
Security in Voice over IP Networks

A comprehensive security plan incorporating VoIP is essential to protect your business

Implementation of a security infrastructure helps lay a solid foundation for risk control in VoIP networks

The functional and cost advantages of are evident. By today’s technical standards, however, Voice Over IP (VoIP) is still less secure than traditional telephony. At the same time, the hacker scene is constantly looking for new weak spots and developing ingenious methods of attack to gain access to confidential information and penetrate further into the network.

Contents

VoIP protocols
VoIP risks and their effects
Availability
Confidentiality
End-devices
Attacks at protocol level
Migration of data networks
Infrastructure security risk analysis
Critical points of attention
Segmentation of networks
Isolation of servers or groups for certain applications
Data security
Network gateways
Availability and quality of service
Conclusion
About the Authors
Aleksei Resetko
Thorsten Henning

VoIP protocols

A large number of proprietary and standardized systems exist for VoIP. Two of the best-known VoIP protocols are H.323 and the Session Initiation Protocol (SIP) [1]. Both standards describe processes that enable packet-based transmission of real-time data such as speech over networks such as the Internet. The standards describe both the functions of the individual components and the processes of signalling and data transmission. One feature common to both standards is that the signalling and the actual real-time data are transmitted via different channels across the same network. While details in signalling differ between the two systems, the transmission of real-time data uses the same process and the same . The Real Time Protocol (RTP), which can be combined with the User Datagram Protocol (UDP), has established itself as an effective transmission method. In the UDP protocol, the UDP channels (ports) are created dynamically as the connection is established between the end-users. This dynamic process makes it extremely difficult for traditional firewalls to guarantee security for VoIP. Only a firewall that can “understand” H.323 and SIP at application level is capable of opening the dynamically created UDP ports for the duration of the connection and then closing them again.

[1] The older of the two standards, H.323, was first adopted as early as 1996 by the International Telecommunications Union (ITU), whereas the SIP protocol was standardized by the Internet Engineering Task Force (IETF).

VoIP risks and their effects

Use of VoIP offers many advantages, but also places fresh demands on the security of IP networks. “Classic” networks can be used as a model. They are available twenty-four hours a day, transmit speech at an acceptable level of quality and are generally considered safe from tapping, manipulation or attacks.

| PSTN | VoIP |
| --- | --- |
| Closed network: signalling and data are transmitted across private networks; end-devices are in defined locations. | Open network: signalling and data are transmitted over the Internet; location of end-devices is not definable. |
| Signalling not available for the end-user. | End-user can modify VoIP signalling. |
| Fixed bandwidth and quality. | Bandwidth can be fixed to certain degree only; quality spill-overs. |
| Network elements are reliable/controllable. | Network elements are not reliable – stricter authentication and authorization are necessary. |
| “Primitive” end-devices are safe from attack. | VoIP end-devices have same weak spots as other IT systems. |
| Stricter regulations. | VoIP telephone calls are treated as data traffic – no specific regulations. |

The above table highlights the particular significance of security considerations in VoIP infrastructures. Before introducing VoIP, each company should conduct an evaluation of its security priorities.

Availability

End-users will only accept VoIP as an alternative to conventional telephone networks if performance levels are at least equally high. Achieving such performance levels is a difficult task, as is demonstrated by the following examples. A successful denial-of-service (DoS) attack can influence transmission speed so significantly that the end-user perceives the service as not available. And in so-called ‘quality spill-overs’, VoIP telephone calls are not isolated from each other or from other data traffic, which can affect the quality (bandwidth and speed) of VoIP calls.

In practice, the availability of all VoIP components must be at least 99.99% to be able to compete with conventional telephone networks. Transmission delay must not exceed 150 milliseconds, including the usual ‘network ’, , packet inspection by the firewall, routing and processing at application level.

Voice over IP

Although until recently the Internet and the Internet Protocol (IP) were only used to transmit data, it is now possible to transmit speech over the same network in a process known as Voice over IP (VoIP); other real-time data, such as video, can also be similarly transmitted. The functional advantages are obvious, as end-devices and applications can be easily combined on a common IP-based network. Multipurpose end-devices which combine telephone and PC functions and access a common network will therefore become much more common. VoIP also reduces costs: a common network infrastructure and multipurpose end-devices mean savings for both network operators and users.

Confidentiality

Another critical requirement is that VoIP calls must be safe from manipulation and tapping. VoIP incorporates no standard process of encryption and verification of data integrity. In order to sufficiently protect telephone calls a complementary solution is needed, for example IPSec or Secure RTP (see the heading ‘Data security’).

End-devices

End-devices can be divided into two main categories:

• IP phone: looks like a normal telephone and has an operating system with TCP/IP stack, VoIP services and protocols
• Soft phone: a PC software program that uses resources of the operating system. The user makes telephone calls via external loudspeakers or using headphones and a microphone (headset).

Both categories have pros and cons in terms of security. With an IP phone the user has only limited access to the functions of the operating system. This keeps the risk of IP phone abuse relatively low. However, the management of IP phones does present a security threat: monitoring, logging or intrusion detection at operating system level is only possible to a limited degree without using additional functions. Patch management is another process that is currently not receiving the necessary attention from all manufacturers. Patching IP phones therefore represents a challenge for larger enterprises operating several hundred IP phones.

Patching and managing soft phones, however, is less of a problem for most companies, as this involves standard procedures. However, the security risk here lies in the fact that the functions of the VoIP software are fairly easy to manipulate. Dialers, Trojans or spyware may be able to gain access to settings and configurations, enabling an attacker to make telephone calls at a third party’s expense, and tap or manipulate VoIP calls. Alternatively, the gaps in the VoIP software could also enable a potential attacker to access the operating system. The associated risks range from denial-of-service to identity theft.

Generally speaking, the security risks associated with VoIP end-devices result from their inherent “intelligence” and the fact that this requires appropriate configuration.

Attacks at protocol level

Due to the integrated logic in VoIP signalling protocols and the basic manipulability by end-users, there is a range of possible ways of attacking SIP and/or H.323 systems. The following list gives a number of examples:

• Application source routing: VoIP calls are sent over predefined routes to reach network areas that are not accessible via normal IP routing. With this method, the attacker bypasses certain network protection mechanisms.
• Taking over phone calls (‘call hijacking’): the connection is reported as unavailable and the call is rerouted.
• Denial-of-service: several connections are reported as unavailable to the VoIP proxy server or disrupted by prepared data packets.
• Bugs: implementation errors of individual manufacturers make it possible to attack VoIP applications and the underlying systems.

Migration of data networks

When migrating from a pure data network to a VoIP-enabled network, the existing network must first be checked. As previously described, VoIP imposes different requirements than pure data applications. The main requirements relate to quality of service (QoS) and security. In principle, a small number of changes could be sufficient to adapt a pure data network for VoIP, but it may be advisable to redesign the entire network. The challenge is to maintain the existing quality of data applications. A basic rule is to check all components in new networks or network changes for VoIP suitability, even if introduction of the VoIP system is not (yet) planned.

Infrastructure security risk analysis

A realistic assessment of VoIP-related risks can be achieved using a structured risk assessment methodology. One such established method is the X.805 standard of the International Telecommunications Union (ITU). Bell Labs helped develop this standard, which is now a standard tool in the security projects of several manufacturers. The method divides the network components into the following layers (see Figure 1):

• Applications layer: applications available to the end-user;
• Services layer: network services, ranging from transport services to high-level application services;
• Infrastructure layer: network components such as routers, switches, point-to-point links and .

Each layer has its own particular weaknesses and risks. To analyze these in more depth the three layers are further divided into three planes (see Figure 2):

• End-user plane: end-user access to IT resources, privileges, etc.;
• Control/signalling plane: enables the flow of information in the network, system-to-system communication, etc.;
• Management plane: management, provisioning, support, etc.

This results in nine security perspectives which have the usual security requirements in terms of authentication, authorization, data conformity, etc. (see Figure 3). Summarizing the security layers, levels and requirements in a three-dimensional results in a total of 72 security perspectives. Together, these represent a comprehensive security landscape without any gaps.

Figure 1 – Layers of network security (diagram: Applications Security, Services Security, Infrastructure Security)

Figure 2 – Security planes (diagram: the three security layers crossed with End User Security, Control/Signalling Security and Management Security)

Figure 3 – Bell Labs security model – ITU X.805 standard (diagram: security layers, security planes and 8 security dimensions; threats shown are destruction, corruption, removal, disclosure and interruption; vulnerabilities can exist in each layer, plane and dimension; the Bell Labs Security Model is the foundation of ITU-T X.805)

Critical points of attention

Using the ITU X.805 standard offers security administrators or auditors a tool that quickly produces a complete overview of all relevant risks. This results in the following critical points of attention with regard to technical aspects of VoIP security:

• the need for network segmentation (separation of VoIP and data networks);
• dedicated DHCP servers for VoIP end-devices;
• systems for stateful inspection of unauthorized access for VoIP signalling;
• network gateways to Public Switched Telephone Network (PSTN) environments (configuration of session border controllers);
• security of VoIP end-devices and infrastructure components and related communication links;
• logging, monitoring and evaluation procedures;
• organizational aspects such as incident response, operational continuity and disaster recovery planning, and patch and change management.

It should be emphasized that VoIP is a rapidly developing technology. In the near future, many other weak points and opportunities for attack will undoubtedly come to light. In view of the fact that service providers and entrepreneurs are so far devoting all their attention to functionality as a first priority while implementing security measures at a later stage, a proactive approach is essential. A risk analysis is the first step in the implementation of measures to protect against methods of attack that are as yet unknown.

Detailed security requirements can be gauged from a company's individual risk analysis. All processes and components must fulfill these requirements or be adapted accordingly. The following section lists some generally binding requirements.

Segmentation of networks

The classic security model of a single internal safe zone, an external unsafe zone and a ‘demilitarized’ zone has lost its validity since the spread of LANs, UMTS and VoIP, and the emergence of Internet worms. It is becoming increasingly rare to consider a company network to be entirely secure. A worm which has found its way in through a single infected PC can paralyze a whole network. Notebooks with parallel Ethernet, WLAN and UMTS interfaces increase the danger of spreading viruses and worms and make it easier for attackers to penetrate the network. However, VoIP demands that the network be opened for incoming connections.

In accordance with the risk analysis, companies should create different security zones. The firewall should move from the edge of the network to within the network itself. In accordance with the applicable security regulations, the network architecture should permit the necessary communication between the individual zones.

Isolation of servers or groups for certain applications

In order to protect a SIP proxy server or an H.323 gatekeeper from attacks it is necessary to isolate it rather than place it at the centre of the network. A suitable firewall can do this, supporting VLANs and virtual firewalls for a logical segmentation of a shared physical network. In this way different servers can be logically separated from each other, each protected by a server-specific configuration. Bandwidth management at the control level effectively prevents denial-of-service attacks or the unavailability of a bandwidth-intensive application on a neighboring server.

Data security

As previously mentioned, VoIP transmission processes offer no protection against tapping or manipulation. Although technical encryption processes—such as data signing, which is used in IPSec, for instance—have been available for some time now, they are subject to certain limitations when applied to VoIP traffic. These limitations relate to the following security aspects:

• authentication of call participants;
• end-to-end encryption, i.e. from VoIP phone to VoIP phone; and
• incompatibility between IPSec and Network Address Translation (NAT).

In PSTN networks, authentication of participants is usually not a critical aspect because the end-devices are at monitored physical locations. End-to-end encryption also does not have a high priority because the end-devices and data lines can be monitored. In addition, tapping PSTN data lines requires physical access to the infrastructure components and special hardware.

Each call participant must have a valid digital certificate to enable full signing of VoIP data to take place. This requires integration in a Public Key Infrastructure (PKI), which is usually quite costly in technical and organizational terms.

If IPSec and NAT are used simultaneously, the IPSec Authentication Header (AH) will no longer serve a purpose because authentication at IP level is impossible. This can be avoided by using IPSec proxies for address translation (see Figure 4), but this will make the infrastructure costlier and more complex. The same applies to scalability and integration into existing infrastructures when IPSec proxies are used.
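Why the source address matters to AH, shown as an added example that is not from the original paper: a simplified model of the AH integrity check (HMAC-SHA-256 truncated to 128 bits over the IP header with its mutable fields zeroed, plus the protected data). The key, payload, header values and the public address 192.0.2.10 are constructed; 10.1.1.1 and 20.1.1.1 are the addresses shown in Figure 4.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"            # constructed SA key, not a real secret
# Constructed AH-protected data: SPI, sequence number, then the voice payload.
BODY = struct.pack("!II", 0x1001, 1) + b"constructed RTP payload"


def ipv4_header(src, dst, body_len, ttl=64):
    """20-byte IPv4 header carrying AH (protocol 51); checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0x1234, 0,
                       ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(key, header, body):
    """Integrity check value over the IP header plus the AH-protected data.

    Fields that routers legitimately change are zeroed first. The source and
    destination addresses are not among them, so they are authenticated.
    """
    h = bytearray(header)
    h[1] = 0                  # TOS / DiffServ
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(key, bytes(h) + body, hashlib.sha256).digest()[:16]


def router_hop(header):
    """Ordinary forwarding: only the TTL changes."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)


def nat_rewrite(header, public_src):
    """Source NAT: the private source address is replaced."""
    h = bytearray(header)
    h[12:16] = socket.inet_aton(public_src)
    return bytes(h)


def verify(key, header, body, icv):
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(ah_icv(key, header, body), icv)


def demo():
    """Return (valid after a router hop, valid after NAT)."""
    sent = ipv4_header("10.1.1.1", "20.1.1.1", len(BODY))
    icv = ah_icv(KEY, sent, BODY)
    routed = verify(KEY, router_hop(sent), BODY, icv)
    natted = verify(KEY, nat_rewrite(sent, "192.0.2.10"), BODY, icv)
    return routed, natted


if __name__ == "__main__":
    print(demo())
```

The packet still verifies after a normal router hop, but not after NAT has replaced the source address, which is why the paragraph above moves address translation into IPSec proxies.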

Data security can also be ensured through encryption between two IPSec gateways and transfer of VoIP data to the LAN without encryption (see Figure 5). Generally speaking this is a practical solution, although it does not achieve the security level of end-to-end encryption. The risk of tapping and manipulation can be minimized by using:

• separate VoIP VLANs; and
• layer 2 Ethernet encryption.

The passage from the IPSec gateway into the LAN segment presents an of risk because the transmission is unencrypted at that stage. End-to-end encryption should therefore be used as far as possible. However, this may present problems when IP addresses need to be converted.

Figure 4 – Address translation when using IPSec and NAT (diagram labels: address translation; Internet; two IPSec proxies; internal IP addresses 10.1.1.1 and 20.1.1.1)

Figure 5 – Combination of IPSec encryption, NAT and network segmentation (diagram labels: VoIP VLAN, internal IP address 20.1.1.1; Data VLAN, internal IP address 30.1.1.1; IPSec tunnel; Internet; two IPSec gateways; internal IP address 10.1.1.1)

An alternative to IPSec is Secure RTP. However, there are currently only a few VoIP end-devices which support this protocol. In any case, every participant in a VoIP network should clearly authenticate himself, for example by integration in a PKI.

Network gateways

Gateways to foreign networks place special demands on security. VoIP must allow incoming traffic access into one's own network. This gives the firewall a special status: it must "understand" protocols such as SIP and H.323 and protect the network from the weak spots in these protocols. For this reason Lucent has implemented the patented "Dynamic Pinhole" technology in its firewalls, which makes it possible to open up dynamically created RTP channels to a VoIP connection. Special application filters for H.323 and SIP protect the network from the weak points in these protocols. If it is necessary to change IP addresses, the firewall recognizes the connection between the signalling and speech channel and conducts the Network Address Translation (NAT) correctly.
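The pinhole behaviour described above and under ‘VoIP protocols’, as an added example that is not Lucent's implementation or code from the original paper: a simplified tracker that reads the SDP body carried in SIP signalling, opens the negotiated RTP ports (plus the conventional RTCP port) per Call-ID, and closes them again on BYE. The function and class names and the sample messages are constructed for illustration.

```python
import re

SDP_CONN = re.compile(r"^c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})\s*$")
SDP_MEDIA = re.compile(r"^m=(audio|video) (\d+) RTP/AVP\b")


def media_endpoints(sdp):
    """Return the (ip, port) pairs an SDP body asks to receive RTP on."""
    session_ip, media = None, []           # media: [ip, port] per m= section
    for line in sdp.splitlines():
        conn, m = SDP_CONN.match(line), SDP_MEDIA.match(line)
        if conn and not media:
            session_ip = conn.group(1)     # session-level address
        elif conn:
            media[-1][0] = conn.group(1)   # media-level c= overrides it
        elif m:
            media.append([session_ip, int(m.group(2))])
    # Port 0 marks a declined stream; never open it or a privileged port.
    return {(ip, port) for ip, port in media if ip and 1024 <= port <= 65534}


class PinholeTable:
    """Per-call RTP pinholes, keyed by SIP Call-ID (simplified model)."""

    def __init__(self):
        self.calls = {}                    # Call-ID -> {(ip, udp_port), ...}

    def handle(self, message):
        head, _, body = message.partition("\r\n\r\n")
        first, *rest = head.split("\r\n")
        hdr = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in rest if ":" in h)}
        call_id, cseq = hdr.get("call-id"), hdr.get("cseq", "")
        if not call_id:
            return
        if first.startswith("BYE "):
            self.calls.pop(call_id, None)  # call ended: close its pinholes
        elif first.startswith("INVITE ") or (
                first.startswith("SIP/2.0 200") and cseq.endswith("INVITE")):
            for ip, port in media_endpoints(body):
                # RTP port plus the conventional RTCP port (RTP + 1).
                self.calls.setdefault(call_id, set()).update(
                    {(ip, port), (ip, port + 1)})

    def allows(self, dst_ip, dst_port):
        """True only while some active call negotiated this UDP endpoint."""
        return any((dst_ip, dst_port) in eps for eps in self.calls.values())


# Constructed sample signalling for one call (not captured traffic).
CALL = "Call-ID: constructed-call-1@10.1.1.1\r\n"
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n" + CALL +
          "CSeq: 1 INVITE\r\n\r\n"
          "v=0\r\nc=IN IP4 10.1.1.1\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\n" + CALL +
          "CSeq: 1 INVITE\r\n\r\n"
          "v=0\r\nc=IN IP4 20.1.1.1\r\nm=audio 3456 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.net SIP/2.0\r\n" + CALL + "CSeq: 2 BYE\r\n\r\n"
```

A production application-level gateway also has to handle re-INVITEs, session timeouts and calls that end without a BYE, so that pinholes never outlive the call.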

Availability and quality of service

The security of VoIP networks must not be considered in isolation. The need to transmit voice data in real time makes it necessary to guarantee an end-to-end quality of service and high availability of the whole network, including its security components. The internal bandwidth management offered by the Lucent VPN Firewall, for example, prioritizes VoIP and dynamically guarantees the necessary bandwidth in relation to the bandwidth required by other traffic. VoIP packets can be marked with TOS (Type of Service) and Diffserv Bits in order to guarantee a preferential transfer within the whole network.

The redundancy of critical components and paths guarantees high availability. For example, Lucent implemented a "Stateful Failover" process in its VPN Firewall series, which reverts to the back-up system in less than 500 milliseconds in the event of firewall or connection failure. The back-up system then takes over all active connections. The user does not notice this switch-over and continues speaking as usual.

Conclusion

Over the next few years, VoIP is set to develop into a commercial necessity and replace traditional telephony in many areas. Even today, a cost-benefit analysis may come out in favor of choosing VoIP. However, by today's technical standards VoIP is still less secure than traditional telephony. Suitable measures can guarantee the required security and reduce the dangers to a minimal calculable risk. The firewall plays a central role in this process, as it adopts additional tasks and moves from the network edge to its core. In combination with VoIP security guidelines and standards, implementation of an appropriate security architecture helps lay a solid foundation for risk control in VoIP networks. An essential element is a comprehensive security plan for the entire IT infrastructure which incorporates VoIP security as an integral part.

About the Authors

Aleksei Resetko

Aleksei Resetko is a Security Practice Manager for Germany, Austria and Switzerland. He has over 7 years of professional experience in the areas of IT Security and IT Risk Management. Some of Aleksei’s core competencies are network and security auditing of complex enterprise networks, auditing of IT management procedures and security program development. Aleksei has in-depth experience in the enterprise, and public sectors, including security strategy consulting, security assessment and security design.

Thorsten Henning

After completion of his studies at the Fachhochschule Dortmund, Thorsten Henning has worked for major companies and vendors of IT equipment and solutions. Since 1999, Thorsten Henning has worked for Lucent Technologies as a Technical Systems Engineer. He is a dedicated specialist for VPN and Security Solutions as well as the realization of those solutions. As a subject matter expert he is well known and respected by major service providers and their end customers.

To learn more about our comprehensive portfolio, please contact your Lucent Technologies Sales Representative or call 1-888-426-2252.

Visit our web site at http://www.lucent.com.

Copyright © 2005 Lucent Technologies Inc. All rights reserved.

LWS VoIP.v1 11/05

This document is for planning purposes only, and is not intended to create, modify or supplement any Lucent Technologies specifications or warranties relating to these products or services. Information and/or technical specifications supplied within this document do not waive (directly or indirectly) any rights or licenses – including but not limited to patents or other protective rights – of Lucent Technologies or others.