Calling with confidence
06.09.2009
VoIP (Voice-over-Internet Protocol) "telephone" services are open to the vulnerabilities of the Internet. Many threats may even be more acute because VoIP architectures are complex and hierarchical with many networked components such as IP PBXs, application servers, media gateways, and IP (Internet Protocol) phones.
VoIP networking also relies on numerous protocols, some of which remain poorly defined, and all of which introduce their own security risks.
VoIP Security Threats include DoS and Distributed DoS Attacks; unauthorised access to administration systems for toll and credit card fraud or identity theft; eavesdropping by unauthorised agents; and application-level attacks for registration hijacking, illegal teardowns, register floods, call floods, malformed packets, harassing calls and spam over Internet telephony (SPIT).
Best practices security measures
The following comprise a best practices approach to VoIP security:
1. Maintain current patch levels.
Inadequate software patching exposes networks to unnecessary risk.
Programmatically monitoring and installing patch releases can form an important bulwark for your network, your applications, and your investments.
2. Install a good antivirus system and update it regularly.
Antivirus systems protect voice components and data systems that are very vulnerable to attack. Some firewalls integrate antivirus functionality with specific VoIP implementation and management features.
3. Apply state-of-the-art intrusion detection and prevention systems.
Intrusion Detection and Prevention (IDP) systems protect against threats at the application and network layers. Sophisticated IDP incorporates protocol anomaly detection, attack signature recognition, backdoor detection, and regular expression pattern matching to give zero-day protection against worms, Trojans, spyware, keyloggers, and other malware. IDP is best deployed on multi-protocol VoIP system components such as IP PBXs, media servers, and call accounting systems.
4. Install application-layer gateways between trusted and untrusted zones.
Application-Layer Gateways can dynamically open and close firewall pinholes to maintain VoIP security. Some devices can read and interpret signaling information in message headers and monitor call setup messages to determine legitimacy, if designed to do so. ALG deployment should be considered protocol by protocol. For VoIP, the protocols are H.323, SIP and MGCP.
5. Enforce SIP security by means of authentication, authorisation and IPSec.
SIP gives VoIP networks call processing features and functions but, like HTTP and SMTP, it is text-based, easily spoofed and vulnerable to Spam over Internet Telephony (SPIT), registration hijacking, malicious impersonation of valid User Agents to a registrar, unauthorised call transfer, and unauthorised access to directory information. Securing SIP transactions requires strong authentication, authorisation and IPSec. Proxy servers and user agents can be configured to identify and authorise every request. IPSec provides network layer security by encrypting and authenticating all SIP packets. Integrated Firewall / VPN provides stringent authentication, authorisation and IPSec encryption, while deep inspection allows SIP source IP limitation.
6. Establish policy-based security zones to isolate VoIP segments.
Security zoning can isolate voice network devices and virtually segregate voice networking segments by defining intra-office, local and long-distance/international zones, or H.323, SIP and MGCP zones. This limits the impact of attacks and breaches while enabling faster identification of, and corrective action against, the root problems.
7. Run VoIP traffic on VPNs to minimise eavesdropping risk on critical segments.
Eavesdropping can be prevented on VPNs, and selective VPN encryption can transparently encrypt a call made to a destination with decryption capability while proceeding without encryption for calls to destinations that lack it.
8. Use VLANs to prioritise and protect voice traffic from data network attacks.
Virtual LANs (VLANs) help prevent data network attacks from affecting voice traffic, but they lack user authentication, and tools such as dSniff can create VLAN tags and turn the switched system into a shared medium. To fully isolate voice from data, IP phones sharing a physical cable connection with PCs must support the IEEE 802.1Q standard for trunking between VLANs. Where IP phones and PCs coexist on separate subnetworks, isolation can be achieved using a voice-aware firewall.
9. Apply encryption selectively.
Evaluate encryption of VoIP signaling and/or media streams. Where there's risk of eavesdropping, consider phone encryption. The potential for performance issues to compromise the overall value and utility of a VoIP network must be weighed against the heightened security encryption enables.
10. Protect against UDP flooding.
UDP (User Datagram Protocol) flooding occurs when UDP packets are sent to slow down and stop a system. The best prevention is specialised firewalls that have UDP flood protection.
11. Develop a holistic security programme.
Security zoning and configuration can optimise VoIP performance and protection with methodical security policies and procedures. Resources need to be monitored constantly to track known vulnerabilities and properly secure the network, and non-secure forms of remote access must be disabled on all VoIP components, with patches maintained to ensure efficient and safe operation. Protect against "phishing" attacks that manipulate an unsuspecting insider into disclosing secured information or granting inappropriate network access, by establishing policies and procedures for all personal interactions.
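For the register floods, malformed packets and registration hijacking named in the threat list, and the SIP measures in item 5, this added Python example (not part of the original article) shows the per-message checks a SIP-aware monitor can run on incoming requests. The thresholds, alert names, the `RegisterMonitor` class and the sample message are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")  # RFC 3261 request headers
FLOOD_LIMIT, FLOOD_WINDOW = 5, 10.0  # assumed threshold: more than 5 REGISTERs per source in 10 s

def parse_sip(raw):
    """Return (method, headers) for a SIP request, or None if the start line is malformed."""
    lines = raw.strip().split("\r\n")
    m = re.match(r"^([A-Z]+) sip:\S+ SIP/2\.0$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # compact header forms (v, f, t, i) are not expanded in this sketch
            headers[name.strip().lower()] = value.strip()
    return m.group(1), headers

class RegisterMonitor:
    def __init__(self):
        self.recent = defaultdict(deque)  # source IP -> timestamps of recent REGISTERs
        self.bound_from = {}              # address-of-record -> source IP that last registered it

    def observe(self, ts, src_ip, raw):
        """Return the list of alert names raised by one received message."""
        parsed = parse_sip(raw)
        if parsed is None or any(h not in parsed[1] for h in MANDATORY):
            return ["malformed"]
        method, headers = parsed
        if method != "REGISTER":
            return []
        alerts = []
        q = self.recent[src_ip]
        q.append(ts)
        while q and ts - q[0] > FLOOD_WINDOW:  # drop timestamps outside the sliding window
            q.popleft()
        if len(q) > FLOOD_LIMIT:
            alerts.append("register_flood")
        found = re.search(r"sip:[^>;\s]+", headers["to"])
        aor = found.group(0) if found else headers["to"]
        if self.bound_from.get(aor, src_ip) != src_ip:  # same user, new source: review for hijack
            alerts.append("binding_source_changed")
        self.bound_from[aor] = src_ip
        return alerts

def sample_register(user):  # constructed REGISTER for the demo, not captured traffic
    return ("REGISTER sip:pbx.example.test SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\n"
            f"Max-Forwards: 70\r\nFrom: <sip:{user}@example.test>;tag=1\r\nTo: <sip:{user}@example.test>\r\n"
            f"Call-ID: c1@192.0.2.10\r\nCSeq: 1 REGISTER\r\nContact: <sip:{user}@192.0.2.10>\r\n\r\n")
```

A changed source for an existing binding is only a signal to review, since a phone that legitimately moves networks triggers it too.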
By Andy Miller