Opinion

The VoIP security checklist

By Sharon Besser, Check Point Software Technologies
January 17, 2005 12:00 PM ET

Computerworld -

Voice over Internet Protocol (VoIP) implementations are becoming more common. As a result, more networks and legacy systems are being connected to public networks, allowing organizations to reduce costs and improve their offerings while allowing users to enjoy a variety of new and advanced services.

Various analyst firms project different growth percentages for the VoIP market, but they all agree that VoIP implementations are growing fast and are expected to grow even faster. One should remember that while the voice part of VoIP is more important for services and user experience (voice quality and latency), the IP part is important for data security.

Security is an important consideration when implementing VoIP because each element in the infrastructure is accessible on the network like any computer and can be attacked or used as a launching point for deeper, internetwork and inside-the-organization attacks.

Rising risk factors

VoIP calls are susceptible to denial-of-service (DoS) attacks, hacked gateways leading to unauthorized free calls, call eavesdropping and malicious call redirection. VoIP also presents certain specific security challenges. Both parts of a VoIP call -- the call setup messages and the actual call media stream -- must be inspected. The fact is that more security bugs related to VoIP were reported this year alone than in all the years prior to 2004 combined.

More than one protocol

Several protocols can legitimately be called "VoIP protocols." VoIP experts will advocate different protocols because each has its own advantages, but when it comes to security, several considerations are common to most of them. Following security best practices removes the additional risk factors and attack vectors that a careless deployment would introduce.

VoIP and security vulnerabilities

A VoIP infrastructure adds private branch exchange systems; gateways; proxy, registrar and locator servers; and phones to the IP backbone network. Each VoIP element, whether it's an embedded system or an off-the-shelf server running a commercialized operating system, is addressable and accessible over the data network like any other computer.

Each VoIP element contains a processor running software and a TCP/IP stack that can be attacked. Attacks on data communications can come through the IP voice infrastructure and vice versa. DoS attacks targeting weak VoIP elements could flood the network with bogus voice traffic, degrading network performance or shutting down both voice and data communications.

A gateway that has been hacked might be used to make unauthorized free telephone calls. Unprotected voice communications could be intercepted and stolen or corrupted. Unswitched voice packets can be sniffed out and listened to in real time. PC-based soft phones, phones that use software to convert a desktop PC into an IP-based phone, are vulnerable to eavesdropping if the PC is infected with a Trojan horse that snoops into LAN traffic. VoIP exploits can be used to launch bounce attacks against servers and hosts in the so-called DMZ or even worse, serve as a convenient launch site to attack more business-critical network components in the internal LAN. In short, VoIP opens voice communications to the same types of security threats that expose data communications to attacks.

VoIP's security challenges

VoIP presents unusual security challenges. A VoIP phone call has two parts -- the exchanged signaling messages that set up the call and the media stream that carries the "voice." The signaling and media pathways are separate, requiring logical connections between two parties that are communicating using VoIP.

The following are some tips for ensuring secure VoIP:

  1. Choose the VoIP protocols carefully. There are pros and cons to using various protocols and vendors for VoIP equipment. Make sure selected equipment meets your requirements, not the other way around. Changing requirements in order to support specific vendor equipment is a bad habit.

  2. Turn off unnecessary protocols. There are enough unknown vulnerabilities that might be exploited with the protocols used. There is no need to extend the hackers' window of opportunity by enabling unnecessary and unused protocols and services. This should be implemented for the VoIP protocols as well as other services provided by the VoIP equipment.

  3. Remember that each element in the VoIP infrastructure, accessible on the network like any computer, can be attacked. Even if they look like telephones and terminals, VoIP elements are software components running on hardware. Make sure that it's possible to manage the underlying operating system. Because of development life-cycle constraints, some VoIP management systems are based on older, vulnerable versions of operating systems. Make sure that it's possible to protect those elements as well.

  4. Divide and conquer works well for VoIP networks. It's highly recommended to separate the VoIP and other IP-based infrastructure using physical or logical separators.

  5. Authenticate remote operations. VoIP terminals can be remotely upgraded and managed. Make sure that only authorized personnel, working from authorized locations (identified by IP address and unique user name), can perform these operations. The last thing you need is a remote attacker managing your services.

  6. Separate VoIP servers and the internal network. Several security devices can't fully understand the VoIP signaling commands. As a result, they may open dynamic communications ports, leaving the network vulnerable to bounce attacks. This will allow an attacker to penetrate other business-critical network elements in the internal LAN.

  7. Make sure the VoIP security system can track the communications ports by reading inside the signaling packets: it must discover which ports the two endpoints have selected and open only those, so that the endpoints can send media packets to each other. It's even more important that the security system understands and enforces the proper chain of operations. Otherwise, even a naive yet effective DoS attack can disconnect users by forging disconnect messages. A security system must prevent such attacks.

  8. Use Network Address Translation (NAT), even though in some cases it poses a special problem for VoIP. NAT converts internal IP addresses into a single, globally unique IP address for routing across the Internet. The added value of hiding the network is invaluable. A security solution should allow you to enable NAT on the internal network while still allowing callers from outside the network to find users with dynamic and nonroutable IP addresses.

  9. Use a security system that performs VoIP-specific security checks. A security system must be able to look inside the VoIP stream, analyze the call state and check the service content, making sure that all parameters are consistent and make sense according to your business needs.
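Tip 2 (turn off unnecessary protocols and services) is easiest to enforce as a repeatable audit. The script below is an added example, not from the article or from any Check Point product: it parses the output of a Linux `ss -lntup` listing (a constructed sample is embedded) and compares every listening socket against an assumed allowlist for a SIP proxy, flagging services that should not be running at all and services that are bound to every interface when they should be bound only to the management address. The process names, ports and the management IP 10.1.1.10 are assumptions chosen for the sample.

```python
"""Listening-service audit for a VoIP element (added example, not from the
article). Input format follows `ss -lntup`; the sample below is constructed."""
import re

PROCESS_RE = re.compile(r'\("([^"]+)"')

# Assumed allowlist for a SIP proxy: (protocol, port) -> acceptable bind
# addresses. "*" means any interface; a concrete address means the service
# must be bound to that address only (10.1.1.10 is the assumed management IP).
ALLOWED = {
    ("udp", 5060): {"*"},           # SIP over UDP
    ("tcp", 5060): {"*"},           # SIP over TCP
    ("tcp", 5061): {"*"},           # SIP over TLS
    ("tcp", 22): {"10.1.1.10"},     # SSH, management interface only
}

# Constructed `ss -lntup` output: SIP is expected, telnet and SNMP are not,
# and SSH is listening on every interface instead of the management address.
SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5060       0.0.0.0:*         users:(("sipproxy",pid=812,fd=9))
tcp   LISTEN 0      128    0.0.0.0:5060       0.0.0.0:*         users:(("sipproxy",pid=812,fd=10))
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("inetd",pid=301,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=290,fd=3))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=510,fd=6))
"""


def parse_listeners(ss_output):
    """Parse ss lines into (proto, bind_addr, port, process) tuples."""
    listeners = []
    for line in ss_output.strip().splitlines()[1:]:   # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")         # handles "[::]:22" too
        addr = addr.strip("[]")
        m = PROCESS_RE.search(line)
        listeners.append((proto, addr, int(port), m.group(1) if m else "?"))
    return listeners


def audit(ss_output, allowed=ALLOWED):
    """Return one finding per listener that is not allowed or bound too widely."""
    findings = []
    for proto, addr, port, proc in parse_listeners(ss_output):
        rule = allowed.get((proto, port))
        if rule is None:
            findings.append("unexpected service: %s/%d (%s)" % (proto, port, proc))
        elif "*" not in rule and addr not in rule:
            findings.append("%s/%d (%s) bound to %s, expected %s"
                            % (proto, port, proc, addr, ",".join(sorted(rule))))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(finding)
```

Run the same audit against each VoIP element with an allowlist written for that element's role; a finding means either a service to disable or a listener to rebind, and an empty result is what a clean build looks like.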
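Tips 7 and 9 describe what a VoIP-aware security system has to do: read the signaling to learn which media ports were negotiated, open only those, and enforce the chain of operations so that a disconnect message which does not belong to an established call is not forwarded. The inspector below is an added example, not from the article or from any Check Point product. It models a minimal SIP call (INVITE, 200 OK, ACK, BYE) with SDP media lines; the parsing is simplified, the addresses, tags and Call-ID are constructed, and the "ports must be even and above 1023" rule is an assumed sanity check rather than anything the article specifies.

```python
"""Stateful SIP/SDP inspection (added example, not from the article). The SIP
messages used in demo() are constructed; no network I/O takes place."""
import re

MEDIA_RE = re.compile(r"^m=audio (\d+) RTP/AVP", re.MULTILINE)
TAG_RE = re.compile(r";tag=([^;\s]+)")


def parse_sip(raw):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_port(body):
    """RTP port announced in the SDP body, or None if absent or implausible."""
    m = MEDIA_RE.search(body)
    port = int(m.group(1)) if m else None
    # Assumed sanity rule: RTP uses even ports; reject the privileged range.
    return port if port is not None and port >= 1024 and port % 2 == 0 else None


def tag_of(header_value):
    m = TAG_RE.search(header_value or "")
    return m.group(1) if m else None


class SipInspector:
    """Follows each call's signaling and opens RTP pinholes only for the ports
    the signaling negotiated, in the order INVITE -> 200 OK -> ACK -> BYE."""

    def __init__(self):
        self.dialogs = {}      # Call-ID -> {"state", "tags", "ports"}
        self.pinholes = set()  # (ip, port) pairs currently allowed to carry RTP

    def rtp_allowed(self, ip, port):
        return (ip, port) in self.pinholes

    def inspect(self, raw, src_ip):
        start, hdr, body = parse_sip(raw)
        call_id = hdr.get("call-id")
        if not call_id:
            return "DROP: missing Call-ID"
        if start.startswith("SIP/2.0"):            # response: method is in CSeq
            status = int(start.split()[1])
            cseq = hdr.get("cseq", "").split()
            method = cseq[-1] if cseq else ""
        else:                                      # request: method leads the line
            status, method = None, start.split()[0]
        dialog = self.dialogs.get(call_id)
        tags = {t for t in (tag_of(hdr.get("from")), tag_of(hdr.get("to"))) if t}

        if status is not None and status < 200:    # 100 Trying, 180 Ringing, ...
            return "ALLOW" if dialog else "DROP: response for unknown call"
        if method == "INVITE" and status is None:
            port = media_port(body)
            if port is None:
                return "DROP: bad or missing SDP media port"
            self.dialogs[call_id] = {"state": "INVITE", "tags": tags,
                                     "ports": {(src_ip, port)}}
            return "ALLOW"
        if method == "INVITE" and status == 200:
            port = media_port(body)
            if not dialog or dialog["state"] != "INVITE" or port is None:
                return "DROP: 200 OK without pending INVITE or bad SDP"
            dialog["ports"].add((src_ip, port))
            dialog["tags"] |= tags                 # callee's tag completes the dialog
            dialog["state"] = "ANSWERED"
            return "ALLOW"
        if method == "ACK":
            if not dialog or dialog["state"] != "ANSWERED":
                return "DROP: ACK out of sequence"
            dialog["state"] = "CONFIRMED"
            self.pinholes |= dialog["ports"]       # media may flow only from here on
            return "ALLOW"
        if method == "BYE" and status is None:
            # A disconnect must name a confirmed call and carry both dialog tags;
            # anything else is a forged BYE and is not forwarded to the phone.
            if not dialog or dialog["state"] != "CONFIRMED" or tags != dialog["tags"]:
                return "DROP: BYE does not match a confirmed call"
            self.pinholes -= dialog["ports"]
            dialog["state"] = "CLOSING"
            return "ALLOW"
        if method == "BYE" and status == 200 and dialog and dialog["state"] == "CLOSING":
            del self.dialogs[call_id]
            return "ALLOW"
        return "DROP: unexpected message: " + start


def sip(start, headers, body=""):
    """Build a SIP message from a start line and header pairs (constructed sample)."""
    return start + "\r\n" + "\r\n".join("%s: %s" % h for h in headers) + "\r\n\r\n" + body


def demo():
    """Walk one constructed call through the inspector; returns verdicts and
    whether Bob's RTP port was open during and after the call."""
    fw = SipInspector()
    cid = ("Call-ID", "c1@10.0.0.5")
    alice, bob = "<sip:alice@10.0.0.5>", "<sip:bob@10.0.0.9>"
    v = [fw.inspect(sip("INVITE sip:bob@10.0.0.9 SIP/2.0",
                        [cid, ("From", alice + ";tag=a1"), ("To", bob), ("CSeq", "1 INVITE")],
                        "v=0\r\nm=audio 20000 RTP/AVP 0\r\n"), "10.0.0.5"),
         fw.inspect(sip("SIP/2.0 200 OK",
                        [cid, ("From", alice + ";tag=a1"), ("To", bob + ";tag=b1"), ("CSeq", "1 INVITE")],
                        "v=0\r\nm=audio 30000 RTP/AVP 0\r\n"), "10.0.0.9"),
         fw.inspect(sip("ACK sip:bob@10.0.0.9 SIP/2.0",
                        [cid, ("From", alice + ";tag=a1"), ("To", bob + ";tag=b1"), ("CSeq", "1 ACK")]), "10.0.0.5")]
    during_call = fw.rtp_allowed("10.0.0.9", 30000)
    # Disconnect that reuses the Call-ID but lacks the dialog tags: rejected.
    v.append(fw.inspect(sip("BYE sip:bob@10.0.0.9 SIP/2.0",
                            [cid, ("From", alice), ("To", bob), ("CSeq", "2 BYE")]), "10.0.0.5"))
    # Genuine hang-up from Bob: both tags present, From/To swapped as SIP requires.
    v.append(fw.inspect(sip("BYE sip:alice@10.0.0.5 SIP/2.0",
                            [cid, ("From", bob + ";tag=b1"), ("To", alice + ";tag=a1"), ("CSeq", "2 BYE")]), "10.0.0.9"))
    return v, during_call, fw.rtp_allowed("10.0.0.9", 30000)


if __name__ == "__main__":
    print(demo())
```

The two checks the article asks for are visible in `inspect`: pinholes are derived from the `m=audio` lines rather than from a static port range and exist only between ACK and BYE, and a BYE is honored only when it matches a confirmed dialog's Call-ID and both tags, which is what turns a forged disconnect into a dropped packet instead of a dropped call.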

Sharon Besser is the security solutions manager at Check Point Software Technologies Ltd. He is responsible, among other things, for VoIP security product management. He can be reached at Sharon@checkpoint.com.
