How to Heal the FUD Associated with VOIP Security

When Ari Takanen and I wrote our book, "Securing VOIP Networks: Threats, Vulnerabilities and Countermeasures," one of our main objectives was to encourage the reader to view the approach of securing VOIP communications holistically. Security is not a product, it's a process. Thus, understanding and developing that process eliminates FUD (Fear, Uncertainty and Doubt), and lays the foundation for implementing and managing the VOIP infrastructure properly, with measurable security objectives.

Furthermore, most organizations are currently focusing on deploying VOIP but they should be cognizant that voice is just one of several real-time multimedia applications. Others include video, conferencing and gaming. Thus, it is expected that organizations will deploy additional multimedia applications (i.e., video and conferencing) within the existing VOIP infrastructure. They may even develop new multimedia applications to support emerging needs. Naturally, these applications will use the same protocols that are used for VOIP (such as SIP, RTP, MGCP, RTSP and H.323) since they have been designed by standards bodies to do so. Our book emphasizes security concepts and protection mechanisms that are applicable to VOIP but that also extend to other real-time multimedia applications.

Understand your mission

Many times, when Ari and I are engaged by clients to evaluate the security of their VOIP implementations, we are asked the following question by network administrators and engineers: "What are the major security areas that I need to fix in my VOIP network?" Although a portion of the answer varies depending on the organization's mission and operational requirements, the following are considered to be the most typical areas that need to be addressed:

1. Reliability. This area is of concern not only to enterprise networks but also to carrier-grade networks, since telecommunication carriers are part of the national critical infrastructure. An attack that aims to disrupt voice communications can impact the organization's operations and, consequently, those of its clients (or subscribers in the case of carrier networks). Such attacks are prevented by combining controls at various layers including port-base access (IEEE 802.1x), network-layer access (ACLs), and deployment of network elements that support rate-limiting and signaling and media message inspection (Session Border Controllers). This layered approach is discussed in more detail in our book. In our experience, testing the susceptibility of the VOIP service from disruption helps to validate the current controls and also the organization's incident response capability.

2. Eavesdropping and voice encryption. A popular and controversial topic is whether or not organizations should encrypt VOIP communications. Based on our experience when evaluating the security of our clients' VOIP networks, for a variety of industries such as insurance, banks, energy, pharmaceuticals, consumer products and telecommunications, we discovered that the requirement for voice encryption is dictated by the organizational mission and requirements to protect communications within that organization, its clients and its affiliates. In some cases, voice encryption is necessary only for management personnel and officers of the company (or a specific company group or population). In other cases, voice encryption is required for everyone. And even then, there are cases where voice encryption is not required at all but access to the VOIP network is of concern. Thus, the confidentiality of your VOIP communications depends on your organizational mission and requirements to support its operations.

3. Fraud. Although this area has been mostly a concern for telecommunications carriers or VOIP service providers, there have been fraud cases in which an organization's enterprise network was compromised, defrauded or used in a fraud scheme. There are various fraud schemes that either take advantage of a weakness in the process through which a service is provided or via a technical vulnerability such as poor access controls, configuration or buffer overflow. Enterprise organizations can deter VOIP fraud by enforcing policies and adequate access controls. Some of these controls include a calling plan policy for international and premium numbers (such as 900 numbers), calling feature restriction (call/trunk transfer), and properly securing administrative and management interfaces. 

4. Unauthorized access. This is considered to be a fundamental condition from which other attacks can be realized, such as DoS (denial of service), eavesdropping and fraud. For example, an attacker can gain unauthorized access to a network element (such as Call Manager, PBX or voice gateway) and shut it down. This, in turn, will cause service disruption or it will install a rootkit to collect traffic or to divert media traffic to a host that is controlled by the attacker, who will ultimately eavesdrop on communications. In our discussion, we extend this concept to include unauthorized access to the VOIP network and corresponding services through signaling message manipulation. Such an attack can be used to gain unauthorized access to network services or resources. For example, an attacker may be able to manipulate signaling messages to gain unauthorized access to subscribers' voice mail or services.

Although new threats and vulnerabilities will always emerge, if you have a sound security process for managing your environment, you will be able to respond efficiently and effectively when they arise.

How to protect your VOIP network

The approach for securing VOIP networks starts from the initial design phase. Based on our experience, we see that organizations that are addressing security in the design phase minimize the inflated cost of security during the production phase. In one example we were engaged to perform a VOIP assessment for a Fortune 500 company that had a production VOIP network. During the assessment we identified security issues associated with the architecture and the VOIP protocols that it was using.

After presenting short-term and long-term recommendations to mitigate both the architectural and protocol implementation issues, the effort to complete the changes required about 13 months and close interaction with the vendor to fix some of the issues associated with the VOIP products. Although the final cost was not disclosed, all of these could have been avoided if a set of security requirements had been identified during the design phase and an evaluation of the products and deployed solution had been conducted during the pilot phase (prior to production).

If you are in the process of deploying security, especially for a large enterprise network, ensure that you define your security requirements for VOIP in early stages. Furthermore, use your security requirements as part of your RFP (request for proposal) that you send to VOIP vendors. Defining security requirements early will alleviate the perceived added cost of security at a later stage and, most importantly, lay the foundation to manage current and emerging threats.

Another important area is the architecture of the VOIP network. Network segregation using inter-VLAN (virtual LAN) filtering (not just VLAN labeling), private addressing and so on can help manage some of the known attacks.

Network controls such as port-based authentication, router filtering and SBCs are very helpful in preventing threats such as unauthorized access (including network and signaling layer), eavesdropping and fraud. As we move further into the VOIP network, another area that requires attention is the operating system controls, including firmware controls. Proper patch management, permissions, and access to administrative and management ports or service ports is critical in preventing unauthorized access. Finally, signaling and media controls including authentication of messages and confidentiality are imperative in protecting VOIP communications and maintaining user privacy.