ITEXPO begins in:   New Coverage :  Asterisk  |  Fax Software  |  SIP Phones  |  Small Cells

Feature Article
November 2004

Sidebar: Security In A VoIP Environment

By Sri Ramachandran

As VoIP becomes more widely deployed in enterprises, service providers find they must address security issues long solved by other Internet technologies.
With VoIP traffic, as with data traffic, the first level of security is authentication — does the call come from a trusted party? The second level of security is authorization — does the call come from a trusted source and does the message show evidence of tampering?

However, VoIP traffic requires a different level of security to ensure that the network is secure from Denial of Service (DOS) attacks, service theft, viruses, and other problems. A new type of technology, Multiservice Session Controller technology, addresses these issues by providing security for VoIP traffic originating in enterprises to traverse carrier networks.

Dealing With DoS
Session controllers protect assets within the network against DoS attacks by looking at the rate at which VoIP packets enter the network. A signaling rate that is much higher than provisioned call rates or a very rapid increase in such rates, are warning signs of a DoS attack, and will be notified to the Network Operations Center (NOC). The session controller also looks for malformed packets and buffer overflows that may represent a DoS attack. In either case, the session controller can detect DoS and minimize damage by shutting down network access to the origin of attack.

Networks may also receive messages not intended for the service they provide. A carrier that terminates calls to area codes in the northeastern U.S., for example, may receive requests to transmit calls to California. Too many such calls, whether malicious or due to an error in service configuration, may constitute a DoS attack that the session controller can stop at the network boundary.

Looking At Packets, Outside And Inside
Session controllers, unlike older security technologies, can determine a great deal from the size, rate, and contents of VoIP packets. Session controllers can prevent service abuse and theft by determining if packets are the correct size and rate for the service being used. For example, a subscriber may have a VoIP Service Level Agreement (SLA) for 64 Kbps. The session controller can sense if the user has stopped speaking and started streaming higher-bandwidth video, and cut off service to ensure that the user abides by his SLA. A newer generation of session controllers, equipped with deep packet inspection capabilities, can also open packets up and scan their content to determine if a user is transmitting viruses or malicious content via a VoIP call.

Setting Boundaries, Breaking Barriers
The session controller employs the Transport Layer Security (TLS) protocol to ensure no one can tamper with VoIP calls. TLS also allows the service provider to create encrypted channels into the network, ensuring that no one can find and attack resources within the network.

Session controllers also enable VoIP calls to reach users cordoned off in private enterprise networks behind firewalls and network address translation (NAT) devices. These products present obstacles to the delivery of IP voice services. Current firewall technology, for example, cannot support real-time, latency-sensitive voice traffic; firewalls may allow through portions of VoIP signaling streams but not full-duplex media streams, which are dynamically negotiated in the signaling stream. Session controllers incorporate technology that punches a ‘hole’ through the NAT or firewall through which VoIP signaling messages and media can pass.

Support For Multiple Streams, New Devices
The latest generation of session controllers has policies that allow them to support separate, dynamic traffic streams on one call, simultaneously. A conference call may start out as a voice call, which has steady bandwidth, but participants may later decide to share whiteboard information via a data conference while also adding video to the call. A sophisticated session controller can support both the initially set up VoIP stream and the dynamically added video and data streams.
With the increasing trend to SIP phones, service providers should also make sure that the session controller they choose supports all of the SIP features.

A Rich Set Of Solutions For Now And Beyond
In addition to VoIP security, session controllers can deliver a much richer set of solutions, including call routing and traffic management for quality and packet prioritization. As enterprises continue to deploy IP-PBXs, service providers can utilize session controllers to set up private virtual networks (VPNs) between corporate sites for real time communications. And, as new uses for session controller technology emerge, there are sure to be even more refinements in VoIP functionality and security.

Sri Ramachandran is founder and chief technology officer at NexTone Communications. For more information, please visit the company online at

If you are interested in purchasing reprints of this article (in either print or HTML format), please visit Reprint Management Services online at or contact a representative via e-mail at [email protected] or by phone at 800-290-5460.

[ Return To The November 2004 Of Contents ]


Today @ TMC
Upcoming Events
ITEXPO West 2012
October 2- 5, 2012
The Austin Convention Center
Austin, Texas
The World's Premier Managed Services and Cloud Computing Event
Click for Dates and Locations
Mobility Tech Conference & Expo
October 3- 5, 2012
The Austin Convention Center
Austin, Texas
Cloud Communications Summit
October 3- 5, 2012
The Austin Convention Center
Austin, Texas