Myth #5 - My VoIP infrastructure is secure because...
"I have deployed VoIP infrastructure using proprietary protocols and applications from vendor X. They assured me that my VoIP is fully secure."
This is good, but how do you know? There are hundreds of known vulnerabilities related to all VoIP vendors, and most vendors do not even talk about security until they finalize the sale.
I suggest you start with a good risk analysis process. Identify the corporate assets that are vulnerable because they are stored on or transmitted over the VoIP infrastructure, any revenue-generating services you provide to your customers over the telecommunication network, and the internal business processes that rely on Unified Communications. And remember that your data networks could be attacked through VoIP exploits and vice versa. Once you have established your risk areas, you can define ways to minimize the risks associated with security breaches.
Vulnerability assessment (VA), a commonly used approach from the data security world, is particularly effective as a proactive way of finding security problems and fixing them before they become real problems. By performing a VoIP VA in the lab, before any VoIP equipment and applications are deployed, organizations are able to verify the vendor claims and identify security flaws early in the deployment cycle. Executing a VoIP VA of all components prior to the commissioning of the VoIP infrastructure is recommended, as interactions and dependencies between VoIP applications and devices could potentially create additional security vulnerabilities not visible during earlier assessments in the lab. Once VoIP is deployed, periodic or, where required, continuous vulnerability assessments should become a cornerstone of an overall proactive VoIP security process. Once security vulnerabilities are identified, they should be addressed by appropriate actions such as patching, reconfiguration and network tuning.
Within the VoIP network, various security architectures and solutions should be deployed to protect VoIP services from security threats during their life cycle. Any security architectures and solutions deployed must be “VoIP aware” so they do not impact VoIP service quality and reliability. Deploying a multi-layer security infrastructure that provides both perimeter and internal network protection is recommended. In most cases, it will consist of a number of security devices and host-based applications. A comprehensive VoIP-aware security infrastructure should include VoIP-aware firewalls, Session Border Controllers (SBC), VoIP Intrusion Prevention Systems (VIPS), VoIP DoS defenses, VoIP Network Intrusion Detection Systems (IDS), Host VoIP IPS, VoIP Network Access Control (VNAC) and VoIP Anti-SPIT. All the devices and applications have to be coordinated via a higher-level application providing a unified view of the end-to-end VoIP infrastructure.
Review all your security processes, procedures and training materials. The existing security-related processes should be reviewed and modified to accommodate the specific requirements of VoIP networks. The compliance and auditing processes should also include VoIP as a component. For example, only certified VoIP soft-clients should be used on the network. Phone conversations that are confidential should only be allowed on encrypted links to prevent eavesdropping. GLBA compliance could require providing documented vulnerability assessment results and the mitigation steps undertaken to address the discovered vulnerabilities.
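The two policy examples above (certified soft-clients only, confidential calls only on encrypted links) can be checked during an audit by inspecting captured SIP INVITE messages. The following is an added example, not part of the original article; it assumes "encrypted link" means TLS signaling plus an SRTP media profile in the SDP, and the client name `ExampleSoftphone` and both sample messages are constructed for illustration.

```python
import re

# Assumed policy values for this example; neither comes from the article.
APPROVED_CLIENTS = ("ExampleSoftphone/",)  # hypothetical certified soft-client
SECURE_MEDIA = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(raw):
    """Return policy findings for one SIP INVITE (empty list = compliant)."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:                                 # keep the first (topmost) header
            headers.setdefault(name.strip().lower(), value.strip())
    findings = []
    agent = headers.get("user-agent", "")
    if not agent.startswith(APPROVED_CLIENTS):
        findings.append("uncertified client: " + (agent or "<missing User-Agent>"))
    # The topmost Via names the transport of the hop that delivered the request.
    via = re.match(r"SIP/2\.0/(\w+)", headers.get("via", ""))
    if not via or via.group(1).upper() != "TLS":
        findings.append("signaling not over TLS")
    media = re.findall(r"^m=audio \d+ (\S+)", sdp, re.M)
    if not media:
        findings.append("no audio media line in SDP")
    for proto in media:
        if proto.upper() not in SECURE_MEDIA:   # e.g. plain RTP/AVP
            findings.append("unencrypted media profile: " + proto)
    return findings

# Constructed sample messages (documentation addresses, not real captures).
GOOD = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK1\r\n"
    "User-Agent: ExampleSoftphone/2.1\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\nm=audio 49170 RTP/SAVP 0\r\n"
)
BAD = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK2\r\n"
    "User-Agent: UnknownDialer/0.9\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\nm=audio 49172 RTP/AVP 0\r\n"
)
```

The User-Agent header is asserted by the client itself, so this check is an audit signal for spotting unapproved software, not an enforcement control.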
If you implement these recommendations, you will be able to report to your management that your VoIP infrastructure is pretty secure, and you should even be able to prove it.
With VOIP, voice traffic is carried over a packet-switched data network via Internet Protocol. VOIP networks treat voice as another form of data but use sophisticated voice-compression algorithms to ensure optimal bandwidth utilization. As a result, VOIP networks are able to carry many more voice calls than traditional switched circuit networks. VOIP also enables enhanced services such as unified communications. This security workshop is the third following successful events in Dallas 2004 and Washington 2005. The workshop addresses the challenges, advanced technologies and regulations for providing secure VoIP services over the Internet as well as in third generation networks. The 2006 workshop will extend the scope of VoIP security to IMS services and present the latest advances in denial of service and SPIT detection and protection mechanisms. The format of the workshop is based on two-day single-track sessions, with presentations of invited and regular papers from academia and industry.
------------------------------------
francis
Link Building
Posted by: francis | October 04, 2008 at 04:41 PM
Thank you for this article. I've found something similar by means of rapidshare search engine (http://www.rapidsharemix.com), but they didn't help me much. Your article was of more help to me.
Posted by: Rogelio | January 15, 2010 at 05:50 AM