Security Best Practices for Enterprise VoIP
Preventing Attacks and Managing Risk
A Sipera White Paper, September 2007
Summary

To take full advantage of unified communications (UC), enterprises are extending their voice over IP (VoIP) networks to soft phones, WiFi/dual-mode phones and other devices. At the same time, they are connecting to service providers using Session Initiation Protocol (SIP) trunks, creating federations with other enterprises, and integrating collaboration, multimedia and presence applications. By using the internal IP PBX to handle external calls over VoIP and adding unified communications applications, enterprises can decrease costs, improve collaboration and ensure business continuity. But many enterprises have yet to realize the security implications of extending their VoIP network over public and/or untrusted networks.

A number of security best practices must be followed to prevent attacks and minimize risk when extending VoIP. Some of these can be borrowed from the data world: keeping security patches up to date, installing the latest anti-virus software, encrypting traffic for privacy, and authenticating users. But if this were the end of the story and existing data security measures were enough to protect unified communications, this white paper would not be needed. Enterprises must understand that VoIP and UC applications have security requirements distinct from those of data networks, and these must be addressed to protect the unified communications infrastructure. VoIP/UC threats, which are very different from data threats, can allow hackers to carry out spoofing and denial-of-service attacks, force unwanted reboots, place unauthorized toll calls (toll fraud), and take over a device to steal or delete confidential data, raising compliance and risk management concerns.
This white paper looks at these VoIP/UC-specific security requirements and, in particular, at the threats targeting the enterprise VoIP/UC network and its users, including reconnaissance, eavesdropping, spoofing, denial of service (DoS), VoIP spam, and VoIP-to-data exploits. Having identified the threats, the paper explores VoIP/UC security best practices, the shortcomings of existing data security products in satisfying those best practices, and the requirements for a comprehensive VoIP/UC security solution.
Introduction

Traditionally, threats from VoIP and unified communications do not make it onto lists of the top information security issues. Such lists contain threats like system probing, e-mail attacks, default password attacks, and sniffing. However, like any complex computer network, VoIP/UC networks have their own unique security challenges that must be addressed. To give a simple example, standard security best practices recommend separating the voice virtual local area network (VLAN) from the data VLAN to prevent traffic on one network from reaching the other. However, unified communications allow soft phones installed on the data VLAN to talk to hard VoIP phones on the voice VLAN. Completely blocking traffic between the two VLANs would prevent this communication. Consequently, IT administrators may end up allowing traffic between the two VLANs freely, which, if not monitored, also allows worms, viruses and other attacks to cross from one VLAN to the other. While some enterprises may not deploy soft phones today, VoIP soft phones are an integral part of any unified communications framework.

At the same time, enterprises could introduce other issues by extending the IP PBX to VoIP remote users working at home, or by integrating WiFi/dual-mode phones that may connect to any untrusted access point. Finally, to get the full benefits of unified communications, enterprises must open their VoIP/UC networks to their service provider using SIP trunks to bypass the PSTN, or create federations among partners and bypass the service provider altogether. In all these cases the VoIP/UC network is now open and exposed to untrusted networks, devices, or users. Therefore, because of the inherently open nature of unified communications, one cannot ignore VoIP/UC threats while investing other resources to protect critical assets and confidential data residing on the data network.
Equal importance must be given to protecting VoIP/UC devices to achieve comprehensive security across the enterprise. This paper outlines a number of potential attacks that put VoIP/UC among the top information security concerns for CIOs/CSOs, and looks at the VoIP security best practices for preventing them and managing risk.

Benefits of Extending Unified Communications

Real-time, unified communications have a significant and obvious appeal for enterprises and end-users because they allow the Internet and existing data networks to become a cost-effective transport for things most people want to do, such as placing voice calls, participating in video conferences, exchanging instant messages (IMs), and a host of other communications applications. In addition, enterprises are embracing VoIP and unified communications to increase productivity and improve collaboration.
But the true potential of these business applications has yet to be realized, as most are deployed in a closed network. These benefits can be increased tenfold if the IP PBX and its real-time communications are extended outside the enterprise to remote and mobile workers, branches, and soft phones, along with connecting to service providers using SIP trunks. More importantly, cost savings, business continuity, mobility, and the trend towards outsourcing are compelling enterprises to open up their communications infrastructure beyond the enterprise perimeter, as shown in Figure 1.

[Figure 1: diagram of the voice/data center(s) IP PBX connected over the Internet, WAN/VISP and PSTN to a remote worker, a mobile worker, headquarters and branch(es). Callouts: cost reductions and capital savings, employee lifestyle; cost reductions, disaster recovery and business continuity; cost reductions, productivity and collaboration; cost reductions and capital savings, business continuity.]
Figure 1: Extending the IP PBX can help the enterprise realize many business benefits.

By extending VoIP to remote workers and connecting branch offices, the enterprise can drastically decrease telecommunications charges by using its internal IP PBX to handle calls to and from such locations without any telecom provider, and can route international calls over the Internet at much lower rates. Mobile workers can also significantly reduce plan overages and roaming charges while enjoying true mobility, with one phone and one number, by using WiFi/dual-mode phones. But cost is only part of the appeal: these new communications applications enable increased efficiency and collaboration by integrating soft clients and IT infrastructure such as Microsoft OCS into one converged network. Plus, connecting to your service provider using a SIP trunk gives enterprises the ability to implement a crucial business continuity and disaster recovery plan.
VoIP is Different

These benefits do not come without a significant tradeoff, as we can see by taking a step back and looking at what happened with Internet-based applications and communications. Because the Internet is an open system, any user can freely connect to it at any time from any place with little effort or oversight. This makes the Internet an untrusted network and a fertile breeding ground for a wide variety of malicious and unauthorized activities that can affect any enterprise, group, or user. Network protocols, operating systems, web browsers, e-mail clients and other applications are persistent targets of attacks.

[Figure 2: VoIP and unified communications are real-time, peer-to-peer, and protocol and feature rich. Callouts: separate signaling and media planes; low tolerance to false positives/negatives, non-availability and/or low quality; maintain call states in real time for thousands of users with minimal QoS impact.]
Figure 2: VoIP and unified communications are very different from data applications.

At the same time, it's important to understand that unified communications, including VoIP, are very different from web applications and e-mail, as shown in Figure 2. VoIP/UC is real-time by its very nature and involves maintaining several dozen states for thousands of users with minimal QoS impact. The protocols themselves, such as SIP, are feature-rich and use separate signaling and media planes, which allow devices to talk peer-to-peer rather than using the traditional client-server methods of the data world. Finally, there is an extremely low tolerance for false positives/negatives, non-availability or low quality compared to the data world.

It's easy to see that unified communications demand unique security best practices and a security solution that not only borrows applicable best security practices from the data world but adds specific VoIP/UC protection techniques that take into account the real-time, peer-to-peer, and feature-rich nature of these session-based protocols. But before we look at these VoIP/UC security best practices, it helps to understand the unique threats that a VoIP/UC network may face.

VoIP/UC Security Risks and Vulnerabilities are Different

As enterprises move to deploy unified communications, the traditionally closed phone network is now open to Internet-based software and connectivity.
While this offers tremendous value and ubiquitous connectivity, as shown above, it also makes the communications network prone to attacks similar to those against other Internet-based devices. More importantly, unlike other IP-based clients, the IP-based phone acts like a server in that it is always ready to receive calls, so anyone can send unsolicited messages to it and either ring it, cause a denial of service, or launch a variety of other attacks.
In fact, VoIP networks have thousands of unique vulnerabilities that can be exploited to launch a variety of attacks. Over the last 4 years, the Sipera VIPER Lab, which is comprised of knowledgeable VoIP and security developers, architects, and engineers, has identified over 20,000 threats that can be launched against SIP, UMA and IMS networks, both endpoints and servers.

Table 1: Unique SIP, UMA and IMS vulnerabilities as catalogued by Sipera VIPER Lab

Signaling attacks on infrastructure   SIP         UMA    IMS
Fuzzing                               see below   3543   >20000
  BNF impractical errors              >4000
  Syntax errors                       >6000
  Delimiter errors                    >6000
  Field value errors                  >3000
  Context dependent errors            >1000
  State dependent errors              >500
Reconnaissance                        5           8      8
Floods                                >30         47     >60
Distributed floods                    >30         32     >40
Total                                 >20565      3630   >20108

Signaling attacks on end users        SIP         UMA    IMS
Misuse/spoofing                       19          8      19
Session anomalies                     4           4      4
Stealth                               2           2      7
Spam                                  2           2      6
Total                                 27          16     36

Media attacks                         RTP/RTCP/RTSP
Fuzzing                               10
Floods                                4
Misuse/spoofing                       7
Total                                 21

All told, enterprises need to be aware of, and effectively protect their network from, these attacks against their infrastructure and the additional ones against end-users, which are unique to unified communications. Some of the more prevalent and potentially damaging VoIP-specific threats include:

Reconnaissance
Unlike traditional phone networks, discovering VoIP endpoints and servers available on the corporate network is very easy and is generally the first step towards exploiting vulnerabilities and penetrating the network. Several well-known scanning tools may be used to discover VoIP endpoints and nodes in the network.
Spoofing
Several VoIP phones may accept requests from arbitrary source IP addresses without authenticating the sender. This vulnerability can be used to send spoofed messages directly to the phone. Either the source IP address or application-level information like caller ID can be spoofed. Additionally, malformed messages may be directed to the phone to exploit vulnerabilities.

Eavesdropping
There are several tools which can sniff data on networks. If the signaling and/or media traffic used for voice communication is not sufficiently encrypted, it may be possible to capture media packets and reconstruct an intelligible conversation.

Weak Authentication
Authentication mechanisms used in VoIP infrastructures may have implementation flaws. For example, a server may not cross-check the username in the credentials against the username requesting service access, allowing usernames and caller IDs to be spoofed. Easy caller ID spoofing simplifies social engineering attacks.

Signaling and Media Manipulation
Unencrypted signaling channels can be easily sniffed to inject spoofed messages and either disconnect or redirect voice communication. Similarly, in unencrypted media channels it may be possible to inject specially crafted low-volume media packets to degrade voice quality.

DoS/DDoS
Flooding the phone with spoofed requests is a very simple and effective way to overwhelm the phone's protocol stack and cause denial of service (DoS). Some phones may even reboot under such an attack. In a distributed DoS (DDoS) attack, the attacker(s) use multiple sources to launch the assault, or a single source masquerading as multiple sources, to attack the target system. Unique to VoIP phones is a low-volume attack, called stealth DoS, that causes the phone to ring continuously.

VoIP Spam / Phishing
VoIP spam, or Spam over Internet Telephony (SPIT), is unsolicited and unwanted bulk messages broadcast over VoIP to an enterprise network's end-users.
The cost of launching millions of such spam calls is greatly reduced compared to the cost of using the traditional telephone network. Additionally, phishing attacks have been seen which ask unsuspecting users to go to a particular web site or call a specific number to verify their personal details and account information.
Fuzzing
Malicious users employ fuzzing techniques to create maliciously formatted messages that exploit vulnerabilities like buffer overflows, format string bugs, and other implementation flaws. Several phones accept requests from arbitrary source IP addresses, making it easier to send malicious packets to the phone directly, bypassing the security mechanisms employed at the server.

Service Theft/Fraud
Using spoofing, replayed authentication credentials and a whole host of other techniques, it may be possible for hackers to steal VoIP service for their own financial gain. A well-publicized incident occurred in June 2006 when Edwin Pena was charged with allegedly defrauding VoIP service providers to garner as much as $1 million from unsuspecting customers.

Regulatory and Compliance
Depending on the industry, unified communications may be subject to various regulatory requirements. In the US, the most high-profile acts that may apply include the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Because your VoIP network is subject to all of the same security threats as the data network, plus the several unique ones outlined in this paper, it's important to see how these regulatory requirements apply to your specific industry.

VoIP-to-Data Exploits
Even with traditional data security fully deployed, it is possible to launch a buffer overflow that allows an attacker to take control of an enterprise softphone and gain access to all the data stored on the victim's laptop.
Furthermore, the attacker can also do the following damage to the victim's laptop:
- Copy the confidential data to a remote computer
- Delete the data
- Deny access to the data
- Change the system registry
- Shut down or reboot the laptop

New VoIP-specific Threats

The threats above are unique to VoIP when compared to traditional phone systems and should obviously be a major concern to enterprises as they transition their TDM networks to VoIP/UC. While many of these threats are similar to data threats, such as spoofing, eavesdropping, and weak authentication, there are also new VoIP threats that are not found in either TDM or data networks; these may be of bigger concern to the enterprise and require new VoIP/UC security best practices. These new VoIP-specific threats include:
- Gaining access to the network using a VoIP phone: The LAN port available on several VoIP phones can directly connect a malicious laptop to the private LAN.
- Exploiting the management interface of the VoIP phone: Several phones can be accessed over HTTP and used to get into private call records and to initiate unauthorized calls.
- Negotiating less secure signaling and media encryption options: Unless a policy is enforced to ensure all calls are set up with encrypted media in the first place, a malicious phone that refuses to use SRTP will result in unencrypted media between the phones, which makes it easy to eavesdrop on the conversation.
- Voicemail flooding: Unless a time-of-day based policy is applied, a VoIP voicemail server can be flooded with unsolicited messages that fill up everyone's voicemail boxes.

Adopting and Enforcing VoIP/UC Security Best Practices

So far, we have discussed numerous vulnerabilities in VoIP/UC applications that can be exploited to steal service, cause a denial of service, eavesdrop on conversations, steal confidential data and cause other damage to data and VoIP networks. These attacks can come from external sources such as hackers, malicious users and spammers, or from internal threats such as disgruntled employees, infected PCs or e-mail attachments. Despite these concerns, enterprises should not shy away from extending their IP PBX and deploying unified communications. These issues are easily addressed through up-front planning and assessment of risk, ongoing maintenance and proper configuration of the infrastructure, and installing a comprehensive VoIP security solution which proactively satisfies many of these security best practices. The best practices below may seem straightforward enough but, in spite of this white paper and several other documents on this topic, they are not always enforced or correctly followed. The reasons behind this may be budgets, time, misunderstandings, or even just apathy towards security.
Whatever the reasons, leaving VoIP/UC networks unprotected makes them and the co-existing data networks vulnerable to numerous security threats. To truly secure data and VoIP/UC networks, enterprises must adopt and enforce security best practices borrowed from data security, but there are also new and unique VoIP/UC-specific security best practices that are even more important; these will be explored first.

Perform a VoIP/UC vulnerability assessment

As part of your VoIP/UC planning, a thorough security assessment should be performed to identify the risks and potential vulnerabilities. This should start with the discovery of all VoIP/UC assets, protocols, and applications on the networks, which are then analyzed using the most up-to-date vulnerability information databases. If possible, a penetration test of the applications, infrastructure and devices themselves should be conducted to ensure they are protected from VoIP/UC-related attacks.

Implementation of strong UC policies

Defining groups and applying policies to each provides an additional layer of security within the VoIP/UC network and allows the enterprise IT manager to control who talks to whom, using which device and from which network. To implement this best practice, it's imperative to be able to apply granular UC security policies based on network, user, device and time of day. This makes the policies not only strong but also flexible, and ensures applications, users and devices are controlled.

Police interconnection points with a VoIP/UC-specific firewall

VoIP/UC relies on opening and closing a range of media ports, while signaling protocols use well-known ports on the firewall. To maintain security between the enterprise network and the Internet, or between data and voice VLANs, firewalls that are VoIP-aware and track call state must be deployed to dynamically handle NAT (Network Address Translation) and inspect all traffic that passes through them. Even better, deploying a VoIP/UC security product that can simplify existing firewall rules and minimize the number of ports that must be opened makes the system more secure still.

Apply sophisticated VoIP/UC-specific intrusion prevention techniques

When implementing an intrusion prevention system, enterprises should look for those that are aware of the complex nature of VoIP/UC protocols and can conduct detection, mitigation and prevention in real time. Further, such a device should also be able to understand user behavior, as this is the most effective method of analyzing and eliminating false positives/negatives, which can be extremely damaging to the VoIP/UC service and user experience.
Together, this intrusion prevention system (IPS) functionality proactively protects the VoIP/UC service from attacks, misuse and service abuse.

Other VoIP/UC security best practices

There are some additional best practices specific to VoIP/UC which are crucial to addressing the new VoIP-specific threats not seen in either TDM or data networks:
- Ensure QoS while enforcing security.
- Disable LAN ports on VoIP phones, since these ports can be used to connect a laptop and get directly onto the enterprise LAN. For example, consider such a port on a public lobby phone.
- Disable unencrypted signaling and media options on all phones to enforce TLS and SRTP encryption of the signaling and media at all times.
- Have a strategy to keep the phone system available during emergencies.
- Apply time-of-day security policies, since some behavior which is not suspicious during the day can be suspicious at night in a VoIP/UC system.
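As an added example (not Sipera's product code), the following Python sketch evaluates call attempts against group, network-zone, device and time-of-day rules of the kind described under strong UC policies and time-of-day policies above, with first-match semantics and a default deny; the address plan, groups and rules are constructed.

```python
"""Granular UC policy evaluation by network zone, user group, device and
time of day. This is an added example, not Sipera's product code; the
address plan, groups and rules below are constructed for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class CallAttempt:
    caller: str    # SIP user identity, e.g. "alice@corp.example"
    callee: str
    src_ip: str    # address the signaling arrived from
    device: str    # "hardphone", "softphone" or "wifi-phone"
    hour: int      # local hour of day, 0..23


# Constructed address plan: a voice VLAN, a data VLAN, everything else remote.
ZONES = [
    ("voice-vlan", ipaddress.ip_network("10.10.0.0/16")),
    ("data-vlan", ipaddress.ip_network("10.20.0.0/16")),
]


def zone_of(src_ip: str) -> str:
    addr = ipaddress.ip_address(src_ip)
    return next((name for name, net in ZONES if addr in net), "remote")


# Constructed groups. "pstn-gateway" is the callee through which toll calls
# leave the enterprise; "internal" lists every enterprise user.
GROUPS = {
    "finance": {"alice@corp.example", "bob@corp.example"},
    "lobby": {"lobby-phone@corp.example"},
    "pstn-gateway": {"gw@corp.example"},
    "internal": {"alice@corp.example", "bob@corp.example",
                 "lobby-phone@corp.example"},
}


def in_group(identity: str, group: str) -> bool:
    return group == "all" or identity in GROUPS.get(group, set())


def in_hours(hour: int, window: tuple) -> bool:
    """True if hour lies in [start, end); the window may wrap midnight."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    callers: str = "all"               # group name or "all"
    callees: str = "all"
    devices: frozenset = frozenset()   # empty means any device
    zones: frozenset = frozenset()     # empty means any zone
    hours: tuple = (0, 24)             # [start, end) in local hours

    def matches(self, a: CallAttempt) -> bool:
        return (in_group(a.caller, self.callers)
                and in_group(a.callee, self.callees)
                and (not self.devices or a.device in self.devices)
                and (not self.zones or zone_of(a.src_ip) in self.zones)
                and in_hours(a.hour, self.hours))


# Evaluated top to bottom; the first match wins and anything unmatched is
# denied, so a call is only allowed by an explicit rule.
POLICY = [
    Rule("lobby phones never reach the PSTN gateway", "deny",
         callers="lobby", callees="pstn-gateway"),
    Rule("no toll calls from soft or WiFi phones after hours", "deny",
         callees="pstn-gateway",
         devices=frozenset({"softphone", "wifi-phone"}), hours=(20, 6)),
    Rule("softphones on untrusted networks are not trusted", "deny",
         zones=frozenset({"remote"}), devices=frozenset({"softphone"})),
    Rule("calls to internal users", "allow", callees="internal"),
    Rule("finance toll calls from the voice VLAN in office hours", "allow",
         callers="finance", callees="pstn-gateway",
         zones=frozenset({"voice-vlan"}), hours=(7, 20)),
]


def evaluate(attempt: CallAttempt, policy=POLICY) -> tuple:
    """Return (action, rule name) for the first matching rule, else a deny."""
    for rule in policy:
        if rule.matches(attempt):
            return rule.action, rule.name
    return "deny", "default deny"


if __name__ == "__main__":
    for a in [
        CallAttempt("alice@corp.example", "gw@corp.example", "10.10.1.5", "hardphone", 10),
        CallAttempt("alice@corp.example", "gw@corp.example", "10.20.3.4", "softphone", 22),
        CallAttempt("bob@corp.example", "alice@corp.example", "203.0.113.9", "softphone", 9),
    ]:
        print(a.caller, "->", a.callee, evaluate(a))
```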
Data security best practices needed for VoIP/UC

Along with the new VoIP/UC-specific security best practices above, the following best practices borrowed from the data world must also be implemented:

- Keep security patches up to date: Inadequate patching exposes the VoIP and data networks to risks that could easily be avoided. Many attacks target software vulnerabilities and implementation flaws to achieve very specific and potentially damaging aims. A systematic approach to monitoring and installing patches from the vendor must be formed and religiously followed to protect your assets.
- Install and maintain a good anti-virus system: Ensure all laptops, servers and other devices have a sophisticated anti-virus system installed and updated regularly to prevent viruses, worms and other malware from affecting both the data and VoIP networks. While existing anti-virus solutions do not adequately protect against VoIP attacks, because they do not recognize them, you do want to ensure that a virus or worm does not impact the VoIP/UC network or applications from the data side as the infrastructures converge.
- Enforce strong authentication and encryption wherever possible: It's imperative that all signaling be encrypted, but just as important is that all media be encrypted to ensure the privacy and confidentiality of the conversation. At the same time, all endpoints should be verified using digest, certificates or, ideally, two-factor authentication techniques. Inbound calls should only be accepted from trusted or verifiable sources.
- Secure WiFi access points: Anyone implementing a WiFi network knows that you need to secure it, ensure only authorized endpoints have access, and encrypt the traffic. Now, with WiFi/dual-mode phones being deployed in the enterprise, similar precautions need to be taken to ensure no rogue devices gain access to the network for either VoIP or data communications.
- Use VLANs to keep voice and data traffic separate: By segmenting voice and data traffic using virtual LANs, VoIP traffic is prioritized, resulting in lower latency and better quality. VLAN separation also helps to prevent data attacks from affecting the VoIP network. However, if you're rolling out soft clients, enabling Microsoft OCS or incorporating other collaboration applications, this separation will be far less effective, as you need to allow voice traffic onto the data VLAN and vice-versa, which means you need to police the interconnection point.
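To illustrate the weak-authentication flaw described earlier (credentials not cross-checked against the requesting identity) and the digest authentication called for above, here is an added Python example, not Sipera's or any PBX vendor's code: a server-side RFC 2617 digest check that also binds the authenticated username to the From identity and rejects replayed nonce counts. The realm, accounts, passwords and reason labels are constructed.

```python
"""Server-side SIP digest verification that cross-checks the authenticated
username against the From identity and rejects replayed credentials. Added
example, not Sipera's or any IP PBX's code; the realm, users and passwords
are constructed. Digest computation follows RFC 2617 (MD5, qop=auth)."""
import hashlib
import hmac
import re
import secrets

REALM = "corp.example"
# Constructed credential store (a real server would store HA1, not passwords).
PASSWORDS = {"alice": "s3cret-alice", "bob": "s3cret-bob"}

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
_FROM_USER = re.compile(r"sip:([^@>;]+)@")


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop=auth (RFC 2617)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(username, password, method, uri, nonce, nc, cnonce):
    """What a client sends back after a 401/407 challenge (used by the demo)."""
    resp = digest_response(username, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", qop=auth, nc={nc}, cnonce="{cnonce}"')


def parse_authorization(header: str) -> dict:
    """Parse 'Digest k="v", k=v, ...' into a dict of parameters."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(header[len("Digest "):])}


class DigestVerifier:
    def __init__(self):
        self._nonces = {}  # nonce we issued -> highest nonce-count accepted

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = 0
        return nonce

    def verify(self, method, uri, from_header, authorization) -> tuple:
        """Return (accepted, reason); the reason labels are constructed."""
        try:
            p = parse_authorization(authorization)
            username, nonce, cnonce = p["username"], p["nonce"], p["cnonce"]
            response, nc = p["response"], p["nc"]
            nc_value = int(nc, 16)
        except (ValueError, KeyError):
            return False, "malformed-authorization"
        if p.get("realm") != REALM or p.get("qop") != "auth" or p.get("uri") != uri:
            return False, "realm-qop-or-uri-mismatch"
        # Replay protection: only nonces we issued, and nc must keep increasing.
        if nonce not in self._nonces:
            return False, "unknown-or-expired-nonce"
        if nc_value <= self._nonces[nonce]:
            return False, "replayed-nonce-count"
        # The cross-check the paper says is often missing: the authenticated
        # account must be the identity the request claims in its From header.
        m = _FROM_USER.search(from_header)
        if not m or m.group(1) != username:
            return False, "username-does-not-match-from"
        password = PASSWORDS.get(username)
        if password is None:
            return False, "unknown-user"
        expected = digest_response(username, password, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected.encode(), response.encode()):
            return False, "bad-credentials"
        self._nonces[nonce] = nc_value
        return True, "ok"


def run_scenarios() -> list:
    """Three constructed INVITEs: legitimate, replayed, and identity-spoofed."""
    v = DigestVerifier()
    nonce = v.issue_nonce()
    uri = "sip:bob@corp.example"
    auth = build_authorization("alice", PASSWORDS["alice"], "INVITE", uri,
                               nonce, "00000001", "c0ffee")
    legit = v.verify("INVITE", uri, '"Alice" <sip:alice@corp.example>;tag=1', auth)
    replay = v.verify("INVITE", uri, '"Alice" <sip:alice@corp.example>;tag=2', auth)
    # Valid credentials for alice, but the From identity claims to be bob.
    spoof_auth = build_authorization("alice", PASSWORDS["alice"], "INVITE", uri,
                                     nonce, "00000002", "c0ffee")
    spoof = v.verify("INVITE", uri, '"Bob" <sip:bob@corp.example>;tag=3', spoof_auth)
    return [legit, replay, spoof]
```

A server that skipped the From cross-check would accept the third request, which is exactly the caller-ID spoofing path the paper describes.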
Comprehensive VoIP/UC Security

Sitting at the edge of the enterprise network or in front of the IP PBX, as shown in Figure 3, a dedicated, comprehensive VoIP security appliance can address the most important and VoIP/UC-specific issues raised above and ensure best practices are followed.

[Figure 3: deployment diagram. Elements shown: hacker, spammer, voice/data center(s) with IP PBX and centralized EMS, remote worker, VoIP Remote User Security, SIP Trunk Security, Internet, IP PBX Security, VISP, mobile worker, WAN, PSTN, rogue device, headquarters, infected PC, rogue employee, branch(es).]
Figure 3: A comprehensive VoIP security appliance can be deployed within the enterprise network to protect the IP PBX and securely enable VoIP remote users and SIP trunks.

Such a purpose-built appliance must solve firewall/NAT traversal, simplify firewall rules, terminate encrypted traffic to the enterprise when the VoIP phone is external to the enterprise, and offer fine-grained policy enforcement to apply different security and call routing rules based on user, device, access network and time of day. But, most importantly, any dedicated VoIP security solution should offer VoIP-specific IPS functionality to protect against signaling and media vulnerabilities through sophisticated security methodologies while maintaining the highest media quality.

Figure 4: Comprehensive VoIP/UC security includes three core pieces of functionality: UC Threat Prevention, UC Policy Compliance and Secure UC Access.
The ideal comprehensive VoIP/UC security solution would incorporate three core pieces of functionality, as shown in Figure 4: UC threat prevention, to ensure unique VoIP/UC attacks are proactively recognized, detected, and eliminated; UC policy compliance, to enforce granular policies on all UC traffic based on user, device, network and time of day; and secure UC access, to guarantee the privacy and authentication of all UC traffic to the enterprise and limit the number of ports open on existing firewalls. This functionality for comprehensively securing unified communications must include the following features:

VoIP/UC Threat Prevention

- Floods and fuzzing prevention: Protection from volume-based denial of service attacks and malformed-message fuzzing attacks. Customized scrubbing rules detect and remove malformed messages which may crash VoIP systems (servers and endpoints), make them vulnerable or degrade their performance.
- Media anomaly prevention: Selectively enables media traffic and enforces rules on the type of traffic carried, based on the negotiated signaling and other configured policies (for example, prevent video, prevent modem/fax). This also prevents bandwidth abuse.
- Spoofing prevention: Various validation techniques are applied to detect and prevent device and caller ID spoofing, including the use of fingerprints for different protocol fields/messages which trigger further validations and verifications.
- Stealth attack prevention: Based on behavior learning, the product can detect nuisance calls to individual users and selectively block them. Stealth attacks are typically undetectable by traditional data security devices and SBCs that rely on rate limiting.
- Reconnaissance prevention: Source behavior must be monitored to detect application-layer scans and block the attackers.
- Spam protection: Unlike e-mail spam, where the message content is available for text analysis, VoIP spam must be prevented by blocking a call even before the actual message is delivered. Network-wide caller trust scores are computed and maintained, and various policies are applied to detect and protect against spammers, including VoIP Turing tests to identify machine-generated calls.
- Signature updates: New signatures for detecting new known and potential attacks must be easily added to a central attack signature database and automatically distributed to all appliances in the network.

VoIP/UC Policy Compliance

- Whitelist/Blacklist: Used to allow or block specific endpoints based on caller identity, SIP URI, IP address, or device name. Entire domains can also be blocked.
- Signaling Firewall: Signaling rules define the action to be taken (allow or deny) for each type of signaling request and response message, giving fine-grained control over protocol headers, methods, and requests.
- Media Firewall: Media rules enforce RTP media packet parameters such as codec types (both audio and video), codec matching priority, firewall rules and NAT considerations.
- Application Control: Application rules enforce which types of unified communication sessions, and how many, are allowed for applications such as voice, video, and/or IM.
- Call Routing Policies: Routing rules give fine-grained control over inbound packet transport settings, name server addresses and resolution methods, next-hop routing information, and outbound packet transport types.

Secure VoIP/UC Access

- Message integrity: The recipient is assured that what they receive is exactly what the sender transmitted. This is achieved by the standard HMAC techniques used in TLS and SRTP.
- Privacy: Unauthorized network users are prevented from eavesdropping on data sent to and from the network by encrypting it, assuring confidentiality for authorized users. This is achieved by the standard encryption algorithms used by TLS and SRTP.
- Authentication: Authentication identifies the parties exchanging information and ensures each party can be sure of whom they are communicating with. This is achieved using two-factor authentication such as RSA SecurID, exchanging digital certificates and/or encrypted password-based digest authentication techniques.
- Replay protection: Transmitted data cannot be captured and replayed at another time. This is achieved by integrity protection of sequence numbers or random nonces.
- Firewall/NAT traversal: Media uses ephemeral UDP ports that need to be open during the call. Enforce signaling/media integrity by allowing media traffic to use only the negotiated port numbers while blocking all non-negotiated ports, to prevent media attacks. For remote users behind NAT, the VoIP firewall must keep the port mapping on the remote NAT refreshed to be able to connect new calls successfully.
- Secure Firewall Channel: Tunnel VoIP/UC traffic to the IP PBX to ensure only one port is open in the internal firewall and that there is no access to other data services. This functionality is crucial to simplifying firewall rules and ensuring the security of the system, making it a key advantage over traditional firewalls.
- Call Admission Control: Set limits on the maximum number of simultaneous calls, bandwidth usage, and call rate for each network, domain, and user group.
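As an added example, not Sipera's product code, the Python below applies scrubbing rules to constructed SIP requests (a CSeq that contradicts the method, an oversized header, missing mandatory headers) and then runs the survivors through a per-source flood check and a per-callee stealth-DoS check of the kind described under floods/fuzzing and stealth attack prevention above; the thresholds, addresses and messages are constructed.

```python
"""SIP message scrubbing plus flood and stealth-ring detection over a
constructed traffic sample. Added example, not Sipera's product code; the
thresholds, addresses and messages are constructed for illustration."""
from collections import defaultdict, deque
import re

METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq")
MAX_HEADER_LEN = 512  # oversized header values are a classic fuzz pattern
_REQ_LINE = re.compile(r"^([A-Z]+) (sip:\S+) SIP/2\.0$")
_USER = re.compile(r"sip:([^@>;]+)@")


def scrub(raw: str):
    """Return ("pass", headers) for a well-formed request, else ("drop", reason)."""
    if any(ord(c) < 32 and c not in "\r\n" for c in raw):
        return "drop", "control-characters"
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = _REQ_LINE.match(lines[0])
    if not m or m.group(1) not in METHODS:
        return "drop", "bad-request-line"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return "drop", "bad-header-syntax"
        if len(value) > MAX_HEADER_LEN:
            return "drop", "oversized-header"
        headers[name.strip()] = value.strip()
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        return "drop", "missing-" + missing[0]
    cseq = headers["CSeq"].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != m.group(1):
        return "drop", "cseq-mismatch"
    if headers.get("Content-Length", str(len(body))) != str(len(body)):
        return "drop", "content-length-mismatch"
    headers["method"] = m.group(1)
    return "pass", headers


class RateMonitor:
    """Short-window per-source counting catches floods; long-window
    per-(source, callee) counting catches stealth DoS, a trickle of INVITEs
    far below the flood rate that keeps one phone ringing."""

    def __init__(self, flood_limit=10, flood_window=1.0,
                 stealth_limit=5, stealth_window=600.0):
        self.flood_limit, self.flood_window = flood_limit, flood_window
        self.stealth_limit, self.stealth_window = stealth_limit, stealth_window
        self._per_src = defaultdict(deque)
        self._per_pair = defaultdict(deque)

    @staticmethod
    def _count(q, now, window):
        q.append(now)
        while now - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        return len(q)

    def check(self, now, src, headers) -> str:
        if headers["method"] != "INVITE":
            return "pass"
        if self._count(self._per_src[src], now, self.flood_window) > self.flood_limit:
            return "flood"
        m = _USER.search(headers["To"])
        key = (src, m.group(1) if m else headers["To"])
        if self._count(self._per_pair[key], now, self.stealth_window) > self.stealth_limit:
            return "stealth"
        return "pass"


def invite(caller, callee, call_id, cseq_method="INVITE", extra=""):
    """Build a minimal constructed INVITE; extra is appended as raw header lines."""
    return (f"INVITE sip:{callee}@corp.example SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 10.20.3.4:5060;branch=z9hG4bK-{call_id}\r\n"
            f"From: <sip:{caller}@corp.example>;tag={call_id}\r\n"
            f"To: <sip:{callee}@corp.example>\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 {cseq_method}\r\n"
            f"Content-Length: 0\r\n{extra}\r\n")


def sample_traffic() -> list:
    """Constructed stream of (seconds, source ip, raw message)."""
    ev = [(0.0, "10.20.3.4", invite("alice", "bob", "c1")),
          (1.0, "10.20.3.4", invite("alice", "bob", "c2", cseq_method="BYE")),
          (2.0, "10.20.3.4", invite("alice", "bob", "c3", extra="X-Fuzz: " + "A" * 2000 + "\r\n")),
          (3.0, "10.20.3.4", "INVITE sip:bob@corp.example SIP/2.0\r\nVia: SIP/2.0/UDP x\r\n\r\n")]
    # Flood: 30 INVITEs to 30 different users inside 0.3 s from one source.
    ev += [(10.0 + i * 0.01, "198.51.100.7", invite("spam", f"user{i}", f"f{i}")) for i in range(30)]
    # Stealth: 8 INVITEs to bob, one per minute, from one source.
    ev += [(100.0 + i * 60, "203.0.113.9", invite("nuisance", "bob", f"s{i}")) for i in range(8)]
    return ev


def process(events) -> dict:
    """Scrub each message, then rate-check the survivors; return verdict counts."""
    monitor, counts = RateMonitor(), defaultdict(int)
    for now, src, raw in events:
        verdict, info = scrub(raw)
        if verdict == "drop":
            counts["drop:" + info] += 1
        else:
            counts[monitor.check(now, src, info)] += 1
    return dict(counts)
```

Note that the stealth source never exceeds the flood threshold, so a device that only rate-limits per source would let all eight ringing INVITEs through.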
Limitations of Existing Data Security Solutions

Traditionally, the security industry reacts to attacks by developing a collection of piecemeal solutions to protect the enterprise. To date, data threats have been effectively mitigated to manageable levels by deploying a number of increasingly sophisticated solutions including firewalls, intrusion detection/intrusion prevention systems (IDS/IPS), network access control (NAC), anti-spam filters and others. This approach will never work for VoIP and unified communications. Many of the security products currently available focus primarily on remediating data threats, and/or they claim to be upgradeable to support VoIP in addition to their main data protection responsibilities. It is a big challenge, if not impossible, to achieve and maintain usable QoS in VoIP/UC deployments if multiple, distributed devices are used to secure VoIP, since each such device adds latency, delay, and jitter to real-time traffic. At the same time, as shown above, implementing a comprehensive security solution to deal with both internal and external threats from application-level DoS/DDoS attacks, spoofing, eavesdropping and others is a formidable challenge.

As mentioned at the outset, the biggest mistake an enterprise can make in securing its VoIP/UC infrastructure is to assume that existing data security products are enough to protect the network and end-users against attacks. At best these data security solutions protect against OS, IP and TCP layer vulnerabilities and attacks such as TCP SYN floods, resource exhaustion with multiple TCP or UDP DoS attacks, HTTP attacks, TCP FIN/RST close-socket attacks and others. They may also offer privacy and authentication if the traffic is encrypted and endpoints are trusted.
But these traditional solutions are not effective against application-level vulnerabilities: they cannot see inside the SIP signaling or the RTP media, and so cannot detect or block VoIP-specific attacks such as call floods, protocol fuzzing, stealth attacks and VoIP spam. A packet that is well-formed at the IP and UDP layers passes straight through them even when the SIP message it carries is malformed, spoofed or the ten-thousandth INVITE from the same source in a second. The table below maps the VoIP security requirements outlined above and shows which ones are covered by the existing data security products.
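The following is an added example, written for this page and not code from the Sipera paper or its products, of the kind of SIP-aware check a data firewall cannot perform. It parses each request at the application layer and rejects fuzzed or incomplete messages, enforces the Call Admission Control limits described above (an INVITE rate per domain and a cap on simultaneous calls), and refuses an INVITE whose From domain does not match the identity authenticated on the transport (the gap Table 2 below notes for IPsec VPNs, which bind the tunnel endpoint but not the VoIP identity). The header-length bound, the limits, the source of the transport identity (assumed to come from a TLS client certificate or IPsec peer) and every SIP message are assumptions constructed for the demonstration, not captured traffic.

```python
"""SIP-aware inspection and call admission control (added example, not Sipera code)."""
import re
from collections import defaultdict, deque
from typing import Optional

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>sips?:\S+) SIP/2\.0$")
URI_HOST = re.compile(r"sips?:(?:[^@>;\s]+@)?([A-Za-z0-9.\-]+)")
MAX_HEADER_LEN = 1024  # assumed bound: oversized headers are a classic fuzzing payload
REQUIRED = ("via", "from", "to", "call-id", "cseq")


class SipError(ValueError):
    """Raised for anything a SIP-aware firewall should drop as malformed."""


def parse_sip(raw: str) -> dict:
    """Parse one SIP request. Rejects a bad request line, oversized or colon-less
    header lines and missing mandatory headers: all invisible to an IP/UDP firewall."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise SipError(f"bad request line {lines[0][:40]!r}")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        if len(line) > MAX_HEADER_LEN or ":" not in line:
            raise SipError(f"malformed header {line[:40]!r}")
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        raise SipError(f"missing headers {missing}")
    return {"method": m["method"], "uri": m["uri"], "headers": headers}


def domain_of(header_value: str) -> str:
    """Host part of the URI in a From/To header, lower-cased."""
    m = URI_HOST.search(header_value)
    if not m:
        raise SipError(f"no URI in {header_value!r}")
    return m.group(1).lower()


class CallAdmissionControl:
    """Per-domain INVITE rate limit and simultaneous-call cap, plus a check that the
    SIP From domain matches the identity the transport authenticated (assumed to be
    the domain from a TLS client certificate or IPsec peer identity)."""

    def __init__(self, max_calls: int, max_invites: int, window: float):
        self.max_calls, self.max_invites, self.window = max_calls, max_invites, window
        self.active = defaultdict(set)    # domain -> live Call-IDs
        self.recent = defaultdict(deque)  # domain -> INVITE timestamps inside the window

    def handle(self, raw: str, now: float, transport_identity: Optional[str]) -> str:
        """Return 'accept' or 'reject: <reason>' for one request seen at time `now`."""
        try:
            msg = parse_sip(raw)
            domain = domain_of(msg["headers"]["from"])
        except SipError as e:
            return f"reject: malformed ({e})"
        call_id = msg["headers"]["call-id"]
        if msg["method"] == "BYE":
            self.active[domain].discard(call_id)
            return "accept"
        if msg["method"] != "INVITE" or call_id in self.active[domain]:
            return "accept"  # non-call requests and INVITE retransmissions are not new calls
        if transport_identity is not None and domain != transport_identity.lower():
            return "reject: From domain does not match authenticated transport identity"
        q = self.recent[domain]
        while q and now - q[0] >= self.window:
            q.popleft()  # slide the window
        q.append(now)  # rejected attempts still count toward the rate
        if len(q) > self.max_invites:
            return "reject: INVITE rate limit"
        if len(self.active[domain]) >= self.max_calls:
            return "reject: concurrent call limit"
        self.active[domain].add(call_id)
        return "accept"


def request(method: str, call_id: str, user: str, domain: str = "example.com") -> str:
    """Constructed sample SIP request (not captured traffic)."""
    return (f"{method} sip:bob@example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:{user}@{domain}>;tag=1928\r\n"
            "To: <sip:bob@example.net>\r\n"
            f"Call-ID: {call_id}@192.0.2.10\r\n"
            f"CSeq: 1 {method}\r\n"
            "Content-Length: 0\r\n\r\n")


def demo() -> list:
    """Constructed sequence: policy of 2 simultaneous calls and 4 INVITEs per second
    for example.com, on a transport authenticated as example.com."""
    cac = CallAdmissionControl(max_calls=2, max_invites=4, window=1.0)
    fuzzed = "INVITE sip:bob@example.net SIP/2.0\r\nVia: " + "A" * 2000 + "\r\n\r\n"
    steps = [
        (request("INVITE", "c1", "alice"), 0.0),
        (request("INVITE", "c2", "alice"), 0.1),
        (request("INVITE", "c3", "alice"), 0.2),  # would be a third simultaneous call
        (request("BYE", "c1", "alice"), 0.3),
        (request("INVITE", "c4", "alice"), 0.4),
        (request("BYE", "c2", "alice"), 0.5),
        (request("INVITE", "c5", "alice"), 0.6),  # fifth INVITE inside one second
        (request("INVITE", "c6", "mallory", "attacker.test"), 0.7),  # spoofed From domain
        (fuzzed, 0.8),                            # oversized Via, no mandatory headers
        (request("INVITE", "c7", "alice"), 2.0),  # window has slid, capacity is back
    ]
    return [cac.handle(raw, t, "example.com") for raw, t in steps]


if __name__ == "__main__":
    for i, verdict in enumerate(demo()):
        print(i, verdict)
```

Every decision here depends on fields a TCP/UDP firewall never parses: the method, the Call-ID, the From URI. Note that rejected INVITEs are still counted against the rate window, so an attacker cannot keep the limit from tripping by being rejected on another rule first, and that an INVITE retransmission with a known Call-ID is not counted as a new call.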
Table 2: Existing data security products offer only a small fraction of the functionality required for comprehensive VoIP security.

Columns: Comprehensive VoIP Security | Firewalls | IPSec VPNs | Data IDS/IPS | NAC. Each row below is one requirement from the best practices above; the qualifications the table records against the data security products follow the row name.

Floods/fuzzing prevention: Not VoIP/UC; Not VoIP/UC
Media anomaly prevention: Not VoIP/UC
Spoofing prevention
Stealth attack prevention: Not VoIP/UC; Not VoIP/UC; Does not bind TLS identity with VoIP identity
Reconnaissance prevention: Not VoIP/UC; IP level only
VoIP Spam protection: Not VoIP/UC
Whitelist/Blacklist: IP level only; Not VoIP/UC
Signaling Firewall: Not VoIP/UC; granular app-level control
Media Firewall: Not VoIP/UC; codec enforcement
Application Control: Not VoIP/UC; IP level only
Call Routing Policies
Message integrity
Privacy
Authentication
Replay protection
Firewall/NAT traversal, Secure Firewall Channel, Call Admission Control: remote NAT; IP level only

In addition to not offering all the required functionality, these data security products do not integrate well with a VoIP/UC network, because the delay they introduce exceeds the delay budget available to a security device while still ensuring toll-quality transmission (the paper puts that budget at 10 ms for signaling and 50 μs for media). In most cases these devices use a store-and-forward method to examine traffic, which is simply not feasible in the real-time world of unified communications. To summarize, existing data security solutions are deficient in three critical ways: they cannot meet the real-time needs of VoIP/UC; they are very limited in detecting VoIP/UC-specific attacks; and they raise total cost of ownership, since multiple boxes must be upgraded or deployed. Existing security measures for IP networks are at best effective only for traditional types of traffic (web access, e-mail, etc.). As VoIP/UC becomes more prevalent and feature-rich, the need for more effective and robust VoIP/UC security solutions becomes obvious.
Why SBCs Do Not Equal VoIP/UC Security

Given the obvious shortcomings of data security products in offering the functionality required for VoIP/UC security, enterprises have begun to explore other options, namely Session Border Controllers (SBCs). According to Wikipedia, an SBC is defined as follows:

A Session Border Controller is a device used in some VoIP networks to exert control over the signaling and usually also the media streams involved in setting up, conducting, and tearing down calls. Within the context of VoIP, the word Session in Session Border Controller refers to a call. Each call consists of one or more call signaling streams that control the call, and one or more call media streams which carry the call's audio, video, or other data along with information concerning how that data is flowing across the network. Together, these streams make up a session, and it is the job of a Session Border Controller to exert influence over the data streams that make up one or more sessions. The word Border in Session Border Controller refers to a point of demarcation between one part of a network and another. As a simple example, at the edge of a corporate network, a firewall demarcates the local network (inside the corporation) from the rest of the Internet (outside the corporation). A more complex example is that of a large corporation where different departments have security needs for each location and perhaps for each kind of data. In this case, filtering routers or other network elements are used to control the flow of data streams. It is the job of a Session Border Controller to assist policy administrators in managing the flow of session data across these borders. The word Controller in Session Border Controller refers to the influence that Session Border Controllers have on the data streams that comprise Sessions, as they traverse borders between one part of a network and another.
Additionally, Session Border Controllers often provide measurement, access control, and data conversion facilities for the calls they control.

As the definition above shows, neither security nor protection is mentioned once as a key capability or even a requirement for SBCs. These devices do offer key capabilities for secure UC access and are an integral part of a service provider or carrier network for peering, billing and other internetworking functions. However, any enterprise that expects its SBC to prevent sophisticated application-level VoIP/UC attacks and to enforce granular policies for compliance and other reasons will find the product sorely lacking. In the table below, SBCs are analyzed against the same functionality required for VoIP/UC security.
Table 3: Session Border Controllers offer some functionality required for secure UC access but they do not offer the protection required for comprehensive VoIP security.

Columns: Comprehensive VoIP Security | SBCs. Rows (the same requirements as Table 2):

Floods/fuzzing prevention
Media anomaly prevention
Spoofing prevention
Stealth attack prevention
Reconnaissance prevention
VoIP Spam protection
Whitelist/Blacklist
Signaling Firewall
Media Firewall
Application Control
Call Routing Policies
Message integrity
Privacy
Authentication
Replay protection
Firewall/NAT traversal
Secure Firewall Channel
Call Admission Control

Qualifications recorded against the SBC column: "Rate limiting only" (one row) and "Signaling only" (three rows); that is, where an SBC does cover a requirement it typically does so at the signaling layer, leaving the media stream unprotected, and its flood protection amounts to rate limiting rather than attack detection.

Conclusion

There is no stopping the move by enterprises to extend their IP PBX to soft phones, WiFi/dual-mode phones, VoIP remote users, and SIP trunks to enable a whole host of unified communications applications. The business benefits an enterprise can realize by making this move are too compelling to ignore. Yet many enterprises have yet to realize the security implications of extending their VoIP/UC network over public and/or untrusted networks. This white paper has outlined a number of security best practices that must be followed to prevent attacks and minimize risk. Some of these best practices come from the data world: keeping security patches up to date, installing the latest anti-virus software, encrypting traffic for privacy and authenticating users.
But new best practices, such as applying VoIP-specific intrusion prevention techniques and policing interconnection points with VoIP-specific firewalls, must be added to these to ensure that VoIP-specific security requirements are addressed and that the unified communications infrastructure is protected, available, and meeting its quality needs at all times. The VoIP threats outlined in this paper are very different from data threats: they allow attackers to carry out application-level spoofing and denial-of-service attacks, force unwanted reboots, place unauthorized toll calls (toll fraud), and take over a device to steal or delete confidential data, which raises compliance and risk management concerns. In light of these considerations, and to meet the best practices above, a comprehensive VoIP/UC security system that offers complete VoIP/UC threat prevention with real-time performance, backed by a VoIP/UC research lab, must be employed. Together, these practices proactively protect the enterprise network from the VoIP attacks, misuse and service abuse that networks and end users face today and will face in the future.
About Sipera Systems

Sipera Systems provides enterprises and service providers with comprehensive VoIP/UC security solutions that protect, control and enable real-time unified communications. The Sipera IPCS products combine VPN, Firewall/SBC, Intrusion Prevention, Anti-Spam, Compliance and Troubleshooting functionality for VoIP systems in a single device. This securely enables IP PBXs, VoIP remote users, SIP trunks, data/voice VLANs, hosted VoIP services and IMS- or UMA-based networks. Comprising top vulnerability research experts, the Sipera VIPER Lab concentrates its efforts on identifying VoIP vulnerabilities, while Sipera LAVA tools verify a network's readiness to resist attacks. Founded in 2003, Sipera is headquartered in Richardson, TX. Visit http://www.sipera.com.

Sipera Systems, 1900 Firman Drive, Suite 600, Richardson, TX 75081, USA. Phone: 214 206 3210. Fax: 214 206 3215. www.sipera.com

Copyright 2007 Sipera Systems, Inc. All rights reserved. Sipera, Sipera IPCS and related products, Sipera LAVA and Sipera VIPER are trademarks of Sipera Systems, Inc.