Security for SIP-based VoIP Communications Solutions

Transcription

1 Tomorrow Starts Today Security for SIP-based VoIP Communications Solutions Enterprises and small to medium-sized businesses (SMBs) are exposed to potentially debilitating cyber attacks and exploitation of their IP network when they use Session Initiation Protocol (SIP) services without proper precautions. This whitepaper explores the threat universe and examines various approaches to be become prepared.

2 Introduction Session Initiation Protocol (SIP) is being used widely to support innovative Voice over Internet Protocol (VoIP) communications solutions for voice, video, Unified Communications (UC), presence, IM/Chat, conferencing and more. Though VoIP solutions bring tremendous advantages, IT managers and practitioners still have security concerns centered around these technologies. Today, looking at threat of cyber attacks from possible hackers, firewalls alone are not sufficient to protect a VoIP network. Enterprises and SMBs require a robust, seamless approach to network security, covering: Motivation: Hackers employ a multitude of tactics to exploit the openness of VoIP communications solutions. Enterprises and SMBs need to understand hacker s tactics along with their motivations to secure their networks from attack. Skills: Most enterprises and SMBs fail to secure their Session Interface Protocol-based (SIPbased) VoIP communications platform due to insufficient skills, inconsistent security plans and other challenges. Strategy: SIP-based VoIP communications platforms can be safeguarded against possible cyber attacks by implementing the right strategy. Strategy will not only safe-guard SIP-based VOIP communications solutions, but will also enhance performance of VoIP for their communications. Considering these factors, it s important and necessary for enterprises and SMBs to recognize and address security issues that come up with deployment of SIP based VoIP communications solutions. A strong focus and approach to security will help overcome the inherent challenges.

3 The Threat Since SIP-based VoIP communications solutions are a gateway to an entire network, not only VoIP communications solutions are susceptible to hackers, but the entire network faces threat from cyber-criminals. It is imperative for IT practitioners to know that cyber-criminals are continuously looking to exploit SIP openness for various reasons, either to gain free services or to steal sensitive information from an enterprise network. In this section, we will explore some of the key threats that exist today Snooping corporate information Cyber-criminals spy into enterprise networks to eavesdrop on important phone and video calls, or to steal important data. This type of cyber attack, if undetected by the enterprise, will turn out to be very expensive. To gain entry into an enterprise IP network, cyber-criminals smartly position multiple messages with varied SIP variables to test network security. If they start getting a response from the network, hackers will then try to register an SIP user agent on the network. Once they are registered as an SIP user, it s easy for them to tap a voice or video conversation. 2.2 Mugging of Service he most common practice by hackers worldwide is to break into an enterprise s communications solutions and register an SIP user account. This enables them to carry out free long distance calls, as SIP registered users can access a variety of features and functionalities of SIP-based VoIP communications solutions. Hackers worldwide have been successful in breaching and exploiting SIP-based VoIP communications solutions for this purpose, as detailed specifications on the default SIP user accounts of most VoIP communications solutions are available to them.

4 2.3. Denial of Service (D0S) / distributed denial of service (DDoS) Denial of Service (DoS) attacks degrade Quality of Services (QoS) and often manifest in a variety of ways: Call drop, inability to connect calls Choking of resources like unified messaging, voic , conference bridge Deteriorated call quality on voice calls or freezing of video frames during video calls; pixilation of video Echo and jitters during conversations The most common modus operandi from hackers worldwide is to flood enterprise network with useless traffic. The additional traffic pumped on network burdens bandwidth and chokes resources available to support VoIP communications solutions. These DoS attacks can be seriously troublesome for the company under attack. Maintaining QoS is becoming an increasingly important and difficult issue for providers. As businesses use more data than ever before, it is becoming more difficult to maintain the same speed and quality on the network Other Common SIP Attacks More often, cyber-criminals use DoS attacks and breach enterprise networks to steal crucial data and information, or to disrupt communication. Other common attack techniques on SIPbased communications solutions include: SIP Registration Hijacking: An SIP registration hijack works when a hacker disables the legitimate user s SIP registration. Then the attacker sends a register request with the attacker s IP address instead of the legitimate user. Contact header information is changed by the attacker by replacing his own IP in place of the original user s. This allows the attacker to use a legitimate user s account to intercept incoming calls, reroute calls, use the account to make calls or terminate calls as they wish. Spam over Internet Telephony (SPIT): SPIT has a similar impact on SIP-based VoIP communications systems that spam or junk mail have on servers. SPIT is generated exactly like the majority of spam. SPIT messages slow down communications system performance, block voic and hamper user productivity. Session Hijacking: As most communications are protected by providing user credentials at session setup, an attacker intercepts all communications between user and VoIP communications server, or creates a new session. Hence, an attacker can do anything that a legitimate user is authorized to do on the network. This type of attack is also commonly known as Session Theft Attack.

5 Barriers to Defense Most SMBs do not employ a dedicated network security team and allocate only limited budget towards IT support and security infrastructures. Thus, it s becoming easy for hackers to target these SMBs and hackers are very sophisticated and aware of unsafe networks to target. Most enterprises and SMBs strongly believe that a firewall is enough for protection of a network and often overlook voice and video quality issues. Enterprises these days use sophisticated monitoring software on their firewall to recognize network traffic patterns, but before they identify potential problems, hackers can shut down that particular IP address and even switch their location. Generally, a firewall can only relay and control SIP signaling information and cannot orchestrate the session layer, failing traffic prioritization to meet real-time communication QoS levels. Many enterprises and SMBs simply do not understand the measures that can be taken to prevent security breaches. To prevent the disruption of communications, which can lead to gradual loss of customers or a full, highly damaging data breach, companies should prepare a proper defense for the variety of SIP trunking vulnerabilities that can impact their business.

6 Preparing a Defense Enterprises and SMBs need to start looking at the security of a network in different way. Simply by being proactive towards security, VoIP communications networks can be secured effectively against all threats. 1. The most common technique to mitigate free call attempts is Rogue, or unauthorized, RTP (Real-Time Transport Protocol) protection. Rogue packets occur due to a malfunctioning device continuing to send media packets even after termination of session, or by third-party devices due to a malfunction or malicious activity. SBCs include provisions to detect and block Rogue RTP media streams. 2. Snooping can be avoided by creating virtual LANs (VLANs) within the local network. This will maintain call privacy and can be used to segregate traffic along with encrypted media streams. 3. Additional defenses can be deployed by adopting and enforcing simple policies like resetting default usernames and passwords of VoIP communications solutions, including PBX, UC and voic . This simple change will help repel SPIT attacks from cybercriminals across the board. 4. The best practice and proven solution that is able to detect anomalies and respond to them quickly is the enterprise-grade Session Border Controller (SBC). An SBC constantly monitors network traffic along with usage pattern analysis to quickly spot an SIP attack. For example, the SBC recognizes specific IP addresses from which a huge amount of traffic is originated or may find a set of similar machines that are trying to request the same server. An SBC automatically steps in and initiates protection protocol by blocking traffic, notifying the SIP device to ignore the problem. An SBC supports standard SIP protocol for SIP trunk, SIP for far-end Network Address Translation (NAT) traversal, and s mobile and remote users of any available network access points without compromising corporate policies. The SBC protects against theft of service and toll fraud by quickly identifying and resolving network issues. Additionally, the SBC helps mitigate the bandwidth issues created by DoS and traffic flooding attacks by isolating the offending traffic and preventing it from affecting the VoIP network altogether. It ensures that valuable resources are not consumed by non-productive traffic. The SBC also helps in protecting QoS rules that have been applied to high-priority SIP-based VoIP communications solutions. An SBC ensures networks perform as designed without degrading essential services even when the network is under cyber-attack. SBCs not only secure networks against SIP attacks but also help eliminate other issues, including: Call drop, inability to connect calls Choking of resources, including unified messaging, voic and conference bridge Deteriorated call quality on voice calls, freezing of video frames during video calls and pixilation of video Observing echo or jitters during conversations

7 Conclusion As attacks become more prevalent, enterprise must do everything in their power to secure all aspects of their business. For almost all enterprises and SMBs, their VoIP communications will offer hackers a prime opportunity to exploit a weakness in the company s VoIP, SIP, or IT security infrastructure. With denial of service attacks, SIP registration hijacking, session hijacking, Spam over Internet Telephony, and other cyber-attack tactics all available to hackers to gain access to sensitive information, enterprises and SMBs require tools and tactics of their own to protect themselves. While SIP offers an excellent opportunity for enterprises and SMBs to reduce costs and ensure business continuity, it is imperative that it s deployed securely. About Panamax Bridge2Call Panamax Bridge2Call IP PBX is built around both Session Border Controller and Call Session Controller, which simplifies the installation and management process while providing enterprises and SMBs with a completely secure SIP-based VoIP communications solution. The Panamax Bridge2Call SBC offers: Secure Socket Layer (SSL - cryptographic protocol) base web access Denial of Service (DoS) protection Security ensured through a SIP-aware firewall and protocol mediation Fraud detection and prevention High availability ACL base System Access Focused on the enterprise s security Protection for your SIP trunks Secure remote endpoint access Active packet inspection Enforces a customer s unique security policies Complete network topology invisible to external threats Traffic management, QoS and call admission control to maintain high quality voice on every call. Securing voice, video and data on network SIP Trunk Internet Mobile App Firewall can restrict signaling and media destinations to the session controller Real addresses only known to the session controller SBC+CSC+DB Your public address SIP:you@net.com appears on session controller Session controller dynamically allocates media ports for calls SIP Phones

8 IP termination Everything you need to know Our Product Portfolio is as below: Panamax Inc Kew Gardens Road, Suite 1040, Kew Gardens, New York USA Call: Website: