VoIP Security: The Network is the Issue
29 August 2006
All of us at Market Clarity would like to thank the industry for the reception given to our Aussie VoIP List. We have now posted this month’s update to the list, which includes several amendments requested by providers, and some new market entrants. The directory now lists more than 200 VoIP providers serving the Australian market.
- New Freebie Technology Guide: Demystifying Business VoIP Services
- New Research : Australian Satellite Market — Positioning Satellite in 2006
- New Research: Setting the Scene for Wireless — An Update on the Australian Wireless Broadband Market
- Feature Article: Practical VoIP Security
- Sponsorship Opportunities
- Upcoming Events
This Technology Guide gives readers a roadmap designed to help navigate the dizzying variety of providers offering services described as “Business VoIP”.
Demystifying Business VoIP Services was written to help business readers understand the different VoIP service architectures, and how to relate different styles of VoIP services to their own needs.
There are over 200 providers in the VoIP market, with more than 100 of these positioning themselves as offering some kind of “Business-grade VoIP”.
Now more than ever, a company planning a migration away from PSTN services needs more than a product name before it can entrust all of its voice communications to the new technology. This Technology Guide provides business managers with decision-making tools to help them understand the difference between VoIP services offering residential, business, and wholesale services.
Demystifying Business VoIP Services is loaded with diagrams and commentary that explain key aspects of VoIP services in an easy-to-understand manner, including:
- The difference between network types (Internet-based VoIP and private network-based VoIP);
- The impact network choice has on the business telephone system; and
- IP Centrex (“Hosted Voice”) services and connection models.
The Technology Guide features the following decision tools:
- An outline of the business telecommunications service requirements provides information on service features and SLAs (service level agreements).
- Business requirements as they relate to service features and network types, are provided to give readers a clear roadmap to the selection of a VoIP provider.
- Guidelines for costing and comparing telecommunications services are presented in a fill-in-the-blanks table format for an easy comparison of current and prospective voice services.
New Market Clarity Presentation Style Report: Australian Satellite Market — Positioning Satellite in 2006
This presentation-style report provides Market Clarity’s overview of the market positioning of satellite broadband services, as delivered to the ATUG 2006 Satellite Forum in August 2006.
The Australian Satellite Market — Positioning Satellite in 2006 report provides readers with an understanding of the market position of satellite broadband services, in a broadband industry where competing access technologies include DSL, Wireless Local Loop, HFC, direct Fibre, and BPL broadband.
The report offers a high-level analysis of the business models of the 556 Australian ISPs held in Market Clarity’s ISP database, including:
- The market penetration of different access technologies
- The crossover between different access technologies within ISPs
- Reference architectures for different broadband access services
- Price and service competition across different access technologies
- Satellite broadband’s future value proposition.
The report draws on research data from Market Clarity’s broadband service provider and infrastructure databases, as well as drawing on new primary research undertaken specifically for this presentation.
The Australian Satellite Market — Positioning Satellite in 2006 is a 40-page report containing 20 Figures, and is available now from Market Clarity for $495.00 plus GST.
New Market Clarity Presentation-Style Report: Setting the Scene for Wireless — An Update on the Australian Wireless Broadband Market
This presentation-style report provides Market Clarity’s overview of the Australian Fixed Wireless Broadband market, as delivered to the ACIF Future Wireless Forum in August 2006. The report offers new Market Clarity research on the technologies used by ISPs, focusing on 129 providers offering fixed wireless access. The report also contains a technical comparison of wireless technologies such as WiFi (802.11), WiMAX (802.16) and 3G mobile broadband services.
Setting the Scene for Wireless — An Update on the Australian Wireless Broadband Market provides information on:
- Growth in the number of ISPs offering FWB services.
- The mix of technologies in use among the 556 Australian ISPs held in Market Clarity’s service provider database.
- The penetration of different FWB technologies among wireless ISPs.
- Geographic spread of ISPs offering FWB services.
- The metropolitan and regional concentration of all ISPs offering wireless broadband services, and metropolitan/regional infrastructure owners.
- A state-by-state breakdown of FWB infrastructure ownership.
The report draws on an analysis of the services offered by Australia’s 129 Fixed Wireless Broadband ISPs, conducted in August 2006.
Setting the Scene for Wireless — An Update on the Australian Wireless Broadband Market is a 14-page presentation-style report costing $495 plus GST. It includes 9 Figures and 1 Table.
The problems with VoIP security start with a fundamental difference between what you expect a telephone to do, and what you expect a computer to do. The chief risks in the old world of the PSTN were interception, which still remains a risk in the world of VoIP; and the hijacking of infrastructure to make unauthorised calls (such as using tone signalling to trick old carrier switches into providing calls for free, or using paths into PABXs to make your calls on someone else’s bill).
To understand what’s important in VoIP security, we have to start by asking, “what changed?” And what changed, more than anything else, is the nature of the devices which are exposed to the public network.
The advent of modern signalling systems on the PSTN split the “public” and “private” parts of the network. The public part of the network was left to passive devices (telephones), with the network’s intelligence quarantined as a signalling network.
There is, on the Internet, far less division between “communication” and “control”. Most of the infrastructure between two Internet endpoints is visible in some way to those endpoints, and therefore vulnerable in some way.
Faced with a public network designed to carry control signals, the sensible security manager makes sure that computers don’t go on adventures. If it’s possible, the security manager should ensure that most of a computer’s communications are with other, known machines. Wherever a machine must communicate with an “unknown”, its behaviour should be strictly managed.
In other words, if your computer was a telephone, security would start with the instruction “don’t take any calls if you don’t know where they’re from”.
A telephone starts with precisely the opposite assumption. A telephone (sans intelligence) is not interested in who is calling. It merely signals its owner that there is an incoming call. A telephone is, if you like, “passively promiscuous”.
This is not insecure when the device is dumb. If you can’t send the telephone a command it will understand, then it doesn’t matter that the telephone is available to the network anytime. But constant availability makes a volatile combination when it’s mixed with the ability to hear, understand, and carry out commands.
Any company worried about VoIP security needs to keep this in mind. Unlike computers, in which the ideal state is “locked down”, a telephone is useless if it can only initiate, but can never receive calls.
Whenever the entrÃ©e is a brand-new security paradigm (warm from the innovation oven), you can bet the main course will be a brand-new security product, with some lovely systems integration opportunities as the dessert.
So rather than citing a string of security threat jargons, I’m going to look at things from the user point of view: what threats might exist under different VoIP deployment models. For the sake of simplicity, I’m going to stick to two models: private network-based VoIP, and Internet-based VoIP.
VoIP on the Private LAN and WAN
Although the popular understanding of VoIP is that it can’t exist without the Internet, my take on the business VoIP market over the last two or three years is that most “VoIP” systems are purchased to replace PABXs, and at this stage have little or no exposure to the Internet.
This kind of implementation uses the company’s private network to carry calls between offices without incurring PSTN call charges, but calls to the PSTN are made over ordinary PSTN lines, with appropriate media gateways or PSTN line cards installed in the VoIP system.
The exposure to the Internet, in this case, is very small.
Since the VoIP system and the corporate network co-exist, it’s likely that a path exists from the company’s Internet connection to the VoIP server, and it’s that path which should form the focus of a company’s external VoIP security effort.
The “threat path” can be summarised as follows: the Internet access link can provide access to the LAN; and the VoIP server/s and IP phones are visible from the LAN.
VoIP security in this implementation takes exactly the same form as the security of any enterprise application for which a path exists to the Internet. The VoIP server needs to be secured so that it is only accessible to authorised users; and the endpoints, in this case IP handsets, need appropriate restrictions on their communications.
A VoIP handset in a business environment needs very few communications paths. It needs access to a DHCP server for its IP address; it needs access to the VoIP server so it can make and receive calls; and it needs access to Port 80 communications so that users can access the phone’s internal Web server for configuration and other advanced functions (which means, for example, that the phones should use a set of addresses which are not permitted to make or respond to Port 80 calls from anywhere but the LAN).
Softphones (software-based telephony applications) have similar requirements.
Securing the server is slightly more difficult, because the server needs to communicate with more endpoints in more locations.
The first point is that like the phones, the server should only respond to communications from within the network. If a company is not using the VoIP system for Internet-connected calls, then there is no reason for it to communicate with any computer outside the enterprise LAN and WAN.
The administrator has a choice to make here, between convenience and security. If the VoIP server is strictly administered, it might lift the effort required for moves, adds, and changes. Instead of letting phones and servers discover each other, the admin might have to configure the two ends of a new device.
As with phones, most IP telephony servers have a Web administrative interface. Like the telephones, the administrative system should be locked down. It’s not enough to rely on user ID and password — the admin interface should only be visible to addresses on the enterprise network. If outside access is an absolute requirement, the enterprise must implement a VPN for the administrator, and only permit access to the VoIP server/s from within the VPN.
If the administration Web server is not visible to the Internet, then it is far less vulnerable to external attack.
In short: Think twice before you allow your company’s VoIP server to be administered over an unsecured Internet connection — no matter how strongly you’re pitched on the “convenience” of external administrative access.
Of course, blocking Internet access to your VoIP server/s also means that you may have to forgo some of the value-added features of IP-based communications; such as remote access for mobile workers, and advanced mobility features that allow end users to chose when, where, and on what device they will answer a call.
When the VoIP system is exposed to the Internet, all bets are off.
All of the jargons that confuse the VoIP security picture come into play, because the VoIP server can now be attacked directly.
Internet-borne attacks against VoIP servers include (but aren’t restricted to):
- Protocol-based Attacks — These take two forms. An attacker can use legitimate protocol functions (such as SIP invites) as the point of attack, or they may send invalid data to the server to try and induce a crash that lets them execute code on the server.
- Interception — The attacker may use various techniques to try and snoop on VoIP conversations.
- Denial-of-Service — VoIP servers and links suffer the same denial-of-service vulnerabilities that are common to any Internet-connected system.
- Hijacking — The attacker can gain access to the VoIP server as a “legitimate” user, using the enterprise system to make free calls.
- VoIP as an Inbound Attack Path — because a VoIP system opens a large number of paths through the firewall, the attacker may use the presence of a VoIP server behind the firewall as a means to gain access to the enterprise LAN and attack other systems.
The question an enterprise needs to ask is simple: How do I avoid exposing the VoIP system to the Internet?
The simplest solution to the problem is to avoid it entirely.
If it’s essential to have a path between the enterprise VoIP system and the Internet, the best solution is to seek out the right carrier or service provider.
The ideal mix of carrier services for a company contemplating Internet-connected VoIP systems is as follows:
- Access Network QoS — The service provider should support QoS-marked traffic on the access link. This will help make sure that no matter what else is happening (even a DoS attack on the Internet service), there’s always some bandwidth available for the phone system.
- VPN on the WAN — The service provider should provide private networking between offices. A good example is the burgeoning IP/MPLS market, which not only provides good security for the private WAN, but also provides QoS support for the voice traffic.
- Carrier-Hosted Internet Gateway — Instead of provisioning separate enterprise WAN and Internet access, look for a service provider that can deliver your Internet and VPN traffic on the same connection, with the Internet gateway provided by — and managed by— the service provider.
This mix of services is available from a number of service providers (for example, look for VoIP providers using a “private network” description).
And, there are a range of VoIP service topologies that can also be used in conjunction with an IP Telephony system, which Market Clarity has described in it’s new Technology Guide: Demystifying Business VoIP Services.
Soft on the Inside
Let’s make the admittedly large assumption that external security has been adequately addressed. Even so, you’re not yet out of the woods, because the VoIP system is at its most vulnerable inside the LAN.
The problem is the same with the VoIP system as with any other enterprise application: your staff need access to the system in one way or another, and this access creates vulnerabilities.
Internal users are unlikely to look for ways to crash the server or launch DoS attacks. They do, however, have the right to execute commands on the system, and some of those commands can be misused.
Thought also has to be given to the internal security of admin interfaces. While most or all systems administrators will remember to set strong passwords for access to the servers, and will remember to remove default accounts, this is not always the case.
The telephones themselves are another matter. If the telephone’s admin interface is left in its default setting, then anyone with internal access and the phone’s IP address can view what’s stored on the phone itself. In some companies this may not matter, but if the CEO’s outgoing and incoming calls and address book (if it’s stored on the phone) are considered sensitive information, then the phone should be configured so as to require a password before its Web interface can be accessed.
Market education is vital to encouraging adoption of new services.
Market Clarity can help: with our unique combination of technical and editorial expertise, we can provide technical how-to and background documents, which clearly explain new technologies and service offerings.
We can offer:
- Completely independent documents, which clearly explain the technology choices facing your customers, to help them choose between service offerings
- Professional writing, editing and presentation
- Technical expertise
For an example of similar projects, take a look at Market Clarity’s free white paper, Demystifying Layer 2 and Layer 3 VPNs.
Shara Evans, CEO of Market Clarity, has a busy conference schedule — which will give you, our customers and readers, plenty of opportunities to hear about our research studies. Here is her current speaking calendar:
How Will MVNOs Reshape the Australian Telco Market?
IQPC MVNO Summit
30-31 August 2006
SPAN-CommsDay Awards Dinner
Market Clarity has been named as a finalist in the “ Services to the Industry — Professional Services ” category.
SPAN-CommsDay Awards Dinner
31 August 2006
Grand Ballroom, Four Seasons Hotel
199 George Street
For more information and links to conference registrations, visit Market Clarity’s Events page.
Recent speaking events include:
- ATUG Satellite Conference
- ACIF Future Wireless Forum
- IIR’s Broadband over Power Lines in Australia
- ACE’s VoIP and IP Communications
- Terrapinn’s VoIP World
Research papers from these events are available for purchase.