This is the third installment of the VoIP security myths series. In the previous two I talked about common security myths related to VoIP network topology and deployment. In the following blogs I will analyze issues surrounding VoIP security infrastructure.
Myth #3 - My VoIP infrastructure is secure because...
"I have a solid security infrastructure on my data network and VoIP is part of it."
Enterprises deploying VoIP have already invested significant resources in securing their data networks with a combination of security applications, devices and processes. The problem is that VoIP cannot be secured by simply extending that data security infrastructure to cover it.
The key to understanding this statement is that VoIP is not just another data application; it operates differently from data services. To establish a real-time session, VoIP uses signaling protocols such as SIP to identify the calling parties, negotiate the call characteristics and ring the phone. Once the call is established, the conversation is carried over the IP network as packetized voice, normally RTP. The signaling has characteristics that data security devices were never built for. The UDP ports used for RTP are not fixed: they are chosen per call and announced inside the signaling (in SIP, in the SDP body of the INVITE and its answer), so a firewall that does not parse the signaling cannot know which ports to open and must either block the media or leave a wide UDP range permanently open. NAT is another problem: a NAT device rewrites the IP and UDP headers but not the private addresses and ports embedded in the SIP headers and SDP body, so the far end is told to send its media to an unreachable address. Existing data security solutions are not designed to deal with these issues. New, specialized devices such as VoIP-aware firewalls and Session Border Controllers (SBCs) have to be deployed.
While the signaling phase is handled by the PBX/Call Manager, in most implementations the RTP traffic is routed peer-to-peer (P2P) between the calling parties, completely bypassing the PBX/Call Manager. From a security point of view it is very difficult to protect end-points that communicate P2P. Firstly, RTP traffic is a stream of packets whose payload is binary, random-looking data produced by digitizing speech, which gives a content inspector little to match on. Secondly, all VoIP phones, regardless of vendor and geographical location, use this same protocol. Thirdly, it flows directly between phones without passing through any centralized controller. And what if RTP itself could be exploited by attackers, even on calls arriving via the PSTN? How do you protect millions of end-points, many of them mobile, that talk P2P?
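The two paragraphs above describe the core job of a VoIP-aware firewall: read the RTP address and port out of the SDP carried by the signaling, open a pinhole only for that negotiated phone-to-phone flow (plus RTCP on the next port), and close it when the dialog ends. The following is an added example written for this post, not code from the original or from any product; the SIP messages, addresses (Alice's phone 10.1.1.20, Bob's phone 192.168.5.7) and ports are constructed, and it assumes symmetric RTP, i.e. each phone sends from the port it advertised.

```python
from dataclasses import dataclass

# Constructed SIP exchange (not traffic captured from a real system). Alice's phone
# (10.1.1.20) calls Bob's phone (192.168.5.7). Signaling goes through the PBX, but the
# SDP names the phones themselves as RTP endpoints, so media flows phone-to-phone and
# the firewall has to learn the ports from the signaling.

def sip_message(start_line, headers, body):
    """Assemble a SIP message with CRLF line endings and a correct Content-Length."""
    hdrs = list(headers) + [f"Content-Length: {len(body)}"]
    return start_line + "\r\n" + "\r\n".join(hdrs) + "\r\n\r\n" + body

CALL_ID = "a84b4c76e66710@10.1.1.20"
VIA = "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776asdhds"
FROM = 'From: "Alice" <sip:alice@example.com>;tag=1928301774'
TO = "To: <sip:bob@example.com>"

ALICE_SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 10.1.1.20\r\ns=-\r\n"
             "c=IN IP4 10.1.1.20\r\nt=0 0\r\nm=audio 49172 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n")
BOB_SDP = ("v=0\r\no=bob 2890844527 2890844527 IN IP4 192.168.5.7\r\ns=-\r\n"
           "c=IN IP4 192.168.5.7\r\nt=0 0\r\nm=audio 20002 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n")

INVITE = sip_message("INVITE sip:bob@example.com SIP/2.0",
                     [VIA, FROM, TO, f"Call-ID: {CALL_ID}", "CSeq: 314159 INVITE",
                      "Content-Type: application/sdp"], ALICE_SDP)
OK_200 = sip_message("SIP/2.0 200 OK",
                     [VIA, FROM, TO + ";tag=8321234356", f"Call-ID: {CALL_ID}",
                      "CSeq: 314159 INVITE", "Content-Type: application/sdp"], BOB_SDP)
BYE = sip_message("BYE sip:alice@10.1.1.20 SIP/2.0",
                  ["Via: SIP/2.0/UDP 192.168.5.7:5060;branch=z9hG4bK4b43c2ff8",
                   "From: <sip:bob@example.com>;tag=8321234356",
                   'To: "Alice" <sip:alice@example.com>;tag=1928301774',
                   f"Call-ID: {CALL_ID}", "CSeq: 231 BYE"], "")


def header(message, name):
    """Return the value of the first SIP header called `name` (case-insensitive)."""
    head = message.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    raise KeyError(name)


@dataclass(frozen=True)
class MediaEndpoint:
    ip: str
    port: int


def parse_sdp_audio(message):
    """Extract the audio RTP endpoint from the SDP body: the port from the m=audio line
    and the address from a media-level c= line, falling back to the session-level c=."""
    body = message.partition("\r\n\r\n")[2]
    session_ip = audio_ip = audio_port = None
    in_audio = False
    for line in body.splitlines():
        if line.startswith("m="):
            fields = line.split()
            in_audio = fields[0] == "m=audio"
            if in_audio:
                audio_port, audio_ip = int(fields[1]), session_ip
        elif line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if in_audio:
                audio_ip = ip            # media-level c= overrides the session-level one
            elif audio_port is None:
                session_ip = ip          # session-level c= (appears before any m=)
    if audio_ip is None or audio_port is None:
        raise ValueError("no audio media description in SDP")
    return MediaEndpoint(audio_ip, audio_port)


class VoipFirewall:
    """Tracks SIP dialogs by Call-ID and permits RTP/RTCP only between negotiated endpoints."""

    def __init__(self):
        self.offers = {}     # Call-ID -> caller's media endpoint (from the INVITE)
        self.pinholes = {}   # Call-ID -> set of allowed (src_ip, src_port, dst_ip, dst_port)

    def on_invite(self, msg):
        self.offers[header(msg, "Call-ID")] = parse_sdp_audio(msg)

    def on_200_ok(self, msg):
        call_id = header(msg, "Call-ID")
        caller = self.offers.pop(call_id, None)
        if caller is None:
            return                       # answer for a dialog we never saw offered: ignore
        callee = parse_sdp_audio(msg)
        allowed = set()
        for a, b in ((caller, callee), (callee, caller)):
            for offset in (0, 1):        # RTP on the negotiated port, RTCP on port + 1
                allowed.add((a.ip, a.port + offset, b.ip, b.port + offset))
        self.pinholes[call_id] = allowed

    def on_bye(self, msg):
        self.pinholes.pop(header(msg, "Call-ID"), None)

    def allows(self, src_ip, src_port, dst_ip, dst_port):
        flow = (src_ip, src_port, dst_ip, dst_port)
        return any(flow in holes for holes in self.pinholes.values())


if __name__ == "__main__":
    fw = VoipFirewall()
    fw.on_invite(INVITE)
    fw.on_200_ok(OK_200)
    print(fw.allows("10.1.1.20", 49172, "192.168.5.7", 20002))   # negotiated RTP: allowed
    print(fw.allows("10.1.1.20", 49172, "192.168.5.7", 20004))   # unrelated UDP port: denied
    fw.on_bye(BYE)
    print(fw.allows("10.1.1.20", 49172, "192.168.5.7", 20002))   # dialog over: denied
```

Note that the PBX's own address never appears in any pinhole: once the 200 OK has been relayed, the media path is entirely between the two phones, which is exactly why a firewall that only understands static port rules cannot follow the call.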
VoIP applications and devices introduce hundreds of new vulnerabilities (see my Myth #1 blog) that the existing protection applications simply cannot recognize. No matter how many gigabits of traffic per second they process, existing data IPS/IDS, HIPS and anti-virus products just don't have the signatures that would let them recognize and stop these exploits.
VoIP's high sensitivity to QoS parameters such as packet loss, jitter and delay requires every in-line security device to be optimized to minimize its impact on those parameters. Many in-line data security products are rated by the gigabits of traffic per second they can process. Since VoIP is not a bandwidth-intensive application (a single G.711 call is well under 100 kbit/s on the wire, but it expects its 50 packets per second to arrive with low and consistent delay), minimizing the impact on QoS is far more important than raw throughput. In addition, in-line VoIP devices should match the Busy Hour Call Attempts (BHCA) / calls per second (CPS) capacity of the PBX or softswitch they protect.
And then you have SPIT (Spam over Internet Telephony). Conceptually it is similar to email spam, but there is one significant difference. Existing anti-spam applications can analyze the entire email, header and content, which gives them low false-positive rates and high efficiency. In the VoIP world we could relatively easily analyze the information carried by the signaling protocols; the problem is that it can just as easily be spoofed or altered. To achieve the same efficiency as existing anti-spam applications we would also have to analyze the content of the voice conversation. That means intercepting the conversation in real time and analyzing the speech against pre-defined speech patterns. But if those patterns span hundreds of packets, you have to wait for all of them to arrive before you can analyze the content, and then re-insert them into the voice stream, or drop the call if it is identified as SPIT. And if there are thousands of SPIT calls per second, massive amounts of processing power/DSP capacity are needed to preserve VoIP QoS. Bottom line: this is a very difficult technical problem to solve.
Most enterprises have a set of security policies and procedures, but again they are written for the data network. Do you need to update them to cover VoIP and Unified Communications? I bet you do. Do you have policies for voice mail passwords? PBX configuration passwords? Using soft-phones while traveling? Using Skype to call your business from abroad? Skype clients running on BlackBerrys?
In the companies I worked for we always had an IT department, including a security group, and a separate telecommunications department taking care of the phone system. They never talked to each other, since data and voice had separate infrastructures. This is changing now, but does your telecommunications department have a full understanding of IP networking and security? Do your IT and security staff have a good understanding of voice communication? If they do, you are very lucky. If not, make sure they work together well; otherwise you will have a lot of problems implementing VoIP security infrastructure and policies.
User education is also very important. People are usually suspicious of unusual emails or web sites. But what if they see a Caller ID showing someone calling from their HR department asking for personal information? I am sure they will provide all the required information. Or the Legal department asking for specific patent information? Yes, they will give all the details. What about the IT department calling and asking for the laptop password? Are they going to say no? Caller ID spoofing is extremely easy to do (in SIP the Caller ID is simply the display name and URI that the calling device puts in the From header, and nothing in the basic protocol verifies it), and people still trust the phone system. The end result is that VoIP should be seen the same way as email or web browsing: use it with caution.
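The SPIT paragraph and the Caller ID paragraph above make the same point from two sides: the signaling is cheap to analyze but the caller controls it. The example below is added here (it is not code from the post or from any product) to show what signaling-only analysis can and cannot do over a constructed INVITE log. A sliding-window rate check keyed on the From URI never fires against a SPIT burst that rotates its From on every call, while the same check keyed on the source IP does; a second check flags an INVITE that presents an internal identity but did not arrive from the PBX. The thresholds, the domain `corp.example`, the PBX address 10.1.1.5, the list of internal display names and every log record are assumptions made for the example.

```python
from collections import defaultdict, deque

# Hypothetical policy values; a real deployment tunes these from its own call logs.
WINDOW_SECONDS = 10
MAX_INVITES_PER_KEY = 5
INTERNAL_DOMAIN = "corp.example"                  # hypothetical enterprise SIP domain
TRUSTED_SOURCES = {"10.1.1.5"}                    # hypothetical PBX; internal identities come from here
INTERNAL_DISPLAY_NAMES = {"HR Department", "IT Helpdesk", "Legal Department"}

# Constructed INVITE log, one record per INVITE, in time order:
# (seconds, source_ip, From URI, From display name). Not real traffic.
INVITES = [
    (0.0, "10.1.1.5", "sip:hr@corp.example", "HR Department"),        # genuine internal call
    (1.0, "203.0.113.9", "sip:spam01@a.example", "Rebates"),          # SPIT burst begins ...
    (1.5, "203.0.113.9", "sip:spam02@b.example", "Rebates"),          # ... with a different
    (2.0, "203.0.113.9", "sip:spam03@c.example", "Rebates"),          # From on every INVITE
    (2.5, "203.0.113.9", "sip:spam04@d.example", "Rebates"),
    (3.0, "203.0.113.9", "sip:spam05@e.example", "Rebates"),
    (3.5, "203.0.113.9", "sip:spam06@f.example", "Rebates"),
    (4.0, "203.0.113.9", "sip:spam07@g.example", "Rebates"),
    (5.0, "203.0.113.50", "sip:hr@corp.example", "HR Department"),    # spoofed: "HR" from outside
    (6.0, "10.1.1.5", "sip:legal@corp.example", "Legal Department"),  # genuine internal call
]


def sliding_rate_alerts(invites, key_index, label):
    """Alert once per key when more than MAX_INVITES_PER_KEY INVITEs share the field at
    key_index within any WINDOW_SECONDS window. Records must be in time order."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for rec in invites:
        t, key = rec[0], rec[key_index]
        window = recent[key]
        window.append(t)
        while t - window[0] > WINDOW_SECONDS:      # drop timestamps that fell out of the window
            window.popleft()
        if len(window) > MAX_INVITES_PER_KEY and key not in alerted:
            alerted.add(key)
            alerts.append(f"{label} {key}: {len(window)} INVITEs within {WINDOW_SECONDS}s")
    return alerts


def spoofed_identity_alerts(invites):
    """Flag INVITEs that present an internal identity (internal SIP domain or an internal
    department display name) but did not arrive from the trusted PBX."""
    alerts = []
    for t, src, uri, display in invites:
        claims_internal = uri.endswith("@" + INTERNAL_DOMAIN) or display in INTERNAL_DISPLAY_NAMES
        if claims_internal and src not in TRUSTED_SOURCES:
            alerts.append(f"t={t}: {src} presents '{display}' <{uri}> from outside the PBX")
    return alerts


if __name__ == "__main__":
    print("per-From:  ", sliding_rate_alerts(INVITES, key_index=2, label="From"))
    print("per-source:", sliding_rate_alerts(INVITES, key_index=1, label="source"))
    print("spoofed:   ", spoofed_identity_alerts(INVITES))
```

The per-From check is the direct analogue of a sender-based email spam rule, and it is defeated the moment the caller varies the one field it controls; the source-IP check survives that, but only because the attacker in this log used a single IP, which is the limit of what signaling analysis buys you. Neither check says anything about what the caller will actually say once the call is answered, which is the content problem the SPIT paragraph describes.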
Having a solid data security infrastructure is a good thing, but it will not help you much in securing your VoIP and Unified Communications. Having knowledgeable IT and security personnel is great, but without a good understanding of telecommunications you may not be able to implement even basic VoIP security policies and infrastructure.