Securing IT networks is a serious and risky business. And the stakes are raised even higher when it comes to securing VoIP networks at the application layer. There is no all-in-one security solution for the abundance of VoIP and multimedia applications now available over packet networks, and IT managers must carefully evaluate their existing solutions and wade through the vast number of new solutions available to determine what is appropriate for their own networks.
IT security platforms built to protect against network-level and Web-based attacks are not designed to handle security issues at the application layer. VoIP-specific security attacks can allow unauthorized packets to run over a network, degrading performance, and can even intentionally flood a call server with requests, causing major service degradation. Standard firewalls and NAT solutions are not built to handle the upper layers of the network, and security solutions specifically designed to work with VoIP applications become necessary to maintain quality of service (QoS) within the network.
Some IT managers may shrug off the threat of a security attack at the VoIP application layer, believing these types of solutions are not mature or widespread enough to pose a threat yet. This is a dangerous conclusion, as IP security attacks have already been documented at the upper layers of the network. Network managers dealing with VoIP solutions face a number of different types of security threats, and application-level attacks and toll fraud at the application layer are two of the most important.
Security threats specific to the application layer include call and register floods, malformed packets, spam over Internet telephony (SPIT), illegal teardowns and registration hijacking. Toll fraud also falls under the application layer threats, as hackers may gain unauthorized access to PBX or IP PBX lines to make illegal calls. Inbound calls may also be redirected to a media gateway to gain unauthorized access to an IP network, and unprotected IP phones may also be exploited for toll fraud.
The SIP and H.323 standards also pose a challenge for VoIP network administrators. VoIP call sessions using the SIP protocol use at least three port numbers. These are usually dynamic ports, making it difficult to safeguard them with traditional firewall solutions. H.323 sessions use from seven up to 11 ports, the majority of which are also dynamic.
SECURITY WITHOUT COMPROMISING PERFORMANCE
By installing gateways between secure areas of the network and those impacted by VoIP applications, IT managers can dynamically open and close firewall pinholes to only allow authorized packets to pass through. Some gateways can decipher signaling information in packet headers to properly determine how to route those messages, while others can determine whether call setup information is legitimate. These devices are typically embedded in firewalls and security platforms to specifically handle VoIP application layer security issues.
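As an added illustration (not code from this article or from any product), the sketch below shows how a SIP-aware gateway could derive pinholes from signaling: it reads the SDP in INVITE and 200 OK messages, opens the negotiated media ports, and closes them when the call ends with BYE. The `PinholeTable` class, the `sip_msg` helper and the sample messages are hypothetical and constructed for the example; RTCP is assumed to use the RTP port + 1.

```python
import re

# Constructed SIP messages (not captured traffic); IPs are documentation ranges.
def sip_msg(start, sdp_ip=None, port=None, call_id="a84b4c76e66710"):
    head = f"{start}\r\nCall-ID: {call_id}\r\n"
    if sdp_ip is None:
        return head + "\r\n"
    return (head + "Content-Type: application/sdp\r\n\r\n"
            f"v=0\r\nc=IN IP4 {sdp_ip}\r\nm=audio {port} RTP/AVP 0\r\n")

INVITE = sip_msg("INVITE sip:bob@example.com SIP/2.0", "192.0.2.10", 49170)
OK_200 = sip_msg("SIP/2.0 200 OK", "198.51.100.20", 3456)
BYE = sip_msg("BYE sip:bob@example.com SIP/2.0")

class PinholeTable:
    """Tracks the UDP pinholes a SIP-aware gateway would hold open per call."""

    def __init__(self):
        self.calls = {}  # Call-ID -> set of (ip, port)

    def handle(self, raw):
        head, _, body = raw.partition("\r\n\r\n")
        start_line = head.split("\r\n")[0]
        cid = re.search(r"^Call-ID:\s*(\S+)", head, re.I | re.M)
        if not cid:
            return self.open_pinholes()   # no dialog to bind to: open nothing
        call_id = cid.group(1)
        if start_line.startswith("BYE "):
            self.calls.pop(call_id, None)  # teardown closes the call's pinholes
            return self.open_pinholes()
        conn = re.search(r"^c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})\s*$", body, re.M)
        for media in re.finditer(r"^m=\w+ (\d+) ", body, re.M):
            port = int(media.group(1))
            # Port 0 marks a declined stream; out-of-range ports are ignored.
            if conn and 1024 <= port <= 65534:
                ip = conn.group(1)
                holes = self.calls.setdefault(call_id, set())
                holes.update({(ip, port), (ip, port + 1)})  # RTP + assumed RTCP
        return self.open_pinholes()

    def open_pinholes(self):
        return sorted(h for holes in self.calls.values() for h in holes)

if __name__ == "__main__":
    table = PinholeTable()
    for message in (INVITE, OK_200, BYE):
        print(table.handle(message))
```

Everything not listed by `open_pinholes()` stays blocked, so the dynamic media ports are reachable only for the lifetime of a call that the signaling actually set up.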
Session border controllers are also extremely important for securing media delivery on private networks. These devices typically sit at the edge of a carrier’s network and work with customers’ existing firewalls and security solutions to provide denial of service protection, call filtering and bandwidth management. These devices are specifically designed to handle VoIP call protocols while simultaneously dealing with high call density, resulting in maximum security without impacting performance.
Future articles in this series will discuss specific security solutions for various parts of the network in more detail. But one thing is clear: IT managers need to evaluate their existing security solutions to determine how they may be enhanced and modified to accommodate VoIP traffic at the application layer. Security threats at this layer cannot afford to be overlooked.
Laura Stotler writes about IP Communications and related topics for TMCnet. She has covered VoIP and related technologies for seven years, contributing to Internet Telephony magazine and TMCnet, and as a freelance writer.