The Value of VoIP Security

As telephony continues to migrate to Voice Over IP (VoIP), enterprises will continue to use a hybrid network, consisting of both circuit-switched and VoIP equipment. During this transition, existing security issues with circuit-switched networks will continue and new issues will emerge with VoIP.

Circuit-switched network vulnerabilities include toll fraud, theft of service, attacks on authorized modems, use of unauthorized modems, and eavesdropping in the Public Switched Telephone Network (PSTN). These issues will persist as long as the circuit-switched network is present -- and some, such as toll fraud and theft of service, may become much more severe.

These security issues, along with the emerging VoIP vulnerabilities discussed in this article, are best addressed with a unified security approach that addresses both circuit-switched and VoIP security.

VoIP Deployment Scenarios

Virtually any VoIP deployment has some number of vulnerabilities, depending on the vendor selected, the configuration used, and the deployment scenario selected. Deployment scenarios include:* Campus VoIP. Most VoIP deployments involve purchase of an IP PBX, or IP-enabling an existing PBX, and using some number of IP phones and softphones. Typically, all external calls would go through a media gateway to the PSTN. VoIP, therefore, does not extend to the Internet or some untrusted network. This implies that an attack on the VoIP network must originate within the internal network -- it can't come directly from the Internet. This deployment scenario is often extended to carry VoIP calls over a Wide Area Network (WAN) to save toll charges between sites. Some enterprises also use VoIP to extend voice services to remote workers -- although the threat to the VoIP system increases if the remote sites are not secure. For example, a compromised remote worker PC can become infected with a virus/worm and attack the enterprise voice network.

* IP Centrex/Hosted IP. This scenario involves a service provider managing the IP PBX and providing VoIP services from their network. No voice Customer Premise Equipment (CPE) is present, other than IP phones. In this scenario, the internal threat still exists -- along with a threat from the service provider's shared/untrusted network.

* VoIP Trunks. Eventually VoIP trunks will replace existing circuit-switched access circuits (T1s, PRI, analog) and voice services will come from the Internet or some untrusted network. In this scenario, the voice network can be attacked directly from the untrusted external voice network.

VoIP Vulnerabilities

IP inherits the security advantages -- and disadvantages -- of the IP network. While VoIP is a unique service even on the IP network, its security is typically only as good as that provided for any IP service such as web and email services. These critical services have security vulnerabilities and are often targeted for attack.For example, now the voice service is vulnerable to worms, viruses, and Denial of Service (DoS), which have not previously been issues with the circuit-switched network. Additionally, there are many more individuals who know how to attack an IP system. This includes individuals who know how to find vulnerabilities, how to develop exploits, and "script kiddies" who execute an attack without really understanding the impact.

VoIP is a service residing on the shared IP network; as such, it's accessible by users on the Local Area Network (LAN) and, directly or indirectly, by users on the Internet.

Technologies like switched Ethernet and Virtual LANs (VLANs) provide some separation, but are not guaranteed. Much of the promise of VoIP involves integration of voice with other applications, so VoIP will generally have to be accessible. VoIP signaling, which is how services and calls are controlled, is available on the IP network and is usually present on well-known IP ports. The same is true for supporting services, such as administration, which is often provided through a web server.

VoIP requires more components and software than a traditional circuit-switched network. Components include IP PBXs, supporting servers, media gateways, switches, routers, firewalls, cabling, IP phones and softphones. More components mean greater potential for vulnerability. VoIP components often use general-purpose operating systems, which tend to have more vulnerabilities than purpose-built operating systems. Some IP PBXs use databases and web servers, which can also have vulnerabilities.

There are also many VoIP "standards," including the Session Initiation Protocol (SIP), H.323, the Media Gateway Control Protocol (MGCP), H.248, and vendor-proprietary protocols/versions. There are also multiple version of these protocols in use.Many of these standards are complex and their implementation will have flaws -- which leads to vulnerabilities. This is due to the complexity of the standard and vendor "rush to market."

Protocols can be either implemented by the vendor (which means they have to focus on building a secure implementation) or purchased from a "stack" vendor (in which case vulnerabilities are shared among any system using the stack). The figure below illustrates the basic layers of software used in an IP PBX -- any of which can have vulnerabilities.

IP PBXs are not your closed switches of yesterday. They include many layers of software that can create vulnerabilities, including VoIP "standards" like Session Initiation Protocol (SIP), H.323, the Media Gateway Control Protocol (MGCP), H.248, etc. Many of these standards are complex and their implementation will have flaws. Protocols can be either implemented by the vendor (which means they have to focus on building a secure implementation) or purchased from a "stack" vendor (in which case vulnerabilities are shared among any system using the stack).

An implementation flaw is a programming mistake, such as not properly checking the size of a protocol request, which, when exploited, can result in the following issues:

* Remote access. An attacker obtaining remote (often administrator level) access.* Malformed request DoS. A carefully crafted protocol request (a packet) exploiting a vulnerability which results in a partial or complete loss of function.

* Load-based DoS. A "flood" of legitimate requests overwhelming a poorly designed system. Due to their critical role in providing voice service and the complexity of the software running on them, IP PBXs are the primary target for attackers. Some of their vulnerabilities include:

* Operating system attack. Exploits a vulnerability in an operating system. An attack that makes use of this vulnerability, while perhaps not directed toward a VoIP system, can nevertheless create issues.

* Support software attack. Exploits a vulnerability in a key supporting software system, such as a database or web server. An example is the SQL Slammer worm, which exploited a vulnerability in the database used on a specific IP PBX.

* Protocol attack. Exploits a vulnerability in a protocol implementation, such as SIP or H.323. An example is the vulnerability in the H.323 implementation in Microsoft's ISA Server. * Application attack. Exploits a vulnerability in the underlying voice application, which is not filtered by the protocol implementation.

* Application manipulation. Exploits a weakness in security, such as weak authentication or poor configuration, to allow abuse of the voice service. For example, registration hijacking or toll fraud.

* Unauthorized access. Occurs when an attacker obtains administrative access to the IP PBX.

* Denial of Service. Either an implementation flaw that results in loss of function or a flood of requests that overwhelms the IP PBX. For examples of DoS against SIP components, see:

www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/These same types of vulnerabilities are present with other components in a VoIP network, depending upon the software used. DoS on signaling is a common problem, as shown in the research described in the URL provided above.

DoS on media is also a serious problem. VoIP media, which is normally carried with the Real-Time Protocol (RTP), is vulnerable to any attack that congests the network or slows the ability of an end device (phone or gateway) to process the packets in real time. An attacker who has access to the portion of the network where media is present simply needs to inject large numbers of either RTP packets or high Quality of Service (QoS) packets, which will contend with the legitimate RTP packets.

Users expect voice calls to be private, as opposed to email or Instant Messages (IM), which are usually not expected to be private. Although some VoIP calls are encrypted, most are not. Additionally, encryption without strong authentication can not guarantee privacy because participants can't be sure an attacker is not performing a Man-In-The-Middle (MITM) attack and accessing the media.

If an attacker does gain access to the unencrypted media, simple tools such as VOMIT can be used to listen to audio.

General Recommendations* Use some form of host-based intrusion detection to detect attacks.

* Deploy a voice-optimized firewall to protect the IP PBX from attackers on the LAN and Internet.

* Build a switched network. This not only improves performance, but also makes it more difficult for an attacker to access end points.

* Make use of VLANs to help segregate traffic.

* Secure all networking components, including switches, routers, etc.* For campus VoIP, configure Internet firewalls and other security systems to prevent VoIP from entering or leaving the internal network.

* Limit the number of calls traveling over the WAN to the media gateway or any shared resource that could be overloaded by a DoS attack.

* Consider additional firewalls and security products to control or monitor traffic on the network. Specialized Firewalls

Deployment of VoIP-optimized firewalls and security gateways at key points in the network is also recommended. Locations include between the IP PBX and the phones, at the WAN perimeter, and Internet/Service Provider perimeter. A VoIP-optimized firewall performs the following functions:

* Provides voice application-level security by monitoring signaling for attacks. If the signaling is encrypted, the VoIP-optimized firewall must be able to decrypt the signaling.* Provides 99.999% uptime and insures latency is not added to media sessions.

* Interfaces with the existing data firewall, if appropriate.

* Monitors the signaling and performs protocol-aware NAT and media session management.

* Preserves QoS markings.

* Interoperates with circuit-switched firewalls to allow hybrid security during migration to VoIP.Among other things, a VoIP-optimized firewall: provides voice application-level security by monitoring signaling for attacks; insures latency is not added to media sessions; and interoperates with circuit-switched firewalls to allow hybrid security during migration to VoIP.

Don't Forget The Phones

It is also important to secure IP phones and softphones. Phones are the most common component in a VoIP network -- and the easiest to exploit. Recommendations for securing phones includes:

* Purchase phones that offer strong security, such as strong authentication/encryption for signaling and media.

* Update/set administrator passwords to a strong value.* Set passwords used for registration (or related functions) to strong values, as opposed to a common string or a "mechanical" setting, such as a simple variant of the extension.

* Disable any remote access features, such as telnet.

* Use strong authentication for any web-based access to the phone.

* Disable local administration of the phone.

* Secure the phone firmware upgrade process.* Enable logging if possible.

Insist on using strong authentication for softphones in order to prevent a rogue application from attacking the voice network.

Setting Standards

Finally, certain security standards can be used for strong authentication and encryption. These standards can allow secure interoperation between components and are slowly being adopted by vendors:

* Transport Layer Security (TLS). Provides point-to-point encryption and authentication of a TCP/IP session, such as that used between an IP PBX and a phone. * Secure RTP (SRTP). Provides encryption of an RTP (media) session.

* IP Security (IPsec). A Layer 3 means for encryption and authentication.

* S/MIME. Used to encrypt and protect the integrity of SIP messages.