The essence and problems of IP telephony, its use in secure mode. Information security in IP telephony networks


Since VoIP technology is based on IP technology and uses the Internet, it inherits all of their vulnerabilities. The consequences of attacks that exploit them, coupled with the vulnerabilities that arise from the architectural features of VoIP networks, force us to think about ways to strengthen security and to analyze the existing IP network thoroughly. Moreover, adding any new service, such as voicemail, to an insufficiently protected infrastructure can introduce new vulnerabilities.

Risks and vulnerabilities inherited from IP networks.

Poor network design

An incorrectly designed network can lead to a large number of problems with using VoIP networks and with providing the necessary degree of information security in them. Firewalls, for example, become a weak point in the network because additional ports must be opened for the VoIP network to function properly, and firewalls that do not support VoIP technology may simply leave previously used ports open even after calls have ended.

Vulnerable IP PBXs and gateways

If an attacker gains access to a gateway or PBX, he also gains the ability to capture entire sessions (essentially, to listen to calls) and to find out call and network parameters. Thus, the greatest attention must be paid to the security of the PBX. Losses from such intrusions can reach significant amounts.

Packet replay attacks

A packet replay attack can be carried out on a VoIP network by retransmitting a series of valid packets so that the receiving device re-processes the information and sends response packets, which can be analyzed in order to spoof packets and gain access to the network. For example, even if the data is encrypted, it is possible to repeat the packet with the user's login and password, and thus gain access to the network.

Risks and vulnerabilities specific to VoIP networks

Packet spoofing and masking

Spoofed packets with an incorrect source IP address can be used for the following purposes:

  • Forwarding packets to another network or system
  • Traffic interception and man-in-the-middle attack (picture below)
  • Disguise as a trusted device - “transfer of responsibility” for an attack to another device

  • Fuzzing - Loading the system with packets containing partially incorrect information, which causes errors in the system when processing them, such as delays in operation, information leaks and complete system failure
  • Scanning for possible vulnerabilities - Port scanning can provide an attacker with the initial data needed to carry out a full-fledged attack, such as operating system models and the types of services and applications used. By finding a vulnerable service, an attacker can gain control of the entire network and, as a result, the ability to cause great damage.
  • Low reliability compared to traditional networks - To achieve high-quality communication, packets containing voice and video payload are given high priority in QoS (quality of service) mechanisms. However, the reliability of VoIP and data networks tends toward 99.9%, which is lower than in traditional telephone networks, where this parameter tends toward 99.999%. Of course, the difference is not so great, but over the course of a year it results in an additional 8.7 hours during which the system does not work. But it is necessary to understand that not every enterprise can be harmed by this.
  • DDoS (Distributed Denial of Service) attacks - DoS and DDoS attacks occur when an attacker sends extremely large volumes of random messages to one or more VoIP devices from one or more locations (DoS and DDoS, respectively). A multi-location attack uses "zombies" - compromised servers and workstations that automatically send malicious requests based on the attacker's needs. Such an attack is considered successful when the number of requests exceeds the computing power of the target, resulting in a denial of service to end users.

VoIP systems are especially vulnerable to such attacks because they have a high priority in QoS technology and require less traffic to disrupt their operation than conventional data networks. An example of a DoS attack against a VoIP network is the repeated transmission of call cancellation or call establishment signals, which is also called a SIP CANCEL DoS attack.
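A detection sketch for the signalling floods described above, written from the monitoring side (an added example, not part of the original article). The log format `time source method call-id`, the thresholds and all addresses are constructed for illustration; the code flags sources that exceed a per-second INVITE/CANCEL rate and counts CANCELs whose Call-ID never appeared in an INVITE.

```python
from collections import defaultdict, deque

WATCHED = {"INVITE", "CANCEL"}   # call establishment / cancellation signals


def parse_line(line):
    """Parse one constructed log record: '<epoch> <src_ip> <METHOD> <call_id>'."""
    ts, src, method, call_id = line.split()
    return float(ts), src, method.upper(), call_id


def analyze(lines, window=1.0, threshold=20):
    """Return (rate_alerts, orphan_cancels) for time-ordered log lines.

    rate_alerts    {(src, method): peak count seen inside one window}
    orphan_cancels {src: CANCELs whose Call-ID had no earlier INVITE}
    """
    recent = defaultdict(deque)      # (src, method) -> timestamps in window
    invited = set()                  # Call-IDs for which an INVITE was seen
    rate_alerts = {}
    orphan_cancels = defaultdict(int)

    for line in lines:
        ts, src, method, call_id = parse_line(line)
        if method not in WATCHED:
            continue
        if method == "INVITE":
            invited.add(call_id)
        elif call_id not in invited:
            orphan_cancels[src] += 1     # CANCEL for a call nobody set up

        q = recent[(src, method)]
        q.append(ts)
        while ts - q[0] > window:        # drop events older than the window
            q.popleft()
        if len(q) > threshold:
            key = (src, method)
            rate_alerts[key] = max(rate_alerts.get(key, 0), len(q))

    return rate_alerts, dict(orphan_cancels)


def sample_log():
    """Constructed traffic: two normal phones and one flooding source."""
    normal = [
        "0.00 10.0.0.5 INVITE a1",
        "2.00 10.0.0.5 CANCEL a1",   # legitimate: caller hung up while ringing
        "3.00 10.0.0.6 INVITE b1",
        "9.00 10.0.0.6 BYE b1",
    ]
    flood = [f"{5 + i * 0.01:.2f} 192.0.2.66 CANCEL x{i}" for i in range(50)]
    return sorted(normal + flood, key=lambda rec: float(rec.split()[0]))


if __name__ == "__main__":
    alerts, orphans = analyze(sample_log())
    for (src, method), peak in alerts.items():
        print(f"rate alert: {src} sent {peak} {method} requests within 1 s")
    for src, count in orphans.items():
        print(f"orphan CANCELs: {src} -> {count}")
```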


  • CID spoofing - One type of packet spoofing attack is based on manipulation of the caller ID (Caller ID or CID), which is used to identify the caller before answering. An attacker can replace this identifier with a text string or telephone number and use it to carry out various actions that harm the network or the business owner. In addition, in VoIP networks there is no way to hide this identifier, since telephone numbers are included in the packet headers in the SIP protocol. This allows an attacker with a packet sniffer such as tcpdump to find out phone numbers even if they have the “private” parameter from the service provider.

Conclusion

The use of IP telephony brings a huge number of benefits to any organization: VoIP-based solutions are more scalable, are easily integrated, and cost less than classic solutions. However, any organization that has implemented a VoIP solution must be aware of possible threats and make every effort to increase the degree of information security on the network. Only a few attack methods have been listed, but it is important to understand that combinations of attacks are often used and new attacks are being developed almost daily. But it is already clear that this technology is the future and it is unlikely to give way to another technology in the foreseeable future.

IP telephony? It is being attacked too!

Operating principle

The operating principle of IP telephony technology is simple. Its central component is the server (gateway), which is responsible for connecting the telephone and IP networks, i.e. it is connected to the telephone network and can reach any regular telephone, and it is connected to a data network (for example, the Internet) and can access any computer. The functions of this device include:

    Responding when the caller picks up the handset

    Establishing a connection with a remote gateway and the called party

    Digitization (encoding), compression, packetization and signal restoration

This gateway (for example, Cisco Catalyst 4000 Access Gateway Module or Cisco VG200) receives a regular telephone signal as input, digitizes it (if the signal is not digital) and compresses the received data, after which it transmits it to the IP network in the form of regular packets (though not very large ones). At the other end, the gateway restores the signal in the reverse order. This component may not be used if you do not plan to integrate your IP phones into the public telephone network (see Fig. 1).

In order to be able to build a distributed IP telephony network, it is necessary to have a dispatcher who is responsible for distributing calls between gateways (for example, Cisco CallManager). In addition to this task, the dispatcher carries out authentication and authorization of subscribers, and also has an interface to the billing system.

To facilitate the administration of a large number of remote gateways and dispatchers, special software called a monitor can be used. And finally, the last mandatory element of an IP telephony network is the subscriber point, which can be implemented either in software (for example, Cisco IP SoftPhone) or in hardware (for example, Cisco IP Phone, connected directly to the Ethernet port of the switch). In the first case, calls can be made even from a home computer equipped with a sound card and microphone, and in the second case, the so-called IP phone acts as the subscriber point. Another component of the IP telephony architecture is the specialized user applications that have arisen through the integration of voice, video and data (call centers, unified messaging systems).

Why is IP telephony attacked?

IP telephony networks are a good target for hackers. Some of them may play a prank on you by sending you a voice message on behalf of the company management. Someone may want to access the voice mailbox of your management or even intercept voice data on financial transactions exchanged between employees of the finance department or accounting department. Your competitors may want to undermine your reputation by disabling gateways and dispatchers, thereby disrupting the availability of telephone services to your subscribers, which in turn may also result in damage to your customers' business. There are other reasons, for example, calls at someone else's expense (theft of service).

Possible threats

The main problem with IP telephony security is that it is too open and makes it relatively easy for attackers to attack its components. Despite the fact that cases of such attacks are practically unknown, they can be carried out if desired, because attacks on regular IP networks can be directed at digitized voice networks with virtually no changes. On the other hand, the similarity of regular IP networks and IP telephony networks also tells us ways to protect them, but more on that a little later.

Attacks on regular telephony are also applicable to its IP cousin.

IP telephony, being a direct relative of conventional telephony and IP technology, has absorbed not only their advantages, but also their disadvantages. That is, attacks inherent in regular telephony can also be applied to its IP component. I will list some of them, some of which I will consider in more detail:

    Telephone eavesdropping

    Denial of service

    Number substitution

    Service theft

    Unexpected calls

    Unauthorized configuration change

    Account fraud.

Data interception

Data interception is the biggest problem of both conventional telephony and its IP cousin.

However, in the latter case this danger is much higher, because the attacker no longer needs to have physical access to the telephone line. What makes the situation worse is the fact that many protocols built on top of the TCP/IP stack transmit data in clear text. HTTP, SMTP, IMAP, FTP, Telnet, SQL*net and, among others, IP telephony protocols suffer from this sin. An attacker who was able to intercept IP voice traffic (which is not encrypted between gateways by default) can easily restore the original conversations. There are even automated tools for this, for example the vomit (Voice Over Misconfigured Internet Telephones) utility, which converts data obtained by intercepting traffic with the freely distributed tcpdump protocol analyzer into a regular WAV file that can be listened to using any computer player. This utility can convert voice data transmitted using Cisco IP phones and compressed using the G.711 codec. Moreover, in addition to unauthorized eavesdropping, attackers can retransmit intercepted voice messages (or fragments thereof) to achieve their goals.

However, I would like to immediately note that intercepting voice data is not as simple a task as it seems at first glance. The attacker must have information about the addresses of gateways or subscriber points, the VoIP protocols used (for example, H.323) and compression algorithms (for example, G.711). Otherwise, it will be difficult for an attacker to set up software to intercept traffic, or the volume of intercepted data and the time for analyzing it will exceed all permissible limits.

Data interception can be carried out both from inside the corporate network and from outside. A skilled attacker with access to the physical data transmission medium can connect his IP phone to the switch and thus eavesdrop on other people's conversations. He can also change the routes of network traffic and become the central node of the corporate network through which traffic of interest passes. Moreover, while in the internal network you can, with a certain degree of probability, detect an unauthorized device that intercepts voice data, in the external network it is almost impossible to detect taps. Therefore, any unencrypted traffic leaving the corporate network should be considered insecure.

Denial of service

Traditional telephone communication always guarantees communication quality even under high loads, which is not a given for IP telephony. High load on the network in which digitized voice data is transmitted leads to significant distortion and even loss of some voice messages. Therefore, one of the attacks on IP telephony may consist of sending a large number of “noise” packets to the IP telephony server, which clog the data transmission channel, and if a certain threshold value is exceeded, they can even disable part of the IP telephony network (i.e. a denial of service attack). Characteristically, to implement such an attack there is no need to “reinvent the wheel” - it is enough to use the well-known DoS attacks Land, Ping of Death, Smurf, UDP Flood, etc. One solution to this problem is bandwidth reservation, which can be achieved using modern protocols such as RSVP. Protection methods will be discussed in more detail below.

Denial of service is a serious problem for IP telephony devices.

Number substitution

To communicate with a subscriber in a regular telephone network, you must know his number, and in IP telephony, the role of the telephone number is played by the IP address. Therefore, it is possible that an attacker, using address spoofing, will be able to impersonate the subscriber you need. That is why the task of ensuring authentication is not overlooked in any of the existing VoIP standards and will be discussed a little later.

Attacks on subscriber points

It is necessary to understand that subscriber points implemented on a personal computer are less secure devices than special IP phones. This thesis also applies to any other software-based IP telephony components. This is due to the fact that not only IP telephony-specific attacks can be carried out on such components. The computer itself and its components (operating system, application programs, databases, etc.) are susceptible to various attacks that can also affect IP telephony components. For example, the Internet worms Code Red and Nimda, various Trojans and viruses, DoS attacks and their distributed modifications can all, if not disable the voice IP infrastructure, then significantly disrupt its functioning. At the same time, even if no vulnerabilities are found in the software itself (for the time being), other third-party software components used by it (especially well-known ones) can reduce the overall security to zero. After all, the general rule has long been known: “the security of the entire system is equal to the security of its weakest link.” For example, we can cite Cisco CallManager, which uses Windows 2000 Server, MS Internet Information Server and MS SQL Server for its operation, each of which has its own set of holes.

Attacks on dispatchers

Attackers can also attack nodes (Gatekeeper in H.323 terms or Redirect server in SIP terms) that store information about user conversations (subscriber names, time, duration, reason for call termination, etc.). This can be done both for the purpose of obtaining confidential information about the conversations themselves, and for the purpose of modifying and even deleting this data. In the latter case, the billing system (for example, that of a telecom operator) will not be able to correctly bill its customers, which may disrupt or damage the entire IP telephony infrastructure.

IP telephony standards and their security mechanisms

The lack of uniformly accepted standards in this area (see Fig. 2) does not allow the development of universal recommendations for the protection of IP telephony devices. Each working group or manufacturer solves the problems of ensuring the security of gateways and dispatchers in its own way, which leads to the need to carefully study them before choosing adequate protection measures.

H.323 Security

H.323 is a protocol that allows you to build a VoIP system from start to finish. H.323 includes a number of specifications, including H.235, which implements some security mechanisms (authentication, integrity, confidentiality, and non-repudiation) for voice data.

Authentication within the framework of the H.323 standard can be implemented either using symmetric cryptography algorithms (in this case, no preliminary exchange is required between the interacting devices and the central processor is not loaded as heavily), or using certificates or passwords. In addition, the H.235 specification allows the use of IPSec as an authentication mechanism, which is also recommended for use in other IP telephony standards.

After establishing a secure connection, which occurs through TCP port 1300, the nodes participating in the exchange of voice data exchange information about the encryption method, which can be used at the transport (encryption of RTP protocol packets) or network (using IPSec) level.

SIP Security

This protocol, similar to HTTP and used by subscriber points to establish connections (not necessarily telephone, but also, for example, for games), does not have serious security and is focused on the use of third-party solutions (for example, PGP). As an authentication mechanism, RFC 2543 offers several options and, in particular, basic authentication (as in HTTP) and PGP-based authentication. In an attempt to address the protocol's weak security, Michael Thomas of Cisco Systems developed a draft IETF standard called the "SIP security framework" that describes external and internal threats to the SIP protocol and how to protect against them. In particular, such methods include protection at the transport level using TLS or IPSec. By the way, Cisco, in its SAFE corporate network security architecture, pays great attention to practical issues of IP telephony security.

MGCP Security

The MGCP standard, defined in RFC 2705 and not applicable at endpoints (MGCP gateways can handle both H.323-capable and SIP-capable components), uses the IPSec specification's ESP protocol to protect voice data. The AH protocol can also be used (but not in IPv6 networks); it provides authentication, connectionless integrity and protection against replays for data transmitted between gateways. At the same time, the AH protocol does not provide data confidentiality, which is achieved by using ESP (along with the other three security functions).
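How the replay protection mentioned here defeats the packet replay attack described earlier, as an added example (not from the original article): a sliding-window sequence check in the style IPsec uses, placed behind an integrity check. The packet layout (4-byte sequence number, payload, HMAC-SHA256), the key and the payloads are simplifications constructed for illustration, not the AH or ESP wire format.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


class ReplayWindow:
    """Sliding window over sequence numbers (bit i set => top - i was seen)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.top:                    # new highest: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: reject
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset            # late but new: accept once
        return True


def protect(key, seq, payload):
    """Sender side: sequence number || payload || MAC over both."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key):
        self.key = key
        self.window = ReplayWindow()

    def accept(self, packet):
        """Return the payload, or None if the packet is forged or replayed."""
        if len(packet) < 4 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # integrity first, window second
        (seq,) = struct.unpack("!I", body[:4])
        if not self.window.check_and_update(seq):
            return None
        return body[4:]


def demo():
    key = b"constructed-demo-key"             # illustrative only
    rx = Receiver(key)
    login = protect(key, 1, b"REGISTER user=alice")   # constructed payload
    results = [rx.accept(login)]              # original: accepted
    results.append(rx.accept(login))          # captured copy resent: rejected
    results.append(rx.accept(protect(key, 3, b"voice-3")))
    results.append(rx.accept(protect(key, 2, b"voice-2")))  # reordered: accepted
    forged = struct.pack("!I", 9) + login[4:]  # new sequence number, old MAC
    results.append(rx.accept(forged))         # MAC no longer matches: rejected
    return results, rx.window.top


if __name__ == "__main__":
    print(demo())
```

Encryption alone does not stop a resent packet; the receiver needs an authenticated sequence number and a record of what it has already accepted.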

Security

Choosing the Right Topology

It is not recommended to use hubs for VoIP infrastructure, as they make it easier for attackers to intercept data. In addition, because digitized voice usually travels through the same cable system and through the same network equipment as regular data, it is worth correctly separating the information flows between them. This, for example, can be done using the VLAN mechanism (however, you should not rely on it alone). It is advisable to place servers participating in the IP telephony infrastructure in a separate network segment (see Fig. 3), protected not only using the protection mechanisms built into switches and routers (access control lists, address translation and attack detection), but also using additionally installed security tools (firewalls, attack detection systems, authentication systems, etc.).

You must remember that the transmission of voice data over your corporate network leaves a special imprint on its design. You should pay great attention to issues of high availability and fault tolerance. While users can still get used to a short-term outage of a Web server or mail system, they will not be able to get used to disruption of telephone communication. A regular telephone network fails so rarely that many users naturally assign the property of failure-free operation to its IP sister. Therefore, a failure in the operation of the VoIP infrastructure can undermine the trust of users in it, which in turn can lead to a refusal to use it and cause material damage to its owner.

Physical Security

It is advisable to prohibit unauthorized user access to network equipment, including switches, and, if possible, place all non-subscriber equipment in specially equipped server rooms. This will prevent unauthorized connection of an attacker's computer. In addition, you should regularly check for unauthorized devices connected to the network that can be “embedded” directly into the network cable. To identify such devices, you can use various methods, including scanners (for example, Internet Scanner or Nessus), which remotely determine the presence of “foreign” devices on the network.

Access control

Another fairly simple way to protect your VoIP infrastructure is to control MAC addresses. Do not allow IP phones with unknown MAC addresses to access gateways and other elements of the IP network that transmit voice data. This will prevent unauthorized connection of “foreign” IP phones that can listen to your conversations or carry out telephone communications at your expense. Of course, the MAC address can be faked, but you still shouldn’t neglect such a simple protective measure, which can be implemented without any problems on most modern switches and even hubs. Nodes (mainly gateways, dispatchers and monitors) must be configured to block all unauthorized attempts to access them. To do this, you can use both capabilities built into operating systems and products from third parties. And since we work in Russia, I recommend using products certified by the State Technical Commission of Russia, especially since there are a lot of such products.

VLAN

Virtual Local Area Network (VLAN) technology provides a secure division of a physical network into multiple isolated segments that operate independently of each other. In IP telephony, this technology is used to separate voice transmission from regular data transmission (files, e-mail, etc.). Dispatchers, gateways, and IP phones are placed on a dedicated VLAN for voice. As I noted above, VLAN makes life much more difficult for attackers, but does not eliminate all problems with eavesdropping on conversations. There are techniques that allow attackers to intercept data even in a switched environment.

Encryption

Encryption must be used not only between gateways, but also between the IP phone and the gateway. This will protect the entire path that voice data takes from one end to the other. Privacy is not only an integral part of the H.323 standard, but is also implemented in the equipment of some manufacturers. However, this mechanism is almost never used. Why? Because the quality of data transmission is a top priority, and continuous encryption/decryption of a voice data stream takes time and often introduces unacceptable delays into the process of transmitting and receiving traffic (a delay of 200...250 ms can significantly reduce the quality of conversations). In addition, as mentioned above, the lack of a single standard does not allow all manufacturers to adopt a single encryption algorithm. However, in fairness, it must be said that the difficulties of intercepting voice traffic so far make it possible to turn a blind eye to its encryption.

By the way, if you do decide to use encryption, remember that by encrypting voice data, you are hiding it not only from an attacker, but also from quality of service (QoS) tools, which will not be able to provide it with the appropriate bandwidth and priority service. Having eliminated one problem (vulnerability), you face another (quality of service). And you can be sure that in this situation you will prefer solving the second problem, neglecting the solution to the first. By the way, not everything can be encrypted either. Signaling protocols used in IP telephony are not recommended to be encrypted, because in this case you will encrypt all the service information necessary to maintain the functionality of the entire network.

But you shouldn’t give up encryption right away - it’s still necessary to protect your conversations. Therefore, it is worthwhile to approach VoIP data encryption wisely. For example, Cisco recommends using the Crypto command in the IOS operating system of your equipment instead of a GRE tunnel or Cisco VPN 3000 VPN concentrators, which makes it possible to protect data while maintaining quality of service. In addition, you can use selective encryption only for certain fields in VoIP packets.

Firewall

To protect a corporate network, firewalls are usually used, and they can equally well be used to protect VoIP infrastructure. The only thing that needs to be done is to add a number of rules that take into account the network topology, the location of installed IP telephony components, etc. For example, access to Cisco CallManager from the Internet or perimeter network is usually blocked, but when using Web-based management, such access must be allowed, but only on port 80 and only for a limited range of external addresses. And to protect the SQL server included in Cisco CallManager, you can deny access on all ports except 1433.

By the way, there are two types of firewalls that can be used to protect IP telephony components. The first of them, corporate, is installed at the exit from the corporate network and protects all its resources at once. An example of such a firewall is CiscoSecure PIX Firewall. The second type is personal, protecting only one specific node, which can host a subscriber point, gateway or dispatcher. Examples of such personal firewalls are RealSecure Desktop Protector or BlackICE PC Protector. In addition, some operating systems (such as Linux or Windows 2000) have built-in personal firewalls, which can be used to enhance the security of your VoIP infrastructure. Depending on the IP telephony standard used, the use of firewalls can lead to different problems. For example, after subscriber stations have exchanged information about connection parameters using the SIP protocol, all interaction is carried out through dynamically allocated ports with numbers greater than 1023. In this case, the firewall “does not know” in advance which port will be used for voice data exchange and, as a result, such exchange will be blocked. Therefore, the firewall must be able to analyze SIP packets in order to determine the ports used for communication and dynamically create or change its rules. A similar requirement applies to other IP telephony protocols.

Another problem is related to the fact that not all firewalls are able to competently process not only the IP telephony protocol header, but also its data body, which often contains important information. For example, information about subscriber addresses in the SIP protocol is located in the data body. A firewall's inability to "get to the bottom of things" may result in voice data being unable to pass through the firewall, or in a hole being left in the firewall that is too large and that attackers can exploit.
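What "analyzing SIP packets and dynamically changing rules" amounts to, as an added example that is not part of the original article: the media address and port are read from the SDP body of the signalling messages, a per-call opening is created for RTP and RTCP, and it is closed again when the call ends, which also avoids the ports left open after calls mentioned under poor network design. The class and function names, the messages and the addresses are constructed for illustration.

```python
import ipaddress


def parse_sip(raw):
    """Split a SIP message into start line, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_streams(body):
    """Return [(address, port)] for every active media stream in an SDP body."""
    session_addr, streams = None, []
    for line in body.split("\n"):
        line = line.strip()
        if line.startswith("c="):
            parts = line[2:].split()
            if len(parts) != 3 or parts[:2] != ["IN", "IP4"]:
                continue
            try:
                addr = str(ipaddress.IPv4Address(parts[2]))
            except ValueError:
                continue                      # malformed address: ignore line
            if streams:
                streams[-1][0] = addr         # media-level c= overrides
            else:
                session_addr = addr
        elif line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 2:
                continue
            port_text = fields[1].split("/")[0]
            if port_text.isdigit():
                streams.append([session_addr, int(port_text)])
    # Port 0 means the stream was declined; only dynamic ports are opened.
    return [(a, p) for a, p in streams if a and 1023 < p < 65535]


class PinholeTable:
    """Per-call firewall openings derived from signalling."""

    def __init__(self):
        self.by_call = {}                     # Call-ID -> {(ip, port), ...}

    def handle(self, raw):
        start, headers, body = parse_sip(raw)
        call_id = headers.get("call-id") or headers.get("i")  # "i": compact form
        if not call_id:
            return
        if start.split(" ", 1)[0] in ("BYE", "CANCEL"):
            self.by_call.pop(call_id, None)   # call over: close its ports
            return
        ctype = headers.get("content-type") or headers.get("c") or ""
        if ctype.lower().startswith("application/sdp"):
            holes = self.by_call.setdefault(call_id, set())
            for addr, port in sdp_streams(body):
                holes.add((addr, port))       # RTP
                holes.add((addr, port + 1))   # RTCP conventionally uses port + 1

    def allows(self, dst_ip, dst_port):
        return any((dst_ip, dst_port) in h for h in self.by_call.values())


def sip(start, call_id, sdp=None):
    """Build a constructed SIP message for the demo."""
    head = [start, f"Call-ID: {call_id}"]
    if sdp:
        head.append("Content-Type: application/sdp")
    return "\r\n".join(head + [""] + (sdp or []) + [""])


def demo():
    fw = PinholeTable()
    cid = "c0ffee@10.1.1.10"                  # constructed Call-ID
    fw.handle(sip("INVITE sip:bob@example.com SIP/2.0", cid,
                  ["v=0", "c=IN IP4 10.1.1.10", "m=audio 49170 RTP/AVP 0"]))
    fw.handle(sip("SIP/2.0 200 OK", cid,
                  ["v=0", "c=IN IP4 10.2.2.20", "m=audio 30000 RTP/AVP 0"]))
    during = [fw.allows("10.1.1.10", 49170), fw.allows("10.1.1.10", 49171),
              fw.allows("10.2.2.20", 30000), fw.allows("10.2.2.20", 30002)]
    fw.handle(sip("BYE sip:bob@example.com SIP/2.0", cid))
    after = [fw.allows("10.1.1.10", 49170), fw.allows("10.2.2.20", 30000)]
    return during, after


if __name__ == "__main__":
    print(demo())
```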

Authentication

Various IP phones support authentication mechanisms that allow their capabilities to be used only after the user presents a password or personal PIN and it is verified. However, it should be noted that this solution is not always convenient for the end user, especially when using an IP phone on a daily basis. The usual contradiction “security or convenience” arises.

RFC 1918 and Address Translation

It is not recommended to use IP addresses accessible from the Internet for VoIP - this significantly reduces the overall level of infrastructure security. Therefore, whenever possible, use addresses specified in RFC 1918 (10.x.x.x, 192.168.x.x, etc.) that are not routable on the Internet. If this is not possible, then you need to use the network address translation (NAT) mechanism on the firewall protecting your corporate network.

Attack detection systems

We have already discussed above some attacks that can disrupt the operation of the VoIP infrastructure. To protect against them, you can use well-proven and well-known intrusion detection systems in Russia, which not only promptly identify attacks, but also block them, preventing them from harming the resources of the corporate network. Such tools can protect both entire network segments (for example, RealSecure Network Sensor or Snort) and individual nodes (for example, CiscoSecure IDS Host Sensor or RealSecure Server Sensor).

IP telephony is increasingly being used in companies. It increases the efficiency of doing business and allows you to carry out many previously impossible operations (for example, integration with CRM and other business applications, reducing the costs of building and operating telecommunications infrastructure, creating effective call centers, reducing the total cost of system ownership, etc.). However, the active development of IP telephony is hampered by the fact that many rumors about its low security circulate around this technology. Cisco Systems has proven that this is not the case and this publication is intended to debunk existing myths about the insecurity of IP telephony.

It should be noted right away that Cisco is the only manufacturer that provides protection for the IP telephony infrastructure at all its levels, from the transport environment to voice applications. This is achieved by implementing solutions as part of the Cisco Self-Defending Network initiative. The high level of security of Cisco Systems solutions is confirmed by independent testing laboratories. In particular, NetworkWorld magazine (http://www.nwfusion.com/reviews/2004/0524voipsecurity.html) tested several IP telephony solutions and only Cisco received the highest possible rating of “SECURE”.

1. IP telephony does not protect against eavesdropping

Cisco IP telephony solutions use several technologies and mechanisms to ensure the confidentiality of conversations. First, voice traffic is allocated to a dedicated network segment and access to the voice stream is restricted using access control rules on routers and firewalls. Secondly, all voice traffic can be protected from unauthorized eavesdropping using virtual private network (VPN) technology. The IPSec protocol allows you to protect telephone conversations even across public-access networks, for example, the Internet. And finally, Cisco has implemented in its IP phones the SecureRTP (SRTP) protocol, specially designed to ensure the confidentiality of the voice stream, which does not allow outsiders to penetrate the secrets of telephone conversations.

2. IP telephony is susceptible to infection by worms, viruses and Trojans

To protect the IP telephony infrastructure from infection by various malware, Cisco offers a number of protective measures that allow you to build a layered defense that prevents not only the introduction, but also the spread of worms, viruses, Trojan horses and other types of malicious activity. The first line of defense is the use of firewalls and attack detection and prevention systems, along with antivirus software from Cisco partner companies, to restrict access to the IP telephony infrastructure.

The second line of defense is based on the use of antiviruses and attack prevention systems on end nodes participating in the IP telephony infrastructure - Cisco IP SoftPhone, Cisco CallManager, Cisco Unity, Cisco IP Contact Center (IPCC) Express, Cisco Personal Assistant, Cisco IP Interactive Voice Response etc.

The last, but not the least important line of defense is the Network Admission Control initiative proposed by Cisco Systems. As part of this initiative, all workstations and servers that do not comply with the security policy (including those with uninstalled anti-virus software) will not be able to access the corporate network and cause damage to its resources.

3. IP telephony does not protect against spoofing of phones and control servers

To protect against devices that try to masquerade as authorized IP phones or that are connected to the network infrastructure without authorization, Cisco suggests using not only the above-mentioned access control rules on routers and firewalls, but also well-developed means of strong authentication for all participants in the IP telephony infrastructure (including the CallManager management server), which rely on various standardized protocols, including RADIUS, X.509 PKI certificates, etc.

4. An attacker with administrative rights can disrupt the functioning of the IP telephony infrastructure

CallManager provides advanced capabilities for granting each system administrator only the rights needed to perform their duties. Such rights may include read-only access to specific settings, no access to them at all, access to change them, etc. In addition, all actions performed by the administrator are recorded in a special log and can be analyzed at any time in search of traces of unauthorized activity.

The configuration of IP phones and their interaction with CallManager is managed via a channel protected from unauthorized access, preventing any attempts to read or modify control commands. To protect the control channel, various standardized protocols and algorithms are used - IPSec, TLS, SHA-1, etc.

5. CallManager is not secure because it is installed on the Windows platform

Although the CallManager IP telephony infrastructure management server is installed on the Windows platform, it does not have the weak points inherent to this platform. This is because CallManager runs on a secured and optimized version of Windows in which:

  • all unnecessary services and accounts are disabled,
  • all necessary and regularly updated patches are installed,
  • security policy is configured.
In addition, CallManager is further protected by special scripts that are included in the distribution and automate the process of hardening the IP telephony infrastructure management server. An additional level of protection for CallManager from viruses, worms, Trojan horses and other malicious programs and attacks is achieved through the use of an antivirus (for example, McAfee) and the Cisco Secure Agent attack prevention system, which blocks all attempts by attackers to disable the main component of the IP telephony segment.

6. It is easy to make IP telephony fail

Although various components of IP telephony are potentially susceptible to denial of service attacks, Cisco Systems solutions offer a range of protective measures to prevent both DoS attacks and their consequences. To do this, you can use both information security mechanisms built into network equipment and additional solutions offered by Cisco Systems:

  • Division of the corporate network into non-overlapping voice and data segments, which prevents common attacks, including DoS, from reaching the “voice” segment.
  • Application of special access control rules on routers and firewalls that protect the perimeter of the corporate network and its individual segments.
  • Application of the Cisco Secure Agent attack prevention system on end nodes.
  • Application of the specialized Cisco Guard and Cisco Traffic Anomaly Detector protection systems against DoS and DDoS attacks.
  • Application of special settings on Cisco network equipment that prevent address spoofing, which is often used in DoS attacks, and limit bandwidth, so that the attacked resources cannot be disabled by a large flow of useless traffic.
7. IP phones can be accessed by unauthorized persons

IP phones themselves contain a number of special settings that prevent unauthorized access to them. Such settings include, for example, access to phone functions only after presenting an identifier and password, or prohibiting local changes to settings, etc.

In order to prevent unauthorized modified software and configuration files from being loaded onto the IP phone, their integrity is controlled by an electronic digital signature and X.509 certificates.

8. CallManager can be overloaded with a large number of calls

The maximum number of calls per hour per CallManager server is up to 100,000 (depending on configuration), and this number can be increased to 250,000 when using a CallManager cluster. At the same time, CallManager has special settings that limit the number of incoming calls to the required value. In addition, if communication with one of the CallManagers is lost, the IP phone can be automatically re-registered on the backup CallManager, and the call route can be changed automatically.

9. It’s easy to commit fraud in IP telephony

The IP telephony infrastructure management server CallManager contains a number of features that help reduce the likelihood of telephone fraud depending on its type (theft of services, falsification of calls, refusal of payment, etc.). In particular, for each subscriber you can:

  • block calls both to and from certain groups of numbers,
  • block the ability to forward calls to various types of numbers - landline, mobile, intercity, international, etc.,
  • filter calls based on various parameters,
  • etc.
Moreover, all these actions are carried out regardless of which telephone device the subscriber is making the call from. This is accomplished by authenticating each subscriber accessing the IP phone. If the user does not go through the authentication process, then he can only call a predefined list of telephone numbers, for example, ambulance, police or internal support department.

10. Traditional telephony is more secure than IP telephony

This is the most common myth that exists in the field of telephony. Traditional telephony, developed decades ago, is much less secure than the new and more advanced IP telephony technology. In traditional telephony, it is much easier to connect to someone else’s conversation, spoof a number, “flood” a line with calls and carry out many other threats, some of which have no analogues in IP telephony (for example, war dialing). The security of traditional telephony is provided by much more expensive tools and mechanisms than in IP telephony, in which these tools are built into the components of the technology itself. For example, to protect against eavesdropping, traditional telephony uses special devices called scramblers, which cannot be controlled centrally, not to mention the cost of purchasing and installing them in front of each telephone set.

IP telephony:
  1. Listening. When confidential information about users (identifiers, passwords) or confidential data is transmitted over unsecured channels, there is a possibility of eavesdropping and abuse by an attacker for personal gain.
  2. Data manipulation. Data transmitted over communication channels can, in principle, be changed.
  3. User data substitution. This occurs when an attempt is made to pass off one network user as another, which creates the possibility of unauthorized access to important system functions.
  4. Denial of service (DoS) is one of the types of attacks by violators, as a result of which some nodes or the entire network are disabled. It is carried out by flooding the system with unnecessary traffic, the processing of which consumes all system resources. To prevent this threat, you must use a tool to recognize such attacks and limit their impact on the network.

The basic elements in the field of security are:

  • authentication;
  • integrity;
  • active check.

Using advanced authentication tools helps keep your identification information and data intact. Such means may be based on information that the user knows (the password).

Information integrity is the ability of computer equipment or an automated system to keep information unchanged under conditions of accidental and (or) intentional distortion (destruction). A threat of integrity violation refers to any intentional modification of information stored in a computer system or transmitted from one system to another. When attackers deliberately change information, the integrity of the information is said to be compromised. Integrity will also be compromised if a random software or hardware error causes an unauthorized change.

And finally, active checking means verifying that the elements of the security technology are implemented correctly; it helps detect unauthorized network penetration and DoS attacks. Active checking in the background acts as an early warning system for various types of problems and therefore allows you to take proactive measures before serious damage occurs.

8.2. Methods of cryptographic information protection

The basis of any secure communication is cryptography. Cryptography is a set of methods for protecting information interactions against deviations from their normal, standard course caused by malicious actions of various subjects; these methods are based on secret algorithms for transforming information. In addition, cryptography is an important component of authentication, integrity and confidentiality mechanisms. Authentication is a means of confirming the identity of the sender or recipient of information. Integrity means that the data has not been changed, and confidentiality creates a situation in which the data cannot be understood by anyone other than its sender and recipient. Typically, cryptographic mechanisms exist in the form of an algorithm (a mathematical function) and a secret value (a key). Moreover, the more bits in such a key, the less vulnerable it is.

Suitable methods for assessing the effectiveness of cryptographic systems have not yet been developed.

The simplest criterion for such effectiveness is the probability of key discovery, or the cardinality of the key set (M). Essentially this is the same as cryptographic strength. To estimate it numerically, you can also use the complexity of breaking the cipher by trying all the keys.

However, this criterion does not take into account other important requirements for cryptosystems:

  • the impossibility of disclosing or meaningfully modifying information based on an analysis of its structure;
  • perfection of the security protocols used;
  • the minimum amount of key information used;
  • minimum complexity of implementation (in the number of machine operations), its cost;
  • high efficiency.

It is, of course, desirable to use some integral indicators that take into account these factors.

Three main cryptographic methods are used in security systems:

  • symmetric encryption;
  • asymmetric encryption;
  • one-way hash functions.

All existing authentication, integrity and confidentiality technologies are based on these three methods.

Secret key encryption technology (a symmetric algorithm) requires that both participants in an encrypted conversation have access to the same key. This is necessary because the sender uses the key to encrypt the message, and the recipient uses the same key to decrypt it. As a consequence, the problem of securely transmitting this key arises. Symmetric encryption algorithms use keys that are not very long and can quickly encrypt large amounts of data. The procedure for using symmetric key systems is as follows:

  1. A symmetric secret key is securely created, distributed and stored.
  2. The sender uses the symmetric encryption algorithm together with the secret symmetric key to obtain the ciphertext.
  3. The sender transmits the encrypted text. The symmetric secret key is never transmitted over unsecured communication channels.
  4. To recover the original text, the recipient applies the same symmetric encryption algorithm together with the same symmetric key, which the recipient already has.

The most widely used symmetric encryption cipher is DES (Data Encryption Standard), developed by IBM in 1976 and recommended by the US National Bureau of Standards for use in open sectors of the economy.

The DES algorithm works as follows. Data is presented in digital form and divided into blocks 64 bits long, which are then encrypted block by block. The block is divided into left and right parts. At the first stage of encryption, the right part is written in place of the left part of the block, and the sum modulo 2 (XOR operation) of the left and right parts is written in place of the right part. At the second stage, bitwise substitutions and permutations are performed according to a certain scheme. A DES key is 64 bits long, of which 56 are random bits and 8 are service bits used to check the key.


Fig. 8.1.

DES has two modes of operation: ECB (Electronic Code Book) and CBC (Cipher Block Chaining). CBC mode differs from the usual one in that, before the next block is encrypted, an "exclusive OR" operation is applied to it with the previous block. In situations where the reliability of the DES algorithm seems insufficient, its modification, Triple DES, is used. Strictly speaking, there are several variants of Triple DES. The simplest is re-encryption: the plaintext is encrypted with the first key, the resulting ciphertext with the second, and, finally, the data obtained after the second step with the third. All three keys are selected independently of each other.

IDEA (International Data Encryption Algorithm) is another block cipher with a key length of 128 bits. This European standard (from ETH, Zurich) was proposed in 1990. The IDEA algorithm is not inferior to the DES algorithm in terms of speed and resistance to analysis.

CAST is a block cipher that uses a 128-bit key in the US and a 40-bit key in the export version. CAST is used by Northern Telecom (Nortel).

The Skipjack cipher, developed by the US National Security Agency (NSA), uses 80-bit keys. It is part of the Capstone Project, which aims to develop a publicly available cryptographic standard that meets US government requirements. Capstone has four main components: the Skipjack cipher; digital signature algorithm based on the DSS (Digital Signature Standard) standard; hash function based on the SHA algorithm (Secure Hash Algorithm); a chip that implements all of the above (for example, Fortezza - PCMCIA board based on this chip).

The RC2 and RC4 ciphers were developed by Ron Rivest, one of the founders of RSA Data Security, and patented by this company. They use keys of different lengths and replace DES in exported products. RC2 is a block cipher with a block length of 64 bits; RC4 is a stream cipher. According to the developers, the performance of RC2 and RC4 must be no less than that of the DES algorithm.

All open encryption systems have the following main disadvantages. Firstly, the reliability of the channel for transmitting the key to the second participant in secret negotiations is fundamental. In other words, the key must be transmitted over a secret channel. Secondly, increased requirements are placed on the key generation service, because for n subscribers in the “everyone with everyone” interaction scheme, n × (n-1)/2 keys are required, that is, the dependence of the number of keys on the number of subscribers is quadratic.

To solve the above problems of symmetric encryption, systems with asymmetric encryption, or public key encryption, were designed; they use the properties of the functions with a secret (trapdoor functions) developed by Diffie and Hellman.

These systems are characterized by the presence of two keys for each subscriber: public and private (secret). In this case, the public key is transmitted to all participants in secret negotiations. Thus, two problems are solved: there is no need for secret delivery of the key (since using a public key it is impossible to decrypt messages encrypted for the same public key, and, therefore, there is no point in intercepting the public key); there is also no quadratic dependence of the number of keys on the number of users: for n users, 2n keys are required.

The first cipher developed on the principles of asymmetric encryption is the RSA cipher.

The RSA cipher is named after the first letters of the surnames of its inventors: Ron Rivest, Adi Shamir and Leonard Adleman - the founders of the RSA Data Security company. RSA is not only the most popular of the asymmetric ciphers, but perhaps the best known cipher in general. The mathematical rationale for RSA is as follows: finding the divisors of a very large natural number that is the product of two primes is an extremely labor-intensive procedure. Using a public key, it is very difficult to calculate the matching private key. The RSA cipher has been extensively studied and is found to be strong when the key length is sufficient. For example, 512 bits is not enough to ensure strength, but 1024 bits is considered an acceptable option. Some argue that as processor power increases, RSA will become less resistant to brute-force attacks. However, an increase in processor power will also make it possible to use longer keys, which will increase the strength of the cipher.


Fig. 8.2.

The cipher operates according to the following algorithm:

  • First step: two very large prime numbers p and q are randomly selected.
  • Second step: two products are calculated: n = pq, m = (p-1)(q-1).
  • Third step: a random integer E is selected that has no common factors with m.
  • Fourth step: find D such that DE = 1 modulo m.
  • Fifth step: the source text is divided into blocks X, each no greater than n.
  • Sixth step: to encrypt a message, calculate C = X^E modulo n.
  • Seventh step: for decryption, calculate X = C^D modulo n.

For encryption you need to know the pair of numbers E, n; for decryption, the pair D, n. The first pair is the public key, the second is the private key. Knowing the public key, you can calculate the value of the private key. A necessary intermediate step of this calculation is finding the factors p and q, for which n must be factored; this procedure takes a very long time. The cryptographic strength of the RSA cipher is associated with this enormous computational complexity.
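The seven steps above carried through with the same symbols (p, q, n, m, E, D, X, C), as an added example that is not part of the original text. The primes are deliberately tiny constructed values, so the last function can also show the point of the preceding paragraph: once n is factored, D follows immediately from the public key, which is why key length determines strength. Function names and the block-packing scheme are assumptions of this sketch, and no padding is applied, unlike real deployments.

```python
import math


def is_prime(k):
    # Trial division; adequate only for the toy sizes used here.
    return k > 1 and all(k % f for f in range(2, math.isqrt(k) + 1))


def make_keys(p, q, e):
    """Steps 1-4: derive the public pair (E, n) and private pair (D, n)."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    m = (p - 1) * (q - 1)
    if math.gcd(e, m) != 1:
        raise ValueError("E must have no common factors with m")
    d = pow(e, -1, m)            # D such that D*E = 1 modulo m (Python 3.8+)
    return (e, n), (d, n)


def encrypt(x, public):
    """Step 6: C = X^E modulo n."""
    e, n = public
    if not 0 <= x < n:
        raise ValueError("block X must be smaller than n")
    return pow(x, e, n)


def decrypt(c, private):
    """Step 7: X = C^D modulo n."""
    d, n = private
    return pow(c, d, n)


def block_size(n):
    # Largest whole number of bytes whose value is always below n.
    return (n.bit_length() - 1) // 8


def encrypt_message(data, public):
    """Step 5 plus step 6: split the text into blocks X < n, encrypt each."""
    size = block_size(public[1])
    if size < 1:
        raise ValueError("n is too small to hold one byte")
    return [encrypt(int.from_bytes(data[i:i + size], "big"), public)
            for i in range(0, len(data), size)]


def decrypt_message(blocks, private, length):
    size = block_size(private[1])
    out = b""
    for i, c in enumerate(blocks):
        width = min(size, length - i * size)   # last block may be shorter
        out += decrypt(c, private).to_bytes(width, "big")
    return out


def recover_private_key(public):
    """Factor n by trial division, then repeat step 4.

    Works only because n is tiny; the work grows with the size of the
    smallest prime factor, which is what a long key protects against.
    """
    e, n = public
    p = next(f for f in range(2, math.isqrt(n) + 1) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    public, private = make_keys(61, 53, 17)     # constructed toy primes
    print("public (E, n):", public, " private (D, n):", private)
    message = b"voice key 42"                   # constructed sample text
    cipher = encrypt_message(message, public)
    print("ciphertext blocks:", cipher)
    print("decrypted:", decrypt_message(cipher, private, len(message)))
    print("private key recovered from public key:", recover_private_key(public))
```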

Another cipher using asymmetric encryption, is


Posted on http://www.allbest.ru/

Introduction

1 Construction of an IP telephony network

1.1 Packet switching transport technologies

1.2 Levels of IP telephony architecture

1.3 Different approaches to building IP telephony networks

1.3.1 Network based on the H.323 protocol

1.3.2 SIP-based network

1.3.3 MGCP based network

1.4 Comparison of approaches to building an IP telephony network

1.5 Options for IP telephony systems (scenarios)

2. Types of threats in IP telephony and methods to combat them

2.1 Types of threats in IP telephony

2.2 Methods of cryptographic information protection

2.3 Protection against eavesdropping

2.4 Access network security

2.5 Authentication technologies

3. Ensuring security in terms of checking resource access rights (AAA). Comparison of TACACS+ and RADIUS protocols

3.1 Indirect authentication

3.2 AAA technologies based on the TACACS+ protocol

3.2.1 TACACS+ protocol

3.2.2 Properties of the TACACS+ protocol

3.2.3 AAA processes in the TACACS+ protocol

3.3 AAA technologies based on the RADIUS protocol

3.3.1 RADIUS protocol

3.3.2 Properties and capabilities of the RADIUS protocol

3.3.4 RADIUS audit process

3.3.5 Comparison of the capabilities of the TACACS+ and RADIUS protocols

3.3.6 Technical inconsistencies with the theoretical characteristics of the TACACS and RADIUS protocols

Conclusion

List of sources used

Introduction

IP telephony has enough advantages to soon spread throughout our country; taking into account the economic aspects and the message of the President of the Republic of Kazakhstan Nursultan Abishevich Nazarbayev to the people of Kazakhstan “New decade, new economic recovery, new opportunities for Kazakhstan”: “The leading economies of the world will operate in more complex, competitive conditions and will take preventive measures to prepare for the next economic cycle, increasing workforce productivity, investing in infrastructure and telecommunications, strengthening financial systems, improving government efficiency, and creating an enabling environment for business development.”

VoIP is a communication system that provides voice signal transmission over the Internet or any other IP networks. The signal over the communication channel is transmitted in digital form and, as a rule, is converted (compressed) before transmission in order to remove redundancy.

Gone are the days when operators were wary of using IP telephony, considering the level of security of such networks to be low. Today we can already say that IP telephony has become a kind of standard in telephone communications. This is explained by the convenience, relative reliability and relatively low cost of IP telephony compared to analog communications. It can be argued that IP telephony increases business efficiency and allows for previously unavailable operations such as integration with various business applications.

If we talk about the shortcomings and vulnerabilities of IP telephony, first of all, we should note the same “diseases” that other services using the IP protocol suffer from. This is exposure to worms and viruses, DoS attacks, unauthorized remote access, etc.

Despite the fact that when building an IP telephony infrastructure, this service is usually separated from network segments in which non-voice data flows, this is not a guarantee of security. Today, a large number of companies integrate IP telephony with other applications, such as email. On the one hand, this creates additional conveniences, but on the other hand, it also creates new vulnerabilities. In addition, the operation of an IP telephony network requires a large number of components, such as support servers, switches, routers, firewalls, IP phones, etc.

Among the main threats to which the IP telephone network is exposed are:

Registration of someone else's terminal, allowing you to make calls at someone else's expense;

Subscriber substitution;

Ending a communication session;

Denial of service;

Remote unauthorized access to IP telephony infrastructure components;

Unauthorized software update on an IP phone (for example, for the purpose of introducing a Trojan or spyware);

Hacking the billing system (for operator telephony).

This is not a complete list of possible problems associated with the use of IP telephony. The VoIP Security Alliance (VOIPSA) has developed a document describing a wide range of IP telephony threats, which in addition to technical threats includes VoIP extortion, spam, etc.

And yet the main vulnerability of IP telephony is the much-discussed human factor. The problem of security when deploying an IP telephone network is often relegated to the background, and the choice of solution is made without the participation of security specialists. In addition, specialists do not always configure the solution properly, even if it contains the appropriate protection mechanisms, or they purchase protection tools that are not designed to effectively process voice traffic (for example, firewalls may not understand the proprietary signaling protocol used in the IP telephony solution). Ultimately, the organization is forced to expend additional financial and human resources to protect the deployed solution or accept its insecurity.

1 Construction of an IP telephony network

1.1 Packet Switching Transport Technologies

Most manufacturers with a wide range of packet telephony products take a “technology neutral” position and allow the buyer to choose the technology that best suits their integration strategy. The basic packet voice technologies - Frame Relay, ATM and IP packet routing - differ in the efficiency of using communication channels, the degree of coverage of different sections of the network, reliability, manageability, information and access protection, as well as cost.

Figure 1.1. Speech on ATM

Figure 1.2. Speech over Frame Relay

Figure 1.3. Speech over IP

ATM transport technology has been successfully used for several years in public backbone networks and in corporate networks, and now it is beginning to be actively used for high-speed access via xDSL channels (for small offices) and SDH/Sonet (for large enterprises).

The main advantages of this technology are its maturity, reliability and the availability of developed means of operational network management. It has mechanisms for managing the quality of service and monitoring the use of network resources that are unsurpassed in their effectiveness. However, the limited prevalence and high cost of equipment do not allow ATM to be considered the best choice for organizing end-to-end telephone connections from one end node to another. Frame Relay technology was destined to play the same role in packet telephony that quasi-electronic PBXs played in circuit-switched telephony: they provided an example of efficient software-controlled technology, but had limited opportunities for further development.

Many enterprise networks have adopted Frame Relay's low-cost, predictable performance services, and most are happy with their choice. In the short term, voice transmission technology over Frame Relay will be quite effective for organizing multiservice access and long-distance communication channels. But Frame Relay networks are not widespread: as a rule, in practice, non-switched point-to-point connections are used.

The technology for transmitting voice information over networks with IP packet routing is attractive, first of all, for its versatility: speech can be converted into a stream of IP packets at any point in the network infrastructure - on the operator’s network backbone, at the edge of a geographically distributed network, on the corporate network and even directly at the end user terminal. Ultimately, it will become the most widely adopted packet telephony technology because it can reach all market segments while being highly adaptable to new applications. Despite the universality of the IP protocol, the implementation of IP telephony systems is hampered by the fact that many operators consider them to be insufficiently reliable, poorly managed and not very effective. But a well-designed network infrastructure with effective mechanisms for ensuring quality of service makes these shortcomings insignificant. Per port, the cost of IP telephony systems is at the level (or slightly lower) of the cost of Frame Relay systems, and is certainly lower than the cost of ATM equipment. At the same time, it is already clear that prices for IP telephony products are falling faster than for other products, and that there is a significant intensification of competition in this market.

1.2 IP telephony architecture levels

The architecture of Voice over IP technology can be simplified into two planes. The lower plane is the core network with IP packet routing, the upper plane is the open architecture for call service control (communication requests).

The bottom plane, to put it simply, is a combination of well-known Internet protocols: RTP (Real Time Transport Protocol), which operates on top of UDP (User Datagram Protocol), which in turn sits above the IP protocol in the TCP/IP protocol stack.

Thus, the RTP/UDP/IP hierarchy represents a kind of transport mechanism for voice traffic. Here we note that in networks with routing of IP packets for data transmission, mechanisms are always provided for retransmitting packets in the event of their loss.

When transmitting information in real time, the use of such mechanisms will only worsen the situation. Therefore, to transmit information that is sensitive to delays but less sensitive to losses, such as speech and video, the non-guaranteed delivery mechanism RTP/UDP/IP is used. ITU-T recommendations allow delays in one direction not exceeding 150 ms. If the receiving station requests retransmission of the IP packet, the delay will be too long.

Now let's move on to the upper plane of management of servicing communication requests. Generally speaking, call service control involves making decisions about where the call should be routed and how the connection between subscribers should be established.

The tool for such management is telephone signaling systems, starting with the systems supported by decade-step PBXs, which combined routing functions and the functions for creating a switched conversational channel in the same decade-step finders. Later, the principles of signaling evolved to signaling systems over dedicated signaling channels, to multi-frequency signaling, to common-channel signaling protocols No. 7 and to the transfer of routing functions to the corresponding service processing nodes of the Intelligent Network.

In packet-switched networks the situation is more complex. An IP routing network fundamentally supports a number of different routing protocols simultaneously.

Such protocols today are: RIP - Routing Information Protocol, IGRP - Interior Gateway Routing Protocol, EIGRP - Enhanced Interior Gateway Routing Protocol, IS-IS - Intermediate System-to-Intermediate System, OSPF - Open Shortest Path First, BGP - Border Gateway Protocol, etc. In the same way, a number of protocols have been developed for IP telephony.

The most common is the protocol specified in ITU-T recommendation H.323, in particular because it came into use earlier than other protocols, which, moreover, did not exist at all before the introduction of H.323.

Another call service control plane protocol, SIP, aims to make endpoints and gateways more intelligent and support value-added services for users.

Another protocol, SGCP, has been developed since 1998 in order to reduce the cost of gateways by implementing intelligent call processing functions in centralized equipment. IPDC is very similar to SGCP, but has many more operational management mechanisms (OAM&P) than SGCP. At the end of 1998, the MEGACO working group of the IETF committee developed the MGCP protocol, based mainly on the SGCP protocol, but with some additions in the OAM&P part.

The MEGACO working group did not stop there, continued to improve the gateway management protocol and developed the MEGACO protocol, which is more functional than MGCP.

1.3 Various approaches to building IP telephony networks

To make it clear how exactly the protocols differ from each other, I will briefly consider the architecture of networks built on the basis of these protocols, and the procedures for establishing and terminating connections using them.

1.3.1 Network based on the H.323 protocol

The first ever approach to building IP telephony networks on a standardized basis was proposed by the International Telecommunication Union (ITU) in recommendation H.323. Networks based on H.323 protocols are aimed at integration with telephone networks and can be considered as ISDN networks superimposed on data networks.

In particular, the connection establishment procedure in such IP telephony networks is based on the Q.931 recommendation and is similar to the procedure used in ISDN networks.

Recommendation H.323 provides a rather complex set of protocols, which are intended not just for transmitting voice information over packet-switched IP networks. Its purpose is to enable multimedia applications to operate on networks with unguaranteed quality of service. Voice traffic is just one of the applications of H.323, along with video and data.

The option for building IP telephony networks, proposed by the International Telecommunication Union in recommendation H.323, is well suited to those local telephone network operators who are interested in using a packet-switched network (IP network) to provide long-distance and international communication services. The RAS protocol, part of the H.323 protocol family, provides control over the use of network resources, supports user authentication, and can provide charging for services.

Figure 1.4 shows the network architecture based on the H.323 recommendation. The main network devices are: Terminal, Gateway, Gatekeeper and Multipoint Control Unit (MCU).

Figure 1.4. H.323 network architecture

An H.323 terminal is a user endpoint of an IP telephony network that provides two-way voice (multimedia) communication with another H.323 terminal, gateway or conference control device.

The IP telephony gateway implements the transmission of voice traffic over networks with routing of IP packets using the H.323 protocol. The main purpose of the gateway is to convert voice information coming from the PSTN into a form suitable for transmission over networks with IP packet routing. In addition, the gateway converts DSS1 and SS7 signaling messages into H.323 signaling messages and performs the reverse conversion in accordance with ITU H.246 recommendation.

The gatekeeper contains all the intelligence of the IP telephony network.

A network built in accordance with recommendation H.323 has a zone architecture (Figure 1.5). The gatekeeper performs the functions of managing one zone of the IP telephony network, which includes: terminals, gateways, conference control devices registered with this gatekeeper. Individual fragments of the H.323 network zone can be geographically separated and connected to each other through routers.

Figure 1.5. H.323 network zone

The most important functions of a gatekeeper are:

Registration of terminals and other devices;

Controlling access of system users to IP telephony services using RAS signaling;

Converting the address of the called user (declared subscriber name, phone number, e-mail address, etc.) into the transport address of networks with IP packet routing (IP address + TCP port number);

Monitoring, management and reservation of network capacity;

Relay of H.323 signaling messages between terminals.

In one IP telephony network that meets the requirements of ITU recommendation H.323, there can be several gatekeepers interacting with each other using the RAS protocol.

In addition to the basic functions defined by the H.323 recommendation, the gatekeeper may be responsible for user authentication and billing for telephone connections. A conference control device provides the ability to organize communications between three or more participants.

Recommendation H.323 provides for three types of conference (Figure 1.6): centralized (i.e. controlled by an MCU, with which each conference participant is connected in point-to-point mode), decentralized (when each conference participant is connected to the rest of its participants in point-to-multipoint mode) and mixed.

The advantage of a centralized conference is the relatively simple terminal equipment, the disadvantage is the high cost of the conference control device.

A decentralized conference requires more complex terminal equipment and it is desirable that the IP network supports the transmission of IP packets in IP multicasting mode. If this mode is not supported on the network, the terminal must transmit voice information to each of the other participants in the conference in point-to-point mode.

The conference control device consists of one mandatory element, a conference controller (Multipoint Controller - MC), and, in addition, may include one or more processors for processing user information (Multipoint Processor - MP). The controller may be physically associated with a gatekeeper, gateway, or conference control device, which in turn may be associated with a gateway or gatekeeper.

Figure 1.6. Types of conferences in H.323 networks

The conference controller is used to organize any type of conference. It organizes the exchange between conference participants of data about the modes supported by their terminals, and indicates in what mode conference participants can transmit information, and this mode can change during the conference, for example, when a new participant joins it.

Since there can be several controllers on the network, for each newly created conference a special procedure must be carried out to identify the controller that will manage this conference.

When organizing a centralized conference, in addition to the MC controller, an MP processor must be used to process user information. The MP processor is responsible for switching or mixing speech streams, video information and data. A decentralized conference does not require a processor.

There is another element of the H.323 network - the H.323 proxy server, i.e. an intermediary server. This server runs at the application level and can inspect packets of information exchanged between two applications.

The proxy server can determine which application (H.323 or other) the call is associated with and make the desired connection. The proxy server performs the following key functions:

Connection via dial-up means or local networks of terminals that do not support the Resource Reservation Protocol (RSVP). Two such proxy servers can form a tunnel connection in an IP network with a given quality of service;

Routing H.323 traffic separately from regular data traffic;

Ensuring compatibility with network address translators, since it is allowed to place H.323 equipment in networks with the address space of private networks;

Access protection - availability only for H.323 traffic.

The RAS (Registration Admission Status) protocol ensures the interaction of endpoints and other devices with the gatekeeper.

The main functions of the protocol are: registering a device in the system, controlling its access to network resources, changing the bandwidth during communication, polling and indicating the current state of the device. The transport protocol is UDP, a protocol without guaranteed delivery of information.

The H.225.0 (Q.931) protocol supports connection establishment, maintenance, and termination procedures. The transport protocol is TCP, a connection-oriented protocol with guaranteed delivery of information.

According to the H.245 protocol, information is exchanged between the participants in the connection, which is necessary to create logical channels. These channels transmit voice information packaged in RTP/UDP/IP packets.

Performing the procedures provided by the RAS protocol is the initial phase of establishing a connection using H.323 signaling. This is followed by the H.225.0 signaling phase (Q.931) and the exchange of H.245 control messages. The destruction of the connection occurs in the reverse order: first, the H.245 control channel and the H.225.0 signaling channel are closed, after which the gatekeeper is notified via the RAS channel that the previously occupied bandwidth has been released.

The complexity of the H.323 protocol is demonstrated in Figure 1.7, which shows a simplified scenario for establishing a connection between two users. This scenario assumes that the end users already know each other's IP addresses. In a typical case, there are more steps because gatekeepers and gateways are involved in establishing the connection.

Let's walk through this simplified scenario step by step.

1) User terminal A sends a connection request - a SETUP message - to user terminal B on TCP port 1720;

2) The terminal device of the called user B responds to the SETUP message with an ALERTING message, indicating that the device is free and the called user is alerted to an incoming call;

3) After user B accepts the call, a CONNECT message is sent to calling party A with the TCP port number of the H.245 control channel;

4) The end devices exchange information via the H.245 channel about the types of speech codecs used (G.729, G.723.1, etc.), as well as other functionality of the equipment, and notify each other about the RTP port numbers to which information should be conveyed;

5) Logical channels are opened for transmitting voice information;

6) Voice information is transmitted in both directions in RTP protocol messages; in addition, information transmission is monitored using the RTCP protocol.

Figure 1.7. Simplified scenario for establishing a connection in the H.323 network

The above call servicing procedure is based on the H.323 protocol version 1. Version 2 of the H.323 protocol allows you to transmit the information necessary to create logical channels directly in the H.225.0 protocol SETUP message without using the H.245 protocol.

This procedure is called “fast start” and allows you to reduce the number of information exchange cycles when establishing a connection. In addition to organizing a basic connection, H.323 networks provide additional services in accordance with ITU H.450.X recommendations.
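The ports opened in steps 3 and 4 of the version 1 scenario are negotiated per call, so a firewall on the path has to follow the signaling to know which ports to allow and when to close them. The following added example (not part of the original text) models that tracking; the messages are assumed to be already decoded, and the event name H245_RTP_PORT, the addresses and the port numbers are constructed for illustration.

```python
"""Model of a VoIP-aware firewall following the simplified H.323 call flow."""
from dataclasses import dataclass, field

H225_PORT = 1720  # TCP port that receives SETUP (step 1)


@dataclass
class Call:
    caller: str
    callee: str
    state: str = "SETUP"
    pinholes: set = field(default_factory=set)  # {(protocol, ip, port)}


class PinholeTracker:
    """Opens only ports announced in signaling and closes them on release."""

    def __init__(self):
        self.calls = {}  # call id -> Call

    def open_pinholes(self):
        """Return every dynamic port currently allowed through."""
        return set().union(*(c.pinholes for c in self.calls.values()))

    def on_message(self, call_id, msg, src, dst, port=None):
        """Apply one decoded signaling message; return True if accepted.

        `port` is the destination port for SETUP and the announced port for
        CONNECT (H.245 channel) and H245_RTP_PORT (RTP receive port).
        """
        call = self.calls.get(call_id)
        if msg == "SETUP":
            if call is not None or port != H225_PORT:
                return False
            self.calls[call_id] = Call(caller=src, callee=dst)
            return True
        if call is None or {src, dst} != {call.caller, call.callee}:
            return False  # unknown call, or a host that is not a party to it
        if msg == "ALERTING" and src == call.callee and call.state == "SETUP":
            call.state = "ALERTING"
            return True
        if (msg == "CONNECT" and src == call.callee and port
                and call.state in ("SETUP", "ALERTING")):
            call.pinholes.add(("tcp", src, port))  # H.245 control channel
            call.state = "CONNECTED"
            return True
        if msg == "H245_RTP_PORT" and port and call.state == "CONNECTED":
            call.pinholes.add(("udp", src, port))      # RTP
            call.pinholes.add(("udp", src, port + 1))  # RTCP, assumed RTP + 1
            return True
        if msg == "RELEASE_COMPLETE":
            del self.calls[call_id]  # every pinhole of the call goes with it
            return True
        return False


A, B = "192.0.2.1", "192.0.2.2"  # constructed terminal addresses
SAMPLE_CALL = [  # constructed events: (call id, message, src, dst, port)
    ("c1", "SETUP", A, B, H225_PORT),
    ("c1", "ALERTING", B, A, None),
    ("c1", "CONNECT", B, A, 30000),
    ("c1", "H245_RTP_PORT", A, B, 5004),
    ("c1", "H245_RTP_PORT", B, A, 6000),
    ("c1", "RELEASE_COMPLETE", A, B, None),
]


def replay(events):
    """Feed events to a fresh tracker; return it and the pinhole count per step."""
    tracker, counts = PinholeTracker(), []
    for call_id, msg, src, dst, port in events:
        tracker.on_message(call_id, msg, src, dst, port)
        counts.append(len(tracker.open_pinholes()))
    return tracker, counts


if __name__ == "__main__":
    print(replay(SAMPLE_CALL)[1])
```

The model covers the version 1 flow only; with fast start the channel parameters arrive in SETUP and there is no separate H.245 port to track.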

Another important problem worth noting is the quality of service in H.323 networks. An endpoint requesting access from a gatekeeper may use the transportQoS field in the RAS ARQ message to indicate its ability to reserve network resources.

Recommendation H.323 defines the Resource Reservation Protocol (RSVP) as a means of providing guaranteed quality of service, which requires terminals to support the RSVP protocol. Unfortunately, RSVP is not widely used, leaving H.323 networks without a core mechanism for ensuring guaranteed quality of service. This is a general problem with IP telephony networks and is not unique to H.323 networks.

1.3.2 Network based on the SIP protocol

The second approach to building IP telephony networks, proposed by the MMUSIC working group of the IETF committee in RFC 2543, is based on the use of the SIP - Session Initiation Protocol.

SIP is a text-based protocol that is part of the global multimedia architecture developed by the Internet Engineering Task Force (IETF).

This architecture also includes the Resource Reservation Protocol (RSVP, RFC 2205), the Real-Time Transport Protocol (RTP, RFC 1889), the Real-Time Streaming Protocol (RTSP, RFC 2326), the Session Description Protocol (SDP, RFC 2327) and the Session Announcement Protocol (SAP). However, the functionality of SIP is independent of any of these protocols.

It should be noted right away that although the H.323 protocol is the most widely used today, an increasing number of manufacturers are trying to provide support for the SIP protocol in their new products.

So far these are isolated phenomena and cannot seriously compete with the H.323 protocol. However, given the growth rate of the popularity of the SIP protocol, it is very likely that in the near future solutions based on it will occupy a significant niche in the IP telephony market.

The SIP approach to building IP telephony networks is much simpler to implement than H.323, but is less suitable for organizing interaction with telephone networks. This is mainly due to the fact that the SIP signaling protocol, which is based on the HTTP protocol, does not fit well with the signaling systems used in the PSTN. Therefore, SIP is more suitable for Internet service providers to provide IP telephony services, and this service will be just part of a package of services.

However, SIP supports intelligent network (IN) services such as name mapping, forwarding and routing, which are essential for using SIP as a signaling protocol in a public network where the operator's priority is to provide a wide range of telephone services.

Another important feature of the SIP protocol is its support for user mobility, i.e. its ability to access ordered services anywhere and from any terminal, and the ability of the network to identify and authenticate the user as he moves from one location to another.

This feature of SIP is not unique, and, for example, the H.323 protocol also largely supports this feature. Now is the time when this opportunity will become the main attractive feature of next-generation IP telephony networks. This mode of operation will require remote registration of users on the identification and authentication server.

Let's move directly to the architecture of networks based on the SIP protocol (Figure 1.8).

Figure 1.8. Example of a SIP-based network

A SIP network contains three main types of elements: user agents, proxy servers, and forwarding servers.

User agents (User Agents or SIP clients) are terminal equipment applications and include two components: a User Agent Client (UAC) and a User Agent Server (UAS), otherwise known as a client and a server, respectively.

The UAC client initiates SIP requests, i.e. acts as the calling party. The UAS server accepts requests and returns responses, i.e. acts as the called party.

Additionally, there are two types of SIP network servers: proxy servers (intermediary servers) and forwarding servers.

SIP servers can operate in either stateful or stateless mode.

A SIP server operating in stateless mode can serve an arbitrarily large number of users, unlike an H.323 gatekeeper, which can work with a limited number of users simultaneously.

A proxy server (Proxy-server) acts “on behalf of other clients” and contains client (UAC) and server (UAS) functions. This server interprets and can rewrite request headers before sending them to other servers (Figure 1.9). Reply messages follow the same path back to the proxy server rather than to the client.

Figure 1.9. SIP network with proxy server

Figure 1.9 shows the algorithm for establishing a connection using the SIP protocol with the participation of a proxy server:

1) The proxy server receives an INVITE connection request from the calling user's equipment;

2) The proxy server establishes the client's location using a location server;

3) The proxy server sends the INVITE request to the called user;

4) The called user's equipment notifies the latter of the incoming call and returns a message to the proxy server that the INVITE request is being processed (code 100). The proxy server, in turn, forwards this information to the calling user's equipment;

5) When the called subscriber receives a call, his equipment notifies the proxy server (code 200), which forwards information that the call has been accepted to the calling user's equipment;

6) The calling party confirms the establishment of the connection by sending an ACK request, which the proxy server forwards to the called party. The connection has been established and the subscribers can exchange voice information.

The Redirect server determines the current location of the called subscriber and reports it to the calling user (Figure 1.10). To determine the current location of the called subscriber, the redirection server accesses the location server, the principles of operation of which are not specified in the RFC 2543 document.

The algorithm for establishing a connection using the SIP protocol with the participation of a forwarding server is as follows:

1) The forwarding server receives an INVITE connection request from the calling party and contacts the location server, which provides the current address of the called client;

2) The forwarding server passes this address to the calling party. Unlike a proxy server, the forwarding (redirect) server does not transmit an INVITE request to the equipment of the called user;

3) The calling user's equipment confirms the completion of the transaction with the redirection server with an ACK request;

5) The called user's equipment notifies the latter of the incoming call and returns a message to the calling equipment that the INVITE request is being processed (code 100);

6) When the called subscriber accepts the call, the calling user's equipment is notified (code 200). The connection is established, the subscribers can exchange voice information.

Figure 1.10. SIP network with forwarding server

There is also a serverless connection option, when one terminal can send a request to another terminal directly.

SIP signaling enables user agents and network servers to determine location, issue requests, and manage connections.

INVITE - the request invites a user or service to participate in a communication session and contains a description of the parameters of this communication. With this request, the user can determine the functionality of his communication partner's terminal and start a communication session using a limited number of messages and confirmations of their receipt.

ACK - the request confirms receipt of the response to the INVITE command from the called party and completes the transaction.

OPTIONS - the request allows you to obtain information about the functionality of user agents and network servers. However, this request is not used to establish communication sessions.

BYE - The request is used by the caller and callee to destroy the connection. Before breaking the connection, user agents send this request to the server, indicating their intent to terminate the communication session.

CANCEL - the request allows user agents and network servers to cancel any previously sent request if a response has not yet been received.
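Because SIP is text-based, the request and response order described for the proxy scenario can be checked directly on the wire. The following added example (not part of the original text and not code from any SIP product) parses the start line together with the Call-ID and CSeq headers and flags messages that arrive out of order, such as a BYE for a session that was never set up. The state names, sample addresses and Call-ID values are constructed, and the sample messages are reduced to the headers the tracker reads.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
KNOWN_METHODS = {"INVITE", "ACK", "OPTIONS", "BYE", "CANCEL"}  # methods in the text

# (current state, event) -> next state; None means "no session state kept".
TRANSITIONS = {
    (None, "INVITE"): "INVITED",
    ("INVITED", "1xx/INVITE"): "INVITED",       # e.g. code 100, still in progress
    ("INVITED", "2xx/INVITE"): "ANSWERED",      # code 200, call accepted
    ("INVITED", "fail/INVITE"): "REJECTED",     # 3xx-6xx, including redirection
    ("INVITED", "CANCEL"): "INVITED",
    ("INVITED", "2xx/CANCEL"): "INVITED",
    ("REJECTED", "ACK"): None,
    ("ANSWERED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "BYE"): "CLOSING",
    ("CLOSING", "2xx/BYE"): None,
}


def parse_sip(raw):
    """Parse the start line plus the Call-ID and CSeq headers of one message."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    try:
        call_id = headers["call-id"]
        cseq_method = headers["cseq"].split()[1]
    except (KeyError, IndexError):
        raise ValueError("Call-ID or CSeq header missing or malformed")
    common = {"call_id": call_id, "cseq_method": cseq_method}
    req = REQUEST_LINE.match(start)
    if req:
        return {"kind": "request", "method": req.group(1), **common}
    status = STATUS_LINE.match(start)
    if status:
        return {"kind": "response", "code": int(status.group(1)), **common}
    raise ValueError(f"not a SIP start line: {start!r}")


def event_name(msg):
    """Requests map to their method, responses to '<class>/<CSeq method>'."""
    if msg["kind"] == "request":
        return msg["method"]
    klass = {1: "1xx", 2: "2xx"}.get(msg["code"] // 100, "fail")
    return f"{klass}/{msg['cseq_method']}"


class DialogTracker:
    def __init__(self):
        self.state = {}   # Call-ID -> state
        self.alerts = []  # (Call-ID, description)

    def feed(self, raw):
        msg = parse_sip(raw)
        cid, event = msg["call_id"], event_name(msg)
        if msg["kind"] == "request" and msg["method"] not in KNOWN_METHODS:
            self.alerts.append((cid, f"unknown method {msg['method']}"))
        elif msg["cseq_method"] == "OPTIONS":
            pass  # capability query, never part of session setup
        elif (self.state.get(cid), event) not in TRANSITIONS:
            self.alerts.append(
                (cid, f"{event} not expected in state {self.state.get(cid)}"))
        else:
            nxt = TRANSITIONS[(self.state.get(cid), event)]
            if nxt is None:
                self.state.pop(cid, None)
            else:
                self.state[cid] = nxt


def sample(start, call_id, cseq):
    """Build a constructed SIP message with only the headers used here."""
    return f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n"


CID = "a1@host.example"  # constructed Call-ID
NORMAL_CALL = [
    sample("INVITE sip:bob@example.com SIP/2.0", CID, "1 INVITE"),
    sample("SIP/2.0 100 Trying", CID, "1 INVITE"),
    sample("SIP/2.0 200 OK", CID, "1 INVITE"),
    sample("ACK sip:bob@example.com SIP/2.0", CID, "1 ACK"),
    sample("BYE sip:bob@example.com SIP/2.0", CID, "2 BYE"),
    sample("SIP/2.0 200 OK", CID, "2 BYE"),
]
STRAY_BYE = sample("BYE sip:bob@example.com SIP/2.0", "zz@other.example", "7 BYE")


def run(messages):
    """Feed messages to a fresh tracker and return it."""
    tracker = DialogTracker()
    for raw in messages:
        tracker.feed(raw)
    return tracker
```

The table follows only the session setup and teardown described here; methods outside the five listed, and a second INVITE inside an established session, are reported as unexpected and would need their own transitions.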

1.3.3 Network based on MGCP

The third approach to building IP telephony networks, based on the use of the MGCP protocol, was also proposed by the IETF committee, the MEGACO working group.

In developing this protocol, the MEGACO working group relied on a network architecture containing three types of main functional blocks (Figure 1.11):

Gateway - Media Gateway (MG), which performs the functions of converting voice information coming from the PSTN at a constant transmission rate into a form suitable for transmission over networks with IP packet routing (encoding and packaging of voice information into RTP/UDP/IP packets, as well as the inverse transformation);

Gateway controller - Call Agent, which performs gateway management functions;

Signaling Gateway (SG), which ensures the delivery of signaling information coming from the PSTN to the gateway controller and the transfer of signaling information in the opposite direction.

Thus, all the intelligence of a functionally distributed gateway is concentrated in the controller, the functions of which can be distributed across several computer platforms.

Figure 1.11. Network architecture based on the MGCP protocol

The signaling gateway performs the functions of STP - a transit point of the SS7 signaling network. The gateways themselves perform only the functions of converting speech information. One controller controls several gateways simultaneously.

There may be several controllers on the network. They are assumed to be synchronized with each other and consistently control the gateways involved in the connection. However, MEGACO does not define a protocol for synchronizing the operation of controllers.

In a number of works devoted to the study of the capabilities of the MGCP protocol, it is proposed to use the H.323, SIP or ISUP/IP protocols for this purpose. MGCP messages are carried over UDP, a protocol without guaranteed delivery. The IETF SIGTRAN Working Group is currently developing a mechanism for the gateway controller and signaling gateway to interact.

The signaling gateway must receive packets arriving from the PSTN from the three lower levels of the SS7 signaling system (levels of the MTP message transfer subsystem) and transmit signaling messages from the upper, user level to the gateway controller. The signaling gateway must also be able to transmit Q.931 signaling messages coming from the PSTN over the IP network.

The main focus of the SIGTRAN working group is on developing the most efficient mechanism for transmitting signaling information over IP networks.

It should be noted that there are several reasons why it was necessary to abandon the use of the TCP protocol for this purpose. The SIGTRAN working group proposes to use the Stream Control Transport Protocol (SCTP) for transmitting signaling information, which has a number of advantages over the TCP protocol, the main one of which is a significant reduction in the delivery time of signaling information and, consequently, the connection establishment time - one of the most important parameters of quality of service.

If the PSTN uses signaling over dedicated signaling channels (DSC), then the signals first arrive along with user information at the transport gateway, and then are transmitted to the gateway controller without the mediation of the signaling gateway.

Note that MGCP is an internal protocol for exchanging information between functional blocks of a distributed gateway, which externally appears to be a single gateway. The MGCP protocol is a master/slave protocol. This means that the gateway controller is the master, and the gateway itself is the slave device, which must execute all commands coming from the Call Agent controller.

The above solution provides network scalability and ease of network management through the gateway controller. Gateways do not have to be smart devices, require less processor power, and therefore become less expensive. In addition, new signaling protocols or additional services are introduced very quickly, since these changes only affect the gateway controller and not the gateways themselves.

The third approach, proposed by the IETF (MEGACO Working Group), is well suited for the deployment of global IP telephony networks that replace traditional telephone networks.

Let's consider algorithms for establishing and destroying connections using the MGCP protocol. The first example covers the interaction of the MGCP protocol with the SS7 protocol (Figure 1.12).

Figure 1.12. Establishing and tearing down a connection using MGCP (Example 1)

1) A connection request is received from the telephone exchange ATS-A to the signaling gateway SG1 via a common signaling channel in the form of an IAM message of the ISUP protocol. In Figure 1.12, signaling gateways SG1 and SG2 are combined with transport gateways TGW1 and TGW2, respectively. Gateway SG1 transmits the IAM message to the gateway controller, which processes the request and determines that the call should be routed to the ATS-B through TGW2.

2) The controller reserves the TGW1 gateway port (talk channel). For this purpose, it sends the CreateConnection command to the gateway. Note that the TGW1 gateway port can only receive information (“recvonly” mode), since it is not yet aware of which address and how it should transmit information.

3) In response to this command, the TGW1 gateway returns a description of the communication session parameters.

4) Having received the response from TGW1, the controller sends a CRCX command to the second gateway TGW2 in order to reserve a port in this gateway.

5) TGW2 selects the port that will participate in the connection and acknowledges receipt of the CRCX command. Using two CRCX commands, a unidirectional conversation channel is created to transmit acoustic signals or voice prompts and notifications to the caller. At the same time, the TGW2 gateway port can not only receive, but also transmit information, since it has received a description of the communication parameters from the opposite gateway.

7) The ATS-B station responds to the IAM message with an ACM confirmation, which is immediately forwarded to the ATS-A station.

8) After the called subscriber accepts the call, ATS-B sends an ANM message to the gateway controller.

10) TGW1 performs and confirms the mode change.

11) The controller transmits the ANM message to the ATS-A, after which the conversational phase of the connection begins.

12) Completion of the conversational phase occurs as follows. In our case, caller B hangs up first. ATS-B transmits a REL message through the signaling gateway to the gateway controller.

13) Having received the REL message, the gateway controller terminates the connection with the called subscriber.

14) The gateway confirms the completion of the connection and transmits the statistical data collected during the connection to the controller.

15) The gateway controller transmits an RLC message to the ATS-B to confirm the release.

16) In parallel, the controller terminates the connection with the calling party.

17) Gateway TGW1 confirms the completion of the connection and transmits statistical data collected during the connection to the controller.

18) ATS-A confirms the completion of the connection by sending an RLC message, after which the connection is considered destroyed.

Figure 1.13. Establishing and tearing down a connection using MGCP (Example 2)

The second example illustrates the interaction of the MGCP protocol with the SS7 and H.323 protocols (Figure 1.13).

1) A connection request (IAM message) is received from the telephone exchange ATS-A to the signaling gateway SG1 via a common signaling channel. In Figure 1.13, signaling gateway SG1 is also combined with transport gateway TGW1. Gateway SG1 sends the IAM message to the Gateway Controller, which processes the request and determines that the call should be routed to the called user's endpoint, an H.323 terminal.

2) The gateway controller reserves the TGW1 gateway port (talk channel). For this purpose, it sends the CreateConnection command to the gateway. In this example too, the TGW1 gateway port can only receive information (“recvonly” mode).

3) In response to the received command, the TGW1 gateway returns a description of the communication parameters.

4) Having received the response from the TGW1 gateway, the controller sends an ARQ message with the alias address of the called subscriber to the H.323 network gatekeeper.

5) In response to the ARQ message, the gatekeeper sends an ACF message indicating the transport address of its signaling channel.

6) The controller sends a SETUP connection request to the transport address of the gatekeeper signaling channel, using the Fast Start procedure. The gatekeeper forwards the SETUP message to the called terminal.

7) The called terminal sends an ARQ request for access to network resources.

8) In response to the ARQ request, the gatekeeper sends an ACF message confirming the request.

9) The called terminal sends an ALERTING message, which the gatekeeper routes to the gateway controller. In this case, the called user is given a visual or acoustic signal of an incoming call, and the calling user is given an indication that the called user is not busy and is receiving a call signal.

10) The controller converts the ALERTING message into an ACM message, which is immediately forwarded to the ATS-A.

11) After the called user accepts the incoming call, the controller will receive a CONNECT message.

12) The gateway controller changes the “recvonly” mode in the TGW1 gateway to full duplex mode.

13) TGW1 performs and confirms the connection mode change.

14) The controller transmits the ANM message to the ATS-A, after which the conversational phase of the connection begins, during which the calling user’s equipment transmits voice information packaged in RTP/UDP/IP packets to the transport address of the RTP channel of the called subscriber’s terminal, and the latter transmits packetized voice information to the transport address of the RTP channel of the calling subscriber's terminal. Using the RTCP channel, information transmission over the RTP channel is controlled.

15) After the end of the conversation phase, the connection destruction phase begins. The user equipment initiating the connection failure must stop transmitting voice information, close the logical channels and send a RELEASE COMPLETE message, after which the signaling channel is closed.

16) The gateway controller sends a RELEASE message to ATS-A to terminate the connection.

17) In addition, the controller sends the DLCX command to the gateway.

18) The gateway confirms the completion of the connection and transmits the statistical data collected during the connection to the controller.

19) After the above actions, the controller and terminal equipment notify the gatekeeper about the release of the occupied bandwidth. For this purpose, each of the connection participants sends a DRQ connection exit request to the gatekeeper via the RAS channel, to which the gatekeeper must send a DCF confirmation.

20) An RLC message confirming the disconnection arrives from ATS-A, after which the connection is considered destroyed.

It should be noted that the interaction algorithm between the SIP and MGCP protocols is not very different from the algorithm described above.
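In both examples the gateway simply executes the controller's commands, and those commands arrive over UDP, so it is worth checking who sent a command and whether it fits the connection's lifecycle before it is acted on. The following added example (not part of the original text and not code from any gateway product) applies such a check to the command sequence the steps describe: CRCX in recvonly mode, the change to full duplex (MDCX, the MGCP ModifyConnection verb, with mode sendrecv) and DLCX. The addresses, endpoint name and identifiers are constructed, and the model assumes that every command carries a call id.

```python
import re

COMMAND_LINE = re.compile(r"^([A-Z]{4}) (\d+) (\S+) MGCP (\d+\.\d+)$")
MODES = {"sendonly", "recvonly", "sendrecv", "inactive"}  # subset used here


def parse_command(datagram):
    """Parse an MGCP command: a header line followed by 'X: value' lines."""
    lines = datagram.replace("\r\n", "\n").split("\n")
    header = COMMAND_LINE.match(lines[0])
    if not header:
        raise ValueError("not an MGCP command line")
    params = {}
    for line in lines[1:]:
        if not line:
            break  # a blank line ends the parameters (a session description may follow)
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed parameter line: {line!r}")
        params[name.strip().upper()] = value.strip()
    return {"verb": header.group(1), "txid": int(header.group(2)),
            "endpoint": header.group(3), "params": params}


class CommandFilter:
    """Accepts connection commands only from known Call Agents, in a sane order."""

    def __init__(self, call_agents):
        self.call_agents = set(call_agents)
        self.connections = {}  # (endpoint, call id) -> current mode

    def check(self, src_ip, datagram):
        if src_ip not in self.call_agents:
            return "drop: sender is not a configured Call Agent"
        try:
            cmd = parse_command(datagram)
        except ValueError as exc:
            return f"drop: {exc}"
        verb, mode = cmd["verb"], cmd["params"].get("M")
        key = (cmd["endpoint"], cmd["params"].get("C"))
        if key[1] is None:
            return "drop: no call id (C:) parameter"
        if mode is not None and mode not in MODES:
            return f"drop: unknown mode {mode}"
        if verb == "CRCX":
            if key in self.connections or mode is None:
                return "drop: CRCX repeats a connection or lacks a mode"
            self.connections[key] = mode
        elif verb in ("MDCX", "DLCX"):
            if key not in self.connections:
                return f"drop: {verb} for unknown connection"
            if verb == "DLCX":
                del self.connections[key]
            elif mode is not None:
                self.connections[key] = mode
        else:
            return f"drop: verb {verb} not covered by this model"
        return "accept"


CALL_AGENT = "192.0.2.10"           # constructed controller address
EP = "ds/ds1-1/1@tgw1.example.net"  # constructed endpoint name on TGW1
SAMPLE = [  # constructed datagrams: (source address, command text)
    (CALL_AGENT, f"CRCX 1001 {EP} MGCP 1.0\nC: A3C47F21\nM: recvonly\n"),
    (CALL_AGENT, f"MDCX 1002 {EP} MGCP 1.0\nC: A3C47F21\nI: FDE234C8\nM: sendrecv\n"),
    ("198.51.100.7", f"DLCX 1003 {EP} MGCP 1.0\nC: A3C47F21\nI: FDE234C8\n"),
    (CALL_AGENT, f"DLCX 1004 {EP} MGCP 1.0\nC: A3C47F21\nI: FDE234C8\n"),
]


def replay(datagrams):
    """Run datagrams through a fresh filter; return it and the verdicts."""
    flt = CommandFilter({CALL_AGENT})
    return flt, [flt.check(src, text) for src, text in datagrams]


if __name__ == "__main__":
    for verdict in replay(SAMPLE)[1]:
        print(verdict)
```

A source-address check is only a first filter, since a UDP source address is not authenticated; the MGCP specification expects a lower layer such as IPsec to protect the channel.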

The MEGACO working group of the IETF continues to work on improving the gateway control protocol, within the framework of which the MEGACO protocol has been developed, which is more functional than MGCP.

The International Telecommunication Union, in draft version 4 of recommendation H.323, introduced the principle of gateway decomposition. The functional blocks of the distributed gateway will be controlled by the gateway controller - Media Gateway Controller - using the MEGACO protocol adapted to H.323, which is called Gateway Control Protocol in the H.248 recommendation.

MEGACO protocol messages differ from MGCP protocol messages, but the procedures for establishing and destroying connections using both protocols are identical, so a description of the connection establishment procedure based on the MEGACO protocol is not given here.

1.4 Comparison of approaches to building an IP telephony network


Currently, the H.323 and MGCP protocols are suitable for building well-functioning and PSTN-compatible IP telephony networks. As already noted, the SIP protocol interacts somewhat worse with the signaling systems used in the PSTN.

The approach based on the use of the MGCP protocol has a very important advantage over the approach proposed by the ITU in recommendation H.323: the gateway controller supports SS7 signaling and other types of signaling, as well as transparent transmission of signaling information over the IP telephony network.

The main disadvantage of the third approach presented in this paragraph is the incompleteness of the standards.

The functional components of distributed gateways developed by different telecommunications equipment manufacturers are practically incompatible.

The functions of the gateway controller are not precisely defined. The mechanisms for transferring signaling information from the signaling gateway to the controller and in the opposite direction are not standardized.

Disadvantages also include the lack of a standardized protocol for interaction between controllers. In addition, MGCP is a gateway control protocol, but is not intended to control connections involving user terminal equipment (IP phones).

This means that in a network built on the MGCP protocol, a gatekeeper or SIP server must be present to manage the terminal equipment.

It is also worth noting that in existing IP telephony applications, such as providing international and long distance communication, it is inappropriate to use the MGCP protocol (as well as the SIP protocol) due to the fact that the overwhelming number of IP telephony networks today are built on the basis of the H.323 protocol. The operator will have to build a separate IP telephony network based on the MGCP (or SIP) protocol, which is associated with significant capital investments. At the same time, a telecom operator with H.323 standard equipment can join existing IP telephony networks.

In the last of the approaches mentioned (in draft version 4 of Recommendation H.323), ITU-T introduced the gateway decomposition principle used in the third approach.

The distributed gateway functional blocks will be controlled by the gateway controller - MGC (Media Gateway Controller) using the MEGACO/H.248 protocol. The draft version 4 of the H.323 recommendation also provides for the possibility of transparent transmission of SS7 signaling and other types of signaling over IP telephony networks and processing of all types of signaling by the gatekeeper without conversion into H.225.0 signaling messages.

The information presented in this chapter is by no means sufficient to draw final conclusions regarding the prospects for using one or another IP telephony protocol, although the first impression may already be formed. In the following chapters, the authors will try to provide more in-depth information on this topic, but they undertake not to impose any one point of view on the reader, but to give him everything he needs to draw the appropriate conclusions himself.

1.5 IP telephony system options (scenarios)

There are three most commonly used IP telephony scenarios:

- “computer-to-computer”;

- “computer-to-telephone”;

- “telephone-to-telephone”.

The computer-to-computer scenario is implemented on the basis of standard computers equipped with multimedia tools and connected to the Internet.

The components of the computer-to-computer IP telephony model are shown in Figure 1.14. In this scenario, analog speech signals from subscriber A's microphone are converted to digital form by an analog-to-digital converter (ADC), typically at 8000 samples/s and 8 bits/sample, which gives a 64 Kbps stream.

The digital speech data samples are then compressed by an encoder to reduce the bandwidth needed to transmit them by a ratio of 4:1, 8:1 or 10:1. Speech compression algorithms are discussed in detail in the next chapter. The output data after compression is formed into packets, to which protocol headers are added, after which the packets are transmitted through the IP network to the IP telephony system serving subscriber B.

When the packets are received by subscriber B's system, the protocol headers are removed and the compressed speech data is passed to a decoder that decompresses it into its original form. The speech data is then converted back to analog form by a digital-to-analog converter (DAC) and delivered to subscriber B's phone.

For a typical connection between two subscribers, IP telephony systems simultaneously implement both transmit and receive functions at each end.
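The transmit and receive path described above, as an added Python example that is not part of the original text: it packetizes an already-encoded speech stream, strips the headers at the receiver, and computes how much bandwidth each compression ratio really needs once headers are counted. The 20 ms packet interval, the RTP/UDP/IPv4 header sizes, payload type 96 and the SSRC value are assumptions; the sample rate, sample size and ratios come from the text.

```python
import struct

SAMPLE_RATE = 8000       # samples/s, from the text
BITS_PER_SAMPLE = 8      # from the text: 8000 * 8 = 64 kbit/s uncompressed
FRAME_MS = 20            # assumption: speech carried in one packet
HDR_IP, HDR_UDP, HDR_RTP = 20, 8, 12   # assumption: IPv4 + UDP + RTP, no options
SAMPLES_PER_PKT = SAMPLE_RATE * FRAME_MS // 1000

def payload_bytes(ratio):
    """Bytes of encoded speech in one packet at compression ratio:1."""
    return SAMPLES_PER_PKT * BITS_PER_SAMPLE // 8 // ratio

def wire_kbps(ratio):
    """One-way IP-layer bit rate in kbit/s, protocol headers included."""
    pkt = HDR_IP + HDR_UDP + HDR_RTP + payload_bytes(ratio)
    return pkt * 8 * (1000 // FRAME_MS) / 1000

def packetize(speech, ratio, ssrc=0x1234, ptype=96):
    """Sender: cut the encoded stream into payloads and prepend an RTP header."""
    size = payload_bytes(ratio)
    pkts = []
    for n, off in enumerate(range(0, len(speech), size)):
        hdr = struct.pack("!BBHII", 0x80, ptype, n & 0xFFFF,
                          (n * SAMPLES_PER_PKT) & 0xFFFFFFFF, ssrc)
        pkts.append(hdr + speech[off:off + size])
    return pkts

def depacketize(pkts):
    """Receiver: check the header, reorder by sequence number, strip headers.
    Sequence-number wrap-around is not handled (short streams only)."""
    parsed = []
    for p in pkts:
        first, _ptype, seq, _ts, _ssrc = struct.unpack("!BBHII", p[:HDR_RTP])
        if first >> 6 != 2:
            raise ValueError("not an RTP version 2 packet")
        parsed.append((seq, p[HDR_RTP:]))
    return b"".join(payload for _, payload in sorted(parsed))

if __name__ == "__main__":
    for ratio in (1, 4, 8, 10):
        print(f"{ratio:>2}:1  payload {payload_bytes(ratio):>3} B  "
              f"on the wire {wire_kbps(ratio):.1f} kbit/s")
    stream = bytes(i % 256 for i in range(400))   # constructed stand-in for encoder output
    assert depacketize(list(reversed(packetize(stream, 4)))) == stream
```

Under these assumptions a 10:1 codec reduces the on-the-wire rate from 80 kbit/s to 22.4 kbit/s, not to a tenth, because the 40 bytes of headers per packet do not shrink with the payload.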

The IP network shown in Figure 1.14 is either the global Internet or an enterprise's corporate intranet. Description of the protocols used in IP networks, including protocols for transmitting voice information over an IP network.

Figure 1.14 Computer-to-Computer IP telephony scenario

To support the computer-to-computer scenario, it is desirable for the Internet service provider to have a separate server (gatekeeper) that converts user names into dynamic IP addresses. The scenario itself is aimed at a user who needs the network mainly for data transmission, and requires IP telephony software only occasionally for conversations with colleagues.

The effective use of computer-to-computer telephony is usually associated with increased productivity in large companies, for example, when organizing a virtual presentation on a corporate network where participants can not only view documents on the Web server but also discuss their contents using an IP phone.
