Title :
SIP intrusion detection and prevention: recommendations and prototype implementation
Author :
Niccolini, S. ; Garroppo, R.G. ; Giordano, S. ; Risi, G. ; Ventura, S.
Author_Institution :
NEC Europe Ltd., Heidelberg, Germany
Abstract :
As VoIP deployments are expected to grow, intrusion problems similar to those that data networks experience will become very critical. In the early stages of deployment, the intrusion and security problems have not been seriously considered, although they could have a negative impact on VoIP deployment. In the paper, SIP intrusion detection and prevention requirements are analyzed and an IDS/IPS architecture is proposed. A prototype of the proposed architecture was implemented using as a basis the very popular open-source software Snort, a network-based intrusion detection and prevention system. The prototype of the proposed architecture extends the basic functionality of Snort, making use of the preprocessing feature that permits analyzing protocols of layers above the TCP/UDP one. The preprocessors block is a very powerful one since it permits implementing both knowledge-based and behavior-based intrusion detection and prevention techniques in Snort, which basically adopts a network-based technique. An important requirement of an IPS is that legitimate traffic should be forwarded to the recipient with no apparent disruption or delay of service. Hence, the performance of the proposed architecture has been evaluated in terms of the impact that its operation has on the QoS experienced by the VoIP users.
Keywords :
Internet telephony; public domain software; quality of service; security of data; transport protocols; IDS-IPS architecture; QoS; SIP intrusion detection; TCP; UDP; VoIP deployment; data network; network-based intrusion detection; open-source software Snort; prevention technique; protocol analysis; quality of service; session initiation protocol; transmission control protocol; user datagram protocol; Communication system security; Computer architecture; Data security; Delay; Internet telephony; Intrusion detection; Protocols; Prototypes; Quality of service; Switches;
Conference_Title :
VoIP Management and Security, 2006. 1st IEEE Workshop on
Print_ISBN :
1-4244-0144-5
DOI :
10.1109/VOIPMS.2006.1638122