A converged voice and data network may sound like a fabulous idea until you remember the last time a worm or denial of service attack brought your network to its knees. Do you really want the network and your phone system to go down together?
Now turn the paranoia up a notch and imagine hackers penetrating your IP PBX or gateway to make hundreds of long-distance calls, to check your CFO's voice mail, or to forward your CEO's calls to your competitors. Or think about savvy employees using a tcpdump and a readily available Unix tool called Voice Over Misconfigured Internet Telephones (also known as VOMIT) to snoop on calls. People have come to accept all the crazy things that can happen on a data network, but they are used to a much higher level of reliability and security from their phone system, especially when you consider that it may be needed to dial 911.
There are many things you can do to make the likelihood of an attack much lower than it would be on the data portion of your network. But first, you should know that legacy PBXes are not immune to attacks, either. Hackers often gain access by dialing into administrative ports or taking over extensions and voice mail for terminated employees whose accounts haven't been deactivated. There are lots of Web sites devoted to conventional phone hacking.
That said, an IP PBX is far more likely to be affected by events that occur on the data network. VOIP (voice over IP) vendors understand this and have risen to the occasion with a variety of security features. To start, many eschew Windows in favor of VxWorks, Linux, or other operating systems with less frightening records of virus and other attacks and less constant streams of patches. They typically harden the OS, using only the services that are essential for the applications, and their "servers" are actually appliances that come preconfigured. Cisco uses a hardened version of Windows NT in its CallManager systems, for example. Most vendors also offer voice and call-control encryption over the IP LAN or WAN. Cisco even provides built-in intrusion-detection capability from its Okena acquisition.
One of the best ways to secure your VOIP LAN is to separate it from the data LAN. This separation doesn't mean you need two completely different infrastructures, but it does mean using your switches' 802.1Q capability to place them in different virtual LANs. IP phones often have their own switches and VLAN capabilities. Place your IP PBXes in different VLANs than your other application servers, protecting the segment containing your PBXes with a firewall where possible. Wherever the two segments will interact -- messaging systems, for example -- the firewall should provide protection from attacks.
Be very selective about which IT staffers are allowed access to the core operating systems of your IP PBX servers and consider using intrusion-detection and prevention systems to monitor all voice servers and segments. Stay away from PC-based IP phones wherever possible because they are vulnerable to viruses, and create a link between your data and voice segment. Implement network address translation between the voice and data segments, with private address spaces for all IP telephony devices.
Authentication -- anything from allowing access only from phones with known MAC (media access control) addresses, to personal IDs, passwords, and PINs -- can prevent someone from placing a rogue phone on the network. Also consider using static IP addresses for your IP phones, mapped to MAC (media access control) addresses. And, of course, keep up to date with the latest security patches on all your voice mail and call-processing servers and make sure you have good virus protection. Who knows? Your extra efforts on behalf of IP telephony may have a welcome spinoff effect and increase the reliability of your network overall.
Leon Erlanger is a freelance author and consultant specializing in security.