http://www.nwfusion.com/news/2002/0624voip.html Yes, but users say taking basic steps can limit security snafus. By Phil Hochmuth Network World, 06/24/02 As companies increasingly replace aging PBXs with IP telephony equipment, they are uncovering a host of security issues that might not have applied to old-world phone technology. While businesses need to consider issues such as voice-over-IP packet prioritization, voice quality and call features when planning a move to IP telephony, basic security of the IP PBX and phones should not be overlooked. This is especially true because much of the VoIP gear on the market is based on commodity operating systems and commonly hacked software, experts and VoIP veterans say. Just ask Carnival Cruises. The company found out the hard way that managing an IP telephony system is different from running phone systems based on traditional TDM technology. "Our [Cisco] CallManager got hit by the Nimda virus last year," says Tom McCormick, senior technical analyst with the Miami cruise line. "It was a demo box and it wasn't patched to protect against the latest viruses." Mc-Cormick says the Cisco IP PBX, which runs on a purpose-built Intel- and Windows-based server, was being used only by the IT department for evaluation, so the company's business was not affected by the crash. But the incident was an eye-opener. The system, which is in the company's live network now, has since been patched, and is monitored and maintained regularly for security fixes. For the most part, IP PBXs from vendors such as 3Com, Cisco, Avaya, Nortel, Alcatel and others are servers at the core. The boxes run call-control software on top of standard operating systems such as Windows NT and 2000, Linux and Unix. All of the products have standard IP stacks, which make them susceptible to denial-of-service or hacker attacks. Many IP PBXs also include Web-based ad-min-istration clients or configuration tools built on Microsoft Internet Information Ser-ver (ISS) and Apache Web server - platforms that are constantly be-ing pat-ched for security holes and bugs. With these phone systems now connected to the same LANs and WANs as end users and even the public data networks, experts say IP telephony users must be on guard. "With an IP PBX, you're dealing with a server, and it's just as vulnerable as any other computer on your network," says Mike Homer, manager of lab testing at Miercom, an independent IT testing and consulting firm and a member of the Network World Global Testing Alliance. "The idea of viruses or hacking might be totally new to you if you're coming from the TDM world to IP telephony," Homer says. But security has always been an issue in the telecom world, he adds, citing old problems such as toll fraud and other system misuse. "Those types of things still exist in the TDM world. It's just that IP telephony is new and sexy, so hacking from that standpoint is more attractive, and is more likely to happen than someone hacking a TDM system." If a company manages its IP PBX with the same due diligence as any other secure or mission-critical application - "such as a human resources application, or a server with all your customers' credit card information - it's not a problem," Homer says. On the IP PBX front line St. Paul, Minn., chemical manufacturer H.B. Fuller last year installed three redundant clusters of Cisco's Windows-based CallManager IP PBXs to provide IP phone connectivity to 20 remote sites over its VPN. By running voice over its data network, the company was able to eliminate 12 PBXs scattered around the network and manage voice from a centralized location. While this provides better management and cost savings, security of the IP PBXs was a concern, says Kevin Wetzel, manager of global network services for the company. "On traditional PBXs, although they had PC processors in them, they were not necessarily as susceptible to viruses," Wetzel says. "People are writing NT viruses, not PBX vi-ruses, so it's a trade-off." Wetzel monitors his clusters of Cisco telephony servers with intrusion-detection software - he declined to say what kind - and is vigilant about keeping up with patches to the CallManager's operating system, which includes Microsoft IIS as an administration tool. The centralized management of the Cisco Call-Manager clusters also provides a level of security of its own, he adds. "We've been able to reduce the number of PBXs, and that reduced number of machines can make for better security," he says. "We can maintain the systems in a more uniform fashion than we could before." For Compass Bank, a regional bank with 400 branches in eight states throughout the South and Southwest, a mix of IP and TDM telephony is used to serve 20 of its offices. The bank deployed Nortel Business Comm-unication Manager (BCM) platforms to its branch offices, and connects those small-office IP PBXs to a group of Nor-tel Meridian TDM phone switches over a private frame relay network. Although the BCMs are based on NT, secur-ity is less of an issue because IP is only being used to replace tie lines, says Rick Nelson, the bank's group operations manager and senior vice president. The network is closed to the outside world, so viruses and external attacks are not issues for the VoIP system, Nelson says. That the telecom network is still TDM at the core also is an advantage, he says. "Security would keep me awake at night if I had a server-based system at the heart" of the voice network, Nelson says. "My son can hack into those types of machines, and he's 11. That's what's keeping me from making the leap to an all-IP telephone network." While Nelson says an all-IP telephone infrastructure - from server-based PBXs to IP phones - is inevitable, he will wait another 12 to 24 months before considering a full-blown IP voice implementation. The County of Nevada, Calif., decided to take the all-IP plunge, replacing its discontinued Siemens Saturn phone switch with several 3Com NBX systems. The IP PBXs support around 900 users in 30 county offices, and are connected via T-1 lines. The fact that the NBX boxes are sitting on the same data network as any other server does not concern Gary Sprigs, network services manager for the county. Sprigs says the Web-based administration tool makes the NBX system easy to access for configuring phone extensions and to configure the box. "We have a process where we regularly change the passwords," on the administration interface, Sprigs says. The NBX also has the ability to create an audit trail of who accessed the device, what was done, and the IP address of the user who accessed the system. He says the NBX devices also are kept behind firewalls, which lessens the chance of unauthorized system usage or abuse. "We treat the [NBX boxes] with the same level of protection as our most critical server," Sprigs says. "It's something we didn't have to worry about on the old phone system, but we do now." Locking down IP telephony IP telephony vendors and customers recommend these steps to manage the security of voice over a data network. * Separate IP PBXs on the LAN by putting the devices in different domains from other servers. * Isolate voice traffic onto a virtual LAN. * Limit administration access to IP PBXs among IT staff, allowing only a few to have access to the core operating system on a VoIP server. * Limit the types of protocols that can touch the IP PBX or IP telephony network when possible. * Encrypt voice traffic where possible. Do not send IP voice over an unmanaged or public network. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Jun 25 2002 - 09:12:05 PDT