Best Practices in VoIP Security
Don't forget to secure your VoIP network
Implementing voice over IP (VoIP)? Don’t forget the challenge of securing VoIP networks.
One resource for formulating an enterprise VoIP strategy is a new report from the National Institute of Standards and Technology (NIST), “Security Considerations for Voice Over IP Systems.”
The guidelines come as lower costs and improved sound quality are driving many organizations to use VoIP. As the report notes, “More recent VoIP systems have sound quality equivalent to conventional phones, especially if standalone VoIP phones are used.” While the report is aimed at U.S. government agencies, enterprises may also find the guidelines useful for evaluating security concerns prior to a VoIP rollout.
Of course low cost, not security, is the driver for most VoIP installations. In general, voice communications can be operated at lower cost using VoIP than with the traditional Public Branch Exchange (PBX) system. From a technology standpoint, VoIP also allows greater degrees of integration with business productivity tools, including videoconferencing software. For example, some VoIP capabilities already ship as part of Microsoft’s NetMeeting software, which is included with Windows. On the Macintosh platform, Apple’s iChat includes VoIP functionality. Numerous products target both of those platforms, as well as Linux.
Yet VoIP’s lower operating costs and flexibility comes with a security downside—“added complexity in securing voice and data,” notes NIST. “Because VoIP systems are connected to the data network, and share many of the same hardware and software components, there are more ways for intruders to attack a VoIP system than a conventional voice telephone system or PBX.” Security precautions must be taken. Specifics, however, depend upon exactly how VoIP is deployed.
Don’t Choose a VoIP Standard
In many ways, VoIP today resembles the early days of the Internet: specifically, the 1980s through the early 1990s, says NIST. “Competing protocols and designs for the infrastructure of the Net flourished at the time, but as the purpose of the Internet became more defined with the emergence of the World Wide Web and other staples of today’s Net, the structure and protocols became standardized and interoperability became much easier.” Expect the same to happen with VoIP.
When it comes to picking the kind of VoIP to use, NIST recommends organizations support both of the competing standards: SIP and H.323. While the latter’s installed base is larger, “new technologies and new protocol designs have the ability to change VoIP,” and SIP brings some improvements, including easier security. Don’t count either one out.
It’s not clear whether one will best the other, so support both, the organization recommends. “In today’s non-standardized VoIP environment, organizations looking to integrate several VoIP networks ought to support both protocols,” notes NIST. To help, several vendors already offer technology for multi-protocol telephony. Hence, “organizations moving to VoIP should seek out gateways and other network elements that can support both H.323 and SIP. Such a strategy helps to ensure a stable and robust VoIP network in the years that come, no matter which protocol prevails.”
Choose Your VPN
While organizations shouldn’t just pick one standard, NIST does recommend choosing between firewall-based VPNs (such as IPsec VPNs) or end-to-end VPNs. Unfortunately, it’s not as simple as that—organizations must also make firewall-related decisions, since VoIP relies on sending and receiving data packets from outside the network. “The question becomes, should one build firewalls with ALGs [Application Layer Gateways], proxies, firewall-control proxies, and IPsec functionality to facilitate this, or simply tunnel all VoIP traffic straight through the firewall with a VPN,” says NIST. The report outlines the security benefits and drawbacks of each approach.
Another concern is scalability. “The use of VPNs has been touted by many industry articles as the definitive solution to the tribulations posed by firewall and NAT traversal in tunnel mode,” NIST reports. Yet most case studies, NIST asserts, focus on small-scale IPsec VPN implementations, and “VoIP phones are not used in the volume needed to overwhelm the crypto-engines or congest the network enough to cause a significant downturn” in quality of service. It warns a large-scale IPsec VPN rollout might not support an enterprise VoIP deployment.
On the other hand, taking the opposite approach—using VoIP-aware firewalls and end-to-end VPN sessions—could be prohibitively expensive. Furthermore, “such protocol-specific hardware would need to be upgraded each time standards evolve,” according to NIST.
The report proposes a third system, albeit one “that has not been fully developed yet.” It’s a hybrid of the two approaches, and works with either SIP or H.323. Setup information is communicated via a gateway or firewall—necessarily VoIP-aware—and the actual call is handled via VPN tunneling and encryption. This approach lets the firewall handle network protection while letting IPsec handle data security and protection—playing to both of their strengths. Even so, “no expanded study has been done on the ramifications of this hybrid approach.”
Don’t neglect the privacy implications of recording employees’ calls, or retaining records of who called whom and when. These laws and mandates differ by state and industry. For example, government agencies must retain call information for 36 months, per federal regulations.
VoIP also introduces privacy hazards not found in conventional phone systems. While a PBX can be tapped, this endeavor requires a physical connection to the telephone network.
By contrast, VoIP lines could be tapped via malicious software, or communications intercepted en route. “With VoIP, opportunities for eavesdroppers increase dramatically, because of the many nodes in a packet network,” notes NIST. It warns a “packet capture tool or protocol analyzer,” attached to the VoIP network segment could be used to eavesdrop. It recommends applying best practices from the physical security realm to ensure attackers can’t get physical access to network segments. Furthermore, it recommends disabling hub functionality on IP phones, and automatically alerting a security administrator should an IP phone be disconnected.
Finally, don’t forget default passwords, warns NIST. As with so many firewalls and routers, VoIP switches often ships with well-known default passwords, making it easy for attackers to access the equipment remotely, then mirror the packets to listen in on conversations. NIST recommends organizations consider disabling port mirroring to prevent this. In addition, “if possible, remote access to the graphical user interface should be disabled to prevent the interception of plaintext administration sessions.”
VoIP Growth Brings Focus on Security Holes
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.