It’s time to bury dedicated hardware-based security, says Paul German, CEO of VoipSec, the Voice over Internet Protocol (VoIP) security product company. He insists vendors should call time on this dated and dangerous approach to voice network security.
Virtualisation and software defined networking have transformed the IT infrastructure landscape over the past decade. As organisations look to minimise their hardware footprint, improve network flexibility and decouple applications from the infrastructure to gain agility and flexibility, the era of dedicated hardware-based solutions is over.
Yet when it comes to securing the essential VoIP network, the vast majority of voice technology vendors still insist on deploying a hardware based Session Border Controller (SBC) – despite the cost and complexity of deployment and a clearly flawed security model. The hardware SBC deployment is not only at odds with today’s virtual environment but the ‘implement once, update never’ approach leaves organisations at risk of toll fraud and corporate espionage.
Today’s function-first approach to technology is reflected in every element of the infrastructure. The emphasis is on getting the right tool for the job first, from CRM to intrusion detection, and then deploying that tool in a way that is as efficient, agile and scalable as possible.
This shift has been underpinned by a fundamental transformation in IT strategy – networks are agile and quickly deployed; and applications can be delivered quickly, in any location and scaled to meet an organisation’s requirements. From virtualised hardware – now standard in most data centres – to network function virtualisation and software defined networking, the hardware and network infrastructure has become decoupled from the application; and the application itself is increasingly located anywhere across the cloud.
This decoupled approach clearly demands a different approach to security. Security can no longer be defined by network controls because those networks are virtual, disparate and remote. When organisations access applications via an Internet address the physical location is increasingly unknown. Security needs to be elastic and flexible, whether it is spanning from one server in one data centre or 100 servers spread across five data centres.
Dated and dangerous
Where, then, does the hardware based, dedicated Session Border Controller (SBC) fit in to this model? Quite frankly, it doesn’t. It is an approach to securing the VoIP network firmly rooted in the past that is fundamentally flawed on many levels. Obviously, the vendors’ failure to reflect the function driven model embraced by the vast majority of organisations today is a problem. Insisting on a dedicated hardware SBC constrains an organisation’s virtualisation strategy. How can a company quickly spin up new cloud based voice applications, for example? Where does the SBC fit into a decoupled infrastructure? As organisations look to gain the cost, agility and scalability offered by hardware and network virtualisation, the hardware SBC is clearly a problem.
Even more concerning, however, is that this approach is flawed from a pure security perspective. These hardware SBCs are considered both one off investments and one off deployments. Yet as every security best practice model will attest, with a constantly changing threat landscape failure to undertake routine updates will leave the organisation vulnerable.
To be effective, security solutions need to reflect both the emerging risk and the current deployment trend. And that means a software-only model that is continually updated to mitigate the evolving threat landscape. Software-based SBCs, either on premise or in the cloud, also draw on community-led intelligence about threats and risk experiences to rapidly disseminate new threat information and best practice. This combination of routine product updates with shared intelligence ensures an attack on a single organisation can be quickly transformed into a patch or update that protects every business from the new risk.
This collaborative, community approach increasingly underpins the security market. From AV to monitoring, the way in which vendors interact with customers is changing fast. In addition to specific communities, vendors are offering portals that enable any customers to share experiences, insight and ideas. Security is not static – and it is this desire to share knowledge that is increasingly key in developing an ever expanding range of capabilities and enabling vendors to create solutions that will safeguard businesses globally from every new zero day threat.
Moreover, this collaborative, software based – and increasingly cloud based – approach lends itself to the creation of specific solutions to evolving threats – such as the rise in voicemail hacking. While voicemail systems are, in theory, password protected, the vast majority of users never reset the password from the default – either 1234 or 0000. With the door wide open, it is easy for hackers to gain access to the voicemail, at which point it is a simple step to compromise the system to accept and make international collect calls. The business will only discover the problem when the next bill arrives – a fact that is contributing towards the $4.4 billion lost due to PBX hacking according to the Communications Fraud Control Association (CFCA).
The continuous update and collaborative software model enables vendors to respond to the emerging threats by, for example, providing specific voicemail protection modules that can be provided as part of a cloud based SBC to identify breach attempts, lock down the voice network and alert the organisation. In addition, the solution will log rogue numbers identified across the cloud based network, rapidly creating a database of blacklisted numbers that can be deployed by all organisations to further protect against voicemail hacking attempts.
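As an added illustration (not code from the article or from any vendor), the sketch below shows the kind of logic such a voicemail protection module could apply to mailbox login events: count failed PIN attempts per caller, add repeat offenders to a blocklist, and lock and alert on any mailbox a blocked caller then opens. The log format, the threshold, the window and the phone numbers are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window for counting failures
MAX_FAILURES = 3                # assumed failed-PIN threshold per caller

# Constructed sample log, one event per line: "timestamp caller mailbox outcome"
SAMPLE_LOG = """\
2024-05-01T02:10:00 +15550100 201 FAIL
2024-05-01T02:10:20 +15550100 202 FAIL
2024-05-01T02:10:45 +15550100 203 FAIL
2024-05-01T02:11:05 +15550100 204 OK
2024-05-01T09:00:00 +15550142 310 FAIL
2024-05-01T09:00:30 +15550142 310 OK
"""

def parse(log):
    """Yield (timestamp, caller, mailbox, outcome) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, caller, mailbox, outcome = line.split()
        yield datetime.fromisoformat(ts), caller, mailbox, outcome

def analyse(log):
    """Return (blocklist, locked_mailboxes, alerts) for the given events."""
    failures = defaultdict(list)  # caller -> timestamps of recent failures
    blocklist, locked, alerts = set(), set(), []
    for ts, caller, mailbox, outcome in parse(log):
        # Keep only this caller's failures that fall inside the window.
        recent = [t for t in failures[caller] if ts - t <= WINDOW]
        if outcome == "FAIL":
            recent.append(ts)
            if len(recent) >= MAX_FAILURES and caller not in blocklist:
                blocklist.add(caller)
                alerts.append(f"{ts.isoformat()} block {caller}: "
                              f"{len(recent)} failed PIN attempts")
        elif caller in blocklist:
            # A login that succeeds after a guessing run is treated as a breach.
            locked.add(mailbox)
            alerts.append(f"{ts.isoformat()} lock mailbox {mailbox}: "
                          f"login by blocked caller {caller}")
        failures[caller] = recent
    return blocklist, locked, alerts

if __name__ == "__main__":
    blocked, locked_boxes, alert_lines = analyse(SAMPLE_LOG)
    print(sorted(blocked), sorted(locked_boxes))
    print("\n".join(alert_lines))
```

The single mistyped PIN from the second caller stays below the threshold, so a legitimate user is neither blocked nor locked out.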
The failure of the hardware SBC is not only compromising the evolution of the IT infrastructure but adding untenable business risk. According to NEC, 84% of UK businesses are considered to be unsafe from hacking, and attacks on VoIP servers represented 67% of all attacks recorded against UK-based services according to Nettitude. Risks such as toll fraud are well known. But how many organisations also realise that the voice network can be compromised to eavesdrop on sensitive communications with malicious intent such as harassment or extortion? Or to gain access to private company and customer contacts? While hackers are cashing in on the widespread adoption of VoIP, the vast majority of SBC vendors are simply failing to respond. They still advise an implement once model. They fail to update customers on the evolving threat landscape – such as the rise in voicemail hacking. And they cannot support the agile, decoupled infrastructures now required. So just what is the value of a hardware based SBC?