
VoIP/IP Telephony vendor security solutions

VoIP and IP Telephony system vendors have been improving their security offerings, but are they good enough for your VoIP implementation? Learn about the various security solutions you can implement in your VoIP network to help protect you against attacks and security issues with this tip from Gary Audin.

Protecting VoIP/IPT operation

VoIP and IP telephony vendors have been improving their security offerings over the past three years. Before that time, there was little attention paid to security. The increased awareness of security testing of the IP PBX products on the market was apparent in the article "High-End IP-PBXs: VoIP Powerhouses," which was published in the January 2006 issue of Business Communications Review.

The authors of this article conducted a series of security tests on different VoIP vendors' product offerings and concluded that there are vast differences in the security product offerings on the market. They also noticed that though security is improving, there is still a lot of work to be done. The highest score a vendor could achieve on the security test run by the BCR was a 10. The five vendors that they tested scored from 6 to 9, with an average score of 7.8; not a great showing for security protection.

Security solutions fall into three categories:

  • Encrypting the signaling transmission (SIP, H.323, SCCP)
  • Encrypting the speech transmission
  • Protecting the endpoints (server, gateway, phone)

Signaling encryption

Signaling encryption should be the first consideration on the list of security protection tools. Signaling includes call setup, call control, access to features and functions, and limitations for user privileges. Signaling encryption protects both the server and the endpoint. The vendor choices vary from full encryption to none at all. Some of the variations are:

  • Not all the signaling functions are encrypted
  • Softphones may not be included
  • Only registration is protected
  • Non-standard solutions are offered
  • Some IP phones need more memory to support encryption
  • Not all models of IP phones could be upgraded with encryption
  • A Right-To-Use (RTU) license is required for the encryption function
  • Gateways may not support encryption

It is very important that signaling encryption be included in any VoIP/IPT RFP. This function is one of the offerings that differs from one VoIP/IPT provider to the next.


Media/speech encryption

Speech encryption is also an option in VoIP/IPT products. There are two approaches: standardized, using the Secure Real-time Transport Protocol (SRTP), and proprietary solutions. Softphones and gateways may not be supported. The lack of encryption support may be specific to a particular protocol, such as having no encrypted support when SIP is used. Look for support of 128-bit Advanced Encryption Standard (AES). There is probably an RTU license for this software.
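The two encryption checks above (signaling over TLS, and SRTP with 128-bit AES for the speech path) can both be read off a single SIP INVITE. The following audit script is an added example, not code from the article or from any vendor: it inspects the transport named in the topmost Via header and the SDP media profile and a=crypto line (RFC 4568), and flags a call whose signaling or media would travel unencrypted. The two INVITE messages, addresses and key material are constructed for the example.

```python
"""Audit a SIP INVITE for signaling and media encryption.

Added example, not code from the original article or any vendor: it checks
the transport named in the topmost Via header (TLS = encrypted signaling)
and the SDP body for the secure RTP profile (RTP/SAVP) carrying an AES-128
SRTP crypto suite in an RFC 4568 a=crypto line. Messages are constructed.
"""
import re

# SRTP suites from RFC 4568 that use 128-bit AES in counter mode.
SRTP_AES128_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}


def parse_sip(message: str):
    """Split a SIP request into (request line, header dict, body)."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def audit_invite(message: str) -> dict:
    """Report whether signaling and media are encrypted, with a list of issues."""
    _, headers, body = parse_sip(message)
    findings = {"signaling_encrypted": False, "media_encrypted": False, "issues": []}

    # Signaling: the topmost Via records the transport this hop received it on.
    via = headers.get("via", [""])[0]
    match = re.match(r"SIP/2\.0/(\w+)", via)
    transport = match.group(1).upper() if match else "UNKNOWN"
    findings["transport"] = transport
    if transport == "TLS":
        findings["signaling_encrypted"] = True
    else:
        findings["issues"].append(f"signaling carried over {transport}, not TLS")

    # Media: every m= line names an RTP profile; RTP/SAVP means SRTP is offered,
    # and the a=crypto line says which cipher suite and carries the key material.
    media = re.findall(r"^m=(\w+) \d+ (\S+)", body, re.M)
    suites = set(re.findall(r"^a=crypto:\d+ (\S+) inline:", body, re.M))
    findings["crypto_suites"] = sorted(suites)
    for kind, profile in media:
        if profile != "RTP/SAVP":
            findings["issues"].append(f"{kind} media offered as {profile} (plain RTP)")
    if media and all(profile == "RTP/SAVP" for _, profile in media):
        if suites & SRTP_AES128_SUITES:
            findings["media_encrypted"] = True
        else:
            findings["issues"].append("RTP/SAVP offered without an AES-128 SRTP suite")
    return findings


def _invite(transport: str, profile: str, crypto_line=None) -> str:
    """Build a constructed INVITE (example values only, not captured traffic)."""
    sdp = [
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        f"m=audio 49170 {profile} 0 8",
    ]
    if crypto_line:
        sdp.append(crypto_line)
    port = 5061 if transport == "TLS" else 5060
    return "\r\n".join([
        "INVITE sip:bob@example.test SIP/2.0",
        f"Via: SIP/2.0/{transport} phone.example.test:{port};branch=z9hG4bK776",
        "From: <sip:alice@example.test>;tag=1928",
        "To: <sip:bob@example.test>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        "",
        *sdp,
        "",
    ])


# Constructed key material after "inline:" (placeholder base64, not a real key).
SECURE_INVITE = _invite("TLS", "RTP/SAVP",
                        "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Y29uc3RydWN0ZWQtZXhhbXBsZS1rZXktc2FsdA==")
PLAIN_INVITE = _invite("UDP", "RTP/AVP")

if __name__ == "__main__":
    for name, msg in (("secure", SECURE_INVITE), ("plain", PLAIN_INVITE)):
        print(name, audit_invite(msg))
```

Run against a capture of your own PBX's INVITEs, the script answers the procurement questions in the text directly: a phone whose Via says UDP has no signaling encryption regardless of what the datasheet claims, and an RTP/AVP media line means the speech path is plain RTP even when the signaling is over TLS.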

Integrated firewalls

Firewalls are usually external appliances. In VoIP/IPT, firewall software can be installed in softphones. But be careful -- PC firewalls may interfere with the voice quality by causing longer latency in the call. There is at least one vendor that has a software firewall that can be embedded in the gateway. In either case, there is a software charge for the firewall function.

Endpoint authentication

Some of the vendors depend on the LAN switches to implement the IEEE standard 802.1x with an external RADIUS server for the authentication. MD5 authentication is supported by some vendors. Encrypted key exchange may be used during registration as well as an eight-digit password. Others use a variable-length password, up to 25 digits, during the initial registration.
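The MD5 authentication mentioned above is, for SIP phones, the digest challenge-response of RFC 3261 (inherited from HTTP digest, RFC 2617). The following added example, which is not the article's or any vendor's code, shows both halves of a REGISTER exchange: the registrar issues a single-use nonce, the phone answers with the MD5 digest so that the password itself never crosses the network, and the registrar verifies the answer against a stored HA1 hash in constant time and refuses a replayed Authorization. The class and function names (Registrar, phone_register) and the credentials are constructed for the example.

```python
"""SIP digest (MD5) registration, phone and registrar sides.

Added example, not the article's or any vendor's code: the registrar issues a
one-time nonce, the phone answers with the RFC 3261 digest response, and the
registrar verifies it against a stored HA1 hash in constant time. Names such
as Registrar and phone_register are hypothetical; credentials are constructed.
"""
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); this is all the registrar needs to store."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """RFC 3261/2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Registrar:
    """Minimal registrar: provisions HA1 hashes and checks REGISTER challenges."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_store = {}       # username -> HA1, no plaintext passwords at rest
        self.live_nonces = set()  # nonces issued and not yet consumed

    def provision(self, username: str, password: str) -> None:
        self.ha1_store[username] = compute_ha1(username, self.realm, password)

    def challenge(self) -> dict:
        """401 Unauthorized: fresh random nonce, single use."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, username, method, uri, nonce, nc, cnonce, qop, response) -> bool:
        """Authorization header check; False on unknown user, stale nonce or bad digest."""
        if nonce not in self.live_nonces:
            return False                      # replayed or never issued
        stored = self.ha1_store.get(username)
        if stored is None:
            return False
        expected = digest_response(stored, method, uri, nonce, nc, cnonce, qop)
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.live_nonces.discard(nonce)   # consume it so the same header is rejected later
        return ok


def phone_register(registrar: Registrar, username: str, password: str):
    """Phone side: take the challenge, answer it, return (accepted, params sent)."""
    chal = registrar.challenge()
    uri = f"sip:{registrar.realm}"
    params = {
        "username": username, "method": "REGISTER", "uri": uri,
        "nonce": chal["nonce"], "nc": "00000001",
        "cnonce": secrets.token_hex(8), "qop": chal["qop"],
    }
    ha1 = compute_ha1(username, chal["realm"], password)  # password never leaves the phone
    params["response"] = digest_response(ha1, params["method"], uri, params["nonce"],
                                         params["nc"], params["cnonce"], params["qop"])
    return registrar.verify(**params), params


if __name__ == "__main__":
    pbx = Registrar("pbx.example.test")
    pbx.provision("1001", "constructed-example-secret")
    ok, sent = phone_register(pbx, "1001", "constructed-example-secret")
    print("registration accepted:", ok)
    print("same Authorization presented again:", pbx.verify(**sent))
```

Two design points matter for a deployment: the registrar keeps only HA1, so a compromised configuration database does not yield phone passwords directly, and nonces are consumed on first use, so a recorded REGISTER cannot be presented again. Digest authentication does not hide the exchange itself, which is why the article places signaling encryption ahead of it: the 802.1x/RADIUS and digest mechanisms protect who may register, and TLS protects the registration traffic on the wire.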

Attack mitigation

Although it's not possible to stop all Denial of Service (DoS) attacks, you can do something in the way of preventative maintenance. These DoS attacks can take many forms. See the tip "Manipulating VoIP Security" for tools that can create DoS attacks. One of the techniques that can be implemented in the attacked endpoint is to ignore the DoS. DoS attacks are commonly repetitive operations. An endpoint can be programmed to discover the DoS and ignore the attacking packets. For example, repetitive INVITE (call setup) packets can be an attack. The endpoint can ignore 9 out of 10 of the INVITE packets and report the attack to a management system. Check with your vendor to see which endpoints, if any, can support this DoS mitigation.
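The endpoint behaviour described above (detect a repetitive INVITE stream, ignore 9 out of 10 of the packets, report the attack to a management system) is straightforward to express as a per-source rate check. The script below is an added example, not the article's or any vendor's code, and runs over a constructed signaling log: a normal caller placing three calls and one source sending 30 INVITEs inside 600 ms. The one-second window, the threshold of five INVITEs, the "admit one in ten" sampling and the addresses are all constructed values for the example.

```python
"""Ignore repetitive INVITEs above a per-source rate and report the flood.

Added example, not code from the article or any vendor: a sliding-window
counter per source address; above the threshold the endpoint admits one
INVITE in ten, ignores the rest and raises one report per source for the
management system. Log lines, thresholds and addresses are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=1)
THRESHOLD = 5       # INVITEs per window from one source before it is treated as a flood
PASS_EVERY = 10     # while flooding, admit 1 in PASS_EVERY and ignore the other 9


class InviteGuard:
    def __init__(self):
        self.recent = defaultdict(deque)    # source -> timestamps inside the window
        self.suppressed = defaultdict(int)  # source -> INVITEs seen above threshold
        self.reports = []                   # what would be sent to the management system

    def handle(self, ts: datetime, src: str) -> str:
        """Return 'accept', 'accept-sampled' or 'ignore' for one INVITE."""
        window = self.recent[src]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) <= THRESHOLD:
            return "accept"
        self.suppressed[src] += 1
        if self.suppressed[src] == 1:       # report once per source, not once per packet
            self.reports.append(
                f"{src}: more than {THRESHOLD} INVITEs/s, ignoring "
                f"{PASS_EVERY - 1} of every {PASS_EVERY}")
        return "accept-sampled" if self.suppressed[src] % PASS_EVERY == 0 else "ignore"


def parse_line(line: str):
    """'<ISO timestamp> INVITE <source> <request-uri>' -> (timestamp, source) or None."""
    ts, method, src, _uri = line.split()
    if method != "INVITE":
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"), src


def summarize(log_text: str) -> dict:
    """Run the guard over a log and count decisions and reports."""
    guard = InviteGuard()
    counts = defaultdict(int)
    for line in log_text.strip().splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[guard.handle(*parsed)] += 1
    counts["reports"] = len(guard.reports)
    return dict(counts)


def _stamp(ms: int) -> str:
    return f"2024-05-01T10:00:00.{ms:03d}"


# Constructed log: a normal caller placing three calls, and one source sending
# 30 INVITEs inside 600 ms.
SAMPLE_LOG = "\n".join(
    [f"{_stamp(ms)} INVITE 192.0.2.20 sip:1001@pbx.example.test" for ms in (0, 350, 800)]
    + [f"{_stamp(i * 20)} INVITE 203.0.113.5 sip:1001@pbx.example.test" for i in range(30)]
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample log the normal caller's three INVITEs and the flood's first five are accepted, then two of the remaining 25 are admitted as samples and 23 are ignored, with a single report raised. Admitting one in ten rather than dropping everything keeps a genuine burst of calls from a busy gateway reachable while the management system decides whether the source should be blocked upstream.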

Standard vs. proprietary

Standard solutions may be attractive, but sometimes the proprietary solution works better. This produces the problem of interoperability. Standard security solutions may work across multiple vendors' products, thereby opening the possibilities for competition in procurement. Proprietary solutions will limit the vendor choices. Also, proprietary solutions may be short-lived as the vendors' products progress to standardized solutions.

About the author:

Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks, as well as VoIP and IP convergent networks, in the U.S., Canada, Europe, Australia and Asia.
