Security is often cited as one of the primary reasons
organisations have not deployed VoIP. Network managers need to cut
through the hype and deploy the right security to maximise the
reliability of the voice network and have a successful rollout.
The shift to VoIP changes many things. In the old TDM model of
voice, the PBX was a standalone, closed system with phones directly
connected to it. Its simplicity was also its security. Of
course, the problem with this model is that sharing applications
was difficult; moves, adds and changes were expensive and there was
no integration with the data network. A VoIP system looks a lot
like any other networked application. There's a call server, mail
server and other applications running on commercially available
hardware with IP endpoints that communicate with it. These servers
and end points communicate via an IP-over-Ethernet network
connected with switches and routers.
Since a VoIP system parallels other IP applications, the threats
to it are similar and require an understanding of how the VoIP
components are impacted.
The network
Any end point with an IP address is susceptible to network hacks
such as denial of service (DoS) attacks, which flood the network
and adversely impact call quality. Many professionals agree
(as do I) that DoS attacks are the single biggest threat to VoIP
deployments. DoS attacks can also overload call servers leading to
delays with call set up.
One of the most over-hyped aspects of VoIP security is
VoIP-aware firewalls. Since the majority of VoIP deployments today
are internal and do not penetrate the firewall, a better security
approach is to close the VoIP ports on your perimeter firewall. In
the rare case where VoIP traffic does leave the corporate network,
a VoIP-aware firewall should be considered.
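
One way to check a perimeter firewall for this, added here as an example rather than taken from the article: the script scans `iptables-save` output for ACCEPT rules that cover the default signalling ports of the protocols this piece names. The port numbers are the IANA-registered defaults and the sample ruleset is constructed; neither comes from the article, and dynamically negotiated media (RTP) ports are not covered.

```python
import re

# Default signalling ports (IANA registrations); an assumption, not from the article.
VOIP_PORTS = {
    5060: "SIP", 5061: "SIP over TLS",
    1719: "H.323 RAS", 1720: "H.323 call signalling",
    2427: "MGCP gateway", 2727: "MGCP call agent",
    2944: "Megaco/H.248 text", 2945: "Megaco/H.248 binary",
}

# Constructed sample of `iptables-save` output for a perimeter firewall.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m multiport --dports 1720,8080 -j ACCEPT
-A FORWARD -i eth0 -p udp -m udp --dport 2000:3000 -j ACCEPT
-A FORWARD -i eth0 -p udp -m udp --dport 5061 -j DROP
COMMIT
"""

def _port_ranges(spec):
    """Turn '5060', '1720,8080' or '2000:3000' into (low, high) tuples."""
    for part in spec.split(","):
        low, sep, high = part.partition(":")
        yield (int(low or 0), int(high or 65535)) if sep else (int(low), int(low))

def find_open_voip_ports(ruleset, chains=("INPUT", "FORWARD")):
    """Return (line_no, port, name) for each ACCEPT rule whose port match covers a VoIP port."""
    findings = []
    for line_no, line in enumerate(ruleset.splitlines(), start=1):
        chain = re.match(r"-A (\S+) ", line)
        if not chain or chain.group(1) not in chains or not re.search(r"-j ACCEPT\b", line):
            continue
        dports = re.search(r"(! )?--dports? (\S+)", line)
        if not dports:
            continue  # rules without a destination-port match are not examined here
        negated = bool(dports.group(1))
        ranges = list(_port_ranges(dports.group(2)))
        for port, name in sorted(VOIP_PORTS.items()):
            inside = any(low <= port <= high for low, high in ranges)
            if inside != negated:  # "! --dport X" accepts every port except X
                findings.append((line_no, port, name))
    return findings

if __name__ == "__main__":
    for line_no, port, name in find_open_voip_ports(SAMPLE_RULES):
        print(f"line {line_no}: port {port} ({name}) is accepted")
```
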
Operating systems
IP PBXs, media gateways and other related servers are built on
standardised operating systems such as Windows or Linux or a
proprietary one. Because of wide-scale deployments of Windows or
Linux-based operating systems, these operating systems have broader
developer support and application integration possibilities. This
does not, however, leave them open to more vulnerabilities. There's
no right answer as to whether organisations should use
a product based on Windows, Linux or something else. It's a matter
of choice, but if a standards-based product is used, the proper
security precautions should be taken.
The protocols
VoIP protocols such as SIP, H.323, MGCP and Megaco leave themselves
open to call hacking threats such as spoofing, impersonation and
eavesdropping. Poor implementation of these protocols leaves them
susceptible to buffer overflows. These overflows can be used to
control the mission critical systems in the VoIP environment like
media gateways and call servers.
IP PBX call servers, IP phones and softphones on PCs
Much of the hype around the servers and end points concerns things like
toll fraud, spoofing and configuration hacks. While these are
important and do need to be considered, a bigger, more basic
problem is viruses. A VoIP endpoint or server that is infected by a
virus can propagate it to other parts of the network causing
performance problems and potentially damaging data. Since the
majority of VoIP deployments are internal, viruses are likely to be
spread from other corporate computers. Organisations should follow
best practices for protecting all corporate computing devices.
In addition to the items mentioned above, there are a number of
other things network managers can do to protect the VoIP
environments.
- Implement VLANs to separate voice and data traffic. Many
of the perceived VoIP threats stem from a hacker's ability to
compromise the call. The use of VLANs can resolve the majority of
VoIP concerns. It's important to note that VLANs only work with IP
phones and will not work with softphones. Windows does not support
VLAN tagging so the voice and data traffic are tagged with the same
VLAN identifier.
- Implement quality of service (QoS) to prioritise traffic in
the voice VLAN. This will prevent malicious traffic from
flooding the network and degrading the call quality. QoS should be
implemented on the LAN and WAN.
Finally, don't take a hype-based approach to VoIP security. Too
many vendors and much of the media create unnecessary fear,
uncertainty and doubt (FUD) around VoIP. No network manager wants
to deploy VoIP and have a security incident compromise the call
quality so FUD-based selling works well with VoIP. Information
theft and unauthorised network access are much bigger concerns to
corporations than eavesdropping, spam over IP telephony or
unauthorised calls. Keep all the layers of your network protected
with appropriate security measures and tools and you will protect
yourselves against most of the issues that impact VoIP from a
security perspective.
Zeus Kerravala manages Yankee Group's infrastructure research
and consulting. His areas of expertise involve working with
customers to solve their business issues through the deployment of
infrastructure technology solutions, including switching, routing,
network management, voice solutions and VPNs.
Before joining Yankee Group, Kerravala was a senior engineer
and technical project manager for Greenwich Technology Partners, a
leading network infrastructure and engineering consulting firm.
Prior to that, he was a vice president of IT for Ferris, Baker
Watts, a mid-Atlantic based brokerage firm, acting as both a lead
engineer and project manager deploying corporate-wide technical
solutions to support the firm's business units. Kerravala's first
task at FBW was to roll out a new frame relay infrastructure with
connections to branch offices, service providers, vendors and the
stock exchange. Kerravala was also an engineer and technical
project manager for Alex. Brown & Sons, responsible for the
technology related to the equity trading desks.
Kerravala obtained a B.S. degree in physics and mathematics
from the University of Victoria (Canada). He is also certified by
Citrix and NetScout.