At the most recent Internet Telephony Conference & EXPO West, in San Diego, VoIP security-related sessions drew standing-room-only attendance — and for good reason: as IP PBXs and other IP-based communications systems make significant inroads into the enterprise marketplace, the need to secure these solutions — and the networks they rely on — becomes an increasingly vital endeavor.
Thankfully, there are a number of great resources available that offer expert tips and suggestions. One such resource comes from the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST). NIST has published an excellent report on VoIP-related security issues entitled “Special Publication 800-58: Security Considerations for Voice Over IP Systems.” This report, authored by D. Richard Kuhn, Thomas J. Walsh, and Steffen Fries, is available at http://csrc.nist.gov/publications/nistpubs/index.html, and much of the information it provides applies not only to government agencies but to private sector enterprises as well.
This report includes a number of extremely valuable recommendations and guidelines that government and corporate IT managers should consider carefully before installing and deploying new VoIP equipment. I’ve taken the liberty of listing some of these guidelines below (but please note they have been edited for space considerations, and that interested readers should refer to the publication for the full skinny.)
1. Develop the appropriate network architecture. Recommendations include: separate voice and data on logically different networks if feasible; disallow SIP, H.323 and other VoIP protocols from the data network at the voice gateway; use strong authentication and access control on the voice gateway system, as with any other critical network component; deploy a mechanism to allow VoIP traffic through firewalls, which can include application level gateways (ALGs) for VoIP protocols and Session Border Controllers; employ IPsec or Secure Shell (SSH) for all remote management and auditing access, and, if practical, avoid remote management altogether and administer the IP-PBX from a physically secure system; and if performance is a problem, provide IPsec tunneling by encrypting at the router or other gateway rather than at the individual IP phones or appliances.
2. Ensure that the organization has examined and can acceptably manage and mitigate the risks to their information, system operations, and continuity of essential operations when deploying VoIP systems. An especially challenging security environment is created when new technologies are deployed. Risks often are not fully understood, administrators are not yet experienced with the new technology, and security controls and policies must be updated. Therefore, an enterprise should carefully consider such issues as their level of knowledge and training in the technology, the maturity and quality of their security practices, controls, policies, and architectures, and their understanding of the associated security risks.
3. Special consideration should be given to E-911 emergency services communications, because E-911 automatic location service is not available with VoIP in some cases. Unlike traditional telephone connections, which are tied to a physical location, VoIP’s packet-switched technology allows a particular number to be anywhere. This is convenient for users, because calls can be automatically forwarded to their locations. But the tradeoff is that this flexibility severely complicates the provision of E-911 service, which normally provides the caller’s location to the 911-dispatch office. Although most VoIP vendors have workable solutions for E-911 service, government regulators and vendors are still working out standards and procedures for 911 services in a VoIP environment. One must still carefully evaluate E-911 issues in planning for VoIP deployment.
4. Enterprises should be aware that physical controls are especially important in a VoIP environment and deploy them accordingly. Unless the VoIP network is encrypted, anyone with physical access to the office LAN could potentially connect network monitoring tools and tap into telephone conversations. Although conventional telephone lines can also be monitored when physical access is obtained, in most offices there are many more points at which to connect to a LAN without arousing suspicion. Even if encryption is used, physical access to VoIP servers and gateways may allow an attacker to do traffic analysis (i.e., determine which parties are communicating). A company therefore should ensure that adequate physical security is in place to restrict access to VoIP network components. Physical security measures, including barriers, locks, access control systems, and guards, are the first line of defense. You also need to make sure that the proper physical countermeasures are in place to mitigate some of the biggest risks, such as the insertion of sniffers or other network monitoring devices. Practically speaking, without them the installation of a single sniffer could result in not just data but all voice communications being intercepted.
5. Evaluate costs for additional power backup systems that may be required to ensure continued operation during power outages. A careful assessment must be conducted to ensure that sufficient backup power is available for the office VoIP switch, as well as each desktop instrument. Costs may include electrical power to maintain UPS battery charge, periodic maintenance costs for backup power generation systems, and cost of UPS battery replacement. If emergency/backup power is required for more than a few hours, electrical generators will be required. Costs for these include fuel, fuel storage facilities, and cost of fuel disposal at end of storage life.
6. VoIP-ready firewalls and other appropriate protection mechanisms should be employed. Enterprises must enable, use, and routinely test the security features that are included in VoIP systems. Because of the inherent vulnerabilities of operating telephony across a packet network, VoIP systems incorporate an array of security features and protocols. Organization security policy should ensure that these features are used. Additional measures, in particular firewalls designed for VoIP protocols, are an essential component of a secure VoIP system.
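Guidelines 1 and 6 both turn on what a VoIP-aware firewall or application level gateway (ALG) actually does: it reads the SIP signaling, learns from the SDP body which address and port the endpoint wants to use for media, and opens a narrow, temporary RTP pinhole only when that offer fits policy. The following is an added illustration written for this column, not code from NIST SP 800-58 or from any vendor product. The SIP INVITE, the voice subnet (10.10.0.0/16) and the RTP port range are constructed assumptions; the policy rules (signaling must originate on the voice network, the SDP media address must be on the voice network and match the signaling source, and RTP ports must be even and within the configured range) are one reasonable reading of the recommendation to keep VoIP protocols off the data network.

```python
"""
Minimal SIP/SDP inspection of the kind a VoIP-ready firewall or ALG performs.
Added example: the message, subnet and port range below are constructed.
"""
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Constructed network plan: voice endpoints and the IP-PBX live on one logical
# network, separate from the data network (assumption for this example).
VOICE_NET = ipaddress.ip_network("10.10.0.0/16")
# Assumed administrator-configured dynamic RTP range.
RTP_RANGE = range(16384, 32768)

# Constructed SIP INVITE with an SDP audio offer (no real hosts involved).
SAMPLE_INVITE = (
    "INVITE sip:2001@10.10.0.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.5.21:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@10.10.0.10>;tag=1928301774\r\n"
    "To: <sip:2001@10.10.0.10>\r\n"
    "Call-ID: a84b4c76e66710@10.10.5.21\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=1001 53655765 2353687637 IN IP4 10.10.5.21\r\n"
    "s=-\r\n"
    "c=IN IP4 10.10.5.21\r\n"
    "t=0 0\r\n"
    "m=audio 20000 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def parse_sip_message(raw: str) -> Dict[str, object]:
    """Split a SIP request into its start line, a header map and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def parse_sdp_media(body: str) -> Optional[Tuple[str, int]]:
    """Return (connection address, RTP port) from the SDP c= and m=audio lines."""
    conn = re.search(r"^c=IN IP4 (\S+)\s*$", body, re.M)
    media = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    if conn is None or media is None:
        return None
    return conn.group(1), int(media.group(1))


def deny(reason: str) -> Dict[str, object]:
    return {"allow": False, "reason": reason, "pinhole": None}


def alg_decision(raw: str, src_ip: str) -> Dict[str, object]:
    """
    Decide whether to admit an INVITE and which RTP/RTCP pinhole to open.
    The pinhole is (protocol, media address, rtp port, rtcp port).
    """
    msg = parse_sip_message(raw)
    method = str(msg["start_line"]).split(" ", 1)[0]
    if method != "INVITE":
        return deny(f"unhandled method {method}")
    # Rule 1: SIP signaling must come from the voice network, never the data side.
    if ipaddress.ip_address(src_ip) not in VOICE_NET:
        return deny("signaling from outside the voice network")
    media = parse_sdp_media(str(msg["body"]))
    if media is None:
        return deny("no usable SDP audio offer")
    addr, port = media
    # Rule 2: the offered media address must also be on the voice network ...
    try:
        if ipaddress.ip_address(addr) not in VOICE_NET:
            return deny("SDP media address outside the voice network")
    except ValueError:
        return deny("malformed SDP connection address")
    # ... and must be the caller itself, so one endpoint cannot open a
    # pinhole toward some other host on its behalf.
    if addr != src_ip:
        return deny("SDP media address does not match signaling source")
    # Rule 3: RTP uses even ports inside the configured range; RTCP is port + 1.
    if port not in RTP_RANGE or port % 2:
        return deny(f"RTP port {port} outside policy")
    return {"allow": True, "reason": "ok", "pinhole": ("udp", addr, port, port + 1)}


if __name__ == "__main__":
    print(alg_decision(SAMPLE_INVITE, "10.10.5.21"))
    print(alg_decision(SAMPLE_INVITE, "10.20.3.4"))  # same INVITE from the data side
```

The point of the example is the last two calls: the identical INVITE is admitted when it arrives from a voice-network host and refused when it arrives from a data-network address, which is the behaviour guideline 1 asks for at the voice gateway. A production ALG would additionally track the dialog (closing the pinhole on BYE or timeout) and handle IPv6, video streams and NAT, none of which this illustration attempts.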
7. “Softphone” systems, which implement VoIP using an ordinary PC with a headset and special “softphone” software, should not be used where security or privacy are a major concern. Worms, viruses, and other malicious software are extraordinarily common on PCs connected to the Internet, and very difficult to defend against. Well-known vulnerabilities in web browsers make it possible for attackers to download malicious software without a user’s knowledge, even if the user does nothing more than visit a compromised website. Malicious software attached to email messages can also be installed without the user’s knowledge, in some cases even if the user does not open the attachment. These vulnerabilities result in unacceptably high risks in the use of “softphones” for most applications.
8. If mobile, wireless units are to be integrated with the VoIP system, use products implementing WiFi Protected Access (WPA), rather than 802.11 Wired Equivalent Privacy (WEP). The security features of 802.11 WEP provide little or no protection because WEP can be cracked with publicly available software. The more recent WiFi Protected Access (WPA) offers significant improvements in security, and can aid the integration of wireless technology with VoIP. NIST strongly recommends that the WPA (or WEP if WPA is unavailable) security features be used as part of an overall defense-in-depth strategy. Despite their weaknesses, the 802.11 security mechanisms can provide a degree of protection against unauthorized disclosure, unauthorized network access, or other active probing attacks.
9. Carefully review statutory requirements regarding privacy and record retention with competent legal advisors. You should be aware that laws and rulings governing interception or monitoring of VoIP lines, and retention of call records, may be different from those for conventional telephone systems. Certain large enterprises and government agencies should review these issues with their legal advisors.
Marc is Chief Evangelism Officer of RCG (Robins Consulting Group), a leading marketing, communications and business development consulting firm 100% dedicated to the IP Communications industry. For more information about RCG, visit http://www.robinsconsult.com, email email@example.com, or call 718-548-7245.