
REDSHIFT NETWORKS

SECURE COMMUNICATIONS AND COLLABORATIONS
UCTM vs. NEXTGEN FIREWALL

Understanding Security Threats, Taxonomy and Preventive Solutions
The emergence of Unified Communication, Collaborations, IP Voice and Video technology is
causing a fundamental shift in the telecommunication industry. Traditional communication
systems running on legacy networks are rapidly being replaced by IP-based systems that provide
numerous benefits to an enterprise. The benefits range from low cost, ease of manageability,
usability and open systems to the leverage gained from enriched software-enabled services.

Voice solution vendors are making tremendous progress in tightly tying the
operation of enterprise data applications with the IP-telephony features to
improve the overall employee connectivity and business productivity. The
combination of these two previously separate worlds is being called “Unified
Communications” (UC) when the integration happens at the end user
desktop PC or “Communication-Enabled Business Processes” (CEBP) when
the integration is within an enterprise application running on dedicated
servers. As a result, higher enriched services are now possible ranging from
click-2-call applications, connection anywhere/anytime/any-device, UC
communication services such as Presence and Collaboration across any IP-
based device etc.

Enterprises must understand that while IP Voice, Video, UC&C networks and applications present
great promise, they also present unique security requirements that differ from those of
conventional data applications. Due to the real-time nature of the communications, combined
with disparate open networks, the overall network complexity and exposure to threat vectors is
alarming.

This white paper focuses narrowly on the numerous threat vectors that plague these
applications, ranging from Voice Denial-of-Service (VDOS) attacks, SPAM over Internet Telephony
(SPIT) attacks, eavesdropping, spoofing, number harvesting, protocol anomaly or fuzzing attacks,
and signaling and media manipulation attacks to toll fraud. The paper presents the shortcomings
of existing security solutions and sets out the requirements for comprehensively securing
Unified Communications & Collaborations, IP Voice and Video networks, systems and applications.

Distributed by NACT Solutions, LLC - 3 Seabro Avenue Amityville NY 11701
email sales@nact.com 801 802 1306

RedShift Networks - 2603 Camino Ramon, Suite 2000 - San Ramon, California 94583
Tel: +1 925 242 2530 - Email: info@redshiftnetworks.com

Introduction
The emergence of Unified Communication, Collaborations, IP Voice and Video technology is
causing a fundamental shift in the telecommunications industry. Traditional communication
systems and applications running on legacy TDM networks are rapidly being replaced by their IP
counterparts, providing numerous benefits to businesses. The benefits range from low cost of
operation and the ability to quickly provision enriched software-enabled communication services
to ease of manageability, usability and adaptability to business fluctuations, and finally the
leverage gained from open standards and their ecosystem.

Voice and UC solution vendors are making tremendous progress in tightly tying the operation of
data applications (and UC services) with the IP-telephony features. This helps improve the overall
employee connectivity and business productivity. The combination of these two previously
separate worlds is being called “Unified Communications” (UC) when the integration happens at
the end user desktop PC or “Communication-Enabled Business Processes” (CEBP) when the
integration is within an enterprise application running on dedicated servers. As a result, higher
enriched services are now possible ranging from click-2-call applications, connection anywhere/
anytime/any-device, UC communication cloud services such as Presence and Collaboration being
offered across any IP-based device.

The stakeholders must understand that while IP Voice, Video, UC&C networks and applications
present great promise, they also present unique security requirements that differ from those of
conventional data applications. Due to the real-time nature of the communications, combined
with a complex interconnect involving many entities, the overall network complexity and
exposure to threat vectors is alarming.

This white paper attempts to narrowly focus on the numerous threat vectors that plague UC&C
networks and applications ranging from Voice/UC Denial-of-Service (VDOS/UC-DOS) attacks, SPAM
over Internet Telephony (SPIT) attacks, Eavesdropping, Spoofing, Number Harvesting, Protocol
anomaly or Fuzzing attacks, Signaling or Media threats, Toll Fraud and a myriad of UC
Infrastructure and Application layer threats. The paper describes the internal architecture and
technology used by the RSG Unified Communications Threat Management (UCTM) platform of
products. The UCTM gateway solutions provide comprehensive Visibility, Control and Protection of
Unified Communications & Collaborations, IP Voice and Video networks, systems and applications.

VOIP and UC Security Requirements


UC and VOIP security is vastly different from conventional data security due to the real-time
nature of the communications. The real-time characteristics include zero down time, near-100%
Quality-of-Service (QOS) parameters, reliability, low latency overheads and inherent security.
The complex nature of VOIP/UC networks, involving a myriad of protocols, applications, systems
and endpoints, not to mention dependence on the existing PSTN systems, poses a formidable
challenge for any new security solution to succeed. Due to this complex network, VOIP/UC is
subject to several new threat vectors that were not possible before, bringing new security
demands. Because of these unique security requirements, the underlying security technologies
are not well suited to counter them. The real-time reliability requirements also need to be
close to perfect. A typical response to a security attack in the data world requires human
intervention, which incurs significant time delays before the scope of the threat is reduced
and appropriate mitigation is applied. While this may be satisfactory in the data world,
VOIP/UC systems require a real-time response to security threats.

VOIP/UC is also highly sensitive to QOS parameters. If the security solution causes a noticeable
loss in voice quality or delays in the UC service experience, it becomes an unacceptable
solution. Any interruption in the flow of packets, reassembly or jitter will impact the quality
of the voice conversation or the integrity of a UC service. In the data world, these issues are
addressed by retransmission of the lost data, causing additional delays for the end user. While
this may be acceptable in the data world, a retransmission in the VOIP/UC realm would mean that
the caller has to repeat the lost voice message, or invoke the service again. This is an
unacceptable solution.

Latency is another factor. Modern data security solutions employ encryption and/or deep-packet
inspection methods to improve security. Both these methods introduce additional time delays and
jitter to VOIP/UC packet streams, thus impacting the overall QOS.

Lastly, UC networks based on open standards will continue to interact with legacy PSTN networks
using proprietary VOIP and UC protocols. This poses a new set of challenges and attack vectors,
with a large number of new infrastructure and security threats. With such a myriad of
deployment solutions and architectures spanning multiple protocols, endpoints, systems and
networks, the complexity of threat detection and mitigation grows exponentially.

Deployment Scenarios
The previous figure shows a typical deployment scenario with the various server farms, ranging
from database servers, email servers and web servers to VOIP/Video communications servers. A
typical deployment of the RedShift Security Gateway (RSG) would be to sit right in front of the
UC&C server farm, acting as a proxy-gateway solution inspecting both inbound and outbound
traffic. RSG provides flexibility and fine-grained handles to apply different security policies
and firewall controls either to an individual VOIP/UC application or to a server farm, in
addition to binding the security controls and services to combinations of server farms or user
groups.

A typical unified service (e.g. a web conferencing session that requires registration validation)
requires communication flows that can potentially span multiple server farms, as indicated by the
arrows. The red arrows indicate the communication flows being currently protected by various
best-of-breed vendors. The green dotted arrows indicate the communication flows that will
otherwise flow naked without the RSG (placed inline). The bold green lines indicate the
communication flows being protected with RSG placed inline.

VOIP/UC Threat Taxonomy


RedShift researchers have analyzed several thousand threats and vendor vulnerabilities compiled
from various sources, such as the VOIPSA group, CERT, BugTraq, internal research from CONDOR
Labs and other vulnerability postings gathered from several VOIP/UC vendors over the past
several years. The authors observe that VOIP/UC deployments face a variety of threats from
different entry points and attack vectors, ranging from exploitation of weaknesses in the L2-L4
networking layers, OS vulnerabilities, VOIP and UC protocol implementation weaknesses, UC
Infrastructure and Application Layer attacks and/or Device configuration weaknesses. The
authors have identified sixteen such broad threat categories that can affect critical VOIP and
UC networks and systems. The rationale behind the categories is to group common threat types
with similar exploit entry methods and/or common vulnerability properties together. This helps
in understanding the various threat vectors and in formulating a common, effective security
solution for each category.

• Device and OS Vulnerabilities
• Device Configuration Weakness
• IP/TCP (L2-L4) Network Infrastructure Weakness
• VOIP & UC Protocols Implementation Vulnerabilities
• VOIP & UC Network Eavesdropping
• VOIP & UC Network Interception and Modification
• VOIP & UC Protocol Fuzzing Attacks
• Voice & UC Denial of Service (VDOS/UCDOS) Attacks
• Signaling Threats
• Media Threats
• SPAM over Internet Telephony (SPIT)
• UC Infrastructure Weaknesses (Voice, Media, IM, Web, UC & Collaboration)
• UC Application Layer Threats
• Data → Voice Threats
• Voice → Data Threats
• Voice Phishing

Device and OS Vulnerabilities


VOIP and UC devices such as IP phones, smart phones, UC endpoints, Call Managers, Gateways,
Registration and other Proxy servers run on an underlying operating system. If the underlying
OS is compromised, this can lead to an integrity compromise of the affected device. Most of the
devices run on traditional operating systems, e.g. Windows, Linux, RTOS etc., for which
numerous exploits are publicly available.

A few examples in this category include:

• Several buffer overflow exploits publicly available against the Cisco IOS operating system [1]
• Denial-of-Service (DOS) exploits triggered by fragmented UDP packets for Alcatel and Avaya
  phones [2]

Device Configuration Weakness


Many attacks penetrate VOIP/UC infrastructures through configuration weaknesses, e.g. open
TCP/UDP ports, open file shares with global read/write permissions or temporary folders with
weak permissions. As a result, the services running on these devices become vulnerable to a wide
variety of attacks, resulting in either a loss of service or a compromise of the device.

A few examples in this category include:

• A known Cisco SIP-based phone telnet service vulnerability that allows the telnet service to
  be exploited by an attacker due to weak password permissions set on the VOIP device [3]
• The SNMP services offered by the devices may be vulnerable to reconnaissance attacks. For
  example, valuable information was gathered from an Avaya IP phone by using SNMP queries with
  the "public" community name [4]

IP/TCP (L2-L4) Infrastructure Weakness


The availability of the VOIP or UC services depends on the availability of the underlying IP/TCP
infrastructure that it sits on top of. VOIP and UC protocols rely on TCP and UDP as transport
mediums and hence are also vulnerable to attacks that TCP and UDP are generally exposed to, e.g.
DOS/DDOS, session hijacking, protocol anomalies, etc. which may cause an undesirable behavior
on the VOIP services.

A few examples in this category include:

• Several publicly available tools that generate TCP and/or UDP flooding attacks
• Malformed TCP packet generators that can result in undesirable crashes

VOIP and UC Protocol Implementation Vulnerabilities


VOIP and UC protocols such as SIP, SCCP, H.323, RTP, XMPP, MSRP, TIP, VXML, UXML, IM protocols
etc. are relatively new, emerging standards. Both the protocol specifications and the subsequent
vendor implementations need to mature to reduce the overall threat exposure. Examples include
parsing errors, NULL packets, anomalous packets, protocol state violations, RFC violations etc.

An example in this category:

• Several vulnerability discoveries in vendor implementations of VOIP products that use H.323
  and SIP by the University of Finland's PROTOS group [5]. The PROTOS work is publicly
  available, so any script kiddie can download and run the tools necessary to crash vulnerable
  implementations.

VOIP and UC Network Eavesdropping


These attacks allow the attacker to obtain sensitive business or personal information otherwise
deemed confidential. The mechanism is the intercepting and reading of messages and
conversations by unintended recipients. Once the information is collected and translated, various
Man-in-the-Middle (MITM) attacks can be launched, e.g. reading, inserting, modifying the
intercepted messages etc. Some examples include masquerading, registration hijacking,
impersonation and replay attacks.

Eavesdropping attacks describe a method by which an attacker is able to monitor the entire
signaling and/or data stream between two or more endpoints, but cannot or does not alter the
data itself.

Someone who hacked into a company's router could listen in on a board of directors' meeting and
use the information illegitimately to buy more stock or sell the information to another
institution. The range of possible threats is very large.

Example 1: Call Pattern Tracking


Call Pattern Tracking is the unauthorized analysis by any means of any traffic from or to any node
or collection of nodes on the network. It includes monitoring and aggregation of traffic for any
form of unauthorized pattern or signal analysis. Call Pattern Tracking is a technique for discovery
of identity, affiliation, presence and usage. It is a general technique that enables unauthorized
conduct such as theft, extortion and deceptive practices including phishing.

Example 2: Traffic Capture


Traffic Capture is the unauthorized recording of traffic by any means and includes packet
recording, packet logging and packet snooping for unauthorized purposes. Traffic capture is a basic
method for recording a communication without the consent of all the parties.

VOIP and UC Network Interception and Modification


These attacks are focused on compromising the integrity of a VOIP or UC service. The attacks
are very targeted and hard to detect. The end outcome of the attack can range from loss of
reputation or brand name to leakage of sensitive information. Some examples include
Collaboration Session hijacking, redirecting existing media conversations to an attacker
machine, the classic man-in-the-middle (MITM) attack, Broadcast hijacking, Identity theft,
Conversation alteration, Impersonation and Toll Fraud.

Example: Toll Fraud

Toll fraud happens when a hacker gains illegitimate access to a VoIP network and allows
unauthorized users to make calls to a premium rate number, e.g. repeated long distance calls to
international toll numbers. VoIP systems are particularly vulnerable to toll fraud because they
form an integral part of an enterprise's IP network, unlike PBX systems that are closely
monitored and managed by separate groups. VoIP toll fraud attacks can lead to serious financial
damage and loss of reputation in a remarkably short period of time.

In the example above, the hacker illegitimately breaks into an IP-PBX system to steal calling
minutes and make free long-distance calls to Dad (in London), Mom (in Tokyo) and Uncle (in
Delhi). A sophisticated hacker can also sell the stolen minutes on a thriving black market,
resulting in unsuspecting users buying and making illegitimate calls, which makes detection of
the source of the toll fraud much harder.

VOIP/UC Protocol Fuzzing Attacks


Fuzzing is a popular black-box testing method employed by software vendors to improve the
robustness and performance of their code. Fuzzing, as a term, relates to negative tests that
are designed to test what the software should not do. These tests range from input fuzzing and
protocol state fuzzing to structural fuzzing, often resulting in a crash, denial-of-service or
degradation.

There are several hundred such tools available on the web today that anyone can download and
run against a VOIP/UC network. A few examples of open-source tools include PROTOS [5] and SiVUS
[6]. Commercial tools include Spirent ThreatEX [7] and CodeNomicon [8]. A malicious user can run
these tools against any VOIP/UC network in a matter of minutes, resulting in varied threat risks
ranging from application crashes and information leaks to a denial of service.

VOIP/UC Denial of Service (VDOS/UCDOS) Attacks

Voice/UC DOS/DDOS attacks can be one of two kinds: (1) resource starvation or (2) resource
unavailability. Resource starvation usually happens due to flooding attacks originating either
from a single source or from multiple sources. A naive attacker can flood the destination server
with large numbers of control packets, hogging significant CPU bandwidth and making the victim
server that launches the VOIP or UC service totally unusable. The DDOS attack is a variant of
DOS, whereby the attacker uses multiple sources to collectively generate and send an excessive
number of flood packets to the victim server, often with fake and randomized source addresses,
so that the victim server cannot easily identify the flooding sources.

The second attack type (more of a stealth DOS category) uses a carefully crafted mechanism to
exploit a specific vulnerability (e.g. buffer overflow, shell code, a forged BYE request,
malformed or fuzzed inputs etc.) in one of the network-facing processes resident on the victim
server or VOIP/UC endpoint, thereby making it unusable, often leading to a crash or a compromise
of the VOIP/UC service integrity.

UC-DOS attacks come in several kinds, ranging from Presence state flooding, Message Waiting
Indication (MWI) flood attacks and sudden upsurges in Music-on-Hold messages to Unified
Messaging (UM) flooding attacks with a sudden upsurge in emails indicating new spurious voice
messages.
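As an added illustration that is not from the original paper or the UCTM product, the classifier below separates the two resource-starvation patterns just described on a constructed batch of SIP request events: a single-source flood that trips a per-source rate limit, and a distributed flood whose randomized sources keep every individual address under that limit. The thresholds, the event layout and the sample traffic are assumptions.

```python
"""Classify VOIP/UC signaling floods in a batch of constructed SIP request events.

Added example (not RedShift code). Two patterns from the text are covered:
  (1) resource starvation from a single source, caught by a per-source rate limit;
  (2) a distributed flood with randomized sources, where no single address trips
      the per-source limit but the aggregate rate and source count give it away.
"""
from collections import Counter, deque

# Assumed policy thresholds; tune per deployment.
PER_SOURCE_LIMIT = 50      # requests per window from one address before alerting
AGGREGATE_LIMIT = 200      # requests per window, all sources, before suspecting DDOS
MIN_DISTINCT_SOURCES = 50  # randomized-source floods are spread over many addresses
WINDOW_SECONDS = 1.0

# Constructed sample: (timestamp in seconds, source address, SIP method, request URI).
# A real monitor would read these from a SIP proxy log or a packet tap.
SAMPLE_EVENTS = (
    # 100 INVITE/s from one host for 3 s: single-source resource starvation.
    [(t * 0.01, "10.0.0.9", "INVITE", "sip:1001@pbx.example") for t in range(300)]
    # 400 REGISTERs in 1 s from 200 rotating addresses: distributed flood.
    + [(3.0 + t * 0.0025, f"203.0.113.{t % 200}", "REGISTER", "sip:pbx.example")
       for t in range(400)]
    # Normal traffic: one INVITE every half second.
    + [(5.0 + t * 0.5, "10.0.0.20", "INVITE", "sip:1002@pbx.example") for t in range(10)]
)


def detect_floods(events, window=WINDOW_SECONDS):
    """Return alert dicts for single-source and distributed floods.

    `events` must be sorted by timestamp. A sliding window over the last
    `window` seconds keeps per-source and aggregate request counts; both
    checks run as each event arrives. Each condition alerts once.
    """
    recent = deque()        # (timestamp, source, method) inside the window
    per_source = Counter()  # requests per source inside the window
    alerts, flagged_sources, ddos_flagged = [], set(), False
    for ts, src, method, _uri in events:
        recent.append((ts, src, method))
        per_source[src] += 1
        # Expire events that fell out of the window.
        while recent and ts - recent[0][0] > window:
            _old_ts, old_src, _old_method = recent.popleft()
            per_source[old_src] -= 1
            if per_source[old_src] == 0:
                del per_source[old_src]
        # (1) One address alone exceeds the per-source budget.
        if per_source[src] > PER_SOURCE_LIMIT and src not in flagged_sources:
            flagged_sources.add(src)
            alerts.append({"kind": "single_source_flood", "source": src,
                           "method": method, "rate": per_source[src], "at": ts})
        # (2) Aggregate rate is excessive and spread over many sources, so the
        #     per-source check stays silent: the randomized-source DDOS case.
        if (not ddos_flagged and len(recent) > AGGREGATE_LIMIT
                and len(per_source) >= MIN_DISTINCT_SOURCES):
            ddos_flagged = True
            top_method = Counter(m for _, _, m in recent).most_common(1)[0][0]
            alerts.append({"kind": "distributed_flood", "sources": len(per_source),
                           "method": top_method, "rate": len(recent), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_EVENTS):
        print(alert)
```

The per-source rule alone never fires during the distributed phase, which is exactly why the aggregate-plus-source-count rule is needed for the randomized-address case.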

Signaling Threats
Signaling protocols that are not properly authenticated and encrypted, and that lack proper
authorization controls, expose several threats, including:

• Identification of VoIP/UC devices
• Protocol enumeration (SIP REGISTER, OPTIONS and INVITE methods) and VoIP war-dialing
• Vulnerability scanning of VOIP/UC endpoints
• Number harvesting and Call pattern tracking
• Authentication cracking and guessing
• Caller ID spoofing: techniques, services and scenarios
• Signaling manipulation attacks: Registration (removal, addition and hijacking methods) and
  Redirection attacks
• Signaling teardown resulting in denial-of-service
• Advanced Man-in-the-Middle (MITM) signaling attacks and scenarios
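An added example, not part of the original paper or the UCTM product, that flags two items from the list above, authentication guessing and registration hijacking, on constructed SIP REGISTER transaction records. The record layout, the failure threshold and the rule that an account's contact may only move after an orderly unregister are assumptions.

```python
"""Flag authentication guessing and registration hijacking in SIP REGISTER records.

Added example (not RedShift code). Records are constructed and carry the final
response the registrar sent after the digest challenge round-trip, so a 401/403/407
here means the credentials offered were rejected, not the routine first challenge.
Rule of thumb applied: an account's contact may only move to a new host after an
orderly unregister (Contact: * or Expires: 0); otherwise the move is suspicious.
"""
from collections import Counter

AUTH_FAIL_LIMIT = 10  # rejected attempts per (source, account) before alerting (assumed)

# (timestamp, source address, account of record, final status, Contact URI, Expires)
SAMPLE_TRANSACTIONS = [
    (0.0, "10.0.1.5", "sip:1001@pbx.example", 200, "sip:1001@10.0.1.5:5060", 3600),
    (0.5, "10.0.1.6", "sip:1002@pbx.example", 200, "sip:1002@10.0.1.6:5060", 3600),
    # Twelve rejected attempts against 1001 from one outside address.
    *[(1.0 + i * 0.2, "198.51.100.7", "sip:1001@pbx.example", 403, None, None)
      for i in range(12)],
    # The same address then registers 1001, silently moving its contact binding.
    (4.0, "198.51.100.7", "sip:1001@pbx.example", 200, "sip:1001@198.51.100.7:5060", 3600),
    # 1002 unregisters, then re-registers from a new desk: a legitimate move.
    (5.0, "10.0.1.6", "sip:1002@pbx.example", 200, "*", 0),
    (5.5, "10.0.1.8", "sip:1002@pbx.example", 200, "sip:1002@10.0.1.8:5060", 3600),
]


def contact_host(contact):
    """Host part of a Contact URI like sip:1001@10.0.1.5:5060 (IPv4 or hostname assumed)."""
    hostport = contact.split("@", 1)[-1]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def analyze_registrations(records, fail_limit=AUTH_FAIL_LIMIT):
    """Return (alerts, bindings): alerts found and the final account -> host map."""
    failures = Counter()   # (source, account) -> rejected attempts
    bindings = {}          # account -> host currently bound
    alerts, flagged = [], set()
    for ts, src, account, status, contact, expires in records:
        if status in (401, 403, 407):
            key = (src, account)
            failures[key] += 1
            if failures[key] >= fail_limit and key not in flagged:
                flagged.add(key)
                alerts.append({"kind": "auth_guessing", "source": src, "account": account,
                               "failures": failures[key], "at": ts})
            continue
        if status != 200:
            continue
        if contact == "*" or expires == 0:
            bindings.pop(account, None)  # orderly unregister: the old binding is gone
            continue
        host = contact_host(contact)
        previous = bindings.get(account)
        if previous is not None and previous != host:
            alerts.append({"kind": "contact_moved", "account": account, "from": previous,
                           "to": host, "source": src,
                           "after_auth_failures": (src, account) in flagged, "at": ts})
        bindings[account] = host
    return alerts, bindings


if __name__ == "__main__":
    found, final = analyze_registrations(SAMPLE_TRANSACTIONS)
    for alert in found:
        print(alert)
    print(final)
```

A contact_moved alert on its own is only a mobility signal; the after_auth_failures flag is what turns it into a registration-hijack indicator worth acting on.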

Media Threats
Employing video communications over IP networks greatly enhances an organization's
collaboration points. Ensuring that the IP network is ready for video is critical to realizing
the full business benefits of Unified Communications. However, the media infrastructure suffers
from several threat vectors, including:

• Exploiting weaknesses in Video Infrastructure
• Exploiting weaknesses in IP Video protocols and networks
• Inserting malicious code/scripts in the media payloads
• Exploiting vulnerabilities in Video Applications, e.g. Media Players, Browser-based Media
  streaming etc.

Examples include:

• Video DOS/DDOS Attacks
  – The attacker sends a flood of RTP/RTCP packets towards a target [endpoints, servers],
    resulting in a denial-of-service
• Video SPAM
  – The attacker sends a Video SPAM message [e.g. Viagra message] to many end nodes
    simultaneously
• Video Eavesdropping
  – Eavesdropping on Video traffic or DTMF tones using video or DTMF sniffer tools (MITM
    Attack)
• Video Replay (or Redirect) Attack
  – An attacker intercepts a live video conference, e.g. one presented by the CEO, and replays
    an earlier private conversation of his with an investor
• Video Hijack
  – An attacker intercepts a live RTP video conferencing stream and hijacks it with another
    video clip [e.g. porn]
• Video Teardown
  – An attacker tears down an existing video session using a carefully crafted packet
• Video Recording
  – An attacker illegitimately intercepts and records live video traffic using a packet
    capture tool [e.g. Wireshark] and saves it into a .WAV/.AVI file that can then be replayed
    at will

SPAM over Internet Telephony (SPIT)


SPAM over Internet Telephony (SPIT) has the potential to grow into as big a problem as its email
counterpart. With the increasing deployment of IP solutions, it is expected that SPIT will be an
attractive choice for spammers due to its low cost and the pervasiveness of the internet.

Conventional SPAM methods adopted by telemarketers require a human presence, manually dialing
the phone numbers and making the voice connections. This changes drastically with IP networks,
as even a simple computer script can now flood corporate phone systems that lack adequate
protection.

The above figure shows an example where a telemarketer floods corporate VOIP phones with Viagra
SPAM messages. There is a general perception that Voice SPAM will suffer the same fate as Email
SPAM. Most of the VOIP deployments today are confined to restricted zones with limited internet
access; once they become available on open networks and within the reach of spammers, the
problem will worsen exponentially.

UC Infrastructure Threats (Voice, Media, IM, Web, UC & Collaboration)

UC infrastructure, comprising a complex network of servers, protocols, users and endpoints,
needs to enforce strict policy lockdown measures to reduce the attack exposure. A few examples
in this category include:

• Unauthorized use of Voice Assets (IP PBX, IP Phone etc.)
• Fraudulent/wasteful employee calling activity
• Privilege escalation of VOIP or UC services by Users with lower privileges
• Excessive use of bandwidth-heavy services
• Weak controls on VOIP/UC services such as FAX over IP, VOIM, video chats
• Weak controls on IM or Media services
• Exploitation of weak administrative access levels
• Weak IP-PBX controls and threats, e.g. Blind Transfer, Auto Attendant override, Music on
  Hold threats, Call forwarding, Do-Not-Disturb attacks

UC Application Layer Threats
UC applications such as Presence, Unified Messaging, Collaboration, Conferencing, IVR, ACD,
Telepresence etc. also suffer from threats if proper security controls are not enforced. A few
examples include:

• Presence -- Illegal Presence state manipulation
• Presence -- Unauthorized Presence state monitoring
• Presence -- Protocol content manipulation resulting in invalid states
• Presence -- Publishing invalid presence states
• Presence -- Presence masquerading (or spoofing)
• Presence -- Continuous Presence state publishing (DDOS attack)
• UM -- Illegal Voicemail Reconstruction, retrieval, broadcast
• UM -- Fax Reconstruction and broadcast
• UM -- Message Waiting Indication (MWI) attacks
• UM -- Email SPAM on Voice mail systems
• UM -- Address Book Attacks (MS)
• UM -- Protocol Attacks/Vulnerabilities
• UM -- DOS on Voice mail systems, email systems, fax machines etc.
• Conferencing -- Illegal Join/Leave attacks
• Conferencing -- Policy definition attacks
• Conferencing -- Moderator or Floor control attacks
• Conferencing -- Conference session Hijacking or Illegal use of conferencing functions
• Collaboration -- Collaboration session Hijacking, Altering or Routing
• Collaboration -- Eavesdropping
• Collaboration -- Remote User attacks, e.g. DOS attack, Teardown
• Collaboration -- Identity Spoofing/Theft attacks
• And many more.

Data → Voice Threats
The beauty of converged networks is that voice over IP is 'just' another application running on
the data network. Unfortunately, from a security viewpoint this means that it will also be
affected by all the attacks that affect data networks, even if they are not deliberately
targeting voice over IP.

The most significant specific threat to VoIP is denial of service (DOS), because this can bring
a data network to its knees and shut down all applications running on it, including VoIP. This
means that affected users could be without phone service until the network is back up. Specific
threats include buffer overflow exploits, malicious SQL or command injection [11] and Cross-site
scripting attacks [10].

The security bugs that plague data applications will also affect VOIP/UC users, because VOIP/UC
is just another internet-facing application, making the network vulnerable to malicious users.

Voice → Data Threats

Specific kinds of threats are also possible from the Voice realm to the Data realm, especially
with advanced UC applications such as Unified Messaging that connect several aspects of user
mobility and connectivity across different form factors. A few examples include:

• Intercepting Voice messages going to a specific User and illegitimately broadcasting them as
  Voice-Emails to all users
• Automated IVR systems that take voice inputs and translate them into data inputs for a Web
  Application (or a Web Service) can, when the inputs are not properly sanitized, result in
  Data threats or nuisance.
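The IVR case in the last bullet, as an added example that is not from the original paper: an IVR hands a transcribed account number to a backend lookup, shown first with string-concatenated SQL and then with allow-list validation plus a parameterized query. The table, the sample rows, the injected input and the 4-12 digit account format are constructed assumptions.

```python
"""IVR input handed to a backend query: injectable concatenation beside a hardened form.

Added example (not RedShift code). The IVR collects an account number, either as
DTMF digits or as a speech-to-text transcription, and looks it up in a database.
DTMF can only yield digits, * and #, but a transcription can hand over arbitrary
text, which is the Voice -> Data path that makes the unsafe lookup injectable.
"""
import re
import sqlite3

# Assumed: account numbers are 4 to 12 decimal digits; nothing else is valid IVR input.
ACCOUNT_PATTERN = re.compile(r"\d{4,12}")

# Constructed: what a speech-to-text front end could pass on if the caller says this.
INJECTED_INPUT = "100200' OR '1'='1"


def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (number TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("100200", "A. Example", 1200),
        ("100201", "B. Example", 8450),
        ("100202", "C. Example", 30),
    ])
    return db


def lookup_unsafe(db, ivr_input):
    """Vulnerable: the transcribed input becomes part of the SQL text itself."""
    query = ("SELECT number, owner, balance FROM accounts WHERE number = '"
             + ivr_input + "'")
    return db.execute(query).fetchall()


class InvalidIvrInput(ValueError):
    """Raised when IVR input does not look like an account number."""


def is_valid_ivr_input(ivr_input):
    """Allow-list check: only a bare 4-12 digit account number passes."""
    return ACCOUNT_PATTERN.fullmatch(ivr_input) is not None


def lookup_safe(db, ivr_input):
    """Hardened: reject anything but an account number, then bind it as a parameter."""
    if not is_valid_ivr_input(ivr_input):
        raise InvalidIvrInput("IVR input is not an account number")
    query = "SELECT number, owner, balance FROM accounts WHERE number = ?"
    return db.execute(query, (ivr_input,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_unsafe(db, "100200"))        # the one matching row
    print(lookup_unsafe(db, INJECTED_INPUT))  # every row: the WHERE clause was rewritten
    print(lookup_safe(db, "100200"))          # same single row
    try:
        lookup_safe(db, INJECTED_INPUT)
    except InvalidIvrInput as err:
        print("rejected:", err)
```

The parameter binding alone would already stop the injection; the allow-list check additionally rejects input the IVR was never meant to collect before it reaches any backend.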

Voice Phishing
Voice phishing works very similarly to email phishing. It is a new form of identity theft that
tricks people into revealing personal information when the scammer replaces a website with a
telephone number, or is able to redirect the traffic going to the genuine Bank's PBX to a Fake
PBX [as shown in the example below]. In the case of the former, the message will be marked
urgent and will ask the recipient to respond quickly. Once the naïve user starts keying in
personal information, e.g. social security number, driver's license, credit card numbers or
Bank ATM number, the digits are retrieved from the payloads using advanced tools.

Drawbacks to Today’s UC/VOIP Security
The table above maps the threat categories listed above against current protective solutions,
ranging from DOS/DDOS appliances, SBCs, Data Firewalls, Anti-SPAM devices, IDS/IPS appliances
and HIPS/DB firewalls to UCTM. The green boxes indicate full protection, orange indicates
partial protection, and the remaining boxes indicate no protection at all.

Addressing the complex security and deployment challenges mandated by VOIP networks and UC
applications is a formidable task. Existing solutions are deficient in a number of ways:

• They cannot function in real time (except SBCs)
• They cannot process encrypted traffic (except SBCs)
• They cannot do deep packet inspection (or examination) of VOIP protocols such as SIP, H.323,
  SCCP and RTP
• They cannot protect against zombie or malware attacks spreading from end users, e.g. via
  click-2-call applications
• They cannot keep up and provide adequate protection for higher UC and CEBP services and
  features
• They have a high percentage of false positives and false negatives, which is tolerable in
  data applications but not for real-time applications
• Most existing protective solutions are offered as piecemeal solutions employing multiple
  security products such as firewalls, IDS/IPS, DOS appliances and other security devices that
  are upgraded to support VOIP in addition to data protection. These devices are not well
  suited to address complex VOIP and UC application layer attacks
• The additional devices also result in multiple hops in the network, leading to additional
  time delays and calling into question their overall viability to meet VOIP
  quality-of-service requirements

Comprehensive UC/VOIP Security

A comprehensive VOIP security solution, while meeting the mandatory requirements for real-time
communications such as real-time performance and QoS, should also provide best-of-breed
security technologies that ensure that VOIP, UC and CEBP security threats are proactively
recognized, detected and remediated. The authors strongly feel that, in order to meet the complex
security requirements of VOIP, UC and CEBP traffic comprehensively, a solution should have the
following characteristics:

• Deep packet inspection capabilities from Layer 3 up to Layer 7 for VOIP and UC traffic
• Advanced correlation of protocol state and security events across the different layers and
security modules
• Heterogeneous architecture comprising both proactive and reactive solution elements
• One VOIP security solution – not a patchwork of several piecemeal solutions
• Tightly integrated with the IP-PBX and other communication infrastructure elements – easy to
deploy and manage
• Low latency using advanced software, hardware and system acceleration techniques
• Near-zero false positives and false negatives
• Comprehensively addresses VOIP, UC and CEBP application security threats
• Easy integration with third-party vendor solutions providing UC and SOA services (e.g.
Microsoft, SAP, BEA, IBM)
• Provides visibility into all VOIP and UC traffic
• Provides control over all UC services, applications and assets

Some of the core UCTM security features include:

• Protection against Voice DOS/DDOS threats
• Protection against VOIP SPAM (SPIT)
• Protection against war-dialing threats
• Protection against UC application layer threats such as Toll Fraud, Collaboration Hijacking
and Number Harvesting
• Protection against eavesdropping threats
• VOIP intrusion prevention capabilities with signature support
• Full termination, stateful and deep packet inspection of VOIP, UC and CEBP traffic
• Protection against protocol anomaly or fuzzing style attacks
• Protection from data threats such as SQL injection or Cross-Site Scripting attacks
• Sophisticated application behavioral learning
• Automatic learning and enforcement of positive behaviors
• Control and visibility
• Not a single point of failure in the network
• Complete examination of both encrypted and plain-text traffic
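As an added illustration of the Layer 7 inspection the lists above call for (example code written for this page, not the paper's or RedShift's own), the following Python sketch parses one SIP request and flags the anomaly classes named here: missing mandatory headers, overlong fields of the kind fuzzers produce, a Content-Length that disagrees with the body, and SQL-injection-style characters in the From/To URIs. The header size cap, the accepted method list and both sample messages are constructed assumptions.

```python
import re

# Policy values and sample messages are constructed for this example, not figures
# from the white paper.
MAX_HEADER_LEN = 512  # assumed per-header size cap
REQUIRED = ("via", "from", "to", "call-id", "cseq")  # mandatory request headers
INJECTION = re.compile(r"('|--|;\s*(drop|delete|update|insert)\b)", re.I)
REQUEST_LINE = re.compile(r"^(INVITE|REGISTER|ACK|BYE|CANCEL|OPTIONS) sips?:\S+ SIP/2\.0$")


def parse_sip(raw):
    """Split a SIP request into (request line, headers, body); ValueError if a header is malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("header line without colon: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def inspect_sip(raw):
    """Return anomaly findings for one SIP request; an empty list means it passes."""
    try:
        req, headers, body = parse_sip(raw)
    except ValueError as err:
        return ["malformed: %s" % err]
    findings = [] if REQUEST_LINE.match(req) else ["bad request line"]
    findings += ["missing header: " + h for h in REQUIRED if h not in headers]
    for name, values in headers.items():
        if any(len(v) > MAX_HEADER_LEN for v in values):
            findings.append("oversized header: " + name)  # fuzzer-style overlong field
    declared = headers.get("content-length", ["0"])[0]
    if not declared.isdigit() or int(declared) != len(body):
        findings.append("content-length mismatch")  # declared length vs. actual body
    for name in ("from", "to"):
        if any(INJECTION.search(v) for v in headers.get(name, [])):
            findings.append("injection pattern in " + name)  # SQL-style payload in URI
    return findings


# Constructed samples: a well-formed INVITE and one carrying three anomalies.
GOOD_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
               b"Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776\r\n"
               b"From: <sip:alice@example.com>;tag=1928\r\nTo: <sip:bob@example.com>\r\n"
               b"Call-ID: a84b4c76@10.0.0.1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
BAD_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP " + b"A" * 600 +
              b"\r\nFrom: <sip:' OR 1=1 --@example.com>;tag=7\r\nTo: <sip:bob@example.com>\r\n"
              b"CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
```

A production inspector would additionally track dialog state across messages (Call-ID, CSeq, transaction branch) so that the correlation the list above asks for is possible; this sketch judges one message in isolation.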

Conclusions
Current VOIP security solutions fall into two broad categories: (1) Session Border Controllers (SBC)
and (2) data security products. The SBC, sitting at the edge of the voice network, provides basic VOIP
protection capabilities such as authentication, encryption and port/ACL filtering. SBCs do not have
the horsepower and intelligence to perform deep packet inspection of higher-layer
VOIP and UC protocol traffic, an essential requirement for protection against VOIP and UC layer
threats.

The data security products do limited deep packet inspection and provide basic DOS/DDOS and
protocol anomaly protection, but are simply not geared to address the real-time challenges and
increased complexity of VOIP networks. The QoS requirement for real-time communications (2 ms
for signaling and 100 µs for media) is also a hard deployment challenge to satisfy.

In essence, a new best-of-breed product category is required to comprehensively address
VOIP, UC and CEBP security while strictly adhering to the real-time deployment requirements. The
device should be easy to deploy, deliver real-time performance and possess advanced security techniques
and technologies to protect VOIP, UC and CEBP applications against a wide array of threat vectors
and security risks.


About RedShift Networks

RedShift Networks is the leader in Secure Communications and Collaborations solutions, the industry’s first
comprehensive security solution for IP Voice, Video and Unified Communications & Collaboration (UC&C)
networks, systems and applications. The core team comprises world-class executives from leading
communication and system companies such as Avaya, Cisco, SGI, Alcatel-Lucent, HP, Secure Computing and
Ascend. RedShift’s Board of Advisors includes some of the leading figures in the world of technology and
academia. Founded in 2007, RedShift is headquartered in Silicon Valley with operations in India. Visit
www.redshiftnetworks.com.

Author
Srinivas Mantripragada, CTO & VP, Products, RedShift Networks
