Dipping Your Toes into the SIP Stream


There are surprises and there are surprises.

For instance, I like it when I come home after a long day at work to find that my wife made dinner reservations at my favorite Saint Paul restaurant – W. A. Frost. I also like it when I finish my tax returns and discover that I don’t owe thousands of dollars in unpaid taxes.

I’ve also had the less-fortunate variety several times and can do without that kind of excitement.

One thing is certain: I don’t like getting surprised at work. Those surprises generally involve more toil, looking foolish, ending up with less money, putting in longer hours, or all of the above. The looking foolish part happened to me recently, but instead of moping about it, I decided to use it as a teaching tool.

This article originally appeared on SIP Adventures and is reprinted with permission.

I recently began working with a company and their carrier on adding SIP trunks to an Avaya PBX. Unfortunately, I was brought into the project late in the game and quite a bit of discussion had already occurred. Perhaps I was told all the details or perhaps I was not, but the result was that I was under a few false assumptions about what the customer wanted and what the carrier was set to deliver.

Specifically, it turned out that yes, SIP trunks were being deployed, but the customer wasn’t actually set up to work with direct SIP. That carrier, which happens to be Verizon, was providing the SIP, but the SIP was terminating on a Cisco 2911 router configured as a SIP-to-PRI gateway. So, SIP to the demarc point and ISDN to the customer’s communications system.

It’s no wonder that I couldn’t get straight answers about session border controllers and session managers. There weren’t any and the customer wasn’t about to deploy them.

Now, if I were an unscrupulous sales guy, I might try and tell the customer that he was making a bad decision and up-sell him on equipment that he wasn’t ready to deploy, but thankfully I am neither a sales guy nor unscrupulous. Instead, I embraced this as a viable solution that will serve the customer well until he is ready to move a little deeper into SIP.

There are situations where SIP — at least total SIP immersion — is not the best answer. A business may have a number of good reasons why it wants to dip its toes into the SIP stream, but it wants to do so in a measured and controlled manner. It wants to reap some of the benefits of SIP, but is fully conscious of what it can and cannot afford.

This particular business has an Avaya system that has been kept up-to-date on software and hardware, but is still predominately TDM. They understand the benefits of VoIP, but haven’t invested in a VoIP-ready network. Additionally, the nature of this business is not one that has Ethernet cables where they are needed for telephony. Although antiquated by today’s standards, analog and digital telephones are still in wide use by many businesses. This business needed a compelling reason to change and until they got it, things were staying put.

Still, they wanted to take advantage of some of the benefits of SIP and SIP trunks are a great place to start. They can eliminate many of their costly ISDN trunks, create a better business continuity strategy, consolidate networks, and take the first step towards what may ultimately be a much larger leap into SIP.


Baby Steps

So, the idea of bringing in those SIP trunks, running them through a SIP-to-PRI gateway, and terminating T1s on their existing line cards is a perfectly good choice. One day they may decide to take things a little further, but other than having to re-purpose a fairly inexpensive Cisco router, they haven’t thrown good money at bad.

Later on, they can move those SIP trunks away from the 2911 to an SBC without having to completely redesign their SIP solution. SIP is flexible enough to support quite a few of these transition solutions. That Cisco router could just as easily have been one of the many SIP-to-TDM gateways offered by AudioCodes.

In the end, my surprise turned out just fine. Granted, I was a little confused for a while, but that’s nothing new. Once I understood what was what, I was able to assist Verizon with their implementation questions and get the customer rolling down the road to SIP.

That’s the kind of work surprise I can deal with.

Related Articles:

Reducing the Risks of Distributed Denial of Service Attacks

Picture what may just be one of the scariest scenarios in your career: The network has slowed to a crawl. You can barely hold a management interface, let alone control the network elements involved. The attack propagates, and as it does you watch your services drop one by one. Panic sets in. You’re experiencing a Denial of Service (DoS) attack. All resources are focused on stamping this fire out—and that may very well be the intention of the attackers.

A DoS attack might be a smokescreen to get you to focus elsewhere while the intruder goes about covert business in a much safer fashion, leaving little forensics afterward.

DoS attacks are easy to comprehend, and the term Distributed Denial of Service (DDoS) is an easy extension. But the strategy behind why they’re used and their intent can vary dramatically, and the attacks themselves range widely in sophistication. Here’s a quick breakout from the simplest to the most complex attacks:

  • Network Level attacks:

    The simplest ones—TCP, UDP, ICMP, Floods

  • Reflective/Amplified attacks:

    Service focused—DNS, NTP, SNMP, SSDP, Specific floods

  • Fragmentation:

    Session specific—overlaps, missing, too many

  • Application specific:

    Repetitive GET, slow READ or loop calls

  • Crafted:

    Stack and protocol level, buffer resources

These methods are often overlapped in a targeted fashion. In essence the attack is a series of waves that each hit in varying degrees of sophistication and focus. Other times the attack is relatively primitive and easy to isolate. The reason for this is that at the simplest levels, it’s an easy thing to do. As an example, a disgruntled student, upset over a new vending machine policy, could mount a DoS attack against his or her school administration. On the other end of the spectrum is a much darker orchestration, the sleight of hand to get you to look elsewhere. This is typically the signature of an Advanced Persistent Threat (APT).

Unless an attack is very simple and short-lived, it needs to be distributed in the way it operates. It needs to be generated from various points of origin. This is referred to as a DDoS attack. The attacker needs to coordinate a series of end points to execute some particular event at the same point in time or perhaps, in more sophisticated examples, as phased against a time series. For a DDoS attack, the attacker requires a command and control (C2) capability. This means that they need access to, and responses from, the compromised systems. This collection of compromised systems is referred to as a botnet.

Botnets do not have to be sophisticated to be successful. They only have to implement a simple set of instructions at the right point in time. Let’s take the recent reflective/amplified DDoS attack on Dynamic DNS services on the East coast of the U.S., which affected several large firms such as Amazon and Yahoo. The attack was mounted from residential video surveillance cameras. Even though there was no direct intrusion, the firms were impacted. Which leads us to two lessons.

Lesson number one: Security in IoT needs to be taken more seriously in the product design stages. Perhaps the concept and treatment of residential security systems needs to be rethought.

Lesson number two: As we move to outsourcing and cloud services we need to realize that we spread the reality of our exposed risk. Due diligence is required to assure that service providers and partners are doing their role in end-to-end security. But do you recall I mentioned that the source of the orchestrated attack was from the residential network? This brings about a new degree of challenges as we look at the new world of consumer IoT.

How do we maintain security in that sector? Clearly the residence itself should uphold best practices with a well-maintained and monitored gateway. But let’s face it, this is generally not going to happen. The monitoring of behaviors and abnormalities at the provider interface level is the next best catch and many providers are moving to reach this goal.
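
One way to monitor for the reflective/amplified category at a network edge is to flag replies from DNS, NTP, SNMP or SSDP ports that no internal host asked for. The sketch below is an added example, not code from the original article; the flow-record fields, the `10.0.0.0/8` internal range and the alert threshold are assumptions, and the flow records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# UDP source ports of the services the list names as reflection/amplification vectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
INTERNAL = ip_network("10.0.0.0/8")   # assumption: address space being protected
MIN_REFLECTORS = 3                     # assumption: distinct senders before alerting


def reflection_victims(flows, min_reflectors=MIN_REFLECTORS):
    """Return {(victim, service): {"reflectors": n, "bytes": b}} for unsolicited replies."""
    asked = set()   # (client, server, port) for queries an internal host really sent
    seen = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["proto"] != "udp":
            continue
        if ip_address(f["src"]) in INTERNAL and f["dport"] in REFLECTOR_PORTS:
            asked.add((f["src"], f["dst"], f["dport"]))
        elif ip_address(f["dst"]) in INTERNAL and f["sport"] in REFLECTOR_PORTS:
            if (f["dst"], f["src"], f["sport"]) in asked:
                continue   # answer to a query the host sent earlier: normal traffic
            entry = seen[(f["dst"], REFLECTOR_PORTS[f["sport"]])]
            entry["reflectors"].add(f["src"])
            entry["bytes"] += f["bytes"]
    return {key: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"]}
            for key, v in seen.items() if len(v["reflectors"]) >= min_reflectors}


def flow(ts, src, sport, dst, dport, size, proto="udp"):
    """Build one constructed flow record."""
    return {"ts": ts, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "bytes": size, "proto": proto}


# Constructed flow records (documentation address ranges stand in for the Internet).
SAMPLE_FLOWS = [
    flow(1, "10.0.0.5", 40000, "192.0.2.53", 53, 70),        # real DNS query
    flow(2, "192.0.2.53", 53, "10.0.0.5", 40000, 310),       # its answer
    flow(3, "198.51.100.9", 53, "10.0.0.5", 41000, 3000),    # one stray reply
    flow(4, "203.0.113.1", 123, "10.0.0.80", 80, 468),       # NTP replies nobody asked for
    flow(5, "203.0.113.2", 123, "10.0.0.80", 80, 468),
    flow(6, "203.0.113.3", 123, "10.0.0.80", 80, 468),
    flow(7, "203.0.113.4", 123, "10.0.0.80", 80, 468),
    flow(8, "10.0.0.80", 443, "198.51.100.20", 51000, 1500, "tcp"),
]

if __name__ == "__main__":
    for (victim, service), s in reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {s['bytes']} bytes of unsolicited {service} from {s['reflectors']} sources")
```

The single stray DNS reply stays below the threshold, while the four unrequested NTP senders aimed at one host are reported together.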

The other key point to remember about botnets is that in order to command, one has to control. This can happen in various ways. One is automatic: the code infects a system, sits until a predefined time and then activates. This is the simplest. Another method requires true C2. Either way, bad code takes up residence or existing code gets leveraged in negative ways. You should be able to pick out the anomalies.

Proper design with hyper-segmentation can greatly reduce the risk of propagation from the initial infection. The botnet is contained and should be readily identified, if you’re watching. Are you?

Less Maintenance, More Innovation: How to (Finally) Fill the IT Skills Gap

If you take a good look at how the business ecosystem is evolving, you’ll find that it’s being redefined by five key market trends:

You’d be hard pressed to find research that doesn’t indicate the takeover of these five megatrends.

Forrester, for instance, predicts that machine learning and automation will replace 7% of all U.S. jobs by 2025. According to the Economist Intelligence Unit, almost 80% of companies identified digital transformation as their top strategic priority last year. Gartner believes that 70% of all newly deployed apps will run on open source databases by 2018; meanwhile, research continues to show that some 20 to 30 billion objects could be connected to the IoT by 2020.

As these technologies shape our smart digital world, so too do they raise the stakes in terms of customer expectations. Next-generation consumers demand nothing short of a sophisticated digital experience marked by greater quality, agility, speed and contextualization.

The Need to Transform NOW

Driven by these trends, organizations have no choice but to consider how they can adapt to grow and thrive. Competitors are moving at rapid new paces and blazing unforeseen trails. We’re seeing this disruption industry-wide, from companies like Uber and Lyft that have revolutionized the taxi industry (taxi trips have fallen by as much as 30% in cities like L.A.) to Airbnb, which turned the hospitality industry on its head by introducing the concept of an end-to-end digital homestay experience.

Look around and you’ll see just how much your own industry is changing. Do you realize how much new ground is ready to be broken? How much unexplored territory there is to seize? The organizations that thrive will be the first to not only see the possibilities, but successfully execute them. To do so, however, companies must undergo some level of transformation—and IT must be a central part of that transformation.

Elevating IT to Accelerate Business

To enable business to move at a pace that maintains a competitive edge, leaders must ask themselves how they’re empowering their IT staff. As it currently stands, something needs to be done about today’s IT skills gap. What we’re seeing is too many departments tied down to costly, archaic systems that hinder performance and productivity. There are too many people doing the same things and expecting different results. In a world where IT maintenance and innovation must be expertly balanced, teams are working to keep the lights on and not spending enough time learning new technologies and strategies or becoming part of the solution. This has been an ongoing problem that needs to be talked about less and acted on more.

The bottom line is that organizations will only truly accelerate in the digital era if IT spends enough time on strategic initiatives. Consider that 60% of top-performing companies engage IT to gather ideas for innovation, and 49% collect ideas through business unit workshops facilitated by IT. Without question, IT should be factored as a critical part of business innovation.

So, how can businesses free their IT teams to begin innovating? The right technology here is key—specifically, it has to be a combination of business process automation over an automated, end-to-end, meshed networking architecture. Let’s first focus on networking—this open, agile and integrated platform liberates IT by substantially reducing the level of complexity associated with traditional network maintenance, allowing teams to spend more time on high-level strategic initiatives. I’d like to take a look at how such a platform helps fill the IT skills gap from a traditional networking standpoint and outline some of the security benefits this architecture can bring.


Traditional legacy architecture, often referred to as “client-server,” is becoming nearly obsolete thanks to the proliferation of automation and M2M. But before we jump too quickly, you may remember the resistance to peer-to-peer communication, where IT in fact won the battle and for the most part didn’t allow it. Simply put, the legacy architecture couldn’t sustain it. As manual processes continue to be replaced by smarter, automated processes, it’s imperative that organizations start thinking differently in terms of networking.

This may mean, for example, seamlessly integrating AI and machine learning into their communications strategy to engage customers with flexible new touch points. This will also likely require the integration of services from several vendors with different capabilities, versus one single provider, hence the importance of having an open ecosystem with standards as much as possible.

Regardless of how organizations go about it, the fact is that they must begin moving their networks in a new direction if they wish to progress at the pace their business needs to. Fully-meshed, end-to-end architecture offers an open ecosystem in which businesses can begin freely automating, integrating and reinventing traditional processes without a high level of complexity. This time freedom enables IT to begin reimagining business outcomes. The use of open, integrated, future-proof technology opens new doors of opportunity to do so.


With billions of IoT devices directly communicating and sharing data, organizations are now operating in an essentially borderless network—or as I like to call it, the everywhere perimeter. While this everywhere perimeter enables organizations to operate with unmatched agility and ease, it can also destroy companies if left unprotected. As one can imagine, the strategy and technology needed to protect a virtually borderless network look drastically different from those used with a traditional firewall or legacy network architecture (static VLANs, ACLs). This is exactly why IT needs to flex its strategic muscles and identify a stronger security approach, one that safeguards the organization with a near impenetrable network that significantly minimizes security risks and reduces exposure.

An end-to-end meshed networking architecture lets organizations quickly and securely enable services across the network anywhere they are consumed (e.g., personal mobile device, Wi-Fi hotspot, corporate campus). This is done through end-to-end network segmentation, which is widely considered to be the holy grail of network security today. Comprised of three core components—hyper-segmentation, native stealth and automated elasticity—this solution ensures organizations have the necessary framework for next-generation cybersecurity defense. By minimizing security risks in this way, organizations can ensure they are maximizing the value of IT. Lay the foundation right first, then focus on business process workflow automation. Doing the opposite or simply ignoring the foundation will cause pain and slow down your business transformation while making it extremely difficult to maximize the benefits of, for example, IoT.

In the end, every important business initiative requires time. Organizations won’t be able to reinvent themselves if their IT department has none to spare.

APTs Part 4: How Do You Detect an Advanced Persistent Threat in Your Network?

Here in part four of my APT series, we’re looking at how to detect Advanced Persistent Threats in your network. The key is to know what to look for and how to spot it.

Look for patterns of behavior that are unusual from a historical standpoint. Some things to look for are unusual patterns of session activity. Port scanning and the use of discovery methods should be monitored as well. Look for unusual TCP connections, particularly lateral or outbound encrypted connections.

Remember that there is a theory to all types of intrusion. An attacker needs to compromise the perimeter. Unless the attacker is very lucky, they will not be where they need or want to be. This means that a series of lateral and northbound moves will be required to establish a foothold. In order for any information to leave your organization there has to be an outbound exfiltration channel. This is another area where APTs have to diverge from the normal behavior of a user.

Here’s what to look for:

  • Logon Activity:

    Logons to new or unusual systems can be a flag. New or unusual session types are also a flag to watch for, particularly outbound encrypted sessions or unusual time of day or location. Watch for jumps in activity or velocity.

  • Program execution:

    Look for new or unusual program executions at unusual times of the day or from unusual locations. Execution of the program from a privileged account status rather than a normal user account should also be alarming.

  • File access:

    Look for unusually high volume access to file servers or unusual file access patterns. Also be sure to monitor cloud-based sharing uploads as these are a very good way to hide in the flurry of other activity.

  • Network activity:

    New IP addresses or secondary addresses can be a flag. Unusual DNS queries should be looked into, particularly those with a bad or no reputation. Look for the correlation between the above points and new or unusual network connection activity. Many C2 channels are established in this fashion.

  • Database access:

    Most users do not have access to the database directly. But also look for manipulated application calls doing sensitive table access, modifications or deletions. Be sure to lock down the database environment by disabling many of the added options that most modern databases provide. An application proxy service should be implemented to prevent direct access in a general fashion.


The goal is to arrive at a risk score based on the aggregate of the above. This involves the session serialization of hosts as they access resources. The problem with us as humans is this: if we’re barraged with tons of data and forced to do the picking out of significant data, we are woefully inefficient. First of all, we have a propensity for missing certain data sets. How often have you heard the saying, “Another set of eyes”? Never manually analyze data alone, always have another set of eyes go over it.
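
The aggregate risk score described above can be sketched as follows: each host's events are serialized by time, compared against a baseline in the five listed categories, and summed, with extra weight when a flagged connection follows a flagged logon or execution. This is an added example, not code from the original post; the weights, thresholds, host names and event fields are assumptions, and the baseline and events are constructed.

```python
from collections import defaultdict

# Assumed weights for the five categories in the list; tune them per environment.
WEIGHTS = {"logon": 2, "exec": 3, "file": 2, "network": 3, "db": 4}
OFF_HOURS = {22, 23, 0, 1, 2, 3, 4, 5}   # assumed "unusual time of day" (UTC)
WINDOW = 900         # seconds linking a flagged logon/exec to a flagged connection
BONUS = 5            # extra points when that correlation is seen
VOLUME_FACTOR = 10   # file reads this many times over baseline count as unusual

# Constructed baseline: what each host has historically done.
NORMAL = {"logon": {"fs-01"}, "exec": {"excel.exe"}, "network": {"10.1.0.10"}, "reads": 40}
BASELINE = {"ws-17": NORMAL, "ws-22": NORMAL}
# Constructed events; ts is seconds since midnight UTC on the sample day.
EVENTS = [
    {"ts": 36000, "host": "ws-22", "kind": "logon", "target": "fs-01"},
    {"ts": 36100, "host": "ws-22", "kind": "file", "count": 35},
    {"ts": 80000, "host": "ws-17", "kind": "logon", "target": "db-03"},
    {"ts": 80120, "host": "ws-17", "kind": "exec", "target": "unknown.exe", "privileged": True},
    {"ts": 80300, "host": "ws-17", "kind": "db", "direct": True},
    {"ts": 80400, "host": "ws-17", "kind": "file", "count": 900},
    {"ts": 80500, "host": "ws-17", "kind": "network", "target": "203.0.113.50", "encrypted": True},
]


def findings(ev, base):
    """List the reasons one event deviates from its host's baseline."""
    kind, out = ev["kind"], []
    if kind in ("logon", "exec", "network") and ev["target"] not in base[kind]:
        out.append(f"new {kind} target {ev['target']}")
        if kind == "network" and ev.get("encrypted"):
            out.append("encrypted session to new address")
    if kind in ("logon", "exec") and (ev["ts"] // 3600) % 24 in OFF_HOURS:
        out.append(f"{kind} at unusual hour")
    if kind == "exec" and ev.get("privileged"):
        out.append("execution from privileged account")
    if kind == "file" and ev["count"] > VOLUME_FACTOR * base["reads"]:
        out.append("unusually high file access volume")
    if kind == "db" and ev.get("direct"):
        out.append("direct database access")
    return out


def risk_scores(events, baseline):
    """Serialize each host's events by time and aggregate a per-host risk score."""
    result = defaultdict(lambda: {"score": 0, "reasons": []})
    last_flag = {}   # host -> time of its last flagged logon or execution
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        hits = findings(ev, baseline[host])
        if not hits:
            continue
        result[host]["score"] += WEIGHTS[ev["kind"]] * len(hits)
        result[host]["reasons"] += hits
        if ev["kind"] in ("logon", "exec"):
            last_flag[host] = ev["ts"]
        elif ev["kind"] == "network" and host in last_flag and ev["ts"] - last_flag[host] <= WINDOW:
            result[host]["score"] += BONUS
            result[host]["reasons"].append("connection follows flagged logon/exec")
    return dict(result)


if __name__ == "__main__":
    for host, r in risk_scores(EVENTS, BASELINE).items():
        print(host, r["score"], "; ".join(r["reasons"]))
```

A host whose activity matches its baseline never appears in the output, so an analyst reviews a short ranked list rather than the raw event stream.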


At Avaya we’ve developed a shortest path bridging networking fabric we refer to as SDN Fx™ Architecture that is based on three basic self-complementary security principles:

  • Hyper-segmentation: This is a new term that we’ve coined to indicate the primary deltas of this new approach to traditional network micro-segmentation. First, hyper-segments are extremely dynamic and lend themselves well to automation and dynamic service chaining, as is often required with software-defined networks. Second, they are not based on IP routing and therefore do not require traditional route policies or access control lists to constrict access to the micro-segment. These two traits create a service that is well suited for security automation.

  • Stealth: Due to the fact that SDN Fx is not based on IP, it is dark from an IP discovery perspective. Many of the topological aspects of the network, which are of key importance to APTs, simply cannot be discovered by traditional port scanning and discovery techniques. So the hyper-segment holds the user or intruder in a narrow and dark community that has little or no communications capability with the outside world, except through well-defined security analytic inspection points.

  • Elasticity: Because we are not dependent on IP routing to establish service paths, we can extend or retract certain secure hyper-segments based on authentication and proper authorization. Just as easily, however, SDN Fx can retract a hyper-segment, perhaps based on an alert from security analytics that something is amiss with the suspect system. There may even be the desire to redirect them into honeypot environments where a whole network can be replicated in SDN Fx for little or no cost from a networking perspective.

In the End

Hardly a day goes by without hearing about a data breach somewhere in the world. To combat these breaches, it’s imperative to understand how APTs work and how you can detect them. Remember—prevention is ideal, but detection is a must!

With this blog series, I hope I’ve helped you see how to limit the impact of APTs on your enterprise. If you missed a blog post, here’s the whole series:

APTs Part 1: Protection Against Advanced Persistent Threats to Your Data

APTs Part 2: How the Advanced Persistent Threat Works

APTs Part 3: Prevention is Ideal, But Detection is a Must

APTs Part 4: How Do You Detect an Advanced Persistent Threat in Your Network?