VoIP Security: Keeping Out the Phreakers, Hackers and Bears

June 23, 2008

By TMCnet Special Guest
Warren Sonnen, Director of Product Management at Epygi


How can you make sure your voice data travels the yellow brick road of IP telephony without being hijacked by flying monkeys and other fraudsters?
 
OK, there really aren’t bears in the woods of VoIP networking, but the flying monkey reference isn’t too far off. The thrilling convergence of voice and data means it’s a whole new day in communication expectations in terms of what businesses can now expect their phones to do for them. It’s also a brave new world for IT and telephony professionals in terms of how they do business and do it profitably.

 
However, end-users and the telephony pros aren’t the only ones learning new tricks. High-tech thieves are riding the crest of this learning curve and they see VoIP as another splendid opportunity to cheat the righteous and abscond with the goods. That’s the scary part. The good news is that you can fight back and feel secure using VoIP, if you know what to do.
 
Know the Culprits, Name the Crime
 
Telephony wouldn’t be telephony without an ever-growing list of terms and acronyms. You’ve heard of spamming, hijacking, identity theft and corporate espionage. While they might sound like something out of an online personals ad, “sniffers,” “RATS,” “phreakers,” “fraudsters,” and “men in the middle” are also part of the lexicon of voice and data convergence. Understanding what these mean is the first step in securing your VoIP network.
 
Phreakers have been around since way before Internet telephony, but they now have a new medium in which to practice their dark arts. Breaking into Internet phone systems can have a big payoff in the sale of black market VoIP minutes. Everything is done over the Internet, from hacking into the gateway to reselling the stolen minutes to crooked wholesalers, who then resell the minutes on phone cards via e-mail to an unsuspecting public.
 
Industry experts put the number of minutes stolen per month at 200 million; that’s $26 million worth of toll fraud. Telecom fraud is enormously profitable to the practitioners. There are estimates of $35 to $40 billion a year gained from illegal activities. These estimates are probably low given that phone fraud is under-reported.
 
More than minutes can be taken when a network is breached through its phone system. By hijacking the voice packets that make up IP calls (see flying monkey reference above), it is possible to replay the entire call to a listener intent on gaining access to a private conversation. PINs and SIP phone numbers can be accessed when nefarious hackers eavesdrop on these packets, resulting in identity theft or the ability to impersonate a phone user to make fraudulent toll calls or tamper with the user’s settings. It’s possible to change call forwarding numbers or voice mail messages. It’s also possible to impersonate a call recipient to gain otherwise private information.
 
The Risk Runs Both Ways
 
It’s not just end-users who are vulnerable. Public and private IP operators face the same risks, plus they’re susceptible to DoS (denial of service) attacks. By surreptitiously changing an IP phone’s password, an authorized user can be prevented from making calls. A broadcast storm can also cause DoS by tying up a network’s bandwidth and possibly even crashing the host site. Service providers must also protect against viruses, worms, and breaches of user profiles that protect access to sensitive information like client accounts.
 
Why VoIP is Vulnerable
 
There are certain protocols, like SIP and RTP, that make VoIP vulnerable to attacks. These protocols don’t provide end-to-end protection of data. The information packets are not encrypted and do not require call-party identification. Softphones that run on laptops, PDAs and other computers can be an entry for network attacks. Even tools used to properly analyze and prioritize packets over a network (data sniffers) can be used to circumvent security measures, spy on network users, and collect sensitive information.
 
To Serve and Protect
 
The good news is that the steps taken to secure other network applications also improve VoIP security. Keeping company servers and clients up to date with all the current patches and requiring authentication for all levels of users are crucial deterrents to break-ins. In addition to maintaining anti-malware and anti-tampering applications, companies also need to audit user sessions and frequently monitor all activities related to network services. SIP firewalls and dedicated voice configuration will lay the groundwork for a good defense.
 
Where There’s Smoke, There’s a Firewall
 
Firewalls limit the kinds of traffic that can cross a network based on rules and policies established by their administrators. A SIP-aware firewall between the Internet and a company’s LAN dramatically reduces denial of service attacks.
 
Traditional network firewalls permit and deny traffic based on TCP, User Datagram Protocol (UDP) and IP header information: IP addresses, protocol types and port numbers, for example.
 
VoIP protocols require a lot of UDP ports, allocating them dynamically to media streams. Traditional firewalls can’t accommodate this behavior without leaving large numbers of ports permanently open for VoIP use and other misuses. Some firewalls don’t process UDP efficiently. They don’t support QoS measures that manage latency and jitter and so cause problems and drops.
 
SIP-aware firewalls can detect and defend against rogue SIP signaling messages, and maintain pure real time protocol media streams without adding significant latency.
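How a SIP-aware firewall can avoid leaving a port range permanently open, as an added example that is not from the original article or any vendor's product: it reads the SDP body carried in the signaling and opens UDP pinholes only for the media ports actually negotiated. The sample INVITE, the name `rtp_pinholes` and the RTCP-on-the-next-port convention are assumptions of this example.

```python
import ipaddress

# Constructed sample: a SIP INVITE carrying an SDP offer (documentation addresses).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 0 RTP/AVP 31\r\n"
)

def rtp_pinholes(sip_message):
    """Return the (ip, udp_port) pairs that the SDP body negotiates."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr = None
    media = []  # one [address, rtp_port] entry per m= line
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":
            # ValueError on a non-IP address: fail closed, open nothing.
            addr = str(ipaddress.ip_address(value.split()[2].split("/")[0]))
            if media:
                media[-1][0] = addr   # media-level c= overrides session-level
            else:
                session_addr = addr
        elif kind == "m":
            media.append([session_addr, int(value.split()[1].split("/")[0])])
    rules = []
    for addr, port in media:
        if port == 0 or addr is None:  # port 0 means the stream is declined
            continue
        rules += [(addr, port), (addr, port + 1)]  # RTP, then RTCP by convention
    return rules
```

The pinholes would be closed again when the dialog ends (BYE or timeout), which is what keeps the open-port window small.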
 
Smoke Out Intruders
 
Segmentation of data by function ensures security as well. A dedicated VoIP server can screen out any unauthenticated users and allow only packets compatible with voice traffic. This segmentation, also known as a broadcast domain, requires that specific network nodes reach each other by broadcast at the same data layer.
 
Improved security can also deliver enhanced QoS. SIP phones perform better when segmented to their own VLAN. (A VLAN functions identically to a physical LAN but allows for network reconfiguration through software instead of changing the actual physical location of devices on a network.)
 
Firewalls can then restrict traffic crossing VLAN boundaries to only necessary protocols. This compartmentalization very effectively reduces the spread of malware from infected clients to VoIP servers, especially in Windows networks. Firewalls for compartmentalized servers can function with far simpler security policies than those protecting an entire system.
 
Endpoint security adds an outer layer of protection in VoIP deployments. Network admission techniques like IEEE 802.1X port-based network access control provide an additional layer of authorization control, blocking devices from using a LAN or WLAN until they pass security checks.
 
Power to the Proxy
 
Application-layer gateways (or proxies) play a useful role in VoIP deployment. Integrating SSL tunnels into SIP proxies improves authentication and adds confidentiality and integrity protection to signaling between callers and their SIP proxies. (A proxy appliance stands between clients on a LAN and the Internet and applies numerous policy-based controls to Web traffic and requests before delivering content to end users. Situated behind or in parallel with the network firewall the proxy intercepts HTTP, HTTPS, FTP, IM, SOCKS and other Web protocol traffic.)
 
SSL connections can be chained to protect signaling traffic between SIP proxies across an organization or between organizations. Businesses that relay media streams among global and local IP addresses and ports can use proxies for voice packets (real-time transport protocol, RTP).
 
Some configurations process VoIP traffic preferentially, creating IP Security (IPSec) associations that prioritize voice traffic over data. IPsec is a suite of protocols for securing IP communications via mutual authentication and data encryption.
 
Others will filter signaling traffic and RTP media streams through a Session Border Controller (SBC). Similar to an email proxy, SBCs rewrite message headers to hide private network addresses, strip unknown and undesirable SIP header fields, and restrict called-party numbers. They’re also subject to RTP policy enforcement.
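The three SBC signaling functions named above (hiding private addresses, stripping unknown header fields, restricting called-party numbers), shown on one outbound request as an added example that is not from the original article or from any SBC product. The header allowlist, the blocked prefix, the sample INVITE and the function names are assumptions; a production SBC also rebuilds the dialog and anchors media, which this example does not do.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED = {"via", "from", "to", "call-id", "cseq", "contact", "max-forwards", "content-length"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample INVITE from an internal phone (all values are made up).
SAMPLE = (
    "INVITE sip:+15551230000@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK74bf9\r\n"
    "From: <sip:alice@example.com>;tag=9fxced76sl\r\n"
    "To: <sip:+15551230000@example.com>\r\n"
    "Call-ID: 3848276298220188511\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@10.1.2.3:5060>\r\n"
    "X-Internal-Route: pbx-2.corp.local\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def hide_private(value, public_ip):
    """Replace RFC 1918 addresses in a header value with the SBC's public address."""
    def swap(m):
        try:
            ip = ipaddress.ip_address(m.group())
        except ValueError:          # not a valid dotted quad, leave untouched
            return m.group()
        return public_ip if any(ip in net for net in RFC1918) else m.group()
    return IPV4.sub(swap, value)

def sbc_filter(message, public_ip, blocked_prefixes=("+1900",)):
    """Return the sanitized request, or None if the called number is restricted."""
    head, sep, body = message.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    uri = request_line.split(" ", 2)[1]
    called = uri.split(":", 1)[1].split("@")[0]
    if called.startswith(blocked_prefixes):   # called-party restriction (assumed policy)
        return None
    kept = []
    for line in headers:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key not in ALLOWED:                # strip unknown header fields
            continue
        if key in ("via", "contact"):         # hide the private network address
            value = hide_private(value, public_ip)
        kept.append(f"{name}:{value}")
    return "\r\n".join([request_line, *kept]) + sep + body
```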
 
Epygi Designs with Security in Mind
 
There is no substitute for strategic planning and vigilant supervision by the network administrator (whether on staff or outsourced), but selecting products with built-in security features makes the job easier. Epygi, a manufacturer of gateways and IP PBXs, offers products that include multiple encrypted VPNs including IPSec tunnels.
 
These products also incorporate sophisticated firewalls: intrusion detection system, NAT (Network Address Translation), policy and service-based filtering, stateful inspection and Point-to-Point Protocol over Ethernet (PPPoE, Ethernet “circuit”) connection with authentication (PAP, MS-CHAP).
 
The newest member of the Quadro family, the QuadroM32x, includes support for Secure Real-time Transport Protocol (SRTP), a profile of RTP intended to provide encryption, message authentication and integrity, and replay protection (another hacker tactic) to the data.
 
Much of the configuration necessary to add Epygi products to the network is plug-and-play. The network administrator can accomplish remote testing and VoIP diagnostics through a Web browser.
 
Take a Byte Out of Crime
 
As with traditional data, voice is an attractive target for vandals and criminals. You can make their jobs a lot harder with vigilance and attention to the right details.
 
Warren Sonnen is Director of Product Management at Epygi.






