VoIP Encryption in the Enterprise

Transcription

1 VoIP Encryption in the Enterprise

2 Table of Contents Introduction VoIP and UC Increase Productivity and Risk Why VoIP Attacks Are on the Rise Where Does Real-Time Encryption Fit in the Broader VoIP Security Picture?... 2 Encryption of VoIP Signaling and Media The Cost of No Security (sidebar) Effectively Deploying VoIP Encryption in the Enterprise Sonus Session Border Control: Best in Class Conclusion About Sonus

3 With reduced costs and increased productivity as the carrot, and true Unified Communications as the goal, enterprises are consolidating their voice and data communications onto a single, IP-based architecture. The move toward Unified Communications, however, is forcing enterprises to re-examine the security of their Voice over IP (VoIP) capabilities. VoIP communications require unique encryption measures to defend the enterprise network against real-time VoIP-based attacks, and protect both corporate and customer information. They must also comply with government regulations and adhere to industry standards from regulatory agencies that can issue hefty fines. In addressing these goals, enterprises must plan well to implement real-time VoIP encryption or risk reducing their network s capacity. Fortunately for enterprises, VoIP security itself is not a new phenomenon, but has been practiced for years by global carrier networks. VoIP carrier networks rely on several standardized encryption protocols, including Transport Layer Security (TLS) and IPsec for SIP signaling encryption, and Secure Real-time Transport Protocol (SRTP) for RTP media encryption. While a network border element such as a Session Border Controller (SBC) usually performs this encryption, SBC devices can vary widely in how they perform this encryption. For example, some SBCs assign encryption to integrated hardware and dedicated processors, while others perform the encryption via additional hardware devices or in a general-purpose CPU. How an SBC performs signaling and media encryption can have a significant impact on VoIP network performance, from added latency to reduced call capacity. How an SBC performs signaling and media encryption can have a significant impact on VoIP network performance. This white paper examines the drivers and challenges of enterprise VoIP security, with a focus on the factors that an enterprise must consider when implementing VoIP encryption in their network. In addition, the paper covers various SBC encryption methods while highlighting the unique design of Sonus SBCs which provide exceptional network performance even under high encryption loads. VoIP and UC Increase Productivity and Risk There was a time when IT managers lost no sleep at the thought of a voice-based network attack; the migration from legacy TDM to VoIP networks changed all that. IP-based voice communications promised a new era of lower costs, higher bandwidth, and blended voice/data services. Even as that door of opportunity was opened,however, a new danger slipped in: the introduction of IP-based attacks, network intrusions, and information theft through voice communications. In the case of enterprises, the security stakes are especially high as compromised customer data can generate stiff penalties and losses totaling millions of dollars. As enterprises come to rely on real-time, session-based communications, they must also practice real-time VoIP security. This can be increasingly difficult in an environment where SIP-sniffing software is easily available on the Internet. In addition, enterprises must be careful to protect both their internal and external borders, as privacy attacks are as likely to come from internal sources, including employees and partners, as outside the corporate network. Thus the challenge for enterprises is not only protecting the network, but also balancing the interests of security with real-time network performance. The list of widely available (and often free) tools that can eavesdrop on and record VoIP and UC traffic keeps growing. Why VoIP Attacks Are on the Rise The widespread nature of the Internet and the proliferation of tools for intercepting IP packets and cracking code make it increasingly easy for attackers to monitor, record, disrupt, or modify VoIP calls and UC sessions. For example, unauthorized parties can use free network protocol analyzers to surreptitiously capture and interpret VoIP calls, record media streams for later analysis, and intercept Instant Messaging (IM) communications. Hackers use other tools like UCSniff to identify, record, and replay VoIP conversations or IP videoconferencing sessions. And the list of widely available (and often free) tools that can eavesdrop on and record VoIP and UC traffic keeps growing. The roster of potential attackers is expanding, too. Organized criminal groups both at home and abroad have found the Internet a profitable new avenue from which to mount high-tech fraud, identity theft, and extortion schemes. In fact, cybercrime can be so lucrative it has created a cottage industry of hackers-for-hire who sell their services on a contract basis around the globe. Rogue nations are also increasingly involved in Internet-based espionage and attacks on defense, civilian government, and private-industry targets.

4 Hacking into VoIP or UC sessions requires that the malicious party intercept signaling and/or media flowing between two endpoints at any of several points along the communications path. The point of attack may include: > > UC application servers; > > Call control elements such as PBXs and Automatic Call Distributors (ACDs); > > Session-layer servers and proxies such as session border controllers; > > Transport and network layer elements like routers; > > Link-layer elements including Ethernet and wireless LANs; or on the endpoints themselves via malware downloads or administrator-level remote access. Man-in-the-middle attacks are another threat on IP-based communications, in which software injects itself into the voice, video, or instant messaging stream between two endpoints, selectively altering certain packets so as to be nearly undetectable to the end users. Modifying, disrupting, or lowering the quality of IP communications can have a variety of adverse effects on the enterprise. For example, an attacker can modify or discard critical financial transactions, disrupt business operations, or reduce the quality of customer service. Where Does Real-Time Encryption Fit in the Broader VoIP Security Picture? To defend against the widest possible range of VoIP-based attacks, an enterprise VoIP security strategy should protect both the endpoint and the media itself. This can be achieved through a holistic security approach that includes: > > VPNs to logically separate voice and data traffic on the common IP network; > > Border security elements such as session border controllers to provide call admission control and protect against DoS attacks; > > Signaling and media encryption of VoIP sessions, including those sessions stored on voice messaging systems and call recording systems. While many enterprises have implemented VPN and border security technologies to protect their IP-based data networks, the encryption of VoIP signaling and media is a unique consideration that has grown in importance with the advent of more pervasive VoIP/UC implementations in the enterprise. SBCs without dedicated encryption hardware will normally encrypt traffic at the expense of session performance. Encryption of VoIP Signaling and Media The encryption of VoIP signaling and media mitigates a number of IP-based threats including passive monitoring/recording, packet decryption/modification, service/bandwidth theft, endpoint impersonation, denial of service, and escalation of network user privileges. Because signaling and media use different protocols with unique properties and constraints, VoIP networks employ Transport Layer Security (TLS) and/or IPsec for signaling encryption and Secure RTP (SRTP) for encrypting RTP media. TLS and IPsec provide bilateral endpoint authentication and secure transport of signaling information using advanced cryptography. SRTP provides encryption (and decryption) of the RTP media used in real-time IP communications such as VoIP and certain UC applications (e.g., conferencing and IM). TLS, IPsec, and SRTP encryption enable enterprises to secure VoIP communications by performing three key functions: > > Endpoint authentication: This supports the use of digital signatures (which may be proprietary or verified by a trusted third party) and pre-shared, secret-based authentication to verify the identity of session endpoints; > > Message integrity: This ensures that media and signaling messages have not been altered or replayed between endpoints; > > Privacy: Encrypted messages can only be viewed by authorized endpoints, mitigating information/service theft and satisfying both regulatory and corporate requirements for private communications. Ensuring that your VoIP security solution employs the latest encryption/decryption methods is vital to ensuring broad network/ UC interoperability in the future.

5 The Cost of No Security Everyone is familiar with the risks posed by attacks on the data side of the network: stolen credit card numbers, compromised passwords, Denial of Service, financial fraud, Social Security number theft, etc. Those same risks apply to VoIP communications as well, though they may manifest themselves in different ways such as eavesdropping, Telephony Denial of Service (TDoS) attacks, and ANI spoofing targeted to call centers. Yet these can be equally destructive, consuming valuable resources, driving down revenue, and damaging brand equity. The most serious consequence of a nonsecure VoIP network remains the exposure of confidential information: > > Private consumer data (e.g., Social Security numbers); > > Sensitive company information (sales data, marketing plans, new product details); > > Cardholder data (e.g., credit or debit card numbers); > > Patient data (e.g., diagnosis and prescription records). An enterprise security breach that discloses confidential information can result in financial penalties and other sanctions. For example, a single incidence of non-compliance in credit card processing can generate multimillion-dollar fines and liability for losses from fraud and theft. Mandated costs can also include re-issuing cards, communicating the breach to customers, and suspension of card-processing rights. Non-compliance with federal and industry security regulations can cost enterprises millions of dollars in fines, compensation, and lost revenue. Here s a partial list of regulatory measures that govern how enterprises should address VoIP security. AGENCY INDUSTRY GOALS RELEVANT VoIP/ UC ISSUES Gramm-Leach-Bliley Act (GLBA) Any company involved in financial services (banking, credit, securities, insurance, etc.) Privacy for financial services customers, including the security and confidentiality of customer records. Prevent unauthorized VoIP packet interception & decryption. Secure internal wireless networks and communications over public wireless networks. Health Insurance Portability and Accountability Act (HIPAA) Any organization that handles medical records or other personal health information. Privacy for healthcare patients: medical records, diagnosis, x-rays, photos, prescriptions, lab work, and test results. Secure authorized internal & external access to patient data. Sarbanes-Oxley Act (SOX) Public companies Security & auditing of public companies Maintain VoIP usage logs & track administrative changes. Implement strong authentication policies to prevent unauthorized system use. Federal Information Security Management Act (FISMA) Any US federal agency, contractor, or company/ organization that uses/operates an information system on behalf of a federal agency. IT security for US federal agencies. Mandates implementation of policies & procedures to reduce IT security risks. FISMA requirements for System and Information Integrity (SI) for VoIP/UC. Implement solutions to remediate security flaws; provide security alerts & advisories; protect against malicious code; detect & prevent network intrusions and malware; maintain application & information integrity. Payment Card Industry Data Security Standard (PCI DSS) Any company that issues or accepts VISA, MasterCard, American Express, Diners Club, or Discover credit or debit cards. Privacy of confidential cardholder (customer) information. Protect confidential cardholder data and sensitive information shared between employees over VoIP calls or UC sessions. Protect sensitive information stored on voice messaging or call recording systems. Track and monitor access to network resources and cardholder data.

6 Effectively Deploying VoIP Encryption in the Enterprise The presence of TLS, IPsec, and SRTP encryption may increase call latency. Therefore, signaling and media encryption must be thoughtfully integrated into the IP network traffic flow to prevent added network latency or decreased performance under load. Enterprises must weigh several considerations before they deploy VoIP encryption in their network: > > Session Performance Remember that encryption requires additional processing of signaling and media. Extra hops to a separate encryption device in the network or an SBC that performs encryption from the main CPU can add unwanted latency to realtime communications or compromise call-handling capacity. Therefore, it s important to find an encryption solution that has minimal impact on session capacity and network performance. While enterprises should consider implementing security solutions such as standalone Session Border Controllers (SBCs), enterprises should be aware that SBCs without dedicated encryption hardware will normally encrypt traffic at the expense of session performance. SBC 9000 SBC 5200 Built on GSX9000 platform Centralized routing via PSX TDM migrating to IP-PI with media transcoding Compelling migration path of gateway investment Built on pure IP platform Embedded or centralized PSX routing engine IP-IP with media transcoding Industry Leading Performance Densily FIGURE 12. The Next Generation of Border Control > > Multimedia Support As UC initiatives grow, enterprises will be required to handle a variety of multimedia sessions including voice, video, IM, and collaborative applications. To reduce cost and network complexity, enterprises should look for an SBC that has robust transcoding capabilities and supports multiple media types. > > Encryption Standards Simply put, some decryption standards are more accepted/effective than others. Ensuring that your VoIP security solution employs the latest encryption/decryption methods is vital to ensuring broad network/uc interoperability in the future. > > Disaster/Failover Recovery Network equipment failures, fiber cuts, and natural disasters happen despite the best precautions. Enterprise security systems need to be prepared for this reality with a backup/failover plan for all aspects of security including VoIP/UC session encryption. This can best be achieved by deploying SBCs in redundant, paired configurations. > > Centralized Policy Management For the reasons cited above as well as human error and operational cost, a central management console for encryption policies in the network is both desirable and essential. Sonus Session Border Control: Best in Class When it comes to VoIP network security, enterprises need a solution that protects their network and customer data without compromising real-time communications performance. As a leader in secure VoIP networks, Sonus Networks has for many years offered its customers a high-performance border solution with the hybrid TDM/IP Sonus SBC 9000 session border controller. The Sonus SBC 5200 session border controller is a pure IP appliance that meets the cost and performance requirements of enterprise VoIP deployments. The SBC 5200 is built on an IP-optimized platform that delivers plug-and-play functionality and high (99.999%) reliability. Sonus SBCs feature a unique architectural design that differs from other SBCs on the market today by aggregating all of the session border functionality security, encryption, transcoding, call routing, and session management into a single device and distributing those functions to embedded hardware within the device. For example, media transcoding on the SBC 5200 and SBC 9000 is performed on an embedded DSP farm while much of the encryption is handled on embedded cryptographic hardware, providing optimal SBC performance during real-world workloads, overloads, and attacks.

7 Because SRTP and IPsec occur lower in the protocol stack, Sonus has elected to perform these tasks on dedicated hardware within the SBC 5200 and SBC This provides much better performance during heavy encryption workloads than SBCs that use software for encryption, which can divert processing power from the main CPU. Conclusion As enterprises shift more of their critical internal and external communications to a unified, IP-based voice/data network, they are increasing their network s exposure to VoIP-based attacks. Meanwhile, the cost of not practicing secure VoIP communications is rising in the form of stricter government and industry regulations and the direct costs of lost confidential information, lost service, and lost credibility. With the trend toward real-time unified communications, the requirements of VoIP security will increase exponentially, placing added importance on solutions that deliver high scalability and high performance. Sonus SBCs provide enterprises with a cost-effective and scalable solution for VoIP security and encryption. With a unique architecture that divides security functions among multiple processors on a single chassis, Sonus SBCs deliver the highperformance encryption and security that enterprises need to navigate the future of all-ip communications safely and securely. About Sonus Sonus is a leading provider of media gateway, centralized call routing, and session border control solutions for enterprises. Sonus solutions enable enterprises to reduce their recurring telecom costs, gracefully manage the migration from legacy voice to VoIP, and mitigate business continuity and security threats for critical enterprise voice and contact center infrastructure. Sonus solutions are deployed throughout the world s largest SIP networks, driving over 5,854 SIP sessions every second.

8 Sonus Networks North American Headquarters Sonus Networks APAC Headquarters Tel: GO-SONUS 1 Fullerton Road #02-01 One Fullerton Singapore Singapore tel: Sonus Networks EMEA Headquarters Sonus Networks CALA Headquarters 4 Technology Park Drive Westford, MA U.S.A. 56 Kingston Road Staines, TW18 4NL United Kingdom Tel: Mexico City, Campos Eliseos Polanco Andrés Bello 10, Pisos 6 y 7, Torre Forum Col. Chapultepec Morales, Ciudad de México Mexico City, Mexico Tel: The content in this document is for informational purposes only and is subject to change by Sonus Networks without notice. While reasonable efforts have been made in the preparation of this publication to assure its accuracy, Sonus Networks assumes no liability resulting from technical or editorial errors or omissions, or for any damages resulting from the use of this information. Unless specifically included in a written agreement with Sonus Networks, Sonus Networks has no obligation to develop or deliver any future release or upgrade or any feature, enhancement or function. Copyright 2012 Sonus Networks, Inc. All rights reserved. Sonus is a registered trademark and SBC 5200 and SBC 9000 are trademarks of Sonus Networks, Inc. All other trademarks, service marks, registered trademarks or registered service marks may be the property of their respective owners. Printed in the USA 05/12 WP-1125 Rev. B