VoIP/IP Telephony vendor security solutions
VoIP and IP telephony vendors have been improving their security offerings over the past three years. Before that, little attention was paid to security. The increased attention to security testing of the IP PBX products on the market was apparent in the article "High-End IP-PBXs: VoIP Powerhouses," published in the January 2006 issue of Business Communications Review (BCR). The authors conducted a series of security tests on different VoIP vendors' product offerings and concluded that there are vast differences in the security offerings on the market. They also noted that, though security is improving, there is still a lot of work to be done. The highest score a vendor could achieve on BCR's security test was 10. The five vendors tested scored from 6 to 9, with an average score of 7.8; not a great showing for security protection.

Security solutions fall into three categories:
- Encrypting the signalling transmission (SIP, H.323, SCCP)
- Encrypting the speech transmission
- Protecting the endpoints (server, gateway, phone)

Signalling encryption
Signalling encryption should be the first consideration on the list of security protection tools. Signalling includes call setup, call control, access to features and functions, and the limits on user privileges. An attacker who can read the signalling learns who is calling whom and can forge call-control messages, so signalling encryption protects both the server and the endpoint. Vendor choices vary from full encryption to none at all. Some of the variations are:
- Not all signalling functions are encrypted
- Softphones may not be included
- Only registration is protected
- Non-standard solutions are offered
- Some IP phones need more memory to support encryption
- Not all models of IP phone can be upgraded with encryption
- A Right-To-Use (RTU) license is required for the encryption function
- Gateways may not support encryption

It is very important that signalling encryption be included in any VoIP/IPT RFP. This function is one of the offerings that differs from one VoIP/IPT provider to the next. For standards-based signalling the relevant mechanisms are TLS for SIP and H.235 for H.323; ask which of the phones, softphones and gateways on the quote actually implement them.

Media/speech encryption
Speech encryption is also an option in VoIP/IPT products. There are two approaches: standardised, using the Secure Real-time Transport Protocol (SRTP, RFC 3711), and proprietary solutions. Softphones and gateways may not be supported. The lack of encryption support may be specific to a particular protocol, such as no encrypted media when SIP is used. Look for support of 128-bit Advanced Encryption Standard (AES), which is the SRTP default cipher. There is probably an RTU license for this software. Note also that SRTP keys are commonly exchanged inside the SDP of the call setup (the SDES method), so media encryption is only as strong as the signalling encryption that carries the keys.

Integrated firewalls
Firewalls are usually external appliances. In VoIP/IPT, firewall software can also be installed in softphones. Be careful, though: PC firewalls may degrade voice quality by adding latency to the call. At least one vendor has a software firewall that can be embedded in the gateway. In either case, there is a software charge for the firewall function.

Endpoint authentication
Some vendors depend on the LAN switches to implement IEEE 802.1X port authentication with an external RADIUS server. MD5-based digest authentication, the challenge-response scheme SIP uses at registration, is supported by some vendors. Encrypted key exchange may be used during registration as well as an eight-digit password. Others use a variable-length password of up to 25 digits during the initial registration. Keep in mind that digest authentication only proves that the phone knows the password; it encrypts nothing, and anyone who captures the exchange can test guesses offline, so an eight-digit all-numeric password (100 million possibilities) is not a strong secret. Favour the longer passwords and run registration over encrypted signalling.

Attack mitigation
Although it's not possible to stop all Denial of Service (DoS) attacks, you can do something in the way of preventative measures. DoS attacks can take many forms. See the tip "Manipulating VoIP Security" for tools that can create DoS attacks.
One technique that can be implemented in the attacked endpoint is to ignore the DoS. DoS attacks are commonly repetitive operations, so an endpoint can be programmed to recognise the repetition and drop the attacking packets. For example, a flood of INVITE (call setup) requests from one source is a likely attack.
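To make the two endpoint-side mechanisms concrete, here is an added example in Python (my own code, not the article's and not any vendor's implementation) of a minimal SIP registrar. It challenges REGISTER with MD5 digest authentication as described under Endpoint authentication above, shows the offline guessing that a short all-numeric password allows, and applies the per-source INVITE rate limit just described, passing 1 of every 10 requests from a flooding source and reporting once to a management hook. The realm pbx.example, the addresses, the threshold (20 INVITEs per second), the one-time nonce handling and the 4-digit PIN are constructed assumptions for the demonstration, not any product's behaviour.

```python
"""Added example, not code from the article or any vendor: a minimal SIP
registrar that (1) authenticates REGISTER with MD5 digest and (2) rate-limits
repetitive INVITEs per source. Realm, addresses, thresholds and the PIN are
constructed for the demonstration."""
from collections import defaultdict, deque
import hashlib
import hmac
import re
import secrets


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def params(header):
    # 'Digest realm="x", nonce="y"' -> {"realm": "x", "nonce": "y"}
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def digest_response(user, realm, pw, method, uri, nonce):
    # RFC 3261 digest without qop: MD5(HA1 ":" nonce ":" HA2)
    ha1 = md5hex(f"{user}:{realm}:{pw}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    def __init__(self, realm, credentials, invite_threshold=20, window=1.0,
                 pass_every=10, report=print):
        self.realm = realm
        self.credentials = credentials      # user -> password (demo only; real servers keep HA1)
        self.nonces = set()                 # nonces issued and not yet used
        self.threshold, self.window, self.pass_every = invite_threshold, window, pass_every
        self.report = report                # management-system hook
        self.recent = defaultdict(deque)    # src -> INVITE timestamps inside the window
        self.flooding = {}                  # src -> INVITEs seen since the flood was flagged

    # --- (1) REGISTER: digest challenge and verification -------------------
    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return ('SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest '
                f'realm="{self.realm}", nonce="{nonce}"\r\n\r\n')

    def verify(self, authorization):
        p = params(authorization)
        if p.get("nonce") not in self.nonces:
            return False                    # unknown or replayed nonce
        self.nonces.discard(p["nonce"])     # each nonce is accepted once
        pw = self.credentials.get(p.get("username"))
        if pw is None:
            return False
        want = digest_response(p["username"], p["realm"], pw, "REGISTER", p["uri"], p["nonce"])
        return hmac.compare_digest(want, p.get("response", ""))

    # --- (2) INVITE: per-source flood detection, drop 9 of 10 -----------------
    def on_request(self, src, request, now):
        """Return 'accept' or 'drop' for one SIP request from src at time now (seconds)."""
        if not request.startswith("INVITE "):
            return "accept"
        q = self.recent[src]
        q.append(now)
        while now - q[0] > self.window:     # keep only timestamps inside the window
            q.popleft()
        if len(q) <= self.threshold:
            self.flooding.pop(src, None)    # rate back to normal: clear the flag
            return "accept"
        if src not in self.flooding:        # report once per flood, not per packet
            self.flooding[src] = 0
            self.report(f"INVITE flood from {src}: {len(q)} in {self.window}s, "
                        f"dropping {self.pass_every - 1} of {self.pass_every}")
        self.flooding[src] += 1
        return "accept" if self.flooding[src] % self.pass_every == 0 else "drop"


def phone_authorization(challenge, user, pw, uri):
    """Phone side: answer the 401 with an Authorization header."""
    p = params(challenge)
    r = digest_response(user, p["realm"], pw, "REGISTER", uri, p["nonce"])
    return (f'Authorization: Digest username="{user}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{r}"')


def offline_guess(authorization, candidates):
    """Attacker side: digest hides the password from the wire but not from
    guessing; with the captured header each candidate costs three MD5s."""
    p = params(authorization)
    for pw in candidates:
        if digest_response(p["username"], p["realm"], pw, "REGISTER", p["uri"], p["nonce"]) == p["response"]:
            return pw
    return None


def demo():
    reports = []
    reg = Registrar("pbx.example", {"2001": "4271"}, report=reports.append)  # constructed PIN
    auth = phone_authorization(reg.challenge(), "2001", "4271", "sip:pbx.example")
    accepted, replayed = reg.verify(auth), reg.verify(auth)   # second use must fail
    recovered = offline_guess(auth, (f"{i:04d}" for i in range(10_000)))

    invite = "INVITE sip:2001@pbx.example SIP/2.0"
    stats = defaultdict(lambda: defaultdict(int))
    for i in range(3):                      # constructed: a phone placing 3 calls in 3 s
        stats["10.0.0.5"][reg.on_request("10.0.0.5", invite, i * 1.0)] += 1
    for i in range(200):                    # constructed: 200 INVITEs from one source in 1 s
        stats["10.0.0.99"][reg.on_request("10.0.0.99", invite, 5 + i * 0.005)] += 1
    return {"accepted": accepted, "replayed": replayed, "recovered": recovered,
            "phone": dict(stats["10.0.0.5"]), "attacker": dict(stats["10.0.0.99"]),
            "reports": reports}


if __name__ == "__main__":
    print(demo())
```

Running demo() registers the phone once, rejects the replayed header, recovers the 4-digit PIN in well under a second (an 8-digit one is only 10,000 times more work for an offline attacker), accepts all 3 legitimate calls, and from the flooding source accepts the first 20 INVITEs plus 1 in 10 thereafter while emitting a single report.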
The endpoint can ignore 9 out of 10 of the INVITE packets and report the attack to a management system. Check with your vendor to see which endpoints, if any, support this DoS mitigation.

Standard vs. proprietary
Standard solutions may be attractive, but sometimes a proprietary solution works better, at the cost of interoperability. Standard security solutions may work across multiple vendors' products, opening the possibility of competition in procurement. Proprietary solutions limit the vendor choices. Also, proprietary solutions may be short-lived as the vendors' products progress to standardised solutions.

About the author: Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks, as well as VoIP and IP convergent networks, in the U.S., Canada, Europe, Australia and Asia.
This was first published in June 2007