I am going to make weekly posts with excerpts from our Voice and Unified Communications: State of Security Report. It is available at:
There are a number of reports and surveys on general data security. These are good reports, but they only mention voice, VoIP, and UC security in passing. I believe this is because UC security, in terms of a data-only security issue, hasn't really developed yet. These data-oriented reports don't focus on the application-level issues that affect UC networks (harassing calls, toll fraud, social engineering, TDoS, etc.).
Some reports are based on surveys. The report we generated is based upon data from hundreds of UC security deployments. The report includes 3 major sections:
- Threat overview – where the threat is now and why it is getting worse.
- Threat taxonomy – provides a simplified taxonomy of the key (fewer than 10) threats.
- Real-world data – data and information that backs up our threat assessment.
We also make predictions of where the threats are going.
Voice network security has been an issue for years for enterprises, with voice application threats such as toll fraud, social engineering, harassing calls, and modem abuse posing the largest threats. However, with the proliferation of VoIP/UC in both service provider and enterprise networks, the threat to voice networks has dramatically increased. This is not because VoIP itself is being attacked through packet vulnerabilities, but rather because VoIP creates many new vectors of attack and makes the overall voice network more vulnerable and hostile. Attackers do not target VoIP per se; they leverage VoIP to perform the same voice application attacks they have been perpetrating for years. Even the PSTN, which used to be a mostly closed network, has become much more hostile due to the proliferation of VoIP call origination: from a security standpoint it increasingly resembles the Internet. Also, social networking sites such as Facebook and Twitter are being used to organize mass calling campaigns, creating a new method of generating harassing calls or even Denial of Service (DoS) attacks.
The following diagram illustrates several concepts, including how campus/internal VoIP has changed (and not changed) the voice network threat level.
This diagram and the two that follow use a simplified enterprise voice network to illustrate several concepts. In this voice network, the IP PBX is shown as a collection of servers providing various functions. This is typical of a modern IP PBX, which uses many different devices to provide different services. A large enterprise often duplicates this configuration for each site, likely using equipment from multiple vendors. The diagram also shows different user devices, such as IP phones, softphones on the data VLAN, fax machines, modems, and legacy phones.
Internal/Campus VoIP systems are complex and involve many servers and components. A typical IP PBX has many devices and many protocols that are exchanged over the internal network. Large enterprises have many separate systems, configurations, and equipment from multiple vendors. These systems offer many operating systems, network stacks, applications, protocols, and configurations to attack. The primary threats to these systems are different forms of Denial of Service (DoS) and eavesdropping.
The major IP PBX and VoIP vendors are progressively doing a better job of securing their systems, including improving default configurations and offering security features, such as encryption. However, security is often not the primary consideration during deployment of new voice network systems, and quite a few vulnerabilities exist. This is especially true for critical devices, such as call control, media gateway, and support servers. It is also particularly true for highly critical voice applications, such as contact centers.
Internal VoIP vulnerabilities are similar to those in other critical internal enterprise applications. Different forms of DoS and eavesdropping represent the greatest vulnerabilities. An attacker with internal network access and the right motivation and tools can attack these devices. However, if an attacker has internal access to a corporate network, broader security issues are present than just voice security. The good news, and this is very important, is that other than disruption and selected eavesdropping scenarios, no significant financial incentive exists to exploit these internal vulnerabilities. Virtually no publicized, real-world attacks have occurred on internal/campus VoIP networks. SecureLogix has conducted numerous internal/campus VoIP network assessments and identified only a few actual attacks, and these focused on an existing voice application attack not unique to VoIP—toll fraud. SecureLogix recommends that enterprises always follow good data networking security practices when deploying internal/campus VoIP systems. These best practices include defining a corporate security policy, prioritizing network security, securing critical servers, and using the security features each vendor provides. However, the threat level does not justify deployment of specialized VoIP security devices to secure the internal/campus VoIP network.
As shown in the diagram above, the connection to the service provider is still TDM in the majority of enterprises. The IP PBX uses an integrated or separate device that provides the media gateway function. The diagram also shows the Public Voice Network, which is an evolution of the PSTN, where much of the call origination and transport uses VoIP. The real threat lies in the connection to the Public Voice Network. Attackers do not attack VoIP itself; rather, they attack the voice application and network, often using VoIP to enable, simplify, and/or reduce the cost of the attack. The real threats to voice networks are the types of attacks that are always present at the voice application layer, whether the underlying network is legacy TDM, VoIP, or a combination. Attackers exploit voice networks for a reason, such as stealing usage, engaging in social engineering, harassing users, instigating disruption, and making money. They do not care what the transport technology is, unless, of course, VoIP makes it easier to execute the attacks.
As shown in the above diagram, the major threats to enterprise voice networks are toll fraud, social engineering, and modems. These threats have been high for years, and VoIP availability is either making them worse or keeping them constant. Threats such as harassing calls and Telephony DoS (TDoS) have historically been a medium threat, but as described in subsequent sections, are getting worse.
The diagram above shows a voice firewall on the connections to the Public Voice Network, because that is the best practice for dealing with the most critical threats. The diagram also shows attackers lurking on both the internal network and in the Public Voice Network.