Infosec: Keeping the VoIP house in order
Mixing voice and data was never going to be straightforward.
By Jonathan Zar, SonicWALL | Techworld | Published: 22:00, 29 March 2006
The European Union is at the forefront of VoIP adoption. If we look at how new E1 line deployments in Europe are being set up, we see that fewer and fewer are being configured for TDM while more and more are being configured for IP. The ratios of IP to TDM are predicted to rise from 3:5 to parity within two years.
This is largely because organisations adopting voice, video and multimedia over IP stand to reap huge benefits in productivity and cost savings. The dark cloud on the horizon is that, without precautions, these very technologies put the whole corporate infrastructure at risk. To a large extent, global industry has embraced the need for data network security, but we are only on the threshold of understanding the potential problems of the unprotected VoIP network, such as the phone mailbox jammed with unsolicited special offers, unauthorised eavesdropping, or losing voice communications because your network has run out of bandwidth.
VoIP security concerns apply beyond VoIP-enabled organisations. Corporate officers, especially those with an eye to compliance or in highly data-sensitive areas such as finance, are increasingly placing a premium on doing business with organisations who can demonstrate that both their data and voice over IP communications are unlikely to propagate digital threats. Some of the most critical issues to consider when moving from a traditional telephone service to a VoIP network are quality of service, denial of service attacks, and endpoint security.
Without a firewall, companies have no network security and the endpoints, which need a public IP address in order to function, become accessible to anyone. Alternative solutions such as traversal technology, which allows VoIP traffic to bypass the firewall, or session border controllers, have inherent limitations. Most networks already have a firewall protecting the LAN as well as connecting remote sites and users through secure VPN technology, and firewalls are therefore the most popular choice when adding facilities for VoIP security. SonicWALL has been one of the first movers in integrating VoIP and security capabilities into all its devices, and in creating an architecture that behaves well in multiple vendors' VoIP environments. However, there are reasons why more firewalls aren't so VoIP-compliant.
First, the firewall must understand the VoIP protocols it wants to protect. A smaller group of vendors, including SonicWALL, provides virus scanning, intrusion prevention and other security services on VoIP traffic. The VoIP-enabled firewall is gaining popularity among IT managers because of its effectiveness, simplicity, and low cost.
For any successful VoIP implementation, three key factors must be considered: security, network interoperability and protocol support, and vendor interoperability.
VoIP encompasses a large number of complex standards that leave the door open to bugs in the software implementation. With PSTN, phones are just dumb terminals - all the logic and intelligence resides centrally in the private branch exchange (PBX) - and there's not a lot an attacker can do to disrupt access to a PSTN network. With VoIP, the same bugs and exploits that hamper every operating system and application available today can also hit VoIP equipment.
Without proper safeguards, VoIP calls are also vulnerable; an attacker can intercept a VoIP call and modify its parameters/addresses. This opens up the call to spoofing, identity theft, call redirection, and other attacks. Even without modifying VoIP packets, attackers can eavesdrop on conversations carried over a VoIP network. With a standard public switched telephone network (PSTN) connection, intercepting conversations requires physical access to phone lines or access to the PBX.
PSTN availability has reached 99.999% - attackers need physical access to telephone exchanges or have to cut the phone lines to have any impact. A simple denial of service attack aimed at key points of an unprotected VoIP network can disrupt, or worse cripple, voice and data communications.
There is also the problem of interoperability and protocol support when integrating VoIP into an existing network security infrastructure. Because of the complexities of VoIP signalling and protocols, it's difficult for VoIP to traverse many types of firewall. Firewalls need to process the signalling protocol suites that consist of the different message formats used by different VoIP systems. Just because two vendors use the same protocol suite doesn't mean they interoperate.
The last element in a secure VoIP infrastructure is ensuring that the firewall will interoperate with all of the VoIP devices used in the infrastructure. A partial list of devices includes IP phones, videophones, videoconferencing equipment, SIP proxies and H.323 gatekeepers. It's largely up to the security appliance vendors to ensure they interoperate with VoIP infrastructure devices. In the case of vendors like SonicWALL, their devices are designed to work well with all types of VoIP equipment from the majority of well-known vendors.
However, VoIP is a market where, until recently, you could buy interoperability without security or buy security without interoperability. Clearly this is not an acceptable choice, and it's one of the driving factors behind the rapid growth of the Voice Over IP Security Alliance (VOIPSA). VOIPSA is a worldwide organization founded to help create global standards for VoIP technology, bringing together a worldwide network of global carriers, equipment providers, software and service companies, academics and policy experts, all working to ensure that the adoption of VoIP does not draw a train of network vulnerabilities and digital threats in its wake.
For any CXO managing a distributed operation - and that can be in any vertical, for example retail, wholesale, manufacturing, government or simply branch offices - it makes sense to consider IP for voice and video as the best means of linking their sites, as long as these elements are factored into the planning stages. These need to be secured with firewalls at headquarters and branch, linked with either VPN or SSL tunnels, while the tunnels themselves must be capable of remote management to ensure quality of service. The wins are cost savings, convenience and the ability to integrate new voice and data features on an ongoing basis.
For a VoIP installation in a large facility, CTOs are looking to isolate traffic internally by department or function, so that sensitive data, including voice traffic, moves as isolated streams. In a hospital or a hotel, for example, they really want to make sure that administrative, financial, operations and guest data are all isolated from each other, and in some cases, from room to room, as well as being secured from external network threats. CXOs are looking for ease of management in administering and securing the voice network, or VLAN, along with the flexibility to isolate, filter and manage the content that flows within their networks.
EU research data indicates that CXOs as a group like to make purchases quickly once a need has been identified and funding allocated. The goal of VoIPSA is to take the guesswork out of decisions.
SonicWALL is exhibiting at Infosecurity Europe 2006.