Trouble on the Line

By Richard Hyatt

Security Risks
So far, we’ve looked mostly at the reliability issues. Now, let’s look at the security issues related to VoIP networks. VoIP presents a security risk primarily because the service travels across the Internet, which has many extra nodes that could be vulnerable to attack compared to a standard phone network. VoIP systems are, therefore, vulnerable to threats such as denial-of-service (DoS) attacks and spoofing.

DoS. The most common threat to VoIP networks is a denial-of-service attack, in which an attacker floods a device with more packets than it was designed to handle. If there is insufficient network availability and bandwidth at the IP network level, then all services running on that network are affected. This kind of attack is frequently launched against networks running all types of applications, not just VoIP, but DoS attacks are perhaps easier to accomplish against VoIP because it doesn’t take a major attack to affect call quality by affecting latency (the amount of time voice data takes to move from endpoint to endpoint).

There are many types of denial-of-service attacks. They can be aimed at endpoints (phones), thus interfering with the user’s ability to communicate, or at a call controller, which could affect a number of phones by causing the controller to crash.

Spoofing. Spoofing occurs when an attacker mimics a server or manipulates an endpoint device to reroute calls. For example, a DHCP Server Insertion Attack takes place when a VoIP phone is joining the network and trying to connect to the proper servers to receive configuration settings. In this case, an attacker with a “rogue” DHCP server responds to the VoIP phone’s DHCP request for configuration before the legitimate DHCP server is able to. The attacker would then have the opportunity to configure the phone for other activity, such as personal use, or to secretly monitor conversations.

Many of the tools already in use to protect networks from intrusions and viruses are effective to some degree in protecting VoIP systems, but they can create other issues. For example, firewalls can block potentially dangerous IP traffic, but if they’re not designed specifically to handle VoIP traffic, they can have an adverse effect on quality of service by slowing traffic as it passes through. Encryption protocols such as IPsec and tools such as intrusion detection and prevention systems similarly raise the possibility of poor call quality as a result of latency.

As the popularity of VoIP has increased, new products are being designed specifically to eliminate these types of issues. VoIP-ready firewalls, for example, are made to streamline the movement of voice data with little or no latency.

There are also VoIP-specific network appliances that can protect DNS/DHCP services from threats that could compromise an enterprise’s operating system or application environment. Chief among these is what’s called IP Address Management (IPAM) tools.

IPAM. As with any type of computing, as complexity grows, so do security risks. Therefore, the more the network can be simplified, the more secure it can be made. The first way to raise security is to reduce the possibility of misconfigurations and simplify IP address management.

To do this, network administrators use IPAM software and hardware tools (such as the ones made by the author’s company). These tools assist engineers in designing a high availability network, and they ensure that DNS and DHCP services are kept abreast of changes. They allow administrators to take full advantage of the flexibility of VoIP networks, and, as described later, they also provide a layer of security.

Design. IPAM systems allow engineers to create a network design at a conceptual level while the solution builds all of the necessary configurations underneath. A good system will allow for editing of these configurations and should be able to handle all of the complexities associated with physical wiring requirements and configuration management and checking.

When an organization deploys VoIP, a number of things must occur. First, the organization must assign a static IP address for core application servers and media servers (these are the VoIP equivalent of a private branch exchange, or PBX, used for standard corporate telephone networks). Then it must assign blocks of dynamically assignable IP addresses to be used by VoIP clients (handsets or software phones).

Administrators must also set up authentication services to reduce the risks of spoofing, session interception, DoS attacks, or other attacks. Doing all these tasks manually is time intensive and prone to error. A IPAM system speeds the setup and deployment time while reducing the risk of configuration errors by checking configuration changes prior to deployment.

IPAM tools also help properly provision the network to avoid quality-of-service issues. They work with network devices such as switches and routers to guarantee resource availability and minimize jitter, which results when packets arrive out of sequence; a call with jitter sounds like extremely poor cell-phone reception.

Updating data. If DHCP assigns an IP address to a VoIP telephone plugged into the network, the DNS entries must be updated to reflect this new device. IPAM tools feature configuration checkers that ensure that data is updated and valid and that all of the required records are present before the configuration is deployed on the network. Some IPAM systems will also follow all of the records once the server is live to ensure that they point to actual locations.

Sharing IP addresses. IPAM tools offer an additional benefit to companies using VoIP: they allow administrators to use and move IP addresses according to priorities. For example, imagine a company with a call center in Toronto, Canada. The call center closes at 6 p.m., and after that time, the IP addresses of the call center’s phones go unused.

Using IPAM tools, an administrator can, each night after 6 p.m., reallocate those IP addresses to the company’s call center in Australia, giving that office extra bandwidth for calls. Then, when the Australia office closes, the IP addresses are returned to the Toronto call center, saving the company money because it doesn’t have to purchase additional bandwidth for the Australia office.

To prevent or mitigate the effect of denial-of-service attacks, administrators can take additional proactive steps as well. For example, they can ensure that VoIP systems have high bandwidth available so that these systems can withstand a DoS attack. Extra bandwidth can either be purchased or initially designed into the network.

Server insertion attacks can be mitigated through the use of such security measures as traffic monitoring, hardware address filtering, and intrusion detection systems, which are also typically available as features in IPAM systems. In some cases firewalls can help prevent attacks, but many types of commonly employed firewalls do not provide the deep packet inspection needed to provide effective protection, and they may cause service problems as noted earlier.

Authentication. Proper authentication procedures before a phone logs into the network can also help protect endpoints. DHCP provides part of that security by doing MAC authentication, where it checks a unique number given to each network device (called a MAC address) to ensure that it’s authorized to join the network.

IPAM solutions can manage and work with existing corporate directories such as Active Directory (a Microsoft service that manages user data, security, and resources) or LDAP (Lightweight Directory Access Protocol), which helps to locate individuals or resources on a network. Using these authentication schemes can help stop spoofing, session hijacking, caller ID spoofing, and other threats.

More than a century ago, when Bell and Elisha Gray were experimenting with the first telephones, the emphasis was on getting the technology to work properly. Security was little considered, and thanks to the way the telephone system operates, never became a major concern. On the other hand, VoIP is by nature much more vulnerable to attack. Understanding the basics and making sure security is given first consideration are the first steps toward disconnecting risk.

Richard Hyatt is chief technology officer and cofounder of BlueCat Networks, a Richmond, Ontario, Canada-based maker of DNS, DHCP, and IPAM technologies used to secure VoIP-enabled networks.



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.