S 4.287 Secure administration of VoIP middleware
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
VoIP middleware essentially consists of server systems, which must be protected by the same security safeguards as any other server. In addition, safeguards are required against the specific threats that arise from the use of VoIP systems.
VoIP components must be configured securely before they are put into operation for the first time, and the initial installation must be documented. The following aspects must be taken into account for secure configuration and administration.
Features
VoIP systems, just like traditional PBX systems, offer a large number of features. Before a VoIP system is put into operation, it must be clarified which features and functions are available and which of them are actually needed (see S 2.372 Planning the use of VoIP). Features that are not needed, as well as features that are security-critical, must be disabled. Security-critical features include, for example, barging in on an existing call (call intrusion), room monitoring functions and the intercom mode.
Administration and access
The middleware must always be administered and configured either locally at the console or over a secure connection, for example via Secure Shell (SSH) or an encrypted VPN connection.
Many VoIP systems can be configured through a web interface. The web server installed for this purpose is itself an additional attack surface. It is therefore recommended not to run the web server for a web-based configuration interface on the components that are critical to call processing, such as a gateway or gatekeeper, but on a separate, non-critical system. Web-based configuration must always take place over an encrypted connection, for example HTTPS with TLS.
When planning the administration concept, a role concept with several different authorisation levels should be developed. At least two people should be assigned to every role so that a substitute is available when necessary.
VoIP components such as softphones or middleware applications are commonly installed on standard PCs running widely used operating systems. The people who administer the operating system should be different from those who administer the VoIP applications.
Configuration changes should be logged by the system in such a way that manipulations can be detected quickly. The logged data itself must be protected against manipulation, and where possible administrators should have no access to it. To achieve this, the logged data can, for example, be written to WORM media or to a separate log host, and read access can be restricted to the auditors.
Backup
A comprehensive data backup policy is a basic requirement both for restoring availability quickly after a failure and for being able to check the integrity of the configuration at any time. Where backups contain personal data, for example the connection data of individual users, they must be protected against unauthorised access, for example by storing them in encrypted form.
Software security
It must be ensured that the software used is always up-to-date and that any security-relevant patches are installed immediately. This applies especially to the operating system used.
It must be ensured that only genuine updates and patches from the manufacturer are installed. This applies to the procurement, for example the download from the manufacturer's website, as well as to the transfer of the files to the VoIP components. The following safeguards make manipulation in transit more difficult or easier to detect:
- comparison of checksums against the values published by the manufacturer
- use of secure communication channels for the download and the transfer
- verification of digital signatures and the certificates used to sign the updates
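The checksum comparison listed above, as an added shell example (not part of the safeguard text): a script that verifies a downloaded update against the manufacturer's published SHA-256 checksum list and rejects a file whose digest differs or that is not listed at all. File names, file contents and the directory layout are constructed for the demonstration; the signature check on the checksum list itself (the "use of certificates" item) is a separate step that is not shown here.

```shell
#!/bin/sh
# Added example (not from the BSI catalogue): verify a downloaded update
# against the vendor's published SHA-256 checksum list before it is copied
# to the VoIP middleware. All file names and contents below are constructed.

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_update FILE CHECKSUM_FILE
# CHECKSUM_FILE has the usual "<hex digest>  <filename>" layout produced by
# sha256sum. Returns 0 when FILE's digest matches the listed one, 1 when it
# differs or when FILE is not listed at all (both cases must block installation).
verify_update() {
    pkg=$1
    sums=$2
    name=$(basename "$pkg")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "REJECT: $name is not listed in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$pkg")
    if [ "$actual" != "$expected" ]; then
        echo "REJECT: digest mismatch for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "OK: $name matches the published checksum"
    return 0
}

# demo_results: builds a constructed update file and its checksum list, then
# a copy "intercepted in transit" with one byte appended under the same name.
# Prints "good=<rc> tampered=<rc> unlisted=<rc>" with the three return codes.
demo_results() {
    good=$(mktemp -d)
    bad=$(mktemp -d)
    printf 'voip-middleware firmware 4.2.1 (constructed sample)\n' > "$good/mw-4.2.1.bin"
    printf '%s  mw-4.2.1.bin\n' "$(sha256_of "$good/mw-4.2.1.bin")" > "$good/SHA256SUMS"
    cp "$good/mw-4.2.1.bin" "$bad/mw-4.2.1.bin"
    printf 'x' >> "$bad/mw-4.2.1.bin"          # manipulation in transit
    if verify_update "$good/mw-4.2.1.bin" "$good/SHA256SUMS" >/dev/null 2>&1; then g=0; else g=1; fi
    if verify_update "$bad/mw-4.2.1.bin" "$good/SHA256SUMS" >/dev/null 2>&1; then b=0; else b=1; fi
    # a file that is not in the list at all must be rejected as well
    if verify_update "$good/SHA256SUMS" "$good/SHA256SUMS" >/dev/null 2>&1; then u=0; else u=1; fi
    rm -rf "$good" "$bad"
    echo "good=$g tampered=$b unlisted=$u"
}

demo_results
```

In practice the checksum list is obtained over a separate, authenticated channel (the manufacturer's HTTPS site or a signed release note), and its signature is verified before the comparison; a checksum that travelled alongside the file it protects only detects accidental corruption, not a deliberate manipulation of both.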
The correctness of the software is decisive for the reliability of the overall system. The software that provides the basic functions of the telephone system, in particular call switching and the gateway function into the digital telephone networks, should therefore be designed according to a proven model and subjected to a special evaluation, ideally by an independent body.
Operating system security
The VoIP components should be designed in such a way that different services are operated on different servers (see also S 4.97 One service per server). However, it is not always possible to completely separate the services, especially on compact stand-alone systems usually only consisting of one hardware component.
The operating system used should be designed as a minimal operating system (see S 4.95 Minimal operating system) and the number of applications run on the middleware should be kept as low as possible. Every additional application may contain vulnerabilities that can be exploited for attacks. For this reason, it must be checked carefully which applications are actually needed. Unneeded applications must be uninstalled. Software only needed for installation purposes (for example compilers) should be deleted directly after installation. Unneeded network services should also be disabled and access to the remaining network services must be restricted using local packet filters.
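The local packet filter demanded in the paragraph above, as an added example that is not part of the safeguard text: a shell function that generates an nftables ruleset for a hardened middleware host on which only SSH/HTTPS administration and SIP/RTP remain as network services. The management and peer networks, the RTP port range and the table name are assumptions chosen for the demonstration and must be replaced by the values of the actual installation.

```shell
#!/bin/sh
# Added example (not from the BSI catalogue): generate a local packet filter
# ruleset (nftables syntax) for a VoIP middleware host on which only the
# needed network services remain. Networks, ports and names are assumed.

# voip_mw_ruleset MGMT_CIDR PEER_CIDR
# Prints an nftables ruleset that
#  - drops everything by default (policy drop),
#  - admits SSH and HTTPS administration only from MGMT_CIDR,
#  - admits SIP signalling and the RTP media range only from PEER_CIDR
#    (the gateways and registered peers this middleware actually talks to),
#  - logs and counts what it drops, so probes against disabled services
#    become visible in the logs.
voip_mw_ruleset() {
    mgmt=$1
    peers=$2
    cat <<EOF
table inet voip_mw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        # administration (SSH, HTTPS) only from the management network
        ip saddr $mgmt tcp dport { 22, 443 } accept
        # SIP signalling (UDP/TCP 5060, SIP over TLS 5061) only from known peers
        ip saddr $peers udp dport 5060 accept
        ip saddr $peers tcp dport { 5060, 5061 } accept
        # RTP/RTCP media range (assumed 10000-20000) only from known peers
        ip saddr $peers udp dport 10000-20000 accept
        log prefix "voip_mw drop: " counter drop
    }
}
EOF
}

# ruleset_has RULESET_TEXT PATTERN -> 0 if some line of the ruleset contains
# PATTERN as a fixed string, 1 otherwise (used to check the generated policy)
ruleset_has() {
    printf '%s\n' "$1" | grep -Fq -- "$2"
}

# constructed example networks: management LAN and SIP peer network
voip_mw_ruleset 10.0.0.0/24 192.0.2.0/24
```

Check the syntax before loading with `voip_mw_ruleset 10.0.0.0/24 192.0.2.0/24 | nft -c -f -`, then load the same output with `nft -f -`. The RTP rule is only needed if the middleware terminates or relays media itself; a pure signalling proxy or registrar does not need it, and the port range must match the one configured in the application. The `log ... drop` rule ties this safeguard to the logging requirements above: connection attempts to services that have been disabled are exactly the events an auditor wants to see.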
Review questions:
- Is the default configuration of the VoIP components changed before initial productive operation?
- Have unneeded features and security-critical features such as barging in on an existing call, room monitoring and the intercom mode been disabled?
- Is the middleware administered and configured only at the console or over secure connections?
- Use of VoIP middleware: Is there an administration concept containing a role concept with different authorisation levels?
- Does the administration of the operating system level and the VoIP application level correspond to the role concept and the authorisation structure?
- Use of VoIP middleware: Can manipulations and security incidents be identified from the logged data?
- Is the logged data protected by suitable security safeguards?
- Use of VoIP middleware: Are backups containing personal data protected against unauthorised access?
- Use of VoIP middleware: Are the software components used kept up to date based on regular updates from trustworthy sources?
- Use of VoIP middleware: Is there a rule regarding the separation of services and servers?
- Is the system hardened sufficiently by using a minimal operating system and by running only the applications that are actually needed?
- Has it been examined which applications are needed and have unneeded applications or network services been uninstalled, disabled, or restricted regarding their access?