Case of the Incomplete Transfer
(Diagram) Call path: Carrier (Max-Forwards = 10) -> SBC -> SM -> CM -> SM -> MM, with “MaxFwds+2” annotated at each of the five elements.
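Both case studies come down to the message manipulation described earlier (the SigMa constructs and the %DIRECTION / %ENTRY_POINT hook points), so here is one added example that is not SigMa and not Avaya or NACR code: a small Python rule engine with the same shape, rules bound to a direction and an entry point that edit headers with regex, carrying the two fixes. The hospital rule converts a tel: Diversion to a sip: URI and strips the dashes from the From and To numbers; the law-firm rule raises a low carrier Max-Forwards on ingress so the request has enough hops left for the SBC -> SM -> CM -> SM -> MM path. The voicemail domain, the floor of 70 (RFC 3261’s default), the choice of INBOUND / PRE_ROUTING and the sample INVITEs are assumptions.

```python
"""Added example: direction/entry-point rule engine with the two case-study fixes."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

Headers = List[Tuple[str, str]]

def parse(msg: str):
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return lines[0], headers, body

def render(start: str, headers: Headers, body: str) -> str:
    return start + "\r\n" + "\r\n".join(f"{n}: {v}" for n, v in headers) + "\r\n\r\n" + body

# Header operations named after the built-ins the slide lists for SigMa.
def exists(headers: Headers, name: str) -> bool:
    return any(n.lower() == name.lower() for n, _ in headers)

def remove(headers: Headers, name: str) -> None:
    headers[:] = [(n, v) for n, v in headers if n.lower() != name.lower()]

def append(headers: Headers, name: str, value: str) -> None:
    headers.append((name, value))

def regex_replace(headers: Headers, name: str, pattern: str, repl) -> int:
    """re.sub on every header called `name`; returns how many values changed."""
    changed = 0
    for i, (n, v) in enumerate(headers):
        if n.lower() == name.lower():
            new = re.sub(pattern, repl, v)
            changed += new != v
            headers[i] = (n, new)
    return changed

@dataclass
class Rule:
    direction: str       # %DIRECTION: INBOUND or OUTBOUND
    entry_point: str     # %ENTRY_POINT: AFTER_NETWORK, PRE_ROUTING or POST_ROUTING
    method: str          # request method to act on, "*" for any
    action: Callable[[Headers], None]

def apply_rules(msg: str, direction: str, entry_point: str, rules) -> str:
    start, headers, body = parse(msg)
    method = start.split(" ", 1)[0]
    for rule in rules:
        if (rule.direction, rule.entry_point) == (direction, entry_point) and rule.method in ("*", method):
            rule.action(headers)
    return render(start, headers, body)

# Case 1: the digital-to-SIP gateway sends a tel: Diversion and dashed numbers.
VM_DOMAIN = "vm.example.com"      # assumed voicemail SIP domain
def fix_diversion(headers: Headers) -> None:
    regex_replace(headers, "Diversion", r"tel:([+\d-]+)",
                  lambda m: f"sip:{m.group(1).replace('-', '')}@{VM_DOMAIN}")
    for name in ("From", "To"):
        regex_replace(headers, name, r"sip:([+\d-]+)@",
                      lambda m: f"sip:{m.group(1).replace('-', '')}@")

# Case 2: the carrier sends Max-Forwards: 10; raise it before the internal hops use it up.
def raise_max_forwards(headers: Headers, floor: int = 70) -> None:
    for i, (n, v) in enumerate(headers):
        if n.lower() == "max-forwards" and v.isdigit() and int(v) < floor:
            headers[i] = (n, str(floor))

RULES = [
    Rule("INBOUND", "PRE_ROUTING", "INVITE", fix_diversion),
    Rule("INBOUND", "PRE_ROUTING", "*", raise_max_forwards),
]

# Constructed sample requests (numbers modelled on the slide, RFC 5737 addresses).
GATEWAY_INVITE = ("INVITE sip:3034422181@vm.example.com SIP/2.0\r\n"
                  "Via: SIP/2.0/UDP 192.0.2.8:5060;branch=z9hG4bK-gw1\r\n"
                  "Max-Forwards: 70\r\n"
                  "From: <sip:303-442-2100@192.0.2.8>;tag=gw\r\n"
                  "To: <sip:303-442-2181@vm.example.com>\r\n"
                  "Diversion: <tel:3034422181>;reason=no-answer\r\n"
                  "Call-ID: gw1@192.0.2.8\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
CARRIER_INVITE = GATEWAY_INVITE.replace("Max-Forwards: 70", "Max-Forwards: 10")

if __name__ == "__main__":
    print(apply_rules(GATEWAY_INVITE, "INBOUND", "PRE_ROUTING", RULES))
```

Scope each rule as tightly as the SigMa session and message blocks allow: the Max-Forwards rule belongs on the carrier trunk flow only, since raising the value on every interface would let a routing loop between SM and CM run seventy hops instead of ten before a 483 Too Many Hops stops it.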
Thank you!
Questions?
A friendly reminder to please click the survey link before exiting today’s webinar. Thank you!