S 2.373 Drawing up a security policy for VoIP
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: Head of IT, IT Security Officer
High expectations are placed on the availability of a telephone system. However, its confidentiality is just as important. For this reason, the secure and proper operation of telecommunication equipment is particularly important. This can only be ensured when the operational procedures are integrated into the existing security-related specifications.
The primary security-related requirements regarding VoIP, as well as the security level to be achieved, result from the organisation-wide security policy. They should be formulated in a security policy specifically for VoIP that adds more detail to and implements the overriding and more generally formulated security policy. In this context, it must be examined whether any other overriding specifications, for example IT guidelines, password rules, guidelines for the IT systems the VoIP components are operated on, and specifications for internet usage, need to be taken into account in addition to the organisation-wide security policy.
All persons and groups participating in the planning, purchasing, and operation of the VoIP components must be familiar with the VoIP security policy and adhere to it while working. Like all policies, its contents and implementation should be examined regularly within the framework of a general audit.
The security policy should first specify the overall security level to be reached and provide basic information on the operation of VoIP. The following sections describe some aspects to be taken into consideration.
General regulations for the use of VoIP
All VoIP users should be informed of the potential risks and problems as well as the benefits associated with the use of VoIP, and also of the limits of the security safeguards implemented.
Since new security gaps in VoIP components are being made public all the time, the IT Security Management should inform themselves regularly about the current risks. It may be appropriate to inform the employees regularly about the most recent threats in order to make them aware of the risks.
When drawing up a security policy, it is recommended to proceed in such a way that the maximum requirements and specifications for the security of the systems are stated initially. These requirements and specifications should then be agreed to by all parties involved and examined in terms of their feasibility. Ideally, all aspects necessary will be taken into account. For every step rejected and specification relaxed in the second step, the reasons for the rejection or relaxation of the specification should be documented.
The following must be clearly stated in the security policy:
- whether and where VoIP components may be used,
- under what technical conditions VoIP will be used (these include in particular the specification of security safeguards, the selection and installation of the necessary security hardware and software, as well as specifications for the secure configuration of the affected IT systems),
- what information must not be transmitted using VoIP, and
- which features and functions should be supported.
Employees must be informed of the conditions under which they are permitted to use VoIP outside of the organisation, since other security regulations may apply here under some circumstances.
VoIP middleware
The following must be specified in terms of the operation of VoIP middleware:
- The specifications for purchasing devices based on a requirements profile (see also S 2.375 Selection of suitable VoIP systems) must be drawn up.
- Rules applying to the work performed by the administrators and auditors must be formulated. The following questions should be answered to specify these rules:
  - Over which access routes are the administrators and auditors allowed to access the systems (for example, only locally on the console, using a separate administration network, or using encrypted connections)?
  - Which procedures must be documented? In what form will the documentation be produced and maintained?
  - Does the "two-man principle" apply to certain changes?
  - Can the area of responsibility of the administrator of the IT systems be separated from that of the persons responsible for the VoIP application?
- The responsibilities must be specified and organised.
- Specifications for installation and configuration such as
  - the initial installation procedure,
  - the check of the default settings in terms of the security threats entailed by them, and
  - the use and configuration
- User and role administration must be introduced or the existing administration must be extended. This includes:
  - rules for the administration of the users and roles, authorisation structures (procedures and methods of authentication and authorisation, authorisations for installation, updates, configuration changes, etc.),
  - a role concept for administration, and
  - a user administration concept. The users must be created and assigned telephone numbers. The users can be granted certain privileges such as the ability to call service numbers that charge a fee.
- Secure operation requires rules
  - for the creation and maintenance of the documentation, as well as its form and scope (e.g. documented procedures, instruction manuals),
  - regarding which services and protocols are permitted and/or which are not permitted,
  - on the communication connections allowed, for example how to avoid establishing a direct connection from internal VoIP systems to public networks,
  - for performing software updates, and
  - for the specifications in the security policies of the IT systems on which the VoIP middleware will be operated.
- The specifications for secure operation should contain information such as
  - how to secure the administration (for example, whether access to the administration should only be permitted using secured connections),
  - which encrypting signalling and media transport protocols are to be used,
  - which tools are to be used for operation and maintenance,
  - which authorisations are to be assigned and which procedures are to be followed when updating software and making changes to the configuration, and
  - which security safeguards are to be implemented on the operating system the middleware is operated on.
- The following must be decided on for the logging procedure:
  - which events are logged,
  - where the log files should be stored, and
  - how and how often the logs should be evaluated.
- The organisation-wide data backup policy must be extended to cover the backup and restoration of data on VoIP components.
- Rules for how to react to operational disruptions, technical errors (local support, remote maintenance), and security incidents must be established.
VoIP terminal devices
In the following, specifications for the operation of VoIP terminal devices are presented.
- Specifications for purchasing devices based on a requirements profile must be formulated.
- Rules applying to the work performed by the administrators and auditors must be formulated. An example of such a rule would be that the administration of the softphones to be used must be separate from the administration of the IT system.
- Specifications for installation and configuration must be added to the security policy. The following questions should be answered in this regard:
  - Is the default configuration of the delivered hardphones adequate or should configuration during operation be possible?
  - How will changes to the configuration be made during operation when the number of terminal devices is large?
  - Which access routes are the administrators permitted to use to access the terminal devices?
  - Which parameters in the configurations of the features, for example of the call forwarding feature, are the users permitted to change?
- Specifications for secure operation play an important role. These include:
  - methods for securing the administration (for example by only permitting access using secured connections),
  - the use of encrypting signalling and media transport protocols,
  - tools for operation and maintenance, and integration into an existing network management system,
  - authorisations and procedures for software updates and configuration changes,
  - the specification of safeguards when a user is absent, for example transferring his/her calls and blocking his/her telephone, and
  - the secure operation of the operating system the softphone is operated on.
- In terms of contingency planning, regulations for the provision of alternative lines of communication must be added to the security policy.
The IT operating personnel are responsible for implementing the VoIP security policy; changes to and deviations from this policy may only be made in coordination with the IT Security Officer.
Review questions:
- Is there a security policy specifying general security-related specifications for VoIP?
- Does the VoIP policy contain specifications for operating and using VoIP components?
- Is the VoIP security policy available to all persons and groups involved, and are they familiar with it?