The VoIP security checklist

Voice over Internet Protocol (VoIP) implementations are becoming more common. As a result, more networks and legacy systems are being connected to public networks, allowing organizations to reduce costs and improve their offerings while allowing users to enjoy a variety of new and advanced services.

Various analyst firms project different growth percentages for the VoIP market, but they all agree that VoIP implementations are growing fast and are expected to grow even faster. One should remember that while the voice part of VoIP is more important for services and user experience (voice quality and latency), the IP part is important for data security.

Security is an important consideration when implementing VoIP because each element in the infrastructure is accessible on the network like any computer and can be attacked or used as a launching point for deeper, internetwork and inside-the-organization attacks.

Rising risk factors

VoIP calls are susceptible to denial-of-service (DoS) attacks, hacked gateways leading to unauthorized free calls, call eavesdropping and malicious call redirection. VoIP also presents certain specific security challenges. Both parts of a VoIP call -- the call setup messages and the actual call media stream -- must be inspected. The fact is that more security bugs related to VoIP were reported this year alone than in all the years prior to 2004 combined.

More than one protocol

There are several protocols that are entitled to carry the name "VoIP protocol." VoIP experts will advocate different protocols because they have different advantages, but when it comes to security, there are several considerations that are common to most VoIP protocols. Using security best practices will eliminate additional risk factors and attack vectors.

VoIP and security vulnerabilities

A VoIP infrastructure adds private branch exchange systems; gateways; proxy, registrar and locator servers; and phones to the IP backbone network. Each VoIP element, whether it's an embedded system or an off-the-shelf server running a commercialized operating system, is addressable and accessible over the data network like any other computer.

Each VoIP element contains a processor running software and a TCP/IP stack that can be attacked. Attacks on data communications can come through the IP voice infrastructure and vice versa. DoS attacks targeting weak VoIP elements could flood the network with bogus voice traffic, degrading network performance or shutting down both voice and data communications.

A gateway that has been hacked might be used to make unauthorized free telephone calls. Unprotected voice communications could be intercepted and stolen or corrupted. Unswitched voice packets can be sniffed out and listened to in real time. PC-based soft phones, phones that use software to convert a desktop PC into an IP-based phone, are vulnerable to eavesdropping if the PC is infected with a Trojan horse that snoops into LAN traffic. VoIP exploits can be used to launch bounce attacks against servers and hosts in the so-called DMZ or even worse, serve as a convenient launch site to attack more business-critical network components in the internal LAN. In short, VoIP opens voice communications to the same types of security threats that expose data communications to attacks.

VoIP's security challenges

VoIP presents unusual security challenges. A VoIP phone call has two parts -- the exchanged signaling messages that set up the call and the media stream that carries the "voice." The signaling and media pathways are separate, requiring logical connections between two parties that are communicating using VoIP.

The following are some tips for ensuring secure VoIP:

1. Choose the VoIP protocols carefully. There are pros and cons to using various protocols and vendors for VoIP equipment. Make sure selected equipment meets your requirements, not the other way around. Changing requirements in order to support specific vendor equipment is a bad habit.
2. Turn off unnecessary protocols. There are enough unknown vulnerabilities that might be exploited with the protocols used. There is no need to extend the hackers' window of opportunity by enabling unnecessary and unused protocols and services. This should be implemented for the VoIP protocols as well as other services provided by the VoIP equipment.
3. Remember that each element in the VoIP infrastructure, accessible on the network like any computer, can be attacked. Even if it looks like telephones and terminals, VoIP elements are software components running on hardware. Make sure that it's possible to manage the underlying operating system. Due to the development life-cycle considerations, some of the VoIP management systems are based on older versions of vulnerable operating systems. Make sure that it's possible to protect those elements as well.
4. Divide and conquer works well for VoIP networks. It's highly recommended to separate the VoIP and other IP-based infrastructure using physical or logical separators.
5. Authenticate remote operations. VoIP terminals can be remotely upgraded and managed. Make sure that you use only authorized personnel from authorized locations (based on IP addresses and unique usernames). The last thing you need is a remote attacker managing your services.
6. Separate VoIP servers and the internal network. Several security devices can't fully understand the VoIP signaling commands. As a result, they may open dynamic communications ports, leaving the network vulnerable to bounce attacks. This will allow an attacker to penetrate other business-critical network elements in the internal LAN.
7. Make sure the VoIP security system can track the communications ports by reading inside the signaling packets to discover the ports selected and enable two endpoints to send media packets to each other. It's even more important that the security system is capable of understanding and enforcing the proper chain of operations. Otherwise, even a naive, yet effective DoS attack can disconnect users by forging disconnect messages. A security system must prevent such attacks.

8. Use Network Address Translation (NAT), even if in some cases, it poses a special problem for VoIP. NAT converts internal IP addresses into a single, globally unique IP address for routing across the Internet. The added value of hiding the network is invaluable. A security solution should allow you to enable NAT on the internal network, as well as allow callers from outside the network to find users with dynamic and nonroutable IP addresses.

9. Use a security system that performs VoIP specific security checks. A security system must be able to look inside the VoIP stream, analyze the call state and check for the service content, making sure that all parameters are consistent and make sense according to your business needs.

Sharon Besser is the security solutions manager at Check Point Software Technologies Ltd. He is responsible, among other things, for VoIP security product management. He can be reached at Sharon@checkpoint.com.