Savvy VoIP Security
I recently had the opportunity to talk with Stephen Mank, the COO of Qovia, Inc., a provider of VoIP equipment monitoring and management tools. VoIP has become a major focus for many organizations for 2006, and VoIP security remains a hot topic.
Brent: What impact will security have on VoIP adoption?
Stephen: If properly understood and implemented, it really shouldn't have much impact. Realize that this is not just another IP application; understand how it is different, particularly with its real-time requirements; and take a multi-layered approach to solving the problem. (See chart.)
Multi-Layered VoIP Security Overview
| Layer | Use in VoIP Systems | Vulnerability | Protection |
| --- | --- | --- | --- |
| Application Semantics | Registration, software download, call mgmt., billing, dial plan, email, conferencing, voice mail, user identity, contacts list | SPAM, viruses, hijacking, eavesdropping, toll fraud, application specific DOS & spoofing, identity theft | Very little today. |
| Session & Transport | SIP, SCCP, RTP, MGCP, H323, CDP, AXL | Protocol specific DOS & spoofing, man-in-the-middle | SRTP, TLS, SSL |
| Data Network | IP, UDP, DHCP, DNS, TFTP, ARP, SNMP, HTTP | Network DOS & Spoofing, man-in-the-middle, etc. | Standard IPSEC procedures, Intrusion Protection |
| Physical Devices | Phones, servers and gateways | MAC spoofing, Rogue Devices | Control physical access, Rogue detection |
Source: Qovia, Inc.
Brent: Are we ready to secure VoIP? What best practices should organizations follow to protect the confidentiality, integrity and availability of their VoIP deployments?
Stephen: The following steps toward securing VoIP should be taken into consideration:
Physical Security
* If you have a separate VoIP network (or VLANs), make sure only phones are on it.
* Include phones in your 'asset tracking' strategy. Know when new ones 'show up'!
* If you need 'phone mobility', be sure you can discriminate between valid and 'rogue' phones.
Transport & Session Security
* Enable Transport Label Security (TLS) for encrypting call signaling (not supported by all call managers).
* Enable Secure Real-Time Transport Protocol (SRTP) for encrypting call streams (not supported in all phones).
* Caution: Some management and monitoring tools do not work well with encryption. Check with your vendors first!