
Securing SIP Trunks

APPLICATION NOTE
www.sipera.com
Internet telephony service providers offer SIP trunks to connect enterprise IP PBXs to the traditional public switched telephone network (PSTN) over the Internet using the Session Initiation Protocol (SIP). Deploying SIP trunks enables enterprises to take full advantage of voice over IP (VoIP) and eliminate costly time-division multiplexing (TDM) trunks and TDM gateways. With SIP trunks, enterprises route calls over the carrier's IP backbone and use the same IP connection for all their communications.
While utilizing SIP trunks brings definite cost advantages, fully realizing these and other benefits requires addressing a number of security and deployment concerns. These include:
- Whether the enterprise and the service provider have the same security requirements.
- Whether the service provider and the enterprise have the same security policies for employees, networks, and the VoIP system.
- How the enterprise will maintain control over signaling, media, security, and routing policies.
- How the enterprise will address new SIP or media threats to the enterprise infrastructure or to the service provider's infrastructure.
- What changes the enterprise has to make to the firewall/network address translation (NAT) device, IP PBX, private IP addresses, numbering plan, and other components.
- Whether the enterprise network topology will be exposed.
- How the enterprise will ensure user/caller ID privacy.
- How the enterprise will ensure the privacy of actual media communications.
- How to ensure actual media privacy. (With encryption? If so, end-to-end?)
Sipera Systems offers a comprehensive, plug-and-play Unified Communications (UC) security solution that enables enterprises to address these issues, define a security boundary between themselves and the service provider, and enjoy the full benefits of secure SIP trunk deployments.
PROBLEM
An enterprise's IP PBX and other UC infrastructure components are not only valuable enterprise assets; they are critical components required for VoIP and UC services. Typically, enterprises control network access to these components through virtual local area networks (VLANs), access control lists (ACLs), and firewalls. However, when enterprises provide connectivity over SIP trunks, opening access to critical resources over WANs and opening ports on the firewall present serious security challenges. Maintaining control over their own security requirements may also raise issues.
Different enterprise and service provider security requirements
Typically, a SIP trunk provider has one set of security requirements, whereas its enterprise customers have diverse security requirements. For example, enterprises standardize on different operating systems, implement security policies differently, define different firewall rules, require different password lengths, and may differ in their need to use two-factor authentication for remote users. In the case of VoIP and UC, these varying security requirements are particularly important. Instead of being forced to adopt the standards of their SIP trunk providers, enterprises must be able to enforce their own unique security standards and maintain control over all aspects of their Unified Communications to:
- Ensure secure deployment of their SIP trunks.
- Improve overall network security.
- Determine the specific signaling, media, and applications that are allowed or denied access to their networks to ensure the quality of service (QoS) required for VoIP and UC services.
- Define fine-grained security policies that are enforced based on network, user, device, and time of day.
Protection against VoIP and UC protocol vulnerabilities
VoIP offers many more real-time services than data (including transfer, conference, and hold), making VoIP protocols more complex, flexible, and exploitable. (Because of this, more than 50 requests for comments, or RFCs, exist for SIP in the IETF, compared with only about 10 for HTTP, which has been around more than twice as long.) With known ports open on the firewall to allow VoIP and UC traffic through, enterprises must perform deep-packet inspection and continuously police application traffic to protect the VoIP network, endpoints, and IP PBXs from thousands of application-layer attacks that can cause IP PBX crashes, lost services, and degradation of voice quality.
These VoIP/UC-specific application-layer attacks include:
- Reconnaissance
- Spoofing
- Eavesdropping
- Signaling and media manipulation
- Service theft/fraud
- Denial of Service (DoS)/Distributed DoS attacks
- Fuzzing and buffer overflow exploits
- VoIP spam
- VoIP phishing
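As an added illustration of the application-layer inspection described above (not Sipera's code): a small validator that flags malformed or fuzzed SIP requests before they would reach an IP PBX. The limits and the two constructed messages are assumptions, not values from the note.

```python
import re

# Limits an inspecting border element might enforce; the values are assumptions.
MAX_LINE_LEN = 1024
MAX_HEADERS = 64
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")

def inspect_sip(raw: bytes) -> list:
    """Return anomaly labels for one SIP request; an empty list means it passed."""
    findings = []
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["invalid utf-8 in message"]
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        findings.append("malformed request line")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE_LEN:            # typical fuzzing / overflow probe
            findings.append("oversized header line")
        name, colon, value = line.partition(":")
        if not colon:
            findings.append("header without colon")
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if len(lines) - 1 > MAX_HEADERS:
        findings.append("too many headers")
    findings += [f"missing {h}" for h in MANDATORY if h not in headers]
    cseq = headers.get("cseq", [""])[0]
    if cseq and not re.fullmatch(r"\d{1,10} [A-Z]+", cseq):
        findings.append("malformed cseq")
    mf = headers.get("max-forwards", [""])[0]
    if mf and not (mf.isdigit() and int(mf) <= 255):
        findings.append("max-forwards out of range")
    cl = headers.get("content-length", [""])[0]
    if cl and (not cl.isdigit() or int(cl) != len(body.encode("utf-8"))):
        findings.append("content-length mismatch")
    return findings

# Constructed samples: a well-formed OPTIONS keepalive and a fuzzed INVITE.
GOOD = (b"OPTIONS sip:pbx.example.com SIP/2.0\r\n"
        b"Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bK-1\r\n"
        b"From: <sip:monitor@itsp.example.net>;tag=a1\r\n"
        b"To: <sip:pbx.example.com>\r\n"
        b"Call-ID: 7f3e@itsp.example.net\r\n"
        b"CSeq: 1 OPTIONS\r\n"
        b"Max-Forwards: 70\r\n"
        b"Content-Length: 0\r\n\r\n")
FUZZED = (b"INVITE sip:x@pbx.example.com SIP/2.0\r\nVia: " + b"A" * 5000 +
          b"\r\nCSeq: 99999999999999 INVITE\r\nMax-Forwards: 999\r\n\r\n")
```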
Confidentiality and privacy concerns
When VoIP traffic is sent over the Internet, both signaling and media traffic must be encrypted to ensure complete privacy of real-time communications. Attackers can use sniffing methods to easily exploit signaling traffic for reconnaissance purposes and to learn detailed call-related information (such as caller and called party IP addresses, and the date and time of the call). Media must be encrypted to ensure privacy of the actual communication.
However, encrypting media traffic poses the additional challenge of ensuring acceptable QoS without degrading performance. The problem is compounded in terms of management and operational costs if the artificial requirement for a VPN client on the phone or a home VPN gateway is imposed.
Private addressing, firewalls and network address translation (NAT)
IP addresses in SIP messages and message headers that are exchanged between the service provider and the enterprise network must be routable IP addresses in the service provider's network. Unlike data applications, VoIP uses dynamic ports for peer-to-peer media flows between phones. For SIP trunks to work, enterprises must make the following major changes to their firewall policies for performing NAT functionality and protecting internal, private IP addresses:
- Enterprise firewall policies must support opening dynamic ports for media, which weakens security.
- Enterprises must provide internal, private IP addresses that are routable in the service provider's network to support SIP message exchanges between enterprise and service provider networks.
Access and authorization
Before establishing a signaling or media session, remote users must be authenticated. This authentication can be done in a variety of ways, including the use of digest access authentication or certificates. Many enterprises require the use of two-factor authentication schemes such as RSA SecurID for remote access to prevent unauthorized calls on stolen or lost phones.
Policy compliance for UC traffic
To deploy SIP trunks without compromising established security policies, enterprises must also enforce fine-grained UC policies. VoIP and IT administrators must control voice, video, IM, and other UC applications by defining the way the applications are used and the networks, devices, and users that are authorized to interact with the applications. Policies for mobile users and devices must be dynamic and flexible to satisfy these requirements.
SOLUTION
The Sipera UC-Sec security appliance offers real-time UC security, allowing enterprises to enjoy the benefits of SIP trunks without the risks. UC-Sec enables secure, mission-critical communications over SIP trunks by delivering comprehensive threat protection, policy enforcement, access control, and privacy, and by performing the following functions within SIP trunk deployments:
- Serves as the demarcation point for the enterprise VoIP and UC network and enforces fine-grained security policies.
- Protects against SIP and Real-time Transport Protocol (RTP) threats by blocking them at the enterprise perimeter.
- Maintains privacy of the enterprise internal network, caller/user IDs, and communications.
- Performs firewall/NAT traversal to simplify the deployment of SIP trunks.
Demarcation of the enterprise and service provider VoIP/UC network
Enterprises must enforce a demarcation point between their VoIP/UC boundary and the service provider using a UC security appliance, just like the firewalls and demilitarized zones (DMZs) they install in their data networks. The UC-Sec appliance becomes this demarcation point and performs all security functions required to enforce enterprise security policies. UC-Sec also provides information from both the enterprise side and the service provider side for QoS or service availability, so that appropriate service level agreements (SLAs) can be verified and enforced.
In addition, enterprises must define policies for VoIP and UC traffic that apply to the SIP trunk. For example, policies might define:
- Users that are allowed to make voice and video calls
- The SIP trunk to use for international dialing
- Trunks that require encryption and threat protection
- Calls that must be logged and whether or not to report the QoS
Unified Communications Security Life Cycle
1. Define Security Requirements: Compare business objectives for UC with impact on information security compliance: HIPAA, PCI, FERPA, GLBA and others
2. Assess Security Posture: Identify vulnerabilities, assess risk, determine the gap between posture and requirements, consider impact on real-time application performance
3. Implement Security Measures: Optimize security posture and application performance; configure policy enforcement, threat protection, access control, privacy (encryption)
4. Manage Compliance: Review established posture, manage change, gather new requirements as business objectives and regulatory mandates change
Enterprises that have multiple departments with different security requirements and applications may require more flexible, fine-grained policy control. Frequently, enterprises use multiple routes to reach the PSTN. Enterprises might also have multiple internal call servers and require flexible SIP routing policies at the edge. Sipera's UC-Sec offers fine-grained UC policy control based on network, user, device and time of day to give enterprises complete control over their UC infrastructure, devices, and users.
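An added example (not Sipera's configuration or code) of the policy evaluation just described, covering both the example trunk policies listed under demarcation and the network, user, device and time-of-day dimensions above. Trunk names, address ranges, users, the home country code and the permitted hours are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time

# Constructed policy modelled on the note's examples; every value is an assumption.
TRUNKS = {
    "itsp-primary": {"international": True, "encrypt": True, "up": True},
    "itsp-backup": {"international": False, "encrypt": False, "up": True},
}
VIDEO_USERS = {"alice", "bob"}
OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")
MOBILE_VPN_NET = ipaddress.ip_network("172.16.0.0/12")
INTL_HOURS = (time(8, 0), time(18, 0))  # when international dialing is permitted

@dataclass
class CallRequest:
    user: str
    src_ip: str
    device: str       # "deskphone", "softphone" or "mobile"
    dialed: str       # E.164 number
    media: frozenset  # e.g. frozenset({"audio", "video"})
    at: time

@dataclass
class Decision:
    allow: bool
    reason: str = ""
    trunk: str = ""
    require_encryption: bool = False
    log: bool = False

def select_trunk(international: bool, trunks=TRUNKS):
    """First trunk that is up and may carry this call type; None if there is none."""
    for name, t in trunks.items():
        if t["up"] and (t["international"] or not international):
            return name
    return None

def evaluate(req: CallRequest, trunks=TRUNKS) -> Decision:
    """Apply network, user, device and time-of-day rules to one call attempt."""
    src = ipaddress.ip_address(req.src_ip)
    if src not in OFFICE_NET and src not in MOBILE_VPN_NET:
        return Decision(False, "source network not authorized")
    if "video" in req.media and req.user not in VIDEO_USERS:
        return Decision(False, "video not permitted for user")
    international = not req.dialed.startswith("+1")  # assumed home country code
    if international and req.device == "mobile":
        return Decision(False, "international dialing blocked from mobile devices")
    if international and not INTL_HOURS[0] <= req.at < INTL_HOURS[1]:
        return Decision(False, "international dialing outside permitted hours")
    trunk = select_trunk(international, trunks)
    if trunk is None:
        return Decision(False, "no trunk available for this call")
    # Trunks flagged "encrypt" require TLS/SRTP; international and mobile calls are logged.
    return Decision(True, "permitted", trunk, trunks[trunk]["encrypt"],
                    log=international or req.device == "mobile")
```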
Addressing the vulnerabilities and threats in SIP and RTP
When traffic from the service provider WAN comes into the corporate intranet to high-value assets such as VoIP servers, the traffic must pass through a VoIP security appliance, such as the UC-Sec product, which inspects and validates the traffic. UC-Sec integrates seamlessly with UC infrastructure. The solution is VoIP-aware and, without degrading UC performance, performs deep-packet inspection and tracks call states, functions that are crucial for UC threat mitigation. UC-Sec also has a signature update mechanism to extend that same protection to new threats.
Maintaining privacy of network topology and internal domains
Enterprises require a VoIP/UC-aware appliance at the edge of their networks to hide internal network topology and SIP domain information. Sipera's UC-Sec maintains the integrity of enterprise networks, changing private IP addresses to public IP addresses and private internal domains to public SIP domains in SIP messages, thus preventing exposure of private network topology data.
UC-Sec's comprehensive security solutions also support:
- User/caller ID anonymity.
- User privacy SIP standards that interwork with service providers' SIP trunks.
- Encryption of signaling traffic over Transport Layer Security (TLS) and encryption of media traffic over Secure RTP (SRTP).
Communicating and interworking disjoint private networks
Enterprise firewalls and DMZs enforce strict policies and perform NAT functions to ensure that internal enterprise networks and servers have private addresses that are not directly routable from external networks. Without overhauling these security policies, the Sipera UC-Sec appliance provides NAT traversal for signaling traffic and manages dynamic ports for media traffic. UC-Sec also participates in the signaling traffic to allow only those media sessions that follow the session specification agreed upon in the signaling channel.
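An added example (not Sipera's code) of the two mechanisms described in this and the previous section: rewriting private addresses and the internal domain out of a SIP message, and deriving from the SDP the one media endpoint for which RTP is admitted. It is a simplified model: the private range, internal domain and public address are assumptions, and a real B2BUA would also re-anchor media on a port of its own.

```python
import ipaddress
import re

# Constructed sample: an INVITE as it leaves an enterprise IP PBX on a private
# address, before the border element rewrites it for the SIP trunk.
PRIVATE_INVITE = (
    "INVITE sip:+14155550123@itsp.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.1.2.3:5061;branch=z9hG4bK-77a\r\n"
    "From: <sip:alice@pbx.corp.internal>;tag=1928\r\n"
    "To: <sip:+14155550123@itsp.example.net>\r\n"
    "Contact: <sip:alice@10.1.2.3:5061>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.1.2.3\r\n"
    "c=IN IP4 10.1.2.3\r\n"
    "m=audio 40002 RTP/SAVP 0\r\n"
)
# Constructed sample: the SDP the provider returns in its 200 OK answer.
ITSP_ANSWER_SDP = "v=0\r\nc=IN IP4 198.51.100.7\r\nm=audio 30000 RTP/SAVP 0\r\n"

PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed enterprise address space
PRIVATE_DOMAIN = "pbx.corp.internal"               # assumed internal SIP domain
PUBLIC_IP = "203.0.113.10"                         # assumed public side of the border element
PUBLIC_DOMAIN = "sip.example.com"                  # assumed public SIP domain
IPV4 = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"

def hide_topology(msg: str) -> str:
    """Replace private IPs and the internal domain in headers and SDP alike."""
    def swap(m):
        try:
            private = ipaddress.ip_address(m.group(0)) in PRIVATE_NET
        except ValueError:          # dotted token that is not a valid address
            private = False
        return PUBLIC_IP if private else m.group(0)
    return re.sub(IPV4, swap, msg).replace(PRIVATE_DOMAIN, PUBLIC_DOMAIN)

def media_pinhole(sdp: str):
    """(ip, port) the SDP names for audio, i.e. the only media endpoint that
    signaling agreed on; None when the SDP declares no such endpoint."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not conn or not media:
        return None
    return conn.group(1), int(media.group(1))

def rtp_allowed(pinhole, src_ip: str, src_port: int) -> bool:
    """Gate inbound RTP: only packets from the negotiated endpoint pass."""
    return pinhole is not None and (src_ip, src_port) == pinhole
```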
Companies around the world rely on Sipera Systems to ensure their UC and VoIP deployments support compliance with information security requirements and mission-critical corporate objectives. Through dozens of successful vulnerability assessments, security architecture consulting projects, and security appliance deployments, Sipera has developed a standardized Unified Communications Security Life Cycle. This process represents a best practice for continuous improvement of the security architecture, enabling an enterprise to be certain that essential security functions can keep pace with the transforming communications infrastructure.
Figure: Sipera UC-Sec deployed in high availability mode in the DMZ between the external and internal firewalls, with the ITSP and PSTN on the outside and the IP PBX on the enterprise intranet.
1B. FW/NAT traversal
2A. Encrypted signaling over TLS (external leg); 2B. Apply VoIP/UC policies, detect and prevent VoIP/UC threats, perform interworking functions; 2C. Signaling over TLS (internal leg to the IP PBX)
3A. SRTP media (external leg); 3B. Media anomaly detection and prevention; 3C. RTP media (internal leg to the IP PBX)
IMPLEMENTATION
To enable secure SIP trunks, a single Sipera UC-Sec appliance is deployed at the customer premises, between the internal and external firewalls. The UC-Sec provides complete network security, enforces security policies, and handles other SIP trunk deployment issues for the enterprise network.
In the deployment shown in the figure, Sipera UC-Sec performs border control functionality such as FW/NAT traversal (as shown in step 1), interworking, security policy enforcement based on fine-grained UC policies, and threat protection to prevent denial of service, spoofing, and stealth attacks.
Because the UC-Sec appliance is a trusted host in the DMZ, SIP signaling traffic to the enterprise is received by the external firewall and sent to the Sipera appliance, which processes the signaling information. If the SIP signaling traffic is encrypted, UC-Sec decrypts all TLS-encrypted traffic and looks for anomalous behavior before forwarding the packets through the internal firewall to the appropriate IP PBX to establish the requested call session (as shown in step 2).
Once a valid call has been set up, RTP packets are allowed to flow through the external firewall to the Sipera UC-Sec appliance, which decrypts the SRTP traffic (if required) and looks for anomalous behavior in the media before passing on the RTP stream to the intended recipient (as shown in step 3).
RESULT
The popularity of SIP trunks is primarily due to cost savings and the increased reliability offered through service provider service level agreements (SLAs). SIP trunks can deliver much lower cost local, toll-free, domestic, and international long distance services to any enterprise willing to replace its PSTN connectivity. They also offer a unique opportunity for large, distributed enterprises to consolidate their VoIP/UC infrastructure and connectivity to the PSTN.
Therefore, it's not surprising that enterprises embrace SIP trunks as a means to replace costly PSTN trunks and gateways, while using real-time Unified Communications ubiquitously over IP networks. In some cases, enterprises use multiple SIP trunks with different providers for disaster recovery, redundancy, or to enable different applications.
Without solving network security and demarcation challenges, however, SIP trunks cannot be deployed on a large scale or without considerable risk. Sipera UC-Sec addresses the challenges of securing SIP trunk deployments, providing threat protection, access control, policy enforcement, and privacy protection in a single device and enabling enterprises to reap the full benefits of their SIP trunk architectures.
Copyright 2011 Sipera Systems, Inc. All rights reserved. Sipera, SLiC, Sipera UC-Sec and related products, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.
Sipera Systems
1900 Firman Drive, Suite 600
Richardson, TX
75081, USA
T: +1 214 206 3210
F: +1 214 206 3215
E: info@sipera.com www.sipera.com www.twitter.com/siperasystems
V#01.09.11
About Sipera Systems
Sipera Systems, the leader in real-time Unified Communications (UC) security solutions, is the choice of enterprises and service providers around the world to support their mission-critical UC deployments.
Sipera offers groundbreaking solutions that secure voice, video, messaging, collaboration, and other real-time communications in converged IP networks, boosting compliance with information security requirements and simplifying the adoption of UC. Sipera's innovative Borderless UC architecture delivers secure and private enterprise-class communications to any device over any network in any location.
Backed by the industry-leading research of the VIPER Lab, Sipera's award-winning UC-Sec appliance provides comprehensive threat protection, policy enforcement, access control, and encryption in a single, flexible, plug-and-play device. The UC-Sec is pre-integrated with all market-leading UC vendor solutions and is the world's first UC security device to be Common Criteria certified, meeting the stringent international standard for IT security.
UNIFIED COMMUNICATIONS UNLEASHED
UC Security in a Box
Sipera's UC-Sec appliance provides a complete application-layer security architecture in one device:
- Firewall
- Session Border Controller
- Intrusion Detection System and Intrusion Prevention System (IDS/IPS)
- Access Controller
- Authentication
- Unified Communications Proxy
- VPN / Encryption
- Policy Enforcement
... for all real-time Unified Communication applications
