Enterprises are starting to roll out IP telephony solutions, aiming to
reap the benefits of convergence in the LAN and the WAN, and of converged
applications. With online security breaches doubling every year, enterprises
need to address IP telephony system security.
IP telephony is an application that runs on the IP network, albeit one
that is very time sensitive and that is critical to the running of the
business. Just like other applications, IP telephony systems can be
subjected to a number of attacks. For example:
- Denial of Service can overload an IP telephony communications server or
client.
- Ping of Death can disrupt operations by sending multiple pings to VoIP
devices.
- Port scanning can find vulnerabilities in VoIP clients and servers.
- Packet sniffing can record and/or intercept conversations.
- IP spoofing can misrepresent the source or destination of the media or
signaling stream.
- Viruses, worms, Trojan horses, and time-triggered bombs can attack
servers and clients.
There have already been cases of hackers taking over IP clients, due to
lack of administration passwords in one case, and due to vulnerabilities
associated with unauthenticated configuration server access in another.
Like any application, a risk assessment of IP telephony needs to be done
to assess its intrinsic value, to understand the implications of loss, and
to formulate a security policy. We can start this assessment by making some
key observations on telephony and data security in general. First of all,
telephony is a critical business function and therefore, like the network
itself, the telephony system as a whole must be protected from security
attacks. Secondly, we trust the public voice network and live daily with the
inherent vulnerability of the public cell phone systems. Thirdly, we trust
PBX networks, the critical components of which are locked away in a telecom
room. In addition, IT organizations have spent a lot of effort to minimize
toll fraud and misuse of the voice network for personal calls.
On the data side, we also rely on physical security to ensure that only
employees have access to the internal network, and we trust that information
sent over LANs, campus nets, and physical and virtual private lines is
generally secure. Most enterprises have established security policies that
all data transmissions to employees and remote offices over the Internet
need to be encrypted and authenticated. Likewise, critical customer
interactions over the Web are protected via SSL.
Traditionally, telephony users are only required to authenticate
themselves for off-net access, using a feature called Direct Inward System
Access (DISA). On the other hand, it is not uncommon to require data users
to use multiple user IDs and passwords for network and application access.
This complexity runs counter to securing the telephony environment, and is
not acceptable to users whose expectation is instant dial tone.
From the above, a number of key principles in securing IP telephony can
be identified:
- Enterprise IP telephony systems rely on the IP networking
infrastructure to be secured from a data perspective, and to be engineered
and designed to meet the latency and reliability requirements of telephony.
- Enterprise IP telephony Communications Servers are business critical
and must be physically secure, and protected from internal and external
attack.
- Secure authentication of VoIP clients must be provided, but simplicity
must be maintained.
- Encryption of voice is a requirement when extending the enterprise
over the Internet and other insecure media.
- A holistic approach to security must be taken across the entire
telephony environment including VoIP clients and servers, application
servers (e.g., for unified messaging and contact centers) and traditional
PBXs.
- Enterprise IP telephony solutions operate within the confines of the
enterprise, interworking with the public network over circuit switched
connections. End-to-end VoIP connectivity between public phones and phones
within the enterprise is not a short-term need.

Securing Application And IP Telephony Communications Servers

The heart of the IP telephony system is the communications server, which
could be standalone, or integrated as in the case of IP-enabled PBXs or new
office-in-a-box solutions. Equally important are application servers
delivering contact center, multimedia applications, and unified messaging.
Security starts with the operating systems (OS). Telecommunications
vendors have traditionally built highly robust communications networks,
using proprietary or commercially available real-time OSes and UNIX. The
former are secure in that they have no back doors to the outside world,
while the latter is considered reasonably robust. Not surprisingly, however,
the most common OS in the data world is also used extensively for
application servers supporting IP telephony and communication intensive
applications: Windows NT. These servers use a hardened version of Windows NT with
off-the-shelf security software for functions such as anti-virus protection,
intrusion detection, and login audits. Hardening Windows NT starts with the
requirements that server cloning should be avoided and that the media from
which the operating system is downloaded must be trustworthy, and goes from
there.
From a management perspective, a physically dedicated Ethernet port on a
virtual LAN (VLAN) should be configured, with all
non-management traffic blocked at the routing level via access lists and
firewalls. Off-net access for suppliers, system integrators, and/or VARs can
be provided via IP VPNs. Unused ports (e.g., for consoles or remote modem
access) should be turned off. Only authorized application software should be
run on these servers. Multiple levels of privileges (monitor, configure,
control) should be supported for authenticated operational personnel. User
passwords must be securely stored and password formatting and change
management strictly controlled. Management traffic (such as billing
information) can optionally be encrypted even for internal transmission,
again through IP VPN technology.
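
The access-list policy described above can be checked mechanically. The following Python example is added here and is not part of the original article; it audits a first-match access list protecting a communications server's management port, with a weak list beside a hardened one. The subnets, the VPN address pool, and the choice of SSH, HTTPS, and SNMP as the management services are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing and services, constructed for this example.
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")   # management VLAN
VPN_POOL = ipaddress.ip_network("10.250.0.0/28")   # supplier/VAR IP VPN pool
MGMT_SERVICES = {("tcp", 22), ("tcp", 443), ("udp", 161)}  # SSH, HTTPS, SNMP

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source prefix in CIDR form
    dport: Optional[int]   # None matches any destination port

def decide(acl, proto, src_ip, dport):
    """First matching rule wins; traffic matching no rule is denied."""
    addr = ipaddress.ip_address(src_ip)
    for r in acl:
        if (r.proto in ("any", proto) and r.dport in (None, dport)
                and addr in ipaddress.ip_network(r.src)):
            return r.action
    return "deny"

def audit(acl):
    """List permit rules that admit more than management traffic."""
    findings = []
    for i, r in enumerate(acl):
        if r.action != "permit":
            continue
        src = ipaddress.ip_network(r.src)
        if not (src.subnet_of(MGMT_VLAN) or src.subnet_of(VPN_POOL)):
            findings.append((i, "source outside management VLAN/VPN pool"))
        if (r.proto, r.dport) not in MGMT_SERVICES:
            findings.append((i, "not a management service"))
    return findings

WEAK_ACL = [
    Rule("permit", "tcp", "10.0.0.0/8", 22),       # any internal host reaches SSH
    Rule("permit", "any", "10.99.0.0/24", None),   # every service from mgmt VLAN
]
HARDENED_ACL = [
    Rule("permit", "tcp", "10.99.0.0/24", 22),
    Rule("permit", "tcp", "10.99.0.0/24", 443),
    Rule("permit", "udp", "10.99.0.0/24", 161),
    Rule("permit", "tcp", "10.250.0.0/28", 443),   # off-net access via IP VPN only
    Rule("deny", "any", "0.0.0.0/0", None),        # explicit default deny
]
```

Calling `audit(WEAK_ACL)` flags both of its rules, while `audit(HARDENED_ACL)` returns an empty list. `decide()` shows the effect on individual flows, such as signaling traffic from a user subnet arriving at the management port.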

Securing VoIP Clients

IP telephony solutions support a broad range of clients and access
configurations, including IP wired and wireless telephones and PC-based soft
clients. When connected to an IP network, these are vulnerable to attack.
However, there are significant differences in how risk is minimized for IP
telephones and for PC-based soft telephony clients.
IP telephones are custom-built appliances. In most cases, there is no
storage or asset on the phone itself to protect, other than its presence on
the network as a trusted device. The identification of the caller and the
call itself are the assets to be protected. These telephony appliances most
commonly use a thin client protocol, which relies on the Communications
Server for feature/functionality and security. In some cases, vendors rely
on XML in the VoIP set for feature operation -- clearly a vulnerability
point.
VoIP soft-clients reside on user PCs with other applications and other
assets, all typically running on a Windows OS. A successful attack can be
costly, since there are many valuable assets on the PC, including
applications, and business, financial, and personal data. The common
practice is to use one or a number of security applications, providing
personal firewalls, anti-virus detection, and IP VPN clients. These can
protect VoIP soft clients as well as data applications.

Securing VoIP In The Wiring Closet And Across The Campus

There are two ways of wiring IP devices into a campus network: shared
media and dedicated switched Ethernet. The general industry direction is
towards the latter, complemented by VLANs, driven by traffic growth,
security, and manageability requirements. Wireless LANs (WLANs) offer a
third alternative, one that is exploding in environments such as education
and healthcare.
With the introduction of IP telephony, it is highly recommended that VoIP
soft clients and VoIP appliances be properly connected to dedicated switched
Ethernet environments. This minimizes VoIP latency variation by
eliminating CSMA-based contention resolution inherent in shared media
Ethernet. With this approach, the potential of other desktops eavesdropping
on VoIP (and data) calls is eliminated. In addition, VoIP telephones can be
logically grouped in their own VLANs, in order to ease manageability.
IP telephony can significantly enhance the productivity of users using
WLANs, by extending telephony feature/functionality from the desktop to, for
example, the conference room or classroom. Because of the hostile nature of
these WLANs, the recommended architecture is to secure voice and data
traffic over at least the wireless segment, and to authenticate the user
before allowing communications. This can be done by configuring an IP
telephony soft client with an IP VPN client on the laptop. Alternatively,
with some WLAN IP phones, encryption and authentication are built in; for
example, Symbol's WLAN IP phones support 128-bit Wireless Equivalent Privacy
(WEP) encryption between the client and the wireless access point, and
Kerberos authentication.

Securing Branches For IP Telephony

Branches are connected into the enterprise network through physical or
virtual private lines, or through IP VPNs. These branches may be configured
with direct Internet access, requiring a firewall to protect both data and
IP telephony environments. There are a number of approaches to supporting
remote office and branch IP telephony solutions. These include VoIP
telephones and soft clients supported off an office-in-a-box solution in the
branch, or off a centralized communications server (e.g., at a regional
site). In any case, it is recommended that VoIP traffic is run securely over
an IP VPN established for data. For highly scalable and reliable branch
networking, it is important to provide a mesh of branch-to-branch secure
tunnels over the Internet, to minimize delays.

Securing Remote Access For IP Telephony

Remote access VPNs are mainstream today in securely leveraging the
Internet for employee, partner, and customer data access. IP telephony can
significantly enhance the productivity of remote users, whether working at
home, in a hotel, or on the road, in all cases extending telephony
feature/functionality from the desktop to the remote location. The VoIP soft
client should go through the IP VPN client on the laptop (and ultimately on
a suitably equipped PDA). This same configuration would be used to take
advantage of WLAN access points in hotels, airports, and convention centers.

Conclusions

IP telephony systems can be made secure, through OS hardening, by
securing network management, and by taking advantage of the technologies put
in place for data security (notably switched Ethernet and IP VPNs). The cost
of further securing IP telephony must be commensurate with the business cost
of loss. As with any new application, IT should update its overall security
policy and ensure that it is consistently implemented across technologies,
processes, and organizations.
Tony Rybczynski is director of strategic enterprise technologies for
Nortel Networks with 30 years' experience in networking. For more
information, visit the company's Web site at
www.nortelnetworks.com.