ITEXPO begins in:   New Coverage :  Asterisk  |  Fax Software  |  SIP Phones  |  Small Cells
April 2007
Volume 10 / Number 4
Feature Articles

Key Elements for Securing VoIP Services

By Dan Leary, Feature Articles

Enterprises are increasingly adopting IP telephony as their voice solution. While voice over IP (VoIP) offers many benefits, its use of IP as a transport makes it subject to many of the same vulnerabilities that afflict data networks. Given how mission critical voice service is — and how high people’s expectations are for dependability based on traditional phone system operation — IT needs to be aware of these vulnerabilities and take steps to protect the VoIP system.

IP telephony environments are very similar to data environments, so they require similar security measures. For example, most VoIP call managers run on variations of common operating systems, making them vulnerable to viruses, worms, denial of service (DoS) attacks, and other malware. IP phones can also fall victim to targeted attacks and be potential launch points for malware. For example, hackers can create attacks that cause VoIP phones to reboot or delete their configuration information, making the phones unusable and crippling the call manager.

VoIP threats can be grouped into two broad categories: attacks that disrupt service availability by bringing down the call manager and attacks that degrade or compromise voice quality, potentially making the VoIP service unusable. To protect VoIP devices and services against multiple types of attacks, it is important to implement the right mechanisms.

Protecting the Call Manager
If the VoIP call manager goes down, the enterprise’s entire voice system goes down. Hackers can exploit vulnerabilities in the call manager OS and even in the VoIP protocols themselves to launch a DoS or other attack against the call manager. IP phones, including softphones, can even be the launch point for such attacks, which seek to cripple the call manager, often by triggering an overload of call setups.

Several mechanisms are key for protecting the call manager. First, IT must be able to restrict which applications and protocols — even which users and devices — can reach the call manager. For instance, IT needs the ability to define policies that ensure only SIP (Session Initiation Protocol (News - Alert)) or H.323 traffic can reach the call manager.

This application-based control enables the security platform to protect the call manager from non-SIP exploitations. This protection is especially useful for softphones, where a PC is the phone. Since a computer is the basis for the calling service, softphones expose the enterprise’s VoIP infrastructure to the full range of computer- and data-based threats.

In addition to controls that limit which applications can reach the call manager, IT also needs to control which devices can access it. For example, MAC-address wildcarding and white-listing allow IT to define which devices can send traffic to the call manager. With these restrictions in place, a security platform can block any traffic destined for the call manager that was not initiated by one of the authorized IP phones.

IT should also look for a security platform that can protect the VoIP infrastructure by identifying and blocking the source of DoS attacks. DoS detection algorithms can protect against call manager overload by checking whether a user is making too many calls per second to the same destination. By continued tracking of connection attempts over time, these algorithms can accurately identify an attack and block that traffic.

The Importance of Maintaining Voice Quality
Rather than aiming to take down the call manager, some attacks attempt to disrupt the VoIP system by degrading the voice quality. Viruses, worms, and even some DoS attacks consume so much bandwidth that VoIP call quality declines, sometimes to the point of rendering the VoIP system unusable. Many such attacks originate in IP phones themselves, requiring a solution that’s close to the source, whether it is a physical phone or a desktop.

IT should look for security platforms with malware algorithms that can quickly identify both known and unknown threats and disable the infected device. These application-specific algorithms operate by distinguishing normal behavior from abnormal behavior for individual applications. For example, to detect fast-propagating worms, an algorithm can track connection attempts by application and compare those rates, over time, to typical connection-attempt rates. The algorithm triggers when the connection-attempt rate exceeds a threshold that varies based on the elapsed time.

IT needs to combat “blind” worms as well. In this case, the algorithm compares the ratio of attempted to failed connections over time and by application; a high failure ratio indicates an attack. Taken together, these algorithms enable IT to quickly contain malware attacks, including zero-hour attacks.

As with the DoS solution, IT should have the flexibility to block all traffic from an infected desktop phone or softphone or to block just the malicious application. Shutting down malicious traffic at the source prevents the bandwidth exhaustion that can make IP telephony conversations unintelligible.

Other Advantages of VoIP Security
In addition to providing key security for the VoIP environment, a security appliance may also help simplify a VoIP deployment. For example, getting detailed visibility into and control over LAN traffic on a per-user, per-application, per-flow basis can enable IT to securely separate voice from data traffic, without the need for virtual LANs.

Likewise, if a security platform offers role-based provisioning, IT can centrally define voice- and data-related access policies to ensure consistent, ubiquitous access control. For instance, deep packet inspection and fine-grained application controls may eliminate the need for a VoIP-specific firewall in some organizations.

But most fundamental, of course, is protecting the critical voice services. Convergence (News - Alert) can deliver substantial operational benefits, but the combination of voice and data services over IP connections now leaves voice susceptible to the full raft of threats and attacks that have plagued data communications for years. So in step with any VoIP deployment, IT must appropriately secure the devices and services that drive it.

Dan Leary is the Vice President, Marketing and Product Management of ConSentry. For more information, please visit the company online at


Today @ TMC
Upcoming Events
ITEXPO West 2012
October 2- 5, 2012
The Austin Convention Center
Austin, Texas
The World's Premier Managed Services and Cloud Computing Event
Click for Dates and Locations
Mobility Tech Conference & Expo
October 3- 5, 2012
The Austin Convention Center
Austin, Texas
Cloud Communications Summit
October 3- 5, 2012
The Austin Convention Center
Austin, Texas