
Securing VoIP networks with interoperable firewalls

The emergence of Voice over IP (VoIP) as an affordable alternative to traditional telephony has ushered in a new wave of network security considerations. Jonathan Zar, secretary to the VoIP Security Alliance and senior director at SonicWALL Inc., outlines the key issues.

The European Union is at the forefront of VoIP adoption. If we look at how new E1 line deployments in Europe are being set up, we see that fewer and fewer are being configured for time-division multiplexing (TDM) while more and more are being configured for IP. The ratios of IP to TDM are predicted to rise from 3:5 to parity within two years.

This is largely because organizations adopting voice, video and multimedia over IP stand to reap huge benefits in productivity and cost savings. The dark cloud on the horizon is that, without precautions, these very technologies put the whole corporate infrastructure at risk. To a large extent, global industry has embraced the need for data network security, but we are only on the threshold of understanding the potential problems of the unprotected VoIP network -- such as the phone mailbox jammed with unsolicited special offers, unauthorized eavesdropping or losing voice communications because your network has run out of bandwidth.

VoIP security concerns apply beyond VoIP-enabled organizations. Corporate officers, especially those with an eye to compliance or in highly data-sensitive areas such as finance, are increasingly placing a premium on doing business with organizations who can demonstrate that both their data and VoIP communications are unlikely to propagate digital threats. Some of the most critical issues to consider when moving from a traditional telephone service to a VoIP network are quality of service (QoS), denial of service (DoS) attacks and endpoint security.

Without a firewall, companies have no network security and the endpoints, which need a public IP address in order to function, become accessible to anyone. Alternative solutions such as traversal technology, which allows VoIP traffic to bypass the firewall, or session border controllers, have inherent limitations. Most networks already have a firewall protecting the LAN as well as connecting remote sites and users through secure VPN technology, so the firewall is the most popular choice when adding facilities for VoIP security. However, there are reasons why some firewalls are not so VoIP-compliant.

First, the firewall must understand the VoIP protocols it wants to protect. A small group of vendors provides virus scanning, intrusion prevention and other security services on VoIP traffic. The VoIP-enabled firewall is gaining popularity among IT managers because of its effectiveness, simplicity, and low cost.

For any successful VoIP implementation, three key factors must be considered: security, network interoperability and protocol support, and vendor interoperability.

VoIP encompasses a large number of complex standards that leave the door open to bugs in the software implementation. With the standard public switched telephone network (PSTN), phones are just dumb terminals -- all the logic and intelligence resides centrally in the private branch exchange (PBX) and there is not a lot an attacker can do to disrupt access to a PSTN network. With VoIP, the same bugs and exploits that hamper every operating system and application available today can also hit VoIP equipment.

Without proper safeguards, VoIP calls are also vulnerable; an attacker can intercept a VoIP call and modify its parameters/addresses. This opens up the call to spoofing, identity theft, call redirection and other attacks. Even without modifying VoIP packets, attackers can eavesdrop on conversations carried over a VoIP network. With a PSTN connection, intercepting conversations requires physical access to phone lines or access to the PBX.

PSTN availability has reached 99.999% -- attackers need physical access to telephone exchanges or have to cut the phone lines to have any impact. A simple DoS attack aimed at key points of an unprotected VoIP network can disrupt -- or worse, cripple -- voice and data communications.
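The signaling flood described above is the kind of DoS a VoIP-aware firewall can recognise before it exhausts a PBX or SIP proxy. The following is an added example, not code from the article or from any vendor it names: a sliding-window counter over constructed firewall SIP event records (timestamp, source address, SIP method) that reports any source exceeding an assumed limit of 20 INVITEs in 10 seconds. The threshold, window and sample addresses are assumptions chosen for illustration.

```python
"""
INVITE-flood detection over SIP event records (added example, constructed data).

Each event is (unix_time, source_ip, sip_method). A source is flagged the first
time it exceeds MAX_INVITES_PER_WINDOW INVITEs within WINDOW_SECONDS.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10          # assumed sliding-window length
MAX_INVITES_PER_WINDOW = 20  # assumed per-source call-setup budget per window


def constructed_events():
    """Sample records standing in for a firewall's SIP event log (constructed)."""
    events = []
    # Three ordinary phones, one call set-up each over the period.
    for i, ip in enumerate(["10.1.20.15", "10.1.20.16", "10.1.20.17"]):
        events.append((1000 + i * 3, ip, "INVITE"))
        events.append((1000 + i * 3 + 1, ip, "ACK"))
    # One host sending 60 INVITEs in six seconds: the flood to be detected.
    for k in range(60):
        events.append((1002 + k / 10, "10.1.20.200", "INVITE"))
    return sorted(events)


class InviteFloodDetector:
    """Per-source sliding-window count of INVITE requests."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_INVITES_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._recent = defaultdict(deque)  # source_ip -> timestamps of recent INVITEs
        self.flagged = {}                  # source_ip -> time the limit was first exceeded

    def observe(self, ts, src, method):
        """Feed one event; return True if the source is (now) flagged."""
        if method != "INVITE":
            return src in self.flagged
        window = self._recent[src]
        window.append(ts)
        # Drop INVITEs older than the window so the count is a true sliding window.
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) > self.limit and src not in self.flagged:
            self.flagged[src] = ts
        return src in self.flagged


def find_flooding_sources(events, window=WINDOW_SECONDS, limit=MAX_INVITES_PER_WINDOW):
    """Run the detector over a sorted event list; return {source_ip: first_flag_time}."""
    detector = InviteFloodDetector(window, limit)
    for ts, src, method in events:
        detector.observe(ts, src, method)
    return detector.flagged


if __name__ == "__main__":
    for src, when in find_flooding_sources(constructed_events()).items():
        print(f"rate-limit candidate: {src} exceeded INVITE budget at t={when}")
```

In a firewall this verdict would feed a rate limiter or a temporary block on the source rather than a print; the ordinary phones never approach the limit, so legitimate call set-up is unaffected.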

There is also the problem of interoperability and protocol support when integrating VoIP into an existing network security infrastructure. Because of the complexities of VoIP signalling and protocols, it is difficult for VoIP to traverse many types of firewalls. Firewalls need to process the signalling protocol suites that consist of the different message formats used by different VoIP systems. Just because two vendors use the same protocol suite does not mean they interoperate.
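Why a firewall must understand the signalling protocol, and how that understanding also catches the tampered call parameters mentioned earlier, is easiest to see on a concrete message. The following is an added example, not code from the article or from any vendor it names: a minimal SIP-aware check that parses a constructed INVITE, reads the SDP offer to learn which RTP/RTCP ports the call will actually use, and opens only those, while refusing an offer whose media address points outside the inside network or differs from the host that sent the signalling. The inside network `10.1.20.0/24`, the phone addresses and the SIP identities are assumptions chosen for illustration; `make_invite` builds the sample message rather than reading a capture.

```python
"""
SIP/SDP-aware pinhole decision (added example, constructed data).

A plain stateful firewall sees only UDP/5060; it cannot know which RTP port a
call negotiates. Parsing the SDP offer inside the INVITE lets the firewall open
exactly the negotiated port pair, and lets it compare the media address the
offer names with the host that actually sent the signalling.
"""
import ipaddress
import re
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.1.20.0/24")  # assumed inside LAN


def make_invite(sdp_conn_addr: str, rtp_port: int, via_host: str = "10.1.20.15") -> str:
    """Build a constructed SIP INVITE carrying an SDP offer (sample data, not a capture)."""
    body = (
        "v=0\r\n"
        f"o=alice 2890844526 2890844526 IN IP4 {via_host}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {sdp_conn_addr}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0 8\r\n"
    )
    return (
        "INVITE sip:bob@example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {via_host}:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:alice@example.com>;tag=1928301774\r\n"
        "To: <sip:bob@example.net>\r\n"
        f"Call-ID: a84b4c76e66710@{via_host}\r\n"
        "CSeq: 314159 INVITE\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )


@dataclass(frozen=True)
class MediaOffer:
    conn_addr: str   # SDP c= connection address where media should be sent
    audio_port: int  # port from the first m=audio line (RTP); RTCP defaults to port+1


def parse_sip_message(raw: str):
    """Split a SIP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp(body: str) -> MediaOffer:
    """Extract the connection address and audio port from an SDP offer."""
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    media = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    if not conn or not media:
        raise ValueError("SDP offer lacks a c= or m=audio line")
    return MediaOffer(conn.group(1), int(media.group(1)))


def via_host(headers) -> str:
    """Host named in the top Via header, i.e. where the signalling claims to come from."""
    match = re.match(r"SIP/2\.0/\w+\s+([\w.\-]+)", headers.get("via", ""))
    return match.group(1) if match else ""


def plan_pinhole(raw: str, packet_src: str):
    """Decide (verdict, detail) for one INVITE seen from packet_src on the inside interface."""
    request_line, headers, body = parse_sip_message(raw)
    if not request_line.startswith("INVITE "):
        return "ignore", "not an INVITE"
    if headers.get("content-type") != "application/sdp":
        return "ignore", "no SDP offer to inspect"
    if via_host(headers) != packet_src:
        return "drop", f"Via host {via_host(headers)} does not match packet source {packet_src}"
    offer = parse_sdp(body)
    if ipaddress.ip_address(offer.conn_addr) not in INSIDE_NET:
        return "drop", f"media address {offer.conn_addr} is outside the inside network"
    if offer.conn_addr != packet_src:
        return "drop", f"media address {offer.conn_addr} differs from packet source {packet_src}"
    if not 1024 <= offer.audio_port <= 65534:
        return "drop", f"implausible RTP port {offer.audio_port}"
    rtcp_port = offer.audio_port + 1  # RFC 3550 default pairing when SDP gives no a=rtcp
    return "allow", f"udp {offer.conn_addr}:{offer.audio_port} (RTP), {offer.conn_addr}:{rtcp_port} (RTCP)"


if __name__ == "__main__":
    print(plan_pinhole(make_invite("10.1.20.15", 49170), "10.1.20.15"))
    print(plan_pinhole(make_invite("203.0.113.9", 49170), "10.1.20.15"))
```

The first call is allowed and the firewall opens only UDP 49170/49171 towards the phone; the second, whose offer would steer the media stream to an address outside the site, is dropped. Real deployments complicate this with NAT and with SDP features such as `a=rtcp`, which is why the article stresses that the firewall vendor must track each VoIP system's message formats.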

The last element in a secure VoIP infrastructure is ensuring that the firewall will interoperate with all of the VoIP devices used in the infrastructure. A partial list of devices includes IP phones, videophones, videoconferencing equipment, Session Initiation Protocol (SIP) proxies and H.323 gatekeepers. It is largely up to the security appliance vendors to ensure they interoperate with VoIP infrastructure devices.

However, VoIP is a market where, until recently, you could buy interoperability without security or buy security without interoperability. Clearly this is not an acceptable choice and it's one of the driving factors behind the rapid growth of the VoIP Security Alliance (VOIPSA). VOIPSA is a worldwide organization founded to help create global standards for VoIP technology, bringing together a worldwide network of global carriers, equipment providers, software and service companies, academics and policy experts, all working to ensure that the adoption of VoIP does not draw a train of network vulnerabilities and digital threats in its wake.

For executives managing a distributed operation -- and that can be in any vertical, for example: retail, wholesale, manufacturing, government or simply branch offices -- it makes sense to consider IP for voice and video as the best means of linking their sites, as long as these elements are factored into the planning stages. These need to be secured with firewalls at headquarters and branch, linked with either virtual private network (VPN) or Secure Sockets Layer (SSL) tunnels, while the tunnels themselves must be capable of remote management to ensure quality of service. The wins are cost savings, convenience and the ability to integrate new voice and data features on an ongoing basis.

For a VoIP installation in a large facility, chief technology officers (CTO) are looking to isolate traffic internally by department or function, so that sensitive data, including voice traffic, moves as isolated streams. In a hospital or a hotel, for example, they really want to make sure that administrative, financial, operations and guest data are all isolated from each other, and in some cases, from room to room, as well as being secured from external network threats. Executives are looking for ease of management in administering and securing the voice network, or virtual LAN (VLAN), along with the flexibility to isolate, filter and manage the content that flows within their networks.

EU research data indicates that executives as a group like to make purchases quickly once a need has been identified and funding allocated. The goal of VoIPSA is to take the guesswork out of decisions.

SonicWALL is exhibiting at Infosecurity Europe 2006 which is Europe's number one Information Security Event. Now in its eleventh year, Infosecurity Europe continues to provide an unrivalled education program, new products and services, with over 300 exhibitors and 10,000 visitors from every segment of the industry. Held on April 25 – 27, 2006 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in Information Security.
