Feature

VoIP Security

VoIP Security

Bernie Dodwell


For Voice resellers there is a lack of understanding regarding the security issues and the potential impact on their customers. What are the issues and what can resellers do to address their users concerns and increase the value of the opportunities?

Common questions include:

What are the security issues surrounding VoIP?

VoIP is an IP based protocol and carries with it the same challenges of securing IP and similar risks. VoIP presents some additional challenges due to its varying protocols, multiple communication channels, and varied deployment options. These complexities can create new opportunities for exploitation.

Since VoIP traffic is converged with data traffic travelling over IP networks, VoIP is susceptible to many of the same threats as data traffic. The most common attacks include:

•  Denial of Service - This attack is targeted at dramatically slowing network performance and can potentially shut down both voice AND data communications. It can also create buffer overflows, in order to compromise systems.

•  Voice Services Theft - Hackers use a variety of techniques to obtain free unauthorised telephone calls that end up getting billed as company VoIP usage. These attacks can potentially go unnoticed but have direct impact on an organization's bottom line.

•  Voice System Hijacking - Malicious users remotely manage devices, change settings, and even eavesdrop on phone conversations. Besides the havoc this attack wreaks on the actual VoIP system and voice communications, it presents a significant security risk for companies in terms of confidential data loss.

 

Don’t firewalls present challenges in converged voice/data networks?

Traditional network firewalls were only designed for data applications, so some have had problems handling real-time applications like VoIP, especially in dealing with Network Address Translation (NAT) and VOIP signalling. In the case of Check Point VPN-1, it understands VoIP protocols and signalling, and supports NAT in VoIP scenarios. VPN-1 enables VoIP traffic converged with data traffic while ensuring a high Quality of Service (QoS) for VoIP traffic (real-time delivery, short delay, low jitter and low packet loss across networks).

 

Will the firewall add noticeable latency to VoIP or introduce increased QoS issues?

From the firewall's perspective, VoIP is another set of protocols that must be examined, so there is no abnormal load on the firewall or associated latency when examining VoIP traffic. Since the firewall is focused on call setup and call termination (points of exploitation), the majority of the processing and overhead will occur at these points and not during the actual call when the user would be sensitive to added latency. The net effect of this is largely transparent to the user.

Vendors from both the Voice and Security markets have recognised the issues. Mitel has included a firewall in the new CXi, as do 3COM in their VCX appliance and other VoIP vendors may follow suit or strike up strategic alliances with firewall vendors. However, will these firewalls meet corporate/industry standards, be acceptable to the Security Manager and meet Information Security requirements? Security managers will have many questions – and most voice vendors are not security experts.

The firewall vendors have not stood still - Check Point has focussed on VoIP security issues in their latest VPN-1 NGX release and other vendors are specifically addressing the challenges.

There is another element to be considered. There are some 120+ IP “applications” supported by TCP/IP (SMTP, FTP,HTTP, Streaming Video etc.) No network has unlimited capacity and each IP protocol competes for available bandwidth. As network usage increases and more applications are added, so does competition for bandwidth and unless companies take steps to manage these conflicts, service levels rapidly deteriorate, business critical applications are ‘squeezed', users complain they cannot perform their duties and business performance suffers.

There are two options to solve this problem:

•  Buy more bandwidth – this only defers the problem it for a while.

•  Install a bandwidth manager e.g. Packeteer, to ensure business critical applications are always given priority for available resource and to maximise investment in bandwidth

The conclusion therefore is to combine the voice vendor's VoIP solution, a firewall with specific VoIP security focus and bandwidth management to produce a comprehensive, integrated solution. Looking ahead, there are more elements to consider e.g. intrusion prevention, authentication, mapping in physical security solutions – these are subjects for further discussion.

However, few resellers have experience of the Voice, Security and Bandwidth management (data) markets together and may be reluctant to get involved. To assist VARS, Westcon has created a packaged solution of product, training and support addressing this systems integration requirement. For the VAR, this creates a competitive edge against someone offering Voice only, increases the value of any given deal, generates higher actual and % margins and enhances customer loyalty.

Voice resellers will be forced to understand security issues as voice vendors incorporate security technologies and users demand SLA's, including high availability and security, for their business critical VoIP applications. Unless voice resellers become security aware, they are in danger of their phones not ringing…

 

www.westcon.co.uk