IP Communications Security

By: Richard "Zippy" Grigonis

If you think the enterprise should worry about IP communications security, rest assured that service providers are positively electrified by it, mostly because of the costs attacks incur on their network, and the liability issues that may ensue. In addition to such traditional technologies as packet inspection and all of the goodies found in session border controllers, newer concepts such as NAC (Network Access Control) have appeared at the enterprise level, which keeps an eye on network endpoints, and enforces enterprise security policies and blocks the spread of malware. Given the variety of what’s available – Firewalls, Intrusion (News - Alert) Detection Systems (IDSs), Intrusion Prevention Systems (IPSs) and messaging security systems – both network operators and enterprises are struggling to come up with ways of coordinating the activities of all of these overlapping technologies.

Lately there has been an emphasis on packet/content inspection.

Take Cloudmark (News - Alert) for example, which provides comprehensive messaging security solutions that enable the world’s largest service providers (both fixed-line and mobile) to prevent messaging abuse from adversely affecting their infrastructure, operations and subscribers. Cloudmark has developed an approach that leverages the strength of its network of global service provider customers in rapid threat detection. Cloudmark currently protects over 250 million mailboxes in 163 countries.

Jamie de Guerre (News - Alert), CTO of Cloudmark, says, “We provide to service providers protection for any attack that may be happening over a messaging medium. That can be email or SMS, MMS or potentially some other areas, such as blog stem messages or social networking messages. The typical types of attack one encounters in this area would be spam attacks, phishing, viruses, malware and denial-of-service or harvesting attacks via email or messaging in general. The benefit of our solution is that we have the most real-time and scalable solution in the market that has the highest accuracy of blocking all of those threats with the fewest false positives. Also we have the ability to do this in a cost-effective manner for service providers. Today, we’re deployed at the majority of fixed-line service providers in North America and a couple of other geographical areas around the world, including Japan and several large service providers in Europe. We’re starting to move more and more into the mobile space. We’re deployed in two of the top ten largest mobile service providers in the world and we’re deployed in eight of the top eleven North American mobile operators and eight of the top ten Japanese operators. We also have four large Tier 1 European operators using our solutions.”

“There are several problems that service providers face with messaging security,” says de Guerre. “Today a typical North American consumer operator receives hundreds of millions of messages of day. If you take Comcast (News - Alert), for example, they receive between 500 million and a billion message attempts each day. At every North American operator, about 96 percent of all incoming messages are spam. Therefore, if you have to process all of the messages through your entire messaging infrastructure, and worse, if you have to store those messages, then that’s extremely expensive. Your messaging infrastructure is now several orders of magnitude larger than it would be if you only needed to process and store legitimate messages, which are 4 percent of the total. It’s very costly to allow all of that spam to move through the messaging infrastructure. Clourmark provides the ability to run a highly accurate, highly performing messaging security solution right at the edge of the provider’s network, right at the edge of their email datacenters, and block all of those messages early in the process so that the provider is delivering only legitimate messages to the more expensive internal messaging infrastructure.”

“One of our case studies concerns a service provider with five million subscribers,” says de Guerre. “They were previously using 50 edge appliance products from an appliance vendor and 47 Dell (News - Alert) servers running our biggest competitor, Symantec Brightmail. They were able to consolidate all of that to just nine servers running Cloudmark. Additionally, with the deployment they saw Cloudmark filtering an additional 80 percent of what the previous platform was missing. The cost savings for doing that is very dramatic across the infrastructure.”

“The other benefit is to the subscriber,” says de Guerre. “As North American cable and telecom operators start to compete with service providers which supply free email solutions, such as Gmail, Yahoo Mail and MSN or Windows Live Messaging, the quality of that service in a number of areas is important, spam being one of the most important today. If a lot of spam gets through, the email experience will be poor for the user. So, as these cable and telecom operators are looking to have services be as ‘sticky’ to users as possible, one of the things they discover is that the email address is itself sticky — people don’t like to change their email address very often. If the service provider can provide a very good email experience, then users will not only stick with that email service, but they’ll also stick with the overall product offering. Cloudmark enables the operator to provide that premium user experience via spam filtering.”

“On the mobile side, the issues are different and geographically-specific,” says de Guerre. “In North America and most of Europe, there’s not a big spam problem for SMS and MMS mobile messaging. But there’s a growing concern that it’s coming, which is partly derived from observing what’s happening in the rest of the world. In Asia, the Middle East and several parts of South America and Africa, you’re seeing a lot more spam on mobile phones. So the messaging costs are high to both the provider and user. A spam in your email is an accepted event and you just delete it. But if you get an SMS spam and your mobile phone vibrates in the middle of a meeting, that’s much more intrusive. Moreover, you may be paying for the receipt of that message, in which case you have to call your provider’s support people, and that becomes a costly customer complaint scenario for the provider.”

“The other fundamental issue we see with mobile messaging is that the popularity of SMS and MMS messaging is growing and operators are looking more and more to monetize content services and revenues through that medium and other content media to the mobile phone,” says de Guerre. “As that popularity grows, it makes it more attractive to the hackers to send their spam or malware. That presents a significant risk to operators in trying to get the benefit of new mobile revenues over the messaging medium. They won’t be able to do that if users lose confidence in the medium. If users see that half of their messages are complete spam, it’s unlikely that they’ll follow through in accepting other content services that’s coming over the mobile medium, such as legitimate advertising or promotions. That’s why we at Cloudmark are working with several mobile operators around the world to put in place protections similar to what we’ve done on the fixed-line side for the mobile networks.”

Another player in this space is Bivio Networks (News - Alert), which supplies next-gen network appliance platforms, enabling application developers to rapidly develop and deploy wire-speed, deep-packet processing network applications. For example, the Bivio 7000 Series of programmable network appliance platforms delivers 10 Gbps throughput performance within a standard Linux programming and execution environment.

Elan Amir, CEO of Bivio Networks, says, “We’re not actually a security vendor per se. We’re actually a broader networking vendor in the sense that we are a deep packet inspection equipment vendor and, among other things, we also sell to the security vendors. The way we look at the security market is as a broader play wherein deep packet inspection is the underlying technology for a lot of networking market segments, one of which, and perhaps the most important at this point, is the security market. We see in the security market a consolidation around general deep packet inspection.”

“One of the biggest problems in security has been that the market has historically cemented itself to an application view,” says Amir, “so you have firewalls, IDS and anti-virus vendors, and leak prevention vendors, network access control vendor applications. Each of these different applications drags along with it a piece of hardware into the IT infrastructure, and so very quickly the tasks that each one of these applications is charged with doing ends up overlapping or ‘bleeding over’ into tasks that are actually in the realm of a different application. This creates quite a bit of complexity, both from a deployment standpoint and a management standpoint and you never know exactly which policy is controlling which action and I think what you’ll see moving forward from a security standpoint is that the process of controlling the packets and network flow will be defined in software that is a lot more uniform, as opposed to just these disparate functions that are all put together. In the Internet telephony space, of course, in some sense it’s somewhat of a greenfield situation, simply because as IP telephony becomes more prevalent, the security risks and issues concerning anything from unauthorized interception to viruses and security threats that embed themselves inside the payload obviously are such that we’ve just barely begun to scratch the surface of what’s possible out there. There really isn’t quite the critical mass of devices to handle everything.”

“This is all evolving to a broader approach to security,” says Amir, “that collectively is known as deep packet inspection. It’s the discipline of examining the payloads of the network traffic and then taking action based on that. Rather than specializing in an individual application at the outset, you have the individual policies emerge from an underlying deep packet inspection framework.”

“IT managers want to know how to make all of their security applications and devices work together,” says Amir. “Their IDS system, NAC [Nework Admission Control], anti-virus gateways, their host-based leak prevention system, all of this stuff sort of fits into the network and supposedly takes care of different pieces of a problem, but they really don’t. Their functions actually overlap and when a threat comes in to the organization, it’s quite difficult to figure out which system should have taken care of the problem, let alone making sure that all the policies across all of these systems actually work together to give you an overall policy that is what the IT organization really wants. That’s the number one security problem right now in general.”

The Wild World of Web Security

Finjan (News - Alert) also specializes in active real-time content inspection technology. Finjan provides secure web gateway solutions for the enterprise market that prevent “crimeware” and other malicious web content from infiltrating corporate networks and stealing business data. Their content inspection technology detects malicious content based on the code’s intended criminal action, without using signatures, URLs or reputation attributes.

As originally disclosed in Finjan’s Q2 Trend Report, cybercriminals quickly realized that in order to avoid detection by URL filtering or reputation services products, they needed to avoid detection by deploying several new techniques, such as:

1. Storing IP addresses of web crawlers in their attack databases. This method enables cybercriminals to serve legitimate content to these web crawlers while serving malicious content to all other site visitors. Since these web crawlers are the main feed for updating URL filtering and reputation services databases, the result is a false rating or categorization of infected websites.
2. Using random web page names. This method prevents ‘black listing’ of malicious pages. Each time users visit an infected site, a new unique URL is created and served dynamically.
3. Code obfuscation. This method ‘breaks’ anti-virus signatures to avoid detection.

Finjan says that legitimate websites, hosted in the U.S., were compromised by criminals to infect web users with trojans and other malicious content using these techniques.

A typical “random js attack” is performed by dynamic embedding of scripts into a webpage. It provides a random filename that can only be accessed once. This dynamic embedding is done in such a selective manner, so when a user receives a page with the embedded malicious script once, it won’t be referenced again on subsequent requests. This method prevents being caught in later forensic analyses. The “evasive effect” is achieved by storing the visiting user machine’s IP address on the server. Upon accessing the site again from the same IP address, the malicious JavaScript is no longer referenced in the source HTML of the site, and so the malicious filename (URL) that was previously used to serve malicious code is also no longer accessible on the web server. Thus, all traces of the malicious code have vanished.

During December 2007, Finjan detected about 10,000 new legitimate domains which have fallen victim to this type of attack.

Finjan’s Vital Security Web Appliances can identify these attacks. For increased Web 2.0 and productivity control, URL Filtering engines from IBM (News - Alert) Proventia Web Filter technology and Websense are available as an extra option. Finjan’s Secure Web Gateway Solutions also include an optional cache appliance, providing enterprises with a complete solution for active real-time web security and content acceleration. Finjan’s Secure Web Gateway Solution supports the Cisco (News - Alert) WCCPv2 standards and ICAP for interoperability with various networking and caching systems. Finjan’s RUSafe™ assesses incoming and outgoing web traffic using Finjan’s security technologies, without requiring any changes to the security infrastructure and network topology. It sniffs live traffic from the switch, scans the content using Finjan’s active real-time content inspection technologies, and generates summary-level and detailed-level reports which specify the magnitude and type of malicious content detected by the appliance.

In short, Finjan’s technology installs in the network and monitors traffic as it comes in as html and JavaScript. It determines what the scripts are doing, and whether they come from myspace, or wherever.

The DNS Connection

Nominum (News - Alert) provides highly scalable, reliable and secure DNS and DHCP servers. These products were developed by Nominum engineers based on their experience in writing BIND (version 9) and ISC-DHCP (version 3). Unlike these open source products written primarily to demonstrate those specifications were implementable, Nominum products are commercial grade and focus on carrier-class requirements and are scalable and have high availability and high performance characteristics.

Georges Smine (News - Alert), Nominum’s Director of Product Management, says, “Our products rest in the naming and addressing solutions space, which is really a layer that had been neglected for a long time, but now the last few years, especially in the carrier market and now the enterprise market, companies have been looking at it as vital for their well-being. We’ve played a role in the routing directory space through the use of ENUM [“Electronic Numbering”] for pure telephony providers who are moving to IP.”

“From a product perspective, when you look at the world of DNS [Domain Name System], it’s really the underlying layer for any type of application,” says Smine, “but it does play a more sensitive role for communications-type applications, especially considering that SIP [Session Initiation Protocol (News - Alert)] is highly dependent on the DNS. When you look at companies running their DNS infrastructure, if you really want to protect your communications links, you must protect DNS and ensure that it’s not vulnerable to, say, denial-of-service attacks, or other attacks that can bring the network down. These are usually attacks meant to create harm or create disruptions, and it used to be done for bravado purposes — by macho hackers looking at ways of ‘proving’ themselves among their peers.”

“Now, protecting your DNS servers is very important,” says Smine. “Another aspect of protecting their uptime is also making sure that you’re not allowing people to be phished. There’s also a type of attack called ‘farming’ where you think you’re looking at your bank account URL, but the IP address that correlates to that domain name may have been altered by virtue of ‘poisoning’ your existing DNS server. These are things that we also protect against in our native DNS infrastructure. That’s especially true for anyone who want to run any type of IP communication in the public Internet. If you’re trying to make a call with your SIP phone, for example, and you’re using a SIP address to reach a customer call center, there is a chance your call could be diverted somewhere else and you may be induced by a fake customer representative into giving away your account information.”

“Another aspect of our involvement in security involves ENUM technology,” says Smine. “We provide the routing directory and repository for all types of telephone numbers that a carrier will manage. These type of routing directories — you can consider them as a sort of IP-enabled SCP [Service Control Point] — tend to run in a very protected environment, which means that they’re less likely to be vulnerable to external attacks. This means that most of the time that data is being accessed by a switching infrastructure which is either owned by the carrier itself or by partner carriers that have control of that infrastructure. Having said that, that does not mean that you don’t have any security measures around it. You must make sure that this database is always up and available, and that you can use the data inside of it to ensure that it is originating and being provisioned from well-identified sources, so that there’s no risk of anybody inserting a telephone number to divert calls at the core. And of course that data also can be used to validate incoming calls when you’re serving the Class 5 switch equivalent. You want to ensure that these identities are not being spoofed and you’re not allowing attackers to pretend that they’re somebody else.”

“The amount of money spent on security can be justified only by the potential risk of loss,” says Smine. “You’re not going to spend a lot of money if you’re protecting something that is really not valuable. Usually security in communications and the Internet comes as an afterthought or really in the aftermath of some major violation.”

“Carriers are concerned over loss, such as an intentional blockage of their service to customers,” says Smine. “And they’re also concerned about identity theft or service theft, or the intentional disruption of service quality. Some are concerned over the theft of services, such as the Miami operation that took control of unprotected softswitches and routed calls through them for free. Liability also concerns network operators when it comes to things such as spoofing. I had a customer in Europe who said that even though their network was protected, somebody managed to run a scam on their network and steal the identity of customers. They felt they had to do something and were partly responsible. Then of course, there’s spit, but we haven’t seen a lot of that yet.”

DNS also figures heavily in the technology of VirnetX, whose next-gen technologies are designed for secure real-time communications solutions. Designed for seamless authentication and automatic encryption via a domain name (DNS) look-up, VirnetX technology establishes a secure communication link without entering any cryptographic information. VirnetX’s technology provides wide-reaching technology implications, including unified communications and messaging, VoIP, IM, video conferencing, secure session initiation protocol (SIP), and web and real-time collaboration services.

Recently VirnetX announced their GABRIEL Connection Technology for securing private data and content shared across next-gen networks, such as Web 2.0, peer-to-peer (P2P) networks, VoIP, unified communications and collaboration software applications. GABRIEL Connection Technology enables secure across-the-network verification using a combination of cryptographic certified domain names, computer network addresses and public keys. GABRIEL allows for the creation of hardware or software solutions based on a foundational security platform with automatic link initiations and seamless management of new registration services. This enables ubiquitous, secure unified communications between any combination of devices, operating systems, software applications and even connecting sensors. Businesses can now obtain a new secure domain name or establish “invisible security”.

Kendall Larsen, CEO and President of VirnetX, says, “We were founded in 2005. We have a rich set of intellectual property that enables the next generation of security for Internet telephony. When I say ‘enables’, we’re very strong with intellectual property and we’re actually developing our own set of products and licensing practices. We focus on the areas of fully authenticated and fully encrypted real-time communications. What does that entail? Every important conversation on a network should be fully authenticated down to the user level, as well as fully encrypted, relative to setting up a VPN, so that rich media on a real-time basis can flow transparently, fully encrypted, and fully authenticated, across domains. That’s the basis of our intellectual property and the fundamental foundation for good, secure Internet telephony. We all want to implement this across networks and providers and accelerate the great trends we’re seeing now with IP communications.”

“We are aware of the work being done by Cullen Jennings (News - Alert) and the security working groups at the IETF,” says Larsen. “We believe that is important work, and those guys truly understand it. The work they do helps developers such as ourselves and others in the industry, and we support them. We believe that they also support rich intellectual property as VirnetX encompasses. We actually acquired our intellectual property from SAIC, a large government integrator working in the intelligence community. They had the de facto standard for encryption technology; for ‘raw’ crypto as well as secure protocols that are still being used today in real-time communications. The idea was that everybody should have an X.509 certificate at the device level, and they should present it to the network or to the controllers for permission for authentication, and a VPN should be set up between the origination and destination points. That means that standard crypto is still good, implemented in a way that uses X.509 for authentication, sets up VPN channels and encrypts those channels with those X.509 certificates resident in the devices.”

“Who’s doing this? Most major vendors have made statements and/or products supporting this,” says Larsen. “The issue at hand is how to get intercommunications accomplished with these fully authenticated and fully encrypted channels. That segues into current service provider and industry trends. If you look at what we believe to be the base-level standards, we believe that DNS is how the Internet ‘phone book’ finds users, websites, phones, wired and wireless devices. The term DNS also describes a protocol by which you search and find. SIP is based on DNS. So every SIP address is what we call a domain name, and when you accompany a domain name with a certificate you find what we call a secure domain name. If we’re searching for and dialing a destination with our IP softphone, hardphone, or wireless device, we’re using DNS protocols to ask, ‘Where is that destination?’. Once it has found the destination, then is there ‘keying material’? And are you authenticated or do you have permission to connect to that device on a fully authenticated and fully encrypted basis? As it happens, VirnetX has the patent that seamlessly enables this process, which is a rich set of IP, techniques and enablement that allows it to transparently take place.”

“That’s where we’re at in the industry,” says Larsen. “We’ve got the communications part of it down pat, whether it’s PBXs or hosted PBXs or services. We know that it works. Now, how do we permit mission-critical, business-level communications in a completely federated environment? It comes down to using DNS, trusting the domain names down to the device at a granular level, and then making sure that all of the devices or phones or computers have keying material available, such as a certificate or trusted domain name.”

“Let’s say you have Domain A which is an enterprise, and Domain B (News - Alert), which is an enterprise,” says Larsen. “And the current trends are that Enterprise A says, ‘I’m going to trust everything that comes from Enterprise B.’ Essentially that can be done with a certificate that is trusted from the call manager or the PBX (News - Alert) or the border controller that’s trusted. It’s where the Internet telephony traffic comes from. If I’m at B and I trust all of the traffic coming from A, then I can accept it. The issue, however is that everybody is not sitting nicely-configured behind the PBX as it was in the old days. Today, people are roaming about. They’re wireless. They have multiple devices. Their calls are not coming back through a single secure call manger. The users are certainly in a domain, but that’s a physical domain, and what we’re really talking about is a virtual domain. A virtual domain has members in it and those members have devices. The granularity issue is such that some virtual domain, let’s say it’s a company with many people, can be broken down into devices, and their respective SIP addresses that are not physically defined but cryptographically defined in a virtual world. That’s certainly a challenge.”

“VirnetX as a company understands this ‘virtuality’ – our name stands for ‘Virtual Net Exchange’,” says Larsen. “And as you start seeing the exchanges – and these aren’t physical exchanges but virtual relationships taking place – cryptography becomes the way to identify or ‘trust’ domains that are not physically but virtually defined.”

Suffice it to say, given the number of hackers and their accelerating delivery of attacks and malware, security will be a growth industry for a long time to come. IT

Richard Grigonis is Executive Editor of TMC (News - Alert)’s IP Communications Group.

Bivio (www.bivio.net)

Cloudmark (www.cloudmark.com)

Finjan (www.finjan.com)

Nominum (www.nominum.com)

VirnetX (www.virnetx.com)

» Internet Telephony Magazine Table of Contents