[ISN] Is VoIP vulnerable?

From: InfoSec News (isnat_private)
Date: Tue Jun 25 2002 - 04:44:59 PDT


    Yes, but users say taking basic steps can limit security snafus.
    By Phil Hochmuth
    Network World, 06/24/02
    As companies increasingly replace aging PBXs with IP telephony
    equipment, they are uncovering a host of security issues that might
    not have applied to old-world phone technology.
    While businesses need to consider issues such as voice-over-IP packet
    prioritization, voice quality and call features when planning a move
    to IP telephony, basic security of the IP PBX and phones should not be
    overlooked. This is especially true because much of the VoIP gear on
    the market is based on commodity operating systems and commonly hacked
    software, experts and VoIP veterans say.
    Just ask Carnival Cruises. The company found out the hard way that
    managing an IP telephony system is different from running phone
    systems based on traditional TDM technology.
    "Our [Cisco] CallManager got hit by the Nimda virus last year," says
    Tom McCormick, senior technical analyst with the Miami cruise line.  
    "It was a demo box and it wasn't patched to protect against the latest
    McCormick says the Cisco IP PBX, which runs on a purpose-built Intel-
    and Windows-based server, was being used only by the IT department for
    evaluation, so the company's business was not affected by the crash.  
    But the incident was an eye-opener. The system, which is in the
    company's live network now, has since been patched, and is monitored
    and maintained regularly for security fixes.
    For the most part, IP PBXs from vendors such as 3Com, Cisco, Avaya,
    Nortel, Alcatel and others are servers at the core. The boxes run
    call-control software on top of standard operating systems such as
    Windows NT and 2000, Linux and Unix. All of the products have standard
    IP stacks, which make them susceptible to denial-of-service or hacker
    attacks. Many IP PBXs also include Web-based administration clients
    or configuration tools built on Microsoft Internet Information Server
    (IIS) and Apache Web server - platforms that are constantly being
    patched for security holes and bugs.
    With these phone systems now connected to the same LANs and WANs as
    end users and even the public data networks, experts say IP telephony
    users must be on guard.
    "With an IP PBX, you're dealing with a server, and it's just as
    vulnerable as any other computer on your network," says Mike Homer,
    manager of lab testing at Miercom, an independent IT testing and
    consulting firm and a member of the Network World Global Testing
    "The idea of viruses or hacking might be totally new to you if you're
    coming from the TDM world to IP telephony," Homer says. But security
    has always been an issue in the telecom world, he adds, citing old
    problems such as toll fraud and other system misuse. "Those types of
    things still exist in the TDM world. It's just that IP telephony is
    new and sexy, so hacking from that standpoint is more attractive, and
    is more likely to happen than someone hacking a TDM system."
    If a company manages its IP PBX with the same due diligence as any
    other secure or mission-critical application - "such as a human
    resources application, or a server with all your customers' credit
    card information - it's not a problem," Homer says.
    On the IP PBX front line
    St. Paul, Minn., chemical manufacturer H.B. Fuller last year installed
    three redundant clusters of Cisco's Windows-based CallManager IP PBXs
    to provide IP phone connectivity to 20 remote sites over its VPN. By
    running voice over its data network, the company was able to eliminate
    12 PBXs scattered around the network and manage voice from a
    centralized location. While this provides better management and cost
    savings, security of the IP PBXs was a concern, says Kevin Wetzel,
    manager of global network services for the company.
    "On traditional PBXs, although they had PC processors in them, they
    were not necessarily as susceptible to viruses," Wetzel says. "People
    are writing NT viruses, not PBX viruses, so it's a trade-off."
    Wetzel monitors his clusters of Cisco telephony servers with
    intrusion-detection software - he declined to say what kind - and is
    vigilant about keeping up with patches to the CallManager's operating
    system, which includes Microsoft IIS as an administration tool. The
    centralized management of the Cisco CallManager clusters also
    provides a level of security of its own, he adds.
    "We've been able to reduce the number of PBXs, and that reduced number
    of machines can make for better security," he says. "We can maintain
    the systems in a more uniform fashion than we could before."
    For Compass Bank, a regional bank with 400 branches in eight states
    throughout the South and Southwest, a mix of IP and TDM telephony is
    used to serve 20 of its offices. The bank deployed Nortel Business
    Communication Manager (BCM) platforms to its branch offices, and
    connects those small-office IP PBXs to a group of Nortel Meridian TDM
    phone switches over a private frame relay network.
    Although the BCMs are based on NT, security is less of an issue
    because IP is only being used to replace tie lines, says Rick Nelson,
    the bank's group operations manager and senior vice president. The
    network is closed to the outside world, so viruses and external
    attacks are not issues for the VoIP system, Nelson says. That the
    telecom network is still TDM at the core also is an advantage, he
    "Security would keep me awake at night if I had a server-based system
    at the heart" of the voice network, Nelson says. "My son can hack into
    those types of machines, and he's 11. That's what's keeping me from
    making the leap to an all-IP telephone network."
    While Nelson says an all-IP telephone infrastructure - from
    server-based PBXs to IP phones - is inevitable, he will wait another
    12 to 24 months before considering a full-blown IP voice
    The County of Nevada, Calif., decided to take the all-IP plunge,
    replacing its discontinued Siemens Saturn phone switch with several
    3Com NBX systems. The IP PBXs support around 900 users in 30 county
    offices, and are connected via T-1 lines. The fact that the NBX boxes
    are sitting on the same data network as any other server does not
    concern Gary Sprigs, network services manager for the county.
    Sprigs says the Web-based administration tool makes the NBX system
    easy to access for configuring phone extensions and to configure the
    "We have a process where we regularly change the passwords," on the
    administration interface, Sprigs says. The NBX also has the ability to
    create an audit trail of who accessed the device, what was done, and
    the IP address of the user who accessed the system.
    He says the NBX devices also are kept behind firewalls, which lessens
    the chance of unauthorized system usage or abuse.
    "We treat the [NBX boxes] with the same level of protection as our
    most critical server," Sprigs says. "It's something we didn't have to
    worry about on the old phone system, but we do now."
    Locking down IP telephony
    IP telephony vendors and customers recommend these steps to manage the 
    security of voice over a data network.  
    * Separate IP PBXs on the LAN by putting the devices in different 
      domains from other servers. 
    * Isolate voice traffic onto a virtual LAN. 
    * Limit administration access to IP PBXs among IT staff, allowing only 
      a few to have access to the core operating system on a VoIP server.  
    * Limit the types of protocols that can touch the IP PBX or IP 
      telephony network when possible. 
    * Encrypt voice traffic where possible. Do not send IP voice over an 
      unmanaged or public network.  
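
    The steps above amount to an allowlist for what may touch the IP PBX: phones
    on the voice VLAN speak signalling and media, a handful of admin workstations
    reach the Web administration interface, and nothing else gets through. The
    following added example (not from the article or any vendor) expresses that
    policy as a checker run over constructed connection records; the addresses,
    port numbers and RTP range are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions for this example, not from the article).
PBX = ip_address("10.20.0.10")                        # IP PBX server
VOICE_VLAN = ip_network("10.20.0.0/24")               # isolated voice VLAN
ADMIN_HOSTS = {ip_address("10.1.1.5"), ip_address("10.1.1.6")}  # the few admin workstations

# Protocols permitted to touch the PBX. Port numbers are assumptions chosen for
# the example: call signalling and an RTP media range from phones, HTTPS from admins.
VOICE_PORTS = {("tcp", 2000), ("tcp", 5060), ("udp", 5060)}
RTP_RANGE = range(16384, 32768)
ADMIN_PORTS = {("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> str:
    """Return 'allow' or a short reason the flow violates the voice-segment policy."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    key = (flow.proto.lower(), flow.dport)
    if dst != PBX:
        return "allow"                        # this policy covers the PBX only
    if key in ADMIN_PORTS:
        return "allow" if src in ADMIN_HOSTS else "admin access from non-admin host"
    if key in VOICE_PORTS or (key[0] == "udp" and flow.dport in RTP_RANGE):
        return "allow" if src in VOICE_VLAN else "voice protocol from outside voice VLAN"
    return f"{key[0]}/{flow.dport} not permitted on IP PBX"


def audit(flows):
    """Return only the flows that violate the policy, paired with the reason."""
    results = ((f, evaluate(f)) for f in flows)
    return [(f, r) for f, r in results if r != "allow"]


# Constructed sample flows: a phone registering, an admin over HTTPS, a user PC
# reaching the PBX Web server on port 80, a non-admin host on the HTTPS admin
# port, and UDP media arriving from outside the voice VLAN.
SAMPLE_FLOWS = [
    Flow("10.20.0.51", "10.20.0.10", "tcp", 2000),
    Flow("10.1.1.5", "10.20.0.10", "tcp", 443),
    Flow("10.30.4.77", "10.20.0.10", "tcp", 80),
    Flow("10.30.4.78", "10.20.0.10", "tcp", 443),
    Flow("10.30.4.79", "10.20.0.10", "udp", 20000),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.proto}/{flow.dport}: {reason}")
```

    The port 80 record is the kind of traffic that reached the unpatched IIS on
    the CallManager described earlier; under this policy it is flagged rather than
    accepted simply because the PBX happens to be listening.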
    ISN is currently hosted by Attrition.org
