Strategies to Keep Your VoIP Network Secure

Transcription

1 V OIP NETWORK SECURITY VoIP enterprise deployments need strategies to help provide a balance between security and ease of use. Wesley Chou Strategies to Keep Your VoIP Network Secure A s VoIP technology matures, more IT departments have made the jump to integrate VoIP into their enterprise communication systems. But, before an organization fully commits to the technology, it should perform a risk assessment, paying close attention to any security measures needed to protect these IP-based voice networks. For telephone systems where controlled access throughout the communications infrastructure isn t necessary, services that leverage machines on the public Internet could be a cost-effective choice. However, for systems where secured network control is critical,voip networks based on private enterprise infrastructures should be considered. This article focuses on the security measures associated with private-enterprise-based VoIP networks. (See the Skype An Example Public Internet-Based VoIP sidebar for a short discussion on the issues associated with using public Internet-based VoIP service providers.) Certain measures extend traditional network security practices. Other measures address specific vulnerabilities unique to the VoIP realm. VOIP INFRASTRUCTURE Inside Skype An Example Public InternetBased VoIP Further Reading 42 VoIP is simply application traffic over the IP-based Internet. However, by understanding how to address the security issues involved in a voice network, you can perform any protective measures and procedures prior to embarking on a large-scale deployment. A VoIP network has its own infrastructure for traffic control and management. Figure 1 (on page 44) shows a simple VoIP network s components.the first component is the IP phone itself. The second component is a call session manager that runs one of the VoIP signaling protocols. The two standards-based protocols used in the enterprise network space are Session Initiation Protocol (SIP) defined by the Internet community; and H.323, defined by the telecommunications community. (Skype and other public Internet-based VoIP providers typically use proprietary signaling and messaging protocols.) The session manager handles call control and management, including its setup and tear down. The third component, an authentication server, authenticates system users.the fourth component required if the IP network is to interact with a traditional public switched telephone network is a gateway to convert VoIP data into traditional phone signals. Although such gateways are often simple protocol translators,some might require controllers to administrate calls. Each component in the VoIP network has its own vulnerabilities. Beyond the network infrastructure, VoIP traffic itself is an application that needs security. Not only does the voice stream need protection from eavesdroppers, but the voice mail database needs to be secured and the gateways must be monitored to prevent toll fraud. Thus, vulnerabilities faced by the VoIP network can be categorized as those related to the VoIP-specific network infrastructure, VoIP-specific application, and underlying IP network. Published by the IEEE Computer Society ITAuthorized Pro September October licensed use limited 2007 to: Jyvaskylan Ammattikorkeakoulu. Downloaded on October 16, 2008 at 05:37 from IEEE Xplore /07/$ IEEE Restrictions apply.

2 VOIP NETWORK INFRASTRUCTURE VULNERABILITIES From a network layer perspective, a VoIP infrastructure is just a data network with a particular type of application traffic. Thus, standard data encryption and authentication techniques apply. However, relying on preexisting mechanisms is not enough. Administrators need to address a VoIP network s specific components and unique network designs. Issue: standard VoIP signaling protocols might be incompatible with existing firewalls A VoIP call using SIP and H.323 is initiated in two phases: a call setup, or signaling phase, and the voice call itself. The signaling phase locates the intended callee, negotiates call parameters, and dynamically allocates IP ports for the call s voice portion. Consequently, it is only at this point that VoIP endpoints are aware of the IP ports they will use to communicate. However, firewalls only allow specific, known port traffic to pass. So, unless the firewall is aware of the ports that should be allowed through, it will block the voice traffic. Strategy 1: use firewalls that recognize signaling protocols. A firewall with the ability to understand and interpret the signaling protocols would recognize voice traffic and allow it to pass. The firewall can then parse any signaling control messages and extract the appropriate ports. All major vendors offer enterprise-class firewalls capable of parsing VoIP signaling protocols. However, a software upgrade might be required or a license paid to gain this functionality. Strategy 2: use a proxy server to send and forward VoIP traffic. Instead of an end-to-end connection, a voice call can pass through a proxy server sitting outside the secure region of both caller and callee firewalls. Each firewall-protected user can then connect to this proxy server and send all voice calls through the server. It s imperative that the proxy server itself is secured, as it sits outside the firewall. This is an appropriate approach for organizations with firewalls that can t be upgraded to VoIP protocol aware, or if the organization doesn t wish to modify or upgrade its firewalls. This approach would deviate from models using SIP or H.323 because they don t follow the proxy-server model. Skype An Example Public Internet-Based VoIP Service Provider Enterprise-level VoIP systems in use today predominantly use infrastructures based on Session Initiation Protocol (SIP) or H.323. However, small organizations might find public Internetbased VoIP systems, such as Skype (see security/guide-for-network-admins.pdf), useful without having to use a dedicated IT environment. Skype is a software-based solution that, when installed, makes the host machine a softphone. The Skype software performs discovery techniques to determine if the host is behind a firewall and/or a network address translation (NAT) device. Even if one of these is the case, the host can still initiate and receive calls (see Skype security is thorough in the respect that it uses standard, acknowledged encryption protocols to protect the data stream. However, in terms of secure use within an enterprise network, you need to consider a few issues. Skype relies on the entire Internet, not a corporate intranet, for efficient use. It uses a network of supernodes, all running Skype, which can act as proxy servers for hosts that are behind firewalls. Note that any host running Skype can be promoted to supernode status without prompting the user. While this allows for efficient use of the Internet s bandwidth and processing power, it implies that a voice call can go through an unpredictable and dynamic path and through an insecure, uncontrolled proxy server. In addition, if an enterprise does not use a firewall itself, it could find that all of the hosts with Skype have become supernodes. Skype as a host program scans ports and IP addresses to identify if it s behind a firewall or NAT devices. Although its intentions are benign, this action deliberately attempts to punch holes through firewalls intended to provide network security. Attackers could exploit these holes. As a proprietary protocol, it s difficult to determine with certainty what is going on behind the scenes. It s true that public protocols such as SIP and H.323 have the drawback of being too open and thus vulnerable to attack. However, hosts running Skype should treat the software like an OS and aggressively apply any security patches (see , ,00.asp). As noted in the main portion of this article, the use of softphones prevents the best practice segregation of the voice and data networks. With its ease of use and quick installation, Skype can provide a cost-effective solution for a small enterprise that is primarily concerned with the call integrity and has no need to secure a large enterprise network. However, enterprises requiring total control and administration of its network might find it a less desirable choice. Authorized licensed use limited to: Jyvaskylan Ammattikorkeakoulu. Downloaded on October 16, 2008 at 05:37 from IEEE Xplore. Restrictions September apply. October 2007 IT Pro 43

3 VOIP NETWORK SECURITY Figure 1. Components of a simple VoIP network. Authentication server IP phone Public switched telephone network Call manager IP network PBX gateway IP phone Gateway controller Issue: vulnerabilities of processing VoIP signaling protocols There is a twist to the aforementioned practice of using a firewall that understands VoIP signaling protocols. Since both SIP and H.323 are published, well-documented standards, some attacks might be generated with the intent of identifying and exploiting common errors in a protocol implementation.armed with public and well-defined message formats, attackers can generate malformed messages in an attempt to disrupt a signaling device. In fact, a study performed by the University of Oulu, Finland, on VoIP signaling products found that almost all vendors products had vulnerabilities in their mechanisms to parse the wellknown protocol packets (see research/ouspg/protos/testing/c07/sip/). Strategy: keep firewalls up to date with security patches and upgrades. After the University of Oulu study, all vendors immediately responded with security patches to close system holes. IT staff should perform benchmarks and negative tests on VoIP-protocol-aware firewalls to ensure that they have the most up-to-date patches. Issue: vulnerabilities due to PC-based controllers and gateways Most traditional network devices either run a proprietary OS or a standard, real-time OS that is less scrutinized than the widespread OSs found on PCs. In a VoIP deployment however, the gateway and controller components frequently run on PCs with well-known OSs. An attacker who has learned the IP address of the signaling control device or gateway might target it with a virus that could effectively halt all VoIP calls on the network. Strategy: vigilance in keeping antivirus and antimalware current. The best practice of keeping the most recent antivirus and antimalware software on such management workstations is the same as general workstation security. In other words, standard techniques such as monitoring user logins, keeping up to date with OS security patches, and restricting system access should be employed. Issue: increase in network accessibility One obvious component of network security is physical accessibility to the network.although the actual network equipment in a data center can be secured in a protected room or even a cage, the various wall jacks to that central location need to spread freely throughout an enterprise campus. Each jack represents another entry point to the entire network.when deploying desktops or stationary workstations, physical access to the data network can be controlled by restricting the number of wall jacks enabled.a VoIP deployment dramatically increases the number of such active ports. At a minimum, assuming at least one IP phone per desk, the number of active ports doubles. Even if there is not an IP phone at every desk, the active port number is likely to increase. After all, one of the advantages of IP phone deployments is that the phone can be located anywhere on the network while the phone number stays the same. To accommodate this feature, almost all wall jacks to the VoIP network should be enabled.this means the sudden creation of many more entry points to the network exposed to potentially malicious attacks. The use of wireless IP phones might reduce the requirement of enabled physical jacks. However, the basic concept is still the same. Any security policy that attempts to control or limit access to the network will need modification to allow new devices access. Strategy: harden the IP phone. If the network is hardened so that it performs access control before allowing a device onto the network, then the risk of having live wall jacks is reduced. A hardened IP phone contains a security certificate that validates the phone s integrity and ensures that only trusted devices have network access. For scaling purposes, it s imperative to implement such hardening efforts prior to widespread IP phone deployment. Issue: voice and data network crossover access If voice and data networks share subnets, then the vulnerability of open ports applies to both the voice and data network. In other words, if intruders gain access to the voice network, then they have by default gained access to the data network. 44 IT Authorized Pro September licensed use October limited 2007 to: Jyvaskylan Ammattikorkeakoulu. Downloaded on October 16, 2008 at 05:37 from IEEE Xplore. Restrictions apply.

4 Strategy: segregate data and voice networks. A good practice is to segregate the data and voice networks so they exist on different IP subnets. In this case, an increase in network accessibility is isolated to the voice network alone. Thus, an attack on one network does not necessarily result in an attack on the other network. Issue: softphone weaknesses Softphones, another major attraction of VoIP technology, are software solutions that run on standard PCs to make those PCs act like an IP phone. Similar to issues faced by hardwired IP phones and network-based firewalls, a softphone operation might not be compatible with traditional software-based firewalls running on the same host. In addition, like VoIP controllers and gateways, softphones are software applications that reside on a PC host and are thus subject to the same vulnerabilities as that host. I ve addressed these two issues previously; however, an additional problem faced by softphones is the difficulty in segregating softphone voice traffic from the data traffic. With a softphone, the voice network must share the same subnet as the data traffic. Consequently, any attack to the voice network can potentially cause disruptions to the data network and vice versa. Strategy: use softphones only in select environments. To protect against unauthorized host access to the network, a VoIP network can require that specific softphone instances access the network from registered PCs. The assumption is that a registered PC can be more diligently protected from OS or application viruses. However, the problems involving lack of network segregation aren t easily avoided. In fact, the National Institute of Science and Technology recommends disabling softphones (see VOIP APPLICATION VULNERABILITIES Aside from the network infrastructure component of VoIP deployments, you must remember that VoIP itself is an application. Not only is a VoIP network attractive to an attacker whose mission is to disrupt network operations, but it s also an attractive target to an intruder hoping for personal gain, such as access to voice mail or toll-free calling. Thus, VoIP security encompasses both the network domain as well as the host application domain. Issue: toll fraud and voice mail access The lure of toll-free calls can motivate an intruder to hack into the gateway controller. Once inside, the hacker will then initiate and authorize long distance calls. The digital voice mail repository sitting on the VoIP network is another target that intruders might find too tempting to pass up.access to this data depends largely on both the network s and the database s security. Further Reading Session Initiation Protocol: univercd/cc/td/doc/product/voice/sipsols/biggulp/ bgsipcf.htm VoIP tutorial: literature/white_papers/ pdf VoIP security report: /kuhn_2004_06_ispab.pdf VoIP Security Alliance: RFC on Session Initiation Protocol: ietf.org/rfc/rfc3261.txt H.323 specification: H.323/en Strategy: use network access and PC-based security guidelines. Hardening IP phones so that they contain security certificates and using tight password protection can mitigate unauthorized access to both gateway and voice mail servers. In addition, the use of up-to-date antispyware software and the general reduction of open IP ports on the servers reduces the risk of unauthorized access to specific server machines. General database encryption techniques can also help protect the voice mail system s integrity. UNDERLYING IP NETWORK VULNERABILITIES For all its unique qualities, certain aspects of VoIP security do fall under the umbrella of data network security. The use of encryption protocols such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Internet Protocol security (IPSec) can secure transfers in both data and voice networks. However, the delay introduced by such encryption is tolerated less in a voice network than in a standard data network. In addition, the end-to-end encryption of a voice stream can hide the details of the underlying signaling protocols. Without this information, a firewall scanning for VoIP ports will be unable to determine which ports to allow through. Issue: latency and jitter from the IP network s security architecture The actual performance impact of SSL, TLS, and IPSec encryption and decryption varies based on the exact algorithm used. However, latency or jitter cannot be avoided as the cryptodevice performs the mathematical operations required to manipulate the data stream. Since a voice delay of 150 milliseconds is noticeable and therefore unacceptable (see /SP final.pdf), administrators must ensure cryptodevices on the network can operate within these delay constraints at peak load. Authorized licensed use limited to: Jyvaskylan Ammattikorkeakoulu. Downloaded on October 16, 2008 at 05:37 from IEEE Xplore. Restrictions September apply. October 2007 IT Pro 45

5 VOIP NETWORK SECURITY Strategy: conduct performance benchmarking. Performing benchmarks will determine if an existing data network s firewalls, configurations, and security architecture can handle the expected peak voice load.the end-to-end latency should be no more than 150 ms. Most major vendors encryption and decryption devices meet these requirements. Issue: end-to-end encryption of signaling protocols prevents firewalls from learning dynamic ports Sign Up Today As mentioned earlier, firewalls need to understand VoIP signaling protocols. To do this, they must parse and interpret the signaling traffic. If this traffic is encrypted, then they will not know which ports to allow through. Note that the firewall s ability to operate is unaffected by end-toend encryption of the voice data stream. Strategy: configure the firewall to operate as a signaling proxy server. If the firewall can act as a signaling proxy server, then it can actually decrypt the setup messages and extract the necessary ports. In this case, the firewall will have to be benchmarked to ensure that it can decrypt and encrypt traffic, examine the messages for dynamic ports, and set up and tear down those ports at peak load. If the firewall in use does not have this capability, then a network design that incorporates a signaling proxy server can be used. In this case, some communication needs to occur between the proxy server and the firewall to update which ports are allowed. S ecurity in a VoIP network is key due to the specific vulnerabilities of both the network infrastructure and the application architecture. While simple extensions to data network security can help mitigate these vulnerabilities, performance implications might require upgrading any existing components to higher-performance devices. Wesley Chou is an engineering manager within the Application Delivery Business Unit at Cisco. Contact him at wschou@gmail.com. For the IEEE Computer Society Digital Library Newsletter Monthly updates highlight the latest additions to the digital library from all 23 peer-reviewed Computer Society periodicals. New links access recent Computer Society conference publications. Sponsors offer readers special deals on products and events. Available for FREE to members, students, and computing professionals. Visit 46 ITAuthorized Pro September October licensed use limited 2007 to: Jyvaskylan Ammattikorkeakoulu. Downloaded on October 16, 2008 at 05:37 from IEEE Xplore. Restrictions apply.