complex issue that involves many factors, including elements unique to each specific network configuration.
• As with any IP-based network, VoIP systems are potential targets of many types of attacks.
• A VoIP system can be composed of many different products – voice terminals (VoIP phones), desktop systems, servers, gateways, firewalls, etc.
• Achieving robust security is a key consideration when designing an end-to-end network security architecture with high reliability and quality of service requirements.
• OEMs can gain competitive advantage by ensuring their devices offer a wide range of security features that give their customers the flexibility they need to secure their unique VoIP network.

General VoIP Architecture

Potential Threats
• Denial of Service (DoS)
• Man-in-the-Middle attack
• Call Hijacking
• Call Termination
• Password Cracking (brute force and others)
• Server Impersonation
• Eavesdropping
• Exception Packet attacks
• Disturbance Call attacks against endpoints
• Call Leaflet attacks

To protect against these threats, any VoIP security solution needs to perform the following functions:
• Authentication – You must be able to authenticate the peer you are communicating with.
• Data Protection – You must be able to protect the data being exchanged from being viewed by others.
• Data Integrity – You must be able to validate that the data received has not been tampered with (you actually received what the other person sent).
• Non-Repudiation – You must be able to prove that the message actually came from the other person. This is especially important if the signaling message is being used to generate billing information.

What to secure
1. Securing the signaling channel
2. Securing the media channel
3. Securing the device itself

1. Securing the Signaling Channel
– If the underlying IP network is fully secure, one could argue that the signaling between the SIP terminals and the SIP server doesn't need to be secured.
– The signaling channel can be secured relatively easily using a standard protocol such as IPSec or TLS, depending on other system-level architecture issues. IPSec, for example, is intended to secure a connection running over IP. TLS, on the other hand, is intended to secure a connection running over a reliable transport protocol, such as TCP or SCTP.
– In most cases you will want to authenticate in both directions. The user needs to know that the server is actually the server (not a rogue server), and the server needs to make sure that the user is really the user, not someone trying to make fraudulent calls masquerading as the user. Such implementation flexibility needs to be available in your product.

2. Signaling Points
– Signaling points, including user to access point, access point to network, and network to network, affect how security should be implemented in a VoIP device.
• User access points
  – The concern is what security mechanisms are supported in the access point(s).
  – If the VoIP PBX only supports TLS, then it is of no value to build an IPSec VPN client into your handset for the purpose of securing the signaling channel.
  – SIP specifications require that SIP servers support the use of TLS.
• Access Point to Network
  – Within an enterprise network or within a carrier network, there may be a hierarchy of devices handling various aspects of VoIP signaling.
  – In the case of SIP, these may be proxy servers, registration servers, gateways, firewalls, etc. Regardless of the device, the basic requirements are the same: securing the signaling channel using one of the standard mechanisms discussed above.
• Network to Network
  – It is likely that any VoIP network will need to interwork with other voice networks.
  – An enterprise may use VoIP internally, but needs to access the PSTN for all external communications.
  – A VoIP service provider needs to provide interworking with the PSTN to enable users to transparently communicate with non-VoIP users.

3. Securing the Media Channel
– VoIP devices normally use the Real-time Transport Protocol (RTP) [7] to handle the media streams.
– RTP does not provide any mechanism for securing the media stream.
– Traditional security protocols such as IPSec could be used, but in most cases the required QoS may be difficult to achieve (see Performance Considerations below).
– Due to the tight requirements on performance of media streams, a small, efficient protocol is needed to handle the security.
– The Secure Real-time Transport Protocol (SRTP) [8] has been developed to specifically address the needs of VoIP media stream security.
– SRTP provides confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP).

3. Securing the Device
– As more and more connected devices are deployed, it is becoming increasingly important to be able to remotely provision those devices, and remotely update the code base, either with new versions of existing software or with software that adds new applications and services. This is true in the VoIP market, especially as we move towards IMS (IP Multimedia Services).
• As users subscribe to new services, it is often necessary to download client software to enable the use of that service.
It is a vital part of the overall security process to ensure that the software being downloaded is valid

CERTICOM SECURITY FOR VOIP
• Certicom Security for VoIP provides developers with the tools they need to quickly and cost-effectively add strong security to their VoIP devices:
  – SSL and IPSec protocol modules
  – Embedded Trust Services (ETS) for secure key storage and management, as well as for implementing Trusted Boot and Secure Provisioning
  – A code signing application for secure software and firmware updates
• A common API that sits between the security services or applications and the cryptographic providers, maximizing portability and code re-use in products with different chipsets.
• Board support packages (BSPs) to expose hardware cryptographic providers in leading processors
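
The message authentication and replay protection that the "Securing the Media Channel" section attributes to SRTP can be sketched on the receiving side as follows. This is an added example, not Certicom code or a complete SRTP stack: it omits encryption, key derivation and rollover-counter estimation, takes the session authentication key as given, and the names `protect`, `rtp` and `Receiver` are hypothetical. The 80-bit HMAC-SHA1 tag over packet || ROC and the 64-packet window follow the RFC 3711 defaults.

```python
import hashlib, hmac, struct

TAG_LEN = 10   # 80-bit authentication tag (RFC 3711 default for HMAC-SHA1)
WINDOW = 64    # replay window size (RFC 3711 minimum)

def _tag(key: bytes, packet: bytes, roc: int) -> bytes:
    """Truncated HMAC-SHA1 over the RTP packet followed by the 32-bit ROC."""
    data = packet + struct.pack("!I", roc)
    return hmac.new(key, data, hashlib.sha1).digest()[:TAG_LEN]

def protect(key: bytes, rtp_packet: bytes, roc: int = 0) -> bytes:
    return rtp_packet + _tag(key, rtp_packet, roc)

def rtp(seq: int, payload: bytes) -> bytes:
    """Constructed sample: 12-byte RTP header (V=2, PT=0, made-up SSRC) + payload."""
    return struct.pack("!BBHII", 0x80, 0, seq, 160 * seq, 0x1234ABCD) + payload

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = -1   # highest authenticated packet index so far
        self.bitmap = 0     # bit i set => index (highest - i) already accepted

    def accept(self, srtp_packet: bytes, roc: int = 0) -> str:
        if len(srtp_packet) < 12 + TAG_LEN:
            return "malformed"
        packet, tag = srtp_packet[:-TAG_LEN], srtp_packet[-TAG_LEN:]
        index = (roc << 16) | struct.unpack("!H", packet[2:4])[0]
        # Step 1: cheap replay check before any cryptography is done.
        if index <= self.highest:
            delta = self.highest - index
            if delta >= WINDOW:
                return "too_old"
            if (self.bitmap >> delta) & 1:
                return "replay"
        # Step 2: constant-time comparison of the authentication tag.
        if not hmac.compare_digest(tag, _tag(self.key, packet, roc)):
            return "bad_tag"
        # Step 3: only an authenticated packet may move or mark the window.
        if index > self.highest:
            shift = index - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = index
        else:
            self.bitmap |= 1 << (self.highest - index)
        return "ok"
```

Updating the window only after the tag verifies matters: otherwise a forged packet with a high sequence number would push genuine packets out of the window.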