Power Sec MLP
Power Sec MLP
The PowerSec Concept- Multi-Layered Protection (MLP)
In a complex network, there are large numbers of potential vulnerabilities and attack
targets. The Usage of VoIP technology and growth of Cyber-attacks against infrastructure
exposes the enterprise to new type of threats. Hackers may try to put the Soft-switch or IP-PBX in a Denial of Service (DoS) position. Peer-to-Peer oriented protocols such as SIP, RTP and RTCP can be used to inject malicious programs such as Worms, Trojan horses and Zombie programs. In many cases unauthorized users may try to use the enterprise infrastructure to establish free long distance or international calls. By intercepting the VoIP protocols (signaling and Media) hackers can study the customer network topology, expose private information and violate the customer’s privacy and confidentiality. Eavesdropping can be implemented by different freeware tools, such as Wireshark, and expose the enterprise to more risks and privacy violation. VoIP Systems are used by hackers as Back-door access to the enterprise network. Packet spoofing (application layer) can be implemented for impersonating a legitimate user sending data.
There are five security criteria that the enterprise should comply with:
Authentications, Confidentiality, Privacy, Authorization and Integrity.
In order to comply with the 5 security criteria and overcome the challenges, SEGURO presents the concept of Multi-Layered Protection (MLP). The concept of MLP is based on Application based Hierarchical approach to securing the Enterprise network. SEGURO PowerSec presents a powerful Session Border Controller which provides the MLP.
The PowerSec consists of several modules that fulfill the MLP:
1. Fields manipulation at the IP, UDP and TCP layers and manipulation at the application layer of the SIP and the Session Description Protocol. This is used for NAT Traversal, FW Penetration, and Topology Hiding and to conceal private information.
2. Digest Authentication using MD5 hash function to avoid Impersonation of a legitimate user or server (SIP Client or IP-PBX or SIP Proxy)
3. SIP Signaling Encryption using TLS over TCP and Media Encryption over SRTP – Secured Real Time Transport Protocol. The PowerSec is using Asymmetric algorithm for encryption keys exchange complies with two methods: ZRTP for in-band and SDES for Out of band method. As part of the SRTP the PowerSec is using the Roll over counter to avoid re-play attacks.
4. The PS implement a Deep Packet Inspection procedure for message integrity check and discard malicious programs or altered messages (including viruses, worms, etc.).
5. In order to avoid the “Back-door” attack, a hardening process and penetration tests were conducted to ensure the PowerSec immunity.
6. Since the PS is a crucial system at the enterprise network, it is possible to have two systems in redundant mode for avoiding Single- Point-Of-Failure (SPoF) The PowerSec provides add-on functionalities such as Recording and Playback for encrypted calls, IPV4-to-IPV6 mediator and innovative Reporting module.
Cost/Performance – PowerSec is offered in a competitive price and provides all the required functionalities with high performance for enterprise and ITSP.
Add-on services – The PowerSec of SEGURO is a unique solution which presents embedded RECORDING and Play-back capabilities, Signaling and Media encryption including Internal Firewall.
Processing Delay – PowerSec presents the lowest values of signaling latency due to its special technology and efficiency.
Virtualization – Due to the fact that the PowerSec is a pure software based solution, without the need for dedicated cards or proprietary HW, it can be installed on a standard server in virtual environment with other applications side-by-side.
Redundancy- In order to avoid single-point-of-failure, PowerSec presents robust redundant topology consists of multiple servers (from version 1.6). Most of other solutions are limited to 1+1 redundant topology.