Protect the privacy of an enterprise UC network

By Pierre-Jean Chalon , Vice President and General Manager, Asia Pacific, Sonus Networks

When developing a network security strategy, organizations must include provision for VoIP and UC, and VoIP security strategy.

A global survey of more than 200 enterprise IT professionals conducted by Sonus Networks on the topic of unified communications (UC) revealed that 78 percent of respondents had either partially or fully deployed UC solutions, with most of the remaining respondents saying their organizations are or would soon be in the planning phase.

As the concept of work anytime, anywhere continues to become more prevalent, understanding how to effectively protect an organization’s network and data becomes more important than ever, given frequent reports of data snooping and Denial-of-Service or DoS attacks.

However, with the growing uptake of UC, it is also important for organizations to consider the approach taken to secure Voiceover Internet Protocol (VoIP) and UC. This is because while a business can put in place impenetrable intrusion prevention systems to stop malicious attacks on data-centric devices with success, the same measures will render real-time communications such as VoIP and Session Initiation Protocol or SIP defenseless. Hacking into VoIP and UC can be undertaken by intercepting signalling and media transmitting at any given point between two endpoints along the communications path. Once the system is compromised, the hacker then gains free rein to enter any other part of the same system.

An attack can be carried out in several ways. Obtaining confidential information is achieved by accessing the network under a false identity or eavesdropping on private communications, while toll fraud attacks seek to hijack long-distance service by illegally logging onto the network. Sniffing media packets allows calls to be recorded, changed and replayed. The attacker can then manipulate the data in media packets to impersonate a caller, appearing as though he is working from the organization.

A Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attack can also be launched to flood the network with repeated requests in an attempt to overload the system. This prevents subscribers from effectively using the service. With Internet Protocol or IP telephony and UC, the system is also at risk of Telephony Denial-of-Service (TDoS) and UC Denial-of-Service (UCDoS) attacks. TDoS is the transmission of what appears as to be genuine call signals made into an organization but the contents of the call are often recorded messages and random noises that attempt to terminate calls. Since a traditional data security device is not session or call state aware, the frequency in which these fake Internet Protocol messages are carried out prevents any genuine communications from getting through.

Minimizing security attacks

There are several ways to overcome and minimise these attacks, such as signalling and media-encryption, the employment of rogue call protection and developing performance indicators to track and monitor data usage.

Network borders can be secured by using Session Border Controllers or SBCs to protect real-time communications. These provide call admission control, protection against DoS and DDoS attacks and ‘Topology Hiding’, an enhanced network security method that protects by terminating a received call and initiating a second call leg to the intended receiver.

Any SIP system implementation should also have end-to-end encryption, removing any weak points in the communications system.

When developing a network security strategy, organizations must include provision for VoIP and UC, and VoIP security strategy must protect the UC application, the endpoint and the media itself.

All in all, in order for organizations to survive in this ever-evolving technology landscape, they need to first recognize that a well-executed attack could mean the end of business, and the only way to thrive is toensure the highest standard of IT security.