April 2004

VoIP Security: Stakes Get Higher As Deployments Grow

BY JOEL A. POGAR

With the world awash in VoIP headlines over the past few months, mainstream media are declaring 2004 to be the year of Voice over Internet Protocol, or VoIP for short. Lost in the noise, however, are real concerns about VoIP security � concerns that should be growing as VoIP implementations carry more and more of our voice communications.

VoIP technology has come a long way in recent years, no longer the �science project� one RBOC CTO called it just two years ago. Vast improvements in quality of service and reliability have made its deployment practical across enterprise and public networks alike. With the convergence of voice and data networks, come cost-saving benefits, communication flexibility, and the promise of new productivity-enhancing applications.

ANOTHER MOUNTAIN TO CLIMB

But VoIP security still has a ways to go. By itself, VoIP does not introduce any new vulnerabilities security experts haven�t seen before; it only poses new security issues they have to manage. In a traditional analog environment, physical access to a switch or wiring closet was usually needed to intercept communications between two parties. Today sending packetized voice over a data network can make voice communication more accessible and easier to intercept, especially given the range of malicious toolsets any hacker can find on the Internet.

From a risk management perspective, running VoIP over your data network effectively puts a firm at risk of losing both its voice and data communications, if the data network suffers a catastrophic failure. The impact to a business could then be greater for a prolonged outage of both systems rather than having separate systems. Of course, fail-over redundancy plus comprehensive business continuity and disaster recovery plans can mitigate that risk.

VoIP SECURITY THREATS

Many of the already well-known security vulnerabilities can adversely impact voice communications and need to be guarded against. The most significant concerns in a VoIP environment are:

� Denial of Service (DoS) Attacks: Endpoints, such as IP telephones, and VoIP gateways (SIP proxies), can be bombarded with SYN or ICMP packets in an attempt to disrupt communications.

� Call Interception: Unauthorized monitoring of voice packets or Real-Time Transport Protocol (RTP).

� Signal Protocol Tampering: In the same category as call interception, a malicious user could monitor and capture the packets that set up the call. By doing this, they can manipulate fields in the data stream and make VoIP calls without using a VoIP phone. Or, they could make an expensive call (e.g., international) and make the IP-PBX believe it originated from another user.

� Presence Theft: Impersonation of a legitimate user sending or receiving data.

� Toll Fraud: The ability of a malicious user or intruder to place fraudulent calls.

� Call Handling OS: The call handling software of many IP-PBX systems relies on operating systems, or operating system components, that may not be secure. For example, the use of Microsoft IIS as a Web-based configuration tool for the IP-PBX may introduce significant vulnerabilities in your VoIP environment.

While eliminating all of these threats is impossible, they can be contained sufficiently in a few straightforward steps. For example, techniques to minimize your exposure to a Denial of Service (DoS) attacks are well documented and widely available. Following these guidelines will reduce your network�s exposure to DoS traffic your network and your overall vulnerability to a DoS attack. Signal Protocol Tampering, as mentioned above, could be considered a DoS attack depending on how it is executed.

Of course, encrypting VoIP traffic will prevent the unauthorized interception of VoIP calls. In the past that�s been easier said than done, but rapid advances in digital signal processing along with new capabilities in the two key VoIP protocols, SIP and H.323, are promising end-to-end call encryption in the future.

Presence theft offers a unique challenge in today�s VoIP environment. The best countermeasure for presence theft is strong authentication, such as two-factor authentication. Strong authentication at the IP endpoint is another emerging technology, which will be available soon. The U.S. government is especially interested in Public Key Infrastructures (PKI) to help ensure the person to whom an official is talking is in fact that person. For now security features built into the SIP and H.323 protocols such as address authentication, CSeq and Call-ID headers are the best defenses available.

PAST FORWARD

To manage the threat of toll fraud, it is important that IP-PBX administrators employ the same call restrictions on an IP-PBX as they would a traditional TDM-PBX. International calling, blocking 900 numbers and so forth should all be employed on an IP-PBX. These systems are just as vulnerable, if not more, to the traditional �phreaking� attacks seen on TDM systems.

Finally, and perhaps the most critical issue, is the operating system security of the call handling software. Many call handling systems run as applications or services on Microsoft or Linux platforms. These applications are installed and deployed without regard for the security of the underlying operating system.

That�s why it is critical to ensure that the OS of your call handling software is not using any unnecessary services � FTP, for example � and has all available security patches applied.

The only caveat here is to make sure that disabling these services will not adversely impact your VoIP system. While an administrator might think an HTTP server is not needed and disable it, that server could be a required component for remote configuration or administration. Check with your VoIP vendor before making any operating system changes or applying any OS patches.

BEST PRACTICES

To minimize the security risks in a VoIP environment, the following best practices are recommended:

Virtual LANs

Keeping voice and data on separate VLANs is a good idea for increasing performance and security. VLANs that can segregate VoIP from data traffic can offer some QoS benefits as well as add another layer of complexity for an attacker trying to �sniff� or capture packets off the network. Unauthorized devices or spoofing can be mitigated if the switch/router can deny forwarding packets for devices with MAC addresses/IP addresses that do not match lists of �allowed devices.� However this measure is invalidated with soft phones running on PCs since these are allowed devices that reside on the data network.

What�s more, the best practice for securing a voice VLAN is to control the traffic between the voice and data VLAN using filtering and/or firewalls. This can prevent DoS attacks and spoofing as well as providing general filtering that limits malicious footprinting.

Finally, it�s a good idea to use RFC 1918 addresses for IP phones to make external scanning for voice devices very difficult and to ensure that no packets can ever be routed out of the corporate network.

Encryption

Wherever possible and practical, implement encryption through VPNs or any method available to you. On one hand, encryption potentially can delay voice packets and adversely affect the performance of VoIP on your network � especially with multiple encryption points. On the other hand, if a network is operating efficiently, the overhead of the encryption should have little impact the performance of the VoIP system. Risks to voice quality can be minimized even more by employing hardware crypto systems rather than those performed in software.

Direct Firewall Support

If VoIP traffic will be traversing a firewall, make sure your firewall is capable of direct support for SIP or H.323. If you have to �open� a port to allow these protocols through, then your firewall does not adequately support VoIP.

Reverse Proxies

Segment your VoIP traffic from your data traffic and considering using a multimedia gateway or reverse proxy. These devices offer greater security and are designed to handle VoIP traffic more efficiently than a traditional firewall.

Secure OS Of Call Handling Software

Use a commercial scanning tool to �probe� the call servers in your VoIP system. If any critical or high-level vulnerabilities arise, contact your vendor to have them corrected as soon as possible. Care should be taken to allow only necessary services to run and to limit the number of listening ports that could be attacked. This might warrant placing core VoIP devices in a �safe zone� behind a firewall or a router with access filters.

Routine Monitoring

Managed services are a good idea for firms without the resources to keep an eye on their networks. It also makes sense when your VoIP system becomes mission critical. You should establish daily, weekly and quarterly milestones of activity to watch for. This ensures your system is performing adequately and that your VoIP has not been compromised.

Sound Security Practices

If already in place, a good data security program � strong passwords, anti-virus protection, reliable backup and so forth � gives firms that much of an advantage when implementing VoIP and should be maintained rigorously at all times thereafter.

This year may well be the year of VoIP but clearly security issues common to the data world will need to be contained if its promise and potential isn�t destined to be deflated by hackers and miscreants looking for another playground. The good news is that proven data security practices can be applied to VoIP and that rapid technology advances will enable much more security capabilities in the near future.

Joel A. Pogar is National Practice Manager Secure Network Services at Siemens Information and Communication Networks Inc. For more information, please visit www.icn.siemens.com.

If you are interested in purchasing reprints of this article (in either print or HTML format), please visit Reprint Management Services online at www.reprintbuyer.com or contact a representative via e-mail at [email protected] or by phone at 800-290-5460.

[ Return To The April 2004 Table Of Contents ]