IT operations and security staff often struggle to get their arms around the problem of securing voice over IP (VoIP) and unified communications. Whether CIO, systems administrator or security engineer, it helps enormously to know what the threats are and the basic techniques and technologies for addressing them. That's what we'll cover in this tip.
Unified communications threats
Integration of all voice and video communications onto a common data network and the common desktop means that unified communications are no more secure than the enterprise desktop and data network. However, there are some threats and avenues of attack that are specific to unified communications or have new application to unified communications.
A related fear is toll fraud. IP telecommunications providers around the world lose hundreds of millions of dollars annually due to stolen services, especially long-distance services. Unified communications voice and video traffic typically now use the Session Initiation Protocol (SIP) to control calls, but the actual media stream for a call is separate from that control stream. It is possible, therefore, to use SIP to perpetrate a new kind of toll fraud. An attacker can use SIP to lie to the call manager about what kind of call it is controlling. For example, the perpetrator might tell the call manager that a call will be voice-only, but then stream high-definition video instead, essentially defrauding the system owner of the higher revenues for the video traffic.
Vishing, the VoIP-enabled form of phishing, is a third category of security concern around unified communications. Applying the basic techniques of phishing to a new toolset, vishers use spoofed Caller ID or other call information to suggest that they are calling in an official capacity from corporate or vendor IT support, or a government agency, etc., in order to get recipients to reveal confidential information over the phone.
Denial of service is an attack method that has new and specific applications in the unified communications world. While it was virtually unknown with traditional telephony, with armies of compromised zombie PCs at their disposal, today's attacker can aim to disrupt the communications infrastructure at the desktop level by swamping or crashing phones. or at the gateway level by taking out the network nodes that interface an enterprise VoIP installation with the outside world. They can also attack call managers directly by using SIP or other protocols to crash the manager with an endless flood of valid but dishonest session requests.
Another security threat that is now an increased problem for unified communications is platform compromise. No longer an issue restricted to email systems and IM, attackers can now subvert applications on servers, desktops and handhelds, or by taking over an IP phone via UC protocols like SIP or SIMPLE. From there, malicious hackers can launch all manner of attacks, including stealthy information-gathering campaigns and more brazen attempts at further compromises, denial of service or vandalism.
Securing unified communications
The problem of securing unified communications spans servers, endpoints and network infrastructures, so the enterprise must deploy defenses at all levels -- something it should already be doing, and to which unified communications only adds more urgency.
Phones should be secured like other network devices: unused services (many IP phones have Web servers embedded, for example) should be shut down, unused ports disabled, and default management passwords changed. All management should be forced through authenticated and encrypted connections, if possible.
Firewalls, router access control lists, VLANs, port-level switch security and authenticated network access comprise some of the low-level strategies IT should deploy on the network to protect IP phones and/or desktops from each other.
Host- and network-based intrusion detection is also important, for traffic to and from clients and unified communications servers. Intrusion prevention systems (IPSes), where they can be made robust enough to manage unified communications traffic without adding insupportable latency, will be another key. Especially important will be IPS or proxy servers -- focused specifically on SIP and SIMPLE -- that can look deep inside unified communications network packets and examine the actual data being sent to see not only whether it is acceptable in format and length but also to spot ill-intended data using probabilistic analysis.
IT needs to attend to standard host-level security measures too, such as firewalls, antispyware and antivirus agents. Malicious hackers always seek out the path of least resistance, so compromising unified communications systems via servers or clients instead of direct assault on network traffic makes no difference.
In the end, although specific technologies like SIP proxies and firewalls are useful in securing unified communications, it is more important to take the deployment of unified communications as yet another impetus to a well-rounded, multi-level and multi-layer defense strategy for security across the enterprise infrastructure.
About the author
John Burke is principal research analyst with Nemertes Research. With nearly two decades of technology experience, he has worked at all levels of IT, including end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect. He has worked at The Johns Hopkins University, The College of St. Catherine, and the University of St. Thomas.