Last week, we talked about securing the network plane, and this week, we talk about controlling the perimeter. In line with the Pareto principle, securing the network and the perimeter accounts for 80% of the enterprise-critical aspects of communication security. Here are the key risks that you have to be aware of at the perimeter.
The Border is a difficult place
Risks from Direct Internet connectivity
Assume you have a remote office in Podunk, somewhere in the middle of nowhere. It’s impossible to get a leased line there because the CLEC is just too slow and incompetent. You decide to use the normal internet to carry voice traffic between your Podunk and New York offices. This makes life easier but also exposes your organization’s traffic to all third parties that carry the traffic between the two offices.
Risks to Wide area network (WAN) links
If you are a nationally or globally distributed organization that uses leased lines to connect remote offices, you run the risk of exposing your internal networks to the outside world simply by traversing third-party networks. A compromise here is potentially catastrophic: at that point, not only is your communication network exposed but so are all your other data and systems.
Risks to Gateway Devices
Signaling gateways
As calls move from an IP-based corporate network to public networks (and vice versa), signaling gateways translate call information between IP-based systems and carrier protocols such as SS7 and others. Attackers love to compromise signaling gateways because of their wealth of information and control. A compromised gateway not only causes disruption to the call network, but it also yields information such as network topology and subscriber information.
Media gateways
When calls move between IP-based corporate networks and public networks, media gateways translate the media streams between the IP-based systems and carrier media protocols. Media gateways interact closely with signaling gateways – after all, it is the signaling gateway that tells the media gateway what to do with the media stream. The risk from a compromised media gateway is obvious – attackers get access to direct feeds of voice and video – they can choose to listen in, disrupt, or do both.
How to protect the perimeter
Drawing inspiration from the NSA VVoIP security guidelines, here are some things you can do:
- Use SBCs at the perimeter – unlike firewalls that do not understand and cannot inspect communication protocols, SBCs do understand them and provide a greater degree of protection to the network.
- Use virtual private networks (VPNs) when traffic is traversing third-party networks.
- Ensure that the VPNs support separation of data and voice networks.
- When traversing third-party networks, put SBCs at the traversal points.
- Regardless of whether you use trunks or public internet, encrypt all communications that exit your network.
- Place signaling and media gateways in a DMZ off an SBC interface.
- Keep signaling gateways in their own separate VLANs, ensuring that endpoints cannot directly communicate with them and must use the VoIP server as an intermediary.
- Use NAT and other methods to hide your network topology.
- Always inspect all calls before allowing them into the internal network. Look at where they are coming from – and use blocklists to prevent known spam and scam numbers from making calls.
Of course, even though perimeter control helps, we still need to look at more than control. Each of the points mentioned above is designed to prevent attacks and breaches, but as infosec folks keep saying, “It’s not a question of if you will be breached, it’s a question of when”. And when you do get breached, the game is to identify the breach quickly. Ensure that the signaling gateway logs all calls, with details such as origin, destination, time of connection, length, and so on, for future analysis in case of compromise.
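Two of the points above, blocklisting known numbers at the perimeter and logging every call with its origin, destination, time and length for later review, as an added example that is not from the original post. The call-log format, the blocklist format and every number in it are constructed assumptions, not any vendor's real format.

```python
"""Added example (not from the original post): inspect inbound calls against
a blocklist and parse the gateway's call log for later analysis.
Assumed CDR format, one record per line:
    <ISO-8601 time>,<origin>,<destination>,<seconds connected>
Assumed blocklist entries: exact E.164 numbers, or a prefix ending in '*'."""
import re
from collections import Counter

BLOCKLIST = {"+15550100", "+4477*"}  # constructed sample entries

SAMPLE_CDRS = """\
2024-05-01T09:00:12Z,1 (555) 010-0,+12125550147,0
2024-05-01T09:01:40Z,+447700900123,+12125550147,5
2024-05-01T09:02:03Z,+12125550199,+12125550147,240
2024-05-01T09:05:30Z,+12125550199,+12125550147,60
"""  # constructed sample log lines in the assumed format

def normalize_number(raw):
    """Reduce a dialled string to '+digits' so blocklist lookups are exact."""
    digits = re.sub(r"\D", "", raw)
    if not digits:
        raise ValueError("no digits in number: %r" % raw)
    return "+" + digits

def is_blocked(number, blocklist=BLOCKLIST):
    """Exact match, or prefix match for entries ending in '*'."""
    return any(number.startswith(e[:-1]) if e.endswith("*") else number == e
               for e in blocklist)

def parse_cdr(line):
    """Parse one record; a line missing any field is rejected, not guessed."""
    parts = line.split(",")
    if len(parts) != 4:
        raise ValueError("malformed CDR: %r" % line)
    time, origin, dest, seconds = parts
    return {"time": time, "origin": normalize_number(origin),
            "destination": normalize_number(dest), "seconds": int(seconds)}

def inspect_calls(cdr_text, blocklist=BLOCKLIST):
    """Per call, decide whether the origin would be admitted past the SBC."""
    decisions = []
    for line in cdr_text.splitlines():
        rec = parse_cdr(line)
        rec["allowed"] = not is_blocked(rec["origin"], blocklist)
        decisions.append(rec)
    return decisions

def calls_per_origin(decisions):
    """Tally calls per origin so a burst from one source stands out on review."""
    return dict(Counter(rec["origin"] for rec in decisions))
```

Rejecting malformed records rather than guessing at missing fields keeps the log usable as evidence; a gateway that silently drops fields is exactly what you discover too late during an incident.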
Have more questions? Send me an email at securityeducation@assertion.cloud