To develop a cloud service which enhances the security of VoIP devices.
Current Corporate Network Configuration
With VIA, we aim to mitigate the vulnerabilities that might be encountered by making VIA the “gateway” and trusted source for IP telephony traffic on the corporate firewalls and local equipment. The corporate firewall will trust VIA as the definitive source of phone traffic, and VIA will provide insight and actions into the phone traffic it receives.
VIA will be able to inspect and filter VoIP traffic and act as a trusted doorkeeper, barring DDoS and dictionary attacks and blocking fraudulent call activity. Our call metrics, classification and rules will allow us to build up a historical knowledge of a customer’s traffic profile and to re-route or drop unexpected or fraudulent activity. The customer’s firewall and PBX ruleset therefore do not have to change; we provide the intelligent border. Using information from all our customers and honeypots allows us to generate and continuously improve fraud classification.
Our system will use parameterised historical call and message data to classify calls, and therefore generate profiles of expected behaviour for each customer. All of a customer’s calls can then be classified and filtered against given criteria, e.g. if there are numerous calls to North Korea at 2am local time and the customer has not previously made “similar” calls, then our system may hold such future calls until authorised, or shut them down completely until there is manual intervention.
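The profile-based classification described above, as an added illustration that is not VIA’s own code: a customer profile is built from constructed historical call records (destination country and local hour), each new call is checked against it, a single unexpected call is held for authorisation, and a run of unexpected calls escalates to a block that needs manual intervention. The record format, the +/-1 hour tolerance and the escalation threshold are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample history for one customer (not real data):
# (destination country, local hour of day, duration in seconds).
HISTORY = [
    ("IE", 9, 120), ("IE", 10, 300), ("GB", 11, 60), ("GB", 14, 240),
    ("IE", 15, 90), ("US", 16, 600), ("GB", 17, 30), ("IE", 18, 45),
]


def build_profile(records):
    """Summarise a customer's past calls into expected countries and hours.

    Hours are widened by +/-1 so a 10:00 call in the history also makes
    09:00 and 11:00 'expected' (assumed tolerance, not from the page).
    """
    countries = Counter(country for country, _, _ in records)
    hours = set()
    for _, hour, _ in records:
        hours.update({(hour - 1) % 24, hour, (hour + 1) % 24})
    return {"countries": countries, "hours": hours, "total": len(records)}


def score_call(profile, country, hour):
    """Return the list of expectations a single call violates (empty = normal)."""
    violations = []
    if country not in profile["countries"]:
        violations.append(f"no prior calls to {country}")
    if hour not in profile["hours"]:
        violations.append(f"no prior calls around {hour:02d}:00")
    return violations


def classify_calls(profile, calls, block_after=3):
    """Decide each new call in order, tracking runs of anomalous calls.

    'allow' - the call matches the profile
    'hold'  - unexpected; queue it until the customer authorises it
    'block' - block_after unexpected calls in a row; stop and require
              manual intervention
    A normal call resets the run, so one odd call never escalates by itself.
    """
    decisions = []
    anomalous_run = 0
    for country, hour in calls:
        violations = score_call(profile, country, hour)
        if not violations:
            anomalous_run = 0
            decisions.append(("allow", ""))
            continue
        anomalous_run += 1
        action = "block" if anomalous_run >= block_after else "hold"
        decisions.append((action, "; ".join(violations)))
    return decisions


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    # Constructed new calls: one normal, a burst to an unseen country at 02:00,
    # then a normal call again.
    new_calls = [("IE", 10), ("KP", 2), ("KP", 2), ("KP", 2), ("GB", 12)]
    for call, decision in zip(new_calls, classify_calls(profile, new_calls)):
        print(call, decision)
```

The escalation from hold to block is deliberately per-run rather than per-call: it lets an unusual but legitimate one-off call wait for the customer’s authorisation, while the repeated pattern the page describes (numerous calls to an unseen destination at an unseen hour) is stopped outright.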
There are several major security concerns when dealing with VoIP systems:
1. Interception of calls
2. Denial of Service Attacks (DoS) / Distributed (DDoS)
3. Theft of Service
4. Exfiltration of data via media session
We believe that a secure service needs the following capabilities:
1) SIP Authentication and Authorisation Proxy & Master Register
2) Voice and IP Traffic parameterisation & Anomaly Detection
3) Automated Distributed Security Information Sharing
4) Ongoing threat analysis and parameterisation – Honey Pots
5) Distributed Firewall
6) Intelligent Routing
SIP Authorisation and Media Proxies
Subscribers register their SIP devices with ‘VIA’ so that they can make or receive calls utilising its services. This SIP proxy will need to be able to translate SIP messages and set up media bridges for the many different device types and manufacturer firmwares.
The VIA service will examine each call invite to see if it is “reasonable”, before it is passed onto or from the subscribers’ equipment. Each VIA subscriber’s equipment is thereby protected from bots and crawlers. At the very least, this will save VIA customers much needed bandwidth, and at the most from expensive hacks.
Automated Distributed Security Information Sharing
As each edge device comes under attack, the system shares the IP information and the attacker profile, improving security on a realtime and ongoing basis.
Distributed Firewall
A series of edge servers are co-located in data centres around the world. Initially there would be three in Ireland and the UK. These servers would operate a distributed application firewall. The subscribers’ call traffic would route to the closest edge server. The VoIP packets would then be inspected for pattern matching and certain characteristics from a recognized source. Any banned IP addresses would be filtered out, along with dictionary attacks, DDoS attacks, bots and any web crawlers.
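The distributed firewall and the information sharing described in the two sections above, as one added example that is not VIA’s own code: two edge servers consult a shared block list, each counts failed SIP REGISTER attempts per source address over a short window, a source that cycles through several usernames is banned as a dictionary attack, and the ban takes effect on the other edge immediately even though that edge never saw the attack. The log line format, the edge names, the window size and the thresholds are assumptions for the example; the addresses are constructed from documentation ranges.

```python
import re
from collections import defaultdict, deque

# Constructed sample of per-request records as an edge might log them
# (not real captures): "<edge> <ts> <src_ip> <method> <user> <sip_status>"
SAMPLE_LOG = """\
dublin 100 203.0.113.5 REGISTER alice 200
dublin 101 198.51.100.9 REGISTER 100 401
dublin 101 198.51.100.9 REGISTER 101 401
dublin 102 198.51.100.9 REGISTER 102 401
dublin 102 198.51.100.9 REGISTER admin 401
dublin 103 198.51.100.9 REGISTER test 403
london 104 198.51.100.9 INVITE alice 403
london 105 203.0.113.5 INVITE bob 200
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


class SharedBlocklist:
    """Block list every edge consults; a ban raised on one edge applies to all."""

    def __init__(self):
        self.banned = {}  # source ip -> reason

    def ban(self, ip, reason):
        self.banned[ip] = reason

    def reason(self, ip):
        return self.banned.get(ip)


class EdgeServer:
    def __init__(self, name, blocklist, window=10, max_failures=5, min_users=3):
        self.name = name
        self.blocklist = blocklist
        self.window = window            # seconds of failure history kept
        self.max_failures = max_failures  # failures in window before banning
        self.min_users = min_users      # distinct usernames that mark a dictionary attack
        self.failures = defaultdict(deque)  # ip -> timestamps of auth failures
        self.usernames = defaultdict(set)   # ip -> usernames tried

    def handle(self, ts, ip, method, user, status):
        """Return (decision, detail) for one request from a source address."""
        reason = self.blocklist.reason(ip)
        if reason:
            return ("drop", f"banned: {reason}")
        if method == "REGISTER" and status in ("401", "403"):
            window = self.failures[ip]
            window.append(ts)
            while window and ts - window[0] > self.window:
                window.popleft()
            self.usernames[ip].add(user)
            if len(window) >= self.max_failures and len(self.usernames[ip]) >= self.min_users:
                reason = f"REGISTER dictionary attack detected by {self.name}"
                self.blocklist.ban(ip, reason)
                return ("drop", reason)
            return ("forward", f"auth failure {len(window)}/{self.max_failures}")
        return ("forward", "ok")


def process_log(log):
    """Replay the log through the edges and return one decision per line."""
    blocklist = SharedBlocklist()
    edges = {"dublin": EdgeServer("dublin", blocklist),
             "london": EdgeServer("london", blocklist)}
    decisions = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            decisions.append(("reject", "unparseable record"))
            continue
        edge, ts, ip, method, user, status = m.groups()
        decisions.append(edges[edge].handle(int(ts), ip, method, user, status))
    return decisions, blocklist


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), process_log(SAMPLE_LOG)[0]):
        print(f"{line:45} -> {decision}")
```

Counting distinct usernames as well as raw failures keeps a single subscriber who mistypes a password from being banned, while a scanner walking through extension numbers trips the threshold quickly; the shared list is what lets the London edge drop the seventh record without having counted anything itself.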