All IP with Cisco: Security Building Blocks with Cisco Unified Border Element

Ralf Kuschel, Mehmet Solak
Systems Engineer(s), Deutsche Telekom Account Team @ Cisco
April 2018

CUBE on the Deutschland LAN SIP Trunk

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Questions from the Field

[Diagram: CUCM - SIP - CUBE / xDSL router - SIP (1TR118) - DT Internet / NGN - PSTN; private IP on the inside, public IP on the outside]

• Can the customer use the CUBE functions and the Internet connection on the same router?
• Can the connection be used exclusively for voice?
• How can the CUBE router be secured on VDSL / ADSL?
• Can a firewall be installed in front of it?
• Can a firewall be installed behind it?
• Can the CUBE be installed behind another Internet router with NAT?
• Which security features does CUBE offer at the application layer for voice?
Why a Session Border Controller?

Security
• Network topology hiding
• NAT (L3 level)
• Voice application firewall
• TDoS
• Access control
• Inspection and monitoring
• Encryption
• TLS/SRTP

Interop
• Protocol interworking
• SIP<->H323
• SIP<->SIP
• Media interworking
• Transcoding
• Translating
• Media services
• Call recording
• MOH

Session Control
• Call Admission Control
• Bandwidth & platform allocation
• Load balancing

Resiliency
• SIP trunk load balancing
• Connectivity to more than one SIP trunk
• Service provider geo redundancy
• Local PSTN breakout
• High availability
Five Layers of Security in CUBE

[Diagram, top to bottom:]
• External security policy
• Application layer: dial-peer matching
• Application layer: voice trust list
• Application layer: TCP & UDP mechanisms
• Network layer: access control lists
CUBE Voice Security Protection per Design Specs

[Diagram: CUBE design layers from ingress to egress. Ingress interface, hardware LAN/WAN interfaces, egress interface; IOS infrastructure (ACLs, FW, IPS, VPN); TCP / UDP / TLS; SIP/H.323 protocol stack and RTP library on each side; DSP API and DSP hardware; transcoding control; DTMF translation; dial-peers; voice application code with L7 protocol-independent memory structures holding call state and attributes (CLID, called number, codec, ...); separate signaling and media paths.]

Protections by threat class:
• DoS: B2BUA (L7 inspection), call volume/bandwidth limiting (CAC), call codec limiting, SIP malformed inspection, SIP listen port configuration, codec filtering, RTP malformed inspection, co-resident IOS: ACLs, FW, IPS
• Identity / service theft: SIP digest authentication, SIP hostname validation, SIP trunk register
• Toll fraud: co-resident IOS: ACLs, COR
• Privacy: SIP header manipulation, topology hiding, authentication and encryption of media (SRTP) and of signaling (TLS), co-resident IOS: all VPN features
SIP Trunks and Firewall Design Scenarios
CUBE & External Firewall Deployment Scenarios

• #1 No firewall, CUBE only: PBX - CUBE router - SIP trunk
• #2 F/W between CUBE and the rest of the enterprise UC network: PBX - FW - CUBE router - SIP trunk
• #3 F/W between CUBE and SP: PBX - CUBE router - router & FW - SIP trunk
• #4 F/W on either side of CUBE: PBX - FW - CUBE router - router & FW - SIP trunk
Firewall: General Guidelines with ALL-IP SIP Trunks
• #1, #2: CUBE has a public IP address and must be protected by CUBE's own mechanisms
• #3, #4: CUBE sits behind a firewall or NAT router
• The DT SIP trunk platform detects that CUBE is behind a NAT router
• The NAT router should support SIP ALG
• External firewall: NAT pinholes and firewall rules should be opened and closed dynamically
• SIP ports: TCP 5060, TCP 5061 (TLS)
• Media ports: 1025 - 65,536
ACLs for WAN Interfaces to Permit Only SIP, RTP and DNS
Possible rules for scenarios #1 and #2:

ip access-list extended FROM-DT-TO-CUBE
 permit tcp 217.0.0.0 0.0.255.255 eq 5060 any             ! SIP signaling
 permit tcp 217.0.0.0 0.0.255.255 eq 5061 any             ! SIP signaling (TLS)
 permit tcp any any established
 deny tcp any any
 permit udp 217.0.0.0 0.0.255.255 range 1025 65525 any    ! RTP port range
 permit udp host 217.0.43.33 eq domain any                ! DT DNS server
 permit udp host 217.0.43.17 eq domain any                ! DT DNS server
 deny udp any any
 deny ip any any
!
interface Dialer0
 ....
 ip access-group FROM-DT-TO-CUBE in
 ....
CUBE Security Features

Topology/Address Hiding

[Diagram: enterprise LAN 192.168.10.0/24 - CUBE (inside / outside) - IP WAN - service provider; inside addresses 192.168.10.12, 192.168.10.1; outside addresses 80.107.214.21, 217.55.66.77.88]

• Requirements
  • Maintain connectivity without exposing the IP network details
  • B2BUA provides complete topology hiding on signaling and media
  • Maintains security and operational independence of both networks
  • Provides implicit NAT service by substituting Cisco Unified Border Element IP addresses on all traffic
Voice IP Trust List for SIP Signaling

1. Enable the CUBE application

voice service voip
 mode border-element license capacity 20
 allow-connections sip to sip

• The license count entered here is not enforced, but this CLI is required to see "show cube" CLI output
• By default, IOS/IOS-XE voice devices do not allow an incoming VoIP leg to go out as VoIP

2. Create a trusted list of IP addresses to prevent toll fraud

voice service voip
 ip address trusted list
  ipv4 217.0.0.0 255.255.0.0     ! SP SIP trunk address or range
  ipv4 10.10.1.10 255.255.255.0  ! CUCM
 sip
  silent-discard untrusted

• Toll fraud prevention: applications that initiate signaling towards CUBE, e.g. CUCM or the service provider's SBC, are listed here. IP addresses from dial-peers with "session target ip" or a server group are trusted by default and need not be listed
• silent-discard untrusted is the default configuration starting with XE 3.10.1 / 15.3(3)M1 to mitigate TDoS attacks
Close Unused Session Transport Mechanisms and Protocols
• Close unused H.323/SIP ports and transport mechanisms
• By default these ports are open when a voice-enabled software load is deployed on the router (either as a PRI gateway or Cisco UBE)

sip-ua
 no transport udp
!
voice service voip
 h323
  call service stop
SIP Registration/Digest Authentication

• SIP registration: a method to uniquely identify the customer by phone number and username
  • registrar dns:sip-trunk.telekom.de expires 240 tcp auth-realm sip-trunk.telekom.de
  • credentials number +4922XXYYZZ username 55155667788 password 7 XXYYZZBBAACC realm sip-trunk.telekom.de
• SIP digest authentication: a method to authenticate the customer by a password
  • authentication username 55155667788 password 7 XXYYZZBBAACC realm sip-trunk.telekom.de
SIP Listening Port Protection

• Default listen ports are 5060 (UDP/TCP) and 5061 (TLS)
• These ports are well known and are targets for attacks
• The listen ports can be changed from the well-known ports to other ports
• Does not apply to ALL-IP SIP trunks, since ALL-IP requires 5060 / 5061
• Generally applicable to private SIP trunks

voice service voip
 sip
  listen-port non-secure 2000 secure 2050
Call Admission Control at the edge...
CUBE provides various CAC mechanisms to safeguard your network from SIP based attacks and to enforce policies based on:
• Total calls
• CPU & memory
• Call spike detection
• Maximum connections per destination
• Dial-peer or interface bandwidth

Total calls, CPU, memory (high water mark / low water mark):
call threshold global [total/mem/cpu] calls low xx high yy
call treatment on

Call spike detection (if a call spike is detected, reject calls):
call spike call-number [steps number-of-steps size milliseconds]
call spike 10 steps 5 size 200

Max calls per destination (call #3 rejected by CUBE):
dial-peer voice 1 voip
 max-conn 2

Max bandwidth based (call #1, #2 and #3 at 80 Kbps each; call #3 rejected by CUBE):
dial-peer voice 1 voip
 max-bandwidth 160
Call Admission Control Based on Total Calls, CPU and Memory Usage
• CUBE provides various CAC mechanisms – based on total calls, CPU utilization & memory utilization (high water mark / low water mark)

Configuration on CUBE
Step 1: Set the threshold for total calls
call threshold global total-calls low <low-threshold> high <high-threshold>
! call threshold global total-calls low 20 high 24
! The call threshold global total-calls command controls the total number of calls to be
! supported on the CUBE. The command tracks the number of calls, rejecting the 25th call
! and not accepting calls again until the total number of calls falls below 20

Set the threshold for total memory
call threshold global total-mem low <low-threshold> high <high-threshold>

Set the threshold for CPU usage (average or last 5 seconds)
call threshold global cpu-5sec low <low-threshold> high <high-threshold>
OR
call threshold global cpu-avg low <low-threshold> high <high-threshold>
Call Admission Control Based on Total Calls, CPU and Memory Usage

Configuration on CUBE

Step 2: Enable the call treatment using:
call treatment on

Enter the call treatment cause-code:
call treatment cause-code ?
  busy         Insert cause code indicating the GW is busy (17)
  no-QoS       Insert cause code indicating the GW cant provide QoS (49)
  no-resource  Insert cause code indicating the GW has no resource (47)

Step 3: Call treatment options
call treatment action ?
  hairpin  Hairpin
  playmsg  Play the selected message
  reject   Disconnect the call and pass down cause code
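A Python model of the total-calls threshold described in steps 1 to 3, added here as an illustration; it is not Cisco code and reduces the IOS behaviour to the high/low water-mark rule the slide states ("call treatment cause-code no-resource" is assumed for the rejected calls).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Cause codes as listed by "call treatment cause-code ?" on the slide.
CAUSE_CODES = {"busy": 17, "no-QoS": 49, "no-resource": 47}


@dataclass
class TotalCallsThreshold:
    """Model of 'call threshold global total-calls low L high H' with
    'call treatment on': once the active-call count reaches the high mark,
    new calls are rejected until the count has fallen below the low mark."""
    low: int
    high: int
    cause: str = "no-resource"     # assumed 'call treatment cause-code'
    active: int = 0
    busy: bool = False             # set at the high mark, cleared below low
    rejected: int = 0

    def offer(self) -> Tuple[bool, Optional[int]]:
        """Offer one new call; returns (accepted, cause_code_if_rejected)."""
        if self.busy or self.active >= self.high:
            self.rejected += 1
            return False, CAUSE_CODES[self.cause]
        self.active += 1
        if self.active >= self.high:     # high water mark reached
            self.busy = True
        return True, None

    def release(self) -> None:
        """An active call ends; admission resumes only below the low mark."""
        self.active = max(0, self.active - 1)
        if self.busy and self.active < self.low:
            self.busy = False


def walk_through(low: int = 20, high: int = 24) -> Dict[str, object]:
    """Replay the slide's scenario (low 20, high 24): offer 25 calls, then
    release calls one at a time until CUBE admits calls again."""
    cac = TotalCallsThreshold(low=low, high=high)
    verdicts = [cac.offer()[0] for _ in range(25)]
    first_rejected = verdicts.index(False) + 1        # 1-based call number
    cause = cac.offer()[1]                            # still rejected
    releases = 0
    while cac.busy:
        cac.release()
        releases += 1
    return {"first_rejected": first_rejected, "cause": cause,
            "releases_until_open": releases, "active_when_open": cac.active,
            "accepted_after_open": cac.offer()[0]}


if __name__ == "__main__":
    print(walk_through())
```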

Call Admission Control Based on Call Spikes
• Call spike CAC monitors the call arrival rate over a moving window of time; calls exceeding the configured rate threshold are rejected
• Protection against unexpected high call volumes and INVITE-based DoS attacks
• Can be configured globally or on a per dial-peer level
• An error code is sent when a call spike occurs
• This error code is also configurable globally or on a per dial-peer level

[Diagram: call spike detection on CUBE; if a call spike is detected, reject calls]
Call Admission Control Based on Call Spikes
Configuration on CUBE
call spike call-number [steps number-of-steps size milliseconds]

Example (SIP SP A - CUBE; if a call spike is detected, reject calls):
call spike 10 steps 5 size 200
• 10 calls accepted during the most recent window
• The most recent window is 1 second (5 x 200 ms)
• The window moves on every 200 ms

Call arrivals per 200 ms step: 2, 2, 2, 2, 2, 3, 1, 4
• Window over steps 1-5: 10 calls; all accepted
• Window over steps 2-6: 11 calls; 10 accepted, 1 rejected
• Window over steps 3-7: 10 calls; all accepted
• Window over steps 4-8: 12 calls; 10 accepted, 2 rejected
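The arithmetic above replayed with an added Python model of the moving window. This is not Cisco's implementation; the assumption that a rejected arrival still counts within later windows is taken from the slide's totals (steps 3-7 show 10 calls).

```python
from collections import deque
from typing import Deque, List, Tuple


class CallSpikeDetector:
    """Sliding-window model of 'call spike call-number [steps N size MS]':
    at most call_number arrivals within the most recent N x MS milliseconds."""

    def __init__(self, call_number: int, steps: int, size_ms: int):
        self.call_number = call_number
        self.window_ms = steps * size_ms
        self.arrivals: Deque[int] = deque()   # arrival times (ms) in the window

    def arrive(self, t_ms: int) -> bool:
        """Register a call arriving at t_ms; returns True if it is admitted."""
        # Age out arrivals that have left the moving window.
        while self.arrivals and t_ms - self.arrivals[0] >= self.window_ms:
            self.arrivals.popleft()
        self.arrivals.append(t_ms)            # counted whether admitted or not
        return len(self.arrivals) <= self.call_number


def replay(arrivals_per_step: List[int], call_number: int = 10,
           steps: int = 5, size_ms: int = 200) -> List[Tuple[int, int]]:
    """Feed per-step arrival counts through the detector and return
    (accepted, rejected) for each step."""
    det = CallSpikeDetector(call_number, steps, size_ms)
    out = []
    for step, n in enumerate(arrivals_per_step):
        t = step * size_ms                    # all calls of a step arrive together
        accepted = sum(det.arrive(t) for _ in range(n))
        out.append((accepted, n - accepted))
    return out


# Constructed input: the arrival pattern printed on the slide.
SLIDE_ARRIVALS = [2, 2, 2, 2, 2, 3, 1, 4]

if __name__ == "__main__":
    for step, (acc, rej) in enumerate(replay(SLIDE_ARRIVALS), start=1):
        print(f"step {step}: {acc} accepted, {rej} rejected")
```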

Call Admission Control Based on Bandwidth
• Bandwidth based CAC provides a mechanism to limit the number of SIP calls based on an aggregate media bandwidth limit at either:
  • dial-peer level, or
  • interface level
• Provides the ability to configure the SIP error response code for calls rejected by this feature
• Examples:

Call #1 – 80 Kbps, call #2 – 80 Kbps, call #3 – 80 Kbps with max-bandwidth 160: call #3 rejected by CUBE

At dial-peer level:
dial-peer voice 1 voip
 destination-pattern 2...
 max-bandwidth 160
 session protocol sipv2
 session target ipv4:9.44.44.9:6080

At interface level:
call threshold interface GigabitEthernet0/0 int-bandwidth low 120 high 160
CUBE Dial-Peer Configuration
Outbound dial-peer from CUBE to the ALL-IP SIP trunk

dial-peer voice 2001 voip
 description ***Outbound PSTN DIAL-PEER***
 huntstop                          ! avoid call loops
 session protocol sipv2
 session target sip-server
 destination e164-pattern-map 2000
 voice-class codec 1
 voice-class sip profiles 2000
 voice-class sip tenant 2000
 ip qos dscp cs6 signaling
 clid strip name
 no vad
!
CUBE Dial-Peer Configuration
Inbound dial-peer from CUBE to the ALL-IP SIP trunk

!
dial-peer voice 2002 voip
 description ***inbound PSTN DIAL-PEER***
 session protocol sipv2
 destination dpg 2002
 incoming called-number +492284335329.T   ! if possible, do not configure incoming called-number .T
 voice-class codec 1
 voice-class sip profiles 5000
 voice-class sip tenant 2000
 dtmf-relay rtp-nte
 fax-relay ecm disable
 fax rate 14400
 ip qos dscp cs6 signaling
 clid strip name
 no vad
!
RTP Port Range and Phantom Packets
• A phantom packet is a valid RTP packet meant for the CUBE or voice TDM gateway without an existing signaling session
• When a phantom packet is received by the VoIP RTP layers of the gateways, the packet is punted to the UDP process to check whether any other application needs it, which causes performance issues
• A malicious attacker can also send a large number of phantom/rogue packets to impact the CPU
• Configure the VoIP port range for phantom packets. If a phantom packet is received on a configured port, the VoIP RTP layer can safely drop the packet. If a phantom packet is received on any other port, the VoIP RTP layer punts the packet to the UDP process.
• The RTP port range on ISR G2 is from 16K to 32K, and from 8K to 48K on ISR 4K, ASR1K and vCUBE

voice service voip
 !
 media-address range 192.168.10.1 192.168.10.254   ! internal interface
 media-address range 217.0.0.1 217.0.255.254       ! external interface
 ! the port-range here decides which ports are used for this media range
 ! used to drop phantom packets within this port range, no impact on which ports to use
 sip
  source filter   ! filter out incoming RTP packets with an incorrect remote address/port
Media Policing to Protect Against RTP Floods
• The Leaky Bucket Algorithm (LBA) checks the RTP payload of each RTP packet against the rate negotiated in SIP signaling and identifies any violation
• LBA identifies the violation and triggers policing actions on the violating RTP packets
• Policing actions can be one of the following:
  • Drop all violating packets
  • Drop all violating packets and disconnect the call once it reaches the configured number of violations, or
  • Ignore the violations
• A SYSLOG message and an SNMP trap can be generated to inform the system administrator of the violation
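A leaky-bucket model of the media policing described above, added as an example (not Cisco code): the bucket is fed at the rate negotiated in SDP, a packet that finds too few tokens is a violation, and the three policing actions on the slide decide what happens to it. The bucket depth, the violation limit and the constructed G.711 packet streams are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass
class MediaPolicer:
    """Leaky bucket fed at the negotiated payload rate; a packet that finds
    too few tokens is a violation and receives the configured action."""
    negotiated_bps: int              # payload rate from SDP, e.g. G.711: 64000
    action: str = "drop"             # "drop", "drop-disconnect" or "ignore"
    max_violations: int = 3          # disconnect threshold (drop-disconnect)
    depth_ms: int = 40               # bucket holds this much of the rate (assumed)

    def __post_init__(self) -> None:
        self.rate_bpms = self.negotiated_bps / 8 / 1000    # bytes per ms
        self.capacity = self.rate_bpms * self.depth_ms
        self.tokens = self.capacity
        self.last_ms: Optional[int] = None
        self.violations = 0
        self.disconnected = False

    def packet(self, t_ms: int, payload_bytes: int) -> str:
        """Police one RTP packet: returns 'forward', 'drop' or 'disconnect'."""
        if self.disconnected:
            return "disconnect"                      # call already torn down
        if self.last_ms is not None:                 # leak: refill for elapsed time
            self.tokens = min(self.capacity,
                              self.tokens + (t_ms - self.last_ms) * self.rate_bpms)
        self.last_ms = t_ms
        if payload_bytes <= self.tokens:             # within the negotiated rate
            self.tokens -= payload_bytes
            return "forward"
        self.violations += 1                          # faster than negotiated
        if self.action == "ignore":
            return "forward"                          # counted, not enforced
        if self.action == "drop-disconnect" and self.violations >= self.max_violations:
            self.disconnected = True
            return "disconnect"
        return "drop"


def police_stream(pkts: Iterable[Tuple[int, int]], **cfg) -> Tuple[int, int, int, bool]:
    """Run a (time_ms, payload_bytes) stream through a fresh policer and
    return (forwarded, dropped, violations, disconnected)."""
    pol = MediaPolicer(**cfg)
    verdicts = [pol.packet(t, n) for t, n in pkts]
    return (verdicts.count("forward"), verdicts.count("drop"),
            pol.violations, pol.disconnected)


# Constructed streams: G.711 carries 160 payload bytes every 20 ms (64 kbit/s).
G711_OK = [(20 * i, 160) for i in range(50)]      # conforming stream
G711_FLOOD = [(2 * i, 160) for i in range(50)]    # same packets sent 10x too fast

if __name__ == "__main__":
    for name, stream in (("conforming", G711_OK), ("flood", G711_FLOOD)):
        print(name, police_stream(stream, negotiated_bps=64000))
```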

Introduction to Multi-VRF

[Diagram: one router hosting several VRFs]

• Virtualise at Layer 3 forwarding
• Multi-VRF allows the use of only one router to accomplish the tasks that multiple routers usually perform
• Associates to one or more Layer 3 interfaces on a router/switch
• Each VRF has its own forwarding table (CEF) and routing process (RIP, OSPF, BGP)
• Prior to IOS 15.6(2)T / IOS-XE 16.3.1, CUBE only supports a single VRF for voice
Multi-VRF Aware Call Routing on CUBE (IOS 15.6(2)T / IOS-XE 16.3.1)

[Diagram: per VRF, interface -> tenant -> dial-peer, with several VRFs on one CUBE]

• CUBE allows intra- and inter-VRF routing of voice and video calls without the need for route leaks, improving security at the network level
• Overlapping IP addressing and dial plans with the Multi-VRF feature provide seamless integration of networks
• Provision to configure RTP port ranges for each VRF and allocation of local RTP ports based on the VRF
• Listen sockets on UDP, TCP and TLS transports based on the VRF

VRF and ALL-IP SIP trunks -> IOS XE 16.7, because of "DNS aware VRF"
SIP TLS & SRTP

SIP TLS & SRTP with ALL-IP SIP Trunk

[Diagram: CUCM cluster - CUBE - DT NGN; on the CUCM side TCP/RTP, TCP/SRTP, TLS/RTP or TLS/SRTP, on the DT side TCP/RTP or TLS/SRTP]

• The DT CA certificate must be imported into the router's truststore
• https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/58-deutsche-telekom-root-ca-2
• Root CA as .cer, or converted to ".der", so that it can be imported into the router
• SRTP: AES_CM_128_HMAC_SHA1_80 or AES_CM_128_HMAC_SHA1_32
• SIP: TLS 1.2
• 29xx and 39xx routers: SRTP - RTP interworking requires DSPs
• 43xx and 44xx routers: SRTP - RTP interworking runs on the CPU, so no DSPs are needed
• Observe the router's performance figures with SRTP / TLS
How CUBE Can Protect Against Different Security Attacks (Summary)
Voice Security Attacks
CUBE Protection at Various Layers (1 of 4)
Columns: SBC threat / security requirement; network layer protection (at the entry point in the network: ACLs, NBAR, CoPP); application layer protection (CUBE, built into the B2BUA layer)

Threat: calls/traffic from untrusted sources
• Network layer: Access Control Lists (ACLs) to allow/deny explicit sources of calls
  a. Only allow the service provider's SBC to initiate traffic from the PSTN side
  b. Only allow your enterprise PBX (CUCM) to initiate traffic from the internal network side
  c. Modifiable port range
• Application layer: toll fraud prevention using
  a. IP trust lists [IOS 15.1(2)T]
  b. Silent-discard CLI – TDoS attack mitigation [IOS 15.3(3)M]
  c. Topology/address hiding for both media and signaling
  d. SIP trunk registration/authentication – prevents session hijacking
  e. Option to change well known listening ports
  f. Explicit incoming/outgoing dial-peer matching

Threat: DoS/TDoS attacks
• Network layer: close unused H323/SIP ports and transport mechanisms
  sip-ua
   no transport udp
  voice service voip
   h323
    call service stop

Threat: malformed signaling packets
• Network layer: NBAR – protection against signaling (SIP/H.323/SIP-TLS), UDP attacks on open RTP ports, and crafted packets
• Application layer: automatic checks by the SIP/H.323 protocol stacks in IOS Voice code
Voice Security Attacks
CUBE Protection at Various Layers (2 of 4)
Columns: SBC threat / security requirement; network layer protection (ACLs, NBAR, CoPP); application layer protection (CUBE, B2BUA layer)

Threat: large rate of packet arrival, flooding
• Network layer: Control Plane Policing (CoPP policy) implemented with ACLs – limits the rate of packets and mitigates attacks from otherwise trusted sources
• Application layer:
  • CAC mechanisms based on CPU/memory/bandwidth utilization and total number of calls
  • Call spike monitors the call arrival rate over a moving window of time

Threat: rogue/phantom RTP / RTCP packets
• Network layer: deep packet inspection with ACL and NBAR policing
• Application layer:
  • Define media address and RTP port ranges
  • Source filter – filters out incoming RTP packets with an incorrect remote address/port
  • Automatic checks by IOS Voice code on Call-ID, RTP sequence numbers, SSRC

Threat: malformed RTP / RTCP packets
• Network layer: NBAR policing to classify them as invalid
• Application layer: RTP library check in the IOS Voice code, DSP check
Voice Security Attacks
CUBE Protection at Various Layers (3 of 4)
Columns: SBC threat / security requirement; network layer protection (ACLs, NBAR, CoPP); application layer protection (CUBE, B2BUA layer)

Threat: encrypted signaling or media
• Network layer:
  • Service providers provide SIP trunks over secure VPN
  • IPSec for untrusted WAN segments, deploy TLS/SRTP internally
  • Optional: front end CUBE with an external FW
• Application layer:
  • TLS signed INVITEs / digest authentication
  • TLS to non-TLS, SRTP passthru, SRTP/RTP interworking
  • SHA1-80, SHA1-128, SHA1-256 crypto suite, NGE

Threat: rogue BYEs (i.e. BYE with random Call-ID)
• Network layer: policed with ACLs and Control Plane Policing
• Application layer: automatic checks at the signaling protocol stack, call leg transaction checks within IOS Voice code

Threat: eavesdropping/privacy
• Network layer: encryption
• Application layer: SIP-TLS with sRTP
Voice Security Attacks
CUBE Protection at Various Layers (4 of 4)
Columns: SBC threat / security requirement; network layer protection (ACLs, NBAR, CoPP); application layer protection (CUBE, B2BUA layer)

Threat: service theft
• Network layer: ACLs, IPSec
• Application layer:
  • Class of Restriction
  • Toll fraud prevention mechanisms
  • SIP trunk registration (authentication/credentials CLI)
  • SIP hostname validation
  • Encryption (TLS with SRTP)