
The Deep Inspection Firewall as VoIP Enabler

How safe are you?

Companies implementing Voice-over-IP (VoIP) technologies to cut communications costs shouldn't overlook the security risks associated with a converged voice and data network. Tempted by the thought of lower phone bills, centralized management and rapid deployment, they often neglect VoIP security and network integrity. There are numerous weak points to consider in a VoIP network - the call servers and their operating systems, the phones and their software, even the phone calls themselves are vulnerable.

This article examines the issues and complexities of deploying a secure Voice- and Video-over-IP network, and how a VoIP-capable firewall can address these concerns.

Evolution of the Firewall in a VoIP Network

The traditional role of a firewall in a VoIP network is undergoing a radical evolution.

In the past, its primary job was simply to "behave well." VoIP relies on the predictable static availability of IP-based resources across the Internet, while the firewall's strong desire to keep ports closed as well as its network address translation (NAT) functionality inherently breaks the VoIP network. Through pinholing and other techniques, security vendors have found ways to interoperate with VoIP infrastructures.
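An added example (not from the article or any vendor's product) of the pinholing the paragraph describes: a SIP-aware firewall parses the SDP body of an INVITE, opens UDP pinholes only for the negotiated RTP/RTCP ports of that call, drops requests missing the mandatory SIP headers, and closes the pinholes on BYE. The SIP messages and addresses are constructed.

```python
# Added example, not from the article or SonicWALL: a SIP-aware firewall that
# opens RTP pinholes from the SDP body of an INVITE and closes them on BYE,
# instead of leaving a static UDP range open. The messages are constructed.
REQUIRED = ("via", "from", "to", "call-id", "cseq")  # mandatory per RFC 3261

def parse_sip(raw):
    # Split one SIP message into (start line, lower-cased header dict, body).
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def media_pinholes(sdp):
    # (proto, addr, port) for RTP and RTCP, read from the SDP c= and m= lines.
    conn, holes = None, set()
    for line in sdp.splitlines():
        if line.startswith("c="):
            conn = line.split()[2]                # c=IN IP4 <addr>
        elif line.startswith("m=") and conn:
            port = int(line.split()[1])           # m=audio <port> RTP/AVP ...
            holes |= {("udp", conn, port), ("udp", conn, port + 1)}  # RTP, RTCP
    return holes

class SipAwareFirewall:
    def __init__(self):
        self.calls = {}  # Call-ID -> pinholes kept open while the call is live

    def inspect(self, raw):
        start, hdr, body = parse_sip(raw)
        if any(h not in hdr for h in REQUIRED):
            return "drop"                         # malformed: mandatory header missing
        call_id = hdr["call-id"]
        if start.startswith("INVITE ") and hdr.get("content-type") == "application/sdp":
            self.calls.setdefault(call_id, set()).update(media_pinholes(body))
            return "pinhole"
        if start.startswith("BYE "):
            self.calls.pop(call_id, None)         # call over: close its pinholes
            return "close"
        return "forward"

    def media_allowed(self, addr, port):
        # Is a UDP packet to addr:port covered by a pinhole of a live call?
        return any(("udp", addr, port) in h for h in self.calls.values())

HDRS = ("Via: SIP/2.0/UDP 192.0.2.10:5060\r\nFrom: <sip:alice@example.com>;tag=1\r\n"
        "To: <sip:bob@example.com>\r\nCall-ID: c1@192.0.2.10\r\n")
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n" + HDRS + "CSeq: 1 INVITE\r\n"
          "Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 192.0.2.10\r\n"
          "m=audio 49170 RTP/AVP 0\r\n")
```

Feeding `INVITE` to `SipAwareFirewall().inspect()` opens pinholes for 192.0.2.10 ports 49170 and 49171 only, and a later BYE with the same Call-ID removes them.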

With network-based threats getting ever more sophisticated, however, the firewall has evolved from behaving nicely to enabling and protecting the complete infrastructure. From end-user devices such as IP-based phones, soft-phones and wireless communications devices to infrastructure equipment such as H.323 gatekeepers and SIP proxy servers, there's a lot of exposure in an organization-wide VoIP deployment. From simple distributed denial of service (DDoS) attacks aimed at limiting the availability of the IP-based voice infrastructure to full-blown application-layer attacks targeting the VoIP protocols themselves, the threats are very real...and growing.

Elements of a Secure VoIP Infrastructure

For any successful VoIP implementation, three key factors have to be considered: VoIP security, VoIP network interoperability/protocol support, and VoIP vendor interoperability.

The big security factors that have to be considered in any deployment are access, availability and implementation.

Access

VoIP calls are vulnerable to session hijacking and so-called man-in-the-middle attacks. Without proper safeguards, an attacker can intercept a VoIP call and modify its parameters/addresses. This opens up the call to spoofing, identity theft, call redirection, and other attacks.

Even without modifying VoIP packets, attackers can eavesdrop on conversations carried over a VoIP network. If VoIP packets are traveling unprotected over the Internet, attackers can access the information they carry.

With a standard public switched telephone network (PSTN) connection, intercepting conversations requires physical access to phone lines or access to the private branch exchange (PBX). Voice/data networks, on the other hand, which typically use the public Internet and the TCP/IP protocol stack, don't provide the physical wire security of phone lines. By gaining access and monitoring network traffic at certain points on a network infrastructure (such as to/from a VoIP gateway), an attacker can capture and reassemble VoIP packets. Publicly available tools such as Vomit (http://vomit.xtdnet.nl/) can convert these packets into a .wav file so an attacker can eavesdrop or even record and replay conversations.

Availability

The availability of a VoIP network is also a big concern. PSTN availability has reached 99.999% - attackers need physical access to telephone exchanges or have to cut the phone lines to have any impact. A simple DDoS attack aimed at key points of an unprotected VoIP network can disrupt, or worse, cripple, voice and data communications.

VoIP networks are especially susceptible to DDoS attacks such as:

  • The Malformed Request DDoS: Carefully crafted protocol requests can exploit a known vulnerability resulting in partial or complete loss of service. Attackers can not only crash the target but gain control over it.
  • DDoS on media: VoIP media is carried in Real-time Transport Protocol (RTP) packets, and is vulnerable to any attack that congests the network or slows the ability of an end device (a phone or gateway) to process the packets in real time. An attacker who has access to the part of the network where media is present simply needs to inject a large number of media packets or high Quality of Service (QoS) packets to contend with legitimate media packets.
  • Load-based DDoS: A DDoS attack doesn't necessarily need to use malformed packets to achieve its goal. Flooding a target with legitimate requests can easily overwhelm a poorly designed system. Even without an actual VoIP request, a DDoS attack such as TCP SYN Flood can prevent a device from accepting calls for long periods of time.
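An added example (not from the article) of the rate checks a VoIP-aware firewall can run against two of the flood types listed above: a load-based flood of well-formed INVITEs at a call server, and an RTP injection flood aimed at an open media pinhole. The packet events, addresses and thresholds are constructed assumptions; the 50 packets-per-second reference rate is that of G.711 with 20 ms packetization.

```python
# Added example, not from the article: sliding-window rate checks for a
# load-based INVITE flood and an RTP media injection flood. Events and
# thresholds below are constructed assumptions for illustration.
from collections import defaultdict, deque

INVITE_LIMIT = (20, 10.0)  # alert above 20 INVITEs from one source within 10 s
RTP_LIMIT = (120, 1.0)     # alert above 120 RTP packets per flow within 1 s
                           # (a G.711 stream at 20 ms packetization sends 50/s)

class FloodDetector:
    def __init__(self):
        self.windows = defaultdict(deque)  # key -> timestamps inside the window

    def _over(self, key, ts, limit):
        count, span = limit
        win = self.windows[key]
        win.append(ts)
        while win and ts - win[0] > span:  # slide the window forward
            win.popleft()
        return len(win) > count

    def observe(self, ts, src, dst, kind):
        # One packet event in; an alert string out, or None if within limits.
        if kind == "INVITE" and self._over(("invite", src), ts, INVITE_LIMIT):
            return f"invite-flood from {src}"
        if kind == "RTP" and self._over(("rtp", src, dst), ts, RTP_LIMIT):
            return f"rtp-flood {src}->{dst}"
        return None

def run(events):
    # Replay a list of (ts, src, dst, kind) events and collect distinct alerts.
    det, alerts = FloodDetector(), set()
    for ev in events:
        alert = det.observe(*ev)
        if alert:
            alerts.add(alert)
    return alerts

# Constructed traffic: one legitimate INVITE, an INVITE flood from 203.0.113.7,
# a normal 50 pps RTP stream to a pinhole, and a 500 pps injection into it.
EVENTS = [(0.0, "192.0.2.10", "192.0.2.1:5060", "INVITE")]
EVENTS += [(i * 0.01, "203.0.113.7", "192.0.2.1:5060", "INVITE") for i in range(40)]
EVENTS += [(1 + i * 0.02, "192.0.2.20", "192.0.2.10:49170", "RTP") for i in range(100)]
EVENTS += [(1 + i * 0.002, "203.0.113.9", "192.0.2.10:49170", "RTP") for i in range(600)]
```

`run(EVENTS)` flags only the flooding INVITE source and the injecting RTP source; the legitimate call setup and the 50 pps stream stay under both limits.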

Implementation Problems

VoIP encompasses a large number of standards - such as the Session Initiation Protocol (SIP), H.323, the Media Gateway Control Protocol (MGCP) and H.248. These are complex standards that leave the door open to bugs in the software implementation. With PSTN, phones are just dumb terminals - all the logic and intelligence resides in the PBX. There's not a lot an attacker can do to disrupt access to a PSTN network.

With VoIP, the same bugs and exploits that hamper every operating system and application available today can also hit VoIP equipment. Remember, many of today's VoIP call servers and gateway devices are built on vulnerable Windows and Linux operating systems. One only has to look at the CERT advisories that have been issued for H.323 (CERT-H.323) or SIP (CERT-SIP) to see the number of vulnerabilities that have been found and the dozens of vendors affected by them.

More Stories By Akbal Singh Karlcut

Akbal Singh Karlcut is a Principal Software Engineer at SonicWALL responsible for a number of areas, such as VoIP and other stateful protocols. He has worked on several papers for the IEEE as well as patents in the area of data communications. Akbal received his B.Sc. in Computer Science from Kingston University (United Kingdom) and M.Sc. in Computer Engineering from San Jose State University.
