Imagine that your telephone conversations are sometimes overheard by other people, and that your calls are frequently disconnected, forcing you to redial, especially when you are on important, long-distance business calls. Imagine also that you need to buy special devices that plug into your home telephone jack to prevent eavesdropping and to protect your phone from being used by strangers to harass others.
Unacceptable? Yes! Why then is this type of service quality still commonplace for Internet connectivity? We suffer from an almost daily barrage of viruses, worms and other intrusions and are forced to deploy products to protect us against Internet threats and disruptions.
This comparison between telephone service and Internet performance is not just a theoretical analogy. Increasing numbers of people and companies are migrating to VoIP. VoIP is being relied upon for mission-critical voice calls, yet the "telephone" service is now open to vulnerabilities of the Internet, including denial of service (DoS) attacks and other exploits that hijack control of the network.
Much of the value of the traditional phone system is in its rock-solid reliability and the expectation that it is relatively private and secure. If this perception were compromised, the consequences would undermine caller usage volumes and carrier revenue. So, to provide similar, if not better, levels of security and reliability for VoIP systems, vendors have been incorporating security features in protocols and equipment. However, that does not necessarily mean that network implementers and administrators are using those security features as well as they could.
Protecting the foundation
Because IP provides pervasive connectivity and the range of threats is broad, the first step toward reliable IP-based telephony is to protect the underlying infrastructure. Protecting the routers is the natural place to begin.
Routers are the cornerstones of an IP network and need to be properly secured. The most obvious opportunity for a security breach is with router administration. If an attacker can gain control of a router (for instance, by logging onto the administration user interface), the entire network can be compromised.
Therefore, stringent security measures must be available as part of the router feature set and be properly implemented. These include RADIUS technology and two-factor authentication, ideally with encrypted administrative session traffic so that sensitive information cannot be intercepted.
Attackers are also becoming competent in attacking protocols between routers. This type of network traffic must also be secured. There are standard procedures for doing so, though network administrators often overlook some of the details, leaving vulnerabilities out in the open.
Additional gear can be implemented to protect the network. Intelligent firewalls that ensure only legitimate traffic is passed are important investments. So is the time taken by the system administrators to carefully analyze their network and configure appropriate filtering rules. When the networks are not properly secured because administrators have cut corners, hackers will have room to move.
Protecting the application
Aside from securing the underlying foundation, the VoIP service itself must be protected. The service introduces VoIP-specific devices (such as media gateways, softswitches and PBXs) and protocols (including H.323, SIP and RTP) into the topology.
All of these present additional points for potential abuse. Their protection requires more stringent inspection of network traffic by advanced tools; simple packet-filters cannot provide the level of detail required. This type of intelligence is usually not integrated into telephony equipment, and is provided via a purpose-built firewall, a security component in the router, or a dedicated session border controller (SBC). Sometimes, networks use two or even three of these to provide more security.
"Pinholing" is another important concept in strong VoIP security. To "pinhole" an application session means to open up a temporary conduit between two endpoints on the network (such as two VoIP end devices) and allow the communication to take place only during the session. After the telephony session is completed, the pinhole is closed.
This is often the duty of a stateful-inspection network firewall and supported by a service known as an Application Level Gateway (ALG). A firewall designed to be used in a VoIP setting should have ALG capability. Firewalls for VoIP should also cater to security concerns from network address translation (NAT), traffic rate limiting, intrusion detection and prevention (IDP) and topology hiding.
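The following toy Python ALG is an added illustration, not code from the article or from any Juniper product: it shows the pinholing logic described above in miniature by reading the Call-ID and SDP media lines from SIP signaling, opening RTP pinholes only for endpoints that a live dialog advertised, and closing them when a BYE ends the dialog. The SIP messages, addresses and ports are constructed for the demo.

```python
import re

# Constructed SIP messages for the demo (not captured traffic).
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: c1@alice\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: c1@alice\r\n\r\n"
          "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 3456 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: c1@alice\r\n\r\n"


class VoipAlg:
    """Toy SIP ALG: pinholes stay open only while the dialog (Call-ID) is alive."""

    def __init__(self):
        self.calls = {}        # Call-ID -> set of (ip, port) media endpoints
        self.pinholes = set()  # (ip, port) pairs RTP may currently reach

    @staticmethod
    def _media_endpoint(msg):
        # RTP endpoint advertised by the SDP c= and m=audio lines, if any.
        ip = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
        port = re.search(r"^m=audio (\d+) RTP/AVP", msg, re.M)
        return (ip.group(1), int(port.group(1))) if ip and port else None

    def inspect_sip(self, msg):
        """Feed one SIP message through the ALG; open or close pinholes."""
        m = re.search(r"^Call-ID:\s*(\S+)", msg, re.M)
        if not m:
            return
        cid, start = m.group(1), msg.split("\r\n", 1)[0]
        if start.startswith(("INVITE ", "SIP/2.0 200")):
            ep = self._media_endpoint(msg)
            if ep:
                self.calls.setdefault(cid, set()).add(ep)
                self.pinholes.add(ep)
        elif start.startswith("BYE "):
            # Dialog ended: close every pinhole this Call-ID justified.
            for ep in self.calls.pop(cid, set()):
                self.pinholes.discard(ep)

    def allow_rtp(self, dst_ip, dst_port):
        # Per-packet check a stateful firewall applies to RTP/UDP traffic.
        return (dst_ip, dst_port) in self.pinholes


def demo():
    alg = VoipAlg()
    before = alg.allow_rtp("198.51.100.20", 3456)  # no call yet: dropped
    alg.inspect_sip(INVITE)
    alg.inspect_sip(OK_200)
    during = alg.allow_rtp("198.51.100.20", 3456)  # call set up: allowed
    alg.inspect_sip(BYE)
    after = alg.allow_rtp("198.51.100.20", 3456)   # hung up: dropped
    return before, during, after
```

A production ALG would also track the SIP transaction state, time out abandoned dialogs and cope with NAT-rewritten SDP addresses; this toy deliberately covers only the open-on-setup, close-on-teardown rule.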
Protecting your mission-critical asset
As technologies encompassed by VoIP constantly change, network administrators need to always be aware of the latest developments and, from a security standpoint, to understand any potential weaknesses that attackers might exploit. VoIP provides excellent return on investment (RoI) and is built on top of network infrastructure that is often already in place.
The good news is that VoIP security will only become easier, not harder, in the future. In the meantime, conscientious effort toward security measures will ensure the continued service of this essential corporate resource.
The author, Sam Srinivas, is chief technologist for Juniper Engineering Centre/India Operations in Bangalore.