
Preventing 802.11 phones from being spoofed

Apr 07, 2004 | 2 min read
Cellular Networks, Network Security, VoIP

* Aruba takes on VoIP security vulnerability

Last time, I pointed out that the wireless LAN industry – standards groups and vendors alike – have been working to pave the way for high-quality, secure VoIP calls to run on 802.11 networks. Doing so involves many factors.

In the last newsletter, I discussed recent efforts to reduce latency as users roam to accommodate voice’s persnickety low-delay requirements. This time, I’ll discuss one vendor’s attempt to secure networks against wireless VoIP phones being spoofed.

Most 802.11 telephony devices are not yet Wi-Fi Protected Access (WPA)-certified. Rather, most run the older Wired Equivalent Privacy (WEP) security protocol. WEP does not include user authentication or dynamic encryption keys, which is why it was deemed unfit for enterprise-class 802.11 networks and replaced with WPA.

So, as WEP devices, wireless VoIP handsets can be considered the “weak link” in the WLAN security infrastructure. The issue isn’t so much protecting the sanctity of phone conversations as it is guarding against the potential for a data device to masquerade as a VoIP phone and become a network security hole.

For its part, Aruba Wireless Networks has added a stateful firewall to its WLAN switch AirOS management software. The software can inspect a packet header (and follow an application flow across dynamic Layer 4 ports) to verify that traffic being generated from a given device is indeed a voice flow. This prevents a data device from spoofing a VoIP handset and potentially injecting harmful packets into a network, says Keerti Melkote, Aruba’s vice president of product marketing.

The same approach applies in the case of a softphone – a telephony application running on a PC that renders the PC both a data device and a phone. The stateful flow classification capability looks in the IP header and determines whether a packet’s payload is voice or data.

In addition to security, this has quality-of-service (QoS) benefits, in that softphone traffic can be prioritized across the network ahead of data traffic generated by the same device. Generally, it’s the device itself – the handset – that automatically marks packets for high priority by virtue of the fact that it is a physical phone. In the case of a PC that is acting both as a data and voice device, though, another capability is required to distinguish between the two flow types.
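The three paragraphs above describe one mechanism: watch the call signalling, learn the dynamic Layer 4 ports it negotiates, and accept traffic as voice only when it matches those ports, so a handset identity sending anything else is blocked while a softphone PC's non-voice traffic is merely demoted to best effort. The toy classifier below is an added example, not Aruba's AirOS code, and it assumes SIP with SDP bodies as the signalling protocol (the article names none); every address, port, packet and SIP message in it is constructed for the example.

```python
"""Toy stateful voice-flow classifier: learn media endpoints from signalling,
then treat only UDP between negotiated endpoints as voice.  Signalling is
assumed to be SIP/SDP; all packets and addresses below are constructed."""
import re
from dataclasses import dataclass, field

SIP_PORT = 5060   # signalling port assumed for the example
DSCP_EF = 46      # Expedited Forwarding, the usual DSCP marking for voice media
DSCP_BE = 0       # best effort for everything else


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "udp" or "tcp"
    src_port: int
    dst_port: int
    payload: bytes = b""


@dataclass
class VoiceFlowClassifier:
    handsets: set                 # physical phones: may only carry voice
    softphones: set               # PCs: voice gets priority, data is still allowed
    media: set = field(default_factory=set)   # (ip, port) endpoints learned from SDP

    def _learn_sdp(self, payload: bytes) -> None:
        """Record the media endpoint (c= address, m=audio port) from an SDP body."""
        text = payload.decode("ascii", "replace")
        conn = re.search(r"^c=IN IP4 (\S+)\s*$", text, re.M)
        audio = re.search(r"^m=audio (\d+) RTP/AVP", text, re.M)
        if conn and audio:
            self.media.add((conn.group(1), int(audio.group(1))))

    @staticmethod
    def _looks_like_rtp(payload: bytes) -> bool:
        # RTP fixed header is 12 bytes and its version field (top 2 bits) is 2
        return len(payload) >= 12 and (payload[0] & 0xC0) == 0x80

    def _is_phone(self, ip: str) -> bool:
        return ip in self.handsets or ip in self.softphones

    def classify(self, pkt: Packet):
        """Return (verdict, dscp); verdict is 'signalling', 'voice', 'data' or 'drop'."""
        # 1. Signalling involving a phone: inspect it to learn the media ports.
        if SIP_PORT in (pkt.src_port, pkt.dst_port) and (
                self._is_phone(pkt.src_ip) or self._is_phone(pkt.dst_ip)):
            self._learn_sdp(pkt.payload)
            return "signalling", DSCP_EF
        # 2. Media: UDP between two endpoints signalling actually negotiated,
        #    carrying something shaped like RTP.
        if (pkt.proto == "udp"
                and (pkt.src_ip, pkt.src_port) in self.media
                and (pkt.dst_ip, pkt.dst_port) in self.media
                and self._looks_like_rtp(pkt.payload)):
            return "voice", DSCP_EF
        # 3. Anything else claiming a handset identity is not voice: block it.
        if pkt.src_ip in self.handsets:
            return "drop", DSCP_BE
        # 4. Softphone PCs and ordinary hosts may send data, at best effort.
        return "data", DSCP_BE


def demo():
    """Constructed call: handset 10.0.0.10 invites, call server 10.0.0.1 answers."""
    clf = VoiceFlowClassifier(handsets={"10.0.0.10"}, softphones={"10.0.0.50"})
    invite = (b"INVITE sip:2001@pbx.example SIP/2.0\r\nContent-Type: application/sdp\r\n\r\n"
              b"v=0\r\nc=IN IP4 10.0.0.10\r\nm=audio 16384 RTP/AVP 0\r\n")
    ok = (b"SIP/2.0 200 OK\r\nContent-Type: application/sdp\r\n\r\n"
          b"v=0\r\nc=IN IP4 10.0.0.1\r\nm=audio 20000 RTP/AVP 0\r\n")
    rtp = bytes([0x80, 0x00, 0x00, 0x01]) + bytes(8) + bytes(20)   # minimal RTP frame
    return [
        clf.classify(Packet("10.0.0.10", "10.0.0.1", "udp", 5060, 5060, invite)),
        clf.classify(Packet("10.0.0.1", "10.0.0.10", "udp", 5060, 5060, ok)),
        clf.classify(Packet("10.0.0.10", "10.0.0.1", "udp", 16384, 20000, rtp)),        # voice
        clf.classify(Packet("10.0.0.10", "10.0.0.99", "tcp", 40000, 80, b"GET / HTTP/1.0")),  # handset sending web traffic
        clf.classify(Packet("10.0.0.50", "10.0.0.99", "tcp", 40001, 80, b"GET / HTTP/1.0")),  # softphone PC browsing
        clf.classify(Packet("10.0.0.10", "10.0.0.1", "udp", 16384, 20000, b"notrtp")),  # right ports, wrong payload
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the state is the second and sixth packets: a flow is voice only because signalling from a device in a phone role opened those exact ports and the payload has an RTP header, not because it is UDP or happens to use a high port. The residual weakness is that the classifier trusts the source address on the signalling itself, which is exactly what WEP cannot vouch for; the inspection reduces what a spoofed handset identity can push through, but 802.1X/WPA authentication where the handsets support it is what closes the gap.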