Sam Srinivas
Imagine that your telephone conversations are sometimes overheard by other
people, and that your calls are frequently disconnected, forcing you to redial,
especially when you are on important, long-distance business calls. Imagine also
that you need to buy special devices that plug into your home telephone jack to
prevent eavesdropping and to protect your phone from being used by strangers to
harass others.
Unacceptable? Yes! Why then is this type of service quality still commonplace
for Internet connectivity? We suffer from an almost daily barrage of viruses,
worms and other intrusions and are forced to deploy products to protect us
against Internet threats and disruptions.
This comparison between telephone service and Internet performance is not
just a theoretical analogy. Increasing numbers of people and companies are
migrating to VoIP. VoIP is being relied upon for mission-critical voice calls,
yet the "telephone" service is now open to vulnerabilities of the
Internet, including denial of service (DoS) attacks and other exploits that
hijack control of the network.
Much of the value of the traditional phone system is in its rock-solid
reliability and the expectation that it is relatively private and secure. If
this perception was compromised, the consequences would undermine caller usage
volumes and carrier revenue. So, to provide similar, if not better, levels of
security and reliability for VoIP systems, vendors have been incorporating
security features in protocols and equipment. However, that does not necessarily
mean that the network implementers and administrators are using security
features as well as they could.
Protecting the foundation
Due to the pervasive connectivity provided by IP, and as the range of threats is
broad, the first step toward reliable IP-based telephony is to protect the
underlying infrastructure. Protecting the routers is the first natural step.
Routers are the cornerstones of an IP network and need to be properly
secured. The most obvious opportunity for a security breach is with router
administration. If an attacker can gain control of a router (for instance, by
logging onto the administration user interface), the entire network can be
compromised.
Therefore, stringent security measures must be available as part of the
router feature set and be properly implemented. These include RADIUS technology
and two-factor authentication, ideally with encrypted administrative session
traffic so that sensitive information cannot be intercepted.
Attackers are also becoming competent in attacking protocols between routers.
This type of network traffic must also be secured. There are standard procedures
for doing so, though network administrators often overlook some of the details,
leaving vulnerabilities out in the open.
Additional gear can be implemented to protect the network. Intelligent
firewalls that ensure only legitimate traffic is passed are important
investments. So is the time taken by the system administrators to carefully
analyze their network and configure appropriate filtering rules. When the
networks are not properly secured because administrators have cut corners,
hackers will have room to move.
Protecting the application
Aside from securing the underlying foundation, the VoIP service itself must be
protected. The service introduces VoIP-specific devices -- such as media
gateways, softswitches and PBXs - and protocols -- including H.323, SIP and RTP
-- into the topology.
All of these present additional points for potential abuse. Their protection
requires more stringent inspection of network traffic by advanced tools; simple
packet-filters cannot provide the level of detail required. This type of
intelligence is usually not integrated into telephony equipment, and is provided
via a purpose-built firewall, a security component in the router, or a dedicated
session border controller (SBC). Sometimes, networks use two or even three of
these to provide more security.
"Pinholing" is another important concept in strong VoIP security.
To "pinhole" an application session means to open up a temporary
conduit between two endpoints on the network (such as two VoIP end devices) and
allow the communication to take place only during the session. After the
telephony session is completed, the pinhole is closed.
This is often the duty of a stateful-inspection network firewall and
supported by a service known as an Application Level Gateway (ALG). A firewall
designed to be used in a VoIP setting should have ALG capability. Firewalls for
VoIP should also cater to security concerns from network address translation
(NAT), traffic rate limiting, intrusion detection and prevention (IDP) and
topology hiding.
Protecting your mission-critical asset
As technologies encompassed by VoIP constantly change, network administrators
need to always be aware of the latest developments and, from a security
standpoint, to understand any potential weaknesses that attackers might exploit.
VoIP provides excellent return on investment (RoI) and is built on top of
network infrastructure that is often already in place.
The good news is that VoIP security will only become easier, not harder, in
the future. In the meantime, conscientious effort toward security measures will
ensure the continued service of this essential corporate resource.
The author, Sam Srinivas, is chief technologist for Juniper
Engineering Centre/India Operations in Bangalore.