Five Tips for Securing VoIP
Thanks to immature standards, competing protocols, and nascent products, keeping VoIP secure isn’t easy. Here’s where to start.
What’s your plan for securing voice over Internet protocol (VoIP) telephony?
Companies are replacing their public switched telephone network (PSTN) equipment with VoIP technology. Since VoIP devices rely on IP networks, security experts predict attackers will increasingly attempt to exploit VoIP vulnerabilities via the Internet.
With immature standards, competing protocols, and nascent products, keeping VoIP secure won’t be easy. Even so, you can start with these five steps: secure the data infrastructure, restrict VoIP traffic to a VLAN and monitor it, deploy firewalls to safeguard VoIP equipment and gateways, use encryption, and ensure VoIP devices are physically secure.
VoIP Attacks Still Rare
For the moment, any VoIP security efforts will have a head start on attackers. “We’re at a point in the market where [VoIP] adoption in the mainstream is amazingly healthy, but it hasn’t reached critical mass, which, by the way, is why you don’t hear a lot about security violations, and people with voice networks getting hacked,” notes Steve Mank, chief operating officer of Qovia, an enterprise IP telephony management vendor.
Experts say between 25 and 30 percent of enterprises have begun implementing VoIP, though most of them only have small rollouts. According to a report from Osterman Research, “only one in six organizations is more than halfway complete with the convergence of their voice and data networks, or are complete with this convergence.”
As that convergence increases, one recent case previews the types of VoIP attacks companies may experience. Last month, federal authorities said they arrested two men for purportedly “brute-force hacking” into the IP telephony networks of small companies, starting in late 2004. The men allegedly used the networks to route VoIP calls for their own customers, ultimately selling over “10 million minutes of Internet phone service to telecom businesses.” While the companies with hacked networks were stuck with the connection bills, the two men reportedly reaped more than $1 million in connection fees.
Rocky Road to VoIP Security
Despite the risks of using VoIP, security administrators face numerous challenges when attempting to secure it. According to “Security Considerations for Voice over IP Systems,” a report released by the National Institute of Standards and Technology (NIST), “VoIP can be done securely, but the path is not smooth.”
One current problem is simply a lack of standards. “It will likely be several years before standards issues are settled and VoIP systems become a mainstream commodity,” says the NIST report. “Until then, organizations must proceed cautiously, and not assume that VoIP components are just more peripherals for the local network.”
Indeed, any VoIP security regimen must acknowledge VoIP are not just phones but computing devices. “When you look at IP phones, they all have some operating system, some memory, some small processor,” says Mank. “You have the ability to run mini-applications that can display stock quotes, baseball quotes, and each of those mini-apps represents something that needs to be checked.”
VoIP phones, gateways, and related enterprise “soft phones”—software-only VoIP applications running on PCs, which are increasingly being rolled out to telecommuters—may also include less well-known features, such as Telnet, chat, and presence information, and enable it by default out of the box. While such functionality can be good for employees’ productivity, “the downside, just from a security perspective, is lots of ports open, lots of services running, lots of risk,” says Gary Miliefsky, founder and chief technology officer of NetClarity, which sells network vulnerability products and services. Thus network administrators must track not just vulnerabilities reported for any VoIP equipment, but also for any software running on that equipment or bundled with VoIP soft phones.
Best Practices: VoIP Security
What should security-conscious companies look for when evaluating VoIP equipment? “Our recommendation is to go for the equipment that has the administrative horsepower” to manage and log all VoIP activities, says Miliefsky.
Yet securing VoIP entails more than logging VoIP usage or even securing the underlying IP infrastructure. “Although securing the data infrastructure—having an excellent security policy and an effective implementation of it—is critical, from a VoIP perspective, it’s only 25 percent of the solution,” says Mank.
To more easily manage VoIP security, he recommends enterprises restrict all VoIP traffic to one virtual LAN (VLAN) that doesn’t carry any other data. That way, “you’ll know everything that’s on your VoIP network, so it makes it harder for someone to get on who’s not supposed to be there.”
He also advises “tracking traffic patterns” since anomalous usage—for example, middle-of-the-night calls to foreign countries, numerous log-on attempts, or dramatically increased voicemail access—may indicate the network has been subverted or is being attacked. For example, in the case mentioned above, the attackers allegedly used a brute-force password attack, trying thousands or millions of passwords until one gained access. Such behavior would not look normal in VoIP logs.
Because VoIP phones typically have an IP address (often fixed), a MAC address (always fixed), and a TCP/IP stack, Miliefsky also recommends companies rely on firewalls to “really lock down which IP and MAC addresses in your network that can get at the administrative interfaces of these systems.” Then, “set up another firewall in front of your SIP [session initiation protocol] gateway,” to restrict incoming access to the phones to just the company’s in-house VoIP equipment, and IT administrators. Since phones with a fixed-IP address are more easily exploited—attackers can guess or deduce the IP address—“that’s one good countermeasure to reduce the risk of someone breaking into it.”
To block man-in-the-middle attacks, wherein attackers eavesdrop on calls, consider encrypting VoIP communications. Mank says the two most popular approaches to encryption are the Secure Real Time Protocol (SRTP), which encrypts communications between endpoints, or Transport Level Security (TLS), which encrypts “the whole call process.”
Finally, evaluate physical security, such as who has access to Ethernet ports. “The traditional problem,” says Mank, “is administrators can’t see beyond the router and switch down to the endpoints,” to know, for example, that a VoIP is really a company-maintained VoIP phone. Indeed, “it’s possible to spoof a MAC and IP address with a soft phone just by plugging your self into an RJ44 port and getting in.” Accordingly, “you need to have a solution that gets you down to those endpoints,” to guarantee only approved devices, and users, are accessing the VoIP network.
While these five steps don’t guarantee a secure VoIP network, they will make companies more secure, and thus a less likely target for VoIP attacks.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.