VOIP ENCRYPTION IN THE ENTERPRISE

VoIP Encryption in the Enterprise

www.sonus.net
Table of Contents
Introduction
VoIP and UC Increase Productivity…and Risk
Why VoIP Attacks Are on the Rise
Where Does Real-Time Encryption Fit in the Broader VoIP Security Picture?
Encryption of VoIP Signaling and Media
The Cost of “No Security” (sidebar)
Effectively Deploying VoIP Encryption in the Enterprise
Sonus Session Border Control: Best in Class
Conclusion
About Sonus
     With reduced costs and increased productivity as the carrot, and true Unified Communications as the goal,
     enterprises are consolidating their voice and data communications onto a single, IP-based architecture.
     The move toward Unified Communications, however, is forcing enterprises to re-examine the security of
     their Voice over IP (VoIP) capabilities. VoIP communications require unique encryption measures to defend
     the enterprise network against real-time VoIP-based attacks, and to protect both corporate and customer
     information. Enterprises must also comply with government regulations and adhere to industry standards from
     regulatory agencies that can issue hefty fines. In addressing these goals, enterprises must plan well to
     implement real-time VoIP encryption or risk reducing their network’s capacity.

     Fortunately for enterprises, VoIP security itself is not a new phenomenon, but has
     been practiced for years by global carrier networks. VoIP carrier networks rely
     on several standardized encryption protocols, including Transport Layer Security
     (TLS) and IPsec for SIP signaling encryption, and Secure Real-time Transport
     Protocol (SRTP) for RTP media encryption. While a network border element such
     as a Session Border Controller (SBC) usually performs this encryption, SBC devices
     can vary widely in how they perform this encryption. For example, some SBCs
     assign encryption to integrated hardware and dedicated processors, while others
     perform the encryption via additional hardware devices or in a general-purpose
     CPU. How an SBC performs signaling and media encryption can have a significant
     impact on VoIP network performance, from added latency to reduced call capacity.

     This white paper examines the drivers and challenges of enterprise VoIP security, with a focus on the factors that an
     enterprise must consider when implementing VoIP encryption in its network. In addition, the paper covers various SBC
     encryption methods while highlighting the unique design of Sonus SBCs, which provide exceptional network performance
     even under high encryption loads.

     VoIP and UC Increase Productivity…and Risk
     There was a time when IT managers lost no sleep at the thought of a voice-based network attack; the migration from
     legacy TDM to VoIP networks changed all that. IP-based voice communications promised a new era of lower costs, higher
     bandwidth, and blended voice/data services. Even as that door of opportunity was opened, however, a new danger slipped in:
     the introduction of IP-based attacks, network intrusions, and information theft through voice communications. In the case
     of enterprises, the security stakes are especially high as compromised customer data can generate stiff penalties and losses
     totaling millions of dollars.

     As enterprises come to rely on real-time, session-based communications, they must also practice real-time VoIP security.
     This can be increasingly difficult in an environment where SIP-sniffing software is easily available on the Internet. In addition,
     enterprises must be careful to protect both their internal and external borders, as privacy attacks are as likely to come from
     internal sources, including employees and partners, as outside the corporate network. Thus the challenge for enterprises is
     not only protecting the network, but also balancing the interests of security with real-time network performance.

     Why VoIP Attacks Are on the Rise
     The widespread nature of the Internet and the proliferation of tools for
     intercepting IP packets and cracking code make it increasingly easy for
     attackers to monitor, record, disrupt, or modify VoIP calls and UC sessions.
     For example, unauthorized parties can use free network protocol analyzers to
     surreptitiously capture and interpret VoIP calls, record media streams for later
     analysis, and intercept Instant Messaging (IM) communications. Hackers use
     other tools like UCSniff to identify, record, and replay VoIP conversations or
     IP videoconferencing sessions. And the list of widely available (and often free)
     tools that can eavesdrop on and record VoIP and UC traffic keeps growing.

     The roster of potential attackers is expanding, too. Organized criminal groups both at home and abroad have found the
     Internet a profitable new avenue from which to mount high-tech fraud, identity theft, and extortion schemes. In fact,
     cybercrime can be so lucrative it has created a cottage industry of hackers-for-hire who sell their services on a contract basis
     around the globe. “Rogue” nations are also increasingly involved in Internet-based espionage and attacks on defense, civilian
     government, and private-industry targets.
      Hacking into VoIP or UC sessions requires that the malicious party intercept signaling and/or media flowing between two
      endpoints at any of several points along the communications path. The point of attack may include:

       >> UC application servers;
       >> Call control elements such as PBXs and Automatic Call Distributors (ACDs);
       >> Session-layer servers and proxies such as session border controllers;
       >> Transport and network layer elements like routers;
       >> Link-layer elements including Ethernet and wireless LANs;
       >> The endpoints themselves, via malware downloads or administrator-level remote access.

      Man-in-the-middle attacks are another threat to IP-based communications, in which software injects itself into the
      voice, video, or instant messaging stream between two endpoints, selectively altering certain packets so as to be nearly
      undetectable to the end users. Modifying, disrupting, or lowering the quality of IP communications can have a variety of
      adverse effects on the enterprise. For example, an attacker can modify or discard critical financial transactions, disrupt
      business operations, or reduce the quality of customer service.

      Where Does Real-Time Encryption Fit in the Broader VoIP Security Picture?
      To defend against the widest possible range of VoIP-based attacks, an enterprise VoIP security strategy should protect both
      the endpoint and the media itself. This can be achieved through a holistic security approach that includes:

       >> VPNs to logically separate voice and data traffic on the common IP network;
       >> Border security elements such as session border controllers to provide call admission control and protect against
          DoS attacks;
       >> Signaling and media encryption of VoIP sessions, including those sessions stored on voice messaging systems and call
          recording systems.

      While many enterprises have implemented VPN and border security technologies to protect their IP-based data networks,
      the encryption of VoIP signaling and media is a unique consideration that has grown in importance with the advent of more
      pervasive VoIP/UC implementations in the enterprise.

      Encryption of VoIP Signaling and Media
      The encryption of VoIP signaling and media mitigates a number of IP-based
      threats including passive monitoring/recording, packet decryption/modification,
      service/bandwidth theft, endpoint impersonation, denial of service, and
      escalation of network user privileges. Because signaling and media use different
      protocols with unique properties and constraints, VoIP networks employ
      Transport Layer Security (TLS) and/or IPsec for signaling encryption and Secure
      RTP (SRTP) for encrypting RTP media. TLS and IPsec provide bilateral endpoint
      authentication and secure transport of signaling information using advanced
      cryptography. SRTP provides encryption (and decryption) of the RTP media used
      in real-time IP communications such as VoIP and certain UC applications (e.g.,
      conferencing and IM).
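      The bilateral endpoint authentication that TLS gives SIP signaling comes down to certificate validation: each side presents a certificate, and the peer checks that it chains to a trusted CA, is currently valid, names the expected host, and is permitted for that role. The Go program below is an added example, not Sonus code or code from any SBC: it generates a constructed enterprise CA and peer certificates in memory, builds the mutual-TLS configuration an SBC would use for SIP over TLS, and runs the peer check against a legitimate PBX certificate, a certificate for the right name issued by an untrusted CA, and a certificate for the wrong name. The CA, host names and the "SignalingConfig"/"VerifyPeer" helpers are assumptions made for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers for the demo certificates

// issue creates a P-256 key and certificate for name. With parent == nil the
// certificate is a self-signed CA; otherwise it is a leaf signed by that CA.
func issue(name string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signerCert, signerKey := tmpl, crypto.PrivateKey(key) // self-signed by default
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the name peers will be checked against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// VerifyPeer is the check an SBC applies to the certificate a SIP peer presents
// during the TLS handshake: it must chain to the enterprise CA, be valid now,
// carry the expected DNS name, and be allowed for the given role.
func VerifyPeer(peerDER []byte, roots *x509.CertPool, name string, role x509.ExtKeyUsage) error {
	cert, err := x509.ParseCertificate(peerDER)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   name,
		KeyUsages: []x509.ExtKeyUsage{role},
	})
	return err
}

// SignalingConfig builds the tls.Config an SBC would use for SIP over TLS:
// TLS 1.2 or newer, its own certificate, and mutual authentication, so a peer
// without a certificate from the enterprise CA cannot complete the handshake.
func SignalingConfig(ca, own tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{own},
		RootCAs:      pool, // verifies the peer when this side dials out
		ClientCAs:    pool, // verifies the peer when this side accepts
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
}

func main() {
	enterpriseCA := issue("Example Corp VoIP CA", nil)
	sbc := issue("sbc.voip.example.internal", &enterpriseCA)
	pbx := issue("pbx.voip.example.internal", &enterpriseCA)
	rogueCA := issue("Rogue CA", nil)
	impostor := issue("sbc.voip.example.internal", &rogueCA) // right name, untrusted issuer

	cfg := SignalingConfig(enterpriseCA, sbc)
	fmt.Println("pbx accepted (nil = ok):", VerifyPeer(pbx.Certificate[0], cfg.ClientCAs, "pbx.voip.example.internal", x509.ExtKeyUsageClientAuth))
	fmt.Println("impostor:", VerifyPeer(impostor.Certificate[0], cfg.RootCAs, "sbc.voip.example.internal", x509.ExtKeyUsageServerAuth))
	fmt.Println("name mismatch:", VerifyPeer(pbx.Certificate[0], cfg.RootCAs, "sbc.voip.example.internal", x509.ExtKeyUsageServerAuth))
}
```

      The two failing cases are the ones that matter operationally: a certificate that merely looks right (correct host name) is still refused when its issuer is not the enterprise CA, and a genuine certificate for one element cannot be presented as another. Go's TLS stack performs the same checks automatically when the configuration above is used with tls.Server or tls.Client; VerifyPeer makes them visible.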

      TLS, IPsec, and SRTP encryption enable enterprises to secure VoIP
      communications by performing three key functions:

       >> Endpoint authentication: This supports the use of digital signatures (which
          may be proprietary or verified by a trusted third party) and pre-shared,
          secret-based authentication to verify the identity of session endpoints;
       >> Message integrity: This ensures that media and signaling messages have
          not been altered or replayed between endpoints;
       >> Privacy: Encrypted messages can only be viewed by authorized endpoints,
          mitigating information/service theft and satisfying both regulatory and
          corporate requirements for private communications.
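      Message integrity and privacy for the media are what SRTP supplies, and the man-in-the-middle scenario described earlier (software selectively altering packets in the stream) is exactly what the integrity check defeats. The Go program below is an added example, not code from Sonus or from any SRTP library: it implements the RFC 3711 default transform (AES-128 counter mode over the RTP payload, HMAC-SHA1 truncated to 80 bits over the header, ciphertext and rollover counter) on a constructed RTP packet, then shows a receiver accepting the genuine packet, rejecting the same packet delivered a second time, and rejecting a packet with a single payload bit flipped. The session keys are constructed constants, the receiver assumes the 16-bit sequence number has not rolled over, and its replay check is a simplified stand-in for the RFC's sliding window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed session keys for the demo; real ones come from the key exchange.
var (
	sessKey  = []byte("0123456789abcdef")     // 16-byte AES-128 key
	sessSalt = []byte("saltsaltsaltsa")       // 14-byte (112-bit) salt
	authKey  = []byte("authkeyauthkeyauthke") // 20-byte HMAC-SHA1 key
)
const tagLen = 10 // HMAC-SHA1-80: the tag is truncated to 80 bits

// hdrLen returns where the encrypted payload starts (fixed header plus CSRCs), or 0 if malformed.
func hdrLen(pkt []byte) int {
	if len(pkt) < 12 || pkt[0]>>6 != 2 || len(pkt) < 12+4*int(pkt[0]&0x0f) {
		return 0
	}
	return 12 + 4*int(pkt[0]&0x0f)
}

// aesCM applies the RFC 3711 AES counter-mode keystream in place. The IV is
// (salt<<16) XOR (SSRC<<64) XOR (index<<16), index = ROC<<16 | SEQ; CTR counts in the low 16 bits.
func aesCM(payload []byte, ssrc uint32, index uint64) {
	block, _ := aes.NewCipher(sessKey) // 16-byte key above, cannot fail
	iv := make([]byte, 16)
	copy(iv, sessSalt)
	binary.BigEndian.PutUint32(iv[4:], binary.BigEndian.Uint32(iv[4:])^ssrc)
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], index)
	for i := 0; i < 6; i++ { // 48-bit index XORed into IV bytes 8..13
		iv[8+i] ^= idx[2+i]
	}
	cipher.NewCTR(block, iv).XORKeyStream(payload, payload)
}

// authTag is HMAC-SHA1-80 over the encrypted packet followed by the ROC.
func authTag(pkt []byte, roc uint32) []byte {
	mac := hmac.New(sha1.New, authKey)
	mac.Write(pkt)
	mac.Write([]byte{byte(roc >> 24), byte(roc >> 16), byte(roc >> 8), byte(roc)})
	return mac.Sum(nil)[:tagLen]
}

// Protect turns RTP into SRTP: encrypt the payload, then append the tag.
func Protect(rtp []byte, roc uint32) ([]byte, error) {
	hdr := hdrLen(rtp)
	if hdr == 0 {
		return nil, errors.New("not a usable RTP v2 packet")
	}
	out := append([]byte(nil), rtp...)
	seq, ssrc := binary.BigEndian.Uint16(out[2:]), binary.BigEndian.Uint32(out[8:])
	aesCM(out[hdr:], ssrc, uint64(roc)<<16|uint64(seq))
	return append(out, authTag(out, roc)...), nil
}

// Receiver remembers which packet indices it has accepted so a captured packet cannot
// be replayed: a simplified stand-in for the RFC 3711 sliding window, assuming ROC 0.
type Receiver struct{ seen [1 << 16]bool }

// Unprotect verifies the tag first (so a tampered packet never reaches the decoder
// or the replay state), then rejects replays, then decrypts.
func (r *Receiver) Unprotect(srtp []byte) ([]byte, error) {
	if len(srtp) < 12+tagLen || hdrLen(srtp[:len(srtp)-tagLen]) == 0 {
		return nil, errors.New("not a usable SRTP packet")
	}
	body, tag := srtp[:len(srtp)-tagLen], srtp[len(srtp)-tagLen:]
	if !hmac.Equal(tag, authTag(body, 0)) {
		return nil, errors.New("authentication failed: packet altered or wrong key")
	}
	index := binary.BigEndian.Uint16(body[2:])
	if r.seen[index] {
		return nil, errors.New("replayed packet rejected")
	}
	r.seen[index] = true
	out := append([]byte(nil), body...)
	aesCM(out[hdrLen(out):], binary.BigEndian.Uint32(out[8:]), uint64(index))
	return out, nil
}

func main() {
	// Constructed RTP packet: V=2, PT 0 (G.711), seq 1000, ts 160000, SSRC 0xdeadbeef, 160 bytes of audio.
	rtp := append([]byte{0x80, 0, 0x03, 0xe8, 0, 0x02, 0x71, 0, 0xde, 0xad, 0xbe, 0xef},
		make([]byte, 160)...)
	srtp, _ := Protect(rtp, 0)
	var rx Receiver
	plain, err := rx.Unprotect(srtp)
	fmt.Println("valid packet decrypts:", string(plain) == string(rtp), err)
	_, err = rx.Unprotect(srtp) // the same packet delivered a second time
	fmt.Println("replay:", err)
	srtp[20] ^= 1 // one payload bit flipped on the wire
	_, err = rx.Unprotect(srtp)
	fmt.Println("tampered:", err)
}
```

      Two properties worth noticing: the RTP header stays in the clear (SRTP encrypts only the payload), so an eavesdropper still learns SSRC, sequence numbers and timing even though the audio is hidden; and the receiver does the cheap HMAC comparison before any decryption, which is also why an SBC handling thousands of streams spends its per-packet budget on both an AES and an HMAC operation per direction.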
The Cost of “No Security”
Everyone is familiar with the risks posed by attacks on the data side of the network: stolen credit card numbers,
compromised passwords, Denial of Service, financial fraud, Social Security number theft, etc. Those same risks apply to VoIP
communications as well, though they may manifest themselves in different ways such as eavesdropping, Telephony Denial of
Service (TDoS) attacks, and ANI spoofing targeted to call centers. Yet these can be equally destructive, consuming valuable
resources, driving down revenue, and damaging brand equity.

The most serious consequence of a nonsecure VoIP network remains the exposure of confidential information:

 >> Private consumer data (e.g., Social Security numbers);
 >> Cardholder data (e.g., credit or debit card numbers);
 >> Sensitive company information (sales data, marketing plans, new product details);
 >> Patient data (e.g., diagnosis and prescription records).

An enterprise security breach that discloses confidential information can result in financial penalties and other sanctions. For
example, a single incidence of non-compliance in credit card processing can generate multimillion-dollar fines and liability for
losses from fraud and theft. Mandated costs can also include re-issuing cards, communicating the breach to customers, and
suspension of card-processing rights.

Non-compliance with federal and industry security regulations can cost enterprises millions of dollars in fines, compensation,
and lost revenue. Here’s a partial list of regulatory measures that govern how enterprises should address VoIP security.

AGENCY / INDUSTRY / GOALS / RELEVANT VoIP/UC ISSUES

Gramm-Leach-Bliley Act (GLBA)
  Industry: Any company involved in financial services (banking, credit, securities, insurance, etc.)
  Goals: Privacy for financial services customers, including the security and confidentiality of customer records.
  Relevant VoIP/UC issues: Prevent unauthorized VoIP packet interception & decryption. Secure internal wireless
  networks and communications over public wireless networks.

Health Insurance Portability and Accountability Act (HIPAA)
  Industry: Any organization that handles medical records or other personal health information.
  Goals: Privacy for healthcare patients: medical records, diagnosis, x-rays, photos, prescriptions, lab work, and
  test results.
  Relevant VoIP/UC issues: Secure authorized internal & external access to patient data.

Sarbanes-Oxley Act (SOX)
  Industry: Public companies
  Goals: Security & auditing of public companies
  Relevant VoIP/UC issues: Maintain VoIP usage logs & track administrative changes. Implement strong authentication
  policies to prevent unauthorized system use.

Federal Information Security Management Act (FISMA)
  Industry: Any US federal agency, contractor, or company/organization that uses/operates an information system on
  behalf of a federal agency.
  Goals: IT security for US federal agencies. Mandates implementation of policies & procedures to reduce IT security
  risks.
  Relevant VoIP/UC issues: FISMA requirements for System and Information Integrity (SI) for VoIP/UC. Implement
  solutions to remediate security flaws; provide security alerts & advisories; protect against malicious code; detect &
  prevent network intrusions and malware; maintain application & information integrity.

Payment Card Industry Data Security Standard (PCI DSS)
  Industry: Any company that issues or accepts VISA, MasterCard, American Express, Diners Club, or Discover credit or
  debit cards.
  Goals: Privacy of confidential cardholder (customer) information.
  Relevant VoIP/UC issues: Protect confidential cardholder data and sensitive information shared between employees over
  VoIP calls or UC sessions. Protect sensitive information stored on voice messaging or call recording systems. Track and
  monitor access to network resources and cardholder data.
Effectively Deploying VoIP Encryption in the Enterprise
The presence of TLS, IPsec, and SRTP encryption may increase call latency. Therefore, signaling and media encryption must
be thoughtfully integrated into the IP network traffic flow to prevent added network latency or decreased performance under
load. Enterprises must weigh several considerations before they deploy VoIP encryption in their network:

>> Session Performance — Remember that encryption requires additional processing of signaling and media. Extra
    “hops” to a separate encryption device in the network or an SBC that performs encryption from the main CPU can
    add unwanted latency to real-time communications or compromise call-handling capacity. Therefore, it’s important
    to find an encryption solution that has minimal impact on session capacity and network performance. While
    enterprises should consider implementing security solutions such as standalone Session Border Controllers (SBCs),
    enterprises should be aware that SBCs without dedicated encryption hardware will normally encrypt traffic at the
    expense of session performance.

    [Figure 12. The Next Generation of Border Control. SBC 9000: built on GSX9000 platform; centralized routing via
    PSX; TDM migrating to IP-IP with media transcoding; compelling migration path of gateway investment. SBC 5200:
    built on pure IP platform; embedded or centralized PSX routing engine; IP-IP with media transcoding; industry
    leading performance density.]

>> Multimedia Support — As UC initiatives grow, enterprises will be required to handle a variety of multimedia sessions
    including voice, video, IM, and collaborative applications. To reduce cost and network complexity, enterprises should look
    for an SBC that has robust transcoding capabilities and supports multiple media types.
>> Encryption Standards — Simply put, some decryption standards are more accepted/effective than others. Ensuring that
    your VoIP security solution employs the latest encryption/decryption methods is vital to ensuring broad network/UC
    interoperability in the future.
>> Disaster/Failover Recovery —
    Network equipment failures, fiber cuts, and natural disasters happen despite the best precautions. Enterprise security
    systems need to be prepared for this reality with a backup/failover plan for all aspects of security including VoIP/UC
    session encryption. This can best be achieved by deploying SBCs in redundant, paired configurations.
>> Centralized Policy Management — For the reasons cited above as well as human error and operational cost, a central
    management console for encryption policies in the network is both desirable and essential.

Sonus Session Border Control: Best in Class
When it comes to VoIP network security, enterprises need a solution that protects their network and customer data without
compromising real-time communications performance. As a leader in secure VoIP networks, Sonus Networks has for many
years offered its customers a high-performance border solution with the hybrid TDM/IP Sonus SBC 9000™ session border
controller. The Sonus SBC 5200™ session border controller is a pure IP appliance that meets the cost and performance
requirements of enterprise VoIP deployments. The SBC 5200 is built on an IP-optimized platform that delivers plug-and-play
functionality and high (99.999%) reliability.

Sonus SBCs feature a unique architectural design that differs from other SBCs on the market today by aggregating all of the
session border functionality—security, encryption, transcoding, call routing, and session management—into a single device
and distributing those functions to embedded hardware within the device. For example, media transcoding on the SBC 5200
and SBC 9000 is performed on an embedded DSP farm while much of the encryption is handled on embedded cryptographic
hardware, providing optimal SBC performance during real-world workloads, overloads, and attacks.
Because SRTP and IPsec occur lower in the protocol stack, Sonus has elected to perform these tasks on dedicated hardware
within the SBC 5200 and SBC 9000. This provides much better performance during heavy encryption workloads than SBCs
that use software for encryption, which can divert processing power from the main CPU.

Conclusion
As enterprises shift more of their critical internal and external communications to a unified, IP-based voice/data network,
they are increasing their network’s exposure to VoIP-based attacks. Meanwhile, the cost of not practicing secure VoIP
communications is rising in the form of stricter government and industry regulations and the direct costs of lost confidential
information, lost service, and lost credibility. With the trend toward real-time unified communications, the requirements
of VoIP security will increase exponentially, placing added importance on solutions that deliver high scalability and high
performance.

Sonus SBCs provide enterprises with a cost-effective and scalable solution for VoIP security and encryption. With a unique
architecture that divides security functions among multiple processors on a single chassis, Sonus SBCs deliver the high-
performance encryption and security that enterprises need to navigate the future of all-IP communications safely and securely.

About Sonus
Sonus is a leading provider of media gateway, centralized call routing, and session border control solutions for enterprises.
Sonus solutions enable enterprises to reduce their recurring telecom costs, gracefully manage the migration from legacy
voice to VoIP, and mitigate business continuity and security threats for critical enterprise voice and contact center
infrastructure. Sonus solutions are deployed throughout the world’s largest SIP networks, driving over 5,854 SIP sessions
every second.
Sonus Networks – North American Headquarters
4 Technology Park Drive
Westford, MA 01886
U.S.A.
Tel: +1-855-GO-SONUS

Sonus Networks – APAC Headquarters
1 Fullerton Road #02-01
One Fullerton
Singapore 049213
Singapore
Tel: +65 6832 5589

Sonus Networks – EMEA Headquarters
56 Kingston Road
Staines, TW18 4NL
United Kingdom
Tel: +44 207 643 2219

Sonus Networks – CALA Headquarters
Mexico City, Campos Eliseos Polanco
Andrés Bello 10, Pisos 6 y 7, Torre Forum
Col. Chapultepec Morales, Ciudad de México
Mexico City, 11560 Mexico
Tel: +52 55 36010600

 The content in this document is for informational purposes only and is subject to change by Sonus Networks without notice. While reasonable efforts have been made in the preparation of this publication
 to assure its accuracy, Sonus Networks assumes no liability resulting from technical or editorial errors or omissions, or for any damages resulting from the use of this information. Unless specifically
 included in a written agreement with Sonus Networks, Sonus Networks has no obligation to develop or deliver any future release or upgrade or any feature, enhancement or function.

 Copyright © 2012 Sonus Networks, Inc. All rights reserved. Sonus is a registered trademark and SBC 5200 and SBC 9000 are trademarks of Sonus Networks, Inc. All other trademarks, service marks,
 registered trademarks or registered service marks may be the property of their respective owners.

Printed in the USA 05/12		                                                                                                                                                                              WP-1125 Rev. B