TMCnet News

Acme Packet Introduces Net-SAFE for Session Border Controllers
[March 08, 2005]

Establishes security requirements framework for session border controllers

Adds enhanced signaling DoS protection, TLS and IPSec hardware acceleration module and
SIP privacy support to comprehensive, existing set of Net-SAFE security features
SAN JOSE, CA – March 7, 2005 – Acme Packet® today introduced Net-SAFE™ (Session Aware Filtering and Enforcement), a comprehensive security requirements framework for session border controllers (SBCs). In addition, Acme Packet announced three new enhanced security features - enhanced SBC DoS self-protection against signaling attacks, a hardware acceleration module for TLS and IPSec, and SIP privacy support - to the existing set of Net-SAFE features in Acme Packet’s Net-Net® products. Overall, Acme Packet’s security capabilities set the industry benchmark for session border controller security functionality.


“The session border controller is in a unique position to defend the service provider’s infrastructure from attack and overload, since it provides the first point of communication and defense at the edge of the network,” declared Seamus Hourihan, Acme Packet’s VP of Product Management & Marketing. “While Acme Packet’s products have always provided advanced security features in many areas, today’s announcements will significantly raise the bar for session border control security services.”


Net-SAFE – the security requirements framework for SBCs


The Net-SAFE framework identifies the requirements that a session border controller must satisfy to protect the SBC itself; to protect the service infrastructure (e.g. SIP servers, softswitches, application servers, media servers or media gateways); and to protect subscriber, enterprise and service provider security, including confidentiality and privacy. Net-SAFE spans seven functional areas, each a collection of more specific requirements:

• Session border controller DoS protection: Autonomic SBC self-protection against malicious and non-malicious DoS attacks and overloads at layer 3/4 (e.g. TCP SYN floods, ICMP floods, IP fragment floods) and layer 5 (e.g. SIP signaling floods, malformed messages). Mandates hardware-enforced fairness, control and throttling for signaling and media.
• Access control: Session-aware access control for signaling and media using static and dynamic permit/deny ACLs at layer 3 and 5.
• Topology hiding and privacy: Complete hiding of the infrastructure topology at all protocol layers, both for confidentiality and to deny attackers reconnaissance, including modification, removal or insertion of call signaling application-layer headers and fields. Privacy support using industry-standard encryption such as TLS and IPSec.
• VPN separation: Support for Virtual Private Networks (VPNs) with full inter-VPN topology hiding and separation, ability to create separate signaling and media-only VPNs, and with optional intra-VPN media hair-pinning to monitor calls within a VPN.
• Service infrastructure DoS prevention: Per-device signaling and media overload control, with deep packet inspection and call rate control to prevent DoS attacks from reaching service infrastructure such as SIP servers, softswitches, application servers, media servers or media gateways.
• Fraud prevention: Session-based authentication, authorization, and contract enforcement for signaling and media; and service theft protection.
• Monitoring and reporting: Audit trails, event logs, access violation logs and traps, management access command recording, Call Detail Records (CDRs) with media performance monitoring, raw packet capture ability and lawful intercept capability.


New Net-SAFE features extend SBC security leadership
Specific new security enhancements in today's announcement are enhanced SBC DoS self-protection against signaling attacks, a hardware acceleration module for TLS and IPSec, and SIP privacy support. Together these features protect the SBC from signaling attacks, prevent infrastructure DoS and overload conditions, and protect subscriber, enterprise and service provider confidentiality and privacy.
Session border controller signaling processor DoS protection

DoS and distributed denial of service (DDoS) attacks are becoming everyday threats for service providers. Attacks on Internet-based services continue to increase in both volume and cost impact, and so does the value of those services to the provider. As usage of real-time IP voice, video and multimedia services grows, they become a more prominent target for attack. In some cases, busy periods and abnormal conditions or events push call signaling rates beyond what the service provider infrastructure can support, producing network conditions similar in effect to a DoS attack even though no attacker is involved.

This new autonomic SBC attack-protection feature defends the signaling processor in the Net-Net product family by exploiting the two-tier network processor/signaling processor hardware architecture common to all Net-Net products. The network processor dynamically classifies, polices, shapes and discards signaling traffic based on session events, using those events to build trust in endpoints or to detect attackers. The result is continued operation under signaling attack, with performance guaranteed by hardware-based filtering and usage enforcement. Features include:

• Network processor-based access control to the signaling processor: dynamic and static permit/deny ACLs, including trust-level classification, at line rate
- Dynamic trust-binding - IP address/port of trusted endpoints
- Dynamic attacker isolation - IP address/port of DoS suspects
• Signaling processor protection
- Trusted and untrusted paths from network processor to signaling processor with configurable bandwidth scheduling and partitioning, providing hardware-based access fairness and SBC overload protection
- Signaling processor path bandwidth policing per session, providing per-session signaling rate enforcement
• Reporting – attacks and overloads
- SNMP traps
- Logging
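The following is an added illustration of the mechanism the feature list above describes (trust-level classification at the network-processor stage, per-source signaling rate policing, dynamic trust-binding on a session event, and dynamic isolation of DoS suspects). It is not Acme Packet code: the rates, burst sizes, violation threshold and the addresses in the constructed traffic are assumptions chosen for the example, not vendor values.

```python
"""Toy model of the signaling-processor DoS protection described above:
per-source trust classification at the network-processor stage, a per-source
token-bucket budget, promotion to 'trusted' on a session event reported by the
signaling processor, and isolation of sources that keep exceeding their
untrusted budget. Added illustration only; rates, burst sizes and the
violation threshold are assumed, not Acme Packet values."""
from dataclasses import dataclass
from enum import Enum


class Trust(Enum):
    UNTRUSTED = "untrusted"   # unknown source: small budget
    TRUSTED = "trusted"       # dynamically trust-bound endpoint: large budget
    DENIED = "denied"         # isolated DoS suspect: dropped before any bucket work


@dataclass
class Bucket:
    """Token bucket: `rate` messages per second, depth `burst`."""
    rate: float
    burst: float
    tokens: float
    last: float

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Source:
    trust: Trust
    bucket: Bucket
    violations: int = 0


class SignalingPolicer:
    # Assumed policy constants (not vendor values).
    UNTRUSTED_RATE, UNTRUSTED_BURST = 2.0, 4.0
    TRUSTED_RATE, TRUSTED_BURST = 20.0, 40.0
    MAX_VIOLATIONS = 3        # rate violations before an untrusted source is isolated

    def __init__(self):
        self.sources = {}         # (ip, port) -> Source: the dynamic ACL
        self.static_deny = set()  # static deny ACL, by IP
        self.events = []          # stands in for the SNMP traps / log lines

    def _source(self, key, now):
        src = self.sources.get(key)
        if src is None:
            src = Source(Trust.UNTRUSTED,
                         Bucket(self.UNTRUSTED_RATE, self.UNTRUSTED_BURST, self.UNTRUSTED_BURST, now))
            self.sources[key] = src
        return src

    def admit(self, ip, port, now):
        """Network-processor decision: may one signaling message from ip:port
        reach the signaling processor at time `now` (seconds)?"""
        if ip in self.static_deny:
            return False
        src = self._source((ip, port), now)
        if src.trust is Trust.DENIED:
            return False
        if src.bucket.allow(now):
            return True
        src.violations += 1
        if src.trust is Trust.UNTRUSTED and src.violations >= self.MAX_VIOLATIONS:
            src.trust = Trust.DENIED
            self.events.append(f"isolated {ip}:{port} after {src.violations} rate violations")
        return False

    def trust_bind(self, ip, port, now):
        """Session event from the signaling processor (for example a successful
        registration): bind ip:port as trusted and give it the larger budget."""
        src = self._source((ip, port), now)
        if src.trust is Trust.DENIED:
            return
        src.trust = Trust.TRUSTED
        src.bucket = Bucket(self.TRUSTED_RATE, self.TRUSTED_BURST, self.TRUSTED_BURST, now)
        src.violations = 0
        self.events.append(f"trust-bound {ip}:{port}")


def run_scenario():
    """Constructed traffic (not captured data): a flood, a bystander and a
    registering phone, all within the same 400 ms."""
    p = SignalingPolicer()
    p.static_deny.add("198.51.100.7")
    t0 = 1000.0
    static = p.admit("198.51.100.7", 5060, t0)
    # 50 INVITEs in 100 ms from one untrusted source.
    attacker = sum(p.admit("10.0.0.9", 5060, t0 + i * 0.002) for i in range(50))
    # Another untrusted phone sends 3 messages during the flood: its own budget.
    bystander = sum(p.admit("192.0.2.20", 5060, t0 + 0.01 + i * 0.01) for i in range(3))
    # A phone registers, is trust-bound, then sends 30 messages at 100/s.
    registered = p.admit("192.0.2.10", 5060, t0)
    p.trust_bind("192.0.2.10", 5060, t0 + 0.05)
    phone = sum(p.admit("192.0.2.10", 5060, t0 + 0.1 + i * 0.01) for i in range(30))
    return {
        "static_denied": not static,
        "attacker_admitted": attacker,
        "attacker_isolated": p.sources[("10.0.0.9", 5060)].trust is Trust.DENIED,
        "bystander_admitted": bystander,
        "phone_admitted": int(registered) + phone,
        "events": p.events,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two properties of the scenario are the ones worth checking in a real deployment: the flood source is cut off after a handful of messages without consuming any further per-packet work (it is denied before its bucket is touched), and the bystander on a separate IP keeps its own budget, so one attacker cannot starve other untrusted endpoints. The trust-bound phone gets the larger budget only after the signaling processor reports the session event, never on the attacker's say-so.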

TLS & IPSec hardware acceleration module
This hardware-based encryption module lets existing Net-Net products maintain the industry's highest call volumes and signaling rates with the lowest possible call setup latency, while providing authentication and privacy between the session border controller and the remote device. The module performs hardware-accelerated encryption and authentication for each signaling session on the public network, while translating the signaling to a lower-overhead transport such as UDP (User Datagram Protocol) on the service provider's private network. The session border controller thereby offloads the per-session encryption and authentication burden from the provider's internal signaling equipment, improving the scalability of the service architecture as a whole. Note that this terminates the encrypted transport at the SBC: signaling between the SBC and the internal servers travels in the clear over UDP, so the private network itself must be protected, for example by the VPN separation described above. Specifically, the add-on hardware module supports TLS, the IETF successor to SSLv3 defined in RFC 2246, and IPSec as defined by its family of IETF RFCs, covering the key exchange protocols, modes, and encryption, authentication and cipher options.

SIP User Privacy

The SIP privacy enhancement, supporting RFCs 3323 and 3325, extends the Net-SAFE privacy functionality by anonymizing caller identity information in SIP signaling messages on a per-user or per-call basis, as instructed by the service provider's SIP infrastructure through the Privacy and P-Asserted-Identity headers those RFCs define. This lets service providers offer a caller privacy service to subscribers concerned about identity theft, spyware monitoring, and eavesdropping by unknown entities.
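As an added example of the privacy-service role that RFCs 3323 and 3325 assign to an element at the trust boundary, which is what the enhancement above describes, the following code applies a Privacy header to an outgoing request. It is not Acme Packet code: the message, the addresses in it and the choice to handle only the "id", "user", "none" and "critical" levels (leaving "header" and "session" to other SBC functions) are assumptions made for the example.

```python
"""Added illustration of the RFC 3323 / RFC 3325 privacy service role the
page attributes to the SBC; not Acme Packet code. A request leaving the
provider's trust domain has its Privacy header honoured: 'id' removes the
P-Asserted-Identity (RFC 3325), 'user' anonymises the From header and strips
identifying headers (RFC 3323), 'critical' makes an unsupported level fatal,
and tokens this service has applied are removed from the Privacy header."""
import re

ANONYMOUS_FROM = '"Anonymous" <sip:anonymous@anonymous.invalid>'
# Headers RFC 3323 lists as revealing the user at the 'user' privacy level.
USER_LEVEL_STRIP = {"call-info", "organization", "reply-to", "subject",
                    "user-agent", "server", "in-reply-to", "warning"}
# RFC 3325 asserted identity, removed only under the 'id' token.
ID_LEVEL_STRIP = {"p-asserted-identity"}
# Levels this toy service implements; 'header' and 'session' (topology and
# media anonymisation) belong to other SBC functions and are left alone here.
SUPPORTED = {"id", "user", "none", "critical"}

# Constructed sample request (not captured traffic): the provider's proxy has
# asserted the caller's number and requested id+user privacy.
SAMPLE_INVITE = (
    "INVITE sip:bob@peer.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice Example\" <sip:alice@provider.example.com>;tag=1928301774\r\n"
    "To: <sip:bob@peer.example.net>\r\n"
    "Call-ID: a84b4c76e66710@10.1.1.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.1.1.5:5060>\r\n"
    "P-Asserted-Identity: \"Alice Example\" <sip:+15551234567@provider.example.com>\r\n"
    "Privacy: id;user\r\n"
    "User-Agent: ConstructedPhone/1.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


class PrivacyError(Exception):
    """Raised when 'critical' is present and a requested level is unsupported;
    a real service answers the request with a 500 response (RFC 3323)."""


def parse_sip(msg):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_sip(start, headers, body):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def get_header(msg, name):
    """First value of header `name` (case-insensitive), or None."""
    for n, v in parse_sip(msg)[1]:
        if n.lower() == name.lower():
            return v
    return None


def anonymize_from(value):
    """Replace the From identity but keep the tag: dialog matching depends on it."""
    m = re.search(r";tag=[^;\s]+", value)
    return ANONYMOUS_FROM + (m.group(0) if m else "")


def apply_privacy(msg, to_trusted_domain=False):
    """Act as the privacy service at the trust boundary. Requests that stay
    inside the trust domain are forwarded untouched (P-Asserted-Identity and
    Privacy intact) so that a downstream trusted element can act instead."""
    start, headers, body = parse_sip(msg)
    if to_trusted_domain:
        return serialize_sip(start, headers, body)
    requested = set()
    for n, v in headers:
        if n.lower() == "privacy":
            requested.update(t.strip().lower() for t in v.split(";") if t.strip())
    if not requested or "none" in requested:
        return serialize_sip(start, headers, body)   # nothing to apply
    unsupported = requested - SUPPORTED
    if unsupported and "critical" in requested:
        raise PrivacyError(f"cannot honour critical privacy level(s): {sorted(unsupported)}")

    strip = set()
    if "id" in requested:
        strip |= ID_LEVEL_STRIP
    if "user" in requested:
        strip |= USER_LEVEL_STRIP
    remaining = ";".join(sorted(unsupported))   # tokens left for another privacy service
    out, privacy_written = [], False
    for n, v in headers:
        key = n.lower()
        if key in strip:
            continue
        if key == "privacy":
            # Drop the tokens applied here; keep the rest, or the whole header goes.
            if remaining and not privacy_written:
                out.append((n, remaining))
                privacy_written = True
            continue
        if key == "from" and "user" in requested:
            v = anonymize_from(v)
        out.append((n, v))
    return serialize_sip(start, out, body)


if __name__ == "__main__":
    print(apply_privacy(SAMPLE_INVITE))
```

Running it on the constructed INVITE removes P-Asserted-Identity and User-Agent, rewrites From to the anonymous identity while keeping its tag, and drops the Privacy header because every requested token was handled. With "Privacy: header;id" only the "id" part is applied and "Privacy: header" is passed on for whichever element does topology hiding; with "Privacy: header;critical" the request is refused rather than forwarded with privacy partly unmet, which is the failure mode a deployment test should exercise.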


About Acme Packet
Acme Packet, the leader in session border control, enables service providers to deliver premium, interactive communications - voice, video and multimedia sessions - across IP network borders. Our Net-Net family has been selected by 9 of the top 10, and 16 of the top 25 service providers in the world to satisfy critical security, service assurance and law enforcement requirements in wireline, cable and wireless networks. These deployments support all applications - from trunking to hosted enterprise and residential services; all protocols – SIP, H.323, MGCP/NCS and H.248; and all border points - peering, access network and data center.
For more information, contact us at +1 781.328.4400, or visit www.acmepacket.com.
