Wednesday, 21 April 2010

VoIP Security with Ingate

Ingate’s architecture, with a built-in SIP proxy and registrar, solves the problem of SIP traffic not traversing firewalls by working as a proxy between the two clients. Each packet is opened and inspected, and the necessary rewriting is done. This gives a very secure, flexible and solid traversal of SIP traffic and advanced call control.
The media ports between the clients are only open between the specific clients and for the duration of the call.
Inspection of the SIP packets ensures that they are valid SIP packets and are not malformed in any way.
Ingate’s architecture supports encrypted SIP signaling (TLS). This makes session hijacking and spoofing much harder, since much of the information is encrypted. The media ports that will be used for the communication are one example of such encrypted information. Ingate will also support encrypted RTP media streams in SW releases planned for mid 2005.
Ingate has a good architecture for security, but we believe that threats like viruses and worms should be handled by experts in those specific fields. This is why we have not incorporated virus protection in our products.
We believe that the same thing will happen when it comes to VoIP. The Ingate products, however, already have good basic protection, being firewalls, and development processes continue to further improve this protection.
We are proud to have one of the world’s largest financial institutes as our customer; on request we would be happy to provide it as a reference.

Denial of Service attacks

DDoS stands for Distributed Denial of Service attack. Thousands of computers have been infected over the Internet with malicious code, e.g. “Trojans”. This code then transforms these computers into “zombie” systems that send useless data to a selected IP address. The system behind the IP address is flooded by traffic and can no longer provide its normal service.

This is not a unique problem for SIP and VoIP, but the consequences are more severe since this kind of communication is very realtime-critical.
It is a challenge to stop, since the traffic comes from many sources. It should be stopped as early as possible, for example in the Service Provider’s network and backbone. Being upstream, Service Providers are in a better position to detect and choke the traffic.

Solving the problem in the enterprise network is harder. Even if an attack can be identified locally, it can still flood the “pipe” to the server that is under attack.

Some techniques can be attempted to lessen the problem:

• Set aside extra network bandwidth and server processing capacity.
• Use many distributed servers to avoid a single point of attack.
• Use multiple connections and Service Providers.

Ingate’s heritage as a firewall supplier helps when developing systems that are less vulnerable to such attacks. For each new software release, all 4200 PROTOS tests must be passed.
http://www.ee.oulu.fi/research/ouspg/protos/

Spam over the SIP protocol
We distinguish between SPIT and SPIM.

SPIT
SPIT stands for SPam over Internet Telephones. A single “caller” can potentially send out thousands of voice messages simultaneously into phones or voicemail boxes. It is very rare on the market today, but is considered a potential future threat. One problem is that it is almost impossible to detect SPIT without first listening to it.
The same basic techniques used in the e-mail world will work to prevent this:

• Black lists: calls from specific domains, users or IP addresses are discarded.
• White lists: calls from specific users, domains or IP addresses are allowed.

As with normal SPAM, a number of companies will specialize in the SPIT issues and supply products offering more and more advanced protection.
One of these companies is Qovia which filed the first patent for SPIT blocking technology. It claims to be able to differentiate “normal human traffic” from large scale machine-generated blast messages.
www.qovia.com.
Ingate follows the market closely on this issue and we have some plans in our short-term road map to further improve SPIT protection.
Maybe the long-term answer to this will be authentication. An interesting question is whether there will in the future be trusted third-party authorities (CA) that verify the callers.
Ingate has support for both encryption and authentication in its products.
The distributed architecture of the Ingate products, with CPE equipment in every branch office, will also help make the system less vulnerable, as there is no single point to attack. We can expect huge creativity, both from spammers and from companies like Ingate who try to prevent SPAM.

SPIM
SPIM stands for SPam over Instant Messaging. It is very similar to e-mail SPAM but more insidious, since messages may pop up automatically. It is also easier to handle than SPIT, not being as realtime sensitive as voice.
Proven methods can again be used to stop it:

• Black and White lists.
• Content filtering.
• Authentication of the user initiating the IM.

Since this form of communication allows a small delay before the message is sent on to the receiver, it is possible to build the same kind of filtering functions as the e-mail SPAM blocking techniques. Ingate believes that the same companies that sell anti e-mail SPAM software will add SPIM blocking to their product portfolios. Ingate does not at the moment plan to develop any additional functions for this beyond the Black/White lists and the authentication support that are already present in its products.
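
As an added example (not Ingate's code and not part of the original post), the black/white list screening described for SPIT and SPIM can be expressed as one filter over SIP requests, covering both calls (INVITE) and instant messages (MESSAGE). The list entries, the `strict` mode and the rule that the blacklist takes precedence are assumptions made for illustration.

```python
import ipaddress
import re
# Constructed sample policy (not from the page); addresses are documentation ranges.
BLACKLIST = {"users": {"sip:promo@bulk.example"}, "domains": {"spam.example"},
             "nets": [ipaddress.ip_network("203.0.113.0/24")]}
WHITELIST = {"users": {"sip:alice@partner.example"}, "domains": {"branch.example"},
             "nets": [ipaddress.ip_network("192.0.2.0/28")]}

REQUEST_LINE = re.compile(r"^[A-Z]+ sips?:\S+ SIP/2\.0$")
FROM_URI = re.compile(r"sips?:([^@;>\s]+)@([^;>\s:]+)")

def caller_identity(raw):
    """Return (user_uri, domain) from the From header, or None if malformed."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:              # no colon: reject (folded headers included)
            return None
        headers.setdefault(name.strip().lower(), value.strip())
    m = FROM_URI.search(headers.get("from") or headers.get("f") or "")
    if not m:
        return None
    user, domain = m.group(1).lower(), m.group(2).lower()
    return f"sip:{user}@{domain}", domain   # sips: is folded into sip: for matching

def listed(policy, user_uri, domain, ip):
    return (user_uri in policy["users"] or domain in policy["domains"]
            or any(ip in net for net in policy["nets"]))

def screen(raw, source_ip, strict=False):
    """Return 'allow' or 'discard'. strict=True admits whitelisted callers only."""
    ident = caller_identity(raw)
    if ident is None:
        return "discard"         # malformed requests never reach the lists
    ip = ipaddress.ip_address(source_ip)
    # Assumption: blacklist wins, since an unauthenticated From can be forged.
    if listed(BLACKLIST, *ident, ip):
        return "discard"
    if listed(WHITELIST, *ident, ip):
        return "allow"
    return "discard" if strict else "allow"

def sample(method, from_value):  # constructed SIP request for trying the filter
    return (f"{method} sip:desk@office.example SIP/2.0\r\n"
            f"From: {from_value}\r\nTo: <sip:desk@office.example>\r\n"
            f"Call-ID: constructed-1\r\nCSeq: 1 {method}\r\n\r\n")
```

Because the From header is supplied by the caller, identity-based list entries are only as trustworthy as the authentication behind them, which is why the source IP is checked alongside the user and domain.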
