VoIP security monitoring gets proactive

VoIP security and traffic monitoring have become imperatives, but they can still be tricky on a converged VoIP and data network.

Converged VoIP and data networks are costing enterprises a lot of money, but still they're left with one question: "Is it secure?"

For Alphonse Edouard, IT vice president for Dune Capital Management, an investment firm, VoIP has become a cornerstone of business. So ensuring its security is imperative.

"For a great deal of what we do, voice is very important," Edouard said.

Dune Capital Management started by deploying VoIP. "Then the 'work anywhere' concept came into play," he said.

Dune needed a way to ensure call quality and to monitor the network to guarantee that it's secure.

"We all know VoIP is very susceptible to hackers," Edouard said. In the past, he has used QRadar from Q1 Labs to monitor flow data and network traffic. Eventually, he started to monitor VoIP quality of service (QoS). But as Dune Capital became more and more dependent on VoIP, the company needed to ensure that enough bandwidth was allotted and also had to find a way to monitor VoIP traffic separately from data traffic, though the two share a network.

A new QRadar module specifically designed for monitoring VoIP networks fit the bill, Edouard said. The VoIP module combines network behavior analysis and security event correlation to monitor across the network protocol, application and security services layers of a VoIP network.

According to Q1 Labs vice president of marketing Tom Turner, companies are struggling to monitor VoIP traffic together with the security devices that protect it. Turner said that without effective monitoring, VoIP is subject to bandwidth contention and traffic jitter while also opening itself up to potential security threats such as toll fraud, man-in-the-middle attacks, and denial of service (DoS) or other IP PBX attacks.

QRadar's VoIP module gives users a set of security event correlation rules, application signatures and specific VoIP security reports. These are designed to help users better monitor their VoIP application traffic and correlate events from security devices protecting the network, while detecting and reporting on threats specific to VoIP applications and servers.

"Voice is an increasingly critical component of customer networks," Turner said. "In order to correctly monitor and secure VoIP applications, customers need to be able to unify their view of the network, the applications on that network and the security products that defend those applications."

According to Turner, the module offers:

  • VoIP correlation rules, which correlate events taken from multiple VoIP source devices such as call managers, IP PBXs and voice gateways. The rules detect toll fraud attempts and DoS conditions against PBXs and other voice control services.
  • Daily, weekly and monthly VoIP-event summary reports, which detail the number of VoIP-associated security and policy events that are being created on a network, an indicator of overall VoIP network health.
  • Executive VoIP reports, which offer a high-level look at VoIP network activity, VoIP security event data and network behavior data in a combined overall view.

Edouard said he can monitor traffic at the port to compare charges against the phone bill. The module also spares him from running 10 different products to monitor the VoIP and data network, detect anomalies, sound alerts and generate reports.

"I can ensure that all calls are crystal clear and everything works fine," he said. "I can also ensure that VoIP traffic is secure."
