Last month's column explored the security issues faced by VoIP carriers
at the network interconnecting points with other providers' networks. This
month's column looks at the security challenges that access networks pose
to the VoIP operator.
In the security chain, the access network is the weakest link and poses
the greatest threat to the VoIP operator. Attacks originating from the
access network can take several forms and result in varying degrees of
damage. One of the most common methods is denial of service (DoS), in which
a hacker floods the network with seemingly legitimate traffic and overloads
or crashes critical network elements. By attacking at the signaling layer, a
network server can be taken down with very little bandwidth. This is because
each signaling message may involve a lot of network resources.
Eavesdropping, device cloning, and protocol manipulation are other forms
typically employed to gain unauthorized access to information, data, or
service.
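A sketch of detecting the low-bandwidth signaling flood described above (an added example, not part of the original column): it budgets each source by an assumed per-method processing cost rather than by bytes. The log format, cost weights, thresholds, and addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed relative server-side cost per SIP request (hypothetical weights):
# REGISTER and INVITE trigger authentication, lookups and call-state setup.
METHOD_COST = {"REGISTER": 5, "INVITE": 8, "OPTIONS": 1, "BYE": 2, "ACK": 1}
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>\S+) (?P<method>[A-Z]+) sip:\S+ (?P<bytes>\d+)$")

def parse(lines):
    """Yield (timestamp, source, method, size) for each well-formed log line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["ts"]), m["src"], m["method"], int(m["bytes"])

def flag_sources(lines, window=1.0, cost_limit=40, byte_limit=50_000):
    """Return {source: [reasons]} for sources over budget in any time window."""
    cost, size = defaultdict(int), defaultdict(int)
    for ts, src, method, nbytes in parse(lines):
        key = (src, int(ts // window))           # fixed window per source
        cost[key] += METHOD_COST.get(method, 1)  # unknown methods cost 1
        size[key] += nbytes
    flagged = defaultdict(set)
    for (src, _), c in cost.items():
        if c > cost_limit:
            flagged[src].add("signaling-cost")
    for (src, _), b in size.items():
        if b > byte_limit:
            flagged[src].add("bandwidth")
    return {src: sorted(reasons) for src, reasons in flagged.items()}

# Constructed sample: one ordinary CPE placing a call, and one CPE sending
# 20 REGISTERs in under a second (about 8 KB, far below the byte budget).
SAMPLE = [
    "0.10 10.0.0.5 REGISTER sip:registrar.example.net 420",
    "0.90 10.0.0.5 INVITE sip:bob@example.net 780",
    "1.20 10.0.0.5 ACK sip:bob@example.net 310",
    "9.50 10.0.0.5 BYE sip:bob@example.net 300",
] + [f"{5 + i * 0.04:.2f} 10.0.0.66 REGISTER sip:registrar.example.net 400"
     for i in range(20)]

if __name__ == "__main__":
    print(flag_sources(SAMPLE))                     # cost-aware budget
    print(flag_sources(SAMPLE, cost_limit=10**9))   # byte budget alone
```

With the byte budget alone, the flooding source is not flagged; the cost-weighted budget catches it.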
The Source Of The Problem
The access networks terminate at the subscriber premises and connect to
customer premise equipment (CPE). These CPE devices can become the primary
targets for security breaches because they are so physically accessible.
Carriers go to great lengths to secure and protect their own network
elements, but the equipment used by their customers to connect to that
network usually resides on an unsecured desktop. The sheer number of CPE
elements that may reside in the customer network further complicates the
problem. Every piece of customer premise equipment (CPE) is a potential
point from which unauthorized network entry can be gained. Unlike standard
telephones, these devices are intelligent. They have direct signaling
interaction with other nodes such as call control agents, SIP registrars,
and gatekeepers and can be used to launch a network attack. CPE devices are
typically low-end and susceptible to software bugs. Once a hacker identifies
and understands the bug, the loopholes to gain network access can be
exploited easily.
Many access networks are also shared-media or broadcast networks. An IP
connection, such as a coaxial cable, links the carrier with the customer
site where any number of subscribers may reside. The problem with this
arrangement is that traffic to and from any user is visible to all others on
the network. Eavesdroppers can use packet-sniffing tools to view the traffic
and intercept voice and signaling traffic from other users on the same cable
segment.
Taking A Closer Look At Security
A complete security solution has to include several key elements:
mechanisms to authenticate users and devices and authorize access to the
network; methods to hide or encrypt critical information and data; and a
method or protocol to manage the trust relationship between multiple
devices. There must also be a means to validate the authenticity of any new
software before it is upgraded.
Protecting The Data In Transit
Proof of identification is a critical component of any network security
system. One method for authenticating network devices and passing information
securely is the public key infrastructure (PKI). PKI consists of protocols
and standards that support public key cryptography, algorithms that encrypt
and decrypt sensitive message information.
The PKI protocol employs a unique public/private key for each device
involved in the communication. Typically, the key pair is generated and
embedded in communication devices when they are manufactured. The private
key is known only to the protected device and never shared. The public key
is shared with all the other network devices that need to communicate with
the protected device. Any device with knowledge of the public key can
send information, and it does so by encrypting the data using the public
key. This message can only be decrypted with a private key that is held by
the protected device. By using a unique key pair for the CPE device and
another key pair for the network-side device, signaling and voice
communication in both directions can be protected.
Encryption algorithms range from the simple to the complex. Several
algorithms are currently employed in commercial data networks, and the VoIP
industry can benefit from this rich experience. The Data Encryption Standard
(DES), Triple Data Encryption Standard (Triple-DES), and Advanced Encryption
Standard (AES) are some of the most popular methods. The size of the keys
used in the algorithm determines the level of security: the larger the
key length, the better the security.
Digital Certificates
The challenge with using a key pair for encrypted communication is
authenticating the public key and verifying that it truly belongs to the
identified device rather than a cloned device. This is done using digital
certificates, which are a critical component of PKI. Issued by a
certification authority (CA), they are used to establish a user's
credentials on the network. The certificate contains information about the
public key as well as the user's name, a serial number, the period of
validation, and the digital signature of the CA. One of the standards being
used for digital certificates is X.509. It defines what information must be
included in the certificate as well as the data format for that information.
Using a two-phase encryption process can further enhance the security. The
first phase of encrypted message exchange takes place using the PKI
infrastructure. During this step, the communicating devices exchange a
secondary key known as a traffic encryption key. The traffic encryption key
is then used for encrypting the user-generated traffic such as signaling and
voice.
The PKI infrastructure can also be used to authenticate software before
an upgrade takes place. The new software will have embedded digital
signatures. The devices authenticate these digital signatures using a known
certification authority before allowing the upgrade.
Security At The Network Layer
Threats such as spoofing and DoS must be addressed at the network layer.
It is much harder to impersonate a network device if there is a method in
place to positively identify the source of the data. The Internet
Engineering Task Force (IETF) has taken a look at this issue. It has
developed IPSec (short for "IP Security"), a set of open standards to secure
private communication over IP networks. IPSec provides network-layer
encryption and authentication. Since the encrypted packets look like
ordinary IP packets, they can be easily routed through any IP network
without changing any of the intermediate networking devices. The end points
are the only devices aware of the encryption.
Future Challenges
PKI with digital certificates and the IPSec protocol offer the basic
mechanisms required to secure a VoIP network. However, the security issue
becomes much more challenging when more complex service scenarios are
considered. For example, when roaming is allowed across multiple
operators' networks, the security solution must take into account the
expected trust relationships between the home and serving operators, the
home operator and subscriber, and the serving operator and subscriber.
Secure Across The Network
Securing the access network is vital to the acceptance of VoIP as a
mainstream technology. Gaining customer confidence is essential to the
success of any business. In the VoIP industry, ensuring the privacy and
integrity of the access network is absolutely critical to winning customer
trust and confidence. Security breaches at the access network level can have
devastating consequences for businesses; they must be assured that the
privacy and integrity of their data and voice communications are protected.
Mr. Ravi Ravishankar is director, Advanced Technology Planning,
Tekelec. His focus is on defining signaling solutions and products for the
next-generation packet telephony and 3G wireless networks. Tekelec is a
leading developer of telecommunications signaling infrastructure,
softswitches, testing and diagnostic solutions, and service applications.
Please visit their Web site at www.tekelec.com.