Common Misconceptions

Alan D. PercyDirector of Market DevelopmentAlan.percy@audiocodes.com

The Truth of Enterprise SIP

Security

3

Threat is widely recognized

“Security Is IP Networking's Downside”Gartner Report, 2006

“SIP is not an easy protocol to secure.”RFC 3261

“T.J. Max theft is believed largest hack ever”AP Newswire, March 30, 2007

“…SIP is vulnerable to certain attacks.”RFC 3329

4

Known Threats

• Known SIP Security Threats:– Theft of services (unauthorized use of your network)– Recording and eavesdropping– Call Detail Capturing (tracking who you call and for

how long)– Spoofing and Man-in-the-middle (Phone Phishing)– Denial of Service Attacks– Registration Flooding– Malformed Messages– Unsolicited incoming calling (SPIT)– Trojan horse devices– Viruses and Worms– and more.

5

Three Misconceptions about Security

6

Misconception #1

Eavesdropping VoIP

is easy

7

IP-PBX SIP Architecture

Media Gateway

LAN Switch

PSTN

PSTN SIP

SIP Phones

SIP

T1/E1

Secure Facility

Secured with

SIP/TLSSRTP

IP-PBX

8

Points of Risk

Signaling

Media

IP

Management

SIP/TLS

SRTP

HTTPS

9

Misconception #2

SIP Trunking is easy to secure with a

SIP Firewall

10

SIP Trunking is at Risk

• SIP Trunking without correct protection is open to DoS attack, theft of service and other threats too!

11

Protecting Against DoS Attacks

One of two approaches:

1. Use PSTN Trunking• Cannot execute a DoS attack over a PSTN circuit• Media gateway insulates enterprise from outside world• Enterprise uses PSTN as a “moat” around SIP Island

2. Secure SIP Trunks with SBC• Firewalls do not fully protect against DoS• Many SIP Security devices don’t support SIP/TLS or

SRTP• Protect with an Enterprise-class Session Border

Controller

12

SBC – Includes DoS Filtering and Rate Limiting

ICMP

ARP Request

ARP Response

DTMF

SIP - Invite

SIP - Register

SIP- Response

SIP - Unknown

SIP - Other

SIP - Register

SIP - Other

DoS Filters

Un-Solicited SIP Traffic

Established SIP Signaling “Pinholes”

nRT - HI

nRT - LO

Best Effort

Port

SIP App Server

Traffic Management/Shaping maintain per queue rate, size and discard policy

RADIUS

VRRP

Dispatcher

Rate Limiting &Prioritization

Application Intelligence

13

Misconception #3

Security is very expensive

14

AudioCodes Solutions with Security

Mediant 2000Scalable Digital Media GatewayMediant 1000

Modular Media Gateway

MediaPack MP-11xAnalog Media Gateway

All support HTTPS, SIP/TLS, and SRTP

Mediant 1000 MSBGwith Integrated SBC

15

Good Security Practices for Enterprises

Deploy encryption security (SIP/TLS and SRTP) Secure the front door (trunk lines)

PSTN Trunking or Enterprise SBC

Secure the back door (set and manage the passwords) Control access Manage software on

all the devices in the system

Eliminate WiFi access Keep an audit trail

16

Q/A and More Information

www.audiocodes.comor

Alan.percy@audiocodes.com