
Securing Enterprise Communications

By: Richard “Zippy” Grigonis

Networks seem to grow more complicated every day, and there are more of them. In such an environment every kind of organization finds itself worrying about maintaining control over signaling, media, routing policies and, above all, security in all its forms.

After all, adopting a full suite of today’s IP communications applications demands that an organization make changes to its firewall/NAT (Network Address Translation) device, IP PBX, private IP addressing, numbering plan, and perhaps other components and their software. New questions arise as to how privacy can be maintained end-to-end, both for the identities of the caller and callee and for the media of the communications session itself.

Session Border Controllers (SBCs) appeared early in the history of commercial VoIP because they let voice calls traverse firewalls and NAT devices. But SBCs, generally installed at network borders (between peering service provider networks, or between a service provider network and enterprise or residential networks), can also enforce security and Quality of Service (QoS) policy and act as an admission control point for IP communications sessions. Some form of border control is involved in almost every aspect of VoIP security: firewall/NAT traversal (local and remote), enforcement of fine-grained UC security policies, and threat protection against denial of service, spoofing and stealth attacks.

One of the better-known makers of SBCs is Acme Packet, with 635 customers in 92 countries, including 89 of the world’s top 100 service providers. Its Net-Net family of SBCs, multiservice security gateways and session routing proxies supports multiple applications in service provider, large enterprise and contact center networks, from VoIP trunking to hosted enterprise and residential services to fixed-mobile convergence. They satisfy critical security, service assurance and regulatory requirements in wireline, cable and wireless networks, and they support multiple protocols, namely SIP (Session Initiation Protocol), H.323, MGCP (Media Gateway Control Protocol), NCS (Network-based Call Signaling) and H.248, at multiple border points: access, interconnect and data center.

Acme Packet’s Vice President of Marketing and Product Management, Seamus Hourihan, says, “In our enterprise initiative, which can include contact centers and U.S. federal government projects, SIP trunking is driving many applications. That’s what we call Border Point Number One in today’s SBC world. There are three other network borders that either need protection or will need it in the future. The second is the Internet border where we support remote workers. These could be people who travel all the time, people who are nomadic at some level, people who work from home, and in some cases even corporate remote offices. This is clearly an untrusted network and there are special requirements. The third border point is the internal border to your private network, which involves your IP PBX or your unified communications servers, which provide call and session control. This third border is the border between that application/service infrastructure and the internal users. In particular, in many financial accounts, the IT/networking group is usually so security conscious that they don’t trust anybody, even though what you’re doing is internal to their private network. The fourth border is the ‘hosted services border’, which is the border to a service provider that may be offering services that you as an enterprise use, such as audioconferencing, or a WebEx or Raindance, or videoconferencing. It could be your external interface to your Salesforce.com server infrastructure, where you’re voice enabling that with such things as ‘click to call’, or it could be a hosted contact center where your center’s resources are external to your internal network.”




“As I said, most of the activity is driven by the SIP trunking border,” says Hourihan, “and secondarily by the Internet, and then the private network. Security itself has many dimensions. Security is like insurance – you have to assess what the risks are and what exactly you want to protect. Not every company is the same. If you’re a retail banking company with a contact center, or a brokerage services company that has a virtual contact center that taps into local Fidelity offices, there may come a time when you lose your ability to handle incoming calls or make outbound calls. In such cases you’re in real trouble, because those are revenue-generating activities. In contrast, if a manufacturer such as Acme Packet were to lose communications capability for a time interval, it would be annoying, but not devastating.

So, when talking about security, the biggest impact from a threat perspective is losing the ability to receive or send calls, or create sessions as a result of attacks that can occur when you connect to the outside world via your SIP trunking border. Problems can also occur because of misconfigured equipment, either in your private network or your trunking partner. Then there are overloads. When an enterprise buys an IP PBX or a set of servers to host unified communications, they don’t buy the largest available telecom service to connect to them – even if they did, no service has infinite capacity from a signaling perspective. People buy what they think they need. But in the world of IP it’s possible to find oneself in overload conditions.”

Acme Packet’s Director of Product Marketing, Jonathan Zarkower, adds, “Let’s assume for example, that we had an IP PBX here at Acme Packet, and it was running on a low-end server platform. Let’s also assume that our headquarters building loses power. When the power returns, every SIP phone in the building would re-register simultaneously, generating an extreme load condition on the IP PBX. Unless that was protected appropriately with an SBC or sized with capacity to handle that, you would have a situation where that could basically experience a continuous outage for a long period of time. Transiting from that back to full operation can have security consequences.”

Securing SIP Trunks

It is interesting that Acme Packet lists SIP trunking as the primary border point of concern today, since SIP trunking is finally becoming a popular way to achieve cost-effective communications: SIP trunks bypass the PSTN and its costly TDM (Time-Division Multiplexing) trunks and gateways. Organizations of all sizes can use them to route calls over a network operator’s IP backbone and a single IP connection for all communications.

Another company, Sipera Systems, focuses sharply on SIP trunking security and on how an enterprise can deploy a comprehensive, real-time unified communications security solution offering wide-ranging threat protection, strict policy enforcement, robust access control and privacy in a single security appliance. The Sipera IPCS family of security appliances, built on Sipera’s VIPER engine technology, secures SIP trunks by serving as the demarcation point for the enterprise VoIP and UC network and enforcing fine-grained security policies. The IPCS appliances protect against SIP- and RTP-based threats by blocking them at the enterprise perimeter, and they preserve the privacy of the internal network, caller/user IDs and communications. They also perform firewall/NAT traversal to simplify SIP trunk deployment. A single Sipera IPCS appliance can thus be deployed at the customer premises between the internal and external firewalls, providing network security, enforcing security policies and handling the other SIP trunk deployment issues for the enterprise network.

The Sipera IPCS product acts as a trusted host in the DMZ (Demilitarized Zone), the network segment between the external and internal firewalls where one or more hosts act as proxies, intercepting traffic and brokering requests on behalf of the internal LAN and so adding a layer of protection for the computers behind the internal firewall. SIP signaling arriving from the trunk is received by the external firewall and forwarded to the Sipera IPCS, which processes the signaling. If the signaling is carried over TLS, the IPCS terminates the TLS session, decrypts the traffic and looks for anomalous behavior before forwarding the packets through the internal firewall to the appropriate IP PBX to establish the requested session. One consequence worth noting is that the appliance, not the IP PBX, is the trunk’s TLS endpoint; the hop from the DMZ to the IP PBX is a separate leg whose protection has to be considered on its own.

Once a valid call has been set up, RTP packets are allowed through the external firewall to the Sipera IPCS, which decrypts the SRTP stream (where SRTP is in use) and inspects the media for anomalous behavior before passing the RTP stream on to the intended recipient. Because media is admitted only for sessions whose signaling has already been validated, packets that do not belong to an established call stop at the border.
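The border pipeline described in the last few paragraphs, as an added worked example that is not Sipera’s or Acme Packet’s code: a toy Python model of the decisions a border element makes on one inbound trunk request. It rate-limits per source before parsing (the overload and registration-storm point Hourihan and Zarkower raise above), rejects oversized or malformed messages and methods a trunk peer has no business sending, refuses requests whose mandatory headers are missing or duplicated, and for an accepted INVITE derives from the SDP offer the single (address, port) media pinhole the external firewall should open. TLS and SRTP termination are assumed to have happened already, so the message is handled as plaintext. The size ceiling, the allowed-method set, the media port policy, the limiter parameters and the sample messages are all constructed assumptions for this example.

```python
"""Toy SIP-trunk border check: rate-limit, parse strictly, enforce method/header
policy, and derive the RTP pinhole only for an accepted INVITE (added example)."""
import re
import time
from collections import defaultdict, deque

MAX_MESSAGE_BYTES = 4096  # hypothetical ceiling; a legitimate INVITE is far smaller
ALLOWED_TRUNK_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"}  # a trunk peer never REGISTERs
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")  # each must appear exactly once
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")

class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per source."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def allow(self, source, now=None):
        now = time.monotonic() if now is None else now
        q = self.seen[source]
        while q and now - q[0] > self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def parse_sip(raw):
    """Return (method, uri, headers, body); raises ValueError on malformed input.
    headers maps lower-cased name -> list of values; folded header lines are rejected."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValueError("oversized message")
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("missing header terminator")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = defaultdict(list)
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip() or name[0].isspace():
            raise ValueError("malformed header line")
        headers[name.strip().lower()].append(value.strip())
    return m.group(1), m.group(2), headers, body

def media_pinhole(sdp):
    """Extract (address, port) of the offered audio stream from an SDP body, or None."""
    conn = port = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            conn = line[len("c=IN IP4 "):].strip()
        elif line.startswith("m=audio "):
            f = line.split()
            if len(f) >= 3 and f[1].isdigit() and f[2] in ("RTP/AVP", "RTP/SAVP"):
                port = int(f[1])
    return None if conn is None or port is None else (conn, port)

def check_trunk_request(raw, source_ip, limiter, now=None):
    """Return ("accept", pinhole) or ("reject", reason); pinhole is (ip, port) for an INVITE."""
    if not limiter.allow(source_ip, now):  # before parsing: the cheapest defence against floods
        return "reject", "rate limit exceeded for " + source_ip
    try:
        method, _uri, headers, body = parse_sip(raw)
    except ValueError as exc:
        return "reject", str(exc)
    if method not in ALLOWED_TRUNK_METHODS:
        return "reject", "method %s not permitted on trunk" % method
    for name in REQUIRED_HEADERS:  # a missing or duplicated header is a classic spoofing/fuzzing sign
        if len(headers.get(name, [])) != 1:
            return "reject", "header %s missing or duplicated" % name
    if method != "INVITE":
        return "accept", None
    pinhole = media_pinhole(body)
    if pinhole is None:
        return "reject", "INVITE without a usable SDP audio offer"
    if not 1024 <= pinhole[1] <= 65535:  # hypothetical port policy for the media pinhole
        return "reject", "SDP media port %d not permitted" % pinhole[1]
    return "accept", pinhole

# Constructed sample traffic for this example (not captured from any real network).
GOOD_INVITE = (
    "INVITE sip:+14085551000@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 203.0.113.7:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:+12125550100@trunk.example.net>;tag=1928301774\r\n"
    "To: <sip:+14085551000@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.7\r\nCSeq: 314159 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 0 0 IN IP4 203.0.113.7\r\ns=-\r\nc=IN IP4 203.0.113.7\r\nt=0 0\r\n"
    "m=audio 20000 RTP/AVP 0 8 101\r\n"
)
TRUNK_REGISTER = GOOD_INVITE.split("\r\n\r\n")[0].replace(
    "INVITE sip:+14085551000@pbx.example.com", "REGISTER sip:pbx.example.com"
).replace("CSeq: 314159 INVITE", "CSeq: 1 REGISTER") + "\r\n\r\n"
DUPLICATE_TO_INVITE = GOOD_INVITE.replace("Call-ID:", "To: <sip:x@203.0.113.7>\r\nCall-ID:", 1)

if __name__ == "__main__":
    for msg in (GOOD_INVITE, TRUNK_REGISTER, DUPLICATE_TO_INVITE):
        print(check_trunk_request(msg, "203.0.113.7", RateLimiter(3, 1.0)))
    burst = RateLimiter(3, 1.0)  # registration-storm style burst: the fourth request is dropped unparsed
    print([check_trunk_request(GOOD_INVITE, "203.0.113.7", burst, now=t)[0] for t in (0.0, 0.1, 0.2, 0.3)])
```

Running the module prints the decision for each sample message and the accept, accept, accept, reject pattern for a four-request burst inside a one-second window. The design point is the ordering: the flood check costs a deque lookup and runs before any parsing, so a storm of garbage is dropped before it can consume parser CPU on the element protecting the IP PBX, and a media pinhole is computed only after the signaling has passed every other check.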

How Secure is “Secure”?

We now live in a world of freely available open source telephony code, not to mention mobile employees who have pushed IP communications beyond the main office to softclients, WiFi/dual-mode phones, remote IP phones and web phones. Enterprise networks thus become more complicated and more susceptible to breaches and to a plethora of threats, including Denial of Service (DoS) and Distributed Denial of Service (DDoS), stealth DoS, spoofing and VoIP spam. Even so, by bringing the latest security technologies (intrusion prevention and detection, for example) to bear on the problem and by enforcing best practices, VoIP, video, IM and other IP communications applications can continue to carry time-critical, business-sensitive information across today’s networks with only moderate cause for concern about security.

Richard Grigonis is Executive Editor of TMC’s IP Communications Group.

 

The following companies were mentioned in this article:

Acme Packet - (www.acmepacket.com)

Sipera Systems - (www.sipera.com)

» Internet Telephony Magazine Table of Contents


