Sidebar: Security & QoS
BY Darwin Herdman
Quality of Service (QoS) issues are a critical element of IP telephony and pose a significant challenge to security professionals. We cannot assume that the security controls and measures currently implemented in data networks can be deployed in an IP telephony environment without compromising QoS. The time-critical nature of IP telephony systems and their low tolerance for disruption and packet loss limit the utility of traditional security solutions. In many cases, voice communications are critical to business continuity and require the same confidentiality, integrity, availability, and security as traditional data communications.
Security Policies and Procedures — Secure connectivity between IP telephony-enabled devices requires a secure underlying network. Network hardening measures closely mirror those of data networks, including identity management and authentication, access controls, turning off unneeded services, and enforcing secure management methods (e.g., IPsec and/or Secure Shell). Critical IP telephony infrastructure, including call-processing managers, voice mail servers, voice gateways, and voice-enabled routers, must be subject to strict system hardening procedures and continuous security management.
Logical Separation of Voice and Data Networks — Improved QoS, scalability, manageability, and security are all reasons that IP telephony and IP data devices should be deployed on two logically separate network segments with dedicated DHCP servers. In an era of widespread and rapidly propagating viruses and worms, segmentation will greatly improve the capability to deploy proactive defenses while minimizing the potential impact of compromised systems. However, IP telephony security solutions should not rely solely on virtual local-area networks (VLANs) for network separation. Layered security “best practices” should be implemented, including layer 3 access control in the distribution layer into which the IP phone connects. For IP-based phones that provide a data port so a PC can be connected directly to the phone, ensure the phone is capable of providing enhanced layer 2 connectivity with the option to use VLAN technology to separate voice and data.
IP Voice Encryption — Securing the voice traffic requires another layer of defense at the protocol level. IPsec encryption at the IP layer and/or secure RTP (SRTP) at the transport layer can address this requirement, but both degrade voice quality. The expansion of packet size, ciphering latency, and a lack of QoS awareness in the cryptographic engine itself can add an excessive amount of latency. If performance is an issue, encrypt at the router or other gateway rather than at the endpoints, using IPsec tunneling between the gateways.
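To make the packet-expansion cost concrete, the following added example (not from the article) computes the per-packet size and one-way bandwidth of a G.711 stream as plain RTP, as SRTP, and inside an IPsec ESP tunnel. The codec parameters (G.711, 20 ms packetization) and the cipher suite (AES-CBC with HMAC-SHA1-96) are assumptions; the header sizes are the standard ones.

```python
"""Quantify how SRTP and IPsec ESP tunnel mode expand a G.711 RTP packet.

Added example, not code from the article. Assumed codec: G.711 with 20 ms
packetization (160 payload bytes, 50 packets per second per direction).
"""

G711_PAYLOAD = 160          # bytes of audio per packet (assumption: 20 ms G.711)
PACKETS_PER_SEC = 50        # 1000 ms / 20 ms
IPV4, UDP, RTP = 20, 8, 12  # standard header sizes in bytes
ETH_L2 = 14 + 4 + 8 + 12    # Ethernet header + FCS + preamble + inter-frame gap


def plain_rtp_bytes(payload=G711_PAYLOAD):
    """Bytes on the wire per packet for unencrypted RTP over IPv4/Ethernet."""
    return ETH_L2 + IPV4 + UDP + RTP + payload


def srtp_bytes(payload=G711_PAYLOAD, auth_tag=10):
    """SRTP (RFC 3711) encrypts the payload in place and appends an
    authentication tag (80-bit HMAC-SHA1 by default): only the tag adds size."""
    return plain_rtp_bytes(payload) + auth_tag


def ipsec_esp_tunnel_bytes(payload=G711_PAYLOAD, iv=16, block=16, icv=12):
    """ESP tunnel mode wraps the whole inner IP packet: outer IPv4 header,
    ESP header (SPI + sequence, 8 bytes), IV, inner packet padded to the
    cipher block with a 2-byte trailer (pad length, next header), then ICV.
    Assumes AES-CBC (16-byte IV/block) with HMAC-SHA1-96 (12-byte ICV)."""
    inner = IPV4 + UDP + RTP + payload
    padded = -(-(inner + 2) // block) * block   # round inner + trailer up
    return ETH_L2 + IPV4 + 8 + iv + padded + icv


def call_kbps(bytes_per_packet, pps=PACKETS_PER_SEC):
    """One-way bandwidth in kbit/s for a stream of fixed-size packets."""
    return bytes_per_packet * 8 * pps / 1000


def expansion_pct(encrypted, base=None):
    """Percent growth of the encrypted packet relative to plain RTP."""
    base = plain_rtp_bytes() if base is None else base
    return round((encrypted - base) / base * 100, 1)


def overhead_report():
    """Per-packet size, kbit/s and percent expansion for each transport."""
    rows = {"rtp": plain_rtp_bytes(), "srtp": srtp_bytes(),
            "ipsec_esp_tunnel": ipsec_esp_tunnel_bytes()}
    return {name: (size, call_kbps(size), expansion_pct(size))
            for name, size in rows.items()}
```

The report shows why the article steers encryption to the gateways: ESP tunnel mode grows every 20 ms packet by roughly a quarter, and that expansion, plus per-packet cipher latency, is paid on every hop where it is applied.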
Identity Verification and Trust — Device and user authentication are key elements of a secure IP telephony environment and will help mitigate toll fraud by not allowing unregistered devices to gain access to the network. Device authentication prevents rogue phones from registering onto the network and placing unauthorized calls. Locking down switched ports, segments, and services in the network will provide attack mitigation for rogue devices. If feasible, it is recommended that customers consider statically assigning IP addresses to known MAC addresses, making it increasingly difficult for attackers to hijack both addresses. Though the hacker can still compromise this solution, it complicates his/her efforts significantly.
Most IP telephony call processing systems provide automated registration for adding new endpoints (handsets). Use of this functionality should be restricted to the initial configuration and bulk deployment of phones. During normal business operations, this feature should be turned off, and unknown devices should be denied registration with the call processing manager and access to the voice network. Furthermore, filtering in all segments will prevent devices in unknown segments from registering on the network, and will also prevent the registration of rogue call processing managers and/or voice gateways.
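The device controls described above (auto-registration disabled after deployment, static MAC-to-IP bindings, and registration accepted only from the voice segment) can be expressed as a small registration gate. This is an added example, not code from the article or from any call processing product; the MAC addresses, IP ranges and log lines are constructed.

```python
"""Registration gate for a call processing manager (added example).

Enforces three controls from the text: deny unknown devices once the
auto-registration window is closed, deny MAC/IP pairs that do not match
the static binding, and deny registrations sourced outside the voice
segment. All addresses and log lines below are constructed samples.
"""
import ipaddress

# Assumed static MAC -> IP bindings from the deployment inventory (constructed)
KNOWN_DEVICES = {
    "00:11:22:33:44:01": "10.20.1.11",
    "00:11:22:33:44:02": "10.20.1.12",
}
VOICE_SEGMENTS = [ipaddress.ip_network("10.20.1.0/24")]  # constructed voice VLAN
AUTO_REGISTRATION = False   # True only during initial bulk deployment


def evaluate_registration(mac, ip):
    """Return (decision, reason) for one registration attempt."""
    mac = mac.lower()
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in VOICE_SEGMENTS):
        return "deny", "source outside voice segment"
    expected = KNOWN_DEVICES.get(mac)
    if expected is None:
        if AUTO_REGISTRATION:
            return "allow", "auto-registration window"
        return "deny", "unknown device"
    if expected != ip:
        return "deny", "MAC/IP binding mismatch"   # possible address spoofing
    return "allow", "known binding"


# Constructed registration log, one attempt per line:
# "<time> REGISTER mac=<mac> ip=<ip>"
SAMPLE_LOG = """\
09:01:02 REGISTER mac=00:11:22:33:44:01 ip=10.20.1.11
09:01:05 REGISTER mac=00:11:22:33:44:02 ip=10.20.1.77
09:02:10 REGISTER mac=de:ad:be:ef:00:01 ip=10.20.1.50
09:02:33 REGISTER mac=00:11:22:33:44:01 ip=10.30.5.9
"""


def audit_log(text):
    """Parse the log and return one (mac, ip, decision, reason) per line."""
    results = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        decision, reason = evaluate_registration(fields["mac"], fields["ip"])
        results.append((fields["mac"], fields["ip"], decision, reason))
    return results
```

Only the first attempt is accepted; the other three are the cases the text calls out, a binding mismatch, an unknown handset, and a device in a non-voice segment.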
User authentication, although somewhat of an inconvenience, effectively mitigates attacks in which an attacker spoofs a MAC address and assumes the identity of a trusted user. Successful authentication of both the caller and the receiver offers some level of trust and non-repudiation. All PINs and passwords should follow best practices, requiring that they remain confidential and are changed frequently.
Threat Mitigation and Defense — IP telephony security is both complex and extremely difficult to maintain. The challenge is to secure this business-critical service without compromising quality of service (QoS). The successful deployment, monitoring, and management of point security technologies such as stateful firewalls, intrusion detection systems, and intrusion prevention systems offer increased levels of assurance and improve the network’s security posture. However, the implementation of these technologies complicates every aspect of IP telephony, including delaying or blocking call set-up and adding encryption-based latency.
Firewalls — Stateful firewalls provide network-level protection for the call processing manager, including stateful filtering of traffic, DoS mitigation, and spoof mitigation. When strategically placed where voice and data segments converge, stateful firewalls have proven valuable in mitigating attacks (e.g., UDP flood attacks) sourced from the data segment against the voice segment.
Intrusion Detection Systems — In addition to their proven detection signatures for IP data, intrusion detection technologies can be tuned specifically to IP voice threats such as packet sniffers/call interception, call identity spoofing, toll fraud, repudiation, IP spoofing, denial of service, and application-layer attacks.
Intrusion Prevention Systems — Implementation of host intrusion detection/prevention technologies is highly recommended due to the value and business-critical nature of voice communication. Host intrusion prevention is preferred where applicable because of the delay before security patches can be installed on production systems. Intrusion prevention solutions have a proven and demonstrated capability to mitigate “Day 0” attacks and, at a minimum, should be installed on all call processing managers and voice mail servers, as well as any other application servers such as E911 application servers.
Darwin Herdman is chief technology officer at Red Siren, Inc. For more information, please visit the company online at www.redsiren.com.
[ Return To The November 2004 Of Contents ]