Industry View | VoIP Security
Bob Bradley of Sonus Networks provides practical tips for mitigating VoIP security risks
In this role, the network border switch provides enterprises with their first line of defense on the perimeter at network demarcation points, the points that relay traffic between the enterprise and the carrier peering partner. These elements not only defend the core enterprise network from VoIP-related intrusions, but also provide policy-based control over IP voice sessions, basic signaling protocol interworking (SIP, H.323, SIP-I), QoS (quality of service), bandwidth management of media streams and advanced media services, such as audio codec transcoding and fax support.
The network border switch's role becomes even more important as enterprises with multiple locations become more vulnerable to DoS attacks by interconnecting over the public Internet, in lieu of dedicated connections, to carry both external and intra-company VoIP traffic. In this scenario, enterprises can mitigate risk by implementing a split DMZ-style topology for VoIP elements front-ended with an SBC. This deployment protects the VoIP network in the same way that established designs protect Web server farms and database systems from DoS attacks.
As you look to protect the network from the inside out, it is important to recognize that, although built on IP, VoIP network elements such as provisioning systems, billing systems, SIP servers and IP PBXs share common vulnerabilities with their non-VoIP counterparts. This is because these systems are built from commercial off-the-shelf (COTS) components, such as commodity operating systems (Solaris, Linux, Windows) running on general-purpose computers. Other COTS components may be protocol stacks (TCP/IP) from OEMs that are embedded in proprietary platforms. Vulnerabilities may therefore exist, but intrusions and exploits can be mitigated by proper hardening, just as their non-VoIP counterparts are hardened when provisioned today.
In addition to these traditional weaknesses, VoIP-specific vulnerabilities, such as SIP protocol stack corruption, may exist as well. These threats can be mitigated by many of the same general techniques used for protection at the lower layers. Because SIP is stateful at the session level, organizations need a class of session-aware devices, such as the SBC described earlier, to provide the edge protection that firewalls, ACLs and VoIP exploit-signature matching by IDS/IPS do not.
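To make concrete what "session-aware" means in the SBC discussion above, here is an added Python example (written for this page, not code from Sonus or the article) of a minimal SIP dialog tracker: it admits an in-dialog request such as BYE only when the Call-ID and From/To tags match a dialog it watched being set up by an INVITE and its 200 OK, which is exactly the state a port-based firewall rule or ACL does not hold. The message bodies, addresses, Call-IDs and tags are constructed sample data.

```python
import re
from typing import Dict, Set, Tuple

def parse_sip(msg: str) -> Tuple[str, Dict[str, str]]:
    # Split one SIP message into its start line and a lower-cased header map.
    lines = msg.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def tag_of(header: str) -> str:
    # Return the ;tag= parameter of a From/To header ('' if absent).
    m = re.search(r";tag=([^;\s]+)", header)
    return m.group(1) if m else ""

class SipDialogFilter:
    """Session-aware filter: an in-dialog request (BYE, re-INVITE) is allowed only
    when its Call-ID and tags match a dialog this filter saw being established."""
    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}        # Call-ID -> From tag of an INVITE
        self.dialogs: Dict[str, Set[str]] = {}   # Call-ID -> {from tag, to tag}

    def inspect(self, msg: str) -> str:
        start, h = parse_sip(msg)
        call_id = h.get("call-id", "")
        tags = {tag_of(h.get("from", "")), tag_of(h.get("to", ""))} - {""}
        if start.startswith("SIP/2.0"):          # a response: watch for the INVITE's 200 OK
            if (start.split()[1] == "200" and h.get("cseq", "").endswith("INVITE")
                    and self.pending.get(call_id) in tags):
                self.dialogs[call_id] = tags      # dialog confirmed, both tags known
                del self.pending[call_id]
            return "allow"
        method = start.split()[0]
        if method == "INVITE" and call_id not in self.dialogs:
            self.pending[call_id] = tag_of(h.get("from", ""))   # new session attempt
            return "allow"
        if self.dialogs.get(call_id) == tags:     # request belongs to a live dialog
            if method == "BYE":
                del self.dialogs[call_id]         # session torn down
            return "allow"
        return "drop"   # no matching dialog: a stateless ACL keyed on IP/port would pass this

def build(start: str, call_id: str, from_tag: str, to_tag: str, cseq: str) -> str:
    # Constructed sample SIP message for the demo (not captured traffic).
    to = "<sip:b@pbx.example>" + (f";tag={to_tag}" if to_tag else "")
    return f"{start}\r\nCall-ID: {call_id}\r\nFrom: <sip:a@carrier.example>;tag={from_tag}\r\nTo: {to}\r\nCSeq: {cseq}\r\n"

def run_demo() -> list:
    f = SipDialogFilter()
    return [f.inspect(build("INVITE sip:b@pbx.example SIP/2.0", "c1", "t1", "", "1 INVITE")),
            f.inspect(build("SIP/2.0 200 OK", "c1", "t1", "t2", "1 INVITE")),
            f.inspect(build("BYE sip:a@carrier.example SIP/2.0", "c9", "t1", "t2", "2 BYE")),  # unknown Call-ID
            f.inspect(build("BYE sip:a@carrier.example SIP/2.0", "c1", "t1", "t2", "2 BYE"))]  # live dialog
```

`run_demo()` returns `['allow', 'allow', 'drop', 'allow']`: the BYE for a Call-ID the filter never saw set up is dropped, while the BYE that matches the established dialog passes and closes it.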
Another technique that businesses should consider is placing VoIP phones on separate, secured VLANs to protect against unauthorized devices that may eavesdrop on internal communication and lead to theft or fraud. Additionally, to further protect against these breaches, VoIP devices should also be isolated so inbound and outbound traffic is limited and can be easily controlled by a call manager. Businesses should also implement encryption technology to secure calls that travel over public networks to prevent the fraudulent use of VoIP, including authentication exploitation and theft.