VoIP Security Lockdown
But as VoIP deployments continue their meteoric rise both in residential and business, VoIP security is going to become much more critical.
Here's a good primer on VoIP security that came out in the latest issue of Internet Telephony Magazine that you should go check out:
Internet Telephony Feature Article: How Secure Is VoIP?
p.s. If you don't subscribe to Internet Telephony Magazine, you should. It's free (in print form) in the U.S. And if you are international, TMC recently launched a digital PDF version that you can download. It contains all the same graphics, charts, and architecture diagrams as the print magazine. It even includes the advertisements if you are so inclined to check those out. Actually the ads are pretty important. I learn about a lot of new VoIP companies that often launch their product within Internet Telephony Magazine, since it is the first VoIP magazine (launched in 1996). Seeing ads is also a gauge of the company's financial strength and well-being before you 'plop' down cash on a company that may not be around in a year or two.
VOIP Security Tips
- Encrypt VOIP traffic and run it over a VPN.
- Make sure that server-based IP-PBXs are locked down and protected against viruses and denial-of-service attacks.
- Make sure you've properly configured and tightened policies on your firewalls for the best security. Check to see if your networking and security vendors support SIP and the H.323 voice protocol. (SIP is more important these days)
- You may wish to segment voice and data traffic by using a virtual LAN. This will limit the threat posed by packet-sniffing tools and minimize disruption in the event of an attack.
- Use proxy servers in front of corporate firewalls to process incoming and outgoing voice data.
Check out these interesting VoIP Security resources:
VoIP Security article.
VoIP Security Conference
VoIP Security News
VoIP Security Challenges In Enterprise And Service Provider Networks
VoIP Security: Stakes Get Higher As Deployments Grow
Also, here's a sample article within Internet Telephony Magazine discussing VoIP security just to demonstrate some of the great VoIP security articles you can read if you subscribe to this magazine:
VoIP Security Challenges In Enterprise And Service Provider Networks
With most major telecommunications carriers currently in the process of readying voice-over-IP (VoIP) services for mass deployment, it's clear that IP telephony is finally headed for prime time. However, the promise of mass VoIP consumption also increases the risk for widespread security violations, spawning a new sense of urgency to plug potential security holes now before hackers wreak havoc on corporate voice networks.
Until now, VoIP security hasn't been a particularly volatile subject since most IP voice traffic remained on local and wide area enterprise networks. But as VoIP usage becomes widespread, enterprises and home users will become subject to the same security risks that have affected data networks. This is largely due to the fact that next-generation voice networks are IP based and all IP protocols for sending voice traffic contain flaws.
In particular, service providers who offer business class services, including voice VPN, IP Centrex, and hosted IP PBX services, face a raft of challenges. First, they must find an acceptable method for sending VoIP traffic through enterprise firewalls, which can inhibit and even block VoIP packets due to their inherent security functions. Without a viable solution, VoIP calls remain essentially unsecured, subject to security breaches including snooping, denial of service attacks, and tapping. Moreover, unsecured IP telephony networks are vulnerable to packet flooding by hackers intent on causing service disruptions that vary in intensity from system crashes and throughput problems to system slowdowns and voice quality degradation.
FINDING THE ANSWER
In an attempt to solve VoIP security questions, enterprises and service providers have considered a variety of technologies, including IP phones with embedded security mechanisms, private or virtual LANs, intelligent routers with integrated firewalls or new protocols such as the proposed STUN standard, and voice proxy firewalls. However, for the most part these remedies have been woefully inadequate.
Placing IP phones in the enterprise without using a firewall is highly risky. Though many have integrated security mechanisms, including authentication requiring a user name and password, they can be easily hacked. Plus, they utilize public IP addresses, which also are vulnerable to unwanted intrusion.
Deploying a VoIP solution on a private LAN behind the service provider's own firewall is unacceptable due to the fact that most enterprises must utilize a certain number of public IP addresses, which are also vulnerable to security breaches. And most WANs used between the provider and the enterprise are based on global IP addressing, which presents a similar danger. In addition, service providers that combine traffic from several enterprises on the same network (i.e., Metropolitan Area Networks) are placing those customers at risk, since it is possible for an individual with access to one of these enterprise LANs to hack into the network of another.
Some service providers have met the problem by leveraging a private IP addressing scheme for phones and public IP addressing for all other networked devices. In this solution, phones would be connected to one virtual LAN (VLAN) and devices such as PCs, switches, and routers would be connected to another VLAN. This allows enterprises to send and receive VoIP calls in a secure manner using their own firewalls. Unfortunately for service providers, the complexity of managing separate private and public IP addresses for every customer and configuring IP phones for each user causes operational headaches and increases expense.
New voice-aware firewalls have also come under scrutiny. However, such equipment is mostly in the development stage and no available products support all VoIP standards, leaving enterprises that use them open to the same vulnerabilities previously discussed. Plus, replacing existing firewalls with new platforms is a very expensive proposition.
SECURING ENTERPRISE TRAFFIC - SECURITY IS CRITICAL
A far better solution involves deployment of voice proxy firewalls in the service provider's network. Though other solutions exist, such next-generation platforms present a highly effective and cost-efficient alternative, enabling providers to ensure safe passage for voice traffic sent to their customers' networks.
Voice proxy firewalls support Media Gateway Control Protocol (MGCP), Signaling Connection Control Part (SCCP), and Session Initiation Protocol (SIP) end points and are especially effective when deployed in pairs for redundancy, with one device active and the other passive. Multiple pairs can be deployed for increased scalability.
In a paired configuration, an IP telephony application server in the service provider's core network continuously monitors both voice proxy firewalls and switches between them in milliseconds in the event of service disruptions such as dropped calls. Using this solution, customer premises equipment (CPE) such as IP phones and access gateways can function to full capability in the enterprise behind any standard, commercially available firewall. This is possible due to the voice proxy firewall's ability to control the command and voice packet streams sent between the provider and customer.
During voice transmissions, all command and voice packet streams that flow between both entities pass through the voice proxy firewall, which inspects each packet and replaces embedded (private) IP addresses and ports with new (public) IP addresses/ports representing the voice proxy firewall itself. Thus, Real-time Transport Protocol (RTP) voice packets can be delivered to customer access gateways and IP phones sitting behind enterprise firewalls.
Generally the voice proxy firewall requires no configuration on the part of the enterprise, but rare exceptions exist. Some very large enterprises with firewalls set up to deny outbound communication must be configured with a single entry, allowing traffic to be delivered to the voice proxy firewall IP address. In addition, some firewalls cannot consistently keep MGCP and SIP sessions open during idle traffic times. In most cases, this problem can easily be remedied by setting the time out value to five minutes. However, firewalls that lack the ability to alter the time out period cannot be used.
Service Provider Solutions
Voice proxy firewalls also provide powerful firewall capability for service providers, enabling them to prevent hacker attacks and service disruptions that could affect their own networks. This is accomplished via access lists and stateful packet inspection, which in turn relies on packet validation and packet throttling; all of these capabilities are integrated into the voice proxy firewall.
Access lists limit who can make calls and help prevent service theft by those with network access. Using access lists, only packets from the specified IP addresses can penetrate the voice proxy firewall. Note that this method only applies to boot packets. Access lists enable network managers to assign various access levels to employees, for example, allowing them to make local and long-distance calls, but not international calls. Remote users could be assigned a very low access level since external users present a high security risk.
Packet validation checks for valid source/destination IP addresses and forwards packets only after they pass the test. RTP voice packets are scanned for valid source/destination IP addresses and command packets are parsed and checked to determine their validity. The packet validation process prevents malformed packets from entering the IP telephony application server and unnecessarily consuming CPU resources.
Packet throttling enables network managers to set a parameter corresponding to the number of boot packets per second that are allowed passage through the voice proxy firewall. This allows them to prevent packet storms from reaching the IP telephony application server.
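The three protections just described (access list on boot packets, source/destination validation, and a boot-packet-per-second throttle) as one small filter, an added example that is not code from the article or from any voice proxy firewall product; the addresses, the packet dictionary layout and the "boot"/"rtp" packet kinds are constructed for illustration.

```python
import ipaddress
from collections import deque

# Constructed policy (not a real deployment): endpoints allowed to boot,
# the application server they must address, and the boot-packet throttle.
ALLOWED_SOURCES = {"10.0.1.10", "10.0.1.11"}
APP_SERVER = "10.0.0.5"
BOOT_PACKETS_PER_SECOND = 3

class VoiceProxyFilter:
    def __init__(self, allowed, server, rate):
        self.allowed = {ipaddress.ip_address(a) for a in allowed}
        self.server = ipaddress.ip_address(server)
        self.rate = rate
        self.window = deque()  # ms timestamps of boot packets passed in the last second
    def validate(self, pkt):  # packet validation: addresses parse, destination is the server
        try:
            src = ipaddress.ip_address(pkt["src"])
            dst = ipaddress.ip_address(pkt["dst"])
        except (KeyError, ValueError):
            return None, "drop: malformed"
        if dst != self.server:
            return None, "drop: bad destination"
        return src, "ok"
    def admit(self, pkt, now_ms):
        src, verdict = self.validate(pkt)
        if src is None:
            return verdict
        if pkt.get("kind") != "boot":
            return "pass"  # RTP and other traffic is validated but not throttled
        if src not in self.allowed:  # access list applies to boot packets only
            return "drop: not in access list"
        while self.window and now_ms - self.window[0] >= 1000:  # trailing 1 s window
            self.window.popleft()
        if len(self.window) >= self.rate:
            return "drop: throttled"
        self.window.append(now_ms)
        return "pass"

def run_sample():
    trace = [  # constructed (time_ms, packet) pairs
        (0, {"kind": "boot", "src": "10.0.1.10", "dst": APP_SERVER}),
        (100, {"kind": "boot", "src": "10.0.1.11", "dst": APP_SERVER}),
        (200, {"kind": "boot", "src": "10.0.1.10", "dst": APP_SERVER}),
        (300, {"kind": "boot", "src": "10.0.1.11", "dst": APP_SERVER}),
        (400, {"kind": "boot", "src": "192.0.2.99", "dst": APP_SERVER}),
        (600, {"kind": "rtp", "src": "not-an-ip", "dst": APP_SERVER}),
        (1300, {"kind": "boot", "src": "10.0.1.10", "dst": APP_SERVER}),
    ]
    f = VoiceProxyFilter(ALLOWED_SOURCES, APP_SERVER, BOOT_PACKETS_PER_SECOND)
    return [f.admit(p, t) for t, p in trace]
```

The fourth boot packet arrives within the same second as the first three and is throttled, while the boot packet at 1300 ms passes once the window has slid past them.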
THE DOOR TO NEW SERVICES
Deployment of VoIP technology opens a new world of communications for enterprise customers. By transporting voice traffic over packet-based networks, service providers can launch new high-margin services, including virtual PBX and IP Centrex, which promise enormous value and lower costs for enterprises. However, before opening the floodgate of new services, providers must find answers to VoIP security questions. By addressing these issues now, providers of IP voice services can avoid the security problems data providers solved the hard way, enabling them to increase profitability, lower management and operational costs, and enjoy a much more rapid return on investment.