VoIP Telephony Network Security Considerations

TR Standards Project: PN URV
Title: VoIP Telephone Network Security Architectural Considerations
Source: Cisco Systems, Inc., 170 West Tasman Dr., San Jose, CA, USA
Contact: Bob Bell
Phone:
Fax:
Date: November 6, 2001
Distribution To: TIA TR41.4 and TIA TR ice

This contribution has been prepared to assist TIA Standards Committee TR-41. It is offered to the committee as a basis for discussion and is not binding on Cisco Systems or any other company. The recommendations are subject to change in form and/or numerical value after further study. Cisco Systems specifically reserves the right to add to, or amend, the quantitative statements contained herein. Nothing contained herein shall be construed as conferring by implication, or otherwise, any license or right under patent, whether or not the use of information herein necessarily employs an invention of any existing or later issued patent. The contributor grants a free, irrevocable license to the Telecommunications Industry Association (TIA) to incorporate text contained in this contribution and any modifications thereof in the creation of a TIA standards publication; to copyright in TIA's name any standards publication even though it may include portions of this contribution; and at TIA's sole discretion to permit others to reproduce in whole or in part the resulting TIA standards publication.
VoIP Security Network Security Architectural Considerations

1. Introduction

As an aid to discussion of the interconnectedness of the various components of a typical enterprise network, it is important to define the various segments of the network that may interconnect. The following description divides this typical network into 7 segments and associates a color with each segment. It is important to remember that this division is relative to the VoIP components of the network. In practice, there may be several subdivisions of each of these network segments.

It is assumed for this discussion that there exists an isolation gateway between each of these segments. Some may be structured on dedicated VLANs or physical LANs. The isolation gateways include devices such as routers and firewalls. VLANs may also exist within the switches.

It is assumed for the purposes of this document that another, invisible network segment also exists. This special segment is the network intrusion detection segment and contains sensors and evaluation elements. These devices are not specifically defined within this document.

2. Network Segments

Each of the following network segments contains similar devices. Physically, these segments may exist as separate physical LANs or as VLANs or aggregates of either or both types of topologies.

Network segments are described as one of three categories: 1) service crucial, 2) service important, and 3) service neutral. This grading is relative to the functioning of the VoIP system and does not assume the importance of other network elements in relation to other enterprise missions.

Service crucial network segments are those whose disruption would incapacitate the system. Thus, if elements in a service crucial segment are subject to a DoS attack, the entire VoIP phone system would cease to function.

Service important network segments contain elements whose operation markedly enhances the functionality of the system. These would include conference bridges or IVR systems for internal use. Disruption of elements of this segment would cause significant loss of functionality within the system, but calls could still be made.

Service neutral segments are those containing elements that do not significantly impact the VoIP system. Loss of a data server, for example, would not significantly impact the VoIP system.

2.1 Central Call Control and Related Components Segment (Blue Network)

This segment contains the call manager cluster and the database publisher. It can also include CTI servers and other devices that do not receive VoIP media streams. In addition, the CallAgent security registrar is contained within the Blue network. This network provides the signaling control for the system and the associated processes. This is a service crucial network segment.

Bob Bell Page 1 11/6/2001
2.2 Peripheral VoIP Elements Segment (Yellow Network)

This segment contains those endpoints that receive VoIP media traffic. These include such items as DSP farms and Voice Mail. It also includes the VoIP Gateways and phones. It excludes VoIP devices that reside on both the Voice and Data networks. Thus, this grouping does not include PC-based VoIP Terminals. This is a service crucial or a service important network segment depending on the configuration and business plan.

2.3 Voice Associated Work Stations Segment (Green Network)

This segment contains general-purpose devices that span both the Voice and Data networks. This includes the PC-based VoIP Terminals running on a workstation, attendant consoles, and other devices of this sort. This is a service important or service neutral segment depending on configuration.

2.4 Administrator Data Segment (Black Network)

This segment contains the network administrators' workstations and may also contain the user authorization and authentication systems used within the total network. This is a service crucial or service important network segment depending on configuration.

2.5 General Intranet Data Segment (Orange Network)

This segment contains those workstations and servers comprising the Data Network infrastructure. It has its own hierarchy of service crucial, service important, etc. units. In relation to the VoIP system that is being profiled here, this network segment is service neutral at most.

2.6 Bastion Segment (White Network)

This segment contains the servers and related infrastructure that allow access to services within the Internet. This includes HTTP proxies, mail forwarding servers, and Voice Portals. This segment, if it contains elements used within the VoIP system, is a service important segment. Otherwise, this segment is service neutral at most.

2.7 Internet Segment (Red Network)

This segment is the Internet. It is a service neutral segment at best from the standpoint of the VoIP system. This segment should be considered armed and dangerous, and suspect under all conditions.

3. Segment Interconnection Mapping

The following sections describe the information flows from one segment to the others. This mapping helps to identify the access controls needed for the information flows and also identifies the volume of information flow.

3.1 Blue Network

This network segment contains the CALLAGENT and associated servers and processes. Internal communications within the network consist of inter-cluster communications and signaling traffic. The endpoints should authenticate each other, but privacy is probably not a big issue unless the cluster elements are remote from one another.
To Yellow Network

This information flow consists of signaling flows. The endpoints should authenticate each other. For high criticality units such as the DSP farms or Gateways, the endpoints shall authenticate to each other. For highly mobile devices, e.g. IP phones, the endpoints shall authenticate to each other. Signaling privacy is a significant concern, as the keying information for the media privacy is carried in this information flow: whoever can read the signaling can read the media keys. If there is media traffic, because the CALLAGENT processor is providing the conference bridge capabilities for example, this downgrades the security of the Blue network.

To Green Network

This also consists primarily of signaling traffic. Because these devices represent a bridging of the Voice and Data networks, their links shall be authenticated and monitored to prevent these platforms from being used as attack platforms.

To Black Network

There are two classes of information flows related to the Black network: 1) user authentication traffic (e.g. RADIUS requests), and 2) administration actions. The former traffic type is the more numerous and must follow the guidelines established for that type of traffic. It may include routing this traffic type through IPSEC tunnels or other restrictions. The latter traffic type must be authenticated and encrypted, since internal information and machine structure is revealed in these messages. SSH or HTTPS are the recommended mechanisms for providing this protection.

To Orange Network

Contact between the Blue and Orange networks should be extremely limited, if allowed at all. Such contact, in the case of users administering their own phone databases, shall occur only over HTTPS or SSL/IPSEC protected linkage, preferably using digital certificates as the means to authenticate. No other contact shall be allowed.

To White Network

Contact to Internet based services such as stock quotes should terminate on a proxy server in the Bastion Network Segment.
Information that is forwarded to the phones from these servers should travel over IPSEC controlled tunnels that terminate in the service conduits of the CALLAGENT. Certificate Revocation List updates from Cisco should also terminate in a Bastion server and be relayed to the CALLAGENT cluster via IPSEC controlled tunnels. No other contact is envisioned.

To Red Network

No contact with the Red network is allowed.

3.2 Yellow Network

This network segment contains the phones and other media endpoints. Because this network segment is more exposed, greater security requirements exist. All devices must authenticate signaling events, and any images or other information purportedly from the Blue segment must be digitally signed and validated before being allowed to become active within the elements of this network segment. Because of the centralized signaling scheme of the CALLAGENT system, the only internal communications between elements of the Yellow network should be media streams. These streams should be authenticated using HMAC techniques to assure integrity and origin. No other information flows between elements of this network segment are envisioned.

To Green Network

Communication flows with the Green network are envisioned to be only media streams and should follow the same guidelines as the internal Yellow network flows. No other communications with elements of the Green network are envisioned.

To Black Network

As with the Blue network above, all contact with the Black network is strictly limited by the operating rules of that network. A discussion of these rules is beyond the scope of this document.

To Orange Network

The only contact with the Orange network is for the user to manage items on his own phone. This contact is envisioned to occur only over HTTPS secure, authenticated data flows. The authentication should use standard HTTPS means. No other contact is envisioned.

To White Network

No direct contact with the White network is envisioned. All messaging that uses this network should use the service conduits of the CALLAGENT.

To Red Network

No direct contact with the Red network is allowed.

3.3 Green Network

This network contains elements that may bridge between the Voice and Data networks. As such, this network segment represents the point of highest threat to the CALLAGENT VoIP system. Peer communications follow the same guidelines as the Yellow network. However, this network is monitored very carefully for signs of attack. It is desirable that two IP interfaces exist for elements of this network segment. The first resides on the Green network segment. The second is homed on the data segment.

To Black Network

Contact with this segment follows the strict rules of the Black segment. These rules are beyond the scope of this document.

To Orange Network

Contact with the Orange network should only occur on the second network interface, if it exists. If a second physical network is not possible, then the use of VLAN separation is strongly recommended. If that is not possible, traffic from the Orange network should be fully screened and controlled.
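The HMAC authentication of media streams required in 3.2 for Yellow-internal and Yellow/Green flows, shown as an added example. This code is not part of the contribution and is not Cisco's implementation. It assumes an RTP-like packet with a 12-byte fixed header carrying a sequence number and SSRC, a 160-bit per-call key that both endpoints obtained through the (separately protected) signaling channel, and an 80-bit truncated HMAC-SHA1 tag appended to each packet; the packets and key are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

RTP_HEADER_LEN = 12
TAG_LEN = 10  # 80-bit truncated HMAC-SHA1 tag; an assumption for this example

def build_packet(seq, timestamp, ssrc, payload, payload_type=0):
    """Constructed RTP-like packet: version 2 fixed header (12 bytes) + payload."""
    header = struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload

def protect(key, packet):
    """Sender: append an HMAC over header and payload so the receiver can check
    integrity (nothing changed) and origin (only a key holder could tag it)."""
    tag = hmac.new(key, packet, hashlib.sha1).digest()[:TAG_LEN]
    return packet + tag

class MediaReceiver:
    """Receiver for one media stream; holds the per-call key and a replay record."""

    def __init__(self, key, expected_ssrc):
        self.key = key
        self.expected_ssrc = expected_ssrc
        self.seen_seq = set()  # toy replay record; a real stack uses a sliding window

    def accept(self, wire):
        """Return the payload if the packet is genuine and fresh, else None."""
        if len(wire) < RTP_HEADER_LEN + TAG_LEN:
            return None
        packet, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, packet, hashlib.sha1).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # modified in flight, or sent by someone without the key
        _, _, seq, _, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
        if ssrc != self.expected_ssrc or seq in self.seen_seq:
            return None  # wrong source, or a replay of a packet already played
        self.seen_seq.add(seq)
        return packet[RTP_HEADER_LEN:]

def demo():
    """Constructed scenario: one genuine packet, then three attacks on it."""
    call_key = bytes(range(20))     # stand-in for the key carried in signaling
    ssrc = 0x1234ABCD
    rx = MediaReceiver(call_key, ssrc)

    genuine = protect(call_key, build_packet(1, 160, ssrc, b"\x55" * 20))
    accepted = rx.accept(genuine) is not None

    tampered = bytearray(genuine)   # attacker flips one payload bit in transit
    tampered[RTP_HEADER_LEN] ^= 0x01
    tampered_ok = rx.accept(bytes(tampered)) is not None

    forged = protect(b"\x00" * 20,  # attacker without the key spoofs the SSRC
                     build_packet(2, 320, ssrc, b"\xAA" * 20))
    forged_ok = rx.accept(forged) is not None

    replay_ok = rx.accept(genuine) is not None  # captured packet sent again
    return accepted, tampered_ok, forged_ok, replay_ok

if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The tag gives integrity and origin only relative to the key: a device that obtained the call key from the Blue-to-Yellow signaling flow can produce valid tags, which is why 3.1 treats signaling privacy as the controlling concern.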
To White Network

Contact with the White network from the Green interface should not exist. All services requiring contact with the White network for the VoIP applications should come via the service conduits of the CALLAGENT.

To Red Network

No direct connections with the Red network are envisioned.

3.4 Black Network

This administrative network has a set of strict guidelines for contact between it and the other networks. That set of guidelines is under the control of the enterprise network security personnel and is beyond the scope of this document.

3.5 Orange Network

All contacts between the Orange network and those above it in this document are covered in previous sections. There is only one special case, that of an Orange device being connected to the switch in the back of the phone. All other contact is beyond the scope of this document.

To Yellow Network

In the case of an Orange device connecting to the switch of a phone, the Orange device shall not be allowed to transmit on any VLAN other than the base VLAN. All other IEEE 802.1Q VLAN tags should be blocked at that switch. This is to prevent the Orange device from assuming the role of a higher element and masquerading as a Blue network element. No other contact is envisioned except as described previously.

To White Network

Contact with the White network should follow the security policies of the enterprise systems administrators.

To Red Network

Contact with the Red network should follow the network security guidelines established by the systems administrators.

3.6 White Network

Among other types of devices, the White network contains the proxy servers for services present on the phones. The information flows from these servers to the CALLAGENT servers are discussed above. No other communications flows are envisioned. Please note that it is extremely important that these servers be protected with host-based intrusion detection systems as well as other anti-attack measures. The structure of a Bastion network is beyond the scope of this document.

To Red Network

Contact with the Red network should follow the security policy of the systems administrators.

3.7 Red Network

Under normal conditions, there should be no direct contact between elements of the Red network and any other elements within the VoIP system.
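The phone-port rule in 3.5 (an Orange device behind the phone may transmit only on the base VLAN, with every other VLAN tag blocked at that switch), modelled as an added example. This is not part of the contribution and is not a switch configuration; it is a frame filter that parses the 802.1Q tag and applies the rule, so a PC that tags its frames with the voice VLAN in order to reach Blue or Yellow elements is dropped. The VLAN numbers (base VLAN 10, voice VLAN 100), MAC addresses and frame contents are constructed for the demonstration.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
BASE_VLAN = 10             # assumed data VLAN the PC port belongs to
VOICE_VLAN = 100           # assumed voice VLAN used by the phone itself

def build_frame(dst, src, payload, vlan=None, pcp=0):
    """Constructed Ethernet II frame; with vlan set, an 802.1Q tag is inserted."""
    if vlan is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)   # priority bits + 12-bit VID
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload

def vlan_of(frame):
    """Return the VLAN id carried in the frame's 802.1Q tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF

def pc_port_ingress(frame, base_vlan=BASE_VLAN):
    """Decision for a frame arriving from the PC attached to the phone's switch.
    Returns ("forward", vlan) or ("drop", vlan_claimed)."""
    vid = vlan_of(frame)
    if vid is None or vid == 0:        # untagged, or priority-tagged (VID 0)
        return ("forward", base_vlan)  # belongs to the base VLAN
    if vid == base_vlan:
        return ("forward", base_vlan)  # explicit base VLAN tag is still the base VLAN
    return ("drop", vid)               # any other tag: never let the PC pick a VLAN

def demo():
    """Constructed frames from the PC, including an attempt to enter the voice VLAN."""
    pc = bytes.fromhex("020000000001")
    gw = bytes.fromhex("020000000002")
    p = b"\x45" + b"\x00" * 19     # stand-in for an IP packet
    cases = [
        build_frame(gw, pc, p),                  # untagged: normal PC traffic
        build_frame(gw, pc, p, vlan=0, pcp=5),   # priority tag only
        build_frame(gw, pc, p, vlan=BASE_VLAN),  # tagged with its own VLAN
        build_frame(gw, pc, p, vlan=VOICE_VLAN), # PC tries to hop into the voice VLAN
        build_frame(gw, pc, p, vlan=4094),       # any other VLAN
    ]
    return [pc_port_ingress(f) for f in cases]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The check is deliberately on the tag the PC supplies, not on the destination address: the point of the rule is that membership in the voice VLAN is decided by the phone's switch port, never by a tag chosen by the device plugged into it.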
4. Summary Tables

Table 1 - Authentication. Rows (From) and columns (To): Blue, Yellow, Green, Black, Orange, White, Red. Cell values used: Simple, Stringent, Stringent/Media Only, Tightly, None.

Table 2 - Privacy. Rows (From) and columns (To): Blue, Yellow, Green, Black, Orange, White, Red. Cell values used: Yes, Media Only, HTTPS/SSL/TLS, IPSEC, None Required, None.

The per-pair requirements these tables summarize are stated in section 3.