From the Security Experts
March 02, 2009
Interview: Radware Targets Security Risks of SIP-Based VoIP Services
SIP Trunking Report Editor
Like every other industry, the communications technology space is figuring out – be it through massive layoffs and lowered forecasts or innovative products and positive outlooks for 2009 – just how this economic recession is hitting.
Today, for example, while hearing the positive news that smartphones are
as an increasingly popular choice among users of mobile devices, we also learned that North America’s largest telecom equipment vendor today
a quarterly net loss of $2.14 billion.
Nortel Networks Corp.
for bankruptcy, recently
that it plans to sell parts of its application delivery portfolio to an integrated application solutions provider called
That company, Radware, delivers security of business-critical applications for more than 6,000 enterprises and carriers worldwide, and here’s something we learned today from Ron Meyran, its product marketing manager of security: This recession also raises the likelihood of cyber-crimes.
“As more people get laid off, they will have more time to spend on the Internet and will believe that they can get things for free – a fertile ground for scams and identity theft,” Meyran told us.
That’s one reason that Radware recently
a new line of DefensePro products.
We spoke to Meyran about DefensePro and were intrigued especially by his discussion of the need for real-time signatures, and vulnerability-based signatures, in terms of protecting VoIP services. Pay special attention to Meyran’s description of SIP vulnerabilities.
Our exchange follows.
TMCnet: We recently
to Scott Pope, a senior manager for
Cisco Systems Inc.
‘s wireless security product management, who
us that many enterprises fool themselves into thinking that WiFi Protected Access 2, or “WPA2” – a security method that’s designed to assure people that only authorized users can access their wireless networks – is all they need to protect themselves from attacks. We learned that WPA2 does cannot address hackers who enter a network from rogue access points, denial-of-service attacks, user authentication and data encryption cracking methods or network reconnaissance. Tell us: What emerging network threats do you see that are exploiting vulnerabilities that are not yet known, and so cannot be protected using traditional technology?
First let me comment that I looked into the article with Scott Pope and it was a really interesting read, finding that the same attack types and targets are now also available with a new vector – the WLAN. I strongly agree that the key to “immunizing” a network against cyber attacks is “the marriage of education, behavior, and technology.”
My input: The emerging network threats we see remain the same: Information theft, malware spread, authentication defeat and denial of service.
However, we see new levels of sophistication and creativity when launching network attacks.
First, attackers use non-vulnerability-based attacks such as brute force attacks, web application hacking, application scanning and application flooding. These attacks go unnoticed by standard network security tools: they run at the application level, bypassing firewalls; they run at low volume, bypassing threshold-based tools; they do not exploit any application vulnerability, thus bypassing anti-virus and IPS tools that rely on signature detection.
Attackers also use zero-minute attacks that exploit newly discovered vulnerabilities before a patch or a signature is available. The Conficker worm only reminds us that the security underground is an industry that still trades zero-minute vulnerabilities that can cause damage. Note that Conficker’s first hit was January 16 (9 million PCs in 24 hours) and on February 16 when the German army was hit – clearly they had the time to get a patch.
Finally, attackers target WLAN as an entry point to bypass perimeter security tools such as Firewalls, IPS and the like.
TMCnet: Another Cisco executive – Chris Kozup, senior manager of mobility solutions – told us during an
that it’s essential to invest in wireless security, even in a slower economy. In your view, what sorts of new or unique security threats is this recession bringing, if any?
When the economy slows down and people get laid off, the risk to businesses increases: there are more attackers while business profitability becomes critical.
The main trends in this recession I believe will be an increase of fraud and information theft attempts.
As more people get laid off, they will have more time to spend on the Internet and will believe that they can get things for free – a fertile ground for scams and identity theft.
Businesses that rely on on-line access to generate revenues or for their productivity are now the prime target of network attacks facilitated through large scale botnets: HTTP page floods, SIP floods, brute force attacks, application and network scanning – all target enterprise assets, resulting in information leakage, business slow down and reputation loss.
The above is magnified by the fact that most of the network attacks are centrally controlled and managed by cybercrime, which increases the risk significantly. Why? Because your confidential information is now offered for sale to everyone, your application vulnerabilities are traded at fixed prices and mega Botnets rent out their services for less than $100.
TMCnet: Talk to us about
, Radware’s new, real-time intrusion prevention system. It’s interesting to us that the company is touting the product’s protection against VoIP threats. Could you characterize those threats for us?
DefensePro is the first real-time intrusion prevention and DoS protection system that protects the application infrastructure against known attacks, emerging zero-minute attacks and non-vulnerability network attacks that cannot be detected by static-signature IPS, using behavior-based real-time signatures.
Let me use the VoIP service to explain the need for real-time signatures in addition to vulnerability based signatures.
The VoIP service offers voice services over a shared IP infrastructure. The motivation to deploy VoIP rather than the traditional PSTN is cost reduction. However VoIP, based on SIP, is exposed to IP based attacks that do not exist in the PSTN.
There are SIP vulnerabilities – SIP is a protocol that includes vulnerabilities such as buffer overflows, malformed SIP packets, SIP SQL injections. There is SIP service misuse – including SIP server scans to build a database of SIP users registered to the service and then launch Spam over Internet Telephony (SPIT); SIP brute force attacks, stealing the identity of legitimate users; SIP Invite or Bye floods that can slow down or even shut down the SIP service; and more.
And there are DoS/DDoS flood attacks, or packet-based floods, that can degrade the voice quality carried over RTP sessions.
Using standard signature detection technology prevents exploitation of SIP vulnerabilities, but against SIP service misuse and DoS/DDoS attacks you need behavioral technology that can identify abnormal usage of an application and automatically create a real-time signature that will prevent the attack before service slow down or defeat.
This is the key advantage of DefensePro: It provides protection against zero-minute attacks and service misuse attacks (non-vulnerability-based attacks) using patented behavioral analysis technology, on top of standard protection against vulnerability-based attacks, and therefore offers the best network security solution for enterprises that rely on the Internet to generate revenues.
TMCnet: Generally speaking, how secure are business VoIP calls, in your view? In general, does the security of those calls depend on the size of the business? If so, how?
VoIP calls can be encrypted, though many users and businesses do not tend to do so. I do not think that the content of calls is the prime target as the service itself is a target to network threats.
Large enterprises and call centers will be the prime target of extortion through network attacks that can slow down the service or even shut it down completely.
Service providers are targeted, in addition, by SPIT – Spam over Internet Telephony, which may “abuse” their service with endless recorded promotional calls – this is a real-time nuisance (users don’t know who is calling them, users have to respond in real-time, calls are initiated any time of day/night).
Everyone can be the target of fraud through identity theft. It is easier to offer an international calling service and have someone else pay the bill when it’s about VoIP.
The result is that the security of VoIP systems depends upon the size of the business: the larger the business and the more it relies on VoIP, the more it will invest in network security tools. Note that small businesses, in most cases, will have security applied by their service provider.
TMCnet: Based on Radware’s description, DefensePro appears to operate almost like a human brain – identifying and mitigating attacks by generating what you call “real-time” signatures through an engine. In layman’s terms, could you tell us what that means?
I have discussed some of the emerging network threats and why real-time signatures are required. Let me explain how it works in layman’s terms.
DefensePro inspects network traffic and creates baselines that represent the normal behavior of clients, servers, and networks. The behavioral-analysis engine detects abnormal patterns – network bandwidth misuse, server resources misuse, and client activity that indicates malware spread – and automatically creates a real-time signature that accurately mitigates an attack, using up to 20 L4-L7 header fields and operations, all with no human intervention.
To understand how the real-time signature protection engine works, let’s look into two cases of attack mitigation.
First, non-vulnerability attacks. Since these attacks do not exploit any application design flaw or bug, there is typically no signature available to counter the attack. However, since DefensePro learns traffic behavior, in the event of a non-vulnerability attack like an HTTP page flood, DefensePro is able to detect the malicious sources generating the flood as well as to identify the specific Web page under attack. DefensePro then generates a real-time signature that blocks the attacker’s access to the Web page under attack, while maintaining legitimate user access to the Web site.
Second, zero-minute attacks. These attacks exploit a vulnerability for which a signature can be created to match the attack pattern. However, given the accelerated timeline under which hackers are now exploiting application bugs, vulnerability research centers may lag behind in researching and creating signatures to counter these attacks. In the case of the Conficker worm, which exploits a buffer overflow vulnerability in the Microsoft operating system, DefensePro detects the worm propagation activity as abnormal client activity and creates a signature that blocks sessions (or packets) that exploit this vulnerability.
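The two ideas Meyran describes above – learning a baseline of normal SIP behavior and then deriving a signature from the header fields shared by the abnormal traffic – can be illustrated with a small, defensive detector. The Python below is an added example written for this article; it is not Radware's or DefensePro's code and does not reproduce their patented engine. It assumes a simple, constructed SIP request log format (`<second> <src_ip> <METHOD> <request-uri> ua=<User-Agent>`), generates constructed "normal" phone traffic to learn from, then runs a constructed INVITE flood of the kind named in the VoIP answer through the detector. The threshold rule (`mean + k*stdev`, floored at twice the observed peak), the 80% dominance rule for picking signature fields, and all IPs, URIs and User-Agent strings are assumptions made for the example.

```python
import re
import statistics
from collections import Counter, defaultdict

# Assumed log format for this example (not any real product's format):
#   "<second> <src_ip> <METHOD> <request-uri> ua=<user-agent>"
LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+) ua=(.+)$")
# The L3-L7 fields a generated signature is allowed to match on.
FIELDS = ("src", "method", "uri", "ua")


def parse_line(line):
    """Parse one constructed log line into a record, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, src, method, uri, ua = m.groups()
    return {"sec": int(sec), "src": src, "method": method, "uri": uri, "ua": ua}


def legit_traffic(start, seconds):
    """Constructed normal traffic: three phones, an INVITE every other second each,
    and a REGISTER every five seconds each (all addresses and names are made up)."""
    phones = [("10.0.0.11", "sip:alice@pbx.example", "SoftPhone/2.1"),
              ("10.0.0.12", "sip:bob@pbx.example", "SoftPhone/2.1"),
              ("10.0.0.13", "sip:carol@pbx.example", "DeskPhone/7.0")]
    lines = []
    for s in range(start, start + seconds):
        for i, (ip, uri, ua) in enumerate(phones):
            if (s + i) % 2 == 0:
                lines.append(f"{s} {ip} INVITE {uri} ua={ua}")
            if (s + i) % 5 == 0:
                lines.append(f"{s} {ip} REGISTER sip:pbx.example ua={ua}")
    return lines


def flood_traffic(start, seconds, rate=30):
    """Constructed INVITE flood: one source, one target URI, one User-Agent."""
    return [f"{s} 203.0.113.9 INVITE sip:sales@pbx.example ua=Generic-UA/0.1"
            for s in range(start, start + seconds) for _ in range(rate)]


def per_second_counts(records):
    """method -> {second: number of requests}."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["method"]][r["sec"]] += 1
    return counts


def build_baseline(records, k=4.0):
    """Learn a per-method requests-per-second threshold from a learning window.
    threshold = max(mean + k*stdev, 2*peak): the floor stops a very quiet
    baseline from turning every small legitimate burst into an alarm."""
    secs = sorted({r["sec"] for r in records})
    baseline = {}
    for method, by_sec in per_second_counts(records).items():
        series = [by_sec.get(s, 0) for s in secs]  # keep zero-request seconds
        mean, std = statistics.fmean(series), statistics.pstdev(series)
        baseline[method] = max(mean + k * std, 2 * max(series))
    return baseline


def detect_and_sign(records, baseline, min_share=0.8):
    """Return a list of (method, signature) for each method whose rate exceeds
    its baseline. The signature keeps only the fields whose single dominant
    value covers >= min_share of the traffic in the abnormal seconds, so it
    describes the flood rather than the whole service. A method never seen
    while learning has threshold 0 and is flagged at any rate."""
    findings = []
    for method, by_sec in per_second_counts(records).items():
        threshold = baseline.get(method, 0)
        bad_secs = {s for s, n in by_sec.items() if n > threshold}
        if not bad_secs:
            continue
        suspect = [r for r in records if r["method"] == method and r["sec"] in bad_secs]
        signature = {}
        for field in FIELDS:
            value, n = Counter(r[field] for r in suspect).most_common(1)[0]
            if n / len(suspect) >= min_share:
                signature[field] = value
        findings.append((method, signature))
    return findings


def matches(record, signature):
    return all(record.get(f) == v for f, v in signature.items())


def enforce(records, signature):
    """Split records into (blocked, allowed) according to the signature."""
    blocked = [r for r in records if matches(r, signature)]
    return blocked, [r for r in records if not matches(r, signature)]


BASELINE_LINES = legit_traffic(0, 60)                          # learning window
LIVE_LINES = legit_traffic(60, 10) + flood_traffic(60, 10)     # flood + real users


def run():
    base = [r for r in map(parse_line, BASELINE_LINES) if r]
    live = [r for r in map(parse_line, LIVE_LINES) if r]
    findings = detect_and_sign(live, build_baseline(base))
    method, sig = findings[0] if findings else (None, {})
    blocked, allowed = enforce(live, sig) if sig else ([], live)
    # Practitioner's check: the new signature must not hit the learning window.
    false_pos = enforce(base, sig)[0] if sig else []
    return {"method": method, "signature": sig, "blocked": len(blocked),
            "allowed": len(allowed), "false_positives": len(false_pos)}


if __name__ == "__main__":
    print(run())
```

On this constructed input the learned INVITE threshold is 4 requests per second, the flood's 30 per second trips it in every second, and the derived signature pins all four fields (source, method, target URI, User-Agent) because one value dominates each. The three legitimate phones keep calling and registering through the flood, and the signature matches nothing in the learning window, which is the false-positive check a defender would want before letting an automatically generated rule block traffic.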
is a contributing editor for TMCnet, covering news in the IP communications, call center and customer relationship management industries. To read more of Michael's articles, please visit his