Testing and Validation
One of my favorite quotes, which I have engraved on the company pens that I pass to clients, is from Ronald Reagan: "Trust but verify." Since VOIP is a relatively new and somewhat complex technology for many people, there is room for error during deployment. So, although administrators strive to implement adequate security controls, some oversights are to be expected. Another area to consider during evaluation is the product itself. We have seen cases where VOIP products claim to support a security control but the implementation is flawed, allowing someone to execute an attack successfully. Thus, evaluating the security of your VOIP network should be part of your deployment plan. You have to verify not only your architecture and security controls, but also the VOIP products that support your environment.
The approach you take when evaluating the security of your VOIP network should be a holistic one. During the evaluation you need to consider testing network controls, operating system controls, and VOIP protocols and controls (signaling and media). Within this scope you need to include protocol fuzzing and message and call-flow manipulation to evaluate certain conditions (such as access bypassing, signaling relay, and signaling and media diversion).
Certifications and VOIP
Generally, I support security certifications because they help demonstrate an organization's maturity and consistency in maintaining a proper security posture. Nevertheless, some certifications are erroneously applied to certain environments with "adverse" effects. In our efforts to help clients evaluate and secure their VOIP networks, we have seen cases where a SAS70 certification was performed on a VOIP network. Such certifications can be counterproductive for the certifier and the certified owner. This is true especially when client data is extracted (through eavesdropping) in a SAS70-certified environment.
For those unfamiliar, a SAS70 (type I or II) certification "represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes." So, before you embark on certifying your VOIP network, clarify your objectives. If you want to evaluate your VOIP network in order to identify weaknesses and strengthen your security, a focused penetration testing exercise is the right avenue. If you want to satisfy accounting audit requirements, a SAS70 is probably the right approach.
Last words of wisdom: Trust but verify, properly.
Peter is a principal consultant with Palindrome Technologies, where he provides consulting services to government and commercial clients in Information Security and Assurance, and performs research in various areas including Next Generation Networks, Internet Multimedia Applications, Wireless and VoIP Security. Peter has been a speaker at several academic and industry conferences including SANS, Blackhat, MIS InfoSec and IEEE. He has published articles in trade magazines such as Information Security, ZDNET, Forbes, Tech Target and Wired, and in industry journals such as IEEE, ACM and IEC. Peter holds a Master's degree in Computer Science from Columbia University, and he is an active member of IETF, ACM and ISSA. He can be reached at firstname.lastname@example.org.
Peter Thermos and Ari Takanen co-wrote the book "Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures", which was published by Addison Wesley Professional. ISBN-10: 0321437349, U.S. SRP: $44.99.
Testing can be performed by knowledgeable staff or by a third party. But be aware that there is no product that will scan your VOIP network and identify all of your vulnerabilities completely. I've seen most, if not all, products associated with assessing VOIP networks, and their scope is focused on one area. In addition, from my experience with vulnerability scanning tools (including traditional network, Web-based and VOIP), I would say that there is no product that is able to automate several attack vectors that require human intervention. Generally, scanning products will help identify 70 to 80 percent of the issues, but the remaining 20 to 30 percent is where skillful and "creative" personnel are useful.