Completely solving the security problems of softswitch devices

Source: Internet
Author: User
Tags: dedicated ip

Softswitch devices are still commonly used, so I studied the security issues of softswitch devices and share them here, hoping they are useful to you. For a new dedicated network, you can plan the bandwidth in advance and use the call count control function of the SS (softswitch) to implement call congestion control on the network.

First, plan in advance the total data bandwidth available to the softswitch service between two sites, then calculate from that bandwidth and the service type (for example, the voice codec in use) the total number S of simultaneous connections the service can support. When a call request arrives at the SS, the SS first checks the current value of S: if S = 0 the new call is rejected; if S > 0 the request is processed, and once the SS has completed the connection it sets S = S - 1 (and restores S = S + 1 when that call is released, otherwise the counter only ever falls). If the data bandwidth between the two sites changes, the SS must be notified so that it can correct the total number of connections.
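The counter logic above, as an added worked example that is not from the original article: the per-call bandwidth is derived from the codec's payload size and packet rate plus IP/UDP/RTP headers and an assumed 38-byte Ethernet framing overhead, the link is assumed full duplex with 10% held back for signaling and management, and the controller keeps S as capacity minus active calls so that a capacity cut below the number of calls already up refuses new calls without tearing existing ones down. All codec figures, the link size and the names are assumptions for illustration.

```python
import threading

# Assumed framing overhead per packet: IPv4 + UDP + RTP headers and 38 bytes of
# Ethernet framing (header, FCS, preamble, inter-frame gap). Adjust for the link.
IP_UDP_RTP_BYTES = 20 + 8 + 12
L2_OVERHEAD_BYTES = 38

# Codec table, assumed values: (payload bytes per packet, packets per second)
# at a 20 ms packetization interval.
CODECS = {
    "G.711": (160, 50),   # 64 kbit/s voice
    "G.729": (20, 50),    # 8 kbit/s voice
}


def bandwidth_per_call_bps(codec: str) -> int:
    """On-the-wire bit rate of one direction of one call."""
    payload, pps = CODECS[codec]
    return (payload + IP_UDP_RTP_BYTES + L2_OVERHEAD_BYTES) * 8 * pps


def max_calls(link_bps: int, codec: str, reserve: float = 0.10) -> int:
    """Simultaneous calls a full-duplex link can carry once `reserve` of the
    link is held back for signaling and management traffic."""
    usable = link_bps - int(link_bps * reserve)
    return usable // bandwidth_per_call_bps(codec)


class CallCountController:
    """The SS-side counter: S = capacity - active call slots."""

    def __init__(self, capacity: int) -> None:
        self._lock = threading.Lock()
        self.capacity = capacity   # total slots the planned bandwidth supports
        self.active = 0            # calls currently admitted

    @property
    def available(self) -> int:
        # Never negative: capacity may have been cut below the calls already up.
        return max(0, self.capacity - self.active)

    def admit(self) -> bool:
        """New call request: reject when S == 0, otherwise S = S - 1."""
        with self._lock:
            if self.capacity - self.active <= 0:
                return False
            self.active += 1
            return True

    def release(self) -> None:
        """An admitted call was torn down: S = S + 1."""
        with self._lock:
            if self.active > 0:
                self.active -= 1

    def update_capacity(self, new_capacity: int) -> None:
        """Bandwidth between the sites changed and the SS was notified. Calls
        already up are kept; new calls are refused until active < capacity."""
        with self._lock:
            self.capacity = max(0, new_capacity)


if __name__ == "__main__":
    link = 10_000_000  # assumed 10 Mbit/s between the two sites
    for codec in CODECS:
        print(codec, bandwidth_per_call_bps(codec), "bit/s per direction,",
              max_calls(link, codec), "calls")
    cac = CallCountController(max_calls(link, "G.729"))
    print("admitted:", cac.admit(), "available:", cac.available)
```

The `update_capacity` behaviour is the part worth copying: when the planned bandwidth is reduced, the controller must not drop calls in progress, but it also must not admit new ones until the active count has fallen below the new total.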

About SS Reliability

For an SS that performs narrowband-domain call control, the active/standby dual-host mode is used. The user data of the controlled users is stored in the HLR and the routing data in the RS (routing server), so once the standby machine is activated it can access that data directly; the gateway resource data used by the SS, however, must be replicated to the standby machine in advance. In this way, SS reliability is achieved by holding redundant resources idle.

The same active/standby dual-host mode can be used for an SS that performs broadband-domain call control, but for higher equipment utilisation multi-host load balancing can be used instead. Each BAC (border access controller, the session border device of the softswitch network) distributes call control messages across n SS devices (for example, all SS in one province can share the load of broadband-domain services). Each SS has its own IP address, but that address is published only to the BAC; when the BAC receives a call request from a SIP user it chooses an SS according to a preset traffic allocation policy (such as round robin). The n SS are functionally identical: each handles the call requests the BAC sends it, queries the common HLR for the user's service attributes and status, queries the RS for the called user's IP address or for the next-hop SS or service platform, and then sets up and controls the call. When one SS fails, the calls it is handling at that moment are affected; subsequent new call requests are handled by the remaining SS, so the network's processing capacity drops by 1/n, but no SS resources have to sit idle as a reserve. The BAC implements this dynamic distribution of call control messages to the SS. It has a protocol parsing function: from the application-protocol parameters (for SIP, the dialog identifiers such as the Call-ID) it recognises which messages belong to the same call and delivers them to the same SS. The reliability of the BAC itself is ensured by multi-host backup.

Signaling gateways, trunk (relay) gateways, large-capacity integrated access gateways, and IADs or small-capacity integrated access gateways deployed in the private network should support configuring a backup SS address locally: when the active SS fails and leaves service, new call requests are sent to the standby SS for processing.

For the SIP users and IAD terminals deployed on the public Internet, only the domain names, never the IP addresses, of the softswitch devices and of the management and application servers they need to reach (such as the IAD network management system and file server) are written into the user-side configuration; resolution through the softswitch network's own DNS returns the address of the corresponding BAC device. On receiving a call request the BAC first identifies the user type (from the protocol type, or from whether the request carries a host name). For an IAD user's call request the BAC directs the call to the active SS according to a preset value; for a SIP user's call request it spreads the calls evenly across the active SS according to the preset policy (such as round robin).
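Dispatch logic of the kind described for the BAC above, as an added example that is not part of the original article or of any vendor's product: non-SIP traffic from IADs (labelled H.248 here) goes to a preset active SS with fallback to its standby; SIP traffic is keyed by Call-ID so that all messages of one call reach the same SS, new calls are spread round robin over the SS still up, and, as the text says, a call whose SS has failed is lost rather than moved. The addresses, the protocol label and the sample INVITE are constructed.

```python
import itertools
import re
from typing import Dict, List, Optional, Set

# Constructed addresses; the SS addresses are known only to the BAC.
BROADBAND_SS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]   # n identical SS, load balanced
IAD_ACTIVE_SS, IAD_STANDBY_SS = "10.0.1.1", "10.0.1.2"  # narrowband-domain active/standby

# Call-ID header, long or compact ("i:") form.
CALL_ID_RE = re.compile(r"^(?:Call-ID|i)\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


class BacDispatcher:
    def __init__(self, ss_addrs: List[str], iad_active: str, iad_standby: str) -> None:
        self.ss = list(ss_addrs)
        self.down: Set[str] = set()                 # SS currently marked faulty
        self._rr = itertools.cycle(self.ss)         # round-robin allocation policy
        self.iad_active, self.iad_standby = iad_active, iad_standby
        self.affinity: Dict[str, str] = {}          # Call-ID -> SS handling that call

    def mark_down(self, addr: str) -> None:
        self.down.add(addr)

    def mark_up(self, addr: str) -> None:
        self.down.discard(addr)

    def _next_alive(self) -> Optional[str]:
        for _ in range(len(self.ss)):
            cand = next(self._rr)
            if cand not in self.down:
                return cand
        return None                                 # every SS is down

    def dispatch(self, protocol: str, text: str) -> Optional[str]:
        """Return the SS that should receive this message, or None to reject it."""
        if protocol != "SIP":
            # IAD traffic (H.248/MGCP): preset active SS, standby once it has failed.
            if self.iad_active not in self.down:
                return self.iad_active
            return None if self.iad_standby in self.down else self.iad_standby
        m = CALL_ID_RE.search(text)
        if not m:
            return None                             # unparseable SIP message
        call_id = m.group(1)
        if call_id in self.affinity:
            ss = self.affinity[call_id]
            # Messages of an existing call stay on their SS; if that SS failed
            # the call is affected (lost) rather than moved to another SS.
            return None if ss in self.down else ss
        ss = self._next_alive()
        if ss is not None:
            self.affinity[call_id] = ss
        return ss

    def call_ended(self, call_id: str) -> None:
        """Drop the affinity entry once the dialog is over (BYE seen)."""
        self.affinity.pop(call_id, None)


def sip_invite(call_id: str, src_ip: str = "203.0.113.10") -> str:
    """Constructed minimal INVITE used as sample input."""
    return (
        "INVITE sip:bob@example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK{call_id[:6]}\r\n"
        "From: <sip:alice@example.net>;tag=1928301774\r\n"
        "To: <sip:bob@example.net>\r\n"
        f"Call-ID: {call_id}\r\n"
        "CSeq: 1 INVITE\r\n\r\n"
    )


if __name__ == "__main__":
    bac = BacDispatcher(BROADBAND_SS, IAD_ACTIVE_SS, IAD_STANDBY_SS)
    print(bac.dispatch("H248", "MEGACO/1 [192.0.2.20]:2944 ..."))  # IAD -> active SS
    print(bac.dispatch("SIP", sip_invite("call-1")))               # first SS
    print(bac.dispatch("SIP", sip_invite("call-2")))               # second SS
    bac.mark_down("10.0.0.12")
    print(bac.dispatch("SIP", sip_invite("call-2")))               # None: its SS failed
    print(bac.dispatch("SIP", sip_invite("call-3")))               # skips the failed SS
```

The affinity table is what makes load balancing safe for a stateful protocol: without it a re-INVITE or BYE could land on an SS that has no state for the dialog. It also has to be cleaned up when the dialog ends, or it grows without bound.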

Solving security problems

First, the softswitch, trunk media gateways, integrated access media gateways and media servers are deployed on a dedicated network. This can be a newly built private network or a virtual private network built with technologies such as MPLS VPN; communication between softswitch devices, and isolation of their traffic from non-softswitch devices, can be achieved by several means. The large number of individual softswitch subscribers and other non-softswitch devices then cannot reach these softswitch network devices directly, which greatly reduces the scope for attacks by Internet users. Because the devices inside the softswitch private network enjoy a high level of trust, attacks from within the private network can largely be avoided through the signaling protocols' own mechanisms (such as authentication) and through device management.

For the IADs and SIP soft and hard terminals used by non-key customers, which are numerous and widely distributed, various access methods are used to converge them quickly onto BAC devices, and only the BAC communicates with the other devices in the private network. The BAC provides signaling and media proxy functions together with security detection and isolation. Because IADs and SIP terminals sit on the user side, they are a major threat to the security of the core softswitch devices, so in this solution the carrier should adopt an operator-managed, user-free configuration model for IADs and SIP terminals: the operator is responsible for configuring all network and user data and for every subsequent update or change, and the user cannot modify the data. On the user side only the domain names of the softswitch devices and of the management and application servers to be reached (such as the IAD network management system and file server) are written, not IP addresses, so that the SS does not expose IP addresses that could be attacked. Encryption and authentication are enabled in the signaling protocol, and the SS regularly re-checks the validity of user identities; this keeps the SS in control of gateways and users and prevents unauthorised users from stealing or disrupting services.

The domain name resolution mechanism together with the full signaling and media proxy function of the BAC device protects the important softswitch network devices by hiding the IP addresses of the softswitch, trunk media gateways, integrated access media gateways and media servers.

The BAC supports an access control list (ACL) function: access control rules based on source and destination IP addresses and port numbers filter packets, and packets can also be filtered by control protocol, blocking access to the softswitch devices from illegal devices and unauthorised protocols. It also provides simple application-layer attack protection, implementing some of the functions of a proxy-type firewall: messages are processed according to the user's registration state, and requests other than registration from unregistered users are discarded; terminals that fail registration authentication are placed on a monitoring list, and when failed registration attempts reach a set frequency appropriate measures are taken; a normal signaling traffic level is set per IP address and port, and when the messages from one source address and port exceed that level within one minute the address/port is blacklisted and dealt with accordingly; and the address of the communicating peer can be hidden according to business, user-security and operational needs.
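The filtering rules in the paragraph above, as an added example that is not the BAC's real implementation: a default-deny ACL keyed on source/destination address, port and protocol, a registration-state gate, a watch list of failed registrations with a blacklist threshold, and a sliding one-minute message-rate limit per source ip:port. The event records, the `auth_ok` field (standing for the outcome the proxy saw in the SS's reply to a REGISTER), and all thresholds and addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

Src = Tuple[str, int]   # (source IP, source port)


@dataclass
class AclRule:
    action: str                   # "permit" or "deny"
    src: str                      # source network (CIDR)
    dst: str                      # destination network (CIDR)
    dport: Optional[int] = None   # destination port, None = any
    proto: Optional[str] = None   # control protocol label, None = any


def acl_permits(rules: List[AclRule], src_ip: str, dst_ip: str, dport: int, proto: str) -> bool:
    """First matching rule decides; no match means deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport) and r.proto in (None, proto)):
            return r.action == "permit"
    return False


class SignalingGuard:
    """Application-layer checks in front of the SS, as listed in the text."""

    def __init__(self, acl: List[AclRule], max_msgs_per_min: int = 120,
                 max_reg_failures: int = 5) -> None:
        self.acl = acl
        self.max_msgs_per_min = max_msgs_per_min
        self.max_reg_failures = max_reg_failures
        self.registered: Set[str] = set()                         # authenticated users
        self.blacklist: Set[Src] = set()                          # blocked ip:port
        self.watch: Dict[Src, int] = defaultdict(int)             # failed-REGISTER monitor list
        self.window: Dict[Src, Deque[float]] = defaultdict(deque)  # recent message times

    def handle(self, ev: dict) -> str:
        """Classify one signaling message as 'forward', 'drop' or 'blacklist'."""
        src: Src = (ev["src_ip"], ev["src_port"])
        if src in self.blacklist:
            return "drop"
        if not acl_permits(self.acl, ev["src_ip"], ev["dst_ip"], ev["dst_port"], ev["proto"]):
            return "drop"
        # Per source ip:port rate limit over a sliding one-minute window.
        q = self.window[src]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] >= 60:
            q.popleft()
        if len(q) > self.max_msgs_per_min:
            self.blacklist.add(src)
            return "blacklist"
        if ev["method"] == "REGISTER":
            # auth_ok: the result the proxy observed in the SS's reply (assumed field).
            if ev["auth_ok"]:
                self.registered.add(ev["user"])
                self.watch.pop(src, None)
                return "forward"
            self.watch[src] += 1
            if self.watch[src] >= self.max_reg_failures:
                self.blacklist.add(src)
                return "blacklist"
            return "forward"         # the SS still answers it; the failure is counted
        # Anything other than REGISTER from an unregistered user is discarded.
        if ev["user"] not in self.registered:
            return "drop"
        return "forward"


def mk(ts: float, src_ip: str, src_port: int, method: str, user: str, auth_ok: bool = True,
       dst_ip: str = "198.51.100.5", dst_port: int = 5060, proto: str = "SIP") -> dict:
    """Constructed event record standing in for one parsed signaling message."""
    return dict(ts=ts, src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
                proto=proto, method=method, user=user, auth_ok=auth_ok)


# Constructed ACL: public SIP users and the IAD subnet may reach the BAC's signaling
# ports; everything else (e.g. SSH aimed at an SS address) is implicitly denied.
ACL = [
    AclRule("permit", "0.0.0.0/0", "198.51.100.5/32", 5060, "SIP"),
    AclRule("permit", "192.0.2.0/24", "198.51.100.5/32", 2944, "H248"),
]


if __name__ == "__main__":
    guard = SignalingGuard(ACL, max_msgs_per_min=10, max_reg_failures=3)
    events = [mk(0, "203.0.113.10", 5060, "REGISTER", "alice"),
              mk(1, "203.0.113.10", 5060, "INVITE", "alice"),
              mk(2, "203.0.113.77", 5060, "INVITE", "mallory")]
    events += [mk(3 + i, "203.0.113.77", 5060, "REGISTER", "mallory", auth_ok=False) for i in range(3)]
    events += [mk(20 + i / 10, "203.0.113.20", 5060, "OPTIONS", "eve") for i in range(11)]
    for ev in events:
        print(ev["ts"], ev["src_ip"], ev["method"], "->", guard.handle(ev))
```

Note the ordering: the rate limit runs before the registration-state check, so a flood from an unregistered source is blacklisted rather than merely dropped one message at a time, and a blacklisted source is refused before any parsing is spent on it.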

For the softswitch network to be secured, each device needs corresponding improvements. For example: support for multiple network segments, provided either as multiple isolated physical ports or as multiple VLANs on one physical port; media ports that are opened and closed dynamically, with the set of open ports kept to a minimum; user-facing services offered through a Web portal so that risk is reduced by proxying the service; and purpose-designed software and hardware platforms for the devices.

Resolution of QoS Problems

Current IP network technology cannot completely solve the QoS problem, and the existing public IP network cannot provide large-scale bearer service with QoS assurance for the softswitch network. This solution uses the dedicated network together with the BAC's full signaling and media proxy function to address QoS to a certain extent.

The private network can be built from leased lines, a private IP network, or MPLS VPN. For MPLS VPN to guarantee QoS, every IP network device along the path must support it, and the current IP network cannot provide QoS end to end. With leased lines or a dedicated IP network, traffic can be forecast and planned and the network organised according to the needs of the softswitch service. Because the network is dedicated, changes in traffic volume and direction are easy to observe during operation and the network can be adjusted in time; combined with the call count control function of the softswitch, this effectively solves the network congestion control problem. When a new private network is built, the QoS capabilities of the network devices can also be considered when they are procured, so that softswitch services of different service levels are differentiated and bandwidth reservation is configured for some of them.

The full proxy device can mark the QoS (for example the DSCP value) of signaling and media differently for different users and services, to assist the subsequent QoS handling by the IP network devices. In future QoS solutions the device could also accept commands from the softswitch or other QoS control devices and, during call establishment, perform different follow-up actions (connect, reject, redirect, change codec) based on the user's QoS requirements and the network's current QoS conditions.

Preventing unauthorized service bypass

By installing SIP communication software on a PC, a SIP soft-terminal user anywhere in the world can reach the carrier's softswitch system over the Internet and make calls. When such a user calls a user in a distant region, the operator collects only the charge for a local call and loses the international or domestic long-distance revenue. In addition, some terminal software can take the peer user's address returned by the SS, stop interacting with the SS, and communicate with the called address directly using other IP phone software, bypassing the operator's addressing so that the operator earns nothing. Both problems can be mitigated to some extent with the BAC. For the first, the terminal holds only a softswitch domain name, which DNS resolves to the BAC (session border controller, SBC) it belongs to; the BAC reports its own IP address and the user's IP address to the softswitch, and the softswitch checks whether the user's IP address is consistent with the IP address of the BAC being used: if it matches the call proceeds, otherwise it is rejected. The premise, of course, is that the SS knows the relationship between IP addresses and regional distribution.

For the second problem, having the BAC device hide the end user's address in both the signaling messages and the media effectively prevents service bypass and also meets the needs of certain services (such as anonymous chat); this feature is recommended for edge service access devices.
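Both anti-bypass measures, as an added example that is not taken from the article: the SS-side region consistency check between the user's address and the BAC that proxied the call (first problem), and the B2BUA-style rewrite in which the BAC replaces the caller's address in Via, Contact, Call-ID and the SDP o=/c=/m= lines with its own signaling and media-relay addresses (second problem). The BAC-to-region map, the address blocks, the relay port and the sample INVITE are constructed.

```python
import ipaddress
import uuid
from typing import Dict, List, Optional

# Constructed topology: the region each BAC serves and the address blocks of each region.
BAC_REGION: Dict[str, str] = {"198.51.100.5": "south", "198.51.100.9": "north"}
REGION_PREFIXES: Dict[str, List[str]] = {
    "south": ["203.0.113.0/24"],
    "north": ["192.0.2.0/24"],
}


def region_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for region, nets in REGION_PREFIXES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return region
    return None


def admit_call(user_ip: str, bac_ip: str) -> bool:
    """SS-side check: the BAC reports its own and the user's address; the call
    proceeds only if the user's address lies in the region that BAC serves."""
    region = BAC_REGION.get(bac_ip)
    return region is not None and region_of(user_ip) == region


def hide_user_address(msg: str, user_ip: str, bac_sig: str, bac_media: str,
                      relay_port: int) -> str:
    """B2BUA-style rewrite of an INVITE before it leaves the BAC toward the callee:
    Via, Contact and Call-ID take the BAC's signaling address and the SDP o=/c=/m=
    lines point at the BAC's media relay, so the callee never learns the caller's IP."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "v"):
            line = f"Via: SIP/2.0/UDP {bac_sig}:5060;branch=z9hG4bK{uuid.uuid4().hex[:16]}"
        elif name in ("contact", "m"):
            line = f"Contact: <sip:{bac_sig}:5060>"
        elif name in ("call-id", "i"):
            line = f"Call-ID: {uuid.uuid4().hex}@{bac_sig}"   # new leg, new dialog id
        elif name in ("content-length", "l"):
            continue                                          # recomputed below
        headers.append(line)
    sdp = []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            line = f"c=IN IP4 {bac_media}"
        elif line.startswith("o="):
            parts = line.split(" ")
            parts[-1] = bac_media                 # originator address
            line = " ".join(parts)
        elif line.startswith("m=audio "):
            parts = line.split(" ")
            parts[1] = str(relay_port)            # relay port allocated on the BAC
            line = " ".join(parts)
        sdp.append(line)
    body = "\r\n".join(sdp).replace(user_ip, bac_media)   # catch a=rtcp: and similar
    headers.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(headers) + "\r\n\r\n" + body


def leaks_address(msg: str, user_ip: str) -> bool:
    """Check run before forwarding: does the caller's address still appear anywhere?"""
    return user_ip in msg


SAMPLE_INVITE = (   # constructed sample input
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.45:5060;branch=z9hG4bK74bf9\r\n"
    "From: <sip:alice@example.net>;tag=9fxced76sl\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: 3848276298220188511@203.0.113.45\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@203.0.113.45:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 203.0.113.45\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.45\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

if __name__ == "__main__":
    print("region check:", admit_call("203.0.113.45", "198.51.100.5"),
          admit_call("192.0.2.7", "198.51.100.5"))
    out = hide_user_address(SAMPLE_INVITE, "203.0.113.45", "198.51.100.5", "198.51.100.6", 30000)
    print("leaks caller address:", leaks_address(out, "203.0.113.45"))
    print(out)
```

Two points a practitioner would check: the Call-ID in the sample carries the caller's host, so rewriting only the SDP would still leak it, which is why the BAC runs a new dialog on the outgoing leg; and the media only stays hidden if the BAC actually relays RTP on the advertised port, since an SDP that points at a relay nobody is listening on simply breaks the call.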

Conclusion

The BAC, an important part of this solution, has had its enterprise equipment specification completed, covering product functions, performance and protocol extensions, and the specification has been submitted for approval to the Communications Standards Association of the Ministry of Information Industry. Equipment manufacturers have recognised the importance of the device and have completed its development.
