Take a multi-layered approach to VoIP security

Despite the growing popularity of VoIP, security remains an obstacle to more widespread adoption. However, you can make VoIP as secure as traditional phone systems by taking a multi-layered approach to securing your VoIP network. Deb Shinder walks you through the process.

Popular IP networking models divide the network communications process into layers—to make it easier to understand, implement, and troubleshoot. Whether it's the seven-layer model of the International Organization for Standardization (the OSI model) or the four-layer model developed by the U.S. Department of Defense (the DoD or TCP/IP model), a good understanding of the protocols that operate at each layer is essential to securing all IP communications—including VoIP.

A multi-layered approach to security of any kind works best. For example, you've probably taken a multi-layered approach to protect your home and possessions from burglars: You erected a fence around the perimeter with a locked gate, placed a large dog in the yard in case someone got through the fence, put deadbolts on the doors and windows in case that person got past the dog, installed a security alarm system in case the person managed to pick the locks, and placed valuables in a safe in case someone circumvented all of your other security measures.

Likewise, the best way to protect your VoIP network is with multiple layers of security mechanisms that place as many obstacles as possible in the path of potential intruders. Let's discuss some ways to create a multi-layered VoIP security strategy.

Define the perimeter: Voice/data network separation

Before you can practice perimeter security, you need to have a defined perimeter. The first step in creating a secure VoIP network is to separate it from your data network.

While total integration may seem ideal in terms of ease of management and interoperability, it's less than ideal when it comes to security. Your best bet is to logically segregate the voice and data networks using VLAN-capable switches—that means an attack on the data network won't bring your VoIP system down with it.

Follow these steps:

  • Put VoIP phones on a separate VLAN with nonroutable (private) addresses.
  • Don't allow interaction between Internet-connected PCs and VoIP components.
  • Use access control lists (ACLs) to prevent communications between VLANs.

Secure the perimeter: VoIP-aware firewalls

Perimeter protection in an IP network usually means a firewall, but just any old firewall won't do for a VoIP network. You need a firewall specifically designed to handle VoIP traffic. In other words, it needs to be able to recognize and parse VoIP protocols, perform deep inspection of the VoIP packets, and analyze the VoIP payload to discover patterns that indicate attacks.

For example, if your VoIP implementation uses Session Initiation Protocol (SIP), the firewall should be able to perform the following actions:

  • Monitor inbound and outbound SIP messages for application-level attacks.
  • Support Transport Layer Security (TLS).
  • Perform SIP-aware NAT and media port management.
  • Detect unusual calling patterns.
  • Log details of SIP messages, especially for unauthenticated calls.

Protect VoIP gateways

The gateway is a point where data enters or leaves the VoIP network; gateways also connect unlike networks, such as the IP network and the public switched telephone network (PSTN). You should use strong authentication mechanisms and access controls at the gateways to control who can make and receive calls through the VoIP system, who can perform administrative tasks, etc.

Lock down the physical layer

The physical layer of the network includes the media over which IP packets travel. This can be Ethernet, fiber-optic cabling, or in the case of wireless VoIP, the airwaves. Limiting access to the media (as well as the VoIP servers and endpoints) is just as important for a voice network as for a data network.

Intruders who have access to the media—either by plugging into a switch or hub, tapping the cable itself, or intercepting wireless transmissions—can use "sniffer" software to capture the packets containing the voice data and signaling information. They can then use readily available tools such as VOMIT to reassemble the data and eavesdrop on conversations—or even make changes to the communications and use them in replay attacks.

Follow these steps:

  • Control access to call servers by keeping them in a locked room.
  • Restrict access to endpoints (i.e., hard phones or soft phone programs installed on computer workstations).
  • Secure cabling by running it through conduits and walls.
  • Limit wireless interception with strategic location of access points, limitations on signal strength, use of blocking materials to contain wireless signals within the building, etc.

Secure the network layer

You can use IPSec encryption to protect your VoIP data as it travels over the network; if attackers get past your physical security precautions and intercept VoIP packets, they won't be able to decipher the contents. IPSec uses Authentication Header (AH) and Encapsulating Security Payload (ESP) to provide authentication, integrity, and confidentiality of IP transmissions.

IPSec for VoIP (VoIPSec) uses IPSec in tunnel mode to secure the identities of both endpoints. IPSec can make your VoIP communications even more secure than a traditional landline.

Lock down the session layer

You can use TLS to protect VoIP session initiation to ensure that calls are set up securely and secure VoIP call traffic. TLS provides an encrypted channel between two endpoints, and it operates between the network layer (where IPSec works) and the application layer.

TLS uses digital certificates and public key cryptography. This means each endpoint must have a certificate issued by a trusted certification authority (CA)—either an internal CA such as a Windows server running certificate services for calls within the organization or a public CA such as VeriSign for calls outside the organization. RFC 3261 defines a method for sending SIP over TLS channels called Secure SIP (SIPS).

Protect the application layer

You can use Secure RTP (SRTP) to encrypt the media at the application layer. RFC 3711 defines SRTP, which provides the following security mechanisms:

  • Message authentication
  • Confidentiality
  • Replay protection
  • Protection against DoS attacks to the RTP stream

You can use SRTP, which uses the AES cipher to protect VoIP communications on both wired and wireless networks.

Summary

Security is still a major concern for organizations considering a VoIP implementation. Despite the growing popularity of VoIP, security remains an obstacle to more widespread adoption.

Because of the public nature of the IP network and its protocols, VoIP is inherently more vulnerable to attack than the traditional phone network. By taking a carefully planned, multi-layered approach to securing their VoIP networks, however, companies can make VoIP as secure as—or even more secure than—traditional phone systems.

Want more tips and tricks to help you plan or optimize your VoIP deployment? Automatically sign up for our free VoIP newsletter, delivered each Monday!

Deb Shinder is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. She currently specializes in security issues and Microsoft products, and she has received Microsoft's Most Valuable Professional (MVP) status in Windows Server Security.