System Tips
VoIP Security Challenges
By Jeffrey T. Hicks
Principal Software Architect, NetIQ
Do a search on the Internet for "VoIP Security" and your search will come back with thousands, if not millions, of hits. VoIP security is an issue that organizations will need to address as they move to IP Telephony environments. Just as VoIP can bring organizations tremendous benefits, such as cost savings and increased productivity, it also brings its own set of unique security challenges. This article will address security challenges faced in VoIP environments and will offer tips on how to address them.
General Security Issues
As VoIP moves phone service from a separate telephony network to the IP network, it brings with it a number of general security challenges, inherent in any networked computing environment. Challenges include automation, action-at-a-distance, technique propagation and system complexity. Today, hackers who want to break into your computing systems can write programs that will automatically try again and again to infiltrate your environment. These programs can be run from anywhere around the world and can easily be shared with other hackers who want to leverage new techniques. Adding to these challenges is the fact that today's computing environments, and especially VoIP environments, are extremely complex, with multiple entry points to administer and manage.To handle these general security challenges, you must implement a set of security procedures. The first step is to manage vulnerabilities. Any computing system attached to a network can be vulnerable to attack. Keys to managing vulnerabilities include ensuring compliance to security policies, doing periodic vulnerability scans, using notification and advisory services offered by your security vendors and keeping software patches up-to-date. The next step is to defend against known attacks; monitor your firewall log files and event log files for suspicious entries and address anomalies immediately. Finally, general practices like controlling who has access to key systems and utilizing firewalls will further "harden" your systems and make them less vulnerable to attacks.
VoIP Security Issues
In addition to the general security challenges addressed above, VoIP is subject to other new security threats.Toll fraud can be a challenge with VoIP. While reputable companies look to VoIP to save toll charges, less reputable individuals or organizations look to VoIP as a way to use someone else's VoIP system to make calls for free! VoIP systems, which are part of the data network, offer much easier access to systems than traditional PBXs (private branch exchange phone systems), which operate on a separate network and are generally managed by a separate group in the organization.
Accessing private information is also a concern in VoIP environments. Today, to eavesdrop on a traditional phone call, you need a warrant and sophisticated equipment. However, with a VoIP call, especially if the call data is not encrypted, it is relatively easy for even a new hacker to sniff and redirect the traffic to easily overhear the conversation. While keeping calls private is important, protecting call detail and phone list information is also critical because of the confidential nature of the information available in these records.
Figure 1 - If hackers can capture the VoIP packets, they can
reconstruct them into a .WAV file for playback.
Finally, there are some unique VoIP security issues when it comes to general disruption, corruption and annoyances. While denial-of-service attacks can happen in VoIP environments as easily as other computing environments, there also are a number of attacks specific to VoIP applications, like call hijacking, redirection, call spoofing and SPAM over IP Telephony (SPIT).
Addressing VoIP Security Challenges
Dealing with many of the VoIP security issues outlined above involves putting general security policies in place within your organization. Securing facilities and tightening your security processes is an excellent first step in dealing with all security challenges.
In dealing with specific VoIP issues, an initial area to address is the data network-since in a VoIP environment, voice traffic will now be sharing bandwidth with data applications. Security recommendations including separating VoIP traffic where possible (e.g., isolate IP PBXs and VoIP servers on their own VLAN), using switches instead of hubs for more security features and deploying firewalls whenever possible.
A second area to address when dealing with VoIP security is your IP phones. Make sure all phones have secure passwords and watch for IP phones where the password is still the default setting or null. Not changing the password from the manufacturer makes it easy for anyone else who buys that same phone to know your password. Limit public phone usage as well by using the capabilities from your vendor to restrict calls that can be made from phones in public areas, such as your office reception area or common rooms.
Finally, an area that many organizations tend to overlook is the actual VoIP traffic. Use encryption for all external calls and, if possible, for internal calls as well. Simply encrypting traffic will make your environment much more secure. One caveat, though, is to watch network performance as you encrypt traffic. Encrypted traffic requires more device processing and can increase delay, so you may have to deal with declining Mean Opinion Scores (MOS).
VoIP security presents challenges, but these challenges are manageable with careful planning, security awareness and the recommendations outlined in this article.
Jeffrey T. Hicks is a Principal Software Architect at NetIQ Corporation. He has recently led the development teams for the award-winning Chariot® and Vivinet™ Assessor products. He has been active in the design and development of VoIP deployment, testing and management solutions for the past 5 years. In earlier jobs, Jeffrey helped develop innovative network communications software products at IBM. Mr. Hicks holds a master of engineering degree from North Carolina State University and a bachelor of science degree in computer engineering from Auburn University.
Jeff is also the co-author of Taking Charge of Your VoIP Project, available from Cisco Press.