Extreme Arms to Fight VoIP Threats

Tuesday Apr 8th 2008 by Ted Stevenson

Sentriant security appliance now incorporates behavioral analysis tools to isolate and mitigate attacks on IP communications devices.

With the advent of interconnected computing networks, network security emerged as a crucial issue for businesses of all stripes. And as business networks have been called on to support more and more critical applications, particularly VoIP and other communications applications, the importance of security has only increased—or so you would think.

A recent InStat study of U.S. businesses reveals that while "over 80 percent of the respondents have deployed some type of VoIP solution in their companies," fewer than 40 percent "have specific plans for securing those deployments."

Be that as it may, vendors of network security solutions are increasingly turning their attention to VoIP-related issues. One such is Santa Clara, Calif.-based Extreme Networks, which, in addition to its core network switching infrastructure, offers the Sentriant NG, a security device that the company officially dubs a "Post Admission Control Solution."

The Sentriant, a 2U rack-mounted appliance, continually monitors network traffic, providing behavior-analysis–based threat detection and mitigation. That is, based on a set of rules, it looks for kinds of behaviors that should not be happening on a secure network—such as protocol and policy violation, or pre-attack port scanning—and takes steps to correct the situation.

Recently Extreme announced the addition of rules specifically designed to deal with threats to VoIP elements on the network—"gateway" elements such as PBXs or media gateways and VoIP phones. We spoke to vice president and general manager Shuresh Gopalakrishnan who filled us in on the Sentriant offering.

In talking with some of its partners such as Avaya, ShoreTel, and Siemens, Gopalakrishnan said, technicians at Extreme learned that although IP PBXs and similar devices are to some degree designed to resist attack—that is, to continue functioning during a denial of service (DoS) attack, for example—they are unable to do anything "to isolate or stop that attack."

"That is what we started working on—to make sure we can identify some of these threats and then isolate them—and then stop them," Gopalakrishnan said. "If you look at the VoIP security problem from a network point of view, what we see is attacks that are directed toward the IP PBX, and attacks that are directed toward the phone."

"The value proposition for our customers is that the threat detection and mitigation is very, very fast," he explained to VoIPplanet.com. "You can detect things in seconds—before the attack is full bore." This is, in part, because the Sentriant monitors network traffic continuously, unlike some competing products, which periodically sample traffic and could, thus, miss a developing attack. The Sentriant also catalogs the IP addresses of all the devices on the network, so it can tell legitimate devices from intruders. Moreover, the product "will work with any device that has an IP address," Gopalakrishnan said, making it interoperable with any vendor's switching infrastructure.

Once the Sentriant determines that an attack is being launched, it has two options for dealing with the attack:

"First, we can make the attacker send the traffic to the Sentriant," Gopalakrishnan explained. "So the attacker will think 'Oh I should be communicating with this device,' and then Sentriant, will take all the traffic and just discard it." Allowing the attack to continue (harmlessly) in this way, improves the IT administrator's chance of figuring out who (what IP address) is the source of the attack, he said.

In cases where it's not 100 percent clear that the aberrant behavior is truly an attack, the Sentriant can just slow things down, using a technique known as cloaking. "The Sentriant will respond saying 'I'm a slow device; talk to me slowly,' thus stretching the process out over time, and, again, giving the IT admin a better opportunity to figure out who or which device is the source of the traffic."

An example of a VoIP-specific rule is the Gatekeeper flood rule. This looks for any device that is sending more than 60 packets in 60 seconds to any 'gatekeeper' device on the network—a call server or media gateway—requesting services. "That's a clear indication that someone is requesting a lot more services from that call server than it's expected to do—than is normal," Gopalakrishnan explained.

Examples of rules applying to a SIP environment are the SIP Invite rule, which looks for 20 or more SIP invites within 60 seconds, or the SIP Registration rule, which is triggered by more than 5 SIP registration packets within a 10 minute period. Other rules detect attempts by non-IP devices to contact the network, requests to IP phones from any device other than the legitimate call server, and the like.

The specific rule parameters—the numbers of packets and time periods—"came out of our discussions with various partners, and reflect what they considered would be threatening behaviors," Gopalakrishnan told us. However, customers are free to tweak the rules settings as they see fit. "If the customer decides 'We want it to be 1 packet in 1 minute for SIP registrations,' then they can do that. It is completely configurable for them."

"These VoIP security rules are included with the Sentriant product now," Gopalakrishnan said. "They don't have to buy anything extra." Moreover Extreme will be expanding the repertoire of VoIP-focused rules over time.

Sentriant NG is available through Extreme's worldwide network of distributors and resellers, and—as Extreme is an Avaya Global Alliance Partner—through Avaya.

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved