Hacking is a term that is often used to describe the acts of a user who trespasses on computer systems for any number of reasons. Oftentimes, intruders hack into a system or network of systems (“system”) with the intent to launch some form of attack against the system. An attacker, as used herein, refers to any user, host system, or remote host machine that hacks, trespasses, or intrudes onto a system and attempts to compromise the integrity or performance of the system.
Attackers can be very sophisticated and difficult to detect. Most attackers operate from or through a remote system or even a chain of several remote systems to obscure their identity and/or location. Attackers are often very thorough and methodical in using reconnaissance to create a detailed map of a network and identify any network vulnerabilities.
Reconnaissance typically involves a process of gathering information, scanning a target network, and probing for weaknesses in the target network before launching an attack. In the information-gathering phase, an attacker collects information about a network (e.g., a company network) in an attempt to obtain as many domain names as possible. The domain names are then used to query domain name servers (DNS servers) for network (e.g., Internet Protocol (IP)) addresses of hosts in the network. This process is sometimes called footprinting. Additionally, attackers may also perform a broad sweep of a network to probe for IP addresses assigned to additional hosts.
In the scanning phase, an attacker can learn which services are running on each host and which ports the services are using. An application service can be accessed from a network through a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number assigned to the application service.
In the final phase of reconnaissance, attackers search the target network specifically for resources such as device and file resources in order to acquire information about network security and network vulnerabilities.
Once the reconnaissance process has provided sufficient information, an attacker may launch an attack. There are many types of network attacks that can cause serious performance problems on a network. Attacks including, but not limited to, Denial of Service (DoS), Distributed DoS (DDoS), viruses, worms, polymorphic viruses, blended attacks, and Day-Zero threats can be launched against a network to disrupt configuration and routing information and physical network components. Attacks can also tie up and/or consume network bandwidth, host central processing unit (CPU) time, and disk space. One example of a DoS attack is a TCP flood attack. Another example of a DoS attack is a Smurf attack.
Most networks employ some form of network security to help defend against many of the attacks discussed above. However, many network security systems and/or devices rely on signature-based security techniques. In other words, these security systems maintain a list of known security threats, or signatures, and can only prevent or mitigate damage based on these known security threats. One problem with signature-based security is that it is not effective in preventing or mitigating unknown security threats and Day-Zero attacks. Additionally, many of today's network security systems need to be “in-line” with the network to mitigate threats and can, therefore, end up being bottlenecks or points of failure in the network.
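As an added illustration that is not part of the original text, the following Python sketch shows the behaviour-based alternative to signature matching that the preceding paragraphs motivate: it flags the port-sweep pattern of the scanning phase and the TCP flood pattern described above from flow records, with no list of known threats. The flow records, field layout and thresholds are constructed assumptions, not data from any real network.

```python
from collections import defaultdict

# Constructed flow records, one tuple per client-side TCP packet:
# (src_ip, dst_ip, dst_port, flag) where flag is "S" (SYN) or "A" (ACK).
SAMPLE_FLOWS = (
    # one host sweeping 20 ports on a single target (scanning phase)
    [("10.0.0.5", "192.0.2.10", port, "S") for port in range(20, 40)]
    # 200 SYNs from spoofed sources, none followed by an ACK (TCP flood)
    + [(f"198.51.100.{i % 250 + 1}", "192.0.2.10", 443, "S") for i in range(200)]
    # one legitimate client completing its handshake
    + [("10.0.0.9", "192.0.2.10", 443, "S"), ("10.0.0.9", "192.0.2.10", 443, "A")]
)


def detect_port_scans(flows, min_ports=10):
    """Return {(src, dst): distinct_port_count} for source/destination pairs
    where one source touched at least min_ports distinct ports.
    The threshold is an assumption; tune it to the monitored network."""
    ports = defaultdict(set)
    for src, dst, port, _flag in flows:
        ports[(src, dst)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_syn_floods(flows, min_syns=100, max_ack_ratio=0.1):
    """Return {(dst, port): (syn_count, ack_count)} where SYN volume is high
    and few handshakes complete. Counting per destination rather than per
    source keeps the check effective when the sources are spoofed."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for _src, dst, port, flag in flows:
        if flag == "S":
            syns[(dst, port)] += 1
        elif flag == "A":
            acks[(dst, port)] += 1
    return {
        key: (n, acks[key])
        for key, n in syns.items()
        if n >= min_syns and acks[key] / n < max_ack_ratio
    }


if __name__ == "__main__":
    print("port scans:", detect_port_scans(SAMPLE_FLOWS))
    print("SYN floods:", detect_syn_floods(SAMPLE_FLOWS))
```

Neither check consults a signature, which is why both still fire on a scan or flood whose specific tool or payload has never been seen before.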
Voice over Internet Protocol (VoIP) has special requirements with regard to Quality of Service (QoS), latency, jitter, packet loss and network availability. When adding security to VoIP to protect against attacks, such as those discussed above, all of these key metrics are disrupted. For example, a perimeter firewall is frequently used as a central location for deploying security policies, making it a significant bottleneck for traffic passing through the firewall.
Firewalls, Intrusion Detection System (IDS), Intrusion Detection Prevention (IDP), Network Address Translation (NAT)/Port Address Translation (PAT) traversal devices and VoIP gateways are incomplete with respect to converged voice, video and data networks because they cause network congestion, throughput delay and open security holes into internal Local Area Networks (LANs). Even the latest VoIP-aware firewalls cannot provide adequate throughput for VoIP traffic.