Munir B. Sayyad et. al. / International Journal of Engineering Science and Technology Vol. 2(10), 2010, 5765-5769

NOVEL APPROACH TO RESOLVE NETWORK SECURITY ISSUES IN IPPBX IN CONVERGED ARCHITECTURE

MUNIR B. SAYYAD
Reliance Technology Innovation Labs, Reliance Communication, Navi Mumbai-400710, Maharashtra, India

NILESH NIKAM
Reliance Technology Innovation Labs, Reliance Communication, Navi Mumbai-400710, Maharashtra, India

S.L NALBALWAR
Dr. B.A.T. University, Lonere, Mangaon, District: Raigad-402103, Maharashtra, India.

Abstract: This paper aims to examine the security issues in the IP-PBX (IP Private Branch Exchange). The traces are taken in a live environment using a Vendor ‘X’ CDMA MSC. Traces are also taken at the SBC (Session Border Controller). PBX services can be provided over IP via a SIP (Session Initiation Protocol) trunk provided by the network operator. The SIP trunk is connected to a switch, i.e. the MSC. Thus IP connectivity is available at the IP-PBX end. Calls can now be originated from the IP-PBX and terminated on a mobile handset registered with the MSC. The problem arises when a dummy/blank/fake CLI (caller line identification) is configured at the IP-PBX. As the MSC only performs routing based on the called party number, such calls with a fake CLI pass through the MSC without any intervention. So the called party and even the MSC are unaware of the real number of the calling party. A similar security issue arises when the IP-PBX sends dummy IP addresses for the IP phones connected to it. Thus a conflict of IP addresses and/or called party numbers creates a major security concern. These are important issues when interfacing IP with a traditional wireline or wireless network. Such a security issue can be resolved by registering the IP-PBX and its extension numbers with the MSC. This paper describes the probable methods to resolve the above issues.

Keywords: IP-PBX, VoIP, Signaling protocol, SIP.

1. Introduction

An IP (Internet Protocol) PBX (Private Branch Exchange) is a business telephone system designed to deliver voice or video over a data network and interoperate with the normal Public Switched Telephone Network (PSTN).

VoIP (Voice over Internet Protocol) gateways can be combined with traditional PBX functionality, enabling businesses to use their managed intranet to help reduce long distance expenses and to enjoy the benefits of a single network for voice and data and advanced CTI features, or they can be used on a pure IP system, which in most cases gives greater cost savings, greater mobility, and increased redundancy. An IP-PBX can exist as a hardware object, or virtually, as a software system. Because a major part of IP PBX functionality is provided in software, it is relatively inexpensive and easy to add additional functionality, such as conferencing, XML-RPC control of live calls, Interactive voice response (IVR), TTS/ASR (text to speech/automatic speech recognition), Public switched telephone network (PSTN) interconnection ability supporting both analogue and digital circuits, and Voice over IP protocols including SIP, Inter-Asterisk eXchange, H.323, Jingle (an extension of the XMPP protocol introduced by Google Talk) and others.

ISSN: 0975-5462


2. IP-PBX overview

An increasing number of businesses are realizing the inherent benefits of IP telephony for cost reduction, increased productivity and administrative simplicity, and are therefore adopting IP-PBX solutions for their office requirements. Integrating voice, fax, video, and IP communications, the IP-PBX provides structured and intelligent applications that help organizations integrate their communications with their business policies and practices. The IP-PBX solution, which connects the TDM world with the world of IP, offers a wealth of trunk (PRI, FXO) and phone (FXS) interfaces. The IP-PBX also supports the leading IP protocols such as SIP and MGCP, thus providing:

- The modular architecture allows “pay-as-you-grow”, which lowers the enterprise's initial investment
- Choice of SIP compliant devices including phones, soft phones, video phones and other specialized SIP terminals
- Significantly lower long distance and international communications costs by using SIP trunks
- Fully distributed architecture enables one system image across multiple servers and locations
- Out of the box applications: Unified Messaging, IVR, Distributed ACD, Voice Conferencing and more
- Simple and intuitive management of multiple sites as a single system
- Much easier to install & configure than a proprietary phone system
- Easier to manage because of web based configuration interface
- No need for separate phone wiring
- Allows users to hot plug their phone anywhere in the office - users simply take their phone, plug it into the nearest Ethernet port and keep their existing number!
- Allows easy roaming - calls can be diverted anywhere in the world because of the SIP protocol characteristics
- Significant cost reduction by leveraging Internet
- SIP standard eliminates proprietary, expensive phones
- Scalable
- Better reporting
- Better overview of system status and calls

3. IP-PBX System Architecture

Fig. 1 shows the detailed network setup used during the test. The IP-PBX is connected to the internet via an internet service provider (ISP). Here a session border controller (SBC) is used to hide the network topology of the telecom network, i.e. the IP addresses of internal elements such as the mobile switching centre (MSC).

SIP connectivity is provided between the MSC and the SBC. Here the IP-PBX acts as an individual network element, whereas the SIP phones connected to the IP-PBX are end users. The SIP trunk has been assigned the number 02230800800 as a pilot number. So when a mobile subscriber calls this pilot number 02230800800, the MSC routes the call towards the IP-PBX over the SIP trunk. Similar routing is configured at the MSC end to route calls for SIP extension numbers. Thus both incoming and outgoing calls are possible.

[Figure: network diagram with elements labelled Cellphone, BTS, MSC, SBC, SIP trunk, Internet, IP PBX, SIP Phone, Gateway and PSTN.]

Fig. 1. Practical set up of interfacing IP-PBX with MSC through SBC.


Fig. 2 shows the SIP call flow in which a call is originated from the IP-PBX to a mobile number registered with the MSC. Here the SBC has two different interfaces: an external one for the public network and an internal one for the private network.

[Figure: SIP ladder diagram. Nodes: IP-PBX (202.217.50.166), SBC External (97.253.50.126), SBC Internal (192.168.50.199), MSC (192.168.50.5). Messages shown: Invite, 100 Trying, 180 Ringing, 200 Ok, ACK, RTP, Bye, 200 Ok.]

Fig. 2. SIP call flow for a call originated from IP-PBX and terminating on cell phone

4. Network Security Issues

In today’s telecom network, the calling party and called party numbers are part of the call detail record (CDR) and are used for billing. An IP-PBX can assign any number (calling party number) to the SIP phones connected to it. Security is therefore violated if the IP-PBX assigns a dummy caller line identification (CLI) to an outgoing call. As the MSC has no other way to learn the real number of the extension, it has to trust the CLI provided by the IP-PBX. If the IP-PBX and the MSC are under the control of the same operator, the operator can configure the IP-PBX itself and maintain security. But, depending on business requirements, it is not always possible for the operator to have control over the IP-PBX. A similar security violation is observed when the IP-PBX operator configures fake IP addresses for extensions. Thus prohibiting the configuration of a fake or dummy CLI or IP address at the IP-PBX is a major task for the operator. Provision should be made so that the MSC rejects such unauthenticated calls originated from the IP-PBX.

Consider a practical real-time test scenario in which a call is originated from the IP-PBX (IP: 202.217.50.166), whose real assigned number is “02230800800”, to the cell phone 9393939393. We configured a dummy CLI, “611”, at the IP-PBX, as shown in the SIP INVITE message. The CLI displayed on the cell phone is therefore “611”, which is actually a dummy CLI. Thus the CLI or IP addresses can be changed at the IP-PBX.

Fig. 3. A part of SIP invite message originated from IP-PBX and terminating on cell phone having dummy CLI as 611


5. Prevention of Security Violation

Blocking such calls with a dummy CLI or IP address is the main purpose of the solutions proposed.

5.1. Solution [I]: Authentication at MSC.

It is always better to maintain a mapping table of IP addresses and their assigned subscriber numbers (CLI) at the MSC end. If a call comes from the IP-PBX with an IP address and CLI that do not match the entries in the MSC's mapping table, the call is rejected. This authenticates both the IP address and the assigned CLI number. Only authenticated calls are allowed. A sample mapping table is shown below.

Table 1. Mapping table at MSC end.

IP address        Assigned CLI number
202.217.50.166    02230800800
202.217.50.167    02230800801
202.217.50.168    02230800802
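The mapping-table check of Solution [I], written out in Python as an added example (it is not code from the paper or from any MSC or SBC product). It assumes the CLI is the user part of the From URI and that the peer address is taken from the transport connection; the function names and the abridged sample INVITE are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Table 1 of the paper: IP-PBX address -> CLI assigned by the operator.
MAPPING_TABLE = {
    "202.217.50.166": "02230800800",
    "202.217.50.167": "02230800801",
    "202.217.50.168": "02230800802",
}
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted display name
_URI_USER = re.compile(r"(?:sips?|tel):([^@;>\s]+)", re.IGNORECASE)


def extract_cli(invite: str) -> Optional[str]:
    """Return the user part of the From URI, or None if there is none."""
    head = invite.split("\r\n\r\n", 1)[0]  # ignore any SDP body
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("from", "f"):  # "f" = compact form
            # Drop the free-text display name so it cannot pose as the URI.
            match = _URI_USER.search(_QUOTED.sub("", value))
            return match.group(1) if match else None
    return None


def authenticate_call(peer_ip: str, invite: str) -> Tuple[bool, str]:
    """Accept only if (peer_ip, CLI) is a row of the mapping table.

    Assumption: peer_ip is the address seen on the transport connection,
    not a value read from the message, which the IP-PBX fully controls.
    """
    assigned = MAPPING_TABLE.get(peer_ip)
    if assigned is None:
        return False, "reject: IP address not in mapping table"
    cli = extract_cli(invite)
    if cli != assigned:
        return False, f"reject: CLI {cli!r} not assigned to {peer_ip}"
    return True, "accept"


def build_invite(cli: str, pbx_ip: str = "202.217.50.166") -> str:
    """Constructed, abridged sample INVITE (not the trace of Fig. 3)."""
    return (
        "INVITE sip:9393939393@97.253.50.126 SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {pbx_ip}:5060;branch=z9hG4bK-constructed\r\n"
        f'From: "{cli}" <sip:{cli}@{pbx_ip}>;tag=constructed\r\n'
        "To: <sip:9393939393@97.253.50.126>\r\n"
        "Call-ID: constructed@example.invalid\r\nCSeq: 1 INVITE\r\n"
        "Content-Length: 0\r\n\r\n"
    )
```

With the dummy CLI "611" of the test scenario, `authenticate_call("202.217.50.166", build_invite("611"))` rejects the call, while the same peer presenting 02230800800 is accepted.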

5.2. Solution [II]: Use of IP PBX server

In this case the IP PBX system consists of one or more SIP phones / VoIP phones, an IP PBX server and, optionally, a VoIP gateway. The IP PBX server is similar to a proxy server. SIP clients, being either soft phones or hardware-based phones, register with the IP PBX server, and when they wish to make a call they ask the IP PBX to establish the connection. The IP PBX has a directory of all phones/users and their corresponding SIP addresses and is thus able to connect an internal call or route an external call via either a VoIP gateway or a VoIP service provider.

Here the IP-PBX server is a separate network element under the control of the network operator; it takes care of registering IP-PBX extensions and of mapping CLIs to IP addresses.

[Figure: network diagram with elements labelled BTS, MSC, SBC, SIP trunk, Internet, Gateway, PSTN, IP-PBX server and two IP-PBXs.]

Fig. 4. IP-PBX server as a separate network element for managing IP-PBXs

6. Conclusion

With the help of a strong authentication system, it is possible to prevent fraud and fake use of network resources at the very first stage. Authentication plays a major role in the security of the IP-PBX, as only authenticated users can access the resources. Implementing the authentication system at the gateway level could be a better option, as it would also protect against other attacks. It is hoped that this methodology for preventing security violations of the IP-PBX, currently under construction, will help to develop more sophisticated systems for safeguarding telecommunications networks.