Is enterprise VoIP (voice over IP) due for a security wakeup call or are the threats mostly exaggerated? It depends on who's talking.
"The security aspects of enterprise VoIP have been overblown," says Irwin Lazar, senior analyst at the Burton Group. "There's a lot more attention being paid to the fear of attack than what is actually possible."
Roger Farnsworth, manager of marketing for Secure IP Communications at Cisco, concurs: "VoIP systems can be at least as secure as traditional voice systems, and future IP technologies and voice applications will make them even more secure."
But Mark Collier, CEO of SecureLogix, a vendor of voice management and security platforms for both traditional phone systems and VoIP, isn't completely sold. "With IP at its foundation, it's simply unrealistic to expect VoIP to be any more robust than e-mail, the Web, or DNS," he says.
Hold the phone. E-mail? The Web? DNS? Who in their right mind would move from the rock-solid service of legacy enterprise telephony to a platform that's no more secure than e-mail?
Just Another App
In fact, enterprise VoIP is essentially just another application on the IP network. The principal elements of today's typical enterprise IP telephony systems are call control servers, which usually run on an operating system such as Linux, Windows, or VxWorks; VoIP clients, which are either handsets or softphones; and VoIP gateways, which sit at the edge of the network and translate between VoIP and the PSTN. They all use some relatively standard protocols -- typically either the International Telecommunication Union's H.323 series of protocols or the IETF's SIP for the servers and clients and the MGCP (Media Gateway Control Protocol) or Megaco/H.248 protocols for gateways. And the vast majority share the data network, depend on the same routers and switches for voice packet transport, and, ideally, interface with other data applications, including messaging.
So, theoretically, at least, VoIP systems are as vulnerable to attack as other data applications. The list of potential threats is staggering and includes DoS attacks, viruses, worms, Trojans, packet sniffing, spam, and phishing. Spam? If you remember the dark days before do-not-call lists, imagine the potential of SPIT (spam over Internet telephony). "If I want to send 100 calls, I have to dial 100 times or use an autodialer," says Andrew Graydon, vice president of technology at BorderWare Technolgies. "But with an IP connection, I could upload a WAV file to a computer in the Bahamas, press a button, and send it to 2,000 employees instantly." Phishing is accomplished simply by spoofing caller ID information to masquerade as a representative of a legitimate institution.
Nonetheless, vendors and analysts emphasize that IP PBXes run on a variety of operating systems, usually stripped down and hardened, and use a mix of still-evolving standards and more proprietary protocols, such as Cisco's Skinny call control protocol, making VoIP apps more difficult to target than typical data applications.
Also potentially menacing are man-in-the-middle attacks (hackers masquerading as a SIP proxy and logging all call activity) and trust exploitation (hacking into a data server that has a trust relationship with VoIP servers to gain access to the latter). To these, add toll fraud, which is accomplished by hacking into a voice gateway and making international calls at the company's expense. Then there's eavesdropping: Users with access to the network and two free, easily available tools called tcpdump and VOMIT (Voice over Misconfigured Internet Telephones) can reassemble and convert a voice conversation over IP to a standard WAV file.
Further, VoIP systems often depend on vulnerable applications to function properly. "SQL Slammer attacked Microsoft SQL Server, but because Cisco Call Manager telephony servers depend on SQL server, it disrupted many of them, as well," Collier says.
Compared with other applications, VoIP also has its own unique challenges. In order to achieve toll-quality voice, latency cannot drop below 150 milliseconds for one-way traffic, according to David Fraley, director of Federal Practice at Gartner. "Voice encoding can take up to 30 milliseconds and a voice call over a reasonable distance [cross country] on a public IP network can take up to 100 or even 125 milliseconds." And this is before security measures such as firewalls, encryption, and intrusion prevention are added.
Most mainstream firewalls don't take VoIP into account nor do they address some of the peculiarities of SIP and H.323. For example, SIP uses at least three port numbers, only one of which is static. H.323 uses ports 7 and 11, with only two static, and both use both TCP and UDP (User Datagram Protocol) initiated from inside and outside the firewall. This means that you must open a huge number of ports on a standard firewall, which is unacceptable in terms of threat exposure. In addition to the IP addresses in the header, SIP and H.323 also embed IP addresses, so incoming calls can have problems with traditional NAT setups in firewalls and routers.
Carriers and some of the larger enterprises make use of fairly expensive devices called SBCs (session border controllers) to handle NAT and open port issues. Newer firewall products from the major firewall and IPS vendors such as Check Point, Juniper, and WatchGuard, have also started to become more VoIP-aware, implementing a technology called NAT traversal, opening and closing ports dynamically based on careful monitoring of VoIP sessions, and even implementing some QoS features, but this often means upgrading hardware and software, and requires careful shopping.
With all these potential threats and vulnerabilities, will huge numbers of VoIP users soon find themselves plagued by service interruptions and eavesdropping? To date, there have been no devastating, widely publicized attacks on enterprise VoIP systems. Why? Vendors and analysts offer several valid reasons.
Most newer enterprise VoIP solutions are closed systems in which packetized voice is running across the LAN only, and most external traffic is running across the PSTN via a gateway. "If you're running VoIP on the LAN only, it's relatively easy to get toll quality and maintain security," says Gartner's Fraley. Interoffice traffic is normally running on a protected office-to-office connection, so in many cases securing internal VoIP means hardening your call servers, switches, and gateways and protecting them with the right kinds of firewalls and IPS.
Vendors also recommend separating voice from data traffic on the LAN to protect it from malware, eavesdropping, and DoS attacks. Building a separate infrastructure for voice negates the cost benefits of VoIP. However, much of the same kind of protection comes with the 802.1Q features of your switches to put voice and data on separate VLANs, and protecting the intersection points between voice and data VLANs, such as the messaging server, with a voice-aware firewall and/or an IPS. In fact, Cisco offers a built-in IPS with recent versions of Call Manager.
"The right use of VLANs will also prevent casual VoIP snooping," says Farnsworth, adding that it becomes easier to target voice apps with appropriate security measures.
VoIP vendors and security experts say it's best to avoid softphones -- phone software that runs on a PC -- in favor of IP telephony handsets because softphones make it almost impossible to separate voice from data. Assigning an IP handset's IP address to its MAC (media access control) address is a good way to help thwart IP address spoofing. Several solutions use digital certificates for device and server authentication, and you can require passwords or PINs to access handsets. Key is encrypting voice-signaling data, VoIP management interactions, and, in high security environments, even voice streams.
These arguments make a lot of sense today, but what about tomorrow? "At the end of the day, enterprises want to use VoIP to capitalize on international call cost-savings," Graydon says. That means replacing PRIs and other PSTN trunking with VoIP trunks -- which providers such as Broadwing, Global Crossing, Level 3 Communications, and MCI already offer -- in order to route calls to a gateway closer to your international call destination. "As soon as the enterprise opens up VoIP to the Internet, they put a potentially huge security hole in their network," Graydon says. Essentially the days of closed corporate VoIP systems are over. Graydon also points out that telcos are changing their internal infrastructure from PSTN over copper to IP over fiber to cut their own costs, and moving to IP-based peering connections with other providers. "A lot of major IP convergence is happening out there in stealth mode."
Collier agrees. "Once MCI gets 1,000 customers on their VoIP network it will be considerably more difficult to control security threats," he says.
Skeptics point out that avoiding softphones and keeping voice completely separate from data is unrealistic. "The interconnection between voice and data is where all those cool converged applications will evolve over time," Collier says. Jeff Rothel, CEO of CentricVoice, a provider of enterprise VoIP services taking advantage of VoIP security solutions from BorderWare, agrees. "We plan to move forward with a host of offerings that bolt voice directly into the software layer of enterprise data applications," he says. In fact, Rothel and others see a future in which enterprises purchase a range of voice services and applications from many different providers large and small, all standardized on IP and SIP.
Rothel asserts that traditional voice providers are not particularly savvy about potential VoIP threats. "Many of them just don't understand the data world. They never had a virus take down their PSTN switch."
There are also disruptive applications such as peer-to-peer voice apps from Skype and other providers. "There's a host of VoIP apps that will likely infiltrate enterprises that don't fit into the standard enterprise VoIP model," says David Endler, director of security research at IPS provider TippingPoint, now part of 3Com, and chairman of the VoIP Security Alliance, an organization of VoIP and security vendors looking to advance security research.
Skeptics also point out that many of the security measures suggested by VoIP vendors are neither especially practical nor widely used. "Sure you can implement voice and signaling encryption and strong authentication, but they're a pain in the butt to configure," says SecureLogix's Collier. Brian Ham, CTO of Sentegrity, an IT security provider, observes that current key exchange standards such as the Diffie Hellman key agreement protocol don't scale well for widespread VoIP authentication and encryption: "If you look at forums, bulletin boards, and industry leaders, everyone is asking, 'How can we do proper key exchange?'" Sentegrity offers its own lightweight key exchange solution.
Just because there haven't been any widely publicized attacks on IP telephony yet doesn't mean they aren't happening. BorderWare has made it known that call centers and financial insitutions have already come under attack, but officials there are not about to name names.
"Typically you don't see widespread threats until a technology is widely deployed and tools are made available to the masses to automate attacks," Collier says. Endler agrees: "As applications are more widely deployed, they become sexier targets." VoIP security vendors such as BorderWare, SecureLogix, and even TippingPoint are offering specialized VoIP firewalls and IPSes that target the application layer exploits that are likely to affect VoIP down the road.
Ultimately, VoIP may start to suffer the same types of invasions that plague e-mail, instant messaging, and other types of PC communications. The good news is that VoIP and security vendors are jumping on the problems early. "There's no question that VoIP security options are getting better and better very quickly," Kuhn says, adding that the benefits of converging voice with data applications are so great that it's unlikely security issues will thwart deployment.
James Largotta, CEO of Sentegrity, agrees. "The idea behind VoIP is too brilliant," he says. "Once some of the bugs are worked out, it's pretty much a slam dunk."