Defense in depth for VoIP networks

As the quality of voice over IP offerings continues to improve, many organizations are beginning to adopt VoIP services to handle intra-office calls, international calls and overall corporate voice communications. Though initial uptake of VoIP has been relatively slow, the converged technology is certainly gaining momentum, with Forrester Research noting that VoIP-based phones are expected to overtake traditional phones by 2007.

The recent surge of interest in converged technologies can be chalked up to the increased performance and quality of new VoIP-based converged offerings as well as the overwhelming economic benefits. While both the economics and increased performance of VoIP are compelling, VoIP does present a slew of new security risks and challenges that must be considered when deploying a converged voice and data network.

VoIP networks are susceptible to all the same security risks as traditional IP data networks, including denial of service (DoS) attacks, viruses, worms, unauthorized access, loss of privacy and spoofing, as well as a host of others. Therefore, as companies deploy converged voice and data networks, they must take the necessary security precautions to protect against attacks that could potentially affect the entire communications network.

To ensure secure, reliable voice communications and reap the benefits of convergence, organizations must understand the security risks and formulate strategies to mitigate them. Following are some examples of how many common security threats affect voice networks.

  • Denial of Service, Viruses, and Worms: Many VoIP systems rely on Windows operating systems, and thus are susceptible to DoS, virus, and worm attacks. One attacked component can bring down an entire phone system and serve as a starting point from which the attack can spread throughout the converged voice and data network.
  • Toll Fraud and Unauthorized Access: Theft of service, or "phreaking," has long been a problem in traditional phone networks. This risk increases in converged VoIP networks due to the open nature of many enterprise data networks and vulnerability to service theft via spoofing or man-in-the-middle attacks.
  • Spoofing: Unauthorized access to the VoIP network allows attackers to spoof known source or destination addresses of VoIP terminals, creating both privacy and theft-of-service risks.
  • Port Scanning: Port scanning is a common first step in many attacks on VoIP and data networks. Detecting and preventing this activity can stop attacks before they happen.
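The last bullet says port scanning is detectable; the following is an added example (not from the article or from Inkra Networks) of the simplest form of that detection: a sliding-window count of distinct destination ports per source/destination pair over firewall or flow log lines. The log format, the 10.1.x.x addresses and the threshold of 10 ports in 10 seconds are all constructed for the example; a phone talking SIP and RTP to a call manager touches only a handful of ports, so it stays well under the threshold, while a host sweeping the call manager does not.

```python
"""Port-scan heuristic over constructed firewall log lines (added example).

Each line: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <allow|deny>"
Lines are assumed to be in chronological order per source address.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log: 10.1.20.15 is a phone talking to the call manager
# 10.1.10.5; 10.1.30.77 is a workstation sweeping the call manager's ports.
SAMPLE_LOG = """\
2005-03-01T10:00:00 10.1.20.15 -> 10.1.10.5:5060 udp allow
2005-03-01T10:00:01 10.1.20.15 -> 10.1.10.5:5060 udp allow
2005-03-01T10:00:02 10.1.20.15 -> 10.1.10.5:16384 udp allow
2005-03-01T10:00:00 10.1.30.77 -> 10.1.10.5:21 tcp deny
2005-03-01T10:00:00 10.1.30.77 -> 10.1.10.5:22 tcp deny
2005-03-01T10:00:01 10.1.30.77 -> 10.1.10.5:23 tcp deny
2005-03-01T10:00:01 10.1.30.77 -> 10.1.10.5:80 tcp deny
2005-03-01T10:00:02 10.1.30.77 -> 10.1.10.5:135 tcp deny
2005-03-01T10:00:02 10.1.30.77 -> 10.1.10.5:139 tcp deny
2005-03-01T10:00:03 10.1.30.77 -> 10.1.10.5:445 tcp deny
2005-03-01T10:00:03 10.1.30.77 -> 10.1.10.5:1720 tcp deny
2005-03-01T10:00:04 10.1.30.77 -> 10.1.10.5:2000 tcp deny
2005-03-01T10:00:04 10.1.30.77 -> 10.1.10.5:5060 tcp allow
2005-03-01T10:00:05 10.1.30.77 -> 10.1.10.5:5061 tcp allow
2005-03-01T10:00:05 10.1.30.77 -> 10.1.10.5:8080 tcp deny
"""


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict of typed fields."""
    ts, src, _arrow, dst_port, proto, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "proto": proto, "action": action}


def detect_scans(log_text: str, window_seconds: int = 10,
                 port_threshold: int = 10) -> List[dict]:
    """Flag (src, dst) pairs that touch >= port_threshold distinct destination
    ports within window_seconds.  Denied and allowed attempts both count: a
    sweep of filtered ports is still a sweep."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[Tuple[str, str], Deque[Tuple[datetime, int]]] = defaultdict(deque)
    flagged = set()
    alerts: List[dict] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["ts"], ev["port"]))
        # Drop attempts that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= port_threshold and key not in flagged:
            flagged.add(key)  # alert once per pair, not once per packet
            alerts.append({"src": ev["src"], "dst": ev["dst"],
                           "distinct_ports": len(distinct),
                           "detected_at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(f"possible scan: {alert['src']} -> {alert['dst']} "
              f"({alert['distinct_ports']} ports by {alert['detected_at']})")
```

The alert fires on the tenth distinct port, before the sweep finishes, which is the point of the bullet: with an intrusion prevention function in the path, that is early enough to block the source rather than just record it. Tune the threshold to the zone; a zone that holds only phones and a call manager can use a much lower one than a general data segment.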

Data networks have suffered a dramatic proliferation of new Internet-borne attacks and malicious activities in the past five years, and despite the influx of money and technology that IT managers are throwing at the problem, the number of threats is predicted to continue to increase in 2005. VoIP networks are not immune to this epidemic. In many cases where security ends at the perimeter, these attacks are able to bypass perimeter security, exploit data and VoIP vulnerabilities and then run unimpeded throughout the network. IT managers are quickly learning that a perimeter-only security strategy is not enough.

In today's security landscape, organizations need deep, pervasive security that goes beyond the perimeter. While there's no silver bullet in the security world, one effective way to minimize the proliferation of fast-moving attacks is for enterprises to adopt a layered, defense-in-depth security strategy.

With defense-in-depth, the network is compartmentalized and segmented into secure zones protected by layers of firewall, intrusion prevention, and other security services. This enables organizations to logically separate and secure voice and data networks in front of individual voice and data components and between interactive points in the network. Unlike perimeter security functions, these zones can inspect and broker access between VoIP and data interaction points, detect attacks that bypass perimeter security and prevent rapid spread throughout the converged network.

A defense-in-depth security strategy also enables security staff to fine-tune policies. For example, rather than putting a single intrusion detection system at the core of the network or close to the ISP access point, intrusion detection capabilities are moved closer to each of the individual assets that are being secured. This allows security staff to tune policies for the specific protocols and types of traffic on those servers.
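The two paragraphs above describe zones with policy tuned to the assets inside them. As an added illustration (not the article's or Inkra's code), the following models such a zone policy for a converged network: addresses are mapped to zones, rules are expressed zone-to-zone for the protocols each asset actually needs, and anything unmatched is denied. The zone names, address ranges and rules are constructed for the example.

```python
"""Zone-based policy for a converged voice/data network (added example).

Zones are constructed for the example: voice servers (call manager, gateway),
phones, general data users, and a management network.  Rules are first-match,
with an implicit default deny, so a data-user workstation cannot reach the
call manager's SIP port or its management ports at all.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONES = {
    "voice-servers": ipaddress.ip_network("10.1.10.0/24"),
    "phones":        ipaddress.ip_network("10.1.20.0/24"),
    "data-users":    ipaddress.ip_network("10.1.30.0/24"),
    "mgmt":          ipaddress.ip_network("10.1.99.0/24"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    lo: int      # inclusive destination port range
    hi: int
    action: str


# Policy tuned to what each asset needs.  The static RTP range is a
# simplification: a VoIP-aware firewall would open RTP pinholes per call by
# inspecting the SDP carried in SIP rather than leaving the range open.
RULES: List[Rule] = [
    Rule("sip-signaling",        "phones", "voice-servers", "udp", 5060, 5061, "allow"),
    Rule("rtp-phone-to-phone",   "phones", "phones",        "udp", 16384, 32767, "allow"),
    Rule("rtp-phone-to-gateway", "phones", "voice-servers", "udp", 16384, 32767, "allow"),
    Rule("pbx-admin-ssh",        "mgmt",   "voice-servers", "tcp", 22, 22, "allow"),
    Rule("pbx-admin-https",      "mgmt",   "voice-servers", "tcp", 443, 443, "allow"),
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Decide a flow: returns (action, rule name) with default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("deny", "unknown-zone")
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, proto) \
                and rule.lo <= dst_port <= rule.hi:
            return (rule.action, rule.name)
    return ("deny", "default-deny")


if __name__ == "__main__":
    # Constructed flows: a phone registering, a data-user host probing the
    # call manager, and an admin host reaching the PBX over SSH.
    for flow in [("10.1.20.15", "10.1.10.5", "udp", 5060),
                 ("10.1.30.77", "10.1.10.5", "udp", 5060),
                 ("10.1.30.77", "10.1.10.5", "tcp", 22),
                 ("10.1.99.4", "10.1.10.5", "tcp", 22)]:
        print(flow, "->", evaluate(*flow))
```

Placing this policy at the boundary of the voice-server zone, rather than only at the Internet perimeter, is what lets it stop a worm or a scanner that has already got onto the data segment: the data-users zone has no rule to the voice servers, so the default deny contains it. The phone-to-phone RTP rule is the kind of policy that is only sensible in the phone zone and would be noise anywhere else, which is the tuning the paragraph above describes.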

While a layered security approach can significantly increase the protection of converged networks, to date this strategy has been prohibitive due to the high cost and effort of deploying hundreds of disparate security devices throughout the network. Even in a moderate-sized network, a defense-in-depth strategy can require dozens to hundreds of additional security appliances, such as firewall and intrusion prevention systems. Plus, these additions to the network can introduce latency to the voice stream and degrade voice quality, which are unacceptable by-products of a sensible security plan.

Virtualized security systems offer one solution for implementing layered security in VoIP networks while preserving voice quality. Virtualization technology allows one device to offer multiple virtualized instances of several security services, such as firewall, VPNs, intrusion detection and prevention, and more. With a virtualized security system, users can place firewall, intrusion prevention, and other security resources near each of the assets that need protection throughout the converged voice and data network, all with point-and-click simplicity. These virtual services meet logical security needs with fewer physical devices, so a layered security model is more cost-effective to deploy and easier to manage.

While the introduction of many disparate security devices into a converged network can cause latency and reduce voice quality, virtualized security devices maintain voice quality. In comparison to traditional single-function security devices, a virtualized security system introduces minimal latency to voice streams because it reduces the number of parsing and reassembly points a packet traverses when traveling throughout the network.

By using a virtualized defense-in-depth solution to compartmentalize and secure zones within the network, users can protect themselves from widespread damage wrought by VoIP application layer attacks, call interception and packet sniffing, unauthorized management access, toll fraud, DoS attacks, and broadcast storms. A VoIP network with defense-in-depth security can effectively contain attacks that make it past the perimeter and minimize damage to critical communications assets.

The convergence of voice and data networks has changed the security landscape significantly. Making defense in depth a part of this new landscape is a necessity for users planning to migrate to VoIP. Virtualized security systems can help make layered, defense-in-depth security a reality while reducing the cost of deploying security measures, simplifying deployment and management, and maintaining voice quality in VoIP environments.

Dave Roberts is the co-founder and vice president of strategy for Inkra Networks and may be contacted at dave@inkra.com.
© 2012 Penton Media Inc.