THE WAY WE WERE
In early VoIP deployments, carrier networks were protected at peering points using session border controllers (SBCs). These devices were standalone appliances used as an adjunct to other network elements. Since SBCs served a very specialized role in IP-Voice applications, they were often kept isolated from the rest of the network elements while carriers acclimated themselves to their functions and capabilities (Figure 1). As a by-product, the ‘standalone’, perimeter-focused protection model was acceptable to carriers; in fact, it was often preferred due to the immaturity of the technology and the prevailing belief that the core network was secure.
As the IP-Voice market has matured, a consensus has developed to move to a holistic security policy and architecture. This approach is manifested in an integrated “best practices” model that protects both the edge and the core network, and its adoption is growing rapidly. The majority of best practices applicable to IP-Voice networks come directly from their data-only network counterparts. The security industry provides a “best practices” deployment framework for holistic security architectures known as “defense-in-depth” (DiD). Defense-in-depth is the use of multiple security solutions deployed at the perimeter and throughout the core network. The result is a “web” of layered protection for mitigating internal and external intrusions. By deploying a meshed security architecture, providers ensure continued carrier-class reliability and integrity, while the post-circuit, all-IP environment provides the function and flexibility of IP-based networks that are highly scalable and feature rich.
There are several reasons for the increase in popularity of the integrated “DiD” model. The most significant is the ability to detect and mitigate targeted threats against any core network element regardless of source or attack vector, thus protecting the overall infrastructure. This reflects the ‘coming of age’ of a holistic security architecture for IP-Voice networks, as more and more carriers choose multiple products to protect their IP-Voice network. Selection of the secure edge device still plays a primary role in IP-Voice network planning and deployment, but the holistic “defense-in-depth” security model that touches all network elements has taken off in terms of customer requirements.
MOVING FORWARD: SETTING A POLICY
To establish and expand the border of next-generation voice networks (NGN), carriers must deploy edge security solutions that continue to provide adequate protection, measured against an internally developed security policy and test suite (Figure 2). This policy is a documented statement reflecting a risk analysis and the business impact of accepting particular risks. The policy must address basic questions such as “who can access what and why?”, “how vulnerable is a particular application, system, and/or device?”, and “who responds in case of an intrusion or breach?”. Historically, the prime focus of early VoIP security policies was the use of SBCs. This remains a critical protection mechanism, but what about the rest of the core network? Early security policies must now evolve to additionally take into consideration every component within the core network and their intra-network communications. As mentioned earlier, today’s carrier security policies reflect a “defense-in-depth” architecture.
TAKING A HOLISTIC APPROACH
Today, IP-Voice security is as important for a provider’s network as are the services it provides. Standards bodies and industry consortia have established guidelines for securing IP-Voice networks. Using this industry guidance, the steps toward a secure IP-Voice network are as follows:
1. Security is a cross-organizational initiative driven by business goals. Key to this definition is the degree of “risk vs. reward” factored into investments and deployment measures to produce a holistic security plan and policy set.
2. The resulting security policy forms the foundation for an IP-Voice network threat/risk mitigation model. The model’s risk set and associated mitigation techniques come from both internal and external sources.
3. Threat mitigation is addressed via the identified “best practices” that are part of the threat/risk model, focusing on the security of all elements. This includes:
Within the core network:
- Encrypt intra-network communications
- Harden all network elements:
  - Network infrastructure systems (switches, routers)
  - IP-Voice related systems (application server, media server, SIP proxy, media gateway, provisioning portal)
- Use strong authentication between elements, with techniques such as two-factor authentication
- Secure and protect provisioning and event logging.
At network demarcation points:
- Secure IP edge solutions that provide the SBC feature set.
- Test/logging tools usable within the core network as well as at network demarcation points.
4. Perform regular vulnerability assessments at peering points, of core elements, and of associated protocols. Carriers should ask their vendors for comparable test results as part of their procurement/selection process. There are a number of open source and commercially available tools for testing lower-level (layer 3) and higher-layer (layer 5) protocols. There are also general tools to test for system overload and resource exhaustion, such as those that occur during a DoS/DDoS attack. Legitimate traffic should continue to flow bi-directionally, and call quality and integrity during such attacks should remain at service level agreement (SLA) levels.
5. Disable all unnecessary services on all elements, closing any possible “back doors” for intrusion. Once again, vendors may perform this configuration before shipping their products, but there may be a need for custom changes once installed.
6. Equipment selection and testing:
- Initiate and complete an RFI/RFP evaluation process. Such a process will range from several weeks to several months depending on network complexity.
- Verify functional completeness and interoperability test results. These results can be obtained from vendors, from industry consortia that host third-party interoperability testing, and from internal verification via lab trials.
- Seek out vendors that deliver solutions in support of a holistic security architecture.
7. Deploy security products in phases. Too big a step in any deployment phase can lead to unexpected network outages, design re-work, and frustration.
START WITH A SECURE IP EDGE
Secure IP Edge solutions such as SBCs give network operators the “first line of defense” on the perimeter at network demarcation points. These solutions provide policy-based control over IP-Voice sessions, furnish basic protocol (SIP, H.323, SIP-I) interworking, and defend the infrastructure against a wide range of intrusions.
Many features and practices that come from the security world are being subsumed into the IP-Voice secure edge solution. This is because an increasing number of operators are connecting to the public Internet directly to broaden their subscriber base and presence. As such, greater protection schemes are required when peering with another carrier’s private IP backbone.
Finally, more carriers are interconnecting to multiple peers and the Internet as a means to carry both wholesale and consumer IP-Voice traffic. As such, any border elements must provide protection from intrusions, Denial of Service (DoS), and Rogue RTP in addition to extensive Call Admission Control (CAC) and rate limiting based on corporate policies. These features maintain the integrity of the traffic, as well as protect the IP-Voice secure edge element itself and the core network from resource consumption risks.
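The border policy described above, and the earlier requirement that legitimate traffic keep flowing at SLA levels during a DoS flood, as an added illustration that is not code from the article or from any SBC product: a per-peer Call Admission Control limit combined with a per-peer token-bucket rate limit on INVITE signaling, so that one peer's flood cannot consume the capacity reserved for another. Peer names, limits and the message flow are constructed for the example.

```python
from collections import defaultdict

# Added illustration; peer names, limits and traffic pattern are constructed.
class BorderPolicy:
    """Per-peer Call Admission Control (CAC) plus a per-peer token-bucket
    limit on INVITE signaling rate, applied at the SBC for each peer."""

    def __init__(self, max_sessions_per_peer, invites_per_second, burst):
        self.max_sessions = max_sessions_per_peer  # CAC: concurrent calls allowed per peer
        self.rate = invites_per_second             # token-bucket refill rate
        self.burst = burst                         # token-bucket capacity
        self.active = defaultdict(int)             # peer -> established sessions
        self.buckets = {}                          # peer -> (tokens, last_update)

    def _take_token(self, peer, now):
        tokens, last = self.buckets.get(peer, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[peer] = (tokens, now)
            return False
        self.buckets[peer] = (tokens - 1, now)
        return True

    def on_invite(self, peer, now):
        """Return 'admit' or the SIP response used to refuse the call."""
        if not self._take_token(peer, now):
            return "503 Service Unavailable"      # rate limit: signaling flood from this peer
        if self.active[peer] >= self.max_sessions:
            return "480 Temporarily Unavailable"  # CAC: this peer's trunk group is full
        self.active[peer] += 1
        return "admit"

    def on_bye(self, peer):
        """Release a session slot when a call ends."""
        if self.active[peer] > 0:
            self.active[peer] -= 1

def run_flood_scenario():
    """Constructed scenario: peer 'flooder' sends 100 INVITEs within one second
    while peer 'carrier-b' places three normal calls in the same second.
    Returns a per-peer count of each outcome."""
    sbc = BorderPolicy(max_sessions_per_peer=2, invites_per_second=5, burst=5)
    outcomes = defaultdict(lambda: defaultdict(int))
    for i in range(100):
        outcomes["flooder"][sbc.on_invite("flooder", now=i / 100)] += 1
    for t in (0.10, 0.50, 0.90):
        outcomes["carrier-b"][sbc.on_invite("carrier-b", now=t)] += 1
        sbc.on_bye("carrier-b")                    # each legitimate call ends before the next
    return {peer: dict(counts) for peer, counts in outcomes.items()}
```

Because both limits are kept per peer, the flooder is held to two admitted sessions and a trickle of signaling, while all of carrier-b's calls are admitted.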
PROTECTING ALL NETWORK ELEMENTS
Other members of the IP-Voice architecture (media gateways, SIP servers, application servers, provisioning systems, etc.) may be configured with a commercially available operating environment (e.g. Solaris, Linux, Windows). All non-border elements must be equally hardened to protect themselves from potential internally generated attacks. Some operating environments have a rich set of embedded features, such as a firewall and a host intrusion detection system (HIDS), that operators can optionally enable for further system protection. Configuration should also include disabling unnecessary “packages”, accounts, and ports to prevent unauthorized user access.
To complement the secure perimeter, internal security can be provided using a select set of commercially available tools: protection against internal attacks (policing and metering on internal packet network interfaces), authentication verification beyond simple shared-secret exchange, intra- and inter-domain encryption, vulnerability assessment test tools, network- and host-based intrusion detection systems, and security incident management for logging and correlation of security events (Figure 3). Traditional security solution vendors can provide those tools that match the customer’s security architecture and policy. The deployment of multiple monitoring and logging tools throughout the internal network is in line with security best practices.
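The correlation of security events across core elements mentioned above, as an added illustration that is not code from the article or from any incident management product: a rule that flags a source which fails authentication against several distinct core elements within one window, something a per-element view would miss. The log lines, element names, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized events: timestamp, source element, peer IP, event type.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sip-proxy 203.0.113.5 auth_fail
2024-05-01T10:00:03Z sip-proxy 203.0.113.5 auth_fail
2024-05-01T10:00:05Z provisioning-portal 203.0.113.5 auth_fail
2024-05-01T10:00:07Z media-gateway 203.0.113.5 auth_fail
2024-05-01T10:00:09Z sip-proxy 198.51.100.7 auth_fail
2024-05-01T10:09:00Z sip-proxy 198.51.100.7 auth_fail
2024-05-01T10:00:11Z sbc 203.0.113.5 register_ok
"""

def parse(line):
    """Split one normalized log line into (timestamp, element, source, event)."""
    ts, element, src, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), element, src, event

def correlate(log_text, window=timedelta(minutes=5), min_failures=3, min_elements=2):
    """Flag a source that fails authentication at least min_failures times
    against at least min_elements distinct core elements inside one window.
    Returns {source: sorted list of elements touched} for flagged sources."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    failures = defaultdict(list)           # src -> [(ts, element), ...] within window
    alerts = {}
    for ts, element, src, event in events:
        if event != "auth_fail":
            continue
        recent = [(t, e) for t, e in failures[src] if ts - t <= window]
        recent.append((ts, element))
        failures[src] = recent
        elements = {e for _, e in recent}
        if len(recent) >= min_failures and len(elements) >= min_elements:
            alerts[src] = sorted(elements)  # record every element the source probed
    return alerts
```

In the sample, the source that spreads its failures across three elements is flagged, while the source with two failures nine minutes apart on one element is not.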
SUMMARY
As industry migration continues from circuit based to all IP based core networks, carriers require a robust, end-to-end security architecture. First, reliable, secure IP Edge solutions that are scalable, economical, and provide session management, call control, and security are deployed at network borders. To augment edge protection, network elements within the core network must be provisioned and hardened to protect themselves from network based, application level, and operator initiated attacks and intrusions regardless of their origin. Lastly, traditional security tools are used to provide additional security functions beyond what IP-Voice elements provide. Collectively, these form the foundation for a holistic IP-Voice security architecture.
About the Author
Bob Bradley is Product Line Manager, Security Solutions for Sonus Networks, the leading provider of carrier class IP-Voice infrastructure solutions. He can be reached at rbradley@sonusnet.com.