
IP Telephony Security: Do Enterprises Really Care?

Dance like no one is watching; encrypt like everyone is.

Dave Stein

June 17, 2015




It seems not even a week goes by where you don't read about a security breach of some type. Retailers such as Target made big news in the last year or so, while current headliners include the federal government and even Kaspersky Labs. For the most part, the attacks on these organizations targeted data such as Social Security numbers, account information, etc., that could potentially be used by the perpetrators for financial gain. The federal government hack may have had more sinister goals -- time will tell.

With cyber-attacks and security breaches increasingly prevalent, we shouldn't leave the issue of security for voice systems out of the discussion. In the days when TDM was the dominant technology, security was primarily focused on preventing toll fraud. Enterprises did not have to worry much about denial-of-service attacks. Eavesdropping was also not much of an issue as it usually required physical access to the switch room or intermediate wiring closet where someone could physically bridge a call.

Today's network-based voice systems (whether premises- or cloud-based) have brought more attention to defending against potential exploits. How important is voice security to your organization? Regulated industries such as finance and healthcare have been required for quite some time to certify that their networks and other key systems are secure, through regulations like PCI and HIPAA. In my consulting practice, clients in non-regulated industries are just waking up to these issues. They must balance the potential security threat against the time, effort, and dollars that may be required to mitigate potential breaches. To these clients, I ask:

The list of potential security exploits and countermeasures is large. One vendor I'm working with on a significant implementation for a client has a 68-page voice security configuration checklist. They have also hired a reputable security analysis firm to 'attack' their system, a process that included over 10 million specific attack vectors. However, the main categories of attack I'm worried about for most of my clients are denial of service and eavesdropping.

Denial-of-service (DoS) attacks can come in many forms. High-performance session border controllers (SBCs) that are properly configured with integrated Layer 3 packet filters and traffic-rate limiters are excellent mitigation tools. Other DoS-type attacks target the SBC's Web resources by sending bogus HTTP service requests, exhausting the number of Web sessions available on the SBC. Procuring, configuring and maintaining an SBC is pretty much table stakes for securing enterprise-class IP Telephony systems.

What about eavesdropping? Often this is accomplished by a network-based man-in-the-middle attack, which Wikipedia defines as "an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other." One example of this type of attack is active eavesdropping. Man-in-the-middle attacks can be thwarted by good network security practices such as preventing IP address spoofing. However, in some organizations the network security may not be considered adequate, and the voice system must take on additional security measures such as encrypting signaling and media streams. (Andrew Prokop recently wrote an excellent No Jitter piece on building a secure SIP network; see it for more information.)

However, encryption comes with significant complexity that is often beyond the capabilities of voice engineers. It can also complicate management of the voice environment and require significant additional effort (establishing and maintaining the certificate authority in the case of TLS). With that being said, it may still be the right thing to do if the information discussed on voice calls is too sensitive to risk being intercepted.
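A practical way to check whether "encrypting signaling and media" has actually happened is to audit the SIP/SDP a system emits. The following is an added example (not code from the article or any vendor product) that inspects two constructed INVITE messages: it reads the Via transport for the signaling side (TLS or not) and the SDP m= profile and a=crypto line for the media side (SRTP or not), and flags the case where an SRTP key is offered over cleartext signaling. DTLS-SRTP offers (a=fingerprint) are outside its scope.

```python
import re

# Constructed sample: SIP over UDP, media offered as cleartext RTP/AVP.
CLEARTEXT_INVITE = (
    "INVITE sip:2001@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 10.0.0.5\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed sample: SIP over TLS, media offered as SRTP with an SDES key
# (the inline key value is a placeholder, not a real key).
SECURE_INVITE = (
    "INVITE sips:2001@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK777\r\n"
    "Call-ID: b95c5d87f77821\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 10.0.0.5\r\n"
    "m=audio 49172 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY\r\n"
)

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


def audit_invite(msg: str) -> dict:
    """Return the signaling transport and a list of cleartext findings."""
    head, _, body = msg.partition("\r\n\r\n")
    via = re.search(r"^Via\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    findings = []
    if transport != "TLS":
        findings.append(f"signaling over {transport}: SIP headers and SDP readable on the wire")
    sdp = body.split("\r\n")
    has_sdes_key = any(line.startswith("a=crypto:") for line in sdp)
    for line in sdp:
        if not line.startswith("m="):
            continue
        media, port, profile = line[2:].split()[:3]
        if profile not in SRTP_PROFILES:
            findings.append(f"{media} on port {port} offered as {profile}: media not encrypted")
        elif not has_sdes_key:
            findings.append(f"{media} on port {port} offers {profile} but carries no a=crypto key")
    # SDES puts the SRTP key inside the SDP, so it is only as secret as the signaling path.
    if has_sdes_key and transport != "TLS":
        findings.append("SRTP key in a=crypto sent over cleartext signaling")
    return {"transport": transport, "findings": findings}
```

Run it against a capture of your own system's INVITEs: an empty findings list with transport TLS is what "encrypted signaling and media" looks like on the wire.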

So it comes down to weighing the value of the information that might be hacked against the cost of securing it. Is it better to be safe than sorry regardless of the cost? My paranoid security friend has a saying, "Dance like no one is watching, encrypt like everyone is."

"SCTC Perspectives" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communication technology professionals serving clients in all business sectors and government worldwide.

About the Author

Dave Stein

Mr. Stein, a principal with Stein Consulting Group, has more than 30 years of consulting, information systems and telecommunications experience, with a primary emphasis on IP communications and technology infrastructure projects. He is nationally recognized for providing analysis and independent consulting for essential IT infrastructure including voice, data, wireless, AV, security, data center, mobility and unified communications. Mr. Stein is a joint venture partner of Technology Plus and is a UC Strategies designated UC Expert.

His expertise includes the entire technology lifecycle including needs assessment, process evaluation, operations impact, systems design, procurement and implementation project management for IP Telephony/Unified Communications, wireless, data center, cabling, facilities, LAN, WAN, network management, data security systems, telecommunications, technology relocation and construction projects. He is an excellent communicator and is skilled in dealing with management, facilities and technical personnel within IT and user communities. Mr. Stein has provided consulting services for assessing the effectiveness of IT organizations and developing governance models.

Mr. Stein's expertise includes technology planning and business case development for many significant technology infrastructure projects for both public- and private-sector clients. Previous engagements have included consulting for professional services firms (e.g., legal, financial), state and local governments, education (university and K-12), high tech, healthcare and entertainment. He is very effective in working with all levels of an organization.

Mr. Stein is a member of the Society of Communications Technology Consultants (SCTC). He holds a Bachelor of Science degree in Computer Science from Rensselaer Polytechnic Institute and has completed the 'Leadership and Management for Technology Professionals' program at University of California, Irvine. He speaks regularly at Enterprise Connect on a variety of topics and is a frequent contributor to No Jitter.

Mr. Stein can be reached at [email protected].