How to protect your VoIP network

Page 4 of 4

Consider segregating voice user agents (hard phones) from PCs and laptops used to access networked data applications. This may prevent a successful attack against a data segment from spreading to and interfering with voice systems. Firewall performance may be an issue when applying segmentation and policy-based compartmentalization, so plan carefully to avoid adding latency to paths that will transport media streams.

Endpoint security adds an outer layer of security in VoIP deployments. IEEE 802.1X port-based network access control and equivalent network admission techniques provide an additional layer of authorization control by blocking devices from using a LAN or WLAN until they pass security checks.

Administrators can choose to block devices infected with malware or that do not satisfy other admission criteria, such as current patches and appropriately configured firewalls. They can redirect noncompliant devices to an isolated LAN segment that offers limited services or to a LAN where softphone users can access software, patches and malware definition updates required to satisfy admission criteria. In many cases, these security measures can be performed before authentication, to prevent malware (keystroke loggers) from capturing user credentials.

Companies using firewalls to enforce security policy may discover that their current firewall is unsuited to the task of securing voice and data. Traditional network firewalls are designed to permit and deny traffic based on TCP, User Datagram Protocol (UDP) and IP header information: IP addresses, protocol types and port numbers, for example.

VoIP protocols use a large range of UDP ports and allocate them dynamically to media streams. Many traditional firewalls cannot accommodate this behavior without leaving large swaths of port numbers permanently open, available both for VoIP use and for misuse. Certain firewalls do not process UDP efficiently. Others do not support QoS measures to manage latency and jitter so that VoIP calls have toll-voice quality.

IT administrators should consider firewalls that are SIP-aware, that can detect and counter attacks carried in SIP signaling messages, and that can process RTP media streams without adding significant latency.
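To make the dynamic-port problem concrete, the following Python sketch (an added example, not from the article or any firewall vendor) shows what a SIP-aware firewall does differently: it reads the SDP body of an INVITE or 200 OK, opens a UDP pinhole only for the advertised RTP port and its RTCP companion (RTP port + 1), and closes those pinholes when the matching BYE arrives. The SIP messages, addresses, ports and Call-ID are constructed for the example.

```python
import re
# Constructed sample INVITE with SDP (addresses, ports, Call-ID are made up).
SDP = ("v=0\r\no=alice 1 1 IN IP4 10.0.5.21\r\ns=-\r\nc=IN IP4 10.0.5.21\r\n"
       "m=audio 49170 RTP/AVP 0 8\r\n"
       "m=video 0 RTP/AVP 31\r\n")            # port 0: stream declined, no pinhole
SAMPLE_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
                 "Call-ID: a84b4c76e66710@10.0.5.21\r\n"
                 "Content-Type: application/sdp\r\n"
                 f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)
SAMPLE_BYE = "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: a84b4c76e66710@10.0.5.21\r\n\r\n"

def rtp_pinholes(message):
    """UDP pinholes for this message's SDP: each active m= line's RTP port
    plus its RTCP port (RTP port + 1), at the governing c= address."""
    headers, _, body = message.partition("\r\n\r\n")
    if "application/sdp" not in headers.lower():
        return []
    session_addr, media = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            if media:                          # media-level c= overrides the last m= line
                media[-1][1] = line.split()[2]
            else:
                session_addr = line.split()[2]
        elif line.startswith("m="):
            port = int(line.split()[1].split("/")[0])   # "port" or "port/count"
            media.append([port, session_addr])
    holes = []
    for port, addr in media:
        if port:                               # port 0 means the stream is declined
            holes += [("udp", addr, port), ("udp", addr, port + 1)]
    return holes

class SipAwareFirewall:
    """Per-call pinholes keyed by Call-ID: opened by INVITE/200 OK with SDP,
    closed by BYE, so no static UDP range stays open between calls."""
    def __init__(self):
        self.calls = {}
    def observe(self, message):
        """Returns the pinholes this message opened or closed."""
        call_id = re.search(r"^Call-ID:\s*(\S+)", message, re.M | re.I).group(1)
        if message.startswith("BYE "):
            return self.calls.pop(call_id, set())
        holes = set(rtp_pinholes(message))
        if holes:
            self.calls.setdefault(call_id, set()).update(holes)
        return holes
    def open_pinholes(self):
        return sorted(h for s in self.calls.values() for h in s)
```

A production implementation would also verify that the pinhole address matches the signaling source and expire entries for calls that never send BYE.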

Application-layer gateways (proxies) can play a useful role in VoIP deployment. Incorporating SSL tunnels into SIP proxies is becoming a popular way to improve authentication and add confidentiality and integrity protection on signaling messages exchanged between user agents and SIP proxies.

Many organizations are considering chaining SSL connections to protect signaling traffic between SIP proxies across their organizations and interorganizationally as well. RTP proxies may be appropriate if your organization must relay media streams among global and local RTP IP addresses and ports. Other organizations are choosing to take advantage of their investment in IPSec to secure VoIP traffic between sites.

In some configurations, organizations may try to process VoIP traffic preferentially by creating IPSec security associations that prioritize voice traffic over data. Some organizations may want to filter signaling traffic and RTP media streams through a Session Border Controller (SBC). SBCs operate as back-to-back user agents, concatenating and applying policy to calls between public and private user agents. In some respects, an SBC behaves like a secure e-mail proxy. It can rewrite message headers to hide details of private networks (such as addresses), strip unknown and undesirable SIP header fields, and restrict called-party numbers. Because media traffic flows through an SBC, RTP policies can be enforced there.

These security measures, along with a proactive security monitoring and intrusion-detection and -prevention plan, not only improve VoIP security, but can greatly reduce the risks to data networks as organizations introduce VoIP. Many of these measures will continue to be useful in deployments even after security enhancements are incorporated into VoIP protocols and architecture.

Piscitello is president of Core Competence, an ICANN SSAC Fellow and author, with Alan Johnston, of Understanding Voice over IP Security. He can be reached at dave@corecom.com.
