In its latest Internet Security Intelligence Briefing, published today, VeriSign outlines ways enterprises can shore up security when using VoIP.
The key, said VeriSign principal scientist Phillip Hallam-Baker is to consider vulnerabilities in VoIP protocols and in the ways VoIP security relates to broader enterprise infrastructure.
In short, companies should be aware that a VoIP network breach would likely affect other network infrastructure, including their data networks, said Hallam-Baker said.
I expect to see some problems caused where VoIP allows Internet criminals to access to the telephone network in ways that can’t be traced, Hallam-Baker said. That’s the type of thing that gives me concern.
Part of the problem is that VoIP protocols are not firewall friendly. That’s because VoIP protocols were designed at a time when firewalls were generally considered a temporary security measure that would be quickly superseded by encryption technologies such as IPSec which did not happen.
Also, unlike HTTP and SMTP, which use a single service port for incoming connections, the VoIP signaling protocols, including SIP, require a dynamic data connection, VeriSign said. Moreover, a VoIP packet does not have a clearly recognized signature making it difficult for a network administrator to distinguish actual VoIP traffic from the control channel for a Trojan concealed within the enterprise network, the report said.
You want to apply best practices in your VoIP deployment, Hallam-Baker said. You want to make sure that you maintain the isolation between your data network and phone network; and that you understand the consequences of making that particular change.
If not, VoIP deployment may lead to compromised enterprise firewalls, he said.
Enterprises should audit and maintain firewall configuration. One approach is to deploy a pinhole routing system to ensure VoIP signaling mechanism ports are only opened for the VOIP system and only when in use. Another is to isolate VoIP systems by keeping VoIP and data traffic separate using a different physical network or a VPN.
Enterprise need to ensure they don’t negate the value of their existing infrastructures, Hallam-Baker said.
Unlike e-mail and other Internet applications, VoIP has a couple of things in its favor as far as security goes, he said. One is that VoIP interacts with traditional telephony networks, which are much less diversified than the Internet.
In other words, there are few infrastructure players in telephony than the Internet, and the number of control points in traditional telephony is relatively small, Hallam-Baker said. Therefore, maintaining vigilant security measures may be less complicated. So, there is actually some degree of reason for hope, he said.
If we continue to take things seriously, there’s no reason why VoIP security should become chronic, he said. The biggest problem would be overconfidence and complacency. If we can avoid complacency and the idea that you can take shortcuts… then we should be fine.
