SIP Trunking: Sonus Networks On Security

In case you don't know him, Bob Bradley is the Product Manager of Security Solutions over at Sonus Networks. Bob is no stranger to security and the issues that providers and users face. I had the opportunity to ask questions and Bob clearly addressed where the responsibility lies when it comes to SIP trunking and keeping those trunks secure. On either side of that somewhat soft demarc, security continues to be important, requiring hardening, and it's still a matter of contention on who's willing to pay for what services. Are the providers providing the necessary tools in their networks and do you have the necessary elements in your network to substantiate any issues, prevent security breaches and employ QoS?

Customers are adopting providers for SIP trunking services, so shouldn't the providers be held accountable for fixing the security holes?

Responsibility for SIP protocol security is evolving to be shared by end users and carriers. Historically, ISPs' primary business is to provide the pipes without the responsibility for integrity of content or more granular quality of service beyond simply making sure the Internet "pipe" is always available. But now that highly sensitive and valuable personal information is transmitted through the cloud, providers are starting to take measures to make sure that information is protected. To do this, providers are looking to combine more aggressive authentication measures with their current security practices, including firewalls and identity management, to combat attacks, all while maintaining flawless session quality. Noticeable service gaps and delays make VoIP almost unusable, so quality of service remains just as important as security.

Providers are only acting like telcos; if I can caller-ID spoof my number (as I have many times in the past) as "The White House" (switchboard), then how secure is SIP/IP trunking?

Typically, SIP is transmitted in clear text, which is in "plain English", and isn't encrypted all the way to the edge. Authentication processes can verify the origin of the data stream to confirm the user's identity, but that only solves part of the problem, and providers need to combine encryption with robust authentication and digital certification to account for the hop-by-hop nature of VoIP networks. An example of a hop-by-hop basis is the authentication process for peers at the network edge using digital certificates as part of setting up an encryption session using TLS or IPSec. Longer term, providers need to consider taking advantage of techniques like federated identity, which requires users to enter their personal information once in order to gain access to other networks in the approved group, and that honors the user's authentication across management domain boundaries, making the authentication process smoother.

Right now, there isn't one solution for end-to-end integrity and authentication, and solutions like federated identity are still in their infancy. Providers should consider a more holistic approach, combining current security measures with new ones like federated identity. By using carrier-grade network border solutions, VoIP providers can ensure constant, dependable security for both existing and emerging threats.
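The hop-by-hop point in the answer above can be checked from a message's Via headers, because each SIP element records the transport it used to send the request onward. The following is an added example, not part of the interview and not Sonus code; the INVITE, host names and function names are constructed for illustration.

```python
import re

# Constructed sample INVITE (not from the article). The bottom Via is the
# originating user agent; each proxy that forwards the request adds one on top.
SAMPLE_INVITE = (
    "INVITE sip:+15551230001@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS sbc.carrier.example;branch=z9hG4bK-3\r\n"
    "Via: SIP/2.0/UDP proxy.isp.example:5060;branch=z9hG4bK-2\r\n"
    "Via: SIP/2.0/TLS ua.branch.example:5061;branch=z9hG4bK-1\r\n"
    "From: \"Front Desk\" <sip:+15551230002@branch.example>;tag=a1\r\n"
    "To: <sip:+15551230001@pbx.example.net>\r\n"
    "Call-ID: constructed-0001@ua.branch.example\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# "SIP/2.0/<transport> <sent-by>" at the start of each Via value
VIA_RE = re.compile(r"^SIP\s*/\s*2\.0\s*/\s*(\w+)\s+([^;\s,]+)", re.I)
SECURE_TRANSPORTS = {"TLS", "WSS"}

def via_hops(message):
    """Return [(transport, sent_by)] in order of travel, originator first."""
    head = message.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)        # unfold continuation lines
    hops = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("via", "v"):   # "v" is the compact form
            continue
        for entry in value.split(","):             # one header may list several
            match = VIA_RE.match(entry.strip())
            if match:
                hops.append((match.group(1).upper(), match.group(2)))
    return hops[::-1]

def cleartext_hops(message):
    """Hops that sent the request onward without transport encryption."""
    return [(t, h) for t, h in via_hops(message) if t not in SECURE_TRANSPORTS]

def secured_on_every_hop(message):
    hops = via_hops(message)
    return bool(hops) and all(t in SECURE_TRANSPORTS for t, _ in hops)

if __name__ == "__main__":
    for transport, sent_by in via_hops(SAMPLE_INVITE):
        print(f"{sent_by:28} sent via {transport}")
    print("clear-text legs:", cleartext_hops(SAMPLE_INVITE))
```

In the sample, the first and last legs use TLS but the ISP proxy forwarded over UDP, so the signaling was readable on that middle leg even though the receiving edge saw an encrypted connection.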

Who pays for the security solution? (re: SIP/IP trunking services)

Often when customers are attacked through an insecure ISP cloud, the ideal fix is to add more bandwidth from the ISP site so they can "handle" hacker attacks and still maintain the quality of service required to keep their site up and running. Generally, this will require additional cost for the company to support the added service from the ISP. This goes back to the transition of responsibility from the end user to the service provider. We'll be seeing this concept more and more as security continues to be a hot button issue.

Also, there are frameworks and VoIP best practices evolving in the industry such as SIPconnect that attempt to standardize functions such as encryption and authentication for IP PBXs.

Doesn't adding more bandwidth defeat the TCO model for carrying voice on SIP trunks?

The "old method" of ISPs throwing bandwidth at the problem (at the customer's expense) doesn't work for VoIP. Customers need to expand their SLA to include not just bandwidth but QoS and link integrity for a fixed price. That's more work for the ISP but better meets the needs of the end customers.

Aren't all providers basically the same, and if not then what differentiates those using Sonus solutions over others?

Service providers are looking to differentiate themselves from competitors, and consumers demand both quality and security. Sonus's Network Border Switch protects network edges without significantly interrupting services. A proof point of this is testing performed against the Sonus NBS while undergoing various forms of floods and attacks. The test report showed that the NBS was able to mitigate these "line rate" attacks while maintaining good Mean Opinion Scores (MOS) for voice call quality. This will be especially important longer term as carriers provide other delay-sensitive applications such as streaming video to a handset. The judicious balance of security and QoS/SLA maintenance is critical and a solution like the Sonus NBS maintains this delicate balance. By deploying these types of next-generation solutions, many of which are already proven globally in carrier environments, providers can also take advantage of value-added services such as media management and telco grade "five 9s" reliability not found in legacy session border controllers (SBC).

Tell us about Sonus's solution and IP-PBX interoperability.

Sonus' Network Border Switch recently earned SIPconnect 1.0 compliant status. With SIPconnect validation, enterprise users can seamlessly connect with other networks to enable the business services created by SIP trunking. Enterprises often find themselves trying to piece together networks from a mixture of technology acquired through mergers and acquisitions. IT directors rely on IP business trunking and SIPconnect validation to enhance flexibility and management of converged networks while improving cost savings. The Sonus NBS solution can link disparate technologies (IP, PBX, etc) to create one seamless platform. Along with SIPconnect, the Sonus NBS has been tested to interoperate with market leading IP PBXs that involved vendor proprietary mechanisms that have not yet implemented this framework.

***

Bob pointed out that the industry has some catching up to do on the side of the manufacturers. What must change is that vendors must step up and meet SIP standards so that SIP services become what long ago was known as "Universal Service." It is more likely than not that a "security" mechanism will be adopted. I think security remains one of the potential sore points of SIP that if you don't pay now you could pay dearly later. You may not think that Caller-ID spoofing is a big deal--unless calls are being falsely billed to your account, using your network resources or represented by your company. Then again, as it is today, low-level information gathering may someday prove eventful by sniffing the networks and harvesting information from voice calls. It's easy to dismiss security because the voice guy can walk into most buildings with a butt set and announce, "I'm here to work on the phone lines." What you need to understand is that this is an old argument and mostly without merit, just like the IT guys walking in and out of buildings announcing that they are there to work on the computers. The key difference is today we don't need to physically be in your building to be in your building.

SIP providers are not all the same nor do they offer "universal services" that can be had by the masses anywhere. So availability of services is hindered, and until any SIP-enabled PBX can connect to any SIP provider, the road to independence remains elusive. User companies must not only ensure that their networks are up to snuff but also look hard at the providers and specifically what they are offering. The new network must be better than the last one. Imitation is a form of flattery but making marked improvements over the old is a better form known as competitiveness.