July 16, 2008, 3:08 AM — The greatest challenge in VoIP security is that there are very few good example case studies available. There are some very good VoIP deployments. But try to find a white-paper with someone disclosing all the their success stories in building a perfect VoIP network. No luck! Unfortunately much of that data is hidden in confidential documents. Still, I have really loved to see VoIP security emerge and evolve from being a hindrance in VoIP deployment, into a key marketing value. Finally some of those success stories will get a chance to see daylight.
VoIP security appears very different from the perspectives of each involved person. For real-world network implementers any available techniques are absolute life-savers. Imagine yourself into the shoes of a legacy telecoms engineer. You know (and nobody believes you) that all telephony systems can be shutdown by anyone with access to the core network. You also know (even though you do not want to know) that all the last-mile engineers can listen into anyone's calls, in the same way as any legal authorities can. And this is just to name a few problems with legacy telephony. Now think VoIP, and all problems are solved (if you want to).
For managers, telephony has always been one of the biggest line items in IT (especially my CEO has always complained about my higher-than-life monthly mobile phone bills). To them, VoIP equals "free". Still, even they understand that for "free" you do not get security. The result is that to them, security in VoIP is the bad news, it equates to the costs that they would love to live without. Still, it is them who make the final decision on what gets funded and what not.
But especially for us security specialists, VoIP security is fun. Let's face it, web security is for dummies. There is nothing challenging really with Wild Wild Web anymore. But what about VoIP? Well, you need to have complex encryption schemes, different ones for different protocol layers, and different ones for various protocols running on those layers. You need at least two or three authentication servers, most probably from different vendors and preferably using as many proprietary data storage formats as possible. And think VPN, IDS, patch deployment, anti-virus, SPIT, ... Oh, I wish I had my own VoIP network also. VoIP is definitely for the best of the best in network security.
But please do not let your excitement win over reason. Fortunately you do have these three roles involved with most VoIP deployments. The legacy telecoms engineer (or should I say engineer with a background in legacy telecoms, as hopefully you are not going to get rid of him) will bring the requirements and healthy reasoning to the mix. "Why have encryption when we have never ever needed that in the past?", could be one question he will raise. "But we do need the best encryption off-loaders, and the best key escrow tools because...", this could sound like logical reasoning for the security engineer. "How much?", the manager will conclude the dialog.
Let's go back to the basics. A real process of building security into a communication network starts with threat analysis. You have to identify key threats to VoIP networks, know about attacks such eavesdropping, unauthorized access, denial of service, spoofing, and fraud; and really understand the enabling vulnerabilities in protocol design, network architecture, software, and system configuration. Understand the risk. Measure it. And decide IF it is worth pursuing for a counter-measure.
There are always advantages and tradeoffs associated with protection mechanisms built into various VoIP protocols. There are a number of available key management solutions, some fitting for others when others should choose something else. Finally, picture the complete security framework. It will be different for enterprise VoIP networks compared to what would be used in a service provider network. Then seek for guidance in the design of the VoIP architecture, especially from those who have been in the field for some time already.
Building VoIP security is a team effort. Each of us look at it from a slightly different angle. All opinions are correct. During the future weeks I will share mine in this blog.
