Securing IP Telephony Systems
08 Jun 11:19
New White Paper from Networks First offers practical plan to ensure the security of VOIP traffic.
Networks First, a specialist maintainer of network infrastructures, has launched a new White Paper that provides end-users, resellers and systems integrators with a simple step-by-step guide to securing IP Telephony systems.
The increasing maturity of VoIP and converged network technology is driving both enterprise and smaller organisations to reconsider the relative expense of having separate voice and data infrastructures. Instead, increasing numbers of UK businesses are opting for the benefits that a converged network and application model, based on an underlying Voice over IP (VoIP) infrastructure, can offer including reduced cost of ownership, increased business efficiency and significant user productivity gains.
Unfortunately, IT, data and network security concerns are taking up an ever greater share of IT Directors' budgets. According to recent research from Gartner, over 40 per cent of businesses last year spent seven per cent or more of their IT budget on security, against the recommended guideline of three to six per cent, and that figure is set to increase further. There is therefore a significant danger that organisations investing in converged networks are not properly considering, or being advised on, the security implications for VoIP traffic.
In order to address this problem, Networks First has identified a set of simple, yet practical steps for end-users, resellers and systems integrators to follow in order to ensure the security of a converged voice and data network.
1. Take a holistic approach
It is imperative to take a holistic approach to IT security, so that the voice system is included in the overall security risk analysis and best practices are applied as appropriate, aligned at a minimum with the security measures already in place for the data systems. These would include the following measures:
- Use deep packet inspection techniques (IDS/IPS or firewall systems) at WAN/Internet ingress points to prevent multi-layered attacks from breaching the core network
- Implement robust wireless security mechanisms such as strong authentication, strong encryption and rogue access point detection
- Deploy endpoint security on servers and hosts so that network-attached devices are required to conform to the defined enterprise and desktop security policy.
2. Assess the risks in line with business implications
Although the threats and attack methods for voice and data traffic may be similar, the implications of losing part or all of the phone system will be different in terms of the risk to business operations and cost.
Having performed a risk assessment of the implications of any given threat for the business, it may be necessary to harden key voice components in addition to providing conventional network-based security controls.
3. Secure the network infrastructure
There are several recommended techniques for securing the network infrastructure:
- Employ Separate Voice and Data VLANs - Mandatory
Keeping the voice and data traffic separate through the use of VLANs has several advantages. The inherent isolation provided by VLANs ensures that inter-VLAN traffic is under management control and that network-attached PCs cannot initiate a direct attack on voice components. Additionally, organisations should employ a separate Voice Server VLAN for the key call processing servers so that they can be secured from unsolicited access.
- Use Secure Network Management Techniques - Highly Desirable
All network device and server management traffic should be encrypted to ensure confidentiality, and authenticated, for example using SSH v2. A central facility offering secure authentication, authorisation and accounting (AAA) would ensure that only recognised administrators can make changes to the network configuration. This recommendation is desirable regardless of VoIP.
- Authenticate Network Access - Desirable
Wireless LANs, teleworking and PDAs have all contributed to a widening of the network perimeter, such that traditional boundary security measures may be circumvented. To protect the core it is desirable to authenticate any node that attempts to join the network before it is allowed access to any network resource.
- Use Voice Aware Firewalls - Optional
Stateful awareness of voice signalling protocols is essential if a firewall is to maintain a secure boundary while still inspecting voice traffic for anomalies: the media (RTP) ports for each call are negotiated dynamically in the signalling, so a firewall that does not follow the signalling must either block the call or leave a wide port range permanently open. Not all firewalls have this capability, and technicians should ensure that the firewall supports secure inspection of protocols such as SIP and H.323. Firewalls also need to give VoIP traffic precedence so that they do not impede voice through delay, jitter or packet loss.
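To make the "voice aware" point concrete, the following is an added example written for this page; it is not code from the Networks First white paper. It parses the SDP offer carried in a SIP INVITE and derives the exact RTP/RTCP pinholes a signalling-aware firewall would open for that call, flagging offers that try to steer media to a host outside the voice VLAN or to a port outside the phones' configured RTP range. The two INVITE messages, the voice VLAN (10.10.0.0/16) and the RTP port range (16384-32767) are constructed assumptions for the example.

```python
"""SIP-aware pinhole derivation: the check a voice-aware firewall performs.

Added example, not code from the Networks First white paper.  A firewall that
only matches on 5-tuples has to leave the whole RTP port range open; one that
parses the SDP offer inside the INVITE can open exactly the media ports the
call negotiates and flag offers that steer media somewhere unexpected.
The INVITEs, the voice VLAN and the RTP port range are constructed assumptions.
"""
import ipaddress

VOICE_VLAN = ipaddress.ip_network("10.10.0.0/16")   # assumed voice VLAN
RTP_PORT_RANGE = (16384, 32767)                      # assumed phone RTP range

# Compact header forms (RFC 3261 section 7.3.3) that some phones emit.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "c": "content-type", "l": "content-length"}


def parse_sip(message):
    """Split a SIP message into (request line, {header: value}, body)."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return lines[0], headers, body


def parse_sdp(body):
    """Return a list of media streams {type, port, count, addr} from SDP.

    A c= line before any m= line is session level; a c= line after an m=
    line overrides the address for that stream only (RFC 4566).
    """
    session_addr, media = None, []
    for line in body.splitlines():
        if line.startswith("c="):                    # c=IN IP4 10.10.5.20
            addr = line.split()[2]
            if media:
                media[-1]["addr"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):                  # m=audio 24000 RTP/AVP 0 8
            parts = line.split()
            port, _, count = parts[1].partition("/")
            media.append({"type": parts[0][2:], "port": int(port),
                          "count": int(count or 1), "addr": session_addr})
    return media


def derive_pinholes(invite, signalling_src):
    """Return (pinholes, findings) for an INVITE received from signalling_src.

    pinholes: (address, port, "RTP"/"RTCP") tuples the firewall should open
    for the life of the dialog.  findings: anomalies to log or reject.
    """
    request_line, headers, body = parse_sip(invite)
    findings, pinholes = [], []
    if not request_line.startswith("INVITE "):
        return [], ["not an INVITE"]
    if headers.get("content-type", "").lower() != "application/sdp":
        return [], ["INVITE carries no SDP; no media pinholes can be derived"]
    lo, hi = RTP_PORT_RANGE
    for m in parse_sdp(body):
        addr = ipaddress.ip_address(m["addr"])
        if str(addr) != signalling_src:
            # Legitimate for a media gateway, but worth a log line: the offer
            # asks the firewall to open a hole towards a third host.
            findings.append("media address %s differs from signalling source %s"
                            % (addr, signalling_src))
        if addr not in VOICE_VLAN:
            findings.append("media address %s outside voice VLAN %s"
                            % (addr, VOICE_VLAN))
            continue
        if m["port"] == 0:
            continue                                 # stream disabled (RFC 3264)
        for i in range(m["count"]):
            rtp = m["port"] + 2 * i
            if not lo <= rtp <= hi:
                findings.append("%s port %d outside RTP range %d-%d"
                                % (m["type"], rtp, lo, hi))
                continue
            pinholes.append((str(addr), rtp, "RTP"))
            pinholes.append((str(addr), rtp + 1, "RTCP"))
    return pinholes, findings


# Constructed sample: a normal call from phone 10.10.5.20 on the voice VLAN.
GOOD_INVITE = (
    "INVITE sip:2001@10.10.1.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.5.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@10.10.1.10>;tag=1928301774\r\n"
    "To: <sip:2001@10.10.1.10>\r\n"
    "Call-ID: a84b4c76e66710@10.10.5.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@10.10.5.20>\r\n"
    "c: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=1001 2890844526 2890844526 IN IP4 10.10.5.20\r\ns=-\r\n"
    "c=IN IP4 10.10.5.20\r\nt=0 0\r\nm=audio 24000 RTP/AVP 0 8\r\n"
)

# Constructed sample: same phone, but the SDP steers audio to a host on the
# data network and asks for a video port outside the configured RTP range.
ROGUE_INVITE = GOOD_INVITE.split("\r\n\r\n")[0] + "\r\n\r\n" + (
    "v=0\r\no=1001 2890844526 2890844527 IN IP4 10.10.5.20\r\ns=-\r\n"
    "c=IN IP4 192.168.99.5\r\nt=0 0\r\n"
    "m=audio 5060 RTP/AVP 0\r\n"
    "m=video 40000 RTP/AVP 31\r\nc=IN IP4 10.10.5.20\r\n"
)

if __name__ == "__main__":
    for label, msg in (("good", GOOD_INVITE), ("rogue", ROGUE_INVITE)):
        holes, notes = derive_pinholes(msg, "10.10.5.20")
        print(label, holes, notes)
```

The good INVITE yields two pinholes (RTP 24000 and RTCP 24001 towards 10.10.5.20) and no findings; the rogue one yields no pinholes at all, because its audio stream points outside the voice VLAN and its video port is out of range. A real voice-aware firewall also has to track the 200 OK/ACK answer for the far end's ports and close the holes on BYE, which is exactly the state a plain packet filter cannot keep.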
4. Consider and implement additional IP Telephony security requirements
Having performed a risk assessment of the implications of any given threat for the business, it may be necessary to consider these additional security enhancements for the IP Telephony system:
- Harden IP Telephony Call Processing Servers - Highly Desirable
The voice servers' operating systems must be hardened against the possibility of direct attack.
- Harden IP Phones - Desirable
IP phones should be protected from local configuration modifications that may compromise the security of the voice system.
- Encrypt Voice Traffic - Optional
Some IP Telephony solutions now provide an option to encrypt VoIP calls so that they remain private and cannot be snooped by LAN analysers in the voice path.
- Authenticate Telephone Users - Optional
As with conventional digital PBX systems, it may be desirable to require telephone users to log on to the phones themselves, using features such as Extension Mobility, and to provide only basic internal dialling capability (phone Class of Service) when no valid user profile has been activated.
5. Consider external, expert advice
Many resellers and implementers of converged networks and IP Telephony solutions will have domain expertise in only one of these areas, some in both, and even fewer end-users will have the in-house expertise to assess the full security implications of a converged IP Telephony network.
A full white paper from Networks First entitled Securing IP Telephony Systems Best Practises is freely downloadable.
Related links:
www.networksfirst.com/
Taken from Information Security Bulletin.