Data security in a converged network (Part 1)
By Joel A. Pogar, Siemens Information and Communication Networks Inc.
JULY 17, 2003

Technology that allows voice over IP (VOIP) has been available for a number of years, but it has only recently been widely accepted in business. There has been a strong and growing value proposition for the replacement of traditional private branch exchange (PBX) systems with VOIP. The technology has matured considerably, and the benefits of return on investment, communications flexibility and the concept of one network are powerful drivers for companies to deploy VOIP today.

One of the most significant issues around the deployment of VOIP systems has been security. In the wake of Sept. 11, 2001, security is no longer an optional line item when ordering any high-tech system. There has been a lot of discussion around VOIP security, and there seem to be more questions than answers.

In this three-part series, some of the most common security questions and answers about VOIP will be presented. This article is intended to be vendor-neutral; therefore, specific products won't be discussed, but I will explain the major security concepts and issues when deploying a VOIP system.

What's the difference between a threat, a vulnerability and a risk?

While this question isn't specific to convergence, it's important to understand the differences among them.

A threat is an external security issue represented by a natural or man-made attack. For example, a lightning bolt is a natural attack, since the lightning can threaten the safety and security of a data network. Likewise, an external intruder is a man-made threat that attempts to compromise a network.

A vulnerability is a specific degree of weakness of an individual computer or network exposed to the influence of a threat. For example, if you haven't applied the latest security patch to the operating system of your Web server, then you have a vulnerability because that computer system is exposed to potential intruders.

A risk is the degree of probability that a disaster will occur in light of the existing conditions, and the degree of vulnerability or weakness present in the system. The key difference between a threat and a risk is that a threat is related to the potential occurrence of a security issue, whereas a risk is the probability of an incident occurring based on the degree of exposure to a threat. Risk, for security purposes, is usually calculated in dollars and cents.

It's important to realize that you may have a vulnerability, but without a threat, you have no risk. Evaluating each one of these factors is critical to knowing what security exposures you have, how critical they are and what effect they will have in your environment.

Does VOIP introduce any new security vulnerabilities to an enterprise network?

VOIP, by itself, represents a new vector for potential security issues but does not introduce any vulnerabilities that haven't been seen before. Some experts have argued that digitizing voice and placing it on a data network makes voice communications more accessible and easier to intercept. I would have to agree with this point. In a traditional, analog environment, physical access to a switch or wiring closet is usually necessary to intercept communications between two parties. By placing voice traffic on a data network, one could intercept a voice communication by capturing the associated packets as they traverse a large network. Attackers have already developed easy-to-use tools that are widely available.

There are other concerns about VOIP from a risk management perspective, such as keeping all your eggs in one basket. For example, if your data network was to experience a critical failure, you would be without voice and data communications. The impact to your business could be greater if there was a prolonged outage of both systems. Therefore, you need to ensure that your organization has adequate business continuity and disaster recovery plans.

What security threats should I be most concerned with for VOIP?

As I stated previously, there are no new vulnerabilities introduced by adding VOIP to your environment. Many of the already well-known security vulnerabilities can have an adverse impact on voice communications and need to be guarded against. The most significant concerns in a VOIP environment include the following:

Denial-of-service (DOS) attacks: Endpoints, such as IP telephones and VOIP gateways (Session Initiation Protocol proxies), can be bombarded with SYN or Internet Control Message Protocol (ICMP) packets in an attempt to disrupt communications.
Call interception: Unauthorized monitoring of voice packets or Real-Time Transport Protocol transmissions.

Signal protocol tampering: This falls into the same category as call interception; a malicious user could monitor and capture the packets that set up the call. By doing so, that user could manipulate fields in the data stream and make VOIP calls without using a VOIP phone. Or he could make an expensive call, such as an international call, and make the IP-PBX believe that it originated from another user.

Presence theft: Impersonation of a legitimate user sending or receiving data.
Fraud: The ability of a malicious user or intruder to place fraudulent calls.

The call-handling operating system: The call-handling software of many IP-PBX systems relies on operating systems, or operating system components, that may not be secure. For example, the use of Microsoft's Internet Information Server as a Web-based configuration tool for an IP-PBX may introduce significant vulnerabilities into the VOIP environment.

While it's impossible to completely eliminate all of these threats, you can sufficiently mitigate them by taking a few simple steps. There are many well-written published documents about minimizing your exposure to DOS attacks, such as this article (download PDF) from the CER T Coordination Center. Following these guidelines will reduce the amount of DOS traffic your network is exposed to and your overall vulnerability to a DOS attack. Signal tampering, as mentioned above, could be considered a DOS attack, depending on how it's executed.

Encrypting VOIP traffic, where possible, will prevent the unauthorized interception of VOIP calls. While many vendors can't encrypt traffic down to the handset today, the technology to do so will appear in the near future. However, there are several options for encrypting VOIP traffic while it's traversing the core of your network en route to its destination.

Presence theft offers a unique challenge in today's VOIP environment. The best countermeasure for presence theft is strong authentication (i.e., two-factor authentication), although few, if any, vendors can support it today. Strong authentication at the IP endpoint is another emerging technology that will be available soon. Until then, we will have to rely on some security features built into the SIP and H.323 protocols, such as address authentication, CSeq and Call-ID headers.

To manage the threat of toll fraud, it's important that IP-PBX administrators employ the same call restrictions on an IP-PBX that they would on a traditional TDM PBX. Measures such as monitoring international calling and blocking 900 numbers should be employed on an IP-PBX. These systems are just as vulnerable, if not more so, to the traditional phreaking attacks seen on time division multiplexing (TDM) systems.

Finally, perhaps the most critical issue is the operating system security of the call-handling software. Many call-handling systems run as applications or services on Microsoft or Linux platforms. These applications are installed and deployed without regard for the security of the underlying operating system. Therefore, it's critical to ensure that the operating system of your call-handling software isn't using any unnecessary services (such as FTP) and has any security patches applied. The only caveat here is to make sure that disabling these services won't have an adverse effect your VOIP system.

For example, as an administrator, you may feel that an HTTP server is unnecessary and disable it. However, that server could be a required component for remote configuration or administration. Check with your VOIP vendor before making any operating system changes or applying any operating system patches.

Joel A. Pogar is national practice manager, Information Security, Siemens Information and Communication Networks Inc.

CW Part 1