Paul German, CEO at VoipSec, argues that the time has come to bury hardware-based security solutions for VoIP networks, where the ‘implement once, update never’ approach is leaving organisations open to significant risk.
When it comes to securing the essential VoIP network, the vast majority of voice technology vendors still insist on deploying a hardware-based Session Border Controller (SBC), despite the cost and complexity of deployment and a clearly flawed security model. The hardware SBC deployment is not only at odds with today’s virtual environment but the ‘implement once, update never’ approach leaves organisations at risk of toll fraud and corporate espionage.
Paul German, CEO at VoipSec, insists vendors should call time on this dated and dangerous approach to voice network security.
“Today’s function-first approach to technology is reflected in every element of the infrastructure. The emphasis is on getting the right tool for the job first, from CRM to intrusion detection, and then deploying that tool in a way that is as efficient, agile and scalable as possible.
This shift has been underpinned by a fundamental transformation in IT strategy – networks are agile and quickly deployed; and applications can be delivered quickly, in any location and scaled to meet an organisation’s requirements. From virtualised hardware – now standard in most data centres – to network function virtualisation and software defined networking, the hardware and network infrastructure has become decoupled from the application; and the application itself is increasingly located anywhere across the cloud.
This decoupled approach clearly demands a different approach to security. Security can no longer be defined by network controls because those networks are virtual, disparate and remote. When organisations access applications via an Internet address the physical location is increasingly unknown. Security needs to be elastic and flexible, whether it is spanning from one server in one data centre or 100 servers spread across five data centres.
Where, then, does the hardware-based, dedicated Session Border Controller (SBC) fit into this model?
Quite frankly, it doesn’t. It is an approach to securing the VoIP network firmly rooted in the past that is fundamentally flawed on many levels.
Obviously, the vendors’ failure to reflect the function driven model embraced by the vast majority of organisations today is a problem. Insisting on a dedicated hardware SBC constrains an organisation’s virtualisation strategy. How can a company quickly spin up new cloud based voice applications, for example? Where does the SBC fit into a decoupled infrastructure? As organisations look to gain the cost, agility and scalability offered by hardware and network virtualisation, the hardware SBC is clearly a problem.
Even more concerning, however, is that this approach is flawed from a pure security perspective. These hardware SBCs are considered both one-off investments and one-off deployments. Yet as every security best practice model will attest, with a constantly changing threat landscape, failure to undertake routine updates will leave the organisation vulnerable.
To be effective, security solutions need to reflect both the emerging risk and the current deployment trend. And that means a software only model that is continually updated to mitigate the evolving threat landscape. Software based SBCs, either on premise or in the cloud, also explore community led intelligence about threats and risk experiences to rapidly disseminate new threat information and best practice. This combination of routine product updates with shared intelligence ensures an attack on a single organisation can be quickly transformed into a patch or update that protects every business from the new risk.
A collaborative, software based – and increasingly cloud based – approach lends itself to the creation of specific solutions to evolving threats – such as the rise in voicemail hacking. While voicemail systems are, in theory, password protected, the vast majority of users never reset the password from the default – either 1234 or 0000. With the door wide open, it is easy for hackers to gain access to the voicemail, at which point it is a simple step to compromise the system to accept and make international collect calls.
The continuous update and collaborative software model enables vendors to respond to the emerging threats by, for example, providing specific voicemail protection modules that can be provided as part of a cloud based SBC to identify breach attempts, lock down the voice network and alert the organisation. In addition, the solution will log rogue numbers identified across the cloud based network, rapidly creating a database of blacklisted numbers that can be deployed by all organisations to further protect against voicemail hacking attempts.
While hackers are cashing in on the widespread adoption of VoIP, the vast majority of SBC vendors are simply failing to respond. They still advise an implement once model. They fail to update customers on the evolving threat landscape – such as the rise in voicemail hacking. And, they cannot support the agile, decoupled infrastructures now required. So just what is the value of a hardware-based SBC?”