In a recent story published on the Yahoo business wire, you can read about recent testing performed on IP telephone systems by consulting company Mier Communications. You can even read about the entire set of tests performed at Network World (http://www.nwfusion.com/reviews/2004/0524voipsecurity.html?page=1) including coverage of IP-based phone systems from Avaya and Cisco. But what I found interesting about these stories addresses the question: "What constitutes real IP telephony or VoIP security testing nowadays?"
In fact, the major VoIP vendors apparently don't know the answer to this question either. Though Mier invited all of the top five vendors in the IP Telephony/VoIP space, only Cisco and Avaya agreed to participate in testing. To put the various systems through their paces, a four-person team of experts used hacker tools and attacks already documented or available on the Internet to try to break into them. To my way of thinking, this puts Mier's tests into the general category of penetration testing, with an outright emphasis on known vulnerabilities and exploits. This should provide a reasonable assessment of system security, but it's also important to recognize that this kind of approach—which essentially sticks to "tried and true" attacks, scanning techniques, and so forth—can't anticipate the kind of security breakthroughs or insights that truly gifted hackers can (and occasionally do) attain.
Attacks were also limited to end-user data ports (presumably on PCs or phones) or to an IP phone connection, on the presumption that IP phone system attacks are most likely to originate in a normal office or cubicle environment. Again, this seems like a reasonable approach given that most operations police office space and unused ports much less carefully than they control access to server racks, equipment rooms, and other facilities where infrastructure elements likely reside.
The objective of the Mier testing was to disrupt phone communications, using various scanning and footprinting techniques to learn as much as possible about IP telephony networks, and then to launch likely attacks against them. In consulting with half-a-dozen third-party security firms, the Mier team concluded that their battery of techniques and attacks "...were of moderate intensity."
Along the way, they also discovered which capabilities appeared to improve phone system security and reduce attack vulnerability, including:
- Firewalls with stateful inspection of VoIP call controls were able to fend off attempts to spoof control instructions, or other attempts to assert (unauthorized) call control.
- TCP handshake monitoring helped to make sure TCP connections were completed or quickly timed out, thereby avoiding SYN flood vulnerabilities (a common DoS/DDoS attack technique).
- Call control protocols that used encryption and TCP transports proved more secure and less vulnerable than those that used UDP and no encryption.
- Traffic policing and committed access rates also proved effective at fending off DoS/DDoS attacks.
- Phone systems that implemented port monitoring and DHCP snooping (to observe the addresses and activities of new systems as they enter the network) proved much less vulnerable to attack.
- Dynamic ARP inspection stopped ARP cache poisoning and ARP spoofing attacks as well.
- Sender authentication tools made identity checks more robust, and blocked impersonation attacks.
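The DHCP snooping and dynamic ARP inspection items above work as a pair: bindings learned from DHCP answers on untrusted ports become the reference against which ARP replies are checked, so a phone or PC can only assert the IP/MAC pair it was actually leased, on the port where it was leased. The following is an added example, not code from the article or from any vendor's switch, modelling that check in simplified form; the port names, addresses and ARP replies are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry: IP/MAC pair and the port it was learned on."""
    ip: str
    mac: str
    port: str

@dataclass(frozen=True)
class ArpReply:
    """ARP reply fields relevant to inspection (constructed, not captured)."""
    port: str        # ingress switch port
    sender_ip: str   # protocol address the sender claims
    sender_mac: str  # hardware address the sender claims

def snooping_table(dhcp_acks):
    """Build the binding table from (ip, mac, port) tuples seen in DHCP ACKs."""
    return {ip: Binding(ip, mac.lower(), port) for ip, mac, port in dhcp_acks}

def inspect_arp(table, reply, trusted_ports=frozenset()):
    """Dynamic ARP inspection: return (forward, reason) for one ARP reply."""
    if reply.port in trusted_ports:          # uplinks and servers are not checked
        return True, "trusted port"
    binding = table.get(reply.sender_ip)
    if binding is None:
        return False, "no DHCP binding for sender IP"
    if binding.mac != reply.sender_mac.lower():
        return False, "sender MAC does not match binding"
    if binding.port != reply.port:
        return False, "reply arrived on a port other than the binding's"
    return True, "matches DHCP binding"

def demo():
    """Constructed scenario: a phone and a PC on access ports, an uplink trusted."""
    table = snooping_table([
        ("10.0.0.10", "00:11:22:33:44:55", "Gi1/0/1"),   # IP phone
        ("10.0.0.20", "66:77:88:99:aa:bb", "Gi1/0/2"),   # desktop PC
    ])
    replies = [
        ArpReply("Gi1/0/1", "10.0.0.10", "00:11:22:33:44:55"),  # phone answering normally
        ArpReply("Gi1/0/2", "10.0.0.1", "66:77:88:99:aa:bb"),   # PC claiming the gateway IP
        ArpReply("Gi1/0/2", "10.0.0.10", "66:77:88:99:aa:bb"),  # PC claiming the phone's IP
        ArpReply("Gi1/0/24", "10.0.0.1", "cc:dd:ee:ff:00:11"),  # real gateway via trusted uplink
    ]
    return [inspect_arp(table, r, trusted_ports={"Gi1/0/24"}) for r in replies]
```

Only the first and last replies are forwarded; the two from the PC are dropped because the snooping table has no binding for the gateway address and binds the phone's address to a different MAC.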
In general, systems that took a more proactive stance toward monitoring network activity, applied address- or identity-based controls to manage device (and user) access, or provided outright security management features performed much better than those that did not. This points the way down the path IP phone system vendors must tread if they wish to provide reasonable IP telephone system security.
Ed Tittel is a regular contributor to numerous TechTarget Web sites, and the author of over 100 books on a wide range of computing subjects from markup languages to information security. He's also a contributing editor for Certification Magazine, and edits Que Publishing's Exam Cram 2 series of cert prep books. E-mail Ed at firstname.lastname@example.org.