Information Security News mailing list archives

Is VoIP vulnerable?


From: InfoSec News <isn () c4i org>
Date: Tue, 25 Jun 2002 06:44:59 -0500 (CDT)

http://www.nwfusion.com/news/2002/0624voip.html

Yes, but users say taking basic steps can limit security snafus.

By Phil Hochmuth
Network World, 06/24/02

As companies increasingly replace aging PBXs with IP telephony
equipment, they are uncovering a host of security issues that might
not have applied to old-world phone technology.

While businesses need to consider issues such as voice-over-IP packet
prioritization, voice quality and call features when planning a move
to IP telephony, basic security of the IP PBX and phones should not be
overlooked. This is especially true because much of the VoIP gear on
the market is based on commodity operating systems and commonly hacked
software, experts and VoIP veterans say.

Just ask Carnival Cruises. The company found out the hard way that
managing an IP telephony system is different from running phone
systems based on traditional TDM technology.

"Our [Cisco] CallManager got hit by the Nimda virus last year," says
Tom McCormick, senior technical analyst with the Miami cruise line.  
"It was a demo box and it wasn't patched to protect against the latest
viruses."

McCormick says the Cisco IP PBX, which runs on a purpose-built Intel-
and Windows-based server, was being used only by the IT department for
evaluation, so the company's business was not affected by the crash.  
But the incident was an eye-opener. The system, which is in the
company's live network now, has since been patched, and is monitored
and maintained regularly for security fixes.

For the most part, IP PBXs from vendors such as 3Com, Cisco, Avaya,
Nortel, Alcatel and others are servers at the core. The boxes run
call-control software on top of standard operating systems such as
Windows NT and 2000, Linux and Unix. All of the products have standard
IP stacks, which make them susceptible to denial-of-service or hacker
attacks. Many IP PBXs also include Web-based administration clients
or configuration tools built on Microsoft Internet Information Server
(IIS) and Apache Web server - platforms that are constantly being
patched for security holes and bugs.

With these phone systems now connected to the same LANs and WANs as
end users and even the public data networks, experts say IP telephony
users must be on guard.

"With an IP PBX, you're dealing with a server, and it's just as
vulnerable as any other computer on your network," says Mike Homer,
manager of lab testing at Miercom, an independent IT testing and
consulting firm and a member of the Network World Global Testing
Alliance.

"The idea of viruses or hacking might be totally new to you if you're
coming from the TDM world to IP telephony," Homer says. But security
has always been an issue in the telecom world, he adds, citing old
problems such as toll fraud and other system misuse. "Those types of
things still exist in the TDM world. It's just that IP telephony is
new and sexy, so hacking from that standpoint is more attractive, and
is more likely to happen than someone hacking a TDM system."

If a company manages its IP PBX with the same due diligence as any
other secure or mission-critical application - "such as a human
resources application, or a server with all your customers' credit
card information - it's not a problem," Homer says.

On the IP PBX front line

St. Paul, Minn., chemical manufacturer H.B. Fuller last year installed
three redundant clusters of Cisco's Windows-based CallManager IP PBXs
to provide IP phone connectivity to 20 remote sites over its VPN. By
running voice over its data network, the company was able to eliminate
12 PBXs scattered around the network and manage voice from a
centralized location. While this provides better management and cost
savings, security of the IP PBXs was a concern, says Kevin Wetzel,
manager of global network services for the company.

"On traditional PBXs, although they had PC processors in them, they
were not necessarily as susceptible to viruses," Wetzel says. "People
are writing NT viruses, not PBX viruses, so it's a trade-off."

Wetzel monitors his clusters of Cisco telephony servers with
intrusion-detection software - he declined to say what kind - and is
vigilant about keeping up with patches to the CallManager's operating
system, which includes Microsoft IIS as an administration tool. The
centralized management of the Cisco CallManager clusters also
provides a level of security of its own, he adds.

"We've been able to reduce the number of PBXs, and that reduced number
of machines can make for better security," he says. "We can maintain
the systems in a more uniform fashion than we could before."

For Compass Bank, a regional bank with 400 branches in eight states
throughout the South and Southwest, a mix of IP and TDM telephony is
used to serve 20 of its offices. The bank deployed Nortel Business
Communication Manager (BCM) platforms to its branch offices, and
connects those small-office IP PBXs to a group of Nortel Meridian TDM
phone switches over a private frame relay network.

Although the BCMs are based on NT, security is less of an issue
because IP is only being used to replace tie lines, says Rick Nelson,
the bank's group operations manager and senior vice president. The
network is closed to the outside world, so viruses and external
attacks are not issues for the VoIP system, Nelson says. That the
telecom network is still TDM at the core also is an advantage, he
says.

"Security would keep me awake at night if I had a server-based system
at the heart" of the voice network, Nelson says. "My son can hack into
those types of machines, and he's 11. That's what's keeping me from
making the leap to an all-IP telephone network."

While Nelson says an all-IP telephone infrastructure - from
server-based PBXs to IP phones - is inevitable, he will wait another
12 to 24 months before considering a full-blown IP voice
implementation.

The County of Nevada, Calif., decided to take the all-IP plunge,
replacing its discontinued Siemens Saturn phone switch with several
3Com NBX systems. The IP PBXs support around 900 users in 30 county
offices, and are connected via T-1 lines. The fact that the NBX boxes
are sitting on the same data network as any other server does not
concern Gary Sprigs, network services manager for the county.

Sprigs says the Web-based administration tool makes the NBX system
easy to access for configuring phone extensions and to configure the
box.

"We have a process where we regularly change the passwords," on the
administration interface, Sprigs says. The NBX also has the ability to
create an audit trail of who accessed the device, what was done, and
the IP address of the user who accessed the system.

He says the NBX devices also are kept behind firewalls, which lessens
the chance of unauthorized system usage or abuse.

"We treat the [NBX boxes] with the same level of protection as our
most critical server," Sprigs says. "It's something we didn't have to
worry about on the old phone system, but we do now."


Locking down IP telephony

IP telephony vendors and customers recommend these steps to manage the 
security of voice over a data network.  

* Separate IP PBXs on the LAN by putting the devices in different 
  domains from other servers. 

* Isolate voice traffic onto a virtual LAN. 

* Limit administration access to IP PBXs among IT staff, allowing only 
  a few to have access to the core operating system on a VoIP server.  

* Limit the types of protocols that can touch the IP PBX or IP 
  telephony network when possible. 

* Encrypt voice traffic where possible. Do not send IP voice over an 
  unmanaged or public network.  
 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
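
The "Locking down IP telephony" checklist in the article above (voice on its own VLAN, few administrators, few protocols touching the IP PBX) can be checked mechanically against a filtering policy. The following is an added example, not part of the original article or of any vendor's tooling; the addresses, the rule syntax and the port allowlist are assumptions made for illustration.

```python
import ipaddress

# Hypothetical addressing plan (assumed, not taken from the article).
PBX = ipaddress.ip_address("10.30.0.10")             # the IP PBX server
VOICE_VLAN = ipaddress.ip_network("10.20.0.0/24")    # IP phones only
ADMIN_HOSTS = ipaddress.ip_network("10.99.0.0/28")   # the few IT admin workstations

# Assumed allowlist: which protocol/port may reach the PBX, and from where.
ALLOWED = {
    ("udp", 5060): VOICE_VLAN,   # SIP signalling
    ("tcp", 1720): VOICE_VLAN,   # H.323 call setup
    ("tcp", 2000): VOICE_VLAN,   # Cisco SCCP
    ("tcp", 443): ADMIN_HOSTS,   # Web-based administration
}

# Constructed sample policy: "action proto source destination port".
SAMPLE_RULES = """\
permit udp 10.20.0.0/24 10.30.0.10/32 5060
permit tcp 10.20.0.0/24 10.30.0.10/32 2000
permit tcp any 10.30.0.10/32 80
permit tcp 10.0.0.0/8 10.30.0.0/24 443
permit tcp 10.99.0.0/28 10.30.0.10/32 443
permit tcp any 10.40.0.5/32 25
deny ip any any any
"""

def net(text):
    """Parse a CIDR block, treating the keyword 'any' as 0.0.0.0/0."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text)

def audit(rules_text):
    """Return (line number, finding) for permit rules that expose the PBX."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5 or fields[0] != "permit":
            continue  # deny rules and malformed lines open nothing
        _, proto, src, dst, port = fields
        if PBX not in net(dst):
            continue  # rule does not reach the PBX
        # A wildcard port ("any") can never match an allowlist entry.
        key = (proto, int(port)) if port.isdigit() else None
        allowed_src = ALLOWED.get(key)
        if allowed_src is None:
            findings.append((lineno, "protocol not on allowlist"))
        elif not net(src).subnet_of(allowed_src):
            findings.append((lineno, "source wider than allowed"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_RULES):
        print(f"rule {lineno}: {finding}")
```

On the sample policy this flags rule 3 (plain HTTP to the PBX from anywhere) and rule 4 (the administration port open to the whole 10.0.0.0/8 range instead of the admin workstations).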

