Savvy VoIP Security
I recently had the opportunity to talk with Stephen Mank, the COO of Qovia, Inc., a provider of VoIP equipment monitoring and management tools. VoIP has become a major focus for many organizations for 2006, and VoIP security remains a hot topic.
Brent: What impact will security have on VoIP adoption?
Stephen: If properly understood and implemented, it really shouldn't have much impact. Realize that this is not just another IP application; understand how it is different, particularly with its real-time requirements; and take a multi-layered approach to solving the problem. (See chart.)
Multi-Layered VoIP Security Overview
| Layer | Use in VoIP Systems | Vulnerability | Protection |
| Application Semantics | Registration, software download, call mgmt., billing, dial plan, email, conferencing, voice mail, user identity, contacts list | SPAM, viruses, hijacking, eavesdropping, toll fraud, application specific DOS & spoofing, identity theft | Very little today. |
| Session &Transport | SIP, SCCP, RTP, MGCP, H323, CDP, AXL | Protocol specific DOS & spoofing, man-in-the-middle | SRTP, TLS, SSL |
| Data Network | IP, UDP, DHCP, DNS, TFTP, ARP, SNMP, HTTP | Network DOS & Spoofing, man-in-the-middle, etc. | Standard IPSEC procedures, Intrusion Protection |
| Physical Devices | Phones, servers and gateways | MAC spoofing, Rogue Devices | Control physical access, Rogue detection |
Source: Qovia, Inc.
Brent: Are we ready to secure VoIP? What best practices should organizations follow to protect the confidentiality, integrity and availability of their VoIP deployments?
Stephen: The following steps toward securing VoIP should be taken into consideration:
Physical Security
* If you have a separate VoIP network (or VLANs) make sure only phones are on it
* Include phones in your 'asset tracking' strategy. Know when new ones 'show up'!
* If you need 'phone mobility' be sure you can discriminate between valid and 'rogue' phones
Transport & Session Security
* Enable Transport Label Security (TLS) for encrypting call signaling (not supported by all call managers).
* Enable Secure Real-Time Transport Protocol (SRTP) for encrypting call streams (not supported in all phones).
* Caution: Some management and monitoring tools do not work well with encryption. Check with your vendors first!
* Caution: Just because the phone thinks the call is encrypted doesn't mean you are protected end-to-end!
IP Network Security Policies
* Caution: Most firewall-based security solutions impose a variable latency on traffic when scanning for content patterns. This can significantly impact your call quality.
* Differentiate traffic by ToS and monitor network performance for VoIP ToS (or CoS if IPv6) with close scrutiny of unusual traffic 'bursts'.
VoIP Application Security
* Track Voice Mail usage with particular focus on rapid increases in mailbox usage.
* Track Gateway usage.Attack scenarios may originate as an external call through your gateways.
* Use 'active call testing' to verify system availability and performance. This is often the first sign of an attack.
* Make VoIP E911 support part of you security strategy. If you accurately know the location of every phone, you are ahead of the game!
Brent: When IPv6 arrives, how will it likely impact the security of VoIP in the future?
Stephen: It will address a number of issues that exist on the data network layer and in turn, both will ease the implementation of and improve the protection of VoIP in these environments. However improved, it still only represents a 25% solution. Today, the tools exist to achieve closer to a 75% solution - insuring substantially better-protected VoIP implementations.
Brent: How prolific will VoIP become? How serious will VoIP vulnerabilities become?
Stephen: I think the rate of adoption in the mainstream enterprise environment is off to a really solid start and will only increase. I don't think it is at the point of critical mass as most organizations only have somewhere in the 33% penetration range. As implementation and management tools improve, this number will climb. When it does, I would expect to see more interest in exploiting VoIP vulnerabilities. In particular, what company pushing SPAM today wouldn't jump all over the ability to deliver Spam over IP Telephony or SPIT? To me, hitting the voice mail of your target audience as well as the email is a home run - extreme SPAM or SPAM on steroids!
Brent: How far away is VoIP-based malware, and what will be the likely impact for VoIP users? How can they best defend against such incidents?
Stephen: I think it runs parallel with the previous answer. To help control VoIP malware threats organizations should implement VLANs, properly configured firewalls, traffic understanding and recognition, implementing SRTP, TLS, and SSL, and rogue detection. These are all integral parts of a robust VoIP security solution.
Thanks to Stephen for talking with me, and I hope we have been able to lay out a basic best practices approach for VoIP security. VoIP is an exciting new technology with some serious rewards and risks. Careful planning and traditional security vigilance will likely prove to be effective tools in helping your organization manage its implementation.
ITworld.com, Security Strategies
pasmith
Kindle news: pricing, business models and ... source code?
mulderjoe
Cell phone gaming: In search of good mobile games
jfruh
The guts of the iPhone 3GS
Enter your caption for this week's cartoon! The winner will receive a $25 Amazon gift card. Go now!
Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!
The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!
