May 20 2008

VoIP Networks Present a New Set of Security Threats

IT shops are learning that VoIP opens up new vulnerabilities.

Prairie States' Mike D'Alton says companies deploying VoIP should focus on mitigating risk.

Most IT managers know that Voice over Internet Protocol (VoIP) systems are catching on. What’s less well known, according to research group In-Stat, is that nearly 47 percent of IT departments budget for VoIP security in their general budgets for network security, and 11 percent even have a dedicated budget for VoIP security.


What’s clear is that many businesses recognize that VoIP networks present a new set of security threats — and the smart ones are doing something about it.

“You really can’t do VoIP without thinking about the steps needed to mitigate security risks,” says Mike D’Alton, IT manager at Chicago-based Prairie States Enterprises, a third-party provider that administers medical benefits for self-insured companies.

“It’s important to have your strategy set before you put all your solutions in place,” he advises, pointing out that Prairie States hopes to move to a full VoIP system with unified communications for its Chicago headquarters and Sheboygan, Wis., call center within the next year.

D’Alton says Prairie States will probably start off by piloting a unified communications system in Chicago. At this point, the company uses AT&T’s FlexReach VoIP service for outgoing long distance and IntraLATA (local access and transport area) calls from the Sheboygan call center. They use a separate Private Branch Exchange (PBX) dedicated to voice on a traditional phone line, so for now, D’Alton is not too worried about VoIP security.

“We went into VoIP thinking more in terms of the unified communications features we wanted, plus as a way to save phone costs, but we’re really going to have to do a total cost of ownership analysis to take security into consideration,” he says.

One way to start is by getting your data networking infrastructure up to speed.

“If you build a VoIP network without a solid data network, it’s like building a house without a foundation,” says Bryon Spahn, IT systems and network architect for Webloyalty, an online-marketing services provider based in Norwalk, Conn.

“You wouldn’t buy a bunch of [low-end] hubs and say ‘I’m ready for VoIP.’ What you have to do is place VoIP on top of a solid network infrastructure, leveraging the investment you’ve made in a data network,” he explains, adding that Webloyalty has a series of Cisco routers for its data infrastructure, and its VoIP provider is ShoreTel.

The Prevailing Threats

Spahn says he’s worked very closely with Cisco and ShoreTel to identify and counteract the most prevailing threats to a VoIP network. The top threats identified by most security experts and vendors are toll fraud, denial-of-service (DoS) attacks, spoofing and eavesdropping. Here’s a quick explanation of each threat:

Toll fraud. Internal or external callers use the company’s phone system to place unauthorized toll calls. This has been a threat for several years, but IT departments have become more sensitive to toll fraud as they roll out VoIP networks.

Denial-of-service attacks. Hackers use automated tools to send a deluge of nuisance traffic to IP phones, call-processing servers or other infrastructure elements. The goal is to exhaust network resources so that calls are interrupted or cannot be processed. The fear is that hackers disrupt phone service to divert IT staff from managing the data network.

Spoofing. The hacker steals a legitimate user’s identity so that the hacker’s phone calls appear to come from another user.

Eavesdropping. An internal user spoofs the IP address of a router or PC to spy on voice traffic as well as data entered on the phone keypad during a voice conversation. Eavesdropping has become easier because of more widely available packet-sniffing tools, but it is fairly easy to prevent.

Stop the Threats

In-Stat senior analyst Victoria Fodale says that threats to VoIP networks come in two categories: those that breach the network through vulnerabilities in the IP PBX system and general threats that crack the network because certain network devices are vulnerable.

Because IP PBX systems are usually installed on dedicated servers, they are subject to the same security issues that threaten other servers in the network. These types of threats can compromise the availability or deteriorate the quality of VoIP service.

Although more than 40% of businesses surveyed do not have specific plans for VoIP security, most have budgets in place.
Source: In-Stat


With general threats, Fodale says IT managers have to remember that IP phones run operating systems and supporting software, which make them susceptible to the same types of viruses, worms and malware that plague any computing device.

“While they offer many business benefits, a unified communications system also provides a larger attack surface with multiple points of vulnerability,” Fodale says. “Much like other networked systems, a unified communications system allows attacks to spread more readily,” she adds.

Based on interviews with users, consultants and vendors, here’s a laundry list of best practices for securing a VoIP network:

Conduct a network evaluation. Start with your core data network. Keep in mind that the VoIP network will ride on top of your data network, so lock that down tight. Webloyalty’s Spahn says make sure your data network is properly configured and that the switches are up to date on all patches. You should also look at your staffing resources and identify the employees who have experience with VoIP networks. If your group lacks experience, budget the money to get your people trained.

Segment the network into virtual LANs. VLANs separate the physical network into multiple logical networks. Prairie States’ D’Alton says VLANs can isolate your company’s voice traffic by department. Companies can choose to segment by human resources, sales, marketing, engineering and finance units; or, like Webloyalty, they can separate by level of access, physical location and type of hardware. The advantage of a VLAN is that traffic sent over the voice VLAN is not visible to insiders or outsiders connected to data VLANs. The other benefit is that data traffic cannot cross over to the voice VLAN. This strategy can prevent DoS attacks, for example, because most such attacks originate from a PC and cannot affect IP phones and call-processing servers connected to a separate voice VLAN. “By separating into its own VLAN, a phone can only impact another phone,” says Spahn. “If a DoS does happen, it just goes to another phone, not the data network,” he concludes.

Deploy some kind of encryption. Whether it’s encryption built into the VoIP routers from your vendor or a private IP network offered by a third-party provider, it’s vital that you encrypt the voice traffic. For example, to execute toll fraud, a hacker needs to obtain information about the telephony system and its legitimate users, such as the media access control (MAC) and IP addresses of the IP phones and the call-processing server. Encrypting this information as it travels across the network — especially after it’s been segmented into its own VLAN — makes this information more difficult to obtain.

Use the port security that’s built in on most routers. Port security limits the services that internal network users can access based on the physical port to which they connect. It can be used to limit the number of MAC addresses authorized to access the network through a given port. This makes it more difficult for someone to disconnect a legitimate IP phone, connect in its place a hub with two or more ports, and then connect an unauthorized IP phone to one of the hub ports to impersonate another user. With port security, the port rejects all MAC addresses other than the single known MAC address of the authorized user.
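
The voice VLAN and port security practices above can also be checked after the fact. The following is an added example, not part of the original article or any vendor's tooling: it audits a MAC address table export for voice-VLAN access ports that show more than one MAC address or a MAC address other than the assigned phone's. The VLAN number, port names, inventory and table rows are constructed assumptions; the table layout follows Cisco IOS `show mac address-table` output.

```python
import re
from collections import defaultdict

VOICE_VLAN = 110     # assumption: VLAN ID reserved for phones
UPLINKS = {"Gi0/1"}  # assumption: trunk ports legitimately carry many MACs

# Constructed sample in the layout of `show mac address-table`
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 110    0011.2233.4401    DYNAMIC     Fa0/1
  10    0050.56aa.0001    DYNAMIC     Fa0/1
 110    0011.2233.4402    DYNAMIC     Fa0/2
 110    0011.2233.4403    DYNAMIC     Fa0/3
 110    00de.adbe.ef01    DYNAMIC     Fa0/3
 110    0011.2233.4404    DYNAMIC     Gi0/1
 110    0011.2233.4405    DYNAMIC     Gi0/1
"""
# Constructed inventory: the one phone MAC expected on each access port
AUTHORIZED = {"Fa0/1": "0011.2233.4401", "Fa0/2": "0011.2233.44ff",
              "Fa0/3": "0011.2233.4403"}

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return (vlan, mac, port) tuples; header and separator rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(4)))
    return entries

def audit_voice_ports(text, authorized, voice_vlan=VOICE_VLAN, uplinks=UPLINKS):
    """Flag access ports whose voice-VLAN MACs break the one-known-phone rule."""
    seen = defaultdict(set)
    for vlan, mac, port in parse_mac_table(text):
        if vlan == voice_vlan and port not in uplinks:
            seen[port].add(mac)
    findings = []
    for port in sorted(seen):
        macs = seen[port]
        if len(macs) > 1:  # e.g. a hub with several devices behind one port
            findings.append((port, "too-many-macs", sorted(macs)))
        unknown = sorted(macs - {authorized.get(port)})
        if unknown:        # a device other than the assigned phone
            findings.append((port, "unauthorized-mac", unknown))
    return findings

if __name__ == "__main__":
    print(audit_voice_ports(SAMPLE_TABLE, AUTHORIZED))
```

A PC plugged in behind a phone shows up on the data VLAN, so it does not trip the check for Fa0/1; only MAC addresses learned on the voice VLAN are counted.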