
Introducing Secure and Highly Available VoIP Communications Services (SNOCER)

Spotted this post from Dave Piscatello the other day. I'd read the post, but wanted to review the actual document before I mentioned it here.

SNOCER - Secure and Highly Available VoIP Communications Services


A colleague at BCR forwarded a hyperlink to the SNOCER project. The project abstract describes SNOCER as "a general secure and high available software architecture for VoIP infrastructures. Security is achieved through the utilization of Intrusion detection systems enhanced for VoIP traffic plus extended VoIP servers that perform advanced traffic monitoring. Additionally, we propose to increase server throughput through the use of an advanced DNS caching solution."

SNOCER is a defensive approach to VoIP security. It doesn't propose security extensions that might mitigate the growing spectrum of attacks against VoIP endpoints and infrastructures but it does offer a helpful taxonomy of attacks and, more importantly, measures an organization can take to detect and block attacks, and identifies an intriguing toolkit for deploying these measures.

Find a draft of SNOCER here.

I've downloaded and read the 74 page PDF. I think it's worth sharing a couple of excerpts from the document itself:

From the Introduction
In the context of the SNOCER project a set of tools and solutions will be implemented aiming to protect the infrastructures of VoIP providers against malicious use and denial of service attacks on the one hand. On the other hand, we will be further aiming to provide solutions for increasing the availability and reliability of the used VoIP components. In the first deliverable D2.1 [1] we have described possible security threats that a VoIP provider has to face, including threats concerning the SIP proxy, and supporting services including DNS/ENUM, STUN or RTP proxies. We have compared current solutions to handle non-VoIP centric solutions to deal with Denial-of-Service attacks. We have also investigated reasons for VoIP network failure and presented an overview of server backup strategies that can be applied for SIP proxies, including possibilities to transfer authentication information between redundant servers.

Clearly this is an initiative aimed at VoIP service providers rather than enterprise businesses, but some of the fundamental areas of concern apply to both. Threats will be widely shared between these two communities, although defensive strategies may be quite different. A service provider contractually bound to SLA requirements will likely implement more stringent service protection mechanisms than a mid-sized company might require.

From the Architecture Overview
To secure the VoIP Infrastructure to be resilient against unsolicited traffic and minimize service downtime we propose an architecture as described in Figure 1. The design is based on five key concepts:
  • Bastion host: This host acts as a gatekeeper of the operator’s internal VoIP network. Its primary task is to detect basic attacks targeted at the VoIP system and deny access for unsolicited traffic.
  • Enhanced SIP proxy: We propose to enhance a SIP proxy in two ways. An integrated IDS system will be able to detect more sophisticated SIP proxy attacks, which the bastion host might have missed. Further, we optimize the proxy’s performance through the addition of a specialized DNS module in order to enhance the throughput capabilities.
  • High availability network: Key components of the VoIP network will be secured through an internal high availability network providing failover capabilities to these components.
  • Operator console: The status of the enhanced VoIP infrastructure will be controlled in a centralized way.
  • Attack tools: A set of specially designed attack tools will be utilized to test and improve the defence capabilities of the architecture.
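As an added illustration of the kind of "basic attack" detection the bastion host is described as performing (this is example code written for this post, not code from the SNOCER project): a small Python checker that flags malformed SIP request lines and per-source request floods over constructed sample traffic. The sample addresses, the one-second window and the 20-request threshold are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque

# Constructed sample traffic (not taken from the SNOCER document):
# (timestamp in seconds, source IP, raw SIP request start-line).
# The last source sends 60 INVITEs within 0.6 s, i.e. a flood.
SAMPLE_TRAFFIC = [
    (0.0, "192.0.2.10", "INVITE sip:alice@example.net SIP/2.0"),
    (0.5, "192.0.2.10", "REGISTER sip:example.net SIP/2.0"),
    (1.0, "192.0.2.10", "BYE sip:alice@example.net SIP/2.0"),
    (1.1, "198.51.100.7", "GARBAGE\x00\x00 sip:bob@example.net"),
] + [(2.0 + i * 0.01, "203.0.113.5", "INVITE sip:bob@example.net SIP/2.0")
     for i in range(60)]

# RFC 3261 request line: Method SP Request-URI SP SIP-Version
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:[^\s]+) SIP/2\.0$")


def parse_request_line(line):
    """Return (method, uri) for a well-formed SIP request start-line, else None."""
    m = REQUEST_LINE.match(line)
    return (m.group(1), m.group(2)) if m else None


class SipFloodDetector:
    """Sliding-window request counter per source address (assumed thresholds)."""

    def __init__(self, window_s=1.0, max_requests=20):
        self.window_s = window_s
        self.max_requests = max_requests
        self.history = defaultdict(deque)

    def observe(self, ts, src):
        """Record one request; return True once the source exceeds the rate limit."""
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.max_requests


def analyse(traffic, window_s=1.0, max_requests=20):
    """Classify each request; return {source_ip: set of alert kinds}."""
    detector = SipFloodDetector(window_s, max_requests)
    alerts = defaultdict(set)
    for ts, src, line in traffic:
        if parse_request_line(line) is None:
            alerts[src].add("malformed")   # unparsable start-line: deny, do not forward
            continue
        if detector.observe(ts, src):
            alerts[src].add("flood")       # rate exceeded: candidate for blocking
    return dict(alerts)


if __name__ == "__main__":
    for src, kinds in analyse(SAMPLE_TRAFFIC).items():
        print(src, sorted(kinds))
```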



This extensive draft document was co-authored by:
Tasos Dagiuklas (University of Aegean)
Dimitris Geneiatakis (University of Aegean)
George Kambourakis (University of Aegean)
Dorgham Sisalem (Fraunhofer Fokus)
Sven Ehlert (Fraunhofer Fokus)
Jens Fiedler (Fraunhofer Fokus)
Jiří Markl (Nextsoft)
Michal Rokos (Nextsoft)
Olivier Botron (Telip)
Jesus Rodriguez (VozTelecom)
Juntong Liu (Embiron)

I think it's well worth evaluating as we look into infrastructure support and protection for converged service networks. It's certainly the sort of thing the VoIP carriers should be involved with.

Ken Camp's Bio:

Ken Camp has more than 25 years of experience in information technology. Ken spent 17 years with AT&T and Lucent Technologies successfully designing and implementing voice and data networks. He later worked in the security marketplace and played a key role in early IPSec VPN deployments. As an independent consultant, Ken's primary focal areas include network performance improvement, security practices and the design and deployment of integrated voice and data solutions. He may be contacted at: ken_camp@realtimepublishers.net
