THE MAGAZINE

Trouble on the Line

By Richard Hyatt

Network Basics
All networks, including both private intranets and the public Internet, rely on several protocols that define and control the way data bits find their way from point to point. These include two protocols that define the movement of data, and two that define how devices on a network communicate.

TCP/IP. Whether information is sent in the form of e-mail, voice, or video, when it travels across networks, it is broken into pieces, called packets, by the Transmission Control Protocol (TCP). TCP also provides information on how packets should be reconstructed at the end of the journey.

The Internet Protocol (IP) provides each packet with routing information that explains to the routers across the network where the packet is headed. IP is a critical element because every device connected to a network—whether it’s a VoIP telephone, a router, or a printer—needs to have a specific address in a language that IP can understand and that the rest of the network will use when referring to it. This address is called an IP address.

The combination of Transmission Control Protocol and Internet Protocol, or TCP/IP, forms the basic structure within which all other network protocols function. As packets travel toward their destination, routers along the way examine their IP data and move them to the next router depending on what route seems fastest and most efficient at that moment. That means that any two packets sent from the same starting point may travel different paths to the same destination.

This efficient means of communication is quite different from the way in which traditional phone networks work, where a circuit needs to remain open between the parties having a conversation, even when no one is speaking and nothing is being transmitted.

DHCP. When a device such as a VoIP-enabled telephone is attached to a network, it needs to be configured with the appropriate settings, including an IP address, before it will work. This configuration can be done manually, but it is typically done using Dynamic Host Control Protocol (DHCP), a technology that automatically assigns an IP address to devices connected to the network.

ost network administrators use DHCP to configure clients—which is what devices attached to the network are called—primarily because of the large number of devices that need configuration.

DHCP also helps to manage change, which is a constant in a world where many devices are mobile. In the past, when computers were all tied to a specific location (for example, a desktop computer), it made sense to configure them once and then expect that they would remain connected in the same place. This method still makes sense for nonportable items, such as mail servers, printers, and scanners; these have what are called “static” IP addresses. But mobile devices such as laptops need what are called “dynamic” addresses.

Imagine, for example, an executive using a laptop to connect to the Internet both at home and at work. Using DHCP at both locations prevents the need for manually reentering all of the network configuration information each time a connection is made.

Wireless networking makes the need for DHCP even greater, since movement between wireless access points (roaming) requires a new DHCP negotiation every time the user moves out of range of one transceiver and within range of another. Adding VoIP phones adds another layer of complexity, because they require more dynamically assigned settings than standard network devices.

DNS. While devices speak to each other in terms of IP addresses, human users have been given easier to remember address names for Web sites, such as www.securitymanagement.com. These plain English names are what users type into their browsers, but the routers that direct traffic on the Internet are unable to understand this type of syntax. Rather, they require a numeric IP address to locate the correct Web server. The Domain Name System (DNS)—essentially a very sophisticated international 411 service—provides this translation service.

To continue with the securitymanagement.com example, a query is sent by a DNS server on behalf of the requesting device to an Internet root authority server, which responds to the request with the address of an authoritative server for all “.com” addresses to ask about this address. This “.com” server responds with the address for the requested securitymanagement.com domain. The requesting device is then informed that the address for the Web server for this domain is 66.250.218.74.

DNS technology provides this service to all IP-based networks. This includes VoIP services using DNS to locate the different types of servers that make up the VoIP system on the network. Because VoIP treats voice communications simply as digital data, VoIP phones must have IP addresses and all VoIP packets must have TCP/IP routing data and instructions for the packets to be reassembled in proper order.

VoIP Challenges
VoIP scenarios can be extremely complex. Imagine an executive at a hotel in Japan using what’s called a softphone—VoIP software that allows a computer to be used as a phone. When the executive launches the softphone program, it connects to the hotel’s network and reaches across the Internet to the company’s network in the United States. It registers the softphone with the VoIP call manager at company headquarters. Then, when a call comes in to that executive’s office extension, it is automatically rerouted, instantly and without the knowledge of the caller, to the executive’s softphone in Japan.

Behind the scenes, the call is quickly and seamlessly rerouted across multiple networks and carriers, hopping between various IP addresses. This scenario becomes even more complex if an executive is carrying a PDA or Wi-Fi-enabled VoIP phone such as a Wi-Fi BlackBerry. Quality of service. Due to this complexity, it’s not surprising that configuration or other errors are common in VoIP setups. These errors can adversely affect quality of service, resulting in problems with volume and excess noise, or worse—no service at all. They can also open security holes that can be exploited by attackers. Common errors include DNS misconfigurations, attenuation, and improperly allocated IP addresses.

DNS errors. DNS is extremely important, yet difficult to get right. As a result, configuration errors are a major issue when it comes to VoIP. Giga Information Group estimated that 68 percent of public DNS servers at Fortune 500 companies are not configured correctly.

A serious DNS error will prevent the appropriate server from starting, resulting in no VoIP phone service and hours of script debugging by the configuration engineer. In a large organization, finding a single error is nearly impossible. Errors can be created quite simply by, for example, moving a phone from one office to another without notifying the administrator first.

Other types of DNS errors may allow the server to start, but will refer users somewhere other than where they had intended. Attackers can exploit these types of configuration errors by “spoofing” the IP address of a VoIP phone to gain access to the network or make a call that appears to originate from the phone of a company executive. (More security challenges are described later.)

Signal loss. Another factor that needs to be accounted for when using Ethernet (a common method of networking computers inside an organization) as a transmission medium is signal loss across distance, known as attenuation. Ethernet segments are not meant to exceed 300 feet without being repeated or retransmitted. Failure to follow this guideline for all segments leads to poor quality transmissions and signal loss.

Provisioning. Large companies typically have a huge number of IP addresses available, and the engineers who design an IP network need to decide how the IP addresses will be organized. This is part of what is known as provisioning the network.

IT managers have been using spreadsheets for this purpose for years. However, this method is complex and cumbersome. Administrators use spreadsheets to track and manage the allocation of internal static IP addresses and pools of IP addresses used for DHCP. When changes are made (for example, a new server or printer is added to the networks) the administrator must refer to the spreadsheet to see if the requisite space is available on the company’s internal network.

This may be simple for small organizations, but for larger organizations with hundreds or thousands of employees, this task becomes quite difficult. For these organizations, the spreadsheets that are used to track IP changes rarely offer an accurate reflection of the network because changes happen so frequently.

VoIP further complicates this task, because when a company switches to VoIP, it doubles the number of IP addresses needed.

High availability. Most networks were not originally designed to operate at the highly available and dedicated service levels needed to support VoIP. If a Web page takes a little longer than usual to download, this is not considered a system failure. If a voice packet takes longer than normal to arrive however, that’s a definite system failure. High availability is therefore a critical deciding factor—and one that service providers must be able to guarantee to their customers.

Redundancy. High availability refers to a type of network design where redundancies are built into equipment and services to ensure that they are always available. Redundancy is the backbone of networks, because it costs most companies money and opportunity to be down; but with VoIP, even a few seconds of downtime can be disastrous. Therefore, it’s absolutely essential that the DNS and DHCP services in VoIP have high availability. When DHCP services are unavailable, new devices attaching to the network and devices that are rebooting have no access to the configuration information they require to join the network. When DNS services fail, VoIP phones (and everything else on the network) are unresponsive and the network is rendered useless.

Comments

 

The Magazine — Past Issues

 




Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.