Security requires constant vigilance. The security job is never finished. Security is all about the protection of resources -- data, devices, networks, applications and people. While access to these resources is the goal of the user, securing access to these resources means the administrator of the resources wants to limit, even prevent, that access. These two goals are at odds: The most secure environment is one that prevents any access, which is contrary to the business needs of an enterprise.
What's new about VoIP security?
There are several security issues with VoIP networks:
- The VoIP/IPT devices, servers, gateways and phones share the data network and inherit the data network's security problems.
- There will be data attacks on voice devices such as Denial of Service and malware.
- It is easier to eavesdrop on IP calls than on TDM calls.
- The centralized TDM PBX is gone. The VoIP/IPT resources are scattered around a network.
- The operating systems of the VoIP/IPT devices are less secure than the TDM operating systems of the past.
- Systems (PBX) administration can be located at multiple locations and can be accessed by Web browsers.
VoIP security vs. voice quality
It may not be apparent, but security tools and solutions will conflict with voice quality. The more barriers there are in the network and endpoints for security purposes, the more interference there will be with voice quality.
One of the first issues is the firewall. The firewall can block calls because it cannot process the signaling or dynamically allocate the UDP ports for the calls to pass through it. Firewalls may not read the QoS markers in the voice packet, thereby degrading the packet delivery service. Other issues include:
- Voice packets, when they pass through security devices, can cause added delay, jitter and packet loss during the call.
- Intrusion prevention systems perform considerably more processing than a firewall and have been proven to cause voice quality degradation.
- Encryption and decryption add delay to the calls.
- VPN connections encrypt the QoS markers. The routers consequently cannot deliver the needed QoS for the voice packets.
The security vs. voice quality conflict will be hard to resolve. The voice manager, obviously, does not want poor-quality calls. If the calls are poor, then why have calls travel over the data network in the first place? The security manager does not want to open the network and endpoints to security exposures that will not only compromise the voice services but weaken the data functions as well. This will require a great deal of negotiation and compromise. Security is important, but not at the cost of an unacceptable voice service.
There are two sites that demonstrate the software security threats to the data functions. These lists now include VoIP/IPT vulnerabilities. Both lists are funded by the federal Homeland Security Administration. The first is hosted at Mitre. This site has a dictionary of standardized names and descriptions for Common Vulnerabilities and Exposures (CVE). The second site hosts the National Vulnerability Database at the federal National Institute of Standards and Technology (NIST). The NIST site has about 21 additional security vulnerabilities listed every day. I searched on both sites in early February 2007 and found the number of VoIP/IPT vulnerabilities listed in the following table.
|Vulnerabilities||Number listed at
|Number listed at
|Total for all categories||22,016||22,230|
The two sites overlap but do not have exactly the same lists. The published vulnerabilities have patches available from the vendors. The sites are not as up-to-date as individual vendors' lists, so check with your vendor as well as these two sites. The NIST site also evaluates the severity of the security problem. A severity rating of 1 is the lowest and 10 is the highest. Most of the vulnerabilities are rated between 3 and 8. I strongly recommend accessing these sites in order to learn of the types of vulnerabilities that are occurring in VoIP/IPT.
Cost to the enterprise
Tangible and measurable monetary costs -- which can accrue to an enterprise when security problems occur -- will include the following:
- Staff labor and materials required to detect, repair and contain the damage to attacked resources. There is also a cost to preventing the security problem from recurring.
- Worker productivity losses while the system(s) and/or network are down. Imagine the loss of the telephone network to an enterprise.
- Lost business resulting from the unavailability of needed resources, such as the telephone, to sales personnel or customers who want to place an order. Consider a lost call center operation.
- Public relations costs to address questions from the press and public.
- The costs involved in collecting legal evidence and prosecuting an attacker.
- Legal costs incurred as a result of lawsuits, as when 911 or E911 does not work during an emergency.
- Fines and penalties incurred if the attack violates requirements such as state E911, OSHA and hospital regulations.
- Increased insurance premiums.
Case studies published in the article The Cost of Network Downtime show that one hour of downtime can cost an enterprise up to $96,632. What if the network and voice service need to be shut down for one hour to resolve a security problem? Costs that are hard to calculate include loss of the future business caused by bad publicity about the security breach, as well as the loss of market share to competitors.
VoIP security: Where do you start?
Assume an attack will occur and probably be successful. You will always have a limited budget, so you will have to prioritize the allocation of the budget. Start looking at the core components: storage, applications, servers and network. Locate the most valuable and sensitive resources. Evaluate the security risks to these resources. You need to protect these resources first. Work outward to less valuable, less sensitive resources. The suggested order of protection is the call server first, then the trunk gateway, next the media gateway, then the softphones, and finally the IP phones.
The discussion of security issues for VoIP/IPT will continue in several more tips. These tips will cover:
- Data security problems faced by VoIP/IPT implementations
- Security problems unique to VoIP/IPT
- Tools for assessing the vulnerabilities
- Countermeasures that can be implemented to improve VoIP/IPT security
- Resources for the voice and security managers
About the author:
Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks, as well as VoIP and IP convergent networks, in the U.S., Canada, Europe, Australia and Asia.
This was first published in March 2007