Tip

Old security measures won't stop VoIP hackers

This year, many companies that have piloted Voice over Internet Protocol (VoIP) on internal networks are expected to extend IP telephony to customers, suppliers and the public.

"As businesses have pure IP voice connections going out, there will be many more security problems," said Matthias Machowinski, enterprise voice and data directing analyst at Campbell, Calif.-based Infonetics Research. He said he envisions such bad scenes as spam that makes IP phones ring constantly, e-mail viruses shutting down VoIP systems entirely, and spoofs inundating the displays of IP phones.

IP-based voice networks require new security strategies and pose cultural issues not faced when protecting data networks.

Until now, VoIP has largely been implemented inside organizations on internal networks protected by IP security policies and tools, safe inside virtual private networks (VPNs).


"The trouble is that those traditional perimeter security measures won't be able to protect external VoIP networks very well," said Andrew Graydon, security requirements committee chair of the VoIP Security Alliance and chief technology officer at BorderWare Technologies Inc., an Irving, Texas-based IT security vendor. "Yes, they protect the data network layer, a part of VoIP, but they can't handle VoIP's real-time IP traffic."

IT, phone home

Traditional data network security and monitoring practices won't gain user acceptance, either. "We expect our enterprise systems to monitor and block e-mail, but we expect everyone to be able to call us on the telephone," Graydon said.

People accept that e-mails, files or packets may be delayed a few seconds by security scans. With phone calls, people won't tolerate delays, said Steve Mank, chief operating officer at Qovia Inc., a Frederick, Md., VoIP management systems vendor.

Users will also rebel against VoIP if downtime occurs. "We have different expectations for e-mail versus phones," Machowinski said. "We understand that the Internet may go out sometimes, or our e-mail server may not be accessible. Our phones, we expect to work all the time."

The challenge for administrators is to deliver security models for VoIP that don't interfere with the ways people use phones. "Otherwise, they won't use it," Graydon said.

Peeling the VoIP security onion

A first line of defense for IP voice networks is a Session Initiation Protocol (SIP)-enabled firewall working in conjunction with existing firewalls. "A SIP perimeter device can provide full application-layer security with authentication and protection against transport and protocol attacks," Graydon said.

More defenses are needed to protect other layers of the VoIP stack, which include physical devices, applications and session/transport technologies. Here's Mank's list of each layer's vulnerabilities and protection needs:

Physical devices: This layer includes phones, servers and gateways, which are vulnerable to spoofing and rogue device attacks. Protective measures include asset tracking, which is needed to make sure all phones are accounted for and unauthorized phones aren't added, and controlling physical access to phones.

"Be sure you can discriminate between valid and rogue phones," Mank said. "Make sure that all your voice traffic is on a separate VLAN from your data traffic. Make sure there is nothing but phones on the endpoints."
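The asset-tracking check described above can be run as a reconciliation between the phone inventory and what the switches actually see. The sketch below is an added example, not part of the original tip: the voice VLAN id, the port names and the MAC addresses (taken from the documentation range) are constructed, and the observation rows are assumed to come from an export of switch MAC tables. A MAC match shows only that an address is on the list, since addresses can be cloned.

```python
import re

VOICE_VLAN = 110  # assumed voice VLAN id for this example


def norm_mac(mac):
    """Normalise aa:bb:.., aa-bb-.. and aabb.ccdd.eeff forms to 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def audit(inventory, observed, voice_vlan=VOICE_VLAN):
    """Compare issued phones with (mac, vlan, port) rows seen on the network."""
    known = {norm_mac(m) for m in inventory}
    seen = set()
    findings = {"rogue_on_voice_vlan": [], "phone_off_voice_vlan": []}
    for mac, vlan, port in observed:
        mac = norm_mac(mac)
        if mac in known:
            seen.add(mac)
            if vlan != voice_vlan:
                # Issued phone, but its traffic is not on the voice VLAN.
                findings["phone_off_voice_vlan"].append((mac, vlan, port))
        elif vlan == voice_vlan:
            # Something that is not an issued phone sits on the voice VLAN.
            findings["rogue_on_voice_vlan"].append((mac, vlan, port))
    # Issued phones that no switch reports: not accounted for.
    findings["phone_not_seen"] = sorted(known - seen)
    return findings


# Constructed sample data.
INVENTORY = ["00:00:5E:00:53:01", "00-00-5e-00-53-02", "0000.5e00.5303"]
OBSERVED = [
    ("0000.5e00.5301", 110, "Gi1/0/1"),  # issued phone, voice VLAN
    ("0000.5e00.5302", 20, "Gi1/0/2"),   # issued phone, data VLAN
    ("0000.5e00.53aa", 110, "Gi1/0/7"),  # unknown device, voice VLAN
    ("0000.5e00.53bb", 20, "Gi1/0/8"),   # unknown device, data VLAN (out of scope)
]

if __name__ == "__main__":
    for kind, rows in audit(INVENTORY, OBSERVED).items():
        print(kind, rows)
```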

Application semantics: The application semantics layer handles registration, call management, conferencing, voice mail, user identity, contacts list and more. Threats at the application layer include spam, viruses, hijacking, eavesdropping, toll fraud, application-specific denial of service and spoofing, and identity theft.

This is a tricky layer to protect, because so many different applications are involved. Generally speaking, an obvious indicator of trouble is increased call volume.

"Voice traffic patterns become very predictable over time," Mank said. "If you spot a sudden anomalous spike in traffic, it's a good bet that someone is doing something you don't want them to."

Other protective measures for the application semantics layer include tracking gateway usage and active call testing, checking for odd entry activity or changes in system availability and performance.
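The traffic-spike check Mank describes can be built on call detail records: compare each hour's call count with the same weekday-and-hour slot in earlier weeks. The code below is an added example, not from the original tip or any vendor's product; the sample call times are constructed, and the thresholds (`k`, `floor`, `min_history`) are assumptions to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def hourly_counts(call_starts):
    """Bucket call start times into per-hour counts."""
    counts = defaultdict(int)
    for ts in call_starts:
        counts[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def find_spikes(counts, first_hour, last_hour, min_history=3, k=4.0, floor=5):
    """Return (hour, calls, baseline) for hours far above their usual volume."""
    history = defaultdict(list)  # (weekday, hour of day) -> earlier counts
    alerts = []
    hour = first_hour
    while hour <= last_hour:
        n = counts.get(hour, 0)  # hours with no calls still count as 0
        past = history[(hour.weekday(), hour.hour)]
        flagged = False
        if len(past) >= min_history:
            base = median(past)
            mad = median([abs(x - base) for x in past])
            # floor keeps near-silent slots from alerting on a handful of calls
            if n > base + k * max(mad, 1.0) + floor:
                alerts.append((hour, n, base))
                flagged = True
        if not flagged:
            past.append(n)  # a flagged hour must not raise the baseline
        hour += timedelta(hours=1)
    return alerts


def constructed_calls():
    """Constructed sample: 5 weeks, busy office hours, quiet nights, one burst."""
    first = datetime(2006, 6, 5)  # a Monday
    calls = []
    for i in range(5 * 7 * 24):
        hour = first + timedelta(hours=i)
        busy = hour.weekday() < 5 and 9 <= hour.hour < 17
        n = 20 + i % 5 if busy else i % 2
        if i == 4 * 7 * 24 + 24 + 3:  # week 5, Tuesday 03:00
            n = 60
        calls += [hour + timedelta(seconds=40 * j) for j in range(n)]
    return calls


if __name__ == "__main__":
    counts = hourly_counts(constructed_calls())
    print(find_spikes(counts, datetime(2006, 6, 5), datetime(2006, 7, 9, 23)))
```

The busy daytime hours never alert even though they carry far more calls than the flagged hour's baseline, because each slot is judged only against its own history.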

Session and transport: This layer of VoIP includes protocols such as SIP, CCP (Cisco Discovery Protocol), Media Gateway Control Protocol, Real-time Transport Protocol, Signalling Connection Control Part, AVVID XML Layer, Secure Real-time Transport Protocol (SRTP), and Transport Layer Security (TLS).

These protocols are vulnerable to protocol-specific denial-of-service and spoofing attacks. Security can be addressed through the use of emerging standards such as SRTP, which encrypts endpoint-to-endpoint access spots; TLS, which encrypts call manager to call manager; and Secure Sockets Layer, which encrypts communications between call managers and gateways.

In general, Mank believes that most firewall-based security solutions impose a variable latency on traffic when scanning for content patterns. This can have a significant impact on your call quality.

Plan well, or pay later

With voice, as with data networks, security is only as good as your plan and policies. Build the VoIP policies on the foundation of the strong security policies you've created for the existing data network.

"With comprehensive and enforced security policies in place, VoIP systems can be deployed with the same peace of mind as e-mail," Graydon said.

Maxine Kincora is a technology writer in Berkeley, Calif. She can be reached at mckincora@msn.com.

This tip originally appeared on SearchCIO.com.


This was first published in July 2006
