
How to think about VoIP security

Voice over IP (VoIP) brings converged networks security challenges that never existed for the data network or traditional telephony. In the first tip of his VoIP security series, industry expert Gary Audin provides an overview of these IP telephony threats, the added costs of securing VoIP, and how your organization can keep VoIP secure.


Security requires constant vigilance. The security job is never finished. Security is all about the protection of resources -- data, devices, networks, applications and people. While access to these resources is the goal of the user, securing access to these resources means the administrator of the resources wants to limit, even prevent, that access. These two goals are at odds: The most secure environment is one that prevents any access, which is contrary to the business needs of an enterprise.

Enterprises already have many security problems with their data network infrastructure, servers, desktops and software. Adding voice over IP (VoIP) and IP telephony (IPT) to the mix only compounds the security problems. VoIP and IPT will have all of the security problems that the data organization has, plus new threats and vulnerabilities.

What's new about VoIP security?

There are several security issues with VoIP networks:

  1. The VoIP/IPT devices, servers, gateways and phones share the data network and inherit the data network's security problems.
  2. There will be data attacks on voice devices such as Denial of Service and malware.
  3. It is easier to eavesdrop on IP calls than on TDM calls.
  4. The centralized TDM PBX is gone. The VoIP/IPT resources are scattered around a network.
  5. The operating systems of the VoIP/IPT devices are less secure than the TDM operating systems of the past.
  6. Systems (PBX) administration can be located at multiple locations and can be accessed by Web browsers.

VoIP security vs. voice quality

It may not be apparent, but security tools and solutions will conflict with voice quality. The more barriers there are in the network and endpoints for security purposes, the more interference there will be with voice quality.

One of the first issues is the firewall. The firewall can block calls because it cannot process the signaling or dynamically allocate the UDP ports for the calls to pass through it. Firewalls may not read the QoS markers in the voice packet, thereby degrading the packet delivery service. Other issues include:

  1. Voice packets that pass through security devices can pick up added delay, jitter and packet loss during the call.
  2. Intrusion prevention systems perform considerably more processing than a firewall and have been proven to cause voice quality degradation.
  3. Encryption and decryption add delay to the calls.
  4. VPN connections encrypt the QoS markers. The routers consequently cannot deliver the needed QoS for the voice packets.
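
The firewall problem described above arises because SIP negotiates its media ports inside the signaling: the UDP ports for a call appear only in the SDP body of the INVITE and its answer. The following sketch is an added example, not part of the original article; the function name media_pinholes and the sample INVITE are constructed for illustration. It shows the parsing a SIP-aware firewall has to perform to open only the ports a call actually needs.

```python
# Constructed sample INVITE (not from the article); RFC 5737 documentation addresses.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def media_pinholes(sip_message):
    """Return the (ip, udp_port, purpose) pinholes the SDP body asks for."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        return []  # no SDP body, so no media ports to open
    session_ip, streams = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            ip = line.split()[-1].split("/")[0]  # drop multicast TTL suffix
            if streams:
                streams[-1]["ip"] = ip  # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):
            parts = line[2:].split()
            if len(parts) < 3 or not parts[1].split("/")[0].isdigit():
                continue  # malformed media line: open nothing for it
            streams.append({"kind": parts[0], "proto": parts[2], "ip": None,
                            "port": int(parts[1].split("/")[0])})
    pinholes = []
    for s in streams:
        ip = s["ip"] or session_ip
        if s["port"] == 0 or ip is None or "RTP/" not in s["proto"]:
            continue  # port 0 means the stream is disabled or rejected
        pinholes.append((ip, s["port"], s["kind"] + " RTP"))
        # Assumption: RTCP uses the next port up, the usual convention when
        # the SDP carries no explicit a=rtcp attribute.
        pinholes.append((ip, s["port"] + 1, s["kind"] + " RTCP"))
    return pinholes


if __name__ == "__main__":
    for ip, port, purpose in media_pinholes(SAMPLE_INVITE):
        print(f"allow udp {ip}:{port}  # {purpose}")
```

A firewall that cannot do this has to either leave a wide static UDP range open or block the media, which is the trade-off the list above describes.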

The security vs. voice quality conflict will be hard to resolve. The voice manager, obviously, does not want poor-quality calls. If the calls are poor, then why have calls travel over the data network in the first place? The security manager does not want to open the network and endpoints to security exposures that will not only compromise the voice services but weaken the data functions as well. This will require a great deal of negotiation and compromise. Security is important, but not at the cost of an unacceptable voice service.

Finding vulnerabilities

There are two sites that demonstrate the software security threats to the data functions. These lists now include VoIP/IPT vulnerabilities. Both lists are funded by the federal Homeland Security Administration. The first is hosted at Mitre. This site has a dictionary of standardized names and descriptions for Common Vulnerabilities and Exposures (CVE). The second site hosts the National Vulnerability Database at the federal National Institute of Standards and Technology (NIST). The NIST site has about 21 additional security vulnerabilities listed every day. I searched on both sites in early February 2007 and found the number of VoIP/IPT vulnerabilities listed in the following table.

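| Vulnerabilities          | Number listed at Mitre site | Number listed at NIST site |
|--------------------------|-----------------------------|----------------------------|
| Total for all categories | 22,016                      | 22,230                     |
| IP Telephony             | 347                         | 3                          |
| VoIP                     | 38                          | 39                         |
| SIP                      | 27                          | 59                         |
| H.323                    | 9                           | 14                         |
| SCCP                     | 2                           | 2                          |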

The two sites overlap but do not have exactly the same lists. The published vulnerabilities have patches available from the vendors. The sites are not as up-to-date as individual vendors' lists, so check with your vendor as well as these two sites. The NIST site also evaluates the severity of the security problem. A severity rating of 1 is the lowest and 10 is the highest. Most of the vulnerabilities are rated between 3 and 8. I strongly recommend accessing these sites in order to learn of the types of vulnerabilities that are occurring in VoIP/IPT.

Cost to the enterprise

Tangible and measurable monetary costs -- which can accrue to an enterprise when security problems occur -- will include the following:

  1. Staff labor and materials required to detect, repair and contain the damage to attacked resources. There is also a cost to preventing the security problem from recurring.
  2. Worker productivity losses while the system(s) and/or network are down. Imagine the loss of the telephone network to an enterprise.
  3. Lost business resulting from the unavailability of needed resources, such as the telephone, to sales personnel or customers who want to place an order. Consider a lost call center operation.
  4. Public relations costs to address questions from the press and public.
  5. The costs involved in collecting legal evidence and prosecuting an attacker.
  6. Legal costs incurred as a result of lawsuits, as when 911 or E911 does not work during an emergency.
  7. Fines and penalties incurred if the attack violates requirements such as state E911, OSHA and hospital regulations.
  8. Increased insurance premiums.

Case studies published in the article "The Cost of Network Downtime" show that one hour of downtime can cost an enterprise up to $96,632. What if the network and voice service need to be shut down for one hour to resolve a security problem? Costs that are hard to calculate include the loss of future business caused by bad publicity about the security breach, as well as the loss of market share to competitors.

VoIP security: Where do you start?

Assume an attack will occur and probably be successful. You will always have a limited budget, so you will have to prioritize the allocation of the budget. Start looking at the core components: storage, applications, servers and network. Locate the most valuable and sensitive resources. Evaluate the security risks to these resources. You need to protect these resources first. Work outward to less valuable, less sensitive resources. The suggested order of protection is the call server first, then the trunk gateway, next the media gateway, then the softphones, and finally the IP phones.

The discussion of security issues for VoIP/IPT will continue in several more tips. These tips will cover:

  • Data security problems faced by VoIP/IPT implementations
  • Security problems unique to VoIP/IPT
  • Tools for assessing the vulnerabilities
  • Countermeasures that can be implemented to improve VoIP/IPT security
  • Resources for the voice and security managers

About the author:
Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks, as well as VoIP and IP convergent networks, in the U.S., Canada, Europe, Australia and Asia.
