VoIP: Secure Your Server
Voice over IP (VoIP) technologies have been steadily gaining acceptance since
the mid-1990s, when they first emerged. Prior to VoIP, advances in voice networks were slow and expensive. This was
because adding new features (such as three-way calling or conferencing) required that all the carrier equipment
be modified to accommodate the new feature. This is a key difference from an IP-based voice network.
A traditional voice network can be compared to the medieval messenger system, where a network of couriers delivers
messages. Each courier must understand the message in order to pass it along unaltered. The traditional voice network,
like a messenger system, requires an intelligent network.
IP voice networks are more like our postal system; the only requirement for message delivery is a legible address.
In an IP network, a message is placed in a series of envelopes called packets which are addressed to the recipient,
contain a return address and a payload - the message or a piece of the message. There are no content restrictions.
Packets traversing the network are similar to pages of a letter mailed in separate envelopes. And like the post
office, there is no guarantee that the envelopes will be transported by the same truck or arrive in the order they
were dropped into a mailbox. IP networks do not contain intelligence and therefore have inherently different security
issues than traditional networks.
The Strengths of VoIP
There are numerous benefits to using VoIP technology. One is the ability to use a single network infrastructure
to carry data and voice. Another benefit is that improvements do not require network-wide upgrades. Client software
(rather than the network) implements new features, so enhancements are more easily achieved. The cable plant and
its maintenance are greatly simplified, as the backbone (main distribution channel) tends to be static when installing
a new drop.
The Vulnerabilities of VoIP
IP networks have three main vulnerabilities, and these result from their benefits. While in the traditional
voice network one has to tap into a specific circuit to eavesdrop, in an IP network any equipment connected to
the corporate LAN can identify, store and play back the VoIP packets that traverse that LAN. Just as one does
not send confidential information on a postcard, one must take care to secure confidential VoIP conversations.
The use of shared media by VoIP systems opens the door to some uncertainty as to the source of a call, and may
require authentication. As in our post office comparison, anybody can drop a letter into a mailbox with your name
and return address. The anonymity of an unprotected, unauthenticated IP network makes it susceptible to hostile
use, such as prank calls, sending computer viruses or flooding the network.
Despite the above, the vulnerability of an authenticated, protected VoIP network to internal abuse does not markedly differ from traditional telephone networks.
Recommendations
Since there is no such thing as a secure IP network, only secure computing, one must secure the telephones, conversations,
computers, and servers. Set up a chain of trust for authentication (encryption), control access (passwords and
firewalls), encrypt for privacy, and employ call accounting software to establish accountability.
One can achieve some measure of security by strategically allocating subnets and choosing to use IP switches
instead of IP hubs. However, security considerations should not override routing and traffic accommodations. Firewalls
can and should be used to protect segments of a network from hostile traffic. This does not relieve each network
device from protecting itself and filtering out undesired communications. Physical and network access to any VoIP
server that is used to authenticate users, that controls access to the public telephone network, or that contains
potentially confidential information should be locked down and treated with the same security precautions as any
server with a confidential database.
Securing a VoIP network against employee abuse is achieved by assigning accountability. Distributing call accounting
reports and charging back for usage, as in a telephone switch network, will accomplish this.
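
One way to produce the call accounting report described above, as an added example that is not from the original article. The CSV call-record layout, user names, numbers and flat per-minute rate are all constructed assumptions. Calls with no authenticated user are listed separately, since they cannot be charged back to anyone.

```python
import csv
import io
from collections import defaultdict

# Constructed sample call records (not from a real system). Assumed columns:
# start time, authenticated user ("" when the call was not authenticated),
# source extension, dialed number, duration in seconds.
SAMPLE_CDR = """\
start,auth_user,extension,dialed,seconds
2024-03-04T09:12:00,alice,2001,15555550100,300
2024-03-04T09:40:00,bob,2002,15555550101,90
2024-03-04T10:05:00,alice,2001,15555550102,61
2024-03-04T23:50:00,,2002,15555550103,1200
2024-03-05T08:30:00,bob,2002,15555550104,0
"""

RATE_CENTS_PER_MINUTE = 5  # assumed flat rate for illustration


def billable_minutes(seconds):
    """Round up to whole minutes; unanswered calls (0 s) cost nothing."""
    return -(-seconds // 60)


def chargeback(cdr_text, rate=RATE_CENTS_PER_MINUTE):
    """Return (per-user totals, list of calls with no authenticated user)."""
    # Unauthenticated calls cannot be assigned to a person, so they are
    # reported separately instead of being billed to the extension.
    totals = defaultdict(lambda: {"calls": 0, "minutes": 0, "cents": 0})
    unattributed = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        minutes = billable_minutes(int(row["seconds"]))
        if not row["auth_user"]:
            unattributed.append((row["start"], row["extension"], row["dialed"], minutes))
            continue
        entry = totals[row["auth_user"]]
        entry["calls"] += 1
        entry["minutes"] += minutes
        entry["cents"] += minutes * rate
    return dict(totals), unattributed


if __name__ == "__main__":
    totals, unattributed = chargeback(SAMPLE_CDR)
    for user, t in sorted(totals.items()):
        print(f"{user}: {t['calls']} calls, {t['minutes']} min, ${t['cents'] / 100:.2f}")
    for start, ext, dialed, minutes in unattributed:
        print(f"UNATTRIBUTED {start} ext {ext} -> {dialed} ({minutes} min)")
```
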
In summary, the burden of security in VoIP networks shifts to a marked degree from the carrier to the IT or Telecom
department. VoIP network security is not a network issue but a server issue. That understood, you will reap the
full benefits of this new technology.