VoIP Security Basics

In this topic we will discuss some VoIP security basics. The main components of security include authentication, authorization, availability, confidentiality, and integrity; protection of each of these always needs to be discussed.

Authentication

The authentication process in most VoIP deployments occurs at the session layer. When an endpoint connects to the network or places a phone call, authentication takes place between the VoIP phone and the supporting servers, such as SIP registrars, H.323 gateways, or IAX Asterisk servers. Media protocols, such as RTP or the media portion of IAX, do not require authentication because it has already occurred during session setup. While the use of authentication is always a good thing, the use of insecure or poor authentication mechanisms is not. Unfortunately, SIP, H.323, and IAX all use weak authentication mechanisms.

The most common default authentication types for each signaling protocol are:

SIP: Digest authentication

H.323: MD5 hash of the general ID (username), password, and timestamp

IAX: MD5 hash of the password and the challenge
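The SIP Digest and IAX MD5 constructions listed above, worked through from the registrar's side as an added example that is not part of the original post: the server recomputes the response from the shared password and rejects unknown or replayed nonces. All usernames, realms, passwords and nonces are constructed sample values, and the header parser is a minimal one for this illustration.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def sip_digest_response(username: str, realm: str, password: str,
                        method: str, uri: str, nonce: str) -> str:
    # RFC 2617 Digest without qop, as used in SIP REGISTER/INVITE challenges:
    # response = MD5(HA1 ":" nonce ":" HA2)
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def iax2_md5_response(challenge: str, password: str) -> str:
    # IAX2 MD5 authentication: MD5 over the challenge followed by the password
    return md5_hex(challenge + password)

def build_authorization(username: str, realm: str, password: str,
                        method: str, uri: str, nonce: str) -> str:
    # What a SIP User Agent sends back after a 401/407 challenge (constructed)
    resp = sip_digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def parse_digest_header(header: str) -> dict:
    # Minimal parser for 'Digest k="v", k2="v2"' (illustrative, not a full SIP parser)
    body = header.split(None, 1)[1]
    return dict(re.findall(r'(\w+)="([^"]*)"', body))

def registrar_verify(header: str, method: str, password: str,
                     issued_nonces: set, used_nonces: set) -> bool:
    # Server-side check: the nonce must be one we issued and not yet consumed,
    # and the recomputed digest must match (constant-time compare).
    p = parse_digest_header(header)
    nonce = p.get("nonce", "")
    if nonce not in issued_nonces or nonce in used_nonces:
        return False
    expected = sip_digest_response(p["username"], p["realm"], password,
                                   method, p["uri"], nonce)
    if not hmac.compare_digest(expected, p.get("response", "")):
        return False
    used_nonces.add(nonce)
    return True
```

Both constructions are plain MD5 over the password and a few cleartext fields, so anyone who captures the exchange holds everything but the password; that is the weakness the text refers to, and the reason the signaling path itself should be protected (see Encryption below).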

Authorization

Authorization on VoIP can sometimes be used for security purposes. For example, limiting certain VoIP endpoints' ability to dial specific phone numbers may be desirable. Permitting only certain devices to join the VoIP network may also help protect VoIP networks. It should be noted that authorization values are rarely used in enterprise VoIP deployments and are easy to bypass. Nonetheless, the following list shows which entities can be used as authorization parameters.

E.164 alias: Each H.323 endpoint contains an E.164 alias. E.164 is an international numbering system that comprises a country code (CC), a national destination code (NDC), and a subscriber number (SN). An E.164 alias can have up to 15 alphanumeric values and can be set either dynamically by a gatekeeper device or locally by the endpoint itself.

MAC: Media Access Control addresses are present on every Ethernet-enabled (OSI Layer 2) device. These addresses are sometimes used to authorize certain devices on VoIP networks.

URI: SIP does not really have an authorization value, but the Uniform Resource Identifier (URI) is a value that each SIP User Agent carries, and it can be used to authorize endpoints. Similarly, IAX has no authorization value, but the URI can be used in the same way.

Availability

VoIP networks need to be up and running most of the time, if not all of the time. Unlike other IT-managed services, such as email, calendaring, or even Internet access, users have grown to rely on telephones 100 percent of the time. Usually, users can tolerate hours when "the network is down," but they will not be very patient when they hear "the telephones cannot be used because of a Denial of Service attack." Having the ability to make reliable telephone calls is almost a mandate for VoIP. The methods used to ensure the VoIP network remains available are shown in the following list.

QoS: Quality of Service is used with VoIP. QoS defines quality requirements for certain types of packets and services. In many situations, audio packets are given priority over data packets using QoS.

Separating data networks and voice networks: Voice traffic is often placed on a separate network and/or VLAN, isolating it from data packets. While the Internet is not a series of tubes that could get clogged up, separating the voice network can isolate it from issues that appear on the data network, such as an unresponsive switch or router.

Encryption

The encryption of VoIP traffic can occur at multiple places, including the signaling or media layers. Because authentication occurs at the signaling layer and the audio packets are carried at the media layer, encrypting VoIP traffic in two different segments is often required. For example, protecting the signaling but not the audio leaves the actual conversation unprotected, while protecting the media but not the signaling leaves the authentication information unprotected. In all situations, the following items can be used to encrypt VoIP networks:

IPSec: Point-to-point IPSec gateways can be used to protect VoIP traffic over public or untrusted networks, such as the Internet. It should be noted that IPSec is often not used between endpoints because of the limited support for an IPSec client on VoIP devices.

SRTP: Secure Real-time Transport Protocol can be used with the Advanced Encryption Standard (AES) to protect the media layer during VoIP calls.

SSL: VoIP protocols can natively be wrapped with SSL (SIPS) or with Stunnel (H.323) to protect the signaling protocols.

Filed under: Security | Posted on December 8th, 2009 by admin


Copyright © 2010 Network Security. All rights reserved.