VoIP Encryption in the Enterprise

www.sonus.net
Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
VoIP and UC Increase Productivityand Risk . . . . . . . . . . . . . . . . . . . 1
Why VoIP Attacks Are on the Rise . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Where Does Real-Time Encryption Fit in the Broader VoIP Security Picture? . . 2
Encryption of VoIP Signaling and Media . . . . . . . . . . . . . . . . . . . . . . . 2
The Cost of No Security (sidebar) . . . . . . . . . . . . . . . . . . . . . . . . . 3
Effectively Deploying VoIP Encryption in the Enterprise . . . . . . . . . . . . . . 4
Sonus Session Border Control: Best in Class . . . . . . . . . . . . . . . . . . . . 4
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
About Sonus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
With reduced costs and increased productivity as the carrot, and true Unied Communications as the goal,
enterprises are consolidating their voice and data communications onto a single, IP-based architecture.
The move toward Unied Communications, however, is forcing enterprises to re-examine the security of
their Voice over IP (VoIP) capabilities. VoIP communications require unique encryption measures to defend
the enterprise network against real-time VoIP-based attacks, and protect both corporate and customer
information. They must also comply with government regulations and adhere to industry standards from
regulatory agencies that can issue hefty nes. In addressing these goals, enterprises must plan well to
implement real-time VoIP encryption or risk reducing their networks capacity.
Fortunately for enterprises, VoIP security itself is not a new phenomenon, but has
been practiced for years by global carrier networks. VoIP carrier networks rely
on several standardized encryption protocols, including Transport Layer Security
(TLS) and IPsec for SIP signaling encryption, and Secure Real-time Transport
Protocol (SRTP) for RTP media encryption. While a network border element such
as a Session Border Controller (SBC) usually performs this encryption, SBC devices
can vary widely in how they perform this encryption. For example, some SBCs
assign encryption to integrated hardware and dedicated processors, while others
perform the encryption via additional hardware devices or in a general-purpose
CPU. How an SBC performs signaling and media encryption can have a signicant
impact on VoIP network performance, from added latency to reduced call capacity.
This white paper examines the drivers and challenges of enterprise VoIP security, with a focus on the factors that an
enterprise must consider when implementing VoIP encryption in their network. In addition, the paper covers various SBC
encryption methods while highlighting the unique design of Sonus SBCs which provide exceptional network performance
even under high encryption loads.
VoIP and UC Increase Productivityand Risk
There was a time when IT managers lost no sleep at the thought of a voice-based network attack; the migration from
legacy TDM to VoIP networks changed all that. IP-based voice communications promised a new era of lower costs, higher
bandwidth, and blended voice/data services. Even as that door of opportunity was opened,however, a new danger slipped in:
the introduction of IP-based attacks, network intrusions, and information theft through voice communications. In the case
of enterprises, the security stakes are especially high as compromised customer data can generate stiff penalties and losses
totaling millions of dollars.
As enterprises come to rely on real-time, session-based communications, they must also practice real-time VoIP security.
This can be increasingly difcult in an environment where SIP-snifng software is easily available on the Internet. In addition,
enterprises must be careful to protect both their internal and external borders, as privacy attacks are as likely to come from
internal sources, including employees and partners, as outside the corporate network. Thus the challenge for enterprises is
not only protecting the network, but also balancing the interests of security with real-time network performance.
Why VoIP Attacks Are on the Rise
The widespread nature of the Internet and the proliferation of tools for
intercepting IP packets and cracking code make it increasingly easy for
attackers to monitor, record, disrupt, or modify VoIP calls and UC sessions.
For example, unauthorized parties can use free network protocol analyzers to
surreptitiously capture and interpret VoIP calls, record media streams for later
analysis, and intercept Instant Messaging (IM) communications. Hackers use
other tools like UCSniff to identify, record, and replay VoIP conversations or
IP videoconferencing sessions. And the list of widely available (and often free)
tools that can eavesdrop on and record VoIP and UC trafc keeps growing.
The roster of potential attackers is expanding, too. Organized criminal groups both at home and abroad have found the
Internet a protable new avenue from which to mount high-tech fraud, identity theft, and extortion schemes. In fact,
cybercrime can be so lucrative it has created a cottage industry of hackers-for-hire who sell their services on a contract basis
around the globe. Rogue nations are also increasingly involved in Internet-based espionage and attacks on defense, civilian
government, and private-industry targets.
How an SBC performs
signaling and media
encryption can have a
signicant impact on VoIP
network performance.
The list of widely
available (and often free)
tools that can eavesdrop
on and record VoIP and
UC trafc keeps growing.
Hacking into VoIP or UC sessions requires that the malicious party intercept signaling and/or media owing between two
endpoints at any of several points along the communications path. The point of attack may include:
> UC application servers;
> Call control elements such as PBXs and Automatic Call Distributors (ACDs);
> Session-layer servers and proxies such as session border controllers;
> Transport and network layer elements like routers;
> Link-layer elements including Ethernet and wireless LANs; or on the endpoints themselves via malware downloads or
administrator-level remote access.
Man-in-the-middle attacks are another threat on IP-based communications, in which software injects itself into the
voice, video, or instant messaging stream between two endpoints, selectively altering certain packets so as to be nearly
undetectable to the end users. Modifying, disrupting, or lowering the quality of IP communications can have a variety of
adverse effects on the enterprise. For example, an attacker can modify or discard critical nancial transactions, disrupt
business operations, or reduce the quality of customer service.
Where Does Real-Time Encryption Fit in the Broader VoIP Security Picture?
To defend against the widest possible range of VoIP-based attacks, an enterprise VoIP security strategy should protect both
the endpoint and the media itself. This can be achieved through a holistic security approach that includes:
> VPNs to logically separate voice and data trafc on the common IP network;
> Border security elements such as session border controllers to provide call admission control and protect against
DoS attacks;
> Signaling and media encryption of VoIP sessions, including those sessions stored on voice messaging systems and call
recording systems.
While many enterprises have implemented VPN and border security technologies to protect their IP-based data networks,
the encryption of VoIP signaling and media is a unique consideration that has grown in importance with the advent of more
pervasive VoIP/UC implementations in the enterprise.
Encryption of VoIP Signaling and Media
The encryption of VoIP signaling and media mitigates a number of IP-based
threats including passive monitoring/recording, packet decryption/modication,
service/bandwidth theft, endpoint impersonation, denial of service, and
escalation of network user privileges. Because signaling and media use different
protocols with unique properties and constraints, VoIP networks employ
Transport Layer Security (TLS) and/or IPsec for signaling encryption and Secure
RTP (SRTP) for encrypting RTP media. TLS and IPsec provide bilateral endpoint
authentication and secure transport of signaling information using advanced
cryptography. SRTP provides encryption (and decryption) of the RTP media used
in real-time IP communications such as VoIP and certain UC applications (e.g.,
conferencing and IM).
TLS, IPsec, and SRTP encryption enable enterprises to secure VoIP
communications by performing three key functions:
> Endpoint authentication: This supports the use of digital signatures (which
may be proprietary or veried by a trusted third party) and pre-shared,
secret-based authentication to verify the identity of session endpoints;
> Message integrity: This ensures that media and signaling messages have
not been altered or replayed between endpoints;
> Privacy: Encrypted messages can only be viewed by authorized endpoints,
mitigating information/service theft and satisfying both regulatory and
corporate requirements for private communications.
SBCs without dedicated
encryption hardware will
normally encrypt trafc
at the expense of session
performance.
Ensuring that your
VoIP security solution
employs the latest
encryption/decryption
methods is vital to
ensuring broad network/
UC interoperability in
the future.
The Cost of No Security
Everyone is familiar with the risks posed by attacks on the data side of the network: stolen credit card numbers,
compromised passwords, Denial of Service, nancial fraud, Social Security number theft, etc. Those same risks apply to VoIP
communications as well, though they may manifest themselves in different ways such as eavesdropping, Telephony Denial of
Service (TDoS) attacks, and ANI spoong targeted to call centers. Yet these can be equally destructive, consuming valuable
resources, driving down revenue, and damaging brand equity.
The most serious consequence of a nonsecure VoIP network remains the exposure of condential information:
> Private consumer data (e.g., Social Security numbers);
> Sensitive company information (sales data, marketing
plans, new product details);
> Cardholder data (e.g., credit or debit card numbers);
> Patient data (e.g., diagnosis and prescription records).
An enterprise security breach that discloses condential information can result in nancial penalties and other sanctions. For
example, a single incidence of non-compliance in credit card processing can generate multimillion-dollar nes and liability for
losses from fraud and theft. Mandated costs can also include re-issuing cards, communicating the breach to customers, and
suspension of card-processing rights.
Non-compliance with federal and industry security regulations can cost enterprises millions of dollars in nes, compensation,
and lost revenue. Heres a partial list of regulatory measures that govern how enterprises should address VoIP security.
AGENCY INDUSTRY GOALS
RELEVANT VoIP/
UC ISSUES
Gramm-Leach-Bliley Act (GLBA)
Any company involved in
nancial services (banking,
credit, securities, insurance, etc.)
Privacy for nancial services
customers, including the security
and condentiality of customer
records.
Prevent unauthorized VoIP
packet interception & decryption.
Secure internal wireless
networks and communications
over public wireless networks.
Health Insurance Portability and
Accountability Act (HIPAA)
Any organization that handles
medical records or other
personal health information.
Privacy for healthcare patients:
medical records, diagnosis,
x-rays, photos, prescriptions, lab
work, and test results.
Secure authorized internal &
external access to patient data.
Sarbanes-Oxley Act (SOX) Public companies
Security & auditing of public
companies
Maintain VoIP usage logs & track
administrative changes.
Implement strong authentication
policies to prevent unauthorized
system use.
Federal Information Security
Management Act (FISMA)
Any US federal agency,
contractor, or company/
organization that uses/operates
an information system on behalf
of a federal agency.
IT security for US federal
agencies.
Mandates implementation of
policies & procedures to reduce
IT security risks.
FISMA requirements for System
and Information Integrity (SI) for
VoIP/UC.
Implement solutions to remediate
security aws; provide security
alerts & advisories; protect
against malicious code; detect &
prevent network intrusions and
malware; maintain application &
information integrity.
Payment Card Industry Data
Security Standard (PCI DSS)
Any company that issues or
accepts VISA, MasterCard,
American Express, Diners Club,
or Discover credit or debit cards.
Privacy of condential
cardholder (customer)
information.
Protect condential cardholder
data and sensitive information
shared between employees over
VoIP calls or UC sessions.
Protect sensitive information
stored on voice messaging or
call recording systems.
Track and monitor access
to network resources and
cardholder data.
Effectively Deploying VoIP Encryption in the Enterprise
The presence of TLS, IPsec, and SRTP encryption may increase call latency. Therefore, signaling and media encryption must
be thoughtfully integrated into the IP network trafc ow to prevent added network latency or decreased performance under
load. Enterprises must weigh several considerations before they deploy VoIP encryption in their network:
> Session Performance
Remember that encryption
requires additional processing
of signaling and media. Extra
hops to a separate encryption
device in the network or an
SBC that performs encryption
from the main CPU can add
unwanted latency to real-
time communications or
compromise call-handling
capacity. Therefore, its
important to nd an encryption
solution that has minimal
impact on session capacity
and network performance.
While enterprises should
consider implementing security
solutions such as standalone
Session Border Controllers
(SBCs), enterprises should
be aware that SBCs without
dedicated encryption hardware
will normally encrypt trafc
at the expense of session
performance.
> Multimedia Support As UC initiatives grow, enterprises will be required to handle a variety of multimedia sessions
including voice, video, IM, and collaborative applications. To reduce cost and network complexity, enterprises should look
for an SBC that has robust transcoding capabilities and supports multiple media types.
> Encryption Standards Simply put, some decryption standards are more accepted/effective than others. Ensuring that
your VoIP security solution employs the latest encryption/decryption methods is vital to ensuring broad network/UC
interoperability in the future.
> Disaster/Failover Recovery
Network equipment failures, ber cuts, and natural disasters happen despite the best precautions. Enterprise security
systems need to be prepared for this reality with a backup/failover plan for all aspects of security including VoIP/UC
session encryption. This can best be achieved by deploying SBCs in redundant, paired congurations.
> Centralized Policy Management For the reasons cited above as well as human error and operational cost, a central
management console for encryption policies in the network is both desirable and essential.
Sonus Session Border Control: Best in Class
When it comes to VoIP network security, enterprises need a solution that protects their network and customer data without
compromising real-time communications performance. As a leader in secure VoIP networks, Sonus Networks has for many
years offered its customers a high-performance border solution with the hybrid TDM/IP Sonus SBC 9000

session border
controller. The Sonus SBC 5200

session border controller is a pure IP appliance that meets the cost and performance
requirements of enterprise VoIP deployments. The SBC 5200 is built on an IP-optimized platform that delivers plug-and-play
functionality and high (99.999%) reliability.
Sonus SBCs feature a unique architectural design that differs from other SBCs on the market today by aggregating all of the
session border functionalitysecurity, encryption, transcoding, call routing, and session managementinto a single device
and distributing those functions to embedded hardware within the device. For example, media transcoding on the SBC 5200
and SBC 9000 is performed on an embedded DSP farm while much of the encryption is handled on embedded cryptographic
hardware, providing optimal SBC performance during real-world workloads, overloads, and attacks.
FIGURE 12. The Next Generation of Border Control
SBC 9000 SBC 5200
Built on GSX9000 platform Built on pure IP platform
Centralized routing via PSX
Embedded or centralized
PSX routing engine
TDM migrating to IP-PI with
media transcoding
IP-IP with media transcoding
Compelling migration path of
gateway investment
Industry Leading
Performance Densily
Because SRTP and IPsec occur lower in the protocol stack, Sonus has elected to perform these tasks on dedicated hardware
within the SBC 5200 and SBC 9000. This provides much better performance during heavy encryption workloads than SBCs
that use software for encryption, which can divert processing power from the main CPU.
Conclusion
As enterprises shift more of their critical internal and external communications to a unied, IP-based voice/data network,
they are increasing their networks exposure to VoIP-based attacks. Meanwhile, the cost of not practicing secure VoIP
communications is rising in the form of stricter government and industry regulations and the direct costs of lost condential
information, lost service, and lost credibility. With the trend toward real-time unied communications, the requirements
of VoIP security will increase exponentially, placing added importance on solutions that deliver high scalability and high
performance.
Sonus SBCs provide enterprises with a cost-effective and scalable solution for VoIP security and encryption. With a unique
architecture that divides security functions among multiple processors on a single chassis, Sonus SBCs deliver the high-
performance encryption and security that enterprises need to navigate the future of all-IP communications safely and securely.
About Sonus
Sonus is a leading provider of media gateway, centralized call routing, and session border control solutions for enterprises.
Sonus solutions enable enterprises to reduce their recurring telecom costs, gracefully manage the migration from legacy
voice to VoIP, and mitigate business continuity and security threats for critical enterprise voice and contact center
infrastructure. Sonus solutions are deployed throughout the worlds largest SIP networks, driving over 5,854 SIP sessions
every second.
The content in this document is for informational purposes only and is subject to change by Sonus Networks without notice. While reasonable efforts have been made in the preparation of this publication
to assure its accuracy, Sonus Networks assumes no liability resulting from technical or editorial errors or omissions, or for any damages resulting from the use of this information. Unless specically
included in a written agreement with Sonus Networks, Sonus Networks has no obligation to develop or deliver any future release or upgrade or any feature, enhancement or function.
Copyright 2012 Sonus Networks, Inc. All rights reserved. Sonus is a registered trademark and SBC 5200 and SBC 9000 are trademarks of Sonus Networks, Inc. All other trademarks, service marks,
registered trademarks or registered service marks may be the property of their respective owners.
Printed in the USA 05/12 WP-1125 Rev. B
Sonus Networks
North American Headquarters
4 Technology Park Drive
Westford, MA 01886
U.S.A.
Tel: +1-855-GO-SONUS
Sonus Networks EMEA Headquarters
56 Kingston Road
Staines, TW18 4NL
United Kingdom
Tel: +44 207 643 2219
Sonus Networks APAC Headquarters
1 Fullerton Road #02-01
One Fullerton
Singapore 049213
Singapore
tel: +65 6832 5589
Sonus Networks CALA Headquarters
Mexico City, Campos Eliseos Polanco
Andrs Bello 10, Pisos 6 y 7, Torre Forum
Col. Chapultepec Morales, Ciudad de Mxico
Mexico City, 11560 Mexico
Tel: +52 55 36010600