W HI T E PA P E R

Hackers Are Poised to Compromise Your

Business Communications Networks

Masergy Protects
Your Business With Secure
Cloud Communications
TA B L E O F C O N T E N T S

3
INTRODUCTION
4
THE NEW THREATS
5
Unauthorized Callers
Attacks and Fraud

6
Spoofing
Unauthorized Users

7
Eavesdropping
Degrading Voice Services

8
Hardware Failures
Anomalous Behaviors

9
Attacks from Other Networks
 IN T R O D U C T IO N

Illegal access. Stolen information. Toll fraud. These

are just some of the very real attacks that threaten your
business continuity. Fortunately, there’s a better way to
protect your communications networks.
Masergy’s Unified Communications as
a Service (UCaaS) solution has been
designed to protect voice networks
against today’s most serious security
threats. It detects and mitigates
against attacks designed to steal your
information and services, and disrupt
your most important business activities.
Masergy protects its UCaaS
solution using a managed network
architecture, specialized equipment
and secure equipment configurations.
The resulting architecture helps
keep service availability high. Also,
Masergy’s fault-management and
performance-monitoring systems track
your network’s health; if an attack is
detected, Masergy’s features enable
both proactive and reactive remedies.
Masergy’s enterprise-grade UCaaS elements. Masergy also employs
helps protect your communications fault-management and network
networks with several key features. performance-monitoring systems that
Masergy’s fully managed network detect and flag impairments — so you
infrastructure uses virtually can take action quickly.
segmented voice and data networks,
user authentication and access Masergy owns and operates its own
control. voice and network infrastructure. That
means it can regularly enact proactive
Our specialized equipment includes measures to manage the quality and
intelligent-edge devices, and security of voice and data traffic on
equipment configuration includes the network — helping to keep your
redundancy and hardened network networks even safer.
Masergy UCaaS Security Overview
• Highly secure and protected service implementation
• Secure connectivity options via Layer 3 or Layer 2 MPLS/VPLS
• Enterprise session border controllers with traffic history audits
• Stateful device registration
• SSAE-16 SOC 2 Type II Certified
T HE NE W T HR E AT S

The voice-over-internet protocol (VoIP) has achieved

mainstream acceptance among businesses. These systems
transmit voice over packet-switched IP networks, delivering far
greater flexibility and tighter integration with other business
systems than traditional phone services can.

But VoIP technology also introduces new security concerns.

Because VoIP phones inhabit the same world as other network
devices, they’re also exposed to many of the same threats.
This makes VoIP phones now nearly as big a security risk as
networked computer systems. Clearly, an equally robust method
of securing these devices is required.

Masergy’s UCaaS offers 9 security measures

aimed at preventing and counteracting today’s
most serious security concerns:

• End point provisioning

• User authentication
• Stateful device registration
• Integrated security policies
• Anti-spoofing
• Password protection
• Security verification
• Data encryption
• Session border controllers

1
Unauthorized Callers
Masergy’s UCaaS solution
has been designed to protect
voice networks against today’s
most serious security threats.
It detects and prevents attacks
designed to steal your informa-
tion and services, and disrupt
your most important business
activities.
Masergy protects its UCaaS solu-
tion using a managed network
architecture, specialized equip-
ment and secure equipment
configurations. The resulting
architecture helps keep service
availability high. Also, Masergy’s
fault-management and perfor-
mance-monitoring systems track
your network’s health; if an attack
is detected, Masergy’s features
enable both proactive and reac-
tive remedies.
Masergy’s enterprise-grade
UCaaS helps protect your com-
Masergy provides feature-rich
global Cloud Communications
solutions that are inherently
resilient and infinitely scalable.
T HE NE W T HR E AT S
munications networks with sev-
eral key features. Masergy’s fully
managed network infrastructure
uses virtually segmented voice
and data networks, user authenti-
cation and access control.
Our specialized equipment in-
cludes intelligent-edge devices,
and equipment configuration in-
cludes redundancy and hardened
network elements. Masergy also
employs fault-management and
network performance-monitor-
ing systems that detect and flag
impairments — so you can take
action quickly.
Masergy owns and operates its
own voice and network infrastruc-
ture. That means it can regularly
enact proactive measures to
manage the quality and security
of voice and data traffic on the
network — helping to keep your
networks even safer.
2
Attacks
and Fraud
On a VoIP network, unauthorized
users who gain access can del-
uge the voice infrastructure with
unauthorized traffic. They can also
conduct costly toll fraud.
Masergy blocks both. To prevent
unauthorized users, Masergy re-
quires logon credentials to authen-
ticate all VoIP calls. If an unautho-
rized VoIP endpoint tries to register
with the voice service to place and
receive calls, it is blocked.
To prevent toll fraud, Masergy
tracks international call patterns. If
a customer’s international calling
pattern falls outside the norm,
Masergy follows up with the cus-
tomer to determine whether the
calls are valid.
 T HE NE W T HR E AT S

3 4
Eavesdropping
A VoIP network can be vulnerable to
eavesdroppers who intercept the packet
flow that carries calls.
To block them, Masergy offers several
approaches. One is the establishment
of a virtual local area network (VLAN) on
the user’s network. A VLAN can be used
to logically separate VoIP phones from
the user’s PC network, putting them be-
yond the reach of would-be interceptors.
Outside the customer’s LAN, Masergy’s
VoIP traffic flows are carried through a
combination of trusted Tier 1 carrier net-
works and Masergy’s core network. All
elements outside the LAN are located
within secure central offices and collo-
cation facilities, making them extremely
resistant to compromise.
Degrading
Voice
Services
VoIP performance is subject to call
degradation. Masergy improves VoIP
performance by creating virtual bound-
aries between its voice and data traffic
within the integrated network.
This also improves security. Masergy
provides logical segmentation of the
core network; this enables prioriti-
zation of voice traffic and the imple-
mentation of voice-specific security
policies. As an extra bonus, virtualized
boundaries between the voice and
data networks can prevent the very
types of data-service attacks that typi-
cally degrade voice services.

Masergy employs an extensible IP communications

system that offers enterprises a unified
communications platform for voice (VoIP), data,
video and mobile communications across all of their
global locations.
 T HE NE W T HR E AT S

Application
• Data Encryption (SSL/TLS/IPSec)
• Role-based access control (enterprise
admins, group admins, and users all
have different access rights)
• Accounting (complete user activity and
change history

5
Spoofing
Attackers can spoof IP addresses
by tricking a network element
into believing that their intrud-
ing IP packets originated from a
trusted host.
To stop them, Masergy offer built-
in features that help prevent two
• Real-time analytics with CDR details
and MOS for every call
• Authentication (Digest based,
minimum complexity
must match those of a valid user; if
they do not, the Masergy network
refuses the registration.
• Origination Spoofing: In this
type of attack, a SIP endpoint
pretends to be a user making an
outgoing call. This can be done

common types of spoofing fraud:
• Termination Hijacking: This
occurs when a Session Internet
Protocol (SIP) endpoint pretends to
be a user’s current endpoint. When
successful, all incoming calls for
that user are routed to the offend-
ing SIP device.
Masergy prevents this type of fraud
with what’s known as registration
authentication. In this process,
the user’s ID and password are
requested whenever a SIP register
is received. This ID and password
by simply sending an invitation
with the “From” header set to the
spoofed user.
Masergy prevents this with auto-
matic access-control lists. When
an invitation is sent, the Masergy
system checks whether its IP ad-
dress is contained in the automatic
access-control list. If it is not, the
packet is dropped. Masergy’s
network is also configured to
challenge SIP invitations for user ID
and password. If the provided cre-
dentials do not match, then again
the packet is dropped.
6
Unauthorized
Users
Intruders, thieves and other
unauthorized users can try to log
onto network servers and routers.
To block them, Masergy main-
tains full control of its customers
on-premises networking hardware.
For example, when Masergy in-
stalls routers, it also assigns each
device a randomly generated —
and therefore difficult-to-guess —
password. Masergy also maintains
its customers’ usernames and
passwords in a controlled data-
base available only to Masergy’s
authorized support staff.
 T HE
7 8
Hardware
Failures
Attacks can bring down network hard-
ware, preventing your staff from com-
municating and working. To prevent
this from happening, Masergy deploys
redundant infrastructure equipment
and hardened network elements.
These help protect your network
against attacks launched on the VoIP
infrastructure.
In the unlikely case that a hardware
failure or attack does disable a network
element, Masergy’s redundant de-
ployment triggers a backup system to
take over automatically. With the sole
exception of the access line, Maser-
gy deploys every network element
involved in VoIP with redundancy.
NE W T HR E AT S
Anomalous Behavior
Cybercriminals don’t behave like
other network users. To catch
report and acts to diagnose and
deal with any problems.
them before they do harm, Maser-
gy constantly monitors its VoIP Also, Masergy constantly monitors
service to verify that all systems the performance of its voice and
are running properly. Masergy also data networks, comparing the
sets traps for network criminals; performance against a baseline.
when the traps catch anomalous Any significant deviation from
behavior, Masergy’s fault-manage- this baseline is reported to the
ment system automatically detects fault-management system for ac-
and reports on it. Then, Masergy’s tion by the NOC staff. In the event
Network Operations Center (NOC) that an attack does slow down
determines the severity of each service, it is dealt with promptly.
Systems
• Intrusion detetion system
to prevent TDoS attacks
• Fraud detection system to
monitor call patterns and detect
abnormalities
• Automated software upgrades
and configuration management
• Server hardening and
interoperability testing
 T HE NE W T HR E AT S

Networks
• UCaaS infrastructure is embedded in the fabric of
Masergy’s highly reliable network architecture (no NNIs)
• Internal segmentation and network isolation
• Data encryption using SSL, TLS, IPSec
• MPL, VPLS and point-to-point secure private
connectivity options
• 100% in-sequence packet delivery with <1ms jitter - ideal
for real-time application delivery

9 About Masergy
Attacks from Other Networks
Among the many prime locations for
attackers are the borders between
networks. Typically, partners work
together to originate and terminate
calls on the public switched telecom
network (PSTN). Between them are
IP interfaces. Left unprotected, these
borders can be highly vulnerable.
Masergy protects its network bor-
ders, in part, with access-control
lists on its gateway routers. This
guards Masergy’s voice infrastructure
and its customers’ VoIP networks
against attacks originating on carri-
er networks. All internetwork VoIP
traffic must register with — and pass
through — these gateways, which
are the only entities visible from the
other networks. Also, all “unman-
aged” endpoints — that is, endpoints
not on Masergy’s managed-access
network — must pass through a ses-
sion border controller for additional
protection.
While access-control lists can ad-
equately protect a voice service,
Masergy goes one step further: It
places VoIP session border con-
trollers between its network and
those of other carriers. This makes
it possible to reduce the complexity
of the access-control lists, while also
enhancing both security controls and
quality-of-service verifications.
Masergy provides feature-rich
global unified communications
solutions that are inherently
resilient and infinitely scalable.
Through its extensible, highly
scalable IP communications
system, Masergy offers a uni-
fied digital platform for voice,
data, video and mobility com-
munications around the world.
Masergy’s solution suite tightly
integrates dispersed communi-
cations endpoints for office, mo-
bile and call-center employees.
Our customers increase their
productivity, accelerate their
business processes and improve
the levels of care they provide
their own customers.
To learn more and
contact a Masergy
representative, visit
us today

+1 (866) 588-5885 44 (0) 207 173 6900