Acme Packet Introduces Net-SAFE for Session Border Controllers; Establishes Security Requirements Framework for Session Border Controllers.

SAN JOSE, Calif. -- Adds enhanced signaling DoS protection, TLS and IPSec hardware acceleration module and SIP privacy support to comprehensive, existing set of Net-SAFE security features

Acme Packet(R) today introduced Net-SAFE(TM) (Session Aware Filtering and Enforcement), a comprehensive security requirements framework for session border controllers (SBCs). In addition, Acme Packet announced three new enhanced security features - enhanced SBC DoS self-protection against signaling attacks, a hardware acceleration module for TLS and IPSec, and SIP privacy support - to the existing set of Net-SAFE features in Acme Packet's Net-Net(R) products. Overall, Acme Packet's security capabilities set the industry benchmark for session border controller security functionality.

"The session border controller is in a unique position to defend the service provider's infrastructure from attack and overload, since it provides the first point of communication and defense at the edge of the network," declared Seamus Hourihan, Acme Packet's VP of Product Management & Marketing. "While Acme Packet's products have always provided advanced security features in many areas, today's announcements will significantly raise the bar for session border control security services."

Net-SAFE - the security requirements framework for SBCs

The Net-SAFE framework identifies the requirements that a session border controller must satisfy to protect the SBC itself; to protect the service infrastructure (e.g. SIP servers, softswitches, application servers, media servers or media gateways); and to protect subscriber, enterprise and service provider security including confidentiality and privacy. Net-SAFE spans seven functional areas, each of which is a collection of more specific requirements, including:

--Session border controller DoS protection: Autonomic, SBC self-protection against malicious and non-malicious DoS attacks and overloads at layer 3/4 (e.g. TCP, SYN, ICMP, fragments, etc.) and L5 (e.g. SIP signaling floods, malformed messages, etc.). Mandates hardware-enforced fairness, control and throttling for signaling and media.

--Access control: Session-aware access control for signaling and media using static and dynamic permit/deny ACLs at layer 3 and 5.

--Topology hiding and privacy: Complete infrastructure topology hiding at all protocol layers for confidentiality and attack prevention security, as well as modification, removal or insertion of call signaling application headers and fields. Privacy support using industry-standard encryption methods such as TLS and IPSec.

--VPN separation: Support for Virtual Private Networks (VPNs) with full inter-VPN topology hiding and separation, ability to create separate signaling and media-only VPNs, and with optional intra-VPN media hair-pinning to monitor calls within a VPN.

--Service infrastructure DoS prevention: Per-device signaling and media overload control, with deep packet inspection and call rate control to prevent DoS attacks from reaching service infrastructure such as SIP servers, softswitches, application servers, media servers or media gateways.

--Fraud prevention: Session-based authentication, authorization, and contract enforcement for signaling and media; and service theft protection.

--Monitoring and reporting: Audit trails, event logs, access violation logs and traps, management access command recording, Call Detail Records (CDRs) with media performance monitoring, raw packet capture ability and lawful intercept capability.

New Net-SAFE features extend SBC security leadership

Specific new security enhancements in today's announcement include enhanced SBC DoS self-protection against signaling attacks, a hardware acceleration module for TLS and IPSec, and SIP privacy support. Together these security features protect the SBC from deadly signaling attacks, prevent infrastructure DoS and overload conditions, and protect subscriber, enterprise, and service provider confidentiality and privacy.

Session border controller signaling processor DoS protection

DoS and distributed denial of service (DDoS) attacks are becoming everyday threats for service providers. While attacks on Internet-based services continue to increase both in volume and cost impact, so too does the value of those services to the provider. As usage of real-time IP voice, video and multimedia services grows, they become a more prominent target for attack. In some cases, busy time and abnormal conditions or events cause increases in call signaling rates which go beyond what the service provider infrastructure can support, resulting in network conditions that are similar in effect to DoS attacks.

This new autonomic, SBC attack protection feature defends the signaling processor in the Net-Net product family by taking advantage of the hardware-based, two-tier network processor-signaling processor architecture common in all the Net-Net products. The feature enables the Net-Net hardware to dynamically perform classification, policing, shaping and discarding based on session events, using them to build trust or detect attackers. The result is non-stop operation in the presence of signaling attacks and guaranteed high performance thanks to the hardware-based filtering and usage enforcement. Features include:

--Network processor-based access control to signaling processor - dynamic and static permit/deny ACLs including trust-level classification - with line-rate performance
--Dynamic trust-binding - IP address/port of trusted endpoints
--Dynamic attacker isolation - IP address/port of DoS suspects
--Signaling processor protection
--Trusted & untrusted paths from network processor to signaling processor w/configurable bandwidth scheduling and partitioning, providing hardware-based access fairness and SBC overload protection
--Signaling processor path bandwidth policing per session, providing per-session signaling rate enforcement
--Reporting - attacks and overloads
--SNMP traps
--Logging

TLS & IPSec hardware acceleration module

This hardware-based encryption module enables existing Net-Net products to maintain the industry's highest call volume and signaling rates with the lowest call setup latency possible, while providing authentication and privacy between the session border controller and the remote device. The new module enables the session border controller to perform hardware-accelerated encryption and authentication for each signaling session on the public network, while translating the signaling to use a lower-overhead, more efficient transport protocol such as UDP on the service provider's private network. Consequently, the session border controller can offload the per-session encryption and authentication processing burden from the service provider's internal signaling equipment, providing greater scalability for the service architecture as a whole. Specifically, this add-on hardware module supports TLS v1.1 - an enhanced SSLv3 encrypted transport defined by RFC 2246 - and IPSec as defined by numerous IETF RFCs, including numerous key exchange protocols, modes, encryption, authentication and cipher options.

SIP User Privacy

The SIP privacy enhancement, supporting RFCs 3323 and 3325, enhances the Net-SAFE Privacy functionality by anonymizing caller identity information in SIP signaling messages on a per-user or per-call basis as instructed by the service provider's SIP infrastructure. This enables service providers to provide a caller privacy service for their subscribers concerned about identity theft, spyware monitoring, and eavesdropping by unknown entities.
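The signaling-processor DoS protection above describes trust built from session events, isolation of DoS suspects, partitioned trusted/untrusted paths and per-session rate policing. The following is an added Python model of that behaviour (not Acme Packet's code); the event names, endpoints and thresholds are constructed for illustration.

```python
"""Model of trust-based signaling DoS self-protection: endpoints start untrusted, a
session event ('auth_ok', e.g. an authenticated REGISTER) binds them as trusted,
repeated violations isolate them, and trusted/untrusted traffic use separate budgets.
Added example, not Acme Packet's code; all thresholds are constructed."""
from collections import defaultdict

UNTRUSTED, TRUSTED, DENIED = "untrusted", "trusted", "denied"


class SignalingGuard:
    def __init__(self, untrusted_budget=4, trusted_budget=50, per_endpoint=3, strikes=2):
        self.trust = defaultdict(lambda: UNTRUSTED)   # dynamic trust binding per (ip, port)
        self.budget = {UNTRUSTED: untrusted_budget, TRUSTED: trusted_budget}  # path partitions
        self.used = {UNTRUSTED: 0, TRUSTED: 0}         # messages forwarded per path this interval
        self.count = defaultdict(int)                  # messages seen per endpoint this interval
        self.violations = defaultdict(int)
        self.per_endpoint, self.strikes = per_endpoint, strikes
        self.accepted = self.dropped = 0

    def admit(self, endpoint, event):
        """Police one signaling message; True if it reaches the signaling processor."""
        level = self.trust[endpoint]
        self.count[endpoint] += 1
        if level != DENIED and (event == "malformed" or self.count[endpoint] > self.per_endpoint):
            self.violations[endpoint] += 1             # per-session rate / sanity violation
            if self.violations[endpoint] >= self.strikes:
                self.trust[endpoint] = DENIED          # dynamic attacker isolation
            level = DENIED
        if level == DENIED or self.used[level] >= self.budget[level]:
            self.dropped += 1                          # discarded before the signaling processor
            return False
        self.used[level] += 1
        self.accepted += 1
        if event == "auth_ok":
            self.trust[endpoint] = TRUSTED             # trust built from a session event
        return True


def simulate(events):
    """Run a constructed sequence of (endpoint, event) pairs within one interval."""
    guard = SignalingGuard()
    for endpoint, event in events:
        guard.admit(endpoint, event)
    return guard


# Constructed traffic: A registers, B floods, C is a quiet newcomer, then A signals again.
A, B, C = ("192.0.2.10", 5060), ("198.51.100.7", 5060), ("203.0.113.5", 5060)
SCENARIO = [(A, "auth_ok")] + [(B, "ok")] * 10 + [(C, "ok"), (A, "ok")]
```

Running `simulate(SCENARIO)` shows the trade-off the partitioned paths buy: B is isolated after two rate violations and trusted A is still forwarded, while the not-yet-trusted newcomer C is dropped because the flood exhausted the shared untrusted budget.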
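The SIP User Privacy section describes anonymizing caller identity per RFCs 3323 and 3325 as instructed by the provider's infrastructure. The following is an added Python example (not Acme Packet's code) of what that function does at a trust boundary; the sample INVITE and the trusted/untrusted peer flag are constructed.

```python
"""Per-call SIP caller-identity privacy at a trust boundary (RFC 3323 / RFC 3325).
Added example, not Acme Packet's code: Privacy 'id' strips the network-asserted
identity and 'user' anonymises From, but only when the next hop is untrusted."""
import re

ANON_FROM = '"Anonymous" <sip:anonymous@anonymous.invalid>'   # RFC 3323 user-level privacy
ID_HEADERS = {"p-asserted-identity", "p-preferred-identity"}  # RFC 3325 identity headers


def parse_sip(raw):
    """Split a SIP request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines[1:])]
    return lines[0], headers, body


def apply_privacy(raw, peer_trusted):
    """Return the request as it should be forwarded; unchanged inside the trust domain."""
    request_line, headers, body = parse_sip(raw)
    requested = set()
    for name, value in headers:
        if name.lower() == "privacy":
            requested.update(tok.strip().lower() for tok in value.split(";"))
    if peer_trusted or not requested:
        return raw
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname == "privacy":
            continue                      # privacy is applied here, so the request is consumed
        if "id" in requested and lname in ID_HEADERS:
            continue                      # asserted identity must not leave the trust domain
        if "user" in requested and lname == "from":
            tag = re.search(r";tag=[^;]+", value)   # keep the dialog tag, hide the identity
            value = ANON_FROM + (tag.group(0) if tag else "")
        kept.append(f"{name}: {value}")
    return "\r\n".join([request_line, *kept]) + "\r\n\r\n" + body


# Constructed sample: the provider's infrastructure asserted Alice's identity and relayed
# her request for id and user privacy.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    'From: "Alice" <sip:alice@example.com>;tag=1928301774\r\n'
    "To: <sip:bob@example.net>\r\n"
    'P-Asserted-Identity: "Alice" <sip:+15551234@example.com;user=phone>\r\n'
    "Privacy: id;user\r\n"
    "Content-Length: 0\r\n\r\n"
)
```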
About Acme Packet

Acme Packet, the leader in session border control, enables service providers to deliver premium, interactive communications - voice, video and multimedia sessions - across IP network borders. Our Net-Net family has been selected by 9 of the top 10, and 16 of the top 25 service providers in the world to satisfy critical security, service assurance and law enforcement requirements in wireline, cable and wireless networks. These deployments support all applications - from trunking to hosted enterprise and residential services; all protocols - SIP, H.323, MGCP/NCS and H.248; and all border points - peering, access network and data center. For more information, contact us at +1 781.328.4400, or visit www.acmepacket.com.