December 2002

BY TONY RYBCZYNSKI

IP telephony is an application that runs on the IP network, albeit one that is very time sensitive and that is critical to the running of the business. Just like other applications, IP telephony systems can be subjected to a number of attacks. For example:

• Denial of Service can overload an IP telephony communications server or client.
• Ping of Death can disrupt operations by sending multiple pings to VoIP devices.
• Port scanning can find vulnerabilities in VoIP clients and servers.
• Packet sniffing can record and/or intercept conversations.
• IP spoofing can misrepresent the source or destination of the media or signaling stream.
• Viruses, worms, Trojan horses, and time-triggered bombs can attack servers and clients.

There have already been cases of hackers taking over IP clients, due to lack of administration passwords in one case, and due to vulnerabilities associated with unauthenticated configuration server access in another.

Like any application, a risk assessment of IP telephony needs to be done to assess its intrinsic value, to understand the implications of loss, and to formulate a security policy. We can start this assessment by making some key observations on telephony and data security in general. First of all, telephony is a critical business function and therefore, like the network itself, the telephony system as a whole must be protected from security attacks. Secondly, we trust the public voice network and live daily with the inherent vulnerability of the public cell phone systems. Thirdly, we trust PBX networks, the critical components of which are locked away in a telecom room. In addition, IT organizations have spent a lot of effort to minimize toll fraud and misuse of the voice network for personal calls.

On the data side, we also rely on physical security to ensure that only employees have access to the internal network, and we trust that information sent over LANs, campus nets and over physical and virtual private lines are generally secure. Most enterprises have established security policies that all data transmissions to employees and remote offices over the Internet need to be encrypted and authenticated. Likewise, critical customer interactions over the Web are protected via SSL.

Traditionally, telephony users are only required to authenticate themselves for off-net access, using a feature called Direct Inward System Access (DISA). On the other hand, it is not uncommon to require data users to use multiple user IDs and passwords for network and application access. This complexity runs counter to securing the telephony environment, and is not acceptable to users whose expectation is instant dial tone.

From the above, a number of key principles in securing IP telephony can be identified:

1. Enterprise IP telephony systems rely on the IP networking infrastructure to be secured from a data perspective, and to be engineered and designed to meet the latency and reliability requirements of telephony.
2. Enterprise IP telephony Communications Servers are business critical and must be physically secure, and protected from internal and external attack.
3. Secure authentication of VoIP clients must be provided, but simplicity must be maintained.
4. Encryption of voice is a requirement when extending the enterprise over the Internet and other insecure media.
5. A holistic approach to security must be taken across the entire telephony environment including VoIP clients and servers, application servers (e.g., for unified messaging and contact centers) and traditional PBXs.
6. Enterprise IP telephony solutions operate within the confines of the enterprise, interworking with the public network over circuit switched connections. End-to-end VoIP connectivity between public phones and phones within the enterprise is not a short-term need.
   

Securing Application And IP Telephony Communications Servers

The heart of the IP telephony system is the communications server, which could be standalone, or integrated as in the case of IP-enabled PBXs or new office-in-a-box solutions. Equally important are application servers delivering contact center, multimedia applications, and unified messaging.

Security starts with the operating systems (OS). Telecommunications vendors have traditionally built highly robust communications networks, using proprietary or commercially available real-time OSes and UNIX. The former are secure in that they have no back doors to the outside world, while the latter is considered reasonably robust. Not surprisingly, however, the most common OS in the data world is also used extensively for application servers supporting IP telephony and communication intensive applications: Windows NT. These use a hardened version of Windows NT with off-the-shelf security software for functions such as anti-virus protection, intrusion detection, and login audits. Hardening Windows NT starts with the requirements that server cloning should be avoided and that the media from which the operating system is downloaded must be trustworthy, and goes from there.

From a management perspective, a physically dedicated Ethernet port configured as on a virtual LAN (VLAN) should be configured, with all non-management traffic blocked at the routing level via access lists and firewalls. Off-net access for suppliers, system integrators, and/or VARs can be provided via IP VPNs. Unused ports (e.g., for consoles or remote modem access) should be turned off. Only authorized application software should be run on these servers. Multiple levels of privileges (monitor, configure, control) should be supported for authenticated operational personnel. User passwords must be securely stored and password formatting and change management strictly controlled. Management traffic (such as billing information) can be optionally encrypted even for internal transmission again through IP VPN technology.

Securing VoIP Clients

IP telephony solutions support a broad range of clients and access configurations, including IP wired and wireless telephones and PC-based soft clients. When connected to an IP network, these are vulnerable to attack. However, there are significant differences in how risk is minimized for IP telephones and for PC-based soft telephony clients.

IP telephones are custom-built appliances. In most cases, there is no storage or asset on the phone itself to protect, other than its presence on the network as a trusted device. The identification of the caller and the call itself are the assets to be protected. These telephony appliances most commonly use a thin client protocol, which relies on the Communications Server for feature/functionality and security. In some cases, vendors rely on XML in the VoIP set for feature operation -- clearly a vulnerability point.

VoIP soft-clients reside on user PCs with other applications and other assets, all typically running on a Windows OS. A successful attack can be costly, since there are many valuable assets on the PC, including applications, and business, financial, and personal data. The common practice is to use one or a number of security applications, providing personal firewalls, anti-virus detection, and IP VPN clients. These can protect VoIP soft clients as well as data applications.

Securing VoIP In The Wiring Closet And Across The Campus

There are two ways of wiring IP devices into a campus network: shared media and dedicated switched Ethernet. The general industry direction is towards the latter complemented by VLANs, this driven by traffic growth, security, and manageability requirements. Wireless LANs (WLANs) offer a third alternative, which are exploding in environments such as in education and healthcare.

With the introduction of IP telephony, it is highly recommended that VoIP soft clients and VoIP appliances are connected to dedicated switched Ethernet environments properly. This minimizes VoIP latency variation by eliminating CSMA-based contention resolution inherent in shared media Ethernet. With this approach, the potential of other desktops eavesdropping on VoIP (and data) calls is eliminated. In addition, VoIP telephones can be logically grouped in their own VLANs, in order to ease manageability.

IP telephony can significantly enhance the productivity of users using WLANs, by extending telephony feature/functionality from the desktop to, for example, the conference room or classroom. Because of the hostile nature of these WLANs, the recommended architecture is to secure voice and data traffic over at least the wireless segment, and to authenticate the user before allowing communications. This can be done by configuring an IP telephony soft client with an IP VPN client on the laptop. Alternatively, with some WLAN IP phones, encryption and authentication is built in; for example, Symbol�s WLAN IP phones support 128-bit Wireless Equivalent Privacy (WEP) encryption between the client and the wireless access point, and Kerberos authentication.

Securing Branches For IP Telephony

Branches are connected into the enterprise network through physical or virtual private lines, or through IP VPNs. These branches may be configured with direct Internet access, requiring a firewall to protect both data and IP telephony environments. There are a number of approaches to supporting remote office and branch IP telephony solutions. These include VoIP telephones and soft clients supported off an office-in-a-box solution in the branch, or off a centralized communications server (e.g., at a regional site). In any case, it is recommended that VoIP traffic is run securely over an IP VPN established for data. For highly scalable and reliable branch networking, it is important to provide a mesh of branch-to-branch secure tunnels over the Internet, to minimize delays.

Securing Remote Access For IP Telephony

Remote access VPNs are mainstream today in securely leveraging the Internet for employee, partner, and customer data access. IP telephony can significantly enhance the productivity of remote users, whether working at home, in a hotel, or on the road, in all cases extending telephony feature/functionality from the desktop to the remote location. The VoIP soft client should go through the IP VPN client on the laptop (and ultimately on a suitably equipped PDA). This same configuration would be used to take advantage of WLAN access points in hotels, airports, and convention centers.

Conclusions

IP telephony systems can be made secure, through OS hardening, by securing network management, and by taking advantage of the technologies put in place for data security (notably switched Ethernet and IP VPNs). The cost of further securing IP telephony must be commensurate with the business cost of loss. As with any new application, IT should update its overall security policy and ensure that it is consistently implemented across technologies, processes, and organizations.

Tony Rybczynski is director of strategic enterprise technologies for Nortel Networks with 30 years experience in networking. For more information, visit the company�s Web site at www.nortelnetworks.com.

[ Return To The December 2002 Table Of Contents ]