Magazine Article | January 16, 2008

Take A Multilayered Approach To VoIP

Industry experts agree: There is no single cure-all when it comes to protecting your customers’ VoIP systems.


Business Solutions, February 2008

It was 2006 when we last heard about a major VoIP fraud case in which a man from Miami stole minutes from multiple VoIP carriers and resold the minutes to unsuspecting clients. Not much since then. So, why is it pertinent to devote much, if any, space to VoIP security when there doesn't seem to be a problem?

Keep in mind that while VoIP is growing in popularity, it's still in the minority compared with the PSTN (public switched telephone network). That said, we are nearing the inflection point. According to a study by Infonetics, almost 1/2 of small and 2/3 of large organizations in North America will be using VoIP products and services by 2010. Somewhere between now and 2010 VoIP will surpass PSTN usage. And, it makes sense that VoIP network attacks will rise as well. Three industry experts offer their insights on the biggest threats to your customers' VoIP networks as well as some key steps you can take to make sure they're protected.

Five Threats To Your Customers' VoIP Systems
Following, in no particular order of importance, are the top five areas of vulnerability your customers face:

- DoS (denial of service) attacks. "In a DoS attack, hackers use automated tools to send a deluge of nuisance traffic to IP phones, call processing servers, or infrastructure elements," says Richard McLeod, director, unified communications, worldwide channels, Cisco Systems. "The goal is to exhaust network resources so that calls are interrupted or cannot be processed." A common motive for a DoS attack is to distract the IT staff for the purpose of executing other attacks.
- Toll fraud. This occurs when external or internal users use the corporate phone system to place unauthorized toll calls such as international calls or 1-900 calls.
- SPIT (spam over Internet telephony). This is the voice version of the e-mail spam many of us get in our in-boxes each day, which could include prerecorded calls about loans, diet pills, prescription drugs, vacation deals — you name it.
- Eavesdropping. Also known as man-in-the-middle exploits, eavesdropping occurs when an internal user spoofs the IP address of a router or PC to spy on voice traffic as well as data entered on a phone keypad (e.g. passwords) during a voice conversation. Thanks to widely available packet-sniffing tools, eavesdropping has become easier than ever before.
- Impersonation. This type of exploit occurs when a hacker steals a legitimate user's identity and then makes calls that appear to come from the legitimate user. A hacker could use this kind of spoofing, for instance, within a large organization to contact someone within accounting about an employee's personal information, such as a Social Security number or password.

Six Ways To Protect Your Customers' VoIP Systems
Effective VoIP security requires a multilayered approach comprising hardware, software, and policies. Following are six steps you can take to protect your customers' VoIP networks.

1. 802.1x. One of the first steps is to implement an authentication scheme that encompasses devices (e.g. IP phones) as well as users. "Network managers can rely on features such as multidevice and 802.1x [an industry standard for authenticating to Ethernet and wireless LANs] authentication with dynamic policy assignment to control network access and perform targeted authorization on a per-user level," says Franchesca Walker, director of enterprise solutions at Foundry Networks. "Using this standard, users can be restricted to making calls to certain destinations, and desktops/laptops that aren't equipped with the approved OS patches, firewalls, and antivirus software can be quarantined and updated before gaining access to the LAN."

2. VLAN (virtual LAN). "Separating voice traffic onto a VLAN is another way to mitigate risk," says Walker. One advantage of a voice VLAN is that it makes voice traffic invisible to internal and external users connected to data VLANs. "However, VLANs only are optimized when QoS [quality of service] is implemented," says David Wilkinson, VP of North American channel strategy at Nortel. "Certain viruses can consume all available bandwidth if left unchecked, but a simple QoS policy can be used to throttle a virus after it consumes a certain amount of bandwidth, thus preserving the voice traffic."

3. V3PNs (voice- and video-enabled virtual private networks). "A V3PN entails encrypting voice packets, so that in the event someone does gain unauthorized access to your customer's network, the hacker will be unable to eavesdrop on a conversation," says Wilkinson. "One common type of encryption is SRTP [secure real-time transport protocol], which uses a key exchange between the caller and recipient. This type of encryption is further enhanced through intrasystem signaling security [ISSS], which allows signaling between system components to be sent through an IPSec [IP security] connection."

4. Access control lists (ACLs). ACLs can be used to restrict access to specific resources, users, or network segments. "Companies can use ACLs to allow only certain users to make long-distance or international calls," says McLeod. "Or, ACLs could be used to deny access to the voice network from certain areas within a building, such as a lobby, which would prevent an outsider from using a laptop equipped with a softphone to make toll calls."

5. VoIP-friendly routers, switches, and firewalls. Even if your customers' networking hardware and software is sufficient at keeping data networks safe, you can't assume it can adequately handle VoIP traffic. There are plenty of examples of VARs that have created workarounds because a customer's firewall couldn't accommodate voice packets. "VoIP also includes a number of protocols such as SIP [session initiation protocol] and H.323, which traditional network security gear can't handle," says Walker. "VoIP networks and converged networks need to be equipped with solutions that capture the threat at the access point on the edge of the network and mitigate it quickly before it attacks the VoIP network."

Dynamic packet filtering is an important feature of a VoIP-friendly firewall. For example, access to outsiders is often restricted to port 80 for Web/e-mail traffic. Dynamic packet filtering ensures no packets enter the LAN from the Internet unless they were explicitly requested or come from an address preconfigured for authorized access.

6. Security audit. A VoIP implementation should be followed by a security audit. Consider, for example, one common feature associated with VoIP, which is receiving voice mail messages as e-mail attachments. "Without an updated security policy, users can easily forward sensitive calls to unauthorized users inside or outside the company," says McLeod. "And, what about mobile phone users? What happens if a user loses his phone containing customer names, phone numbers, and other sensitive information? A policy needs to be put in place that enables the IT department to remotely 'kill' the lost phone."
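Added example (not from the article or any vendor it quotes): a minimal Python model of the dynamic packet filtering described in step 5, where an inbound packet passes only if it answers a recorded outbound request or comes from a preconfigured address. The class name, the 30-second idle timeout, and every address are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "proto src sport dst dport")

@dataclass
class DynamicFilter:
    lan: str                      # inside network, CIDR
    trusted: tuple = ()           # preconfigured outside networks, CIDR
    idle_timeout: float = 30.0    # assumed: seconds an unused entry stays valid
    flows: dict = field(default_factory=dict)  # flow key -> last-seen time

    def _in(self, addr, net):
        return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

    def check(self, p, now):
        """Return 'allow' or 'drop' for packet p seen at time now (seconds)."""
        if self._in(p.src, self.lan):
            # Outbound request: remember it so the reply can return.
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
            return "allow"
        # Inbound: a reply carries the recorded flow with src/dst swapped.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        seen = self.flows.get(key)
        if seen is not None and now - seen <= self.idle_timeout:
            self.flows[key] = now
            return "allow"
        self.flows.pop(key, None)  # stale or absent: nothing stays open
        if any(self._in(p.src, net) for net in self.trusted):
            return "allow"
        return "drop"

def demo():
    # Constructed traffic; addresses are private/documentation ranges.
    fw = DynamicFilter(lan="192.168.10.0/24", trusted=("198.51.100.0/28",))
    phone, provider = "192.168.10.20", "203.0.113.5"
    traffic = [
        (0, Packet("udp", phone, 5060, provider, 5060)),        # request out
        (1, Packet("udp", provider, 5060, phone, 5060)),        # its reply
        (2, Packet("udp", "203.0.113.99", 5060, phone, 5060)),  # unsolicited
        (3, Packet("udp", "198.51.100.3", 5060, phone, 5060)),  # preconfigured
        (4, Packet("udp", provider, 16384, phone, 16384)),      # port never requested
        (60, Packet("udp", provider, 5060, phone, 5060)),       # entry expired
    ]
    return [fw.check(p, t) for t, p in traffic]

if __name__ == "__main__":
    print(demo())
```

The fifth packet shows the limit of plain request tracking: traffic from a known peer on a port pair the filter never saw requested is still dropped, which is the kind of gap a VoIP-aware firewall has to close.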

There haven't been a lot of VoIP security breaches to date. However, it's a safe bet that within the next two years we're going to start hearing more about such attacks as VoIP adoption surpasses PSTN usage. By taking precautions today, you can help your customers avoid phone downtime in the future.