VoIP systems: Challenges And Solutions Part 4 Countermeasures & Conclusion
Countermeasures
This week is our finale to our 4 part series VoIP Systems: Challanges & Solutions. The various security issues mentioned above are major detriments to VoIP infrastructure and can cause large scale loss of money and intellectual property. Countermeasures for these security issues are given below in greater detail:
Encryption: Encryption has yet to be completely integrated into VoIP protocols – only end-to-end encryption techniques exist for current VoIP. The problem with encryption is that it may increase latency, jitter, bit error rate, error propagation and affect bandwidth. As is often the case with encryption, the implementation details are crucial to success. One should also be aware of the various levels at which encryption can be applied. Application layer encryption can provide end-to-end coverage but increase covert channel problems at firewalls and guards because of the traffics being encrypted. Virtual Private Networks (VPNs) and link encryptions can be used at the network layer but may require decryption and re-encryption at various points, leaving the message exposed briefly at some nodes. However encryption will also introduce delay, either during call setup or as latency during the session. If the encryption is not sufficiently fast, some form of voice compression may be required for effective use. IP phone to the server channel can be encrypted by using TLS. Signaling messages and voice streams are encrypted via TLS to establish secure and reliable data transfer between two systems.
Firewalls: The use of VoIP requires the adaptation of the firewalls in the network to allow access to ports used by VoIP and to allow out the various protocols VoIP use. Because an adversary could use these paths as well, configurations must be chosen carefully. Note that in this instance the concern is not so much about the impact on VoIP, as about the effect of the introduction of VoIP equipment and traffic on the security of the pre-existing data network. In a similar vein, it is unclear how VoIP can be incorporated across a network boundary protected by a guard. The inclusion of firewalls into front of VoIP traffic can also lead to performance issues for the system such as increased latency and Jitter. Firewalls can also be used to mitigate DDoS attacks against VoIP networks.
Traffic analysis: Deep packet inspection tools are essential to protect organizations from VoIP threats. VoIP packets are notoriously difficult inspect stripping useful data from the traffic requires high quality packet inspection tools. Such tools can attempt to look for hidden data within VoIP traffic, security devices such as NGFW’s and UTM’s offer deep packet inspection capabilities. These devices can analyze network traffic and attempt to detect the data leaving the network and stop it before it does.
Improved network security: Improved network security is important for VoIP security particularly to prevent call interception. Wireless networks in the enterprise should be properly secured to prevent tampering and wardriving attacks as they allow easy access to the VoIP network.
Authentication mechanisms: IP phones should carry certificates to verify its identity on the VoIP network. Ideally the certificates in IP phones are signed by certificate authority and are verified by the certificates store that is present in the server.
Apply appropriate patches: Apply appropriate patches to VoIP applications. All patches have to be applied via the ITIL framework to ensure the patches are deployed smoothly. A threat intelligence service can be subscribed to get the latest patch and its workaround in a timely manner.
Turn off unnecessary protocols: Depending upon the vendor you use for VoIP systems it should be hardened by disabling unused services in the system. This will stop intruders to exploit security vulnerabilities to a limit. Best practices and recommendations are available in all vendor sites or can be received by subscribing to a threat intelligence feed.
Physical security and awareness: VoIP gateways should be properly secured in data centres and controls should be in place to prevent unauthorised physical access to such machines. The best prevention against Vishing attacks is user awareness proper training should be given to employees to ensure that they do not inadvertently release sensitive information to malicious third parties.
Conclusion
The number of VoIP implementations in organisations is changing dramatically and many exploit tools are introduced in the market to bring down the VoIP systems. It is necessary for us to safeguard our VoIP systems by properly designing, deploying and analysing VoIP traffic on a daily basis. Organisations should be prepared to handle such types of attacks and closely consider new solutions to improve the current practice.
Wewould like to thank you for your interest in our series. Please like us on Facebook. Contact us for a free consultation, site survey, and cost analysis at (210) 402 5455 or direct dial (210) 538 9683
