VoIP security


The dos and don'ts of VoIP security

Analysis: From VLANs to encryption

By Anthony Plewes

Published: 4 April 2007 11:57 GMT

Though there is precious little evidence of VoIP security attacks, organisations cannot afford to be complacent. Make no mistake, says Anthony Plewes, VoIP is an attractive target for hackers and malware writers.

To demonstrate the potential danger that enterprises with unsecured VoIP systems face, the Voice over IP Security Association (Voipsa) has published a list of publicly available tools that target VoIP applications. There are signs hackers are now turning their attention to voice over IP and most security commentators believe the first major attacks will occur over the next six to 12 months.

This means all enterprises need to ensure their VoIP infrastructure is protected, though this needn't be an onerous undertaking.


The simple fact that VoIP now typically comes under the aegis of the IT department should help security. Although they ran proprietary operating systems, PBXs were in fact open to a large range of security attacks. They were generally just a little harder to access, and attacking them required specialised knowledge.

While VoIP has increased the number of people able to exploit a corporate phone system, the tools and expertise to protect the technology have also been improved.

VLANs

The first step for VoIP security is to follow data networking best practice. Ovum analyst Graham Titterington says: "Most security in VoIP is a question of good network security and housekeeping."

Enterprises should deploy the voice traffic on a separate virtual LAN, or VLAN, from the data traffic. This helps protect the voice service if there is a denial of service attack on the data network.

Chris Whitwood, network manager at University College Falmouth, which has deployed IP telephony, says: "Denial of service is a particular problem for VoIP as it can completely destroy your telephony service. To protect against this, enterprises need to use security such as intrusion prevention systems and have a well-segmented network using VLANs."

VLANs need to be properly architected to prevent packets jumping from one VLAN to the other. However, even if they are, hacking tools are available that can make packets do just that. Additional tools that will help networks in case of any attack are intrusion detection and prevention systems, which scan for rogue incoming packets, and straightforward antivirus software which can help prevent any known threats from disrupting the network.

Another best practice that needs to be extended to voice is changing the default passwords of all of the components of the system. Phones, for example, can become vulnerable if their passwords are not changed, as they offer many points of entry for hackers. In addition, companies should remove all unnecessary applications, such as telnet and web servers, from VoIP systems. Many IP phones have web servers installed so that configuration can be managed from a PC screen, but this leaves them exposed to the internet.
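One way to check an estate for the leftover management services described above, as an added example that is not part of the original article. The port list, the inventory addresses, the exceptions mechanism and the fake probe are assumptions made for illustration; run the real probe only against devices you administer.

```python
import socket

# Management services the article says to remove from VoIP devices.
# Assumption: HTTPS (443) is counted as a phone web server as well.
UNNEEDED = {23: "telnet", 80: "http", 443: "https"}

def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(inventory, probe=tcp_open, exceptions=None):
    """Return {host: [service, ...]} for unneeded services found listening.

    inventory:  addresses of your own phones and VoIP servers.
    probe:      callable(host, port) -> bool, replaceable for offline tests.
    exceptions: {host: {port, ...}} for documented, approved services.
    """
    exceptions = exceptions or {}
    findings = {}
    for host in inventory:
        allowed = exceptions.get(host, set())
        hits = [name for port, name in sorted(UNNEEDED.items())
                if port not in allowed and probe(host, port)]
        if hits:
            findings[host] = hits
    return findings

# Constructed lab data: a fake probe stands in for the network so the
# example runs offline. Addresses are from the documentation range.
FAKE_OPEN = {("192.0.2.11", 23), ("192.0.2.11", 80), ("192.0.2.12", 80)}

def fake_probe(host, port):
    return (host, port) in FAKE_OPEN

if __name__ == "__main__":
    phones = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
    for host, services in audit(phones, probe=fake_probe).items():
        print(f"{host}: still running {', '.join(services)}")
```
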

Patching is another key security chore. Because VoIP is now just another application that runs on a commercial operating system, it needs to be patched regularly along with the rest of the IT estate. Ken Munro, managing director of penetration testing company SecureTest, says: "Enterprises need to make sure that all of the firmware of the VoIP system is up-to-date. They need to have a rigorous patching regime as new vulnerabilities are found in VoIP systems every few days."

Encryption

While there is some debate about the threat level that eavesdropping poses to VoIP, companies should consider using encryption to secure their VoIP calls. Encryption should definitely be used where there is any risk of eavesdropping, such as on wireless networks or for remote users. Some security experts even suggest that encryption be used throughout the network.

Dan York, director of IP technology at PBX manufacturer Mitel and director at Voipsa, says: "The best encryption for VoIP is secureRTP, which does not have much of a processing overhead. It is a lightweight encryption method and would be ideal in smaller businesses with fewer than 1,000 users." SecureRTP uses high-strength encryption and is used by a number of VoIP application vendors.
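A check that calls really negotiate SecureRTP, as an added example that is not part of the original article. It reads the SDP body carried in SIP signalling and reports each media stream as plaintext RTP or SRTP; the SDP samples are constructed, and the status labels and function names are assumptions made for illustration.

```python
import re

# Constructed SDP bodies for illustration (not captured traffic).
PLAIN_OFFER = (
    "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n"
)
SRTP_OFFER = (
    "v=0\r\no=- 2 1 IN IP4 192.0.2.20\r\ns=-\r\nc=IN IP4 192.0.2.20\r\nt=0 0\r\n"
    "m=audio 49172 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY\r\n"
    "m=video 0 RTP/AVP 96\r\n"
)

M_LINE = re.compile(r"^m=(\S+) (\d+)(?:/\d+)? (\S+)")

def media_protection(sdp):
    """Return [(media, status)] for each m= section of an SDP body."""
    session_fp, sections = False, []
    for line in sdp.splitlines():
        m = M_LINE.match(line)
        if m:
            sections.append({"media": m.group(1), "port": int(m.group(2)),
                             "proto": m.group(3).upper(), "keyed": False})
        elif line.startswith("a=crypto:") and sections:
            sections[-1]["keyed"] = True          # SDES key carried in the SDP
        elif line.startswith("a=fingerprint:"):
            if sections:
                sections[-1]["keyed"] = True      # DTLS-SRTP, media level
            else:
                session_fp = True                 # DTLS-SRTP, session level
    out = []
    for s in sections:
        secure_profile = "SAVP" in s["proto"]     # RTP/SAVP, RTP/SAVPF, UDP/TLS/RTP/SAVP
        if s["port"] == 0:
            status = "disabled"                   # port 0 rejects the stream
        elif not secure_profile:
            status = "plaintext"                  # RTP/AVP permits clear media
        elif s["keyed"] or session_fp:
            status = "srtp"
        else:
            status = "srtp-unkeyed"               # secure profile, no key material seen
        out.append((s["media"], status))
    return out

def plaintext_streams(sdp):
    """Media types that would be sent unencrypted."""
    return [media for media, status in media_protection(sdp) if status == "plaintext"]
```

An SDES key carried in an a=crypto line is only as private as the signalling that carries it, so this check is meaningful only when the SIP signalling itself is protected, for example with TLS.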

Remote users require an additional layer of security as they will need to traverse the firewall. One approach is to use an IPSec (internet protocol security) VPN but the processing overhead can impact on the quality of the voice service. Alternatively it's possible to use SSL technology to help tunnel through the firewall and access the VoIP system - an option that has much less impact on the call quality.

University College Falmouth's Whitwood says: "There are always concerns that conversations of remote workers could be intercepted. To prevent this we create a VPN tunnel between the user and the VoIP servers. For users to gain access to the telephony system they would need to use this VPN because it is not accessible from the outside world."

Finally, in order to make sure all the good work in securing the network does not go to waste, organisations need to enforce a user-security policy that encompasses voice over IP. This needs to spell out in clear terms what responsibilities users have - for example, in keeping their passwords secret - and what applications they can download.

Adhering to a clear security policy should help prevent users from falling victim to phishing scams and other social engineering that can bypass all of the security measures enterprises put in place.
