With the migration to VoIP, which uses the public internet as its transport instead of the private connections of ISDN, the risk that uninvited people use the phone system at your expense is real. This creates the need to secure the connections towards the internet. And where we are used to securing our network of PCs, workstations and file servers with firewalls, those firewalls are not capable of securing VoIP/UC connections; in fact, most of the time they are the cause of broken phone connections with no speech or one-way speech. Therefore new products and solutions are necessary; in most cases a Session Border Controller (SBC) will secure the phone network. And as more people work out of the office, the need to secure those connections is raised frequently. Within the product portfolio we offer at Com8 you will find the security solution fine-tuned to your needs.
An SBC secures your UC connection by:
- Providing a demarcation point for the SIP provider
- Securing your SIP trunk from the provider
- Terminating VPN connections
- Connecting IP phones behind a NAT firewall to the IP-PBX
- Transcoding your phone codecs
- Providing topology hiding
- Firewalling UC connections
- Blocking TDoS (telephony denial of service) attacks
- Offering new protection methods like STIR/SHAKEN to your phone system
- Acting as a reverse proxy server, connecting your remote IP phones to your PBX securely
- Providing STUN/TURN services that enable the RTP (voice) connection through NAT and double-NAT firewall networks
- Providing intrusion detection and prevention for Unified Communication, to secure your UC data in depth
The Sangoma or Dialogic SBC instead of or in combination with a firewall.
Firewalls and Unified Threat Management (UTM) appliances are great security products in today's networks, as they offer wide protection against blended threats. But these devices offer little coverage for VoIP security. Firewalls and UTM focus on data security: email, web, worms, trojans etc. None of these data applications are "real time", whereas VoIP requires the immediate application of security policies. In addition, the inherent function of a firewall is to deny all unsolicited traffic, and an incoming phone call is an unsolicited event; therefore firewalls can be counterproductive to an effective VoIP deployment by denying VoIP traffic. Furthermore, firewalls do not provide the SIP addressing functions needed to rewrite and re-address SIP signalling and media negotiations properly. The purpose of an SBC is to add "real time" VoIP security policies to the existing security infrastructure, and to focus on establishing reliable SIP communications instead of just "poking holes" in your firewall to let phone calls through at the risk of breaching security. Firewalls do not meet the real-time and protocol-security requirements of VoIP, but they still need consideration when deploying VoIP, as they are part of every network deployment.
Common attacks in VoIP are:
- Toll Fraud
- Intrusion of Service
- Identity Theft
- Denial of Service
Com8 will assist you in finding the right solution for your needs from the product portfolio of Sangoma or Dialogic, both well-known brands in UC security, as a hardware device or as a software solution installed on the servers at your customer or in your datacentre.
The innovaphone Reverse Proxy server:
The innovaphone Reverse Proxy is a software module available on innovaphone gateways. It is designed to allow safe access to services of the innovaphone PBX from the public internet. To accomplish this the gateway must be reachable from the public internet, either directly or via NAT port forwarding. The reverse proxy forwards traffic to configurable destinations. Access to internal destinations can be limited in several ways, and algorithms that detect attacks are implemented and used to put IP addresses on a blacklist. The reverse proxy supports H.323, SIP, HTTP and LDAP over TCP or TLS.
ICE stands for Interactive Connectivity Establishment and defines a systematic way of finding possible communication options between two endpoints (through NATs and Firewalls), including using relays as necessary.
STUN stands for Session Traversal Utilities for NAT. A STUN server tells the requesting endpoint its public IP address. STUN is a relatively lightweight process: once it has provided the publicly reachable address for the requester, it is no longer involved in the conversation.
When an IP phone is behind a NAT firewall, it only sees its local IP address. Other endpoints in the call (the IP-PBX and/or another IP phone) might be unable to use this local IP address to reach the endpoint, as they may be on another network outside the local network and are therefore blocked by the firewall. In such cases, the IP phone can ask a STUN server for its public IP address. The other participants then use the ICE procedures to attempt a connection using that public IP address; if the connection is set up successfully, media flows directly between the users, without any active intermediary. For all practical purposes, the STUN server then drops out of sight, waiting for the next query.
However, the situation above works only for some NATs. In other NAT implementations the port is translated to some other port, together with the IP address it is attached to. This is called a "symmetric NAT". The public IP address learned via STUN is not enough to establish connectivity here, as the port also needs translation.
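The STUN exchange described above, as an added example that is not part of the Com8 page nor code from any Sangoma, Dialogic or innovaphone product: a minimal Python encoder/decoder for the STUN Binding Request and Binding Success Response (RFC 5389 wire format), including the XOR-MAPPED-ADDRESS attribute a server uses to report the client's public address, plus the check a client can make to recognise the symmetric-NAT case. The sample server replies, IP addresses and ports are constructed; nothing is sent on the network.

```python
import os
import socket
import struct

# STUN constants (RFC 5389 message format)
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """20-byte Binding Request header; the client sends this to the STUN server."""
    if transaction_id is None:
        transaction_id = os.urandom(12)          # 96-bit random id, echoed back by the server
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    # message type, attribute length (0: no attributes), magic cookie, transaction id
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def build_binding_success(transaction_id, ip, port):
    """Binding Success Response carrying an IPv4 XOR-MAPPED-ADDRESS.
    Only used here to construct a sample server reply for the demonstration."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xip = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xip)   # reserved, family=IPv4, X-Port, X-Address
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + transaction_id + attr


def parse_binding_response(data, expected_tid):
    """Return (public_ip, public_port) from a Binding Success Response.
    Raises ValueError for malformed input or a reply that does not match our request."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    tid = data[8:20]
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding Success Response")
    if tid != expected_tid:
        raise ValueError("transaction id mismatch: reply was not for our request")
    if len(data) != 20 + msg_len:
        raise ValueError("length field does not match packet size")
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            if value[1] != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            xport, xip = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xip ^ MAGIC_COOKIE))
            return ip, port
        pos += 4 + ((alen + 3) & ~3)                 # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def is_symmetric_nat(mapping_to_server_a, mapping_to_server_b):
    """Same local socket, two different STUN servers: a cone NAT reuses one public
    mapping, a symmetric NAT hands out a different port (or address) per destination."""
    return mapping_to_server_a != mapping_to_server_b


if __name__ == "__main__":
    tid = os.urandom(12)
    request = build_binding_request(tid)
    # Constructed replies standing in for two STUN servers (addresses from the
    # documentation range 203.0.113.0/24): the NAT mapped the same local socket
    # to a different public port for each destination, the symmetric-NAT case.
    reply_a = build_binding_success(tid, "203.0.113.5", 40010)
    reply_b = build_binding_success(tid, "203.0.113.5", 40011)
    mapping_a = parse_binding_response(reply_a, tid)
    mapping_b = parse_binding_response(reply_b, tid)
    print("request bytes:", request.hex())
    print("mapping via server A:", mapping_a, "via server B:", mapping_b)
    print("symmetric NAT, TURN relay required:", is_symmetric_nat(mapping_a, mapping_b))
```

The transaction-id check is the security-relevant detail: a reply that does not echo the 96-bit id the client sent must be discarded, otherwise any host able to send a packet to the phone could feed it a false public mapping. Sending the same request from one local socket to two STUN servers and comparing the mappings is the practical way to spot a symmetric NAT: a cone NAT returns the same public address and port for both, a symmetric NAT returns a different port per destination, which is exactly the case where STUN alone is not enough and a TURN relay is needed.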
That is where a TURN server becomes essential.
Where the STUN server only sends the outside (internet) IP address to the participants (IP phone / IP-PBX), the TURN server is much more involved in the IP data connection and in setting up the different connections you need (especially the RTP connection that transports the voice). Because of this the TURN server can also act as a relay, holding and buffering content before forwarding it to the client on the usable port it has discovered and catalogued together with the client's public IP address.
Let's take a simplified look at how the TURN server works together with the clients, the IP phone and the IP-PBX. The process starts after the IP phone boots and, as configured, sets up a connection to the TURN server; this is the first connection the TURN server stores for later use. After that the phone tries to set up a connection to the IP-PBX using the ICE protocol, and as a result the IP-PBX also connects to the TURN server, which maintains and stores this connection too. The IP-PBX then responds to the request of the IP phone, and after some more handshaking via the TURN server the RTP connection is set up so the voice can be sent to the other client you want to talk to. During this process the TURN server stays in the middle of the RTP connection.
Intrusion detection and prevention in UC:
An Intrusion Detection System (IDS) is an automated system that detects unauthorized access to an information system or network. Unauthorized access means an infringement of the confidentiality, integrity or availability of information. This can range from attacks by specialized hackers to so-called script kiddies using automated attacks, often written by others. An IDS combined with an Intrusion Prevention System (IPS) is an Intrusion Detection and Prevention System (IDP).
An Intrusion Prevention System (IPS) is a security device that can monitor network and/or system activities for unwanted behaviour and respond in real time by blocking or preventing such activities. Network-based IPS systems operate "in-line", so that all network traffic can be monitored for malicious code and attacks. If an attack is detected, the IPS can stop (drop) the "suspicious" packets while the remaining network traffic continues.
The role of an Intrusion Detection and Prevention System (IDP) in the network is often confused with that of access control and application-layer firewalls. Although there are similarities in the way IDP and firewalls approach a network or system, there are fundamental differences in the security functionality. In most cases an IDP is designed to operate completely invisibly on the network: it has no IP address on the segments being monitored and does not respond directly to network traffic, but monitors it silently as it passes. Important advantages are that IDP technology provides better insight into various operations that take place on the network, such as overactive hosts, bad logons, unauthorized content and other network- and application-layer activity.
Within the Sangoma SBC solutions you will find the IDP solution to add security to your UC connections. All signatures are based on VoIP attacks and stop malicious attacks towards your PBX in the data stream from IP phones and VoIP systems, and on the connection from your SIP provider.
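A simplified signature- and rate-based SIP detector in the spirit of the IDP described above and of the attack-detection blacklist of the innovaphone reverse proxy, added as an example for this page; it is not Sangoma's, Dialogic's or innovaphone's own code. The SipEvent record, the IP addresses (from the documentation ranges), the "Acme IP Phone" user-agent, the sample traffic and the thresholds are all constructed; the two scanner user-agent strings are the ones SIPVicious-style scanners are known for, but a real product ships a far larger signature set and correlates by SIP dialog rather than by source address alone.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class SipEvent:
    """One SIP request seen at the edge, plus the status the PBX answered (0 = none yet)."""
    ts: float          # seconds
    src_ip: str
    method: str        # REGISTER, INVITE, OPTIONS, ...
    status: int
    user_agent: str


# Short signature list for the example; a product ships many more.
SCANNER_UA_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"friendly-scanner", r"sipvicious")]


class SipIdp:
    """Rate- and signature-based detector that feeds a source-IP blacklist."""

    def __init__(self, auth_fail_limit=5, auth_window=60.0, invite_limit=20, invite_window=1.0):
        self.auth_fail_limit = auth_fail_limit
        self.auth_window = auth_window
        self.invite_limit = invite_limit
        self.invite_window = invite_window
        self.auth_fails = defaultdict(deque)   # src_ip -> timestamps of rejected REGISTERs
        self.invites = defaultdict(deque)      # src_ip -> timestamps of INVITEs
        self.blacklist = {}                    # src_ip -> reason it was blocked

    @staticmethod
    def _count_in_window(timestamps, ts, window):
        """Sliding-window counter: add ts, drop entries older than the window."""
        timestamps.append(ts)
        while timestamps and ts - timestamps[0] > window:
            timestamps.popleft()
        return len(timestamps)

    def process(self, ev):
        """Return 'drop' or 'pass' for one event, updating state and the blacklist."""
        if ev.src_ip in self.blacklist:
            return "drop"
        # 1. Known scanner user-agent: block immediately.
        if any(p.search(ev.user_agent) for p in SCANNER_UA_PATTERNS):
            self.blacklist[ev.src_ip] = "known SIP scanner user-agent"
            return "drop"
        # 2. Registration brute force. Caveat: the first 401 on every REGISTER is the
        #    normal digest challenge, so the limit must sit well above the legitimate
        #    rate of one challenge per registration.
        if ev.method == "REGISTER" and ev.status in (401, 403):
            n = self._count_in_window(self.auth_fails[ev.src_ip], ev.ts, self.auth_window)
            if n >= self.auth_fail_limit:
                self.blacklist[ev.src_ip] = "registration brute force"
                return "drop"
        # 3. INVITE flood from one source (TDoS): a call rate no phone produces.
        if ev.method == "INVITE":
            n = self._count_in_window(self.invites[ev.src_ip], ev.ts, self.invite_window)
            if n >= self.invite_limit:
                self.blacklist[ev.src_ip] = "INVITE flood (TDoS)"
                return "drop"
        return "pass"


def run_sample():
    """Feed constructed traffic through the detector; returns (blacklist, verdicts per IP)."""
    idp = SipIdp()
    phone_ua = "Acme IP Phone/1.0"                                # constructed user-agent
    events = [
        SipEvent(0.0, "192.0.2.10", "REGISTER", 401, phone_ua),   # normal digest challenge
        SipEvent(0.2, "192.0.2.10", "REGISTER", 200, phone_ua),   # registered fine
    ]
    events += [SipEvent(10.0 + i, "198.51.100.7", "REGISTER", 403, phone_ua) for i in range(6)]
    events.append(SipEvent(20.0, "198.51.100.8", "OPTIONS", 0, "friendly-scanner"))
    events += [SipEvent(30.0 + i * 0.01, "198.51.100.9", "INVITE", 0, "Generic SIP UA") for i in range(25)]
    verdicts = defaultdict(list)
    for ev in events:
        verdicts[ev.src_ip].append(idp.process(ev))
    return idp.blacklist, dict(verdicts)


if __name__ == "__main__":
    blacklist, verdicts = run_sample()
    for ip, reason in blacklist.items():
        print(f"blocked {ip}: {reason}")
```

The legitimate phone at 192.0.2.10 passes because a single digest challenge followed by a 200 never reaches the threshold, while the three other sources are blocked for different reasons; once an address is on the blacklist every further packet from it is dropped without re-evaluating the rules, which is the "in-line" behaviour described for an IPS. The thresholds are the tuning knobs: set the registration limit too low and phones with a short re-registration interval or a wrong password after a config change end up blacklisted, so a production deployment also needs an expiry on blacklist entries.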