Column: The myths and realities of VoIP security

Security is often cited as one of the primary reasons organizations have not deployed VoIP. The biggest VoIP security threat is not making headlines. Zeus Kerravala, Yankee Group analyst, cuts through the hype so network managers can maximize the reliability of their voice network.

Security is often cited as one of the primary reasons organizations have not deployed VoIP. Network managers need to cut through the hype and deploy the right security to maximize the reliability of the voice network and have a successful rollout.

The shift to VoIP changes many things. In the old TDM world, the PBX was a standalone, closed system with phones connected directly into it. Its simplicity was also its security. Of course, the problem with this model is that sharing applications was difficult; moves, adds and changes were expensive; and there was no integration with the data network. A VoIP system looks a lot like any other networked application. There's a call server, mail server and other applications running on commercially available hardware, with IP endpoints that communicate with them. These servers and endpoints communicate via an IP-over-Ethernet network connected with switches and routers.

Since a VoIP system parallels other IP applications, the threats to it are similar and require an understanding of how the VoIP components are impacted.

The network

Any endpoint with an IP address is susceptible to network hacks such as denial of service (DoS) attacks, which flood the network and adversely impact call quality. Many professionals agree (as do I) that DoS attacks are the single biggest threat to VoIP deployments. DoS attacks can also overload call servers, leading to delays in call setup.

One of the most over-hyped aspects of VoIP security is the VoIP-aware firewall. Since the majority of VoIP deployments today are internal and do not penetrate the firewall, a better security approach is to close the VoIP ports on your perimeter firewall. In the rare case where VoIP traffic does leave the corporate network, a VoIP-aware firewall should be considered.
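One way to check that the VoIP ports really are closed at the perimeter is to audit the inbound rule list with first-match semantics. This is an added example, not part of the original column: the rule format and sample rules are constructed, and the port numbers are the well-known default signaling ports for the protocols named in this column (the column itself lists none). RTP media ports are vendor-specific and are not covered.

```python
# Added example: audit a perimeter rule list for exposed VoIP signaling ports.
# The rule format and the sample rules are constructed for illustration.

# Well-known default signaling ports (assumption: defaults are in use).
VOIP_PORTS = {
    ("udp", 5060): "SIP",
    ("tcp", 5060): "SIP",
    ("tcp", 5061): "SIP over TLS",
    ("udp", 1719): "H.323 RAS",
    ("tcp", 1720): "H.323 call signaling",
    ("udp", 2427): "MGCP gateway",
    ("udp", 2727): "MGCP call agent",
    ("udp", 2944): "Megaco/H.248",
    ("tcp", 2944): "Megaco/H.248",
}


def first_match(rules, proto, port, default="drop"):
    """Return the action of the first inbound rule matching proto/port."""
    for action, rule_proto, low, high in rules:
        if rule_proto in (proto, "any") and low <= port <= high:
            return action
    return default


def exposed_voip_ports(rules, default="drop"):
    """List (proto, port, service) for signaling ports the perimeter accepts."""
    return sorted(
        (proto, port, name)
        for (proto, port), name in VOIP_PORTS.items()
        if first_match(rules, proto, port, default) == "accept"
    )


# Constructed inbound rule set, evaluated top to bottom (first match wins).
SAMPLE_RULES = [
    ("accept", "tcp", 443, 443),     # public web service
    ("drop", "udp", 5060, 5060),     # SIP over UDP explicitly closed
    ("accept", "tcp", 1024, 65535),  # overly broad high-port rule
    ("accept", "udp", 2000, 3000),   # leftover range that covers MGCP/Megaco
]

if __name__ == "__main__":
    for proto, port, name in exposed_voip_ports(SAMPLE_RULES):
        print(f"{proto}/{port} reachable from outside: {name}")
```

The sample shows why closing a single port is not enough: the explicit SIP/UDP drop works, but the broad accept ranges below it still leave the other signaling ports reachable.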

Operating systems

IP PBXs, media gateways and other related servers are built on standardized operating systems such as Windows or Linux, or on a proprietary one. Because of wide-scale deployments of Windows- or Linux-based operating systems, these operating systems have broader developer support and application integration possibilities. This does not, however, leave them open to more vulnerabilities. There's no right answer as to whether organizations should use a product based on Windows, Linux or something else. It's a matter of choice, but if a standards-based product is used, the proper security precautions should be taken.

The protocols

VoIP protocols such as SIP, H.323, MGCP and Megaco leave themselves open to call hacking threats such as spoofing, impersonation and eavesdropping. Poor implementation of these protocols leaves them susceptible to buffer overflows. These overflows can be used to control the mission-critical systems in the VoIP environment, such as media gateways and call servers.

IP PBX call servers, IP phones and softphones on PCs

Much of the hype around the servers and endpoints concerns things like toll fraud, spoofing and configuration hacks. While these are important and do need to be considered, a bigger, more basic problem is viruses. A VoIP endpoint or server that is infected by a virus can propagate it to other parts of the network, causing performance problems and potentially damaging data. Since the majority of VoIP deployments are internal, viruses are likely to be spread from other corporate computers. Organizations should follow best practices for protecting all corporate computing devices.

In addition to the items mentioned above, there are a number of other things network managers can do to protect the VoIP environments.

  • Implement VLANs to separate voice and data traffic. Many of the perceived VoIP threats stem from a hacker's ability to compromise the call. The use of VLANs can resolve the majority of VoIP concerns. It's important to note that VLANs only work with IP phones and will not work with softphones. Windows does not support VLAN tagging so the voice and data traffic are tagged with the same VLAN identifier.

  • Implement quality of service (QoS) to prioritize traffic in the voice VLAN. This will prevent malicious traffic from flooding the network and degrading the call quality. QoS should be implemented on the LAN and WAN.

Finally, don't take a hype-based approach to VoIP security. Too many vendors and much of the media create unnecessary fear, uncertainty and doubt (FUD) around VoIP. No network manager wants to deploy VoIP and have a security incident compromise the call quality, so FUD-based selling works well with VoIP. Information theft and unauthorized network access are much bigger concerns to corporations than eavesdropping, spam over IP telephony or unauthorized calls. Keep all the layers of your network protected with appropriate security measures and tools and you will protect yourselves against most of the issues that impact VoIP from a security perspective.

About the author: Zeus Kerravala manages Yankee Group's infrastructure research and consulting. His areas of expertise involve working with customers to solve their business issues through the deployment of infrastructure technology solutions, including switching, routing, network management, voice solutions and VPNs. Before joining Yankee Group, Kerravala was a senior engineer and technical project manager for Greenwich Technology Partners, a leading network infrastructure and engineering consulting firm. Prior to that, he was a vice president of IT for Ferris, Baker Watts, a mid-Atlantic based brokerage firm, acting as both a lead engineer and project manager deploying corporate-wide technical solutions to support the firm's business units. Kerravala's first task at FBW was to roll out a new frame relay infrastructure with connections to branch offices, service providers, vendors and the stock exchange. Kerravala was also an engineer and technical project manager for Alex. Brown & Sons, responsible for the technology related to the equity trading desks. Kerravala obtained a B.S. degree in physics and mathematics from the University of Victoria (Canada). He is also certified by Citrix and NetScout.

 
