Voice Over IP - Security Pitfalls

VoIP poses new security risks compared to traditional telephone networks. By transmitting voice over IP networks, VoIP expands the network perimeter and exposes telephony to attacks that target IP networks, such as denial of service attacks, network compromises, and eavesdropping by sniffing voice packets. Proper security measures are needed to defend against these risks, including network segmentation, access control lists, encryption, and patching systems to address vulnerabilities.
VOIP

Voice over IP: security pitfalls

Eve Edelson

VoIP is being taken up at a significant rate. Most visibly, VoIP eliminates the notion of a long-distance call. Any service on an IP network faces the usual IP risks. VoIP opens telephony up to a different, cheaper avenue of attack, essentially expanding the perimeter.

Before you dial the number, listen until you hear a steady hum. This is the dial tone. Dial correctly. With your finger firmly in the hole, pull the dial around to the finger stop. Remove your finger and let the dial spin back. Do this until you have dialed the number. If you get a wrong number, say you’re sorry, hang up. Check the number and dial again.
“We Learn About the Telephone”, American Telephone & Telegraph Company, 1964

Allow X-Pro to detect your network environment, and log in with your VoIP provider. This will take a few seconds – check the Call Status for “Logged in – Enter Phone Number” which indicates that you are ready to make a call. Enter the phone number, or Session Initiation Protocol address using your keyboard, or with your mouse using the numeric keypad on X-PRO. Click the green Dial button ... See the X-PRO User’s Guide for trouble-shooting information. Included there will be useful tips to help resolve a variety of issues which may occur when using the softphone.
“Guide to X-Pro Xten’s Full-Featured Softphone”

The first quote comes from an old school booklet - the second, from a downloaded manual. In 1964, a residential telephone couldn’t easily be unplugged, much less replaced by a cheap handset, and the intelligence of the telephone system was largely on the network. In 2004, the telephone is a computer. This offers new opportunities, and poses new security challenges.

Voice over IP (VoIP) is transmission of voice over a packet-oriented network - IP, or ATM, or frame relay - rather than over the public, switched telephone network. While technical and regulatory issues are still being worked out, VoIP is being taken up at a significant rate. Most visibly, VoIP eliminates the notion of a long-distance call.

Traditional telephony with PBXes (private branch exchange equipment, on-site or at a telephone company office) required a leased analog line for each conversation. Nowadays these connections are mostly digital, using dedicated or shared circuits. Either way a fixed amount of bandwidth must still be paid for. VoIP uses compression for more efficient use of bandwidth, enabling in principle a reduction in leased lines and simpler network management. VoIP and computer telephony integration also offer a sort of telephony API for enhanced applications, which can be developed without waiting for implementation by vendors of traditional voice switches. Examples include real-time sales support via a Web page, voice-mail to email, and call forwarding.

An increasing amount of domestic and international voice traffic and prepaid "calling card" traffic is being carried by VoIP providers. VoIP works over broadband and is being marketed to consumers, who face the same choice as a business - whether to consolidate and ditch the telephone line. Major telcos such as BT and Verizon are not only becoming VoIP providers themselves but shifting to packet-switched networks, to prepare for other service offerings. The telephone network is itself in many places becoming a data network.

For a business, the decision whether to implement VoIP is a complicated one based on network capacity, possible equipment upgrades, and staffing and training costs. The plunge might be less or more dramatic: using VoIP only internally, or between IP-PBXes of remote office branches, or relying completely on IP-PBXes with an interface to the PSTN. At one extreme are hosted VoIP services; at the other, open-source, do-it-yourself VoIP using open-source PBXes such as Asterisk. This article does not make a case one way or another, but describes some security considerations. Miller [1] offers guidelines for evaluating specific business cases.

Why is VoIP a security issue?

Any service on an IP network faces the usual IP risks. VoIP opens telephony up to a different, cheaper avenue of attack, essentially expanding the perimeter.

Loss of service

A power outage means no telephone, so VoIP network components need backup power. Note, IP phones also need more power than traditional telephones (which do get a trickle through the copper wire), hence the development of the IEEE Power over Ethernet standard.

Network Security, February 2005

Denial of service and compromise

An attack on a network as a whole is indirectly an attack on VoIP segments. A DoS attack can be mitigated by stateful packet filtering and segregation of voice and data traffic. VoIP network components themselves may be dedicated hardware using proprietary (IOS) or real-time operating systems (VxWorks), or may be software running on Windows or Unix. They can be attacked in the usual ways such as flooding and malformed packets. Vulnerabilities posted at SecuriTeam (www.securiteam.com) have included an IP phone which reboots when its Web server gets unexpected input, and a PBX with a real-time OS which falls over under Nessus scans. Many telephony management products are software on Windows or Unix. Cisco’s CallManager - an IP-PBX - is administered through IIS; voice mail servers run or correspond with other services, such as SQL Server, to maintain user accounts. Desktop computers with VoIP clients can also be attacked by worms. The defenses are those relevant to any IP network: to patch and patch again, to segment the network in a way which minimizes damage, and to throttle hostile traffic, which may require working with your ISP(s).

Eavesdropping

Voice packets can be sniffed and then stitched together into WAV files, using, e.g., VOMIT ("voice over misconfigured internet telephone", http://vomit.xtdnet.nl). Encryption on top of careful network design should defend against eavesdropping.

Spoofing, toll fraud and spam over IT (SPIT)

This is used to get free calls, or send voice spam. Toll fraud can be mitigated by using access control lists to prevent access from unauthorized hosts to voice services. An IP-PBX can be configured to reject third-party collect calls, or calls to area codes associated with toll fraud, or forwarding of work numbers to off-site locations except under defined circumstances. Mobile phones already get text spam, and automated marketing calls are an unwelcome fact of life, at least in the USA. VoIP spam will be tough to tackle, whether isolated or broadcast.

Emergency calls

A traditional telephone jack has a registered location, but a VoIP phone number may be used anywhere on a network. There is as yet no vendor-independent VoIP standard for physical location of emergency calls.

How VoIP works

This is a highly compressed treatment of a big topic. For a VoIP transmission to take place there must be, conceptually, terminals or endpoints, a means of setting up the call, a gateway between networks, and actual data transport. How these functions are parceled out among devices and where they sit on a network may differ.

Figure 1: Simplified VoIP network

The endpoint is the phone - a traditional telephone with an adapter, a dedicated IP-phone, or computer with a microphone. Call signaling is carried out by a call processing manager or "IP-PBX", which sets up the call, handles routing, and provides configurations to endpoints. There are a number of signaling protocols. The two major ones are H.323 (which came first) and Session Initiation Protocol or SIP (catching up rapidly and now used by Microsoft for instant messaging).

H.323 is an umbrella specification for multimedia, including video-conferencing and ‘white boarding’. It is based on a centralized architecture with logical components which include endpoints, a gateway for interfacing to other networks, an optional gatekeeper for local call management, and a multipoint control unit (MCU) which coordinates conferencing. H.323 ropes in a number of other protocols, for signaling, registration of endpoints, security, and negotiation of connection parameters. H.323 uses a binary format.

SIP (Session Internet Protocol) is a text-based protocol for multimedia and multi-participant transmissions such as voice, video and gaming. Its logical components are a user agent (the endpoint), and servers (registration, proxy and redirect servers) which handle registration of endpoints, routing and call-forwarding. SIP looks conceptually simpler than H.323 but does not completely specify how to handle VoIP traffic. It works with other IP protocols in a distributed way, for addressing and routing.

Both signaling protocols use known ports or ranges of ports for call setup, but the actual conversation takes place over high UDP ports negotiated on the fly. The consequences for filtering are discussed below.

A gateway, which may have a number of logical and possibly physical components, compresses and packetizes voice data and sends it to the IP network. It must translate VoIP signaling protocols to SS7, the signaling protocol used in the PSTN. It may also provide failover access to traditional telephony. This is by no means a complete look at telephony protocols. Yet more of them - Media Gateway Control Protocol (MGCP) or MEGACO (H.248) - handle communication between dissimilar gateways, and there are also proprietary protocols such as Cisco's Skinny Station Protocol.

To make a call - or access voice mail, get firmware upgrades, or even to have a telephone number - a VoIP client registers with an IP-PBX. The client sends a request to a gateway which resolves the telephone number to a network address.

When a connection is established using one of the signaling protocols, the caller’s voice is digitized, compressed, possibly encrypted, and packetized using Real Time Protocol (RTP). RTP packets are then wrapped in UDP datagrams. These travel directly between the participants and are re-assembled by a voice processing application, based on sequence numbers and timestamps in their headers.

Real-time Transport Protocol (RTCP) may be used to provide quality control, by communicating with RTP to adjust the transmission rate in case of packet loss.

Securing VoIP

The main requirements are to protect network components and segregate traffic. The wrinkle specific to VoIP is the need to filter traffic without degrading voice quality. Because UDP provides no service guarantees, network components must support quality of service (QoS) - the ability to prioritize voice over data traffic.

VoIP network components should be dedicated, both for security and performance. The hardware should be physically secured and unused ports disabled. Underlying operating systems should be hardened by keeping them up to date, and disabling unneeded services. They should be managed through secure connections (VPNs, SSH, SSL). Communication between network components should be encrypted and authenticated.

Next, voice and data traffic should be separated, to isolate attacks on any one segment, and should use separate DNS/DHCP servers. Rather than a separate physical network, the usual method is logical separation with virtual LANs on a switch. Much then depends on switch management. Hosts on switched ports do not, or should not, see traffic not intended for them. Switches maintain a cache of MAC-IP associations, built through ARP queries. When a packet arrives for an unknown IP address, the switch drops into hub mode, sends a query out to all ports and adds the responding host to the cache. If the cache fills up, the switch may flush and re-build it, or keep the cache and act as a hub for other requests. A host can offer its MAC address without being asked ("gratuitous ARP"). A flood of this unsolicited information can make a switch fail into hub mode. A spoofed MAC address might be used to gain access to a VLAN, and programs such as dsniff can sniff traffic across ports. MAC address duplication will disrupt traffic.

As a defense, switches can refuse gratuitous ARP, and limit the number of connected hosts per port. Ports should be assigned to specific MAC addresses and unused ports disabled. Arpwatch can monitor changes in MAC addresses. Static IP addresses, if practical, will make filtering simpler.

A switch can be managed at the console or through VLAN(s). Management traffic should have its own VLAN, which should not be the "global" VLAN 1. VLAN hopping - unauthorized cross-traffic - exploits permissive default settings. A packet's VLAN is specified by a tag, using a trunking protocol such as 802.1Q, which lets a VLAN extend across multiple switches. If a trunk port shares a VLAN with other ports, spoofed frames can be made to hop VLANs. There should be an exclusive trunk port, possibly on its own VLAN. In a small network, it might pay to just use several switches without VLANs.

Firewalls are needed where traffic might legitimately flow between voice and data networks: placing a call via an IP-PBX, retrieving voice mail from a server on the data network, or accessing directory services. Because voice traffic uses dynamic UDP ports negotiated during signaling, defining a firewall policy is difficult. NAT also breaks (or is broken by) VoIP. The basic problem is that NAT only checks the IP header, but the information needed to route the packet is inside the VoIP message. Each session takes two ports for signaling - one port each way - two more ports for the conversation and, optionally, two more for RTCP. Multiple participants mean more ports, and many conversations go on at once. This is not something traditional firewalls can handle.

There are, however, VoIP and NAT capable firewalls which can examine each packet in context, at the application level, and adjust policy on the fly. Alternately, existing firewalls can be augmented with proxy servers or application-level gateways. There are also routers which incorporate VPN and voice gateways. The whole filtering issue can be avoided by using VPNs to tunnel through the firewall, host to host. VPNs may encrypt signaling packets, voice packets, or both. In this scenario the firewall can't examine the traffic, so endpoints need their own protection, and this approach only works for callers with pre-configured VPN clients. Hardware acceleration is required wherever a VPN terminates, whether at a device on the perimeter which then has to filter traffic, or at an IP phone.

Simpler packet filtering should be enough where no cross-traffic is allowed. Voice segments should reject all traffic from offsite that would be blocked from a data network, such as SNMP, ICMP, RPC, MS-SQL, or TFTP (which VoIP components may use for upgrades).

Desktop computers with VoIP clients ('softphones') connect to both voice and data segments, so they should use a separate network interface card for the voice VLAN. IP phones with data ports to hang off a PC should support VLANs, rather than act as hubs. Their network settings should not automatically show on the handset. If phones must run Web servers for diagnostic purposes, these should not be accessible from offsite or without authentication. The IP-PBX can require users to log in to phones before registering them (which could be annoying). Voice mail should require strong passwords.

Wireless

Wireless presents a challenge, even without VoIP. Existing security mechanisms - none really effective alone - do not scale well. Access points should go on their own VLAN (WLAN) in a DMZ. Each wireless access point supports multiple domains, distinguished by an SSID. Default SSIDs are known, and in any case can be sniffed, but should be changed to rule out accidental entry. MAC addresses should be filtered. The original encryption protocol, WEP, is being succeeded by the IEEE 802.1x/EAP specification which supports stronger encryption, authentication against a central database, and more sophisticated key management. Alternatively, wireless VPNs can be used, or an access point can redirect to a Web (SSL) server for authentication.

Intrusion detection and monitoring

The type of traffic expected on VoIP segments is pretty well characterized. Sniffers have plug-ins for H.323 and SIP, so intrusion detection systems should be able to incorporate VoIP signatures. They can also catch port scanning, VLAN breaches, DoS, and attacks against Web services on VoIP components. A WLAN should be monitored for unauthorized access points. Many network components have some intrusion detection capabilities, and there are more comprehensive stand-alone wireless IDS products, which get feedback from RF sensors planted around a facility.

Conclusion

I do not mean to gloss over these issues by saying I think time will take care of most of them - except spam. As the market expands, security will become more integrated into VoIP protocols, and fast VoIP firewalls will become cheaper. This will change the financial calculus when deciding between VoIP/NAT firewalls versus proxy servers, or deciding where to terminate VPNs. The basic security concepts, however, will stay the same.

This article has not addressed possible vulnerabilities in specific telephony applications. Those will not be caught by switches or firewalls which focus on signaling protocols, but they are equally important. Finally, whichever signaling protocol or encryption solution is chosen, it would be wise to keep a PSTN line for backup.

References

[1] M. A. Miller, Voice over IP Technologies, M&T Books (2002)
