xchange

Big Brother Is Watching

New network monitoring tools look for VoIP

Charlotte Wolter
03/01/2006

If familiarity breeds contempt then it could be said that popularity breeds enemies — and VoIP is no exception.

While VoIP hasn’t yet been the target of a headline-grabbing zombie attack or virus, as services proliferate, concerns grow. Real money is at stake, and no service provider or enterprise wants to be the poster child for VoIP security.

At the same time, there are new ideas of exactly what constitutes a threat. Some view IP service providers — anyone offering multimedia services over the Internet — as threats to their established businesses. Some service providers would like to block the uses of free or third-party VoIP services on their access networks to prevent what they call, with no sense of irony, “revenue leakage.”

Narus Inc. has made a name for itself providing high-level security for large IP networks, such as those operated by large telecom carriers like AT&T Inc., KDDI, KPN, KT, Saudi Telecom, T-Mobile USA Inc., Telecom Egypt and US Cellular, as well as governments.

The company has just announced a reference design, developed with IBM Corp. and Brasil Telecom S.A., to identify and classify traffic by service, and to feed that information to an IBM system that can generate billing records.

Steve Bannerman, vice president of marketing at Narus, says the carrier is interested in monitoring “to ensure accountability for VoIP services moving across the network. Some services may originate on their network and terminate on another. Today there is no settlement.”

According to Bannerman, the goal is not simply to block third-party VoIP traffic “because shutting out others is a bad idea. They have recognized that if they block VoIP traffic, someone will block theirs too. So, though they would probably love to block the traffic, it’s not likely.” Bannerman adds, “Yes, they are worried about Vonage and Lingo but recognize that a lot of thinking has to go on before they come up with the best approach to deal with those guys.” The trend in VoIP, as in the rest of the Internet, is for settlement-free peering of traffic, but in traditional telecom, traffic exchanges almost always involve settlement.

The Narus product sits at the peering link between networks and examines each packet. “Our algorithms look at headers and see what the traffic is. They look for SIP headers,” Bannerman says. Such minute examination is a computationally demanding task, “but that is our secret sauce. We can, at high speed, parse traffic and send it up to higher-level applications,” such as the IBM billing application, he says.
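The header inspection Bannerman describes can be illustrated with a small classifier that decides whether a packet payload is plaintext SIP and pulls out the fields an accounting layer would need. This is an added example, not Narus code; the function name, field selection and sample payloads are assumptions made for illustration.

```python
import re

# SIP start lines (RFC 3261): request "INVITE sip:... SIP/2.0" or status "SIP/2.0 200 OK".
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")
WANTED = {"call-id", "from", "to", "cseq", "via"}
COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via"}  # compact header forms

# Constructed sample payloads (documentation domains and addresses), not captured traffic.
SAMPLES = [
    b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    b"f: <sip:alice@example.net>\r\nTo: <sip:bob@example.com>\r\n"
    b"Call-ID: a84b4c76e66710\r\nCSeq: 1 INVITE\r\n\r\nv=0\r\n",
    b"SIP/2.0 200 OK\r\ni: a84b4c76e66710\r\nCSeq: 1 INVITE\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"\x80\x00\x1f\x40\x00\x00\x03\xe8" + b"\xff" * 20,  # RTP-like binary
]


def classify_payload(payload: bytes):
    """Return a record for a plaintext SIP message, or None for anything else."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None  # binary payload: not plaintext SIP
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    req, status = REQUEST_LINE.match(lines[0]), STATUS_LINE.match(lines[0])
    if req:
        record = {"kind": "request", "method": req.group(1), "uri": req.group(2)}
    elif status:
        record = {"kind": "response", "code": int(status.group(1))}
    else:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        key = COMPACT.get(name.strip().lower(), name.strip().lower())
        if sep and key in WANTED:
            headers.setdefault(key, value.strip())
    # A start line alone can match by accident; also require Call-ID and CSeq.
    if "call-id" not in headers or "cseq" not in headers:
        return None
    record["headers"] = headers
    return record


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_payload(sample))
```

Matching on the start line and mandatory headers rather than on port 5060 is what lets a monitor recognize SIP on any port, though signaling carried inside an encrypted stream is not visible to this kind of check.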

One of the unique features of the Narus software, apart from its ability to monitor VoIP specifically, is that it not only identifies worms and viruses, but also looks at behavior across a network and correlates behavior on different links. This gives it the ability to see “trickle” attacks, where small attacks come from thousands of different sources. It also can do behavioral analysis of BGP (border gateway protocol, for routing between domains), which protects routers, the key element of IP networks.

Because it has its own signaling system, the open-source IP voice system Asterisk is not considered to be as much at risk of attack as some other VoIP systems. But any system on an IP network needs protection from intrusion.

For this reason, Digium Inc., the original creator of Asterisk and pioneer of open-source telephony, and Ranch Networks Inc., provider of an IP telephony network appliance that combines security and bandwidth control for IP applications, have introduced a security code for the Asterisk IP telephony platform. The code is available for download from the Ranch Networks and Digium Web sites.

The security code gives an Asterisk server the ability to control the Ranch Networks appliance for dynamic per-call firewall control, bandwidth management, NAT traversal and RTP traffic bridging, all supporting encrypted signaling streams. The technologies separate voice, video and data traffic into multiple, secure zones without having to reconfigure IP addresses.

What this means is that the Ranch Networks appliances do not open pinholes in the firewall for a VoIP call until the Asterisk server sends a command specifically requesting one, and the server closes the pinhole when the call ends. Further, because the Ranch Networks device also tells the server which ports it is using for the media, there is little chance the media will not flow correctly, while unwanted traffic can be refused a bridge.
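The per-call pinhole behavior described above can be modeled as a default-deny filter whose only permitted flows are the ones the call server opens at setup and removes at hangup. This is an added sketch, not Ranch Networks or Digium code; the class, method names and addresses are hypothetical and do not reflect the appliance's actual command interface.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pinhole:
    """One permitted media flow: a UDP source/destination pair for a single call."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PerCallFirewall:
    """Default-deny media filter; only the call server may add or remove pinholes."""
    pinholes: dict = field(default_factory=dict)  # call_id -> set of Pinhole

    def open_for_call(self, call_id, a, b):
        """Call server command at setup: allow media in both directions between a and b."""
        self.pinholes[call_id] = {Pinhole(*a, *b), Pinhole(*b, *a)}

    def close_for_call(self, call_id):
        """Call server command at hangup: remove every pinhole tied to the call."""
        return self.pinholes.pop(call_id, None) is not None

    def permits(self, src_ip, src_port, dst_ip, dst_port):
        """Data-path check for one UDP packet."""
        flow = Pinhole(src_ip, src_port, dst_ip, dst_port)
        return any(flow in holes for holes in self.pinholes.values())


def run_scenario():
    """Constructed call: two endpoints on documentation addresses, one outside sender."""
    fw = PerCallFirewall()
    phone_a, phone_b = ("192.0.2.10", 16384), ("198.51.100.20", 20000)
    stranger = ("203.0.113.5", 16384)
    results = {"before_call": fw.permits(*phone_a, *phone_b)}
    fw.open_for_call("call-1", phone_a, phone_b)
    results["during_call"] = fw.permits(*phone_a, *phone_b)
    results["reverse_path"] = fw.permits(*phone_b, *phone_a)
    results["stranger_to_open_port"] = fw.permits(*stranger, *phone_b)
    fw.close_for_call("call-1")
    results["after_hangup"] = fw.permits(*phone_a, *phone_b)
    return results
```

Because each pinhole is keyed to the full address and port pair of one call, a sender that merely targets the port a call is using is still refused, which a statically opened media port range would not do.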

The Ranch Networks appliance also dynamically enables or disables bandwidth for voice. When phone calls are active, it can guarantee bandwidth for voice and shrink the bandwidth for data, which not only enables the call to go through but also protects quality.

Links
Brasil Telecom S.A. www.brasiltelecom.com
Digium Inc. www.digium.com
Narus Inc. www.narus.com
Ranch Networks Inc. www.ranchnetworks.com

