
Securing VoIP networks with defense in depth

To ensure secure, reliable voice communications and reap the benefits of convergence, corporations must understand the security risks and formulate strategies to mitigate them.

The economics of voice over IP (VoIP) are so compelling that many enterprises are moving to VoIP for intra-office calls, international calls, and, as phone quality has improved, to handle overall corporate voice communications. However, VoIP presents many new security risks and challenges that have, until recently, taken a back seat to voice quality and cost-efficiency concerns among vendors and users. The fact is, VoIP networks are susceptible to all the same security risks as traditional IP data networks -- including denial of service (DoS) attacks, viruses, worms, unauthorized access, privacy violations, and spoofing -- as well as a host of others. And for companies that have converged voice and data networks, an attack on either system can be catastrophic, affecting the entire communications network.

Dave Roberts

To ensure secure, reliable voice communications and reap the benefits of convergence, corporations must understand the security risks and formulate strategies to mitigate them. Following are examples of how several common security threats affect voice networks.

Denial of service, viruses, and worms: Many VoIP systems rely on Windows operating systems, and thus are susceptible to DoS, virus, and worm attacks. One attacked component can bring down an entire phone system and serve as a starting point from which the attack can spread throughout the converged voice and data network.

Toll fraud and unauthorized access: Theft of service, or "phreaking," has long been a problem in traditional phone networks. In converged VoIP networks this risk increases because of the open nature of many enterprise data networks and their vulnerability to service theft via spoofing or man-in-the-middle attacks.

Spoofing: Unauthorized access to the VoIP network allows attackers to spoof known source or destination addresses of VoIP terminals, creating both privacy and theft-of-service risks.

Port scanning: Port scanning is a common first step in many attacks on VoIP and data networks. Detecting and preventing this activity can stop attacks before they happen.
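As an added illustration of the detection side of this point (example code written for this page, not from the article or its author), the following Python detector reads connection-log lines and flags any source that touches many distinct destination host/port pairs within a short window, which is the signature of a scan against a voice zone. The log format, the 10.10.20.0/24 "voice zone" addresses, and the threshold values are all constructed assumptions; real firewall or IPS logs will differ in layout but carry the same fields.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article). 10.10.20.0/24 stands in for a
# hypothetical voice zone; 192.168.5.0/24 for the data-user zone. One source
# sweeps several hosts and ports in a few seconds; the phones only talk SIP/RTP.
SAMPLE_LOG = """\
2004-03-01T09:00:00 src=192.168.5.23 dst=10.10.20.10 dport=5060 proto=udp
2004-03-01T09:00:00 src=192.168.5.23 dst=10.10.20.10 dport=5061 proto=tcp
2004-03-01T09:00:01 src=192.168.5.23 dst=10.10.20.10 dport=22 proto=tcp
2004-03-01T09:00:01 src=192.168.5.23 dst=10.10.20.10 dport=23 proto=tcp
2004-03-01T09:00:02 src=192.168.5.23 dst=10.10.20.10 dport=80 proto=tcp
2004-03-01T09:00:02 src=192.168.5.23 dst=10.10.20.11 dport=5060 proto=udp
2004-03-01T09:00:03 src=192.168.5.23 dst=10.10.20.11 dport=22 proto=tcp
2004-03-01T09:00:03 src=192.168.5.23 dst=10.10.20.12 dport=161 proto=udp
2004-03-01T09:00:05 src=10.10.20.15 dst=10.10.20.10 dport=5060 proto=udp
2004-03-01T09:00:06 src=10.10.20.16 dst=10.10.20.10 dport=5060 proto=udp
2004-03-01T09:00:07 src=10.10.20.15 dst=10.10.20.16 dport=16384 proto=udp
2004-03-01T09:05:00 src=192.168.5.40 dst=10.10.20.10 dport=5060 proto=udp
"""

# Assumed log layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Return a dict with timestamp, source and (dst, port, proto) target, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "target": (m["dst"], int(m["dport"]), m["proto"]),
    }


def detect_port_scans(lines, window_seconds=60, threshold=6):
    """Flag sources that reach >= threshold distinct (dst, port, proto) targets within the window.

    Lines are assumed to be in chronological order. Counting distinct targets rather
    than raw connections keeps a busy but legitimate phone (many calls to the same
    SIP port) from being mistaken for a scanner.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (timestamp, target) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["target"]))
        while q and ev["ts"] - q[0][0] > window:  # expire events outside the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold:
            alert = alerts.setdefault(
                ev["src"], {"src": ev["src"], "first_seen": q[0][0], "distinct_targets": 0}
            )
            alert["distinct_targets"] = max(alert["distinct_targets"], len(distinct))
            alert["last_seen"] = ev["ts"]
    return list(alerts.values())


def sources_to_block(alerts):
    """Sources a zone firewall or IPS would be told to drop, derived from the alerts."""
    return sorted(a["src"] for a in alerts)


if __name__ == "__main__":
    found = detect_port_scans(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"scan from {a['src']}: {a['distinct_targets']} targets "
              f"between {a['first_seen']} and {a['last_seen']}")
    print("block:", sources_to_block(found))
```

The window and threshold are tunable per zone: a voice-server zone that should only ever see SIP and RTP from phones can use a much lower threshold than a general data segment, which is one of the practical payoffs of segmenting first and detecting second.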

Data networks have witnessed dramatic proliferation of new Internet-borne attacks and malicious activities in recent years, and the threats are predicted to increase in 2004. VoIP networks are not immune. Today's attacks are able to bypass perimeter security, exploit many data and VoIP vulnerabilities and then run unimpeded throughout the network. While there's no silver bullet in security, one effective way to minimize the proliferation of fast-moving attacks is for enterprises to adopt a layered, defense-in-depth security strategy.

With defense in depth, the network is segmented into secure zones protected by layers of firewall, intrusion prevention, and other security services. This enables organizations to logically separate and secure voice and data networks in front of individual voice and data components and between interactive points in the network. Unlike perimeter security functions, these zones can inspect and broker access between VoIP and data interaction points, detect attacks that bypass perimeter security, and prevent rapid spread throughout the converged network.
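The zoning described above can be made concrete as a default-deny policy between voice and data segments with an explicit allow list. The following Python model is an added example for this page, not code from the article; the zone address ranges, the zone names, and the port numbers (SIP on 5060/5061, an RTP media range, SSH management on 22) are assumptions chosen to look like a typical deployment rather than values taken from the text. It shows why a workstation in the data zone cannot reach the call manager at all, while a phone can reach it only on the signalling ports it actually needs.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout (constructed for this example).
ZONES = {
    "voice-phones": ipaddress.ip_network("10.10.20.0/24"),
    "voice-servers": ipaddress.ip_network("10.10.30.0/24"),  # call manager, voicemail
    "data-users": ipaddress.ip_network("192.168.5.0/24"),
    "mgmt": ipaddress.ip_network("10.0.99.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    ports: tuple  # inclusive (low, high) destination port range


# Explicit allow list between zones. Anything not matched below is denied,
# including traffic between two hosts inside the same zone.
ALLOW = [
    Rule("voice-phones", "voice-servers", "udp", (5060, 5060)),    # SIP signalling (assumed port)
    Rule("voice-phones", "voice-servers", "tcp", (5061, 5061)),    # SIP over TLS (assumed port)
    Rule("voice-phones", "voice-phones", "udp", (16384, 32767)),   # RTP media between phones (assumed range)
    Rule("mgmt", "voice-servers", "tcp", (22, 22)),                # admin access only from the mgmt zone
    Rule("mgmt", "voice-phones", "tcp", (22, 22)),
]


def zone_of(ip):
    """Name of the zone containing ip, or None when the address belongs to no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, dport):
    """Evaluate one flow against the zone policy; returns (allowed, reason)."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    if sz is None or dz is None:
        return False, "address outside every defined zone"
    for r in ALLOW:
        lo, hi = r.ports
        if (r.src_zone, r.dst_zone, r.proto) == (sz, dz, proto) and lo <= dport <= hi:
            return True, f"{sz}->{dz} {proto}/{dport} permitted"
    return False, f"{sz}->{dz} {proto}/{dport} not in allow list (default deny)"


def audit_flows(flows):
    """Return the subset of (src, dst, proto, dport) flows the policy would block."""
    return [f for f in flows if not is_allowed(*f)[0]]


if __name__ == "__main__":
    # Constructed sample flows: legitimate phone traffic mixed with probes from the data zone.
    sample = [
        ("10.10.20.15", "10.10.30.10", "udp", 5060),   # phone registers with call manager
        ("10.10.20.15", "10.10.20.16", "udp", 20000),  # RTP between two phones
        ("192.168.5.23", "10.10.30.10", "udp", 5060),  # workstation talks SIP to call manager
        ("192.168.5.23", "10.10.30.10", "tcp", 22),    # workstation tries SSH on call manager
        ("10.0.99.5", "10.10.30.10", "tcp", 22),       # admin host does the same from mgmt zone
        ("10.10.20.15", "10.10.20.16", "tcp", 22),     # one phone tries SSH on another
    ]
    for flow in sample:
        ok, why = is_allowed(*flow)
        print("ALLOW" if ok else "DENY ", why)
```

The same allow list is what an IPS placed at the zone boundary would use as its baseline: any flow outside it is either a misconfiguration or an attack that has already got past the perimeter, so it is both blocked and logged rather than silently dropped.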

Providing defense in depth with security appliances in even a moderate-sized network can require dozens to hundreds of security devices. Adding more routers, firewalls, and intrusion prevention systems to the network introduces latency to the voice stream and degrades voice quality -- unacceptable by-products of a sensible security plan.

Virtualized security systems offer one solution for implementing layered security in VoIP networks while preserving voice quality. With a virtualized security system, users can place firewall, intrusion prevention, and other security resources exactly where they are needed in the converged voice and data network -- all with point-and-click simplicity. These virtual services meet logical security needs with fewer physical devices, so a layered security model is more cost-effective to deploy and easier to manage. In comparison to traditional single-function security devices, a virtualized security system introduces minimal latency to voice streams, because it reduces the number of parsing and reassembly points a packet traverses when traveling through the network.

By using a virtualized defense-in-depth solution to segment and secure zones within the network, users can protect themselves from widespread damage wrought by VoIP application layer attacks, call interception and packet sniffing, unauthorized management access, toll fraud, DoS attacks, and broadcast storms. A VoIP network with defense-in-depth security can effectively contain attacks that make it past the perimeter and minimize damage to critical communications assets.

VoIP networks introduce a variety of new risks that corporations must address to secure their most important communications infrastructures. Mitigating these risks requires layered, defense-in-depth security. Virtualized security systems can help make layered security a reality while cost-effectively maintaining voice quality. The convergence of voice and data networks has changed the security landscape significantly, and making defense in depth a part of this new landscape is a necessity for users planning to migrate to VoIP.

This was last published in March 2004
