S 4.289 Restricting the accessibility via VoIP
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
It is only advisable in a very limited number of cases to allow access to the VoIP components of a government agency and/or company directly from the internet. Direct access, for example by establishing a connection to an internal IP address, opens up numerous possible points of attack. For this reason, it must be decided how external parties will be permitted to contact the organisation via the VoIP architecture.
It must first be checked whether establishing direct VoIP connections from the outside should be permitted at all. It is often sufficient to allow connections from the outside only via the public circuit-switched telephone network. In this case, no internal VoIP components should be reachable from the public data network, and access from the public data network must also be impossible via the gateway operated between the public circuit-switched telephone network and the local VoIP network. However, prohibiting access from the outside via VoIP in general also has disadvantages. Even communication partners who are connected to a public data network then have to establish the connection via the public circuit-switched telephone network, and the costs incurred are generally higher than for a connection established directly to a VoIP address, for example to a SIP URL. Since accepting this disadvantage brings many other advantages in return, especially in security-critical environments, whether to allow accessibility from the outside via VoIP should be examined critically.
SPIT (Spam over Internet Telephony) is also avoided when connections from the outside are only permitted via the public circuit-switched telephone network. Since SPIT cannot then be delivered inexpensively over the data network, each call costs the sender as much as a call to a user who does not use VoIP.
However, if establishing connections to or from the public data network is to be allowed nevertheless, the decision, including the residual risks, must be documented and the corresponding security safeguards must be implemented. For example, all data traffic can be routed via a concentrator that answers connection requests like a proxy server and then forwards them to the next system, for example to another server or directly to a terminal device. When using a concentrator, the following aspects should be taken into consideration:
- Both the signalling information and the voice information transmitted between the public and private data networks must pass through the concentrator; individual direct connections must be prevented entirely. The packet filters and security gateways must also be configured in such a way that VoIP communication with external communication partners is only possible via the concentrator. For example, the concentrator can be operated in the demilitarised zone (DMZ) of the security gateway, which completely prevents direct connections from the local network to the public network and from the public network to the local network.
- Since there is no single uniform signalling standard, it is recommended to support as many signalling protocols as possible towards the outside. The concentrator should therefore be able to operate as a gateway between the protocol used in the local data network and the protocols available to external users.
- To prevent misuse, establishing a connection from the internal data network to the external data network should only be possible after authentication is provided on the concentrator.
- The concentrator should not be used for connections within the local data network.
- It must be specified which functions should be offered to external callers in addition to the voice communication function.
- The concentrator should detect and reject signalling and voice packets that do not conform to the protocol (for example, oversized packets).
- Since the concentrator can be accessed directly from the public data network, particular attention must be paid to its secure configuration.
- Communication partners from the public data network must know the IP address of the concentrator in order to establish a connection to it. It therefore makes sense to publish the concentrator's address by entering it in the DNS server of the government agency and/or company.
- The reception, processing, and forwarding of the voice and signalling information may require large amounts of resources. For this reason, an adequate number of network connections and adequate system resources must be provided.
- If high availability requirements are placed on this access, the concentrator should be designed redundantly. If the redundant design is also used to distribute the load, the remaining systems must still be able to provide sufficient resources to compensate for the failure of one system.
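The first and fourth points of the list above (all cross-zone VoIP traffic terminates on a concentrator in the DMZ; internal calls do not use it) can be expressed as a small policy model and then used to audit a flow log. The following is an added example, not code from the catalogue or from any product it mentions; the address ranges, the concentrator address, the SIP ports and the RTP port range are assumed values chosen for the example, and the flow sample is constructed. The same check answers the last review question at the end of this safeguard.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for the example (assumed addresses, not from the catalogue).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # local VoIP network
DMZ = ipaddress.ip_network("192.0.2.0/24")           # DMZ of the security gateway
CONCENTRATOR = ipaddress.ip_address("192.0.2.10")    # the authorised concentrator
SIP_PORTS = {5060, 5061}                              # signalling (assumed)
RTP_PORTS = range(10000, 20000)                       # media port range (assumed)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "udp" or "tcp"


def zone(addr: str) -> str:
    """Classify an address as internal, dmz or external."""
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "external"


def is_voip(flow: Flow) -> bool:
    """SIP on either side, or UDP media inside the assumed RTP range."""
    ports = (flow.sport, flow.dport)
    if any(p in SIP_PORTS for p in ports):
        return True
    return flow.proto == "udp" and any(p in RTP_PORTS for p in ports)


def decide(flow: Flow):
    """Policy decision for one flow: ('accept' | 'drop' | 'ignore', reason)."""
    if not is_voip(flow):
        return "ignore", "not VoIP; governed by other rules"
    zones = {zone(flow.src), zone(flow.dst)}
    endpoints = {ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)}
    if zones == {"internal"}:
        # Calls inside the local network stay local; the concentrator is not involved.
        return "accept", "internal call, concentrator not involved"
    if CONCENTRATOR not in endpoints:
        # Any VoIP flow that crosses a zone boundary must terminate on the concentrator.
        return "drop", "cross-zone VoIP that bypasses the concentrator"
    if zones in ({"internal", "dmz"}, {"external", "dmz"}):
        return "accept", "terminated on the concentrator"
    return "drop", "unexpected zone combination"


def audit(flows):
    """Return the flows a correctly configured packet filter must drop."""
    violations = []
    for flow in flows:
        verdict, reason = decide(flow)
        if verdict == "drop":
            violations.append((flow, reason))
    return violations


# Constructed flow sample, in the shape a firewall log would yield after parsing.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 5060, "192.0.2.10", 5060, "udp"),   # external -> concentrator
    Flow("10.1.2.3", 5060, "192.0.2.10", 5060, "udp"),      # internal -> concentrator
    Flow("10.1.2.3", 5060, "10.1.2.9", 5060, "udp"),        # internal call
    Flow("203.0.113.7", 5060, "10.1.2.3", 5060, "udp"),     # direct external -> phone
    Flow("10.1.2.3", 12000, "203.0.113.7", 12000, "udp"),   # direct RTP to the internet
    Flow("10.1.2.3", 44321, "203.0.113.7", 443, "tcp"),     # not VoIP
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} ({reason})")
```

The model deliberately treats the concentrator as the only permitted endpoint for any VoIP flow that crosses a zone boundary, so a phone that is reachable directly from the internet or that sends media directly to the internet shows up as a violation even if the signalling went through the concentrator correctly.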
Many manufacturers offer systems for this purpose, some of them proprietary. An alternative from the open source environment that meets many of these requirements is the Asterisk software telephone system, which can also be operated as an appliance. A further advantage of using a concentrator is that the problems caused by NAT (Network Address Translation) are avoided.
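The list above also requires the concentrator to reject signalling packets that do not conform to the protocol, oversized packets being the example given. The following added example (not code from the catalogue or from Asterisk) shows the kind of conformance check a SIP concentrator applies before forwarding a message: a size limit, a well-formed start line, the header fields RFC 3261 requires, a CSeq consistent with the method, and a Content-Length that matches the body. The size limit and the two sample messages are constructed for the example.

```python
import re

# Assumed per-message size limit on the concentrator (constructed value; RFC 3261
# fixes no limit, so the operator chooses one that fits the expected traffic).
MAX_MESSAGE_BYTES = 4096

REQUIRED_REQUEST_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")
REQUIRED_RESPONSE_HEADERS = ("via", "from", "to", "call-id", "cseq")
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER",
           "SUBSCRIBE", "NOTIFY", "INFO", "UPDATE", "PRACK", "REFER", "MESSAGE"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 [1-6]\d{2} .+$")
CSEQ = re.compile(r"^(\d+) ([A-Z]+)$")


def parse_headers(lines):
    """Fold continuation lines; return {lowercase name: [values]} or None if malformed."""
    headers, last = {}, None
    for line in lines:
        if line[:1] in (" ", "\t"):          # folded continuation of the previous header
            if last is None:
                return None
            headers[last][-1] += " " + line.strip()
            continue
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return headers


def check_sip_message(raw: bytes):
    """Return (ok, reason); a False verdict means the concentrator drops the message."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "message exceeds size limit"
    if b"\r\n\r\n" not in raw:
        return False, "missing header/body separator"
    head, body = raw.split(b"\r\n\r\n", 1)
    try:
        lines = head.decode("utf-8").split("\r\n")
    except UnicodeDecodeError:
        return False, "header block is not valid UTF-8"
    start = lines[0]
    request = REQUEST_LINE.match(start)
    if request:
        method = request.group(1)
        if method not in METHODS:
            return False, f"unknown method {method}"
        required = REQUIRED_REQUEST_HEADERS
    elif STATUS_LINE.match(start):
        method, required = None, REQUIRED_RESPONSE_HEADERS
    else:
        return False, "malformed start line"
    headers = parse_headers(lines[1:])
    if headers is None:
        return False, "malformed header line"
    missing = [h for h in required if h not in headers]
    if missing:
        return False, "missing header(s): " + ", ".join(missing)
    cseq = CSEQ.match(headers["cseq"][0])
    if not cseq or (method and cseq.group(2) != method):
        return False, "CSeq malformed or inconsistent with the request method"
    if method and not headers["max-forwards"][0].isdigit():
        return False, "Max-Forwards is not a number"
    declared = headers.get("content-length", ["0"])[0]
    if not declared.isdigit() or int(declared) != len(body):
        return False, f"Content-Length {declared!r} does not match body length {len(body)}"
    return True, "conforms"


# Constructed sample messages (example.test addresses, made-up identifiers).
GOOD_INVITE = (
    b"INVITE sip:bob@example.test SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: Alice <sip:alice@example.test>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@example.test>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"v=0\r\n"
)
GOOD_RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: Alice <sip:alice@example.test>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@example.test>;tag=8321234356\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, msg in (("invite", GOOD_INVITE), ("response", GOOD_RESPONSE),
                      ("oversized", GOOD_INVITE + b"x" * 5000)):
        print(name, check_sip_message(msg))
```

The check works on the raw bytes so that the Content-Length comparison counts body bytes rather than decoded characters; the size limit is applied before anything is parsed, which keeps an oversized message from consuming parser resources on the concentrator.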
Review questions:
- Is there a rule governing the way external communication partners may establish contact?
- Connection establishment via the circuit-switched telephone network: Is access to the VoIP architecture restricted in accordance with the security policy?
- Admissible connection establishment from or to the public data network: Have security safeguards in accordance with the security policy been implemented?
- Admissible direct connection establishment between terminal device and data network: Is there a risk analysis for the VoIP interface?
- Use of a concentrator: Is all signalling and voice information between the public and the private data networks passed through the authorised concentrator?