
Packet IN
July 2002

Security Measures In Packet Networks Create Challenges For IP Telephony


Last month's column explored the security issues faced by VoIP carriers at the network interconnecting points with other providers' networks. This month's column looks at the security challenges that access networks pose to the VoIP operator.

In the security chain, the access network is the weakest link and poses the greatest threat to the VoIP operator. Attacks originating from the access network can take several forms and result in varying degrees of damage. One of the most common methods is denial of service (DoS), in which a hacker floods the network with seemingly legitimate traffic and overloads or crashes critical network elements. By attacking at the signaling layer, a network server can be taken down with very little bandwidth. This is because each signaling message may involve a lot of network resources. Eavesdropping, device cloning, and protocol manipulation are other forms typically employed to gain unauthorized access to information, data, or service.

The Source Of The Problem
The access networks terminate at the subscriber premises and connect to customer premise equipment (CPE). These CPE devices can become the primary targets for security breaches because they are so physically accessible. Carriers go to great lengths to secure and protect their own network elements, but the equipment their customers use to connect to that network usually resides on an unsecured desktop. The sheer number of CPE elements that may reside in the customer network further complicates the problem. Every CPE device is a potential point from which unauthorized network entry can be gained. Unlike standard telephones, these devices are intelligent. They have direct signaling interaction with other nodes such as call control agents, SIP registrars, and gatekeepers, and can be used to launch a network attack. CPE devices are typically low-end and susceptible to software bugs. Once a hacker identifies and understands such a bug, it can easily be exploited to gain network access.

Many access networks are also shared-media or broadcast networks. An IP connection, such as a coaxial cable, links the carrier with the customer site where any number of subscribers may reside. The problem with this arrangement is that traffic to and from any user is visible to all others on the network. Eavesdroppers can use packet-sniffing tools to view the traffic and intercept voice and signaling traffic from other users on the same cable segment.

Taking A Closer Look At Security
A complete security solution has to include several key elements: mechanisms to authenticate users and devices and to authorize access to the network; methods to hide or encrypt critical information and data; and a method or protocol to manage the trust relationship between multiple devices. There must also be a means to validate the authenticity of any new software before it is installed as an upgrade.

Protecting The Data In Transit
Proof of identification is a critical component of any network security system. One method for authenticating network devices and passing information securely is the public key infrastructure (PKI). PKI consists of protocols and standards that support public key cryptography, the algorithms that encrypt and decrypt sensitive message information.

The PKI protocol employs a unique public/private key pair for each device involved in the communication. Typically, the key pair is generated and embedded in communication devices when they are manufactured. The private key is known only to the protected device and is never shared. The public key is shared with all the other network devices that need to communicate with the protected device. Any device with knowledge of the public key can send information, and it does so by encrypting the data using the public key. This message can only be decrypted with the private key held by the protected device. By using one key pair for the CPE device and another key pair for the network-side device, signaling and voice communication in both directions can be protected.

Encryption algorithms range from the simple to the complex. Several algorithms are currently employed in commercial data networks, and the VoIP industry can benefit from this rich experience. The data encryption standard (DES), triple data encryption standard (triple-DES), and advanced encryption standard (AES) are some of the most popular methods. The size of the keys used in the algorithm determines the level of security: the larger the key length, the better the security.

Digital Certificates
The challenge with using a key pair for encrypted communication is authenticating the public key and verifying that it truly belongs to the identified device rather than a cloned device. This is done using digital certificates, which are a critical component of PKI. Issued by a certification authority (CA), they are used to establish a user's credentials on the network. The certificate contains information about the public key as well as the user's name, a serial number, the validity period, and the digital signature of the CA. One of the standards being used for digital certificates is X.509. It defines what information must be included in the certificate as well as the data format for that information.

Using a two-phase encryption process can further enhance the security. The first phase of encrypted message exchange takes place using the PKI infrastructure. During this step, the communicating devices exchange a secondary key known as the traffic encryption key. The traffic encryption key is then used for encrypting the user-generated traffic such as signaling and voice.
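The two-phase exchange described above, as an added example that is not from the column or from Tekelec: the network side wraps a freshly drawn traffic encryption key with the CPE's public key (RSA-OAEP), the CPE unwraps it with a private key that never leaves the device, and both sides then protect each signaling or voice packet with AES-GCM under that key. The choice of RSA-OAEP and AES-GCM, the helper names, and the 2048-bit key pair standing in for the one embedded at manufacture are assumptions; the column names no specific algorithms for this step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Phase 1: wrap a fresh traffic encryption key (TEK) with the CPE's public key.
func wrapTEK(cpePub *rsa.PublicKey) (tek, wrapped []byte, err error) {
	tek = make([]byte, 32) // AES-256 key, drawn fresh for this session
	if _, err = rand.Read(tek); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, cpePub, tek, nil)
	return tek, wrapped, err
}

func unwrapTEK(cpePriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, cpePriv, wrapped, nil)
}

// Phase 2: AES-GCM under the shared TEK encrypts and authenticates each
// signaling or voice packet, so a packet altered in transit fails to open.
func newSession(tek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(tek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealPacket(s cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.NonceSize()) // unique per packet, sent in the clear
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.Seal(nonce, nonce, plaintext, nil), nil
}

func openPacket(s cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := s.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("packet too short")
	}
	return s.Open(nil, sealed[:ns], sealed[ns:], nil)
}
```

The network side calls wrapTEK and sends the wrapped key; the CPE calls unwrapTEK, and each side then builds a session with newSession and seals or opens packets with it. The length check in openPacket matters because a truncated packet would otherwise panic inside the slice rather than be rejected.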

The PKI infrastructure can also be used to authenticate software before an upgrade takes place. The new software will have embedded digital signatures. The devices authenticate these digital signatures using a known certification authority before allowing the upgrade.

Security At The Network Layer
Threats such as spoofing and DoS must be addressed at the network layer. It is much harder to impersonate a network device if there is a method in place to positively identify the source of the data. The Internet Engineering Task Force (IETF) has taken a look at this issue. It has developed IPSec (short for "IP Security"), a set of open standards to secure private communication over IP networks. IPSec provides network-layer encryption and authentication. Since the encrypted packets look like ordinary IP packets, they can be easily routed through any IP network without changing any of the intermediate networking devices. The end points are the only devices aware of the encryption.

Future Challenges
PKI with digital certificates and the IPSec protocol offer the basic mechanisms required to secure a VoIP network. However, the security issue becomes much more challenging when more complex service scenarios are considered. For example, when roaming is allowed across multiple operators' networks, the security solution must take into account the expected trust relationships between the home operator and the serving operator, between the home operator and the subscriber, and between the serving operator and the subscriber.

Secure Across The Network
Securing the access network is vital to the acceptance of VoIP as a mainstream technology. Gaining customer confidence is essential to the success of any business. In the VoIP industry, ensuring the privacy and integrity of the access network is absolutely critical to winning customer trust and confidence. Security breaches at the access network level can have devastating consequences for businesses; they must be assured that the privacy and integrity of their data and voice communications are protected.

Mr. Ravi Ravishankar is director, Advanced Technology Planning, Tekelec. His focus is on defining signaling solutions and products for the next-generation packet telephony and 3G wireless networks. Tekelec is a leading developer of telecommunications signaling infrastructure, softswitches, testing and diagnostic solutions, and service applications. Please visit their Web site at www.tekelec.com.
