Voice over IP exposed

VOIP can lower telecom costs and help with network consolidation -- and cause security problems if not handled right.

Editor's note: This is the last of a three-part series on networking. The first part, which appeared in the June 13 issue of Federal Computer Week, focused on efforts to consolidate networks. The second part, which appeared in the June 20 issue, focused on satellite communications.

If you are thinking of adding voice-over-IP capabilities to your existing infrastructure without upgrading network security, think again. You could be inviting disaster. Agency officials can't expect security systems designed to protect data traffic to adequately secure their VOIP communications, experts say.

"The idiosyncrasies of voice data may strain your security system to the breaking point," said Richard Kuhn, a computer security specialist at the National Institute of Standards and Technology. "You definitely need specialized security products and different architectures when moving to VOIP."

NIST recently issued a report titled "Security Considerations for Voice Over IP Systems," which focuses on security problems and recommendations for secure communications.

Basically, with VOIP, voice data generated during a phone call moves in packets via internal IP networks or the Internet, just as Web pages and e-mail messages do.

A handful of agencies, such as the Education and Defense departments, are in various stages of deploying VOIP, seeking the lower costs and efficiency Internet telephony can offer compared with traditional phone communications.

VOIP can offer greater efficiency in a consolidated voice and data network by enabling users to receive calls on desktop computers. Users can also forward voice mail and e-mail from VOIP phones. Employees traveling to branch offices can have their full phone resources and office numbers transferred to their temporary locations. Additionally, VOIP can be used to keep communications running during a disaster or emergency, giving employees access to their phone resources from IP phones at other locations.

But as agencies explore the benefits of VOIP, they must strengthen firewalls, gateways, encryption and authentication methods, and other security components to better protect such traffic, experts say.

VOIP hubs can be hacked more easily than traditional PBX phone switches. Even if hackers can't eavesdrop on conversations, they will have access to routing data, such as the number of calls to and from each user, according to a report by the Cyber Security Industry Alliance. Moreover, automated tools can send spit, the VOIP version of spam, to all voice mailboxes within a certain range of the provider, address space or area code.

Traditional firewalls might not be as effective in blocking attacks on combined voice and data networks. Firewalls examine packets and block suspected ones at the digital communications port. However, phone calls require opening many communications ports on the firewall — some sessions may need 10 or more ports. Firewalls that aren't configured for VOIP security might leave a large number of ports continually open, increasing the network's vulnerability.

To compound the problem, voice communications are more time-sensitive than data or even video. Firewalls that look too deeply into voice packets or block too many of them can degrade the quality of phone service. Few users would notice if data packets are slow getting through the firewall, resulting in a slight delay in loading Web pages or even a short pause in a video.

But "3 [percent] to 5 percent loss of data packets in a VOIP, and your system is unusable," Kuhn said. A few seconds of latency and jitter, and users will hang up and reach for their cell phones, he said.

Kuhn said that although VOIP technology is still emerging, a sufficient number of proprietary products are available to secure a VOIP network. For example, a stateful inspection firewall, which validates traffic by inspecting the contents of packets up through the application layer, can dynamically open and close the correct ports. Still, setting up a secure VOIP network is not merely a matter of purchasing the right products. Kuhn said it requires an overall strategy in which you add to the network incrementally and test each phase as you go.

That's the plan at Education. The department's initial forays are all within its internal network.

"The current system is a hybrid," said Peter Tseronis, Education's director of converged communications and networking. "If I'm calling someone at Education, I dial a certain prefix on my phone, and it goes over the IP network. If I'm dialing out, it goes over the traditional lines."

Aside from deploying VOIP services to more users, a future step at Education might be to provide voice and video via the Internet to some users. That will allow those users to hold videoconferences and take advantage of VOIP while at home or on the road.

Many experts expect that most government agencies will follow Education's strategy of getting its internal VOIP network in place before running VOIP services on the public Internet. Roger Farnsworth, marketing manager for secure IP communications at Cisco Systems, said that besides enhancing security, restricting VOIP services to an internal network or virtual private network eliminates compatibility issues.

The industry currently supports two VOIP standards: H.323 and Session Initiation Protocol (SIP). H.323 allows dissimilar devices to communicate with one another by using a standard protocol. SIP is a standard for initiating an interactive user session that involves multimedia functions such as video, voice and chat. SIP is gradually replacing H.323, but most experts suggest buying components that can support both.

But doing so doesn't mean that agency officials will be able to easily and safely use VOIP outside their networks. "There are differences among vendors' implementations of those standards so that you can't count on two different systems interoperating the way you'd like," Farnsworth said. For example, it is difficult to use encryption with VOIP when traffic is moving across two vendors' systems, he said.

Although Farnsworth acknowledged that government agencies need to use caution in setting up their systems, they can take some comfort in the knowledge that eavesdropping on unencrypted voice communications is more difficult than capturing and reading e-mail messages via the Internet.

"It's not a trivial matter to intercept a VOIP packet stream and reassemble it and come up with usable playback," Farnsworth said.

Nevertheless, NIST experts advise users to consider using encryption at the router or other gateway instead of at the VOIP phones. Most VOIP phones are not powerful enough to perform encryption quickly. However, some newer phones offer Advanced Encryption Standard at a reasonable price.

Keeping services available

For many organizations, availability is at least as important as security. "When users pick up a VOIP phone, they have the same expectations as when they pick up a plain old telephone," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "They want an immediate dial-tone and no delay in placing a call."

For the government, expectations come not only from employees using VOIP phones but also from residents who don't know or care what technology the phones use; they just want to get through quickly.

"The phone is what enables a lot of national security and emergency services," Kurtz said. Accordingly, he and others suggest a layered approach, with sufficient redundancy built in to provide the availability appropriate to the service.

Even for agencies not involved in emergency preparedness, customer service requirements demand availability levels above 90 percent.

Lodovico Loquercio, principal network solutions architect at Nortel Federal Solutions, said a voice-grade local-area command and control network must be designed to ensure that there is no single point of failure.

"Before going live, prove that if any element fails, your session will remain up and the redundant equipment will take over in 2 seconds or less," he said.

That goal does not come cheaply. "In many cases, in order to get [99.999 percent] uptime and security, it may require a complete rip-out or at least a major refresh of technology," Loquercio said.

He estimates that for DOD to replicate its current level of voice communication service, which includes functions unique to the military and end-to-end security, it would have to spend tens of billions of dollars.

Not all agencies need that level of service, but ensuring satisfactory uptime will help sell the project to managers. Jim Dolezal, lead telecommunications consultant at Suss Consulting, expects that concerns about downtime will delay many projects for at least two years.

"I think senior managers in agencies are concerned when their [local-area network] goes out and the restore is far longer than they are initially told to expect," Dolezal said. "They don't want to have that happen to their voice communications."

In addition, he sees a cultural problem in agencies that maintain separate staffs for phone and data networks. "They are moving closer, but they are not yet one and the same, and that's what will be necessary for VOIP to work," he said.

Major VOIP vendors can provide secure, highly available enterprise-level systems, but the technology is still emerging.

"Right now, it's hard to get a complete picture of what a fully mature VOIP system that works across many government agencies and in use by private citizens will contain," Kuhn said.

So far, all solutions use proprietary elements, which limits interoperability. But Kuhn said open-system products might become available in the next two to four years. "At that point, we may be looking at a system that looks much more like the standard phone communications we're all used to," he said.

Stevens is a freelance journalist who has written about information technology since 1982.

Problems with voice over IP

Voice over IP can offer organizations lower telecommunications costs and greater network efficiency through convergence of voice, data and video. But there are some security issues that users need to address. Here are a few findings.

  • Caller ID services, including those used by first-responder organizations, are often bypassed by VOIP.
  • VOIP network hubs can be hacked much more easily than PBX phone switches. Hackers can't eavesdrop on conversations, but they will have access to routing data.
  • Automated tools can send spam over Internet telephony (spit), the VOIP version of spam, to all voice mailboxes in a given range of the provider, address space or area codes.
  • Conversations over IP can be recorded, duplicated and quickly distributed to anyone beyond the original audience.
  • Wireless devices will further complicate VOIP security.

Source: Cyber Security Industry Alliance

10 steps to build a secure voice-over-IP network

The National Institute of Standards and Technology recently issued a report titled "Security Considerations for Voice Over IP Systems." Below are 10 recommendations from that report:

  • Understand your agency's level of knowledge and training in VOIP technology before beginning a project. Also evaluate the maturity and quality of your security practices, controls, policies and architectures.
  • Consider creating separate voice and data networks to protect each one when using products designed for specific types of packets.
  • Provide a mechanism to allow VOIP traffic to pass through firewalls effectively. Use packet filters that can track the state of connections and block packets from calls that did not originate properly.
  • Consider using encryption at routers or other gateways to improve performance, instead of at the VOIP phones.
  • Make sure there is adequate physical security. Unless the VOIP network is encrypted, anyone with physical access to a local-area network could potentially connect monitoring tools and tap phone conversations.
  • Give special consideration to finding ways to provide E911 emergency services.
  • Include costs for additional power backup systems when figuring the cost of a VOIP project.
  • Avoid the use of "softphone" systems, which implement VOIP using an ordinary PC with a headset and special software. The worms, viruses and other malicious software that are common on PCs can migrate to the VOIP system.
  • If mobile devices are integrated with the VOIP system, choose products that rely on Wi-Fi Protected Access rather than Wired Equivalent Privacy, which can be cracked with publicly available software.
  • Review statutory requirements regarding privacy and record retention with legal advisers. Laws and rulings governing interception or monitoring of VOIP lines and retention of call records can differ from those for conventional phone systems.

Source: National Institute of Standards and Technology
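As an added illustration, not code from the NIST report or the article, this simulated SIP-aware stateful filter shows the mechanism behind the article's firewall discussion and the third recommendation above: it learns the media ports from the SDP body of a call placed from inside, opens only those ports (RTP and the RTCP port above it) toward the negotiated peer, refuses to open anything for a call that did not originate properly, and closes the ports on BYE. The SIP messages, addresses and Call-IDs are constructed, and the model assumes symmetric RTP and ignores re-INVITEs and other cases a production firewall must handle.

```python
import re
from dataclasses import dataclass, field

# Constructed SIP messages (not real traffic): an internal phone at 10.0.0.5 calls
# an outside party at 203.0.113.7; the SDP "c=" and "m=" lines carry the media endpoints.
INVITE = ("INVITE sip:bob@example.gov SIP/2.0\r\nCall-ID: call-1@10.0.0.5\r\n\r\n"
          "v=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: call-1@10.0.0.5\r\n\r\n"
          "v=0\r\nc=IN IP4 203.0.113.7\r\nm=audio 3456 RTP/AVP 0\r\n")
BYE = "BYE sip:alice@10.0.0.5 SIP/2.0\r\nCall-ID: call-1@10.0.0.5\r\n\r\n"
# An unsolicited INVITE arriving from outside: it did not originate properly, so it opens nothing.
ROGUE = ("INVITE sip:alice@10.0.0.5 SIP/2.0\r\nCall-ID: rogue-9@198.51.100.9\r\n\r\n"
         "v=0\r\nc=IN IP4 198.51.100.9\r\nm=audio 7000 RTP/AVP 0\r\n")

def sdp_media(msg):
    """Return (ip, port) of the audio stream announced in an SDP body, or None."""
    ip = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
    port = re.search(r"^m=audio (\d+) RTP/AVP", msg, re.M)
    return (ip.group(1), int(port.group(1))) if ip and port else None

def call_id(msg):
    m = re.search(r"^Call-ID: (\S+)", msg, re.M)
    return m.group(1) if m else None

@dataclass
class SipAwareFirewall:
    pending: dict = field(default_factory=dict)   # Call-ID -> inside media endpoint (INVITE seen)
    pinholes: dict = field(default_factory=dict)  # Call-ID -> (inside, outside) media endpoints

    def on_sip(self, msg, from_inside):
        """Track signaling; open a media pinhole only for a call placed from inside."""
        cid, first = call_id(msg), msg.split("\r\n", 1)[0]
        if first.startswith("INVITE") and from_inside:
            self.pending[cid] = sdp_media(msg)
        elif first.startswith("SIP/2.0 200") and not from_inside and cid in self.pending:
            self.pinholes[cid] = (self.pending.pop(cid), sdp_media(msg))
        elif first.startswith("BYE"):
            self.pinholes.pop(cid, None)          # close the ports the moment the call ends

    def allow_udp(self, src, dst):
        """Admit UDP only if it matches a live pinhole: RTP on the negotiated port, RTCP on port+1."""
        for inside, outside in self.pinholes.values():
            for a, b in ((outside, inside), (inside, outside)):
                off = src[1] - a[1]
                if src[0] == a[0] and dst[0] == b[0] and off in (0, 1) and dst[1] - b[1] == off:
                    return True
        return False          # default deny: nothing is left continually open

def demo():
    fw = SipAwareFirewall()
    fw.on_sip(ROGUE, from_inside=False)
    rogue = fw.allow_udp(("198.51.100.9", 7000), ("10.0.0.5", 49170))  # no pinhole for rogue call
    fw.on_sip(INVITE, from_inside=True)
    fw.on_sip(OK_200, from_inside=False)
    rtp = fw.allow_udp(("203.0.113.7", 3456), ("10.0.0.5", 49170))     # negotiated RTP port
    rtcp = fw.allow_udp(("203.0.113.7", 3457), ("10.0.0.5", 49171))    # RTCP on port+1
    stray = fw.allow_udp(("198.51.100.9", 3456), ("10.0.0.5", 49170))  # right port, wrong peer
    fw.on_sip(BYE, from_inside=False)
    after = fw.allow_udp(("203.0.113.7", 3456), ("10.0.0.5", 49170))   # closed after BYE
    return rogue, rtp, rtcp, stray, after   # (False, True, True, False, False)

if __name__ == "__main__":
    print(demo())
```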
