John Bennett, Managing Director at snom UK, looks at what you should know about security when implementing IP Telephony.
Organisations are increasingly implementing VoIP technologies, many of them drawn by the cost reductions. But deployments must be done in the most secure manner possible; otherwise, the sought-after cost savings could turn into monetary losses if the security of the VoIP infrastructure is compromised.
The good news is that this provides an opportunity for the channel to add value and provide solutions with proper security awareness, planning and administration. By taking the right approach to VoIP security, organisations can expect the quality, reliability, and security that we’ve come to know from the existing phone networks.
One of the most widely talked about security breaches is the denial of service (DoS) attack. A DoS attack is an assault on a network or device that denies it service or connectivity. Normal tasks like processing phone calls will be in jeopardy depending upon how your system handles a DoS attack. Attackers carry out a DoS attack by flooding a target with unnecessary SIP call-signaling messages, thereby degrading the service and making it unavailable to legitimate users. A hacker could easily flood your SIP server with bogus requests, making it impossible to send or receive calls. Denial-of-service attacks can disable your network, which, depending on the nature of your business, can effectively disable your organisation.
Toll fraud is just as much of a problem with an IP PBX as it has been with the legacy PBX world. An intruder can potentially crack your IP-PBX, register an extension, and send lots of traffic your way for termination. Oftentimes, by the time a company discovers this, it’s too late and the hacker has racked up tens of thousands of dollars in fraudulent calls.
Eavesdropping is one of the most common threats in a VoIP environment. Because most VoIP traffic over the Internet/IP Network is unencrypted, anyone with network access can listen in on conversations. Unauthorised interception of audio streams and decoding of signaling messages can enable the eavesdropper to tap audio conversations in an unsecured VoIP environment. Eavesdropping is how most hackers steal credentials; for example, customers reciting their credit card numbers to an airline booking attendant. All that’s needed is a packet capturing tool (freely available on the Internet) or switch port mirroring, and hackers can save the files, take them home, and cause disaster with the stolen information.
The topology of your system will determine how vulnerable you are to these attacks. If you are on a private network and have no remote users or use a VPN server, then you should be at minimal risk. Conversely, if you are depending upon the logic of the IP-PBX to defend you, then you must ensure that your system has automatic intrusion detection capability. Therefore, if the system is on a public IP address or if port forwarding is set up in the firewall router, then you need to ensure that you’re protected. Intrusion detection systems (IDSs) are not a new technology, but when they are used, they must act quickly; otherwise, it will be too late when an attack occurs. An IDS is a key component of an IP-PBX. The IP-PBX should monitor the CPU and send out SNMP or email alerts when CPU load spikes under attack. Automatic IDS is accomplished by setting up access lists. Once an access list has been set up, the system notifies the administrator via email whenever a blacklisted IP address tries to access the system and has reached the number of tolerated attempts that has been set for that IP address.
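The access-list behaviour described above, as an added example that is not taken from any IP-PBX product: it replays registration log lines, blacklists a source once it exceeds the tolerated number of failed attempts inside a time window, and raises an alert when a blacklisted source tries again. The log format, the allow-list and the thresholds are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log format (not a real PBX's output).
# auth_failed = credentials presented and rejected, not the initial 401 challenge.
SAMPLE_LOG = """\
2024-05-01T02:00:00 REGISTER src=192.0.2.10 ext=201 result=ok
2024-05-01T02:00:01 REGISTER src=203.0.113.7 ext=100 result=auth_failed
2024-05-01T02:00:02 REGISTER src=203.0.113.7 ext=101 result=auth_failed
2024-05-01T02:00:03 REGISTER src=203.0.113.7 ext=102 result=auth_failed
2024-05-01T02:00:04 REGISTER src=198.51.100.5 ext=202 result=auth_failed
2024-05-01T02:00:05 REGISTER src=203.0.113.7 ext=103 result=auth_failed
2024-05-01T02:09:00 REGISTER src=198.51.100.5 ext=202 result=ok
"""

TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]  # assumed allow-list (office LAN)
TOLERATED = 3                                     # failed attempts tolerated per source
WINDOW = timedelta(minutes=5)                     # assumed counting window

def parse(line):
    ts, _method, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), ipaddress.ip_address(kv["src"]), kv["result"]

def detect(log_text):
    """Replay the log in order and return (blacklist, alerts)."""
    recent = defaultdict(deque)        # source -> timestamps of recent failures
    blacklist, alerts = set(), []
    for line in log_text.splitlines():
        ts, src, result = parse(line)
        if any(src in net for net in TRUSTED):
            continue                   # allow-listed sources are never blocked
        if src in blacklist:
            alerts.append(f"{ts.isoformat()} blocked source {src} tried again")
            continue
        if result != "auth_failed":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW:      # forget failures older than the window
            q.popleft()
        if len(q) >= TOLERATED:
            blacklist.add(src)
            alerts.append(f"{ts.isoformat()} blacklisted {src} after {len(q)} failures")
    return blacklist, alerts
```

The single mistyped password from 198.51.100.5 stays below the threshold, so a legitimate user is not locked out by one error.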
Your first line of defense in preventing toll fraud is to assign very long, cryptic passwords to each extension. While this might be easier said than done, it is always the first thing to do.
Security Aware Dial Plans
Dial Plans limiting the dialed destination will go a long way in preventing toll fraud. Most dial plans send all the traffic out a particular trunk with a wild card * in the pattern field. While this may be okay in some cases, if you have employees who don’t need to make international calls, then prevent international calls from ever being made from their extensions in the first place.
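A security-aware dial plan next to the wildcard one, as an added example rather than any vendor's configuration syntax: each extension gets an ordered rule list, the first matching pattern decides the trunk, and a number that matches nothing is refused. The plan names, extensions, trunk names and UK-style prefixes are assumptions.

```python
from fnmatch import fnmatchcase

# Hypothetical dial plans: ordered (pattern, trunk) rules, first match wins.
# A trunk of None refuses the call. Prefixes assume UK-style dialling
# (00 = international, 09 = premium rate); adjust for your numbering plan.
PERMISSIVE = [("*", "sip-trunk")]      # the wildcard plan that sends everything out
NATIONAL_ONLY = [
    ("00*", None),                     # no international calls
    ("09*", None),                     # no premium-rate calls
    ("0*", "sip-trunk"),               # national numbers
    ("[1-8]??", "internal"),           # three-digit extensions
]                                      # no trailing "*" rule: anything else is refused
INTERNATIONAL = [("09*", None), ("*", "sip-trunk")]

EXTENSION_PLAN = {"201": NATIONAL_ONLY, "202": NATIONAL_ONLY, "300": INTERNATIONAL}

def normalise(dialled):
    """Strip separators and map a leading '+' to 00, so a deny rule
    cannot be sidestepped by the way the number is formatted."""
    digits = "".join(c for c in dialled if c.isdigit() or c == "+")
    return "00" + digits[1:] if digits.startswith("+") else digits

def route(extension, dialled, plans=EXTENSION_PLAN):
    """Return the trunk for this call, or None if the dial plan refuses it."""
    plan = plans.get(extension)
    if plan is None:
        return None                    # unknown extension: refuse
    number = normalise(dialled)
    for pattern, trunk in plan:
        if fnmatchcase(number, pattern):
            return trunk
    return None                        # default deny
```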
Call Detail Records (CDR) should be kept private. If someone discovers who’s calling you and who you’re calling, it can be a competitive advantage to them. In the past, getting possession of a company’s CDRs was difficult since they were either buried in the PBX or located at the phone company. But this has all changed with IP-PBXs. Getting access to the CDRs of an IP-PBX is as easy as hacking into the system. To lock down the web interface of the system and ensure that drives can’t be shared or accessed remotely, password management is key. Also, rather than let CDRs sit in a directory until they’re needed, it’s best to get them off the system and into a secure database or email server where they can be queried later if needed.
Authentication-Based IP Addresses
If you want to take a few extra steps at securing your system, then statically configure the IP phones to your extensions. In the IP-PBX, specify which IP address can use a particular extension as a trusted IP address. VoIP toll fraud occurs in two stages:
1. The attacker scans the Internet to find a VoIP system.
2. It poses as a remote extension and attempts to make calls.
By making it impossible for hackers to register and make phone calls, you’ve prevented fraud from the outset.
With the PSTN, calls traversed dedicated circuits; VoIP calls are really just data going across the Internet, and this data must be protected. By using encryption techniques like TLS and SRTP, you can protect both the signaling and the media stream, preventing the conversation from being listened to with simple tools like port mirroring and an RTP trace using Wireshark. SIP packets contain information such as the IP address of the phone, the SIP server, the signaling and media ports that it’s expecting to listen on, the MAC address of the phone, and in some cases, even the management port of the phone. This is private information and should be sent over a TLS tunnel to hide it from snoopers. SRTP is a security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. SRTP is ideal for protecting Voice over IP traffic because it can be used in conjunction with header compression and has no effect on IP Quality of Service.
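A check for whether a call is actually using TLS and SRTP, as an added example that is not part of the original article: it reads the Via transport and the SDP media line of a SIP message and reports what is left unprotected, including an SRTP key carried in a=crypto over signaling that is not TLS. The two messages are constructed samples with a placeholder key.

```python
# Constructed SIP INVITE fragments (documentation addresses, placeholder key).
PLAIN = (
    "INVITE sip:202@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK1\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
SECURED = (
    "INVITE sips:202@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.20:5061;branch=z9hG4bK2\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "m=audio 49172 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n"
)

def audit(message):
    """Return a list of findings for one SIP message carrying an SDP body."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    # Topmost Via header has the form "Via: SIP/2.0/<transport> host:port;..."
    via = next((l for l in head.split("\r\n")
                if l.lower().startswith(("via:", "v:"))), "")
    transport = via.split(":", 1)[1].split()[0].rsplit("/", 1)[-1].upper() if via else "?"
    tls = transport == "TLS"
    if not tls:
        findings.append(f"signalling sent over {transport}, not TLS")
    sdp = body.split("\r\n")
    for line in sdp:
        if line.startswith("m=audio"):
            proto = line.split()[2]    # m=<media> <port> <proto> <formats...>
            if "SAVP" not in proto:    # RTP/SAVP and RTP/SAVPF are the SRTP profiles
                findings.append(f"audio offered as {proto}: media is not SRTP")
    if any(l.startswith("a=crypto:") for l in sdp) and not tls:
        findings.append("SRTP key in a=crypto is readable because signalling is not TLS")
    return findings
```

The last finding is why the two protections belong together: when the SRTP key is exchanged in the SDP, encrypting only the media leaves that key visible to anyone who can capture the signaling.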
If you want to increase security further, then purchase an actual certificate from a Certificate Authority (CA) like VeriSign, which is equivalent to having your documents signed by a Notary Public who is a trusted third party, verifying that you are who you say you are after looking at your identification.
Plug and Play and Certificates
Plug and play of phones on the wide area network has been driven by the need for easy and rapid deployment and provisioning by hosted service providers. The phone presents a MAC address and based upon that MAC address, the IP-PBX automatically provisions the phone so that it can make calls. However, the IP-PBX is not able to verify the MAC address of the phone since it came from the WAN (the MAC address, in this case, reflects that of the router since that’s where it came into the LAN).
Some phones can have certificates burnt in at the factory, so after a key exchange, the IP-PBX can be assured that the phone is who it says it is and that a certain MAC address belongs to a particular phone. This way, the IP-PBX does not just have to trust a phone’s authenticity; it can guarantee it.
A VPN can also be used to protect the voice conversation between the phone and the IP-PBX. VPNs have been around for a long time and IT professionals are accustomed to supporting them. However, the downside is that IPSec is the predominant protocol, and interoperability is not very widespread among vendors. In addition to the de facto standard IPSec, other technologies include PPTP and OpenSSL. VPNs are an option, though not an easy one if you have to start from scratch.
Protecting the phones can be accomplished by locking out the web interface if they are not to be used by the end user and configuring everything from the IP-PBX using Plug and Play (PnP) to the phone. If you want to go a few extra steps, then statically configure the IP phones and in the IP-PBX, specify which IP address can use a particular extension as a trusted IP address. This works well on the LAN, but not on the WAN unless the phones have static IP addresses.
VoIP Security Best Practices
While there is no such thing as a bulletproof VoIP implementation, there are a handful of features to look for when scouting out a good system for your VoIP needs. Reputation is important, as is sourcing your handsets from a trusted phone provider. Security aspects are high on the list of skills needed for a successful IP Telephony implementation.
There will always be those who are happy to install IP Telephony as a cost-saving exercise and accept the security risks. But for service providers and for serious businesses, the move to IP Telephony is more than just a cost-saving exercise: it is a strategic decision that provides cost savings but also adds value to the business by improving communications and providing benefits such as integration between mobile and fixed line phones and between phones and business applications. The security considerations discussed here are well within the scope of a trained networking reseller, and they are a key element that allows the value-add reseller to differentiate themselves and provide a quality service, creating a long-term and mutually profitable trusted relationship with the customer.