February 06, 2006, 4:57 PM — I recently had the opportunity to talk with Stephen Mank, the COO of Qovia, Inc., a provider of VoIP equipment monitoring and management tools. VoIP has become a major focus for many organizations for 2006, and VoIP security remains a hot topic.
Brent: What impact will security have on VoIP adoption?
Stephen: If properly understood and implemented, it really shouldn't have much impact. Realize that this is not just another IP application; understand how it is different, particularly with its real-time requirements; and take a multi-layered approach to solving the problem. (See chart.)
Multi-Layered VoIP Security Overview
| Layer | Use in VoIP Systems | Vulnerability | Protection |
| Application Semantics | Registration, software download, call mgmt., billing, dial plan, email, conferencing, voice mail, user identity, contacts list | SPAM, viruses, hijacking, eavesdropping, toll fraud, application specific DOS & spoofing, identity theft | Very little today. |
| Session &Transport | SIP, SCCP, RTP, MGCP, H323, CDP, AXL | Protocol specific DOS & spoofing, man-in-the-middle | SRTP, TLS, SSL |
| Data Network | IP, UDP, DHCP, DNS, TFTP, ARP, SNMP, HTTP | Network DOS & Spoofing, man-in-the-middle, etc. | Standard IPSEC procedures, Intrusion Protection |
| Physical Devices | Phones, servers and gateways | MAC spoofing, Rogue Devices | Control physical access, Rogue detection |
Source: Qovia, Inc.
Brent: Are we ready to secure VoIP? What best practices should organizations follow to protect the confidentiality, integrity and availability of their VoIP deployments?
Stephen: The following steps toward securing VoIP should be taken into consideration:
Physical Security
* If you have a separate VoIP network (or VLANs) make sure only phones are on it
* Include phones in your 'asset tracking' strategy. Know when new ones 'show up'!
* If you need 'phone mobility' be sure you can discriminate between valid and 'rogue' phones
Transport & Session Security
* Enable Transport Label Security (TLS) for encrypting call signaling (not supported by all call managers).
* Enable Secure Real-Time Transport Protocol (SRTP) for encrypting call streams (not supported in all phones).
* Caution: Some management and monitoring tools do not work well with encryption. Check with your vendors first!
* Caution: Just because the phone thinks the call is encrypted doesn't mean you are protected end-to-end!
IP Network Security Policies
* Caution: Most firewall-based security solutions impose a variable latency on traffic when scanning for content patterns. This can significantly impact your call quality.
* Differentiate traffic by ToS and monitor network performance for VoIP ToS (or CoS if IPv6) with close scrutiny of unusual traffic 'bursts'.
VoIP Application Security
* Track Voice Mail usage with particular focus on rapid increases in mailbox usage.
* Track Gateway usage.Attack scenarios may originate as an external call through your gateways.
* Use 'active call testing' to verify system availability and performance. This is often the first sign of an attack.
* Make VoIP E911 support part of you security strategy. If you accurately know the location of every phone, you are ahead of the game!
Brent: When IPv6 arrives, how will it likely impact the security of VoIP in the future?
Stephen: It will address a number of issues that exist on the data network layer and in turn, both will ease the implementation of and improve the protection of VoIP in these environments. However improved, it still only represents a 25% solution. Today, the tools exist to achieve closer to a 75% solution - insuring substantially better-protected VoIP implementations.
Brent: How prolific will VoIP become? How serious will VoIP vulnerabilities become?
