The most important thing a service provider can do to reduce the risk of unauthorized access is to offer VoIP with SIP. Through the use of SIP, protection against cyber attacks can be accomplished without increasing latency in the network. As stated before, these types of attacks will only increase as the use of VoIP expands in the marketplace. With SIP, the service provider can better authenticate users, isolate traffic and deploy stronger, safer network elements.
Security can be provided via VPNs for access to company data. However, because VoIP/SIP trunking calls traverse an IP network and are generally destined to go "off net" for termination, a VPN is not useful here. Therefore, Broadvox and other ITSPs use authentication as the first level of defense. Authentication ensures that customer calls are delivered to and from Broadvox, which prevents a third party from posing as a customer.
For a dynamic trunk, Broadvox provides a username and password to authenticate customers. As long as the customer's username and password are not compromised, nobody can pose as the customer for either sending or receiving calls. If the customer's credentials are compromised, the customer's actual calls will still not be compromised; rather, the customer will experience a service disruption, which can be easily addressed by issuing a new password. At Broadvox, the password is never passed in clear text. Instead, Digest authentication is used, which includes a challenge-handshake based on several MD5 hashes. (An MD5 hash is a 128-bit digest computed from the input data.)
Hacking into a VoIP network is much more difficult than doing so on the PSTN, where calls are easily isolated and made audible. Even if a hacker successfully gains access to VoIP packets, isolating the call and gaining an audible connection are nearly impossible; the hacker would need control over the IP network resources to accomplish this. An ITSP must develop a security architecture that covers these three areas:
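To make the challenge-handshake concrete, here is an added example (not Broadvox's code) of SIP Digest authentication as specified in RFC 3261 / RFC 2617: the registrar answers a REGISTER with a random nonce, the client returns MD5 hashes derived from username, realm, password, nonce and request, and the registrar recomputes the same hashes from its stored copy to verify. The realm, username and password are constructed for the example. The single-use nonce bookkeeping and the storage of HA1 instead of the plaintext password are defensive details added here for illustration; the post does not describe how Broadvox handles nonces or stores credentials.

```python
import hashlib
import hmac
import secrets

# Constructed realm and credentials for this example; not real Broadvox values.
REALM = "sip.example.net"
USERNAME = "trunk1001"
PASSWORD = "correct-horse-battery-staple"
METHOD = "REGISTER"
URI = "sip:sip.example.net"


def md5_hex(text: str) -> str:
    """Hex MD5 digest of a UTF-8 string (the hash Digest authentication uses)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: RFC 2617 Digest response with qop=auth, as SIP (RFC 3261) uses it.

    Only hashes derived from the password leave the client; the password itself
    never appears in the Authorization header.
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization_header(username, realm, nonce, uri, nc, cnonce, response):
    """Render the Authorization header the client sends in its retried REGISTER."""
    return (
        f'Authorization: Digest username="{username}", realm="{realm}", '
        f'nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, '
        f'cnonce="{cnonce}", response="{response}", algorithm=MD5'
    )


class Registrar:
    """Server side: issues nonce challenges and verifies Digest responses.

    Stores HA1 = MD5(username:realm:password) rather than the password, so a
    leaked credential table does not directly expose plaintext passwords.
    """

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1_by_user = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.outstanding_nonces = set()

    def challenge(self):
        """Build the 401 challenge parameters with a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self.outstanding_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        """Recompute the expected response from stored HA1 and compare in constant time."""
        if nonce not in self.outstanding_nonces:
            return False  # unknown or already consumed nonce: rejects replayed headers
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.outstanding_nonces.discard(nonce)  # each nonce is good for one success
        return ok


def register(registrar, username, password, method=METHOD, uri=URI):
    """Run one full challenge/response exchange; returns (authorization_header, accepted)."""
    chal = registrar.challenge()
    nc = "00000001"
    cnonce = secrets.token_hex(8)
    response = compute_response(username, chal["realm"], password, method, uri,
                                chal["nonce"], nc, cnonce)
    header = build_authorization_header(username, chal["realm"], chal["nonce"],
                                        uri, nc, cnonce, response)
    accepted = registrar.verify(username, method, uri, chal["nonce"], nc, cnonce, response)
    return header, accepted


if __name__ == "__main__":
    reg = Registrar(REALM, {USERNAME: PASSWORD})
    hdr, ok = register(reg, USERNAME, PASSWORD)
    print(hdr)
    print("accepted:", ok)
    print("wrong password accepted:", register(reg, USERNAME, "guess")[1])
```

Note that what crosses the network is the header printed above: a nonce and a response hash, never the password. The caveat is that Digest only protects the credential; the signaling itself is still readable in transit unless it runs over an encrypted transport such as SIP over TLS, which is the "secure protocols on call control signaling" the traffic layer below refers to.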
• Network--Network segmentation isolates critical elements using such mechanisms as packet filters, firewalls, routing restrictions, and traffic segregation.
• Traffic--Traffic security and peer-entity authentication sustain the integrity of the network using such measures as encryption and secure protocols on the management, call control signaling, and media planes.
• Element--Key telephony servers are protected through platform hardening, separation of management functions from service-critical functions, and tight access control and user authentication, authorization, and accounting.
However, all of this brings us back to the first post in this series: security begins at home.
Whether it is the business user, IT management or the service provider, the greatest risk of a security violation is from a known entity or employee. Good internal security practices remain paramount in order to defeat unauthorized access and use.
See you on Monday with a new recipe!