Acme Packet introduced a security requirements framework that identifies the requirements that a session border controller (SBC) must satisfy to protect the SBC itself; to protect the service infrastructure (e.g. SIP servers, softswitches, application servers, media servers or media gateways; and to protect subscriber, enterprise and service provider security including confidentiality and privacy. Acme Packet's "Net-SAFE" (Session Aware Filtering and Enforcement) spans seven functional areas, each of which is a collection of more specific requirements, including:
- Session border controller DoS protection: Autonomic, SBC self-protection against malicious and non-malicious DoS attacks and overloads at layer 3/4 (e.g. TCP, SYN, ICMP, fragments, etc.) and L5 (e.g. SIP signaling floods, malformed messages, etc.). Mandates hardware-enforced fairness, control and throttling for signaling and media.
- Access control: Session-aware access control for signaling and media using static and dynamic permit/deny ACLs at layer 3 and 5.
- Topology hiding and privacy: Complete infrastructure topology hiding at all protocol layers for confidentiality and attack prevention security, as well as modification, removal or insertion of call signaling application headers and fields. Privacy support using industry-standard encryption methods such as TLS and IPSec.
- VPN separation: Support for Virtual Private Networks (VPNs) with full inter-VPN topology hiding and separation, ability to create separate signaling and media-only VPNs, and with optional intra-VPN media hair-pinning to monitor calls within a VPN.
- Service infrastructure DoS prevention: Per-device signaling and media overload control, with deep packet inspection and call rate control to prevent DoS attacks from reaching service infrastructure such as SIP servers, softswitches, application servers, media servers or media gateways.
- Fraud prevention: Session-based authentication, authorization, and contract enforcement for signaling and media; and service theft protection.
- Monitoring and reporting: Audit trails, event logs, access violation logs and traps, management access command recording, Call Detail Records (CDRs) with media performance monitoring, raw packet capture ability and lawful intercept capability.
In addition, Acme Packet announced three new enhanced security features - enhanced SBC DoS self-protection against signaling attacks, a hardware acceleration module for TLS and IPSec, and SIP privacy support - to the existing set of Net-SAFE features in Acme Packet's Net-Net products.
- The new DoS attack protection feature defends the signaling processor in the Net-Net product family by dynamically performing classification, policing, shaping and discarding based on session events, using them to build trust or detect attackers.
- The new hardware encryption module enables the session border controller to perform hardware-accelerated encryption and authentication for each signaling session on the public network, while translating the signaling to use a lower-overhead, more efficient transport protocol such as UDP (User Datagram Protocol) on the service provider's private network. Consequently, the session border controller can offload the per-session encryption and authentication processing burden from the service provider's internal signaling equipment.
- The SIP privacy enhancement, supporting RFCs 3323 and 3325, provides anonymity to the caller identity information in SIP signaling messages on a per-user or per-call basis as instructed by the service provider's SIP infrastructure. This enables service providers to provide a caller privacy service for their subscribers concerned about identity theft, spyware monitoring, and eavesdropping by unknown entities.
