2. VoIP Security in Service Provider Environment Bogdan Materna Chief Technology Officer Yariba Systems

3. VoIP in Service Provider Environment  Large scale deployments – millions of end-points  High reliability requirements – 99,999%  Critical services – E911  Legal obligations – Lawful intercept  Security – match PSTN  Provided as a service – revenue generation

4. VoIP Security Objectives  Preserve the availability:  Prevent disruptions of the VoIP service by security threats  Preserve integrity:  Prevent malicious activities  Prevent theft of the VoIP service  Prevent fraudulent use of VoIP services  Preserve the confidentiality:  Prevent eavesdropping on signaling and media paths

5. Is VoIP Security Different?  VoIP services are real-time.  VoIP services are target of voice specific malicious activities such as toll fraud, service theft, voice spam and identity theft.  VoIP services are extremely sensitive to delay, packet loss and jitter caused by worms, viruses and DoS attacks.  VoIP services are impacted by the existing security devices such as firewalls/NAT, encryption engines and IDS/IPS.  VoIP protocols (SIP, H.323, RTP, RTCP) and applications create new ways for the intruders to attack VoIP services and infrastructure.  VoIP protocols interact with existing PSTN networks, e.g., SIP  >SS7  Wireless VoIP introduces new challenges to security infrastructure

6. Examples of VoIP Security Threats  Service impacting  Zero-day VoIP worms/viruses impacting VoIP servers, clients and QoS  Denial of Service attacks on VoIP servers (SIP) and associated services (DNS)  Buffer overflow attacks on critical VoIP applications such as SIP servers  Logical attacks on SIP – loops and spirals.  Service Theft  Toll fraud  Subscription fraud and non-payment  Private Information  Call eavesdropping, insertion and disruption  Masquerading, registration hijacking, impersonation, replay

7. An Approach to VoIP Security Prevention Security OSS VoIP Infrastructure ProtectionMitigation  Multi-layer approach  Prevention through vulnerability detection and patching  Protection through firewalls, IPS, anti-virus tools, strong authentication, encryption, etc.  Mitigation through source isolation, service/process control, rate and bandwidth control.

8. VoIP Security - Prevention  Vulnerability and risk assessment of VoIP equipment and applications prior to deployment  Vulnerability and risk assessment of VoIP infrastructure after the deployment  Periodic or continuous threat and risk audits  Automated patching and vulnerability remediation

9. VoIP Security - Protection  Subscriber access management  Call setup and transport with strong encryption  VoIP infrastructure protection via firewalls, proxies, IPS, anti-virus and DoS defense tools.  Strong authentication/authorization for access to all VoIP infrastructure and related components  Limiting physical and logical access to VoIP components via facility management and VPNs

10. VoIP Security – Mitigation  Automated response to security threats in near real time  Source isolation  Service/process control  Rate and bandwidth control  High availability and fault tolerance build into VoIP infrastructure  Disaster Recovery planning and implementation

11. Security OSS  Automated response to security threats – near real time  Fast correlation – minimal level of false/positive  Distributed architecture for scalability and reliability – carrier class system  Harden security – meets T1.276 requirements  OSS interface – seamless integration with existing management and billing applications

12. Summary  Security critical to mass scale deployment of VoIP  VoIP security requires different approach than that used for “classical” IT networks  VoIP vulnerable to new classes of attacks and potentially compromises PSTN security  Functional approach to VoIP security very promising  Prevention  Protection  Mitigation  Integration with existing OSS is critical