VoIP - understanding the enemy

Justin Hamilton-Martin, 8el

Justin Hamilton-Martin VoIP security is not the horror story that some people make out - at least, it doesn't have to be. Sure, it is an important issue to consider, and for any savvy IT or network manager, VoIP security should definitely be part of their overall security strategy. And there are plenty of ways in which companies can arm themselves against threats. But the scaremongering in the press has blurred the reality. The really big challenges of enterprise VoIP are ensuring service quality and reliability, but we'll come back to that. Justin Hamilton-Martin evaluates what VoIP security is really all about and what can realistically be done to manage the situation.

Although hacking is one aspect of the VoIP threat, more probable, though not accidental, are denial of service (DOS) attacks. These can apply to VoIP in the same way that they do to data traffic. Then there's the VoIP equivalent of SPAM, charmingly known as SPIT. Imagine coming into work to 20 voice messages saying that you have won the Nigerian lottery - all sent to you at your cost. And now eavesdropping on IP calls (known as VOMIT) is the latest threat being talked about in the press.

The scale of the potential risk really depends on the kind of VoIP being used. VoIP services that exist purely on the public internet are, by their very nature, more prone to attack, simply because of the environment in which they exist. And these are the ones that have generated all the column inches in the media about security breaches, including identity theft. However, many businesses are choosing VoIP services designed to operate over private networks, or a hybrid between public and private connections, where both are locked down. These are far removed from the kind of free internet-based VoIP tools familiar to most consumers, or even early business adopters.

Different flavours of VoIP have different security issues

Within this more advanced kind of VoIP, there are two main categories: IP-PBX based solutions and managed services via IP Centrex. Both have their pros and cons. IP-PBXs can operate purely over private connections and are in essence a mini version of the traditional PBX, but based on IP. Therefore, at an infrastructure level, they are pretty secure.

Most solutions, however, involve a combination of both private and public network breakouts, but when managed by a third party, additional levels of security are inherent.

Growth of SBCs

A common mistake that companies make is to rely on VPN tunnels and a firewall to provide security protection. Voice and data should not be treated in the same way. VPN tunnels are dependent on firewalls and if that gets attacked, then the VoIP system is compromised. With a firewall, a commonly used method is to open up a large range of ports for VoIP communications, potentially leaving the voice system vulnerable to attacks, including DOS. This can bring a system to its knees pretty quickly.

Relatively new, but growing rapidly, is the use of session border controllers (SBCs) to route voice through the company's network, rather than via the firewall. This enables voice to be treated separately from data traffic, so that different rules can be applied to each. Furthermore, SBCs create one-off events - a kind of 'pinhole' - or session (hence the name). Once the session has finished, that 'pinhole' is closed, thereby not leaving ports open to potential security breaches.

VoIP services based purely on the public internet do not work with SBCs and cannot offer the same level of security.

Voicemail is a weak spot

Voicemail can be a vulnerable entry point for fraudsters and hackers, unless dealt with properly. Lots of people know how to access their voice mailboxes remotely, but very few actually remember to change their passwords, or not to choose something that is blindingly obvious: I bet I could guess many passwords and I am sure you could too. Does it really matter? Most definitely. A hacker can get into the system, and once in can basically take over the voice network to make multiple calls out, thus costing the company concerned a small fortune. We have witnessed situations when voice networks have been hijacked, often over holiday periods, and it has been weeks before this was discovered.

One way to prevent the problem happening is not to allow dial-out. For instance, within my own company's system, users can remotely access their voicemail and respond to the call line identification (CLI) that left the message. However, they cannot dial out to other numbers once in the system. Another issue to consider is who provides the voicemail service and who provides the rest of the system. If they do not integrate easily and if there are basically two sets of administration to consider, then the whole set-up can be more vulnerable.

Other defences

There are other steps that can be taken. As previously mentioned, any breakout on to the public internet increases the security risk by default, so minimising these occasions is important. For instance, internet tunnels between offices - as part of the WAN infrastructure - provide added protection. Remote users need to adhere to clear company rules and the IT manager needs to pay particular attention to monitoring communications via these outposts. In addition, ensure that the network architecture is not visible to outsiders.

Of course, one easy way in which to obviate most of these risks is to use VoIP provided by a managed third party. The network is automatically hidden, because much lies within the service provider's own private network. If using IP Centrex, for instance, it is possible for an external hacker to work out the IP address of the overall service provider, but with a managed service they cannot identify the IP address of each individual customer. The service provider can also provide remote monitoring of the service, looking for anomalies and margin fluctuations, providing users with an early alert system.

Of course, it is vital that the service provider chosen has its own belt-and-braces security in place. As well as use of SBCs, segregation of voice and data, voicemail security management and other tools, encryption has an important role to play in preventing attacks against VoIP services. Ideally, there should be two levels of authentication. Having users register on the VoIP system is not enough: they should also be linked to authenticated, pre-registered equipment.

The whole VOIP environment is a complex one: while the user interface may be deceptively simple, the technology behind it is highly sophisticated. Managing the service is a big enough task in itself without having to consider security measures too. This is why many people are opting for a managed service, whereby they are provided with an 'all in one' service.

The bigger picture

Whichever route a company chooses to go when adopting VoIP - home-grown or managed - do not forget that security is just one facet of a much bigger picture. For many companies who have, or who are experimenting with, VoIP, it is ensuring service quality, efficient rollout to end-users and service management that are the big hurdles they face. Certainly, these are areas where there is the most potential for error, largely because the organisation is dependent on what the service provider is offering in terms of technology and support. The variables in the market are massive and it pays to research available service providers very thoroughly.

But let's not lose sight of the benefits of VoIP: while cost savings are important, for many companies the flexibility, ability to add sophisticated new services and integrate with other applications are far more valuable. Take heed of security, yes, but it should not be a deterrent to VoIP adoption.

Justin Hamilton-Martin has been managing director of 8el since its inception. Prior to founding the company, Justin held senior roles within the European telecoms industry. 8el (pronounced 'A-Tel') is the trading name of Aggregated Telecom Limited. 8el is a communications provider specialising in bespoke solutions for businesses, including IP telephony, wide area network and ISP services.