VoIP Security Challenges
In Enterprise And Service Provider Networks
BY STEVE BAKKE
With most major telecommunications carriers readying voice-over-IP (VoIP) services for mass deployment, it's clear that IP telephony is finally headed for prime time. But mass VoIP consumption also widens the exposure to security violations, and there is a new urgency to close the holes now, before attackers wreak havoc on corporate voice networks.
Until now, VoIP security hasn't been a particularly pressing subject, since most IP voice traffic stayed on enterprise local and wide area networks. As VoIP usage spreads, enterprises and home users inherit the same risks that have long affected data networks: next-generation voice networks are IP based, and the protocols that carry voice signaling and media over IP share the weaknesses of any other IP application, including traffic that can be read, spoofed, or flooded by anyone with access to the path.
Service providers that offer business-class services, including voice VPN, IP Centrex, and hosted IP PBX, face a raft of challenges. First, they need a workable way to carry VoIP traffic through enterprise firewalls, which, doing exactly what they are meant to do, block inbound media streams whose addresses and ports are negotiated dynamically inside the call signaling. Without such a solution, providers end up working around the firewall, and calls remain essentially unprotected, open to eavesdropping (tapping) and denial of service. Unprotected IP telephony networks are also vulnerable to packet flooding by attackers intent on service disruption, with effects ranging from system crashes and throughput loss to slowdowns and degraded voice quality.
FINDING THE ANSWER
In an attempt to solve VoIP security questions, enterprises and service providers have considered a variety of technologies: IP phones with embedded security mechanisms, private or virtual LANs, intelligent routers with integrated firewalls, new protocols such as the proposed STUN standard for NAT traversal, and voice proxy firewalls. For the most part, these remedies have been woefully inadequate.
Placing IP phones in the enterprise without a firewall in front of them is highly risky. Many phones have built-in security mechanisms, including user name and password authentication, but these are easily defeated. The phones also use public IP addresses, which leaves them directly reachable, and attackable, from the Internet.
Deploying a VoIP solution on a private LAN behind the service provider's own firewall is unacceptable, because most enterprises must still use some public IP addresses, which remain exposed. Most WANs between the provider and the enterprise also use global IP addressing, which presents a similar danger. In addition, service providers that combine traffic from several enterprises on the same network (for example, a Metropolitan Area Network) are placing those customers at risk, since someone with access to one enterprise LAN could attack the network of another.
Some service providers have addressed the problem with a private IP addressing scheme for phones and public IP addressing for all other networked devices. Phones are connected to one virtual LAN (VLAN) and devices such as PCs, switches, and routers to another, which lets enterprises send and receive VoIP calls behind their own firewalls. For service providers, however, managing separate private and public address spaces for every customer and configuring IP phones for each user creates operational headaches and added expense.
Voice-aware firewalls have also come under scrutiny. Such equipment is mostly still in development, and no available product supports all VoIP signaling standards, so enterprises that use one remain exposed to the vulnerabilities discussed above for the protocols it does not understand. Replacing existing firewalls with new platforms is also a very expensive proposition.
SECURING ENTERPRISE TRAFFIC
A far better solution is to deploy voice proxy firewalls in the service provider's network. Though other solutions exist, such next-generation platforms are a highly effective and cost-efficient alternative, enabling providers to ensure safe passage for voice traffic sent to their customers' networks.
Voice proxy firewalls support Media Gateway Control Protocol (MGCP), Skinny Client Control Protocol (SCCP), and Session Initiation Protocol (SIP) endpoints and are most effective when deployed in pairs for redundancy, with one device active and the other standby. Multiple pairs can be deployed for increased scalability.
In a paired configuration, an IP telephony application server in the service provider's core network continuously monitors both voice proxy firewalls and switches between them within milliseconds when it detects a service disruption such as dropped calls. Customer premises equipment (CPE) such as IP phones and access gateways can then operate to full capability behind any standard, commercially available firewall, because the voice proxy firewall controls both the signaling (command) and the voice packet streams exchanged between the provider and the customer.
During a call, all signaling and voice packet streams between the two sides pass through the voice proxy firewall, which inspects each packet and replaces the embedded (private) IP addresses and ports, such as those a phone advertises in the SDP body of its signaling messages, with public IP addresses and ports belonging to the voice proxy firewall itself. Real-time Transport Protocol (RTP) voice packets are then addressed to the proxy, which relays them to the access gateways and IP phones behind the enterprise firewall over the return path that firewall opened when the phone's own packets went out.
Generally the voice proxy firewall requires no configuration on the enterprise side, with rare exceptions. Some very large enterprises whose firewalls deny outbound traffic by default need a single rule allowing traffic to the voice proxy firewall's IP address. In addition, some firewalls do not consistently keep MGCP or SIP session state open while the phone is idle, so signaling from the provider for an incoming call is dropped. In most cases this is easily fixed by raising the firewall's session idle timeout to five minutes; firewalls whose timeout cannot be changed cannot be used.
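To make the rewrite concrete, here is an added example (not VocalData's code or anything from the article) of what the proxy has to do to one SIP INVITE: swap the phone's private address and RTP port in the SDP body (and in the Via and Contact headers) for its own public address and an allocated port, recompute Content-Length, and remember the binding so RTP from the far end can be relayed back. The proxy address 203.0.113.10, the port pool, the firewall address 198.51.100.7, and the sample INVITE are all assumptions. It also shows one point the article glosses over: the private address in the SDP is not routable from the provider side, so the proxy must learn the enterprise firewall's public address from the phone's first outbound RTP packet, and should accept that only from the address the signaling came from.

```python
"""Added example, not VocalData's code or the page's own: a minimal voice-proxy
rewrite of the private addresses a phone embeds in its SIP signaling, plus the
media binding used to relay RTP back through the enterprise firewall.
Assumptions: proxy public address 203.0.113.10, RTP port pool from 20000, and a
constructed INVITE from a phone at 10.1.2.3 behind a firewall at 198.51.100.7."""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

PROXY_PUBLIC_IP = "203.0.113.10"   # assumed
IP_PORT_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d+")


@dataclass
class MediaBinding:
    private_ip: str                  # what the phone wrote in its SDP; not routable from here
    private_port: int
    signaling_src_ip: str            # public address the INVITE actually arrived from
    nat_addr: Optional[Tuple[str, int]] = None   # learned from the phone's first RTP packet


@dataclass
class VoiceProxy:
    public_ip: str = PROXY_PUBLIC_IP
    next_port: int = 20000
    bindings: dict = field(default_factory=dict)

    def allocate_port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 2   # RTP even, RTCP odd
        return port

    def rewrite_invite(self, raw: bytes, src_ip: str) -> bytes:
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed SIP message: no header/body separator")
        public_port = self.allocate_port()
        private_ip = private_port = None
        sdp = []
        for line in body.decode("ascii").split("\r\n"):
            if line.startswith("c=IN IP4 "):            # connection address
                private_ip = line[len("c=IN IP4 "):]
                line = f"c=IN IP4 {self.public_ip}"
            elif line.startswith("m=audio "):           # media port
                parts = line.split(" ")
                private_port = int(parts[1])
                parts[1] = str(public_port)
                line = " ".join(parts)
            elif line.startswith("o="):                 # origin line also carries the private address
                parts = line.split(" ")
                parts[-1] = self.public_ip
                line = " ".join(parts)
            sdp.append(line)
        if private_ip is None or private_port is None:
            raise ValueError("SDP missing c= or m=audio line")
        new_body = "\r\n".join(sdp).encode("ascii")
        self.bindings[public_port] = MediaBinding(private_ip, private_port, src_ip)

        out = []
        for h in head.decode("ascii").split("\r\n"):
            name = h.partition(":")[0].strip().lower()
            if name == "content-length":                 # body length changed with the rewrite
                h = f"Content-Length: {len(new_body)}"
            elif name in ("via", "contact"):             # hide the phone's address in signaling too
                h = IP_PORT_RE.sub(f"{self.public_ip}:5060", h)
            out.append(h)
        return "\r\n".join(out).encode("ascii") + b"\r\n\r\n" + new_body

    def learn_media_source(self, public_port: int, src: Tuple[str, int]) -> bool:
        """Latch the NAT address from the phone's first RTP packet, but only if it comes
        from the signaling source; otherwise one stray packet could redirect the audio."""
        b = self.bindings.get(public_port)
        if b is None or src[0] != b.signaling_src_ip:
            return False
        if b.nat_addr is None:
            b.nat_addr = src
        return b.nat_addr == src

    def relay_target(self, public_port: int) -> Optional[Tuple[str, int]]:
        """Where RTP arriving from the provider side on public_port is forwarded."""
        b = self.bindings.get(public_port)
        return b.nat_addr if b else None


# Constructed sample INVITE: a phone at private address 10.1.2.3 offering RTP on port 16384.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=phone 2890844526 2890844526 IN IP4 10.1.2.3\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.2.3\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
).encode("ascii")
SAMPLE_INVITE = (
    "INVITE sip:2002@provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@provider.example>;tag=1928301774\r\n"
    "To: <sip:2002@provider.example>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@10.1.2.3:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n"
).encode("ascii") + SAMPLE_SDP

if __name__ == "__main__":
    proxy = VoiceProxy()
    print(proxy.rewrite_invite(SAMPLE_INVITE, "198.51.100.7").decode("ascii"))
```

MGCP commands carry the same SDP body, so the c=/m= rewrite is identical for MGCP endpoints; a production proxy would also insert its own Via with a fresh branch, apply the same rewrite to the 200 OK coming back the other way, and bind RTCP on the odd port alongside RTP.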
SERVICE PROVIDER SOLUTIONS
Voice proxy firewalls also give service providers firewall protection for their own networks, preventing attacks and service disruptions that would otherwise reach the IP telephony application server. This is accomplished through three functions integrated into the voice proxy firewall: access lists, packet validation (stateful inspection of the signaling), and packet throttling.
Access lists limit who can make calls and help prevent service theft by those with network access: only boot packets (the messages an endpoint sends when it starts up and registers) from the specified IP addresses are allowed through the voice proxy firewall, so the check is applied at registration rather than to every packet. Access lists also let network managers assign access levels to employees, for example allowing local and long-distance calls but not international calls. Remote users can be given a very low access level, since external users present a high security risk.
Packet validation checks for valid source and destination IP addresses and forwards packets only after they pass. RTP voice packets are checked for valid source and destination addresses; signaling (command) packets are additionally parsed and checked for protocol validity. This prevents malformed packets from reaching the IP telephony application server and consuming CPU unnecessarily.
Packet throttling lets network managers set the number of boot packets per second that are allowed through the voice proxy firewall, which keeps packet storms (for example, every phone re-registering at once after a power failure, or a deliberate flood) from reaching the IP telephony application server.
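The three checks above, written out as an added example (not the page's or VocalData's code) for MGCP datagrams headed to the application server. The boot packet here is MGCP's RSIP ("restart in progress"), which a gateway or phone sends when it comes up; the allowed addresses, the rate limit, and the sample datagrams are constructed for the example. Note the order: every command is parsed and validated first, and only a boot packet is then subjected to the access list and the throttle, which is what the text means when it says the access-list check applies only to boot packets.

```python
"""Added example, not the page's or VocalData's code: access list, packet
validation and packet throttling applied to MGCP datagrams before they reach
the application server.  Addresses, limits and sample packets are constructed."""
import re
import time
from typing import Callable, Iterable

ALLOWED_SOURCES = {"198.51.100.7", "198.51.100.8"}   # assumed customer CPE/firewall addresses
MGCP_VERBS = {"AUEP", "AUCX", "CRCX", "DLCX", "EPCF", "MDCX", "NTFY", "RQNT", "RSIP"}
# Command line: VERB transaction-id endpoint@gateway MGCP version
CMD_RE = re.compile(r"^([A-Z]{4}) (\d{1,9}) (\S+@\S+) MGCP (\d+\.\d+)$")
PARAM_RE = re.compile(r"^[A-Z]{1,2}: .+$")   # e.g. "RM: restart", "X: 0123456789AB"


class TokenBucket:
    """Allow at most `rate` packets per second, with bursts up to `burst`."""
    def __init__(self, rate: float, burst: float, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = burst
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class BootPacketFilter:
    def __init__(self, allowed: Iterable[str], boot_pps: int, clock=time.monotonic):
        self.allowed = set(allowed)
        self.bucket = TokenBucket(boot_pps, boot_pps, clock)

    def classify(self, src_ip: str, payload: bytes) -> str:
        """Return 'forward' or 'drop:<reason>' for one UDP datagram."""
        # Packet validation: parse the command before anything else looks at it,
        # so a malformed datagram never costs the application server CPU.
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            return "drop:non-ascii"
        lines = text.split("\r\n")
        m = CMD_RE.match(lines[0])
        if not m or m.group(1) not in MGCP_VERBS:
            return "drop:malformed-command-line"
        for line in lines[1:]:
            if line == "":
                break          # blank line ends the parameters; an SDP body may follow
            if not PARAM_RE.match(line):
                return "drop:malformed-parameter"
        if m.group(1) == "RSIP":
            # Access list and throttle apply to boot packets only.
            if src_ip not in self.allowed:
                return "drop:acl"
            if not self.bucket.allow():
                return "drop:throttled"
        return "forward"


# Constructed sample datagrams
RSIP_OK = b"RSIP 1001 aaln/1@cpe7.example.net MGCP 1.0\r\nRM: restart\r\n"
NTFY_OK = b"NTFY 1002 aaln/1@cpe7.example.net MGCP 1.0\r\nX: 0123456789AB\r\nO: L/hd\r\n"
BAD_CMD = b"RSIP aaln/1@cpe7.example.net\r\n"          # no transaction id or version
BAD_PARAM = b"RSIP 1003 aaln/1@cpe7.example.net MGCP 1.0\r\nrestart please\r\n"


def demo() -> list:
    """Run the filter over the samples with a fake clock; returns the decisions in order."""
    clock = [0.0]
    f = BootPacketFilter(ALLOWED_SOURCES, boot_pps=2, clock=lambda: clock[0])
    results = [f.classify("198.51.100.7", RSIP_OK) for _ in range(3)]   # third one is throttled
    clock[0] = 1.0                                                        # a second later: refilled
    results.append(f.classify("198.51.100.7", RSIP_OK))
    results.append(f.classify("192.0.2.99", RSIP_OK))     # not on the access list
    results.append(f.classify("192.0.2.99", NTFY_OK))     # ACL does not apply: not a boot packet
    results.append(f.classify("198.51.100.7", BAD_CMD))
    results.append(f.classify("198.51.100.7", BAD_PARAM))
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The throttle is a per-proxy token bucket keyed on nothing, matching the single boot-packets-per-second parameter the text describes; a stricter deployment would keep one bucket per source address so that one misbehaving customer cannot exhaust the budget for everyone else.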
THE DOOR TO NEW SERVICES
Deployment of VoIP technology opens a new world of communications for enterprise customers. By transporting voice traffic over packet-based networks, service providers can launch new high-margin services, including virtual PBX and IP Centrex, which promise enormous value and lower costs for enterprises. However, before opening the floodgates to new services, providers must find answers to VoIP security questions. By addressing these issues now, providers of IP voice services can avoid the security problems data providers solved the hard way, enabling them to increase profitability, lower management and operational costs, and enjoy a much more rapid return on investment.
Steve P. Bakke is founder and CTO of VocalData, Inc. VocalData is a leading provider of integrated voice and enhanced network applications that enable service providers to reliably deliver next-generation IP telephony services. For more information, visit the company on the Web at
To The November 2002 Table Of Contents