Net-SAFE™ – the security requirements framework for SBCs
DoS and distributed denial of service (DDoS) attacks are becoming everyday threats for service providers. While attacks on Internet-based services continue to increase both in volume and cost impact, so too does the value of those services to the provider. As usage of real-time IP voice, video and multimedia services grows, they become a more prominent target for attack. In some cases, busy periods and abnormal conditions or events cause increases in call signaling rates that go beyond what the service provider infrastructure can support, resulting in network conditions that are similar in effect to a DoS attack. Loss of VoIP service is more than just loss of revenue. In an environment with increased competition, service providers are concerned about customer defections to alternative providers, impact on brand reputation and emergency call availability.
The session border controller is in a unique position to defend the service provider’s infrastructure from attack and overload, since it provides the first point of communication and defense at the edge of the network. Acme Packet’s products have always provided advanced security features in many areas; continued enhancements will raise the bar for session border control security services.
The Net-SAFE™ (Session Aware Filtering and Enforcement) framework identifies the requirements that a session border controller must satisfy to protect the SBC itself; to protect the service infrastructure (e.g. SIP servers, softswitches, application servers, media servers or media gateways); and to protect subscriber, enterprise and service provider security including confidentiality and privacy. Net-SAFE spans seven functional areas, each of which is a collection of more specific requirements, including:

- Session border controller DoS protection: autonomic SBC self-protection against malicious and non-malicious DoS attacks and overloads at layer 3/4 (e.g. TCP, SYN, ICMP, fragments, etc.) and layer 5 (e.g. SIP signaling floods, malformed messages, etc.). Mandates hardware-enforced fairness, control and throttling for signaling and media.
- Access control: session-aware access control for signaling and media using static and dynamic permit/deny ACLs at layers 3 and 5.
- Topology hiding and privacy: complete infrastructure topology hiding at all protocol layers for confidentiality and attack prevention, as well as modification, removal or insertion of call signaling application headers and fields. Privacy support using industry-standard encryption methods such as TLS and IPsec.
- VPN separation: support for Virtual Private Networks (VPNs) with full inter-VPN topology hiding and separation, the ability to create separate signaling-only and media-only VPNs, and optional intra-VPN media hair-pinning to monitor calls within a VPN.
- Service infrastructure DoS prevention: per-device signaling and media overload control, with deep packet inspection and call rate control to prevent DoS attacks from reaching service infrastructure such as SIP servers, softswitches, application servers, media servers or media gateways.
- Fraud prevention: session-based authentication, authorization and contract enforcement for signaling and media, and service theft protection.
- Monitoring and reporting: audit trails, event logs, access violation logs and traps, management access command recording, Call Detail Records (CDRs) with media performance monitoring, raw packet capture and lawful intercept capability.
Net-SAFE security requirements and Acme Packet functions/features

SBC DoS protection

SBC requirements
- Protect the SBC from DoS and other malicious attacks
- Protect the SBC from becoming overloaded in unforeseen conditions
- Allow trusted/authenticated users access while under DoS attack
- Dynamically build a trust relationship per subscriber device
- Automatically isolate attackers
- Give preference to trusted devices over unknown devices
- Provide fair access opportunity for unknown devices

Acme Packet Net-SAFE functions/features
- Network processor
  - Network processor-based attack detection & prevention: TCP, SYN, ICMP, fragments, etc.
  - Network processor-based access control to the signaling processor: dynamic permit & deny ACLs (see Access control below)
  - Signaling processor protection
  - Signaling processor access fairness using hardware-based mechanisms
  - Protocol-based queue separation: separate queues for ICMP, ARP, Telnet, FTP, etc.
  - Guaranteed signaling rates for each trusted device
  - Untrusted devices can use the remaining bandwidth unused by trusted devices
  - Unicast Reverse Path Forwarding (uRPF) detection for signaling and media
  - Network processor overload prevention
- Signaling processor
Access control

SBC requirements
- Filter specific devices or whole networks, per application
- Permit access to known devices or networks, per application
- Permit access to authorized/registered users
- Permit or deny access to anonymous users
- Dynamically accept or reject traffic based on device behavior
- Accept media only for authorized sessions
- Block all traffic not supported by the SBC
- Support many high-performance, low-latency ACL filters

Acme Packet Net-SAFE functions/features
- Network processor ACLs
  - Static permit/deny lists
    - IP address/port of session agents (CA, AS, IP PBX, etc.)
    - IP address/port prefix of endpoints, per protocol
  - Dynamic permit lists
    - IP address/port of endpoints with a successful registration or session request (SIP REGISTER, MGCP RSIP, ACK on session request)
    - Signaling-controlled IP address/port pinholes for RTP & RTCP
  - Dynamic deny lists
- Signaling processor ACLs
  - Static permit lists
    - IP address/port of session agents (CA, AS, IP PBX, etc.)
    - IP address/port prefix of endpoints, per protocol
  - Dynamic permit list
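The SBC DoS protection and Access control rows above describe one mechanism from several angles: a dynamic permit list built from successful registrations, a guaranteed signaling rate per trusted device, leftover capacity shared by unknown devices, and automatic isolation of sources that misbehave. The model below is an added example (my code, not Acme Packet's); the per-interval budgets, promotion on a successful REGISTER and the malformed-message threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

class SignalingAdmission:
    """Guaranteed budget for trusted devices, leftover pool for untrusted, deny list for abusers."""

    def __init__(self, total_rate, trusted_rate, malformed_limit=3):
        self.total_rate = total_rate        # signaling processor capacity per interval (assumed)
        self.trusted_rate = trusted_rate    # guaranteed messages per trusted device (assumed)
        self.malformed_limit = malformed_limit
        self.trusted = set()                # dynamic permit list
        self.denied = set()                 # dynamic deny list (isolated attackers)
        self.malformed = defaultdict(int)
        self.new_interval()

    def new_interval(self):                 # reserve for trusted devices, pool the remainder
        self.used = defaultdict(int)
        self.untrusted_pool = max(0, self.total_rate - self.trusted_rate * len(self.trusted))

    def registration_succeeded(self, src):  # registrar answered REGISTER with 200 OK
        if src not in self.denied:
            self.trusted.add(src)

    def admit(self, src, malformed=False):
        """Decide for one inbound message: 'admit', 'throttle' or 'drop'."""
        if src in self.denied:
            return "drop"
        if malformed:
            self.malformed[src] += 1
            if self.malformed[src] >= self.malformed_limit:
                self.denied.add(src)        # automatically isolate the attacker
                self.trusted.discard(src)
            return "drop"
        if src in self.trusted:
            if self.used[src] >= self.trusted_rate:
                return "throttle"           # over its guaranteed rate
            self.used[src] += 1
            return "admit"
        if self.untrusted_pool == 0:
            return "throttle"               # leftover capacity exhausted
        self.untrusted_pool -= 1
        return "admit"

def demo():  # constructed scenario: one registered phone, one flooder, one fuzzer
    sbc = SignalingAdmission(total_rate=10, trusted_rate=4)
    sbc.registration_succeeded("phone")
    sbc.new_interval()                      # 4 reserved for phone, 6 for everyone else
    flood = [sbc.admit("flooder") for _ in range(20)]
    phone = [sbc.admit("phone") for _ in range(5)]
    for _ in range(3): sbc.admit("fuzzer", malformed=True)
    return {"flood_admitted": flood.count("admit"),    # 6
            "phone_admitted": phone.count("admit"),    # 4
            "fuzzer_isolated": "fuzzer" in sbc.denied}  # True
```

The flooder only ever gets the six leftover slots, the registered phone keeps its four guaranteed slots during the flood, and the fuzzer is dropped outright once it is on the deny list.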
Topology hiding & privacy

SBC requirements
- Hide the entire topology to prevent directed attacks and preserve confidentiality
- Anonymize user information for privacy and confidentiality
- Protect users and service provider infrastructure from eavesdroppers, identity thieves and fraud

Acme Packet Net-SAFE functions/features
- Topology hiding
- Privacy
VPN separation

SBC requirements
- Secure L2 and L3 VPN customers
- Maintain security isolation between VPNs
- Support inter-VPN sessions
- Monitor media for intra-VPN sessions for lawful intercept or fraud prevention

Acme Packet Net-SAFE functions/features
- Network processor
  - VLAN tagging for VPN separation
  - VLAN- and prefix-based identification and separation of VPNs
  - Layer 1-4 topology hiding, by customer VPN (L2 or L3)
  - Media (RTP & RTCP) hair-pinning or media release for inter- and intra-VPN calls
- Signaling processor
  - VPN session separation, even for overlapping addresses
  - Layer 5-7 topology hiding, by signaling and media transport VPN
Service infrastructure DoS prevention

SBC requirements
- Prevent attackers from learning the service infrastructure topology
- Prevent the infrastructure from being attacked
- Prevent the infrastructure from becoming overloaded

Acme Packet Net-SAFE functions/features
- Network processor
- Signaling processor
  - Session agent constraint-based admission control: number of sessions, session rate
  - Session agent load balancing
  - Session signaling rate limiting ("call gapping")
  - Limit the number of inbound & outbound sessions per device
  - B2BSA operation blocks many attacks
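The signaling processor features listed above (constraint-based admission control per session agent, load balancing, call gapping and a per-device session cap) combine into one routing decision for each new session. The following is an added example of that decision (my code, not Acme Packet's); the one-second rate window, the session-agent names and the limits are assumptions.

```python
from collections import deque

class SessionAgent:
    """A downstream SIP server/softswitch and its admission constraints (assumed values)."""
    def __init__(self, name, max_sessions, max_rate_per_sec):
        self.name, self.max_sessions, self.max_rate = name, max_sessions, max_rate_per_sec
        self.active = 0
        self.starts = deque()               # session start times within the last second

    def can_accept(self, now):
        while self.starts and now - self.starts[0] >= 1.0:
            self.starts.popleft()           # slide the one-second rate window
        return self.active < self.max_sessions and len(self.starts) < self.max_rate

    def start(self, now):
        self.active += 1
        self.starts.append(now)

class InfrastructureGuard:
    """Per-device session cap plus constraint-based routing across session agents."""
    def __init__(self, agents, per_device_limit):
        self.agents = agents
        self.per_device_limit = per_device_limit
        self.device_sessions = {}

    def admit(self, device, now):
        """Return the agent a new session is routed to, or None if it is gapped."""
        if self.device_sessions.get(device, 0) >= self.per_device_limit:
            return None                     # device is over its session cap
        ready = [a for a in self.agents if a.can_accept(now)]
        if not ready:
            return None                     # call gapping: every agent is at its limit
        agent = min(ready, key=lambda a: a.active / a.max_sessions)  # least loaded
        agent.start(now)
        self.device_sessions[device] = self.device_sessions.get(device, 0) + 1
        return agent.name

def demo():  # constructed burst of session requests against two softswitches
    guard = InfrastructureGuard([SessionAgent("softswitch-a", 100, 2),
                                 SessionAgent("softswitch-b", 50, 2)], per_device_limit=2)
    burst = [guard.admit(f"ua{i}", now=0.0) for i in range(5)]
    later = [guard.admit("ua0", now=1.0), guard.admit("ua0", now=1.0)]
    return burst, later
# burst -> ['softswitch-a', 'softswitch-b', 'softswitch-a', 'softswitch-b', None]
# later -> ['softswitch-a', None]
```

Within the first second the two agents absorb four sessions between them and the fifth is gapped; a second later the window has slid, but the same device is refused once it reaches its own cap.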
Fraud prevention

SBC requirements

Acme Packet Net-SAFE functions/features
- Network processor
- Signaling processor
Monitoring & reporting

SBC requirements
- Alarms for attacks and overloads
- Audit trails for attack response & fraud investigation
- Secure monitoring & management access against unauthorized personnel and attack

Acme Packet Net-SAFE functions/features