
Network World

Mitchell Ashley

VoIP Security Lessons Microsoft OCS Can Learn From Vonage and Others

By Mitchell Ashley on Mon, 12/03/07 - 3:03am.

While VoIP is all the rage, VoIP security is often underplayed and frequently goes unaddressed. Not by telecom industry expert Ike Elliott. A longtime colleague and friend of mine, Ike led the creation of the first "soft switch" back in the late 1990s, a software-based phone switch running on a Sun server. What Ike pioneered, we today commonly think of as VoIP in products like Microsoft's Office Communication Server, the Asterisk open source VoIP server and many others.

Ike blogs about communications technologies and the industry on his Telecosm blog. He recently started a series on VoIP security, beginning with his post "Common VoIP Security Problem - Spoof Attacks", where Ike shows how a commonly used VoIP phone adapter from Vonage and others are susceptible to spoofed incoming calls. Included in the post is some valuable information about methods of securing your VoIP system from such attacks. Here's a portion of Ike's post about this type of VoIP spoof attack.

One of the more common spoof attacks in VoIP results from unauthenticated messages. What can happen in a lot of VoIP implementations is that any computer on the Internet can send a message to your VoIP client and your VoIP client doesn't know that it is a message from a scammer or spammer.

Here's an example: Your Vonage VT 2142-VD phone adapter (from Motorola) receives a SIP INVITE message (trying to start a phone call with you) from a spam source. This particular phone adapter doesn't authenticate incoming messages, so it responds to the SIP INVITE and sets up a call with the spam source. Your Vonage phone rings and in a few seconds you are listening to a recording of someone trying to sell you Viagra. Kind of circumvents the "do not call list", doesn't it?

How do you fix this kind of problem? We have a three-layer toolbox for fighting spoof attacks:

  1. Application layer: message authentication using SIP Digest.
  2. Transport layer: authenticating a session so you only accept messages from known senders, using Transport Layer Security (TLS).
  3. Network layer: encrypting messages using an IPSec mechanism.

Let's start with application layer message authentication. SIP provides an HTTP digest authentication mechanism that allows any message to be challenged. This means that the client could ask the sender to authenticate the message it just received, and the sender is required to re-send the message with credentials that the receiver can check to see if the message is legit. In our example, the Vonage client could challenge every SIP INVITE and could avoid spam calls, assuming the credential mechanism used is hard to hack.

Next: transport layer mechanisms. Transport Layer Security allows the Vonage client to authenticate the session it sets up with its SIP proxy server at the time the session is set up. This should be a bi-directional authentication, so that both the proxy server and the client are authenticated. In our example, the Vonage client could then trust any message it receives on the authenticated TCP/IP session with the Proxy Server. (Note, SIP can use either UDP/IP or TCP/IP).

Network Layer Security using IPSec extends the IP packet header to allow encryption of any higher layer protocol. You can secure all communication with a VoIP client by requiring that all traffic with that VoIP client be encrypted using an IPSec mechanism. In our example, if the Vonage client received an unencrypted SIP INVITE, it would discard it.

While you can use any of these three mechanisms in combination, that is kind of like having a belt and two sets of suspenders. Of the three, the TLS-based mechanism is my preference. It is more efficient than SIP Digest (not requiring the message overhead of challenges and responses on every message), and simpler than IPSec (not so many crypto keys and security associations to manage), and it gets the job done.
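The application-layer option from the excerpt, as an added example that is not part of Ike's post or of any vendor's code: a receiver that answers an unauthenticated SIP INVITE with a 401 digest challenge and accepts the call only when the re-sent request carries a valid response. The realm, user name, secret and function names are constructed for illustration, and the digest uses the basic RFC 2617 form without `qop`.

```python
import hashlib, hmac, re, secrets, time

REALM = "voip.example.test"                  # constructed realm
USERS = {"proxy1": "constructed-secret"}     # constructed shared credential
NONCE_KEY = secrets.token_bytes(32)          # per-process key that signs nonces
NONCE_TTL = 30                               # seconds a challenge stays valid

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def _mac(ts):
    return hmac.new(NONCE_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]

def new_nonce(now=None):
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts)}"                # timestamp bound to the server key

def nonce_ok(nonce, now=None):
    ts, _, mac = nonce.partition(".")
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False                         # not a nonce this receiver issued
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= NONCE_TTL             # stale challenges cannot be replayed

def digest_response(user, password, method, uri, nonce):
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")      # RFC 2617 form without qop

def authorization_header(user, password, method, uri, nonce):
    resp = digest_response(user, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def handle_request(method, uri, authorization=None, now=None):
    """Return (status, headers): 401 with a fresh challenge, or 200."""
    challenge = (401, {"WWW-Authenticate":
                       f'Digest realm="{REALM}", nonce="{new_nonce(now)}", algorithm=MD5'})
    if not authorization or not authorization.startswith("Digest "):
        return challenge                     # unauthenticated INVITE: do not ring
    p = dict(re.findall(r'(\w+)="([^"]*)"', authorization))
    password = USERS.get(p.get("username", ""))
    if (password is None or p.get("realm") != REALM or p.get("uri") != uri
            or not nonce_ok(p.get("nonce", ""), now)):
        return challenge
    expected = digest_response(p["username"], password, method, uri, p["nonce"])
    if hmac.compare_digest(expected.encode(), p.get("response", "").encode()):
        return (200, {})
    return challenge
```

Because the nonce is a signed timestamp, the receiver keeps no per-challenge state and still rejects forged or expired nonces.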

I've asked Ike to write up a few guest posts that I'll put here in my blog, and I'll keep you posted as Ike writes more about VoIP security. So stay tuned for more VoIP security information, and please have a look at Ike's Telecosm blog for more about the communications industry and technologies.


Office Communications Server security

Great post by Ike and I completely agree with his sentiments. The technology exists today to protect VoIP against a wide range of attacks and commercial voice vendors should be proactive in adopting these protective measures. At Microsoft, we certainly feel this way having earned our lumps a few times in the area of security. For OCS, we adopt all of Ike's recommendations and a few more. We use Kerberos for authenticating clients, TLS for securing all of our signaling, and SRTP for encryption of all voice and video traffic. We also leverage Active Directory for an additional layer of spoofing protection by verifying the SIP URIs of our users. At the edge of the network, we've built a locked down server role to control media and signaling that goes in and out of the corporate firewall... something that previously required an SBC to secure.

About Converging on Microsoft
Mitchell Ashley is principal consultant at Converging Network LLC where he provides product, technology and social media consulting to emerging technology companies. A successful CTO and product innovator, Mitchell has created many successful, award winning products in the networking, security, convergence, Internet and IT industries. In addition to blogging for NetworkWorld, Mitchell regularly blogs at TheConvergingNetwork and co-hosts the widely popular StillSecure After All These Years podcast.