Are Hackers and Phreakers Eyeing your VoIP Network?

VoIP services have, unwittingly, sparked heated debate concerning security. Antivirus company MessageLabs recently predicted that VoIP hacking and viruses will be commonplace by mid-2007, sparking a new wave of concern for users, network operators and service providers alike.
 
For operators and service providers, delivering on the new services promised by IP-based networks and adding new ones to generate revenue presents critical security issues, similar to those encountered when deploying basic VoIP services or email. However, there are several architectural steps that can be taken in order to prevent such threats and maintain the safety of the network. From end-to-end encryption to the prevention of distributed denial of service (DDoS) attacks, SPIT (Spam over internet telephony), and viruses, products such as session border controllers have been identified as a key factor in resolving security concerns.
 
Delivering SIP-based services on the public network brings with it several potential security issues. These issues must be understood by both users and service providers; however, the burden is on the service provider to offer a secure and reliable service to the user. This means they must show that the service does not compromise existing security and that the user's public presence is protected and managed. Service providers must also secure their own networks from outside attacks and service abuse. SIP can suffer from viruses and denial of service attacks, which can take down an entire network, in the same way PCs and email do.
 
Thankfully for service operators, there are lessons that can be learned from earlier technology deployments, such as email, which can offer constructive pointers as to the potential security pitfalls of migrating to a next generation network (NGN).
 
Having seen the dotcom boom and bust and witnessed the faltering steps of 3G, the telecoms sector has to ensure it approaches these potential security problems in the most effective way possible in order to guarantee mass user take up of such services. How the industry tackles security issues in the short to mid-term will have a fundamental effect on how the new generation of multi-media services will be perceived by customers. Likewise, service providers must protect their own networks from service attacks to safeguard their swift and continuous operation which is crucial to return on investment (ROI).
 
Once voice and data are converged on the network, the voice systems immediately become vulnerable to many of the same kinds of attacks that we are used to seeing on the data side. For example, phones can suddenly become destinations for SPIT. Imagine all of those annoying and unsolicited email messages transformed into a constantly ringing phone line or a constant bombardment of text messages. Service providers would be inundated with complaints fairly swiftly and, in terms of repercussions, this is the least they could hope for if they do not invest in building a resilient and secure architecture from day one.
 
More threatening, if not more frustrating than constant SPIT intrusions, IP phone systems can be vulnerable to hackers using denial of service attacks to bombard a network or, similar to data security's 'script-kiddies', programming a company's phones to call other businesses, effectively shutting down the second company's phone systems. It is also possible to spoof a phone's IP address in order to make calls that are billed back to a particular target, whether that be an individual or a company.
 
While there hasn't yet been a widely publicised attack on voice of the kind we have witnessed on data systems, as VoIP services become popular and the underlying technology becomes more readily available, attacks are likely to increase both in frequency and creativity.
 
Should a major attack of this kind occur, the ramifications could be long lasting and, in many cases, dangerous. For example, imagine that a denial of service attack targeted an IP address, bombarding the network with SIP messages until it breaks down under the volume of information. Now, imagine that the specified target is a hospital or police network, left without access to mission-critical communications and unable to perform effectively. Operations will quickly grind to a halt, posing serious consequences for all involved.
 
Frost & Sullivan analyst Jon Arnold has predicted an even gloomier outlook, claiming that VoIP hackers could do a lot more than simply disrupt a network. He believes that hackers could potentially use holes in the network to clear funds from targets, charge calls back to a different IP address or use that address to buy products over the phone.
 
However, VoIP does not have to be all doom and gloom. There are measures that users and service providers alike can adopt to control and eliminate such threats. Firewalls can, to a certain extent, resolve several of the threats; however, they achieve this security by effectively not letting any unauthorised message through the firewall, drastically reducing the usefulness of VoIP calls.
 
After all, if the user is unable to take any calls from any address they have not previously authorised, what use is a VoIP service? Alternatively, a hole can be created in the firewall to allow messages in and out. While resolving the issues around inbound calls, this hole will effectively open up the IP address to the entire network, thereby reducing your security quite extensively. There is an alternative solution to this potential problem. Session border controllers (SBCs) are able to perform a similar role to a firewall but with added intelligence, enhancing the security of multimedia networks both in the access network and in the core.
 
In the access network, they hide a user's real address, providing a managed public address. This public address can be policed, minimising the opportunities for scanning and DoS attacks. SBCs permit access behind firewalls while maintaining the firewall's effectiveness. In the core, SBCs protect both the users and the network while also policing bandwidth and quality of service (QoS) abuse. A secure and dependable VoIP service brings with it benefits to users and providers alike. It will build user confidence and create dependable revenue for the service provider.
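
The two access-side functions described above, address hiding and policing of the managed public address, can be sketched as follows. This is an added example, not code from the article or from any SBC product; the class `MiniSBC`, the hostname `sbc.example.net`, the limits and the sample SIP messages are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

SBC_PUBLIC = "sbc.example.net"  # assumed public hostname of the SBC (constructed)

class MiniSBC:
    """Toy access-side SBC: hides real contacts, polices per-source request rate."""

    def __init__(self, max_requests=3, window=1.0):
        self.max_requests = max_requests    # requests allowed per source per window
        self.window = window                # window length in seconds
        self.alias_to_real = {}             # managed public URI -> real contact URI
        self.real_to_alias = {}
        self.recent = defaultdict(deque)    # source IP -> timestamps of counted requests

    def hide(self, sip_message):
        """Replace the Contact URI with a managed public alias before forwarding."""
        def swap(match):
            real = match.group(1)
            if real not in self.real_to_alias:
                alias = f"sip:u{len(self.alias_to_real) + 1}@{SBC_PUBLIC}"
                self.real_to_alias[real] = alias
                self.alias_to_real[alias] = real
            return f"Contact: <{self.real_to_alias[real]}>"
        return re.sub(r"Contact:\s*<([^>]+)>", swap, sip_message)

    def admit(self, source_ip, request_uri, now):
        """Return the real destination for an allowed request, or None to drop it."""
        seen = self.recent[source_ip]
        while seen and now - seen[0] >= self.window:
            seen.popleft()                  # forget requests older than the window
        if len(seen) >= self.max_requests:
            return None                     # flood from this source: drop
        seen.append(now)                    # scans of unknown aliases are counted too
        return self.alias_to_real.get(request_uri)  # None if not a managed address

if __name__ == "__main__":
    sbc = MiniSBC()
    # Constructed REGISTER from a phone behind the SBC.
    register = ("REGISTER sip:example.net SIP/2.0\r\n"
                "Contact: <sip:alice@10.0.0.23:5060>\r\n\r\n")
    print(sbc.hide(register))
    # Constructed burst of INVITEs from one outside source, 100 ms apart.
    for i in range(5):
        print(i, sbc.admit("198.51.100.7", "sip:u1@sbc.example.net", i * 0.1))
```

Only the alias ever appears on the public side, and a source that exceeds the limit is dropped at the SBC without affecting other callers.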
 
By addressing the basics from day one, this security need not be complex or expensive. Without it, VoIP and multimedia services uptake could falter and prove themselves to be both costly and unpopular.
 
Source: Telephony World 
