SUBSCRIBE TO TMCnet
TMCnet - World's Largest Communications and Technology Community

CHANNEL BY TOPICS


QUICK LINKS




A Proactive, Systems-Level Approach to VoIP Security

Call Center VoIP Security

Call Center VoIP SecurityCall Center VoIP Security
February 08, 2006

A Proactive, Systems-Level Approach to VoIP Security

Bogdan Materna, Contributing Editor



By Bogdan Materna, TMCnet's Secure VoIP Deployment Columnist
 
The complex nature of VoIP infrastructure demands a unique approach to security.  VoIP networks consist of a wide range of components and applications such as telephone handsets, conferencing units, mobile units, call processors/call managers, gateways, routers, firewalls and specialized protocols which operate across multiple layers of the network.  As a result, a systems-level approach is required, in which security is built into all the infrastructure layers and coordinated via a centralized control center.

 
With unique challenges and types of attacks, VoIP clearly requires a more sophisticated approach to security than those used to secure existing data networks. Solutions based simply on network-centric devices and signature-specific applications simply cannot address the real-time nature or complexity of VoIP infrastructure.  Furthermore, in protecting VoIP networks against attack, VoIP is further complicated by the fact that it is the first IP service where human-based response is not sufficient an automated response.
 
A system-based approach that combines network and host-based security devices and applications with a sophisticated, system level threat mitigation system is required to efficiently protect the entire VoIP infrastructure.  In building a systems-level approach to VoIP security, unified VoIP-specific security consists of three functional components: prevention, protection and mitigation.
 
Prevention
 
Prevention enables organizations to proactively identify and fix VoIP-specific vulnerabilities before they impact users. A commonly used approach from the data security world, vulnerability assessment (VA) is particularly effective as a proactive strategy.  By performing a VoIP VA in the lab, before any VoIP equipment and applications are deployed, organizations are able to verify vendor claims and identify security flaws early in the deployment cycle. Executing a VoIP VA of all components prior to the commissioning of the VoIP infrastructure is recommended as interactions and dependencies between VoIP applications and devices could potentially create additional security vulnerabilities not visible during earlier assessments in the lab. Once VoIP is deployed, periodic or continuous vulnerability assessments should become the cornerstone of an overall proactive VoIP security strategy. Once security vulnerabilities are identified they should be addressed by appropriate actions such as patching, re-configuration and network tuning. These actions should be clearly defined as part of the company’s overall security policy to provide a framework for dealing with any possible threats to VoIP security.
 
Protection
 
Within the VoIP network, various security architectures and solutions should be deployed to protect VoIP services from security threats during their life cycle. Any security architectures and solutions deployed must be “VoIP aware” so they do not impact service quality and reliability. Multi-layer security infrastructure that provides both perimeter as well as internal network protection is ideal. In most cases, it will consist of a number of security devices and host-based applications to protect VoIP networks such as SBCs, VoIP Network Intrusion Prevention Systems (NIPS), VoIP DoS defenses, VoIP Network Intrusion Detection Systems (IDS), Host IPS’s, AAA servers, encryption engines and VoIP anti-virus software. All the devices and applications have to be coordinated via a higher level application providing a unified view of the end-to-end VoIP infrastructure.
 
Mitigation
 
It is already widely accepted that no matter how good the prevention and/or protection in place may be, sooner or later an attacker or worm will successfully penetrate the defenses and impact VoIP infrastructure. While to date there have not been any widely publicized VoIP security attacks, as VoIP becomes more mainstream, it is a matter of when -- not if -- widespread attacks will occur. 
 
Currently, a combination of human intervention and security management tools are being used to mitigate the impact of these attacks. As the VoIP market matures, and VoIP-specific attacks become more prevalent, these methods will not be sufficient as VoIP networks cannot tolerate multi-hour or multi-day downtimes if they are required to support 99.999% availability (five minutes of downtime per year). Expect to see solutions emerge that are designed to provide real-time, automated VoIP security mitigation solutions to keep services running in the presence of major security threats such as SPIT, DoS or fast-spreading worms.
 
Threat mitigation systems should be able to respond autonomously to the detected security threats and keep their impact at the levels where VoIP services can still function, albeit at lower QoS. While VoIP threat mitigation systems are not currently available, they will become a key part of the VoIP security infrastructure in the next two to three years, and should be planned for.
 
Conclusion
 
A proactive, systems-level approach which focuses on prevention, protection and mitigation will provide organizations with the flexibility required to meet evolving VoIP security needs.  The complexity of VoIP networks, combined with its real-time nature demands a proactive approach in which all levels of the network are secured against attack. In deploying VoIP, security must be addressed as part of an overall strategy, or organizations will be forced to deal with the financial and business consequences that come with recovering from a security breach.
 
About the Author
Bogdan Materna is the CTO and VP of Engineering at VoIPshield Systems (www.voipshield.com) He can be reached at [email protected] or (613) 224-4443. 
 




Call Center VoIP Security
Call Center VoIP Security





Technology Marketing Corporation

2 Trap Falls Road Suite 106, Shelton, CT 06484 USA
Ph: +1-203-852-6800, 800-243-6002

General comments: [email protected].
Comments about this site: [email protected].

STAY CURRENT YOUR WAY

© 2024 Technology Marketing Corporation. All rights reserved | Privacy Policy