Jonathan Rosenberg, PhD, the chief technology officer Dynamicsoft, a telecommunications infrastructure vendor based in Parsippany, NJ, is co-author of the Session Initiation Protocol standard, one of the underpinnings of Voice over Internet Protocol telephony. He was recently named as a member of the Internet Architecture Board, the technical body tasked with providing oversight of the architecture, protocols and procedures used by the Internet. Ellen Muraskin, eWeek.coms VOIP and Telephony topic center editor, interviewed Rosenberg via e-mail to get his responses to the security concerns raised in Jim Louderbacks recent column, Security Holes Make VOIP a Risky Business.Isnt the security of a VOIP network a function of the SIP protocol in the first place?
Many of the attacks Jim is concerned about are something that SIP would need to (and does) protect against. For example, preventing an attacker from eavesdropping on a call is something that SIP itself provides. Preventing someone from hijacking my calls is something that SIP provides. Preventing someone from sending a flood of packets to a SIP server is not something SIP itself can stop, since the attack is not attempting to manipulate any aspect of SIP operation.
What is the best defense against a flood of packets, i.e., a denial-of-service attack?
This is prevented by purchasing hardened servers that have been thoroughly tested for such vulnerabilities, and keeping the products up to date with the latest version. It is hard to stop attacks that merely flood a server with packets in an attempt to disrupt service. Those are best handled by firewalls and intrusion detection systems.
Many IT departments think that the firewall is the one and only answer, but this is not true. Attacks can easily come from the inside (for example, through a Trojan horse that reaches a computer inside the network). Or, they can come from the outside, but be undetectable as an attack. Thus, the network needs to be protected in all places, and that means using SIPs security features, as well.
Is carrier-to-carrier handoff a true problem yet at this point? I havent seen any cases, myself where calls traverse multiple VOIP carriers, unless they gateway out and back in first.
Its not yet a problem in the consumer space (that is, calls where the consumer actually has a VOIP phone). Inter-carrier handoff is quite popular for so-called toll bypass applications, where the end users are on the traditional phone network, and the call traverses multiple SIP carriers in the core of the network. However, inter-carrier calling in the consumer space is coming soon (this year, I think).