Security Basics mailing list archives
RE: Question on VoIP security
From: "Hayes, Ian" <Ian.Hayes () wynnlasvegas com>
Date: Mon, 19 Dec 2005 11:34:48 -0800
-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r () gmail com]
Sent: Sunday, December 18, 2005 5:01 AM
To: security-basics () securityfocus com
Subject: Question on VoIP security

Hello list,

I am currently facing an Intranet VoIP project (it will be restricted to one organization's Intranet, geographically dispersed), from the security standpoint. So, I have to propose a security architecture for a SIP-based VoIP deployment. The vendor is still a variable, so it should be as vendor-independent as possible (but it will probably be Cisco / Nortel).

Does anyone have information on the current security practices used to protect the confidentiality and integrity of, and guarantee access control in, the VoIP services network? If you can provide me with general principles, and perhaps links to documents describing the security problems I should consider, these would be more than welcome.
Having done a fairly large VoIP implementation that has a lot of public-facing phones, we had a lot of issues we had to tackle, especially when dealing with 24/7 availability and security. Obviously I can't go into the specifics here on how we did our VoIP network, but treat the security side of it as you would any data port. The good thing about having dedicated jacks for VoIP is that your work just got a little easier, as the phones are all going to have the same access profile. Work with your vendor to work up a good access profile for your devices and firewall them off ruthlessly. Lock the edge down using every control you have: MAC locks, protocol locks, firewalls... you *have* to control the edge. If you can't, then someone's going to plug something other than a phone into the network and it's Game Over.

I really prefer having separate networks for voice vs. data, as it's more secure and simplifies administration a bit, and the QoS is improved on both sides as you're not competing for bandwidth. While you're at it, don't skimp on getting budget networking gear. If you're putting in a fair-sized VoIP network, you're going to need bandwidth. Phones are a "public side" of IT, and even the least technical person can use one and expects a certain level of quality. You *will* hear about it if calls are coming in broken or distorted, especially if it's the CEO on a call trying to show off his shiny new VoIP network to his buddies. A few bucks spent now can prevent a lot of headaches in the future.

For your remote offices, I'd recommend firewall-to-firewall VPN tunnels, even if you're using point-to-point circuits. I would look to see if the system you're considering does end-to-end encryption to protect the voice data. A lot of them do now, but also look at how secure the key exchange is. Encryption is no good if an attacker is sniffing the wire and the encryption key is sent in the plain before the voice part of the call actually kicks in.
If you follow the basic practices for securing a data network, I really think that the holes are going to come from the phone switch itself. It's a ripe target. Look at some of the mailing lists and see if a particular vendor has a history of getting their products exploited, and ask how responsive they are to fixing holes as they are reported. Most importantly, don't let your vendors tell you that you can't do something. Put all your requirements in the Requirements Doc before your vendor pool starts planning and bidding. The security portion really should be a non-negotiable deal-breaker. For everything a VoIP phone does, they're still just network devices and should be treated as such.

--
Ian Hayes | Senior Systems Engineer
Wynn Las Vegas
3131 South Las Vegas Blvd, Las Vegas, NV 89109
Ph (702) 770-3252 | Cell (702) 266-6002
Ian.hayes () wynnlasvegas com
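Ian's warning about the key being "sent in the plain before the voice part of the call actually kicks in" maps directly onto how SIP phones usually negotiate SRTP. With SDES (RFC 4568) the SRTP master key is carried inside the SDP body of the INVITE as an "a=crypto: ... inline:<base64>" line, so it is exactly as private as the signaling hop that carries it; with DTLS-SRTP only a certificate fingerprint appears in the SDP and the key is derived on the media path. The following audit script is an added example, not code from the thread or from any vendor. It parses a SIP INVITE, reads the transport of the delivering hop from the top Via header, and flags plain RTP, an SDES key exposed over a non-TLS hop, or an SRTP profile with no visible key exchange. The sample INVITEs, addresses, key material and fingerprint are all constructed for illustration.

```python
"""Audit a captured SIP INVITE for SRTP keys exposed in cleartext signaling.

Added example for the thread above; not code from the original post.
All sample messages below are constructed, not real captures.
"""
import re

CRLF = "\r\n"


def parse_sip(raw):
    """Split a SIP request into (start line, header dict, non-empty SDP lines)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, [l for l in body.split(CRLF) if l]


def signaling_transport(headers):
    """Transport of the hop that delivered this message, from the top Via."""
    via = headers.get("via", [""])[0]          # e.g. "SIP/2.0/TLS host;branch=..."
    m = re.match(r"SIP/2\.0/(\w+)", via)
    return m.group(1).upper() if m else "UNKNOWN"


def audit_invite(raw):
    """Return a list of findings for each audio media section; [] means clean."""
    _, headers, sdp = parse_sip(raw)
    transport = signaling_transport(headers)
    findings = []
    for i, line in enumerate(sdp):
        if not line.startswith("m=audio"):
            continue
        # attribute lines belonging to this media section (up to the next m=)
        section = []
        for attr in sdp[i + 1:]:
            if attr.startswith("m="):
                break
            section.append(attr)
        profile = line.split()[2]                     # e.g. RTP/AVP, RTP/SAVP
        sdes_keys = [a for a in section if a.startswith("a=crypto:") and "inline:" in a]
        dtls = any(a.startswith("a=fingerprint:") for a in section)
        if profile == "RTP/AVP":
            findings.append("media offered as plain RTP (no SRTP)")
        if sdes_keys and transport != "TLS":
            findings.append(f"SRTP master key sent in cleartext SDP over {transport}")
        if profile.endswith("RTP/SAVP") and not sdes_keys and not dtls:
            findings.append("SRTP profile offered but no key exchange visible in SDP")
    return findings


def sample_invite(transport, media_line, attrs):
    """Build a constructed INVITE for the audit (hypothetical hosts and IDs)."""
    port = "5061" if transport == "TLS" else "5060"
    return CRLF.join([
        "INVITE sip:2001@voice.example SIP/2.0",
        f"Via: SIP/2.0/{transport} 10.1.1.20:{port};branch=z9hG4bK776",
        "From: <sip:2000@voice.example>;tag=1928",
        "To: <sip:2001@voice.example>",
        "Call-ID: a84b4c76e66710@10.1.1.20",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        "",
        "v=0", "o=- 1 1 IN IP4 10.1.1.20", "s=-", "c=IN IP4 10.1.1.20", "t=0 0",
        media_line, *attrs, "a=rtpmap:0 PCMU/8000",
    ]) + CRLF


# SDES key (placeholder base64, not a real key) carried over a UDP hop: the
# exact failure the thread describes, the key is readable to anyone sniffing.
SDES_OVER_UDP = sample_invite("UDP", "m=audio 16384 RTP/SAVP 0 8",
    ["a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCaEdZMXpPaUp4MjhYbWxpZFNSVlFHQw"])
# DTLS-SRTP over a TLS hop: only a certificate fingerprint (constructed) is in the SDP.
DTLS_OVER_TLS = sample_invite("TLS", "m=audio 16384 UDP/TLS/RTP/SAVP 0 8",
    ["a=fingerprint:sha-256 0B:2A:9C:1D:44:E7:5F:60:AA:13:C8:71:2E:9B:D5:06:"
     "3C:88:F1:4A:57:BE:02:D9:61:7C:E3:10:9F:45:AB:6D", "a=setup:actpass"])
# No SRTP at all.
PLAIN_RTP = sample_invite("UDP", "m=audio 16384 RTP/AVP 0 8", [])

if __name__ == "__main__":
    for name, msg in [("SDES_OVER_UDP", SDES_OVER_UDP),
                      ("DTLS_OVER_TLS", DTLS_OVER_TLS),
                      ("PLAIN_RTP", PLAIN_RTP)]:
        print(name, audit_invite(msg) or ["ok"])
```

In practice you would feed this the INVITEs exported from a capture taken at the access switch; if the SDES case shows up, the phones are negotiating SRTP but the key is on the wire in clear. Note the check is per hop: SDES carried over SIP/TLS is hidden from a sniffer on the segment, but the key is still visible in plaintext to every SIP proxy or call manager that terminates the TLS session and forwards the INVITE, so the "end-to-end" claim the post says to ask about should be verified against the whole signaling path, not just the first hop.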
Current thread:
- Question on VoIP security Rodrigo Blanco (Dec 19)
- Re: Question on VoIP security ilaiy (Dec 19)
- Re: Question on VoIP security Peter Wan (Dec 19)
- Re: Question on VoIP security Dave Dearinger (Dec 20)
- RE: Question on VoIP security Chris Serafin (Dec 21)
- <Possible follow-ups>
- RE: Question on VoIP security Hayes, Ian (Dec 19)
- RE: Question on VoIP security Chris Serafin (Dec 21)