Voice over IP is rapidly becoming mainstream in many small, medium and large-sized businesses. A critical network component to deploying VoIP—the IP PBX—already outsells traditional PBX systems in the enterprise, and VoIP as a managed service is becoming increasingly popular with small and medium-sized businesses. VoIP affords substantial savings to both businesses and service providers compared to the PSTN while being just as robust and reliable. But is VoIP service as secure as the PSTN? And if not, can VoIP services be “hardened” so that vulnerabilities are found and fixed before being publicly identified and exploited?

Unlike the circuit-switching PSTN, which evolved to become quite secure, VoIP hinges on the timely routing of IP packets through IP-PBX systems that create numerous opportunities for hackers to exploit. Even newer IP-based session border controller (SBC) systems, designed to provide the necessary protections, are themselves vulnerable to exploit. Security as an overriding process—not simply a product—remains the primary concern of businesses and service providers operating VoIP networks. With the complex interactions between a wide variety of products involved in the VoIP service, there are a large number of potential weaknesses and good reason for concern.

A new tool, the security analyzer, now makes it possible to automate the assessment of security readiness for any VoIP software or hardware destined for a network-based service offering. Product developers benefit from a more thorough process for their design, development and deployment efforts. They can save on their operational costs because repairing products in the field ties up customer support and, ultimately, customer revenue. Those customers also benefit by using a security analyzer because they proactively determine potential weakness unique to their network before they purchase, upgrade or reconfigure these networked products.

Security analyzers detect both known and previously unknown vulnerabilities in any VoIP product, including SBCs, softswitches, proxies, media gateways, VoIP phone handsets and PC-based VoIP software. Both cable operators and leading North American service providers want to ensure these diverse products are unified in their goal of delivering 99.9999% network uptime, avoiding customer loss or interruption of any networked triple-play application. Several providers have previously been required to pay costly service level agreement (SLA) credits to large enterprise customers due to service downtime or product security weaknesses. Many of these service availability issues and security weaknesses could have been avoided through the use of security analyzers

As a result of costly service downtime or customer loss, both cable operators and service providers turned to Mu Security for security analyzers to proactively measure their service availability and security readiness of all IP-connected applications and systems. Every production network is unique, and product vendor suppliers are simply unable to account for every system or application setting where weaknesses are exposed. While defense in depth using security applications is helpful, successful attacks the exploit new vulnerabilities on a daily basis prove layered security as one step of the total required solution.

One cable operator customer has even found VoIP product testing using the Mu Security approach ensured a tenfold increase of service availability uptime. Using the Mu-4000 Security Analyzer, another service provider customer found that triple-play products containing new vulnerabilities and derivatives of existing ones are quickly discovered, documented and corrected before causing service downtime.

Managed security service providers (MSSPs), service providers and carriers already have existing test and analysis methods that are quite valuable. These methods include penetration testing, vulnerability scanning, protocol fuzzing and external scripting. Security analyzers automate and complement these processes. To discover, document and provide full remediation tools, security analyzers now play an important role with these users. For example, by dynamically creating and applying a mind-boggling 10 million protocol attack mutations. These mutations can encompass dozens of combinations of authentication and transport protocols to pinpoint potential vulnerabilities in critical network products to discover and then remediate sources of system and service downtime.

Imagine if the Alliance force in Star Wars had a security analyzer to beat back the Dark Side of the Force. The destruction of the Death Star through its security weakness would have been only the tip of the Alliance’s eventual domination.

Security analyzers follow this approach exactly by placing the power into good hands. Instead of allowing hackers to run outsourced QA, these tools perform security analysis on VoIP products in a lab environment that is more revealing than assessments made on the production network. These automated processes, detailed reporting and remediation tools combine to make securing VoIP networks more proactive. As a result of proactive analysis, service availability is maintained at the highest levels, information theft is reduced and ultimately unexpected service downtime is minimized to reduce customer churn and loss of revenue.