S 2.375 Selection of suitable VoIP systems
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Purchasing Department, Administrator, Head of IT
The various manufacturers of telecommunication products offer numerous telephony solutions. In addition to devices intended solely for VoIP or solely for analogue and digital telephony, products supporting both architectures are also available. Examples include PBX systems for circuit-switched networks that are equipped with an IP connection, and gateways that can be connected between a VoIP architecture and a public circuit-switched telephone network. During selection, numerous security-related aspects must be taken into account in addition to the basic functionality provided, such as support of the necessary signalling and media transport protocols.
Before the VoIP components are purchased, a list of requirements must be created and used to evaluate the products available on the market. Based on the evaluation, a well-founded purchase decision can then be made that ensures the products to be purchased will meet the requirements during practical operations.
General requirements
The following lists some general requirements to be considered when purchasing VoIP terminal devices and the corresponding middleware:
1. General criteria
- Should a VoIP appliance or a solution that can be operated on a standard PC be purchased?
In any case, the usually complex operating system must be configured in such a way that only the functions actually needed are enabled, the access rights are granted restrictively, and all vulnerabilities are systematically eliminated.
- Does the product support all protocols needed?
- Is training for the product offered by the manufacturer or an independent provider?
- Is there reliable information available on the reliability and availability of the hardware and software?
- Do the VoIP components meet the demands placed on them in terms of performance?
- Was the product evaluated using formal methods such as the Common Criteria method?
- Is the VoIP component compatible with the existing products?
- Do the VoIP components support secure logins and secure user administration?
- Does the documentation supplied with the product contain exact descriptions of all technical and administrative details?
- Is the option of concluding a maintenance contract for the VoIP components offered? It is often the case that manufacturers only provide access to updates and support services in connection with a valid maintenance contract. Can maximum reaction times for eliminating problems be specified within the framework of the maintenance contracts? Does the manufacturer offer technical customer service (hotline) that is able to provide help immediately in the event of problems?
- Is the product easy to install, configure, and use?
2. Logging
The logging capabilities offered must, at a minimum, meet the requirements specified in the security policy. The following aspects are of particular relevance:
- Can the level of detail of the logging function be configured?
- Does the logging function record all relevant data?
- Is access to the logged data protected by access control?
- Does the system support centralised logging? A central log server makes it easier to evaluate the logged data.
- Can logging be executed in such a way that the data protection laws are adhered to?
3. Updates
- Are updates and patches offered regularly for the product? Are security patches provided quickly after a security gap is made public?
- Can a software update enable the use of newer versions of the signalling and media transport protocols, in which security problems have been eliminated and additional security mechanisms are provided?
- Do the updates take into account the lower layers of the VoIP component (such as the operating system) and services not directly connected to the VoIP capabilities? To eliminate existing vulnerabilities in the operating system of the appliance or IT system, these components should also be updated.
- Are updates and patches secured in such a way that an update cannot be replaced by a manipulated version during transmission?
4. Administration
- Do the VoIP components support secure protocols for administration?
- Can the VoIP components be configured in such a way that the specified security objectives can be achieved?
- Can important configuration parameters be protected so that they cannot be changed by users?
- Can the VoIP components be administered using centrally controlled management software? Is the administrative interface designed in such a way that it points out incorrect, insecure, or inconsistent configurations or prevents them?
5. Encryption
To communicate with VoIP using encryption, the devices involved must provide the corresponding functionality. Depending on the protection requirements, though, it is possible during the planning phase to decide not to use encryption for internal VoIP communication. In spite of this, VoIP components that are equipped with encryption capabilities or for which encryption can be installed later on should still be purchased. The following aspects should be taken into account:
- Do the VoIP components support encryption of the media transport and signalling information or can the support be integrated later on?
- Can the VoIP components be operated as VPN end points?
Selection of telecommunication systems (middleware)
Telephony is often an essential business process. For this reason, high requirements are placed on its availability, among other things. The following criteria should be considered when purchasing such systems:
- Is the VoIP middleware designed to support redundancy?
- Does the manufacturer offer high-availability solutions, if necessary?
- Should one or more central devices provide the overall VoIP functionality or should several separate, independent devices be purchased?
Examples of separate, independent devices include SIP registrars, proxy servers, and location servers. Systems that provide all VoIP functionality in a single, overall solution are often easier to configure. It is easier, though, to scale the system when several distributed systems are used. Since the administration of numerous devices is often more complicated, faulty configurations are more probable in this case.
Selection of the active network components
If new network components such as switches need to be purchased for the migration to VoIP, these components also need to meet special requirements. If an existing data network is to be used for VoIP, the devices must recognise VoIP packets and be able to forward them with a higher priority. If you want to be able to make telephone calls between two local networks over an insecure data network like the Internet, then additional requirements must be specified. If no encryption procedures have been implemented yet, it should be possible to operate the gateways connected to the insecure network as VPN end points, for example.
Review questions:
- Does the requirements list also take into consideration the IT security features needed to attain the targeted level of security?
- Is there a rule governing the evaluation of the hardware and software products available on the market in accordance with the requirements list?
- Is there a rule governing how the purchase decision is made on the basis of the evaluation?