This content is part of the Essential Guide: The VoIP basics every enterprise should know

Layered security approach can thwart VoIP attacks

A strategically placed firewall within your network infrastructure can help mitigate VoIP attacks. But encryption and proxy services add enhanced security.

Companies have long used firewall appliances to protect and isolate their networks from internal and external security...

threats. And ever since Voice over IP (VoIP) emerged on the global market, security vendors have expanded their products and services to meet its demands.

While attacks are more sophisticated in exploiting any weakness in a VoIP system, firewalls have progressed and become smarter in defending against VoIP attacks. Most firewalls on the market understand VoIP protocols, such as Session Initiation Protocol (SIP), and monitor control packets between endpoints and SIP servers.

In many cases, firewalls are strategically placed in the network so no external hosts have direct access to the VoIP call control systems, SIP proxy or other critical VoIP components. The firewall continuously monitors all traffic to and from the IP telephony data center.

All SIP/VoIP requests run through the firewall. With the help of an intrusion detection system (IDS) or intrusion prevention system (IPS), the firewall examines application-level information -- including SIP invite and SIP disconnect commands -- and instantly blocks any suspicious traffic that is not conforming to the organization's security policies.

The network diagram below depicts a firewall strategically placed within an organization's network infrastructure, allowing it to monitor all connections and sessions to the "inside zone" (IP telephony data center), "DMZ zone" and "outside zone."

Firewall strategically placed within an organization's network infrastructure to help mitigate VoIP attacks

Even though firewalls are used to secure VoIP services, security is not just about placing a firewall with an IDS/IPS and configuring it to catch and mitigate all VoIP attacks to your infrastructure.

VoIP security: A layered security approach

VoIP security can be approached using various methods; however, security experts would agree that the layered security approach is the proper way to secure a VoIP infrastructure, simply because the services offered originate from the IP telephony data center and pass on to the access layer where hosts (IP phones) and users connect.

In addition, VoIP services usually extend to remote sites and mobile clients via the Internet -- also used for free or low-cost overseas calling via SIP providers.

Deploying a single solution that is cost-effective and easy to deploy and administer is no longer a valid approach to VoIP security.

With the layered approach, you'd build security layer upon layer starting from the user-facing access ports (Layer 2), which is where workstations and IP phones connect, and then move toward the data center core where the IP telephony services run (Layer 3 and above).

Layer 2 and Layer 3 (IP/routing) security is extremely important within any organization's network infrastructure, since several VoIP attacks can be used against the infrastructure to expose the VoIP telephony service, allowing attackers access to all VoIP resources and components. Some common Layer 2 and Layer 3 attacks are: VLAN hopping, STP manipulation, DHCP server spoofing, MAC address spoofing, IP address spoofing and ARP poisoning/spoofing.

While the IP telephony endpoints connect directly to the access layer of the network infrastructure, the main VoIP components and services -- the IP PBX and telephony applications like messaging, presence and contact centers -- usually connect at the core layer. This setup can vary depending on network size and design.

Firewalls with built-in IDS/IPS capabilities are usually deployed right before the core layer, so they can examine and intercept all traffic to the core. When services are extended to the Internet, things become slightly more complicated, as encryption is required. This is where next-generation firewalls shine by providing Transport Layer Security (TLS) and/or IP phone proxy services.

VoIP firewalls and TLS proxy

TLS is an encryption method to encrypt SIP signaling payload. When sending or receiving SIP requests from a public network such as the Internet, it's mandatory that all traffic is encrypted. Once a call is set up, SRTP is used to deliver the encrypted audio and video over the IP network.

With TLS proxy services, TLS connections are terminated by both ends on the firewall. The SIP signaling is decrypted, carefully inspected, and then encrypted again for the connection to the destination. TLS proxies are very popular lately, as they perform true inspection of all SIP signaling while maintaining the signaling encryption between both ends:

Firewall with TLS proxy enabled

VoIP firewalls and IP phone proxy

IP phone proxy is used mainly when standalone IP phones are required to connect back to the headquarters and have access to the organization's VoIP services. In this case, the firewall and remote endpoint device (IP phone at home) are configured to encrypt SIP signaling via TLS and voice/data stream via SRTP. The encryption terminates on the firewall appliance, but communication from that point to the internal network (internal phones or IP PBX) is unencrypted. Another way to think of the IP phone proxy service is a half-TLS proxy service as encryption exists only between the firewall appliance and remote node.

Firewall with IP phone proxy

If your organization is lucky enough to have a VoIP telephony infrastructure but does not own the necessary hardware/firewall to adequately protect its VoIP investment, now would be a great time to start looking at the market's offerings.

Next Steps

VoIP security fundamentals tutorial

VoIP turns up the heat on firewalls

VoIP vulnerabilities: Why firewall protection is not enough

Dig Deeper on VoIP QoS and Performance