VoIP Security Best Practice Vol. II: Models of Secure VoIP Systems (Version: 1.2), NEC Corporation




VoIP Security Best Practice (Version: 1.2) NEC Corporation

Liability Disclaimer NEC Corporation reserves the right to change the specifications, functions, or features, at any time, without notice. NEC Corporation has prepared this document for the exclusive use of its employees and customers. The information contained herein is the property of NEC Corporation and shall not be reproduced without prior written approval from NEC Corporation. UNIVERGE is a registered trademark of NEC Corporation. Some of the NEC products identified in this document may not be available in certain regional markets. Please contact your NEC representative for availability. 2005-2006 NEC Corporation MS-DOS, Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. All other brand or product names are or may be trademarks or registered trademarks of, and are used to identify products or services of, their respective owners.

Contents

1. Introduction ... 1
  1.1 Abstract ... 1
  1.2 Audience ... 2
  1.3 Authors ... 2
  1.4 Acknowledgments ... 2
2. General Model of Secure VoIP Systems ... 3
  2.1 VoIP Infrastructure ... 5
    2.1.1 Key Components ... 5
    2.1.2 Common Threats ... 6
    2.1.3 Design Guidelines ... 7
    2.1.4 Threat Mitigation ... 7
  2.2 Network Infrastructure ... 9
    2.2.1 Key Components ... 9
    2.2.2 Common Threats ... 10
    2.2.3 Design Guidelines ... 10
    2.2.4 Threat Mitigation ... 10
  2.3 User Access Infrastructure ... 12
    2.3.1 Key Components ... 12
    2.3.2 Common Threats ... 12
    2.3.3 Design Guidelines ... 12
    2.3.4 Threat Mitigation ... 13
  2.4 Secure Management Infrastructure ... 15
    2.4.1 Key Components ... 15
    2.4.2 Common Threats ... 15
    2.4.3 Design Guidelines ... 15
    2.4.4 Threat Mitigation ... 15
3. Small Office System Model ... 16
  3.1 Internet Edge ... 17
    3.1.1 Key Components ... 17
    3.1.2 Threats ... 17
    3.1.3 Design Guidelines ... 18
    3.1.4 Threat Mitigation ... 18
  3.2 Intranet ... 19
    3.2.1 Key Components ... 19
    3.2.2 Threats ... 19
    3.2.3 Design Guidelines ... 20
    3.2.4 Threat Mitigation ... 20
4. Large Enterprise Office System Model ... 21
  4.1 Centralized IP-PBX Model ... 21
    4.1.1 Internet Edge ... 22
      4.1.1.1 Key Components ... 22
      4.1.1.2 Threats ... 23
      4.1.1.3 Design Guidelines ... 23
      4.1.1.4 Threat Mitigation ... 23
    4.1.2 Enterprise Server Farm ... 24
      4.1.2.1 Key Components ... 24
      4.1.2.2 Threats ... 24
      4.1.2.3 Design Guidelines ... 24
      4.1.2.4 Threat Mitigation ... 25
    4.1.3 Main Office ... 26
      4.1.3.1 Key Components ... 26
      4.1.3.2 Threats ... 26
      4.1.3.3 Design Guidelines ... 26
      4.1.3.4 Threat Mitigation ... 27
    4.1.4 Branch Office ... 27
      4.1.4.1 Key Components ... 28
      4.1.4.2 Threats ... 28
      4.1.4.3 Design Guidelines ... 28
      4.1.4.4 Threat Mitigation ... 28
  4.2 Distributed IP-PBX Model ... 29
    4.2.1 Branch Office ... 30
      4.2.1.1 Key Components ... 30
      4.2.1.2 Threats ... 31
      4.2.1.3 Design Guidelines ... 31
      4.2.1.4 Threat Mitigation ... 31

1. Introduction

1.1 Abstract

Network security represents an apex of concern for every organization these days. Regulations are both vastly increasing and coming into force in most regions. Security breaches may damage reputations and cause the loss of business opportunities; and, while IP telephony solutions can produce a new style of office communication and reduce network costs, they add complexity to development and maintenance. Corporate networks are vastly impacted by the unique network nature of IP telephony systems and the coexistence of data traffic and voice traffic.

The purpose of the UNIVERGE VoIP Security Best Practices series is to illustrate basic guidance for the secure deployment and maintenance of UNIVERGE telephony systems. This document is Volume II of a series of Security Best Practices for designing and implementing secure IP telephony systems. Volume II provides general examples for designing secure IP telephony systems in accordance with the principles provided in Volume I. Volume II also presents an overview of the secure IP telephony architecture, and then details the specific modules that make up the actual network design.

This document begins with an overview of secure VoIP system architecture. The VoIP system is composed of four infrastructures: VoIP, network, user access and secure management. The key components and security threats of each infrastructure are explained in section 2. After every infrastructure has been explained, sections 3 and 4 provide two network examples, for a small office and for a large enterprise network. These examples are useful for system integrators designing and implementing secure VoIP systems.

1.2 Audience

The UNIVERGE VoIP Security Best Practices series is intended for network and system managers. Although this document is essentially technical, it can be read without understanding network and system details. This document is composed of volumes intended to provide the proper information in proportion to your purpose. If you would like to understand the security overview, please refer to both Volume I and Volume II. If you are interested in integrating secure VoIP systems, refer to both Volume II and Volume III.

Since comprehensive security for a corporate network includes too many aspects to cover, in this series we focus on basic issues tailored to IP telephony systems. For example, we presume that your organization already has a security policy. NEC does not recommend deploying any security technology or device without first establishing the security policy.

1.3 Authors

Mr. Teruharu Serada and Mr. Toshio Miyachi are the primary authors of this white paper. Mr. Miyachi studied network and VoIP security, providing technological expertise to the NEC Broadband Solutions Planning Division. He is responsible for assisting in the establishment of NEC's corporate strategy for product security within the NEC Corporate IT Division. Mr. Serada works within UNIVERGE product and solution planning as a network security technology expert within the UNIVERGE Solutions Promotion Division.

1.4 Acknowledgments

Special thanks to Mr. Sam Safa and Ms. Laura Hammett for their technical and grammatical refinement of our manuscript.

2. General Model of Secure VoIP Systems

VoIP systems enable the transfer of voice data over an IP network. VoIP systems also enable new applications that integrate voice and data services. VoIP system users can, for example, retrieve a phone number from a web-based directory service and make a call with a click of a mouse. VoIP systems consist of the following subsystems/infrastructures, as shown in Figure 2-1 and Figure 2-2:

(1) VoIP infrastructure
The VoIP infrastructure provides VoIP-based telephony service to users. Thanks to data and voice integration, users are provided not only legacy telephony service but also access to new IP telephony applications, such as a web-based telephone directory.

(2) IP Network infrastructure
The IP network infrastructure enables IP communication between entities. It is also deployed widely for IP communication in general. Since traffic for IP telephony systems is real-time in nature, QoS requirements should be taken into account.

(3) User Access infrastructure
The User Access network infrastructure provides the access methods to the VoIP users. Users may access the VoIP system from the Internet and/or the intranet. Within the office, they can access the VoIP infrastructure via wired or wireless LAN. From the Internet, they can access the VoIP infrastructure via a remote access system.

(4) Management System infrastructure
The management system infrastructure provides the VoIP management functions. This enables the system administrators to configure, customize and maintain every entity of the VoIP system.

[Figure 2-1 A Network Model including a VoIP System: User Access (user and data access), IP Network Infrastructure, VoIP Service, Data Service and Management System Infrastructure]

[Figure 2-2 A Typical VoIP System: remote access from the Internet, user access network, IP infrastructure (including routers, switches and DNS servers), VoIP infrastructure (IP-PBX, terminals, media/signal gateways, application servers), PSTN, public VoIP network and other VoIP systems]

2.1 VoIP Infrastructure

The VoIP infrastructure provides VoIP-based telephony service to users. Compared with traditional PBXs, the VoIP infrastructure provides integration with other network applications.

2.1.1 Key Components

The key components in the VoIP infrastructure are the following:

(1) IP-PBXs
IP-PBXs provide basic telephony features for users. The IP-PBXs set up and monitor calls, maintain the dial plan, perform phone number translation, authorize users, and coordinate the call signaling.

(2) VoIP Gateways
VoIP gateways are responsible for call origination, detection, analog-to-digital voice conversion, and creation of voice packets. In addition, media gateways may provide optional features, such as voice compression, echo cancellation, silence suppression, and statistics gathering.

(3) Application Servers
Compared with traditional PBXs, VoIP systems allow for much tighter integration with other applications on an enterprise network. For example, voice mail service, telephone directory service and Unified Messaging Service (UMS) are implemented as VoIP network applications. These services are offered to users through an application server.

An IP-PBX provides IP-based telephony service for users. The IP-PBX can be divided into two functions: one to process the signals and one to set up calls. The IP-PBX is treated as a single entity, since almost all IP-PBXs are implemented on a single device. The UNIVERGE SV7000 and APEXi series (in the Japanese market) are classified as IP-PBXs within NEC's product portfolio. The IP-PBX provides the communication interface between the application servers, as it provides integrated telephony service to users' applications. In addition to providing an interface to the users' terminals, an IP-PBX also provides an interface to multiple VoIP gateways that allow communication with other organizations' IP-PBXs.

A VoIP gateway is responsible for connecting an IP-PBX to an external telephony network (ISDN network, Japanese 050 public VoIP network and so on). A VoIP gateway can include signal and/or media gateway functions. The signal gateway function is responsible for the translation of the VoIP call control protocol (SIP and H.323) into the legacy PSTN signaling protocol (ISUP, SS7 and so on). The media gateway function mediates the media streams between the IP network and the circuit-switched or traditional telephone network. While many vendors may have separate devices used to perform the media and signal gateway functions, NEC's products, such as MG(BRI), MG(PRI), MG(SIP) and MC-MG, can perform both functions in a single device; therefore, this paper treats the VoIP gateway as a single entity.

An application server is responsible for providing service to VoIP applications such as web telephone directory service, Unified Messaging Service (integrating e-mail, FAX and voice mail) and Presence Service (collecting and distributing users' presence information).

2.1.2 Common Threats

The following represent considerable threats:

- General attacks from the Internet and intranet
- Exploits of the systems' vulnerabilities
- Theft of equipment and information from all entities

Threats specific to the IP-PBX:

- Unauthorized user access
- Call interception by a malicious user impersonating an authorized user
- Toll fraud attempts from intranet users
- System failure caused by power failure or network outage
- Unveiling of sensitive information
- Person-In-The-Middle (PITM) attacks (a malicious user can behave as the IP-PBX or as the user's terminal)
- Replay attacks

Threats specific to the VoIP gateway:

- Toll fraud attempts from Internet users
- DoS and various other malicious attacks from outside the LAN
- DoS and various other malicious attacks from within the LAN towards a public network (Not assuming the position of attacker is as important as not positioning oneself as a victim, as either can cause many severe monetary or brand image losses.)

Threats specific to the Application Server:

- Unauthorized access to the application server

2.1.3 Design Guidelines

The traffic within a subsystem and across subsystems should be adequately controlled by access controls. Only critical VoIP service and maintenance traffic should be accepted, while unnecessary traffic should be dropped.

The IP-PBX authenticates the user to protect against malicious users' access. Authentication ensures that services are only provided to appropriate users, protecting them from abuse and toll fraud. For traffic encryption, an encryption key agreement should be performed during the authentication process. Traffic encryption prevents attackers from capturing the signaling and media traffic, which in turn prevents attackers from attempting to gain unauthorized access or request call termination.

To mitigate the possibility of call interception and confidential information disclosure, both signaling and media protocol communication must be encrypted. When an encryption mechanism is adopted, the key parameters for encryption must be set on both the IP-PBX and the terminal. Deploying such encryption can also provide security against a malicious user trying to gain access.

When an IP-PBX service stops, a user cannot utilize any VoIP services. This may result in the immediate loss of revenue or business. An IP-PBX must continue providing service despite failures such as power failure or disaster. In order to maintain the availability of the IP-PBX during any failure, fault tolerance should be considered in the initial network design.

User authentication and authorization must take place not only on the IP-PBX but also on the network application servers. Such access methods can greatly reduce and deny malicious users' attempts to impersonate an authorized user.

2.1.4 Threat Mitigation

In general, traffic across subsystems should be controlled by the access control functions of a firewall to protect against network resource consumption and attacks from malicious users. In order to maintain the confidentiality of all traffic, both signaling and media streams should be encrypted. Encryption mitigates information leakage threats. Each VoIP infrastructure entity should also be physically protected, preventing attackers from stealing users' confidential information.

Furthermore, since VoIP gateways are typically exposed to DoS attack threats by the nature of having a connection to external public networks, a firewall device should be considered to mitigate the possibility of such DoS attacks (e.g. a UDP flood attack). A firewall can not only be used to mitigate such attacks, but can also prevent other attacks by enabling additional features, like traffic shaping and protocol anomaly detection functions. An Intrusion Detection/Prevention System (IDS or IPS) can also be deployed to mitigate DoS attacks and unauthorized access threats.

When an IP-PBX authenticates a user, malicious attacks aimed at impersonating a user are prevented or greatly reduced. Authentication must be mutual to prevent Person-In-The-Middle (PITM) attacks: while the IP-PBX authenticates the user, the user can also verify whether the IP-PBX (s)he is communicating with is the right server or not.

To mitigate the possibility of call interception and the unveiling of confidential information, signaling and media protocol communication need to be encrypted. A key agreement is needed when VoIP communication is encrypted. As shown in Figure 2-3, two encryption keys must be agreed upon. One is the call signaling encryption key, shared by the IP-PBX and each terminal; the other is the media stream encryption key, shared by the two communicating terminals. Mutual authentication and the call signaling key agreement between the user and the IP-PBX are done at the same time. The media encryption key is provided by the IP-PBX or is securely exchanged between the terminals. These keys should not be unveiled to anyone, including the administrators, for security reasons.

[Figure 2-3 Two Types of Encryption Keys: the signal encryption key protects the encrypted signaling between each terminal and the IP-PBX; the media encryption key protects the encrypted media stream between the two terminals]

Since the VoIP system software is complex (see Volume I for more information), it may include many vulnerabilities. All entities in a VoIP system must have a software updating mechanism. When a vulnerability is reported by the vendor and a patch is provided, it should be applied as soon as possible.

In order to maintain the availability of the IP-PBX during any failure, fault tolerance should be considered in the initial network design. The IP-PBX and application servers should have redundancy, allowing for continued provisioning when an accident, breakdown and/or maintenance of equipment takes place. Adopting UPS (uninterruptible power supplies) provides power failover redundancy to the VoIP system.
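The following is an added example, not code from the NEC document or from any UNIVERGE product, that models the key relationships of Figure 2-3 and the mutual authentication requirement above. It assumes a pre-provisioned per-terminal secret shared with the IP-PBX (how credentials are provisioned is not specified by the text), uses an HMAC-SHA256 challenge-response in both directions, derives the signaling key during that exchange, and has the IP-PBX generate a per-call media key that it hands to both terminals wrapped under their individual signaling keys. Terminal identifiers, secrets and message formats are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed model of the Figure 2-3 key relationships (not NEC's protocol):
# per-terminal secret -> mutual challenge-response -> signaling key per terminal,
# then one media key per call, wrapped for each terminal under its signaling key.

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts: a simple, unambiguous KDF and MAC."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

def wrap(key: bytes, media_key: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte media key under a terminal's signaling key."""
    assert len(media_key) == 32
    nonce = os.urandom(16)
    stream = prf(key, b"enc", nonce)                       # 32-byte keystream
    ct = bytes(a ^ b for a, b in zip(media_key, stream))
    return nonce + ct + prf(key, b"mac", nonce, ct)

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(prf(key, b"mac", nonce, ct), tag):
        raise ValueError("media key wrap failed integrity check")
    stream = prf(key, b"enc", nonce)
    return bytes(a ^ b for a, b in zip(ct, stream))

class IpPbx:
    def __init__(self, credentials: dict):
        self.credentials = dict(credentials)   # terminal id -> provisioned secret (assumption)
        self.signal_keys = {}                  # terminal id -> signaling key

    def authenticate(self, term_id, n_term, n_pbx, term_proof):
        """Verify the terminal's proof; on success return the PBX's own proof."""
        secret = self.credentials.get(term_id)
        if secret is None:
            return None
        if not hmac.compare_digest(prf(secret, b"terminal", n_term, n_pbx), term_proof):
            return None
        self.signal_keys[term_id] = prf(secret, b"signal-key", n_term, n_pbx)
        return prf(secret, b"pbx", n_term, n_pbx)

    def setup_call(self, caller, callee):
        """One fresh media key per call, wrapped separately for each terminal."""
        media_key = os.urandom(32)
        return {t: wrap(self.signal_keys[t], media_key) for t in (caller, callee)}

class Terminal:
    def __init__(self, term_id, secret):
        self.term_id, self.secret = term_id, secret
        self.signal_key = self.media_key = None

    def start(self, n_pbx):
        self.n_term, self.n_pbx = os.urandom(16), n_pbx
        return self.n_term, prf(self.secret, b"terminal", self.n_term, n_pbx)

    def finish(self, pbx_proof):
        """Mutual part: the terminal checks that the server knows the secret too."""
        if not hmac.compare_digest(prf(self.secret, b"pbx", self.n_term, self.n_pbx), pbx_proof):
            raise ValueError("IP-PBX failed to authenticate (possible PITM)")
        self.signal_key = prf(self.secret, b"signal-key", self.n_term, self.n_pbx)

    def receive_media_key(self, wrapped):
        self.media_key = unwrap(self.signal_key, wrapped)

def register(term, pbx) -> bool:
    n_pbx = os.urandom(16)                                  # PBX challenge
    n_term, proof = term.start(n_pbx)                       # terminal challenge + proof
    pbx_proof = pbx.authenticate(term.term_id, n_term, n_pbx, proof)
    if pbx_proof is None:
        return False
    term.finish(pbx_proof)
    return True

def demo() -> dict:
    pbx = IpPbx({"phone-a": b"secret-a", "phone-b": b"secret-b"})
    a, b = Terminal("phone-a", b"secret-a"), Terminal("phone-b", b"secret-b")
    ok = register(a, pbx) and register(b, pbx)
    wrapped = pbx.setup_call("phone-a", "phone-b")
    a.receive_media_key(wrapped["phone-a"])
    b.receive_media_key(wrapped["phone-b"])
    try:                                                    # a forged server proof is rejected
        a.finish(b"\x00" * 32)
        fake_pbx_detected = False
    except ValueError:
        fake_pbx_detected = True
    return {
        "registered": ok,
        "media_key_shared": a.media_key == b.media_key,
        "signal_keys_distinct": a.signal_key != b.signal_key,
        "rogue_rejected": not register(Terminal("phone-a", b"guessed"), pbx),
        "fake_pbx_detected": fake_pbx_detected,
    }

if __name__ == "__main__":
    print(demo())
```

The point of the two distinct keys is visible in the result: the two terminals end up with the same media key but different signaling keys, and neither key is ever sent in the clear. A terminal that cannot produce a valid proof is refused, and a terminal that receives an invalid server proof refuses to continue, which is what closes the PITM case described above.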

2.2 Network Infrastructure

The network infrastructure is responsible for connecting each node in the VoIP system.

2.2.1 Key Components

The following represent key components in the network infrastructure:

- Switch (layer 2, layer 3)
- Router
- Firewall

These are the same components as in an IP network infrastructure without a VoIP system. It is important for the VoIP network infrastructure to logically divide the whole network into voice and data networks, so a Layer 2/3 (L2/L3) switch with support for Virtual LANs (VLANs) is required.

The firewall has the responsibility for keeping the network secure from other networks, as it is normally deployed at the point where the networks connect. The firewall applies security policy rules to control traffic that flows in and out of the protected network by utilizing packet filtering and traffic shaping features. For that reason, a firewall function should be carefully deployed. A firewall can be implemented in various ways: as an application level gateway, as a termination point for all TCP and UDP connections, and/or as a traffic filtering device which inspects and routes all incoming and outgoing packets. When an organization deploys a VoIP system on an existing IP network, the firewall function required by the VoIP system can coexist with an existing firewall without violating the organization's security policy.

Firewall devices that have a stateful packet inspection function are now very widely deployed. When stateful inspection technologies are used with VoIP, the firewall has the responsibility to:

- Protect against irregular packet flows. This prevents replay and UDP flood attacks.
- Open and close the UDP ports used by an RTP stream. These ports are usually closed and are opened only when the firewall needs to pass an RTP traffic stream.

Not all firewall devices support NEC's SIP implementation. A list of supported firewall products is given in Volume III.

2.2.2 Common Threats

The following represent considerable threats within the network infrastructure:

- Unauthorized access and toll fraud from malicious users on the Internet or in the intranet
- DoS attacks from malicious users on the Internet or in the intranet

2.2.3 Design Guidelines

It is highly recommended to physically or logically separate voice from data networks. A VoIP system is implemented over an existing IP network; however, the traffic requirements for VoIP applications are different from those of data. As described in Volume I, VoIP traffic, unlike data, is real-time and delay-sensitive in nature.

Firewalls are used to control and filter inappropriate traffic in the same way as they are used to secure the data network. The VoIP system consists of many subsystems that have many key components. Inter-subsystem communication and inter-component communication can be transmitted via firewalls. A firewall mitigates the possibility of DoS and unauthorized access. Some firewall products inspect the signaling packets and, when needed by a media stream, can open or close the required UDP ports. When the VoIP communication is encrypted, the firewall cannot analyze the SDP (Session Description Protocol) payload. As a result, it may be unable to adequately open or close ports. Whether VoIP communication (or SIP signaling communication) should be encrypted or not may therefore depend on the existence of a firewall in the IP network.

In addition, it is also important to consider that when Network Address Translation (NAT) is used on the communication route, VoIP and/or SIP communications may not work. Since the sender's IP address is included in the SIP/SDP packets, as in FTP PORT mode, SIP/SDP address translation is needed. Without such a function, NAT with VoIP communication may not work, and an alternative solution should be considered.

2.2.4 Threat Mitigation

VLAN technology makes logical separation of the network easier. All entities in the network infrastructure should support VLANs. The separation of collision domains mitigates the risk from DoS attacks or packet sniffing. If the VoIP system administrator wants to improve the quality of the telephony service, QoS-enabled switches and routers are recommended. Since a VoIP system is implemented over a common IP network infrastructure, an internal malicious user can easily cause a DoS attack by sending bogus packets or replayed packets.
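The firewall and NAT behaviour described in 2.2.3 (a SIP-aware firewall opening RTP ports from the SDP payload, its inability to do so when signaling is encrypted, and the SIP/SDP address translation a NAT must perform) is illustrated by the following added example. It is not code from the NEC document or from any firewall product; the SDP offer, the private and public addresses and the port mapping are constructed, and the RTCP port is taken as the port following the RTP port, the RFC 3550 convention.

```python
from ipaddress import ip_address, ip_network

# Constructed SDP offer (not from the document): session-level c= line, one audio
# stream and one refused video stream (port 0).
SDP_OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 10.1.20.15
s=-
c=IN IP4 10.1.20.15
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
m=video 0 RTP/AVP 31
"""

def parse_pinholes(sdp: str):
    """Return the (ip, rtp_port, rtcp_port) triples a SIP-aware firewall opens for this offer.

    A session-level c= line applies to every m= section unless the section carries its own
    c= line; a port of 0 means the media is refused, so no pinhole is needed.
    """
    session_ip, sections = None, []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("c="):
            _net, _addrtype, addr = line[2:].split()
            if sections:
                sections[-1]["ip"] = addr          # media-level override
            else:
                session_ip = addr
        elif line.startswith("m="):
            _mtype, port, proto, *_fmts = line[2:].split()
            sections.append({"port": int(port), "proto": proto, "ip": None})
    pinholes = []
    for sec in sections:
        ip = sec["ip"] or session_ip
        if sec["port"] == 0 or ip is None or not sec["proto"].startswith("RTP/"):
            continue
        pinholes.append((ip, sec["port"], sec["port"] + 1))
    return pinholes

def pinholes_for_invite(body: str, signaling_encrypted: bool):
    """With encrypted signaling the firewall never sees the SDP and cannot open RTP
    pinholes dynamically. None signals that a statically opened RTP range (or a device
    that terminates the encrypted leg) is needed instead."""
    if signaling_encrypted:
        return None
    return parse_pinholes(body)

def sdp_alg_rewrite(sdp: str, inside_net: str, public_ip: str, port_map: dict) -> str:
    """The SIP/SDP address translation the text calls for: private c= addresses become the
    NAT's public address and m= ports become their mapped public ports. Without this the
    far end sends RTP to an unroutable private address (the same problem as FTP PORT mode)."""
    inside = ip_network(inside_net)
    out = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            net, addrtype, addr = line[2:].split()
            if ip_address(addr) in inside:
                line = f"c={net} {addrtype} {public_ip}"
        elif line.startswith("m="):
            mtype, port, proto, *fmts = line[2:].split()
            line = " ".join([f"m={mtype}", str(port_map.get(int(port), int(port))), proto, *fmts])
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(parse_pinholes(SDP_OFFER))
    print(pinholes_for_invite(SDP_OFFER, signaling_encrypted=True))
    print(parse_pinholes(sdp_alg_rewrite(SDP_OFFER, "10.0.0.0/8", "203.0.113.7", {49170: 30000})))
```

Run as written, the offer yields a single audio pinhole on the private address, the encrypted case yields no pinhole at all, and after the NAT rewrite the same parser produces the public address and mapped port that the remote party can actually reach. This is the trade-off the text points at: the integrator has to decide between encrypted signaling and a firewall that learns media ports from the signaling.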

To mitigate the possibility of DoS attacks, it is recommended to segment the whole network into smaller sub-networks and deploy access controls between the sub-networks. Voice and data networks should be separated; moreover, client and server networks should also be separated (Figure 2-4). Communication across the sub-networks should be controlled with a Layer 3 switch (L3SW) or firewall, and only legitimate communication should be passed by that device. For an IP phone, the following represent legitimate communications:

- Call signaling communication between the IP phone and the IP-PBX
- Media stream communication between terminals

Illegitimate communication must be filtered. Deciding what to filter out depends on the type of communication system being deployed. The system integrator must confirm the port numbers and protocols to be used and confirm that unnecessary communications will be filtered. RFC 2827-based ingress filtering should also be carried out by such a device.

[Figure 2-4 Countermeasures Against DoS Attacks: VoIP terminal sub-network (IP phones and WLAN IP phones behind an L2SW with MAC address-based control, wireless LAN controllers with 802.1X-based authentication); VoIP server sub-network (IP-PBX and VoIP application servers, physically protected); data client sub-network (PCs and a PC with softphone); data server sub-network (intranet servers, directory servers); access control between the sub-networks by firewall or L3SW]

In order to make DoS countermeasures more effective, it is recommended that a malicious device be unable to connect to the network. For example, a Layer 2 switch (L2SW) should perform a MAC address check before allowing a newly deployed IP phone to connect. When a wireless IP phone (e.g. the NEC MH210 series) is deployed, the phone should be authenticated using 802.1X protocols. In the server network, the equipment must be physically protected in order to prevent attackers from connecting to the network and attacking the nodes.
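The access control between the four sub-networks of Figure 2-4, together with the RFC 2827 ingress check, can be written down as a small rule set and exercised against sample traffic. The following is an added example, not configuration from the NEC document or from any L3SW or firewall product: the subnet addresses, the SIP port, the RTP port range and the interface names are assumptions a system integrator would replace with the deployment's own values, and the packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing for the sub-networks of Figure 2-4 (constructed, not from the document).
VOIP_TERMINALS = ip_network("10.1.20.0/24")   # IP phones
VOIP_SERVERS   = ip_network("10.1.10.0/24")   # IP-PBX, VoIP application servers
DATA_CLIENTS   = ip_network("10.2.20.0/24")   # PCs
DATA_SERVERS   = ip_network("10.2.10.0/24")   # intranet and directory servers
SIP_PORT  = 5060                              # assumed signaling port
RTP_PORTS = range(16384, 32768)               # assumed configured RTP port range

# Which subnet sits behind each L3SW interface: the basis for the RFC 2827 check.
INTERFACES = {"voice-term": VOIP_TERMINALS, "voice-srv": VOIP_SERVERS,
              "data-cli": DATA_CLIENTS, "data-srv": DATA_SERVERS}

def _in(ip: str, net) -> bool:
    return ip_address(ip) in net

def ingress_ok(pkt: dict) -> bool:
    """RFC 2827 ingress filtering: a packet entering on an interface must carry a
    source address belonging to the subnet behind that interface."""
    return _in(pkt["src"], INTERFACES[pkt["iface"]])

def is_legitimate_voip(pkt: dict) -> bool:
    """The two flows the text lists as legitimate for an IP phone."""
    if pkt["proto"] != "udp":
        return False
    src, dst, dport = pkt["src"], pkt["dst"], pkt["dport"]
    # 1. call signaling between the IP phone and the IP-PBX, in either direction
    if dport == SIP_PORT and ((_in(src, VOIP_TERMINALS) and _in(dst, VOIP_SERVERS)) or
                              (_in(src, VOIP_SERVERS) and _in(dst, VOIP_TERMINALS))):
        return True
    # 2. media stream between terminals
    if dport in RTP_PORTS and _in(src, VOIP_TERMINALS) and _in(dst, VOIP_TERMINALS):
        return True
    return False

def evaluate(pkt: dict) -> str:
    if not ingress_ok(pkt):
        return "drop: spoofed source (RFC 2827)"
    if is_legitimate_voip(pkt):
        return "permit"
    return "drop: not a legitimate VoIP flow"     # everything else is filtered by default

SAMPLE_PACKETS = [   # constructed sample traffic
    {"iface": "voice-term", "src": "10.1.20.15", "dst": "10.1.10.5",  "proto": "udp", "dport": 5060},
    {"iface": "voice-srv",  "src": "10.1.10.5",  "dst": "10.1.20.15", "proto": "udp", "dport": 5060},
    {"iface": "voice-term", "src": "10.1.20.15", "dst": "10.1.20.16", "proto": "udp", "dport": 20000},
    {"iface": "data-cli",   "src": "10.2.20.33", "dst": "10.1.10.5",  "proto": "udp", "dport": 5060},
    {"iface": "data-cli",   "src": "10.1.20.15", "dst": "10.1.10.5",  "proto": "udp", "dport": 5060},
    {"iface": "voice-term", "src": "10.1.20.15", "dst": "10.1.10.5",  "proto": "tcp", "dport": 22},
]

def run(packets=SAMPLE_PACKETS):
    return [evaluate(p) for p in packets]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, run()):
        print(f"{p['iface']:10} {p['src']:>11} -> {p['dst']:<11} {p['proto']}/{p['dport']:<5} {verdict}")
```

The fifth packet is the case RFC 2827 exists for: it arrives on the data client interface but claims a voice terminal address, so it is dropped before the VoIP rules are even consulted. A PC-based softphone in the data client sub-network (present in Figure 2-4) is not covered by the two IP phone rules and would need its own explicit entry, which is exactly the kind of decision the text leaves to the system integrator.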

2.3 User Access Infrastructure

2.3.1 Key Components

The user access infrastructure includes terminal devices and access paths, as shown in Figure 2-5, through which users make use of the IP telephone system service.

[Figure 2-5 User Access Infrastructure: user terminal devices (soft-phone, hard-phone) connect over an access path (LAN, wireless LAN, remote access) to the network infrastructure]

A terminal device is either an IP phone or a PC-based IP phone, which is a PC with special application software and a hand-set or a head-set. In most cases, an access path is either a wired LAN or a wireless LAN. A wired LAN includes hubs and switches. A wireless LAN includes access points and authentication servers. Both LANs may include a DHCP server and a DNS server. A remote access system, which implements a secure virtual path with IPsec, SSL or other technology, may be deployed to access an in-house IP telephone system from a remote site. Its main component is a remote access gateway, such as an IPsec or SSL-VPN gateway product.

2.3.2 Common Threats

There are many potential threats to VoIP systems from within the user access infrastructure. These include:

- Eavesdropping and gathering of calling history through interception of the LAN or wireless LAN
- False terminal devices spoofing another terminal device
- Virus and malware attacks from PCs connected to the same LAN or wireless LAN

2.3.3 Design Guidelines

When possible, separate LAN segments into LANs for data traffic and LANs for voice, physically or logically with virtual LAN (VLAN) capability.

The WLAN is more exposed to threats than the wired LAN, since physical access to the WLAN is far easier than to the wired LAN: a radio wave from a WLAN access point can be transmitted through a wall, a wooden door, a window and so on. To mitigate the possibility of unauthorized access via WLAN, perform communication encryption (layer 2 data) and terminal or mutual authentication. This also mitigates the possibility of DoS attacks on the VoIP systems, by preventing malicious terminals from connecting to the in-house network.

When choosing a remote access gateway product, it is highly recommended to check for compatibility with VoIP systems.

2.3.4 Threat Mitigation

It is highly recommended that the whole network be separated into data and voice networks. When an IP phone has multiple network interfaces (for PC and network), PCs may be connected to the network via the IP phone (so-called daisy chaining), as shown in Figure 2-6. In such cases, the IP phone can insert a VLAN tag into the packets generated by the IP phone and pass the packets from the PC without inserting a VLAN tag, thus allowing the network's layer 2 switches to separate voice from data traffic.

[Figure 2-6 PC and IP Phone Connection: the PC and the IP phone are connected to a single L2SW port; packets from the PC are untagged, packets from the IP phone carry a VLAN tag]
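How the switch port in Figure 2-6 separates the two devices can be shown on actual frame bytes. The following is an added example, not code from the NEC document or from any switch: it builds Ethernet frames with and without an 802.1Q tag and models an access port that sends untagged frames to the data VLAN, accepts voice-VLAN-tagged frames only from a registered phone MAC address (the MAC address check of 2.2.4), and drops everything else. The VLAN numbers and MAC addresses are constructed.

```python
import struct

# Constructed port configuration (not from the document).
TPID_8021Q     = 0x8100
ETHERTYPE_IPV4 = 0x0800
DATA_VLAN  = 100      # native (untagged) VLAN of the port: the PC's traffic
VOICE_VLAN = 200      # VLAN the IP phone tags its own packets with
REGISTERED_PHONES = {bytes.fromhex("001122aabb01")}   # MAC address check from 2.2.4

def build_frame(dst: bytes, src: bytes, payload: bytes, vlan=None, pcp: int = 0) -> bytes:
    """Ethernet II frame, optionally with an 802.1Q tag (TPID + TCI) after the MAC addresses."""
    frame = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)       # 3-bit priority, 1-bit DEI, 12-bit VLAN id
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload

def classify(frame: bytes, native_vlan=DATA_VLAN, voice_vlan=VOICE_VLAN, phones=REGISTERED_PHONES):
    """Return (class, vlan_id, priority) for a frame arriving on the port, or None to drop it.

    Untagged frames are the PC's and go to the native data VLAN. Frames tagged with the
    voice VLAN are accepted only from a registered phone; any other tag is dropped, so a PC
    cannot move itself into the voice VLAN simply by tagging its own frames.
    """
    if len(frame) < 14:
        return None
    src = frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return ("data", native_vlan, 0)
    if len(frame) < 18:
        return None
    tci, = struct.unpack("!H", frame[14:16])
    vid, pcp = tci & 0x0FFF, tci >> 13
    if vid == voice_vlan and src in phones:
        return ("voice", vid, pcp)             # priority can feed the QoS queue
    return None

PC_MAC     = bytes.fromhex("0a1b2c3d4e5f")     # constructed
PHONE_MAC  = bytes.fromhex("001122aabb01")     # constructed, registered above
SWITCH_MAC = bytes.fromhex("ffeeddccbbaa")     # constructed

def demo() -> dict:
    payload = b"\x45" + b"\x00" * 19           # stand-in for an IP header
    return {
        "pc_untagged":        classify(build_frame(SWITCH_MAC, PC_MAC, payload)),
        "phone_tagged":       classify(build_frame(SWITCH_MAC, PHONE_MAC, payload, vlan=VOICE_VLAN, pcp=5)),
        "pc_tags_voice_vlan": classify(build_frame(SWITCH_MAC, PC_MAC, payload, vlan=VOICE_VLAN)),
        "phone_wrong_vlan":   classify(build_frame(SWITCH_MAC, PHONE_MAC, payload, vlan=300)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The third case is the one worth noticing: a PC behind the phone that tags its own frames with the voice VLAN id is not admitted, because the MAC address check is applied in addition to the tag. On a real switch the same outcome comes from combining a voice VLAN on the access port with port security or 802.1X, and the phone usually learns the voice VLAN id from the switch rather than being configured with it by hand.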

The following encryption and authentication features and algorithms can be used in an 802.11-based WLAN system.

Terminal authentication
- SSID authentication
- Shared key authentication (used together with WEP encryption)
- MAC address-based access control
- 802.1X and EAP authentication (EAP-MD5, EAP-LEAP, EAP-TLS, EAP-TTLS, PEAP)

Communication encryption
- WEP (Wired Equivalent Privacy): 64-bit key length encryption, 128-bit key length encryption
- WPA / TKIP encryption (with integrity check)
- WPA2 / AES CBC-MAC Protocol (CCMP)

In case of WLAN usage within a corporate network, 802.1X authentication and a dynamic key management mechanism (dynamic WEP, WPA or WPA2) should be used to keep the same security level as the wired LAN. SSID authentication and shared key authentication do not provide any reliable authentication. WEP does not provide enough confidentiality, because its key management is so weak that an attacker can decrypt encrypted packets.

SSL-based remote access systems (so-called SSL-VPN) and IPsec-based remote access systems (so-called IPsec-VPN) are widely deployed. Both systems have their pros and cons. In general, SSL-VPN is easy to use. However, SSL-VPN does not support all IP applications; the products themselves determine whether an application is supported. On the other hand, all IP applications are accessible through IPsec-VPN connections, but this requires client software installation. If a remote access system is already deployed, the system integrator must confirm whether the VoIP application is available through the VPN connection.

To prevent virus and malware attacks from client PCs, both anti-virus and personal firewall software are installed on every PC.

2.4 Secure Management Infrastructure

In general, there are two VoIP system management security concerns:
1. How to make the VoIP system management secure
2. How to manage the security of the network including the VoIP system

2.4.1 Key Components

A management system consists of a manager and sensors. A manager is deployed in a network operation center (NOC). It analyzes information gathered by sensors, provides a monitoring and operation interface for operators, and issues alerts when necessary. A sensor is embedded in a host system or deployed in the LAN and gathers information such as system event logs and captured packets.

There are several types of management systems. System management focuses on keeping the system working without abnormal interruption. A security information management system, which includes a centralized log database server, handles security-related event information and its accuracy. Nodes monitored with sensors can include IP-PBXs, application servers, various gateways including firewalls and media gateways, and security devices such as IDS and IPS.

2.4.2 Common Threats

Since most systems take for granted that access from a NOC is reliable, the whole system becomes vulnerable once the NOC is compromised. Threats that result from spoofing a NOC node must also be considered.

2.4.3 Design Guidelines

The security level of a NOC area must be kept high enough both physically and logically. Protect the control path between a NOC and remotely operated nodes against spoofing.

2.4.4 Threat Mitigation

Remote access to a NOC should be authenticated using strong authentication techniques such as a two-factor scheme. Also consider VPN technology to protect the sensitive control path between a remotely operated system and a NOC.
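As an added example of the two-factor authentication recommended above for NOC access (written for this page, not code from the NEC document), the following Python module checks a salted password hash and a time-based one-time password, with a one-step clock window and a guard against replaying a code that was already accepted. The user name, password and TOTP secret are constructed sample values; the secret is the RFC 4226 / RFC 6238 test-vector key, so the generated codes can be compared with the values published in those RFCs.

```python
"""
Two-factor check for remote NOC access: PBKDF2 password hash plus a TOTP
code (RFC 6238, built on HOTP, RFC 4226).  Sample user data is constructed.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    (code,) = struct.unpack(">I", mac[offset:offset + 4])
    code &= 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class NocAuthenticator:
    """Password + TOTP verification with a clock-skew window and replay protection."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window
        self.users = {}          # username -> record

    def add_user(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
            "last_counter": -1,  # highest time step already accepted (replay guard)
        }

    def authenticate(self, username: str, password: str, code: str,
                     at_time: Optional[float] = None) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # First factor: constant-time comparison of the password hash.
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
            return False
        # Second factor: accept the current step or one step either side,
        # but never a step at or below one that already produced a login.
        now = time.time() if at_time is None else at_time
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= rec["last_counter"]:
                continue
            if hmac.compare_digest(hotp(rec["totp_secret"], c), code):
                rec["last_counter"] = c
                return True
        return False


# Constructed sample data; the secret is the RFC 4226/6238 test-vector key.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_USER = "noc-operator"
SAMPLE_PASSWORD = "correct horse battery staple"


def demo() -> dict:
    auth = NocAuthenticator()
    auth.add_user(SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_SECRET)
    t = 59                      # RFC 6238 test time; 59 // 30 is counter 1
    code = totp(SAMPLE_SECRET, t)
    return {
        "code": code,
        "first_login": auth.authenticate(SAMPLE_USER, SAMPLE_PASSWORD, code, t),
        "replayed": auth.authenticate(SAMPLE_USER, SAMPLE_PASSWORD, code, t + 5),
        "bad_password": auth.authenticate(SAMPLE_USER, "wrong", code, t),
    }


if __name__ == "__main__":
    print(demo())
```

The replay guard matters for a NOC: a one-time code that is intercepted on the control path is worthless once it has been used, which is not the case for a plain password.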

3. Small Office System Model

The small office system model is represented below (Figure 3-1). The entire system is divided into two sections:
- Internet Edge
- Intranet

In the Internet Edge section, the interfaces with the PSTN and the public VoIP network are added to the common small office network without VoIP. In the Intranet section, IP phones, PC-based IP phones, and VLANs are supported.

[Figure 3-1 Small Office System Model: Internet Edge (Internet, router, L2SW, Internet servers such as mail and DNS, media/signal gateways to the PSTN and the public VoIP network); Intranet (L2SW, IP-PBX, VoIP application servers, intranet servers such as groupware, users with desktop/laptop PCs and multifunctional IP terminals)]

3.1 Internet Edge

The Internet Edge provides internal users with connectivity to the Internet, the PSTN, and the public VoIP network. It also provides Internet users with access to the information on public servers, and segmentation between the data and voice networks.

[Figure 3-2 Internet Section of Small Office: ISP, router (ingress filtering, RFC2827), firewall (stateful packet filtering, basic layer 7 filtering, host DoS mitigation, spoof mitigation), L2SW (VLAN-based network separation) to the intranet, Internet servers, VoIP gateways (PIR, MG(SIP), etc.) to the PSTN and VoIP SP]

3.1.1 Key Components

Key components of the Internet Edge section are the following:
- Router
- Firewall (VoIP-enabled firewall)
- VoIP gateways

The Edge router on a corporate network can have different kinds of interfaces depending on the connectivity type provided by the ISP or carrier. The VoIP-enabled firewall provides network-level protection of resources, stateful filtering of traffic, and voice services. A layer 2 switch (with VLAN support) provides layer 2 services to data and voice devices. An appropriate VoIP gateway is deployed in compliance with the PSTN.

3.1.2 Threats

The following represent considerable threats to the network infrastructure:
- Unauthorized access and toll fraud from malicious users on the Internet
- Toll fraud from the Internet
- Denial of Service (DoS)
- IP spoofing

3.1.3 Design Guidelines

The Internet and the public VoIP network are connected via the VoIP-enabled firewall. The system is secured by the firewall, which filters packets that do not comply with the Access Control Lists (ACLs). An Edge router between the ISP and the firewall can provide many interface types such as Ethernet, ISDN and others. Unauthorized access and attacks are mitigated through filtering by the firewall. VoIP and data traffic can be separated into two VLANs using a VLAN-enabled layer 2 switch. The IP-PBX, media/signal gateways and IP phones reside in the voice segment/VLAN. All other devices reside in the data segment/VLAN.

3.1.4 Threat Mitigation

The voice-enabled firewall controls access between the data and voice segments via access control and stateful inspection. The firewall also controls access from/to the Internet and the VoIP service provider. Moreover, the firewall (or Edge router) can protect the system from DoS attacks by limiting traffic rates. RFC2827 filters are placed at the local Edge router. This mitigates the possibility of IP spoofing attacks.
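As an added example (not from the NEC document) of the RFC2827 filtering placed on the local Edge router, the following Python function applies the source-address checks to sample packets seen on the ISP-facing and the LAN-facing interface. The corporate prefixes, the bogon list and the packet addresses are assumed values constructed for the example.

```python
"""
RFC 2827 style address filtering at the site edge.  On the Internet-facing
interface, arriving packets whose source claims to be inside the corporate
prefixes, or is otherwise not routable on the Internet, are dropped.  On
the LAN-facing interface, packets leaving the site with a source the site
does not own are dropped, so the site can neither be spoofed from outside
nor used to originate spoofed traffic.  Prefixes and packets are constructed.
"""
import ipaddress
from typing import List

# Assumed corporate address space (constructed; 203.0.113.0/24 is a
# documentation range, 10.0.0.0/8 stands in for internal RFC 1918 space).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("10.0.0.0/8")]

# Source ranges that should never arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def in_any(addr, prefixes) -> bool:
    return any(addr in net for net in prefixes)


def filter_packet(interface: str, src: str, dst: str) -> str:
    """Verdict for a packet arriving on the 'outside' (ISP) or 'inside' (LAN) interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if interface == "outside":
        if in_any(s, INTERNAL_PREFIXES):
            return "drop: spoofed internal source arriving from the Internet"
        if in_any(s, BOGON_PREFIXES):
            return "drop: non-routable source arriving from the Internet"
        if not in_any(d, INTERNAL_PREFIXES):
            return "drop: destination is not ours (transit attempt)"
        return "permit"
    if interface == "inside":
        if not in_any(s, INTERNAL_PREFIXES):
            return "drop: outbound packet with a source address we do not own"
        return "permit"
    raise ValueError(f"unknown interface {interface!r}")


# Constructed sample packets: (interface the packet arrives on, src, dst).
SAMPLE_PACKETS = [
    ("outside", "198.51.100.7", "203.0.113.10"),   # ordinary inbound packet
    ("outside", "203.0.113.5", "203.0.113.10"),    # claims one of our public addresses
    ("outside", "10.1.1.1", "203.0.113.10"),       # claims our private range
    ("outside", "127.0.0.1", "203.0.113.10"),      # loopback source
    ("outside", "198.51.100.7", "198.51.100.9"),   # not addressed to us
    ("inside", "203.0.113.10", "198.51.100.7"),    # ordinary outbound packet
    ("inside", "192.0.2.99", "198.51.100.7"),      # spoofed source leaving the site
]


def run_samples() -> List[str]:
    return [filter_packet(*p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(pkt, "->", verdict)
```

The inside-interface rule is the part of RFC 2827 most often forgotten: it does nothing for the site itself, but it stops a compromised PC on the LAN from sending spoofed packets towards other networks.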

3.2 Intranet

The intranet section contains IP-PBXs, VoIP application servers, IP phones and PCs. This section is connected to the Internet through the Internet Edge.

[Figure 3-3 Intranet Section of Small Office: L2SW with VLAN-based network separation connecting the Internet Edge, the IP-PBX, VoIP application servers (UMS, voicemail, etc.), intranet servers (groupware, etc.) and users with desktop/laptop PCs and multifunctional IP terminals]

3.2.1 Key Components

Key components of this section are the following:
- VLAN-enabled layer 2 switch
- IP-PBXs
- VoIP application servers
- PCs

All of the entities in this section are connected through the layer 2 switch. In general, the network is divided broadly into two networks, the data network and the voice network. IP-PBXs and IP phones belong to the voice network, while application servers and user PCs belong to the data network.

3.2.2 Threats

The following represent considerable threats:
- Packet sniffing
- Call interception
- Unauthorized access (from the intranet)
- Caller identity spoofing
- Toll fraud
- Denial of Service

3.2.3 Design Guidelines

There is no layer 3 switch in this section. All connections across VLANs must pass through the firewall. This prevents many kinds of attacks. If the number of nodes increases, the layer 2 switch in the center will be replaced by a layer 3 switch to segment broadcast domains and avoid broadcast storms. This architecture mitigates the possibility of packet sniffing, because a layer 2 switch is used. The application server and IP-PBX hold user information and require physical protection. Of course, the layer 2 switch is also physically protected to prevent a malicious attacker from changing port assignments or snooping on ports. In addition to a switch-based architecture, anti-virus and personal firewall software running on PCs can mitigate the possibility of DoS attacks.

3.2.4 Threat Mitigation

In order to prevent DoS attacks, all Internet and WAN communications must pass through the firewall router. Viruses and worms can be blocked from infecting PCs (with software IP phones) by installing and running anti-virus and personal firewall software. At the same time, a hardware or software firewall can greatly help mitigate the possibility of unauthorized access and toll fraud. While mutual authentication can prevent identity spoofing, communication encryption can prevent spoofing and eavesdropping attacks.

4. Large Enterprise Office System Model

There are two models of VoIP implementation in a large enterprise office: a centralized IP-PBX and a distributed IP-PBX. In the centralized model, the IP-PBX is deployed at one location, the headquarters or a data center. Branch employees can access the IP-PBX from the remote office without necessarily having an IP-PBX in their office. In the distributed model, IP-PBXs are deployed at each branch. Each of these models has its advantages and disadvantages. Which model should be deployed depends heavily on the customer's requirements, so the security mechanism of each model is described in this paper.

4.1 Centralized IP-PBX Model

In this model, VoIP services are provided by the IP-PBX and servers from the main office. Taking local and emergency calls into account, some branches also have to interface with the PSTN. The entire system is represented below (Figure 4-1). This system is divided into four sections:
- Internet
- Center server farm
- Main office
- Branch office

[Figure 4-1 Centralized IP-PBX Model: Internet, public VoIP network and PSTN connected through a router, firewall, L2SW and VoIP gateway to the Internet servers (DNS, mail, etc.); an L3SW connecting the center server farm (controller (master), intranet servers such as UMS and groupware), the main office (L2SW, terminals, VoIP gateway, PSTN) and, over the corporate intranet (IP-VPN, L2VPN, Internet VPN, etc.), Branch Office 1 and Branch Office 2, each with a router, IP-PBX (backup), VoIP gateway, terminals and a PSTN connection]

4.1.1 Internet Edge

The Internet Edge provides internal users with connectivity to the Internet, the PSTN, and the public VoIP network. It also provides Internet users with access to information on public servers, and segmentation between the data and voice segments.

[Figure 4-2 Internet Section in the Centralized IP-PBX Model: ISP connected through redundant routers and a firewall (stateful packet filtering, basic layer 7 filtering, host DoS mitigation, spoof mitigation, redundant structure) to the L2SW and L3SW; network-based IDS/IPS (intrusion/attack detection, intrusion/attack prevention); public servers (e-mail, DNS, etc.); remote access server; VoIP gateways (PIR, MG(SIP), etc.) to the PSTN and VoIP SP; link to other firm]

4.1.1.1 Key Components

Key components of the Internet section are the following:
- Voice-enabled firewall
- Network-based IDS or IPS
- Remote Access Server

Components within this section are similar to those of the Small Office System Model, Internet Edge, on page 17. The larger the enterprise becomes, the larger the effect of its VoIP system on the customer's business. In such cases, some nodes must be added to prevent security incidents or system failures. In some cases an IDS or IPS for the public servers is already deployed. VoIP traffic going to other external networks passes through the existing IP network infrastructure, so an existing IDS or IPS must detect attacks and irregular traffic flows. If there is no IDS or IPS in the existing IP infrastructure, an IDS or IPS should be deployed to mitigate attacks. A Remote Access Server may be deployed in this section. User access to the VoIP system from the Internet is established via the Remote Access Server. This method of communication allows users to access the network as if they were on the LAN (intranet).

4.1.1.2 Threats

The threats to be considered are not influenced by the scale of the user's network. All of the threats listed in the Small Office System Model, Internet Edge, on page 17 must be considered.

4.1.1.3 Design Guidelines

The design guidelines in this section are similar to those of the Small Office System Model, Internet Edge, on page 17. The Edge router on a corporate network can have different kinds of interfaces depending on the connectivity type provided by the ISP or carrier. The VoIP-enabled firewall is deployed behind the Edge router to protect against attacks from the Internet. Unlike the Internet section of the small office, not all traffic across this section passes through the firewall. The firewall and the layer 3 switch (L3SW) in front of each section hold the access control lists (ACLs) for adequate traffic control.

4.1.1.4 Threat Mitigation

VLANs enable the layer 2 switches to divide this section into voice and data segments. Because of the network separation, users will continue to have access to the VoIP service when the data network is congested by a worm, virus or DoS attack. The Edge router, firewall and external connection should be redundant, so that service continues when an accident, breakdown and/or maintenance of equipment takes place. Malicious attacks from the external network are blocked by the firewall. If the attacks are sophisticated and cannot be blocked by the firewall, an IDS or IPS must be deployed to mitigate the possibility of such attacks.

4.1.2 Enterprise Server Farm

Application servers and IP-PBXs used by the corporate users are deployed in this section. No Internet users except the remote access workers will have direct access to the enterprise servers.

[Figure 4-3 Enterprise Server Farm in the Centralized IP-PBX Model: L3SW connecting the Internet Edge and the intranet part; firewall (stateful packet filtering, basic layer 7 filtering, host DoS mitigation, spoof mitigation); network-based IDS/IPS (intrusion/attack detection, intrusion/attack prevention); L2SW with VLAN-based network separation; intranet servers (UMS, groupware, etc.); IP-PBX (master)]

4.1.2.1 Key Components

Key components of this section are the following:
- Voice-enabled firewall
- Network-based IDS/IPS
- Layer 3 and layer 2 switch

IP-PBXs and the servers providing users with Computer Telephony Integration (CTI) applications are in this section. Servers used in the data network (groupware servers, mail servers and so on) are also in this section. It is highly recommended that the data and voice segments are logically or physically separated. If they cannot be physically separated, they should be logically separated using VLANs.

4.1.2.2 Threats

The servers used by users at the main and remote offices are set up in this section, so the Common Threats listed on page 6 that are caused by internal LAN users must also be considered. External users cannot attack this section, with the exception of physical attacks, so threats caused by external users are NOT considered in this section.

4.1.2.3 Design Guidelines

The voice-enabled firewall is set up at the edge of this section. An IDS or IPS is set up behind the firewall, where it will detect/block the sophisticated attacks that are not dropped by the firewall. The data and voice networks are physically or logically separated.

4.1.2.4 Threat Mitigation

The firewall blocks packets not intended for the VoIP and data services. For example, an FTP connection to the e-mail server must be filtered by the firewall. If the firewall has a stateful inspection function, abnormal traffic flows are also filtered. Attacks that are not filtered by the firewall will be detected or mitigated by the IDS or IPS. Due to the physical or logical separation of the voice and data segments, the possibility of attacks and congestion is significantly reduced. If needed, QoS techniques are adopted for bandwidth control and mitigation of DoS attacks.

Additional equipment needs to be considered to reduce service interruptions due to power failures. Adopting PoE (Power over Ethernet) enabled switches and UPS (uninterruptible power supplies) provides power failover redundancy for the VoIP system. An IP-PBX at the main office may become unavailable due to a network outage, IP-PBX breakdown, power failure or any other event. Such service interruptions can be prevented by deploying at each branch office a backup IP-PBX (e.g. SR-MGC or MC-MG(COT)) with a PSTN connection. The equipment for a remote branch is outlined in the Branch Office section on page 28.
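As an added example (not from the NEC document) of the stateful inspection described above, the following Python class keeps a connection table for the server farm firewall, admits only flows opened towards a permitted service, and runs that policy over a constructed packet sequence that includes the FTP-to-mail-server case named in the text. The server addresses, ports and the service policy are assumed sample values.

```python
"""
Small stateful packet filter for the server farm edge.  A static policy
lists the services each server may be reached on; a connection table
records flows that were opened in the permitted direction, so reply
traffic is accepted only for a known flow, and a TCP packet that neither
starts a flow (SYN) nor matches any state is treated as an abnormal flow
and dropped.  Hosts, ports and packets are constructed samples.
"""
from typing import Dict, List, Tuple

# Assumed policy: (server, protocol, destination port) that clients may open.
ALLOWED_SERVICES = {
    ("10.10.0.25", "tcp", 25),     # mail server: SMTP
    ("10.10.0.25", "tcp", 143),    # mail server: IMAP
    ("10.10.0.10", "udp", 5060),   # IP-PBX: SIP signalling
    ("10.10.0.11", "tcp", 80),     # groupware server: HTTP
}

FlowKey = Tuple[str, int, str, int, str]   # src, sport, dst, dport, proto


class StatefulFilter:
    def __init__(self, allowed=ALLOWED_SERVICES):
        self.allowed = allowed
        self.table: Dict[FlowKey, str] = {}   # admitted flows, keyed initiator -> server

    def handle(self, pkt: dict) -> str:
        proto = pkt["proto"]
        flags = set(pkt.get("flags", ()))
        fwd: FlowKey = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], proto)
        rev: FlowKey = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], proto)

        # Continuation of a flow already admitted, in either direction.
        known = fwd if fwd in self.table else rev if rev in self.table else None
        if known is not None:
            if proto == "tcp" and "RST" in flags:
                del self.table[known]           # connection torn down: forget the state
                return "permit: known flow reset"
            return "permit: known flow"

        # A new flow must be an initial packet towards a permitted service.
        if proto == "tcp" and flags != {"SYN"}:
            return "drop: TCP packet without SYN matches no state (abnormal flow)"
        if (pkt["dst"], proto, pkt["dport"]) not in self.allowed:
            return "drop: service not permitted by policy"
        self.table[fwd] = "open"
        return "permit: new flow"


def _pkt(src, sport, dst, dport, proto, flags=()):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "flags": flags}


# Constructed packet sequence as seen at the server farm firewall.
SAMPLE_PACKETS = [
    _pkt("10.20.0.50", 40001, "10.10.0.25", 25, "tcp", ("SYN",)),         # client opens SMTP
    _pkt("10.10.0.25", 25, "10.20.0.50", 40001, "tcp", ("SYN", "ACK")),   # server replies
    _pkt("10.20.0.50", 40001, "10.10.0.25", 25, "tcp", ("ACK",)),         # handshake completes
    _pkt("10.20.0.66", 5555, "10.10.0.25", 25, "tcp", ("ACK",)),          # ACK with no state
    _pkt("10.20.0.50", 40002, "10.10.0.25", 21, "tcp", ("SYN",)),         # FTP to the mail server
    _pkt("10.20.0.7", 5060, "10.10.0.10", 5060, "udp"),                   # phone -> IP-PBX SIP
    _pkt("10.10.0.10", 5060, "10.20.0.7", 5060, "udp"),                   # IP-PBX -> phone
    _pkt("10.10.0.25", 25, "10.20.0.50", 40001, "tcp", ("RST",)),         # server resets
    _pkt("10.20.0.50", 40001, "10.10.0.25", 25, "tcp", ("ACK",)),         # late packet after RST
]


def run_samples() -> List[str]:
    fw = StatefulFilter()
    return [fw.handle(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]} '
              f'{pkt["proto"]} {verdict}')
```

A real firewall also ages out idle entries and tracks FIN handshakes; the point shown here is that the server's replies and the packets of an established session are admitted by state, not by a static rule that would have to allow every high port.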

4.1.3 Main Office

The main office section is the segment for terminals in the main office or company headquarters.

[Figure 4-4 Main Office in the Centralized IP-PBX Model: L3SW connecting L2SWs with terminals]

4.1.3.1 Key Components

Some segments are connected to the layer 3 switch or router that divides this section from the rest of the network.

4.1.3.2 Threats

Refer to Threats on page 19.

4.1.3.3 Design Guidelines

Refer to Design Guidelines on page 20.

4.1.3.4 Threat Mitigation

The network in this section is logically or physically separated. PCs are connected to the data segments and IP phones are connected to the voice segments. Power failure countermeasures are provided in this section. Despite a power interruption, some groups within the organization that use mission-critical applications are expected to continue operating.

Some divisions in the main or branch office may place a firewall device in front of their division's network. A division that deals with confidential information, such as the personnel department or the R&D department, will have security policies that differ from the standard corporate security policies. It may use a firewall to implement a different security level from the one implemented in the corporate network. As described in the General Model of Secure VoIP Systems on page 3, not all firewall devices can deal properly with VoIP traffic. If an existing firewall cannot interoperate with VoIP traffic, a new device is considered and deployed to replace the existing firewall device.

4.1.4 Branch Office

The branch office section is the remote office in this model.

[Figure 4-5 Branch Office in the Centralized IP-PBX Model: router to the main office and other branches; terminals; IP-PBX (backup); VoIP gateway to the PSTN]

4.1.4.1 Key Components

Key components of the branch office section are the following:
- IP-PBX (backup)
- VoIP gateway
- Terminals

A backup IP-PBX will be used to provide failover redundancy for the IP-PBX in the server farm of the main office or headquarters. It is highly recommended that the network of this section be divided into a server network and a client network. The backup IP-PBX and VoIP gateway should be deployed on the server network. The router is set in front of this section. The Edge router in this section can have different kinds of interfaces depending on the connectivity type provided by the VPN service provider.

4.1.4.2 Threats

Refer to Threats on page 17.

4.1.4.3 Design Guidelines

This section is connected to the other sections via the corporate intranet. IP-VPN, L2-VPN or Internet-VPN is selected to connect the main office to remote branches. As described in the General Model of Secure VoIP Systems, QoS requirements should be taken into account because of the real-time nature of IP telephony systems. A backup IP-PBX and VoIP gateway are deployed at mid-to-large size branch offices. This enables local calls to be routed directly and enables employees in the branch offices to continue using VoIP services in case of network or IP-PBX failures.

4.1.4.4 Threat Mitigation

A backup IP-PBX and VoIP gateway are deployed at a mid-to-large branch office. If the number of terminals in a branch office is greater than 20, an SR-MGC should be considered and deployed; otherwise an MC-MG(COT) should be used to back up the IP-PBX.

4.2 Distributed IP-PBX Model

The security mechanisms in the distributed IP-PBX model are almost the same as in the centralized IP-PBX model. The entire system is shown in Figure 4-6.

[Figure 4-6 Distributed IP-PBX Model: Internet, public VoIP network and PSTN connected through a router, firewall, L2SW and VoIP gateway to the Internet servers (DNS, mail, etc.); an L3SW connecting the main office IP-PBX, intranet servers (UMS, groupware, etc.), L2SW, terminals, VoIP gateway and PSTN, and, over the corporate intranet (IP-VPN, L2VPN, Internet VPN, etc.), Branch Office 1 and Branch Office 2, each with a router, IP-PBX, VoIP gateway, terminals and a PSTN connection]

The differences between this model and the centralized IP-PBX model are the following:
- An IP-PBX (and related application servers) is also deployed in the branch office.
- The IP-PBX in the main office is used only for the main office users; it communicates with the end users in the main office and with the IP-PBXs in the remote offices.

Since the difference between the distributed and centralized IP-PBX models lies only in the remote branch office, the security mechanism for the remote branch office is described in this section.

4.2.1 Branch Office

The branch office in the distributed IP-PBX model is shown in Figure 4-7.

[Figure 4-7 Branch Office in the Distributed IP-PBX Model: L3SW to the center office and other branches; VPN-based network separation; firewall (stateful packet filtering, basic layer 7 filtering, spoof mitigation, user authentication) in front of the IP-PBX and the VoIP gateway to the PSTN; terminals]

IP-PBX(s) are deployed at the branch office. This is the major difference from the centralized IP-PBX model. The branch office in the distributed IP-PBX model is somewhat like the small office model described in the Small Office System Model on page 16, but this model has no connection to the Internet.

4.2.1.1 Key Components

Key components of the branch office section are the following:
- IP-PBX(s)
- VoIP gateway
- Firewall
- VLAN-enabled layer 2 switch

The IP-PBX and VoIP gateway provide VoIP services to remote office users. Remote office users connect to the IP-PBX to communicate with the users in the other branches or the main office. There are two network segments (server and client segment) in the office, and the firewall is deployed in front of the server segment. If the entire branch has a different security level, then a firewall should be deployed in front of the branch network.

4.2.1.2 Threats

Threats to be considered for the branch office are the following:
- Unauthorized access and toll fraud from branch and remote users
- Denial of Service attacks by local or remote users
- IP spoofing
- Packet sniffing
- Call interception

4.2.1.3 Design Guidelines

This section is connected to the other sections via the corporate intranet. IP-VPN, L2-VPN or Internet-VPN is selected to connect the main office to remote branches. As described in the General Model of Secure VoIP Systems on page 3, QoS requirements should be taken into account because of the real-time nature of IP telephony systems. The remote branch network should be separated into server and client segments, and access across the segments should be controlled adequately to mitigate unauthorized access and DoS attack possibilities. Access from the other branches is also adequately controlled.

4.2.1.4 Threat Mitigation

Figure 4-8 shows the call flow between two terminals. Unlike the centralized IP-PBX model, signaling protocol data are sent/received across branches. If the Edge layer 3 switch or the firewall filters irregular packets to mitigate attacks, it must be confirmed that the IP-PBXs can still communicate with the IP-PBXs of the main and other branches. Limited to the voice service, two kinds of traffic are passed:
1. Access to/from the server segment in the branch from/to the other IP-PBXs and application servers (signaling communication and application communication only)
2. Access to/from the client segment in the branch from/to terminals in the other branch (media communication only)

[Figure 4-8 Call flow between two terminals: between a terminal in a branch office and a terminal in another branch office: 1. Call Initiate, 2. Acknowledgement, 3. Media Communication, 4. Call Terminate]