Covergence Session Manager Security Architecture

The Covergence Session Manager provides complete DoS attack and intrusion protection capability through an architecture designed to provide total security for all SIP applications without sacrificing system or application performance. The important features of this security architecture are described below.


DoS Attack Detection and Prevention

Brute force DoS attacks are based on the exhaustion of the computing or communications resources of the system or network under attack. In a SIP environment, DoS attacks can occur either at the transport level (TCP connection - or “SYN” - floods, for example) and/or at the application level (“REGISTER” or “INVITE” floods, for example). They can exploit either the signaling channel or the media channel. If left unprotected, critical SIP based business systems can be rendered unusable for both internal and external communications by denial of service attacks.


The CSM includes multi-level DoS attack detection and mitigation technology that protects SIP based applications and systems from brute force denial of service attacks. The DoS protection system stores short-term connection activity records in a real-time database, analyzes the data on a continuous basis and looks for patterns of abnormal connection activity, such as an abnormally high number of new connections that all share common network, session or application level attributes. When the system detects a denial of service attack, it takes an administratively defined action. The action can be passive, such as generating a management event (alerting), or active, such as denying system resources to connections that match the DoS connection profile for an administratively defined (blocking) period. The Covergence DoS attack detection and mitigation technology shields SIP based business systems from brute force denial of service attacks that would otherwise disable them.


The CSM also protects against distributed DoS or dynamic automated attacks. These attacks occur when a network address or IP port is dynamically altered to fool the system into believing the data is from multiple sources. The CXC protects against dynamic attacks using configurable thresholds on any combination of transport or SIP packet conditions. Using these capabilities, administrators can tailor the system to recognize these types of dynamic attacks without affecting legitimate traffic.
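The detection loop described in the two paragraphs above (a short-term record of connection activity, continuous analysis for an abnormal number of new connections that share common attributes, and an administratively chosen alert or timed block), as an added Python example that is not Covergence code. The record fields, the policy shape and the thresholds are constructed assumptions. The second policy shows the point of the distributed-attack paragraph: profiling on a combination of SIP conditions (method and From user) rather than on the source address catches a flood whose source address or port changes on every packet.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class ConnRecord:
    """One observed new connection or first request (constructed record shape, not a real log format)."""
    ts: float          # seconds since epoch
    src_ip: str
    src_port: int
    transport: str     # "udp" or "tcp"
    method: str        # SIP method of the first request
    user: str          # user part of the From URI


@dataclass(frozen=True)
class Policy:
    attrs: Tuple[str, ...]   # ConnRecord attributes that define a connection profile
    window: float            # seconds of history examined
    threshold: int           # more matching records than this inside the window is abnormal
    block_for: float         # seconds to deny resources to the matching profile; 0 means alert only


class DosDetector:
    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies
        self.history: Deque[ConnRecord] = deque()                 # the short-term activity database
        self.blocks: Dict[Tuple[int, tuple], float] = {}          # (policy index, profile) -> block expiry
        self.events: List[Tuple[float, Tuple[str, ...], tuple, int]] = []   # management events raised

    @staticmethod
    def profile(rec: ConnRecord, policy: Policy) -> tuple:
        return tuple(getattr(rec, a) for a in policy.attrs)

    def observe(self, rec: ConnRecord) -> str:
        """Store one record, analyze the window, and return "allow", "alert" or "block"."""
        now = rec.ts
        horizon = now - max(p.window for p in self.policies)
        while self.history and self.history[0].ts < horizon:       # age out old activity
            self.history.popleft()
        for key in [k for k, exp in self.blocks.items() if exp <= now]:
            del self.blocks[key]                                     # blocking period is over
        self.history.append(rec)

        # A profile already inside its blocking period is denied without further analysis.
        for i, p in enumerate(self.policies):
            if (i, self.profile(rec, p)) in self.blocks:
                return "block"

        decision = "allow"
        for i, p in enumerate(self.policies):
            prof = self.profile(rec, p)
            count = sum(1 for r in self.history
                        if r.ts >= now - p.window and self.profile(r, p) == prof)
            if count > p.threshold:
                self.events.append((now, p.attrs, prof, count))
                if p.block_for > 0:
                    self.blocks[(i, prof)] = now + p.block_for
                    decision = "block"
                elif decision == "allow":
                    decision = "alert"
        return decision


# Constructed policies: a per-source REGISTER flood is blocked after 20 in one second; a flood
# that keeps changing its source address but targets one account is caught by the second profile.
DEFAULT_POLICIES = [
    Policy(attrs=("src_ip", "method"), window=1.0, threshold=20, block_for=60.0),
    Policy(attrs=("method", "user"), window=1.0, threshold=50, block_for=60.0),
]


def simulate(policies: List[Policy], records: List[ConnRecord]) -> List[str]:
    detector = DosDetector(policies)
    return [detector.observe(r) for r in records]


if __name__ == "__main__":
    flood = [ConnRecord(i * 0.01, "10.0.0.5", 40000 + i, "udp", "REGISTER", "alice") for i in range(25)]
    print(simulate(DEFAULT_POLICIES, flood))           # 20 x allow, then block
    rotating = [ConnRecord(i * 0.01, f"10.0.{i // 250}.{i % 250}", 5060, "udp", "REGISTER", "bob")
                for i in range(60)]
    print(simulate(DEFAULT_POLICIES, rotating))        # 50 x allow, then block
```

The block returns "block" for the remainder of the blocking period without re-counting, so a sustained flood costs the detector one dictionary lookup per packet once it has been recognized; the alert-only variant (block_for of 0) keeps admitting traffic and only records a management event.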


Intrusion and Attack Prevention

Covergence features such as cryptographic authentication, signaling and media encryption, signaling and media validation, and virus scanning deliver the application-level security required to extend SIP based applications across network and organizational boundaries while protecting the infrastructure from intrusion and attack.


Cryptographic Authentication

One of the most powerful methods for ensuring security at network boundaries is controlling access to the network based on the authenticated identity of the user. The SIP protocol includes standard methods (such as Digest, TLS and S/MIME) for cryptographic authentication, and SIP vendors have implemented their own proprietary extensions that use alternative authentication techniques (such as Kerberos and NTLM). In addition, the definition of standard mechanisms for cryptographic authentication in a cross-domain context is an area of active discussion and development within the IETF. The Covergence solution provides comprehensive support for identity based access control at network boundaries using standard, vendor-specific and emerging (pre-standard) authentication techniques. Using Covergence’s policy based management system, network security administrators can implement identity based access control policies that restrict access to users who can prove their identity cryptographically. Access control policies can be defined at the user, group, role, organization and/or domain level, and can be applied within and/or between SIP administrative domains. The enforcement of access control policies based on authenticated identity protects corporate assets from unauthorized access and prevents a wide range of intrusions and attacks.
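Identity based access control at a boundary, as an added Python example that is not Covergence code: SIP Digest authentication as defined in RFC 3261 and RFC 2617 (H(A1), H(A2) and the qop=auth response), a server-side check that fails closed on an unknown realm, an unknown or reused nonce, an unknown user or a wrong response, and a user- and domain-level allow policy applied only to an identity that was proven cryptographically. The nonce bookkeeping, the credential store (which holds H(A1) rather than passwords) and the policy shape are constructed assumptions; the sample credentials are invented.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Set


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1_for(username: str, realm: str, password: str) -> str:
    """H(A1) as RFC 2617 defines it; a server stores this instead of the clear-text password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, qop: Optional[str] = None,
                    nc: Optional[str] = None, cnonce: Optional[str] = None) -> str:
    """The Digest response value; with qop=auth it also binds the client nonce and nonce count."""
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> Dict[str, str]:
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only the Digest scheme is handled here")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def build_authorization(username: str, realm: str, password: str, method: str, uri: str,
                        nonce: str, cnonce: Optional[str] = None) -> str:
    """Client side of the exchange; used here only to construct sample input."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1_for(username, realm, password), method, uri, nonce, "auth", "00000001", cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'response="{resp}", qop=auth, nc=00000001, cnonce="{cnonce}", algorithm=MD5')


class SipAuthenticator:
    def __init__(self, realm: str, ha1_store: Dict[str, str]) -> None:
        self.realm = realm
        self.ha1_store = ha1_store          # username -> H(A1)
        self.live_nonces: Set[str] = set()  # nonces issued in challenges and not yet consumed

    def challenge_nonce(self) -> str:
        """Nonce to place in a 401/407 challenge; remembered so it can be accepted only once."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def authenticate(self, method: str, header: str) -> Optional[str]:
        """Return the proven identity (user@realm) or None; every failure branch fails closed."""
        try:
            p = parse_authorization(header)
        except ValueError:
            return None
        if p.get("realm") != self.realm or p.get("nonce") not in self.live_nonces:
            return None                      # wrong realm, never-issued nonce, or a replayed nonce
        ha1 = self.ha1_store.get(p.get("username", ""))
        if ha1 is None:
            return None
        expected = digest_response(ha1, method, p.get("uri", ""), p["nonce"],
                                   p.get("qop"), p.get("nc"), p.get("cnonce"))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return None
        self.live_nonces.discard(p["nonce"])  # single use: the same header cannot be presented again
        return f"{p['username']}@{self.realm}"


def access_allowed(identity: Optional[str], policy: Dict[str, Set[str]]) -> bool:
    """User- and domain-level allow policy applied to an authenticated identity (constructed policy shape)."""
    if identity is None:
        return False
    _, _, domain = identity.rpartition("@")
    return identity in policy.get("users", set()) or domain in policy.get("domains", set())
```

The method is part of H(A2), so a response computed for an INVITE cannot be reused to authorize a REGISTER, and the nonce set makes a captured Authorization header worthless after its first use; `hmac.compare_digest` keeps the response comparison constant-time.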


Signaling and Media Encryption

Encryption is another important technique for ensuring the security of corporate communications and preventing intrusions and attacks. This is especially true for the SIP protocol, where sensitive signaling and media information is often transported over the network in “clear” (unencrypted) format. Although an asset from a product development and debugging perspective, this represents a major vulnerability from a security perspective, as there is a large class of attacks that are based on the visibility and mutability of signaling and media information. For example, if an attacker has access to the unencrypted signaling stream associated with a SIP based voice conversation, the attacker can easily disrupt (terminate) the conversation by assuming (“spoofing”) the IP address of one of the participants and sending a session termination (“BYE”) message to the other participant. Similarly, if the media stream associated with the audio call is unencrypted, the attacker can eavesdrop on the conversation and/or inject unauthorized information into the audio stream.


The Covergence solution provides complete support for mid-stream signaling and media encryption using a variety of end-to-end and hop-by-hop cryptography techniques such as the Transport Layer Security (TLS) protocol and Secure Real-time Transport Protocol (SRTP). These features enable network security administrators to enforce signaling and media encryption policies that protect the enterprise from a wide variety of attacks and ensure the confidentiality, authenticity and integrity of SIP based communications.


Signaling and Media Validation

Many exploits and attacks are based on the presentation of invalid signaling and/or media information to the system or network under attack. For example, the injection of malicious, invalid signaling information is the basis for most “buffer overflow” attacks, which enable an attacker to execute unauthorized software on the target system and thereby gain control of (compromise) it. SIP also makes it very easy to construct malicious, cooperating SIP user agents (end systems) that exploit the independence of the signaling and media streams to consume unauthorized network resources (such as bandwidth) by, for example, signaling for a low bandwidth (e.g. compressed audio) connection and then setting up a high bandwidth (e.g. full motion video) connection.


The architecture of the Covergence solution enables it to support both syntactic (non-stateful) and semantic (stateful) validation of the signaling and media streams that traverse it. As signaling messages enter the system, the signaling proxy fully parses, inspects and validates every message independently and in the context of its enclosing transaction or dialog, and rejects messages that appear invalid, malicious, illegal or unexpected (out of context). The media proxy ensures that the media sessions actually set up by the user agents correspond to the sessions that were negotiated during the associated signaling dialog and permitted by applicable media control policies. These signaling and media validation features protect the corporate SIP infrastructure from a wide range of attacks and prevent the unauthorized or fraudulent consumption of valuable network resources such as bandwidth.
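The two kinds of validation described above, as an added Python example that is not Covergence code: a strict stateless parser that rejects malformed, oversized or internally inconsistent requests before anything acts on them (the syntactic check), a small dialog table so that a BYE or ACK for a dialog the proxy never saw is refused as out of context (the semantic check), and a media check that an observed flow matches the port, media type and bandwidth negotiated in the INVITE offer, with an optional requirement that the offer used SRTP, which ties in the encryption policy of the previous section. The size limits, the method list, the sample INVITE and the shape of the observed-flow record are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed limits and method list; a real proxy takes these from its configuration.
MAX_HEADER_LEN, MAX_BODY_LEN = 1024, 8192
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "SUBSCRIBE", "NOTIFY", "MESSAGE"}
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")

class SipValidationError(ValueError):
    """The message failed syntactic or semantic validation and must be rejected."""

def parse_request(raw: bytes) -> dict:
    """Syntactic (stateless) validation: parse the whole message strictly before any part is used."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or len(body) > MAX_BODY_LEN:
        raise SipValidationError("missing end-of-headers or oversized body")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise SipValidationError("non-ASCII bytes in headers") from None
    m = re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", lines[0])
    if not m or m.group(1) not in KNOWN_METHODS:
        raise SipValidationError(f"bad request line {lines[0][:40]!r}")
    method, headers = m.group(1), {}
    for line in lines[1:]:
        # Folded continuation lines and nameless values are rejected rather than guessed at.
        hm = re.fullmatch(r"([A-Za-z][A-Za-z0-9-]*):\s*(.*)", line)
        if not hm or len(hm.group(2)) > MAX_HEADER_LEN:
            raise SipValidationError(f"malformed or oversized header line {line[:40]!r}")
        headers.setdefault(hm.group(1).lower(), []).append(hm.group(2).strip())
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        raise SipValidationError(f"missing headers: {missing}")
    cm = re.fullmatch(r"\d+ ([A-Z]+)", headers["cseq"][0])
    if not cm or cm.group(1) != method:
        raise SipValidationError("CSeq method does not match request method")
    mf, cl = headers["max-forwards"][0], headers.get("content-length", [str(len(body))])[0]
    if not mf.isdigit() or int(mf) > 255:
        raise SipValidationError("Max-Forwards out of range")
    if not cl.isdigit() or int(cl) != len(body):
        raise SipValidationError("Content-Length disagrees with the body")
    return {"method": method, "uri": m.group(2), "headers": headers, "body": body}

def is_valid(raw: bytes) -> bool:
    try:
        parse_request(raw)
        return True
    except SipValidationError:
        return False

def parse_sdp_media(sdp: str) -> List[dict]:
    """Collect each m= line together with the b=AS: bandwidth (kbps) declared after it."""
    media: List[dict] = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) < 4 or not parts[1].isdigit():
                raise SipValidationError(f"malformed media line {line[:40]!r}")
            media.append({"type": parts[0], "port": int(parts[1]), "proto": parts[2], "kbps": None})
        elif line.startswith("b=AS:") and media and line[5:].isdigit():
            media[-1]["kbps"] = int(line[5:])
    return media

class DialogTracker:
    """Semantic (stateful) validation: in-dialog requests must refer to a dialog this proxy saw created."""
    def __init__(self) -> None:
        self.dialogs: Dict[str, List[dict]] = {}   # Call-ID -> media negotiated in the INVITE offer

    def admit(self, msg: dict) -> None:
        call_id = msg["headers"]["call-id"][0]
        if msg["method"] == "INVITE":
            self.dialogs[call_id] = parse_sdp_media(msg["body"].decode("ascii", errors="replace"))
        elif msg["method"] in ("ACK", "BYE"):
            if call_id not in self.dialogs:
                raise SipValidationError(f"{msg['method']} outside any known dialog")
            if msg["method"] == "BYE":
                del self.dialogs[call_id]

def media_permitted(negotiated: List[dict], flow: dict, require_srtp: bool = False) -> Tuple[bool, str]:
    """Compare an observed flow {"type", "port", "kbps"} with what the dialog negotiated."""
    for m in negotiated:
        if m["port"] != flow["port"]:
            continue
        if m["type"] != flow["type"]:
            return False, f"{flow['type']} sent on a port negotiated for {m['type']}"
        if require_srtp and m["proto"] != "RTP/SAVP":
            return False, "media was not negotiated as SRTP"
        if m["kbps"] is not None and flow["kbps"] > m["kbps"]:
            return False, f"{flow['kbps']} kbps exceeds the negotiated {m['kbps']} kbps"
        return True, "flow matches the negotiated session"
    return False, "no media was negotiated on this port"

def build_request(method: str, uri: str, headers: Dict[str, str], body: bytes = b"") -> bytes:
    """Assemble a request; used here only to construct sample input."""
    lines = [f"{method} {uri} SIP/2.0"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + f"\r\nContent-Length: {len(body)}\r\n\r\n").encode("ascii") + body

# Constructed sample: an INVITE offering a single 64 kbps audio stream.
SAMPLE_SDP = b"v=0\r\no=alice 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\nb=AS:64\r\n"
SAMPLE_HEADERS = {"Via": "SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776", "From": "<sip:alice@example.com>;tag=1928301774",
                  "To": "<sip:bob@example.com>", "Call-ID": "a84b4c76e66710@10.0.0.5", "CSeq": "314159 INVITE", "Max-Forwards": "70"}
```

The parser never touches a header value before the whole message has been bounded and decoded, which is the property that keeps a hostile message from steering the parser; the dialog table and the media comparison are what turn the "negotiate compressed audio, then send full motion video" case from the previous paragraph into a rejected flow rather than free bandwidth.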


Virus Scanning

One of the strengths of SIP is that it can support multiple modes of communication simultaneously. For example, two users who are engaged in an instant messaging conversation can also transfer files to each other. Although the contextual transfer of files is a valuable capability from a collaboration perspective, it represents a problem from a security perspective, as SIP based file transfers will bypass corporate gateway and server based email virus scanning systems. This problem is further complicated by the fact that most implementations of SIP based file transfer use the media channel, rather than the signaling channel, to transport the data, thus causing it to bypass SIP signaling proxies and servers.


The Covergence solution includes an optional virus scanning capability for SIP based file transfers. The virus scanning feature can be used to block, disinfect or quarantine infected files that are transferred in either the signaling or the media channel, and includes periodic, automatic updates to the virus signature database. This feature enables enterprises to permit SIP based file transfers without compromising security.