Savvy VoIP Security

February 6, 2006, 04:57 PM —  ITworld.com, Security Strategies — 

I recently had the opportunity to talk with Stephen Mank, the COO of Qovia, Inc., a provider of VoIP equipment monitoring and management tools. VoIP has become a major focus for many organizations for 2006, and VoIP security remains a hot topic.


Brent: What impact will security have on VoIP adoption?



Stephen: If properly understood and implemented, it really shouldn't have much impact. Realize that this is not just another IP application; understand how it is different, particularly with its real-time requirements; and take a multi-layered approach to solving the problem. (See chart.)


Multi-Layered VoIP Security Overview


Layer Use in VoIP Systems Vulnerability Protection
Application Semantics Registration, software download, call mgmt., billing, dial plan, email, conferencing, voice mail, user identity, contacts list SPAM, viruses, hijacking, eavesdropping, toll fraud, application specific DOS & spoofing, identity theft Very little today.
Session &Transport SIP, SCCP, RTP, MGCP, H323, CDP, AXL Protocol specific DOS & spoofing, man-in-the-middle SRTP, TLS, SSL
Data Network IP, UDP, DHCP, DNS, TFTP, ARP, SNMP, HTTP Network DOS & Spoofing, man-in-the-middle, etc. Standard IPSEC procedures, Intrusion Protection
Physical Devices Phones, servers and gateways MAC spoofing, Rogue Devices Control physical access, Rogue detection

Source: Qovia, Inc.



Brent: Are we ready to secure VoIP? What best practices should organizations follow to protect the confidentiality, integrity and availability of their VoIP deployments?


Stephen: The following steps toward securing VoIP should be taken into consideration:


Physical Security


* If you have a separate VoIP network (or VLANs) make sure only phones are on it

* Include phones in your 'asset tracking' strategy. Know when new ones 'show up'!

* If you need 'phone mobility' be sure you can discriminate between valid and 'rogue' phones


Transport & Session Security


* Enable Transport Label Security (TLS) for encrypting call signaling (not supported by all call managers).

* Enable Secure Real-Time Transport Protocol (SRTP) for encrypting call streams (not supported in all phones).

* Caution: Some management and monitoring tools do not work well with encryption. Check with your vendors first!

* Caution: Just because the phone thinks the call is encrypted doesn't mean you are protected end-to-end!


IP Network Security Policies


* Caution: Most firewall-based security solutions impose a variable latency on traffic when scanning for content patterns. This can significantly impact your call quality.

* Differentiate traffic by ToS and monitor network performance for VoIP ToS (or CoS if IPv6) with close scrutiny of unusual traffic 'bursts'.


VoIP Application Security


* Track Voice Mail usage with particular focus on rapid increases in mailbox usage.

* Track Gateway usage.Attack scenarios may originate as an external call through your gateways.

* Use 'active call testing' to verify system availability and performance. This is often the first sign of an attack.

* Make VoIP E911 support part of you security strategy. If you accurately know the location of every phone, you are ahead of the game!


Brent: When IPv6 arrives, how will it likely impact the security of VoIP in the future?


Stephen: It will address a number of issues that exist on the data network layer and in turn, both will ease the implementation of and improve the protection of VoIP in these environments. However improved, it still only represents a 25% solution. Today, the tools exist to achieve closer to a 75% solution - insuring substantially better-protected VoIP implementations.


Brent: How prolific will VoIP become? How serious will VoIP vulnerabilities become?


Stephen: I think the rate of adoption in the mainstream enterprise environment is off to a really solid start and will only increase. I don't think it is at the point of critical mass as most organizations only have somewhere in the 33% penetration range. As implementation and management tools improve, this number will climb. When it does, I would expect to see more interest in exploiting VoIP vulnerabilities. In particular, what company pushing SPAM today wouldn't jump all over the ability to deliver Spam over IP Telephony or SPIT? To me, hitting the voice mail of your target audience as well as the email is a home run - extreme SPAM or SPAM on steroids!


Brent: How far away is VoIP-based malware, and what will be the likely impact for VoIP users? How can they best defend against such incidents?



Stephen: I think it runs parallel with the previous answer. To help control VoIP malware threats organizations should implement VLANs, properly configured firewalls, traffic understanding and recognition, implementing SRTP, TLS, and SSL, and rogue detection. These are all integral parts of a robust VoIP security solution.


Thanks to Stephen for talking with me, and I hope we have been able to lay out a basic best practices approach for VoIP security. VoIP is an exciting new technology with some serious rewards and risks. Careful planning and traditional security vigilance will likely prove to be effective tools in helping your organization manage its implementation.

 



ITworld.com, Security Strategies

I like it!
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
Free books

Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!

The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!

Featured Sponsor

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Marketplace