VoIP Encryption in the Enterprise - Sonus Networks

Hacking into VoIP or UC sessions requires that the malicious party intercept signaling and/or media flowing between twoendpoints at any of several points along the communications path. The point of attack may include:> > UC application servers;> > Call control elements such as PBXs and Automatic Call Distributors (ACDs);> > Session-layer servers and proxies such as session border controllers;> > Transport and network layer elements like routers;> > Link-layer elements including Ethernet and wireless LANs; or on the endpoints themselves via malware downloads oradministrator-level remote access.Man-in-the-middle attacks are another threat on IP-based communications, in which software injects itself into thevoice, video, or instant messaging stream between two endpoints, selectively altering certain packets so as to be nearlyundetectable to the end users. Modifying, disrupting, or lowering the quality of IP communications can have a variety ofadverse effects on the enterprise. For example, an attacker can modify or discard critical financial transactions, disruptbusiness operations, or reduce the quality of customer service.Where Does Real-Time Encryption Fit in the Broader VoIP Security Picture?To defend against the widest possible range of VoIP-based attacks, an enterprise VoIP security strategy should protect boththe endpoint and the media itself. This can be achieved through a holistic security approach that includes:> > VPNs to logically separate voice and data traffic on the common IP network;> > Border security elements such as session border controllers to provide call admission control and protect againstDoS attacks;> > Signaling and media encryption of VoIP sessions, including those sessions stored on voice messaging systems and callrecording systems.While many enterprises have implemented VPN and border security technologies to protect their IP-based data networks,the encryption of VoIP signaling and media is a unique consideration that has grown in importance with the advent of morepervasive VoIP/UC implementations in the enterprise.SBCs without dedicatedencryption hardware willnormally encrypt trafficat the expense of sessionperformance.Encryption of VoIP Signaling and MediaThe encryption of VoIP signaling and media mitigates a number of IP-basedthreats including passive monitoring/recording, packet decryption/modification,service/bandwidth theft, endpoint impersonation, denial of service, andescalation of network user privileges. Because signaling and media use differentprotocols with unique properties and constraints, VoIP networks employTransport Layer Security (TLS) and/or IPsec for signaling encryption and SecureRTP (SRTP) for encrypting RTP media. TLS and IPsec provide bilateral endpointauthentication and secure transport of signaling information using advancedcryptography. SRTP provides encryption (and decryption) of the RTP media usedin real-time IP communications such as VoIP and certain UC applications (e.g.,conferencing and IM).TLS, IPsec, and SRTP encryption enable enterprises to secure VoIPcommunications by performing three key functions:> > Endpoint authentication: This supports the use of digital signatures (whichmay be proprietary or verified by a trusted third party) and pre-shared,secret-based authentication to verify the identity of session endpoints;> > Message integrity: This ensures that media and signaling messages havenot been altered or replayed between endpoints;> > Privacy: Encrypted messages can only be viewed by authorized endpoints,mitigating information/service theft and satisfying both regulatory andcorporate requirements for private communications.Ensuring that yourVoIP security solutionemploys the latestencryption/decryptionmethods is vital toensuring broad network/UC interoperability inthe future.

The Cost of “No Security”Everyone is familiar with the risks posed by attacks on the data side of the network: stolen credit card numbers,compromised passwords, Denial of Service, financial fraud, Social Security number theft, etc. Those same risks apply to VoIPcommunications as well, though they may manifest themselves in different ways such as eavesdropping, Telephony Denial ofService (TDoS) attacks, and ANI spoofing targeted to call centers. Yet these can be equally destructive, consuming valuableresources, driving down revenue, and damaging brand equity.The most serious consequence of a nonsecure VoIP network remains the exposure of confidential information:> > Private consumer data (e.g., Social Security numbers);> > Sensitive company information (sales data, marketingplans, new product details);> > Cardholder data (e.g., credit or debit card numbers);> > Patient data (e.g., diagnosis and prescription records).An enterprise security breach that discloses confidential information can result in financial penalties and other sanctions. Forexample, a single incidence of non-compliance in credit card processing can generate multimillion-dollar fines and liability forlosses from fraud and theft. Mandated costs can also include re-issuing cards, communicating the breach to customers, andsuspension of card-processing rights.Non-compliance with federal and industry security regulations can cost enterprises millions of dollars in fines, compensation,and lost revenue. Here’s a partial list of regulatory measures that govern how enterprises should address VoIP security.AGENCY INDUSTRY GOALSRELEVANT VoIP/UC ISSUESGramm-Leach-Bliley Act (GLBA)Any company involved infinancial services (banking,credit, securities, insurance, etc.)Privacy for financial servicescustomers, including the securityand confidentiality of customerrecords.Prevent unauthorized VoIPpacket interception & decryption.Secure internal wirelessnetworks and communicationsover public wireless networks.Health Insurance Portability andAccountability Act (HIPAA)Any organization that handlesmedical records or otherpersonal health information.Privacy for healthcare patients:medical records, diagnosis,x-rays, photos, prescriptions, labwork, and test results.Secure authorized internal &external access to patient data.Sarbanes-Oxley Act (SOX)Public companiesSecurity & auditing of publiccompaniesMaintain VoIP usage logs & trackadministrative changes.Implement strong authenticationpolicies to prevent unauthorizedsystem use.Federal Information SecurityManagement Act (FISMA)Any US federal agency,contractor, or company/organization that uses/operatesan information system on behalfof a federal agency.IT security for US federalagencies.Mandates implementation ofpolicies & procedures to reduceIT security risks.FISMA requirements for Systemand Information Integrity (SI) forVoIP/UC.Implement solutions to remediatesecurity flaws; provide securityalerts & advisories; protectagainst malicious code; detect &prevent network intrusions andmalware; maintain application &information integrity.Payment Card Industry DataSecurity Standard (PCI DSS)Any company that issues oraccepts VISA, MasterCard,American Express, Diners Club,or Discover credit or debit cards.Privacy of confidentialcardholder (customer)information.Protect confidential cardholderdata and sensitive informationshared between employees overVoIP calls or UC sessions.Protect sensitive informationstored on voice messaging orcall recording systems.Track and monitor accessto network resources andcardholder data.

Effectively Deploying VoIP Encryption in the EnterpriseThe presence of TLS, IPsec, and SRTP encryption may increase call latency. Therefore, signaling and media encryption mustbe thoughtfully integrated into the IP network traffic flow to prevent added network latency or decreased performance underload. Enterprises must weigh several considerations before they deploy VoIP encryption in their network:> > Session Performance —Remember that encryptionrequires additional processingof signaling and media. Extra“hops” to a separate encryptiondevice in the network or anSBC that performs encryptionfrom the main CPU can addunwanted latency to realtimecommunications orcompromise call-handlingcapacity. Therefore, it’simportant to find an encryptionsolution that has minimalimpact on session capacityand network performance.While enterprises shouldconsider implementing securitysolutions such as standaloneSession Border Controllers(SBCs), enterprises shouldbe aware that SBCs withoutdedicated encryption hardwarewill normally encrypt trafficat the expense of sessionperformance.SBC 9000 SBC 5200Built on GSX9000 platformCentralized routing via PSXTDM migrating to IP-PI withmedia transcodingCompelling migration path ofgateway investmentBuilt on pure IP platformEmbedded or centralizedPSX routing engineIP-IP with media transcodingIndustry LeadingPerformance DensilyFIGURE 12. The Next Generation of Border Control> > Multimedia Support — As UC initiatives grow, enterprises will be required to handle a variety of multimedia sessionsincluding voice, video, IM, and collaborative applications. To reduce cost and network complexity, enterprises should lookfor an SBC that has robust transcoding capabilities and supports multiple media types.> > Encryption Standards — Simply put, some decryption standards are more accepted/effective than others. Ensuring thatyour VoIP security solution employs the latest encryption/decryption methods is vital to ensuring broad network/UCinteroperability in the future.> > Disaster/Failover Recovery —Network equipment failures, fiber cuts, and natural disasters happen despite the best precautions. Enterprise securitysystems need to be prepared for this reality with a backup/failover plan for all aspects of security including VoIP/UCsession encryption. This can best be achieved by deploying SBCs in redundant, paired configurations.> > Centralized Policy Management — For the reasons cited above as well as human error and operational cost, a centralmanagement console for encryption policies in the network is both desirable and essential.Sonus Session Border Control: Best in ClassWhen it comes to VoIP network security, enterprises need a solution that protects their network and customer data withoutcompromising real-time communications performance. As a leader in secure VoIP networks, Sonus Networks has for manyyears offered its customers a high-performance border solution with the hybrid TDM/IP Sonus SBC 9000 session bordercontroller. The Sonus SBC 5200 session border controller is a pure IP appliance that meets the cost and performancerequirements of enterprise VoIP deployments. The SBC 5200 is built on an IP-optimized platform that delivers plug-and-playfunctionality and high (99.999%) reliability.Sonus SBCs feature a unique architectural design that differs from other SBCs on the market today by aggregating all of thesession border functionality—security, encryption, transcoding, call routing, and session management—into a single deviceand distributing those functions to embedded hardware within the device. For example, media transcoding on the SBC 5200and SBC 9000 is performed on an embedded DSP farm while much of the encryption is handled on embedded cryptographichardware, providing optimal SBC performance during real-world workloads, overloads, and attacks.

Because SRTP and IPsec occur lower in the protocol stack, Sonus has elected to perform these tasks on dedicated hardwarewithin the SBC 5200 and SBC 9000. This provides much better performance during heavy encryption workloads than SBCsthat use software for encryption, which can divert processing power from the main CPU.ConclusionAs enterprises shift more of their critical internal and external communications to a unified, IP-based voice/data network,they are increasing their network’s exposure to VoIP-based attacks. Meanwhile, the cost of not practicing secure VoIPcommunications is rising in the form of stricter government and industry regulations and the direct costs of lost confidentialinformation, lost service, and lost credibility. With the trend toward real-time unified communications, the requirementsof VoIP security will increase exponentially, placing added importance on solutions that deliver high scalability and highperformance.Sonus SBCs provide enterprises with a cost-effective and scalable solution for VoIP security and encryption. With a uniquearchitecture that divides security functions among multiple processors on a single chassis, Sonus SBCs deliver the highperformanceencryption and security that enterprises need to navigate the future of all-IP communications safely and securely.About SonusSonus is a leading provider of media gateway, centralized call routing, and session border control solutions for enterprises.Sonus solutions enable enterprises to reduce their recurring telecom costs, gracefully manage the migration from legacyvoice to VoIP, and mitigate business continuity and security threats for critical enterprise voice and contact centerinfrastructure. Sonus solutions are deployed throughout the world’s largest SIP networks, driving over 5,854 SIP sessionsevery second.

Sonus Networks –North American Headquarters4 Technology Park DriveWestford, MA 01886U.S.A.Tel: +1-855-GO-SONUSSonus Networks – EMEA Headquarters56 Kingston RoadStaines, TW18 4NLUnited KingdomTel: +44 207 643 2219Sonus Networks – APAC Headquarters1 Fullerton Road #02-01One FullertonSingapore 049213Singaporetel: +65 6832 5589Sonus Networks – CALA HeadquartersMexico City, Campos Eliseos PolancoAndrés Bello 10, Pisos 6 y 7, Torre ForumCol. Chapultepec Morales, Ciudad de MéxicoMexico City, 11560 MexicoTel: +52 55 36010600The content in this document is for informational purposes only and is subject to change by Sonus Networks without notice. While reasonable efforts have been made in the preparation of this publicationto assure its accuracy, Sonus Networks assumes no liability resulting from technical or editorial errors or omissions, or for any damages resulting from the use of this information. Unless specificallyincluded in a written agreement with Sonus Networks, Sonus Networks has no obligation to develop or deliver any future release or upgrade or any feature, enhancement or function.Copyright © 2012 Sonus Networks, Inc. All rights reserved. Sonus is a registered trademark and SBC 5200 and SBC 9000 are trademarks of Sonus Networks, Inc. All other trademarks, service marks,registered trademarks or registered service marks may be the property of their respective owners.Printed in the USA 05/12WP-1125 Rev. B