Comprehensive VoIP Security for the Enterprise: Not Just Encryption and Authentication
A Sipera Whitepaper, March 2006
Summary
As enterprises and operators roll out real-time Internet Protocol (IP) communications applications such as Voice-over IP (VoIP), instant messaging (IM), video and multimedia, the need to protect end-users and network infrastructures from multiple catastrophic attacks, misuse, and abuse of session-based protocols is becoming imperative.
At the same time, the encryption and authentication that many advertise as VoIP security only scratches the surface of the required protection. In fact, there are many VoIP-specific vulnerabilities that have been discovered, along with thousands of threats that can be launched against SIP/UMA/IMS networks, that encryption and authentication alone do not address.
This white paper will look at a number of these threats that target the enterprise network and users including reconnaissance, Denial of Service (DoS)/Distributed Denial of Service (DDoS), Stealth DoS/DDoS, Spoofing and VoIP spam in order to explore the unique methods and techniques to protect VoIP infrastructure as well as end users from threats that endanger the continued exchange of time-critical, business-sensitive information.
Comprehensive VoIP Security for the Enterprise 2
Introduction
Real-time, Internet Protocol (IP) communications applications have a significant and obvious appeal
for enterprises and end-users because they allow the Internet and existing data networks to become
a cost-effective transport for things most people want to do such as: placing voice calls, participating
in video conferences, exchanging Instant Messages (IMs), and a host of other communications
applications. It can also allow you to realize the benefits of using a Session Initiation Protocol
(SIP) trunk for hosted Voice over IP (VoIP) services. But cost is only part of the appeal, these new
communications applications enable increased efficiencies and collaboration with integration of
soft clients on PCs, IT infrastructure such as Microsoft Live Communication Server (LCS) and voice
extranets into one converged network, as shown in Figure 1.
Figure 1: Adding VoIP to the enterprise network
These benefits do not come without a significant tradeoff as we can see by taking a step back and
looking at what happened with IP networks. Because the IP network is an ‘open’ system, any user
can freely connect to it at any time from any place with little effort or oversight. This makes the IP
network a fertile breeding ground for a wide variety of malicious and unauthorized activities that can
affect any enterprise, group, or user. Network protocols, operating systems, web browsers,
e-mail clients and other applications are persistent targets of attacks.
Traditionally, the Internet security industry reacts to these attacks by developing a collection of
piecemeal solutions to protect the enterprise from attacks. As a result, threats have been effectively
mitigated to manageable levels by the development and deployment of a number of increasingly
sophisticated solutions including firewalls, Intrusion detection/intrusion prevention system (IDS/IPS),
anti-spam filters and others.
(Figure 1 diagram labels: LCS Integration, Soft Clients, SIP Phones, Call Managers, Road Warrior, Voice Extranets, SIP Server, ISP, Internet, SIP Trunk, Data VLAN, VoIP VLAN)
However, problems still persist and if history is any indication, IP communications applications will
also be subject to many of the same security threats that are prevalent in traditional Internet data
applications, and to many additional ones as well. These new attacks include deliberate application-
specific assaults against the VoIP infrastructure and end-points, such as denial of service (DoS) and
distributed denial of service (DDoS) attacks as well as stealth attacks and VoIP spam.
Because of these risks, many enterprises have deployed their VoIP infrastructure as an “island”
utilizing a separate Virtual Local Area Network (VLAN) to protect it against these attacks, but this
does not allow them to realize the full potential of IP communications applications. Even worse
from a security perspective, some enterprises feel they are safe by simply using the encryption and
authentication techniques embedded into the VoIP infrastructure. While this is important, encryption
and authentication do not protect against a variety of external threats from malicious users and
spammers as well as internal threats from infected PCs. Frequently, these malicious endpoints are
“authorized” users of VoIP and will easily pass the authentication and encryption hurdles.
At the same time, it’s important to understand that IP communications applications, such as VoIP,
are very different than web applications and email, as shown in Figure 2. VoIP is real-time by its very
nature and involves complex state machines which may need to track several dozen states at the
same time. The protocols themselves, such as SIP, are feature-rich and involve the use of separate
signaling and media planes which allow devices to talk peer-to-peer rather than the traditional
client-server methods of the data world. Finally, there is an extremely low tolerance to false positives
and negatives as compared to the data world.
Figure 2: IP Communications applications are very different than data applications
(Figure 2 diagram labels, "VoIP is Different": separate signaling and media planes; peer-to-peer; real-time; protocol and feature rich; low tolerance to false positives and negatives; complex state machine with several dozen states)
It’s easy to see that IP communications applications demand a security solution that not only
“borrows” from the best security functionality of the data world but adds specific VoIP protection
techniques that take into account the real-time, peer-to-peer, and feature-rich nature of these
session-based protocols.
VoIP Risks and Vulnerabilities
VoIP networks have thousands of unique vulnerabilities that can be exploited to launch a variety of
attacks. In fact, the Sipera VIPER lab, which is comprised of the most knowledgeable and capable
VoIP and security developers, architects, and engineers, has identified over 20,000 threats in the
last two years that can be launched against SIP networks, as shown in Table 1.
Table 1: Unique SIP vulnerabilities as catalogued by Sipera VIPER Lab

  Attacks on infrastructure      SIP       Media
  -------------------------      ------    -----
  Fuzzing                        >20000    7
  Reconnaissance                 5         n/a
  Flood                          >30       2
  Distributed Flood              >30       n/a
  Misuse/spoofing                n/a       6
  Total                          >20065    15

  Attacks on end-users           SIP and Media
  --------------------           -------------
  Misuse                         8
  Session Anomalies              4
  Stealth                        2
  Spam                           2
  Total                          16

All told, enterprises need to be aware of, and effectively protect their network from, these attacks
against their infrastructure and the additional ones against end-users which are unique to IP
communications applications. These application-specific threats are in addition to attacks such as
call hijacking, fraud and eavesdropping that are addressed by encryption and authentication. Let's
look at some of the more prevalent and potentially damaging VoIP-specific application level attacks.

Reconnaissance Attacks
Pre-DoS attacks are probes conducted against a network to ascertain its vulnerabilities, the
behavior of its equipment and users, and what services might be available for exploitation or
disruption. Once this information has been gathered, focused attacks against the network's
assets, services, and users can then be launched. This type of 'intelligence gathering' or
'probing action' is often the first thing an attacker will do when attempting to penetrate a
particular network.
Types of reconnaissance attacks include call walking and port scanning. Call walking is a type of
reconnaissance probe where a malicious user initiates sequential calls to a block of telephone
numbers in order to identify what assets are available for further exploitation. Port scanning
is similar to call walking in that sequential probes are made against a block of destinations.
However, port scanning does not target end-users as call walking does, but instead targets a
group of sequential ports in a network.
Depending upon the responses that are received, the attacker then can determine which exploit
attempts might or might not work to breach the network. Using these methods, an attacker can
easily identify and gather the domain names and URLs of SIP-enabled devices that populate the
network and launch attacks against those devices.
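As an added example (not Sipera code and not part of the original paper), the following Python picks both signs of a probe out of a SIP server's own request log: a run of sequentially dialed numbers from one source, combined with a high share of failed responses. The log format, addresses and thresholds are constructed for the example. Port scanning at the IP layer is left to the firewall, but an OPTIONS sweep across extensions, which is how SIP endpoints are usually enumerated, is caught by the same rule as call walking.

```python
import re
from collections import defaultdict

# Constructed SIP server log (not captured from any real system):
# time, source address, request method, dialed extension, final response.
SAMPLE_LOG = """\
10:00:01 src=203.0.113.9 INVITE to=2001 resp=404
10:00:02 src=203.0.113.9 INVITE to=2002 resp=404
10:00:03 src=203.0.113.9 INVITE to=2003 resp=200
10:00:04 src=203.0.113.9 INVITE to=2004 resp=404
10:00:05 src=203.0.113.9 INVITE to=2005 resp=404
10:00:06 src=203.0.113.9 INVITE to=2006 resp=404
10:00:07 src=198.51.100.7 OPTIONS to=1000 resp=200
10:00:08 src=198.51.100.7 OPTIONS to=1001 resp=404
10:00:09 src=198.51.100.7 OPTIONS to=1002 resp=404
10:00:10 src=198.51.100.7 OPTIONS to=1003 resp=404
10:00:11 src=198.51.100.7 OPTIONS to=1004 resp=404
10:00:30 src=192.0.2.44 INVITE to=2003 resp=200
10:01:15 src=192.0.2.44 INVITE to=2107 resp=200
"""

LINE_RE = re.compile(
    r"(?P<t>\d\d:\d\d:\d\d) src=(?P<src>\S+) (?P<method>[A-Z]+) "
    r"to=(?P<to>\d+) resp=(?P<resp>\d{3})$")

def parse_log(text):
    """Turn log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["to"], e["resp"] = int(e["to"]), int(e["resp"])
            events.append(e)
    return events

def longest_sequential_run(targets):
    """Length of the longest run of numbers dialed in ascending order, step 1."""
    best = run = 1 if targets else 0
    for prev, cur in zip(targets, targets[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_scanners(events, min_run=4, min_fail_ratio=0.6):
    """Flag a source when it walks a block of sequential numbers and most of
    those attempts fail: legitimate users rarely dial unknown numbers in order."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        run = longest_sequential_run([e["to"] for e in evs])
        fail_ratio = sum(e["resp"] >= 400 for e in evs) / len(evs)
        if run >= min_run and fail_ratio >= min_fail_ratio:
            methods = {e["method"] for e in evs}
            kind = ("call walking (INVITE)" if "INVITE" in methods
                    else "endpoint scan (" + "/".join(sorted(methods)) + ")")
            findings[src] = {
                "kind": kind, "run": run, "fail_ratio": round(fail_ratio, 2),
                # the numbers that answered are exactly what the attacker learned
                "live_targets": sorted({e["to"] for e in evs if e["resp"] == 200}),
            }
    return findings

if __name__ == "__main__":
    for src, finding in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The "live_targets" list is the useful output for the defender: it is the inventory the attacker just built, so those endpoints are the ones to watch for the focused attacks that follow a probe.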
Floods and Distributed Floods
Flood DoS and DDoS attacks are those attacks whereby a malicious user deliberately sends a
tremendously large amount of random messages to one or more VoIP end-points from either a
single location (DoS) or from multiple locations (DDoS), as shown in Figure 3. Typically, the
flood of incoming messages is well beyond the processing capacity of the target system, thereby
quickly exhausting its resources and denying services to its legitimate users.
In the case of DDoS attacks, the attacker(s) will use multiple sources to launch the assault or a
single source masquerading as multiple sources to attack the target system. If the system(s) from
which the DDoS attack originates have themselves somehow been compromised, then they are
referred to as zombies.
Oftentimes, however, a flood may be caused by a valid reason (such as a power failure
precipitating a flood of SIP end-point registrations or a flood caused by an improperly configured
SIP phone).
Figure 3: Malicious users can launch DoS and DDoS flood attacks against end-users or infrastructure
(Figure 3 diagram labels: DoS attack on end-point, malicious user to SIP phone; DDoS attack on call server, malicious user through zombies to SIP server)
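An added example, not code from the paper or from Sipera, of how a flood detector can separate the three cases above. It keeps a sliding window of SIP requests, drops a source that exceeds a per-source limit, and when the aggregate limit is exceeded it checks whether the burst is REGISTER traffic from phones it already knows (a reboot storm, to be queued rather than blocked) or traffic from many unknown or spoofed sources (a distributed flood, to be rate-limited). The thresholds, addresses and the list of known phones are assumptions made for the example.

```python
from collections import defaultdict, deque

class FloodDetector:
    """Sliding-window counter over SIP requests that separates a single-source
    flood, a distributed flood and a legitimate registration storm."""

    def __init__(self, window_s=10.0, per_source_limit=50, aggregate_limit=400,
                 known_endpoints=()):
        self.window_s = window_s
        self.per_source_limit = per_source_limit      # one source, one window
        self.aggregate_limit = aggregate_limit        # all sources combined
        self.known = set(known_endpoints)             # previously registered phones
        self.events = deque()                         # (t, src, method) in window

    def _expire(self, now):
        while self.events and now - self.events[0][0] > self.window_s:
            self.events.popleft()

    def observe(self, t, src, method):
        """Record one request and return the verdict for its source."""
        self._expire(t)
        self.events.append((t, src, method))
        per_src = defaultdict(int)
        for _, s, _ in self.events:
            per_src[s] += 1
        if per_src[src] > self.per_source_limit:
            return "drop: single-source flood"
        total = len(self.events)
        if total > self.aggregate_limit:
            registers = sum(1 for _, _, m in self.events if m == "REGISTER")
            known_share = sum(1 for s in per_src if s in self.known) / len(per_src)
            # Many known phones all re-registering at once is what a site-wide
            # power cycle looks like: queue and answer them, do not blacklist them.
            if registers / total >= 0.9 and known_share >= 0.9:
                return "queue: registration storm"
            # Many unknown sources (or one source spoofing many) above the
            # aggregate limit: shed load per source rather than per message.
            return "rate-limit: distributed flood"
        return "allow"

KNOWN_PHONES = [f"10.0.{i // 256}.{i % 256}" for i in range(1, 601)]  # constructed

def scenario(kind):
    """Replay a constructed burst and return the verdict on its last request."""
    det = FloodDetector(known_endpoints=KNOWN_PHONES)
    verdict = "allow"
    if kind == "single":          # one attacker, 60 INVITEs in 0.6 s
        for i in range(60):
            verdict = det.observe(i * 0.01, "203.0.113.9", "INVITE")
    elif kind == "distributed":   # 450 bots, one INVITE each
        for i in range(450):
            verdict = det.observe(i * 0.01, f"198.51.{i // 256}.{i % 256}", "INVITE")
    elif kind == "reboot":        # 450 known phones re-registering after power loss
        for i in range(450):
            verdict = det.observe(i * 0.01, KNOWN_PHONES[i], "REGISTER")
    return verdict

if __name__ == "__main__":
    for kind in ("single", "distributed", "reboot"):
        print(kind, "->", scenario(kind))
```

The point of the third branch is the caveat in the text: a flood is not always an attack, and a detector that blacklists every phone in the building after a power failure turns an outage into a longer one.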
Protocol Fuzzing
Fuzzing is a legitimate method of testing software systems for bugs and is accomplished
essentially by providing an application with semi-valid input to see what its reaction will be.
Then appropriate fixes can be implemented, if necessary.
Malicious users, however, employ this same methodology to exploit vulnerabilities in a target
system. They do this by sending messages whose content, in most cases, is good enough that the
target will assume it’s valid. In reality, the message is ‘broken’ or ‘fuzzed’ enough that when the
target system attempts to parse or process it, various failures result instead. These can include
application delays, information leaks, or even catastrophic system crashes.
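Added example, not Sipera code: a strict validator that sits in front of the call server's parser and rejects semi-valid SIP requests with a stated reason instead of handing them to code that may misbehave. The required headers and the compact header forms follow RFC 3261; the size limits and the fuzz cases are constructed for the example.

```python
import re

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]{1,16}) (?P<uri>sips?:\S{1,256}) SIP/2\.0$")
HEADER_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
CSEQ = re.compile(r"^(\d{1,10}) ([A-Z]{1,16})$")
COMPACT = {"v": "Via", "f": "From", "t": "To", "i": "Call-ID", "m": "Contact",
           "l": "Content-Length"}                       # RFC 3261 section 7.3.3
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
MAX_MESSAGE, MAX_LINE, MAX_HEADERS = 65536, 1024, 64    # assumed limits

class SipError(ValueError):
    """Raised with a short reason when a message fails strict validation."""

def validate_request(raw: bytes):
    """Return (method, headers, body) for a well-formed request, else raise."""
    if len(raw) > MAX_MESSAGE:
        raise SipError("message too large")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise SipError("non-ASCII bytes in message")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise SipError("missing CRLFCRLF separator")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise SipError("malformed request line")
    if len(lines) - 1 > MAX_HEADERS:
        raise SipError("too many headers")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE:
            raise SipError("header line too long")
        name, colon, value = line.partition(":")
        name = name.strip()
        if not colon or not HEADER_NAME.fullmatch(name):
            raise SipError("malformed header line")
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    for h in REQUIRED:
        if h not in headers:
            raise SipError(f"missing required header {h}")
    if not headers["Via"][0].startswith("SIP/2.0/"):
        raise SipError("bad Via protocol")
    cm = CSEQ.match(headers["CSeq"][0])
    if not cm:
        raise SipError("malformed CSeq")
    if cm.group(2) != m.group("method"):
        raise SipError("CSeq method does not match request method")
    mf = headers["Max-Forwards"][0]
    if not (mf.isdigit() and int(mf) <= 255):
        raise SipError("bad Max-Forwards")
    declared = headers.get("Content-Length", ["0"])[0]
    if not declared.isdigit() or int(declared) != len(body):
        raise SipError("Content-Length does not match body")
    return m.group("method"), headers, body

def build(request_line, headers, body=""):
    """Assemble a raw message for the constructed cases below."""
    text = request_line + "\r\n" + "".join(h + "\r\n" for h in headers) + "\r\n" + body
    return text.encode("latin-1")

INVITE = "INVITE sip:bob@example.com SIP/2.0"
BASE = ["Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK776asdhds",
        "From: <sip:alice@example.com>;tag=1928301774", "To: <sip:bob@example.com>",
        "Call-ID: a84b4c76e66710@192.0.2.10", "CSeq: 314159 INVITE",
        "Max-Forwards: 70", "Content-Length: 0"]

def swap(prefix, new):
    return [new if h.startswith(prefix) else h for h in BASE]

CASES = {  # constructed fuzz cases: one valid baseline and typical near-misses
    "valid": build(INVITE, BASE),
    "compact_headers": build(INVITE, ["v: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK1",
                                      "f: <sip:alice@example.com>;tag=1", "t: <sip:bob@example.com>",
                                      "i: x@192.0.2.10", "CSeq: 1 INVITE", "Max-Forwards: 70", "l: 0"]),
    "cseq_method_mismatch": build(INVITE, swap("CSeq", "CSeq: 314159 BYE")),
    "content_length_lie": build(INVITE, swap("Content-Length", "Content-Length: 9999")),
    "bad_version": build("INVITE sip:bob@example.com SIP/9.9", BASE),
    "control_char_in_name": build(INVITE, swap("Via", "Via\x01: SIP/2.0/UDP 192.0.2.10")),
    "non_ascii": build(INVITE, swap("To", "To: <sip:bob@example.com>;tag=\xff")),
    "missing_call_id": build(INVITE, [h for h in BASE if not h.startswith("Call-ID")]),
    "oversized_header": build(INVITE, swap("To", "To: <sip:" + "a" * 2000 + "@example.com>")),
}

def run_cases():
    """Map each case name to 'ok' or the rejection reason."""
    results = {}
    for name, raw in CASES.items():
        try:
            validate_request(raw)
            results[name] = "ok"
        except SipError as e:
            results[name] = str(e)
    return results
```

Every rejection names the field at fault, which is what makes a front-end validator useful during incident response: the rejected messages, grouped by reason, show which parser path the attacker is probing.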
Misuse
Misuse involves taking over someone's call or making calls on their behalf, which is more
commonly called spoofing. This is done by deliberately inserting fake data into the source IP
address-field portion of the packet to hide the true source of the call. In this way the attacker
can ‘spoof’ a legitimate user and hijack the current session which results in the call either being
redirected or terminated, as shown in Figure 4. Spoofing results in misuse/abuse of the system
and a denial-of-services (DoS) to the legitimate user.
Figure 4: Malicious user hijacks the current session and redirects the call
(Figure 4 diagram labels: original call session between Caller A and Caller B; resulting call session redirected to the malicious user)
Session Anomalies
Session anomalies occur when the messages do not come in the correct sequence and therefore
neither the end-points nor the call server know how to handle the calls. When hackers or
malicious users do this intentionally, it will result in a session abuse for the VoIP system, similar
to misuse.
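An added example (not Sipera code) of the state tracking behind this paragraph: a per-Call-ID state machine that accepts only the messages legal in the dialog's current state and checks that CSeq moves the right way. The state names, the ERROR token standing in for any 4xx to 6xx final response, and the traces are simplifications constructed for the example; a production tracker also keys on From/To tags and keeps a separate CSeq per direction.

```python
class DialogTracker:
    """Tracks each SIP dialog (by Call-ID) through a minimal state machine and
    rejects messages that arrive out of sequence or with a stale CSeq."""

    ALLOWED = {  # state -> {message: next state}
        "idle":        {"INVITE": "inviting"},
        "inviting":    {"200": "answered", "CANCEL": "idle", "ERROR": "idle"},
        "answered":    {"ACK": "established"},
        "established": {"BYE": "idle", "INVITE": "inviting"},   # re-INVITE
    }
    SAME_CSEQ = {"ACK", "CANCEL", "200", "ERROR"}   # must echo the INVITE's CSeq

    def __init__(self):
        self.dialogs = {}          # call_id -> {"state": ..., "cseq": ...}
        self.anomalies = []        # (call_id, reason) for the security log

    def handle(self, call_id, msg, cseq):
        d = self.dialogs.setdefault(call_id, {"state": "idle", "cseq": 0})
        nxt = self.ALLOWED[d["state"]].get(msg)
        if nxt is None:
            return self._reject(call_id, f"{msg} not valid in state {d['state']}")
        if msg in self.SAME_CSEQ:
            if cseq != d["cseq"]:
                return self._reject(call_id, f"CSeq {cseq} does not match pending {d['cseq']}")
        elif cseq <= d["cseq"]:
            # a new request must advance CSeq; an old number is a replay or a forgery
            return self._reject(call_id, f"CSeq {cseq} not greater than {d['cseq']} (replay?)")
        else:
            d["cseq"] = cseq
        d["state"] = nxt
        return "accept"

    def _reject(self, call_id, reason):
        self.anomalies.append((call_id, reason))
        return "reject: " + reason

def run_trace(trace):
    """Feed (call_id, message, cseq) tuples to a fresh tracker; return verdicts."""
    tracker = DialogTracker()
    return [tracker.handle(*m) for m in trace]

# Constructed traces, not captured from a real network.
NORMAL_CALL = [("c1", "INVITE", 1), ("c1", "200", 1), ("c1", "ACK", 1), ("c1", "BYE", 2)]
ANOMALIES = [
    ("c2", "ACK", 1),                                   # ACK with no INVITE
    ("c3", "INVITE", 1), ("c3", "BYE", 2),              # BYE before the call is answered
    ("c4", "INVITE", 5), ("c4", "200", 5), ("c4", "ACK", 5),
    ("c4", "INVITE", 3),                                # re-INVITE with a stale CSeq
]

if __name__ == "__main__":
    for trace in (NORMAL_CALL, ANOMALIES):
        for m, v in zip(trace, run_trace(trace)):
            print(m, "->", v)
```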
Stealth Attacks
Stealth attacks are those in which one or more specific end-points are deliberately attacked from
one (DoS) or more (DDoS) sources, although at a much lower call volume than is characteristic
of flood-type attacks. In addition to VoIP spam, detection of stealth attacks is vital for VoIP
systems as they have the potential to be far more annoying than what we are familiar with in the
data world. VoIP security solutions need to be more sophisticated and use different techniques to
protect against stealth and VoIP spam.
VoIP Spam
VoIP spam or Spam-over-Internet Telephony (SPIT) is unsolicited and unwanted bulk messages
broadcast over VoIP to an enterprise network’s end-users. In addition to being annoying and
having the potential to significantly impinge upon the availability and productivity of the end-
point resource, high-volume bulk calls routed over IP are often very difficult to trace and have the
inherent capacity for fraud, unauthorized resource use, and privacy violations.
Figure 5: Unique VoIP threats exist from both internal and external sources
(Figure 5 diagram labels: Infected PC, LCS Integration, Soft Clients, SIP Phones, Call Managers, Road Warrior, Voice Extranets, SIP Server, VoIP VLAN, ISP, Internet, SIP Trunk, Data VLAN, Bad Guys, Spammer)
These attacks can come from external sources such as hackers, malicious users and spammers or
from internal threats such as disgruntled employees, infected PCs or email attachments, as shown in
Figure 5. What's required to protect against them is a proactive approach: anticipate and catalogue
the threats and attacks, then use this expertise as the foundation of a comprehensive solution which
protects against them. The VoIP security solution must also have the ability to be updated with
vaccines against previously unidentified threats.
Drawbacks to Today’s VoIP Security
Although core VoIP assets and related infrastructure can be protected to a certain degree from direct
assault through a variety of currently available techniques, such as hardening the underlying IP
network and deploying session border controllers (SBCs), none can protect against the increasing
sophistication of attacks against the numerous vulnerabilities inherent in VoIP and related IP
communications applications.
Implementing a comprehensive security solution to deal with both internal and external threats from
DoS, DDoS, stealth and spam is a formidable challenge. As mentioned at the outset, the biggest
mistake an enterprise can make with securing its VoIP infrastructure is to assume that encryption
and authentication are enough to protect the network and end-users against attacks. This is not to
say that authentication and encryption are not important, but they do not protect against zombie and
hacker attacks.
As well, viruses, worms and other malicious activities frequently utilize end-user equipment to
penetrate the network, even when perimeter security mechanisms like firewalls and session border
controllers are employed. Complicating the matter further, new technologies such as IM now
represent an ever larger threat to networks because they completely bypass perimeter defense
devices. This has led enterprises to look for alternative security solutions.
Many of the security products which are currently available primarily focus on remediating threats by
employing various disparate technologies such as firewalls, IDS/IPS, and other security devices that
are upgraded to support VoIP in addition to their main data protection responsibilities. An example
of how a typical VoIP security solution is deployed using these equipment elements to mitigate the
inherent vulnerabilities of an IP network is shown in Figure 6.
Figure 6: Typical multi-product VoIP security solution
At best these solutions protect against OS, IP and TCP layer vulnerabilities and attacks such as TCP
SYN floods, resource exhaustion through multiple TCP or UDP DoS attacks, HTTP attacks, TCP FIN/RST
socket-close attacks and others.
These traditional solutions are not at all effective for application-level vulnerabilities in that they
cannot provide the needed functionality to effectively detect and protect against VoIP-specific
attacks such as floods, protocol fuzzing, stealth, and VoIP spam. At the same time, they cannot
protect against vulnerabilities that may be found in encrypted traffic as they are unable to decrypt
and analyze the traffic in real-time.
As well, because this solution represents a layered-approach to network security, in addition to the
extra hardware (application-aware firewall, IDS/IPS, and DoS protection systems) required to secure
the network, additional software must also be installed at different points to allow the hardware
components to function properly and to coordinate security monitoring and reporting functions.
Not only do these additional levels of complexity add more points of potential vulnerability, it’s easy
to see that they do not integrate well with a VoIP network due to the fact that the delay introduced
by every device collectively exceeds the security budget (2 ms for signaling and 100 µs for
media) allowed to still ensure toll quality transmission. As well, many of these devices use a store
and forward method to examine the traffic which is just not feasible in the real-time world of IP
communications applications.
(Figure 6 diagram labels: DoS Filter, IDS/IPS, Firewall, Spam Filter, Road Warrior, Voice Extranets, SIP Server, ISP, Internet, SIP Trunk, Data VLAN, LCS Integration, Soft Clients, SIP Phones, Call Managers, VoIP VLAN)
To quickly summarize the points above, existing solutions of this type are decidedly deficient in a
number of critical ways:
• they cannot function in real-time;
• they cannot process encrypted traffic;
• they do not have the capacity to detect attacks on end users;
• they result in a higher TCO as you need to upgrade multiple boxes; and
• they cannot keep in sync with new IP features or applications offered by the VoIP
infrastructure vendors.
Existing security measures for IP networks are at best only effective for traditional types of traffic
(web access, e-mail, etc.). However, as VoIP becomes increasingly more prevalent and feature-rich,
the need for more effective and robust security solutions becomes obvious.
Comprehensive VoIP Security
Instead of deploying ineffective ‘point’ solutions, a complete security solution is required that
seamlessly incorporates all existing approaches into a single, comprehensive system, as shown in
Figure 7.
Figure 7: Single, comprehensive VoIP security solution
(Figure 7 diagram labels: Comprehensive Security Solution for IP Communications Applications (VoIP, IM, Video, Multimedia) combining Anti-Spam, Firewall, Network Level Correlation, Intrusion Detection System, Intrusion Prevention System and Denial of Service Prevention; the data-side stacks it draws on are labelled OS / IP / Web / database, OS / IP / Web / email, OS / IP / Web and OS / IP / database)
When deployed in the enterprise, this single, comprehensive device replaces the 3 or 4 point
solutions at each location in the network, as shown in Figure 8. In most cases a firewall will still be
deployed to protect against layer 3 and 4 attacks but not the long list of VoIP specific application
level ones that were discussed above. You can immediately see the operational simplicity and
obvious cost-effectiveness compared to the solution in Figure 6.
Figure 8: Simplified, comprehensive VoIP security solution for enterprise
The ideal comprehensive VoIP security solution would incorporate the best practices of data
security, from firewall, IDS/IPS, DoS prevention, network level correlation and spam filtering, while
implementing sophisticated techniques to ensure unique VoIP threats are proactively recognized,
detected, and eliminated. This single solution for securing IP Communications applications would
also include the following features:
Real-time performance
All of this functionality needs to be incorporated into a single device that is built from the ground
up using specialized hardware for real-time performance. The appliance must be able to decrypt
packets at wire-speed so that the network can be protected against threats that exist even in
encrypted traffic. And it must securely store and manage these encryption keys in a separate,
tamper-proof, hardware module.
Not a point of failure
It's also preferable that the device functions as a "bump-on-a-wire" so that no configuration
changes are required to either the call manager, the VoIP phones or to any other element in the
IP network. Another high-availability feature is fail-safe port bypass functionality which ensures
the device is never an additional point-of-failure in the network.
(Figure 8 diagram labels: SIP Trunk, Road Warrior, Voice Extranets, SIP Server, ISP, Internet, Data VLAN, LCS Integration, Soft Clients, SIP Phones, Call Managers, VoIP VLAN)
Sophisticated behavior learning and verification
An ability to continuously learn call patterns and end-point fingerprints, in addition to being
able to constantly analyze raw event data based upon specific user-definable criteria and take
automatic action, would give the security solution the ability to evolve and adapt on its own to
effectively counter any new or existing threat. This would vastly increase its level of effectiveness
in ensuring that vulnerabilities are mitigated before any threat can proliferate.
This level of sophistication is really the only way to identify both stealth attacks and VoIP spam
which are vital for any VoIP security system. These types of attacks and service abuse are difficult
to detect as the real-time nature of VoIP does not allow the security system the luxury of storing
the call while it’s analyzed before sending it on as is the case with email.
The VoIP security system needs to identify and verify these anomalies in real-time before passing
on the call. Once a potential anomaly is detected, it should be scrutinized further using various
verification techniques to determine if it is in fact an attack which should be dropped or Spam
that should be sent to a specific bulk voice mailbox.
Detection of VoIP spam
Machine-generated calls are a popular tool for mass marketing concerns, although the recipients
of their messages more often than not find the calls to be highly intrusive and annoying. In
addition, machine-generated calls are oftentimes used as automated attack tools by malicious
users to overwhelm a system and deprive its legitimate users of services. Machine-generated calls
can be detected by performing VoIP Turing tests on the suspected traffic, as shown in Figure 9.
When combined with behavior learning and verification, the VoIP Turing test can be used
selectively rather than before every call, which minimizes its intrusiveness.
Figure 9: VoIP Turing tests distinguish between machine and human callers
(Figure 9 diagram: left panel "Human can meet challenge": 1. incoming call, 2. challenge caller with "What is the number between 1 and 3?", 3. caller answers "2", 4. rings phone. Right panel "Machine can't meet challenge": 1. incoming call, 2. challenge caller with the same question, no answer, timed out: BLOCKED)
With a VoIP Turing test, the caller is challenged to respond to a question (e.g. "What is the number
between 1 and 3?") which the machine cannot do. This test is very similar to the Turing tests that
you may have seen on the web when you buy tickets or register for email addresses. Many times
you are asked to enter some random numbers or letters that have been deliberately distorted.
By entering these letters, the web site doing the challenge is assured you are a human and not a
machine trying to buy blocks of tickets or register hundreds of email addresses.
Network level intelligence
A network level intelligence node needs to collect and correlate multiple events and activities
from different nodes and end-points in the network to accurately detect attacks which otherwise
might have escaped unnoticed if reported only by a single point in the network. This capability
can inspect the sequence and content of messages to detect protocol anomalies and any
instances of end-point scanning.
The primary purpose of the intelligence node is to receive the variously formatted event and alarm
reports from the different security components in the network and to store, normalize, aggregate
and correlate that information into a comprehensive format. It then passes the attack information
back to the security nodes which take the action needed to protect the network and end users, as
shown in Figure 10. This allows distributed attacks to be effectively detected and mitigated.
Figure 10: Network level intelligence gives all nodes the same information in real-time
(Figure 10 diagram: Sipera IPCS Device 1, Device 2 and Device 3 report to Sipera IPCS Intelligence; anomaly detected: far more calls being received than Subscriber D's learned behavior suggests; instruction to Device 3: challenge calls to Subscriber D briefly)
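An added example, not Sipera IPCS code, that ties together the three features described above (behavior learning, network-level correlation and the selective VoIP Turing test) in the situation of Figure 10: three devices each report a modest number of calls to subscriber D, the correlation step finds that the combined total exceeds D's learned baseline although no single device saw anything unusual, and only callers outside D's learned contact list are challenged. The history, device names, callers and responder behavior are all constructed; the baseline rule (mean plus three standard deviations) and the 10-second answer timeout are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed history: calls received per hour by subscriber D over 48 hours.
HISTORY_D = [3, 2, 4, 3, 5, 2, 3, 4] * 6

def learn_baseline(samples, k=3.0):
    """Upper bound of 'normal' hourly call volume learned from history."""
    return statistics.mean(samples) + k * statistics.pstdev(samples)

BASELINES = {"D": learn_baseline(HISTORY_D), "E": 10.0}   # E's value is assumed

def correlate(events, baselines):
    """Intelligence-node step: add up the per-device call counts for each
    subscriber and flag those whose combined volume exceeds the baseline."""
    per_sub = defaultdict(lambda: defaultdict(int))
    for device, sub, _caller in events:
        per_sub[sub][device] += 1
    alerts = {}
    for sub, by_dev in per_sub.items():
        total = sum(by_dev.values())
        if total > baselines[sub]:
            alerts[sub] = {"total": total, "per_device": dict(by_dev),
                           "action": "challenge unknown callers"}
    return alerts

QUESTION, EXPECTED = "What is the number between 1 and 3?", "2"

def turing_test(responder, timeout_s=10.0):
    """Challenge the caller; responder(question) returns (answer, seconds)
    or None if the caller never responds."""
    reply = responder(QUESTION)
    if reply is None or reply[1] > timeout_s:
        return "timed out: BLOCKED"
    return "ring phone" if reply[0].strip() == EXPECTED else "wrong answer: BLOCKED"

# Simulated callers (constructed): how each reacts to the challenge.
def human(q):        return ("2", 3.0)
def robodialer(q):   return None             # plays its pitch, never answers
def guessing_bot(q): return ("7", 1.0)       # answers instantly, but wrongly
def slow_bot(q):     return ("2", 25.0)      # right answer, far too late

BOT = "sip:bot{}@198.51.100.5"
EVENTS = (  # (reporting device, subscriber, caller), constructed
    [("IPCS-1", "D", BOT.format(i)) for i in range(0, 4)] +
    [("IPCS-2", "D", BOT.format(i)) for i in range(4, 8)] +
    [("IPCS-3", "D", BOT.format(i)) for i in range(8, 12)] +
    [("IPCS-3", "D", "sip:carol@example.com"),
     ("IPCS-1", "D", "sip:alice@example.com"),
     ("IPCS-2", "E", "sip:bob@example.com")]
)
KNOWN_CALLERS = {"D": {"sip:alice@example.com"}}        # D's learned contacts
RESPONDERS = {caller: robodialer for _, _, caller in EVENTS}
RESPONDERS.update({"sip:carol@example.com": human, "sip:alice@example.com": human,
                   "sip:bob@example.com": human, BOT.format(5): guessing_bot,
                   BOT.format(11): slow_bot})

def screen_calls(events, alerts, known_callers):
    """Apply the Turing test selectively: only for subscribers under alert and
    only to callers outside that subscriber's learned contact list."""
    decisions = {}
    for _device, sub, caller in events:
        if sub not in alerts or caller in known_callers.get(sub, ()):
            decisions[caller] = "ring phone"
        else:
            decisions[caller] = turing_test(RESPONDERS[caller])
    return decisions

def run():
    alerts = correlate(EVENTS, BASELINES)
    return alerts, screen_calls(EVENTS, alerts, KNOWN_CALLERS)

if __name__ == "__main__":
    alerts, decisions = run()
    print(alerts)
    for caller, verdict in decisions.items():
        print(f"{caller:32} {verdict}")
```

Two details carry the security point. First, each device by itself sees at most five calls to D, below the learned bound of roughly six per hour, so only the correlated total reveals the stealth volume. Second, the challenge is applied briefly and selectively: Alice, who is in D's learned contact list, and every caller of the unaffected subscriber E ring through without being asked anything.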
Not only would a single, comprehensive security solution completely replace each of the individual
VoIP security components required by the traditional solution, it inherently capitalizes on the fact
that its fundamental design philosophy is based upon a comprehensive monitoring and protection
paradigm for real-time communications. This allows the single device to protect the network
infrastructure and its end-users against attacks and other unauthorized user behavior in real-time and
ensures that vulnerabilities are mitigated before any threat can proliferate.
Conclusion
Currently, VoIP security solutions are merely an extension of existing data security products and
fail to adequately address the increasing complexity of VoIP networks. These traditional products
are simply not equipped to address the real-time, mission-critical nature of IP communications
applications and provide, at best, a piecemeal approach where an entire network is not secured,
leaving significant parts of it exposed and vulnerable to attack.
Unlike data communications, VoIP is a real-time service and requires security infrastructure to
provide automated, immediate security responses to preserve the high availability and quality-
of-service (QoS) expected by telephony users. In light of these considerations, any effective and
comprehensive VoIP security system must offer:
• comprehensive protection with real-time performance;
• easy deployment without becoming a point of failure;
• automatic user behavior learning;
• network level intelligence;
• effective handling of VoIP spam; and
• interoperability with major VoIP infrastructure vendors.
At the same time, each of these features must be provided to the network in a manner that does not
exceed the allowable security budget (2 ms for signaling and 100 µs for media) that ensures a high
QoS to the VoIP and multimedia user.
In the end, the only way to provide the required level of protection is to incorporate a variety of
sophisticated VoIP-specific security techniques and methodologies that include anomaly detection,
filtering, behavior learning, and verification into a single, comprehensive security device. Together,
these practices proactively protect the enterprise network from VoIP attacks, misuse and service
abuse which networks and end-users face today and in the future.
About Sipera Systems
Sipera Systems, Inc., the leader in pure security for VoIP, mobile and multimedia communications,
enables enterprises and operators to protect end users and network infrastructures from potentially
catastrophic attacks, misuse, and abuse of real-time, session-based protocols. Comprised of
top vulnerability research experts, the Sipera VIPER™ lab concentrates all of its efforts towards
identifying SIP, UMA and IMS vulnerabilities. This expertise forms the foundation of Sipera IPCS™
products which protect IP communications applications and the Sipera LAVA™ tools which verify
network readiness to resist attacks. Founded in 2003, Sipera is headquartered in Richardson, TX.
Visit http://www.sipera.com.
Sipera Systems 1900 Firman Drive
Suite 600
Richardson, TX 75081
USA
Phone: 214 206 3210
Fax: 214 206 3215
© Copyright 2006 Sipera Systems, Inc. All rights reserved. Sipera, Sipera IPCS and related products, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.
www.sipera.com