VoIP Security and Your IP Phone
Concerns about massive growth of telephone tapping incidents has led to a growing demand for IP telephone handsets that provide VoIP security.
Trefor.net welcomes VoIP Week contributor David Kirsopp, Technical Director snom UK Ltd
An IP-PBX can be reached from potentially anywhere in the world, and your communications network is vulnerable if not properly secured. As such, making sure you enhance security through your choice and implementation of your IP handsets is one of the security measures you should be considering when introducing VoIP into the organization’s network infrastructure.
Concerns about massive growth of telephone tapping incidents has led to a growing demand for secure telephone handsets. The practical availability of secure telephones is restricted by such factors as politics, export issues, incompatibility between different products, and high prices.
When the VoIP traffic over the Internet is unencrypted, anyone with network access can listen in on conversations. Unauthorized interception of audio streams and decoding of signaling messages can enable an eavesdropper to tap audio conversations in an unsecured VoIP environment, a common threat. And eavesdropping is how most hackers steal credentials and other information; for example, customers reciting their credit card numbers to an airline booking attendant. All that’s needed is a packet capturing tool, freely available on the Internet, or switch port mirroring, and hackers can save the files, take them home, and cause disaster with the stolen information.
Equally or more dangerous than the hacking of the phone calls themselves is that the phone system may enable entry into the company network, and thus the phone connection becomes as portal to all data within the company.
Of course, there are solutions and safeguards that can reduce or even eliminate security weaknesses within VoIP systems.
Authentication-Based IP Addresses
Static configuration of your IP phones to your extensions will prevent easy access by intruders into a conversation. Specifically, you can specify at the IP-PBX which IP address can use a particular extension as a trusted address.
Unlike PSTN calls which traverse dedicated circuits, VoIP calls are really just data going across the Internet…data that must be protected. By using encryption techniques like TLS and SRTP, you can protect both the signaling and the media stream, preventing others from listening in on the conversation using simple tools such as port mirroring and an RTP trace.
SIP packets contain private information: the IP address of the phone, the SIP server, the signaling and media ports that it’s expecting to listen on, the MAC address of the phone, and in some cases even the management port of the phone. This information should be sent over a TLS tunnel to hide it from snoopers, who though they will be able to see TLS packets will have no idea what’s in them.
Well-designed IP phones provide secure SIP signaling via TLS and audio stream encryption by incorporating SRTP (Secure Real-time Transport Protocol), a security profile that adds confidentiality, message authentication, and replay protection to the RTP protocol. SRTP is ideal for protecting Voice over IP traffic because it can be used in conjunction with header compression and has no effect on IP Quality of Service. These factors provide significant advantages, especially for voice traffic using low-bit rate voice codecs such as G.729. Ensure your phones provide TLS-based SIP signaling (SIPS) with a SIP proxy server and audio stream encryption using secure RTP based on 128-bit AES. SIPS not only prevents message manipulation and eavesdropping, but it also assures the proxy server of the identity of the client phone; hence, identity spoofing threats are also subdued by this mechanism. Some phones, including those produced by snom, also use AES in counter mode (AES-CM) for secure RTP, which creates a unique key stream for each RTP packet and thus makes it almost impossible for eavesdroppers to retrieve the original RTP stream from the encrypted SRTP stream.
Secure Media (over UDP)
If you want to increase security further, then purchase a certificate from a Certificate Authority (CA) like VeriSign, which is equivalent to having your documents signed by a Notary Public who is a trusted third party, verifying that you are who you say you are. Getting the certificate into the IP phones is currently the tricky part, as some phone vendors are not burning them in at the factory using the MAC address as part of the key.
Plug and Play and Certificates
Plug and play of phones on the wide area network is nothing new. The phone presents a MAC address, and based upon that MAC address the IP-PBX automatically provisions the phone so that it can make calls. The IP-PBX, however, is not able to verify the MAC address of the phone since it came from the WAN. In this case, the MAC address reflects that of the router as that is where it came into the LAN. This is a security risk, however some handsets have certificates burnt in at the factory, so after a key exchange the IP-PBX can be assured that the phone is who it says it is and that a certain MAC address belongs to a particular phone.
Alternatively, security can be guaranteed from a central point independently from the individual applications and end devices. The advantages of this centralized approach is that it will be a one-off implementation with low maintenance costs and the possibility to secure communications from multiple manufacturers. One option for centrally provided security is a Virtual Private Network (VPN), which are typically used for connections with field bases employees in which a company network connects the branch offices to the computer centre or connects geographically separate servers or computer centers.