As you can see in the above schematic diagram, the network has a star structure. Remote locations are directly connected to one central location. Remote Call Shops are connected to a central location over the Lottery network infrastructure. Aside from the call shop network infrastructure, there is also a lottery network infrastructure at remote locations. These two networks are not separated at the moment. Phones and PCs will be installed at each remote location for use in billing and administration. Remote locations are connected to the network using Cisco 1940 series router.
Our recommendation is to build a central location around the following 4 major components:
- SWITCHware / Multi-Tenant PBXware
- SIPProxy / SBC
- Border Firewall
- Monitoring subsystem
Every one of these components is important, but SWITCHware is the “heart” of the system.
SWITCHware provides SIP security options.
- SIPProt is a SIP security module that can be installed on SWITCHware and provide some security options for SWITCHware. SIPProt has been designed to provide protection in case of SIP attack attempts.
- IP address registration
The next most important part of the infrastructure we suggest to be installed on the central location is SIP proxy. SIP proxy has few major roles:
- Call routing
- SIP protection
The firewall is an important part of the infrastructure. It is the first line of network defend. The most important task of the firewall is to control traffic according to the configured ACL (Access Control Lists).
Possible SIP security scenarios
Here is a list of situations in which SIP security can be compromised:
- SIP DOS attack from internal and external network
- Stolen SIP authentication details
- Network threats from public / Lottery network
- Network security threats to Lottery network
SIP DOS attack from internal and external network
Major consequence of the SIP attack attempts can be that your SIP service is unavailable for your phones from Call shops. The source of this kind of threat can be a PC in your network (Lottery network) or from an external network. (See picture)
Because this is a serious problem, we have two places where we can defend our network from this kind of threat.
SIP DOS attack problem solution
The first place is SIP proxy and the second place is SWITCHware.
On SIP proxy it is possible to configure it to answer only known (our remote) IP addresses. In this case, attacks will not find any SIP service on our side.
In case that attacker has somehow found the IP address of our SIP server, we have a second line of defense, which is SWITCHware. On SWITCHware it is possible to install SIPProt, our SIP protection module. SIPProt is able to recognize and block SIP attacks. As a mechanism to recognize SIP attacks, SIPProt uses the following techniques:
- Pattern recognition
- Brute force detection
To be able to prevent “false alarms” and to avoid situations where a “friendly” IP is blocked, SIPProt uses white lists. Also, a black list is supported which will allow permanently blocked IPs.
SIPProt will log any attack attempt in the appropriate log file and generate the appropriate email notifications.
So using the above two SIP protection mechanisms we are able to protect your SIP services from SIP attacks no matter from which side attacks come, whether internal or external networks.
Stolen SIP authentication details / phones
There are a few possibilities for someone who wants to steal sensitive SIP authentication information:
- To steal phone from a call shop
- Sniff SIP traffic
- Pick up information from the provisioning server
These are most common situations in which your SIP security is endangered.
Situation when phone is stolen from Call shop
The first major problem that you may have when a phone is stolen from the call shop is the possibility to make calls without your control. If the stolen phone is connected to another part of the public network, is there a possibility to make calls from it?
This situation is not such a big problem because of two facts:
If the call shop uses static IP to connect to the public network, only that IP will be enabled, based on appropriate extension configuration. So, if someone connects the phone to some other network with another IP, SWITCHware will deny all these SIP registrations.
The other consideration is: If the phone is stolen it is possible to take SIP authentication information from it.
It is very difficult to read SIP authentication information (password) even if you know login information for the phone web GUI.
Also, the phone is not enabled to place calls before the operator has allowed it through the application. So even if the phone is registered from some other location, calls are disabled until the operator allows it.
Solution for stolen phone situation
Use static IPs for remote call shops on the public side
Change SIP credentials every time the phone is rebooted
This will guarantee that if the phone is stolen, the next time powers on
Configured daily / monthly limit on every extension
Even if someone successfully registers the stolen phone on SWITCHware, every extension will have configured a limit per day / month, so the potential financial risk will be limited.
Sniff SIP traffic
There is a real possibility for SIP traffic be sniffed on the network in two places:
On the LAN network on the remote side (Call shop network)
On the public network, along the public provider’s infrastructure.
In this situation, when an intruder is able to pickup SIP traffic, a SIP registration request that contains authentication details, can also be sniffed.
SIP registration requests contain an authentication secret that is encrypted using an MD5 algorithm. This means that intruder will not be able just like that to pickup registration secret from sniffed SIP traffic.
Solution to prevent the risk of SIP traffic sniffing
To avoid this kind of problem, our recommendation is to use a SIP TLS protocol. Unlike ordinary SIP protocol which uses “plain text”, SIP TLS exchange encrypts messages during communication. SIP TLS is supported with SIP proxy and SBC setup.
Stolen files from the provisioning server
Auto provision of configuration files will allow the phone to pick up configuration and read configuration from a file. So the phone can be automatically configured. But this brings some security risks. Theoretically, if someone has some information, he will be able to pick up the configuration files and use the authentication information to register a phone and place uncontrolled calls. Fortunately, this is not so easy. To be able to do that, the intruder has to know the following information:
Authentication details of the auto provisioning server (https service)
MAC address of phone
The MAC address of the phone is not so difficult to get, but the auto provisioning server login details are not so easy to obtain. If https service is used for auto provisioning, all data in communication between the phone and the server will be encrypted.
Solution for prevent risk of stolen auto provisioning files
There are a few things which will have to be done to avoid this kind of threat:
Dynamically generate auto provisioning authentication information for every phone (different authentication details for every phone).
This will make it very difficult to break in to the auto provisioning server.
The auto provisioning file has to be encrypted, every file will be generated with a different encryption key.
So if someone breaks in to the auto provisioning server he will be able to pick up encrypted files. Every file will have a different decryption key.
Network threats from public / lottery network
As a transport network between call shops and the central location, you use part of the lottery network infrastructure. The lottery network uses the public network to connect to remote locations. This means that voice traffic will pass through the lottery network infrastructure and also through the public network. Because of this, the central location has to be protected from possible intrusions and attacks. The best way to do that is to use a firewall to protect the central location, as is shown on the topology schematic diagram.
Solution to prevent the risk of network threats from the public / lottery network
To provide additional protection, the firewall has to provide the following functions:
IP filtering, allow only public IPs to belong to remote call shops. This means that you have to provide static IPs on remote locations. Traffic from all other IPs will be denied.
Port filtering, allow only VoIP traffic and management traffic from remote Call shops to a central location internal network
Allow traffic management only from “known” IPs.
Using the above recommendations, the central location will be safe from possible intrusions and attacks from the public network.
On the remote call shop side, the local private IP will be NATed to the public IP. This situation will provide some kind of security because there is no need to open any port from the public side to the local side of the network. So local IPs will not be directly visible to the public network.
But because the Lottery network devices and your network devices (phones, admin PC) will be in same local network, this can be a potential security problem. Because of that you have to try to separate these two parts of local network. Our recommendation is to use different IP subnets connected to different local network ports of a local router and if it is possible to use different VLANs.
Network threats from our network to the lottery network
The main consideration when talking about the possibility to prevent intruders from our network to the lottery network infrastructure is the fact that we share the same network infrastructure. So the only way to provide security to the lottery network is to separate these two networks.
Solution for provide protection to the lottery network
So on the remote location, the networks have to be separated in the following way:
Separation of network segments on network layer 2. This can be provided using VLAN segments on local networks.
Separation of network on network layer 3 using different IP subnets.
Appropriate ACL on router that will block traffic between these IPs subnets.
This situation is shown in the following pictures:
Different VLANs will allow the separation of traffic on network layer 2, which means that the only way to have traffic between two segments is over the router. Of course this kind of traffic will be blocked on the router so these two network segments will be totally separated.
To provide a high level of network security, our recommendation is to provide the following:
Build network topology according to the topology shown in the picture from the beginning of the document. This means that the central location has to be built from the following components:
- SIP proxy
- SWITCHware with SIPProt installed
Use static IPs on call shop remote locations.
This is important because in the case that the central location will be appropriately protected from intrusions from unknown public IPs. And this will be implemented on the firewall.
Also, by using static IPs we will be able to allow SIP registrations only from known IPs. This will be configured on SIP proxy and SWITCHware. So if a phone is stolen, you do not to need worry about possible financial loss.
Call administration/billing for every remote Call shop will be allowed only from known IPs.
Use SIP TLS protocol (not needed if each location has a static IP).
Use encrypted auto provisioning files.
Use different encryption keys for every phone. Generate GUI / SIP URL provisioning and SIP authentication credentials dynamically and different for every phone.
SNMP network monitoring. We can provide you with this.
SIP/RTP monitoring. We can install our voipMON solution.
Use daily / monthly call spending limits.
Separate the lottery network and your network on a remote location.
This will prevent the lottery network from being a potential threat to your network security. Also, this will protect the lottery’s network from potential threats from your network.
Make sure to have dedicated staff for all of the above.