Secure Voice over IP (VoIP) Networks

Transcription

1 Secure Voice over IP (VoIP) Networks How to deploy a robust, secure VoIP solution that counters both external and internal threats and, at the same time, provides top quality of service. This White Paper: Discusses the key security challenges to consider when deploying VoIP solutions Describes Lucent s VPN Firewall Portfolio and how it can meet the security requirements of today s and tomorrow s VoIP networks and applications

2 Contents Executive Summary...3 Key Challenges in Securing a VoIP Network...3 Meeting the Challenge...4 Solution: Lucent VPN Firewall Portfolio...4 Lucent VPN Firewall Portfolio...5 Lucent Operating System...5 Lucent Security Management Server...5 VPN Firewall Brick Portfolio...6 Bandwidth Management...6 Lucent VPN Firewall Brick High Availability/Failover...7 Lucent IPsec Client...7 Complete Solution for Total VoIP Security...7 2

3 Executive Summary Creating high levels of security is essential to fully leverage VoIP technology and the many advantages it offers over traditional wireline solutions. Lucent s VPN Firewall Portfolio provides a complete solution to cope with the evolving threats that can slow down the deployment and use of VoIP applications. The portfolio combines the Lucent Security Management Server, Lucent VPN Firewall Brick appliances, and Lucent IPsec Client, along with third party applications, to ensure a robust, highly secure VoIP deployment. Lucent solutions, developed by Lucent s R&D arm, Bell Labs, offer blended communications that enable simple, seamless, secure networks that help drive your business forward. Lucent s unique security solution for your VoIP network provides: VoIP application layer filtering where you need it on your network Bandwidth control call by call to maintain voice quality on busy networks Failover capabilities that guarantee no voice or data session will be lost in case of network failure Key Challenges in Securing a VoIP Network VoIP is moving into the mainstream. According to Infonetics Research 1, the IP telephony market will grow at a healthy 21 percent CAGR between now and Organizations have the opportunity to take advantage of low cost, feature-rich VoIP solutions that can augment or even replace traditional wireline implementations. 1 Enterprise Telephony Report, Infonetics Research, Nov However, there are some stumbling blocks, and security is at the top of the list. Packet-based communications are particularly vulnerable to subversive attacks and illegal usage. Current technology serving data networks makes it easier to probe voice information on a packet network compared to physically tapping into a circuit switched network. Malefactors can conduct voice tapping through the use of sniffing packets and, by manipulating packets, obtain fraudulent service subscriptions that can be used without payment or charged to another actual customer. IP networks are also susceptible to identity theft, spoofing, loss of sensitive data, denial of service attacks, and eavesdropping. Hackers launch virus and worm attacks, and malefactors manipulate the networks to conduct internal espionage. IP PBXs can be hijacked and Windows-based servers are also vulnerable despite enhanced support for IPv6. If network hijackers successfully access network equipment, modify databases or replicate equipment, they can shut down, jam or takeover the voice network, or manipulate packet network protocols, such as and H.323. The challenge for network administrators is to secure the network against these many and varied threats while, at the same time, allowing the VoIP sessions to flow smoothly. 3

4 Meeting the Challenge Stateful inspection firewalls and Intrusion Detection Systems (IDS) commonly used for VoIP security offer limited defenses. Ideally, a VoIP security solution will dynamically adapt network resources and security based on VoIP application requests, regardless of the signaling protocol used or whether or not the signaling or media traffic is encrypted. A viable VoIP security solution must also: Understand and H.323 protocols to prevent the introduction of fraudulent packets Conduct packet inspection during and H.323 call setup to obtain the necessary information to dynamically open and close ports Be aware of emerging applications that require protection for example audio, web and video conferencing, as well as Unlicensed Mobile Access (UMA) for WiFi/cellular dual-mode handsets Support low latency, minimal jitter and negligible packet loss to ensure call quality and customer satisfaction Offer high availability to avoid loss of VoIP session in case of security device failure Solution: Lucent VPN Firewall Portfolio Lucent has taken a leadership role in VoIP security by offering a complete security solution that integrates with any existing VoIP application. Figure 1 shows Lucent s VPN Firewall Brick -based VoIP security system. Centralized VoIP Security policy & QoS management, distributed protection Centralized Data Center Virtual Office ClientCare Contact Center Enterprise VoIP Network Security Lucent Feature Server 3000 Hosted Enterprise Voic Corporate HQ VitalSuite Performance Management Lucent Security Policy Manager Lucent Brick Firewall APX-1000 PRI DSL CPE Branch Office Softphone Analog Phones Softphone Phone Enterprise Voic /H.323 Lucent Brick Firewall Analog Lines PRI PRI Phone PBX or Softphone IP PBX PBX/IP Phones Enterprise Directory, Call Logs, Voic Messaging & Database, DNS H.323 and application filters H.225, H.245, RTP, RTCP dynamic filtering Address and Port translation for H.323 & Stateful filtering for higher performance sessions filtered based on authentication and services authorization Flexible deployment models, to protect users, proxy servers and gatekeepers from attacks Bandwidth control: Brick shape the traffic to guaranty VoIP bandwidth between sites. Figure 1 Centralized Lucent VPN Firewall Brick -based VoIP Security 4

5 Lucent security solutions are based on the Lucent Network Security Model, which is the foundation of ITU-T Recommendation X.805 Security Architecture for Systems Providing End-to-End Communications. This model provides a framework that supports the Lucent VPN Firewall Portfolio. Lucent VPN Firewall Portfolio The Lucent VPN Firewall Portfolio offers a flexible platform that enables you to implement multiple security policies tailored to your individual application. The portfolio includes a broad range of carrier-class platforms that provide low price/performance and total cost of ownership (TCO). The Lucent VPN Firewall portfolio includes: Lucent Operating System (OS) based on Bell Labs Inferno developments Lucent Security Management Server VPN Firewall Brick platforms Lucent IPsec Client Lucent Operating System Lucent Technologies provides a real-time network Operating System (OS) based on innovative software developments by Bell Labs called Inferno. The operating system provides a software infrastructure for VoIP and other distributed network applications. It enables end-to-end connectivity over the public telephone network, the Internet, corporate networks, cable television, and satellite broadcast. Networking and security protocols are built into the OS, and applications run unchanged across any communications network or device. The product has a very small memory footprint, allowing it to act as a stand-alone OS on information appliances and run as an application on network elements such as servers, routers and switches using UNIX or Microsoft NT platforms. The Lucent OS creates a distributed architecture that allows security policies to be created in the heart of the system the Lucent Security Management Server and instantly pushes the policies to the point on the network where they need to be enforced. The VPN Firewall Brick allows the security administrator to enforce security policies anywhere on the network. This tight connection simplifies management operations and guarantees high levels of security in a distributed network. Bell Labs Innovations and VoIP Security Lucent s VoIP security solutions make full use of Bell Labs innovations. Bell Labs has numerous patents and seminal publications in the field of security, and essentially wrote the book on firewalls. Bell Labs, the R&D development arm of Lucent, designed and built the Lucent Firewall, among the first of its kind to obtain NSA GPP (National Security Agency General Purpose Processor) certification. The Lab conducts advanced cryptography research and has developed missioncritical secure networks for the Department of Defense. Bell Lab s Internet Research Laboratory develops network mapping and analysis techniques and research on protocols, particularly as they affect network infrastructure and services. The Lab provides recommendations and analysis for vulnerabilities in cooperation with Carnegie Mellon s Computer Emergency Response Team (CERT). Lucent Security Management Server Working with Lucent s VPN Firewall Brick portfolio and Lucent IPsec client software, Lucent Security Management Server allows you to rapidly provision and manage security, VPN and QoS services for thousands of users from a single console. It provides network-wide control of multiple systems, security policies, VPN tunnels and remote clients. Totally secure remote management eliminates the need for network reconfigurations, truck-rolls, and on-site support. 5

6 The Lucent Security Management Server provides real-time monitoring, robust logging, and customized reporting. The server supports 10,000 VPN Firewall Brick devices and 100,000 Lucent IPsec Client users from one console. It accommodates up to 100 simultaneous administrators. In addition to scalability, the Lucent Security Management Server provides carrier grade reliability and a number of VPN authentication features such as Internal Key Exchange (IKE), Advanced Encryption Standards (AES), Department of Defense Public Key Infrastructure (PKI), and X.509 digital certificates. VPN Firewall Brick Portfolio The VPN Firewall Brick portfolio delivers service-level-assured advanced security, IP VPN, and QoS services for your VoIP environment. These integrated firewall/vpn gateway appliances offer unparallel performance. They are hybrid L2/L3 devices that allow any combination of interfaces to be set to bridge or route. Each VPN Firewall Brick is centrally staged and remotely managed by the Lucent Security Management Server for security reasons you cannot manage a VPN Firewall Brick through a serial cable or from a web browser. Unlike pure router-based security platforms, you can add advanced security services without costly network reconfiguration, truckrolls or on-site support. The VPN Firewall Brick supports 801.q VLAN tagging and virtual firewalls. This means that you can securely share one device among multiple customers for network-based VoIP managed security services. The components of this security solution, in combination with third-party software from Lucent trusted partners, provide completely integrated, high performance content security services including command blocking, URL filtering and virus scanning. High availability is a feature that comes standard with the VPN Firewall Brick through the use of redundant configurations. and H.323 open ports dynamically during VoIP calls and if the firewall were to leave all of these ports open there would be almost no network security. In order to secure the network and, at the same time, allow VoIP channels to open dynamically, the firewall needs to participate in the call setup and teardown. The VPN Firewall Brick inspects H.323 and VoIP traffic and opens dynamic pinholes that dynamically secure each voice call on a call-by-call basis without degrading performance. Unlike many other solutions, the VPN Firewall Brick acts like a packet sniffer, monitoring the call setup and opening the ports dynamically for an individual call only between the calling and called endpoints. Bandwidth Management In addition to dynamic pinholing capabilities, expert bandwidth management is absolutely essential for VoIP security. Most solutions have either no bandwidth management or management at the interface level only. At the interface level, you might have hundreds of VoIP calls active at any one time. If a heavy data application or download starts running on that interface, you could lose all or some of your VoIP calls or experience a severe drop in quality. 6

7 The Lucent VPN Firewall Brick solves these problems by managing bandwidth at the interface, rule-set, the rule, and session levels. This is a critical component when working with VoIP or any other real-time application, including streaming video and video conferencing. Your ability to guarantee bandwidth for each individual session allows you to ensure the quality of the session or VoIP call, and also allows you to sell Service Level Agreements to your customers. Lucent VPN Firewall Brick High Availability/Failover The Lucent Security Management Server includes a Lucent VPN Firewall Brick feature that provides automatic failover configuration to ensure VoIP calls are not dropped if a device fails. The feature allows an administrator to deploy two Lucent VPN Firewall Brick devices as a failover pair. Both devices share the same identity, including IP address, name, and virtual MAC addresses (one per port). The first device to boot becomes the active device. The second device is designated the standby, ready to take over should the first device fail. From the administrator s viewpoint, the two devices are treated as one both are connected to the same LAN and wired identically. Both the active and standby Lucent VPN Firewall Brick devices issue regular heartbeat messages. The heartbeat indicates the presence of an active device and allows the devices to share health, status, and priority information. If the standby device does not receive appropriate heartbeats from the active device, it automatically becomes active. The active device may also yield to the standby if it determines that the standby has better LAN connectivity. Also, the active Lucent VPN Firewall Brick continuously sends session state information to the standby device. If the standby device has to take over, it already has all the information it needs regarding the active sessions to keep them alive. Lucent IPsec Client Lucent IPsec Client is specifically built to support carrier-managed IP services. When deployed with Lucent VPN Firewall Brick platforms, the IPsec Client is completely integrated and centrally managed by Lucent Security Management Server, simplifying administration of large-scale, remote access VPNs. Complete Solution for Total VoIP Security Essential VoIP Applications Features If you re on the hunt for a firewall for your VoIP application or other real time solutions, there is a must have set of features you won t want to do without. They include: H.323 application layer filtering (including NAT for H.323) application layer filtering (including NAT for ) Failover capabilities including redundant firewalls to ensure quality of service with no outages ( Five Nines reliability) General Packet Radio Service (GPRS)-3G (for mobile VoIP) GPRS Tunnel Protocol (GTP)-3G Bandwidth controls at the session layer to ensure quality of service Layer two capabilities to keep the firewall in stealth mode Dynamic pinhole capabilities that open and close ports on a per call basis to ensure that the rest of the network is secured To ensure that your VoIP application is not compromised, make sure that you use a firewall that has all these essential features. The combination of the Security Management Server, Lucent VPN Firewall Brick portfolio, and Lucent IPsec Client, enables VoIP services that are secure and robust. With these security solutions from Lucent, you are able to implement VoIP deployments that are secure, always available, and scale to meet your changing requirements. 7

8 To learn more about our comprehensive portfolio, please contact your Lucent Technologies Sales Representative or visit our web site at This document is for informational or planning purposes only, and is not intended to create, modify or supplement any Lucent Technologies specifications or warranties relating to these products or services. Information and/or technical specifications supplied within this document do not waive (directly or indirectly) any rights or licenses including but not limited to patents or other protective rights of Lucent Technologies or others. Specifications are subject to change without notice. Copyright 2006 Lucent Technologies Inc. All rights reserved SecurityVoIP v Lucent VPN Firewall Brick is a registered trademark of Lucent Technologies. Inferno is a trademark of Lucent Technologies.