VoIP Security Primer
Voice over IP (VoIP) security is the branch of information security applied to VoIP infrastructure. Its objectives are to preserve the availability of VoIP services, to protect information carried or stored by VoIP systems from theft, and to prevent fraudulent use of voice communication (toll fraud).
VoIP operates differently from data services. For example, to establish real-time communication VoIP uses signaling protocols such as SIP to identify the calling parties, define the call characteristics and ring the phone. Once the call is established, the conversation is carried over an IP network as packetized voice. The signaling protocols have their own specific characteristics, such as dynamic assignment of the ports used for RTP traffic.
While the signaling phase is handled by a PBX or call manager, in most implementations RTP traffic is routed peer-to-peer (P2P) between the calling parties, completely bypassing the PBX/call manager. From a security perspective it is very difficult to protect the many endpoints communicating in P2P mode: RTP traffic is a stream of packets whose binary content, produced by digitizing human speech, looks random, and all VoIP phones use this protocol regardless of vendor or geographical location. Finally, because traffic flows directly between phones, no centralized controller sees it.
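As an added illustration (not code from the primer), the following Python shows what a SIP-aware firewall or session border controller has to do about the dynamically assigned RTP ports described above: parse the SDP offer inside an INVITE and derive the per-call RTP/RTCP pinhole, refusing offers whose media port falls outside policy. The message layout, the RFC 5737 documentation addresses and the even-port policy are assumptions made for the example.

```python
import re
from collections import namedtuple

MediaPinhole = namedtuple("MediaPinhole", "call_id ip rtp_port rtcp_port")

def build_invite(media_ip, rtp_port):
    """Constructed SIP INVITE carrying an SDP offer (sample data, not captured traffic)."""
    body = ("v=0\r\n"
            f"o=alice 2890844526 2890844526 IN IP4 {media_ip}\r\n"
            "s=-\r\n"
            f"c=IN IP4 {media_ip}\r\n"
            "t=0 0\r\n"
            f"m=audio {rtp_port} RTP/AVP 0 8\r\n"
            "a=rtpmap:0 PCMU/8000\r\n")
    return ("INVITE sip:bob@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {media_ip}:5060;branch=z9hG4bK776asdhds\r\n"
            "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
            "To: Bob <sip:bob@example.com>\r\n"
            f"Call-ID: a84b4c76e66710@{media_ip}\r\n"
            "CSeq: 314159 INVITE\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(body)}\r\n\r\n" + body)

def media_pinholes(message):
    """RTP/RTCP flows a SIP-aware firewall/SBC must open for this offer, keyed by Call-ID
    so they can be closed on BYE. Reads only the session-level c= line (media-level c= ignored)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("INVITE "):
        return []
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-type") != "application/sdp":
        return []
    ip, pinholes = None, []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            ip = line[len("c=IN IP4 "):].strip()
        m = re.match(r"m=audio (\d+) RTP/AVP", line)
        if m and ip:
            port = int(m.group(1))
            if port == 0:
                continue  # port 0: stream rejected or on hold, nothing to open
            if port < 1024 or port > 65534 or port % 2:  # assumed policy: even RTP port, RTCP on port+1
                raise ValueError(f"refusing SDP media port {port}")
            pinholes.append(MediaPinhole(headers.get("call-id", ""), ip, port, port + 1))
    return pinholes
```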
VoIP is highly sensitive to QoS parameters such as packet loss, jitter and delay. Basic VoIP characteristics, its real-time nature and stringent QoS requirements, mean that even a benign attack can significantly disrupt VoIP services. Deploying existing security techniques and technologies such as IPS, firewalls or encryption without taking into account their QoS impact and the specific nature of VoIP protocols can severely degrade the quality of voice communication and, in some cases, cause the complete loss of voice services.
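Added example, not from the original page: a minimal RTP stream health check in Python that implements the RFC 3550 interarrival jitter estimator and a packet-loss count over constructed G.711 streams, the kind of measurement a VoIP-aware monitor uses to notice when a newly inserted firewall or IPS rule has started to degrade calls. The alert thresholds (30 ms jitter, 1% loss) and the sample streams are assumptions.

```python
CLOCK_HZ = 8000  # G.711 (PCMU/PCMA) RTP clock rate: 160 ticks per 20 ms packet

def interarrival_jitter_ms(packets, clock_hz=CLOCK_HZ):
    """RFC 3550 section 6.4.1 estimator over (arrival_ms, seq, rtp_ts) tuples:
    D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1}); J = J + (|D| - J) / 16, in clock ticks."""
    j, prev = 0.0, None
    for arrival_ms, _seq, ts in packets:
        r = arrival_ms * clock_hz / 1000  # receiver arrival time in RTP clock ticks
        if prev is not None:
            d = (r - prev[0]) - (ts - prev[1])
            j += (abs(d) - j) / 16
        prev = (r, ts)
    return j * 1000 / clock_hz

def packet_loss_fraction(packets):
    """Share of sequence numbers missing between the first and last one seen.
    Assumes no 16-bit sequence wrap inside the window (RFC 3550 extends the counter)."""
    seqs = {seq for _arrival, seq, _ts in packets}
    expected = max(seqs) - min(seqs) + 1
    return 1 - len(seqs) / expected

def qos_degraded(packets, max_jitter_ms=30.0, max_loss=0.01):
    """Assumed alert thresholds for a VoIP monitor: 30 ms jitter or 1% loss."""
    return (interarrival_jitter_ms(packets) > max_jitter_ms
            or packet_loss_fraction(packets) > max_loss)

# Constructed samples: a clean 20 ms G.711 stream, and one that lost a packet and
# had uneven delays (as a congested link or a per-packet inspecting middlebox causes).
CLEAN = [(20 * i, 1000 + i, 160 * i) for i in range(10)]
DEGRADED = [(0, 1000, 0), (20, 1001, 160), (50, 1002, 320), (60, 1003, 480),
            (80, 1004, 640), (130, 1006, 960)]

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN), ("degraded", DEGRADED)):
        print(f"{name}: jitter {interarrival_jitter_ms(stream):.2f} ms, "
              f"loss {packet_loss_fraction(stream):.1%}, degraded={qos_degraded(stream)}")
```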
Another unique threat is voice spam, or SPIT (Spam over Internet Telephony). Conceptually it is similar to email spam, but with one significant difference. Existing anti-spam applications can examine the entire email, header and content included, achieving acceptable false-positive rates at high throughput. In the VoIP environment, the information carried by the signaling protocols can be analyzed relatively easily, but it can also be easily spoofed or altered, and real-time speech processing and pattern matching across a large number of concurrent calls remains a problem with current technologies.
The traditional enterprise VoIP infrastructure consists of a wide range of components, applications and specialized protocols, including wireless, implemented as complex and often globally distributed networks. These IP-based telecommunication networks introduce a large number of new attack vectors that in many cases impose different security requirements than traditional data security threats. VoIP vulnerabilities and exploits can be roughly classified as:
When identifying potential attack vectors, a layered model helps describe the vulnerabilities of a typical VoIP device or application, as shown below. Arrows between layers indicate the various attack vectors and the proximity of the attacker, e.g. whether remote or local. Clearly there are hundreds of potential attack vectors exploiting vulnerabilities at different layers through either local or remote access.
The threat landscape becomes complicated in a typical VoIP deployment, which may look as illustrated in the diagram below. The potential attack vectors include not only individual devices and applications but also composite attacks that exploit multiple vulnerabilities across several VoIP devices.
The deployment of a VoIP-specific security infrastructure architecture should address the following functional components:
VoIP Security Functional Components
Prevention: This step enables the proactive identification and fixing of VoIP-specific vulnerabilities before they become a problem for end-users. Periodic or, where required, continuous vulnerability assessments should become part of VoIP security procedures and processes. Once vulnerabilities are identified, they should be addressed by appropriate actions such as patching, re-configuration and network tuning. This component is also critical to compliance and audit processes for regulations such as SOX or GLBA.
Protection: This step protects VoIP services from threats throughout their life cycle. Various security architectures and solutions can be deployed, but all of them have to be "VoIP aware" so that they do not impact VoIP service quality and reliability. Deploying a multi-layer security infrastructure that provides both perimeter and internal network protection is recommended. In most cases it will consist of a number of security devices and host-based applications that protect VoIP networks, such as Session Border Controllers (SBCs), VoIP Network Intrusion Prevention Systems (VIPS), VoIP Network Access Control (VNAC), anti-SPIT, VoIP DoS defenses, VoIP Network Intrusion Detection Systems (VIDS), encryption engines and VoIP anti-virus software.
Mitigation: It is widely acknowledged that no matter what prevention and protection measures are taken, sooner or later an attacker is likely to penetrate all the defenses and wreak havoc on the VoIP infrastructure. As a result, real-time, automated VoIP security mitigation solutions are required to keep VoIP services running in the presence of major security threats such as SPIT, DoS or fast-spreading worms. These systems should be able to respond autonomously to detected security threats and keep their impact at a level where VoIP services can still function.
Processes: Existing security-related processes should be reviewed and modified to accommodate the specific requirements of VoIP networks. The compliance and auditing processes should also include VoIP as a component. For example, only certified VoIP soft-clients on a network with encrypted links should be used, so that phone conversations remain confidential and eavesdropping is prevented. GLBA compliance could require documented vulnerability assessment results and the mitigation steps undertaken to address any discovered vulnerabilities.
People: Education is critical to the success of any security measure. Since VoIP is replacing existing voice solutions, end-users and the telecommunication and IT groups should be aware of the potential security threats that this new technology brings. The education can be delivered by internal security groups or by external organizations that specialize in Voice over IP and Unified Communication security.