To develop a cloud service which enhances the security of VoIP devices.

With the introduction of smartphones, softphones and teleworkers, corporate networks have become less secure as the firewalls which protect them have had to become more open to traffic. Hardware manufacturers often do not support their products after 7 years, and even large corporates are not diligent in applying security patches and upgrading firmware. So a corporation may be reluctant to embrace the benefits of VoIP because it is potentially opening itself up to security threats such as call fraud, identity hijacking, eavesdropping, VoIP tampering and Denial of Service.
Current Corporate Network Configuration
With VIA, we aim to mitigate the vulnerabilities that might be encountered by making VIA the “gateway” and trusted source for IP telephony traffic on the corporate firewalls and local equipment. The corporate firewall will trust VIA as the definitive source of phone traffic, and VIA will provide insight into, and act on, the phone traffic it receives.
VIA will be able to inspect and filter VoIP traffic and act as a trusted doorkeeper, barring DDOS and dictionary attacks and blocking fraudulent call activity. Our call metrics, classification and rules will allow us to build up a historical knowledge of a customer’s traffic profile and to re-route or drop unexpected or fraudulent activity. Therefore the customer’s firewall and PBX ruleset does not have to change, and we provide the intelligent border. Using information from all our customers and honeypots allows us to generate and continuously improve fraud classification.
Even with this basic security enabled, there are many circumstances in which a phone system could be compromised. Our service will mitigate these risks by using deep packet inspection, a set of parameters, and some prior knowledge. Our system will categorise and filter incoming calls and search for anomalies, such as calls from the same IP address in geographical areas where such calls may not be expected. Over time, using the data amassed and utilising machine learning, the system will be better able to identify and prevent inappropriate calls.
Our system will use parameterised historical call and message data to classify calls, and therefore generate profiles of expected behaviour for each customer. All of a customer’s calls can then be classified and filtered based on given criteria. For example, if there are numerous calls to North Korea at 2am local time and the customer has not previously made “similar” calls, then our system may prevent such future calls until authorised, or shut down completely until there is manual intervention.
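The profile-and-hold behaviour described above can be sketched as follows. This is an added example, not VIA's own code: the `CallProfile` class, the `burst_limit` threshold standing in for "numerous", and the constructed call history are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed history for one hypothetical customer:
# (timestamp in the customer's local time, destination country code).
HISTORY = [
    ("2024-03-04T09:15", "IE"), ("2024-03-04T11:40", "GB"),
    ("2024-03-05T14:05", "IE"), ("2024-03-06T16:30", "GB"),
    ("2024-03-07T10:20", "IE"), ("2024-03-08T13:45", "US"),
]

class CallProfile:
    """Expected behaviour for one customer, learned from past calls."""

    def __init__(self, history, burst_limit=3):
        self.countries = Counter(c for _, c in history)
        self.hours = Counter(datetime.fromisoformat(t).hour for t, _ in history)
        self.authorised = set()         # destinations approved by an operator
        self.off_hours = Counter()      # unexpected off-hours attempts per destination
        self.burst_limit = burst_limit  # assumed meaning of "numerous"
        self.locked = False             # True = shut down until manual intervention

    def screen(self, ts, country):
        """Return 'allow', 'hold' (await authorisation) or 'block'."""
        if self.locked:
            return "block"
        if country in self.countries or country in self.authorised:
            return "allow"
        # Destination never called before: hold it. Attempts at an hour the
        # customer never calls also count towards a full shutdown.
        if datetime.fromisoformat(ts).hour not in self.hours:
            self.off_hours[country] += 1
            if self.off_hours[country] >= self.burst_limit:
                self.locked = True
                return "block"
        return "hold"

    def authorise(self, country):
        self.authorised.add(country)

    def manual_reset(self):
        self.locked = False
        self.off_hours.clear()

if __name__ == "__main__":
    profile = CallProfile(HISTORY)
    for ts in ("2024-03-12T02:00", "2024-03-12T02:01", "2024-03-12T02:02"):
        print(ts, "KP", profile.screen(ts, "KP"))
```

A production profile would weigh more parameters than destination and hour; the point here is the three outcomes: allow, hold for authorisation, and full shutdown.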
There are several major security concerns when dealing with VoIP systems [2]:
1. Interception of calls
2. Denial of Service Attacks (DoS) / Distributed (DDOS)
3. Theft of Service
4. Exfiltration of data via media session
Each month Voxbit’s cloud-based phone systems experience thousands of distinct dictionary and DDOS attacks (#2). We believe that our long experience in monitoring and managing these attacks can contribute to a valuable service. VoIP is a hostile operating environment, as it is quite easy to exploit a system vulnerability and sell minutes from a hacked system to other non-discerning users. It is also possible to route calls from a hacked VoIP system to premium numbers, with the bill then payable by the hacked system to the premium number owner (#3).
We believe that a secure service needs the following capabilities:
1)  SIP Authentication and Authorisation Proxy & Master Register
2)  Voice and IP Traffic parameterisation & Anomaly Detection
3)  Automated Distributed Security Information Sharing
4)  Ongoing threat analysis and parameterisation – Honey Pots
5)  Distributed Firewall
6)  Intelligent Routing

SIP Authorisation and Media Proxies
Subscribers register their SIP devices with ‘VIA’ so that they can make or receive calls utilising its services. This SIP proxy will need to be able to translate SIP messages and set up media bridges for the many different device types and manufacturer firmwares.

Anomaly Detection
Inbound SIP traffic to a customer’s premises, e.g. from their road-warriors using soft-phones in internet cafés, would be routed through VIA (using the master DNS register) so that we can screen and filter traffic before it reaches customer equipment.
The VIA service will examine each call invite to see if it is “reasonable” before it is passed on to or from the subscribers’ equipment. Each VIA subscriber’s equipment is thereby protected from bots and crawlers. At the very least, this will save VIA customers much-needed bandwidth, and at most it will save them from expensive hacks.
Automated Distributed Security Information Sharing
As each edge device comes under attack, the system shares the IP information and the attacker profile, improving security on a real-time and ongoing basis.
Ongoing Threat Analysis: Honey Pots
VIA will place ‘zombie’ VoIP phone systems in data centres around the world but not connect them to the wider phone network. Their purpose is to attract attacks to these dead end systems. The profiles from these attacks are then shared within the VIA network, blacklisting the attackers and the attack vector across all of our subscribers, further augmenting VIA’s relevance and effectiveness.
Distributed Firewall
A series of edge servers are co-located in data centres around the world. Initially there would be three in Ireland and the UK. These servers would operate a distributed application firewall. The subscriber’s call traffic would route to the closest edge server. The VoIP packets would then be inspected for pattern matching and certain characteristics from a recognized source. Any banned IP addresses would be filtered out along with dictionary attacks, DDOS attacks, bots and any web crawlers.
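The following added example (not VIA's own code) illustrates both the dictionary-attack filtering at an edge server and the information sharing described under Automated Distributed Security Information Sharing. The `SharedBlocklist` class, the 60-second window, the four-username threshold and the log events are constructed assumptions; IP addresses come from the documentation ranges.

```python
from collections import defaultdict

# Constructed REGISTER outcomes seen at one edge server:
# (seconds since start, source IP, SIP username, final response after credentials were sent).
EVENTS = [
    (0, "203.0.113.7", "100", 401), (1, "203.0.113.7", "101", 401),
    (2, "203.0.113.7", "102", 401), (3, "203.0.113.7", "admin", 401),
    (4, "203.0.113.7", "reception", 401),
    (5, "198.51.100.20", "alice", 401), (6, "198.51.100.20", "alice", 200),
    (70, "192.0.2.44", "bob", 401), (200, "192.0.2.44", "bob", 401),
]

class SharedBlocklist:
    """Stand-in for the feed that every edge server publishes to and reads from."""

    def __init__(self):
        self.entries = {}  # ip -> attacker profile

    def publish(self, ip, profile):
        self.entries.setdefault(ip, profile)

    def is_banned(self, ip):
        return ip in self.entries

def detect_dictionary_attacks(events, blocklist, window=60, max_users=4):
    """Ban IPs that fail auth for more than max_users usernames within window seconds."""
    failures = defaultdict(list)  # ip -> [(time, username)] of recent failures
    for t, ip, user, code in sorted(events):
        if blocklist.is_banned(ip) or code not in (401, 403):
            continue
        recent = [(ft, fu) for ft, fu in failures[ip] if t - ft <= window]
        recent.append((t, user))
        failures[ip] = recent
        users = {fu for _, fu in recent}
        if len(users) > max_users:
            # One mistyped password (alice) or slow retries (bob) never get here.
            blocklist.publish(ip, {"reason": "dictionary",
                                   "usernames_tried": len(users),
                                   "first_seen": recent[0][0]})
    return sorted(blocklist.entries)

if __name__ == "__main__":
    feed = SharedBlocklist()
    print(detect_dictionary_attacks(EVENTS, feed))
    # A second edge server consulting the same feed drops the attacker on first contact.
    print(feed.is_banned("203.0.113.7"))
```

Counting distinct usernames rather than raw failures keeps a legitimate user who mistypes a password out of the shared list.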
Intelligent Routing
Authorized voice traffic would be routed directly or through the most efficient route to a hosted server. The network would be capable of identifying routes with latency resulting in poor call quality and would intelligently adapt to determine a more appropriate route for any given call. The same algorithms will facilitate provision of Disaster Recovery and Business Continuity services to our customers.
