Published: 27 Sep 2005
Will VoIP's shortcomings give businesses a wake-up call?
Dont' be surprised when your boss says you're about to enter the phone business.
Voice over Internet Protocol (VoIP), a specific iteration of generic Internet Protocol telephony (IPT) voice technology, is coming on strong as carriers roll out connection plans, and companies of all sizes deploy software and equipment to add services and save money.
So what's keeping security managers up at night as executives insist on wringing more productivity out of the network? Security, of course. Vendors have yet to create a complete solution that includes strong user/device authentication, end-to-end encryption and bulletproof management systems. But, hang on the line and we'll show you how to identify the security obstacles of VoIP.
At its most basic level, IPT is the technology by which phone calls are converted into packets and delivered over the same pathways that carry data across local networks, leased lines and the public Internet.
Sounds simple enough, but amid widespread agreement on how to keep your data networks secure and healthy, the simplicity--and security--disappears as your business adds voice devices to its network.
VoIP's early adopters have encountered various high-priority security concerns that best practices and standards must address. Groups such as VoIP Security Alliance are identifying potential pitfalls in heterogeneous networks, with an eye toward creating a list of common issues. But, in the end, it will be up to vendors to recognize that, for VoIP to become ubiquitous, standards must be agreed upon and adopted.
Regardless of their technology choices, businesses' problems cut across product lines and go to the heart of VoIP's implementation challenges:
IPT networks have many holes.
Everyone understands how to set up a safe data network, but there's less agreement when faced with new, IPT-related obstacles. For example, many session initiation protocol (SIP)-enabled firewalls, which ground IPT-based communication, allow the dynamic opening and closing of ports required for telephony. Not only is port 5060 active for signaling (the process of setting up and tearing down a call), but ports 1124 through 1760 will open and close automatically as calls are set up and audio begins to pass through the firewall. During calls, those ports are wide-open highways into the network.
Endpoints pose big risks.
With VoIP, the clichÉ that your network is hard and crunchy on the outside, but soft and gooey on the inside, must be thrown out the window. In the new converged network, that goo is leaking through your cracked shell.
Endpoints are where the users and devices interface with the system, and include telephones, cameras, thermostats, controllers and any other device connected to an IP-converged network. A large enterprise may have thousands of endpoints deployed--and each is a potential doorway to the network. Proper, secure authentication is essential to make sure those doorways are closed and locked to potential intruders.
For bulletproof converged networking, security must extend to each of these endpoint devices.
While vendors have tried to solve this problem--by associating a MAC address to the call manager, or requiring users to enter a PIN--many of these security precautions won't work on devices with limited computing power or memory. Currently, only a few IP telephones require authentication before use.
Remote users cause security static.
How will you secure devices in home offices and other locations outside your company's core network? Is it acceptable for remote users to connect family members to their VoIP switch? Can visitors in a public lobby or conference room use the switched port to access the network? Your company may deem these acceptable risks, but you should consider turning off the ITP-enabled port for your mobile users or disallowing traffic from that port at the next router. At the very least, during configuration, these ports should be turned on by exception only--not as the default.
Authentication and authorization fall short.
Call managers, the processing brains of an IPT network, are used to send and receive signaling that will set up a call and, once complete, tear it down. To access the call manager, you must authenticate on the system--usually with a user name and password. But, as always, simple or static passwords that access high-value servers are easy prey for attackers. Should the call manager be compromised, the integrity of the IPT network--and, potentially, its trust with other devices on the LAN--implodes.
It should be required that administrators working on the call managers log in through an authentication, authorization and accounting system as they do with every other device on your existing data network.
Hardening requirements aren't readily understood.
Most administrators understand how and why to harden servers, but few are aware of the idiosyncrasies they must account for when hardening call managers and the other network devices introduced by IPT and, more specifically, VoIP implementations. Without total control of these key elements, you can't keep systems hardened effectively.
Obviously, the network is only as secure as its weakest link, making it critical that businesses roll out the most recent patches and virus protections. Some VoIP carriers require administrators get new patches and antivirus updates from them instead of from the various platform vendors. But, latency with the carrier-released patches can keep the vulnerability window open longer for in-the-wild exploits and attackers.
Imagine a scenario in which a Trojan allows a remote user to take control of your Windows system. Microsoft will likely issue a security update quickly, but if your VoIP carrier waits as long as two days before sending you the patch, your business won't be protected until the new image is issued. Odds are your executives won't be happy when the Windows-based call manager becomes infected and you need to take it offline for remediation and re-imaging.
|Making the call for VoIP|
In a traditional data network, you're free to add all the perimeter devices you need to feel secure. If you sense a threat, you can deploy a firewall, IPS or gateway defense without worrying if data packets will still arrive in a reasonable amount of time and without noticeable disruptions.
When you add VoIP to the network, every packet that's broadcast from your telephone will have to be processed by every device on the network. Now those extra layers of network protection multiply the problem of latency--or, the amount of time that it takes a packet to travel the network from one endpoint (in this case, telephone) to another. This is a problem.
In a standard VoIP implementation, the latency budget (the amount of latency allowed before call quality suffers) is less than 150 milliseconds. You must keep track of the amount of latency added to existing networks when you roll out new protection mechanisms. Every device that touches the packet on its route will add latency, so be judicious. Most networks can accommodate necessary security devices without adding more than 150 milliseconds of latency; make sure yours can.
Meanwhile, as networks continue to converge, you have to think ahead to devices carrying even greater demands. For instance, to provide the standard 30 frames-per-second of video performance, the network has a latency requirement of less than 20 milliseconds before the picture gets choppy. Plan for this. Make sure your network can handle its lowest common latency requirement. If you're already implementing converged networking to accommodate IPT, it will only be a matter of time before other devices and priorities are added.
A Clear Connection
When phones go dead, it's a loud wake-up call of VoIP's security shortcomings.
But these concerns aside, VoIP is actually reducing IT operating expenses. The ROI can be significant, which means that, ready or not, you will likely be introducing some form of IPT soon. No implementation will be a success right out of the box, but as VoIP continues to evolve, the process will become more streamlined.
Before rolling out any new protocol or implementation on your data networks, you must understand the risks. Risk assessments of the current (pre-IPT) environment are necessary to understand and fix its vulnerabilities before potentially adding new ones. Also, make sure your existing network is built on best practices, and plan for worst-case contingencies. To ensure success, be certain that senior management knows the costs--as well as the benefits--of moving to this more robust network.
Once up and running, develop and implement a sound strategy for maintaining current patches and virus signatures for your VoIP system. When possible, disperse call manager clusters geographically; this will add integration costs, but will allow one call manager cluster to pick up the load if another goes down.
Security departments should consider installing an IPS in front of the call manager. Although expensive upfront, it will pay for itself quickly by blocking many of the security threats facing systems today. A rule-based IPS will work for the short term in lower-bandwidth networks, but, as more applications are converged, you're better off with a hardware-based IPS.
It's always a good idea to use redundant architecture. Doing so will drive up costs, but if you can't afford to be without phone service, built-in back ups are the way to go.
VoIP is a scary investment fraught with security flaws. But, if you know where to start and how to keep your systems secure, it can be a great business solution.