
Security in Voice over IP Networks

A comprehensive security plan incorporating VoIP is essential to protect your business. Implementation of a security infrastructure helps lay a solid foundation for risk control in VoIP networks.

The functional and cost advantages of Internet telephony are evident. By today's technical standards, however, Voice over IP (VoIP) is still less secure than traditional telephony. At the same time, attackers are constantly looking for new weak spots and developing ingenious methods of attack to gain access to confidential information and penetrate further into the network.

Contents
VoIP protocols (p. 3)
VoIP risks and their effects (p. 3)
Availability (p. 4)
Confidentiality (p. 4)
End-devices (p. 4)
Attacks at protocol level (p. 5)
Migration of data networks (p. 5)
Infrastructure security risk analysis (p. 5)
Critical points of attention (p. 7)
Segmentation of networks (p. 8)
Isolation of servers or groups for certain applications (p. 8)
Data security (p. 8)
Network gateways (p. 10)
Availability and quality of service (p. 10)
Conclusion (p. 10)
About the Authors: Aleksei Resetko, Thorsten Henning (p. 11)

VoIP protocols

A large number of proprietary and standardized systems exist for VoIP. Two of the best-known VoIP protocols are H.323 and the Session Initiation Protocol (SIP) [1]. Both standards describe processes that enable packet-based transmission of real-time data such as speech over networks such as the Internet. The standards describe both the functions of the individual components and the processes of signalling and data transmission. One feature common to both standards is that the signalling and the actual real-time data are transmitted via different channels across the same network. While the details of signalling differ between the two systems, the transmission of the real-time media uses the same transport in both, and therefore the same options for protecting it (see 'Data security'). The Real-time Transport Protocol (RTP), carried over the User Datagram Protocol (UDP), has established itself as the standard transmission method. The UDP ports for the media are not fixed in advance: they are negotiated dynamically in the signalling as the connection between the end-users is established. This dynamic process makes it extremely difficult for traditional, port-based firewalls to secure VoIP. Only a firewall that can "understand" H.323 and SIP at application level is capable of opening the dynamically negotiated UDP ports for the duration of the connection and then closing them again.

[1] The older of the two standards, H.323, was first adopted as early as 1996 by the International Telecommunication Union (ITU), whereas the SIP protocol was standardized by the Internet Engineering Task Force (IETF).
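The dynamic-port problem described above, as an added example that is not part of the original paper: a minimal Python parser that does what an application-aware firewall must do, reading the SDP offer in a SIP INVITE and the answer in its 200 OK to learn which UDP ports the RTP and RTCP media will use, and turning them into the exact pinholes to open for the duration of that call. The SIP messages, addresses, ports and identities are constructed sample data, and the functions `sip_message`, `split_sip`, `parse_sdp_media` and `pinholes_for_call` are this example's own names, not an API of any product. It also covers two checks such a firewall needs: a stream the answer rejects (port 0) gets no pinhole, and an answer whose Call-ID or CSeq does not match the INVITE is refused.

```python
"""Parse the SDP in a SIP offer and answer to find the media ports a firewall must open.
Added example, not code from the paper; all addresses, ports and identities are constructed."""
from collections import namedtuple

# ip: c= address; rtp_port: from m= (0 = stream rejected); rtcp_port: a=rtcp: or rtp+1; proto: RTP/AVP or RTP/SAVP
Media = namedtuple("Media", "ip rtp_port rtcp_port proto")
Pinhole = namedtuple("Pinhole", "src_ip src_port dst_ip dst_port")  # one UDP flow to permit while the call is up


def is_active(m: Media) -> bool:
    # A stream needs pinholes only if it was not rejected (port 0) and actually carries RTP.
    return m.rtp_port != 0 and m.proto.startswith("RTP/")


def sip_message(start_line: str, headers: dict, sdp: str) -> str:
    """Assemble a SIP message with CRLF line ends and a correct Content-Length."""
    body = "".join(line + "\r\n" for line in sdp.splitlines())
    head = [start_line] + [f"{k}: {v}" for k, v in headers.items()]
    head += ["Content-Type: application/sdp", f"Content-Length: {len(body)}"]
    return "\r\n".join(head) + "\r\n\r\n" + body


def split_sip(message: str):
    """Return (start line, headers keyed by lower-case name, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp_media(sdp: str) -> list:
    """One Media per m= line, in order; rejected streams are kept so offer/answer pair by position (RFC 3264)."""
    session_ip = None
    media, current = [], None          # current = [ip, rtp_port, rtcp_port, proto] of the m= section being read
    for line in sdp.splitlines():
        if line.startswith("c="):
            ip = line.split()[2]       # c=IN IP4 <address>
            if current is None:
                session_ip = ip        # session-level connection address
            else:
                current[0] = ip        # a media-level c= overrides the session one
        elif line.startswith("m="):
            if current is not None:
                media.append(Media(*current))
            port, proto = line[2:].split()[1:3]      # m=<type> <port>[/count] <proto> <fmts...>
            port = int(port.split("/")[0])
            current = [session_ip, port, port + 1, proto]  # RTCP defaults to the next port
        elif line.startswith("a=rtcp:") and current is not None:
            current[2] = int(line[len("a=rtcp:"):].split()[0])   # explicit RTCP port (RFC 3605)
    if current is not None:
        media.append(Media(*current))
    return media


def pinholes_for_call(offer: str, answer: str) -> list:
    """Pair the offer in an INVITE with the answer in its 200 OK; return UDP pinholes (RTP+RTCP, both directions)."""
    o_start, o_hdr, o_body = split_sip(offer)
    a_start, a_hdr, a_body = split_sip(answer)
    if not a_start.startswith("SIP/2.0 2"):
        raise ValueError("not a 2xx answer: " + a_start)
    if (o_hdr.get("call-id"), o_hdr.get("cseq")) != (a_hdr.get("call-id"), a_hdr.get("cseq")):
        raise ValueError("answer does not belong to this INVITE")  # refuse answers injected from another dialog
    holes = []
    for o, a in zip(parse_sdp_media(o_body), parse_sdp_media(a_body)):
        if not (is_active(o) and is_active(a)):
            continue                   # rejected or non-RTP stream: open nothing
        for op, ap in ((o.rtp_port, a.rtp_port), (o.rtcp_port, a.rtcp_port)):
            holes.append(Pinhole(o.ip, op, a.ip, ap))
            holes.append(Pinhole(a.ip, ap, o.ip, op))
    return holes


# Constructed sample call: Alice offers audio and video; Bob accepts audio (RTCP on 53020) and rejects video.
COMMON = {
    "Via": "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "From": "Alice <sip:alice@example.com>;tag=1928301774",
    "To": "Bob <sip:bob@example.com>",
    "Call-ID": "a84b4c76e66710@192.0.2.10",
    "CSeq": "314159 INVITE",
}
INVITE = sip_message("INVITE sip:bob@example.com SIP/2.0", COMMON, """\
v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
m=video 51372 RTP/AVP 31
""")
OK = sip_message("SIP/2.0 200 OK", {**COMMON, "To": COMMON["To"] + ";tag=a6c85cf"}, """\
v=0
o=bob 2808844564 2808844564 IN IP4 198.51.100.7
s=-
c=IN IP4 198.51.100.7
t=0 0
m=audio 3456 RTP/AVP 0
a=rtcp:53020
m=video 0 RTP/AVP 31
""")

if __name__ == "__main__":
    for h in pinholes_for_call(INVITE, OK):
        print(f"allow udp {h.src_ip}:{h.src_port} -> {h.dst_ip}:{h.dst_port}")
```

For the sample call this yields four pinholes: RTP between 192.0.2.10:49170 and 198.51.100.7:3456 in both directions, and RTCP between 192.0.2.10:49171 and 198.51.100.7:53020; the rejected video stream opens nothing. A real firewall would additionally tear the pinholes down on BYE or after a media timeout, and H.323 needs the same treatment for the ports negotiated in H.245; both are outside this snippet.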
VoIP risks and their effects

Use of VoIP offers many advantages, but also places fresh demands on the security of IP networks. "Classic" telephone networks can be used as a model: they are available twenty-four hours a day, transmit speech at an acceptable level of quality and are generally considered safe from tapping, manipulation or attacks.

| PSTN | VoIP |
|------|------|
| Closed network: signalling and data are transmitted across private networks; end-devices are in defined locations. | Open network: signalling and data are transmitted over the Internet; the location of end-devices cannot be determined. |
| Signalling is not accessible to the end-user. | The end-user can modify VoIP signalling. |
| Fixed bandwidth and quality. | Bandwidth can be fixed only to a certain degree; quality spill-overs occur. |
| Network elements are reliable and controllable. | Network elements are not reliable; stricter authentication and authorization are necessary. |
| "Primitive" end-devices are safe from attack. | VoIP end-devices have the same weak spots as other IT systems. |
| Stricter regulations. | VoIP telephone calls are treated as data traffic; no specific regulations apply. |

The table highlights the particular significance of security considerations in VoIP infrastructures. Before introducing VoIP, each company should evaluate its security priorities.

Sidebar: Voice over IP
Although until recently the Internet and the Internet Protocol (IP) were used only to transmit data, it is now possible to transmit speech over the same network in a process known as Voice over IP (VoIP); other real-time data, such as video, can be transmitted in the same way. The functional advantages are obvious, as end-devices and applications can be easily combined on a common IP-based network. Multipurpose end-devices which combine telephone and PC functions and access a common network will therefore become much more common. VoIP also reduces costs: a common network infrastructure and multipurpose end-devices mean savings for both network operators and users.

Availability

End-users will only accept VoIP as an alternative to conventional telephone networks if performance is at least equally high. Achieving such performance is difficult, as the following examples show. A successful denial-of-service (DoS) attack can degrade transmission so badly that the end-user perceives the service as unavailable. And in so-called 'quality spill-overs', VoIP calls are not isolated from each other or from other data traffic, so that other traffic can affect the quality (bandwidth and delay) of VoIP calls.

In practice, the availability of all VoIP components must be at least 99.99% to compete with conventional telephone networks. One-way transmission delay must not exceed 150 milliseconds, including the usual network latency, encryption, packet inspection by the firewall, routing and processing at application level.

Confidentiality

Another critical requirement is that VoIP calls must be safe from manipulation and tapping. Plain SIP, H.323 and RTP provide no encryption or integrity protection by default. To protect telephone calls sufficiently, a complementary mechanism is needed, for example IPsec or Secure RTP (SRTP); see the heading 'Data security'.

End-devices

End-devices can be divided into two main categories:

• IP phone: looks like a normal telephone, but runs an operating system with a TCP/IP stack, VoIP services and protocols.
• Soft phone: a PC software program that uses the resources of the host operating system. The user makes telephone calls via external loudspeakers or using a headset (headphones and microphone).

Both categories have pros and cons in terms of security. With an IP phone the user has only limited access to the functions of the operating system, which keeps the risk of IP phone abuse relatively low.
However, the management of IP phones does present a security threat: monitoring, logging or intrusion detection at operating system level is possible only to a limited degree without additional functions. Patch management is another process that is currently not receiving the necessary attention from all manufacturers, so patching IP phones is a challenge for larger enterprises operating several hundred of them.

Patching and managing soft phones is less of a problem for most companies, as it follows the standard procedures used for PCs. The security risk here lies in the fact that the functions of the VoIP software are fairly easy to manipulate. Dialers, Trojans or spyware may gain access to settings and configurations, enabling an attacker to make telephone calls at a third party's expense or to tap or manipulate VoIP calls. Vulnerabilities in the VoIP software could also give a potential attacker access to the operating system. The associated risks range from denial-of-service to identity theft.

Generally speaking, the security risks associated with VoIP end-devices result from their inherent "intelligence" and the fact that this requires appropriate configuration.

Attacks at protocol level

Due to the logic integrated in VoIP signalling protocols and their basic manipulability by end-users, there is a range of possible ways of attacking SIP and/or H.323 systems. The following list gives a number of examples:

• Application source routing: VoIP calls are sent over predefined routes (in SIP, for example, by supplying Route headers) to reach network areas that are not accessible via normal IP routing. With this method, the attacker bypasses certain network protection mechanisms.
• Taking over phone calls ('call hijacking'): the called party is reported as unavailable and the call is rerouted to a destination of the attacker's choice.
• Denial-of-service: several connections are reported