
This convergence results in a number of broad threats: Toll Fraud, Eavesdropping, Caller ID Spoofing, Denial of Service, and yet another entry point for attacks. Toll Fraud is typically the result of poor configuration management of the Call Manager and its peripherals. Eavesdropping is a direct result of the myriad of tools for sniffing packets and recording .wav files, while Caller ID spoofing is both a service and a problem of misleading an individual or company. Denial of Service has been a problem in traditional PBX environments, but it was not seen as much there because of the lack of access to the control, administration and voice paths. With VoIP, all the issues of DoS and DDoS come into play, compounded by the sensitivity of voice to Quality of Service and its real-time nature. Finally, the additional entry points range from having yet another set of Network Elements and Administrative systems on the data network to opening many new pinholes on the firewalls to enable these services.
Barrie presented the major security components we need to look at: “The Operating System”, “Configurations”, “VoIP Protocols” and “Support Protocols”. Each component should be assessed, the risk understood, and appropriate remediation carried out.
Through the Looking Glass:
Today, as a CIO or a CSO, I have a new security issue to review: the Converged VoIP network. What do I do, and how do I prioritize this against my under-funded budget? Let us be practical and start from a familiar point: the building block of any application is the Operating System (OS). We need to assess its vulnerabilities as part of our normal course of action; no application can be any more secure than its Operating System(s). After establishing a baseline of the OS, applying patches and working with the vendor to remediate, we can move on.
The next step will be an assessment of the iPBX, PBX or Call Manager's configuration. Traditionally this has been a manual process, as identified by Brian: reviewing the configurations of each subscriber to minimize the chance of toll fraud, illegal use, poor calling patterns, etc. Today, tools like ETSS™ can review the configuration, and any changes to it, on a regular basis. This includes review of the default passwords, dialing plans, subscriber permissions and enabled features, and access to specific services.
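One way to automate the configuration review described above, as an added example that is not from the original article or from any tool it names: a Python check over a constructed subscriber export that flags default PINs, dialing permissions and enabled features, then reports what changed since the previous review. The CSV columns, default-PIN list, dialing prefixes and feature names are all assumptions chosen for illustration.

```python
import csv
import io

# Constructed sample export; the column names are hypothetical, not a vendor format.
SAMPLE_EXPORT = """extension,voicemail_pin,class_of_service,call_forward_to,features
1001,1001,internal,,voicemail
1002,0000,international,,voicemail;disa
1003,582931,national,0119005550100,voicemail
1004,749215,internal,,voicemail
"""

DEFAULT_PINS = {"0000", "1234", "1111", "9999"}  # assumed default or trivial PINs
EXTERNAL_PREFIXES = ("9", "011", "00")           # assumed outside-line prefixes
RISKY_FEATURES = {"disa", "remote_forward"}      # assumed remote-dial-out features


def audit_subscriber(row):
    """Return the list of findings for one subscriber row."""
    findings = []
    pin, ext = row["voicemail_pin"], row["extension"]
    if pin in DEFAULT_PINS or pin == ext or len(pin) < 6:
        findings.append("weak-or-default-pin")
    if row["class_of_service"] == "international":
        findings.append("international-dialing-enabled")
    if row["call_forward_to"].startswith(EXTERNAL_PREFIXES):
        findings.append("forward-to-external-number")
    enabled = set(filter(None, row["features"].split(";")))
    findings += [f"risky-feature:{f}" for f in sorted(enabled & RISKY_FEATURES)]
    return findings


def audit_export(text):
    rows = csv.DictReader(io.StringIO(text))
    report = {r["extension"]: audit_subscriber(r) for r in rows}
    return {ext: f for ext, f in report.items() if f}


def new_findings(previous, current):
    """Findings present in the current review that the previous one lacked."""
    changes = {}
    for ext, found in current.items():
        added = sorted(set(found) - set(previous.get(ext, [])))
        if added:
            changes[ext] = added
    return changes


if __name__ == "__main__":
    print(audit_export(SAMPLE_EXPORT))
```

Keeping each review's report and passing it as `previous` on the next run surfaces only the configuration changes that introduced new exposure.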
The VoIP protocols in use (H.323, MGCP, AIX and/or SIP) should be reviewed for inherent security risks. With SIP becoming one of the most prevalent VoIP protocols, and operators enabling multi-media services that use SIP, a strong understanding of this protocol and its capabilities is needed. Additionally, new firewall or IPS services that perform deep packet inspection on native SIP trunks need consideration.
The last major area is support protocols; many of these are the low-hanging fruit in the network. Currently our teams are very familiar with these services and protocols, like UDP, DHCP, DNS and TFTP. Our short-term action is to educate our support teams on the interaction of these protocols and services in the VoIP environment, and then perform security assessments on these supporting processes to understand dependencies and interactions so we may secure these avenues.