TMCnet - World's Largest Communications and Technology Community



tmc logo
November 2007 | Volume 10/ Number 11
Feature Articles

VoIP Security Monitoring and Management; What Every Security Professional Needs to Know

By Scott VanWart

The accelerated adoption and promise of Voice-over-Internet Protocol (VoIP) technology is causing much excitement among IT professionals. Whether installing the technology yourself or choosing to lease the service from a reputable provider, there can be a substantial cost savings associated with a successful VoIP implementation.

The accelerated adoption and promise of Voice-over-Internet Protocol (VoIP) technology is causing much excitement among IT professionals. Whether installing the technology yourself or choosing to lease the service from a reputable provider, there can be a substantial cost savings associated with a successful VoIP implementation.

Before getting too excited, security professionals everywhere need to know that VoIP, like any relatively new technology, introduces additional IT security concerns for the organization. Because of the underlying networking and server infrastructure VoIP introduces, organizations must prepare for both new and existing security vulnerabilities that can impact the VoIP environment. Any new networked application, including VoIP, gives standard ‘garden variety’ attacks new opportunities to wreak havoc and introduces a new class of VoIP-centric threats

While VoIP vendors focus on building some level of security into their solutions, an attacker can easily exploit a VoIP deployment using a variety of different techniques commonly found on traditional networks. This article discusses best practices to securely implement VoIP and a security monitoring and management strategy to protect a VoIP investment.

Convergence of Network and Security

The ability to converge your view of network and security information is critical in the fight against application layer attacks, worms, and hacking that can occur on the network supporting a VoIP implementation. These days, a key factor in protecting an organization’s VoIP network is continuous situational awareness of internal and external threats that can be obtained from the use of comprehensive network and security monitoring. A network and security monitoring and management strategy that combines flow-based network behavioral analysis and security event correlation to solve security and monitoring issues provides a unique window into monitoring your VoIP network against threats. VoIP networks illustrate the need for visibility across multiple service layers: the network, the application, and the security layer.

Separate Voice (VoIP) and Data Traffic

One of the most effective and important techniques in engineering a VoIP network is to segment the VoIP traffic from all other networking activity. Virtual network segmentation, recommended by major VoIP vendors, has two key advantages for your VoIP deployment:

1. The added security provided by ensuring that your VoIP traffic flows through the proper security devices and network paths.

2. Using dedicated virtual interfaces and subnets for VoIP traffic ensures that VoIP will get the dedicated bandwidth it needs to deliver high-quality phone conversations. VoIP is very sensitive to bandwidth contention, which causes packet loss, delay, and jitter that lead to dropped calls or poor call quality.

It is equally critical to ensure that data intensive business applications such as peer-to-peer and databases do not infringe upon VoIP bandwidth and affect phone conversation quality.

From a monitoring perspective, you should define your VoIP infrastructure as a unique network object so that:

• Network administrators have one clear view of VoIP network traffic flows which help to detect the origin of the VoIP traffic.

• You can easily prioritize VoIP policy or security incidents by giving high-value weightings to VoIP-related assets (such as an IP PBX) and VoIP business objects.

• You can quickly filter or search on VoIP traffic flows or associated security logs to aid in troubleshooting VoIP technical or security issues.

• You can learn the behavior of VoIP networks to allow administrators to establish appropriate policies quickly.

• You can easily produce executive and operations-level reports for VoIP security and network usage.

Detecting DoS Attacks on your IP PBX through Network Behavior Analysis

You can monitor and neutralize the two most prevalent VoIP threats by monitoring network traffic. Such intelligent monitoring of network traffic behavior can detect both Toll Fraud and DoS Attacks.

DoS attacks are generally the simplest to perpetrate and thus tend to be the most common attacks faced by data networks. Now DoS attacks are becoming more common on VoIP networks.

Most DoS attacks on a VoIP network involve bombarding the IP PBX with an extreme volume of simultaneous voice signaling requests (i.e. SIP). When the IP PBX cannot keep up with the request rate, it eventually shuts down access altogether, denying valid users (in this case IP Phones) access to VoIP services. This results in loss of productivity and ultimately loss of revenue.

Advanced traffic analysis logic is needed to identify an abnormal increase in both the number of sessions and hosts attempting to communicate with the IP PBX and combines them with a sudden increase in events from external firewalls to detect a potential DoS attack. An appropriate solution should be able to respond by either automatically blocking the attacker or by notifying the network and security teams of the threat and the assets involved, so that they can manually respond before significant damage is done.

Protecting Your IP PBX from Toll Fraud through Log Management and Event Correlation

Gaining access to the VoIP IP PBX is often the first step in committing toll fraud. This is a major threat and defending against it is a big concern for both network administrators and VoIP professionals.

Creating custom detection rules based on live network events arm the network team to defend the VoIP deployment from toll fraud. These events and alarms come from the security devices that protect the network as well as the OS and application alerts from the PBX and control server devices themselves.

Monitoring the geographic destination of VoIP traffic is another powerful solution to toll fraud. Sudden changes in the overall geographic distribution of network traffic originating from inside the VoIP network could indicate that illegal users are abusing the system to commit toll fraud. They may even be reselling these stolen long-distance services at your expense.

Enforcing Corporate VoIP Policies through Application Layer Monitoring

A major part of implementing a VoIP deployment is creating corporate policies that govern the use of the new technology. By creating a VoIP-specific business-service object to represent your VoIP network, administrators are able to detect traffic abnormalities such as applications like Peer-to-Peer that should not be running on a VoIP network.

Network Usage policies — Ensuring High Availability and Quality

To maintain high availability and quality of VoIP phone conversations across the VoIP network, it is critical to keep data applications off the VoIP-designated network architecture.

This requires an application view that provides layer 7 analysis and displays which applications traverse all network segments - including VoIP segments - and related bandwidth consumption.

Another important capability for maintaining the high availability and quality of phone conversations is monitoring the number of unique IP phones operating on the VoIP network. An over-subscribed network with too many IP phones, results in degraded conversation quality from jitter, packet loss delay, or dropped calls.

Protocol Policies - Providing Better Security

As VoIP technologies continue to develop, it is increasingly likely that one protocol will become the de facto standard as the most secure method of transporting VoIP traffic across the network. Session Initial Protocol (SIP) is quickly becoming dominant due to its IP multicast capabilities.

When phasing out old and vulnerable applications, it is imperative to prevent them from running on the network. When using a network security management platform you can quickly identify abnormal protocol usage, such as malformed SIP packets, and investigate policy violations. This ensures that the network is employing the latest in security best practices.

Application Policies - Providing Better Surveillance

It is frightening how common dangerous malware such as viruses and worms have become on PCs connected to the Internet. Many of the most popular web browsers have well-known vulnerabilities that make it possible for attackers to download malicious software without a user’s knowledge. The user may be unwittingly visiting an infected web site or receiving a malicious email.

By connecting employee PCs to the data network, the use of soft phones (such as Skype) conflicts with the need to separate voice and data traffic. This conflict along with all the malicious software result in the average PC being too high a risk for using “soft phones” on a corporate network.

Even though using software such as Skype typically violates company policies because of the potential vulnerabilities it creates on corporate networks, commercialized soft phones from large VoIP vendors may become approved components of the company’s overall VoIP solution.

Applying Regulatory Compliance to VoIP

Regulatory Compliance issues often focus on monitoring authentication data from Health and Finance Information systems. With the convergence of voice into the data network, VoIP IP PBXs and other equipment, such as voice gateways, become subject to information theft. It’s not only important, therefore, to analyze and store these logs from a security and troubleshooting perspective, you must also ensure that all log data from VoIP devices is being managed to ensure full compliance.

Regulatory Compliance has led to the need for more in-depth monitoring and better notification of users’ activities across these networks.


Deciding how to defend your organization’s VoIP network is an important decision for any company. Protecting vital information in today’s market is more important than ever and requires attention from all levels of management. If left unmonitored, the network could become vulnerable to careless employees and malicious attackers alike.

Securing your Unified Communications infrastructure hinges on the ability to be able to appropriately segment voice traffic and at the same time monitor the distinct sets of surveillance data that are relevant. Your VoIP security strategy should include the ability to see that data in a converged fashion and allow for the correlation of all important application elements along with the network and the security devices. IT

Scott VanWart is Technical Product Manager for Q1 Labs (, a leading network security management company. He can be reached at or 781-250-5800.

» Internet Telephony Magazine Table of Contents

Today @ TMC
Upcoming Events
ITEXPO West 2012
October 2- 5, 2012
The Austin Convention Center
Austin, Texas
The World's Premier Managed Services and Cloud Computing Event
Click for Dates and Locations
Mobility Tech Conference & Expo
October 3- 5, 2012
The Austin Convention Center
Austin, Texas
Cloud Communications Summit
October 3- 5, 2012
The Austin Convention Center
Austin, Texas