RE: Question on VoIP security

["Hayes, Ian" <Ian.Hayes () wynnlasvegas com>]

> -----Original Message-----
> From: Rodrigo Blanco [mailto:rodrigo.blanco.r () gmail com]
> Sent: Sunday, December 18, 2005 5:01 AM
> To: security-basics () securityfocus com
> Subject: Question on VoIP security
>
> Hello list,
>
> I am currently facing an Intranet VoIP project (will be restricted to
> 1 organization's Intranet, geographically disperse), from the security
> standpoint. So, I have to propose a security architecture for a
> SIP-based VoIP deployment. Vendor is still a variable, so it should be
> as vendor-independent as possible (but it will probably be Cisco /
> Nortel).
>
> Does anyone have information on the currently security practices used
> to protect the confidentiality, integrity and guarantee access control
> in the VoIP services network?
>
> If you can provide me with general principles, and perhaps links to
> documents describing the security problems I should consider, these
> would be more than welcome.

Having done a fairly large VoIP implementation that has a lot of public
facing phones, we had a lot of issues we had to tackle especially when
dealing with 24/7 availability and security.

Obviously I can't go into the specifics here on how we did our VoIP
network, but treat the security side of it as you would any data port.
The good thing about having dedicated jacks for VoIP is that your work
just got a little easier as the phones are all going to have the same
access profile. Work with your vendor to work up a good access profile
for your devices and firewall them off ruthlessly. Lock the edge down
using every control you have- MAC locks, protocol locks, firewalls...
you *have* to control the edge. If you can't then someone's going to
plug something other than a phone into the network and it's Game Over.

I really prefer having separate networks for voice vs data as it's more
secure and simplifies administration a bit, and the QoS is improved on
both sides as you're not competing for bandwidth. While you're at it,
don't skimp on getting budget networking gear. If you're putting in a
fair sized VoIP network, you're going to need bandwidth. Phones are a
"public side" of IT and even the least technical person can use one and
expects a certain level of quality. You *will* hear about it if calls
are coming in broken or distorted, especially if it's the CEO on a call
trying to show off his shiny new VoIP network to his buddies. A few
bucks spent now can prevent a lot of headaches in the future.

For your remote offices, I'd recommend firewall-to-firewall VPN tunnels,
even if you're using point-to-point circuits.

I would look to see if the system you're considering does end-to-end
encryption to protect the voice data. A lot of them do now, but also
look at how secure the key exchange is. Encryption is no good if an
attacker is sniffing the wire and the encryption key is send in the
plain before the voice part of the call actually kicks in.

If you follow the basic practices for securing a data network, I really
think that the holes are going to come from the phone switch itself.
It's a ripe target. Look at some of the mailing lists and see if a
particular vendor has a history of getting their products exploited, and
ask how responsive they are to fixing holes as they are reported.

Most importantly, don't let your vendors tell you that can't do
something. Put all your requirements in the Requirements Doc before your
vendor pool starts planning and bidding. The security portion really
should be a non-negotiable deal-breaker. For everything a VoIP phone
does, they're still just network devices and should be treated as such.

--
Ian Hayes | Senior Systems Engineer
Wynn Las Vegas
3131 South Las Vegas Blvd, Las Vegas, NV 89109
Ph (702) 770-3252 | Cell (702) 266-6002
Ian.hayes () wynnlasvegas com



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfoc_ml
----------------------------------------------------------------------------