When Ari Takanen and I wrote our book, “Securing VOIP Networks: Threats, Vulnerabilities and Countermeasures,” one of our main objectives was to encourage the reader to approach the security of VOIP communications holistically. Security is not a product, it’s a process. Understanding and developing that process eliminates FUD (Fear, Uncertainty and Doubt) and lays the foundation for implementing and managing the VOIP infrastructure properly, with measurable security objectives.
Furthermore, most organizations are currently focusing on deploying VOIP, but they should be cognizant that voice is just one of several real-time multimedia applications. Others include video, conferencing and gaming. Thus, it is expected that organizations will deploy additional multimedia applications (e.g., video and conferencing) within the existing VOIP infrastructure. They may even develop new multimedia applications to support emerging needs. Naturally, these applications will use the same protocols that are used for VOIP (such as SIP, RTP, MGCP, RTSP and H.323), since standards bodies designed those protocols for exactly that purpose. Our book emphasizes security concepts and protection mechanisms that are applicable to VOIP but that also extend to other real-time multimedia applications.
Understand your mission
Many times, when Ari and I are engaged by clients to evaluate the security of their VOIP implementations, we are asked the following question by network administrators and engineers: “What are the major security areas that I need to fix in my VOIP network?” Although a portion of the answer varies depending on the organization’s mission and operational requirements, the following are considered to be the most typical areas that need to be addressed:
1. Reliability. This area is of concern not only to enterprise networks but also to carrier-grade networks, since telecommunication carriers are part of the national critical infrastructure. An attack that aims to disrupt voice communications can impact the organization’s operations and, consequently, those of its clients (or subscribers in the case of carrier networks). Such attacks are prevented by combining controls at various layers, including port-based access (IEEE 802.1x), network-layer access (ACLs), and deployment of network elements that support rate-limiting and signaling and media message inspection (Session Border Controllers). This layered approach is discussed in more detail in our book. In our experience, testing the susceptibility of the VOIP service to disruption helps to validate the current controls and also the organization’s incident response capability.
2. Eavesdropping and voice encryption. A popular and controversial topic is whether or not organizations should encrypt VOIP communications. Based on our experience when evaluating the security of our clients’ VOIP networks, for a variety of industries such as insurance, banks, energy, pharmaceuticals, consumer products and telecommunications, we discovered that the requirement for voice encryption is dictated by the organizational mission and requirements to protect communications within that organization, its clients and its affiliates. In some cases, voice encryption is necessary only for management personnel and officers of the company (or a specific company group or population). In other cases, voice encryption is required for everyone. And even then, there are cases where voice encryption is not required at all but access to the VOIP network is of concern. Thus, the confidentiality of your VOIP communications depends on your organizational mission and requirements to support its operations.
3. Fraud. Although this area has been mostly a concern for telecommunications carriers or VOIP service providers, there have been fraud cases in which an organization’s enterprise network was compromised, defrauded or used in a fraud scheme. The various fraud schemes either take advantage of a weakness in the process through which a service is provided or exploit a technical vulnerability such as poor access controls, a misconfiguration or a buffer overflow. Enterprise organizations can deter VOIP fraud by enforcing policies and adequate access controls. Some of these controls include a calling plan policy for international and premium numbers (such as 900 numbers), calling feature restriction (call/trunk transfer), and properly securing administrative and management interfaces.
4. Unauthorized access. This is considered to be a fundamental condition from which other attacks can be realized, such as DoS (denial of service), eavesdropping and fraud. For example, an attacker who gains unauthorized access to a network element (such as a Call Manager, PBX or voice gateway) can shut it down, causing service disruption, or can install a rootkit to collect traffic or to divert media traffic to a host under the attacker’s control, who will ultimately eavesdrop on communications. In our discussion, we extend this concept to include unauthorized access to the VOIP network and corresponding services through signaling message manipulation. Such an attack can be used to gain unauthorized access to network services or resources. For example, an attacker may be able to manipulate signaling messages to gain unauthorized access to subscribers’ voice mail or services.
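The rate-limiting control mentioned under item 1 is easy to reason about in code. The following Python is an added example written for this page, not code from the book or from any SBC vendor; the log format ("seconds source-ip method request-uri") and the sample lines are constructed for illustration. It shows the same per-source sliding window used two ways: as a detection rule run over a signaling log, and as the allow/drop decision an SBC-style limiter would make on each request.

```python
"""Sliding-window SIP request flood detection and rate limiting.

Added example (not from the book or the article). The log format below is
constructed for illustration: "<seconds> <source-ip> <method> <request-uri>".
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample: 12 INVITEs from one source inside 0.2 s, a normal pace
# from a second source, and one REGISTER that the INVITE check ignores.
SAMPLE_LOG = [f"100.{i:02d} 10.0.0.5 INVITE sip:1000@pbx.example" for i in range(12)] + [
    "100.30 10.0.0.7 INVITE sip:1001@pbx.example",
    "100.45 10.0.0.7 INVITE sip:1002@pbx.example",
    "100.50 10.0.0.9 REGISTER sip:pbx.example",
]


@dataclass(frozen=True)
class SipEvent:
    ts: float      # seconds
    src: str       # source IP of the signaling message
    method: str    # SIP method (INVITE, REGISTER, ...)
    uri: str       # Request-URI


def parse_line(line: str) -> SipEvent:
    ts, src, method, uri = line.split()
    return SipEvent(float(ts), src, method, uri)


def _trim(queue: deque, now: float, window: float) -> None:
    """Drop timestamps older than `window` seconds from the left of `queue`."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect_floods(lines, method="INVITE", limit=10, window=1.0):
    """Detection view: return {src: peak_count} for every source that sent more
    than `limit` requests of `method` within any `window`-second span.
    Lines must be in time order, as a log would be."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in map(parse_line, lines):
        if ev.method != method:
            continue
        q = recent[ev.src]
        q.append(ev.ts)
        _trim(q, ev.ts, window)
        if len(q) > limit:
            flagged[ev.src] = max(flagged.get(ev.src, 0), len(q))
    return flagged


def rate_limit(lines, method="INVITE", limit=10, window=1.0):
    """Enforcement view, as an SBC-style per-source limiter would apply it:
    return [(src, method, 'allow'|'drop')]. Only allowed requests count toward
    the window, so a source that keeps sending is throttled to `limit`/window."""
    allowed = defaultdict(deque)
    decisions = []
    for ev in map(parse_line, lines):
        if ev.method != method:
            decisions.append((ev.src, ev.method, "allow"))
            continue
        q = allowed[ev.src]
        _trim(q, ev.ts, window)
        if len(q) >= limit:
            decisions.append((ev.src, ev.method, "drop"))
        else:
            q.append(ev.ts)
            decisions.append((ev.src, ev.method, "allow"))
    return decisions


if __name__ == "__main__":
    print("flagged sources:", detect_floods(SAMPLE_LOG))
    dropped = [d for d in rate_limit(SAMPLE_LOG) if d[2] == "drop"]
    print("dropped requests:", len(dropped))
```

The detection function is the one to run against your incident-response process: the flood from 10.0.0.5 should surface both as a flagged source in the log review and as dropped requests at the edge. Real SBCs key the window on more than source IP (From header, dialog, trunk), but the shape of the control is the same.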
Although new threats and vulnerabilities will always emerge, if you have a sound security process for managing your environment, you will be able to respond efficiently and effectively when they arise.
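The calling plan policy under item 3 (international and premium numbers, per-group restrictions) can be expressed as a small classifier plus an authorization rule. The Python below is an added example for this page, not the book’s code or any PBX feature; the numbering-plan prefixes, the extension length, the groups and the call-detail records are all assumptions constructed to illustrate the control, and a real deployment would take them from its own dial plan.

```python
"""Calling-plan policy check: classify a dialed number and decide whether the
caller's group may place the call. Added example, not the book's code; the
prefix rules, groups and sample records are assumptions for illustration."""
import re

# Assumed home numbering plan: NANP (country code 1, ten national digits).
HOME_CC = "1"
PREMIUM_AREA_CODES = {"900"}      # NANP premium-rate area code ("900 numbers")
PREMIUM_EXCHANGES = {"976"}       # assumption: premium local exchange, illustrative
INTL_PREFIX = "011"               # NANP international dialing prefix
EXT_LEN = range(3, 6)             # assumption: internal extensions are 3-5 digits

# Assumed policy: categories each group may call. "premium" is deliberately
# absent everywhere, so it is denied for every group; unknown groups are denied.
POLICY = {
    "executive": {"internal", "national", "international"},
    "staff": {"internal", "national"},
}


def classify_number(dialed: str) -> str:
    """Map a dialed string to internal|national|premium|international|unknown."""
    s = re.sub(r"[^\d+]", "", dialed)      # keep digits and a leading '+'
    if s.startswith("+"):
        rest = s[1:]
        if not rest.isdigit() or len(rest) < 7:
            return "unknown"
        if rest.startswith(HOME_CC) and len(rest) == len(HOME_CC) + 10:
            national = rest[len(HOME_CC):]
        else:
            return "international"
    elif not s.isdigit():
        return "unknown"
    elif s.startswith(INTL_PREFIX) and len(s) > len(INTL_PREFIX) + 6:
        return "international"
    elif len(s) == 11 and s.startswith(HOME_CC):
        national = s[1:]
    elif len(s) == 10:
        national = s
    elif len(s) in EXT_LEN:
        return "internal"
    else:
        return "unknown"
    area, exchange = national[:3], national[3:6]
    if area in PREMIUM_AREA_CODES or exchange in PREMIUM_EXCHANGES:
        return "premium"
    return "national"


def authorize_call(group: str, dialed: str) -> tuple:
    """Return (allowed, reason). Default deny for unknown groups and categories."""
    category = classify_number(dialed)
    allowed = POLICY.get(group)
    if allowed is None:
        return False, f"unknown group {group!r}"
    if category in allowed:
        return True, category
    return False, f"{category} calling not permitted for {group}"


# Constructed call-detail sample: (caller group, dialed number).
SAMPLE_CDR = [
    ("staff", "4321"),
    ("staff", "1-900-555-1234"),
    ("staff", "011 44 20 7123 4567"),
    ("executive", "+44 20 7123 4567"),
    ("contractor", "212-555-0100"),
]


def audit_cdr(records):
    """Return the records the policy would deny, with the reason; useful for
    reviewing call records after the fact as well as for enforcement."""
    denied = []
    for group, number in records:
        ok, reason = authorize_call(group, number)
        if not ok:
            denied.append((group, number, reason))
    return denied


if __name__ == "__main__":
    for row in audit_cdr(SAMPLE_CDR):
        print("DENY", row)
```

Two design points matter more than the prefixes: premium numbers are denied by construction rather than by a per-group exception, and a caller whose group is not in the policy is denied rather than falling through to a permissive default. The same `audit_cdr` pass run over real call records is a cheap way to spot toll fraud that slipped past the PBX configuration.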
How to protect your VOIP network
The approach for securing VOIP networks starts from the initial design phase. Based on our experience, organizations that address security in the design phase minimize the inflated cost of security during the production phase. In one example, we were engaged to perform a VOIP assessment for a Fortune 500 company that had a production VOIP network. During the assessment we identified security issues associated with the architecture and the VOIP protocols that it was using.
After presenting short-term and long-term recommendations to mitigate both the architectural and protocol implementation issues, the effort to complete the changes required about 13 months and close interaction with the vendor to fix some of the issues associated with the VOIP products. Although the final cost was not disclosed, all of this could have been avoided if a set of security requirements had been identified during the design phase and an evaluation of the products and deployed solution had been conducted during the pilot phase (prior to production).
If you are in the process of deploying security, especially for a large enterprise network, ensure that you define your security requirements for VOIP in the early stages. Furthermore, use your security requirements as part of the RFP (request for proposal) that you send to VOIP vendors. Defining security requirements early will alleviate the perceived added cost of security at a later stage and, most importantly, lay the foundation to manage current and emerging threats.
Another important area is the architecture of the VOIP network. Network segregation using inter-VLAN (virtual LAN) filtering (not just VLAN labeling), private addressing and so on can help manage some of the known attacks.
Network controls such as port-based authentication, router filtering and SBCs are very helpful in preventing threats such as unauthorized access (at both the network and signaling layers), eavesdropping and fraud. As we move further into the VOIP network, another area that requires attention is the operating system controls, including firmware controls. Proper patch management, permissions, and control of access to administrative, management and service ports are critical in preventing unauthorized access. Finally, signaling and media controls, including authentication of messages and confidentiality, are imperative in protecting VOIP communications and maintaining user privacy.
Testing and Validation
One of my favorite quotes that I have engraved into our company pens that I pass to clients is from Ronald Reagan: “Trust but verify.” Since VOIP is a relatively new and somewhat complex technology for many people, there is room for error during deployment. So, although administrators strive to implement adequate security controls, it is expected that there might be some oversights.
Another area to consider during evaluation is the product itself. We have seen cases where VOIP products claim to support a security control but the implementation is flawed, allowing someone to execute an attack successfully. Thus, evaluating the security of your VOIP network should be part of your deployment plan. You have to verify not only your architecture and security controls, but also the VOIP products that support your environment.
Testing can be performed by knowledgeable staff or by a third party. But be aware that there is no product that will scan your VOIP network and identify all of your vulnerabilities completely. I’ve seen most, if not all, products associated with assessing VOIP networks, and their scope is focused on one area. In addition, from my experience with vulnerability scanning tools (including traditional network, Web-based and VOIP), I would say that there is no product that is able to automate several attack vectors that require human intervention. Generally, scanning products will help identify 70 to 80 percent of the issues, but the remaining 20 to 30 percent is where skillful and “creative” personnel are useful.
The approach you take when evaluating the security of your VOIP network should be a holistic one. During the evaluation you need to consider testing network controls, operating system controls, and VOIP protocols and controls (signaling and media). Within this scope you need to include protocol fuzzing and message and call-flow manipulation to evaluate certain conditions (such as access bypassing, signaling relay, and signaling and media diversion).
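Protocol fuzzing is only useful if the product on the receiving end fails safely, which is what the evaluation is meant to check. The Python below is an added example for this page, not code from the book, the article or any VOIP product: a deliberately strict SIP request parser that accepts a well-formed INVITE and rejects malformed input with a stated reason instead of misbehaving. The size limits and the sample messages are constructed; the mandatory headers and the Content-Length handling follow RFC 3261. Compact header forms and folded (continuation) header lines are not supported and are rejected, which is a limitation of this illustration rather than a requirement of the protocol.

```python
"""Strict SIP request parser: the defender's side of protocol fuzzing. It
accepts well-formed requests and rejects malformed ones with a reason instead
of crashing or guessing. Added example, not code from the book or the article;
limits and sample messages are constructed for illustration."""
import re

MAX_MESSAGE = 64 * 1024   # assumption: largest request we will consider
MAX_LINE = 1024           # assumption: longest header line we accept
MAX_HEADERS = 64          # assumption: cap on header count
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
REQUIRED = ("via", "from", "to", "call-id", "cseq")   # RFC 3261 mandatory headers
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
HEADER_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
CSEQ = re.compile(r"^(\d{1,10}) ([A-Z]+)$")


class SipParseError(ValueError):
    """Raised with a short reason for any malformed input."""


def parse_sip_request(raw: bytes):
    """Return (method, uri, headers, body). headers maps lower-cased names to
    lists of values. Raises SipParseError, and nothing else, on bad input.
    Folded header lines and compact header names are rejected (not supported)."""
    if not isinstance(raw, bytes) or len(raw) > MAX_MESSAGE:
        raise SipParseError("message missing or too large")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SipParseError("no end-of-headers marker")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise SipParseError("non-ASCII bytes in headers") from None
    if any(len(line) > MAX_LINE for line in lines):
        raise SipParseError("header line too long")
    if len(lines) - 1 > MAX_HEADERS:
        raise SipParseError("too many headers")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise SipParseError("malformed request line")
    method, uri = m.groups()
    if method not in KNOWN_METHODS:
        raise SipParseError(f"unsupported method {method}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not HEADER_NAME.match(name.strip()):
            raise SipParseError(f"malformed header line {line[:32]!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for name in REQUIRED:
        if name not in headers:
            raise SipParseError(f"missing {name} header")
    for name in ("call-id", "cseq", "content-length"):
        if len(headers.get(name, [])) > 1:
            raise SipParseError(f"duplicate {name} header")
    cm = CSEQ.match(headers["cseq"][0])
    if not cm or cm.group(2) != method:
        raise SipParseError("CSeq missing or method does not match request line")
    if "content-length" in headers:
        declared = headers["content-length"][0]
        if not declared.isdigit():
            raise SipParseError("non-numeric Content-Length")
        declared = int(declared)
        if declared > len(body):
            raise SipParseError("body shorter than Content-Length")
        body = body[:declared]   # RFC 3261 18.3: extra datagram bytes are discarded
    return method, uri, headers, body


def validate(raw: bytes):
    """Convenience wrapper: (True, method) or (False, reason)."""
    try:
        return True, parse_sip_request(raw)[0]
    except SipParseError as e:
        return False, str(e)


def _msg(*header_lines, body=b""):
    """Build a constructed INVITE from the given header lines (bytes)."""
    return (b"INVITE sip:1000@pbx.example SIP/2.0\r\n"
            + b"\r\n".join(header_lines) + b"\r\n\r\n" + body)


# Constructed sample messages: one good request and four malformed variants
# of the kind a fuzz run or a hand-edited call flow would produce.
BASE = [
    b"Via: SIP/2.0/UDP 10.0.0.7:5060;branch=z9hG4bKconstructed",
    b"From: <sip:1001@pbx.example>;tag=1",
    b"To: <sip:1000@pbx.example>",
    b"Call-ID: constructed-1@10.0.0.7",
    b"CSeq: 1 INVITE",
    b"Content-Length: 0",
]
GOOD = _msg(*BASE)
CSEQ_MISMATCH = _msg(*BASE[:4], b"CSeq: 1 BYE", BASE[5])
MISSING_CALLID = _msg(*BASE[:3], *BASE[4:])
OVERLONG = _msg(*BASE, b"X-Pad: " + b"A" * 2000)
SHORT_BODY = _msg(*BASE[:5], b"Content-Length: 100")

if __name__ == "__main__":
    for label, raw in [("good", GOOD), ("cseq", CSEQ_MISMATCH), ("callid", MISSING_CALLID),
                       ("overlong", OVERLONG), ("short-body", SHORT_BODY)]:
        print(label, validate(raw))
```

The point for an evaluation is the contract in the docstring: every malformed input maps to `SipParseError` and a reason, and the fuzzing step of the assessment is what confirms that contract holds for the product you actually deployed rather than for the parser you wish it had.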
Certifications and VOIP
Generally, I support security certifications because they help demonstrate an organization’s maturity and consistency in maintaining a proper security posture. Nevertheless, some certifications are erroneously applied to certain environments with “adverse” effects. In our efforts to help clients evaluate and secure their VOIP networks, there have been sightings where a SAS70 certification was performed on a VOIP network. Such certifications can be counterproductive for the certifier and the certified owner. This is true especially when client data is extracted (through eavesdropping) in a SAS70-certified environment. For those unfamiliar, a SAS70 (type I or II) certification “represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.”
So, before you embark on certifying your VOIP network, clarify your objectives. If you want to evaluate your VOIP network in order to identify weaknesses and strengthen your security, a focused penetration testing exercise is the right avenue. If you want to satisfy accounting audit requirements, a SAS70 is probably the right approach.
Last words of wisdom: Trust but verify, properly.