Creating a secure VoIP infrastructure
deploying VoIP should note the security risks associated with it. by Bhaskar
With the growing demand for converged networks where voice,
video and data co-exist, organisations are embracing VoIP to reduce costs and
improve their offerings in delivering voice services and lower operational costs
for long distance and other phone services. Companies adopting VoIP should also
note the inherent security risks associated with VoIP as each element in the
infrastructure is accessible on the network like any computer and can be exposed
to worms, buffer overflows, and more.
Traditional security solutions are unable to cope with the
requirements of voice on the data network because of the complex and diverse
nature of VoIP protocols, and the need is for a perimeter security solution
which is VoIP aware and that can make intelligent security decisions to protect
the VoIP network from attack.
Organisations embracing VoIP should check for a solution
that delivers the advanced technologies needed for organisations to deploy VoIP
without sacrificing security.
Enabling VoIP protocols
VoIP implementations use multiple protocols like H.323, SIP,
MGCP, and SCCPall of which function completely differently and interact
with security in ways that traditional firewalls cannot handle. Also the need
is to inspect both parts of a VoIP callthe call setup messages and the
actual call media stream. Added to this is the usage of both static ports and
random dynamic ports, coupled with
encoding of H.323 traffic. This clearly demands the need
for a security solution that is highly aware of VoIP protocols and how these
protocols work. A deeper awareness of VoIP combining broad protocol support
with dynamic opening of ports based on the state and context of the conversation
is an essential feature. Incorporating detection and stoppage of malicious VoIP
activity without administrator interaction, recognition and enforcement of context
on traffic supporting VoIP features such as call forwarding, hold and call transfer
In converged networks
A VoIP infrastructure may comprise private branch exchange
systems, gateways, proxies, phones and more. The components may be embedded
or off-the-shelf servers running a commercialised operating system, and are
addressable and accessible over the data network and are vulnerable to DoS attacks,
gateway hacks might be used to make unauthorised free telephone calls and sniffing,
eavesdropping and more attacks are possible.
If traffic deviates from the normwhen an attacker tries
to exploit vulnerabilitydetection and shifting should be done automatically
and steps should be taken to preemptively prevent the attack from taking place.
This should include validation of VoIP sessions to an expected pattern of behavior,
prevention of DoS attacks, reduction of the ability for outside parties to access
VoIP conversations for theft of service or call hijacking through the use of
VoIP handover domains.
A deeper understanding of how VoIP
protocols are supposed to operate is essential
Delivering voice quality
A major concern for VoIP deployments is maintaining a high
level of voice quality people are used to from traditional phone services. Two
main reasons that degrade the quality of VoIP services are latency caused due
to the way routers process the packets and jitter due to delay in receiving
VoIP packets being irregular causing packets to arrive out of order or not arrive
at all and encryption done at the endpoint or at the security gateway.
Enterprises should be able to gain integrated Quality of
Service to minimise jitter and latency caused by applying the needed security.
It should also provide a number of different strategies through which companies
can ensure high-quality voice communications. By the use of these methods in
combination, organisations should be able to deliver high voice quality. Likewise,
the option for organisations to use weighted priorities to ensure that VoIP
traffic is allocated a larger amount of bandwidth than discretionary traffic
is desirable. Additionally hardware acceleration to enhance encryption performance
is required in order to reduce jitter caused by cryptographic processes.
Solving the NAT problem
Network Address Translation (NAT)one of the most prevalent
security measures in use todayposes a special problem for VoIP. Commonly
used in perimeter firewalls to conserve IP addresses and disguise the internal
network structure, NAT converts internal IP addresses into a single, globally
unique IP address for routing across the Internet. In the process it modifies
the address at the network layer (layer 3) of a packet to reflect the mapping.
However, VoIP protocols embed the IP addresses at the application
level as well as the network level, thus creating difficulties in routing signaling
or media traffic from an endpoint behind a NAT gateway. For incoming calls this
is a problem as the externally routable address can be shared between many hundreds
The ideal solution should enable companies to use their existing
network architecture to coexist with VoIP without the need to stop using NAT
and privately routable IP addresses. The solution should maintain a VoIP user
database that is synchronised with the information found on a signal routing
device. This calls for an IP phone to register itself with a signaling device
before placing calls, and with this, the solution should recognise the registration
request and record the necessary information in its internal database. This
registration enables calls from outside the protected network to phones whose
addresses are translated using Hide NAT (many-to-one NAT).
The author is Sales Manager (Indian Sub-continent), Checkpoint
Software Technologies Ltd