As VOIP systems proliferate, so, too, must the measures taken to secure them. Luckily for IT administrators, several resources are available to help them do just that.
In the book "Hacking Exposed VOIP: Voice over IP Security Secrets & Solutions," for example, authors David Endler (director of security research at TippingPoint) and Mark Collier (chief technology officer of SecureLogix) bring to life the imminent threat of VOIP attacks, describing in detail how an attacker could discover, enumerate, probe and eventually co-opt an existing voice network.
Moreover, the book provides a useful starting place for VOIP adopters to begin shoring up their own networks.
The $50, 539-page book is a must-read for IT administrators, particularly those who are managing a voice network but are not totally comfortable with the technology—and are perhaps relying too much on resellers for the stability and security of the network.
Endler and Collier also have created several tools to automate voice-specific scans and penetration attacks of commonly used end-user devices and VOIP infrastructure components. These tools, along with Google hacking tips and a database of stock voicemail recordings, can be found on the books companion Web site.
Another good resource is VOIPSA, or Voice over IP Security Alliance, which has put together a number of useful tools. The Threat Taxonomy, for example, enumerates known types of attacks and organizes them into general categories.
These include social threats, eavesdropping, or interception and modification. The group also maintains a best-practices mailing list that is still in the organizational stage but holds great promise. Data and voice ties.
The health of a VOIP network is tied to the health of the data network. Beyond throughput and latency demands, VOIP relies heavily on several legacy data services to operate correctly. For example, VOIP administrators should think about shoring up services such as DNS (Domain Name Service), DHCP (Dynamic Host Configuration Protocol) and TFTP (Trivial File Transfer Protocol)—bedrocks of the network that may have been forgotten because, in most circumstances, they just work.
All of that said, isolating voice traffic should be a priority, as malware-infested desktops or servers could be used as a launchpad for attacks against a voice system that is not otherwise exposed to Internet traffic. Maintaining separate VLANs (virtual LANs) for voice and data traffic is a worthy endeavor: It will isolate VOIP components to some extent from other endpoints, with the added benefit that QOS (quality of service) will be easier to implement.
However, VOIP implementers may have to make some hard decisions about the role of IP softphones in the network because the workstations on which they are installed should be separated from the voice network, too.
Assuring call privacy through the use of encryption (of the voice payload, call signaling or both) has been a nonstarter for many VOIP adopters because call quality has traditionally trumped security as the primary objective. Many common voice-quality monitoring and assessment tools arent effective on an encrypted stream, and IT staffers certainly cant record and play back encrypted voice calls to manually ensure call quality.
However, some new assessment tools are coming down the pike that can estimate call quality by measuring factors that can be derived from an encrypted stream, such as latency and jitter. For example, at the RSA Conference in San Francisco Feb. 5-9, AirMagnet demonstrated its AirMagnet VoFi Analyzer, which includes the ability to derive an MOS (mean opinion score) and R-values from metrics gathered without actual access to call payload.
Any of the tools mentioned here will help administrators lock down their VOIP systems, but, in general, admins must become more acquainted with the tricks of the trade. Just as they learned to use penetration testing and assessment tools for the data network, administrators must grow their skills to adapt to the vicissitudes of VOIP.
Technical Analyst Andrew Garcia can be reached at firstname.lastname@example.org.