“Today, every e-mail is scoured and scanned in the enterprise,” notes Mark Collier, CEO of SecureLogix. “The same will be true of VoIP.” But to get there you’ll need a sophisticated firewall that monitors VoIP traffic at the application level.
Most present-day VoIP systems run on the internal LAN only, interfacing with the outside world via VoIP gateways and PSTN trunks. However, that’s likely to change over the next few years as companies take advantage of the growing number of VoIP trunk offerings from major carriers. When that happens, companies will have to upgrade their firewalls to versions designed with VoIP in mind.
“Man-in-the-middle, eavesdropping … and spam are the types of attacks you’ll be concerned with,” says Andrew Graydon, vice president of technology for BorderWare, “and you’ll need a lot of information about voice data and packets to deal with them.”
SecureLogix and BorderWare are among the first firewall vendors to offer such solutions. BorderWare’s SIPassure appliance is a SIP-based application proxy firewall that can authenticate user connections, do deep packet inspection, and enforce user-configurable policies that protect against application-based VoIP attacks. These include malformed messages, buffer overflows, denial of service, RTP (Real-Time Transport Protocol) session hijacking, and injection of inauthentic RTP packets into existing RTP flows. SIPassure also claims to protect against identity theft, impersonation, and eavesdropping, and it even boasts a number of techniques for blocking spam. “It knows that it’s not possible to receive five phone calls from the same IP address in a single second,” says Graydon. SIPassure also terminates encrypted VPN sessions and addresses SIP’s issues with NAT and firewall traversal.
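The rate heuristic Graydon describes, written out as an added example (not BorderWare's SIPassure code): a sliding-window count of SIP INVITE requests per source IP that flags a source once it reaches five call attempts within one second. The threshold, the IP addresses and the SIP request lines below are constructed for illustration.

```python
"""Per-source-IP SIP INVITE rate check (added example, not vendor code)."""
from collections import defaultdict, deque
import re

MAX_CALLS = 5   # assumption: the "five calls in one second" rule of thumb quoted above
WINDOW = 1.0    # seconds

# Minimal SIP request-line parser: only method and Request-URI are needed here.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0$")

def parse_request_line(line):
    """Return (method, request_uri) for a SIP request line, or None if malformed."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    return m.group("method"), m.group("uri")

class InviteRateMonitor:
    def __init__(self, max_calls=MAX_CALLS, window=WINDOW):
        self.max_calls = max_calls
        self.window = window
        self.history = defaultdict(deque)   # src_ip -> timestamps of recent INVITEs

    def observe(self, ts, src_ip, request_line):
        """Record one SIP request; return True if src_ip has hit the INVITE rate limit."""
        parsed = parse_request_line(request_line)
        if parsed is None or parsed[0] != "INVITE":
            return False   # ACK, BYE, REGISTER, etc. are not new call attempts
        q = self.history[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) >= self.max_calls

# Constructed sample traffic: (timestamp in seconds, source IP, SIP request line).
SAMPLE = [
    (0.00, "198.51.100.7", "INVITE sip:alice@example.com SIP/2.0"),
    (0.10, "198.51.100.7", "INVITE sip:bob@example.com SIP/2.0"),
    (0.20, "198.51.100.7", "INVITE sip:carol@example.com SIP/2.0"),
    (0.30, "198.51.100.7", "INVITE sip:dave@example.com SIP/2.0"),
    (0.40, "198.51.100.7", "INVITE sip:erin@example.com SIP/2.0"),   # fifth in 0.4 s
    (0.50, "198.51.100.7", "INVITE sip:frank@example.com SIP/2.0"),
    (0.55, "203.0.113.9", "INVITE sip:alice@example.com SIP/2.0"),
    (0.60, "203.0.113.9", "BYE sip:alice@example.com SIP/2.0"),
]

def flagged_sources(events, monitor=None):
    """Replay events through the monitor; return the set of sources that tripped the limit."""
    monitor = monitor or InviteRateMonitor()
    return {ip for ts, ip, line in events if monitor.observe(ts, ip, line)}
```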
SecureLogix offers protection for both legacy and IP enterprise phone systems. Collier describes the ETM (Enterprise Telephony Management) suite as a combination of a voice-application-level firewall and an IPS that works similarly to SIPassure.
The voice firewall protects against DoS and other attacks through both the VoIP and PSTN networks. The IPS uses signatures and other methods to protect against abusive call patterns, including toll fraud, VoIP spam, and other pattern-based attacks. It also offers a policy-based voice recorder and usage and performance managers. Products from both vendors claim to have some voice QoS capabilities as well.
IPS vendors are also getting into the act, including Tipping Point -- now part of 3Com -- which claims that its IPS product line is now SIP and H.323 aware and includes real-time SIP session setup and tear-down tracking, per-packet protocol anomaly detection, and VoIP QoS.
In February, NFR Security launched a VoIP protection package for its Sentivist IPS.