Voice-over Internet Protocol (VoIP) communications are supported by a complex environment of standards. Transmission Control Protocol/Internet Protocol (TCP/IP) is involved in the transport of communication, and other critical protocols are involved in the voice aspects of the communications.
A number of protocols should be considered when reviewing the security of a VoIP network:
- H.235v2 (November 2000)—Includes support for elliptic curve cryptography, Advanced Encryption Standard (AES), digital signatures and shared secrets; it was developed by the International Telecommunication Union (ITU) to cover encryption and security for H.323-related communications.
- H.235v3—Supports encrypted Dual Tone Multi-Frequency (DTMF), object identifiers for AES, stream cipher encryption, authentication-only mode for firewall/Network Address Translation (NAT) traversal and direct-routed calls
- Session Initiation Protocol (SIP)—Created by the Internet Engineering Task Force (IETF) and used for initiating a two-way communication, SIP is text-based and simplifies communications. It is an application-level protocol that exists independently from the protocol layer. The Internet Society’s request for comments (RFC) 3261 describes the security features of SIP, including the use of PGP encryption. SIP can be protected using S/MIME, Transport Layer Security (TLS), IPSec, and SIP Authenticated Identity Body (AIB).
One feature common to the different standards used is that the signaling and the actual real-time data are transmitted via different channels across the same network. Additionally, the same network is used to transport a number of other communications and sessions, shared with corporate functions such as e-mail, web browsing and file access.
VoIP Infrastructure Risks
The VoIP network inherits all the vulnerabilities linked with the underlying data network; it also shares the problems with the data network. A denial-of-service (DoS) attack is a typical example of this situation, as any excessive load on the data network affects the VoIP service. Attackers may use a data network attack to cause failures on the VoIP network.
The operating systems of all elements within the VoIP network must be hardened to avoid security incidents; regardless of the function, intruders may be able to exploit security problems on the components.
VoIP networks share some vulnerabilities with conventional phone systems. Intruders may be able to exploit vulnerabilities leading to toll fraud. This is a common situation within voice networks and causes significant economic losses.
IP phones also pose a significant risk to internal security. Intruders may be able to exploit vulnerabilities on the IP phones, using them as a platform for attacking the corporate network, capturing information, exploiting other systems or causing a distributed denial-of-service (DDoS) attack against the local network.
Some common SIP vulnerabilities include:
- Hijack registration—This type of attack is based on the lack of any security mechanism that ensures the validity of SIP requests. Intruders are able to impersonate the originator and deregister or add information into the communication exchange.
- Impersonation of server—Attackers can impersonate the remote server in some communications, including the user agent request. Intruders can embed their own information into the communication path and appear as the valid destination or participant on communications.
- Message body exploitation—Intruders may be able to change the payload on the message body; this can be used to modify session keys and content exchanges. Intruders may be able to use this attack to capture sessions or eavesdrop on a communication exchange.
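The registration hijack described above depends on a registrar accepting REGISTER requests it cannot validate. The following added example (not part of the original article) shows a registrar-side check built on SIP digest authentication, with the client message constructed inline; the realm, user, secret, fixed nonce and function names are assumptions made for illustration.

```python
import hashlib, hmac, re

USERS = {"alice": "constructed-secret"}              # hypothetical credential store
REALM, NONCE = "voip.example", "constructed-nonce"   # real registrars issue fresh nonces

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest(user, password, method, uri):
    """Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1, ha2 = md5(f"{user}:{REALM}:{password}"), md5(f"{method}:{uri}")
    return md5(f"{ha1}:{NONCE}:{ha2}")

def build_register(user, aor_user, password=None, contact="<sip:alice@10.0.0.5>", expires=3600):
    """Client side: minimal REGISTER; credentials attached only if a password is given."""
    uri = f"sip:{REALM}"
    lines = [f"REGISTER {uri} SIP/2.0", f"To: <sip:{aor_user}@{REALM}>",
             f"Contact: {contact}", f"Expires: {expires}"]
    if password is not None:
        resp = digest(user, password, "REGISTER", uri)
        lines.append(f'Authorization: Digest username="{user}", realm="{REALM}", '
                     f'nonce="{NONCE}", uri="{uri}", response="{resp}"')
    return "\r\n".join(lines) + "\r\n\r\n"

def check_register(raw, bindings):
    """Registrar side: 'challenge', 'reject' or 'accept'; bindings change only on accept."""
    lines = raw.split("\r\n")
    method, uri = lines[0].split(" ")[:2]
    hdr = {k.strip().lower(): v.strip()
           for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    if method != "REGISTER":
        return "ignore"
    if "authorization" not in hdr:
        return "challenge"                  # reply 401 with a nonce; bindings untouched
    p = dict(re.findall(r'(\w+)="([^"]*)"', hdr["authorization"]))
    user = p.get("username", "")
    secret, aor = USERS.get(user), hdr.get("to", "").strip("<>")
    # Reject unknown users, wrong nonce or URI, and users changing someone else's AOR.
    if secret is None or p.get("nonce") != NONCE or p.get("uri") != uri \
            or aor != f"sip:{user}@{REALM}":
        return "reject"
    expected = digest(user, secret, method, uri)
    if not hmac.compare_digest(p.get("response", "").encode(), expected.encode()):
        return "reject"
    if hdr.get("contact") == "*" or hdr.get("expires") == "0":
        bindings.pop(aor, None)             # authenticated deregistration
    else:
        bindings[aor] = hdr.get("contact")
    return "accept"
```

An unauthenticated deregistration (`Contact: *`, `Expires: 0`) is only challenged and leaves the binding table unchanged; the same request with a valid digest is accepted.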
Risks to the VoIP Service
There are a number of risks specific to the VoIP environment, including the following:
- IP phone hijacking—Intruders may be able to take control of the IP phone and change the configuration parameters, including modifying the greeting and call-forwarding configuration.
- Modification of accounting data—Intruders may be able to manipulate the data used to control accounting functions, charging calls to a different phone or even eliminating the charges completely. This type of attack would seriously compromise the integrity of the VoIP environment.
- Phone-based DDoS—Intruders may use all the IP phones within a corporate network to launch a DDoS or phishing attack, dialing hundreds of numbers to play a recorded message or to clog the lines of a victim. Thousands of simultaneous calls may bring down the victim’s phone system.
- Change caller ID—Intruders may be able to modify the caller ID records to impersonate valid users.
- Identity theft—Intruders may exploit vulnerabilities on the VoIP environment to impersonate a user, redirect calls to a secondary phone and gather information to support the identity theft process.
- Session hijacking—Intruders may be able to hijack an ongoing call and redirect it to a different end point. This can also be used for intercepting or monitoring the calls.
- Insertion of content—Intruders can exploit weaknesses in communication that is sent in cleartext and insert data into the stream, including the contents of a .wav file.
VoIP Availability, Confidentiality and Integrity
In terms of availability, end users are accustomed to a relatively always-on service from desktop phones. The VoIP service must provide an equivalent level of service to be accepted.
Corporate bandwidth must be protected and controlled to ensure the availability of the VoIP service. Additionally, all the individual components of the VoIP service must be deployed to withstand failures of other components and operational problems. High availability and reliability must be embedded in the environment during architecture design.
Network latency must be controlled to keep it within the acceptable levels; any transmission delay longer than 150 milliseconds may cause quality degradation on the communication.
In terms of confidentiality, VoIP calls must be protected from unauthorized access; this will reduce the chances of unauthorized interception or modification of the calls. The underlying communication protocols are capable of protecting the VoIP-related packets and ensuring that the call is protected end to end. By using encryption mechanisms, confidentiality can be ensured.
Integrity is another byproduct of using the encryption mechanisms. Although the VoIP protocols and communication systems are not created to ensure the protection and integrity of the VoIP payload, encryption mechanisms can be deployed to avoid any third-party modifications.
Countermeasures Within the VoIP Network
Some of the general countermeasures required for the VoIP network are:
- Physical security—This applies to the network, data center, hardware and equipment used for the VoIP service.
- Encryption of traffic—The VoIP traffic must be encrypted to avoid unauthorized access to the calls and modification of contents and session information.
- Segmentation—The critical VoIP components must be added to a dedicated virtual local area network (VLAN) where additional controls can be deployed, including VoIP-aware firewalls and intrusion detection system (IDS)/intrusion prevention system (IPS) protections.
- Duplicate TCP/IP services—In case of Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS) and other shared resources, it is useful to have separate servers for the VoIP and data networks. This will be useful in case of simple DoS attacks targeting the service on one of the two networks.
- Filter traffic—VoIP-aware firewalls should be deployed, and the switches and routers should be configured to filter unauthorized traffic. In an ideal configuration mode, the network must be able to allow only expected traffic on the specific VLAN where needed and between the valid elements. SIP traffic on the data network may not be allowed, and DHCP requests between IP phones must be blocked. Only valid protocols should be allowed, filtering out unnecessary protocols.
- Hardening—All operating systems and applications must be hardened following best practices and vendor recommendations.
- Separation of traffic—The VoIP and data traffic must run on separate VLANs. This will provide an initial protection to attacks within the two services and will create a virtual separation between the two.
- Deployment of application-aware filters—These can be used to identify the type of calls being made, restrict fax/data traffic on VoIP lines, block outbound international traffic, block calls on lines that are not allocated to employees, log caller activities and provide additional filtering capabilities.
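The filtering and separation rules in this list can be checked against flow records exported from switches or firewalls. The following added example (not part of the original article) audits constructed flows for SIP on the data network, DHCP between IP phones, traffic crossing the voice/data boundary and unexpected protocols on the voice VLAN; the subnets, server addresses, RTP port range and rule names are assumptions.

```python
import ipaddress

VOICE_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed voice VLAN subnet
DATA_NET = ipaddress.ip_network("10.10.0.0/24")    # assumed data VLAN subnet
CALL_SERVERS = {"10.20.0.10"}                      # assumed SIP proxy/registrar
VOICE_DHCP = {"10.20.0.2"}                         # assumed dedicated voice DHCP server
SIP_PORTS, DHCP_PORTS = {5060, 5061}, {67, 68}
RTP_PORTS = range(16384, 32768)                    # assumed media range; varies by deployment

def in_net(ip, net):
    return ipaddress.ip_address(ip) in net

def audit(src, dst, proto, dport):
    """Return None for an expected flow, otherwise the name of the rule it breaks."""
    ends = {src, dst}
    on_data = in_net(src, DATA_NET) or in_net(dst, DATA_NET)
    voice_ends = sum(in_net(ip, VOICE_NET) for ip in (src, dst))
    if dport in SIP_PORTS and on_data:
        return "sip-on-data-network"
    if voice_ends == 1:
        return "crosses-vlan-boundary"
    if voice_ends == 0:
        return None                                # ordinary data traffic, out of scope
    if proto == "udp" and dport in DHCP_PORTS:
        return None if ends & VOICE_DHCP else "dhcp-between-phones"
    if dport in SIP_PORTS:
        return None if ends & CALL_SERVERS else "unexpected-on-voice-vlan"
    if proto == "udp" and dport in RTP_PORTS:
        return None                                # media between voice endpoints
    return "unexpected-on-voice-vlan"

def violations(flows):
    """Keep only the flows that break a rule, paired with the rule name."""
    return [(f, r) for f in flows if (r := audit(*f)) is not None]

FLOWS = [  # constructed flow records: (src, dst, proto, dport)
    ("10.20.0.21", "10.20.0.10", "udp", 5060),   # phone to call server, SIP
    ("10.20.0.21", "10.20.0.22", "udp", 20000),  # phone to phone, RTP
    ("10.20.0.21", "10.20.0.2", "udp", 67),      # phone to voice DHCP server
    ("10.10.0.7", "10.10.0.9", "udp", 5060),     # SIP between data hosts
    ("10.20.0.21", "10.20.0.22", "udp", 67),     # DHCP between two phones
    ("10.20.0.21", "10.20.0.22", "tcp", 23),     # telnet on the voice VLAN
    ("10.10.0.7", "10.20.0.21", "tcp", 80),      # data host reaching a phone
]
```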
VoIP networks have a number of inherent security vulnerabilities that can be easily exploited by intruders. The number of VoIP networks is growing constantly, thus increasing the possibility of VoIP elements becoming a prime target for large-scale attacks. Additionally, the maturity of exploit tools and the complexity of attacks are continually changing, allowing intruders to cause more damage with fewer resources and less time.
However, it is possible to have a safe VoIP environment. This is achieved by ensuring that all elements are properly hardened, communications are filtered, and VoIP-aware elements are used for filtering and analyzing communications between different networks. VoIP services can be protected and they can converge with data networks; however, security must be considered while designing and deploying the service.
Internet Society, RFC 3261, www.isoc.org
Henning, T.; A. Resetko; "Security in Voice-over IP Networks," Alcatel-Lucent, 2006
Ransome, James F.; John W. Rittinghouse; VoIP Security, Elsevier, 2005
David Ramirez, CISM, CISSP, BS 7799 LA
joined Alcatel-Lucent’s Security Consulting Practice in March 2005. His responsibilities include technology, innovation and thought leadership within the practice. He has been invited to speak about security at numerous international conferences, including TeleEvo Moscow 2006, TeleManagement World Nice 2007 and EEMA European Identity Conference Paris 2007. He began his career in 1995 as a networking specialist. Subsequently, he joined a consulting company managing the information risk management practice implementation. In 2002, he moved to a UK risk management company as part of its new information security division. In that role, he was responsible for developing the methodologies for the practice, covering penetration testing and ISO 17799 compliance, including disaster recovery. Ramirez wrote an Internet Protocol Television (IPTV) security chapter for a book on IPTV in June 2005 and is currently preparing an IPTV security book to be published by Wiley in December 2007. He has also written articles for several magazines and newspapers on the subject of security.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.