The security personnel who oversee and manage network and data systems and software have a never-ending job. In large enterprises, the network and endpoint/server security are divided into two separate groups. These groups have to work together but have different responsibilities.
In either case, the new responsibilities for VoIP security will require education, possibly some organizational adjustment, and expanded job descriptions. There may even be battles with existing security personnel who do not want to deal with the new VoIP security issues. For example, the firewall personnel may not want to change the firewall settings to accommodate VoIP calls. The person in charge of the DHCP may see VoIP phones and devices as a disruption and disallow VoIP devices from using DHCP to obtain an IP address. Both of these problems have already occurred.
What data security threats exist in VoIP/IPT?
Most of the people working with Ethernet and IP networks today were not around when these technologies debuted. No security was integrated into the Ethernet design. Ethernet endpoints were to be responsible for security, not the Ethernet network. The creation of TCP, UDP and IP protocols also left security to the endpoints. Security problems such as viruses were considered a novelty in 1988 and were not given serious consideration. We do not want to make the same mistake with VoIP security.
IPT vendors have been moving to common operating systems (Linux, UNIX and VxWorks), as well as continuing to use Windows. All of these operating systems will be attacked, whether they support data or voice applications. The threats to the operating systems for VoIP will be the same as those encountered for data function support.
The following data threats are not yet as prevalent for VoIP as they are in data networks, but they will become more common in the future.
- Viruses and worms (in call servers, gateways and phones)
- Trojan horses
- Port scanning (for signaling and RTP speech ports)
- Malicious executable software (even in the IP phone)
- Spoofing source identity (pretending to be the call server)
- Spyware (in IP phones)
- Password/identity cracking
- Denial of Service (both traditional DoS and new types for VoIP/IPT)
These data threats will only increase with time as more people learn about VoIP and more products are installed. IP telephony systems use the data DHCP, DNS, TFTP and NTP servers. If these servers are not well protected (they are vulnerable in many enterprises), the IPT system is also vulnerable to security threats. Verify the security of these servers with the appropriate staff before you allow the IPT system, gateways and IP phones to access them.
A good set of security resources can be found at the National Institute of Standards and Technology. Look for the following publications:
- SP 800-100, Information Security Handbook: A Guide for Managers SP 800-12, An Introduction to Computer Security: The NIST Handbook (look for the latest version)
- Draft Special Publication 800-94, Guide to Intrusion Detection and Prevention (IDP) Systems
- Draft Special Publication 800-80, Guide for Developing Performance Metrics for Information Security
Voice or data: Who should manage what?
The IPT call server is not quite the same as the data server. Data servers normally correspond with a desktop and deliver the information or service to the desktop. The call server exists for signaling, but once the call is set up, voice traffic bypasses the call server and is no longer in a signaling dialog with the IP phone. Call server security is concerned with PBX administration, call control, performance, call admission control, management, features and functions assignment, and restriction.
The security of the call server should be assigned to the same group that manages the data server security. DoS, tampering and malicious code, which are problems for the data server, will be problems for the call server as well. There will be more attempts to access the call server to modify privileges and restrictions assigned to the IP phones and gateways. An intruder may attempt to register rogue phones.
If there are firewalls in front of the data servers, there should be a firewall in front of the call server. Check with the call server vendor to determine whether third-party security software can be resident in its call server product. Some call server vendors will optionally supply their own security software but will not allow third-party security software to be resident. Resident third-party security software may impair call server performance.
IP phones with two Ethernet ports can be used to invade the data network by connecting a laptop to the second Ethernet port on the phone. Someone could disconnect an IP phone with a single Ethernet port and plug in a laptop that simulates an IP phone in order to gain unauthorized access to the data network.
Voice security may be initialized by the call server, but the voice connection security operation is the responsibility of the endpoints: phones and gateways. The endpoints can be attacked without interfering with the call server. The call server can be fooled into thinking that the endpoint security is satisfactory. The IP phones should be considered as a desktop endpoint and managed as a desktop with some unique problems. They can be attacked like any other IP device.
The gateway presents a new set of problems because it connects to legacy analog and digital phones, faxes and other analog devices, as well as PSTN trunks. Some IPT vendors offer security software in the gateway, such as an integrated firewall. The security of legacy connections has issues that will be new to the data security personnel. These issues will be covered in the next tip.
The IP side of the gateway should be managed like any other data device by the same personnel who handle the endpoints -- most likely the desktop security personnel. The desktop security personnel may be reluctant to accept this responsibility because the gateway is so different from the typical desktop.
Although the data network, server and desktop security problems will also occur in VoIP devices, the voice staff may have holes left in the VoIP security picture. The existing security personnel see disruptions caused by deploying VoIP as weakening their security controls. New policies, and probably new hardware and software, will be necessary to fully protect the IPT environment from existing data security threats.
About the author:
Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks, as well as VoIP and IP convergent networks, in the U.S., Canada, Europe, Australia and Asia.
This was first published in March 2007