There has been an exponential increase in the use of mobile devices over the past decade. While this has led to high telecom penetration levels in the country, it has also resulted in several security-related concerns. Wireless communication is less secure than wireline and mobility involves higher security risks than stationary devices. Therefore, security has become the biggest concern for today’s mobile communication systems. Advanced mechanisms are needed to protect voice-based communications and the singular features introduced by 3G services.
These concerns are more acute at the enterprise and corporate levels as a minor glitch can have severe repercussions. With companies increasingly adopting VOIP for their corporate telephony infrastructure, the complexity of maintaining secure networks has increased.
Solutions for voice-related threats
Several voice network threats have been identified and various mechanisms are available for mitigating them. Some of the common threats on voice networks are:
• Toll fraud – The use of corporate resources by internal or external individuals for making unauthorised toll calls.
• Denial of service (DoS) attacks – Attacks typically aimed at the data network and its components that can have a severe impact on voice calling capabilities.
• Impersonation exploits – A caller changes call parameters such as the caller ID to make the call appear to have originated from a different user. The caller ID may be used to gain a level of trust about the caller, who may then proceed to access private information that is not accessible otherwise.
• Eavesdropping – The ability of a hacker to sniff packets relating to a voice call and replay the packets to hear the conversation.
Areas of security focus for voice networks include network infrastructure (network access, control plane and data plane); end-user devices (IP phones, videophones and softphones); call management; and voice applications.
Network infrastructure
Migration from voice to data networks necessitates the evaluation of the existing network infrastructure’s security standards. Since voice relies on the availability of the network to provide services, infrastructure security should protect the network from inappropriate or malicious use of resources, which would impact network availability for voice transport.
A common example of a network security breach is a DoS attack, which floods the network with non-productive traffic, keeping the routers and switches from being able to properly respond to production data. Most DoS attacks, worms and viruses are aimed at data devices such as PCs, servers, routers and switches. Eventually, their activity will impact the flow of voice packets across the infrastructure.
The solution to this is to ensure that the network is protected from malicious activity by implementing firewalls and other security products, and actively identifying and blocking illegitimate traffic in real time while allowing legitimate traffic to be processed as required. Network infrastructure security devices and processes include firewalls for restricting access to the internal network, intrusion detection systems for monitoring the existence of intrusions, intrusion prevention systems for reducing the ability of any malicious action, and authentication servers that restrict access capabilities of the user.
Most security policies include multiple devices and processes for comprehensive coverage. There is no single security solution for the network and its traffic. In addition to basic infrastructure security, the following technologies provide additional security for voice traffic:
• Virtual local area networks (VLANs) – These separate the voice VLAN from the data VLAN. Traffic sent over the voice VLAN is not visible to data users or to users of other voice VLANs. This prevents some aspects of toll fraud, DoS attacks, eavesdropping and packet interception.
• Encryption – All aspects of voice communication can be encrypted to provide additional security. The voice payload can be encrypted or voice can be transmitted over a virtual private network that provides encryption and authentication services.
• Access control lists – Access lists define which users should have access to network resources, and can control the amount of traffic generated by specific users. These capabilities help protect against toll fraud and eavesdropping, and can minimise DoS attacks.
• Port security – Port security is used to control internal access to corporate resources. The corporate policy may restrict access to voice resources from ports in areas that are open to the general public. Port security might direct an unknown user to the guest VLAN, which has fewer calling privileges than a departmental voice VLAN.
• Access control server – Additional security may require users to log on to an access server, which will verify their authenticity and allow or restrict their action based on predefined profiles.
End-user devices
End-points such as the IP phone typically need to register with a central server to acquire software images and configuration information. Other voice end-points include video devices and voice applications running on the PC. Key focus areas for securing end-point devices include:
• Device authentication – Both the VOIP server and the IP phone need to verify that the other party is a trusted end-point on the network. This is achieved through the use of certificates between the end-point and the server, each verifying the other’s identity prior to accessing the resource.
• Image and configuration file authentication – Verifying the authenticity of files on the trivial file transfer protocol server prior to download enables IP phones to protect against the use of tampered files that may lead to security breaches. Both images and configuration files can be validated.
• Secure signalling – Once both parties have verified each other’s authenticity, the signalling stream between the end-point and the VOIP server can be encrypted so that reconnaissance attacks do not glean any information during the call set-up. Secure signalling uses transport layer security and is based on public key infrastructure availability.
• Secure voice – Secure real-time transport protocol (SRTP) is used to secure the voice payload once a call is set up. SRTP ensures confidentiality by encrypting the packet contents and provides integrity by checking whether the contents of a packet have changed en route.
• Phone hardening – Like the PC, an IP phone is a user interface. A settings key on the phone can be used to display the current configuration of the IP phone and the servers it connects to. An administrator can view information about the phone through a graphic user interface using a remote connection. An end-user can plug a laptop into the PC port of a phone and access the internal corporate network. This is an area of concern as it can be an avenue for reconnaissance attacks to gather sensitive network details. The settings key can be restricted to show only basic phone information. Remote access to phone information can be disabled and the PC port of a phone can be disabled to ensure that no user can connect to the internal network via the phone.
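As an added example (not code from the original article), the SRTP integrity check described under "Secure voice" above: the authentication tag is an HMAC-SHA1 over the RTP header, the encrypted payload and the rollover counter (ROC), truncated to 80 bits as in RFC 3711, so any change to the packet en route is detected. The session authentication key and the payload are constructed sample values; key derivation and the payload encryption step are assumed to have happened already and are left out.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10  # SRTP default: HMAC-SHA1 output truncated to 80 bits (RFC 3711)

def rtp_header(seq, ts, ssrc, pt=0):
    """Minimal 12-byte RTP header: V=2, P=X=CC=0, M=0, payload type pt."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, ts, ssrc)

def auth_tag(auth_key, authenticated_portion, roc):
    """Tag = HMAC-SHA1(k_a, header || encrypted payload || ROC), truncated."""
    msg = authenticated_portion + struct.pack("!I", roc)
    return hmac.new(auth_key, msg, hashlib.sha1).digest()[:TAG_LEN]

def protect(auth_key, header, encrypted_payload, roc):
    """Sender side: append the tag after encryption (encrypt-then-MAC)."""
    body = header + encrypted_payload
    return body + auth_tag(auth_key, body, roc)

def verify(auth_key, srtp_packet, roc):
    """Receiver side: True only if the tag matches; constant-time compare."""
    if len(srtp_packet) < 12 + TAG_LEN:
        return False
    body, tag = srtp_packet[:-TAG_LEN], srtp_packet[-TAG_LEN:]
    return hmac.compare_digest(tag, auth_tag(auth_key, body, roc))

def demo():
    # Constructed sample values: a 160-bit session auth key and one 20 ms
    # G.711 frame that we treat as already encrypted by the SRTP cipher.
    k_a = bytes.fromhex("cebe321f6ff7716b6fd4ab49af256a156d38baa4")
    roc = 0                               # rollover counter, starts at 0
    hdr = rtp_header(seq=4096, ts=160000, ssrc=0xDEADBEEF)
    pkt = protect(k_a, hdr, bytes(range(160)), roc)
    results = {"intact": verify(k_a, pkt, roc)}
    # One flipped bit in the voice payload in transit.
    tampered = bytearray(pkt)
    tampered[20] ^= 0x01
    results["payload_tampered"] = verify(k_a, bytes(tampered), roc)
    # Sequence number rewritten: the header is covered by the tag as well.
    resequenced = bytearray(pkt)
    resequenced[2:4] = struct.pack("!H", 1)
    results["header_tampered"] = verify(k_a, bytes(resequenced), roc)
    # Receiver whose ROC is out of step (e.g. after a seq wrap) rejects too.
    results["wrong_roc"] = verify(k_a, pkt, roc + 1)
    return results
```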
Call management
Central call servers are the heart of telephony services. Call servers operate on physical server devices, or can be a part of the internetwork operating system of a voice-enabled router. Care must be taken during the design phase to ensure that if a server becomes unavailable, a backup server can take over the control of the IP phone. Depending on the level of availability required, a company may have both secondary and tertiary servers configured for each end-point device.
Voice applications
Voice applications and servers can be the targets of attacks. These applications include call processing servers, voicemail servers, integrated conferencing servers and interactive voice response servers. Multiple techniques can be used to secure voice applications. These include:
• Server administration – A key component for securing servers is assigning appropriate levels of administrative access. Most administrators should get read-only access with read-write access only to areas that are under their control. General read-write access should be provided to a trusted few.
• Secure server management – Users should be required to log in with proper credentials prior to gaining access to administrative interfaces. In addition, some applications use hypertext transfer protocol secure to protect against snooping by unauthorised persons.
• Hardening the operating system – Server operating systems enable a default set of services at the time of installation. Any service that is not required by the resident applications should be disabled. Operating system patches should be applied promptly to close any known vulnerabilities.
Security solutions for 3G networks
Five security feature groups can be defined for 3G networks, each aimed at specific threats. These security groups are network access, network domain, user domain, application domain, and visibility and configurability domain.
The network access security features provide users with secure access to 3G services and, in particular, protect against attacks on the (radio) access link. The network domain security features enable nodes in the provider domain to securely exchange signalling data and protect against attacks on wireline networks. The user domain security features secure access to mobile stations, while the application domain security features enable applications in the user and provider domains to safely exchange messages. The visibility and configurability features inform the user whether a security feature is in operation or not, and let the use and provision of services depend on the security feature. Different solutions are deployed to meet the security requirements at each of these five levels.
Network access security
In order to ensure security at the access level, user identity confidentiality needs to be maintained. This is done through different mechanisms. For example, it is ensured that the international mobile subscriber identity of a user cannot be eavesdropped on the radio access link. Further, the user location confidentiality property of the access domain ensures that the presence or the arrival of a user in a certain area cannot be determined by eavesdropping on the radio access link, while the user untraceability feature prevents an intruder from deducing whether different services are delivered to the same user.
To achieve these objectives, the user is normally identified by a temporary identity to the visited serving network. To avoid user traceability, which may lead to the compromise of user identity confidentiality, the user should not be identified for a long period through the same temporary identity.
Security features related to entity authentication at the access level are provided through features like user authentication, a property which ensures that the serving network corroborates the identity of the user. The network authentication property is provided at the access level to ascertain that the user is connected to a serving network that is authorised by the operator. This includes the guarantee that this authorisation is recent.
To achieve these objectives, it is assumed that entity authentication should occur at each connection set-up between the user and the network. Two mechanisms – an authentication mechanism using an authentication vector delivered by the user’s operator to the serving network, and a local authentication mechanism using the integrity key established between the user and the serving network during the previous execution of the authentication and key establishment procedure – are deployed for entity authentication.
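The authentication-vector mechanism just described, as an added example that is not part of the original article: the home operator's authentication centre (AuC) builds a vector from the subscriber key K and a fresh sequence number, the serving network forwards RAND and AUTN to the USIM, and the USIM only answers with RES (and derives CK and IK) after it has authenticated the network via the MAC and checked the sequence number for freshness. The functions f1 to f5 here are HMAC-SHA256 stand-ins with the 3GPP output lengths, not an operator's real algorithms, and the sequence-number check is simplified to "strictly greater than the last accepted value".

```python
import hashlib
import hmac
import os

# Stand-in f1..f5 (HMAC-SHA256 keyed with K, domain-separated by a tag byte).
# Only the output lengths follow 3GPP: MAC 64, RES 64, CK/IK 128, AK 48 bits.
def _f(k, tag, data, n):
    return hmac.new(k, bytes([tag]) + data, hashlib.sha256).digest()[:n]

def f1(k, sqn, rand, amf): return _f(k, 1, sqn + rand + amf, 8)   # MAC-A
def f2(k, rand): return _f(k, 2, rand, 8)                         # RES / XRES
def f3(k, rand): return _f(k, 3, rand, 16)                        # CK
def f4(k, rand): return _f(k, 4, rand, 16)                        # IK
def f5(k, rand): return _f(k, 5, rand, 6)                         # AK

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class HomeAuC:  # home environment: holds K, issues vectors to the serving network
    def __init__(self, k):
        self.k, self.sqn = k, 0
    def authentication_vector(self, amf=b"\x80\x00"):
        self.sqn += 1                                  # fresh sequence number
        sqn, rand = self.sqn.to_bytes(6, "big"), os.urandom(16)
        autn = xor(sqn, f5(self.k, rand)) + amf + f1(self.k, sqn, rand, amf)
        return dict(rand=rand, xres=f2(self.k, rand), ck=f3(self.k, rand),
                    ik=f4(self.k, rand), autn=autn)    # AV = RAND||XRES||CK||IK||AUTN

class USIM:  # subscriber side: shares K with the AuC, tracks the highest SQN seen
    def __init__(self, k):
        self.k, self.sqn_ms = k, 0
    def respond(self, rand, autn):
        ak = f5(self.k, rand)
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, f1(self.k, sqn, rand, amf)):
            return None                      # MAC failure: network not authenticated
        if int.from_bytes(sqn, "big") <= self.sqn_ms:
            return None                      # old/replayed vector: sync failure
        self.sqn_ms = int.from_bytes(sqn, "big")
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)   # RES, CK, IK

def run_aka(auc, usim, corrupt_mac=False):
    """One round: AuC -> SN (AV), SN -> USIM (RAND||AUTN), USIM -> SN (RES)."""
    av = auc.authentication_vector()
    autn = av["autn"][:8] + bytes(8) if corrupt_mac else av["autn"]   # simulated tampering
    reply = usim.respond(av["rand"], autn)
    if reply is None: return False
    res, ck, ik = reply
    return hmac.compare_digest(res, av["xres"]) and (ck, ik) == (av["ck"], av["ik"])
```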
Security features like the cipher algorithm and key agreements, confidentiality of user data (data cannot be overheard on the radio access interface) and confidentiality of signalling data (data cannot be overheard on the radio access link) are used to ensure data security on 3G networks.
The following security features are provided with respect to the integrity of data on the network access link:
• For ensuring integrity of data on the network access link, features such as the integrity algorithm agreement, integrity key agreement and origin authentication are employed on the networks. The integrity of signalling data ensures that the mobile station and the serving network can securely negotiate the integrity algorithm that they will use subsequently.
• Also, data integrity and origin authentication of signalling data help to verify that the data has not been modified in an unauthorised way since it was sent by the sending entity and that the data origin of the signalling data received is indeed the one claimed.
User domain security
User-to-USIM (user services identity module) authentication and USIM-terminal link features on 3G networks are deployed to prevent a security breach in the user domain. User-to-USIM authentication ensures that access to the USIM is restricted until the USIM has authenticated the user. Hence, access to the USIM can be restricted to authorised users. To achieve this, the users and the USIM must share a secret that is stored securely in the USIM. Users can access the USIM only if they have the code.
The USIM-terminal link ensures that access to a terminal or other user equipment can be restricted to an authorised USIM. To this end, the USIM and the terminal must share a secret code that is stored securely in the USIM and the terminal. If a USIM fails to prove its knowledge of the secret, it will be denied access to the terminal.
Application security
The USIM application toolkit needs to be incorporated for application security. The toolkit enables operators or third-party service providers to create applications that are resident on the USIM. There is a need to secure messages that are transferred over the network to applications on the USIM while the level of security is selected by the network operator or the application provider.
Security visibility and configurability
Although the security features should be transparent to the user, for certain events, greater user visibility of the operation of the security features should be provided. This can be achieved through a number of features that inform the user about security-related events such as indication of access network encryption (the property through which the user is informed whether the confidentiality of user data is protected on the radio access link, especially when non-ciphered calls are set up); and indication of the level of security (the property through which the user is informed about the level of security that is provided by the visited network, especially when a user is handed over or roams to a network with a lower security level [3G to 2G]).
Configurability is a property through which a user can configure the provision of a service, depending on whether a security feature is in operation. A service can only be used if all security features, which are relevant to that service and are required by the configuration of the user, are in operation. Some of the configurability features are enabling/disabling user-USIM authentication and accepting/rejecting incoming non-ciphered calls.