Hallo Listers,

(First of all, apologies for a long email)

This is mainly meant for the Network or Security Engineers in Telco/ISP environments out there.

I work in a Telco (mainly VoIP) and we are looking to buy Big Fat Firewalls with IDS/IPS features and throughput greater than 40Gbps.

The reason for this high performance requirement is that we want to move VoIP traffic (SIP/RTP) behind the Firewalls to be able to do IDS/IPS inspection of this traffic, which is very latency sensitive.

I have done a lot of research around and even contacted the 2 most popular Firewall vendors, Cisco/Juniper, but I am NOT too impressed so far...

The highest demands that we have are on the following IDS/IPS functionalities:

  1. Block SIP brute force registrations (Easy to Implement)
  2. Ability to detect and block SIP fraud calls (toll fraud) by performing the following deep packet inspection tasks:
  3. Ability to detect and mitigate IP Telephony SPAM (SPIT)

That said, I have 2 ideas of how to implement the above:

  1. Put everything behind the new Firewalls (but then the FW in question has to have proper IDS/IPS features to automatically detect the above VoIP attacks and block them)
  2. Install normal Enterprise class Firewalls (without IDS/IPS) and have a 3rd party tool e.g. SNORT doing this in real time and interacting directly with the FWs to block ongoing attacks on the fly.

My question is to anyone out there who might have input on how best to implement this: which path would you take, and why?

Your input is highly appreciated!

--
Kind Regards,

Moses Mungai

Oslo, Norway
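For the first requirement (blocking SIP brute force registrations) in the second design, the external detector needs logic of the kind sketched here. This is an added illustration, not code from the post or from Snort: a sliding-window detector over constructed registrar log lines in a hypothetical "seconds src_ip method status user" format, which flags a source either for too many failed REGISTERs or for trying too many distinct usernames, while treating the normal 401-challenge-then-200 digest exchange of a legitimate phone as benign. The returned decisions are what would be pushed to the firewall as block rules.

```python
import re
from collections import defaultdict, deque

# Constructed sample in a hypothetical "seconds src_ip method status user" line
# format (example data, not a real registrar's log). 198.51.100.10 is a legitimate
# phone doing a normal 401-challenge-then-200 digest registration.
SAMPLE_LOG = """\
0.0 198.51.100.10 REGISTER 401 alice
0.4 198.51.100.10 REGISTER 200 alice
1.0 203.0.113.5 REGISTER 401 alice
1.2 203.0.113.5 REGISTER 403 alice
1.4 203.0.113.5 REGISTER 403 bob
1.6 203.0.113.5 REGISTER 403 carol
1.8 203.0.113.5 REGISTER 403 dave
30.0 198.51.100.10 REGISTER 401 alice
30.3 198.51.100.10 REGISTER 200 alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
FAIL_CODES = {"401", "403", "407"}  # challenge / forbidden / proxy challenge


def detect_register_bruteforce(log_text, window=10.0, max_failures=5, max_users=3):
    """Return {src_ip: reason} for sources exceeding either threshold in a sliding window."""
    failures = defaultdict(deque)  # src_ip -> deque of (timestamp, user) for recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, status, user = m.groups()
        ts, q = float(ts), failures[src]
        if method != "REGISTER" or status not in FAIL_CODES | {"200"}:
            continue
        if status == "200":
            # A 401 challenge followed by 200 is normal digest auth, so a
            # successful registration clears that source's recent failures.
            q.clear()
            continue
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if src in flagged:
            continue  # keep the first reason a source was flagged
        users = {u for _, u in q}
        if len(q) >= max_failures:
            flagged[src] = f"{len(q)} failed REGISTERs in {window}s"
        elif len(users) >= max_users:
            flagged[src] = f"{len(users)} distinct users tried in {window}s"
    return flagged
```

On the sample data only 203.0.113.5 is flagged (for trying three distinct users within the window); the legitimate phone's two challenge/200 cycles never accumulate failures.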