What''s Happening in SIP IDS/IPS Security

Ask the SIP Trunk Expert

What''s Happening in SIP IDS/IPS Security

By TMCnet Special Guest
Steven Johnson, President of Ingate Systems
  |  November 01, 2010

This article originally appeared in the November 2010 issue of INTERNET TELEPHONY

With IP attacks to steal VoIP service a genuine threat, weak passwords still providing an opportunity for malicious activity, and the potential for overloading VoIP systems a possibility, intrusion detection system/intrusion prevention system solutions for SIP have become a crucial security measure for enterprise SIP deployments.

SIP IDS/IPS is a software solution that enables the enterprise session border controller to detect denial of service attacks based on SIP, and to block malicious SIP signaling packets designed to attack certain SIP phones, servers or other devices on the enterprise LAN – including the IP PBX (News - Alert). This secures the enterprise network, as the edge device handles the attacks while the servers and other SIP devices in the network can still be used.

For DoS attack detection, the administrator specifies what should be regarded as an attack. This offers the administrator flexibility to set the criteria for the number of requests or responses per time frame as environments and functions vary, and must thus be defined individually. The rules may also be written to limit requests/responses from specific IP addresses or domains within a time period, or to block all requests/responses from an IP address or domain if it is determined that the attack is being launched from that site.

All logs can be exported for analysis and, based on the findings, the administrator can refine the rules to minimize attacks and intrusions, while also allowing normal communications to continue.

SIP IDS/IPS is just one (very important) part of the security puzzle. In SIP trunk deployments (and for all SIP applications) there are additional layers of security you can and should employ:

full SIP proxy for maximum control over SIP signaling;

transport layer security, which authenticates communication parties and encrypts the signaling on the public side, even if it is in the clear on the LAN; and

secure real-time transport protocol, which adds encryption when the voice media streams are transported outside the enterprise LAN. 

When combined with TLS, it further shields users from eavesdroppers, hackers and spoofers.

Steven Johnson is president of Ingate Systems (News - Alert) (www.ingate.com).

TMCnet publishes expert commentary on various telecommunications, IT, call center, CRM and other technology-related topics. Are you an expert in one of these fields, and interested in having your perspective published on a site that gets several million unique visitors each month? Get in touch.

Edited by Stefania Viscusi