SIP Trunking and Security
by William Flanagan
Lot's of activity around SIP trunking over the last few months.
More carrier offerings, more carriers. Quite a bit about how to
use a Session Border Controller (SBC), both within the carrier and on
the customer premisses. Two issues remain unsettled:
Major strides have been taken toward settling on the minimum
requirements for SIP trunks so any device could operate with any
service. The goal is to play as soon as you plug. Not
quite there yet, but efforts such as, SIPconnect 1.1, the SIP Forum
Recommendation, show real promise.
The SIP standards are huge, constantly expanding (more than 50 separate
task groups are at work most of the time), and subject to
interpretation. That is, different implementers can read the text
of the documents in conflicting ways. Hence the need for
compatibility testing, certifications of interoperability between
vendors, and considerable care in configuring new installations.
An enterprise SBC can resolve many compatibility issues. They can
have separate configurations for inside and outside connections,
converting between the two as necessary.
- Existing H.323 systems can connect to SIP trunks when the SBC
converts the signaling messages.
- Transcoding in the SBC allows devices using different codecs or
different bit rate streams to connect.
- Phones with private IP addresses (10.x.x.x or 192.168.x.x) can
receive calls from the Internet when the SBC proxy also applies Network
Address Translation (NAT).
- Part of that NAT task is to register the phones and link them to
an external, routable address (or proxy the registration for the IP
For a more detailed description and a diagram see this sample page
from my new book, VoIP and Unified Communications
I mentioned this before, but it bears repeating: VoIP has all the
vulnerabilities of data networks and needs to be protected from the
Internet even while it must connect to it. Tough
situation--complicated by the many new protocols and behaviors
that voice introduces to the network. Data firewalls and
Intrusion Detection/Prevention Systems don't always understand SIP
signaling messages and stream formats so may ignore exploits unique to
voice. For examples:
- A crook who gains access to an IP PBX he can generate thousands
of calls lasting only 1 s each. A data IPS may not see that as
odd because it consumes little bandwidth. But it can be expensive
if each call incurs a cost based on a termination fee (for example, to
a 900 number).
- Voice malware can monitor specific extensions of executives,
engineers, or finance people. The flexibility of VoIP allows the
network to "fork" a call so that a third party is rung at the same time
and can then listen to or record conversations on that extension.
- Voice streams may contain packets with spoofed vLAN
identifiers. A "voice" connection in this way can give an
attacker access to any server in a data center or on an enterprise
network. Again, data-oriented security won't recognize the attack.
Some of this information comes from Addis Hallmark and VIPER Lab, a
VoIP security research company acquired by Avaya in 2011 when it bought
Sipera Systems. For the past decade they observed and tested VoIP
systems to characterize "normal" and "deviant" behaviors. That
information built into software differentiates the SBC from a
traditional firewall or IPS. They also created the "VLANhopper"
tool that illustrates how a device assigned to a voice vLAN can access
another vLAN on the same network.
How Can Flanagan Consulting Help You?
We understand not only the technology of
networks, but also
the surrounding business processes:
preparation/analysis, statements of work,
consensus building around a solution, and more.
Find out now: call +1.703.242.8381
or email Bill@Flanagan-Consulting.com
Flanagan Consulting Supports Litigation Professionals
Several associates are experienced in analysis of patents,
contracts, and other intellectual property related to IT
We have assisted attorneys preparing claims, depositions,
How can we help you? Queries to +1.703.242.8381.
We Know Hard Drive File Recovery
Through bitter experience we learned how to apply several
powerful software tools
to the problem of recovering files from a hard drive when
the partition table disappears.
If you have a similar problem with a SATA or IDE drive,
particularly on a Linux system,
we can help. Contact us for information.
...to reach over two thousand interesting people in Telecom and
For details, call the Publisher at +1.703.855.0191
NEW BOOK ALMOST READY
VoIP and Unified
Telephony and the future Voice Network
Wiley Interscience, part of Wiley & Sons, should publish my sixth
book in February 2012. For the list of previous books see the
Publications page on the web site. Together, those five titles
have sold over 70,000 copies. Hope you like this one too.
I'll let you know when it's out and where you read an excerpt.
Responses to ViewsLetter and Subscriptions
Mail is welcome when addressed to firstname.lastname@example.org
for supporting ViewsLetter to www.Webtorials.com
your best source for communications tutorials and white papers.
|In Converged Networking
We Have the Experience
3800 Concorde Parkway, Suite 1500, Chantilly, VA USA
Ph: +1.703.242.8381 Fx: +1.703.242.8391
Flanagan Consulting is a Service Mark of W. A. Flanagan, Inc.
"Beware of false knowledge; it is more dangerous than ignorance."
--George Bernard Shaw