Spam has an equivalent in the voice world, with the appropriately unsavory title of SPIT. That includes voice calls that come at the rate of several an hour, but with no one on the other end of the line.
Then there’s phishing. For example, you get a call from “your bank” to verify account activity — but it’s not actually your bank, just some fraudster trying to trick you into providing your account password and social security number.
These kinds of things, along with denial-of-service (DoS) attacks, viruses and worms that slice out PIN and financial information from voice conversations, and more, have become distinct possibilities thanks to the virtual nature of IP, and the IP nature of VoIP. Implementing such scams and attacks unfortunately is as easy as writing a simple piece of code — and the perpetrators often are untraceable.
The good news is VoIP attacks are still rare, which gives the industry a window during which to fortify the VoIP infrastructure before the hordes of marauding hackers descend on VoIP networks.
Seshu Madhavapeddy, president and CEO at VoIP security specialist Sipera Systems Inc., says understanding what you’re up against is the first step to fortifying the ramparts. “You have to do proactive research to think like a hacker,” he says.
Anatomy of a VoIP Security Threat
The threat taxonomy of P — the map of risks and threats — falls into several distinct buckets:
Man-in-the-middle hacker risks include identity and information theft, call hijacking and call eavesdropping.
Fraud includes phishing/impersonation for old-fashioned bilking by voice; billing fraud, whereby a third party bills his or her calls to someone else’s phone number (unbeknownst to the user); and another form of billing fraud that involves changing a corporate calling plan to allow 900 numbers or international calls.
Nuisance attacks include spam via voice message (SPIT), phantom voice mail, codes that cause incessant incoming calls with no one on the other end, and the like. In the case of the latter, the network doesn’t register the calls because they are not completed, making it impossible to trace where they’re coming from (likely a laptop somewhere out on the Internet).
Malicious threats to corporate infrastructure are familiar from the IP data world. That includes viruses and malware, denial-of-service attacks that degrade or interrupt service, and remote control utilities that can be used to take over outbound or inbound call routing.
“You can insert media into a stream if you have access to that stream, and as we packetize voice, anyone with access to the network has access to that data,” says Bob Hagen, director of security development at Global Crossing Ltd. “On the PSTN, the biggest threats were alligator clips and backhoes, or someone gaining entrance to the wiring closet. It’s a whole new game, now.” For instance, because SIP is an open standard, softphones and IP phones exposed to the Internet can have their SIP modules replaced by Trojan malware.
The most high-profile VoIP threat has been SPIT and spoofing — impersonating someone else’s caller ID. “You would think this is an electronic Pearl Harbor-type event waiting to happen, with all the hype,” says Adam Uzelac, senior manager of VoIP design at Global Crossing. “Ever since it became public that Paris Hilton impersonated other people via caller ID when calling Lindsay Lohan, spoofing has been news. However, it’s an important lesson: There is an assumption of trust in a voice call, which is why users have to be as wary of a phone call soliciting information as they would be with an e-mail.”
As for SPIT, Steve Lacoff, vice president of product management and marketing at Bandwidth.com Inc., says it will be a growing trend. “VoIP spam has lowered the fundamental economics for companies that want to do outbound telemarketing,” he explains. “To block it, you can set up black and white lists, but if you block it on the customer prem, it’s too late because it’s already clogging up the phone lines. Over the next 12 to 18 months, SPIT will grow as an issue, and service providers need to find a way to deal with it.”
Madhavapeddy says a danger of a different type is the more immediate concern. “Right now with VoIP, we see a mimicry of circuit voice — the phones look the same as before, the user experience is similar — it’s just that the calls are cheaper. That reality has meant that DoS attacks are for now the primary concern.”
DoS attacks can overwhelm an infrastructure and bring it to its knees. “From a single laptop you can generate enough traffic to emulate 100 million subscribers,” says Madhavapeddy. “All you need is a Pentium 4 processor.”
The threat landscape also is beginning to expand, with mobile clients, softclients, unified messaging and more creating more holes in the enterprise perimeter. “Enterprises are now realizing that they can do some very fancy things with VoIP,” Madhavapeddy says. “You can integrate with the supply chain and desktop applications, and you can communicate better with outside partners. You can create seamless, virtual offices, integrate with a mobile network, add in Wi-Fi — and, in short, do all of these unique things to create a richer, more productive environment. All of that is creating a bigger front for attacks, and so the need for security is exponentially increasing.”
Figure: How the Distributed Nature of IP Is Increasing Security Risks (Source: Sipera Systems Inc.)
It’s a dizzying array of concerns. “This has received a lot of attention recently, and yet it is mostly theoretical,” says Sam Curry, vice president of security management at CA. “Unlike the Internet, where users can remain anonymous, VoIP has a chance to be different, and to be traceable, although admittedly not yet. The key issue here is standards for interoperability and the global adoption of VoIP. It is hoped that VoIP doesn’t suffer many of the same pitfalls that e-mail has over the years, but the distinct possibility exists.”
Work is under way to prevent VoIP from suffering the virus-ridden fate of e-mail and the public Internet. Subscribers have their parts to play by implementing VoIP-aware premises security and educating themselves on fraud campaigns. However, the service provider also has responsibility to lock down VoIP service, particularly in a hosted scenario. “The service provider must be able to protect the user, their network and the application, which means end to end, and that has not changed,” says NexTone Communications’ Founder and CTO Sridhar Ramachandran. “Traditional methods, such as using a static firewall, are not equipped to support real-time communications requirements such as VoIP or multimedia services.”
The session border controller (SBC) has been given the task of providing the first line of defense for service providers. The SBC provides the first point of communication and defense at the edge of the network, and provides the following key security functions: DoS, distributed DoS, overload protection, access control, topology hiding, service partitioning and theft protection, monitoring, alarming and reporting analytics, Ramachandran notes.
This is but one part of the threat prevention picture for carriers. “SBCs provide a secure overlay,” says Joe Curcio, vice president of product security at Avaya Inc. “That protects the point-to-point, but you also need media encryption. Most protections focus on the network layer, but it’s up to us to provide more intelligent ways to secure the applications layer.”
Ramachandran says one bright spot is that the IMS architecture has focused on security on both the access and intercarrier sides. “There is quite a bit of interest on threat detection and prevention using behavioral modeling of signaling and media,” he says. “Products sit behind the SBC or security gateway in the network and perform pattern matching of signaling protocols and media streams.”
Also, purpose-built security approaches are starting to appear in the market. For instance, at the recent 3GSM World Congress in Barcelona, Spain, NEC demonstrated a new solution for carriers focused on blocking SPIT, dubbed VoIP SEAL. Juergen Quittek of NEC Europe’s Network Laboratories says operators can use the product to track down anomalies — say, if an endpoint is making thousands of calls. It also can employ a variety of customized detection methods and security tests for calls, in a scalable way. For instance, a caller that starts speaking before a particularly long greeting is over might be classified as SPIT and routed to the equivalent of a junk mail folder. The operator can assign thresholds and rules-based handling schemes in accordance with its preference. “This solution can be customized and ready to go for a carrier in a couple of months,” says Quittek. “That’s important because SPIT has the capability of ramping very quickly. Consider that today there is more spam than regular e-mail being delivered, or the spam-generating ‘botnets’ that are found on millions of computers — that’s quite a mighty infrastructure that can be brought to bear on VoIP, although it hasn’t happened yet.”
“Users should be able to have a phone and use it safely without special education, or else VoIP adoption will grind to a halt,” he adds. “This is why service providers must consider these security threats before it’s too late.”
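The kind of rules-based screening described above (call-rate anomalies, a caller talking over a long greeting, operator-set thresholds), combined with the black and white lists Lacoff mentions, can be sketched in a few lines. This is an added example, not NEC's VoIP SEAL code and not part of the original article; the record fields, thresholds, weights and sample calls are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Call:
    caller: str                      # calling endpoint identity
    start: float                     # setup time, seconds since start of log
    greeting_s: float                # length of greeting played on answer
    first_speech_s: Optional[float]  # when caller audio began; None = silence

# Operator-assigned thresholds and weights (assumed values, tune per network).
WINDOW_S, MAX_CALLS = 3600, 20       # call-rate anomaly: > 20 calls per hour
LONG_GREETING_S = 8.0                # only long greetings are a fair test
WEIGHTS = {"rate": 2, "talk_over": 2, "silent": 1}
JUNK_AT = 2                          # score at which a call is diverted

def classify(calls, allow=frozenset(), deny=frozenset()):
    """Return one (verdict, reasons) tuple per call, in start-time order."""
    recent = defaultdict(deque)      # caller -> start times inside the window
    results = []
    for c in sorted(calls, key=lambda c: c.start):
        window = recent[c.caller]
        window.append(c.start)
        while window[0] <= c.start - WINDOW_S:
            window.popleft()
        reasons = []
        if len(window) > MAX_CALLS:
            reasons.append("rate")
        if c.first_speech_s is None:             # no one on the other end
            reasons.append("silent")
        elif c.greeting_s >= LONG_GREETING_S and c.first_speech_s < c.greeting_s:
            reasons.append("talk_over")          # spoke before greeting ended
        if c.caller in allow:                    # white list wins over every test
            verdict = "deliver"
        elif c.caller in deny or sum(WEIGHTS[r] for r in reasons) >= JUNK_AT:
            verdict = "junk"
        else:
            verdict = "deliver"
        results.append((verdict, reasons))
    return results

# Constructed sample records, not real traffic.
SAMPLE = (
    [Call("sip:bulk@example.net", 10.0 * i, 10.0, None) for i in range(25)]
    + [Call("sip:alice@example.org", 400.0, 10.0, 11.2),
       Call("sip:promo@example.net", 500.0, 10.0, 0.4)]
)
```

On the sample, the bulk caller's first 20 silent calls are delivered and only calls 21 to 25 are diverted, which shows why a rate threshold alone reacts late and why per-call tests such as the greeting check are layered on top of it.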
Security Best Practices
Until people start taking the steps to safeguard their networks, VoIP isn’t going to be adopted ubiquitously. Manufacturers and service providers should identify best practices to protect the integrity of the VoIP and multimedia communications systems, and to ensure the confidentiality of user information. Network attackers have a broad repertoire of tools and techniques that they use to launch multilevel attacks against various network resources, and this also should be taken into account.
Here are some key security principles from Nortel Networks Ltd.:
Any strategy for securing IP telephony and, more broadly, multimedia should take a layered defense approach to security, ensuring there are no single points of security failure in a network. “It is achieved by using multiple approaches to security enforcement at multiple areas within a network, and is bolstered by leveraging standards-based solutions that utilize security capabilities and products developed by Nortel and through partnerships with best-of-breed security vendors,” says a Nortel spokesperson. “This approach is different than the traditional IT approach, which has focused on protecting the perimeter through firewalls.”
Links
Avaya Inc. www.avaya.com
Bandwidth.com Inc. www.bandwidth.com
CA www.ca.com
Global Crossing Ltd. www.globalcrossing.com
NEC www.nec.com
NexTone Communications www.nextone.com
Nortel Networks www.nortel.com
Sipera Systems Inc. www.sipera.com
Stratus Technologies www.stratus.com