Securing Carrier VoIP Networks
BY CRAIG WARREN
Carriers and service providers deploying VoIP networks are recognizing
the need to protect the infrastructure from hackers and denial of service (DoS)
attacks. After all, VoIP networks are IP-based networks just like the public
Internet, and we've seen how vulnerable the Internet is to such
disruptions. The attacks demonstrate just how easy it is to gain access to
Internet-connected servers and steal, damage, or corrupt their contents.
When carriers and service providers deploy VoIP networks, they will have to
take precautions or suffer the fate of eBay, Amazon.com, and others:
security breaches, lost business, and all.
The old saying about an ounce of prevention applies here. The best time
to mount a defense is when attacks happen. But few carriers, other than the
IP purists building next-generation networks from scratch, really understand
the problem. Most companies wait until they experience a security breach
before taking action. Many of them don't know that new VoIP security
solutions are available today. What's more, standards are taking shape
that will provide more choices and lower prices.
The Internet was designed for data. In its current state, it cannot
replicate the public switched telephone network (PSTN). It's just not as
reliable. And VoIP networks have been limited experiments. They can't yet
boast the reliability that 100 years of refinement have given the current
telephone network.
Some VoIP service providers use the public Internet to carry voice
packets, while other carriers wouldn't think of using it because of its
poor voice quality. But voice quality could be the least of their problems.
The same operating systems and underlying computer hardware that power the
World Wide Web are used in VoIP infrastructure. Most application servers,
location servers, proxy servers, softswitches, and gatekeepers used in VoIP
networks are open system platforms with their own inherent vulnerabilities.
Like those on the public Internet, these systems are susceptible to the same
attacks, vulnerable to the same security breaches, and are sitting ducks
unless the proper precautions are taken.
THE IMPORTANCE OF VoIP SECURITY
Backbone carriers and service providers have found that IP voice traffic
has its own particular set of characteristics that render data security
solutions inadequate. They've asked vendors to develop new products to
protect their next-generation IP networks and expect them to actively
support standards. Of course, they still need to preserve voice quality,
too. Carriers and service providers establish peering relationships by
interconnecting their networks. Carriers collocate and connect directly
through LAN interfaces, while others connect over a WAN through routers. For
all practical purposes, interconnected networks become one larger network,
each side inheriting the strengths and weaknesses of the other. Just like
the weakest link in a chain, the combined network becomes just as vulnerable
as the weakest network. Carriers and service providers are thus looking for
ways to protect their networks at the peering points.
In order to have a viable service, carriers and service providers must
deploy secure, reliable, real-time communications. Failure to implement
security solutions will make VoIP networks susceptible to outages and
slowdowns that could result in lost revenue, reputation, and customer
confidence. One way to avoid this problem is to install a firewall system
that can handle the real-time demands of IP telephony and multimedia
applications. Such a device must meet two requirements:
- It must have a firewall policy that allows one host to send packets to
another host, from one port to another; and
- It must allow call control (signaling elements) to control the
firewall.
HOW IT WOULD WORK
One solution is to design a system that would use high-speed, stateless,
packet-filtering technology that allows policy provisioning while enabling
signaling elements to have control over the firewall. This system would
resemble an IETF proposal that describes a
decomposed model for providing firewall and network address translation
(NAT) functions under application control.
In an IP telephony network, special consideration must be given to
signaling elements, which are responsible for locating the called party and
for arbitrating call setup and teardown messages. Under the decomposed model
endorsed by the IETF, these signaling elements control the firewall.
When a signaling element observes that an authorized call is being set up
between two endpoints, it can glean the relevant IP addresses and port
numbers from those messages to create policy for the firewall, or for
multiple firewalls. When the call is torn down, the same (or another)
signaling element can remove the policy from the firewall. The result: The
firewall remains closed until a call is set up.
When a call is set up, policy within each firewall is modified by the IP
telephony network element(s) to allow the media packets for that telephone
call to flow through them. As each new call is set up, policy is created to
match, and as each call is torn down, policy is removed. At any given
instant, the firewall allows only the media for existing, authorized calls
to pass through it. No other traffic passes and, consequently, there are no
attacks.
Of course, some static policy is necessary to allow signaling traffic to
pass through the firewall, as well as to allow other potentially essential
network traffic. This sort of policy must be site-specific and supported by
the system.
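As an added illustration (not the article's or Aravox's code), here is a Python model of the decomposed firewall described above: closed by default, with a static rule for signaling and per-call media pinholes that the signaling element opens at setup and removes at teardown. The addresses, ports and the `PinholeFirewall` API are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """5-tuple match on (src_ip, src_port, dst_ip, dst_port, proto); None means 'any'."""
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    proto: str = "udp"

    def matches(self, pkt: tuple) -> bool:
        want = (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)
        return all(w is None or w == g for w, g in zip(want, pkt))

class PinholeFirewall:
    def __init__(self, static_rules):
        self.static = list(static_rules)   # site-specific policy, e.g. signaling
        self.calls = {}                    # call_id -> media rules for that call

    def call_setup(self, call_id, a_ip, a_port, b_ip, b_port):
        """Signaling element saw an authorized setup and learned both media
        addresses (e.g. from SDP); open the RTP path in both directions."""
        self.calls[call_id] = [Rule(a_ip, a_port, b_ip, b_port),
                               Rule(b_ip, b_port, a_ip, a_port)]

    def call_teardown(self, call_id):
        """Call ended; the pinhole closes immediately."""
        self.calls.pop(call_id, None)

    def permits(self, pkt: tuple) -> bool:
        rules = self.static + [r for rs in self.calls.values() for r in rs]
        return any(r.matches(pkt) for r in rules)

# Constructed addresses: proxy 10.0.0.5, subscriber 10.0.0.21, peer 192.0.2.44
PROXY = "10.0.0.5"
fw = PinholeFirewall([Rule(None, None, PROXY, 5060)])   # only SIP to the proxy is static

def demo():
    """Returns (before_setup, during_call, wrong_port_during_call, after_teardown)."""
    rtp = ("192.0.2.44", 30000, "10.0.0.21", 20000, "udp")
    before = fw.permits(rtp)
    fw.call_setup("call-1", "10.0.0.21", 20000, "192.0.2.44", 30000)
    during = fw.permits(rtp)
    other = fw.permits(("192.0.2.44", 30001, "10.0.0.21", 20000, "udp"))
    fw.call_teardown("call-1")
    return before, during, other, fw.permits(rtp)
```

Media from a port the signaling element never announced is dropped even while the call is up, which is the property the article relies on.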
ANATOMY OF A VOIP FIREWALL
The system purpose-built to perform the firewall and NAT functions
would consist of specialized hardware and software in order to achieve
high performance and low latency. Software-based firewalls are too slow and
inject too much delay. ASIC-based hardware firewalls are fast, but not
flexible enough to be controlled by the application. What's needed is the
right combination of hardware for speed and software for flexibility.
One or more packet processing cards and a single management card (printed
circuit cards mounted in a chassis) would comprise the hardware elements.
Each packet processing card separates a protected (secure) network
from an unprotected, or open, one. Each processing card provides
firewalling and NAT services to the path connecting the open and secure
networks. The only management and control path to the processing cards is
via the management card's Ethernet interface. As a result, the processing
cards are invisible to the networks to which they are attached, and the
interface is non-addressable. The management card provides the control
interface to the signaling element. The signaling element provisions the
firewall, opening and closing media ports. Voice packets crossing the
network interface undergo dynamic NAT to move media on and off the IP
network to the appropriate endpoints.
The best VoIP security solution for carriers and service providers is a
firewall/dynamic NAT solution that scales to meet requirements for capacity
and performance. It must be designed specifically for the multimedia traffic
used by carrier-class IP telephony services. Its firewall control
protocol must give the IP network call signaling elements control of the
firewall and its policies, and support fail-over and redundant
configurations to ensure high availability. Such capabilities will enable
secure, real-time communications. They are the essential services that will
help transform the Internet into the new public telephone network.
Craig Warren is corporate evangelist and co-founder of
Minneapolis-based Aravox Technologies. Aravox's network services platform
enables secure, real-time communications for carriers, access providers, and
managed service providers deploying Voice-over-IP networks. For more
information, visit Aravox's Web site at www.aravox.com.