VoIP has exploded in the enterprise in recent years. At the beginning of the decade nearly all PBX line shipments were TDM based. By 2004 VoIP line shipments equaled TDM line shipments. Today VoIP accounts for the majority of PBX line shipments.
Most enterprise VoIP traffic is transported over private IP networks. Many companies are also attracted by the prospect of carrying voice over the public Internet, which promises functional, global-reach and cost benefits.
Enterprises can exploit the Internet to inexpensively connect remote offices, extend corporate communications services to telecommuters and mobile workers, and improve interactions with customers and partners. But concerns over VoIP security have prevented many enterprises from leveraging the public Internet to carry voice.
Internet telephony applications are subject to numerous types of threats, including:
- Eavesdropping. Attackers can intercept media streams to listen in on private telephone conversations or IVR sessions such as bank-by-phone calls. Anyone able to sniff a network segment that unencrypted RTP crosses can listen in real time, or use a tool such as Vomit (1) to record the captured call as an audio file and forward it.
- Unauthorized access. Attackers can gain access to corporate communications services for free long distance or international calling (toll fraud).
- Denial of service attacks. Attackers can bring down corporate communications services for malicious purposes.
- Call hijacking. Attackers can redirect calls and impersonate a legitimate caller.
- Unauthorized management access. Attackers can gain access to provisioning and administrative systems for fraudulent purposes.
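The eavesdropping threat in the list above is worth seeing concretely. The following is an added example, not code from the article or from BlueNote Networks: a small Python tool that does what Vomit does, reassembling a captured plaintext RTP stream into a WAV file. It parses the RTP header, reorders packets by sequence number (including the 16-bit wrap), drops duplicates and decodes the G.711 samples to linear PCM. The packets it works on are constructed inline; the SSRC, sequence numbers and payload bytes are invented for the example, and a real tool would read them from a pcap instead.

```python
"""Reassemble a captured plaintext RTP stream into a playable WAV file.

Added example, not code from the article or from BlueNote Networks.  The
RTP header (RFC 3550) is 12 bytes; for G.711 audio (payload type 0 = PCMU,
8 = PCMA) the bytes after it are the voice samples themselves, so a passive
capture of the UDP stream is the call.  All packets here are constructed.
"""
import io
import struct
import wave
from functools import cmp_to_key

RTP_VERSION = 2
G711_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA"}   # static payload types, RFC 3551

def parse_rtp(packet: bytes) -> dict:
    """Parse the fixed RTP header plus CSRC list, header extension and padding."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the 12-byte RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != RTP_VERSION:
        raise ValueError(f"not RTP version 2 (got {b0 >> 6})")
    padding, extension, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    offset = 12 + 4 * cc                       # skip contributing-source IDs
    if extension:                              # RFC 3550 5.3.1: 4-byte header + N words
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        offset += 4 + 4 * struct.unpack("!H", packet[offset + 2:offset + 4])[0]
    end = len(packet) - (packet[-1] if padding else 0)   # last octet = pad count
    if end < offset:
        raise ValueError("padding/extension exceed packet length")
    return {"seq": seq, "timestamp": ts, "ssrc": ssrc, "marker": bool(b1 & 0x80),
            "payload_type": b1 & 0x7F, "payload": packet[offset:end]}

def _seq_order(a: int, b: int) -> int:
    # Circular 16-bit comparison, so sequence 65535 sorts before 0.
    if a == b:
        return 0
    return -1 if ((b - a) & 0xFFFF) < 0x8000 else 1

def reassemble_g711(packets: list[bytes]) -> tuple[int, bytes]:
    """Order one SSRC's packets by sequence number, drop duplicates and join
    the G.711 payloads.  Returns (payload_type, raw G.711 samples)."""
    parsed = [parse_rtp(p) for p in packets]
    if len({p["ssrc"] for p in parsed}) != 1:
        raise ValueError("expected packets from a single SSRC")
    pts = {p["payload_type"] for p in parsed}
    if len(pts) != 1 or not pts <= set(G711_PAYLOAD_TYPES):
        raise ValueError(f"not a single G.711 stream: payload types {pts}")
    parsed.sort(key=cmp_to_key(lambda p, q: _seq_order(p["seq"], q["seq"])))
    samples, seen = bytearray(), set()
    for p in parsed:
        if p["seq"] not in seen:               # ignore duplicated packets
            seen.add(p["seq"])
            samples += p["payload"]
    return pts.pop(), bytes(samples)

def ulaw_to_linear(u: int) -> int:
    """G.711 mu-law octet -> 16-bit linear PCM (standard expansion)."""
    u = ~u & 0xFF
    t = (((u & 0x0F) << 3) + 0x84) << ((u & 0x70) >> 4)
    return (0x84 - t) if u & 0x80 else (t - 0x84)

def alaw_to_linear(a: int) -> int:
    """G.711 A-law octet -> 16-bit linear PCM (standard expansion)."""
    a ^= 0x55
    t, seg = (a & 0x0F) << 4, (a & 0x70) >> 4
    t += 0x108 if seg else 8
    if seg > 1:
        t <<= seg - 1
    return t if a & 0x80 else -t

def to_wav(samples: bytes, payload_type: int) -> bytes:
    """Decode G.711 to 16-bit PCM and wrap it in a mono 8 kHz WAV container."""
    decode = ulaw_to_linear if payload_type == 0 else alaw_to_linear
    pcm = struct.pack(f"<{len(samples)}h", *(decode(b) for b in samples))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams((1, 2, 8000, 0, "NONE", "not compressed"))
        w.writeframes(pcm)
    return buf.getvalue()

def build_rtp(seq, ts, ssrc, payload_type, payload, marker=False) -> bytes:
    """Build a minimal RTP packet; used only to construct the sample capture."""
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", RTP_VERSION << 6, b1, seq & 0xFFFF,
                       ts & 0xFFFFFFFF, ssrc) + payload

# Constructed capture: four 20 ms PCMU frames (160 samples each) of one stream
# whose sequence number wraps at 65535, seen out of order with one duplicate.
FRAMES = [bytes([0xFF]) * 160, bytes(range(160)),
          bytes([0x7F]) * 160, bytes(range(159, -1, -1))]
_SSRC = 0xDEADBEEF                             # invented stream identifier
SAMPLE_PACKETS = [
    build_rtp(65535, 160, _SSRC, 0, FRAMES[1]),
    build_rtp(65534, 0, _SSRC, 0, FRAMES[0], marker=True),   # start of talkspurt
    build_rtp(1, 480, _SSRC, 0, FRAMES[3]),
    build_rtp(0, 320, _SSRC, 0, FRAMES[2]),
    build_rtp(0, 320, _SSRC, 0, FRAMES[2]),                  # duplicate
]

if __name__ == "__main__":
    pt, raw = reassemble_g711(SAMPLE_PACKETS)
    with open("call.wav", "wb") as f:
        f.write(to_wav(raw, pt))
    print(f"{G711_PAYLOAD_TYPES[pt]} stream: {len(raw)} samples "
          f"({len(raw) / 8000:.2f} s) written to call.wav")
```

Nothing in this needs a credential, a vulnerability or an exploit: the attacker only has to see the packets, which is exactly what the VLAN separation and SRTP measures discussed later in the article are there to prevent.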
By implementing appropriate security measures enterprises can ward off these threats and deliver voice services over the public Internet in a secure and reliable manner. When protecting your communications infrastructure it is important to secure all layers of the network and consider all potential points of vulnerability.
Physical protection is the first step in a secure Internet telephony solution. Every precaution should be taken to guard against unauthorized access to servers, routers, network wiring closets, network backbone segments, and any other critical components.
The second step is to implement best practices for network design and operation, including segregating voice and data networks. Placing voice and data traffic on separate VLANs with private, non-routable addresses, and using access control lists to further restrict which devices may reach the voice VLAN and the call servers, makes it much harder for a compromised or malicious data host to capture or alter voice traffic. A VLAN is a logical boundary, not a physical one, so the ACLs and switch-port hardening are what make the separation hold.
Next secure the boundary between the private and public networks using VoIP-aware firewalls, session border controllers, or security-capable business communications platforms. Strong perimeter security guards against application-level threats, unusual calling patterns, and denial of service attacks.
Implement strong user authentication and authorization methods to prevent unauthorized service access. Look for an IP telephony solution, or business communications platform, that works with incumbent enterprise authentication services such as Microsoft Active Directory, RADIUS or LDAP. Consolidate adds, moves, and changes, and reduce security risks, by utilizing common administrative tools for voice and data users. Rigorous authentication and authorization policies greatly reduce toll fraud and other service abuse.
To provide conversation privacy and to protect against call hijacking (man-in-the-middle attacks), encrypt both the media and the signaling streams. For SIP-based solutions, Secure RTP (SRTP) and Transport Layer Security (TLS) offer standards-based media and signaling encryption, respectively. The two go together: with the common SDES key exchange the SRTP master keys are carried in the SDP body of the SIP messages, so unencrypted signaling exposes the keys and with them the media.
SRTP provides encryption, message authentication and integrity, and replay protection for RTP data. Its default cipher is AES (Advanced Encryption Standard) in counter mode, with HMAC-SHA1 for message authentication.
TLS protects SIP signaling messages against loss of confidentiality and integrity and against replay, so that no third party on that hop may eavesdrop on or tamper with a message. TLS relies on proven digital certificate and public key cryptography. Note that SIP over TLS is hop-by-hop: each proxy along the path terminates the TLS session and sees the signaling in the clear, so every hop between the phone and the far end must be secured, and the phone should verify the server's certificate rather than accept any.
When considering an overall solution, it is important to evaluate the security capabilities of the IP telephony service delivery platform, or business communications platform, as well as the telephone instruments (hard phones or soft phones), as some manufacturers do not support standards-based security protocols such as TLS and SRTP.
Finally, when selecting a service delivery platform, don't forget about management security. Hackers can abuse and take down services by gaining access to provisioning and management systems. Many VoIP platforms offer browser-based applications for provisioning and management, and for end-user self-service. Be certain those applications are delivered securely: over HTTPS (TLS) with a valid certificate, with strong passwords, and, wherever possible, reachable only from the management network rather than the open Internet.
By taking a carefully planned, multi-faceted approach to security, enterprises can safely transport VoIP traffic over the public Internet. With security concerns addressed, businesses can utilize the full power of the Internet to extend services globally to nomadic workers and telecommuters, to better reach customers and partners, and to more economically connect distant offices.
1. Vomit is an open source software utility that converts VoIP sessions into WAV audio files. It is often associated with VoIP eavesdropping attacks.
Alan Rosenberg is director of Product Line Management for BlueNote Networks. With BlueNote SessionSuite platforms, enterprises, ISVs and partners can quickly and easily embed interactive real-time communication services into a range of commercial or custom software applications, Web sites and internal business processes using industry-standard interfaces and technology. He can be reached at [email protected].