VoIP security fundamentals, Part 1

Gary Audin

How to think about VoIP security

Security requires constant vigilance. Security is all about the protection of resources -- data, devices, networks, applications and people. While access to these resources is the goal of the user, securing access to these resources means the administrator of the resources wants to limit, even prevent, that access. Enterprises already have many security problems with their data network infrastructure, servers, desktops and software. Adding VoIP and IPT to the mix only compounds the security problems.

There are several security issues with VoIP networks:

- The VoIP/IPT devices, servers, gateways and phones share the data network and inherit the data network's security problems.
- There will be data attacks on voice devices such as Denial of Service (DoS) and malware.
- It is easier to eavesdrop on IP calls than on TDM calls.
- The centralized TDM PBX is gone. The VoIP/IPT resources are scattered around a network.
- The operating systems of the VoIP/IPT devices are less secure than the TDM operating systems of the past.
- Systems (PBX) administration can be located at multiple locations and can be accessed by Web browsers.

VoIP security vs. voice quality

It may not be apparent, but security tools and solutions will conflict with voice quality. The more barriers there are in the network and endpoints for security purposes, the more interference there will be with voice quality.

One of the first issues is the firewall. The firewall can block calls because it cannot process the signaling or dynamically allocate the UDP ports for the calls to pass through it. Firewalls may not read the QoS markers in the voice packet, thereby degrading the packet delivery service. Other issues include:

- Voice packets, when they pass through security devices, can cause added delay, jitter and packet loss during the call.
- Intrusion prevention systems perform considerably more processing than a firewall and have been proven to cause voice quality degradation.
- Encryption and decryption add delay to the calls.
- VPN connections encrypt the QoS markers. The routers consequently cannot deliver the needed QoS for the voice packets.

The security vs. voice quality conflict will be hard to resolve. The voice manager, obviously, does not want poor-quality calls. If the calls are poor, then why have calls travel over the data network in the first place? The security manager does not want to open the network and endpoints to security exposures that will not only compromise the voice services but weaken the data functions as well. This will require a great deal of negotiation and compromise. Security is important, but not at the cost of an unacceptable voice service.

Finding vulnerabilities

There are two sites that demonstrate the software security threats to the data functions. These lists now include VoIP/IPT vulnerabilities. Both lists are funded by the federal Homeland Security Administration. The first is hosted at Mitre. This site has a dictionary of standardized names and descriptions for Common Vulnerabilities and Exposures (CVE). The second site hosts the National Vulnerability Database at the federal National Institute of Standards and Technology (NIST).

The voice staff has not encountered many security problems with traditional TDM PBXs, but voice staff may not be prepared for the new range of security issues that will become evident as the enterprise migrates to IPT or VoIP.
The VoIP personnel will either have to take on their own security responsibilities or use the existing security personnel. In either case, the new responsibilities for VoIP security will require education, possibly some organizational adjustment, and expanded job descriptions.

NEXT: VoIP security threats dissected
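
The firewall problem described under "VoIP security vs. voice quality", as an added example that is not part of the original article: the UDP ports for the voice media are negotiated inside the call signaling, so a firewall that cannot read the signaling cannot know which ports to open for the call. The code assumes SIP signaling with an SDP body (the article names no protocol); the sample INVITE and the function name media_pinholes are constructed for illustration.

```python
# Constructed SIP INVITE (addresses from the RFC 5737 documentation ranges).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def media_pinholes(sip_message):
    """Return [(ip, udp_port, purpose)] a firewall must allow for this call.

    Hypothetical helper: reads the SDP body the way a VoIP-aware firewall
    would, instead of leaving a wide static UDP range open.
    """
    _, _, sdp = sip_message.partition("\r\n\r\n")  # body follows the blank line
    session_ip, streams = None, []
    for line in sdp.splitlines():
        kind, _, value = line.partition("=")
        fields = value.split()
        if kind == "c" and len(fields) == 3:
            # c= before any m= is session-wide; after an m= it overrides that stream
            if streams:
                streams[-1]["ip"] = fields[2]
            else:
                session_ip = fields[2]
        elif kind == "m" and len(fields) >= 3 and "RTP/" in fields[2]:
            port = int(fields[1].split("/")[0])
            # RTCP defaults to the RTP port + 1 unless a=rtcp says otherwise
            streams.append({"ip": None, "rtp": port, "rtcp": port + 1})
        elif kind == "a" and value.startswith("rtcp:") and streams:
            streams[-1]["rtcp"] = int(value[5:].split()[0])
    holes = []
    for s in streams:
        if s["rtp"] == 0:  # port 0 means the stream was declined: open nothing
            continue
        ip = s["ip"] or session_ip
        holes += [(ip, s["rtp"], "RTP"), (ip, s["rtcp"], "RTCP")]
    return holes


if __name__ == "__main__":
    for ip, port, purpose in media_pinholes(SAMPLE_INVITE):
        print(f"allow udp to {ip}:{port}  # {purpose}, remove when the call ends")
```

The ports change on every call, which is why a firewall limited to static rules either blocks the media or has to leave a broad UDP range open.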