IP Phone Security
IP Phone Security ensures IP Telephony is not compromising the business
She’s back again. Guest editor Lesley Hansen discusses what needs to be considered in ip phone security design.
VoIP or IP phone security is a hot topic. Security attacks continue to evolve and attackers find ever more sophisticated ways of attacking systems. VoIP is only an application running on the IP network, and therefore it inherits the security issues of the IP network. This means VoIP security is only as reliable as the underlying network security and if the IP network has security vulnerabilities, these can be exploited once VoIP is implemented.
The goal of every IP network component manufacturer should be to build a product that maintains a high level of security and provides relevant data to tools to monitor the system for attacks. Once the system in in place ongoing IP telephony security maintenance is primarily related to the IP PBX or telephony servers; keeping up-to-date with operating system and third-party service packs to eliminate well-known security holes, implementing critical support patches on servers, updating anti-virus definitions to protect against well-known worms and viruses and performing daily backups of servers with periodic data recovery tests.
But the IP handset is an important point of access into the IP network. End points such as IP handsets provide a point of vulnerability and a number of standard exist to secure the telephony network, but these are not always supported in the IP Handset, and where supported they are not always implemented by the network manager.
Avoiding Denial of Service Attacks
Denial of Service (DoS) attacks can take down telephony. A distributed DoS (DDOS) attack is a concerted and coordinated effort to flood a network with requests. Though the attacked network may not be penetrated, these attacks can “busy” a system rendering it unusable. To protect against this it is important while implementing the IP handsets to ensure that ports are not unnecessarily left open, all unnecessary ports and services should be shut down and unused services should be deactivated. This is where interoperability partners become key.
For example PBX manufacturers like 3CX and Vodia Snom 1 and Asterix PBXs support the Snom security settings from the handset – out of the box. This means there are no configuration requirements so delivering a rapid roll out while ensuring the system is up and running with full security and minimum disruption or delays. Not all PBX manufacturers and IP handset vendors will be interoperability partners. To ensure a wide number of PBXs can be supported and provide the business with a high degree of choice handset vendors should work with the TLS and SRTP standards for configuration setup.
TLS and SSL encrypt the data of network connections in the application layer. They use X.509 certificates and hence asymmetric cryptography to authenticate the other party with whom they are communicating, and to exchange a key. This session key is then used to encrypt data flowing between the parties.
Protect Against Unauthorised Access
When deploying an IP telephony system IT personnel and voice administrators need to take appropriate measures to prevent threats such as toll fraud. Toll fraud refers to internal or external users using the corporate phone system to place unauthorized toll calls. Toll fraud can occur with both TDM and IP-based voice systems and a standard method of protecting against it is the ability to control call type’s for example banning mobile or international calls.
This call control is sometimes handled by low cost routing within the PBX but it can also be done within the IP handset dial plans. A handset with this capability helps to protect against telephone fraud even when the PBX does not have low cost routing.
Ideally in a well-designed handset the telephone will provide security beyond that provided by the firewall. Security at the handset ensures protection from people on the inside network who have physical access to phones and can bypass the firewall. This means the handsets provide a higher level of security against phone tapping/unauthorised access. Supporting the 8021x standard helps avoids fraudulent use of the network and protects against 3rd party/un-authorised devices. Handsets that supports 8021x, where the PBX also supports the standard, will allow the device to request authentication from the switch. This ensures that if a device connecting to the switch does not have the credentials then the switch does not allow access.
Encryption Against Eavesdropping
VoIP systems that don’t use encryption make it relatively easy for an intruder to intercept calls. Any protocol analyser can pick and record the calls without being observed by the callers. In man-in-the-middle attacks, an internal user spoofs the IP address of a router or PC to spy on voice traffic as well as data entered on the phone keypad during a voice conversation, such as passwords. After copying the information, the user forwards the voice traffic to the intended destination so that neither the sender nor the recipient knows that the conversation was intercepted. Typical motives include espionage and harassment.
Eavesdropping has become easier because of widely available packet-sniffing tools. The method used to combat this is encryption. Provided that both the handset and the PBX supports the standards, encryption ensure that the audio and the signalling traffic are both protected. Products can be configured as enabled for security so that signalling is in TLS and audio in SRTP. These security encryption standards means that all communications from the handset to the PBX/Server is protected from snooping and tapping.
Greater levels of encryption are available but at a cost. At the top of the pile Secusmart in Dusseldorf provides an encryption technology currently used by the German government that can be incorporated into the IP Handset, these handsets are forbidden for sale to counties under embargo and the end users need to be checked and validated before despatching handsets. At CeBit a Snom handset with GSMK Cryptophone technology was presented, this provides an internationally accepted secure IP handset solution that sells to sells to organisations such as military, government, pharmaceutical and broadcasting where the information has such a high value that the increased cost for the handset and call manager with encryption is justified.
Once end points with the required standards are selected, for many organisations attention to detail during set up and use of passwords, plus a controlled rollout of the handsets and strictly following instructions when installing the endpoints plus using the SRTP protocol or VPN tunnels to increase network security will provide a secure solution without the additional investment in these higher levels of encryption.
Other posts in our IP phone design week:
Check out all our VoIP posts here.