Saturday, October 27, 2007

Book Excerpt: Securing VoIP Networks

In this book excerpt, the authors describe how intrusion detection can help you handle VoIP issues.

Intrusion Detection and VoIP

Although intrusion detection techniques and products have matured during the last decade, the evolution of Internet multimedia applications, such as VoIP, has introduced a new opportunity for research in intrusion detection. There are two categories of intrusion detection systems (IDSs): signature based and anomaly based. Signature-based IDSs identify malicious activity by inspecting individual packets and matching a pattern to a known signature. Anomaly-based IDSs identify attacks by analyzing aggregate streams of network traffic and performing pattern matching based on predefined traffic heuristics (for example, whether activity falls within normal or abnormal parameters). Both approaches have strengths and weaknesses, but they are effective when used appropriately. One fundamental limitation of current IDS techniques is the orthogonal approach to inspecting and correlating network traffic to identify malicious activity. For example, a typical IDS is configured to look for specific properties in a protocol (for example, UDP, TCP, HTTP) that match certain rules. In addition, the inspection can be extended to a specific application to analyze the contents of an application message (for example, Web application queries, SQL queries).

VoIP communications use a combination of protocols to relay signaling messages, and they can use dynamically allocated ports. In addition, different routes can be used for signaling and media traffic. These properties introduce challenges for existing IDSs. Although they can detect some VoIP-related attacks using current techniques, they cannot yet detect attacks such as call or session hijacking, call-flow manipulation, or media manipulation. For example, the Snort IDS uses signature-based techniques to detect malicious activity associated with SIP signaling (see Listing 8.1). These rules include detection for attacks such as SIP signaling flooding, port scanning against SIP ports, SYN floods, and others.

The IDS needs to be able to detect the following:

* DoS through application resource exhaustion (for example, attacks against the signaling or key management protocols)
* Masquerading of signaling and media messages
* Detection of malformed messages
* Call-flow manipulation attacks (for example, message reordering, insertion, deletion)
* Access control and authorization attacks (for example, authentication replay attacks, application functionality violation attacks, bid-down attacks)
* Fraud

Therefore, in addition to using some of the existing IDS techniques, new methods need to be developed to identify attacks associated with Internet multimedia applications.

Event correlation is one technique that can be used in VoIP to aggregate events from multiple agents that reside on VoIP network elements, including phones, SIP proxies, gateways, and SBCs. Existing event correlation techniques rely on characteristics of the network and transport layers, which is insufficient for VoIP. Instead, correlation techniques need to be developed that incorporate characteristics of the protocols used to support multimedia applications. One research effort that attempts to address this issue is SpaceDive, in which a hierarchical approach to event correlation is used.[4]

Another approach is based on protocol state machines.[5] This approach inspects the state transitions of the protocol state machines rather than the properties of the protocols and network traffic. The protocol state machine is derived from the protocol specification, in which states and transitions are clearly defined. Because VoIP communications depend on protocol state transitions, any deviation from normal communication patterns can be flagged and analyzed for malicious activity.
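As an added illustration of the state-machine approach (not code from the book or from the research it cites), the following Python tracks each SIP Call-ID through a simplified INVITE dialog state machine and reports any message the specification does not allow in the dialog's current state. The SIP messages are constructed samples, and the transition table is a deliberate simplification of the RFC 3261 INVITE flow (no re-INVITE, forking or retransmission handling).

```python
import re
# Allowed (state, message kind) -> next state, from the RFC 3261 INVITE flow
# (simplified: no re-INVITE, forking or retransmissions). Anything else deviates.
TRANSITIONS = {
    ("idle", "INVITE"): "inviting",
    ("inviting", "1xx"): "inviting",      # 100 Trying / 180 Ringing
    ("inviting", "2xx"): "answered",
    ("answered", "ACK"): "established",
    ("established", "BYE"): "terminated",
}
START_LINE = re.compile(r"^(?:(?P<method>[A-Z]+) \S+ SIP/2\.0|SIP/2\.0 (?P<code>\d{3}) .*)$")

def classify(message):
    """Return (kind, call_id) for a raw SIP message, or None if it is malformed."""
    lines = message.strip().splitlines()
    match = START_LINE.match(lines[0]) if lines else None
    call_id = next((l.split(":", 1)[1].strip() for l in lines[1:]
                    if l.lower().startswith("call-id:")), None)
    if not match or not call_id:
        return None
    return (match.group("method") or match.group("code")[0] + "xx"), call_id

def detect(messages):
    """Track every Call-ID through the state machine; return the alerts raised."""
    states, alerts = {}, []
    for msg in messages:
        parsed = classify(msg)
        if parsed is None:
            alerts.append("malformed message")
            continue
        kind, call_id = parsed
        current = states.get(call_id, "idle")
        nxt = TRANSITIONS.get((current, kind))
        if nxt is None:   # a transition the specification does not define
            alerts.append(f"{call_id}: {kind} not allowed in state '{current}'")
        else:
            states[call_id] = nxt
    return alerts

# Constructed sample: a legitimate call on Call-ID a1, a BYE for a dialog that
# was never set up (zz9), and a stray 200 OK injected after a1 is established.
SAMPLE = [
    "INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: a1\r\n",
    "SIP/2.0 180 Ringing\r\nCall-ID: a1\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: a1\r\n",
    "ACK sip:bob@example.com SIP/2.0\r\nCall-ID: a1\r\n",
    "BYE sip:alice@example.com SIP/2.0\r\nCall-ID: zz9\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: a1\r\n",
    "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: a1\r\n",
]
```

Neither flagged message would match a packet signature, since each is a syntactically valid SIP message; only its position in the dialog state machine makes it suspicious.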

Although these techniques are promising and help establish the direction, additional attention should be given to expedite research and product development to meet the forthcoming demand.
