Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1 NG 9-1-1 security: What is a BCF.

Slides:

Advertisements

Similar presentations

Computer Networks TCP/IP Protocol Suite.

Advertisements

The leader in session border control for trusted, first class interactive communications.

IMS and Security Sri Ramachandran NexTone. 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle.

Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.

Colombo, Sri Lanka, 7-10 April 2009 Preferential Telecommunications Service Access Networks Lakshmi Raman, Senior Staff Engineer Intellectual Ventures.

Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation

SIP Trunking A VASP Perspective Thomas Roel Convergence Sales Engineer

Addressing Security Issues IT Expo East Addressing Security Issues Unified Communications SIP Communications in a UC Environment.

Johan Garcia Karlstads Universitet Datavetenskap 1 Datakommunikation II Signaling/Voice over IP / SIP Based on material from Henning Schulzrinne, Columbia.

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 12 of the corporate.

CANTO – 2006 Information Security and Voice over IP (VoIP) Robert Potvin, CISSP VP - Strategic Consulting June 21st, 2006.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Your customer as a segment of one That changes every second! Hein Van Der Merwe Chief.

SIP Explained Gary Audin Delphi, Inc. Sponsored by

NENA 2008 Breakout Session Template

Internet of Things Security Architecture

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.

What Makes It Work? A Panel Discussion on Next Generation 9-1-1

Solutions for SIP The SIP enabler We enable SIP communication for business What the E-SBC can do for you.

A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.

Securing Unified Communications Mor Hezi VP Unified Communications AudioCodes.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.

Applied Cryptography for Network Security

The Safe Harbor The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated.

Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen Dr. Mark Stamp SJSU - CS 265 Spring 2003 STEM is proposed as a solution to network vulnerabilities,

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. JD Edwards Summit The Newest JDE Module – Rental Management Joel Sandberg Sales Consultant.

IT Expo SECURITY Scott Beer Director, Product Support Ingate

VoIP Security Assessment Service Mark D. Collier Chief Technology Officer

Getting Started with Oracle Compute Cloud

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

Session Initiation Protocol (SIP). Features of SIP SIP is a lightweight, transport-independent, text-based protocol. SIP has the following features: SIP.

UC Security with Microsoft Office Communication Server R1/R2 FRHACK Sept 8, 2009 Abhijeet Hatekar Vulnerability Research Engineer.

NG911 technology Henning Schulzrinne

Shared success Outline What is network security? Why do we need security? Who is vulnerable? Common security attacks and countermeasures. How to secure.

A New IMS-Like Architecture for Enterprise Applications Reid Stidolph Master Principle Solutions Architect Communications Global Business Unit October.

Oracle Contact Center Anywhere: Go To Market - Positioning James Owens – BDM, Specialist Sales APAC.

Vulnerabilities and Safeguards in Networks with QoS Support Dr. Sonia Fahmy CS Dept., Purdue University.

June 2006 Roles of Session Border Controllers in IMS Networks CANTO - June 2006.

FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.

VoIP Security in Service Provider Environment Bogdan Materna Chief Technology Officer Yariba Systems.

1Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 8 Contract Management.

1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.

Draft-rosen-ecrit-emergency- framework-00 Brian Rosen NeuStar CPa

Sridhar Ramachandran Chief Technology Officer Core Session Controller.

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

Design and implementation of SIP-aware DDoS attack detection system By: Arif Iqbal.

1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.

Topic 1 – Introduction Huiqun Yu Information Security Principles & Applications.

SIP Trunking As a Managed Service Why an E-SBC Matters By: Alon Cohen, CTO Phone.com.

SIP-H.323 Interworking Group RRR-1 IETF-48 SIP-H.323 Interworking Requirements draft-agrawal-sip-h323-interworking-reqs-00.txt Hemant.

To Rent or Buy the IP PBX? Maybe it’s Both…. Building a VoIP Solution That Enables Both.

9-1-1 ASSOCIATION - STEPS COMMITTEE 1/3/2013 NG9-1-1 TECHNOLOGY & PROCESS.

1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.

Travel and Transportation General Session and Industry Excellence Awards Vijay Anand, Oracle Sundar Swaminathan, Oracle September 30, 2014 Copyright ©

Copyright 2013 FairPoint Communications Network safety and security – Protecting your communications resources Karen Romano, Vice President, Government.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | 5 Lifehacks for the Apex Development environment Five frameworks you should use.

Network Security SUBMITTED BY:- HARENDRA KUMAR IT-3 RD YR. 1.

Comparison of Network Attacks COSC 356 Kyler Rhoades.

1Security for Service Providers – Dave Gladwin – Newport Networks – SIP ’04 – 22-Jan-04 Security for Service Providers Protecting Service Infrastructure.

VoIP ALLPPT.com _ Free PowerPoint Templates, Diagrams and Charts.

CompTIA Security+ Study Guide (SY0-401)

IP-NNI Joint Task Force Status Update

IP-NNI Joint Task Force Status Update

CompTIA Security+ Study Guide (SY0-401)

OpenWorld 2018 Oracle API Platform: How to Manage Typical Workflows

Presentation transcript:

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1 NG security: What is a BCF

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 2 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracles products remains at the sole discretion of Oracle.

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 3 Topics What are the features/functions of a BCF? What does it mean to provide a highly available BCF? How should the BCF handle overload? What could DDoS and TDoS do to the ESInet? Where does NENA place the BCF into the i3 architecture? Interoperability: Isnt SIP a standard?

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 4 Abstract The BCF (Border Control Function) is an important functional element of the NENA i3 Solution architecture because it provides the first line of defense against deliberate attacks and organic events on the Emergency Services Internet (ESInet.) It is expected that Public Safety Answering Points (PSAPs) will provide a BCF between their internal networks and the ESInet. The BCF is intended to provide secure entry into the ESInet for ingress emergency calls. This Functional Element ensures the smooth processing of emergency calls/sessions, including signaling protocol normalization and interworking, codec negotiation, support for QoS/priority markings, media proxy, and more. As such, there are some baseline, minimum features and functions that are required to effectively ensure the smooth, secure operation of NG9-1-1 networks.

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 5 Background National Emergency Number Association (NENA) - Sets standards for emergency calls in North America Next Generation 911 (NG911) project - Complete overhaul of current 911 system -Initial version of the technical standards known as i3

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 6 What is NG 9-1-1? IP-based replacement for E911 features & functions - Supporting all sources of emergency access to appropriate public safety agencies - Operating on managed, multipurpose IP-based session delivery networks - Providing expanded multimedia data capabilities for PSAPs and other emergency communications entities

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 7 IP-based services are easy targets IP networks are inherently insecure - Developed without security in mind Organizations rely on IP networks - Multimodal communications difficult to control (BYOD) Confidential information freely exchanged by users that dont understand how it is transmitted

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 8 What are the risks/vulnerabilities? 8 Toll fraud, fuzzing, message floods, session hijacking, eavesdropping, MITM call modification, media injection Buffer overflows, malware, D/DoS, bugs, configuration issues Resource exhaustion, account manipulation, service poisoning UDP/TCP floods, ICMP vectors, fuzzing, D/DoS Physical access compromise, reboot Weak passwords, abuse of services, oversharing, pretexting

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 9 Threat landscape

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 10 Denial of Service Many platforms dont perform well in flooding scenarios They either have a flawed architecture or all attacks are presented to CPU, reducing resources available for system/applications (e.g., SIP) In our experience and field validation, a simple TCP SYN attack or INVITE flood is enough to take down many devices hping3 -S --rand-source --flood -p 5060 inviteflood eth0 Reduced feature good enough SBCs work great …until you are under attack! Reduced feature good enough SBCs work great …until you are under attack!

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 11 Wasnt TDM safer? Eavesdropping, media injection, and caller impersonation is as easy as hooking up a linemans test set or butt set to wire pairs. Toll Fraud can be as easy as an open auth code on your PBX or dial-out of voic Physical attacks are always great for DoS, regardless of technology

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 12 What to do? Border Control Function (BCF) Sits between external networks and the ESInet and between the ESInet and agency networks - All traffic from external networks transits a BCF - Acts as a demarc Comprises several distinct elements pertaining to network edge control and SIP message handling Border Firewall - Access control - Protect from attacks Session Border Control - Prevention - Detection - Reaction

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 13 BCF: features Border firewall Session border control - Signaling B2BUA - Media anchoring Denial of service - Detection/protection Topology hiding Signaling normalization NAPT traversal IPv4/v6 interworking Admission control Encryption anchoring

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 14 SBC – Session Border Controller Already protecting live global real-time IP networks Functional element of BCF - DOS/DDOS protection, overload, resource admission control - SIP normalization/interoperability - Resolving NAT issues - Opening/closing pinholes - B2BUA/topology hiding - IPv4-IPv6 interworking - VPN bridging - Transport and encryption - QoS marking, priority, reporting - Call detail records - Transcoding - Much, much more

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 15 Additional features of BCF/SBC Routing and session management - Time-of-day, day-of-week - Cost, carrier - QoS - External policy Normalization - User-configurable Codec management - Stripping, reordering QoS marking Reporting

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 16 High availability – vendor dependent May be limited to media only and not call control or configuration - What good is a call that cant be put on hold, hung up or transferred? - Whats the use if post-failover route treatment may be different? Many cases takes several seconds to fail over all sessions - Which leads to users hanging up May use a network carrying traffic for state replication vs. dedicated links - Leading to loss in peak periods Loses CDR info for established calls First Class HA: Hitless failover Media, session, configuration sync Retention of critical call data Dedicated, redundant HA com links

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 17 Placement of BCF in i3, per NENA