Discover the Main Ways of Protecting VoIP Networks
Greetings everyone! Many articles have already been published saying that an SBC protects the VoIP network, prevents toll fraud (theft of traffic), repels DoS/DDoS attacks and provides a full set of VoIP security services. However, very little is written about the real attacks seen in the world of VoIP and SIP, and about which technologies actually provide the protection. In this article we try to describe what attacks exist in the VoIP world, what is peculiar about them, how they differ from ordinary network attacks, and how the AudioCodes SBC prevents them and delivers the protection that everyone writes about.
First, we define two basic SBC configurations:
- SIP Trunk: the most common use of an SBC, where it connects the enterprise to SIP operators over an IP network.
- Registration: the SBC is used to connect remote users from the Internet to an IP PBX (for example, Asterisk).
From a security standpoint the two are very different. In the first case you know where a call comes from (although not always, as discussed in more detail later); in the second case you initially do not know where a registration or a call will come from. All of the examples below refer to these two ways of connecting SIP through the SBC.
Security hardening should start with the simplest things, namely:
Configure the management interface on the internal network only, preferably separate from the signaling network. The network interfaces of the AudioCodes SBC can carry several roles. To manage the SBC, use the interface with the OAMP role. This interface should be on the internal network and ideally (especially in large companies, where an attack may originate from inside the company) in a dedicated subnet that has nothing to do with the VoIP network.
If possible, use non-standard ports. This applies especially to corporate networks: communication operators are forced to publish the ports their customers connect to, so it is not difficult to find out the address and port on which an operator is listening. In a corporate network, information about addresses and ports is not published anywhere, so the only way to find them is to probe the port with a message or simply listen on the address. In most cases, fraudsters who break into a VoIP network start by sending a test SIP message to a large number of addresses and waiting for a reply. If a reply comes back, they begin trying to "break" the system. Using a port other than the standard SIP port 5060 will at least reduce the probability that your SIP address is found.
The AudioCodes SBC allows you to use any port on the Internet side, and that port can differ from the port used internally. The SIP ports on which the SBC listens are configured in the SIP Interface table. It is also important to enable only the transport protocol you plan to work with (UDP / TCP / TLS). If a port is not used, leave its value at "0"; the port is then disabled on that SIP interface.
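The probing behaviour described above (one source sending test requests to many users or extensions in a short time) is easy to spot from the SBC's own message logs. The following is an added example, not code from the article or from AudioCodes: it parses a constructed log format (the timestamp/src/method/to layout is an assumption of this example, not the AudioCodes syslog syntax) and flags any source that sends many requests to many distinct request URIs within a sliding window, while leaving the operator's trunk and a user's periodic re-registrations alone.

```python
"""Spot SIP scanning against an SBC interface from (constructed) message logs.

A scanner sends probe requests (OPTIONS, INVITE or REGISTER) to many
users/extensions from one source in a short time. Legitimate peers send far
fewer requests and mostly repeat the same targets.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not the AudioCodes syslog syntax):
# "<ISO-8601 timestamp> src=<source IP> method=<SIP method> to=<request URI>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+method=(?P<method>[A-Z]+)\s+to=(?P<to>\S+)$"
)

# Constructed sample: one operator trunk (198.51.100.20), one remote user
# re-registering (192.0.2.50) and one host probing extension after extension
# (203.0.113.7). All addresses are documentation ranges.
SAMPLE_LOG = """\
2017-06-01T10:00:00 src=198.51.100.20 method=INVITE to=sip:+15551230001@sbc.example.net
2017-06-01T10:00:01 src=203.0.113.7 method=OPTIONS to=sip:100@sbc.example.net
2017-06-01T10:00:02 src=203.0.113.7 method=OPTIONS to=sip:101@sbc.example.net
2017-06-01T10:00:03 src=203.0.113.7 method=INVITE to=sip:102@sbc.example.net
2017-06-01T10:00:04 src=203.0.113.7 method=INVITE to=sip:103@sbc.example.net
2017-06-01T10:00:05 src=203.0.113.7 method=REGISTER to=sip:104@sbc.example.net
2017-06-01T10:00:06 src=203.0.113.7 method=REGISTER to=sip:105@sbc.example.net
2017-06-01T10:00:30 src=192.0.2.50 method=REGISTER to=sip:alice@sbc.example.net
2017-06-01T10:01:30 src=192.0.2.50 method=REGISTER to=sip:alice@sbc.example.net
2017-06-01T10:02:30 src=192.0.2.50 method=REGISTER to=sip:alice@sbc.example.net
2017-06-01T10:03:00 src=198.51.100.20 method=INVITE to=sip:+15551230002@sbc.example.net
2017-06-01T10:05:00 src=198.51.100.20 method=INVITE to=sip:+15551230003@sbc.example.net
"""


def parse_log(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.fromisoformat(m.group("ts")),
                "src": m.group("src"),
                "method": m.group("method"),
                "to": m.group("to"),
            }


def flag_probing_sources(text, window_seconds=60, min_requests=5, min_targets=4):
    """Return {src: {"requests", "targets", "first_seen"}} for every source that
    sent at least min_requests requests to at least min_targets distinct URIs
    within some sliding window of window_seconds (largest such window is kept)."""
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev["src"]].append(ev)

    flagged = {}
    span = timedelta(seconds=window_seconds)
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window fits within `span`.
            while events[end]["ts"] - events[start]["ts"] > span:
                start += 1
            window = events[start:end + 1]
            targets = {e["to"] for e in window}
            if len(window) >= min_requests and len(targets) >= min_targets:
                best = flagged.get(src)
                if best is None or len(window) > best["requests"]:
                    flagged[src] = {
                        "requests": len(window),
                        "targets": len(targets),
                        "first_seen": window[0]["ts"].isoformat(),
                    }
    return flagged


if __name__ == "__main__":
    for src, info in flag_probing_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['requests']} requests to {info['targets']} targets "
              f"starting {info['first_seen']}")
```

The thresholds are deliberately conservative so that a trunk carrying several calls to different numbers, or a phone re-registering every minute, is not mistaken for a scanner; a flagged source is a natural candidate for the firewall rules discussed further below.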
To configure a SIP Trunk, if possible, configure the Layer 3 firewall and allow access to the SBC only from the addresses from which SIP messages and RTP traffic can arrive. These settings are made in the menu (Configuration tab > VoIP menu > Security > Firewall Settings). But there are several points to take into account when setting this up:
In most cases a SIP Trunk is configured not with an IP address but with a domain name. So do not forget to open the port to the DNS server that is used for the public Internet; otherwise the SBC simply cannot find the server address.
If the peer is a large operator or a large system, it is not always possible to determine its IP address or addresses correctly. This is because operators run several systems under the same name. Moreover, IP addresses there can be both removed and added, which can cause either all calls or some of the calls to stop working at some point.
Thus, using the standard firewall is desirable, but it should be used cautiously and wisely so as not to damage the telephony service.
Next, configure call admission control. These are various restrictions on both calls and SIP messages. The values differ between the two SBC configurations (SIP Trunk and Registration).
Simultaneous sessions. Limit the number of simultaneous connections. For a SIP trunk, the number of sessions per operator should not exceed the number of sessions you buy from that operator. In theory the operator should block any excess sessions, but here it is better to follow the principle "trust, but verify". For users connecting over the Internet (the Registration configuration), the limit must be fairly strict: 1, at most 2, simultaneous calls.

Posted on: June 1, 2017 by Ana Nichols
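To make the session-limit rule concrete, here is an added example that is not code from the article or from AudioCodes: a small admission controller that keeps a per-trunk limit equal to the channels bought from each operator and a much stricter per-user limit for registered users, admitting an INVITE only while the owner is under its limit and freeing the slot when the call ends. The trunk names, the user URI and the limits in the scenario are constructed for the demonstration.

```python
"""Call admission control: cap simultaneous sessions per SIP trunk and per
registered user, releasing a slot when a call ends (constructed demo)."""
from collections import defaultdict


class CallAdmissionControl:
    """Tracks active calls and admits a new INVITE only while the owning
    entity (a trunk or a registered user) is under its session limit."""

    def __init__(self, trunk_limits, user_limit=1):
        # trunk_limits: {trunk name: channels bought from that operator}
        # user_limit: simultaneous calls allowed per registered user (1, at most 2)
        self.trunk_limits = dict(trunk_limits)
        self.user_limit = user_limit
        self.active = {}               # call_id -> (kind, name)
        self.counts = defaultdict(int)  # (kind, name) -> active sessions

    def limit_for(self, kind, name):
        if kind == "trunk":
            # Unknown trunk: nothing was bought from it, so nothing is admitted.
            return self.trunk_limits.get(name, 0)
        return self.user_limit

    def on_invite(self, kind, name, call_id):
        key = (kind, name)
        if call_id in self.active:      # retransmitted INVITE, already counted
            return "admit"
        if self.counts[key] >= self.limit_for(kind, name):
            return "reject"
        self.active[call_id] = key
        self.counts[key] += 1
        return "admit"

    def on_release(self, call_id):
        """BYE, CANCEL or a failed setup frees the slot."""
        key = self.active.pop(call_id, None)
        if key is None:
            return "unknown"
        self.counts[key] -= 1
        return "released"

    def active_sessions(self, kind, name):
        return self.counts[(kind, name)]


# Constructed scenario: 3 channels bought from "operator-a", remote users limited to 2.
SCENARIO = [
    ("INVITE", "trunk", "operator-a", "c1"),
    ("INVITE", "trunk", "operator-a", "c2"),
    ("INVITE", "trunk", "operator-a", "c3"),
    ("INVITE", "trunk", "operator-a", "c4"),   # 4th concurrent call on a 3-channel trunk
    ("BYE",    "trunk", "operator-a", "c1"),
    ("INVITE", "trunk", "operator-a", "c5"),   # c1 has ended, so a slot is free again
    ("INVITE", "user",  "sip:alice@example.net", "u1"),
    ("INVITE", "user",  "sip:alice@example.net", "u2"),
    ("INVITE", "user",  "sip:alice@example.net", "u3"),  # 3rd call from one user
    ("INVITE", "trunk", "operator-b", "c6"),   # no channels bought from this trunk
]


def run_scenario(events=SCENARIO, trunk_limits=None, user_limit=2):
    """Replay the events and return [(call_id, decision), ...]."""
    cac = CallAdmissionControl(trunk_limits or {"operator-a": 3}, user_limit)
    decisions = []
    for method, kind, name, call_id in events:
        if method == "INVITE":
            decisions.append((call_id, cac.on_invite(kind, name, call_id)))
        else:
            decisions.append((call_id, cac.on_release(call_id)))
    return decisions


if __name__ == "__main__":
    for call_id, decision in run_scenario():
        print(f"{call_id}: {decision}")
```

The trunk limit mirrors the "trust, but verify" point: even if the operator enforces the purchased channel count on its side, the SBC rejects the fourth concurrent call on a three-channel trunk itself, and a trunk that was never provisioned admits nothing at all.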