
Securing IP Telephony Systems

Networks First offers practical plan to ensure the security of VOIP traffic

March 2006: The increasing maturity of VoIP and converged network technology is driving both enterprise and smaller organisations to reconsider the relative expense of having separate voice and data infrastructures. Instead, increasing numbers of UK businesses are opting for the benefits that a converged network and application model, based on an underlying Voice over IP (VoIP) infrastructure, can offer, including reduced cost of ownership, increased business efficiency and significant user productivity gains.

Unfortunately, IT, data and network security concerns are taking up an ever greater share of IT Directors’ budgets. According to recent research from Gartner, over 40 per cent of businesses last year spent seven per cent or more of their IT budget on security, as opposed to the recommended three to six per cent guideline, and that number is set to increase further. Against this background there is a significant danger that organisations investing in converged networks are not properly considering, or being advised on, the security implications for VoIP traffic, argues converged network service and support specialist Networks First.

Peter Titmus, Managing Director for Networks First, comments, “The true converged network industry is really still in its infancy, with only a handful of voice and data resellers and integrators who have the combined skills to approach the implementation of a converged network in the right way. As a result, there is a danger that organisations investing in this technology are not being given appropriate advice on the security considerations that a converged network requires.”

In order to address this, Networks First has identified a set of simple, yet practical steps for end-users, resellers and systems integrators to follow in ensuring the security of a converged voice and data network.


1. Take a holistic approach

It is imperative to take a holistic approach to IT security, so that the voice system is included in the overall security risk analysis and has ‘best practices’ applied as deemed appropriate, aligned at a minimum with the security measures already applied to the data systems. These would include the following measures:-

  • Use deep packet inspection techniques – IDS/IPS or Firewall Systems at WAN / Internet ingress points to prevent multi-layered attacks breaching the core network.
  • Implement robust wireless security mechanisms such as strong authentication, strong encryption and rogue access point detection.
  • Deploy endpoint security on Servers and Hosts to enforce network attached devices to conform to defined enterprise and desktop security policy.

2. Assess the risks in line with business implications

Although the threats and types of attack method for voice and data traffic may be similar, the implications of losing part of or the entire phone system will be different in terms of the risk to business operations and costs. Having performed a risk assessment on the implications of any given threat on the business, hardening key voice components may be necessary in addition to providing conventional network-based security controls.


3. Secure the network infrastructure

There are several recommended techniques for securing the network infrastructure:-

  • Employ Separate Voice and Data VLANs (Mandatory): Keeping the voice and data traffic separate through the use of VLANs has several advantages. The inherent isolation provided by VLANs ensures that inter-VLAN traffic is under management control and that network-attached PCs cannot initiate a direct attack on voice components. Additionally, organisations should employ a separate Voice Server VLAN for key Call Processing Servers so they can be secured from unsolicited access.
  • Use Secure Network Management Techniques (Highly Desirable): All network device and server management should be encrypted to ensure confidentiality, and authenticated, for example using SSH v2. A central facility offering secure authentication, authorisation and accounting would ensure that only recognised administrators can make changes to the network configuration. This recommendation is desirable regardless of VoIP.
  • Authenticate Network Access (Desirable): Wireless LANs, teleworking and PDAs have all contributed to a widening of the network perimeter, such that traditional boundary security measures may be circumvented. In order to protect the core it is desirable to authenticate any node that attempts to join the network before allowing it access to any network resource.
  • Use “Voice Aware” Firewalls (Optional): Stateful awareness of voice signalling protocols is essential for firewalls to maintain a secure boundary whilst being able to inspect voice traffic for potential anomalies. Not all firewalls have this capability, and technicians should ensure that the firewalls chosen support secure inspection of protocols such as SIP and H.323. Firewalls also need to treat VoIP traffic with ‘precedence’ so they do not impede voice in terms of delay, jitter or packet loss.
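The VLAN separation and secure-management controls in this step can be checked mechanically against a device configuration. The script below is an added example, not code from Networks First or from the white paper: it parses a constructed Cisco IOS-style configuration (the hostname, interface names and VLAN numbers are made up for illustration) and reports access ports whose data VLAN overlaps a voice VLAN, a missing SSH version 2 setting, and management lines that still accept telnet. The parse_config and audit functions, the Port class and the finding texts are this example's own, and a hardened copy of the same configuration is audited alongside the weak one to show the difference.

```python
"""Added example (not Networks First's code or the white paper's): audit an
IOS-style switch configuration for the controls in step 3. Every identifier
here (parse_config, audit, Port, the sample configs) is this example's own."""
import re
from dataclasses import dataclass

# Constructed sample: one correctly configured phone port, one data port that
# was dropped into the voice VLAN, SSH v2 enabled but telnet still accepted.
# Device name, interfaces and VLAN numbers are made up for illustration.
WEAK_CONFIG = """\
hostname access-sw1
ip ssh version 2
!
interface FastEthernet0/1
 description user desk with IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
!
interface FastEthernet0/2
 description user desk, PC placed in the voice VLAN by mistake
 switchport mode access
 switchport access vlan 100
!
interface FastEthernet0/3
 description uplink to core
 switchport mode trunk
!
line vty 0 4
 transport input telnet ssh
"""

# The same device after remediation: data and voice VLANs separated on
# every access port, and management restricted to SSH only.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    " switchport access vlan 100\n",
    " switchport access vlan 10\n switchport voice vlan 100\n",
).replace("transport input telnet ssh", "transport input ssh")


@dataclass
class Port:
    name: str
    mode: str = ""
    access_vlan: str = ""
    voice_vlan: str = ""


def parse_config(text):
    """Return (global_commands, ports, vty_transports) from IOS-style text.

    Top-level lines are global commands; indented lines belong to the most
    recent 'interface' or 'line vty' block.
    """
    global_commands, ports = [], {}
    vty_transports = None          # None: no 'transport input' line seen at all
    block_kind, port = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):
            m = re.match(r"interface (\S+)", line)
            if m:
                port = Port(m.group(1))
                ports[port.name] = port
                block_kind = "interface"
            elif line.startswith("line vty"):
                block_kind = "vty"
            else:
                block_kind = None
                global_commands.append(line)
            continue
        cmd = line.strip()
        if block_kind == "interface":
            m = re.match(r"switchport (mode|access vlan|voice vlan) (\S+)", cmd)
            if m:
                attr = m.group(1).replace(" ", "_")     # e.g. "access vlan" -> access_vlan
                setattr(port, attr, m.group(2))
        elif block_kind == "vty":
            m = re.match(r"transport input (.+)", cmd)
            if m:
                vty_transports = m.group(1).split()
    return global_commands, ports, vty_transports


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    global_commands, ports, vty_transports = parse_config(text)
    findings = []
    # VLAN separation: a VLAN used as a voice VLAN anywhere must not carry a
    # PC on an access port, and a port's voice and data VLANs must differ.
    voice_vlans = {p.voice_vlan for p in ports.values() if p.voice_vlan}
    for p in ports.values():
        if p.mode != "access":
            continue                    # trunks are out of scope for this check
        if p.voice_vlan and p.voice_vlan == p.access_vlan:
            findings.append(f"{p.name}: voice VLAN and data VLAN are both {p.access_vlan}")
        elif not p.voice_vlan and p.access_vlan in voice_vlans:
            findings.append(f"{p.name}: data-only port placed in voice VLAN {p.access_vlan}")
    # Secure management: SSH v2 enforced, no cleartext telnet on the vty lines.
    if "ip ssh version 2" not in global_commands:
        findings.append("global: 'ip ssh version 2' not configured")
    if vty_transports is None or "telnet" in vty_transports or "all" in vty_transports:
        findings.append("line vty: management not restricted to SSH (telnet possible)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run against the weak configuration the audit reports the PC on FastEthernet0/2 sitting in the voice VLAN and the telnet transport on the vty lines; the hardened copy produces no findings. Voice VLANs are inferred from the `switchport voice vlan` statements seen on the device, so a data port in a voice VLAN is only detected when at least one phone port on the same device names that VLAN.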

4. Consider and implement additional IP Telephony security requirements

Having performed a risk assessment on the implications of any given threat on the business, it may be necessary to consider these additional security enhancements for the IP Telephony system:-

  • Harden IP Telephony Call Processing Servers (Highly Desirable): The voice servers’ operating systems must be hardened against the possibility of direct attack.
  • Harden IP Phones (Desirable): IP phones should be protected from local configuration modifications that may compromise the security of the voice system.
  • Encrypt Voice Traffic (Optional): Some IP Telephony solutions now provide an option to encrypt VoIP calls so that they remain private and cannot be snooped by LAN analysers in the voice path.
  • Authenticate Telephone Users (Optional): As with conventional digital PBX systems, it may be desirable to force telephone users to log on to the phones themselves, using features like Extension Mobility, and to provide only basic internal dialling capabilities (Phone CoS) if a valid user profile has not been initiated.

5. Consider external, expert advice

Many resellers and implementers of converged networks and IP Telephony solutions will have domain expertise in one area only; of these, only some, and even fewer end-users, will have the relevant in-house expertise to assess the full security implications of a converged IP Telephony network.

Peter Titmus concludes, “Networks are Dynamic! One seemingly simple configuration mistake or a user downloading something they are not meant to, or changing something on the system – let alone a malicious attack from outside - could have disastrous consequences that could leave the organisation exposed and without a means of communication. By following the steps outlined, we believe that these mistakes can be avoided and that end-users and resellers alike will start to reap the full benefits of a secure, converged network.”

A full white paper, Securing IP Telephony Systems – Best Practises, is freely downloadable.


For further information please email Sallie-Ann Beck at Networks First or call 0845 850 5577.
Tel: 0845 850 5577 - Email enquiry@networksfirst.com
