VoIP Security

Set Limits

Your main VoIP security policy is simple: First, don't plug any VoIP components into the network until you've made sure there won't be any communications between these devices and the Internet. And second, don't allow any communications between PCs that interact with the Internet and with the VoIP system. That's because PCs are especially vulnerable to attack and could be used to break into the VoIP system or to deny service to the voice applications. They also can commandeer VoIP phones to commit toll fraud, eavesdropping or impersonation.

If you must deviate from this policy, make sure everyone understands the risks and that the proper countermeasures are in place to mitigate them. This requires a clear understanding of security, as well as the system architecture and the VoIP protocols involved.The first step in implementing your security policy is to put all the VoIP phones on a separate VLAN (virtual LAN) and use RFC 1918 nonroutable addresses. Most VoIP phones have a built-in switch that supports the 802.1p/Q VLAN standard, which makes it possible to establish VLANs between the desktop and the nearest wiring closet switch that can extend through the network.

If the voice user's PC is plugged into the phone's switch, you can place voice and data on separate VLANs from end to end. Keep in mind that VLANs can't talk to each other unless there is routing between them, so that's one way to keep the two separate. And you can use ACLs (access-control lists) to prevent communication between VLANs as another layer of voice security. Having the voice and data on separate VLANs also simplifies setting up QoS (quality of service) for your VoIP traffic. Then it's just a matter of giving priority to the VoIP VLAN--you'll still need Layer 3 QoS for when you go through routers.

QoS is normally associated with ensuring performance, but it also plays a critical role in security. Voice and data on separate logical VLANs still share the same physical bandwidth. That means if PCs get infected with viruses or worms that, in turn, flood the network with traffic, VoIP traffic still gets priority across the shared physical pipes and doesn't fall victim to a DoS attack. ACLs and firewalls, meanwhile, can block the VoIP system from having Internet access, and vice versa.

VLANs also can mitigate eavesdropping on phone conversations. If voice packets are captured with an analyzer, it's very easy to replay the audio. The mobility and flexibility of IP make it vulnerable to a "man in the middle" attack, where the ARP (Address Resolution Protocol) is used to force traffic through a PC, which can then be captured. VLANs can stop an attack from the outside, but an inside attack is more difficult to prevent. An insider could plug a PC directly into a wall jack, configure it to be part of the VoIP VLAN and launch an attack. The best way to prevent such a breach would be to buy VoIP phones with strong encryption--and every phone needs encryption for this approach to work.You also need encryption between the phones and gateway to the PSTN. VoIP phone vendors are starting to include both media and signaling encryption in their devices. Avaya, for example, says all its phones now support encryption, and Nortel Networks says its phones will soon do the same. Encryption also thwarts other types of eavesdropping that require physical access to the infrastructure, such as port mirroring on a switch or using an Ethernet tap into a single Ethernet connection.

Of course, encryption comes at a cost: latency. That's not an issue for the LAN, but it may be one for the WAN. Another trade-off is that encrypting the signaling between phones, which occurs at the application layer, can make it difficult for firewalls operating at that layer to decipher it.

Although firewalls are essential, don't assume they can do it all. VoIP protocols can be difficult to filter. While SIP (Session Initiation Protocol) is the standard for VoIP signaling, many vendors have proprietary signaling protocols, which the firewall must understand.

The RTP (Real Time Protocol) is used for transporting the actual voice media, but there's a wide range of ports dynamically allocated for each call. The signaling protocol will communicate which RTP port should be used for a particular call. A good firewall will pick this up from the signaling protocol and open up the exact port necessary for the endpoints' IP addresses. Not all firewalls will do this, however. Some just open ranges of ports, so make sure you understand exactly how your firewall operates.

Some firewalls must deal with private addresses and NAT (network address translation), which makes securing VoIP even more challenging, especially when dealing with incoming requests to an endpoint with a private address. A firewall that understands the signaling protocol can track user registrations with the current addresses and route incoming requests accordingly. Check Point Software Technologies says its current version of FireWall-1 will do this, providing the absolute minimum level of access.Another approach is to place a firewall in front of a VoIP system specifically designed for IP voice. Ingate's firewall, for example, was designed for SIP-based VoIP systems. Ingate recently announced that its products are now certified to work with Avaya's SIP-based products. Make sure you implement VoIP systems based on SIP so you aren't tied into your VoIP vendor for security options.

And beware, firewalls can create latency and become a performance bottleneck. The servers supporting VoIP each have their own OSs with all the associated vulnerabilities, so you must make sure they're patched before you put them on your network. Keep them patched, and carefully limit access to them. Each IP phone, too, is also a computer with its own application and OS, so adopt the same preventive care for your phones, and be sure your phones come with a good patch-management system.

Making Exceptions

There are some applications that may make you consider opening up communications between the voice and data VLANs. For instance, most VoIP vendors offer desktop clients that manage the VoIP phone and provide rich presence information. Many vendors also have clients that let you monitor the phone and IM presence of other system users and publish your own availability. These features require some direct interaction between the desktop and the VoIP system, so you'll need a way to do this safely.

A firewall is the best bet here. The idea is to provide the minimum access without permitting a PC to inadvertently become a platform to explore vulnerabilities in the VoIP system. But if a worm fills up the bandwidth on the network, these applications can't be protected on the connection between the PC and the wiring closet because the data is coming from the PC and will therefore be on the data VLAN. The good news is that the VoIP phone communications will be protected as long as you've implemented QoS. But if you're using only a softphone on the PC, there's no way to provide QoS for the voice packets between the PC and the wiring closet switch.If you have telecommuters accessing the IP PBX over the Internet, a VPN is an obvious solution to prevent eavesdropping. VoIP vendors such as Zultys Technologies have products designed to facilitate VPN access to the IP PBX. Some Zultys phones create a VPN tunnel directly from the phone to the PBX. Nortel's Contivity VPN PC client can establish a VPN tunnel for one of its phones through the attached PC.

The last thing you want is to expose the IP PBX to the Internet. You can minimize the risk if you provide access only to the relevant ports and only when authenticating over the VPN--and that's only if you require authentication through an additional user login into the VoIP system. You will, of course, also want a firewall in place between the IP PBX and the VPN gateway, limiting access only to ports deemed absolutely necessary.

It's also good to have mechanisms in place to protect your VoIP system from DoS attacks aimed at the application. This won't be a big danger from the outside if an extra layer of authentication is required from the VLAN, but it could be an issue from the inside if someone gained access. With SIP, for example, sending a flood of "Register" requests could overwhelm the server. An IPS (intrusion-prevention system) can mitigate this problem, and an IPS or IDS (intrusion-detection system) can detect these attacks if it understands SIP. A good IPS also can prevent SIP-based man-in-the-middle attacks that redirect traffic through another device.

Any desktop that accesses the VoIP system must be protected. Many vendors now provide centrally managed firewalls as well as software that checks for OS patches and virus updates. This is especially important for telecommuters using IP softphones.

So don't get hung up on VoIP security problems. With a strong IP voice security policy and the right mix of security tools, there's no reason to miss out on the benefits of VoIP.Peter Morrissey is a full-time faculty member of Syracuse University's School of Information Studies and a contributing editor at Network Computing. Write to him at [email protected].