
On Monday, July 18, 2011 07:15:53 PM Moses Mungai wrote:
Hello Listers,
*(First of all, apologies for a long email)*
This is mainly meant for the Network or Security Engineers in Telco/ISP environments out there.
I work in a Telco (mainly VoIP) and we are looking to buy Big Fat Firewalls with IDS/IPS features and throughput greater than 40 Gbps.
The reason for this high-performance requirement is that we want to move VoIP traffic (SIP/RTP) behind the Firewalls to be able to do IDS/IPS inspection of this traffic, which is very latency-sensitive.
I have done a lot of research around and have even contacted the 2 most popular Firewall vendors, Cisco/Juniper, but I am NOT too impressed so far...
The highest demands that we have are on the following IDS/IPS functionalities:
1. Block SIP brute force registrations (easy to implement).
2. Ability to detect and block SIP fraud calls (toll fraud) by performing the following deep packet inspection tasks:
   - Setting a threshold of calls per calling number to destination number and blocking calls that exceed this threshold.
   - Alternatively, the VoIP IPS should be able to do the above automatically, e.g. learn calling patterns of numbers automatically and be able to blacklist the offending SRC IP/SIP URI when certain thresholds are reached (and remove this ban after some time).
3. Ability to detect and mitigate IP Telephony SPAM (SPIT).
That said, I have 2 ideas of how to implement the above:
1. *Put everything behind the new Firewalls (but then the FW in question has to have proper IDS/IPS features to automatically detect the above VoIP attacks and block them).*
2. *Install normal Enterprise-class Firewalls (without IDS/IPS) and have a 3rd-party tool, e.g. SNORT, doing this in real time and interacting directly with the FWs to block ongoing attacks on the fly.*
My question is to anyone out there who might have input on how best to implement this: which path would you take, and why?
Your input is highly appreciated!

Take a look at SBCs, e.g. http://acmepacket.com/

Regards
TK
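The threshold-and-ban logic described in items 1 and 2 of the requirements list (count REGISTERs per source IP, count calls per calling number to destination number, blacklist the offender when a threshold is crossed and lift the ban after a while) is small enough to sketch in full. The Python below is an added example written for this page; it is not code from either poster, from Snort, or from any firewall or SBC vendor. The SIP messages are constructed inline, and the thresholds, window length and ban duration are arbitrary assumptions. In a real deployment the packets would come from a capture or a SIP proxy, and each "ban" verdict would be pushed to the firewall as a block rule with the same expiry.

```python
"""Threshold-based SIP abuse detector with time-limited bans (added example).

Models two tasks from the original post: REGISTER brute force (too many
REGISTERs from one source IP per window) and a toll-fraud pattern (too many
INVITEs from one caller to one callee per window). Bans expire on their own.
All thresholds, the window size and the ban duration are assumptions.
"""
from collections import defaultdict, deque
import re

REGISTER_LIMIT = 5      # REGISTERs per source IP per window (assumed)
INVITE_LIMIT = 3        # INVITEs per (caller, callee) pair per window (assumed)
WINDOW = 60.0           # sliding window in seconds (assumed)
BAN_SECONDS = 300.0     # how long a ban lasts (assumed)

_USER_RE = re.compile(r"sip:([^@>;\s]+)")


def parse_sip(raw):
    """Return (method, from_user, to_user) for a SIP request, None for anything else."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    parts = lines[0].split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None                     # responses and junk are not rate-limited here
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()

    def user(name):
        m = _USER_RE.search(headers.get(name, ""))
        return m.group(1) if m else None

    return parts[0], user("from"), user("to")


class SipRateGuard:
    def __init__(self):
        self.registers = defaultdict(deque)   # src_ip -> REGISTER timestamps
        self.invites = defaultdict(deque)     # (caller, callee) -> INVITE timestamps
        self.bans = {}                        # ("ip", addr) or ("user", caller) -> expiry

    def _count(self, table, key, now):
        """Record one event and return how many fall inside the sliding window."""
        q = table[key]
        q.append(now)
        while q and now - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def _expire_bans(self, now):
        for key in [k for k, t in self.bans.items() if t <= now]:
            del self.bans[key]

    def check(self, src_ip, raw, now):
        """Classify one packet: 'allow', 'drop' (already banned) or 'ban' (threshold crossed)."""
        self._expire_bans(now)
        parsed = parse_sip(raw)
        if parsed is None:
            return "allow"
        method, caller, callee = parsed
        if ("ip", src_ip) in self.bans or ("user", caller) in self.bans:
            return "drop"
        if method == "REGISTER":
            if self._count(self.registers, src_ip, now) > REGISTER_LIMIT:
                self.bans[("ip", src_ip)] = now + BAN_SECONDS
                return "ban"
        elif method == "INVITE" and caller and callee:
            if self._count(self.invites, (caller, callee), now) > INVITE_LIMIT:
                self.bans[("user", caller)] = now + BAN_SECONDS
                return "ban"
        return "allow"


# Constructed sample traffic, not captured from any real network.
REGISTER = ("REGISTER sip:pbx.example SIP/2.0\r\n"
            "From: <sip:1001@pbx.example>\r\nTo: <sip:1001@pbx.example>\r\n")


def invite(caller, callee):
    return (f"INVITE sip:{callee}@pbx.example SIP/2.0\r\n"
            f"From: <sip:{caller}@pbx.example>\r\nTo: <sip:{callee}@pbx.example>\r\n")


def demo():
    """Replay a REGISTER burst, an INVITE burst and a post-ban retry; return the verdicts."""
    guard = SipRateGuard()
    verdicts = []
    for i in range(7):                  # 7 REGISTERs from one IP inside a minute
        verdicts.append(guard.check("198.51.100.7", REGISTER, 10.0 + i))
    for i in range(5):                  # 5 INVITEs 1001 -> +1900555 inside a minute
        verdicts.append(guard.check("203.0.113.9", invite("1001", "+1900555"), 100.0 + i))
    # the same caller again after the ban has lapsed
    verdicts.append(guard.check("203.0.113.9", invite("1001", "+1900555"),
                                104.0 + BAN_SECONDS + 1))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The sixth REGISTER and the fourth INVITE in each burst return "ban", the next packet from the same source returns "drop", and the retry after the ban window returns "allow" again. The deliberate simplification is that the ban keys on the From user for fraud and on the source IP for brute force; a fraudster who rotates caller IDs defeats the first key, which is why the original post also asks for the IPS to learn calling patterns rather than apply fixed thresholds.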