The proliferation of data transport networks, most notably the Internet, is causing a revolution in telephony and other forms of real-time communication. Businesses that have been accustomed to having telephony traffic and data traffic separately supported over different systems and networks are now moving towards so-called “converged networks” wherein telephone voice traffic and other forms of real-time media are converted into digital form and carried by a packet data network along with other forms of data. Now that the technologies are feasible to support it, voice over data transport offers many advantages in terms of reduced capital and operating costs, resource efficiency and flexibility.
For example, at commercial installations, customer premise equipment investments are substantially reduced as most of the enhanced functions, such as PBX and automatic call distribution functions, may reside in a service provider's network. Various types of gateways allow for sessions to be established even among diverse systems such as IP phones, conventional analog phones and PBXs as well as with networked desktop computers.
A new generation of end user terminal devices is now replacing the traditional telephones and even the more recent PBX phone sets. These new sets, such as those offered by Cisco Systems, Inc. and Pingtel Corporation, may connect directly to a common packet data network, via an Ethernet connection for example, and feature large visual displays to enhance the richness of the user interface.
Even before such devices were developed, computers equipped with audio adapters and connected to the Internet were able to conduct some rudimentary form of Internet telephony, although the quality was unpredictable and often very poor. The emphasis now is upon adapting internet protocol (IP) networks and other packet transport networks to provide reliable toll-quality connections, easy call set-up and enhanced features to supply full-featured telephony as well as other forms of media transport. Some other types of media sessions enabled by such techniques may include video, high quality audio, multi-party conferencing, messaging and collaborative applications.
Of course, as a business or residential communications subscriber begins using such voice-over-packet communications to replace conventional telephony, there will naturally be an expectation that the quality of the connections and the variety of services will be at least as good as in the former telephone network. There is also an expectation that the new types of networks will be less susceptible to fraudulent use of communications service—or at least no worse than their predecessors.
However, employing a packet data transport for telephony introduces new vulnerabilities beyond those experienced with the traditional circuit-switched telephone network. The concern over security of communications in the public Internet is well known and has received considerable attention in light of countless identity thefts, hacking attacks, viruses, denial-of-service attacks, security breaches and other threats to reliable, confidential communications. These threats take on further significance as, in the case of packet telephony, the traffic streams are metered and revenue-bearing.
In response to these threats, a growing array of security countermeasures (firewalls, NAT, secure connections, encryption schemes, secure Internet protocol (IPsec), vulnerability probes) have been developed to defend against such crippling attacks on data networks.
Of course, any of these security measures that were spawned by data network security may be beneficial to the prevention of attacks in telephony data networks. One area of particular vulnerability for some packet telephony systems stems from the fact that signaling, bearer traffic, and network management communications all share the same transport network. The call control systems communicate among themselves and to the network elements (such as gateways) using the same network that carries packets of customer data. To put things simply, one may send data to any point in a packet network as long as the address of the point is known. The fact that the call control servers are coupled through the transport network opens the possibility that a fraud perpetrator might attempt to communicate directly with a network server, either to impede the operation of the server or to send mock communications requests so as to fool the server into providing free communications services. Fortunately, network security measures, such as the use of IPsec tunnels between legitimate endpoints, are largely effective against these kinds of attacks.
While data network security measures may be employed to help defend against certain types of attacks against a telephony data network, there are a variety of fraud schemes that are not detected or prevented by such measures.
Various fraud schemes are known by which fraud perpetrators are able to steal communications services. Perpetrators have been able to steal calling card numbers, open false accounts, or otherwise manipulate equipment or people to get services without paying. Many of the possible fraud schemes have been well characterized in the PSTN and various techniques have been developed for detecting and preventing such abuses.
Unfortunately, there is a common misconception among those in the industry that the use of sufficient data network security measures should prevent all manner of abuse and fraud, even in a packet telephony environment. In truth, the role of fraud monitoring can be distinct from, but complementary with, network security. Network security provides mechanisms (e.g., firewalls, authentication services, user IDs/passwords, etc.) to ensure that only authorized users gain access to network services. These security mechanisms offer little protection against internal abuse by authorized users or against social engineering situations. As a complementary capability, fraud monitoring provides a view into the services actually used on the network, to ensure that none of the security mechanisms have been compromised or abused. Fraud monitoring facilitates identification of vulnerabilities in the network, protects a commercial customer by minimizing unauthorized use, and protects the service provider against revenue loss.
In summary, network security focuses on fraud prevention, while fraud monitoring focuses on fraud detection. These network concerns must be addressed before customers invest in the adoption of new services and technologies. Customers are attracted to a converged solution because of the potential for new services and enhanced functions, but are apprehensive about new security risks and avenues of fraud.