Layered Defense: Protecting your VoIP Network
In: Asian Channels May 2006
Written by Andy Miller, Vice President, Enterprise, Asia Pacific, Juniper Networks   

Although Voice over IP (VoIP) is one of the fastest-growing and most sought-after technologies in the enterprise today, enterprises may not always have in place the security measures needed to ensure a secure and assured VoIP experience. In this article, we will examine best practices for this important task.

VoIP provides a convenient and cost-saving way to consolidate communications technology, and allows for advanced voice applications not available over legacy voice systems. Rather than maintaining two networks – a digital IP network and a TDM-based switched telephone network – enterprises can combine networks to achieve savings in long-distance voice and administration overhead.

However, because VoIP runs over an IP infrastructure, it is exposed to Internet threats that the traditional TDM network never faced. Juniper Networks’ approach to VoIP security starts with best practices in network security and is similar to protecting any other IP network.

We must first understand all related components – including servers, IP protocols, processes and users – and use a risk analysis model to identify where risks are. Then we choose the appropriate technology or process to mitigate the risks.

In the heart of the enterprise or service provider network lies the VoIP application server – either a UNIX server or a PC running Linux. The core network also has servers running billing and user data management in support of the VoIP application.

At the perimeter are the gateway servers, which communicate with other VoIP network servers or translate calls between the VoIP and switched voice networks. On the client side are IP telephones, which translate the digital signal into voice.

Our defense strategy will be in layers, protecting each of the core, perimeter and client-side equipment, based around three main elements: authentication of those who access the network, the control process, and the technology applied to protect these components.

The first two elements can be addressed with a formal security audit in which we identify the people involved in the operation and define the security privileges required to conduct certain tasks. The third element (protecting the network core of application servers and appliances) is similar to securing an internal LAN against known IP attack risks (e.g., OS vulnerabilities, DoS/DDoS, or other types of intrusion).

For any type of OS, you should be running the latest version with all security patches applied, and have extraneous services and user accounts removed so that remote access is tightly controlled.

Enterprises should also consider Intrusion Detection and Prevention Systems (IDP/IPS) to monitor traffic. An IDP examines packet traffic up to layer 7 to identify potential threats; for instance, a VoIP application that exposes a Web-based administration interface and its Web server is a well-known target for worm attacks. An IDP can use various methods to detect such an attack and stop the threat traffic from reaching the Web server by dropping the offending packets from the network.

Various gateway implementations can also be found at the perimeter level. Usually, servers provide user registration, identify incoming VoIP traffic and transfer calls to their destinations. The two main protocols for VoIP traffic are H.323 and SIP. Both use the Real-time Transport Protocol (RTP) for media transfer. The VoIP application starts a session using a static signalling port, and then starts the media transfer using a random port. However, leaving arbitrary ports open to accept that media traffic exposes the gateway to malicious attacks. In this case, the gateway should sit behind a VoIP-aware firewall appliance. High-throughput firewall appliances should be considered, as network latency will affect call quality.

The firewall should provide an Application Level Gateway to intercept VoIP traffic, break down the protocol, and examine what dynamic ports need to be opened by the application. The firewall would open up a pin-hole to allow media transfer during that particular call session and close the pin-hole after call completion.
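The signalling-then-media flow of the previous two paragraphs and the ALG pinhole behaviour described here, as an added example that is not part of the original article or a Juniper product: a minimal SIP-aware ALG model that reads the SDP carried in an INVITE or 200 OK, opens a pinhole for exactly the advertised RTP endpoint, and closes it on BYE. The SIP messages are constructed samples trimmed to the fields the model reads, and the class and function names are this example's own.

```python
import re

SDP_CONN = re.compile(r"^c=IN IP4 (\S+)", re.M)           # connection address
SDP_MEDIA = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)   # dynamic RTP port

def parse_sip(raw):
    """Split a SIP message into (start-line, {header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *hdr_lines = head.split("\n")
    headers = {name.strip().lower(): value.strip()
               for name, _, value in (line.partition(":") for line in hdr_lines)}
    return start, headers, body

class SipAlg:
    def __init__(self):
        self.pinholes = {}  # Call-ID -> set of (ip, port) allowed for RTP

    def inspect(self, raw):
        """Feed one SIP message seen on the static signalling port."""
        start, headers, body = parse_sip(raw)
        call_id = headers.get("call-id")
        if not call_id:
            return
        if start.startswith("BYE "):
            self.pinholes.pop(call_id, None)  # call ended: close its pinholes
            return
        conn, media = SDP_CONN.search(body), SDP_MEDIA.search(body)
        if conn and media:  # INVITE or 200 OK with SDP: learn the RTP endpoint
            endpoint = (conn.group(1), int(media.group(1)))
            self.pinholes.setdefault(call_id, set()).add(endpoint)

    def allows_rtp(self, ip, port):
        """True only while a tracked call has advertised this endpoint."""
        return any((ip, port) in holes for holes in self.pinholes.values())

# Constructed sample messages (not captured traffic), trimmed to the fields read above.
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: c1@alice\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: c1@alice\r\n\r\n"
          "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 62002 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: c1@alice\r\n\r\n"

def demo():
    alg = SipAlg()
    for msg in (INVITE, OK_200):
        alg.inspect(msg)
    during = alg.allows_rtp("198.51.100.20", 62002)
    alg.inspect(BYE)
    return during, alg.allows_rtp("198.51.100.20", 62002)  # (True, False)
```

Any RTP packet to a port no tracked call has advertised is rejected, which is the property that makes the firewall VoIP-aware rather than simply opening the whole dynamic port range.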

At the user end, the IP phone also generates sensitive user information and calling data, which must not be exposed to a public network. Therefore, an IP telephony device should support a strong authentication scheme for registration with the VoIP server. Additional encryption via a VPN tunnel should also be applied to both call set-up and media transfer.

In summary, VoIP technology offers enterprises new ways to save money and work efficiently. In order to utilize this technology safely, we should use a layered defense approach to understand network threats and secure the network against attack. By combining best practices for defending LAN and WAN networks, enterprises can enjoy the cost and operational benefits of VoIP while minimizing the risks.
