Addressing Security In VoIP

Security is the Achilles’ heel of IP networks. At least, that is the perception held by many people, in and outside of the industry alike. Indeed, reports abound of security breaches and the threat of a coming wave of security disruptions targeting VoIP networks and VoIP users has security experts scrambling to meet the danger head on.

For example, Broadband Reports posted news in 2004 regarding Cleveland-based Broadvox Direct, and a potential security breach there that could have resulted in the theft of unsecured customer data.

And, a ZDnet report from last month underscores the fact that VoIP (among other technologies) must be hitting the mainstream, “when it becomes the focus of pharming and other security attacks.”

(According to Wikipedia.org, Pharming is defined as the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain Name for a site, and to redirect traffic meant for that Web site to another Web site. DNS servers are the machines responsible for resolving Internet names into their real addresses — the "signposts" of the Internet.)

The report goes on to explain: “One of VoIP’s flaws is that it is inherently vulnerable to hackers because, like e-mail, VoIP calls find their way by locating an IP address, a unique set of numbers assigned to each device connected to the Web. Yet while scores of commercial VoIP providers have quickly expanded to take advantage of the growing interest in the service, many have not implemented even basic security measures, such as encrypting phone calls.”

And with consumer VoIP subscriptions on the rise, expecting to reach up to 25 million over the next few years, it is truly fertile ground for hackers and other ne’er do wells looking to wreak havoc.

There are a number of organizations that are looking to address the issue of VoIP security. Perhaps best known is the group called VoIPSA (for Voice Over IP Security Alliance). The Alliance was conceived to fill the void of VoIP security related resources through a unique collaboration of VoIP and Information Security vendors, providers, and thought leaders. VOIPSA’s mission is to promote the current state of VoIP security research, VoIP security education and awareness, and free VoIP testing methodologies and tools.

According to a news release announcing the organization earlier this year, “The growing convergence of voice and data networks only serves to exacerbate and magnify the security risks of today’s traditional prevalent cyber attacks. Successful attacks against a combined voice and data network can cripple an enterprise, halt communications required for productivity, and result in irate customers and lost revenue. As VoIP increases in popularity, so does the potential for harm from a cyber attack. As VoIP deployments become more widespread, the technology becomes a more attractive target for hackers. The emergence of VoIP application-level attacks will likely occur as attackers become more familiar with the technology through exposure and easy access.”

According to a recent article in Internet Telephony magazine, authored by Joel Pogar, National Practice Manager Secure Network Services at Siemens ICN, there are a number of specific threats and best practices to consider when addressing VoIP security in the enterprise.

Threats
Among the more significant concerns relating to VoIP are:

• Denial of Service (DoS) Attacks: IP phones, and VoIP gateways can be bombarded with malicious packets in an attempt to disrupt communications.

• Call Intercept: Unauthorized monitoring of voice packets.

• Signal Protocol Tampering: Malicious users could monitor and capture the packets that set up the call. This would allow them to manipulate fields in the data stream and make VoIP calls without using a VoIP phone. This could be especially problematic, when used to make expensive calls and make the IP-PBX believe it originated from another user.

• Presence Theft: Impersonation of a legitimate user sending or receiving data.

• Toll Fraud: The ability of a malicious user or intruder to place fraudulent calls.

• Call Handling OS: The call handling software of many IP-PBX systems relies on operating systems, or operating system components, that may not be secure. Once compromised, this could be an avenue into other connected systems and information stores.

Best Practices
To minimize the security risks in a VoIP environment, the following best practices are recommended:

Virtual LANs
Keeping voice and data on separate VLANs is a good idea for increasing performance and security. What’s more, the best practice for securing a voice VLAN is to control the traffic between the voice and data VLAN using filtering and/or firewalls. This can prevent DoS attacks and spoofing as well as providing general filtering that limits malicious footprinting.

Encryption
Wherever possible and practical, implement encryption through VPNs or any method available to you. On one hand, encryption potentially can delay voice packets and adversely affect the performance of VoIP on your network — especially with multiple encryption points. On the other hand, if a network is operating efficiently, the overhead of the encryption should have little impact the performance of the VoIP system.

Direct Firewall Support
If VoIP traffic will be traversing a firewall, make sure your firewall is capable of direct support for SIP or H.323. If you have to "open" a port to allow these protocols through, then your firewall does not adequately support VoIP.

Secure OS Of Call Handling Software
Use a commercial scanning tool to "probe" the call servers in your VoIP system. If any critical or high-level vulnerability arises, contact your vendor to have them corrected as soon as possible. Care should be taken to allow only necessary services to run and to limit the number of listening ports that could be attacked. This might warrant placing core VoIP devices in a "safe zone" behind a firewall or a router with access filters.

Routine Monitoring
Managed services are a good idea for firms without the resources to keep an eye on their networks. It also makes sense when your VoIP system becomes mission critical. You should establish daily, weekly and quarterly milestones of activity to watch for.

Sound Security Practices
If already in place, a good data security program — strong passwords, anti-virus protection, reliable backup and so forth — gives firms that much of an advantage when implementing VoIP and should be maintained rigorously at all times thereafter.

Greg Galitzine is the editorial director for Internet Telephony magazine.

Putting Security Concerns at Ease

Spurred by the promise of greater productivity and efficiency offered by innovative applications that improve organizational processes and significantly lower costs, organizations of all sizes are quickly adopting voice over IP (VoIP) technologies. In fact, Gartner predicts that by 2009, 90 percent of all new telephony systems sold will be IP enabled. However, while CIOs and network administrators appreciate the benefits of VoIP, they also have concerns that their organization is implementing a solution that may be vulnerable to a range of security threats.

As many security experts have expected, the increase in VoIP adoption has caught the interest of hackers looking for a new challenge. VoIP involves the digitizing of voice communications, converting the digital signal into data packets and then transporting the information across an IP network, including the public Internet. Since VoIP delivers voice over the same lines as data, phone calls are now threatened by the same security challenges as data including viruses, spoofing, eavesdropping, and denial of service (DOS) attacks.

For example, Internet hackers with the capability to intercept voice packets could remove, edit, or add parts of a conversation unbeknownst to the sender. Even simple eavesdropping, which is a much more likely threat, carries the potential to cause significant damage.

In industries such as healthcare and financial services, where organizations face strict security mandates, the ramifications of a security breach are especially severe. Companies in closely regulated industries are expected to protect and monitor their systems at all times and face very strict financial and legal penalties if their systems are compromised.

Fortunately, strategies to address security issues for data networks translate very well to VoIP. By employing a series of comprehensive measures to ensure that both voice and data information is secure, organizations can minimize the risk from myriad security challenges. An effective, holistic approach to security requires constructing initiatives, protocols, and advanced monitoring technologies designed to vigilantly protect an organizations internal network infrastructure, the perimeter and the transportation method.

The first step to securing an organizations voice and data network is conducting a rigorous security audit and network assessment. A thorough security audit designed to find vulnerabilities in an existing network ensures that external forces will not compromise an organizations network.

Next steps to secure the network include implementing stringent monitoring and prevention tools and services. Existing firewalls should be reviewed and strengthened, if need be and organizations should also consider implementing intrusion detection and prevention systems as well as network monitoring services.

Companies must also consider how its employees will be efficiently authenticated when trying to access secure areas of the network. Increasingly, organizations are seeing the benefits of biometric authentication such as retinal, fingerprint, and voiceprint scans to provide a stronger defense against unauthorized access than more traditional methods such as passwords or digital certificates. While upfront costs of biometric devices are higher, the added benefits plus long-term cost-savings from reduced maintenance provides CIOs and network administrators with a compelling reason to invest.

In addition to these steps, organizations should also evaluate other tools that are available to provide additional layers of protection. While no solution can absolutely guarantee safety, a well-planned and implemented security strategy helps to ensure the reliability of the VoIP network by significantly decreasing the risk from threats such as viruses and unauthorized attacks. With a secured network, organizations are able to enjoy the benefits offered by VoIP to concentrate on achieving their fundamental business objectives.

To learn more about NECs VoIP Security solutions, please visit www.necunified.com. Mark Nagiel is Manager of Security Consulting with NEC Unified Solutions, Inc.