VoIP Network Security

Greetings to all. The network has already written a lot of articles that SBC protects the VoIP network and prevents theft of traffic, repels DoS / DDoS attacks and ensures the full security of VoIP services. But very little is written about what attacks in reality are in the world of VoIP and SIP, and which technologies provide security. In this article I tried to describe what attacks are in the world of VoIP, what is their peculiarity, what is their difference from ordinary network attacks and how does AudioCodes SBC prevent these attacks and provide the very protection that everyone writes about.

To begin with, we define two basic SBC configurations:

1. SIP Trunk - the most common use of SBC when it is used to connect to SIP operators over an IP network
2. Registration - use of SBC to connect remote subscribers to an IP PBX (for example Asterisk) from the Internet.

From a security point of view, they are very different, since in the first case, you know from where the call comes in (although not always, but more on that later). In the second case, you initially do not know from where the registration and call can come. All my examples will further refer to these two SBC connection options (SIP).
Security settings should be made with the simplest things, namely:

1. Configure the management interface only on the internal network, preferably separately from the alarm. The network roles of interfaces on AudioCodes SBC have several meanings. To manage the SBC, an interface with the OAMP role is used. This interface should be in the internal network, and ideally (especially for large companies, where the attack can occur from within the company) in a dedicated subnet that has nothing to do with the VoIP network.
2. If possible, use non-standard ports. This is especially true for corporate networks, as telecom operators are forced to inform about the ports to connect their customers, and to find out by what address and port the operator is not a problem. If we talk about a corporate network, then information about addresses and ports is not published anywhere, so the option to find them out is to check the port with a message, or just listen to this address. In most cases, fraudsters who break into the VoIP network begin by simply sending a test SIP message to a large number of addresses and waiting for a response. If the answer is received, then they will begin to break the system. If you use a non-standard SIP port 5060 for SIP, this will at least reduce the likelihood that your SIP address will be found. AudioCodes SBC allows you to use any port in the direction of the Internet, and the port may be different from the port that is used within the network. SIP ports on which SBC works are configured in the SIP Interface table. It is also important to configure only the protocol on which you plan to work (UDP / TCP / TLS). If the port is not used, then simply leave the value “0”, in this case this port will not work on this SIP interface.
3. For SIP Trunk configuration, if possible, you need to configure a Level 3 Firewall and leave only those addresses from which SIP messages and RTP traffic can access to the SBC. These settings are made in the menu: (Configuration tab> VoIP menu> Security> Firewall Settings). But there are several points that must be taken into account when setting up:
   
   • In most cases, SIP Trunk is configured not to an IP address, but to a domain name. Thus, do not forget to open the port on the DNS server that is used for the public Internet, otherwise the SBC simply will not find the server address.
   • If the joint goes with a large operator, or a large system, then it is not always possible to correctly determine the IP address / addresses. This is due to the fact that operators use several systems that operate under the same name. Moreover, IP addresses there can both be deleted and added, and this may be the reason that either all calls will stop working at some point, or part of the calls.
   Thus, the use of a standard Firewall is desirable, but it should be used carefully and wisely, so as not to harm the telephony service.
4. Next, you need to configure Call Admission Control - call control. These are various restrictions for both calls and SIP messages. Here the values ​​for different SBC configurations (SIP Trunk and Registration) will be different.
   
   • Simultaneous sessions. Be sure to limit the number of simultaneous connections. If we talk about a SIP trunk, then the number of sessions per operator should be no more than the number of sessions you buy from him. Theoretically, the operator should block a greater number of sessions, but here it is worthwhile to approach this issue on the principle “it is better to trust, but check additionally at home”. If we talk about connecting users via the Internet (Registration configuration), then it should be limited rather strictly to 1, maximum 2 simultaneous calls. 2 calls are sometimes required in order to be able to transfer calls. Although at the same time, a call transfer can be used by an attacker as an additional “hole” in the system. So, with this setting, the call can enter the system, then be transferred to where it is needed, after that you can set up the second call and also transfer it.
   • For SIP Trunk, it is also worth setting a limit on the growth of voice traffic. If you use a fairly large VoIP connection, then it becomes more difficult to control, and it is rather difficult to determine the surge in growth. One of the mechanisms is limiting sessions per second of each direction. If we talk about the configuration with registration, this is especially important for limiting the number of registration attempts per second, when an attacker tries to pick up a password, then he starts sending a large number of SIP Register messages, limiting the number of registrations per second, this process makes it very difficult for an attacker .
   
   On AudioCodes SBC, you can configure Call Admission Control both to the entire system, as well as to individual destinations or individual SIP interfaces. And for remote subscribers, you can configure restrictions for an individual user. Call Admission Control is configured as: (Configuration tab> VoIP menu> SBC> Admission Control)
5. The next step to configure security is to configure routing. When setting up routing, you need to carefully look at the number format that is used for routing. Small prefixes, * characters, and any general rules should be avoided. Use the number format more often with a given number length value. Call routing should be the most detailed, so that the call can be made only to the numbers you need and from certain numbers. This is a fairly simple rule, which, unfortunately, many people forget.
6. Another important setting is the message qualification to ensure that the message meets certain requirements. As a simple example, I can give the following. As a corporate standard, the company uses software clients for sipphone smartphones (as an example). They use the user-agent field in the following format: “User-Agent: sipphone-version-9.99”. On SBC, in this case, we need to configure that we accept registrations and calls, only from those devices whose user-agent field contains (sipphone-version -) (. *). So, you can set a sufficiently large number of rules that will identify the device accurately enough and the attacker will need to spend quite a lot of time to find the correct format of the SIP message that you use.
7. In any company (especially from a telecom operator), traffic theft is carried out by the banal password theft (human factor). Having access parameters and a login with a password, it is possible to easily and easily hack the network and generate traffic where required. As protection, you can use separate logins / passwords on SIP phones that are not communicated to employees. But unfortunately, this is not always possible, for various reasons. For example, operators provide a login / password to access their own soft switch so that a customer can register using any device. In order to further secure your IP telephony network, AudioCodes is configured with a separate list of users with their own separate passwords. This makes it possible to reduce the influence of the human factor, since knowledge of the password for registration from inside the network does not allow registering from the outside with the same password, and controlling the passwords from the outside can be made more difficult, for example, setting up smartphones only by the IT department. For telecom operators, this decision is made using RestAPI, but this topic is a separate article. Also, it allows to provide access from the outside only by the user who is in the SBC database.
8. One of the ways to attack (although rare) is to send incorrect SIP messages to your device. This is done in order to disable your IP PBX, as there is a chance that when processing such a message, the IP PBX may not correctly perceive this message and either fail or not work correctly. To prevent such messages, the Message Policy Table is configured on the AudioCodes SBC (Configuration tab> VoIP> SIP Definitions> Message Policy Table). In this table, you can describe various parameters of a SIP message, in which the message will be considered correct or not, for example: Maximum message length, maximum header length, maximum body length of the element, maximum number of headers. It is also possible to define those methods of SIP messages that are allowed or not allowed (INVITE \ BYE \ REFER and others). All this allows you to check in detail the SIP for correctness and send to the IP-PBX / soft switch only those messages that will be correctly perceived by them.
   
   
9. Hiding topology. One of the tasks of SBC is to completely hide the topology of the customer’s network, and not just the IP addresses, but everything that can produce at least some internal infrastructure. There is no special tick to hide the topology on the SBC, since the IP-PBX has the right to use any type of fields and use information about itself in them. Thus, the only effective way to hide the topology is the analysis of messages and its further transformation using SIP Manipulation Rules. How these rules work, I wrote earlier in the article: habrahabr.ru/company/audiocodes/blog/253015
10. Restriction of outgoing calls. As is known, an attack can occur both from outside and from the internal network of an enterprise. This means that it is necessary to limit not only from the outside, but also with outgoing traffic. Namely, as I wrote earlier, you first need to avoid common routing plans and configure routing only where it is needed. But not a few important aspect, also, is the verification of the number of the caller. For example, allow calls only from internal numbers of employees, and if the number does not match the internal number, then the call is simply repulsed. On AudioCodes SBC, there are several options for verifying these numbers: make the appropriate qualification rules for incoming numbers, or specify possible prefixes of internal numbers when writing routing rules. Another way that might be of interest to the corporate environment is through LDAP checks. That is, each call is checked by LDAP to see if there is such a number in the organization or not. Moreover, policy restrictions can be made in the same way. For example, if a user is in the group for working with European partners, then he is allowed to call to European numbers, if not, then not allowed. This rule is well applied in those organizations when the company's PBX does not support policies, or when a company has several PBXs where policies need to be merged into one. Also, it makes sense to make certain restrictions (for example, only on internal or local calls) for subscribers who are connected through a public network.
    

All the above rules are relevant primarily to protect your IP telephony infrastructure from traffic theft and are basic settings that directly or indirectly ensure your safety. But to protect against DoS / DDoS attacks, another mechanism is used, which is called IDS (Intrusion Detect System) - AudioCodes Mediant SBC function, which detects attacks according to pre-configured criteria and reacts to these attacks accordingly, depending on the setting. Reaction options can be different: sending SNMP Trap to the server monitoring information about the attack, and depending on the threshold value, the error can be Minor, Major or Critical; blocking directions for a specific time. These thresholds and actions are configured in the IDS Rule Table. Let us examine in more detail what can be configured here. The first thing that needs to be set up is the type of message to which an action should be taken. There are the following options:

• Connection abuse - problems with TLS authentication
• Malformed message is not a valid SIP message. SBC checks messages for correctness with the SIP standard as well as for set values, such as: maximum message length, SIP Message Policy Rules compliance.
• Authentication failure - Error checking authentication, registration, or when establishing a connection
• Dialog establish failure - Error while establishing a dialog (for example, a connection). This may be a problem with the qualification of the message, problems with routing or any other local errors.
• Abnormal flow is not a correct dialogue. Any answers that are not relevant to the existing dialogue. Requests not related to users.

Next are the settings for the time during which we collect these values ​​and thresholds, upon reaching which certain triggers are triggered during the configured time: sending SNMP Trap alarm (Minor, Major or Critical); blocking addresses from which these messages come (attack). If we are talking about blocking, then the number of seconds for which this address is blocked is also indicated here.
As an example of using this rule - with more than 2 unsuccessful registrations within 5 seconds, the IP address is being blocked, from which an attempt is made to select passwords with a warning that an attack is taking place. Thus, we minimize the chance for an attacker to pick a password by brute force. But, when using these rules, you should be very careful, because with excessive protection, you may encounter a situation where a correctly working direction can be blocked.
In any case, each installation is kind of unique, and somewhere you need to use some rules, somewhere else. That is why there is no universal scheme for protecting VoIP networks, and each time it is required to analyze business requirements and to adjust the system to business requirements, both security and functionality. Our task is to provide the maximum number of opportunities to provide a secure connection, so that we can provide a secure and reliable connection for any type of connection.
To summarize what was written above, I would like to note that the number of VoIP attacks in the world is only growing, along with the number of VoIP connections. Moreover, operators increase the volume of VoIP traffic, and it is becoming more and more difficult for the operator to control it. All this leads to the fact that VoIP security becomes an important component of any company that switches to Voice over IP. And here SBC plays an important role in ensuring secure connection to SIP operators, especially through the public network. And if we talk about connecting SIP phones to IP PBXs, then SBC becomes just a necessary component, since most of the system hacks occur through this type of connection.
Periodically, I hear that the SBC is the right and necessary device, but it is too expensive and is intended for telecom operators, or for large enterprises. Our SBC is oriented for a different type of business, and can be a budget solution, starting from 5 simultaneous connections and ending with a carrier-class solution. Thus, SBC becomes available equipment even for a small company. At the same time, the functionality of the small SBC does not differ from the high-performance SBC

Well, in the end, I wish you a safe, reliable and high-quality use of the full potential of your IP telephony!