The headlines about spam and data theft soon could be replaced by headlines about attacks on the phone system.
The most salient fact for a service provider to know about VoIP security is that it is essentially Internet security. Almost anything that can attack the Internet can attack VoIP. “The most prevalent threats are the traditional security threats of data networks,” says David Endler, director of security research for TippingPoint, a division of 3Com Corp., and chair of the VoIP Security Alliance. “Everyone is very focused on VoIP-specific attacks, such as call hijacking and ‘spit,’ but if someone can compromise the underlying infrastructure all is moot. Worms and viruses can compromise infrastructure because it is not protected.”
There are some specific additional security measures, mostly dealing with securing the signaling to set up VoIP sessions, but, in general, networks with good practices for IP security will have good VoIP security.
Beyond that, there are issues of protecting the VoIP signaling and the voice medium itself so neither can be compromised to steal network service, bring down the network or listen in on conversations.
flooding the network
Denial-of-service (DoS) attacks can come from outside a network or within a network. “DoS attacks and activity are increasing,” says Bob Clavenna, senior product manager for session border controller vendor Netrake. “And it’s not just hackers. It is things like customers provisioning equipment incorrectly, not really malicious.”
A DoS attack does not have to occur suddenly. “Flooding by gradual increases in signaling, so it does not come as a wall, makes it tougher on attack-recognition devices,” says Bob Kersey, vice president of product management at CopperCom Inc. “Other tricks are multiple sources, such as if someone is able to find 50 to 100 endpoints on networks and tell them in a coordinated manner to start flooding the network and to send corrupt messages, which also floods the network.”
There are general IP networking tools to identify and deflect DoS attacks, but for VoIP, a specialized class of security devices is used by many network operators: session border controllers, from companies such as Acme Packet; the Kagoor brand of Juniper Networks Inc.; the Jasomi products of Ditech Communications Corp.; and Netrake.
These products usually offer a menu of security features, such as identifying devices that are the sources of DoS attacks and barring them from the network. But that is not their only domain of expertise. Session border controllers also have the ability to monitor and manage authentication and permission in sophisticated ways to give network operators protection from other kinds of attacks, such as fraud and theft.
going after the signal
The fact that VoIP uses UDP packets (which are shorter and easier to manipulate but less secure) rather than TCP packets also creates risks. “From our point of view, if you want to do security, you have to use TCP,” Kershaw says. That view is echoed by Netrake’s Clavenna, who says it is all part of a trend toward “more security to the device, meaning the endpoint.”
That will become more pronounced as wireless VoIP grows, he adds, and already is being seen in UMA networks. Service providers are “setting up encryption between a wireless handset and a UNC (UMA network controller)” like a softswitch that propagates tunneling of the signaling and the medium. It is being used by some GSM operators, such as T-Mobile USA Inc., Clavenna says, for dual-mode mobile/Wi-Fi phone services.
subterfuge and stealing
“One big issue is how to authenticate all these devices,” says Kershaw. However, even with good devices there can be holes, particularly in how that security is implemented. In SIPCert, a new security draft from the IETF, “devices authenticate with local proxies, like a PBX,” Kershaw says. “We would certify the PBX, so it is assumed that everything coming off the PBX is trusted. But there is nothing in the drafts that allows us to enforce that the PBX has done what it is supposed to do.” If it is shown that a PBX or other device is compromised, another complication is how to revoke privileges in a secure and organized manner, and to re-authorize once a system is secure again.
Solutions to these issues are known for IP networks generally, such as using OCSP, the Online Certificate Status Protocol, to check whether a certificate has been revoked, but specific policies and technologies need to be developed to manage it in VoIP. Ironically, a device sometimes is authenticated today for ENUM (a database for locating and connecting to VoIP endpoints) by faxing in two copies of the phone bill, Kershaw says.
The fact that ENUM databases, which contain location data for subscribers, even exist is a security challenge, and not an easy one to manage. There is a mechanism called DNSSEC for securing such databases, but the issue is as much about policy. “People are asking, ‘Do we need privacy?’” says Paul Mockapetris, chief scientist of Nominum Inc., which specializes in managing such huge databases. “Do you want someone to be able to track your address in London as you move around between 802.11 sites with a Wi-Fi phone? So we need to think about policy.”
Even if a device is authenticated, “how do I know that I am talking to you?” Kershaw asks. The industry is focused on authenticating devices, and the assumption is that the correct person is at the end of the line. “So there is a need, particularly in the enterprise, to have user-level authentication on top of device authentication. So you have a credential that is a unique identifier for you,” he concludes.
Being sure a device and person are authenticated usually involves protecting signaling in VoIP packet headers, data that could be used to corrupt authentication. “But now we are seeing more interest in listening in and eavesdropping, and therefore, we need to encrypt the payload as well,” says Kersey.
And because VoIP, specifically SIP VoIP, was designed to resemble other IP communication, such as e-mail, it is subject to many of the same abuses, such as spam. SIP spam, called “spit” by some, can be most damaging because, unlike traditional telemarketing, it can be automated in the same way spam can be set up to deliver millions of messages. The specter of subscribers receiving as many bogus phone calls in the future as they do spam e-mails today has network operators anxious to come up with ways to filter VoIP calling. One idea to control “spit” was to request that the caller enter a specific digit or series of digits, which would be difficult for an automated spit flow to do.
Service providers also need to monitor their own networks. “We have to ask, are we part of the problem? Are we the source of very rapid-fire calling going out?” says Kersey. The solution is to throttle back subscriber bandwidth and limit the rate of calls an endpoint can place to protect the VoIP network. CopperCom caches calls coming through off-net, and examines packets to see if they come from some blacklisted or even gray-listed source.
more sophistication
“The other generic area that we see today is needing deep signaling validation,” says Kersey. This is another area where session border controllers shine, analyzing packets before they reach a next-generation switch, such as CopperCom’s. “They grab a call and do analysis on it, such as who is calling, call patterns and profiles of that endpoint and how it makes calls in the network,” says Kersey. “The analysis is spread out over a period of time, and it builds up a profile of how a caller typically is using the network. So if it sees odd behavior, particularly from an endpoint, it can bounce that up against caller profiling.”
This kind of security protection is operating at a different layer than that protecting against DoS attacks, or handling pinholing and NAT traversal. It is working more at the application layer, looking at the character of calls, and possibly throttling bandwidth to that endpoint. The capabilities are likely to be implemented, not just in session border controllers, but also in routers and in the next-generation switches that span IP and TDM networks.
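The caller profiling described above, combined with the per-endpoint call-rate limit mentioned earlier, can be sketched as follows. This is an added example, not CopperCom's or any session border controller vendor's code; the moving-average baseline, the thresholds, the class and function names and the sample endpoints are all assumptions made for illustration.

```python
from collections import defaultdict
from math import sqrt

class CallerProfiler:
    """Per-endpoint calls-per-window baseline (moving average) plus a hard ceiling."""

    def __init__(self, alpha=0.2, k=4.0, warmup=5, hard_cap=30):
        self.alpha, self.k = alpha, k            # smoothing factor, deviation multiplier
        self.warmup, self.hard_cap = warmup, hard_cap
        self.state = defaultdict(lambda: {"n": 0, "mean": 0.0, "var": 0.0})

    def observe(self, endpoint, calls):
        """Score one window's call count: 'ok', 'anomaly' or 'throttle'."""
        s = self.state[endpoint]
        verdict = "ok"
        if calls > self.hard_cap:
            verdict = "throttle"                 # absolute limit, independent of history
        elif s["n"] >= self.warmup:
            limit = s["mean"] + self.k * max(sqrt(s["var"]), 1.0)
            if calls > limit:
                verdict = "anomaly"              # odd for this endpoint's own profile
        if verdict == "ok":                      # only clean windows update the profile
            if s["n"] == 0:
                s["mean"] = float(calls)
            else:
                d = calls - s["mean"]
                s["mean"] += self.alpha * d
                s["var"] = (1 - self.alpha) * (s["var"] + self.alpha * d * d)
            s["n"] += 1
        return verdict

def scan(windows, **settings):
    """windows: sequence of (endpoint, calls_in_window). Returns the flagged windows."""
    profiler = CallerProfiler(**settings)
    flagged = []
    for i, (endpoint, calls) in enumerate(windows):
        verdict = profiler.observe(endpoint, calls)
        if verdict != "ok":
            flagged.append((i, endpoint, calls, verdict))
    return flagged

# Constructed sample data: calls placed per one-minute window.
SPIKE = [("sip:alice@example.net", c) for c in [3, 4, 2, 3, 5, 4, 3, 25, 4]]
RAMP = [("sip:pbx7@example.net", c) for c in range(2, 40, 2)]  # slow, steady climb

if __name__ == "__main__":
    for row in scan(SPIKE) + scan(RAMP):
        print(row)
```

On the constructed data, the sudden burst is flagged against the endpoint's own profile, while the gradual ramp never trips the adaptive baseline and is stopped only by the fixed call-rate ceiling, which is why the two controls are paired.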
Technology providers are developing ways to track usage and report changes. If a service provider sees a dramatic change in use, it may try to notify the customer, whose network or account may be compromised.
Tight security requires not only good technology but also effective policies. “Once something happens, you don’t want to be scrambling,” says Julian Thomson, senior vice president of business development at CopperCom. Service providers need to “make sure they have policies in place and that they have the product in the network and that it is up and running.”
| Links |
| 3Com Corp. www.3com.com |
| Acme Packet www.acmepacket.com |
| CopperCom Inc. www.CopperCom.com |
| Ditech Communications Corp. www.ditechcorp.com |
| The Internet Engineering Task Force (IETF) www.ietf.org |
| Juniper Networks Inc. www.juniper.net |
| Netrake www.netrake.com |
| Nominum Inc. www.nominum.com |
| T-Mobile USA Inc. www.t-mobile.com |
| VeriSign Inc. www.verisign.com |
| VoIP Security Alliance (VOIPSA) www.voipsa.org |