Net-SAFE major functions

SBC DoS protection

SBC requirements

  • Protect SBC from DoS and other malicious attacks
  • Protect SBC from becoming overloaded in unforeseen conditions
  • Allow trusted/authenticated users access while under DoS attack
  • Dynamically build trust relationship per subscriber device
  • Automatically isolate attackers
  • Give preference to trusted devices over unknown
  • Provide fair access opportunity for unknown devices

Net-SAFE functions/features

Network processor

  • Network processor-based attack detection and prevention—TCP, SYN, ICMP, fragments, etc.
  • Network processor-based access control to signaling processor—dynamic permit and deny ACLs (see below)
  • Signaling processor protection
    • Trusted and untrusted paths to signaling processor with configurable bandwidth partitioning
    • Signaling processor path bandwidth policing per-session
  • Signaling processor access fairness using hardware based mechanisms
  • Protocol-based queue separation—separate queues for ICMP, ARP, Telnet, FTP, etc.
  • Guaranteed signaling rates for each trusted device
  • Untrusted devices can use remaining bandwidth unused by trusted
  • Reverse Path Forwarding (uRPF) detection for signaling and media
  • Network processor overload prevention
    • Max 8 Gbps interface with 10 Gbps hardware

Signaling processor

  • Signaling processor overload protection (% CPU) with graceful call rejection
  • Per-user dynamic trust-binding promotes/demotes users

Access control

SBC requirements

  • Filter specific devices or whole networks, per application
  • Permit access to known devices or networks, per application
  • Permit access to authorized/registered users
  • Permit or deny access to anonymous users
  • Dynamically accept or reject traffic based on device behavior
  • Accept media only for authorized sessions
  • Block all traffic not supported by the SBC
  • Support many high-performance, low-latency ACL filters

Net-SAFE functions/features

Network processor ACLs

  • Static permit/deny lists
    • IP address/port of session agents (CA, AS, IP PBX, etc.)
    • IP address/port prefix of endpoints, per protocol
  • Dynamic permit lists
    • IP address/port of endpoints with successful registration or session request (SIP REGISTER, MGCP RSIP, ACK on session request)
    • Signaling-controlled IP address/port pinholes for RTP and RTCP
  • Dynamic deny lists
    • IP address/port of detected attackers

Signaling processor ACLs

  • Static permit lists
    • IP address/port of session agents (CA, AS, IP PBX, etc.)
    • IP address/port prefix of endpoints, per protocol
  • Dynamic permit list
    • Session agent authenticated endpoints
    • Registered endpoints
    • DNS-authenticated endpoints
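The per-user dynamic trust binding listed under "Signaling processor" in the DoS protection section and the dynamic permit/deny lists listed above work together: an endpoint is admitted through a policed untrusted path until it proves itself, and is then either promoted to a guaranteed budget or pushed onto the deny list. The following is an added example, not Net-SAFE code from Acme Packet, that models that behaviour; the rates, bursts, violation threshold and all addresses are assumptions constructed for illustration.

```python
"""Added example (not Net-SAFE's own code): a simplified model of per-user
dynamic trust binding plus dynamic permit/deny lists. Every endpoint starts
untrusted and shares one policed signaling pool; a successful REGISTER
promotes it to trusted with its own guaranteed budget; repeated budget
violations demote a trusted endpoint back to untrusted and an untrusted one
to the deny list. Rates, bursts and the violation threshold are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"
Addr = Tuple[str, int]            # (IP address, port), the key the ACLs use


@dataclass
class TokenBucket:
    """Policer: `rate` messages per second sustained, at most `burst` in a burst."""
    rate: float
    burst: float
    last: float = 0.0
    tokens: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst

    def allow(self, now: float) -> bool:
        # refill in proportion to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Endpoint:
    state: str = UNTRUSTED
    violations: int = 0
    bucket: Optional[TokenBucket] = None   # guaranteed per-device budget once trusted


class TrustBindingAcl:
    def __init__(self, untrusted_rate=5.0, untrusted_burst=10.0,
                 trusted_rate=20.0, trusted_burst=40.0, max_violations=3):
        self.static_permit = set()                 # session agents: always admitted
        self.endpoints: Dict[Addr, Endpoint] = {}
        # the untrusted path is one shared, configurable partition of the bandwidth
        self.untrusted_pool = TokenBucket(untrusted_rate, untrusted_burst)
        self.trusted_rate, self.trusted_burst = trusted_rate, trusted_burst
        self.max_violations = max_violations

    def add_session_agent(self, addr: Addr) -> None:
        self.static_permit.add(addr)

    def admit(self, src: Addr, now: float) -> bool:
        """Would a signaling packet from src be passed up to the signaling processor?"""
        if src in self.static_permit:
            return True
        ep = self.endpoints.setdefault(src, Endpoint())
        if ep.state == DENIED:
            return False                           # dynamic deny list: dropped in hardware
        bucket = ep.bucket if ep.state == TRUSTED else self.untrusted_pool
        if bucket.allow(now):
            return True
        ep.violations += 1
        if ep.violations >= self.max_violations:
            self.demote(src)
        return False

    def on_register_ok(self, src: Addr, now: float) -> None:
        """Successful REGISTER: promote to trusted with a fresh guaranteed budget."""
        ep = self.endpoints.setdefault(src, Endpoint())
        if ep.state == DENIED:
            return
        ep.state, ep.violations = TRUSTED, 0
        ep.bucket = TokenBucket(self.trusted_rate, self.trusted_burst, last=now)

    def demote(self, src: Addr) -> None:
        ep = self.endpoints[src]
        ep.state = UNTRUSTED if ep.state == TRUSTED else DENIED
        ep.violations, ep.bucket = 0, None

    def state(self, src: Addr) -> str:
        return self.endpoints[src].state if src in self.endpoints else UNTRUSTED


def simulate() -> dict:
    """Constructed scenario: one registering phone, one flooding source, one session agent."""
    acl = TrustBindingAcl()
    agent, phone, flood = ("10.0.0.5", 5060), ("192.0.2.10", 5060), ("198.51.100.7", 5060)
    acl.add_session_agent(agent)
    acl.admit(phone, 0.0)                 # the phone's REGISTER crosses the untrusted pool
    acl.on_register_ok(phone, 0.0)        # and succeeds: the phone is now trusted
    out = {}
    out["flood_passed"] = sum(acl.admit(flood, 1.0) for _ in range(100))
    out["flood_state"] = acl.state(flood)
    out["phone_passed"] = sum(acl.admit(phone, 2.0) for _ in range(30))
    out["phone_state"] = acl.state(phone)
    out["agent_passed"] = acl.admit(agent, 2.0)
    return out


if __name__ == "__main__":
    print(simulate())
```

In the constructed run, the flooding source only gets the shared pool's burst of ten messages through before it is isolated on the deny list, while the registered phone keeps its full guaranteed budget and the statically permitted session agent is never policed; that is the "preference to trusted devices, fair access for unknown" property the requirements ask for.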

Topology hiding and privacy

SBC requirements

  • Hide entire topology to prevent directed attacks and preserve confidentiality
  • Anonymize user information for privacy and confidentiality
  • Protect users and infrastructure from eavesdroppers, identity thieves and fraud

Net-SAFE functions/features

Topology hiding

  • Network processor-based layer 1-4 hiding for signaling and media
    • Ethernet MAC + VLAN translation
    • L3 double-NAT translation
    • L4 double-NAT of TCP/UDP ports
    • Reset of TTL field, hiding the hop-count distance
    • Interception of ICMP ping/trace route
  • Signaling processor-based layer 5-7 hiding
    • NAT for signaling messages and headers
    • Route stripping of VIA and RECORD ROUTE lists
    • Removal and insertion of fields and headers
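The layer 5-7 items above describe what a B2BUA does to a SIP message before it leaves the protected network: every inside Via hop is replaced by the SBC's own, Record-Route is stripped, and the Contact, Call-ID and SDP addresses are rewritten to the SBC's outside address and relay port. The following is an added example, not Net-SAFE's or Acme Packet's code; the outside address, relay port and the INVITE are constructed for illustration.

```python
"""Added example (not Net-SAFE's own code): layer 5-7 topology hiding on a SIP
request. Inside Via hops and Record-Route entries are dropped, the SBC's own
Via is inserted, Contact/Call-ID/SDP addresses are rewritten to the SBC's
outside address, and Content-Length is recomputed. All addresses are assumed."""
import re
from typing import Set

SBC_EXTERNAL = "203.0.113.1"     # assumption: the SBC's outside address
SBC_PORT = 5060
MEDIA_RELAY_PORT = 20000         # assumption: RTP port the SBC allocates for the relay
COMPACT = {"v": "via", "m": "contact", "i": "call-id", "l": "content-length"}


def hide_topology(msg: str, sbc_addr: str = SBC_EXTERNAL, sbc_port: int = SBC_PORT,
                  media_port: int = MEDIA_RELAY_PORT) -> str:
    """Rewrite an inbound SIP request so that no inside address survives on the outbound leg."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [lines[0], f"Via: SIP/2.0/UDP {sbc_addr}:{sbc_port};branch=z9hG4bK-sbc-leg"]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = COMPACT.get(name.strip().lower(), name.strip().lower())
        value = value.strip()
        if key in ("via", "record-route", "content-length"):
            continue        # route hops are stripped; Content-Length is recomputed below
        if key == "contact":
            value = re.sub(r"@[^;>]+", f"@{sbc_addr}:{sbc_port}", value)
        elif key == "call-id":
            value = value.split("@")[0] + f"@{sbc_addr}"
        out.append(f"{name.strip()}: {value}")
    if body:
        # SDP o= and c= lines carry the inside media address; m= carries the inside port
        body = re.sub(r"IN IP4 \S+", f"IN IP4 {sbc_addr}", body)
        body = re.sub(r"^m=audio \d+", f"m=audio {media_port}", body, flags=re.M)
    out.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(out) + "\r\n\r\n" + body


INSIDE_NET = re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")


def inside_addresses(msg: str) -> Set[str]:
    """Addresses of the (assumed) inside network 10.0.0.0/8 still visible in msg."""
    return set(INSIDE_NET.findall(msg))


# Constructed INVITE as it arrives from the inside network
INVITE = (
    "INVITE sip:+15551234567@carrier.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/UDP 10.1.1.1:5060;branch=z9hG4bK-proxy1\r\n"
    "Record-Route: <sip:10.1.1.1;lr>\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:+15551234567@example.net>\r\n"
    "Call-ID: a84b4c76e66710@10.1.2.3\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.1.2.3:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.1.2.3\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.2.3\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    print(hide_topology(INVITE))
```

A useful acceptance check for any such rewrite is the negative one the `inside_addresses` helper performs: scan the outbound message for inside prefixes rather than trusting that every header was covered, since SDP and Call-ID leak the same information as Via.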

Privacy

  • Encryption—accelerator hardware module
    • TLS
      • Encryption—AES, 3DES, DES algorithms
      • Authentication—MD5 NULL, SHA NULL
      • Ciphers—TLS v1 ciphers
      • Range of key sizes
    • IPsec
      • Key exchange—IKE, manual
      • Protocols—ESP
      • Encryption—AES, 3DES, DES
      • Packet authentication—HMAC MD5, HMAC SHA-1
  • User identity
    • SIP privacy (RFCs 3323 and 3325)

VPN separation

SBC requirements

  • Secure L2 and L3 VPN customers
  • Maintain security isolation between VPNs
  • Support inter-VPN sessions
  • Monitor media for intra-VPN sessions for lawful intercept or fraud prevention

Net-SAFE functions/features

Network processor

  • VLAN tagging for VPN separation
  • VLAN and Prefix-based identification and separation of VPNs
  • Layer 1-4 topology hiding
    • By customer VPN (L2 or L3)
  • Media (RTP and RTCP) hairpinning or media release for inter and intra-VPN calls

Signaling processor

  • VPN session separation, even for overlapping addresses
  • Layer 5-7 topology hiding
    • By signaling and media transport VPN

Service infrastructure DoS prevention

SBC requirements

  • Prevent attackers from learning service infrastructure topology
  • Prevent the infrastructure from being attacked
  • Prevent the infrastructure from becoming overloaded

Net-SAFE functions/features

Network processor

  • SBC DoS protection prevents DoS attacks from reaching infrastructure
  • Media bandwidth policing per-session

Signaling processor

  • Session agent constraint-based admission control—number of sessions, session rate
  • Session agent load balancing
  • Session signaling rate limiting (“call gapping”)
  • Limit number of inbound and outbound sessions per device
  • B2BSA operation blocks many attacks
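The signaling-processor items above combine three limits: a per-session-agent ceiling on concurrent sessions and on session setup rate (call gapping), a per-device ceiling on sessions, and load balancing across the agents that still have capacity. The following is an added example, not Net-SAFE's or Acme Packet's code, showing how those constraints interact on one burst of calls; the agent names, limits and call sequence are constructed for illustration.

```python
"""Added example (not Net-SAFE's own code): session-agent constraint-based
admission control with call gapping, per-device session limits and
least-loaded balancing. Agents, limits and the call sequence are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SessionAgent:
    name: str
    max_sessions: int             # concurrent-session constraint
    max_rate: int                 # new sessions per second (call gapping)
    active: int = 0
    setup_times: List[float] = field(default_factory=list)   # recent admissions

    def rate_ok(self, now: float) -> bool:
        # sliding one-second window over recent setups
        self.setup_times = [t for t in self.setup_times if now - t < 1.0]
        return len(self.setup_times) < self.max_rate

    def has_room(self, now: float) -> bool:
        return self.active < self.max_sessions and self.rate_ok(now)


class AdmissionControl:
    def __init__(self, agents: List[SessionAgent], per_device_limit: int = 2):
        self.agents = {a.name: a for a in agents}
        self.per_device_limit = per_device_limit
        self.device_sessions = defaultdict(int)

    def admit(self, device: str, now: float) -> Tuple[Optional[str], str]:
        """Route a new session to an agent, or reject it with the constraint that fired."""
        if self.device_sessions[device] >= self.per_device_limit:
            return None, "device session limit"
        candidates = [a for a in self.agents.values() if a.has_room(now)]
        if not candidates:
            return None, "all session agents constrained"   # graceful rejection
        # least-loaded by occupancy ratio; ties go to the first configured agent
        agent = min(candidates, key=lambda a: a.active / a.max_sessions)
        agent.active += 1
        agent.setup_times.append(now)
        self.device_sessions[device] += 1
        return agent.name, "admitted"

    def release(self, device: str, agent_name: str) -> None:
        self.agents[agent_name].active -= 1
        self.device_sessions[device] -= 1


def simulate() -> List[Tuple[Optional[str], str]]:
    """Constructed scenario: two agents gapped at 2 setups/s, then a per-device overrun."""
    ac = AdmissionControl([SessionAgent("softswitch-a", max_sessions=3, max_rate=2),
                           SessionAgent("softswitch-b", max_sessions=3, max_rate=2)],
                          per_device_limit=2)
    log = []
    # six INVITEs from six phones within the same second: the gap admits two per agent
    for i in range(6):
        log.append(ac.admit(f"phone-{i}", now=0.0))
    # a second later the gap reopens; phone-0 places a second, then a third, call
    log.append(ac.admit("phone-0", now=1.0))
    log.append(ac.admit("phone-0", now=1.0))
    return log


if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```

The rejection reason is returned rather than printed so the caller can map it to the appropriate SIP response and raise the matching alarm; the rate window is deliberately evaluated per agent so that gapping one overloaded softswitch does not starve the others.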

Fraud prevention

SBC requirements

  • Must authenticate and authorize users
  • Enforce service contract per-user/device
  • Prevent piggyback usage

Net-SAFE functions/features

Network processor

  • Access control features perform authentication and authorization
  • Service theft protection
  • Media bandwidth policing prevents bandwidth theft
  • QoS marking/mapping prevents QoS theft
  • Media timers close media pinholes for stranded calls

Signaling processor

  • Authentication and authorization
    • Digest authentication
    • Session agent authentication—H.235 transparency
    • Session agent authorization
    • DNS-based authentication
    • IP address or prefix-based authentication
    • TLS and IPsec for authentication
    • Policy server-based authentication and authorization
  • Admission control—bandwidth

Monitoring and reporting

SBC requirements

  • Alarms for attacks and overloads
  • Audit trails for attack response and fraud investigation
  • Secure monitoring and management access against unauthorized personnel and attack

Net-SAFE functions/features

Alarms via SNMP traps

  • Attack detection
  • User authorization failures
  • Signaling processor utilization % threshold

Monitoring and reporting

  • Audit trails
    • Logging—local and remote
    • RADIUS CDRs
    • Media QoS reporting
  • Separate network interfaces for management traffic
  • Management security
    • CLI
      • SSH
      • SFTP
      • User access control
        • Administrative access control (group privileges)
        • RADIUS-based user authentication and access control
    • EMS
      • IPsec—EMS to SBC
      • HTTPS—EMS client and north-bound SOAP/XML interface
      • Administrative user authentication and access control
        • Username/password
        • User and user group ACLs
        • Audit trails—security log of all activities performed on the SBC through the EMS