Sunday, June 16, 2013

How secure is your VoIP infrastructure?


VoIP Security - A Quick Overview! 


Security Issues in VoIP


Voice over IP (VoIP) has grown beyond expectations over the last 12 years. As an application running on the Internet, VoIP inherits the Internet's security issues. New developments in Unified Communications systems integrate voice data with multiple communication channels such as email, messengers and live chat, which opens the door to new vulnerabilities that were not present at all in old PBX systems. VoIP is a young technology, racing towards maturity. Many issues in VoIP implementations have been addressed, and it will achieve a secure posture as it evolves!


The security of VoIP traffic can be broadly categorised into 3 groups:

1. Platform Security
2. Gateway Security
3. Client Security

Platform Security

Inheritance is a natural phenomenon. A telephone system also behaves like a client-server environment. A phone system running on a standard operating system (Windows, Linux, etc.) inherits the OS vulnerabilities, which requires regular patching and security hardening by the system administrators.

Another candidate is the underlying network infrastructure. A security vulnerability at the network layer that is neither noticed nor fixed can result in exploitation of a VoIP implementation running on top of that weak skeleton. In most corporate organizations, internal traffic is left unencrypted so as not to compromise LAN performance. But security administrators should be aware that 71% of all security or data breaches happen internally. Even when all the doors to the external world are locked down with proper controls, a determined disgruntled employee can eavesdrop on the voice traffic using off-the-shelf software available in the local market. Off-the-shelf products like VOMIT, SIPSak, SuperScan, NetStumbler, SipTap, etc. can snoop on internal conversations through an unencrypted medium. These types of passive attacks can be prevented by securing the call manager servers and ensuring that the voice traffic passes through an encrypted channel as well.
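
The following Python check is an added example, not part of the original post. It audits a SIP INVITE and its SDP body for the unencrypted-voice condition described above: cleartext signalling, plain RTP media profiles, and SRTP keys carried in a=crypto lines over cleartext signalling. The function names, sample messages and addresses are constructed for illustration.

```python
import re

# SDP transport profiles that carry SRTP (SDES or DTLS-SRTP keyed).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(raw: str) -> list[str]:
    """Return findings for one SIP message carrying an SDP body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # Signalling: transport token of the topmost Via header (SIP/2.0/<transport>).
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    tls = transport in ("TLS", "WSS")
    if not tls:
        findings.append(f"signalling in cleartext over {transport}")
    # Media: walk the SDP lines, tracking which m= section we are in.
    current = None
    for line in body.splitlines():
        m = re.match(r"m=(\w+) (\d+)(?:/\d+)? (\S+)", line)
        if m:
            media, port, profile = m.group(1), int(m.group(2)), m.group(3)
            current = media if port != 0 else None  # port 0 = stream disabled
            if current and profile not in SECURE_PROFILES:
                findings.append(f"{media} stream uses {profile}: RTP is not encrypted")
        elif line.startswith("a=crypto:") and current and not tls:
            # SDES puts the SRTP master key in the SDP; without TLS it is readable on the wire.
            findings.append(f"{current} SRTP key (a=crypto) exposed by cleartext signalling")
    return findings

def make_invite(transport: str, profile: str, crypto: bool = False) -> str:
    """Build a constructed INVITE (documentation addresses, not captured traffic)."""
    lines = [
        "INVITE sip:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bK-constructed",
        "From: <sip:alice@example.com>;tag=1", "To: <sip:bob@example.com>",
        "Call-ID: constructed-1@192.0.2.10", "CSeq: 1 INVITE",
        "Content-Type: application/sdp", "",
        "v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
        f"m=audio 49170 {profile} 0",
    ]
    if crypto:
        lines.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY")
    lines.append("m=video 0 RTP/AVP 96")  # rejected stream, must be ignored
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    for t, p, c in [("UDP", "RTP/AVP", False), ("UDP", "RTP/SAVP", True), ("TLS", "RTP/SAVP", True)]:
        print(t, p, audit_invite(make_invite(t, p, c)) or "ok")
```

The second case is the one that is easy to miss: the media profile says SRTP, but the key that protects it travels in a cleartext INVITE, so the call is only as private as the signalling path.
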
Gateway Security

Gateway routers and firewalls are the first level of defence against an active attack. We should admit that not all firewalls on the market are aware of VoIP protocols such as SIP, SCCP, etc. If a firewall is not VoIP aware, it might actively scan inbound/outbound traffic and block the communication. VoIP traffic is also time-sensitive, and any performance delay will result in end-to-end packet drops as well. The industry is not mature enough to trigger intelligent scanning only on voice packets. All these factors need to be considered while defining preventive rules at the gateway firewalls to harden the security of the traffic.

Another external candidate is human error in defining firewall rules and Access Control Lists. Many ready-made VoIP solutions are available in the market, and they can leave unattended open TCP/UDP ports, creating a favourable environment for a DoS/DDoS attack that would bring down the entire gateway. Security administrators should not be so generous as to open doors for social engineers. Nor should we discard the probability of SPIT (Spam over IP Telephony). Finely crafted pre-recorded messages can be sent to IP phones by exploiting the basic handshake mechanism of the SIP protocol. SPIT could be more of a nuisance than an attack on the VoIP infrastructure.
Client Security

It’s a fact that many system administrators gracefully forget to properly patch the IP telephone sets before deploying them to the network. Though many VoIP phones use TFTP as the protocol to update the firmware, it could be secured through proper authentication. An unprotected TFTP server is a recipe for disaster, as it could host a false file from an intruder. Last but not least, the information displayed on the IP phones needs to be well sorted and should not be informative enough for a technology-aware employee to gather information and try scanning or enumeration techniques.

Another possible candidate to host a VoIP attack is the wireless infrastructure. Many modern businesses demand wireless IP phones to ease mobility. Network administrators need to ensure that the wireless networks are secured using centralized authentication techniques and avoid giving meaningful names to the SSID, if it is to be broadcast.

Security administrators should advise network engineers to implement a secure VPN tunnel before extending the VoIP infrastructure to remote offices or users. Though many free VPN solutions are available in the market, care should be taken to lock down the minute holes which could jeopardize the security investment of the organization.
Some basic steps to secure VoIP infrastructure

1. Diligently patch the phone system with stable firmware and security updates.
2. Review the firewall configurations and ACLs prior to VoIP implementation.
3. Implement centralized network authentication for wired and wireless networks.
4. Review the network security or perform an internal security audit before deploying the VoIP solution.
5. Perform security hardening of the servers at the operating system level before starting the implementation of the Call Manager system.
6. Encrypt the LAN traffic, with QoS for voice packets.
7. Implement a certificate server for voice clients.
8. Review the Call Manager configuration if bought off the shelf.

Though it’s a known fact that no security measure can prevent a determined hacker from stealing the hidden treasure, data or information is the “Life Blood” of a business and needs to be protected with utmost care and due diligence!!!




