
Alcatel-Lucent OmniPCX Enterprise

IP Touch Security: NGP

All Rights Reserved © 2009, Alcatel-Lucent 1

OBJECTIVE

- To describe the IP Touch Security in the case of the New Generation Platform

Alcatel-Lucent OmniPCX Enterprise – IP Touch Security: NGP


Ref. ENTP0534P26TEUS Issue 02
IP Touch Security
Solution history

- At its first launch, the IP Touch Security solution offered the possibility to secure “signaling
  and voice” over IP in a stand-alone configuration
  - An SSM(1) is required to secure the CS CPU
  - And an MSM(2) is required to secure an MG (Crystal or Common hardware)
  - The IP Touch sets handle the security feature themselves

- A second step of development allowed the IP ABCF network links to be secured
  (signaling first, then signaling + voice)

- Then, this Thalès solution was chosen to respond to some customers who
  wanted a strong and reliable signaling link against DoS(3) attacks for remote IP
  Media Gateways (Common hardware)... The Thalès VPN Client is embedded on
  the GD(4) and only encrypts the signaling
  - This GD is then called “MGSec”

- Release 9.1 introduces the possibility to secure an MG without Thalès boxes
  (NGP Crystal & Common hardware) for signaling & voice. The Thalès VPN Client
  is embedded on the boards of both platforms


1) SSM: Server Security Module. In case of Call Server duplication, an SSM can be used per CPU

2) MSM: Media Security Module. Depending on the box generation [MSM or MSM-RM (Rack Mounted)] and the topology, an MSM can
protect a GD (or GD + GA) or an INTIPA/B (or two INTIPA/B)

3) Denial of Service

4) This solution does not require an MSM to protect the GD

NGP Security

- An NGP board always verifies the authenticity of the binary, even if the security
  mode is “Bypass”(1)
  - The binaries are signed with the Alcatel-Lucent private key. The boards use
    the Alcatel-Lucent public key stored in their flash to authenticate the files.
    This authentication check ensures that the binary was produced by
    Alcatel-Lucent
  - The integrity check uses the “SHA-1” HMAC method(2) for NGP boards

- The new NGP hardware capabilities offer the possibility to handle the security
  functionalities without any MSM(3). The security level of this solution is the
  following:
  - Signaling encryption: AES-CBC(4)
  - Voice encryption: SRTP(5) and SRTCP

- Terminology
  - SoftMSM: NGP Media Gateway(6) running the embedded Thalès VPN client and
    the Thalès SRTP library (available as of i1.605.14e)


1) In the previous release the GD authenticated its binary only if the security feature was activated (“Security=Protect” in the
lanpbx.cfg file). The Crystal INTIP board did not support this authentication

2) The MD5 method is still used for classical Common hardware (GD-GD2/MGSec)

3) An SSM is still required to protect the Call Server. MSMs are not used to protect the NGP Media Gateways

4) Advanced Encryption Standard (AES) cipher algorithm in Cipher Block Chaining (CBC) mode.
The packet authentication uses the HMAC-SHA-1 method

5) The voice encryption is realized with the AES-CM cipher [Advanced Encryption Standard (AES) cipher algorithm in Counter Mode (CM)]

6) It includes both types of platforms: Common and Crystal hardware
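The slide above describes two separate checks on a board binary: a signature made with the vendor private key and verified with the public key kept in flash (authenticity), and an HMAC-SHA-1 tag (integrity), both applied whatever the security mode. The following Go program is an added example written for this page, not code from Alcatel-Lucent or Thalès, and it assumes things the slides do not state: Ed25519 as the signature algorithm, a container layout with payload, signature and tag, and an integrity key provisioned on the board next to the vendor public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

// SignedImage is a constructed container for an NGP-style binary: the payload,
// the vendor signature over it, and an HMAC-SHA-1 integrity tag. The real file
// layout is not described on the slides.
type SignedImage struct {
	Payload   []byte
	Signature []byte // made with the vendor (Alcatel-Lucent) private key
	Tag       []byte // HMAC-SHA-1 over Payload
}

// Board models what a board keeps in flash: the vendor public key and the
// integrity key (assumption: the slides do not say where the HMAC key comes
// from). Mode is "Bypass" or "Protect".
type Board struct {
	VendorPub    ed25519.PublicKey
	IntegrityKey []byte
	Mode         string
}

// tag computes the HMAC-SHA-1 integrity tag over a payload.
func tag(key, payload []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

// BuildImage is the vendor side: sign the payload and attach its integrity tag.
// Ed25519 is an assumption; the slides name no signature algorithm.
func BuildImage(priv ed25519.PrivateKey, integrityKey, payload []byte) SignedImage {
	return SignedImage{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		Tag:       tag(integrityKey, payload),
	}
}

// Authenticate applies the rule on the slide: authenticity is verified
// whatever the security mode, so "Bypass" takes no shortcut here.
func (b Board) Authenticate(img SignedImage) error {
	if !ed25519.Verify(b.VendorPub, img.Payload, img.Signature) {
		return errors.New("authenticity: signature does not verify with the vendor public key")
	}
	if !hmac.Equal(tag(b.IntegrityKey, img.Payload), img.Tag) {
		return errors.New("integrity: HMAC-SHA-1 tag mismatch")
	}
	return nil
}

// RunScenario loads a genuine image on a board in Bypass mode, then a copy
// with one flipped bit, then an image signed with a different key. It returns
// whether each load was accepted.
func RunScenario() (genuine, tampered, foreign bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	integrityKey := []byte("constructed-integrity-key")
	board := Board{VendorPub: vendorPub, IntegrityKey: integrityKey, Mode: "Bypass"}

	payload := []byte("constructed NGP board binary v1")
	good := BuildImage(vendorPriv, integrityKey, payload)
	genuine = board.Authenticate(good) == nil

	bad := good
	bad.Payload = append([]byte{}, good.Payload...)
	bad.Payload[0] ^= 0x01 // one bit altered in transit (TFTP carries no integrity)
	tampered = board.Authenticate(bad) == nil

	foreignImg := BuildImage(otherPriv, integrityKey, payload)
	foreign = board.Authenticate(foreignImg) == nil
	return
}

func main() {
	g, t, f := RunScenario()
	fmt.Printf("genuine accepted=%v tampered accepted=%v foreign key accepted=%v\n", g, t, f)
}
```

The tampered copy fails on the signature check before the HMAC is even computed; the foreign-key image shows why the public key in flash, not the HMAC, is what ties the file to the vendor.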

SoftMSM Media Gateway
Initialization

- To initialize the IP-Link with the CS, the NGP boards use a PSK key at the
  ISAKMP(1) phase (used to authenticate the equipment)
  - Like an MGSec, the SoftMSM MG uses a PSK key (PSKg2) different from the one
    used by the SMs and the IP Touch sets
    - This PSKg2 key is derived from some data in the NGP secured binaries(2)
      - As in the MGSec case, it is possible (and recommended) to customize the SoftMSM key, because
        the NGP board binaries are transmitted in the clear (TFTP is not encrypted)
      - The Customization Center has to be used to generate this key. This key is called PSKmg

- Once the authentication phase is completed, the SoftMSM MG establishes a
  permanent IPsec tunnel with the CS (Main + Stand-by CPUs)(3)


1) ISAKMP: Internet Security Association and Key Management Protocol

2) The SSMs also own this data, which allows them to generate the same default PSKg2

3) Those addresses are retrieved from the “lanpbx.cfg” file
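The initialization slide describes a PSK-based authentication of the equipment followed by tunnels to the Main and Stand-by CPUs. The Go program below is an added example for this page, not Alcatel-Lucent or Thalès code: it replaces the ISAKMP phase with a simplified two-nonce, HMAC-based exchange (ISAKMP itself is far richer), stands in for the undocumented PSKg2 derivation with a hash over constructed binary data, and uses constructed CS addresses where the product would read them from lanpbx.cfg. It shows both sides' messages, the PSKmg-over-default selection, and why a peer holding the SM/IP Touch key cannot pass as a SoftMSM.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer is one end of the IP-Link: the SoftMSM MG or the Call Server (SSM side).
type Peer struct {
	Name string
	PSK  []byte
}

// DefaultPSKg2 stands in for the undocumented derivation of the default SoftMSM
// key from data carried in the NGP secured binaries. Hypothetical construction:
// the slides only say the key is derived from that data and that the SSMs hold
// the same data, so both sides can compute the same default.
func DefaultPSKg2(binaryData []byte) []byte {
	h := sha256.Sum256(append([]byte("PSKg2-default|"), binaryData...))
	return h[:]
}

// EffectivePSK returns the customized PSKmg when one has been provisioned and
// the default PSKg2 otherwise.
func EffectivePSK(pskmg, binaryData []byte) []byte {
	if len(pskmg) > 0 {
		return pskmg
	}
	return DefaultPSKg2(binaryData)
}

// proof is the authenticator each side computes over both nonces and its role.
func proof(psk, ni, nr []byte, role string) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write(ni)
	m.Write(nr)
	m.Write([]byte(role))
	return m.Sum(nil)
}

// Authenticate runs the simplified exchange: MG sends Ni, CS answers with Nr
// and its proof, MG verifies it and returns its own proof for CS to verify.
func Authenticate(mg, cs Peer) error {
	ni := make([]byte, 16)
	nr := make([]byte, 16)
	rand.Read(ni)
	rand.Read(nr)
	// MG -> CS : Ni        CS -> MG : Nr, proofCS
	proofCS := proof(cs.PSK, ni, nr, "responder")
	if !hmac.Equal(proofCS, proof(mg.PSK, ni, nr, "responder")) {
		return errors.New(mg.Name + ": CS proof rejected (PSK mismatch)")
	}
	// MG -> CS : proofMG
	proofMG := proof(mg.PSK, ni, nr, "initiator")
	if !hmac.Equal(proofMG, proof(cs.PSK, ni, nr, "initiator")) {
		return errors.New(cs.Name + ": MG proof rejected (PSK mismatch)")
	}
	return nil
}

// Tunnel records one permanent IPsec tunnel end point after authentication.
type Tunnel struct{ Local, Remote string }

// EstablishTunnels authenticates, then brings up one tunnel per CS address
// (Main and Stand-by CPU).
func EstablishTunnels(mg, cs Peer, csAddrs []string) ([]Tunnel, error) {
	if err := Authenticate(mg, cs); err != nil {
		return nil, err
	}
	tunnels := make([]Tunnel, 0, len(csAddrs))
	for _, a := range csAddrs {
		tunnels = append(tunnels, Tunnel{Local: mg.Name, Remote: a})
	}
	return tunnels, nil
}

func main() {
	binary := []byte("constructed NGP binary data")
	cs := Peer{Name: "CS", PSK: DefaultPSKg2(binary)}
	mg := Peer{Name: "GD3-remote", PSK: EffectivePSK(nil, binary)}
	csAddrs := []string{"192.0.2.10", "192.0.2.11"} // constructed Main/Stand-by addresses
	tunnels, err := EstablishTunnels(mg, cs, csAddrs)
	fmt.Println("tunnels:", tunnels, "error:", err)
	// A peer holding the SM/IP Touch PSK rather than PSKg2 is refused.
	set := Peer{Name: "IP-Touch", PSK: []byte("constructed-ip-touch-psk")}
	fmt.Println("IP Touch as SoftMSM:", Authenticate(set, cs))
}
```

Once PSKmg has been generated with the Customization Center, both the MG and the CS side must be provisioned with it; a board left on the default while the CS expects PSKmg fails the exchange exactly like the IP Touch case above.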

IP Touch Security Solution
Licenses

- Different licenses are used to control the system configuration
  - “325 IP Touch Security Engine”: enables or disables the IP Touch security feature
  - “326 Secured IP Touch Phones”: number of potential secured IP Touch sets
  - “327 IP Touch Security MSM”: number of MSMs
  - “343 MgSec Max Number”: number of MGSecs
  - “348 Soft MSM Lock (new)”: number of NGP secured Media Gateways
    - If a GD3 is managed as a SoftMSM, the lock counts for “1”; this counter is not
      incremented for the associated GA3 boards (from the same MG)(1)
    - The management of a Crystal rack with INTIPa/b boards counts for “1” (whatever
      the number of INTIP boards)


1) If a GD3 (as for a GD/GD2) is connected behind an MSM, this lock is not incremented
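The counting rules for lock 348 are spread over two bullets and a footnote, so an inventory of several gateways is easy to miscount. The Go program below is an added example for this page, not Alcatel-Lucent code: it encodes those rules (one lock per GD3 managed as a SoftMSM, nothing for its GA3 boards, one per Crystal rack whatever its INTIP count, nothing for a GD3 behind a hardware MSM) and runs them over a constructed inventory. The board type names and the BehindMSM flag are this example's own modelling.

```go
package main

import "fmt"

// BoardKind lists the board types named on the licensing slide.
type BoardKind int

const (
	GD3    BoardKind = iota // Common hardware main board
	GA3                     // Common hardware board associated with a GD3
	INTIP3                  // Crystal rack board (INTIPa/b)
)

// Board is one board of a Media Gateway. BehindMSM marks a board protected by a
// hardware MSM (footnote 1): it then consumes no SoftMSM lock.
type Board struct {
	Kind      BoardKind
	BehindMSM bool
}

// MediaGateway is a GD3 with its GA3 boards, or one Crystal rack.
type MediaGateway struct {
	Name   string
	Boards []Board
}

// SoftMSMLocks counts lock "348 Soft MSM Lock": at most one per Media Gateway,
// taken by a GD3 or by any INTIP board of the rack, never by a GA3, and not
// at all when the board sits behind a hardware MSM.
func SoftMSMLocks(mgs []MediaGateway) int {
	total := 0
	for _, mg := range mgs {
		counts := false
		for _, b := range mg.Boards {
			if b.BehindMSM {
				continue
			}
			switch b.Kind {
			case GD3, INTIP3:
				counts = true
			case GA3:
				// a GA3 never increments the counter on its own
			}
		}
		if counts {
			total++
		}
	}
	return total
}

// WithinLicense tells whether an inventory fits the licensed number of locks.
func WithinLicense(mgs []MediaGateway, licensed int) bool {
	return SoftMSMLocks(mgs) <= licensed
}

// SampleInventory is a constructed inventory covering each rule once.
func SampleInventory() []MediaGateway {
	return []MediaGateway{
		{Name: "MG-A (GD3 + 2 GA3)", Boards: []Board{{Kind: GD3}, {Kind: GA3}, {Kind: GA3}}},
		{Name: "Rack-B (3 INTIP3)", Boards: []Board{{Kind: INTIP3}, {Kind: INTIP3}, {Kind: INTIP3}}},
		{Name: "MG-C (GD3 behind MSM + GA3)", Boards: []Board{{Kind: GD3, BehindMSM: true}, {Kind: GA3}}},
	}
}

func main() {
	inv := SampleInventory()
	fmt.Println("SoftMSM locks needed:", SoftMSMLocks(inv))
	fmt.Println("fits a license of 2:", WithinLicense(inv, 2))
	fmt.Println("fits a license of 1:", WithinLicense(inv, 1))
}
```

MG-A and Rack-B each take one lock and MG-C takes none (it is protected by a hardware MSM, which is counted under lock 327 instead), so the sample needs two locks.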

IP Touch Security Solution

- Restriction
  - When an INT-IP3 A is managed as a SoftMSM, only one compression daughter
    board can be used
    - So 60 compressors max (instead of 120)

- Recommendation
  - It is strongly recommended to perform at least one full startup of the NGP
    boards without encryption before switching them to SoftMSM mode


