
 
Rasa Siegberg

Are we letting our guard down?

Guest post by Rasa Siegberg
Categories: Technology
May 8th, 2008

[IP-based services such as VoIP (with or without IMS) run over open IP networks. As such, they are susceptible to security threats similar to those on the Internet. As VoIP communications become widely used, their security level becomes essential. In this guest post, Rasa Siegberg, a Senior Systems Engineer from SafeNet, provides his insights into VoIP and security.]

The Great IP Migration

The venerable voice communications industry is undergoing one of the most significant evolutionary steps of its long history. The ubiquitous IP networks offer an efficient and viable alternative to the “good old” circuit-switched voice telephony in the form of Voice over IP (VoIP).


The carriers that have made, and still make, their revenue on voice telephony are facing ever-stiffening competition from Internet-based VoIP providers (like Skype), and are embracing VoIP en masse as the initial application of their “all IP” migration.

The migration from circuit-switched voice calls, whether over fixed or radio networks, to VoIP is largely invisible to consumers. After all, to the end-customer a voice call is a voice call regardless of how the call is technically implemented. There are, however, some interesting issues that this migration to IP raises in a security context.

Who do we trust?

There exists an implicit relationship of trust between the telephony subscriber and the service providing carrier: the carrier guarantees that the calls and their content are confidential against interception and tapping, and that the billing of the subscriber is correct as per the services used.

In the circuit-switched networks of today, the closed nature of the network, as well as the over-the-air encryption of GSM/3G voice calls, has shielded the call content and signaling data from possible prying eyes. In IP networks this situation changes dramatically, as there is no guarantee of the integrity and ownership of the routers, networks, and links the IP packets may traverse.

The openness of the Internet Protocol (IP) allows a malicious third party to see, and possibly modify, the packets as they come and go between the endpoints. An attacker may pose as the other peer to each of the endpoints: the so-called “man-in-the-middle” attack. Attacks like this are part of the threat models of the Internet, and as the telecommunications industry’s great migration towards the “All-IP” services model proceeds, they become all the more relevant.

Letting the guard down with IP?

In the customer’s eyes, the VoIP service is a continuation of the voice communications service. Consequently, there is little justifiable reason for the level of protection for confidentiality and integrity to decrease. The market requirements for security (confidentiality, integrity, authentication) are not decreasing; quite the contrary.

The IP based services, be they voice communications such as VoIP or other messaging services envisioned, must provide the end-customers and carriers with a security level at least comparable to that of the present generation of services. The new generation of voice services over IP must guarantee that the voice “channel” is secure against unlawful interception and wiretapping, and that the signaling and session set-up (with the SIP protocol) is secured against monitoring and manipulation by 3rd parties. This is not the case today.

IP Security for VoIP and SIP

The inherent lack of security of the IP protocol has been addressed with a set of standardized protocols for IP security (IPsec) in the Internet Engineering Task Force, the standardization body for Internet technologies. These protocols offer a powerful set of tools for implementing confidentiality and integrity protection within VoIP services. The IPsec protocol suite offers strong cryptographic protection for the IP traffic and guarantees that the data arrives at its destination without modification or inappropriate disclosure to eavesdroppers.
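A simplified model of the integrity and anti-replay checks that IPsec ESP applies to a packet carrying SIP signaling, as an added example that is not part of the original post or of any vendor toolkit. Assumptions: encryption is omitted (the Python standard library has no AES), the key, SPI, addresses and SIP message are constructed, and strict sequence ordering stands in for ESP's sliding replay window.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128, RFC 4868)

# Constructed sample: a SIP INVITE whose SDP body says where media should go.
INVITE = (
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    b"From: <sip:alice@example.com>;tag=1\r\n"
    b"To: <sip:bob@example.net>\r\n"
    b"Call-ID: constructed-1@192.0.2.10\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
    b"c=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"
)

def protect(key, spi, seq, payload):
    """Sender: prepend SPI and sequence number, append the integrity check value."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv

class Receiver:
    def __init__(self, key, spi):
        self.key, self.spi, self.highest_seq = key, spi, 0

    def accept(self, packet):
        """Return the payload, or None if the packet is altered, forged or replayed."""
        if len(packet) < 8 + ICV_LEN:
            return None
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if spi != self.spi or not hmac.compare_digest(icv, expected):
            return None  # modified in transit, or not produced with the shared key
        if seq <= self.highest_seq:
            return None  # sequence number already seen: replayed packet
        self.highest_seq = seq
        return body

def demo():
    key = bytes(range(32))  # constructed key; real IPsec negotiates keys with IKE
    rx = Receiver(key, spi=0x1001)
    packet = protect(key, 0x1001, 1, INVITE)
    # Simulate an on-path change to the media address in the SDP body.
    tampered = packet.replace(b"c=IN IP4 192.0.2.10", b"c=IN IP4 203.0.113.9")
    return rx.accept(tampered), rx.accept(packet), rx.accept(packet)
```

`demo()` returns the results for the altered packet, the genuine packet, and a second copy of the genuine packet: only the genuine first delivery yields the INVITE.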

Integrating IPsec into VoIP services provides the market with a VoIP service that does not imply a lapse in call confidentiality and integrity as the voice call market migrates from circuit-switched voice telephony to IP based voice services.

Addressing the Need

RADVISION and SafeNet, both leading technology vendors in their selected fields, SIP and IPsec protocol toolkits respectively, have recently teamed up to provide the market with a combined SIP + IPsec protocol offering. The pre-integrated toolkit offering of RADVISION and SafeNet places the considerable experience and expertise of these two companies at the disposal of the VoIP and IMS market, and paves the way for a generation of Secure VoIP solutions.
