Network Systems DesignLine | Remove vulnerability from SIP-based VoIP networks--Part I

Get the latest news, products and how-to information on network systems. Sign up for the Network Systems DesignLine newsletter, a weekly e-mail guide dedicated to the needs of engineers developing networking equipment and components. Here is our RSS feed.








 Network Systems DesignLine » How-To » IP Networking

 
 HOW-TO : IP Networking

Remove vulnerability from SIP-based VoIP networks--Part I

Using the OSI network layer model as a basis, here's how to derive a simplified three-layer model for SIP-based VoIP and corresponding threats and defenses.
By Vinay R. Rao, Centillium Print This Story Send As Email Discuss This Story Reprints

Page 1 of 3

Network Systems Designline
(05/22/2006 9:34 AM EDT)

Rate this article
WORSE | BETTER
1 2 3 4 5
The resurgence of interest in VoIP to provide telephone services worldwide is often credited to the use of session initiation protocol (SIP) for signaling. Both residential and enterprise VoIP services are widely deployed. IP telephony may be used either to replace the primary telephone service or to provide additional telephone lines.

IP telephony offers some dramatic benefits over traditional or plain old telephone systems (POTS), such as reduced operating costs, portability and accessibility. IP telephony has its share of problems. To date, most of the focus has been on such challenges as voice quality, latency and interoperability. Security of the VoIP network is only now being recognized as an important issue to be addressed.

Multiple security threat models exist in current implementations of SIP-based VoIP networks. These threats are further aggravated because in order to allow similar access as the public switched telephone network (PSTN), VoIP networks are often implemented over the public Internet, which is a potentially hostile environment.

The very same reasons that make SIP so popular, e.g., its similarity to hypertext transport protocol (HTTP), are also the reasons for its vulnerability. This can lead to similar problems such as identity theft, impersonation, denial of service (DOS), hijacking and theft of services, and violation of privacy and confidentiality. The good news is that many of the security mechanisms for SIP-based VoIP can be the same as those used for HTTP. The challenge is simply to make these mechanisms SIP- and VoIP-friendly. In addition, SIP and its extensions provide for a number of intrinsic security features that can be used to harden implementations.

VoIP Overview
In addition to transmitting voice, a basic telephone system transmits many signals such as off-hook, on-hook and dual tone multi-frequency (DTMF) tones for dialed digits, etc. It also needs to maintain the state of the call, and generate a dial tone, ring-back and other tones. It can be said that there are two distinct streams of information on the wire: the signaling and the voice.

In PSTNs, some of the signaling travels in-band along with the voice up to the central office where it is sent over the Signaling System 7 (SS7) network. The SS7 network is not accessible to the public. Therefore, the PSTN is relatively secure. In VoIP telephony, voice is carried by real-time protocol (RTP) and the signaling by one of the many signaling protocols such as H.323, MGCP or SIP. Both of these transport streams are sent over the public Internet or on networks connected to the public Internet. This leaves the VoIP telephone network vulnerable.

Due to the nature of the IP network, in order to use it for telephony, additional requirements must be met by a VoIP device such as:

  • User authentication: The phone is no longer physically connected to the PSTN and needs to be authenticated
  • Address translation: Translating phone numbers into IP addresses and vice-versa
  • Routing: Locating and routing to the correct service gateway for the destination phone
  • Feature translation: Transparently translating advanced phone features such as call waiting, call hold, call forwarding, etc.
  • Caller ID: Generation of and decoding and transmission of caller ID over IP
  • Call detail records: Generation and transmission of billing information for PSTN and VoIP services
  • Legal: Access to emergency services and provision for intercept by law-enforcement agencies

In addition to just providing a transparent translation of telephone services, any VoIP device (since it is connected to the Internet) should provide for mechanisms to protect from toll fraud, eavesdropping and call hijacking among other things, and maintain message integrity. This is in addition to standard network security to protect against DoS and DDoS attacks.


Figure 1. How SIP fits into the VoIP Protocol soup

SIP was not designed to provide for all of these requirements, and it is not the only protocol that the communicating devices will need. The purpose of SIP is just to make communication possible. The communication itself must be achieved by another means (and possibly another protocol). Since SIP is an IETF specification, it is designed to use other existing IETF protocols to fill in the gaps.

Page 2: next page Print This Story Send As Email Discuss This Story Reprints

Page 1 | 2 | 3


 
eSearch  

 Top 5 Most Read
 How-To Stories
1. 2. 3. 4. 5.

 Top 5 Most Read
 News Stories
1. 2.

  • Introduction to Optical Transmission Systems

    		•
  • Optimizing Embedded Systems for Broadband 10 Gigabit Ethernet Connectivity

    		•
  • Interfacing a DS3231 with an 8051-Type Microcontroller

    		•
    The entire library >>  

    		 
     Top 5 Most Read
     Product Stories
    1. 2. 3.

     Sponsor

    EE Times TechCareers
    Search Jobs

    Enter Keyword(s):


    Function:


    State:
      

    Post Your Resume
    -----------------
    Employers Area
    Most Recent Posts
    GE Corporation seeking Lead Systems Analyst in Van Buren Township, MI

    Osram Sylvania seeking Sr Applications Engineer in Danvers, MA

    Accolo, Inc. seeking User Experience Engineer in Reston, VA

    Johnson Controls, Inc seeking Project Development Engineer in Pittsburg, PA

    WhiteHat Security seeking User Interface Engineer in Santa Clara, CA

    More career-related news, resources and job postings for technology professionals


     Tech Library
    ¤ Looking for the appropriate Industry Association? This comprehensive, up-to-date list will take you to the right Web site for the help you need.

    ¤ Got a question about a standard? Here are direct links to resources detailing the industry's most important communications standards.

    ¤ Freshen up on technology, new and old, with these links to interesting and informative tutorials.

    More from TechLibrary
    Welcome to our DesignLine network of web communities. On these sites, we provide practical how-to technical information for engineers and engineering managers involved in Automotive,audio, DSP, DTV, EDA, Industrial Control, Mobile Handset, Power Management, Programmable Logic,RF,Video, and Wireless networking design. Check out the sites and let us know your thoughts.
    		 



    HOME  |  ABOUT  |  FEEDBACK  |  CONTACT
    Career Center | CommsDesign.com | Embedded.com | EE Times | TechOnline
    Planet Analog | DeepChip | eeProductCenter | Electronic Supply & Manufacturing | Webinars


    All material on this site Copyright © 2006 CMP Media LLC. All rights reserved
    Privacy Statement | Your California Privacy Rights | Terms of Service