Models of Secure VoIP Systems. VoIP Security Best Practice. Vol. II. Models of Secure VoIP Systems (Version: 1.2) NEC Corporation




VoIP Security Best Practice (Version: 1.2) NEC Corporation

Liability Disclaimer NEC Corporation reserves the right to change the specifications, functions, or features, at any time, without notice. NEC Corporation has prepared this document for the exclusive use of its employees and customers. The information contained herein is the property of NEC Corporation and shall not be reproduced without prior written approval from NEC Corporation. UNIVERGE is a registered trademark of NEC Corporation. Some of the NEC products identified in this document may not be available in certain regional markets. Please contact your NEC representative for availability. 2005-2006 NEC Corporation MS-DOS, Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. All other brand or product names are or may be trademarks or registered trademarks of, and are used to identify products or services of, their respective owners.

Contents

1. Introduction ... 1
1.1 Abstract ... 1
1.2 Audience ... 2
1.3 Authors ... 2
1.4 Acknowledgments ... 2
2. General Model of Secure VoIP Systems ... 3
2.1 VoIP Infrastructure ... 5
2.1.1 Key Components ... 5
2.1.2 Common Threats ... 6
2.1.3 Design Guidelines ... 7
2.1.4 Threat Mitigation ... 7
2.2 Network Infrastructure ... 9
2.2.1 Key Components ... 9
2.2.2 Common Threats ... 10
2.2.3 Design Guidelines ... 10
2.2.4 Threat Mitigation ... 10
2.3 User Access Infrastructure ... 12
2.3.1 Key Components ... 12
2.3.2 Common Threats ... 12
2.3.3 Design Guidelines ... 12
2.3.4 Threat Mitigation ... 13
2.4 Secure Management Infrastructure ... 15
2.4.1 Key Components ... 15
2.4.2 Common Threats ... 15
2.4.3 Design Guidelines ... 15
2.4.4 Threat Mitigation ... 15
3. Small Office System Model ... 16
3.1 Internet Edge ... 17
3.1.1 Key Components ... 17
3.1.2 Threats ... 17
3.1.3 Design Guidelines ... 18
3.1.4 Threat Mitigation ... 18
3.2 Intranet ... 19
3.2.1 Key Components ... 19
3.2.2 Threats ... 19
3.2.3 Design Guidelines ... 20
3.2.4 Threat Mitigation ... 20
4. Large Enterprise Office System Model ... 21
4.1 Centralized IP-PBX Model ... 21
4.1.1 Internet Edge ... 22
4.1.1.1 Key Components ... 22
4.1.1.2 Threats ... 23
4.1.1.3 Design Guidelines ... 23
4.1.1.4 Threat Mitigation ... 23
4.1.2 Enterprise Server Farm ... 24
4.1.2.1 Key Components ... 24
4.1.2.2 Threats ... 24
4.1.2.3 Design Guidelines ... 24
4.1.2.4 Threat Mitigation ... 25
4.1.3 Main Office ... 26
4.1.3.1 Key Components ... 26
4.1.3.2 Threats ... 26
4.1.3.3 Design Guidelines ... 26
4.1.3.4 Threat Mitigation ... 27
4.1.4 Branch Office ... 27
4.1.4.1 Key Components ... 28
4.1.4.2 Threats ... 28
4.1.4.3 Design Guidelines ... 28
4.1.4.4 Threat Mitigation ... 28
4.2 Distributed IP-PBX Model ... 29
4.2.1 Branch Office ... 30
4.2.1.1 Key Components ... 30
4.2.1.2 Threats ... 31
4.2.1.3 Design Guidelines ... 31
4.2.1.4 Threat Mitigation ... 31

1. Introduction

1.1 Abstract

Network security is a paramount concern for every organization these days. Regulations are both increasing in number and coming into force in most regions. Security breaches may damage reputations and cause the loss of business opportunities; and, while IP telephony solutions can produce a new style of office communication and reduce network costs, they add complexity to development and maintenance. Corporate networks are strongly affected by the unique network nature of IP telephony systems and the coexistence of data traffic and voice traffic.

The purpose of the UNIVERGE VoIP Security Best Practices series is to give basic guidance for the secure deployment and maintenance of UNIVERGE telephony systems. This document is Volume II of a series of Security Best Practices for designing and implementing secure IP telephony systems. Volume II provides general examples for designing secure IP telephony systems in accordance with the principles provided in Volume I. Volume II also presents an overview of the secure IP telephony architecture and then details the specific modules that make up the actual network design.

This document begins with an overview of the secure VoIP system architecture. The VoIP system is composed of four infrastructures: VoIP, network, user access and secure management. The key components and security threats of each infrastructure are explained in section 2. Sections 3 and 4 then provide two network examples, one for a small office and one for a large enterprise network. These examples are useful for system integrators designing and implementing a secure VoIP system.

1.2 Audience

The UNIVERGE VoIP Security Best Practices series is intended for network and system managers. Although this document is essentially technical, it can be read without understanding network and system details. The series is composed of volumes intended to provide the right information for your purpose. If you would like to understand the security overview, please refer to both Volume I and Volume II. If you are interested in integrating secure VoIP systems, refer to both Volume II and Volume III.

Since comprehensive security for a corporate network includes too many aspects to cover, this series focuses on basic issues tailored to IP telephony systems. For example, we presume that your organization already has a security policy. NEC does not recommend deploying any security technology or device without first establishing the security policy.

1.3 Authors

Mr. Teruharu Serada and Mr. Toshio Miyachi are the primary authors of this white paper. Mr. Miyachi studied network and VoIP security, providing technological expertise to the NEC Broadband Solutions Planning Division. He is responsible for assisting in the establishment of NEC's corporate strategy for product security within the NEC Corporate IT Division. Mr. Serada works within UNIVERGE product and solution planning as a network security technology expert within the UNIVERGE Solutions Promotion Division.

1.4 Acknowledgments

Special thanks to Mr. Sam Safa and Ms. Laura Hammett for their technical and grammatical refinement of our manuscript.

2. General Model of Secure VoIP Systems

VoIP systems enable the transfer of voice data over an IP network. They also enable new applications that integrate voice and data services: a VoIP system user can, for example, retrieve a phone number from a web-based directory service and make a call with a click of the mouse. VoIP systems consist of the following subsystems/infrastructures, as shown in Figure 2-1 and Figure 2-2:

(1) VoIP infrastructure. The VoIP infrastructure provides VoIP-based telephony service to users. Because data and voice are integrated, users are provided not only legacy telephony service but also access to new IP telephony applications, such as a web-based telephone directory.

(2) IP Network infrastructure. The IP network infrastructure enables IP communication between entities and is also used for general IP communication. Since traffic for IP telephony systems is real-time in nature, QoS requirements should be taken into account.

(3) User Access infrastructure. The user access infrastructure provides the access methods to the VoIP users. Users may access the VoIP system from the Internet and/or the intranet. Within the office, they access the VoIP infrastructure via wired or wireless LAN; from the Internet, they access it via a remote access system.

(4) Management System infrastructure. The management system infrastructure provides the VoIP management functions. It enables the system administrators to configure, customize and maintain every entity of the VoIP system.

Figure 2-1 A Network Model including a VoIP System (VoIP user access, user data access, IP network infrastructure, VoIP data service, management system infrastructure)

Figure 2-2 A Typical VoIP System (remote access from the Internet; user access network; IP infrastructure including router, switch and DNS servers; VoIP infrastructure with IP-PBX, terminals, media/signal gateways and application servers; connections to the PSTN, a public VoIP network and other VoIP systems)

2.1 VoIP Infrastructure

The VoIP infrastructure provides VoIP-based telephony service to users. Compared with traditional PBXs, the VoIP infrastructure provides integration with other network applications.

2.1.1 Key Components

The key components in the VoIP infrastructure are the following:

(1) IP-PBXs. IP-PBXs provide basic telephony features for users. The IP-PBXs set up and monitor calls, maintain the dial plan, perform phone number translation, authorize users, and coordinate the call signaling.

(2) VoIP Gateways. VoIP gateways are responsible for call origination, detection, analog-to-digital voice conversion, and creation of voice packets. In addition, media gateways may provide optional features, such as voice compression, echo cancellation, silence suppression, and statistics gathering.

(3) Application Servers. Compared with traditional PBXs, VoIP systems allow for much tighter integration with other applications on an enterprise network. For example, voice mail service, telephone directory service and Unified Messaging Service (UMS) are implemented as VoIP network applications. These services are offered to users through an application server.

An IP-PBX provides IP-based telephony service for users. The IP-PBX can be divided into two functions: one to process the signals and one to set up calls. The IP-PBX is treated as a single entity, since almost all IP-PBXs are implemented on a single device. The UNIVERGE SV7000 and APEXi series (in the Japanese market) are classified as IP-PBXs within NEC's product portfolio. The IP-PBX provides the communication interface to the application servers, as it provides integrated telephony service to users' applications. In addition to providing an interface to the users' terminals, an IP-PBX also provides an interface to multiple VoIP gateways that allow communication with other organizations' IP-PBXs.

A VoIP gateway is responsible for connecting an IP-PBX to an external telephony network (ISDN network, Japanese 050 public VoIP network and so on). A VoIP gateway can include signal and/or media gateway functions. The signal gateway function is responsible for the translation of the VoIP call control protocol (SIP and H.323) into the legacy PSTN signaling protocol (ISUP, SS7 and so on). The media gateway function mediates the media streams between the IP network and the circuit-switched (traditional telephone) network. While many vendors may have separate devices for the media and signal gateway functions, NEC's products, such as MG(BRI), MG(PRI), MG(SIP) and MC-MG, can perform both functions in a single device; therefore, this paper treats the VoIP gateway as a single entity.

An application server is responsible for providing service to VoIP applications such as a web telephone directory service, Unified Messaging Service (integrating e-mail, FAX and voice mail) and Presence Service (collecting and distributing users' presence information).

2.1.2 Common Threats

The following represent considerable threats:

- General attacks from the Internet and intranet
- Exploits of system vulnerabilities
- Theft of equipment and information from all entities

Threats specific to the IP-PBX:

- Unauthorized user access
- Call interception by a malicious user impersonating an authorized user
- Toll fraud attempts from intranet users
- System failure caused by power failure or network outage
- Disclosure of sensitive information
- Person In-The-Middle (PITM) attacks (a malicious user can behave as the IP-PBX or as the user's terminal)
- Replay attacks

Threats specific to the VoIP gateway:

- Toll fraud attempts from Internet users
- DoS and various other malicious attacks from outside the LAN
- DoS and various other malicious attacks from within the LAN towards a public network (not becoming the attacker is as important as not becoming the victim, as either can cause severe monetary or brand image losses)

Threats specific to the Application Server:

- Unauthorized access to the application server

2.1.3 Design Guidelines

The traffic within a subsystem and across subsystems should be adequately controlled by access controls. Only critical VoIP service and maintenance traffic should be accepted, while unnecessary traffic should be dropped.

The IP-PBX authenticates the user to protect against malicious users' access. Authentication ensures that services are only provided to appropriate users, protecting them from abuse and toll fraud. For traffic encryption, an encryption key agreement should be performed during the authentication process. Traffic encryption prevents attackers from capturing the signaling and media traffic, which in turn prevents them from attempting to gain unauthorized access or request call termination.

To mitigate the possibility of call interception and confidential information disclosure, both signaling and media protocol communication must be encrypted. When an encryption mechanism is adopted, the key parameters for encryption must be set on both the IP-PBX and the terminal. Deploying such encryption also protects against a malicious user trying to gain access.

When an IP-PBX service stops, users cannot use any VoIP service. This may result in the immediate loss of revenue or business. An IP-PBX must continue providing service despite failures such as a power failure or a disaster. In order to maintain the availability of the IP-PBX during such failures, fault tolerance should be considered in the initial network design.

User authentication and authorization must take place not only on the IP-PBX but also on the network application servers. Such access control greatly reduces the chance of a malicious user successfully impersonating another, authorized user.

2.1.4 Threat Mitigation

In general, traffic across subsystems should be controlled by the access control functions of a firewall to protect against network resource consumption and attacks from malicious users.

In order to maintain the confidentiality of all traffic, both signaling and media streams should be encrypted. Encryption mitigates information leakage threats. Each VoIP infrastructure entity should also be physically protected, preventing attackers from stealing users' confidential information.

Furthermore, since VoIP gateways are typically exposed to DoS threats by the nature of their connection to external public networks, a firewall device should be considered to mitigate the possibility of such DoS attacks (e.g. a UDP flood attack). A firewall can not only mitigate such attacks but also prevent other attacks by enabling additional features, such as traffic shaping and protocol anomaly detection. An Intrusion Detection/Prevention System (IDS or IPS) can also be deployed to mitigate DoS attacks and unauthorized access threats.

When an IP-PBX authenticates a user, attacks that try to impersonate a user are prevented or greatly reduced. Authentication must be mutual to prevent Person In-The-Middle (PITM) attacks: while the IP-PBX authenticates the user, the user can also verify whether the IP-PBX (s)he is communicating with is the right server or not.

To mitigate the possibility of call interception and disclosure of confidential information, signaling and media protocol communication need to be encrypted. A key agreement is needed when VoIP communication is encrypted. As shown in Figure 2-3, two encryption keys must be agreed upon. One is the call signaling encryption key, shared by the IP-PBX and each terminal; the other is the media stream encryption key, shared by the two communicating terminals. Mutual authentication and the call signaling key agreement between the user and the IP-PBX are done at the same time. The media encryption key is provided by the IP-PBX or is securely exchanged between the terminals. These keys should not be disclosed to anyone, including the administrators, for security reasons.

Figure 2-3 Two Types of Encryption Keys (signal encryption key between the IP-PBX and each terminal, protecting the encrypted signaling; media encryption key between the two terminals, protecting the encrypted media stream)

Since VoIP system software is complex (see Volume I for more information), it may contain many vulnerabilities. All entities in a VoIP system must have a software update mechanism. When a vulnerability is reported by the vendor and a patch is provided, it should be applied as soon as possible.

In order to maintain the availability of the IP-PBX during failures, fault tolerance should be considered in the initial network design. The IP-PBX and application servers should be redundant, so that service continues when an accident, breakdown and/or maintenance of equipment takes place. Adopting UPS (uninterruptible power supplies) gives the VoIP system power failover redundancy.
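The two-key arrangement of Figure 2-3, as an added example in Go that is not NEC's code: mutual challenge-response authentication between an IP-PBX and each terminal, derivation of a per-terminal signaling key, and delivery of a per-call media key to the two communicating terminals inside AES-GCM-encrypted signaling. The provisioning secrets, terminal IDs, the HMAC-SHA256 derivation and the proof labels are assumptions made for the example; a third terminal, an eavesdropper or a tampered message cannot recover the media key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// IPPBX: provisioned terminal secrets (constructed here) plus one signaling key per authenticated terminal.
type IPPBX struct {
	registered map[string][]byte
	sessions   map[string][]byte
}

func NewIPPBX(registered map[string][]byte) *IPPBX {
	return &IPPBX{registered: registered, sessions: map[string][]byte{}}
}

// kdf: HMAC-SHA256 over a purpose label and both parties' nonces, used as a simple 32-byte KDF.
func kdf(secret []byte, label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label))
	for _, part := range parts {
		m.Write(part)
	}
	return m.Sum(nil)
}

func nonce() []byte {
	n := make([]byte, 16)
	rand.Read(n) // crypto/rand never returns an error on supported platforms
	return n
}

// Authenticate models the mutual challenge-response behind Figure 2-3: the terminal
// proves its secret to the IP-PBX and the IP-PBX proves itself back, so a PITM posing as
// either side fails; both then derive the same per-terminal signaling key (returned).
func Authenticate(p *IPPBX, id string, termSecret []byte) ([]byte, error) {
	secret, ok := p.registered[id]
	nPBX, nTerm := nonce(), nonce()
	if !ok ||
		!hmac.Equal(kdf(termSecret, "term-proof", nPBX, nTerm), kdf(secret, "term-proof", nPBX, nTerm)) ||
		!hmac.Equal(kdf(secret, "pbx-proof", nTerm, nPBX), kdf(termSecret, "pbx-proof", nTerm, nPBX)) {
		return nil, errors.New("mutual authentication failed")
	}
	p.sessions[id] = kdf(secret, "signal-key", nPBX, nTerm) // IP-PBX side copy
	return kdf(termSecret, "signal-key", nPBX, nTerm), nil  // terminal side copy
}

// seal encrypts one signaling message with AES-256-GCM (nonce prepended).
func seal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := nonce()[:g.NonceSize()]
	return append(n, g.Seal(nil, n, msg, nil)...), nil
}

// open decrypts a sealed message; a wrong key or a tampered message fails.
func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// SetupCall: the IP-PBX generates a fresh media key for this call and delivers it to the
// two communicating terminals inside their encrypted signaling; each terminal unwraps it
// with open() under its own signaling key, which no third terminal or eavesdropper holds.
func (p *IPPBX) SetupCall(caller, callee string) (map[string][]byte, error) {
	media := append(nonce(), nonce()...) // 32-byte media key for this call only
	out := map[string][]byte{}
	var err error
	for _, id := range []string{caller, callee} {
		sk, ok := p.sessions[id]
		if !ok {
			return nil, errors.New(id + " is not authenticated")
		}
		if out[id], err = seal(sk, media); err != nil {
			return nil, err
		}
	}
	return out, nil
}
```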

2.2 Network Infrastructure

The network infrastructure is responsible for connecting each node in the VoIP system.

2.2.1 Key Components

The following represent key components in the network infrastructure:

- Switch (layer 2, layer 3)
- Router
- Firewall

These are the same components as in an IP network infrastructure without a VoIP system. It is important for the VoIP network infrastructure to divide the whole network logically into a voice and a data network, so a Layer 2/3 (L2/L3) switch with support for Virtual LANs (VLAN) is required.

The firewall has the responsibility for keeping the network secure from other networks, as it is normally deployed at the point where the networks connect. The firewall applies security policy rules to control the traffic that flows in and out of the protected network by using packet filtering and traffic shaping features. For that reason, a firewall function should be carefully deployed. A firewall can be implemented in various ways: as an application level gateway, as a termination point for all TCP and UDP connections, and/or as a traffic filtering device which inspects and routes all incoming and outgoing packets. When an organization deploys a VoIP system on an existing IP network, the firewall function required by the VoIP system can coexist with the existing firewall without violating the organization's security policy.

Firewall devices with a stateful packet inspection function are now very widely deployed. When stateful inspection technologies are used with VoIP, the firewall is responsible for the following:

- Blocking irregular packet flows. This prevents replay and UDP flood attacks.
- Opening and closing the UDP ports used by an RTP stream. These ports are normally closed and are opened only when the firewall needs to pass an RTP traffic stream.

Not all firewall devices can support NEC's SIP implementation. A list of supported firewall products is given in Volume III.

2.2.2 Common Threats

The following represent considerable threats within the network infrastructure:

- Unauthorized access and toll fraud from malicious users on the Internet or intranet
- DoS attacks from malicious users on the Internet or intranet

2.2.3 Design Guidelines

It is highly recommended to physically or logically separate the voice network from the data network. The VoIP system is implemented over an existing IP network; however, the traffic requirements for VoIP applications are different from those for data. As described in Volume I, VoIP traffic, unlike data, is real-time and delay-sensitive in nature.

Firewalls are used to control and filter inappropriate traffic in the same way as they are used to secure the data network. The VoIP system consists of many subsystems with many key components, and inter-subsystem and inter-component communication can be passed through firewalls. A firewall mitigates the possibility of DoS and unauthorized access. Some firewall products inspect the signaling packets and, when a media stream needs them, open or close the required UDP ports. When the VoIP communication is encrypted, the firewall cannot analyze the SDP (Session Description Protocol) payload; as a result, it may be unable to open or close ports adequately. Whether VoIP communication (or SIP signaling) should be encrypted or not may therefore depend on the presence of a firewall in the IP network.

In addition, it is also important to consider that when Network Address Translation (NAT) is used on the communication route, VoIP and/or SIP communication may not work. Since the sender's IP address is carried inside the SIP/SDP packets, much like FTP PORT mode, SIP/SDP address translation is needed; without such a function, VoIP communication through NAT may not work, and an alternative solution should be considered.

2.2.4 Threat Mitigation

VLAN technology makes logical separation of the network easier. All entities in the network infrastructure should support VLAN. The separation of collision domains mitigates the risk of DoS attacks and packet sniffing. If the VoIP system administrator wants to improve the quality of the telephony service, QoS-enabled switches and routers are recommended. Since the VoIP system is implemented over a common IP network infrastructure, an internal malicious user can easily cause a DoS attack by sending bogus packets or replay packets.
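The stateful-inspection behaviour described in 2.2.1 and the SDP/NAT problem of 2.2.3, as an added example in Go (not from the original document): the firewall reads the c= and m=audio lines of a cleartext INVITE to open the RTP/RTCP pinhole, gets nothing usable from an encrypted body, and a SIP-aware NAT rewrites the address and port carried inside the SDP. The INVITE, the addresses and the ports are constructed for the example.

```go
package main

import (
	"errors"
	"net/netip"
	"strconv"
	"strings"
)

// SampleSDP is a constructed SDP body as a phone on the voice sub-network would
// send it in an INVITE (addresses and ports are assumptions for this example).
const SampleSDP = "v=0\r\n" +
	"o=1001 2890844526 2890844526 IN IP4 10.10.0.25\r\n" +
	"s=call\r\n" +
	"c=IN IP4 10.10.0.25\r\n" +
	"t=0 0\r\n" +
	"m=audio 49170 RTP/AVP 0 8\r\n"

const SampleInvite = "INVITE sip:1002@10.20.0.10 SIP/2.0\r\n" +
	"Content-Type: application/sdp\r\n\r\n" + SampleSDP

// Pinhole is the UDP opening a stateful firewall creates for one media stream:
// RTP on the port announced in SDP and RTCP on the next port.
type Pinhole struct {
	Addr      string
	RTP, RTCP uint16
}

func lines(sdp string) []string {
	return strings.Split(strings.ReplaceAll(sdp, "\r\n", "\n"), "\n")
}

// MediaFromSDP reads the media address (c= line) and audio port (m=audio line).
// Only a cleartext body can be read: when signaling is encrypted the firewall
// sees no c=/m= lines and therefore cannot open the ports for that call.
func MediaFromSDP(sdp string) (Pinhole, error) {
	var ph Pinhole
	for _, l := range lines(sdp) {
		switch {
		case strings.HasPrefix(l, "c=IN IP4 "):
			a, err := netip.ParseAddr(strings.TrimSpace(strings.TrimPrefix(l, "c=IN IP4 ")))
			if err != nil {
				return Pinhole{}, errors.New("bad c= line: " + err.Error())
			}
			ph.Addr = a.String()
		case strings.HasPrefix(l, "m=audio "):
			f := strings.Fields(l)
			if len(f) < 3 {
				return Pinhole{}, errors.New("malformed m=audio line")
			}
			p, err := strconv.ParseUint(f[1], 10, 16)
			if err != nil || p == 0 || p == 65535 { // port 0 means media rejected
				return Pinhole{}, errors.New("bad audio port")
			}
			ph.RTP, ph.RTCP = uint16(p), uint16(p)+1
		}
	}
	if ph.Addr == "" || ph.RTP == 0 {
		return Pinhole{}, errors.New("no usable c=/m=audio lines: encrypted or non-SDP body")
	}
	return ph, nil
}

// PinholeForInvite is what the firewall does with a SIP message it can see:
// split headers from body, then parse the body as SDP.
func PinholeForInvite(msg string) (Pinhole, error) {
	_, body, found := strings.Cut(msg, "\r\n\r\n")
	if !found {
		return Pinhole{}, errors.New("no message body")
	}
	return MediaFromSDP(body)
}

// RewriteForNAT does what a SIP-aware NAT (ALG) has to do because, as with FTP
// PORT mode, the private media address travels inside the SDP payload: the c=
// line becomes the public address and the m=audio port becomes the mapped port.
// Without this the far end would send RTP to an unroutable private address.
func RewriteForNAT(sdp, publicAddr string, mappedPort uint16) (string, error) {
	pub, err := netip.ParseAddr(publicAddr)
	if err != nil {
		return "", err
	}
	orig, err := MediaFromSDP(sdp)
	if err != nil {
		return "", err
	}
	out := lines(sdp)
	for i, l := range out {
		switch {
		case strings.HasPrefix(l, "c=IN IP4 "):
			out[i] = "c=IN IP4 " + pub.String()
		case strings.HasPrefix(l, "m=audio "):
			out[i] = strings.Replace(l, " "+strconv.Itoa(int(orig.RTP))+" ", " "+strconv.Itoa(int(mappedPort))+" ", 1)
		}
	}
	return strings.Join(out, "\r\n"), nil
}
```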

To mitigate DoS attack possibilities, it is recommended to segment the whole network into smaller sub-networks and to deploy access controls between the sub-networks. Voice and data networks should be separated; moreover, client and server networks should also be separated (Figure 2-4). The communication across the sub-networks should be controlled with a Layer 3 switch (L3SW) or a firewall, and only legitimate communication is passed by that device. For an IP phone, the following represent legitimate communication:

- Call signaling communication between the IP phone and the IP-PBX
- Media stream communication between terminals

Illegitimate communication must be filtered. Deciding what to filter out depends on the type of communication system being deployed. The system integrator must confirm the port numbers and protocols to be used and confirm that the unnecessary communication will be filtered. RFC2827-based ingress filtering should also be carried out by the same device.

Figure 2-4 Countermeasures Against DoS Attacks (VoIP terminal sub-network: IP phones behind an L2SW with MAC address-based control, WLAN IP phones behind wireless LAN controllers with 802.1X-based authentication; VoIP server sub-network: IP-PBX and VoIP application servers under physical protection; data client sub-network: PCs and a PC with softphone; data server sub-network: intranet servers and directory servers; access control between the sub-networks by a firewall or L3SW)

In order to make DoS countermeasures more effective, it is recommended that a malicious device be unable to connect to the network at all. For example, a Layer 2 switch (L2SW) should perform a MAC address check before allowing a newly deployed IP phone to connect. When a wireless IP phone (e.g. the NEC MH210 series) is deployed, the phone should be authenticated using 802.1X protocols. In the server network, the equipment must be physically protected in order to prevent attackers from connecting to the network and attacking the nodes.
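The sub-network access control of Figure 2-4, as an added example in Go (not from the original document): RFC2827 ingress filtering, the legitimate flows for an IP phone, default deny for everything else, and the L2SW MAC address check before a phone is admitted. The prefixes, the IP-PBX address, the SIP port 5060, the RTP port range and the MAC allow-list are assumptions; the integrator substitutes the deployed system's confirmed values.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// Sub-networks of Figure 2-4; the prefixes are constructed for this example.
var subnets = map[string]netip.Prefix{
	"voip-terminal":   netip.MustParsePrefix("10.10.0.0/24"),
	"voip-terminal-2": netip.MustParsePrefix("10.11.0.0/24"), // e.g. a second floor
	"voip-server":     netip.MustParsePrefix("10.20.0.0/24"),
	"data-client":     netip.MustParsePrefix("10.30.0.0/24"),
	"data-server":     netip.MustParsePrefix("10.40.0.0/24"),
}

// Assumed IP-PBX address and ports; the integrator confirms the real values
// for the deployed system before writing the filter rules.
var (
	ipPBX                  = netip.MustParseAddr("10.20.0.10")
	sipPort         uint16 = 5060
	rtpLow, rtpHigh uint16 = 16384, 32767
)

// provisionedPhones is the L2SW allow-list of IP phone MAC addresses (constructed).
var provisionedPhones = map[string]bool{"00:00:5e:00:53:01": true, "00:00:5e:00:53:02": true}

type Packet struct {
	Ingress          string // sub-network whose interface the packet arrived on
	Src, Dst         string
	Proto            string // "udp" or "tcp"
	SrcPort, DstPort uint16
}

type Verdict struct {
	Allow  bool
	Reason string
}

func zone(a netip.Addr) string {
	for name, p := range subnets {
		if p.Contains(a) {
			return name
		}
	}
	return "unknown"
}

func isTerminalZone(z string) bool { return strings.HasPrefix(z, "voip-terminal") }

func inRTPRange(port uint16) bool { return port >= rtpLow && port <= rtpHigh }

// AdmitToVoiceVLAN is the L2SW check before a newly connected phone is allowed
// onto the voice VLAN: only a provisioned MAC address is accepted.
func AdmitToVoiceVLAN(mac string) bool {
	hw, err := net.ParseMAC(mac)
	return err == nil && provisionedPhones[hw.String()]
}

// Decide applies the inter-sub-network policy of Figure 2-4 on the L3SW or
// firewall: RFC2827 ingress filtering first, then only the legitimate flows
// (call signaling phone<->IP-PBX, media between terminals, data client->server).
func Decide(p Packet) Verdict {
	src, err1 := netip.ParseAddr(p.Src)
	dst, err2 := netip.ParseAddr(p.Dst)
	if err1 != nil || err2 != nil {
		return Verdict{false, "unparseable address"}
	}
	// RFC2827: a packet must carry a source address belonging to the
	// sub-network it arrived from; anything else is spoofed and dropped.
	if in, ok := subnets[p.Ingress]; !ok || !in.Contains(src) {
		return Verdict{false, fmt.Sprintf("RFC2827: source %s does not belong to %s", p.Src, p.Ingress)}
	}
	sz, dz := zone(src), zone(dst)
	switch {
	case isTerminalZone(sz) && dst == ipPBX && p.DstPort == sipPort:
		return Verdict{true, "call signaling: IP phone -> IP-PBX"}
	case src == ipPBX && isTerminalZone(dz) && p.SrcPort == sipPort:
		return Verdict{true, "call signaling: IP-PBX -> IP phone"}
	case isTerminalZone(sz) && isTerminalZone(dz) && p.Proto == "udp" && inRTPRange(p.SrcPort) && inRTPRange(p.DstPort):
		return Verdict{true, "media stream between terminals"}
	case sz == "data-client" && dz == "data-server" && p.Proto == "tcp":
		return Verdict{true, "data client -> data server"}
	}
	return Verdict{false, fmt.Sprintf("default deny: %s -> %s %s/%d", sz, dz, p.Proto, p.DstPort)}
}
```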

2.3 User Access Infrastructure

2.3.1 Key Components

The user access infrastructure includes the terminal devices and the access paths, shown in Figure 2-5, through which users make use of the IP telephone system service.

Figure 2-5 User Access Infrastructure (user terminal device: soft-phone or hard-phone; access path: LAN, wireless LAN or remote access; network infrastructure)

A terminal device is either an IP phone or a PC-based IP phone, which is a PC with special application software and a handset or a headset. In most cases, an access path is either a wired LAN or a wireless LAN. A wired LAN includes hubs and switches. A wireless LAN includes access points and authentication servers. Both LANs may include a DHCP server and a DNS server. A remote access system, which implements a secure virtual path with IPsec, SSL or another technology, may be deployed to access an in-house IP telephone system from a remote site. Its main component is a remote access gateway, such as an IPsec or SSL-VPN gateway product.

2.3.2 Common Threats

There are many potential threats to VoIP systems from within the user access infrastructure. These include:

- Eavesdropping and gathering of call history through interception on the LAN or wireless LAN
- False terminal devices spoofing another terminal device
- Virus and malware attacks from PCs connected to the same LAN or wireless LAN

2.3.3 Design Guidelines

When possible, separate LAN segments into LANs for data traffic and LANs for voice, physically or logically with virtual LAN (VLAN) capability.

The WLAN is more exposed to threats than the wired LAN, since physical access to the WLAN is far easier than to the wired LAN: the radio wave from a WLAN access point passes through a wall, a wooden door, a window and so on. To mitigate the possibility of unauthorized access via the WLAN, use communication encryption (of layer 2 data) and terminal or mutual authentication. This also mitigates the possibility of DoS attacks on the VoIP systems, by preventing malicious terminals from connecting to the in-house network.

When choosing a remote access gateway product, it is highly recommended to check for compatibility with VoIP systems.

2.3.4 Threat Mitigation

It is highly recommended that the whole network be separated into data and voice networks. When an IP phone has multiple network interfaces (for the PC and for the network), PCs may be connected to the network via the IP phone (so-called daisy chaining), as shown in Figure 2-6. In such cases, the IP phone inserts a VLAN tag into the packets it generates and passes the packets from the PC without inserting a VLAN tag, thus allowing the layer 2 switches to separate voice from data traffic.

Figure 2-6 PC and IP Phone Connection (the PC and the IP phone are connected to a single L2SW port; packets from the PC are untagged, packets from the IP phone carry a VLAN tag)

The following encryption and authentication features and algorithms can be used in an 802.11-based WLAN system.

Terminal authentication
- SSID authentication
- Shared key authentication (used together with WEP encryption)
- MAC address-based access control
- 802.1X and EAP authentication (EAP-MD5, EAP-LEAP, EAP-TLS, EAP-TTLS, PEAP)

Communication encryption
- WEP (Wired Equivalent Privacy): 64-bit key length encryption, 128-bit key length encryption
- WPA / TKIP encryption (with integrity check)
- WPA2 / AES CBC-MAC Protocol (CCMP)

When a WLAN is used within a corporate network, 802.1X authentication and a dynamic key management mechanism (dynamic WEP, WPA or WPA2) should be used to keep the same security level as the wired LAN. SSID authentication and shared key authentication do not provide any reliable authentication. WEP does not provide enough confidentiality, because its key management is too poor to prevent an attacker from decrypting captured packets.

SSL-based remote access systems (so-called SSL-VPN) and IPsec-based remote access systems (so-called IPsec-VPN) are widely deployed. Both have their pros and cons. In general, SSL-VPN is easy to use; however, SSL-VPN does not support all IP applications, and each product determines which applications it supports. On the other hand, all IP applications are accessible through IPsec-VPN connections, but client software must be installed. If a remote access system is already deployed, the system integrator must confirm whether the VoIP application is usable through the VPN connection. To prevent virus and malware attacks from client PCs, both anti-virus and personal firewall software should be installed on every PC.

2.4 Secure Management Infrastructure

In general, there are two VoIP system management security concerns:
1. How to make the VoIP system management secure
2. How to manage the security of the network including the VoIP system

2.4.1 Key Components

A management system consists of a manager and sensors. The manager is deployed in a network operation center (NOC). It analyzes information gathered by sensors, provides a monitoring and operation interface for operators, and issues alerts when necessary. A sensor is embedded in a host system or deployed in the LAN and gathers information such as system event logs and captured packets.

There are several types of management systems. System management focuses on keeping the system working without abnormal interruption. A security information management system, which includes a centralized log database server, handles security-related event information and its accuracy. Monitored components can include IP-PBXs, application servers, various gateways including firewalls and media gateways, and security devices such as IDS and IPS.

2.4.2 Common Threats

Since most systems take it for granted that access from the NOC is trustworthy, the whole system becomes vulnerable once the NOC is compromised. Threats that result from spoofing a NOC node must also be considered.

2.4.3 Design Guidelines

The security level of the NOC area must be kept high enough both physically and logically. Protect the control path between the NOC and remotely operated nodes against spoofing.

2.4.4 Threat Mitigation

Remote access to the NOC should be authenticated using strong authentication techniques such as a two-factor scheme. Also consider VPN technology to protect the sensitive control path between remotely operated systems and the NOC.
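As an added example of the two-factor scheme recommended above (this is not code from the guide or from NEC), the block below implements the second factor as TOTP (RFC 6238, built on HOTP from RFC 4226) and combines it with a salted password hash for NOC operator logins. It accepts a code from the adjacent time step to absorb clock skew, and it refuses to accept the same code twice, which matters because an intercepted one-time code would otherwise remain valid for the rest of its time step. The operator table, the `NocAccessGate` class and the operator names are constructed for this example; the TOTP secret used in the demo is the RFC 6238 test secret.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def matching_counter(secret: bytes, submitted: str, at_time: float,
                     window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the counter whose code equals `submitted` within +/-window
    steps of `at_time`, or None. Every candidate is compared in constant
    time and the loop never exits early, so timing does not reveal which
    slot (if any) matched."""
    base = int(at_time) // step
    matched = None
    for skew in range(-window, window + 1):
        counter = base + skew
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            matched = counter
    return matched


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    return matching_counter(secret, submitted, at_time, window) is not None


class NocAccessGate:
    """Constructed two-factor login check for NOC operators: PBKDF2 password
    hash (first factor) plus TOTP (second factor), with single-use codes."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        # user -> [salt, pw_hash, totp_secret, last_accepted_counter]
        self._operators: dict = {}

    def enroll(self, user: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._operators[user] = [salt, pw_hash, totp_secret, -1]

    def login(self, user: str, password: str, code: str,
              at_time: Optional[float] = None) -> bool:
        rec = self._operators.get(user)
        if rec is None:
            return False
        salt, pw_hash, secret, last_counter = rec
        now = time.time() if at_time is None else at_time
        # Both factors are always evaluated so a failure of one does not
        # change the response time; the result is only committed if both pass.
        first = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS), pw_hash)
        matched = matching_counter(secret, code, now)
        # Replay guard: a code is single-use, so reject any counter at or
        # before the last one accepted for this operator.
        second = matched is not None and matched > last_counter
        if first and second:
            rec[3] = matched
            return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret; everything else here is constructed.
    SECRET = b"12345678901234567890"
    gate = NocAccessGate()
    gate.enroll("noc-operator", "constructed-password", SECRET)
    code = totp(SECRET, 59)
    print("code at t=59:", code)                                   # 287082
    print("first login :", gate.login("noc-operator", "constructed-password", code, 59))
    print("replayed    :", gate.login("noc-operator", "constructed-password", code, 59))
```

`matching_counter` returns the time-step counter rather than a boolean so that the caller can record it; without that, the replay guard cannot tell whether a resubmitted code belongs to a step that was already consumed.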

3. Small Office System Model

The small office system model design is shown in Figure 3-1. The entire system is divided into two sections: Internet Edge and Intranet. In the Internet Edge section, the interfaces with the PSTN and the public VoIP network are added to the common small office network without VoIP. In the Intranet section, IP phones, PC-based IP phones, and VLANs are supported.

[Figure 3-1 Small Office System Model: PSTN, public VoIP network, Internet Edge (media/signal gateways, IP-PBX), Internet, router, L2 switches, Internet servers (mail, DNS, etc.), VoIP application servers, Intranet users (desktop/laptop PCs, multifunctional IP terminals), Intranet servers (groupware, etc.)]