Extreme Networks jumped out ahead of demand for VOIP-specific security on March 17 when it added new voice over IP protections in its Sentriant security appliances.
Although the majority of issues faced by enterprises deploying VOIP are focused on traditional threats to data network such as denial-of-service attacks or worm outbreaks, Extreme Networks created a series of new rules for the Sentriant security devices that watch for attacks against call servers, IP PBXes and media gateways. The devices also watch for intruders trying to hijack IP phones by masquerading as call servers.
While few attacks targeted at VOIP systems have been documented, the release of a book last year exposing the specific vulnerabilities of VOIP technology and how to address those has raised the level of awareness among enterprises.
“There have not been a lot of attacks yet, but people are more dependent on IP phone systems and so people are more concerned,” noted industry analyst Jon Oltsik at Enterprise Strategy Group in Milford, Mass. “We know more about the types of attacks we can expect now than we did a few years ago, so there’s more anticipation.”
The Extreme Networks Sentriant appliance, which can listen to traffic on the network and respond when it detects anomalous behavior, now supports new behavior-based rules that describe how to identify destructive behaviors and how to respond to those in the network.
The rules take into account normal traffic activity that typically occurs between IP phones and call servers. But when it detects an unusual amount of anomalies, it initiates protective measures. The measures include the cloaking threat mitigation technique and the use of the Address Resolution Protocol to redirect attack packets to the Sentriant device and away from intended targets.
The package of five new rules includes the Gatekeeper Flood rule, which protects a call server from a denial-of-service attack. “If a single device sends more than 60 packets in 60 seconds to the call server on TCP or UDP ports, it can direct all the packets to the Sentriant device, which knows to discard the packets, or respond to the [sending] device in a very slow fashion,” said Suresh Gopalakrishnan, vice president and general manager for Extreme’s Emerging Product Group, in Santa Clara, Calif.
The Session Initiation Protocol Invite Flood rule also detects denial-of-service activity by checking for more than 20 SIP invites within a 60-second period. The SIP Registration rule checks for more than five SIP registration packets going to the call server in a 10-minute period.
The TCP Service Port rule is intended to prevent laptop attacks on the call server by watching for more than 300 packets in a 60-second period from non-IP telephony devices. And the Unauthorized TFTP rule detects when TFTP traffic is coming from sources that are not call managers.
“If any device other than a designated IP PBX or media gateway tries to talk to a phone using that protocol, or it sees packets from a device that’s not a call server, we detect and stop that as well,” said Gopalakrishnan.
Extreme was prompted to create the rules in part by customers who want the ability to create their own rules using Extreme’s APIs, combined with Sentriant’s monitoring capability, said Oltsik. Customers are saying, -I want someone to take care of generic security rules and then write my own rules,'” he said.
Extreme was also prompted in part by the publishing of the book “Hacking VOIP Exposed, Voice over IP Security Secrets and Solutions,” by David Endler and Mark Collier, last year.
The rules will be available this week. Extreme plans to continue developing more rules for the Sentriant appliance.