VoIP/IP Telephony vendor security solutions

VoIP and IP telephony vendors have been improving their security offerings over the past three years. Before that time, there was little attention paid to security. The increased awareness of security testing of the IP PBX products on the market was apparent in the article "High-End IP-PBXs: VoIP Powerhouses," which was published in the January 2006 issue of Business Communications Review.The authors of this article conducted a series of security tests on different VoIP vendors' product offerings and concluded that there are vast differences in the security product offerings on the market. They also noticed that though security is improving, there is still a lot of work to be done. The highest score a vendor could achieve on the security test run by the BCR was a 10. The five vendors that they tested scored from 6 to 9, with an average score of 7.8; not a great showing for security protection.Security solutions fall into three categories:Encrypting the signaling transmission (SIP, H.323, SCCP)Encrypting the speech transmissionProtecting the endpoints (server, gateway, phone)Signalling encryptionSignalling encryption should be the first consideration on the list of security protection tools. Signalling includes call setup, call control, access to features and functions, and limitations for user privileges. Signalling encryption protects both the server and the endpoint. The vendor choices vary from full encryption to none at all. Some of the variations are:Not all the signalling functions are encryptedSoftphones may not be includedOnly registration is protectedNon-standard solutions are offeredSome IP phones need more memory to support encryptionNot all models of IP phones could be upgraded with encryptionA Right-To-Use (RTU) license is required for the encryption functionGateways may not support encryptionIt is very important that signalling encryption be included in any VoIP/IPT RFP. This function is one of the offerings that differs from one VoIP/IPT provider to the next.Media/speech encryptionSpeech encryption is also an option in VoIP/IPT products. There are two approaches: standardised, using Secure Real Time Protocol (SRTP), and proprietary solutions. Softphones and gateways may not be supported. The lack of encryption support may be specific to a particular protocol, such as having no encrypted support when SIP is used. Look for support of 128-bit Advanced Encryption System (AES). There is probably an RTU license for this software.Integrated firewallsFirewalls are usually external appliances. In VoIP/IPT, firewall software can be installed in softphones. But be careful -- PC firewalls may interfere with the voice quality by causing longer latency in the call. There is at least one vendor that has a software firewall that can be embedded in the gateway. In either case, there is a software charge for the firewall function.Endpoint authenticationSome of the vendors depend on the LAN switches to implement the IEEE standard 802.1x with an external RADIUS server for the authentication. MD5 authentication is supported by some vendors. Encrypted key exchange may be used during registration as well as an eight-digit password. Others use a variable-length password, up to 25 digits, during the initial registration.Attack mitigationAlthough it's not possible to stop all Denial of Service (DoS) attacks, you can do something in the way of preventative maintenance. These DoS attacks can take many forms. See the tip "Manipulating VoIP Security" for tools that can create DoS attacks. One of the techniques that can be implemented in the attacked endpoint is to ignore the DoS. DoS attacks are commonly repetitive operations. An endpoint can be programmed to discover the DoS and ignore the attacking packets. For example, repetitive INVITE (call setup) packets can be an attack. The endpoint can ignore 9 out 10 of the INVITE packets and report the attack to a management system. Check with your vendor to see which endpoints, if any, can support this DoS mitigation.Standard vs. proprietaryStandard solutions may be attractive, but sometimes the proprietary solution works better. This produces the problem of interoperability. Standard security solutions may work across multiple vendors' products, thereby opening the possibilities for competition in procurement. Proprietary solutions will limit the vendor choices. Also, proprietary solutions may be short-lived as the vendors' products progress to standardised solutions.About the author: Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks, as well as VoIP and IP convergent networks, in the U.S., Canada, Europe, Australia and Asia.