SIP Security
This section provides an overview of Oracle® Enterprise Session Border Controller’s security capability. Oracle® Enterprise Session Border Controller security is designed to provide security for VoIP and other multi-media services. It includes access control, DoS attack, and overload protection, which help secure service and protect the network infrastructure (including the Oracle® Enterprise Session Border Controller). In addition, Oracle® Enterprise Session Border Controller security lets legitimate users to still place calls during attack conditions, protecting the service itself.
Oracle® Enterprise Session Border Controller security includes the Net-SAFE framework’s numerous features and architecture designs. Net-SAFE is a requirements framework for the components required to provide protection for the Session Border Controller (SBC), the service provider’s infrastructure equipment (proxies, gateways, call agents, application servers, and so on), and the service itself.
Denial of Service Protection
The Oracle® Enterprise Session Border Controller Denial of Service (DoS) protection functionality protects softswitches and gateways with overload protection, dynamic and static access control, and trusted device classification and separation at Layers 3-5. The Oracle® Enterprise Session Border Controller itself is protected from signaling and media overload, but more importantly the feature allows legitimate, trusted devices to continue receiving service even during an attack. DoS protection prevents the Oracle® Enterprise Session Border Controller host processor from being overwhelmed by a targeted DoS attack from the following:
- IP packets from an untrusted source as defined by provisioned or dynamic ACLs
- IP packets for unsupported or disabled protocols
- Nonconforming/malformed (garbage) packets to signaling ports
- Volume-based attack (flood) of valid or invalid call requests, signaling messages, and so on.
- Overload of valid or invalid call requests from legitimate, trusted sources
Levels of DoS Protection
The multi-level Oracle® Enterprise Session Border Controller Denial of Service protection consists of the following strategies:
- Fast path filtering/access control: involves access control for signaling packets destined for the Oracle® Enterprise Session Border Controller host processor as well as media (RTP) packets. The SBC accomplishes media filtering using the existing dynamic pinhole firewall capabilities. Fast path filtering packets destined for the host processor require the configuration and management of a trusted list and a deny list for each Oracle® Enterprise Session Border Controller realm (although the actual devices can be dynamically trusted or denied by the Oracle® Enterprise Session Border Controller based on configuration). You do not have to provision every endpoint/device on the Oracle® Enterprise Session Border Controller, but instead retain the default values.
- Host path protection: includes flow classification, host path policing and unique signaling flow policing. Fast path filtering alone cannot protect the Oracle® Enterprise Session Border Controller host processor from being overwhelmed by a malicious attack from a trusted source. The host path and individual signaling flows must be policed to ensure that a volume-based attack will not overwhelm the Oracle® Enterprise Session Border Controller’s normal call processing; and subsequently not overwhelm systems beyond it. The Oracle® Enterprise Session Border Controller must classify each source based on its ability to pass certain criteria that is signaling- and application-dependent. At first each source is considered untrusted with the possibility of being promoted to fully trusted. The Oracle® Enterprise Session Border Controller maintains two host paths, one for each class of traffic (trusted and untrusted), with different policing characteristics to ensure that fully trusted traffic always gets precedence.
- Host-based malicious source detection and isolation – dynamic deny list. Malicious sources can be automatically detected in real-time and denied in the fast path to block them from reaching the host processor.
Configuration Overview
NAT table entries are used to filter out undesired IP addresses (deny list). After the packet from an endpoint is accepted through NAT filtering, policing is implemented in the Traffic Manager based on the sender’s IP address. NAT table entries are used to distinguish signaling packets coming in from different sources for policing purposes.
You can configure deny rules based on the following:
- ingress realm
- source IP address
- transport protocol (TCP/UDP)
- application protocol (SIP)
You can configure guaranteed minimum bandwidth for trusted and untrusted signaling paths.
You can configure signaling path policing parameters for individual source addresses. Policing parameters include:
- peak data rate in bits per second
- average data rate in bits per second
- maximum burst size
SIP Unauthorized Endpoint Call Routing
The Oracle® Enterprise Session Border Controller (ESBC) can route new dialog-creating SIP INVITEs from unauthorized endpoints to a session agent or session agent group; then rejection can occur based on the allow-anonymous setting for the SIP port. This type of provisional acceptance and subsequent rejection applies only to INVITEs; the ESBC continues to reject all other requests, such as SUBSCRIBE.
You might enable this feature if you have a network in which unauthorized SIP endpoints continually try to register even if the Oracle® Enterprise Session Border Controller has previously rejected them and never will accept them. For instance, the user account associated with the endpoint might have been removed or core registrars might be overloaded.