August 2007

VoIP Security

Best Practices for VoIP Security

One technique for a converged network is to virtually separate voice and data traffic.

By Scott VanWart

The ability to converge the view of network and security information is no longer just “nice to have” in the fight against application-layer attacks, worms, hacking, spyware and data theft. These days, situational awareness of internal and external threats is needed to protect an organization’s network completely and continuously. A network and security monitoring strategy that combines flow-based network behavioral analysis and security event correlation to solve security and monitoring issues provides a unique window into monitoring an organization’s voice-over-IP (VoIP) network against threats. VoIP networks illustrate the need for visibility across multiple service layers: the network, the application and the security layers.

One of the most effective and important techniques in engineering a converged network is to structure it to virtually separate VoIP traffic from normal data traffic. This design choice has two key advantages for a VoIP deployment:

  • additional security, because VoIP traffic is forced to flow through the proper security devices and network paths; and
  • guaranteed bandwidth, because dedicated virtual interfaces and subnets for VoIP traffic ensure that VoIP gets the capacity it needs to deliver high-quality voice.

Equally critical is ensuring that data-intensive applications such as peer-to-peer and gaming traffic do not infringe on VoIP bandwidth and affect voice quality.

From a monitoring perspective, administrators should define VoIP infrastructure as a unique network object so that:

  • network administrators have one clear view of VoIP network traffic flows, which helps to detect the origin of the VoIP traffic;
  • VoIP policy or security incidents can be prioritized by giving high-value weightings to VoIP-related assets (e.g., IP PBX) and VoIP business objects;
  • filtering or searching on VoIP traffic flows or associated security logs aids in troubleshooting VoIP technical or security issues;
  • the behavior of VoIP networks can be learned to allow administrators to establish appropriate policies quickly; and
  • executive- and operations-level reports can be produced for VoIP security and network usage.

The two most prevalent VoIP threats, toll fraud and denial-of-service (DoS) attacks, can both be detected and neutralized through intelligent monitoring of network traffic behavior. DoS attacks are generally the simplest to perpetrate and thus tend to be the most common attacks faced by data networks, and they are now becoming more common on VoIP networks as well.

Most DoS attacks on a VoIP network involve bombarding the IP PBX with an extreme volume of simultaneous voice-signaling requests (i.e., Session Initiation Protocol, or SIP, requests). When the IP PBX cannot keep up with the request rate, it eventually shuts down access altogether, denying valid users (in this case IP phones) access to VoIP services.

Advanced traffic-analysis logic is needed to identify an abnormal increase in both the number of sessions and the number of hosts attempting to communicate with the IP PBX, and to combine that with a sudden increase in events from external firewalls in order to detect a potential DoS attack. An appropriate solution should be able to respond either by automatically blocking the attacker or by notifying the network and security teams of the threat and the assets involved, so that they can respond manually before significant damage is done.
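As an added illustration of the detection logic just described (example code, not from the original article or any vendor product), the following Python sketch scores a one-minute window against a learned per-window baseline and raises an alarm only when sessions, distinct sources and perimeter-firewall events toward the IP PBX all jump together. The PBX address, thresholds, baseline and flow records are all constructed.

```python
from collections import Counter

# Constructed VoIP business object: the IP PBX and its SIP signaling port.
PBX_IP = "10.20.0.5"
SIP_PORT = 5060

def in_window(ts, start, length):
    return start <= ts < start + length

def pbx_sip_flows(flows, start, length):
    """Flow records (dicts: ts, src, dst, dport) aimed at the PBX's SIP port within the window."""
    return [f for f in flows if f["dst"] == PBX_IP and f["dport"] == SIP_PORT
            and in_window(f["ts"], start, length)]

def detect_sip_dos(flows, fw_events, baseline, start, length=60,
                   session_x=5.0, host_x=3.0, fw_x=3.0):
    """Alarm when sessions, distinct sources AND perimeter-firewall events toward
    the PBX all exceed their learned per-window baselines by the given factors.
    Requiring all three keeps a single chatty phone from raising a DoS alarm."""
    window = pbx_sip_flows(flows, start, length)
    by_src = Counter(f["src"] for f in window)
    fw_hits = sum(1 for e in fw_events
                  if e["dst"] == PBX_IP and in_window(e["ts"], start, length))
    alarm = (len(window) > baseline["sessions"] * session_x
             and len(by_src) > baseline["hosts"] * host_x
             and fw_hits > baseline["fw_events"] * fw_x)
    return {"alarm": alarm, "sessions": len(window), "hosts": len(by_src),
            "fw_events": fw_hits, "top_sources": by_src.most_common(3)}

# Per-minute baseline learned from the VoIP object's normal behavior (constructed values).
BASELINE = {"sessions": 40, "hosts": 30, "fw_events": 2}

def build_sample():
    """Constructed data: a quiet minute of phone registrations, then a flood minute."""
    flows, fw = [], []
    for i in range(30):       # t=0..58: 30 internal phones, one REGISTER each
        flows.append({"ts": i * 2, "src": f"10.20.1.{i + 10}", "dst": PBX_IP, "dport": SIP_PORT})
    for i in range(240):      # t=60..119: 240 INVITEs from 120 external hosts
        flows.append({"ts": 60 + i % 60, "src": f"203.0.113.{i % 120 + 1}",
                      "dst": PBX_IP, "dport": SIP_PORT})
    for i in range(12):       # the perimeter firewall logs drops toward the PBX
        fw.append({"ts": 60 + i * 5, "src": f"203.0.113.{i + 1}", "dst": PBX_IP, "action": "drop"})
    return flows, fw

if __name__ == "__main__":
    flows, fw = build_sample()
    for start in (0, 60):
        print(f"window starting t={start}:", detect_sip_dos(flows, fw, BASELINE, start))
```

The `top_sources` list is what an operator would hand to the firewall team or feed to an automatic block; the quiet first window shows the combined rule staying silent on normal registration traffic.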

Creating custom detection rules based on live network events arms the network team to defend the VoIP deployment from toll fraud. These events and alarms come from the security devices that protect the network, as well as the OS and application alerts from the PBX and control server devices themselves.

Monitoring the geographic destination of VoIP traffic is another solution to toll fraud. Sudden changes in the overall geographic distribution of network traffic originating from inside the VoIP network could indicate that unauthorized users are abusing the system to commit toll fraud. They may even be reselling these stolen long-distance services.
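To make the geographic-distribution check concrete, here is an added Python example (not from the original article) that compares the per-country share of outbound sessions from the VoIP network against a learned baseline and flags both a large overall shift and any country that was never called before. The VoIP prefix, the prefix-to-country table standing in for a real geolocation lookup, and all flow records are constructed.

```python
from collections import Counter

# Constructed VoIP network prefix and a toy prefix-to-country table that stands in
# for a real IP geolocation lookup (both are assumptions, not real allocations).
VOIP_NET = "10.20."
GEO = {"192.0.2.": "US", "198.51.100.": "CA", "203.0.113.": "XX"}  # XX: region never called

def country_of(ip):
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"

def geo_distribution(flows):
    """Share of sessions per destination country for traffic originating inside the VoIP network."""
    counts = Counter(country_of(f["dst"]) for f in flows if f["src"].startswith(VOIP_NET))
    total = sum(counts.values()) or 1
    return {cc: n / total for cc, n in counts.items()}

def geo_shift(baseline, current, new_share=0.10):
    """Total-variation distance between two country distributions, plus the countries
    that were absent (or negligible) in the baseline but now carry at least new_share."""
    countries = set(baseline) | set(current)
    tvd = 0.5 * sum(abs(baseline.get(c, 0.0) - current.get(c, 0.0)) for c in countries)
    emerging = sorted(c for c in current if baseline.get(c, 0.0) < 0.01 and current[c] >= new_share)
    return tvd, emerging

def build_sample():
    """Constructed flows: a baseline week of US/CA calls, then an hour where half the
    outbound sessions from the phone subnet go to a region the company never calls."""
    week = [{"src": "10.20.1.50", "dst": f"192.0.2.{i % 200 + 1}"} for i in range(900)]
    week += [{"src": "10.20.1.51", "dst": f"198.51.100.{i % 200 + 1}"} for i in range(100)]
    hour = [{"src": "10.20.1.50", "dst": f"192.0.2.{i + 1}"} for i in range(20)]
    hour += [{"src": "10.20.1.51", "dst": f"198.51.100.{i + 1}"} for i in range(5)]
    hour += [{"src": "10.20.1.77", "dst": f"203.0.113.{i + 1}"} for i in range(25)]  # one phone, off-hours
    hour += [{"src": "172.16.5.9", "dst": "203.0.113.200"}]  # data-network host, not part of the VoIP object
    return week, hour

def analyze(week, hour, max_tvd=0.25):
    """Alarm on a large overall shift or on any newly emerging destination country."""
    tvd, emerging = geo_shift(geo_distribution(week), geo_distribution(hour))
    return {"tvd": round(tvd, 3), "emerging": emerging, "alarm": tvd > max_tvd or bool(emerging)}

if __name__ == "__main__":
    print(analyze(*build_sample()))
```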

A major part of implementing a VoIP deployment is creating corporate policies that govern how the technology will be used. By creating a VoIP-specific business-service object to represent the VoIP network, administrators are able to detect traffic abnormalities (such as peer-to-peer applications) that should not be running on a VoIP network.

To maintain high availability and voice quality across the VoIP network, keeping data applications off the VoIP-designated network architecture is critical. To do this, an application view that provides Layer 7 analysis is needed. This displays what applications are traversing all network segments, including VoIP segments, and how much bandwidth is being consumed.

Another important capability for maintaining high availability and voice quality is monitoring the number of unique IP phones operating on the VoIP network. When the network is over-subscribed with too many IP phones, voice quality can suffer from jitter, packet loss, delay or dropped calls.

As VoIP technologies continue to develop, one protocol will likely become the recognized standard as the most secure method of transporting VoIP traffic across the network. SIP is quickly becoming dominant due to its IP multicast capabilities.

When using a network security management platform, administrators can quickly identify abnormal protocol usage, such as malformed SIP packets, and investigate policy violations. This ensures that the network is employing the latest in security best practices.

Most employee PCs are connected to the data network, which means the use of soft phones (such as Skype) conflicts with the need to separate voice and data traffic. This conflict, along with the potential for malicious software infecting desktops, results in the average PC being too high a risk for using soft phones on a corporate network.

Even though using software such as Skype typically violates company policies because of the potential vulnerabilities it creates on corporate networks, commercialized soft phones from large VoIP vendors may become approved components of the company’s overall VoIP solution.

Regulatory compliance issues often focus on monitoring authentication data from health and finance information systems. With the convergence of voice into the data network, IP PBXs and other equipment, such as voice gateways, become subject to information theft. Analyzing and storing these logs is important from a security and troubleshooting perspective, as is ensuring that all log data from VoIP devices is being managed to ensure full compliance.

Scott VanWart is technical product manager for Q1 Labs, Waltham, Mass.