Who needs a Session Border Controller

May 8, 2015 - PRLog -- Every year the number of PBX fraud victims increases dramatically. More and more companies are targeted by individuals who are looking to bring down or exploit the communications system. Some do it for fun and others for illicit profit, but the end result is always the same… Huge bills and down time.

The most vulnerable targets remain small-medium size businesses that are new to managing their own IP PBX system. They either don’t have the IT experience and staff to properly secure and maintain the network, or they’re unaware of the risks altogether having recently switched from a landline system. Whatever the reason, many networks are consistently left unprotected. By the time most companies realize that something is wrong with their phone expenses, it’s too late—the network security has been compromised.

Toll fraud losses are growing at rate faster than global telecom revenues.

Things to be considered

•The law is clear, you are the only responsible for the security of your phone system and any charges generated from it.

•You will pay on average 5,000$ USD to 80,000$ per attack to your carrier.

•Downtime of your whole system is very common.

•In some cases you will have to find a different carrier.

Who needs an SBC?

If you are deploying an IP PBX system connected to the internet, chances are that it will get hacked within 5h-6h by hackers looking to make calls at your expense or to bring your communication network down just because they can.

•VoIP became a favorite target for hackers as its popularity and uptake increased in the past years.

•Firewalls are just unable to block hackers who use scripts and bots to access PBX systems.

•The Source address of the hacker is being deliberately spoofed, making it more difficult to detect even more when this one is also masked by the “noise” of many randomly generated addresses.

•A common and devastating attack is the DoS (Denial of Service). PBX systems are unable to handle the flood of SIP requests generated by the hackers. These thousands of simultaneous requests brings your PBX down.

•Brute force password guessing can have the same impact as a DoS attack

And these are only a few attacks out of the thousands used by hackers worldwide...

Would you leave your home unlocked? So then why leave your PBX open??

Most hackers today, are after the money; so they commit what is known as toll fraud. They access your PBX and use your accounts to place long distance calls or other chargeable calls.

Here are some interesting articles about the phenomenon.

Asterisk PBX Hack Attack (or, how scammers hijacked my phone system to place unauthorized calls) http://deepliquid.com/blog/archives/19

How Filipino phreakers turned PBX systems into cash machines for terrorists http://arstechnica.com/tech-policy/2011/11/how-filipino-phreakers-turned-pbx-systems-into-cash-machines-for-terrorists/

How I know my PBX is getting attacked or hacked?

Chances are you won't know until it’s too late...

Only having an active analysis of the VoIP packets and action can secure your PBX and inform you of attacks in progress.

How to protect my PBX?

Use an SBC, check the logs regularly, allow your firewall to open only SIP and RTP ports, use strong passwords, implement strong outbound rules, peer configuration without authentications etc.

Read the following:

http://www.voipmechanic.com/securing-asterisk.htm

PBX systems are unable to detect attacks such as:

•SIP port scanning

•Password guessing

•Toll Fraud

•Dos/DDoS

•Buffer Overflow

•SIP Anomaly

•Etc.,

An SBC offers support protection at Layer 7 by using SIP-TLS and media encryption etc., NAT, interoperability, media transcoding etc.,

What is Blox (Session border controller) (http://allo.com/sbc.html?affId=184316)?


•BLOX is an Open Source SIP session border controller

•BLOX will secure your internal PBX/Gateway/VoIP Network from external network/Internet.

•BLOX handles SIP-NAT issues observed in the common VOIP deployments.

•BLOX conducts DPI Packet Inspection of SIP traffic, supporting the Signatures for Key Malwares/Vulnerabilities observed in SIP Deployments

•BLOX supports SIP-TLS, Topology Hiding, CAC, Media Pin-holing, Media Encryption(SRTP), Transcoding, Hosted PBX

Blox Basic Functions

•SIP Outbound/Inbound Trunk and policies to route the calls.

•Secure Remote access to Internal SIP PBX.

•Eliminates bad VoIP signaling and media protocol at the network boundary.

•Built-in firewall which can controls IP Addresses/Port based Filtering, DOS/DDOS Attacks, IP Blacklist & NAT. It opens pinhole in the firewall to allow VoIP signaling and media to pass through.

•Media bridging, this may include Voice over IP and Fax over IP.

•Least Call Routing Re-Direct

•DTMF Support for RFC2833/INBAND/SIP INFO

Deployment Scenario

Scenario 1:

In the above scenario Blox SBC will be placed behind Firewall in DMZ zone. SIP and RTP packets will be forwarded to Blox SBC by firewall.

Scenario 2:

In the above scenario Blox SBC will be placed in the public internet. Blox will act as SIP B2BUA and protect the internal network from any direct contact from external network.

Blox opens the RTP (Media) Port based on the negotiated media parameters (RTP Pin-holing)

PBXs behind Blox, can connect to Trunk via Blox and receive calls from Trunks by registering to Blox

Roaming User (Upper Registration) are allowed to connect to PBX via Blox, this way PBX can be accessed in a secure way.

Blox Main Features

•SIP Trunking (Connectivity)

•Remote Worker (Roaming User)

•SIP Registration Pass-thru

•Core Session Router (Call Routing)

•SIP Intrusion Prevention

•DDoS / DoS Attack Protection

•SIP Registration Scan Attack Detection

•SIP Header Normalization

•SIP Malformed Packet Protection

•Topology Hiding

•Call Access Control (Total calls per Trunk, Inbound/Outbound)

•Least Cost Routing

•IP Firewall

•VLAN and Virtual IP support

•IPSec Encryption

•Packet-to-packet call flows (B2B UA)

•Media relay with pinhole control

•SIP Request Rate Limiting

•Support IPV4

•Hardware-based Transcoding

•Hardware-based Media Encryption with SRTP

•Media anchoring

•Call Security with TLS

•Advanced NAT Traversal Capabilities

•T.38 Fax Relay

•CDR record generation

•SIP Header Manipulation

•RTCP Statistics

Advanced Features

Allo Transcoding Card can provides you the following Media Service (www.allo.com)

•Media codec transcoding through Allo Transcoding card with Full RTP Transcoding (G.711, G.722, G.729, G.726, G.723.1, iLBC, AMR, G.722.1)

•T.38 Fax Bridging (G711 to T.38 Packets)

•SRTP media encryption through Allo Transcoding Card

For support contact support@blox.org

Visit BLOX.org and join our forum.