SIP-enabled devices have gained widespread use in recent times. With more and more VoIP applications that use SIP as their signalling protocol being developed these days, the industry should put greater emphasis on safeguarding SIP assets against undesirable exploitations that may either degrade the quality of VoIP services or promote cyber-crime.
In converged network architecture, data and voice reside together on the same media and this is the reason why the architecture becomes vulnerable to multi-layered security threats. On the first level, such threats may come in the form of native DoS, DDoS and network scan attacks and the Malicious RTP Streams flood attack. On the second level, attack vectors exploit vulnerabilities existing in the TCP stacks of SIP servers. These threats can cause devastating impacts on SIP over TCP as attack vectors, such as TCP SYN attacks and TCP established connections floods, can easily exhaust the TCP resources of the client or server. Unfortunately, most of the existing security products fail to detect and prevent such threats in an effective manner. The third layer of risks impact the application layer that is vulnerable to specific SIP application attack vectors. SIP servers are vulnerable to attacks such as SIP server flooding that may lead to server crash, SIP Client Call Flooding that produces damaging impacts on SIP servers and client phones, and SIP brute-force and Scanning Attacks that have the potential to expose confidential information such as the server’s application and user details.
Fortunately, the IT landscape is evolving continuously and new security products, with stronger capabilities, are getting introduced. So what are those features that we should expect such security products to have? Here we go:
- The security solution should have real-time network attack prevention capabilities and it should safeguard your application infrastructure against network and application downtime, application vulnerability exploitation, malware spread, network anomalies, and information theft.
- The security solution should have the capability to protect networks completely and should come equipped with network security modules, such as DoS Protection, NBA, and IPS, which can address new and emerging security threats.
- Effective security solutions should feature multiple detection and prevention engines including the systems for signature detection, protocol and traffic anomaly detection, heuristics and behavioral analysis.
- The solution should be based also on real-time signature technology that can detect DDoS attacks, application misuse, malware spread, and network scanning without calling for human assistance and without restricting authentic user traffic.
- Advanced security solutions come equipped with a centralized attack management, monitoring and reporting system with applicability across multiple devices and locations.
- Solutions that are designed to address VoIP security should be able to address network attacks such as SYN Floods, TCP Floods, UDP Floods, RTP Floods, ICMP Floods, IGMP Floods, and high and low rate self-propagating worms. Such solutions typically come with pre-attack network probes.
- VoIP security solutions are meant to protect the internal network security components such as host-based security solutions, firewalls, and mail and web security products.
- The second layer of VoIP defense should include behavioral as well as content-based protections. The behavioral technology features bandwidth management capabilities and server-based DoS protections. They include a cluster of attack signatures that safeguard VoIP servers and clients from attacks that are geared to capitalize on known operating system weaknesses.
- Solutions deployed to promote second layer of defense should have the capability to detect TCP connection flood attacks and should feature an embedded decision engine that constantly analyzes DNS traffic and detects deviations.
- The third layer of defense should incorporate SIP behavioral analysis mechanisms that would identify known as well as unknown SIP attacks and block SIP users that were detected as the sources of malicious activities.
The third layer of defense should provide protection against SIP application attacks that may come in the form of SIP brute-force and SIP application scanning attacks, pre-SPIT activities, and SIP server and client flooding.
Additionally, an effective SIP security solution should come with a Bandwidth Management Module that would control bandwidth dynamically per client, service, or session, which would, in turn, mitigate the risks of SIP floods attacks.