S 4.288 Secure administration of VoIP terminals
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Like the VoIP middleware, the VoIP terminal devices must also comply with numerous security policies. One difference from the security safeguards for the middleware lies in how these safeguards are configured securely on the terminal devices.
Trustworthy firmware updates
Many VoIP terminal devices offer the ability to update their firmware automatically. It must be ensured that new firmware is only installed to the terminal devices after successfully checking the authenticity and integrity of the code. If the manufacturer provides checksums for the updates or signs the update packages digitally, the checksums or signatures must be checked before installing the update. If the manufacturer does not provide any checksums, it must be ensured that the updates are only obtained from trustworthy sources.
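The check described above, written out as an added example (not code from the catalogue or from any VoIP vendor): the terminal, or the provisioning system that stages updates for it, recomputes the image's SHA-256, compares it with the digest the manufacturer published, and then checks the manufacturer's signature over that digest before anything is installed. The manifest format, the Ed25519 key pair and the firmware bytes are all constructed here; a real vendor's manifest layout and key distribution will differ.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for what a vendor publishes next to a
// firmware image: the SHA-256 of the image (hex) and a detached Ed25519
// signature over that digest. Real vendors use their own formats and keys.
type Manifest struct {
	SHA256Hex string
	Signature []byte
}

// VerifyFirmware returns nil only if the image's digest matches the manifest
// (integrity) and the digest carries a valid vendor signature (authenticity).
// The update is installed only when this returns nil.
func VerifyFirmware(image []byte, m Manifest, vendorPub ed25519.PublicKey) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("vendor public key has wrong length")
	}
	want, err := hex.DecodeString(m.SHA256Hex)
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest: malformed SHA-256 value")
	}
	got := sha256.Sum256(image)
	if !bytes.Equal(got[:], want) {
		return errors.New("integrity check failed: image digest does not match manifest")
	}
	// The signature covers the published digest rather than the raw image, so
	// the manifest can be checked before the (large) image is even fetched.
	if !ed25519.Verify(vendorPub, want, m.Signature) {
		return errors.New("authenticity check failed: manifest signature invalid")
	}
	return nil
}

// SignManifest models the vendor side for this example: hash the image and
// sign the digest with the vendor's private key.
func SignManifest(image []byte, vendorPriv ed25519.PrivateKey) Manifest {
	d := sha256.Sum256(image)
	return Manifest{
		SHA256Hex: hex.EncodeToString(d[:]),
		Signature: ed25519.Sign(vendorPriv, d[:]),
	}
}

func main() {
	// Constructed key pair standing in for the vendor's signing key; on a real
	// device the public key is installed once, out of band, by the administrator.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, not a real build")
	m := SignManifest(image, vendorPriv)

	fmt.Println("genuine image:", VerifyFirmware(image, m, vendorPub))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered image:", VerifyFirmware(tampered, m, vendorPub))

	// A manifest signed by someone other than the vendor must be rejected even
	// though its digest matches the image it describes.
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	forged := SignManifest(image, otherPriv)
	fmt.Println("foreign signature:", VerifyFirmware(image, forged, vendorPub))
}
```

If the manufacturer publishes only checksums and no signature, the digest comparison alone establishes integrity, not authenticity; that is why the text then requires the update to come from a trustworthy source.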
Trustworthy configurations and digital certificates
Most VoIP terminal devices offer a variety of configuration capabilities, for example local configuration on the terminal device itself, web-based configuration via a web server integrated into the terminal device, and automatic configuration in which the device "pulls" its configuration from an HTTP(S) or TFTP server.
Local configuration capabilities are seldom used in practice. They should be protected by a password and, if they are not used, disabled. Access to the web-based configuration should likewise only be possible with a password and over a secure connection, for example SSL or TLS. Using client certificates to authenticate the clients provides additional protection.
Automatic configuration via a TFTP server is not secure enough and should not be used; it should be disabled. In particular, automatic selection of a TFTP server during the DHCP boot procedure provides an attacker with numerous points of attack.
Automatic configuration should only be performed via an HTTPS server. The HTTPS server should provide authentication in the form of a certificate that can be checked by the end device before loading the configuration. The server certificate is usually installed manually on the terminal device the first time it is put into operation.
Security functionality
Many VoIP telephones offer password-based access control with one or more control levels (e.g. a user must log in or enter a password to obtain authorisation to dial an outside line). It must be decided whether users will only be permitted to use the telephone after logging in. If password protection is disabled, only emergency calls should be permitted. To prevent use by unauthorised persons, users must also block their telephones whenever they leave their desk, even if only for a short time.
Security functions such as login passwords or passwords for dialling an outside line must be thoroughly tested to see whether they are properly implemented before they are used in the production environment. Users should use these authentication mechanisms, but they must be informed of the mechanisms' weaknesses; otherwise there is a risk that the terminal devices will only appear to be secure.
Softphones are generally operated on standard PCs that are also used for other tasks. These PCs must also be administered so that an appropriate level of IT security is achieved on them. This includes, for example, safeguards ensuring that the microphone cannot be activated by third parties; otherwise an attacker could use the microphone for eavesdropping.
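The two control levels and the emergency-call exception from the two paragraphs above, modelled as an added example (not code from the catalogue or from any telephone manufacturer): a small call-authorisation policy plus the kind of self-test the text asks for before such a function goes into production. The emergency numbers, the trunk prefix "0" for an outside line and the terminal state fields are assumptions about the organisation's dialling plan and the phone's feature set.

```go
package main

import (
	"fmt"
	"strings"
)

// Terminal is the access-control state of one VoIP telephone, constructed for
// this example. The control levels from the text are modelled as LoggedIn
// (first level) and OutsideLineAuthorised (second level).
type Terminal struct {
	LoggedIn              bool // user has logged in with their password
	Locked                bool // user blocked the phone before leaving the desk
	OutsideLineAuthorised bool // outside-line password entered for this session
}

// emergencyNumbers and trunkPrefix are assumptions about the dialling plan:
// the numbers that must always connect, and the prefix that seizes an outside
// line. Both must be adapted to the organisation's own plan.
var emergencyNumbers = map[string]bool{"112": true, "110": true}

const trunkPrefix = "0"

// Authorize decides whether the terminal may place a call to number and
// explains the decision. Emergency calls are permitted in every state.
func Authorize(t Terminal, number string) (bool, string) {
	number = strings.TrimSpace(number)
	if emergencyNumbers[number] {
		return true, "emergency call: permitted without login"
	}
	if !t.LoggedIn {
		return false, "not logged in: only emergency calls permitted"
	}
	if t.Locked {
		return false, "terminal blocked: only emergency calls permitted"
	}
	if strings.HasPrefix(number, trunkPrefix) && !t.OutsideLineAuthorised {
		return false, "outside line: outside-line password required"
	}
	return true, "permitted"
}

// policyCase is one expectation for the policy, used to test the access
// control before the configuration goes into production.
type policyCase struct {
	name   string
	state  Terminal
	number string
	want   bool
}

// SelfTest runs the policy against the expectations and returns the names of
// the cases that do not behave as required; an empty slice means all passed.
func SelfTest() []string {
	cases := []policyCase{
		{"emergency without login", Terminal{}, "112", true},
		{"emergency while blocked", Terminal{LoggedIn: true, Locked: true}, "110", true},
		{"internal call without login", Terminal{}, "2345", false},
		{"internal call when logged in", Terminal{LoggedIn: true}, "2345", true},
		{"internal call while blocked", Terminal{LoggedIn: true, Locked: true}, "2345", false},
		{"outside line without 2nd level", Terminal{LoggedIn: true}, "0301234567", false},
		{"outside line with 2nd level", Terminal{LoggedIn: true, OutsideLineAuthorised: true}, "0301234567", true},
	}
	var failed []string
	for _, c := range cases {
		if got, _ := Authorize(c.state, c.number); got != c.want {
			failed = append(failed, c.name)
		}
	}
	return failed
}

func main() {
	if failed := SelfTest(); len(failed) > 0 {
		fmt.Println("policy FAILED for:", strings.Join(failed, ", "))
		return
	}
	fmt.Println("policy self-test passed")
	ok, why := Authorize(Terminal{LoggedIn: true}, "0301234567")
	fmt.Println(ok, why)
}
```

The self-test table is the part worth keeping: it records what the administrator expects each control level to do, so a firmware update that silently changes the behaviour is caught before the phones are rolled out.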
Due to the large number of possible points of attack offered by complex workstation systems, softphones should not be used on workstations when the protection requirements are high or very high.
The documentation of the components will often contain information on the supported security functions. The security functions actually activated must be documented.
Review questions:
- Are the authenticity and integrity of firmware, updates, and patches verified before installation to the terminal devices?
- Are unneeded functions of the terminal devices disabled in the configuration settings?
- When using the local configuration: Is access to the local configuration protected by recognised access features?
- When using the web-based configuration: Is access to the web-based configuration secured using secure paths and access features?
- When using the automatic configuration: Are the communication partners mutually authenticated prior to configuration?
- When using the login function: Do the users block their terminal device during periods of absence and are emergency services also available without login?
- Are the security functions of the terminal devices tested before productive use?
- Use of softphones: Does the level of security of the IT system the softphone is operated on correspond to the security requirements of the organisation?
- In the event of high or very high protection requirements: Is the use of softphones avoided?
- Are the security mechanisms and the parameters used documented?
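The review questions above and the documentation requirement earlier in the text can be turned into a repeatable check. The following is an added example (not code from the catalogue or from any manufacturer) that audits a vendor-neutral view of a phone's configuration against the requirements of this safeguard and lists the security functions actually activated, in the form the documentation should record. The DeviceConfig fields, the "factory" and "hardened" sample settings and the service name "telnet" are constructed; a real audit maps each field to the vendor's own parameter names.

```go
package main

import (
	"fmt"
	"strings"
)

// DeviceConfig is a constructed, vendor-neutral view of the settings this
// safeguard talks about.
type DeviceConfig struct {
	Model string

	LocalConfigEnabled  bool
	LocalConfigPassword bool

	WebConfigEnabled    bool
	WebConfigHTTPSOnly  bool
	WebConfigPassword   bool
	WebConfigClientCert bool // optional additional protection

	TFTPProvisioning             bool
	ProvisioningViaHTTPS         bool
	ProvisioningServerCertPinned bool // server certificate installed on the phone

	FirmwareSignatureCheck bool
	UnusedServicesEnabled  []string
}

// Audit returns one finding per requirement of the safeguard that the
// configuration does not meet; an empty result means the device passes.
func Audit(c DeviceConfig) []string {
	var f []string
	if !c.FirmwareSignatureCheck {
		f = append(f, "firmware updates are installed without checksum/signature verification")
	}
	if c.LocalConfigEnabled && !c.LocalConfigPassword {
		f = append(f, "local configuration is enabled but not password protected")
	}
	if c.WebConfigEnabled {
		if !c.WebConfigPassword {
			f = append(f, "web-based configuration is not password protected")
		}
		if !c.WebConfigHTTPSOnly {
			f = append(f, "web-based configuration is reachable over plain HTTP")
		}
	}
	if c.TFTPProvisioning {
		f = append(f, "automatic configuration via TFTP is enabled")
	}
	if c.ProvisioningViaHTTPS && !c.ProvisioningServerCertPinned {
		f = append(f, "HTTPS provisioning does not check the server certificate against an installed one")
	}
	if len(c.UnusedServicesEnabled) > 0 {
		f = append(f, "unneeded services still enabled: "+strings.Join(c.UnusedServicesEnabled, ", "))
	}
	return f
}

// ActiveSecurityFunctions lists the security functions that are switched on,
// which is what the text asks to be documented.
func ActiveSecurityFunctions(c DeviceConfig) []string {
	var a []string
	if c.FirmwareSignatureCheck {
		a = append(a, "firmware checksum/signature check")
	}
	if !c.LocalConfigEnabled {
		a = append(a, "local configuration: disabled")
	} else if c.LocalConfigPassword {
		a = append(a, "local configuration: password")
	}
	if c.WebConfigEnabled && c.WebConfigHTTPSOnly && c.WebConfigPassword {
		a = append(a, "web configuration: HTTPS + password")
	}
	if c.WebConfigEnabled && c.WebConfigClientCert {
		a = append(a, "web configuration: client certificate")
	}
	if !c.TFTPProvisioning {
		a = append(a, "TFTP provisioning: disabled")
	}
	if c.ProvisioningViaHTTPS && c.ProvisioningServerCertPinned {
		a = append(a, "HTTPS provisioning: installed server certificate")
	}
	return a
}

func main() {
	// Constructed sample: a phone as it often arrives from the factory.
	factory := DeviceConfig{
		Model: "example-phone (factory)", LocalConfigEnabled: true, WebConfigEnabled: true,
		TFTPProvisioning: true, UnusedServicesEnabled: []string{"telnet"},
	}
	// The same phone after this safeguard has been applied.
	hardened := DeviceConfig{
		Model: "example-phone (hardened)", LocalConfigEnabled: false,
		WebConfigEnabled: true, WebConfigHTTPSOnly: true, WebConfigPassword: true, WebConfigClientCert: true,
		ProvisioningViaHTTPS: true, ProvisioningServerCertPinned: true,
		FirmwareSignatureCheck: true,
	}
	for _, c := range []DeviceConfig{factory, hardened} {
		fmt.Printf("%s: %d finding(s)\n", c.Model, len(Audit(c)))
		for _, s := range Audit(c) {
			fmt.Println("  FAIL:", s)
		}
		for _, s := range ActiveSecurityFunctions(c) {
			fmt.Println("  active:", s)
		}
	}
}
```

Run against an export of every phone's settings, the findings list answers the review questions for each device, and the list of active functions is the documentation the last review question asks for.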