IP calls could open up your network to a world of pain
Published: 9 August 2005 16:25 BST
VoIP has many upsides but moving your telephony system to a packet-based network could leave you at the mercy of hackers. Danny Bradbury looks at how to properly secure a corporate IP telephony system against known and unknown threats.
Voice over IP (VoIP) calls offer the twin benefits of cost and convenience but there are dangers associated with moving your telephony system onto IP networks: it potentially opens them up to hacking, with disastrous results.
Commentators like Paul O'Reilly, director of sales for VoIP EMEA at network monitoring company NetIQ, say VoIP is really just another application on the network. This turns security experts such as Mike Murray, director of vulnerability and exposure at vulnerability management company nCircle, a strange shade of pale.
"You are now deploying a second computer on everyone's desk in the whole network," he says, describing the use of IP phones. "Does that change your security posture? Well, sure it does." Most IT security departments he knows are already overworked.
Running your telephony service over IP makes it one of the most mission-critical IT applications you own. Most medium-sized organisations can survive for a while if line of business applications fail but if your telephones are down, everyone may as well go home. And moving telephony to an IP network makes it vulnerable to different types of attack.
Denial of service attacks, where someone tries to hit your telephony server repeatedly with traffic, can theoretically stop a company using its VoIP system but there are other more insidious attacks, too. "It means that any box on your entire system that gets compromised can be potentially used to start tapping phones," says Murray.
VoIP users who don't properly protect their networks can look forward to attacks such as on-hook listening, where hackers surreptitiously turn on an IP phone's speaker capability to eavesdrop on your office. Or they could theoretically eavesdrop on VoIP traffic travelling across the network.
"I'm waiting to see the security tool which is a network packet sniffer that reassembles packets on the fly," Murray says. Or, if you'd really like something to keep you awake at night, think about hackers compromising the phone system and using your VoIP network to make free calls to external numbers.
Companies have to work out the threat and risk to their voice applications, says Paul King, Cisco UK's principal security consultant. Cisco breaks VoIP policy down into four areas: infrastructure, call control, the phones themselves, and components at the application level. He advocates the use of application firewalls to check that, for example, communications coming into its Call Manager application are using the right signalling protocols. For IP phones themselves, the company uses digital certificates to encrypt traffic and authenticate endpoints.
NetIQ's O'Reilly adds that security managers should use common sense practices, such as disabling advanced facilities on IP phones located in public areas such as the company foyer.
At the call control level, King argues that Cisco's Call Manager application is protected with intrusion prevention software, and serves as a secure control hub for the IP phones. That may be true but the company did patch a major security flaw in the product in July, which could make customers nervous.
The answer to such problems is to make use of multilayered security. At the infrastructure level, for example, logically partitioning voice traffic into a VLAN is a good way to help protect it from attacks that may take place over the data network.
This logical partitioning is a key security tool for Aidan Hancock, network manager at UK radio giant GCap Media. The company, formed from the merger of Capital Radio and GWR earlier this year, uses the firm's nationwide network to send broadcast signals to regional areas and to handle VoIP information, too.
To secure the network, Hancock puts access controllers in his infrastructure to separate voice traffic onto its own LAN and uses quality of service technology to filter out denial of service attacks. Before the overhaul, the company's network was badly hit by the Blaster worm, which flooded routers with junk packets.
"QoS [quality of service] is a key enabler when securing the network because we define certain types of traffic that are most likely to be generated by worm attacks, rate limiting those right at the edge of the network," he says. "You can throw a huge amount of junk at the router but quality of service lets you carry on without dropping any voice packets."
Handling current threats such as denial of service attacks is relatively easy because companies know what they are dealing with. The difficulty comes in preparing yourself against hypothetical attacks.
Spam over VoIP may not be here yet but it is a future possibility, says the Internet Engineering Task Force (IETF).
This is because many VoIP systems use the Session Initiation Protocol (SIP), which provides addresses for IP telephony users in the same way email servers provide addresses. Just as spammers can use dictionary attacks to harvest email addresses for spam, so they can harvest SIP addresses from servers within an organisation, simply by trying to call them and seeing what happens.
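As an added illustration of the harvesting pattern just described (example code, not from the article or any company it quotes), this Python script reads a SIP proxy log and flags sources that sweep many non-existent addresses in a short window, which is the trace a dictionary-style harvest leaves behind. The log format and sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) proxy log format: one line per SIP request and the
# final response status the proxy returned for it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>[A-Z]+) "
    r"to=(?P<to>\S+) status=(?P<status>\d{3})$"
)
# Constructed sample: 203.0.113.5 sweeps consecutive extensions and collects
# 404s; 198.51.100.7 is a normal caller who misdials once.
SAMPLE_LOG = """\
2005-08-09T10:00:00Z src=203.0.113.5 method=INVITE to=sip:1001@example.com status=404
2005-08-09T10:00:01Z src=203.0.113.5 method=INVITE to=sip:1002@example.com status=404
2005-08-09T10:00:02Z src=203.0.113.5 method=INVITE to=sip:1003@example.com status=200
2005-08-09T10:00:03Z src=203.0.113.5 method=OPTIONS to=sip:1004@example.com status=404
2005-08-09T10:00:04Z src=203.0.113.5 method=INVITE to=sip:1005@example.com status=404
2005-08-09T10:00:05Z src=203.0.113.5 method=INVITE to=sip:1006@example.com status=404
2005-08-09T10:03:00Z src=198.51.100.7 method=INVITE to=sip:2001@example.com status=200
2005-08-09T10:04:00Z src=198.51.100.7 method=INVITE to=sip:2010@example.com status=404
"""

def parse(log_text):
    """Yield (timestamp, src, method, to, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # skip lines that do not fit the assumed format
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["method"], m["to"], int(m["status"])

def harvesting_sources(log_text, window=timedelta(minutes=1), threshold=4):
    """Return {src: n} for sources whose 404 (Not Found) responses cover at
    least `threshold` distinct SIP users inside some `window`-long period."""
    per_src = defaultdict(list)          # src -> [(ts, to)] of 404 responses
    for ts, src, _method, to, status in parse(log_text):
        if status == 404:
            per_src[src].append((ts, to))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):   # sliding window over 404 events
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({to for _, to in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:            # a real caller's one misdial stays below
            flagged[src] = best
    return flagged
```

Tune `threshold` and `window` to the size of your dial plan; a small office rarely sees more than one or two unknown extensions per minute from a single source.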
The IETF believes VoIP spam would be three orders of magnitude cheaper than traditional telemarketing because of its speed, capacity and call cost.
However, VoIP spam is unlikely to be a problem right now because many companies, including GCap, have closed off their VoIP networks to the outside world. Although you can reach them from a conventional PSTN phone, you cannot make a SIP call to their internal handsets from an external VoIP system.
This may be effective but it is leading to the balkanisation of internet telephony services and moves the world further away from the dream of anywhere-to-anywhere SIP-based VoIP calls.
We are at the same stage with VoIP today as we were with corporate data networks 15 years ago, when some companies decided not to connect to the internet for security reasons, according to nCircle's Murray.
"Systems generally seem to move from closed to open, and from being competitive and isolationist to co-operative," he says. "I would imagine that VoIP will follow the same model."
But until companies understand the intricacies of building security into their VoIP networks, things are likely to remain closed for the foreseeable future.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.