
Application Note

Secure Voice over IP (VoIP) Solutions

Delivering a robust, secure VoIP solution that counters both external and internal threats while providing superior quality of service


Abstract

This Application Note discusses the key security challenges to consider when deploying VoIP solutions, and describes Alcatel-Lucent’s VPN Firewall Portfolio and how it meets the security requirements of today’s and tomorrow’s VoIP networks and applications.


Table of contents

Introduction
Key challenges in securing a VoIP network
Meeting the challenge
Providing the solution: Alcatel-Lucent VPN Firewall Portfolio
Alcatel-Lucent Firewall Portfolio
Alcatel-Lucent Operating System
Alcatel-Lucent Security Management Server
VPN Firewall Brick Portfolio
Bandwidth management
Alcatel-Lucent VPN Firewall Brick high availability/failover
Alcatel-Lucent IPSec Client


Secure Voice over IP (VoIP) Solutions | Application Note 1

Introduction

Creating high levels of security is essential to fully leverage VoIP technology and the many advantages it offers over traditional wireline solutions. To meet this challenge, Alcatel-Lucent’s VPN Firewall Portfolio provides a complete solution to cope with the evolving threats that can slow down the deployment and use of VoIP applications. The portfolio combines the Alcatel-Lucent Security Management Server, Alcatel-Lucent VPN Firewall Brick appliances, and deployment of the Alcatel-Lucent IPSec Client.

More specifically, Alcatel-Lucent’s unique security solution for a VoIP network provides:

• VoIP application layer filtering where it is needed on the network

• Dynamic pinholing to secure a data network while establishing VoIP calls

• Bandwidth control to maintain voice quality on busy networks — call by call, and

• Failover capabilities to assure that no voice or data session is lost in the event of network failure.

Alcatel-Lucent solutions, developed by Alcatel-Lucent’s R&D arm, Bell Labs, offer blended communications that enable simple, seamless, secure networks that help drive businesses forward.

Key challenges in securing a VoIP network

VoIP is moving into the mainstream. According to Infonetics Research1, the VoIP services market was $21.1B in CY07, up 52 percent over CY06. Indeed, Infonetics expects the worldwide VoIP service market to reach $61.3B by CY11. Much of this is traceable to the fact that organizations now have the opportunity to take advantage of low-cost, feature-rich VoIP solutions that can augment or even replace traditional wireline implementations.

Even so, there are some significant hurdles. Security is at the top of the list. That’s because packet-based communications are particularly vulnerable to subversive attacks and illegal usage. Current technology serving data networks makes it easier to probe voice information on a packet-based network compared to physically tapping into a circuit-switched network.

Malefactors can conduct voice tapping through the use of sniffing packets and, by manipulating packets, obtain fraudulent service subscriptions that can be used without payment or charged to another actual customer. IP networks are also susceptible to identity theft, spoofing, loss of sensitive data, denial of service attacks, and eavesdropping. Hackers launch virus and worm attacks, and malefactors manipulate the networks to conduct internal espionage. Moreover, IP PBXs can be hijacked and Windows-based servers are vulnerable, despite enhanced support for IPv6.

If network hijackers successfully address network equipment, modify databases or replicate equipment, they can shut down, jam or take over the voice network, or manipulate packet network protocols such as SIP, NOE and H.323.

The challenge for network administrators is to secure the network against these many and varied threats while, at the same time, allowing the VoIP sessions to flow smoothly.


Meeting the challenge

Stateful inspection firewalls and Intrusion Detection Systems (IDSs), commonly used for VoIP security, offer limited defenses. Ideally, a VoIP security solution will dynamically adapt network resources and security based on VoIP application requests, regardless of the signaling protocol used or whether or not the signaling or media traffic is encrypted.

A viable VoIP security solution must also:

• Understand SIP, NOE and H.323 protocols to prevent the introduction of fraudulent packets

• Conduct packet inspection during SIP, NOE and H.323 call setup to obtain the necessary information to dynamically open and close the appropriate ports

• Be aware of emerging applications that require protection – for example audio, web and video conferencing, as well as Unlicensed Mobile Access (UMA) for WiFi/cellular dual-mode handsets

• Support low latency, minimal jitter and negligible packet loss to ensure call quality and customer satisfaction

• Offer high availability to avoid loss of VoIP sessions in case of security or network device failure.

Providing the solution: Alcatel-Lucent VPN Firewall Portfolio

Alcatel-Lucent has taken a leadership role in VoIP security by offering a complete security solution that can be integrated with any existing VoIP application. Figure 1 illustrates Alcatel-Lucent’s VPN Firewall Brick-based VoIP security system.

Figure 1. Centralized Alcatel-Lucent VPN Firewall Brick-based VoIP security

Figure 1 diagram (not reproduced): a centralized data center (Brick 1200HS, Alcatel-Lucent security management server, VitalSuite performance management, VoIP feature server, access gateway, ClientCare contact center, enterprise directory, call logs and voice mail) connected over a managed IP network and the PSTN to corporate headquarters, virtual office and branch office sites protected by Brick 700 and Brick 50 appliances, with SIP softphones, SIP phones, analog phones and PBX/IP PBX gateways. The figure calls out the following Brick capabilities:

• NOE, H.323 and SIP application filters

• H.225, H.245, RTP, RTCP dynamic filtering

• Address and port translation

• Stateful filtering for higher performance

• VoIP sessions filtered based on authentication and services authorization

• Flexible deployment models, to protect users, proxy servers and gatekeepers from attacks

• Bandwidth control: brick shapes the traffic to guarantee VoIP bandwidth between sites


Alcatel-Lucent security solutions are based on the Alcatel-Lucent Network Security Model, which is the foundation of ITU-T Recommendation X.805, “Security Architecture for Systems Providing End-to-End Communications.”

Alcatel-Lucent Firewall Portfolio

The Alcatel-Lucent VPN Firewall Portfolio offers a flexible platform, enabling the implementation of multiple security policies tailored to individual applications. The portfolio includes a broad range of carrier-class platforms that offer a favorable price/performance ratio and low total cost of ownership (TCO). The Alcatel-Lucent VPN Firewall portfolio includes:

• Alcatel-Lucent Operating System (OS) based on Bell Labs development

• Alcatel-Lucent Security Management Server

• VPN Firewall Brick platforms

• Alcatel-Lucent IPSec Client

Alcatel-Lucent Operating System

Alcatel-Lucent provides a real-time network Operating System (OS) based on innovative software developments by Bell Labs. The OS provides a software infrastructure for VoIP and other distributed network applications as well as traditional data protocols. It enables end-to-end connectivity over the public telephone network, the Internet, corporate networks, cable television, and satellite networks. Highly secure, the product has been designed with a very small memory footprint, affording it high performance and low latency with no backdoors or security loopholes. The OS is designed purely with VPN and advanced firewall features in mind.

Alcatel-Lucent Security Management Server

Working with the Alcatel-Lucent VPN Firewall Brick® portfolio and Alcatel-Lucent IPSec Client software, the Alcatel-Lucent Security Management Server allows the rapid provisioning and management of security, VPN and QoS services for thousands of users from a single console. It also provides network-wide control of multiple systems, security policies, VPN tunnels and remote clients. Totally secure remote management eliminates the need for network reconfigurations, truck-rolls, and on-site support.

The Alcatel-Lucent Security Management Server provides real-time monitoring, robust logging, and customized reporting. A single cluster of servers can support up to 20,000 VPN Firewall Brick appliances and 100,000 Alcatel-Lucent IPSec Client users from one console. It can also accommodate up to 100 simultaneous administrators with role-based administration and concurrency controls across the platform.

In addition to scalability, the Alcatel-Lucent Security Management Server provides carrier-grade reliability and a number of VPN authentication features, such as Internet Key Exchange (IKE) versions one and two, the Advanced Encryption Standard (AES), Department of Defense Public Key Infrastructure (PKI), and X.509 digital certificates.


VPN Firewall Brick Portfolio

The VPN Firewall Brick Portfolio delivers service-level-assured advanced security, IP VPN, and QoS services for the VoIP environment. These integrated firewall/VPN gateway appliances offer unparalleled performance. The product line consists of a series of hybrid Layer 2 and Layer 3 appliances, allowing any combination of interfaces to be set to bridge or route mode; installed in Layer 2 mode, they provide secure transparency and ease of installation.

Each VPN Firewall Brick is centrally staged and remotely managed by the Alcatel-Lucent Security Management Server. For security, a VPN Firewall Brick cannot be managed through a serial cable or from a web browser. Unlike pure router-based security platforms, advanced security services can be added without costly network reconfiguration, truck-rolls or on-site support.

The VPN Firewall Brick supports 802.1Q VLAN tagging and virtual firewalls on any interface. This means that a single device can be shared securely among multiple customers or applications for network-based, VoIP managed security services.

Using the advanced rules-based routing features in the VPN Firewall Bricks, integration is possible with any third-party filtering devices using pure port-based routing, which is configurable to any rule. This feature enables the VPN Firewall Bricks to distribute functions, such as URL filtering and virus scanning throughout the network to existing or best-in-class devices in those categories. The rules-based routing (RBR) feature also enables load balancing across devices providing true Distributed Universal Threat Management (D-UTM).

The application layer filters on the VPN Firewall Brick also permit the filtering and firewalling of complex protocols at the application layer (Layer 7 of the OSI Model). The common VoIP protocols, SIP, NOE and H.323 are among the many application layer filters found in the VPN Firewall Bricks. During a VoIP call setup, SIP, NOE and H.323 all dynamically open ports. If the firewall were to leave all of the approximately 64,000 applicable ports open, there would be virtually no network security at all when running these complex protocols. To secure the network while enabling the VoIP channels to open dynamically, the firewall needs to participate in the call setup and teardown. To do this, the VPN Firewall Brick acts like a passive packet sniffer, monitoring the call setup and opening the ports dynamically for an individual call only between the calling and called endpoints.
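The dynamic pinholing described above can be modelled with a small amount of code. The following is an added example, not Alcatel-Lucent code: a SIP-aware stateful filter that watches the INVITE and its 200 OK, reads the media address and port from each SDP body, opens pinholes for the RTP port and the RTCP port (port+1) in both directions between exactly those two endpoints, and tears them down on BYE. The addresses, ports and SIP messages are constructed for the example; NOE and H.323 follow the same pattern with their own signalling parsers.

```python
"""SIP/SDP-aware dynamic pinholing, simplified model (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    """One permitted UDP flow (protocol fixed to UDP in this model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_sip(msg: str):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp_media(body: str):
    """Return (ip, rtp_port) from the SDP c= line and the first m=audio line."""
    ip = port = None
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio ") and port is None:
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("SDP body has no c=/m=audio lines")
    return ip, port


class VoipFirewall:
    """Pinholes exist only while a call the firewall has observed is up."""

    def __init__(self):
        self.calls = {}        # Call-ID -> {"offer": (ip, port), "answer": (ip, port)}
        self.pinholes = set()

    @staticmethod
    def _endpoint_pinholes(a, b):
        # RTP on the negotiated port and RTCP on port+1, both directions,
        # only between the two endpoints seen in the signalling.
        holes = set()
        for delta in (0, 1):
            holes.add(Pinhole(a[0], a[1] + delta, b[0], b[1] + delta))
            holes.add(Pinhole(b[0], b[1] + delta, a[0], a[1] + delta))
        return holes

    def inspect_signalling(self, msg: str):
        start, headers, body = parse_sip(msg)
        call_id = headers.get("call-id")
        cseq = headers.get("cseq", "").upper()
        if start.startswith("INVITE "):
            self.calls[call_id] = {"offer": parse_sdp_media(body)}
        elif start.startswith("SIP/2.0 200") and "INVITE" in cseq:
            call = self.calls.get(call_id)
            if call and "answer" not in call:
                call["answer"] = parse_sdp_media(body)
                self.pinholes |= self._endpoint_pinholes(call["offer"], call["answer"])
        elif start.startswith("BYE "):
            call = self.calls.pop(call_id, None)
            if call and "answer" in call:
                self.pinholes -= self._endpoint_pinholes(call["offer"], call["answer"])

    def allow_udp(self, src_ip, src_port, dst_ip, dst_port) -> bool:
        return Pinhole(src_ip, src_port, dst_ip, dst_port) in self.pinholes


# Constructed signalling for one call between 10.0.0.10 and 192.0.2.20.
INVITE = ("INVITE sip:bob@192.0.2.20 SIP/2.0\r\nCall-ID: call-1@10.0.0.10\r\n"
          "CSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.0.0.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: call-1@10.0.0.10\r\n"
          "CSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.20\r\nm=audio 3456 RTP/AVP 0\r\n")
BYE = ("BYE sip:bob@192.0.2.20 SIP/2.0\r\nCall-ID: call-1@10.0.0.10\r\n"
       "CSeq: 2 BYE\r\n\r\n")

if __name__ == "__main__":
    fw = VoipFirewall()
    for msg in (INVITE, OK_200, BYE):
        fw.inspect_signalling(msg)
        print(msg.split("\r\n")[0], "-> RTP allowed:",
              fw.allow_udp("10.0.0.10", 49170, "192.0.2.20", 3456))
```

Nothing is permitted after the INVITE alone: the pinhole appears only once the answering side's SDP has been seen, so a packet from any other host, or to any other port, is still dropped, and the whole set disappears with the BYE.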

Bandwidth management

In addition to dynamic pinholing capabilities, expert bandwidth management is absolutely essential for VoIP security. Most solutions have either no bandwidth management or management at the interface level only. At the interface level, hundreds of VoIP calls may be active at any one time. If a heavy data application or download starts running on that interface, some or all of the VoIP calls could either be lost or experience a severe drop in quality.

The Alcatel-Lucent VPN Firewall Brick solves these problems by managing bandwidth at the interface, rule-set, rule and session level. This is a critical component when working with VoIP or any other real-time protocol, including streaming video and video conferencing. The ability to guarantee bandwidth for each individual session ensures quality of the session or VoIP call, as well as the selling of Service Level Agreements (SLAs); it also prevents hackers from exploiting VoIP sessions or ports.
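To see why per-session guarantees matter, the following added example (not Alcatel-Lucent code) contrasts the two policies the text describes: an interface that is shared only in proportion to demand, and a scheduler that serves each session's guarantee first and water-fills the remainder. Link capacity, session names, demands and guarantees are constructed values in kbit/s.

```python
"""Per-session bandwidth guarantees versus interface-level sharing (added example)."""


def interface_share(capacity, sessions):
    """No per-session policy: when demand exceeds capacity every session is
    squeezed in proportion to its demand, so a bulk transfer starves a call."""
    total = sum(s["demand"] for s in sessions)
    if total <= capacity:
        return {s["name"]: float(s["demand"]) for s in sessions}
    return {s["name"]: capacity * s["demand"] / total for s in sessions}


def guaranteed_share(capacity, sessions):
    """Serve each session's guarantee first, then water-fill the leftover
    equally among sessions that still want more."""
    if sum(s["guarantee"] for s in sessions) > capacity:
        # Admission control: a guarantee that cannot be honoured is refused
        # rather than silently degraded.
        raise ValueError("guarantees exceed link capacity")
    alloc = {s["name"]: float(min(s["demand"], s["guarantee"])) for s in sessions}
    leftover = capacity - sum(alloc.values())
    unsatisfied = {s["name"]: s["demand"] - alloc[s["name"]]
                   for s in sessions if s["demand"] > alloc[s["name"]]}
    while leftover > 1e-9 and unsatisfied:
        share = leftover / len(unsatisfied)
        for name in list(unsatisfied):
            grant = min(share, unsatisfied[name])
            alloc[name] += grant
            leftover -= grant
            unsatisfied[name] -= grant
            if unsatisfied[name] <= 1e-9:
                del unsatisfied[name]
    return alloc


# Constructed scenario: two G.711-sized calls sharing a 1 Mbit/s link with a download.
LINK_KBPS = 1000
SESSIONS = [
    {"name": "voip-call-1", "demand": 64, "guarantee": 64},
    {"name": "voip-call-2", "demand": 64, "guarantee": 64},
    {"name": "bulk-download", "demand": 5000, "guarantee": 0},
]

if __name__ == "__main__":
    for label, policy in (("interface level", interface_share),
                          ("per-session guarantee", guaranteed_share)):
        print(label)
        for name, kbps in policy(LINK_KBPS, SESSIONS).items():
            print(f"  {name:15s} {kbps:8.1f} kbit/s")
```

Under interface-level sharing each call is cut to about 12 kbit/s the moment the download starts, which is far below what the codec needs; with the guarantee honoured first, both calls keep their 64 kbit/s and the download receives whatever remains.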


Alcatel-Lucent VPN Firewall Brick high availability/failover

The Alcatel-Lucent Security Management Server includes an Alcatel-Lucent VPN Firewall Brick feature that provides automatic failover configuration to ensure VoIP calls are not dropped due to a network or device failure. The feature allows an administrator to deploy two Alcatel-Lucent VPN Firewall Brick devices as a failover pair. Both devices share the same identity, including IP address, name and virtual MAC addresses (one per port). The first device to boot, or one designated by the administrator, becomes the active device in the pair. The second device is designated the standby (passive), ready to take over should the first device fail or become unhealthy in any way.

From the administrator’s viewpoint, the two devices are treated as one; both are connected to the same LANs and wired identically. Both the active and the standby Alcatel-Lucent VPN Firewall Brick devices issue regular heartbeat messages. The heartbeat indicates the presence of an active device, and allows devices to share health, status, and priority information. If the standby device does not receive appropriate heartbeats for the active device, it automatically becomes active. The active device may also yield to the standby device, if it determines that the standby device has better LAN connectivity. Along with the heartbeats, the active Alcatel-Lucent VPN Firewall Brick continuously sends session state information to the standby device. If the standby device has to take over, it already has all of the information it needs about the active sessions in order to keep those sessions alive.
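The heartbeat and state-replication mechanism just described can be modelled in a few dozen lines. The following is an added example, not Alcatel-Lucent code: a tick-based simulation of a failover pair in which the active device heartbeats and pushes its session table every interval, and the standby promotes itself after a number of consecutive missed heartbeats, already holding the sessions it needs to keep alive. The miss threshold, device names and session entries are constructed; the real product's timers are not stated on this page.

```python
"""Active/standby failover with heartbeats and session-state replication (added example)."""

HEARTBEAT_MISS_LIMIT = 3   # constructed threshold, not a product setting


class Brick:
    def __init__(self, name):
        self.name = name
        self.role = "standby"
        self.sessions = {}     # flow key -> state the standby needs to keep the flow alive
        self.missed = 0

    def open_session(self, key, state):
        if self.role != "active":
            raise RuntimeError(f"{self.name} is {self.role}; only the active device forwards")
        self.sessions[key] = state

    def receive_sync(self, sessions):
        """Replace the replicated session table with the active device's copy."""
        self.sessions = dict(sessions)

    def heartbeat_received(self):
        self.missed = 0

    def heartbeat_missed(self):
        """Count a missed interval; True when this standby should take over."""
        self.missed += 1
        return self.role == "standby" and self.missed >= HEARTBEAT_MISS_LIMIT


class FailoverPair:
    def __init__(self, first, second):
        first.role, second.role = "active", "standby"
        self.active, self.standby = first, second
        self.log = []

    def tick(self, active_healthy):
        """One heartbeat interval; returns the new active device's name on failover."""
        if active_healthy:
            self.standby.heartbeat_received()
            self.standby.receive_sync(self.active.sessions)
            return None
        if self.standby.heartbeat_missed():
            self.active.role = "failed"
            self.standby.role = "active"
            self.active, self.standby = self.standby, self.active
            self.log.append(f"failover: {self.active.name} now active with "
                            f"{len(self.active.sessions)} sessions")
            return self.active.name
        return None


def simulate():
    """Two calls in progress, one healthy interval, then the active device goes silent."""
    pair = FailoverPair(Brick("brick-a"), Brick("brick-b"))
    pair.active.open_session(("10.0.0.10", 49170, "192.0.2.20", 3456), {"proto": "RTP"})
    pair.active.open_session(("10.0.0.11", 50000, "192.0.2.21", 4000), {"proto": "RTP"})
    pair.tick(active_healthy=True)          # heartbeat and state sync reach the standby
    promoted_at = None
    for interval in range(1, 6):            # active device stops heartbeating
        if pair.tick(active_healthy=False) and promoted_at is None:
            promoted_at = interval
    return {"active": pair.active.name,
            "promoted_after_missed": promoted_at,
            "sessions_retained": len(pair.active.sessions),
            "log": pair.log}


if __name__ == "__main__":
    print(simulate())
```

The standby takes over on the third missed heartbeat and still holds both session entries, so the calls survive. The model also shows the limit of the approach: any session opened after the last successful sync and before the failure would not be present on the standby, which is why the active device sends state continuously rather than periodically.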

Alcatel-Lucent IPSec Client

The Alcatel-Lucent IPSec Client is specifically built to support carrier-managed IP services. When deployed with the Alcatel-Lucent VPN Firewall Brick platforms, the IPSec Client is completely integrated and centrally managed by the Alcatel-Lucent Security Management Server, simplifying administration of large-scale, remote access VPNs. The Alcatel-Lucent Bricks also support a number of mobile clients for VoIP and UTM applications.

Complete solution for total VoIP security

The combination of the Security Management Server, Alcatel-Lucent VPN Firewall Brick portfolio, and the Alcatel-Lucent IPSec Client enables VoIP services that are secure and robust. With these security solutions, VoIP deployments can be implemented that are secure, always available, and scale to meet changing requirements.

Alcatel-Lucent is committed to user-centric security and offers a full portfolio of solutions and multi-vendor professional services to support dynamic enterprises as they evolve their risk management strategies. By leveraging innovative technologies from Bell Labs, and services teams with a global presence, Alcatel-Lucent delivers always-on security solutions that meet the needs of enterprises, small and large, in any industry. For more information, visit: www.alcatel-lucent.com/enterprise/security.

www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2008 Alcatel-Lucent. All rights reserved. ENT2913080911
