Do You Practice Safe SIP?

By Dave Michels, February 17, 2010

Put your feet up on your desk, you just saved your employer 60% on long distance by implementing a SIP trunk telephony solution. A promotion must be imminent and obviously well earned. But the cigar isn't the only thing beckoning your attention – the call center manager is at your door. Evidently all incoming calls to the call center stopped. Then someone else reports that calls are coming in to the rest of the company – but it's a pre-recorded venomous message going to every phone or message-box in the firm from a former employee. Good news, a position has opened in the firm's Antarctic branch.

Possible? Absolutely. As with all things Internet, Session Initiation Protocol (SIP) represents a new world of economics and benefits, as well as some serious threats. With dedicated landlines, voice communications were reasonably secure and most threats required physical access. But with SIP, threats can come from anywhere – from passive threats such as eavesdropping or SIP registration floods due to a power outage, to annoying threats such as SPIT (SPAM over Internet Telephony), to malicious attacks and viruses sent by disgruntled ex-employees or script kiddies.

The threats described above are real. A Denial of Service attack can not only block calls, but completely disable a phone system. SPIT attacks are embarrassing and rarely publicized, but Columbia University experienced one in 2007: a malicious attacker, working through a proxy service, delivered a pre-recorded message to extensions throughout the campus. Communications over SIP circuits should not be treated the same as email or other IP streams. Even worse, to accommodate network address translation (NAT), many users just open up SIP ports on their firewall, effectively disabling security. To improve security, many firewall vendors offer support for SIP ALG (Application Level Gateway). SIP ALG helps address NAT-related problems, but many router implementations of ALG actually break the protocol. ALG problems result from incorrectly modified headers that break incoming calls and sometimes completely disable communications. As SIP increases in popularity, it is increasingly important to learn about the dangers of SIP, particularly in mission-critical implementations.

To truly benefit from SIP services, implementations need to include planning for security and protection. One emerging trend is to implement SIP and SIP trunking through a Session Border Controller (SBC).

An SBC is conceptually similar to a firewall designed for Internet voice services, although it works much differently than a firewall. While firewalls examine the packets that flow through them, SBCs actually intercept packets and forward them as and where appropriate. As session control elements, SBCs provide security and interworking fixups for SIP signaling and media. SBCs were originally designed to protect service providers, but now the enterprise is discovering their benefits. SBCs are typically deployed on the edge of the network, and provide a variety of services including security, redundancy, and QoS.

An SBC regenerates signaling, so it has full visibility into the application level of the data stream, meaning that the phone system has an end-to-end session with the SBC, as does the SIP service provider. This enables the SBC to perform a variety of services including the ability to monitor call state during an encrypted conversation. The SBC can control SIP sessions and media flows in ways an ALG firewall cannot. For example, only an SBC can respond to SIP signaling messages or support dynamic access control lists (ACLs) and policies. An SBC can protect against a SIP registration attack and block misconfigured devices. Because it can't see the application layer, a firewall can't do this. Thus only SBCs can securely deliver reliable and trusted SIP communications while protecting against attacks, intentional or accidental.
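An added example (not from the article and not Acme Packet's product logic) of the kind of application-layer policy this paragraph describes: the decision depends on the SIP method, and a source that sends too many REGISTER requests is placed on a dynamic ACL for a fixed time. The trunk address range, thresholds, class and function names are assumptions chosen for illustration, and the sample traffic is constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed policy values, constructed for this example (documentation ranges).
TRUNK_PEERS = [ipaddress.ip_network("198.51.100.0/29")]  # provider signaling range
REGISTER_LIMIT = 5      # REGISTERs tolerated per source within WINDOW seconds
WINDOW = 10.0
BLOCK_SECONDS = 300.0   # how long a source stays on the dynamic ACL


class SignalingPolicy:
    """Per-request admission check made with visibility into the SIP method."""

    def __init__(self):
        self.recent = defaultdict(deque)  # source IP -> recent REGISTER times
        self.blocked_until = {}           # dynamic ACL: source IP -> expiry time

    def check(self, now, src_ip, raw_message):
        """Return 'allow', 'reject' or 'drop' for one SIP request."""
        if self.blocked_until.get(src_ip, 0.0) > now:
            return "drop"                 # source is still on the dynamic ACL
        method = raw_message.split(" ", 1)[0].upper()  # first token of request line
        addr = ipaddress.ip_address(src_ip)
        if method == "INVITE":
            # Calls are accepted only from the trunk provider's range.
            return "allow" if any(addr in n for n in TRUNK_PEERS) else "reject"
        if method == "REGISTER":
            q = self.recent[src_ip]
            q.append(now)
            while q and now - q[0] > WINDOW:
                q.popleft()               # forget REGISTERs outside the window
            if len(q) > REGISTER_LIMIT:
                self.blocked_until[src_ip] = now + BLOCK_SECONDS
                return "drop"
        return "allow"


def replay(events):
    """Run (time, source, message) tuples through a fresh policy."""
    policy = SignalingPolicy()
    return [policy.check(t, ip, msg) for t, ip, msg in events]


# Constructed traffic: trunk call, outside call, REGISTER burst, later retry.
SAMPLE = (
    [(0.0, "198.51.100.2", "INVITE sip:1000@pbx.example.com SIP/2.0"),
     (0.0, "203.0.113.50", "INVITE sip:0015550100@pbx.example.com SIP/2.0")]
    + [(1.0 + i * 0.1, "192.0.2.7", "REGISTER sip:pbx.example.com SIP/2.0")
       for i in range(7)]
    + [(400.0, "192.0.2.7", "REGISTER sip:pbx.example.com SIP/2.0")]
)
```

`replay(SAMPLE)` allows the trunk call, rejects the INVITE from outside the provider range, drops the sixth and seventh REGISTER of the burst, and allows the same source again once the block has expired.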

Because of these unique capabilities, the SBC is rapidly emerging as the de facto standard for safe SIP-ing. The SBC offers three levels of protection: it protects the core enterprise infrastructure, it protects critical Internet services that rely on SIP, and it protects itself. Core infrastructure includes the data center and mission-critical systems such as UC servers, and dependent services such as the contact center. Critical services include SIP trunk services, private networking, and other hosted services. Protecting the SBC itself means a purpose-built hardware design that contains exposure from attacks and overloads.

In addition to security, SBCs provide a means to improve performance and decrease costs. The SBC can dynamically route traffic to different service providers based on outages and performance, including the ability to detect and route around failed paths. Routing decisions can be based on a variety of metrics, including price (least cost routing).

To get a better understanding of SBCs, consider Acme Packet's Net-Net Operating System for SBCs. It offers a wide range of protocol support including SIP, H.323, SIP-H.323, MGCP/NCS, H.248, and RTSP, interoperable with all major IP PBX systems and unified communication platforms. Acme Packet offers carrier-class high availability, including rugged design for denial-of-service protection and intrusion detection/prevention capabilities. These types of standards and specifications can't be found on firewalls, and are required for protection against emerging SIP threats such as viruses, and even threats found in "harmless" communications such as IM.

SIP Trunking has crossed into the mainstream, which means that security issues will follow. Infonetics recently predicted SIP telephony services will grow 89 percent over the next few years, with enterprise accounts representing most of that growth. SIP trunking services represent the next big wave of VoIP growth, following widespread adoption of VoIP handsets. The drivers are mostly financial, but SIP offers a number of technical benefits as well. The trick will be to realize those benefits without losing control of the network. SBC is as easy as 123.

This paper is sponsored by Acme Packet.



 

1 Response to "Do You Practice Safe SIP?"

Paul FitzPatrick 10/26/2010 5:47:04 AM

Dave, one additional threat to be aware of is Fraud through your SIP trunk. We found out the hard way that one of our two SIP trunks was compromised (due to negligence on my part!) and found that someone was routing calls to the Caribbean through my Cisco Call Manager over a weekend! My LD carrier called to inform me late Sunday evening of these calls and asked if they were legitimate or did I want them blocked. I blocked them, of course, and then dug into how they could have done this. I found that one of my firewalls did not lock down SIP traffic to only my provider's IP address. Hence, these thieves connected right into my "IP PBX" and sent the calls through.
Lessons learned here were threefold: 1) that my SIP trunks are delivered over an Internet pipe and I need to protect it just like all other Internet ports!, 2) SIP doesn't care who you are when sending in an "Invite" packet...it responds nicely to any correctly configured SIP packets!, and 3) be careful when assigning unlimited or International calling search space access within your IP PBX...you may end up paying for fraudulent LD charges!
