Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

VoIP vulnerabilities: Why firewall protection is not enough

Voice over Internet Protocol (VoIP) systems need to be protected by more than just firewalls. Learn more in this podcast.

In the past, many companies relied on intrusion detection systems and firewalls to protect their data and Voice over Internet Protocol (VoIP) systems. However, today's experts are saying that's not enough to protect against certain VoIP vulnerabilities. In this podcast, our expert will discuss various VoIP security threats and methods to protect against them.

SPEAKER: Zeus Kerravala, senior vice president of enterprise research, Yankee Group Research Inc.

BIOGRAPHY: Kerravala manages Boston-based Yankee Group's infrastructure research and consulting. His areas of expertise involve working with customers to solve their business issues through the deployment of technology. Before joining Yankee Group, Zeus was a senior engineer and technical project manager at Greenwich Technology Partners, a leading network infrastructure and engineering consulting firm.

Play now:
Download for later:

VoIP vulnerabilities: Why firewall protection is not enough

  • Internet Explorer: Right Click > Save Target As
  • Firefox: Right Click > Save Link As

Read the full transcript of this podcast below:

VoIP vulnerabilities: Why firewall protection is not enough

Karen Guillermo:  Hello, my name is my name is Karen Guillermo, the Editor of SearchCIO.com, and I'd like to welcome you to today's expert podcast on VoIP Vulnerabilities: Why Firewall Protection is Not Enough.

I'm joined today by Zeus Kerravala, Senior Vice President of Enterprise Research for Yankee Group.

Zeus manages Yankee Group's infrastructure research and consulting. His areas of expertise involve working with customers to solve their business issues through the deployment of technology. Before joining Yankee Group, Zeus was a Senior Engineer and Technical Project Manager for Greenwich Technology Partners, a leading network infrastructure and engineering consulting firm.

Welcome Zeus.

Zeus Kerravala:Thanks Karen.

Karen Guillermo:  As I mentioned earlier, we're here today to talk about VoIP vulnerabilities. Zeus will spend the next 10 to 15 minutes discussing the various security threats and how to protect against them. Zeus, the floor is yours.

Zeus Kerravala:  Thanks. I think VoIP security is really an interesting topic. I think security in the VoIP environment is a very broad term and it can be used to describe anything from actual network security, which I think does impact VoIP because obviously now voice is riding on your data networks. Two, it's a more VoIP specific thing, things like protecting against eavesdropping, authentication, how to protect the IP phone. So there are general network security trends and then there are also VoIP specific security threats to look at.

And so I think that is one of the reasons I think you, VoIP security remains such a challenge for many companies because of the breadth of it. I think most organizations are really sure where to start.

If we look at VoIP adoption though, from our latest survey, we know that about 80 percent of companies that we poll have used voice over IP somewhere in the organization. Now that might be in one department, one branch, the lab environment, test and development, whatever, but it's about, but eight out of 10 companies have tinkered with VoIP.

However, only about 10 percent of organizations have deployed voice across the organizations. That is committed the company to VoIP, bet the farm on voice as their long term voice strategy. Now, when you look at that, the 80 percent number, you might think that VoIP adoption's very strong. If you look at the 10 percent number, you might think they did options very poor, but I think what that shows is that we are in the very beginning of this long march towards voice over IP.

If we look at the challenges to VoIP and why companies haven't deployed more voice over IP, network security generally winds up at, if not the top, in the top three concerns. In our last survey they actually wound up the number one concern. 34% of respondents cited security concerns as the main concern about deploying VoIP.

Interestingly enough, the second most common answer, at 31%, was uncertainty of voice quality. Now, you might look at that as more of a network management issue, but if you understand that there are many security things that can happen that can impact the performance of the network which can degrade voice quality, things like denial of service attacks, worms, things like that, you understand that security can play a big role in not only guaranteeing the delivery of voice and the authenticity of it, but also the quality of voice.

So I think, when you think about security, think about it in two camps: one being performance, and one being security, and you want to be able to address both of those things as it goes through your deployment. And there's actually a number of other challenges around cost and single point of failure and things like that that also fall under VoIP security as well, but it is by far the biggest challenge facing network managers.

Now, as I said, it's a very broad term. The threats to VoIP when you use the WAN or the LAN to carry voice traffic vary quite greatly, and what I'd like to walk through in the rest of this podcast is how you think about it, how you structure it, what you might do and what you might want to do.

So, I think the same process that you follow with security that you use to predict the data network from worms and denial of service attacks also protect your IP telephony applications. For networks that have a reasonable level of business security the value of VoIP outweigh the risks, so I think if you're sure of the security you have in network, then you should go ahead and deploy it.

Organizations though, that can't protect their data networks, I think, should be very cautious on their deployment of VoIP until they can.

Many companies, as I mentioned, cite concerns about security as the key reason for delaying implementations too. So they get started and then they delay it because of VoIP. I think these concerns are understandable, given that in most organizations that the telephony environment is the most mission-critical applications and most widely deployed and historically very reliable. So you're also fighting a history when you go to deploy these things.

I think there are some things that you're going to have to have, like, things protecting against denial of service attacks and things. I think many of the recommendations for making VoIP secure are already proven best practices in data only networks. So if you're a telecom manager, I think, consult with your network manager to make sure those things are in place, and I think this is because the expected attacks in the VoIP world are very similar to those that were expected in the data world.

So, I think, you know, much of what we've seen in the past we'll continue to see, but it will have a bigger impact on the voice network.

In traditional data networking, attacks are targeted at servers and in the VoIP world it's no different. You have call servers and conferencing servers and media servers. In the traditional networking world where they're focused at the end points and in the traditional networking world that is known as a PC or laptop or maybe even a mobile device today, and then in the voice world that is an IP phone, and in the traditional networking, data world, that is the network. And also, another point of attack, and the network, of course, is what the voice rides on.

So, as converged networks become more common, I think the attacks will be targeted not just at your Oracle server, but your IP PBX, not just at your PC, but also your VoIP handset, and then the network, of course, will follow.

So two key issues, I think, that can, I mentioned, that dictate extra focus in a conversion environment are protecting, using security to protect against the real time nature of voice traffic. So, for example, a DOS attack, or a worm, would increase network latency to the point where the voice traffic becomes completely unintelligible, and if you exceed that 125 millisecond barrier, the call does become that. And so you can even use QOS in a way to protect against it if you happen to get a DOS attack, but ultimately you want to stop it.

So that's the performance side, and then if you think of all the new signaling protocols that are being used, like SIP and MegaCo, to deliver voice, most organizations that adopt VoIP will introduce these new protocols into the networks, SIP being the most common one, and then there are also a number of proprietary protocols, things like Cisco Skinny, that augment SIP, that can be used too. And by manipulating the different protocols, hackers can steal services, disrupt sessions or launch other malicious attacks.

So that would be the more protection side of security. So those are the things to think about. So, I'm going to walk through the different layers that I talked about now. So, first of all, I think protecting the IP PBX server is extremely important. So, it is a server in your organization. It may be sold to you as an appliance, but make no mistake, this thing's a server with software loaded on it.

If you look at what Microsoft just launched with OCS, that is server software that's going to run just on standard hardware. There are companies like interactive intelligence already that do that. So this is becoming a software game running on servers.

Now, the same best practices and protection methods that you use to other mission critical servers, should also apply to the IP PBX. It's no different. And I find it interesting when companies don't do that because it, in many ways it's the same. For servers, today we deploy firewalls and I think firewalls are still needed with IP PBX's. The behavior of VoIP signaling protocols dictate the need for firewalls that are IP telephony aware. So it's not a traditional firewall that you just want to use, but one that is SIP or H323 aware and that these, the VoIP firewalls can allocate these ports dynamically during a call set up.

The firewall has to be able to scan VoIP messages and open ports for calls that are only approved by the call server, and when the call disconnects the firewall must be able to close the session and all the open ports as well. And since most IP PBXs tend to use proprietary protocols today to speak with family of IP phone board, companies also must use firewalls to support explicitly those proprietary protocols.

Now, I mentioned Cisco Skinny being the most common one, but others have their own proprietary protocols. So does Nortel. Many vendors will look at these and call these SIP extensions, but they are still proprietary.

Over time, I think you'll see SIP become a lot more feature rich which will obviate the need for proprietary protocols, but they're still there.

I think intrusion prevent systemsare must. Network-based IPS, they complement firewalls, they use a network-based approach to protect the IP PBXs against DOS attacks and other types of attacks. So, the IPS that you use should be able to block all the different signaling protocols that are anomalous in behavior.

So, if you notice an overly large abundant of maybe a voice protocol that you don't use, then shut that down. But an IPS system will do that much better than a firewall. And, of course, there's also host intrusion prevention systems, and these are a little different. It's similar to the network one, but it actually runs on the server itself, and I think what these do is they protect the server from some sort of intrusion that might not have been caught by the network based device. So, in a way it's a little bit belt and suspenders, but you want to protect yourself the most, and these are things that are very commonly done in the data world to protect business applications. And again, I don't think it should be a whole lot different.

Now if you're using a hosted solution or an IP-centric solution, the access link to the carrier should also be protected using a network-based intrusion prevention system and a firewall as well. So, keep that in mind, that if you're going to use a hosted service, you should protect that. The carrier may offer it, but if they don't, be sure to check for it yourself.

So, the network, the second layer I talked about, an you want to be able to protect the network against attacks, and what you're trying to do with network security is preserve the real time nature of voice traffic, and that's extremely important for voice obviously and this is where things like worms and DOS attacks come into play, and now you can do a couple of things to do this, and these are more traditional networking things but there are security implications as well.

So, first things first, use VLANs. VLANs separate voice traffic from data network traffic, basically putting it on a whole separate virtual land. This is only possible when using IP telephony handsets. I think when you use soft phones and things that traffic goes to the desktop. Voice and data traffic gets tagged, unfortunately, with the same identifier, but you can put all your IP phones in a separate VLAN, and what this does is it takes all the traffic originating from the IP phones to the call server and separates it from the rest of the network.

Now, in the event that you do get too much traffic though, run QOS. So what QOS does is it will prioritize all your voice traffic, or if you use the VLAN, all the traffic in your voice VLAN, ahead of all other traffic, and what this does is it makes sure that it can't be overrun with bandwidth spikes from other different types of traffic, some of it being malicious, or even some of it being just normal business traffic, right? I was talking with one organization, that they had somebody who was listening to the radio on their PC over the browser. Now, that was causing a lot of spikes in traffic. This is where if you use QOS in conjunction with VLAN, the IP phones would not have been susceptible for it.

The third thing that I mentioned, I mentioned the servers, the network, and the third thing is in the data network are obviously the end points, and that is the IP phone itself. I think most organizations will deploy a combination of IP phones and soft phones, and you need to think about protecting those.

So, from and IP telephony handset perspective, end point security, for the most part isn't presently available for a lot of IP telephony handsets, nor do the independent agent-based systems that run on PCs exist for these devices. You'll see them over time. If you're making a decision I'd certainly push the vendor on it. I know vendors like Cisco actually offer, if you use an all-Cisco environment the phone actually has to authenticate to the network itself and that helps with some protection.

But most users don't actually use their IP phones to surf the web or download executables, so I think the risk to IP handsets is somewhat negligible, although be aware of it, and like I said, when you talk to your vendor, look at the road map for IP telephony handset security and authentication.

When it comes to soft phones, what I would do is I would consider using best practice laptop security configuration on all my PCs. So using end point security software, you can use things like centrally-managed personal firewalls and anti-virus software, but you also might want to consider using some sort of desktop host-based intrusion prevention system.

I think what you'll find is that soft phones are very sticky. Users tend to like them, and what you don't want to have happen is the user becomes sort of dependent on it, but then have something happen where they can't use it.

A lot of people also ask me about encryption. I think the best protective measure against IP telephony eavesdropping is to encrypt the voice traffic but do it selectively. Eavesdropping, I think, in most environments, and the vendors that sell this encryption software might now want me saying this, but it’s somewhat overrated. I think it’s unlikely in most environments. I think if you're going to tap a line I think there are a lot more interesting applications to steal data from, things like CRM systems, accounting systems more so than VoIP, but if you are a government institution, maybe a law firm, a commercial bank, and you have to do this, deploy, encryption is the best way to protect against it.

And really, it's no more difficult to protect your VoIP traffic, encrypt that than it is any other one. So, eavesdropping in a LAN-based environment is done using some sort of intermediate device. So there's a physical security element to this as well, that you want to make sure your IP PBX, isn't in a wiring closet, but in a data center, and that any odd devices that you see are actually removed from the network.

But, as a general rule, if you already encrypt data traffic, then encrypt the voice traffic. If you're not encrypting the data traffic, then I don't really think you need to encrypt the voice traffic. Organizations that use encryption should test its performance first to ensure that the overhead associated with encryption and decryption doesn't actually deteriorate the voice quality.

So, in summary, again, when you go about deploying security technologies in your voice environment, think about it like you think about your data network. In your data network you have servers. In the voice network you have call servers. In the data network you have PCs, you have IP phones. The networks important to both, and I think if you take it from this approach, I think you can have a successful deployment. I think it'll help you prioritize what to deploy and when not to deploy, and like I said, if you focus on the things that protect against quality and guarantee of delivery first and then maybe get to some of the other things down the road, like eavesdropping protection, or spam over IP, that'll come down the road, but like I said, focus on protecting it like you protect the data network and I think for the most part you'll have a successful deployment and a successful roll out.

Karen Guillermo:  Okay. And on that note, that concludes today's podcast. Thank you again to Zeus Kerravala for speaking with us today, and thank you all for listening. Have a great day.


Dig Deeper on Enterprise network and wireless management