Countermeasures
Interop NY – Sept 19, 2006
Gregory M. Lebovitz
gregory@juniper.net
Major Concern
50%
40%
Dynamic pinholes
EndPoint Media Wide Range of Ports; Media
EndPoint
Undue Exposure
Internet Protocol
Source: 194.90.133.115
Destination: 194.90.133.116 Softswitch
Internet Protocol
Source: 194.90.81.144
194.90.133.115
VF-4000 session Softswitch
border controller
Destination: 194.90.133.116
ALG technology to extend corporate VoIP
MPLS TE passed to provider MPLS network
PoE Switch
Internal VoIP Zone architecture for
End-Point
Network
intra/inter zones with
policy enforcement
Secure and Assured Infrastructure
• prevent eavesdropping
• Hide Signaling
IP PBX IP PBX
Branch
Office Corporate
VPN Tunnel Network
Firewall/NAT issues
MGCP IAD
H.323/SIP
SIP/H.323 Phones Endpoints VPN/VLAN
SIP/H.323 Phones mappings Wireless
POTS Phone
IP Phone
Mobile
Phone
SS7 IN
Network Softswitch
Media
Gateway Media
Application Media OSS Softswitch Gateway
Server Server
Class 5
Switch Router Other
Carrier
VoIP Service Provider
Network Protection Internet
or IP NW
POTS
Hosted IP Centrex IP PBX Services Voice Over Broadband (Cable, DSL) Wireless/Mobile
IP PBX Router Wireless/
Data Cable/DSL Mobile
FW/NAT Modem Base Station
10.1 10.1 20.1
MGCP IAD
H.323/SIP
SIP/H.323 Phones Endpoints POTS Phone Wireless Mobile
SIP/H.323 Phones IP Phone Phone
Register
Phone num
1234
SIP/Phone
10.0.0.1
IP Network
alice@juniper.net
Media Rate Limited to Codec Bandwidth
SBC
Network at risk due to signaling DoS attacks
Excess Signaling Discarded
Media Gateway PBXA PBXB DNS
HQ VoIP Infrastructure