S 2.372 Planning the use of VoIP
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, Head of IT
A basic requirement for the secure use of VoIP is appropriate advance planning. The use of VoIP can be planned in several steps according to the top-down design principle: Based on a basic concept for the overall system, specific plans are specified for subcomponents in detailed subconcepts. Not only do the aspects classically associated with the term "security" need to be planned, but also normal operating aspects that may lead to requirements in the area of security.
In the basic concept, the following typical questions should be addressed, for example:
- Should we migrate completely or only in part to VoIP? Should VoIP only be used for communication between the circuit-switched PBX systems?
- Are there special requirements regarding the availability of VoIP or the confidentiality and integrity of the telephone calls and/or signalling information?
- Which signalling and media transport protocols should be used?
- How many users should be allowed to communicate using VoIP?
- How should we connect to the public telephone network? Should VoIP-based communication connections directly from the public data network be allowed?
- Can the security of the existing LANs be adversely affected by VoIP? Is the capacity of the existing LAN adequate for the use of VoIP? Do changes need to be made to the network architecture?
The following subconcepts should be taken into consideration when planning the use of VoIP:
- Scope of encryption: What exactly will be encrypted must be specified. For example, it may be decided that no communication in the LAN will be encrypted, but that all external telephone calls should be protected against eavesdropping and manipulation by third parties (see safeguard S 2.374 Scope of VoIP encryption). In addition, it must be decided whether the media data and/or the signalling should be encrypted.
- Encryption mechanisms: If encryption was specified for individual communication routes, it must be decided how this protection can be integrated. Encryption can be performed both in the application layer, for example using H.235 or SRTP (see S 5.134 Secure VoIP signalisation and S 5.135 Secure media transport with SRTP), and in lower layers, for example using SSL/TLS, IPsec, or VPNs.
- Component selection: To enable the implementation of the decisions made, the devices to be used must also provide support for these decisions. If no appropriate devices are available for purchase, for example because no product meets all requirements, the plan must be corrected. The resulting changes to the plan must be coordinated with the Security Management and documented.
- Contingency planning: The availability of the telephone system is an important requirement, and not only for the business processes. If the telephone system fails, it is not possible to call for help in case of an emergency. For this reason, appropriate precautions must be taken. Additional information on this subject can be found in safeguard S 6.100 Drawing up a business continuity plan for VoIP failure.
- Network separation: In some cases, it makes sense to logically or physically separate the VoIP network from the data network (see safeguard S 2.376 Separation of data network and VoIP network). It must be decided during the planning phase whether segmentation is necessary.
- Features: VoIP components commonly offer additional features. These features may require the operation of an additional middleware component or have other disadvantages in terms of security. Features critical to security include, for example, the ability to break in on an existing call, room monitoring functions, and the intercom mode. During the planning phase, it must be decided which features will be used.
- Administration and configuration: The people who will perform the administration and configuration should be selected well in advance. An administrator for VoIP should be appointed for this purpose. In addition, it must be decided how administration will be performed (see S 4.287 Secure administration of the VoIP middleware and S 4.288 Secure administration of VoIP terminals).
- Logging: The logging of messages from each of the VoIP components plays an important role, for example when troubleshooting and repairing malfunctions or detecting and investigating attacks. In the planning phase, it should be decided which information must be logged at a minimum and how long the logged data will be retained. In addition, it must be specified whether the logged data will be stored locally on the system or on a central log server in the network.
All decisions made in the planning phase must be documented in such a way that they can be understood at any given future point in time. Note that this information usually needs to be evaluated by persons other than the author. Therefore, the information must be appropriately organised and easy to understand.
Review questions:
- Have the integrity, confidentiality, and availability requirements for the use of VoIP been defined?