CASE STUDY
Securing Enterprise VoIP Networks with Multi-Service Business Gateways
This paper discusses the security problems of voice over IP (VoIP) systems and how to
address them with a Multi-Service Business Gateway (MSBG). The MSBG secures the
enterprise network by combining traditional firewall and VPN capabilities for the IP
network with VoIP-specific security capabilities.
The security threats that a VoIP system faces can be classified into four
main categories:
1- Network level threats
2- Media threats
3- Communication session threats
4- Application level threats
1- Network level threats:
A VoIP deployment uses a firewall to control network traffic: it inspects incoming and
outgoing packets and accepts or discards them according to rules. These rules
specify which servers and services may be reached from the external network. Every packet
that crosses the firewall is compared with the rules and then accepted or denied.
A denial of service (DoS) attack makes a server unavailable to legitimate users by
overwhelming it with heavy traffic. A firewall reduces the opportunities to attack the
network with DoS traffic.
A distributed denial of service (DDoS) attack exhausts the target's resources by launching
many attacks simultaneously from multiple sources, causing resource starvation.
Solution:
A common way to address network level threats is a virtual private network (VPN).
A VPN lets remote employees reach the company LAN from outside it and provides
inter-branch connectivity.
A VPN relies on a tunneling protocol to secure the network traffic; it provides an
efficient way to transport IP traffic from one point to another with confidentiality,
sender authentication and message integrity.
Therefore a VPN allows an organization to maintain secure communication over an
external, non-secure network.
2- Addressing media security:
In some cases a secure connection must be established because sensitive data, such as
card numbers and passwords, is sent between different networks; secured VoIP is
another example.
The standard protocol for VoIP media is the Real-time Transport Protocol (RTP). Its
secure profile, the Secure Real-time Transport Protocol (SRTP), is an enhancement of
RTP. An RTP packet consists of a header and a payload: the header carries
information such as the payload type and sequence number, and the payload contains
compressed voice generated by a voice coder.
The main purpose of securing the link is to keep the data confidential and to verify
its integrity and authenticity.
Solution:
For confidentiality, the packet payload is encrypted at the sender's side and decrypted
at the receiver's side using the same encryption key. SRTP encrypts only the payload;
the RTP header stays in the clear so that network devices can still read it.
For message authentication, SRTP relies on a keyed hash (HMAC) that produces a
message authentication code (MAC), which is appended to the end of the packet. This
scheme lets the receiver verify the integrity of the payload as well as of fields in
the header, such as the packet sequence number, which is used to counter replay attacks.
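The packet protection described above, as an added example that is not part of the original paper and not the MSBG's code. It follows the SRTP layout (header in the clear, encrypted payload, 80-bit MAC over header plus ciphertext appended at the end) and shows why the MAC must also cover the header: a replayed packet is rejected by its sequence number, and a packet whose sequence number was altered fails authentication before anything else is done with it. The same three properties, confidentiality, sender authentication and integrity, are what the VPN tunnel of the previous section provides for the whole IP packet. Assumptions: the session keys are pre-shared constants (SRTP normally derives them from a master key negotiated out of band); the keystream comes from HMAC-SHA256 in counter mode as a stand-in for SRTP's AES counter mode, because the Python standard library has no AES; and the 16-bit sequence number is used directly as the packet index, without the roll-over counter a real implementation keeps.

```python
"""SRTP-style protection of an RTP packet (illustration only, not a conforming
SRTP implementation).  Header in the clear, payload encrypted, truncated
HMAC-SHA1 tag over header + ciphertext appended (RFC 3711 layout)."""
import hashlib
import hmac
import struct

HDR_LEN = 12          # fixed RTP header: V/P/X/CC, M/PT, seq, timestamp, SSRC
TAG_LEN = 10          # 80-bit truncated HMAC-SHA1 tag, the SRTP default
REPLAY_WINDOW = 64    # sequence numbers older than highest - 64 are rejected


def rtp_header(pt, seq, ts, ssrc):
    """Fixed RTP header: version 2, no padding/extension/CSRC, marker bit 0."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF,
                       ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)


def keystream(enc_key, ssrc, seq, length):
    """Keystream bound to (SSRC, sequence number) so no two packets of a stream
    reuse the same key/nonce pair.  HMAC-SHA256 in counter mode is an assumed
    stand-in for SRTP's AES counter mode (stdlib has no AES)."""
    out = b""
    block = 0
    while len(out) < length:
        counter = struct.pack("!IHI", ssrc & 0xFFFFFFFF, seq & 0xFFFF, block)
        out += hmac.new(enc_key, counter, hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(enc_key, auth_key, pt, seq, ts, ssrc, payload):
    """Sender side: encrypt the payload, then MAC header + ciphertext."""
    hdr = rtp_header(pt, seq, ts, ssrc)
    ks = keystream(enc_key, ssrc, seq, len(payload))
    enc = bytes(p ^ k for p, k in zip(payload, ks))
    tag = hmac.new(auth_key, hdr + enc, hashlib.sha1).digest()[:TAG_LEN]
    return hdr + enc + tag


class SrtpReceiver:
    """Receiver side with per-stream replay state."""

    def __init__(self, enc_key, auth_key):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.highest = None   # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers inside the window

    def unprotect(self, packet):
        """Verify the MAC first (nothing in the packet is trusted before that),
        then reject replays by sequence number, then decrypt."""
        if len(packet) < HDR_LEN + TAG_LEN:
            raise ValueError("packet too short")
        hdr, enc, tag = packet[:HDR_LEN], packet[HDR_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.auth_key, hdr + enc, hashlib.sha1).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication tag mismatch")
        _, pt, seq, ts, ssrc = struct.unpack("!BBHII", hdr)
        too_old = self.highest is not None and seq < self.highest - REPLAY_WINDOW
        if too_old or seq in self.seen:
            raise ValueError("replayed or stale sequence number %d" % seq)
        self.seen.add(seq)
        if self.highest is None or seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s >= self.highest - REPLAY_WINDOW}
        ks = keystream(self.enc_key, ssrc, seq, len(enc))
        return pt, seq, ts, ssrc, bytes(c ^ k for c, k in zip(enc, ks))


def demo():
    """Constructed sample stream: two voice frames are delivered, then the first
    packet is replayed and a header byte of the second is tampered with.
    Returns (decoded payloads, error messages for the two bad packets)."""
    enc_key, auth_key = b"\x11" * 16, b"\x22" * 20     # constructed session keys
    ssrc = 0x1234ABCD
    rx = SrtpReceiver(enc_key, auth_key)
    frames = [b"constructed voice frame 0", b"constructed voice frame 1"]
    pkts = [protect(enc_key, auth_key, 0, 1000 + i, 160 * i, ssrc, f)
            for i, f in enumerate(frames)]
    decoded = [rx.unprotect(p)[4] for p in pkts]
    replayed = pkts[0]
    # flip one bit of the sequence number field, leaving the tag untouched
    tampered = pkts[1][:2] + bytes([pkts[1][2] ^ 0x01]) + pkts[1][3:]
    errors = []
    for bad in (replayed, tampered):
        try:
            rx.unprotect(bad)
        except ValueError as err:
            errors.append(str(err))
    return decoded, errors


if __name__ == "__main__":
    print(demo())
```

Note the order inside unprotect: the tag is checked before the sequence number is even parsed, so an attacker cannot use crafted headers to disturb the replay window of a receiver, and the replay check happens before the (comparatively expensive) decryption.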
3- Addressing session level security:
VoIP calls face several security issues and attacks that can violate the privacy
of a call, for example man-in-the-middle attacks and illegitimate session attempts.
In a man-in-the-middle attack a third party inserts itself into the VoIP call without
the knowledge of the sender and receiver and listens to their conversation.
The MSBG supports some unique features for the protection of real-time
communication; these features are otherwise found only in the stand-alone Session
Border Controllers (SBCs) used by service providers.
The SBC element within the MSBG is designed to enhance the protection delivered to
voice, video and instant messaging.
The SBC provides security at several levels:
1- It complements the firewall's DoS protection by adding application intelligence
to prevent VoIP-specific attacks, providing deep classification of signaling
and media streams from layer 2 through layer 7.
2- It uses transaction rate limits to ensure that SIP devices within the enterprise
boundary are not flooded with failed SIP requests, and it protects itself against
signaling floods.
3- It hides the infrastructure topology at all protocol layers, for confidentiality
and for denial of service prevention.
4- It uses encryption such as TLS to provide user authentication and privacy.
5- It applies session-aware access control to signaling and media using static and
dynamic ACLs.
6- Monitoring and reporting include event logs, access violation logs,
management access logs and call detail records, together with performance
monitoring and raw packet capture.
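Items 2 and 5 of the list above, transaction rate limiting and static plus dynamic ACLs, as an added example that is not part of the original paper and not the MSBG's or any vendor's code. The guard sits at the enterprise boundary in front of the SIP server, sees each inbound request and the final response the server returns, and keeps a per-source sliding window of requests and of failed transactions. A source exceeding either limit is placed in a dynamic ACL for a ban period, which is how an extension-scanning or password-guessing flood is stopped before the PBX has to answer every attempt. Assumptions: the thresholds, the trusted trunk range, the denied range and the log lines are all constructed for the example; 401 and 407 responses are deliberately not counted as failures, because they are the normal digest challenge every legitimate phone receives before it authenticates.

```python
"""SIP transaction-rate guard with static and dynamic ACLs (illustration only)."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Final responses that mean the transaction failed.  401/407 are left out on
# purpose: they are the normal digest-authentication challenge.
FAILED_RESPONSES = {403, 404, 603}


class SipRateGuard:
    def __init__(self, trusted, denied, window=10.0, max_rate=20, max_failed=5, ban=300.0):
        self.trusted = [ip_network(n) for n in trusted]  # static ACL: always accept (provider trunks)
        self.denied = [ip_network(n) for n in denied]    # static ACL: always drop
        self.window = window          # seconds over which rates are measured
        self.max_rate = max_rate      # requests per window before a source is cut off
        self.max_failed = max_failed  # failed transactions per window before a source is cut off
        self.ban = ban                # seconds a dynamically blocked source stays blocked
        self.requests = defaultdict(deque)   # src -> timestamps of requests in the window
        self.failures = defaultdict(deque)   # src -> timestamps of failed transactions
        self.blocked_until = {}              # dynamic ACL: src -> time the block expires

    @staticmethod
    def _in(nets, ip):
        return any(ip in net for net in nets)

    def _trim(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def admit(self, now, src):
        """Decide on an inbound SIP request; 'drop' means it never reaches the server."""
        ip = ip_address(src)
        if self._in(self.denied, ip):
            return "drop"
        if self._in(self.trusted, ip):
            return "accept"
        if self.blocked_until.get(src, 0.0) > now:
            return "drop"
        dq = self.requests[src]
        self._trim(dq, now)
        dq.append(now)
        if len(dq) > self.max_rate:             # raw signaling flood
            self.blocked_until[src] = now + self.ban
            return "drop"
        return "accept"

    def record_response(self, now, src, code):
        """Feed the server's final response back.  Returns True when this failure
        pushed the source into the dynamic ACL."""
        if code not in FAILED_RESPONSES:
            return False
        dq = self.failures[src]
        self._trim(dq, now)
        dq.append(now)
        if len(dq) >= self.max_failed:          # extension scanning / password guessing
            self.blocked_until[src] = now + self.ban
            return True
        return False


# Constructed log: "<seconds> <source> <method> <final response code>".
# 198.51.100.7 scans extensions; 203.0.113.10 is a trusted trunk;
# 192.0.2.25 is a phone receiving its normal 401 challenge; 198.18.0.5 is statically denied.
SAMPLE_LOG = """\
0.0 198.51.100.7 REGISTER 401
0.4 198.51.100.7 REGISTER 403
0.8 198.51.100.7 REGISTER 403
1.2 198.51.100.7 REGISTER 403
1.6 198.51.100.7 REGISTER 403
2.0 198.51.100.7 INVITE 404
2.4 198.51.100.7 INVITE 403
3.0 203.0.113.10 INVITE 200
4.0 192.0.2.25 REGISTER 401
5.0 198.18.0.5 OPTIONS 200
"""


def run_sample(log=SAMPLE_LOG):
    """Replay the log through the guard; returns the per-request decisions and
    the sources that ended up in the dynamic ACL."""
    guard = SipRateGuard(trusted=["203.0.113.0/24"], denied=["198.18.0.0/15"])
    decisions = []
    for line in log.splitlines():
        ts, src, method, code = line.split()
        verdict = guard.admit(float(ts), src)
        if verdict == "accept":
            guard.record_response(float(ts), src, int(code))
        decisions.append((src, method, verdict))
    return decisions, sorted(guard.blocked_until)


if __name__ == "__main__":
    for row in run_sample()[0]:
        print(*row)
```

In the sample the scanner's seventh request is dropped at the boundary after five failed transactions, while the trusted trunk and the legitimate phone are unaffected; the raw request-rate limit in admit() covers floods that never wait for a response at all.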