Ingate Ups Ante on SIP/VoIP Security
Ingate Systems has proven its stripes since arriving on the scene in June 2001generating positive attention for its SIP-friendly enterprise firewalls and its SIParator hardware, which SIP-enables existing firewalls. *
With a new product release this month, Ingate ups the ante on VoIP security, delivering a suite of new capabilities to expand upon its existing safeguards.
"More people are now using SIP, and as that begins to happen the bad guys out there will find ways to try to exploit it," said Steve Johnson, president of the Hollis, New Hampshire company, which remains a wholly owned subsidiary of Swedish parent Ingate Systems AB.
Anticipating a growing number of attacks against enterprise VoIP, Ingate has built three new features into its Enhanced Security Module. The first is encryption capability, which will enable customers to require encryption on all network traffic. In addition to signaling encryption, the security feature also will allow for media encryption. Thus, even a successful snooper would find the media unintelligible.
As with security enhancements in general, Johnson said, this feature should be of special interest to financial, medical and other institutions where privacy is at a premium.
A second enhancement is aimed at preventing denial of service (DoS) attacks, in which attackers will attempt to swamp a system with requests and thus shut it down. Ingate addresses the problem by allowing the user to limit the number of sessions that can be initiated from a single domain or IP address.
Users also can direct the system to protect itself from DoS attacks when the number of setups from all domains reaches some critical capacity. In either case, however, users will need to balance the desire to protect alongside the need to serve. In applying stringent limits, "you could in fact reach the point where you are the one denying service. So the trick is to set these limits to the point where the probabilities are that all your valid calls will be getting through," Johnson said.
The third upgrade has to do with intrusion prevention and detection, especially as it refers to malformed or suspicious packets.
Ingate does this to some extent already, examining incoming packets for known or suspected defects. The new solution goes a step further, looking beyond the surface appearance and digging into a packet's inner structure.
"We are going to look much deeper into the packet, to establish rules around known threats or known malformed packets that come in. We will look inside the packets for those sorts of things and, when detected, we will prevent those packets from getting through," Johnson said.
Just in case some newly created piece of malice slips past the guards before Ingate has put in place rules for its prevention, the solution is designed to catch the packet on its outbound leg and to stop it before it clears the gate, thus keeping the network safe while a new rule is being crafted.
These capabilities come on top of a number of other security measures already built into Ingate solutions. For example, Ingate will secure the network address translation (NAT) between the public internet and the private space inside the network. In addition, Ingate firewall users can set rules as to who can enter the network, using a range of control and filtering tools.
"We don't leave any ports open, we don't leave any private IP addresses exposed and we give our customers the ability to control who has access to their network for voice conversations," Johnson said.
Ingate says its latest security iteration puts it ahead of the pack, but the pack is not far behind. As SIP becomes ever more visible, a growing number of vendors no doubt will step up to the plate with security offerings.
Johnson says the Ingate business plan calls for the company to distinguish itself not just through its advanced security technologies, but even more so through the breadth of its overall offerings.
"There are people offering just security solutions and none of the rest," he said. "We do a lot in terms of routing, in terms of normalizing SIP traffic between the PBX and the SIP trunking service provider, and we have the ability to let people work from home and still be able to get to their SIP servers on the work network."
Beyond just security, "we have lots of capability in our box," he said.
* Editors note: SIP-based IP communications are notoriously incompatible with traditional network firewallsespecially those employing Network Address Translation or NAT.