There are three main concepts within VoIP security: vulnerabilities, threats and incidents. All three need to be evaluated and addressed in order to determine how safe and secure a VoIP network is. VoIP security also depends on where the user is in the industrial value chain.
“For carriers within domains, the security is excellent. The issues for most of them are at the peering points,” said Jonathan Zar, secretary of the VoIP Security Alliance (VOIPSA). “For residential users, the security is poor, since most of the communications are between residences across the unmanaged Internet. For large and medium enterprises in distributed facilities, most of the approved VoIP applications are running inside a LAN [local-area network] or across VPNs [virtual private networks] through the extended LAN infrastructure. If every link is on a protected LAN, and all the tunnels are VoIP capable, then the security can be fairly good.”
Many in the industry feel that properly designed, installed and maintained VoIP systems are quite secure.
“In the last five years since we have been primarily installing IP systems, there has not been a security catastrophe that has stopped customers from using VoIP,” said Chris Stegh, North American IP telephony practice leader of Avaya.
Tony Vo, product manager of IP telephony, Spirent Communications, had a different opinion. “Hacks and attacks are increasing in VoIP services due to increased public awareness of VoIP services,” he said. “We now see more eavesdropping, identify theft and service thefts, which can be done by simply intercepting VoIP signaling traffic.”
One threat to VoIP services is denial-of-service (DoS) attacks.
“If a hacker attacks the IP PBX, forcing it to respond to lots of bogus traffic, the PBX might not have enough horsepower to do its real job, which is to process calls,” said Stegh. “Avaya implements DoS prevention techniques into our IP PBX [private branch exchanges], including a built-in firewall that can block any inappropriate traffic and an intrusion-detection system, which can alert administrators should an infraction occur.”
According to Stegh, privacy and wire-tapping are also VoIP security issues.
“There are shareware tools, which you can load on a PC, span or mirror the LAN switch port of an IP phone, tap into the IP stream and replay it as a .wav file,” said Stegh. “Avaya implements 128-bit encryption on all calls, which sound like white noise when a hacker tries to eavesdrop on them.”
Though not a hacker’s prime target, VoIP does have that threat lingering overhead.
“There are some people who do wonder if their phone can get a virus. Avaya has phones with embedded operating systems,” said Stegh.
While most hackers do not take over a phone, it is something that could potentially occur.
“The nature of the threat is changing,” said Zar. “When we started VOIPSA, there was much concern about voice spam. I think this will become a problem, but quite frankly, our greatest concern today is about deceptive practices, economic loss and fraud. Overall on the ’Net, we see increased automation of attacks. It’s division of labor between people writing script tools and people using them for improper purposes.”
How can contractors combat all the possible threats to a VoIP network? Building security directly into a VoIP network is the best defense.
“Our mantra is to secure every server, device and network,” said Stegh. “Avaya hardens the Linux operating system on its IP PBX server. By stripping out all of the unneeded programs and services from the default operating system, and closing all of the unneeded TCP/IP ports of entry, the server is less at risk of attack and viruses.”
Stegh further explained how certain VoIP solutions allow for some customization, which adds further security functionality.
“We allow clients to strictly control who can access the system and anyone that does must use strong, encrypted protocols before they can enter and configure the system. We require users to authenticate to the PBX with user name and password, of course, and have multiple levels of restriction within the PBX about what numbers each user is able to call,” he said. “We encrypt not only the media stream as described, but also the signaling messages too, so that if a caller uses their keypad to punch in a bank account number and a password, the digits they dialed are not able to be decoded and used illegally.”
Another useful tool is session border control (SBC).
“With respect to security, SBC can look into IP packets and filter malicious traffic before it enters the core network,” said Vo. “To prevent DoS attacks on core network elements like Softswitches, SBC can decode the signaling and determine if the signaling is a valid call signaling. The SBC can also ensure that the overall topology is not exposed to attacks while also securing privacy of the subscriber base.”
The standard, 802.1x, is traditionally associated with wired communications, but it also helps enhance security in the wireless industry.
“802.1x is a layer two security protocol to validate that a device that plugs into the LAN is a legitimate corporate device that can access the network,” said Stegh. “This is just taking off in PCs/laptops/LAN switches and next will come to into IP phones. That way, clients will have an extra level of assurance that the phone plugging into the network is legit.”
“Triple play” is another VoIP term. It combines voice/data/video (VDV) into one platform, creating a one-stop shop for these services.
“Triple play does not concern with technical issues or standards,” said Vo. “It is a business model that service providers have taken to provide lower service costs, unified billings and customer care. As service providers start to implement and deploy triple-play services, there will be technical challenges, like security and performance, that must be overcome to provide high quality of service.”
As this market segment gains consumer acceptance and usage, VoIP security offers electrical contractors an opportunity for financial gain. The key, of course, is to get in place now to prepare for widespread usage later. One way to do that is to take courses and study standards.
“Many recommended security measures and standards proposals are available. By participating in security conferences and standards meeting, and attending vendors’ seminars/courses, contractors can plan to implement secured VoIP network services and scale to future security requirements,” Vo said.
This early involvement is critical for contractors because there are many security measures, but no one rule by which to abide. This means that a lot of recommendations regarding VoIP security are just recommendations. An understanding of the general consensus can give a leg up to those contractors serious about VoIP.
“Companies that have deployed excellent data networks, isolated them, guarded them with firewalls, IPS, malware screening, VLANs, Wi-Fi security and then have upgraded to VoIP capable firewalls are in the best position,” said Zar. “Sadly, this is still only a fraction of the total market.”
However, since the general public is jumping on the VoIP bandwagon, the issue of security will remain in the forefront. EC
STONG-MICHAS, a freelance writer, lives in central Pennsylvania. She can be reached via e-mail at JenLeahS@msn.com.
JONATHAN ZAR, secretary for VOIPSA, said the following: “We started VOIPSA to address an unmet need across the value chain in converged media.”
Its mission is to “drive adoption of VoIP by promoting the current state of VoIP security research, VoIP security education and awareness, and free VoIP testing methodologies and tools.”
VOIPSA is open to all and includes more than 100 companies. Members include major telcos, system integrators, equipment providers, software providers, IT users and members of government and research.