VL-82

SIP Trunking and Security

by William Flanagan

Lot's of activity around SIP trunking over the last few months.  More carrier offerings, more carriers.  Quite a bit about how to use a Session Border Controller (SBC), both within the carrier and on the customer premisses.  Two issues remain unsettled:

Compatibility

Major strides have been taken toward settling on the minimum requirements for SIP trunks so any device could operate with any service.  The goal is to play as soon as you plug.  Not quite there yet, but efforts such as, SIPconnect 1.1, the SIP Forum's Technical Recommendation, show real promise. 

The SIP standards are huge, constantly expanding (more than 50 separate task groups are at work most of the time),  and subject to interpretation.  That is, different implementers can read the text of the documents in conflicting ways.  Hence the need for compatibility testing, certifications of interoperability between vendors, and considerable care in configuring new installations.

An enterprise SBC can resolve many compatibility issues.  They can have separate configurations for inside and outside connections, converting between the two as necessary.

• Existing H.323 systems can connect to SIP trunks when the SBC converts the signaling messages.
• Transcoding in the SBC allows devices using different codecs or different bit rate streams to connect.
• Phones with private IP addresses (10.x.x.x or 192.168.x.x) can receive calls from the Internet when the SBC proxy also applies Network Address Translation (NAT). 
• Part of that NAT task is to register the phones and link them to an external, routable address (or proxy the registration for the IP PBX). 

For a more detailed description and a diagram see this sample page from my new book, VoIP and Unified Communications.

Security

I mentioned this before, but it bears repeating:  VoIP has all the vulnerabilities of data networks and needs to be protected from the Internet even while it must connect to it.  Tough situation--complicated by  the many new protocols and behaviors that voice introduces to the network.  Data firewalls and Intrusion Detection/Prevention Systems don't always understand SIP signaling messages and stream formats so may ignore exploits unique to voice.  For examples:

• A crook who gains access to an IP PBX he can generate thousands of calls lasting only 1 s each.  A data IPS may not see that as odd because it consumes little bandwidth.  But it can be expensive if each call incurs a cost based on a termination fee (for example, to a 900 number). 
• Voice malware can monitor specific extensions of executives, engineers, or finance people.  The flexibility of VoIP allows the network to "fork" a call so that a third party is rung at the same time and can then listen to or record conversations on that extension.
• Voice streams may contain packets with spoofed vLAN identifiers.  A "voice" connection in this way can give an attacker access to any server in a data center or on an enterprise network.  Again, data-oriented security won't recognize the attack.

Some of this information comes from Addis Hallmark and VIPER Lab, a VoIP security research company acquired by Avaya in 2011 when it bought Sipera Systems.  For the past decade they observed and tested VoIP systems to characterize "normal" and "deviant" behaviors.  That information built into software differentiates the SBC from a traditional firewall or IPS.  They also created the "VLANhopper" tool that illustrates how a device assigned to a voice vLAN can access another vLAN on the same network. 

Be aware.
___________________

How Can Flanagan Consulting Help You?   

     We understand not only the technology of networks, but also
     the surrounding business processes:  procurement, bid
     preparation/analysis, statements of work, financial analysis,
     consensus building around a solution, and more.
     Find out now:  call +1.703.242.8381  or email Bill@Flanagan-Consulting.com

Flanagan Consulting Supports Litigation Professionals

   Several associates are experienced in analysis of patents, trademarks,
   contracts, and other intellectual property related to IT and communications.
   We have assisted attorneys preparing claims, depositions, and testimony.
   How can we help you?  Queries to +1.703.242.8381.

We Know Hard Drive File Recovery

   Through bitter experience we learned how to apply several powerful software tools
   to the problem of recovering files from a hard drive when the partition table disappears.
   If you have a similar problem with a SATA or IDE drive, particularly on a Linux system,
   we can help.  Contact us for information.

Advertise Here...

  ...to reach over two thousand interesting people in Telecom and IT.
  For details, call the Publisher at +1.703.855.0191

NEW BOOK ALMOST READY

        VoIP and Unified Communications
          Internet Telephony and the future Voice Network

Wiley Interscience, part of Wiley & Sons, should publish my sixth book in February 2012.  For the list of previous books see the Publications page on the web site.  Together, those five titles have sold over 70,000 copies.  Hope you like this one too.  I'll let you know when it's out and where you read an excerpt.

Responses to ViewsLetter and Subscriptions

    Mail is welcome when addressed to publisher@viewsletter.com.

Special thanks for supporting ViewsLetter to www.Webtorials.com,
your best source for communications tutorials and white papers.