In these tough economic times, VoIP (Voice over IP) can appear very appealing as a means of reducing monthly phone costs. But before rushing into an implementation, you need to consider the security and cost implications.
By moving your telecommunications onto the same network as your data and Internet traffic, VoIP traffic can be attacked, hacked, intercepted, re-routed and degraded just like any data packet on your network. Your handsets become another node on the network that needs protecting.
Spammers are attracted to VoIP, too, because it's cost-effective for them. SPIT, or spam over internet telephony, is more successful than email spam as most users now have email spam filters in place. Even the spam messages that do get through are usually deleted without being opened, based solely on the sender's name or subject. It's very difficult to filter SPIT, however, because voice is real-time. Only after listening to part of the call can a user recognize whether it's spam.
Securing VoIP: Preparations
Business executives and IT managers should be aware of the security implications of putting voice, data and video traffic onto a single network, and be able to handle the increase in both the complexity of the network and the criticality of the traffic. For a start, your network infrastructure will need to support the session initiation protocol (SIP) and the International Telecommunication Union's H.323 voice protocol, which are used to control the VoIP communications. In order not to compromise existing security, you will need to deploy encryption, real-time detection and monitoring, and regular audits.
Regarding changes to your network setup, you may need to use mandatory access-based controls for device authentication. IP permit lists and static IP address assignment may also be necessary to restrict access to managed devices. Strict network authentication and password policies should be enforced for all VoIP users, and all VoIP traffic should be encrypted and transmitted over a virtual private network where possible.
VoIP can also inherit vulnerabilities from your existing infrastructure, including the network, operating system, or Web server that VoIP applications are running on. All infrastructure devices need to be hardened and of high performance; otherwise VoIP Quality of Service (QoS) can be affected. Users will naturally expect VoIP services to be available when needed; therefore maintenance windows need to be planned very carefully to minimize downtime. As you can see, as network traffic gets more critical, so does the management of the system.
Securing VoIP: Necessary features
VoIP applications can require a lot of bandwidth and disrupt the use of other protocols, so it's important to choose a VoIP product with the capability to prioritize important traffic or set limits on traffic that has lower importance. The StoneGate Firewall/VPN appliance from StoneSoft Corp. is a good example of a centralized management system, which uses bandwidth management to ensure important traffic always has priority over non-business-related traffic. Protocol validation and misuse detection also help protect communications from malicious traffic.
Session border controllers (SBCs) can also be used to manage VoIP calls to and from different protected networks. They may act as a firewall or carry out Network Address Translation. A key function of SBCs involves hiding the network topology, which prevents the discovery of network configuration information and how calls are routed.
Most VoIP servers, such as a session initiation protocol (SIP) proxy, are open to external networks so that endpoints may access the servers to request calls. Such an arrangement means that the topology of the service network is partially visible and vulnerable. An SBC encapsulates the core network and provides a single logical interface for external networks. It can also protect against denial-of-service attacks by allowing secure traffic, limiting uncertain traffic, and denying insecure traffic. Overload prevention is a similar task.
These are all important responsibilities, as your network has a fixed bandwidth. VoIP makes networks potentially more prone to congestion and denial-of-service attacks, malformed messages, and Quality-of-Service abuse, whereas standard circuit-switched public telephone networks provide Quality-of-Service guarantees.
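The three-tier policy just described (admit secure traffic, limit uncertain traffic, deny insecure traffic), with per-source rate limiting as the overload-prevention step, as an added Python illustration that is not from the article or from any SBC product. The tier definitions (TLS from a registered endpoint counts as secure, a malformed request or a blocked source as insecure, everything else as uncertain) and the sample addresses are this example's own assumptions.

```python
class TokenBucket:
    """Per-source limiter: refills `rate` tokens/second up to `burst`; one token per request."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), now

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


class SbcAdmission:
    """Three-tier SIP admission policy: admit secure traffic outright, rate-limit
    uncertain traffic per source, deny insecure traffic. The tier definitions are
    assumptions for this example: secure = TLS from a registered endpoint,
    insecure = malformed request or blocked source, everything else = uncertain."""

    def __init__(self, registered, blocked, rate=2.0, burst=5):
        self.registered, self.blocked = set(registered), set(blocked)
        self.rate, self.burst, self.buckets = rate, burst, {}

    def decide(self, src, transport, well_formed, now):
        if src in self.blocked or not well_formed:
            return "deny"
        if transport == "tls" and src in self.registered:
            return "admit"
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst, now))
        return "admit" if bucket.take(now) else "rate-limited"


def run_sample():
    """Constructed request stream (not captured traffic): an 8-request INVITE burst from
    one unknown UDP source at t=0, one more from it a second later, a registered TLS
    endpoint during the burst, one malformed request, and one request from a blocked source."""
    sbc = SbcAdmission(registered={"10.0.0.5"}, blocked={"203.0.113.9"})
    events = [("198.51.100.7", "udp", True, 0.0)] * 8
    events += [("10.0.0.5", "tls", True, 0.0), ("198.51.100.7", "udp", True, 1.0),
               ("10.0.0.5", "tls", False, 1.0), ("203.0.113.9", "tcp", True, 1.0)]
    return [sbc.decide(*e) for e in events]
```

With a burst of 5 and a refill of 2 per second, the unknown source gets five requests through, the next three are rate-limited, and a second later its bucket has refilled enough to admit one more.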
Eavesdropping on VoIP data and changing the information is much easier compared to the abuse of traditional phone lines, particularly for an internal attacker with a packet sniffer, such as Wireshark. The freely available tool allows users to intercept and potentially modify network packets. (The other way of intercepting communications is compromising an access device such as a Layer 2 switch and forwarding the data on to the attacker. This is why physical access to all network devices should be tightly controlled and monitored.) To limit the threat posed by a packet-sniffing attack, all media packets should be encrypted.
Zfone, a secure VoIP phone software product, lets you make encrypted phone calls over the Internet. Its principal designer is Phil Zimmermann, the creator of PGP. It uses a new protocol called ZRTP and is available as a plugin for soft VoIP clients, effectively converting them into secure phones. The ZRTP protocol has been submitted to the IETF as a proposal for a public standard, and the source code is published.
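An added example, not from the article or from Zfone: a small Python audit of a SIP INVITE that covers two of the checks discussed above, protocol validation against malformed messages (the mandatory request headers of RFC 3261) and whether each media stream in the SDP offer is encrypted (SRTP signalled by RTP/SAVP, or in-band ZRTP announced by the a=zrtp-hash attribute of RFC 6189) rather than cleartext RTP. The sample INVITE, its addresses and the hash value are constructed placeholders.

```python
REQUIRED = ("via", "max-forwards", "from", "to", "call-id", "cseq")  # RFC 3261 s8.1.1 mandatory headers

def parse_sip(raw):
    """Split a SIP message into (request line, {lower-cased header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body

def missing_headers(headers):
    """Mandatory headers absent from the message; an empty list means well formed."""
    return [h for h in REQUIRED if h not in headers]

def media_security(sdp):
    """Map each offered media type to 'srtp', 'zrtp' or 'cleartext'."""
    # RTP/SAVP(F) means SRTP keyed through SDP; plain RTP/AVP only counts as protected
    # when a media-level a=zrtp-hash (RFC 6189) announces in-band ZRTP key agreement.
    result, current = {}, None
    for line in sdp.strip().split("\n"):
        if line.startswith("m="):
            mtype, port, proto = line[2:].split()[:3]
            current = None if port == "0" else mtype  # port 0 = stream disabled, ignore
            if current:
                result[current] = "srtp" if "SAVP" in proto else "cleartext"
        elif line.startswith("a=zrtp-hash:") and current and result[current] == "cleartext":
            result[current] = "zrtp"
    return result

def audit_invite(raw):
    """Findings for one INVITE: missing mandatory headers and media offered unencrypted."""
    _, headers, body = parse_sip(raw)
    findings = [f"missing mandatory header: {h}" for h in missing_headers(headers)]
    if headers.get("content-type", "").lower() == "application/sdp":
        for mtype, sec in media_security(body).items():
            if sec == "cleartext":
                findings.append(f"{mtype} media offered as cleartext RTP")
    return findings

# Constructed sample (not captured traffic): SRTP audio, ZRTP-capable video, a disabled
# text stream, and a deliberately missing Max-Forwards header.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776",
    "From: Alice <sip:alice@example.com>;tag=1928301774", "To: Bob <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710@10.0.0.5", "CSeq: 314159 INVITE", "Content-Type: application/sdp",
    "", "v=0", "o=alice 2890844526 2890844526 IN IP4 10.0.0.5", "s=-", "c=IN IP4 10.0.0.5", "t=0 0",
    "m=audio 49170 RTP/SAVP 0", "m=video 51372 RTP/AVP 31",
    "a=zrtp-hash:1.10 PLACEHOLDER_HASH", "m=text 0 RTP/AVP 98"])  # placeholder, not a real hash
```

Run over a capture of signalling on the voice VLAN, the same two functions flag endpoints that still negotiate cleartext RTP and messages that a strict SBC would reject as malformed.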
Finally, VoIP telephones typically depend on mains electricity, whereas traditional residential analogue phones are connected directly to telephone company phone lines which provide a direct current. This configuration puts VoIP at the mercy of power failures, so an alternate power supply needs to be considered if VoIP is to become a mission-critical service within your organization.
About the author: Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in August 2009