March 20, 2007

Security Practices for Enterprise Internet Telephony

By Alan Rosenberg, BlueNote Networks


VoIP has exploded in the enterprise in recent years. At the beginning of the decade nearly all PBX line shipments were TDM-based. By 2004 VoIP line shipments equaled TDM line shipments. Today VoIP accounts for the majority of PBX line shipments.

 
Most enterprise VoIP traffic is transported over private IP networks. Many companies are excited by the prospect of carrying voice over the public Internet as well. Internet telephony promises numerous functional, global reach and economical benefits.
 
Enterprises can exploit the Internet to inexpensively connect remote offices, extend corporate communications services to telecommuters and mobile workers, and improve interactions with customers and partners. But concerns over VoIP security have prevented many enterprises from leveraging the public Internet to carry voice.
 
Internet telephony applications are subject to numerous types of threats, including:

  • Eavesdropping. Attackers can intercept media streams to listen in on private telephone conversations or IVR sessions such as bank-by-phone calls. Attackers may tap into a call in real time or use virus programs based on Vomit [1] to record and forward calls as audio files.

  • Unauthorized access. Attackers can gain access to corporate communications services for free long distance or international calling.

  • Denial of service attacks. Attackers can bring down corporate communications services for malicious purposes.

  • Call hijacking. Attackers can redirect calls and impersonate a legitimate caller.

  • Unauthorized management access. Attackers can gain access to provisioning and administrative systems for fraudulent purposes.

By implementing appropriate security measures enterprises can ward off these threats and deliver voice services over the public Internet in a secure and reliable manner. When protecting your communications infrastructure it is important to secure all layers of the network and consider all potential points of vulnerability.
 
Physical protection is the first step in a secure Internet telephony solution. Every precaution should be taken to guard against unauthorized access to servers, routers, network wiring closets, network backbone segments, and any other critical components.
 
The second step is to implement best practices for network design and operation, including segregating voice and data networks. Placing voice and data traffic on separate VLANs with non-routable addresses, and using access control lists to further segregate voice and data devices, prevents malicious data applications from capturing or altering voice traffic.
 
Next, secure the boundary between the private and public networks using VoIP-aware firewalls, session border controllers, or security-capable business communications platforms. Strong perimeter security guards against application-level threats, unusual calling patterns, and denial of service attacks.
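An added illustration, not part of the original article, of the kind of detection a VoIP-aware perimeter device applies to call attempts: the Python below scans constructed call-attempt log lines (an assumed "timestamp method from=ip to=number" format) and flags INVITE floods as well as a single source probing many international destinations, the pattern behind toll fraud.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Assumed log format: '<ISO timestamp> <SIP method> from=<ip> to=<E.164 number>'."""
    ts, method, src, dst = line.split()
    return datetime.fromisoformat(ts), method, src[len("from="):], dst[len("to="):]


def flag_sources(lines, window=timedelta(seconds=10), max_invites=20, max_intl=3):
    """Return {source_ip: [reasons]} for sources that exceed the INVITE rate in a
    sliding window or dial more distinct international numbers than allowed."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    intl = defaultdict(set)       # per-source distinct international destinations
    flagged = defaultdict(set)
    for line in lines:
        ts, method, src, dst = parse_line(line)
        if method != "INVITE":    # only call setups count toward these thresholds
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_invites:
            flagged[src].add("invite-flood")
        # Assumption for this example: +1 (NANP) is domestic, anything else international.
        if dst.startswith("+") and not dst.startswith("+1"):
            intl[src].add(dst)
            if len(intl[src]) > max_intl:
                flagged[src].add("international-scan")
    return {s: sorted(r) for s, r in flagged.items()}


def constructed_log():
    """Constructed sample traffic: one normal caller, one INVITE flood, one toll-fraud probe."""
    base = datetime(2007, 3, 20, 9, 0, 0)
    lines = []
    for i in range(3):   # legitimate user: three domestic calls a minute apart
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} INVITE from=192.0.2.5 to=+1203555100{i}")
    for i in range(30):  # flood: 30 INVITEs in under three seconds from one address
        lines.append(f"{(base + timedelta(milliseconds=100 * i)).isoformat()} INVITE from=198.51.100.7 to=+12035551234")
    for i in range(5):   # probing: one address dialing five different international numbers
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} INVITE from=203.0.113.9 to=+4420700000{i}")
    return sorted(lines)
```

Thresholds are deliberately low so the constructed sample trips them; in production they are tuned to the site's normal call volume.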
 
Implement strong user authentication and authorization methods to prevent unauthorized service access. Look for an IP telephony solution, or business communications platform, that works with incumbent enterprise authentication services such as Microsoft Active Directory, RADIUS or LDAP. Consolidate adds, moves, and changes and reduce security risks by utilizing common administrative tools for voice and data users. Rigorous authentication and authorization policies eliminate toll fraud and other service abuse concerns.
 
To provide conversation privacy and to protect against call hijacking (man-in-the-middle attacks) encrypt both the media and signaling streams. For SIP-based solutions Secure RTP (SRTP) and Transport Layer Security (TLS) offer standards-based media and signaling encryption, respectively.
 
SRTP provides encryption, message authentication and integrity, and replay protection for RTP data. It standardizes on the use of AES (Advanced Encryption Standard) as its encryption algorithm.
 
TLS protects SIP signaling messages against loss of integrity and confidentiality and against replay, and ensures that no third party may eavesdrop on or tamper with any message. TLS utilizes proven digital certificate and public key cryptography technologies.
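As an added example (not from the article or from BlueNote), the Python below is a small audit check for the two protections just described: it reads a SIP INVITE, reports whether the signaling arrived over TLS from the top Via header, and checks each SDP media line for an RTP/SAVP profile with SDES key material, which is what actually puts the call on SRTP rather than cleartext RTP. The INVITE and its key value are constructed placeholders.

```python
import re

# Constructed sample INVITE: signaling over TLS, an SRTP audio stream
# (RTP/SAVP plus an a=crypto key line) and a cleartext RTP/AVP video stream.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_NOT_REAL\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)


def audit_sip_offer(message: str) -> dict:
    """Report the transport used for signaling and the protection of each media stream."""
    head, _, body = message.partition("\r\n\r\n")
    # The top-most Via header records the transport this hop received the message on.
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    signaling_tls = bool(via) and via.group(1).upper() == "TLS"
    media, current = [], None
    for line in body.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()          # <type> <port> <profile> <formats...>
            current = {"type": fields[0], "profile": fields[2], "crypto": False}
            media.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["crypto"] = True           # SDES key line belongs to the last m= section
    for m in media:
        # Only a secure profile (RTP/SAVP or RTP/SAVPF) with key material is SRTP;
        # RTP/AVP, or SAVP with no keys, leaves the media in the clear.
        m["srtp"] = m["profile"].startswith("RTP/SAVP") and m["crypto"]
    return {"signaling_tls": signaling_tls, "media": media}
```

A message whose Via says UDP or TCP, or whose media lines all report srtp False, is exactly the configuration this article warns against.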
 
When considering an overall solution, it is important to evaluate the security capabilities of the IP telephony service delivery platform, or business communications platform, as well as the telephone instruments (hard phones or soft phones), as some manufacturers do not support standards-based security protocols such as TLS and SRTP.
 
Finally, when selecting a service delivery platform, don’t forget about management security. Hackers can abuse and take down services by gaining access to provisioning and management systems. Many VoIP platforms offer browser-based applications for provisioning and management, and for end-user self-service. But be certain browser-based applications can be delivered securely over the Internet, by implementing strong passwords and by using SSL, HTTPS or other appropriate security protocols.
 
By taking a carefully planned, multi-faceted approach to security, enterprises can safely transport VoIP traffic over the public Internet. With security concerns removed, businesses can utilize the full power of the Internet to extend services globally to nomadic workers and telecommuters, to better reach customers and partners, and to more economically connect distant offices.

[1] Vomit is an open source software utility that converts VoIP sessions into WAV audio files. It is often associated with VoIP eavesdropping attacks.

 
Alan Rosenberg is director of Product Line Management for BlueNote Networks. With BlueNote SessionSuite platforms, enterprises, ISVs and partners can quickly and easily embed interactive real-time communication services into a range of commercial or custom software applications, Web sites and internal business processes using industry-standard interfaces and technology. He can be reached at [email protected].
