S 4.7 VoIP

Description

Special signalling protocols are used to transmit signalling information, for example when receiving a call. The useful data, such as voice or video data, is transmitted with the aid of a media transport protocol. Both protocols are required to establish and maintain a multimedia connection. Some technologies use only one protocol for signalling and for transporting the media.

This module examines the security aspects of the end devices and switching units (middleware). The functionality of the components described here is the same as for the telecommunications systems described in S 3.401 Telecommunications system.

Threat scenario

A series of threats must be taken into account when using VoIP as well. Many of these threats can be traced to the data networks used for VoIP. These types of threats include the various types of attacks on confidentiality, for example sniffing, and on availability.

In general, it is true that the threat scenarios for individual components always depend on the operational scenario as well, for example when used as end devices or middleware, and that each of these threats also poses a threat to the overall system.

The following typical threats to IT-Grundschutz when using VoIP are assumed to exist:

Organisational Shortcomings

T 2.112 Inadequate planning of VoIP
T 2.113 Inadequate planning of network capacity for the use of VoIP

Human Error

T 3.7 Failure of the PBX due to operating errors
T 3.82 Incorrect configuration of VoIP middleware
T 3.83 Incorrect configuration of VoIP components

Technical Failure

T 4.56 Failure of the VoIP architecture
T 4.57 Interferences relating to the use of VoIP over VPNs
T 4.58 Vulnerabilities relating to the use of VoIP end devices
T 4.59 Non-accessibility of VoIP due to NAT

Deliberate Acts

T 5.11 Loss of confidentiality of data stored in PBX systems
T 5.12 Interception of telephone calls and data transmissions
T 5.13 Wiretapping of rooms using PBX terminal devices
T 5.14 Call charges fraud
T 5.15 Abuse of features of PBX systems
T 5.134 Lack of identification of communication partners
T 5.135 SPIT and Vishing
T 5.136 Abuse of freely accessible telephone extensions

Method recommendation

To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.

Since VoIP operates over a data network, module S 4.1 Heterogeneous networks must be included in any security examination. Furthermore, the active network components located in the data network must be taken into account. They are examined in module S 3.302 Routers and switches.

VoIP is most often operated on ordinary IT systems instead of on special devices, which are referred to as appliances. To operate a middleware component, the IT system needs to provide a corresponding network service. For this reason, module S 3.101 General server must be taken into account.

Softphone is a term used to refer to client software that allows a multimedia PC with a microphone to be used as a telephony end device. If a softphone is used, then module S 3.201 General clients must be applied to the client running the softphone software. Furthermore, the modules for the operating system used on the IT systems on which the middleware and the softphone are running must be taken into account as well (for example module S 3.102 Servers under Unix or S 3.209 Clients under Windows XP).

In terms of IT security, the following steps should be taken on the end devices and on the middleware:

Planning the use of VoIP

The use of VoIP must be planned carefully (see S 2.372 Planning the use of VoIP). In safeguard S 3.57 Scenarios for the use of VoIP, possible areas of application for VoIP are presented. The selection of a signalling protocol plays an important role because the various manufacturers of VoIP devices commonly support only one protocol. Since the signalling protocols are not intercompatible, the decision of which signalling protocol to use influences the selection of the VoIP components. In safeguard S 5.133 Selection of a signalling protocol for VoIP, the most commonly used protocols are described briefly.

When making a telephone call using VoIP, the same problems can arise as with every other type of communication over IP. Many of the well-known attacks on the confidentiality and integrity of IP data networks can also be used to attack VoIP communication. Protection can be provided in this case by encrypting the signalling or media transport information. Which data needs to be protected in which networks is illustrated in safeguard S 2.374 Scope of VoIP encryption. Safeguards S 5.134 Secure VoIP signalisation and S 5.135 Secure media transport using SRTP describe the method of operation used to encrypt the signalling and media transport information in more detail.
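The safeguard S 5.135 relies on SRTP (RFC 3711) to protect the media stream. As an added illustration that is not part of this module or of any BSI safeguard text, the following Python sketch shows the two SRTP mechanisms that give a receiver integrity and replay protection: the 80-bit HMAC-SHA1 authentication tag computed over the RTP packet and the rollover counter (ROC), and the sliding replay window over the 48-bit packet index. The key, the packet contents and the `SrtpReceiver` class are constructed for this example; session key derivation and AES-CM payload encryption are deliberately omitted so that the example runs with the standard library only.

```python
import hmac
import hashlib
import struct

# Constants for this example (the RFC 3711 defaults): a 12-byte fixed RTP
# header, an 80-bit (10-byte) HMAC-SHA1 tag and a 64-packet replay window.
RTP_HEADER_LEN = 12
AUTH_TAG_LEN = 10
REPLAY_WINDOW = 64


def make_rtp(seq: int, timestamp: int, ssrc: int, payload: bytes, pt: int = 0) -> bytes:
    """Build a minimal RTP packet: V=2, no padding, no extension, no CSRC, marker bit clear."""
    header = struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload


def srtp_auth_tag(auth_key: bytes, authenticated: bytes, roc: int) -> bytes:
    """RFC 3711 section 4.2: HMAC-SHA1 over (header || payload || ROC), truncated to 80 bits."""
    mac = hmac.new(auth_key, authenticated + struct.pack("!I", roc), hashlib.sha1).digest()
    return mac[:AUTH_TAG_LEN]


def protect(auth_key: bytes, rtp_packet: bytes, roc: int = 0) -> bytes:
    """Sender side: append the authentication tag (payload encryption omitted in this example)."""
    return rtp_packet + srtp_auth_tag(auth_key, rtp_packet, roc)


class SrtpReceiver:
    """Receiver state: the authentication key plus a sliding replay window over the packet index."""

    def __init__(self, auth_key: bytes, window: int = REPLAY_WINDOW):
        self.auth_key = auth_key
        self.window = window
        self.highest = None     # highest packet index accepted so far
        self.accepted = set()   # accepted indices that are still inside the window

    def _is_replay(self, index: int) -> bool:
        if self.highest is None or index > self.highest:
            return False
        if self.highest - index >= self.window:
            return True         # older than the window: rejected as a replay
        return index in self.accepted

    def _record(self, index: int) -> None:
        if self.highest is None or index > self.highest:
            self.highest = index
        self.accepted.add(index)
        self.accepted = {i for i in self.accepted if self.highest - i < self.window}

    def unprotect(self, srtp_packet: bytes, roc: int = 0):
        """Return (rtp_packet, status); status is 'ok', 'too short', 'replay' or 'bad auth tag'."""
        if len(srtp_packet) < RTP_HEADER_LEN + AUTH_TAG_LEN:
            return None, "too short"
        body, tag = srtp_packet[:-AUTH_TAG_LEN], srtp_packet[-AUTH_TAG_LEN:]
        seq = struct.unpack("!H", body[2:4])[0]
        index = (roc << 16) | seq   # 48-bit SRTP packet index (RFC 3711 section 3.3.1)
        # Replay check first, so a replayed packet is dropped before any MAC work is done
        if self._is_replay(index):
            return None, "replay"
        expected = srtp_auth_tag(self.auth_key, body, roc)
        if not hmac.compare_digest(tag, expected):
            return None, "bad auth tag"
        self._record(index)         # only authenticated packets move the replay window
        return body, "ok"


def demo():
    """Constructed exchange: two good packets, one replay, one modified packet."""
    key = bytes(range(20))          # constructed 160-bit authentication key
    ssrc = 0xDEADBEEF
    rx = SrtpReceiver(key)
    p1 = protect(key, make_rtp(1000, 160000, ssrc, b"voice-frame-1"))
    p2 = protect(key, make_rtp(1001, 160160, ssrc, b"voice-frame-2"))
    p3 = protect(key, make_rtp(1002, 160320, ssrc, b"voice-frame-3"))
    results = [rx.unprotect(p1)[1], rx.unprotect(p2)[1]]
    results.append(rx.unprotect(p1)[1])                               # p1 replayed
    tampered = p3[:RTP_HEADER_LEN] + b"voice-frame-X" + p3[-AUTH_TAG_LEN:]
    results.append(rx.unprotect(tampered)[1])                         # payload changed in transit
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks mirrors RFC 3711: the replay list is consulted before the tag is verified, and only a packet that passes authentication updates the window, so an unauthenticated packet with a high sequence number cannot push genuine packets out of the window.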

Parallel to this, a detailed guideline for the use of VoIP must be added to the general security policy (see S 2.373 Drawing up a security policy for VoIP).

Purchasing

In the next step, the end devices and the VoIP middleware are purchased. Software solutions or appliances can be used for this purpose. Based on the operational scenarios, the requirements to be placed on the products to be purchased must be formulated. Recommendations for selection can be found in safeguard S 2.375 Selection of suitable VoIP systems.

Implementation

In order for the administrators to be prepared for the introduction or migration to VoIP, they need to be adequately trained (see S 3.56 Administrator training on the use of VoIP).

Usually, the existing IP data network also needs to be adapted in addition to making the VoIP-specific changes. In some cases, it may make sense to operate two data networks in parallel. The (not always problem-free) separation of the VoIP voice network from the rest of the data network, which is described in S 2.376 Separation of data network and VoIP network, can be achieved using logical or physical segmentation. In addition, access to the VoIP components should also be secured (see safeguard S 4.289 Restricting the accessibility via VoIP). If physical separation is not implemented, then rules should be made for the prioritised forwarding of VoIP packets to prevent the network from becoming overloaded. These rules and others are presented in safeguard S 5.136 Quality of service and network management for VoIP.

Precautions must be taken particularly when accessing the network from a public network. This means, among other things, that the transition point between the public network and the private network must be modified. For example, the translation of private IP addresses to public IP addresses using Network Address Translation (NAT) can be very complex (see safeguard S 5.137 Use of NAT for VoIP). However, there are also special requirements for the security gateway, and these requirements are described in safeguard S 4.290 Requirements on security gateways for VoIP.

Operation

After the initial installation and a test operation phase, regular operations can be initiated (see S 4.287 Secure administration of VoIP middleware and S 4.288 Secure administration of VoIP terminals). To be able to react to problems, important events must be logged and evaluated. Recommendations for logging can be found in safeguard S 4.292 Logging of VoIP events.
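Evaluating the logged events (safeguard S 4.292) means more than storing them. As an added example that is not part of this module, the following Python script parses constructed middleware log lines in a hypothetical `key=value` format (no real product writes exactly this) and applies two simple sliding-window rules that correspond to threats listed above: a burst of failed registrations from one source address, which can precede abuse of an extension (T 5.136), and an unusually high call rate from a single extension, which is a typical indicator of call charges fraud (T 5.14). The thresholds and windows are constructed for the sample data and would be tuned to the real traffic profile.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical middleware format (not a real product's syntax).
SAMPLE_LOG = """\
2024-03-04T08:00:01 REGISTER user=2001 src=10.0.5.20 result=OK
2024-03-04T08:00:05 REGISTER user=2002 src=10.0.5.21 result=OK
2024-03-04T08:01:10 REGISTER user=2003 src=198.51.100.7 result=FAIL reason=auth
2024-03-04T08:01:11 REGISTER user=2003 src=198.51.100.7 result=FAIL reason=auth
2024-03-04T08:01:12 REGISTER user=2003 src=198.51.100.7 result=FAIL reason=auth
2024-03-04T08:01:13 REGISTER user=2003 src=198.51.100.7 result=FAIL reason=auth
2024-03-04T08:01:14 REGISTER user=2003 src=198.51.100.7 result=FAIL reason=auth
2024-03-04T08:02:00 INVITE from=2001 to=2002 result=OK
2024-03-04T23:10:00 INVITE from=2002 to=0012345678901 result=OK
2024-03-04T23:10:30 INVITE from=2002 to=0012345678902 result=OK
2024-03-04T23:11:00 INVITE from=2002 to=0012345678903 result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z]+) (?P<fields>.*)$")


def parse_line(line: str):
    """Turn one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group("ts")), "event": m.group("event"), **fields}


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def sliding_window_alerts(events, key_fn, predicate, threshold, window, label):
    """Raise one alert per key when at least `threshold` matching events fall within `window`."""
    recent = defaultdict(deque)   # key -> timestamps of matching events inside the window
    alerted = set()
    alerts = []
    for e in events:              # events are processed in log (time) order
        if not predicate(e):
            continue
        key = key_fn(e)
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()           # drop events that have left the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(f"{label}: {key} ({len(q)} events within {window})")
    return alerts


def evaluate(text: str):
    """Apply both rules to a log excerpt and return the list of alert strings."""
    events = parse_log(text)
    alerts = []
    # Rule 1: five or more failed REGISTER attempts from one source within a minute
    alerts += sliding_window_alerts(
        events, lambda e: e["src"],
        lambda e: e["event"] == "REGISTER" and e.get("result") == "FAIL",
        threshold=5, window=timedelta(minutes=1), label="registration failure burst")
    # Rule 2: three or more successful calls from one extension within two minutes
    alerts += sliding_window_alerts(
        events, lambda e: e["from"],
        lambda e: e["event"] == "INVITE" and e.get("result") == "OK",
        threshold=3, window=timedelta(minutes=2), label="high call rate")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

Both rules are instances of one generic sliding-window counter, so further checks (for example, calls to a given number range or calls outside the hours defined in the VoIP security policy) can be added as another predicate without changing the parser.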

A user training programme for telephone usage is often impractical and not cost-effective, even though typical office end devices today are highly complex. However, the users should be informed of the basic threats (see safeguards S 3.12 Informing all staff members about possible PBX warning notices, warning symbols, and acoustic alarm signals and S 3.13 Increasing staff awareness of potential threats to the PBX for more information in this regard).

Disposal

It is often the case that the memory of the VoIP components stores information requiring protection. When disposing of these components, safeguard S 2.377 Secure withdrawal from operation of VoIP components should be taken into account.

Contingency Planning

Only regular and comprehensive data backups can reliably guarantee the ability to restore the availability of all data stored in case of malfunctions, hardware failures, or (intentional or unintentional) deletion. The necessary safeguards are described in module S 1.4 Data backup policy. Furthermore, the data backup policy must be expanded to include the data backups for the VoIP components as described in safeguard S 6.101 Data backup when using VoIP.

Information on the special aspects to take into account when drawing up the business continuity plan for a VoIP server is provided in safeguard S 6.100 Drawing up a business continuity plan for VoIP failure.

The following safeguards are to be implemented when using VoIP:

Planning and design

S 2.28 (Z) Availability of external telecommunications advisory services
S 2.372 (A) Planning the use of VoIP
S 2.373 (A) Drawing up a security policy for VoIP
S 2.374 (C) Scope of VoIP encryption
S 3.57 (W) Scenarios for the use of VoIP
S 5.133 (A) Selection of a signalling protocol for VoIP
S 5.134 (C) Secure VoIP signalisation
S 5.135 (C) Secure media transport using SRTP

Purchasing

S 2.375 (C) Selection of suitable VoIP systems

Implementation

S 1.30 (A) Safeguarding of data media containing data on telecommunications charges
S 2.29 (B) PBX operating instructions for users
S 2.376 (C) Separation of data network and VoIP network
S 3.56 (A) Administrator training on the use of VoIP
S 4.7 (A) Change of preset passwords
S 4.10 (C) Secure basic local configuration of routers and switches
S 4.287 (A) Secure administration of VoIP middleware
S 4.288 (A) Secure administration of VoIP terminals
S 4.289 (A) Restricting the accessibility via VoIP
S 4.290 (C) Requirements on security gateways for VoIP
S 5.136 (B) Quality of service and network management for VoIP
S 5.137 (C) Use of NAT for VoIP

Operation

S 3.12 (B) Informing all staff members about possible PBX warning notices, warning symbols, and acoustic alarm signals
S 3.13 (B) Increasing staff awareness of potential threats to the PBX
S 4.5 (B) Logging for PBX systems
S 4.6 (C) Audit of the PBX configuration
S 4.291 (A) Secure configuration of VoIP middleware
S 4.292 (A) Logging of VoIP events

Disposal

S 2.377 (B) Secure withdrawal from operation of VoIP components

Contingency Planning

S 6.29 (Z) PBX base line for emergency calls
S 6.100 (A) Drawing up a business continuity plan for VoIP failure
S 6.101 (A) Data backup when using VoIP