Securing Voice over IP
Sure, voice over IP can save your schools money; but don't neglect the security aspects in your rush to get it running.
- By Dian Schaffhauser
- 06/20/12
Although a 2011 Educause survey reported that only seven percent of faculty and staff use a voice over IP service, the allure of VoIP is hard for IT organizations in colleges and universities to ignore. The benefits are many. By consolidating voice and data communications, schools can also consolidate their maintenance efforts under IT, reduce phone charges dramatically, and add functionality such as "follow me" or emailed voice messages to enable more efficient communications among faculty, staff, and others.
What some schools don't realize, however, is that VoIP adds new security risks to the network that don't always get the same attention as other areas, such as anti-virus, firewalls, or network access.
According to security expert Paul Henry, just having a VoIP server within the data center makes the institution a much more valuable target for hackers. Henry is a long-time instructor for SANS, a research and education organization that conducts security training and certifies IT professionals in security topics.
What are hackers looking for? One thing they're looking to steal is VoIP minutes. As Henry explained, hackers will break into the SIP server that hosts the VoIP system, sell discounted minutes to their clients worldwide, and then place those calls through the compromised server. SIP, or Session Initiation Protocol, is the text-based protocol that controls the communication sessions over the Internet. The SIP server is the primary vehicle for running VoIP.
Henry pointed to the case of Edwin Pena, who pleaded guilty in 2010 to federal charges of computer hacking and wire fraud. According to the FBI, Pena sold discounted service plans to multiple customers, but would route those calls through the computer networks of unsuspecting VoIP service providers. In less than a year, he stole $1.4 million in calling minutes.
We rarely hear about those cases, Henry added. The organizations involved "don't report it because they don't want to look stupid."
The Bigger Potential Problem Area for Universities
When Henry is called in to consult during security events, one of the first actions he does is to perform a penetration test to see if he can record the organization's internal phone calls and play them back for the client. It's not hard, he said. All it takes is the use of a basic network sniffer, such as the open source packet analyzer, Wireshark, which can record the call and save it as a playable WAV file. "They're sharing the same wire with their network communications as they are with their VoIP calls. It's trivial to access that wire. Once I [do that], I can very easily record their phone calls."
If somebody can access phone calls that haven't been encrypted and a student's personal details are being discussed in those calls, the school could be in violation of the Family Educational Rights and Privacy Act (FERPA) Act. For a university dealing with health records, it could result in a Health Insurance Portability and Accountability Act (HIPAA) compliance violation. Institutions that process credit cards over the phone could be committing a Payment Card Industry (PCI) violation. In other words, in a VoIP scenario, data breaches can encompass voice data too.
The break-in can occur at multiple points--through the SIP server, via a "soft client," the software program on a computer that lets the user make and receive phone calls, and even through the VoIP phone devices. "Anything that's got software in it is potentially vulnerable," Henry said.
Just as alarming, he added, when someone compromises a single PC within the network, he or she can potentially use that to navigate to other parts of the environment.
Common Security Blunders
Henry said he consistently sees network administrators make some common mistakes when they set up VoIP systems: "They're not using strong passwords. They're not using signed digital certificates. They're not using encryption."
The first activity he advises clients to perform is a complete penetration test "to understand where your weaknesses lie." From there, he recommends some typical steps for remediation.
- Change out weak passwords, perhaps the most frequent source of vulnerabilities.
- Properly segment the network using VLAN technology. By using a virtual LAN, the organization can share the data connection but run two communication streams, one for data and the other for voice. "If a hacker's able to compromise the data connection, he would not be able to see your VoIP traffic," Henry explained. "Even though you're running on the same wire, [the hacker] would be connected literally to a lane outside of your VoIP communications."
- Enable encryption wherever possible. Most VoIP phones today fully support encryption, Henry said. So the voice packets are encrypted as they go over the wire, and then unencrypted on the other end.
- Harden the actual server that's running the VoIP application.
If the school is working with a third-party to implement the VoIP system, Henry recommends listening closely to the vendors under evaluation. "If the vendor's primary push is how they're going to save you money, usually security comes up last. It's an afterthought. In any environment today security has to be your first consideration. You want a vendor that's going to talk about the security issues first."
Because Henry performs incident response and forensics work, he prefers to keep the projects he's been involved with under non-disclosure. But he will admit to knowing about security break-ins at universities involving the VoIP network. Unless the break-in exposed personal data about students, staff, donors, or others, "It's not a regulatory requirement to report when you've been breached via VoIP," he noted. In other cases, it was a weakness in the VoIP system that allowed the break-in to occur in the first place, leading to the compromise of other machines in the network.
The bottom line is that while institutions of higher ed can enjoy a significant savings operating VoIP, Henry observed, "You have to consider the additional risk it exposes you to. Just by having VoIP within your environment, you're a much more attractive target to the bad guys."
Henry will be teaching the six-day SANS course, VoIP Security, at SANSFIRE 2012 in Washington, D.C. starting on July 6 and at Network Security 2012 in Las Vegas starting on September 16.