April 2004
VoIP Security: Stakes Get Higher As
Deployments Grow
BY JOEL A. POGAR
With the world awash in VoIP headlines over the past few months,
mainstream media are declaring 2004 to be the year of Voice over Internet
Protocol, or VoIP for short. Lost in the noise, however, are real concerns
about VoIP security � concerns that should be growing as VoIP
implementations carry more and more of our voice communications.
VoIP technology has come a long way in recent years, no longer the
�science project� one RBOC CTO called it just two years ago. Vast
improvements in quality of service and reliability have made its deployment
practical across enterprise and public networks alike. With the convergence
of voice and data networks, come cost-saving benefits, communication
flexibility, and the promise of new productivity-enhancing applications.
ANOTHER MOUNTAIN TO CLIMB
But VoIP security still has a ways to go. By itself, VoIP does not
introduce any new vulnerabilities security experts haven�t seen before; it
only poses new security issues they have to manage. In a traditional analog
environment, physical access to a switch or wiring closet was usually needed
to intercept communications between two parties. Today sending packetized
voice over a data network can make voice communication more accessible and
easier to intercept, especially given the range of malicious toolsets any
hacker can find on the Internet.
From a risk management perspective, running VoIP over your data network
effectively puts a firm at risk of losing both its voice and data
communications, if the data network suffers a catastrophic failure. The
impact to a business could then be greater for a prolonged outage of both
systems rather than having separate systems. Of course, fail-over redundancy
plus comprehensive business continuity and disaster recovery plans can
mitigate that risk.
VoIP SECURITY THREATS
Many of the already well-known security vulnerabilities can adversely
impact voice communications and need to be guarded against. The most
significant concerns in a VoIP environment are:
� Denial of Service (DoS) Attacks: Endpoints, such as IP telephones, and
VoIP gateways (SIP proxies), can be bombarded with SYN or ICMP packets in an
attempt to disrupt communications.
� Call Interception: Unauthorized monitoring of voice packets or
Real-Time Transport Protocol (RTP).
� Signal Protocol Tampering: In the same category as call interception, a
malicious user could monitor and capture the packets that set up the call.
By doing this, they can manipulate fields in the data stream and make VoIP
calls without using a VoIP phone. Or, they could make an expensive call
(e.g., international) and make the IP-PBX believe it originated from another
user.
� Presence Theft: Impersonation of a legitimate user sending or receiving
data.
� Toll Fraud: The ability of a malicious user or intruder to place
fraudulent calls.
� Call Handling OS: The call handling software of many IP-PBX systems
relies on operating systems, or operating system components, that may not be
secure. For example, the use of Microsoft IIS as a Web-based configuration
tool for the IP-PBX may introduce significant vulnerabilities in your VoIP
environment.
While eliminating all of these threats is impossible, they can be
contained sufficiently in a few straightforward steps. For example,
techniques to minimize your exposure to a Denial of Service (DoS) attacks
are well documented and widely available. Following these guidelines will
reduce your network�s exposure to DoS traffic your network and your overall
vulnerability to a DoS attack. Signal Protocol Tampering, as mentioned
above, could be considered a DoS attack depending on how it is executed.
Of course, encrypting VoIP traffic will prevent the unauthorized
interception of VoIP calls. In the past that�s been easier said than done,
but rapid advances in digital signal processing along with new capabilities
in the two key VoIP protocols, SIP and H.323, are promising end-to-end call
encryption in the future.
Presence theft offers a unique challenge in today�s VoIP environment. The
best countermeasure for presence theft is strong authentication, such as
two-factor authentication. Strong authentication at the IP endpoint is
another emerging technology, which will be available soon. The U.S.
government is especially interested in Public Key Infrastructures (PKI) to
help ensure the person to whom an official is talking is in fact that
person. For now security features built into the SIP and H.323 protocols
such as address authentication, CSeq and Call-ID headers are the best
defenses available.
PAST FORWARD
To manage the threat of toll fraud, it is important that IP-PBX
administrators employ the same call restrictions on an IP-PBX as they would
a traditional TDM-PBX. International calling, blocking 900 numbers and so
forth should all be employed on an IP-PBX. These systems are just as
vulnerable, if not more, to the traditional �phreaking� attacks seen on TDM
systems.
Finally, and perhaps the most critical issue, is the operating system
security of the call handling software. Many call handling systems run as
applications or services on Microsoft or Linux platforms. These applications
are installed and deployed without regard for the security of the underlying
operating system.
That�s why it is critical to ensure that the OS of your call handling
software is not using any unnecessary services � FTP, for example � and has
all available security patches applied.
The only caveat here is to make sure that disabling these services will
not adversely impact your VoIP system. While an administrator might think an
HTTP server is not needed and disable it, that server could be a required
component for remote configuration or administration. Check with your VoIP
vendor before making any operating system changes or applying any OS
patches.
BEST PRACTICES
To minimize the security risks in a VoIP environment, the following best
practices are recommended:
Virtual LANs
Keeping voice and data on separate VLANs is a good idea for increasing
performance and security. VLANs that can segregate VoIP from data traffic
can offer some QoS benefits as well as add another layer of complexity for
an attacker trying to �sniff� or capture packets off the network.
Unauthorized devices or spoofing can be mitigated if the switch/router can
deny forwarding packets for devices with MAC addresses/IP addresses that do
not match lists of �allowed devices.� However this measure is invalidated
with soft phones running on PCs since these are allowed devices that reside
on the data network.
What�s more, the best practice for securing a voice VLAN is to control
the traffic between the voice and data VLAN using filtering and/or
firewalls. This can prevent DoS attacks and spoofing as well as providing
general filtering that limits malicious footprinting.
Finally, it�s a good idea to use RFC 1918 addresses for IP phones to make
external scanning for voice devices very difficult and to ensure that no
packets can ever be routed out of the corporate network.
Encryption
Wherever possible and practical, implement encryption through VPNs or any
method available to you. On one hand, encryption potentially can delay voice
packets and adversely affect the performance of VoIP on your network �
especially with multiple encryption points. On the other hand, if a network
is operating efficiently, the overhead of the encryption should have little
impact the performance of the VoIP system. Risks to voice quality can be
minimized even more by employing hardware crypto systems rather than those
performed in software.
Direct Firewall Support
If VoIP traffic will be traversing a firewall, make sure your firewall is
capable of direct support for SIP or H.323. If you have to �open� a port to
allow these protocols through, then your firewall does not adequately
support VoIP.
Reverse Proxies
Segment your VoIP traffic from your data traffic and considering using a
multimedia gateway or reverse proxy. These devices offer greater security
and are designed to handle VoIP traffic more efficiently than a traditional
firewall.
Secure OS Of Call Handling Software
Use a commercial scanning tool to �probe� the call servers in your VoIP
system. If any critical or high-level vulnerabilities arise, contact your
vendor to have them corrected as soon as possible. Care should be taken to
allow only necessary services to run and to limit the number of listening
ports that could be attacked. This might warrant placing core VoIP devices
in a �safe zone� behind a firewall or a router with access filters.
Routine Monitoring
Managed services are a good idea for firms without the resources to keep
an eye on their networks. It also makes sense when your VoIP system becomes
mission critical. You should establish daily, weekly and quarterly
milestones of activity to watch for. This ensures your system is performing
adequately and that your VoIP has not been compromised.
Sound Security Practices
If already in place, a good data security program � strong passwords,
anti-virus protection, reliable backup and so forth � gives firms that much
of an advantage when implementing VoIP and should be maintained rigorously
at all times thereafter.
This year may well be the year of VoIP but clearly security issues common
to the data world will need to be contained if its promise and potential
isn�t destined to be deflated by hackers and miscreants looking for another
playground. The good news is that proven data security practices can be
applied to VoIP and that rapid technology advances will enable much more
security capabilities in the near future.
Joel A. Pogar is National Practice Manager Secure Network Services
at Siemens Information and Communication Networks Inc. For more information,
please visit www.icn.siemens.com.
If you are interested in purchasing reprints of this article (in
either print or HTML format), please visit Reprint Management Services
online at www.reprintbuyer.com or
contact a representative via e-mail at
[email protected] or by phone at 800-290-5460.
[
Return
To The April 2004 Table Of Contents ]
|