As we stand on the threshold of entrusting our communications to a global IP-based telephony network, it seems the perfect time to discover just how secure these networks will be and explore the issues associated with their security.
Phone system security concerns started in the 1960s. Initially it was a pastime amongst enthusiasts who discovered that playing certain tones through telephone receivers made the telephone companies’ switches believe a call had ended, and thus got free phone calls — hence the term ‘phreaking’. Colorful stories abound regarding ‘Cap’n Crunch’, who discovered that the free whistle in a cereal packet could play just the right tone to get free calls.
From Circuit To Packet
Since then, telephone networks have undergone several evolutions and the security of those networks has evolved with them. With each evolution two things have remained constant: the telephone network is based on circuit-switched technology, and it is a ‘closed’ network.
• A circuit-switched network creates a dedicated path between the two parties for the duration of the call. This means that a call ties up resources throughout the network for the whole call, even if the call is silent.
• A ‘closed’ network is one for which the telecommunications operator controls how users communicate across the network. This should mean that handsets cannot access individual elements within the carriers’ network.
However, the advent of voice over IP (VoIP) changes all this in quite a dramatic way; the network is packet-switched and is, in effect, an ‘open’ network. Packet-switched means there is no dedicated path set up for a VoIP call. Individual packets are routed through the network to the destination as they appear. This allows for a more efficient network design carrying more calls over a cheaper router-based network.
Being an IP-based network, it is ‘open.’ Both terminals and network elements communicate using public protocols, meaning that potentially anyone can access and disrupt any network-based elements. In such an open network, the challenge is to allow legitimate traffic to flow freely whilst maintaining the necessary level of security.
What Is Security?
Security of a public voice service covers a wide range of areas, including:
• Securing the network from other connected networks.
• Protecting the subscribers from attack.
• Protecting the subscribers’ privacy.
• Protecting the infrastructure from attack or misuse.
• Complying with regulatory requirements for legal interception.
Protecting The Borders
In traditional circuit-switched networks, each carrier hands off a call to a peering carrier at a distinct demarcation point. At this point, it is possible to limit the internal information passed to the neighboring network and monitor the volume of calls passing between the networks.
With the advent of global VoIP services, IP networks must be interconnected and protected in a similar way. When multimedia services cross a border, each call is actually made up of a number of streams. Devices need to understand the linkage between these streams in order to handle them correctly. Hence, a new class of equipment — session border controllers — has been designed to fill this role.
The session border controller acts as a proxy for both signaling and media as they cross the border into neighboring networks and therefore acts as a defined demarcation point for the network. A session controller acts as a ‘pinhole firewall’, opening and closing paths for media under the control of authorized signaling sources. Unexpected or unauthorized traffic is simply discarded, and true carrier-class, hardware-based session controllers will perform this at wire-speed with no loss of performance for authorized traffic. In this way, IP-level Denial of Service (DoS) attacks can be compartmentalized, thus limiting the scope of their disruption.
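The pinhole behavior described above, as an added example that is not from the original article or any vendor's product: media is admitted only for endpoints negotiated in SDP carried by an authorized signaling source, and the path closes when the call ends. The class name, addresses, Call-IDs and SDP body are constructed for illustration, and matching on the remote address and port alone is a simplifying assumption.

```python
import re

class PinholeGate:
    def __init__(self, trusted_signalers):
        self.trusted = set(trusted_signalers)  # sources allowed to open/close paths
        self.open = {}                         # call_id -> {(ip, port), ...}

    @staticmethod
    def media_endpoints(sdp):
        """Return the (ip, port) pairs an SDP body advertises for media."""
        session_ip, media = None, []           # media entries: [port, ip or None]
        for line in sdp.splitlines():
            c = re.match(r"c=IN IP4 (\S+)", line.strip())
            m = re.match(r"m=\w+ (\d+) ", line.strip())
            if m:
                media.append([int(m.group(1)), None])
            elif c and media:
                media[-1][1] = c.group(1)      # media-level address overrides session
            elif c:
                session_ip = c.group(1)
        # Port 0 marks a declined stream, so it never gets a pinhole.
        return {(ip or session_ip, port) for port, ip in media
                if port and (ip or session_ip)}

    def on_sdp(self, signaler, call_id, sdp):
        if signaler not in self.trusted:
            return False                       # unauthorized source opens nothing
        self.open.setdefault(call_id, set()).update(self.media_endpoints(sdp))
        return True

    def on_bye(self, signaler, call_id):
        if signaler in self.trusted:
            self.open.pop(call_id, None)       # call ended: close its pinholes

    def admit(self, src_ip, src_port):
        return any((src_ip, src_port) in eps for eps in self.open.values())

# Constructed sample SDP (documentation addresses, not real traffic).
SAMPLE_SDP = ("v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
              "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
              "m=audio 49170 RTP/AVP 0\r\nm=video 0 RTP/AVP 31\r\n")

def demo():
    gate = PinholeGate({"198.51.100.5"})
    gate.on_sdp("203.0.113.66", "call-x", SAMPLE_SDP)   # untrusted signaler
    before = gate.admit("192.0.2.10", 49170)
    gate.on_sdp("198.51.100.5", "call-1", SAMPLE_SDP)   # trusted signaler
    during = [gate.admit("192.0.2.10", 49170), gate.admit("192.0.2.10", 49172)]
    gate.on_bye("198.51.100.5", "call-1")
    return [before] + during + [gate.admit("192.0.2.10", 49170)]
```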
One feature of VoIP calls is that certain packets can accumulate information about the network elements that they have crossed, thus providing anyone snooping this information with a roadmap of the network — valuable information if you are planning to disrupt that network. The session controller eliminates this problem by removing all internal network information and presenting itself as the originator of the call — this is called topology hiding.
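Topology hiding applied to a SIP request, as an added example that is not from the original article: in SIP the per-hop information accumulates in the Via and Record-Route headers, so the sketch strips them, saves them for routing the response back, and presents only the border element's address. The function names, the 10.x internal addressing and the sample INVITE are constructed assumptions; header folding and SDP bodies are not handled.

```python
import re

HOP_HEADERS = {"via", "v", "record-route"}   # headers that accumulate per-hop addresses

def hide_topology(request, sbc_addr, branch):
    """Rewrite an outbound SIP request so only the border element is visible.

    Returns (rewritten_request, saved_hops); saved_hops lets the border
    element restore the internal path when the response comes back.
    """
    head, sep, body = request.partition("\r\n\r\n")
    start_line, *headers = head.split("\r\n")
    kept, saved = [], []
    for h in headers:
        name, _, value = h.partition(":")
        key = name.strip().lower()
        if key in HOP_HEADERS:
            saved.append(h)                   # internal hops never leave the network
        elif key in ("contact", "m"):         # "m" is the compact form of Contact
            hidden = re.sub(r"@[^>;\s]+", lambda _: "@" + sbc_addr, value.strip())
            kept.append("Contact: " + hidden)
        else:
            kept.append(h)
    via = f"Via: SIP/2.0/UDP {sbc_addr};branch={branch}"
    return "\r\n".join([start_line, via] + kept) + sep + body, saved

def internal_addrs(msg):
    """Audit helper: list internal (10.x, assumed) addresses still present."""
    return sorted(set(re.findall(r"\b10\.\d+\.\d+\.\d+\b", msg)))

# Constructed sample request as it would arrive at the border element.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.2.7:5060;branch=z9hG4bKcore2",
    "Via: SIP/2.0/UDP 10.0.1.3:5060;branch=z9hG4bKedge1",
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bKphone",
    "Record-Route: <sip:10.0.2.7;lr>",
    "From: <sip:alice@example.com>;tag=1928",
    "To: <sip:bob@example.net>",
    "Call-ID: constructed-call-1",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@10.1.1.20:5060>",
    "Content-Length: 0",
]) + "\r\n\r\n"
```

Running internal_addrs on the message before and after the rewrite is a quick audit that nothing internal crosses the border.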
Protecting The Subscribers
In order to be able to both make and, most importantly, receive calls, the subscriber must be identifiable within the public network. The subscriber’s IP phone registers with a server, which advertises the subscriber’s presence. This means the subscriber’s phone is an easily identifiable target. A second valuable role carried out by session controllers is to act as the public point of presence, or proxy, for the subscriber. This provides privacy for the subscriber as their real address is known only to the session controller.
In this way, any attack directed at the subscriber is now handled by the session controller, a dedicated hardware device built to the exacting standards of carriers. The session controller offers a high level of protection by handling attacks directed at individual subscribers and also by preventing a loss of service caused by attacks designed to saturate the access network with rogue traffic.
Denial of Service attacks need targets. Because the real addresses of subscribers are never revealed within the IP packets crossing the network, it is considerably more difficult for hackers to identify potential targets. Some types of attacks, known as Distributed Denial of Service (DDoS) attacks, cause disruption by generating large amounts of traffic from many sources; the session controller identifies and blocks these attacks before they enter the access network.
Managing Access & Service Theft
Access networks are usually dimensioned to handle typical Web browsing, downloads, and e-mail traffic. These types of traffic are not particularly sensitive to variable delays and remain relatively unaffected by over-booking. However, multimedia traffic is sensitive to both delay and variations in delay. As a result, over-booking of access networks can lead to a significant degradation in the quality of multimedia services. This problem can be minimized by policing the multimedia traffic that is admitted into the access network. This maintains the quality for all calls.
The session controller can also police individual calls to ensure the bandwidth being used in a call complies with the requested resources, thus reducing the opportunity for service theft. Excessive SIP signaling rates can also be restricted, thus limiting attempts to overrun a device.
Protecting The Infrastructure
Many elements within a VoIP network could be subject to attacks both at the IP level and at an application level. The actions taken to protect the borders and the subscribers also protect vital infrastructure elements. Since a subscriber registering with the VoIP service is given the address of the session controller by the DNS, it is the address of the session controller that is advertised, not that of the softswitch. Thus any malicious signaling traffic directed at the softswitch can be policed and, if necessary, rate limited by the session controller. For example, invalid or inappropriate packets are simply discarded, while surges in apparently valid signaling can be rate limited, thus relieving pressure on the softswitch.
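The signaling policing described above and under Managing Access & Service Theft, as an added example that is not from the original article: requests with an invalid start line are discarded, and valid requests are held to a per-source token bucket before they reach the softswitch. The class name, rate, burst size and event list are constructed assumptions, and only SIP requests (not responses) are considered.

```python
import re

# Start line of a request using one of the six core SIP methods.
REQUEST_LINE = re.compile(
    r"^(INVITE|ACK|BYE|CANCEL|OPTIONS|REGISTER) sip:\S+ SIP/2\.0$")

class SignalingPolicer:
    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.buckets = {}                      # source -> (tokens, last_seen)

    def decide(self, source, first_line, now):
        if not REQUEST_LINE.match(first_line):
            return "discard"                   # invalid: never reaches the softswitch
        tokens, last = self.buckets.get(source, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens < 1:
            self.buckets[source] = (tokens, now)
            return "rate-limited"              # surge of apparently valid signaling
        self.buckets[source] = (tokens - 1, now)
        return "forward"

def constructed_events():
    """(time_s, source, start_line) tuples: one surge, one normal user, one junk packet."""
    surge = [(i / 64, "198.51.100.9", "REGISTER sip:example.com SIP/2.0")
             for i in range(128)]              # 64 requests/s for two seconds
    normal = [(t, "192.0.2.10", "INVITE sip:bob@example.com SIP/2.0")
              for t in (0.0, 0.5)]
    junk = [(0.25, "203.0.113.7", "GET / HTTP/1.1")]
    return sorted(surge + normal + junk)

def demo():
    policer = SignalingPolicer(rate_per_sec=16, burst=4)
    counts = {}
    for now, src, line in constructed_events():
        key = (src, policer.decide(src, line, now))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Because each source has its own bucket, the surge is throttled without affecting the subscriber placing ordinary calls.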
Agencies such as FCC and ETSI are starting to insist that VoIP networks should comply with the same regulatory requirements as their circuit-based counterparts. These requirements can be diverse and country specific, but in general encompass Lawful Intercept (LI) and Emergency Call handling (ECH).
Lawful Intercept capability dictates that given the correct authorization, a user’s communications must be intercepted. Within any network it must be done without the user being aware. All calls that the user makes traverse a session controller and this device can be used to duplicate the relevant signaling and media streams. As Lawful Intercept requirements evolve, the same methods can be used to encompass the interception of Instant Messaging, video, etc.
Emergency Call Handling requires that when a subscriber dials 911, their call is routed to the most appropriate Emergency Call Center, generally based on the location of the caller. If the subscriber is not able to convey their location, due to illness etc., then the Emergency Call Center must be able to trace where the call originated. This is done by interrogating the Broadband RAS to map the user’s IP address to their actual details.
The Global Multimedia Net
As carriers evolve and expand their service offerings, the adopted underlying network of choice remains IP. Standards for deploying and interconnecting multimedia in both wireless and wireline networks such as IMS and TISPAN are being developed and are gaining momentum. Running through all these standards is the need to build a secure, reliable and controllable network.
So, perhaps the days of worrying about a phreaker with a plastic whistle are gone, but as networks have evolved so have the threats. Security remains a cornerstone of good network design, and session controllers are establishing themselves as the key component for ensuring IP networks maintain the familiar standards associated with the PSTN.
David Gladwin is marketing manager at Newport Networks. For more information, please visit www.newport-networks.com.