But it's not as scary as it seems for cash-strapped SMBs with limited IT staffs. Most of the tuning required to secure VoIP involves the same efforts as hardening Internet and Web connections your company probably already has in place. And most of that work can be handled by your existing network staff, even without a dedicated information security department.
Even if your SMB doesn't host its own Web site or Internet service, like a larger enterprise, it still has connections to the Internet through conventional routers. Handling VoIP for them should be a snap.
Security comes first
Before delving into the four best practices for securing VoIP and how to apply them to SMBs, be aware of the overall security issues around VoIP.
There are three major security concerns around VoIP, and they're the same security issues as those for IP traffic, in general. The three issues are:
- Lack of authentication.
- Spoofing, and exposure of unencrypted data.
- Unwanted traffic similar to email spam, which in the VoIP world is called SPIT, or spam over Internet telephony.
VoIP can also serve as an entry point into your company, just like any other Internet connection, for viruses, spyware and malware. But this isn't a specific problem of VoIP. Denial-of-service (DoS) attacks are also possible via VoIP but, again, this is a general IP protocol issue and not just a VoIP concern.
IP traffic isn't authenticated. It moves freely over the Internet and can come from anywhere. This is a problem inherent in the TCP/IP protocol. For VoIP, it means a malicious user could fake, or spoof, your company's IP address and appear on the caller ID of an unsuspecting customer. This tactic is known as VoIP phishing, which, like its email counterpart, is meant to entice customers to give up confidential account information over the phone to thieves posing as your company employees.
IP traffic moves in the clear by default. It can be easily picked up by conventional packet sniffers like Wireshark (formerly Ethereal), dsniff, Ettercap and their ilk. Any conversations on your new shiny VoIP phones can be eavesdropped by sniffing unencrypted traffic traveling over the Internet. Unlike regular phone lines, which require some effort to tap through the phone company, VoIP can potentially expose your SMB to the whole world just by being on the Internet.
And, just as spam is delivered via email, junk voicemail messages can be pumped into your company through VoIP, clogging your SMB's phones with SPIT. This is in addition to a DoS attack against your company, just like any other from the Internet, through your VoIP connection.
So, what's an SMB to do to protect itself from the dangers of VoIP? Here are four suggestions:
- First, run all your VoIP traffic through a separate Internet connection and separate voice and data traffic into their own network segments. Use a VLAN to separate voice and data. This can prevent an attack via the data stream from the Internet leaking into your voice system, using your VoIP network to attack your primary network. Set up separate servers dedicated just to VoIP traffic and firewall them apart from the rest of your network. For VoIP connections between different buildings, use a virtual private network (VPN) to authenticate users to prevent spoofing.
- Second, avoid cheap VoIP systems that can be installed on an ordinary desktop or workstation. As tempting as it might be to a cost-conscious SMB, these systems are highly insecure since they can be easily compromised and used as a back door into your network. Go for a real VoIP system from a major provider like Vonage Holdings Corp. or Avaya Inc., which integrates with your existing routers and can be handled by your existing network staff.
- Third, encrypt any VoIP traffic to keep it confidential and prevent eavesdropping by network sniffers. VoIP encryption is getting better but it can just as easily be set at the router or gateway level and then tunneled through IPSec. This should put less of a strain on your SMB staff members, who may already be setting up these types of connections for your VPN.
- Lastly, put VoIP servers in a secure physical location, as you would for your other networking equipment. Ideally, if space permits, the equipment should be in its own equipment room separate from that other networking equipment.
Like the rest of your network servers, baseline security controls should be in place for your VoIP system. Here's how:
- Make sure all routers and servers hosting your VoIP system have been hardened and all unnecessary services turned off and ports closed.
- Restrict access to VoIP servers to only system administrators and log and monitor all access.
- Use intrusion detection systems to monitor malicious attempts to access your VoIP network.
- Employ a defense-in-depth of strategy with multiple layers of security, including dedicated VoIP-ready firewalls.
Implementing VoIP is not as scary, or as much of a burden, as it seems. Most of the tasks for securing VoIP can be handled by your existing IT staff, since it is already integrated into your network.
Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP in security, specializing in Web and application security, and the author of The Little Black Book of Computer Security available from Amazon. You can visit his blog, The IT Security Guy, at www.theitsecurityguy.com.
This was first published in November 2006