I am going to make weekly posts with excerpts
from our Voice and Unified Communications: State of Security Report. It is
available at:
http://www.securelogix.com/sos/
There are a number of reports and surveys on general data security. These are good reports,
but they only mention voice, VoIP, and UC security in passing. I believe this is
because UC security, viewed as a data-only security issue, hasn't really
developed yet. These data-oriented reports don't focus on the application-level
issues that affect UC networks (harassing calls, toll fraud, social
engineering, TDoS, etc.).
Some
reports are based on surveys. The report we generated is based upon data from
hundreds of UC security deployments. The report includes 3 major sections:
- Threat overview – where the threat is now and why it is getting worse.
- Threat taxonomy – provides a simplified taxonomy of the key (less than 10) threats.
- Real-world data – data and information that backs up our threat assessment.

We also make predictions of where the threats are going.
Voice network security has been an issue for years for
enterprises, with voice application threats such as toll fraud, social
engineering, harassing calls, and modem abuse posing the largest threats.
However, with the proliferation of VoIP/UC in both the service provider and
enterprise networks, the threat to voice networks has dramatically increased.
This is not because VoIP itself is being attacked through packet
vulnerabilities, but rather that VoIP creates many new vectors of attack and makes
the overall voice network more vulnerable and hostile. Attackers do not target
VoIP per se; they leverage VoIP to perform the same voice application attacks
they have been perpetrating for years. Even the PSTN, which used to be mostly a
closed network, has become much more hostile due to the proliferation of VoIP
call origination: it is increasingly resembling the Internet from a security
standpoint. Also, social networking sites such as Facebook and Twitter are
being used to organize mass calling campaigns, creating a new method of
generating harassing calls or even Denial of Service (DoS) attacks.
The following diagram illustrates several concepts,
including how campus/internal VoIP has changed (and not changed) the voice
network threat level.
This diagram and the two that follow use a
simplified enterprise voice network to illustrate several concepts. In this
voice network, the IP PBX is shown as a collection of servers providing various
functions. This is typical of a modern IP PBX, which uses many different
devices to provide different services. A large enterprise often duplicates this
configuration for each site, likely using equipment from multiple vendors. The
diagram also shows different user devices, such as IP phones, softphones on the
data VLAN, fax machines, modems, and legacy phones.
Internal/Campus VoIP systems are complex and
involve many servers and components. A typical IP PBX has many devices and many
protocols that are exchanged over the internal network. Large enterprises have
many separate systems, configurations, and equipment from multiple vendors.
These systems offer many operating systems, network stacks, applications,
protocols, and configurations to attack. The primary threats to these systems are
different forms of Denial of Service (DoS) and eavesdropping.
The major IP PBX and VoIP vendors are progressively
doing a better job of securing their systems, including improving default
configurations and offering security features, such as encryption. However,
security is often not the primary consideration during deployment of new voice
network systems, and quite a few vulnerabilities exist. This is especially true
for critical devices, such as call control, media gateway, and support servers.
It is also particularly true for highly critical voice applications, such as
contact centers.
Internal VoIP vulnerabilities are similar to those
in other critical internal enterprise applications. Different forms of DoS and
eavesdropping represent the greatest vulnerabilities. An attacker with internal
network access and the right motivation and tools can attack these devices.
However, if an attacker has internal access to a corporate network, broader
security issues are present than just voice security. The good news, and this
is very important, is that other than disruption and selected eavesdropping
scenarios, no significant financial incentive exists to exploit these internal
vulnerabilities. Virtually no publicized, real-world attacks have occurred on
internal/campus VoIP networks. SecureLogix has conducted numerous
internal/campus VoIP network assessments and identified only a few actual
attacks, and these focused on an existing voice application attack not unique
to VoIP—toll fraud. SecureLogix recommends that enterprises always follow good
data networking security practices when deploying internal/campus VoIP systems.
These best practices include defining a corporate security policy, prioritizing
network security, securing critical servers, and using the security features each
vendor provides. However, the threat level does not justify deployment of
specialized VoIP security devices to secure the internal/campus VoIP network.
As shown in the diagram above, the connection to
the service provider is still TDM in the majority of enterprises. The IP PBX
uses an integrated or separate device that provides the media gateway function.
The diagram also shows the Public Voice Network, which is an evolution of the
PSTN, where much of the call origination and transport uses VoIP. The real
threat lies in the connection to the Public Voice Network. Attackers do not
attack VoIP itself; rather, they attack the voice application and network,
often using VoIP to enable, simplify, and/or reduce the cost of the attack. The
real threats to voice networks are the types of attacks that are always present
at the voice application layer, whether the underlying network is legacy TDM,
VoIP, or a combination. Attackers exploit voice networks for a reason, such as
stealing usage, engaging in social engineering, harassing users, instigating disruption,
and making money. They do not care what the transport technology is, unless, of
course, VoIP makes it easier to execute the attacks.
As shown in the above diagram, the major threats to
enterprise voice networks are toll fraud, social engineering, and modems. These
threats have been high for years, and VoIP availability is either making them
worse or keeping them constant. Threats such as harassing calls and Telephony
DoS (TDoS) have historically been a medium threat, but as described in
subsequent sections, are getting worse.
The diagram above shows a voice firewall on the
connections to the Public Voice Network, because that is the best practice for
dealing with the most critical threats. The diagram also shows attackers lurking
on both the internal network and in the Public Voice Network.
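To make the voice-application-layer point concrete, here is an added example (not from the report or from SecureLogix's products) of the kind of call-pattern checks a voice firewall or CDR monitor applies at the Public Voice Network boundary: a burst of inbound calls to one number (the TDoS / harassing-call pattern) and after-hours international calls from an internal extension (a toll fraud indicator). The CDRs, thresholds, and the "+1 is domestic" numbering assumption are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample CDRs, not real data: (timestamp, direction, source, destination)
SAMPLE_CDRS = [
    ("2012-03-05 09:00:00", "in",  "+15550001001", "+15551234500"),
    ("2012-03-05 09:00:05", "in",  "+15550001002", "+15551234500"),
    ("2012-03-05 09:00:12", "in",  "+15550001003", "+15551234500"),
    ("2012-03-05 09:00:20", "in",  "+15550001004", "+15551234500"),
    ("2012-03-05 09:00:31", "in",  "+15550001005", "+15551234500"),
    ("2012-03-05 09:15:00", "in",  "+15550002000", "+15551234501"),
    ("2012-03-05 10:30:00", "out", "2204",         "+15559876543"),
    ("2012-03-06 02:10:00", "out", "2204",         "+442071234567"),
    ("2012-03-06 02:14:00", "out", "2204",         "+442071234568"),
]

def parse(cdrs):
    """Turn the string timestamps into datetime objects; other fields unchanged."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), d, s, dst)
            for ts, d, s, dst in cdrs]

def detect_tdos(cdrs, threshold=5, window_s=60):
    """Return destinations that received >= threshold inbound calls within window_s seconds.
    A sliding window per destination number is kept in a deque."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, direction, _src, dst in sorted(parse(cdrs)):
        if direction != "in":
            continue
        q = recent[dst]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()          # drop calls that fell out of the window
        if len(q) >= threshold:
            alerts.add(dst)
    return sorted(alerts)

def detect_after_hours_international(cdrs, start_hour=8, end_hour=18):
    """Return (extension, destination) for outbound international calls outside business
    hours. Assumption: E.164 numbers not starting with +1 are international."""
    hits = []
    for ts, direction, src, dst in parse(cdrs):
        international = dst.startswith("+") and not dst.startswith("+1")
        off_hours = not (start_hour <= ts.hour < end_hour)
        if direction == "out" and international and off_hours:
            hits.append((src, dst))
    return hits
```

The same checks work whether the trunk is TDM or SIP, which is the point of the post: the policy lives at the call layer, not the transport layer.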