Dial VoIP For Vulnerability

Phone service is abruptly cut off at a Wall Street brokerage after a hacker launches a full-scale denial-of-service attack, flooding the firm’s voice servers with registration requests. An Internet worm makes its way from a retail giant’s data network to its voice network, shutting down call centers and costing millions in lost revenue. An imposter enters the phone network of a top government agency and makes away with classified information by spoofing his caller ID.

Sound far-fetched? According to security experts, such scenarios are not only plausible, they may be inevitable as companies and government agencies around the world scrap

their traditional circuit-switched phone systems and move to voice over IP (VoIP). By sending voice calls over the Internet, companies are saving millions of dollars and gaining flexibility to provide multimedia services at the desktop. But they are also exposing their voice systems to all of the hazards that now plague data networks, including worms, viruses, denial-of-service attacks, spam over Internet telephony (SPIT), eavesdropping and fraud. And they are increasing their vulnerability to attacks against the rest of the network by creating new openings into critical infrastructure, networks and systems.

CIOs ready to take the plunge with VoIP need to understand that data firewalls alone won’t protect them. They need only look to the past to remember the state of the Internet 10 years ago, when security was usually an afterthought. That was before the Nimda and Sasser worms and countless other threats came to haunt them. To head off attacks on their voice networks, IT executives need to devise a plan that includes voice encryption, authentication, VoIP-specific firewalls, and the separation of voice and data traffic. They also need to ensure redundancy in case of power loss (most traditional phone networks already require backup, but the systems will need to be expanded with VoIP). And they will have to physically secure voice servers and other equipment from intruders.

Traditional private branch exchange (PBX) phone systems have their own vulnerabilities, and in the past hackers have broken into large phone and voice mail networks. But VoIP expands vulnerability, offering more opportunities for hackers to gain access. In a recent 93-page report on VoIP security, the National Institute of Standards and Technology notes that in most offices there are many more points to connect to a LAN than there are points to connect to a PBX box. “Based on the history of attacks on various Internet services and things we’ve seen, it’s inevitable that there will be attacks on VoIP networks,” says Rick Kuhn, a computer scientist at NIST and coauthor of the report. “Eventually, someone will find a way to take advantage of it.”

Some experts are even urging Congress to consider VoIP security implications as it starts to revise the Telecommunications Act of 1996. They believe the government may need to impose new standards or requirements for critical infrastructure, especially where it relates to emergency services or national security. “I do know that if there is a significant VoIP security event, there will be a reaction from Congress and the executive branch,” says Roger Cressey, a former White House cybersecurity official from 1999 to 2002 and now the president of Good Harbor Consulting.

CIOs who have already begun using VoIP advise those considering it to start focusing on security now. That way, they can avoid the expense and frustration of patching and fixing their systems after the fact. “You’ll be sorry if security is an afterthought with VoIP,” says Gary Heller, deputy CIO for the Arizona Healthcare Cost Containment System, the state agency that administers Medicaid. Heller recently helped install VoIP between the agency’s five metro Phoenix offices and its 11 call centers. “We’re comfortable now only because we took the time to do the due diligence and proactive monitoring that can lead to a safe VoIP environment. If we didn’t have all that, I’d be scared.” Here’s what a number of early VoIP adopters have done to realize the cost savings of VoIP and to save their companies from a potential disaster.

Full VoIP Ahead

With VoIP, PBXs—the backbone of the traditional phone system—are replaced by IP voice servers that usually run on Microsoft or Linux operating systems. These “call management boxes” deliver VoIP services and log call information—and they are susceptible to virus attacks and hackers. VoIP is even more sensitive than data when it comes to disruption and packet loss. Yet many security measures that are applied to data networks don’t work well for VoIP. For example, traditional firewalls can result in delays or blocked calls, and encryption can cause “latency” and “jitter” (packet slowdowns that can disrupt calls). As a result, security techniques must be specialized for VoIP. And it should go without saying that VoIP equipment should be placed in a secure, locked location.

Despite the perceived gaps in VoIP security, there haven’t been any reports of large-scale cyberattacks or security breaches of VoIP networks. That’s due in part to the fact that vendors and service providers are offering a wider variety of VoIP firewalls, intrusion prevention systems and other protective devices when they install the systems. VoIP adoption also is still in its early phases. According to Osterman Research, only one in 10 U.S. companies has deployed VoIP in the workplace. But that will soon change. By late 2007, the research firm predicts, 45 percent of companies will have some form of VoIP, and adoption is expected to accelerate thereafter as many large organizations will need to replace aging telecommunications infrastructures.

Already, experts say early VoIP adopters have suffered voice-line outages. For example, a Merrill Lynch manager of voice product development said at a major VoIP conference last fall that e-mail viruses including Sasser and Code Red took down the company’s VoIP network for two to four hours because it rode on top of the data network. Darrell Epps, director of the convergence and IP telephony professional services practice for NextiraOne, a consulting and integration company, confirms that some Fortune 500 companies using VoIP have already suffered from VoIP hacking incidents that have hurt company operations.

For many organizations, however, the low cost and convenience of VoIP outweigh the potential security risks and possible phone outages. Despite its previous voice-line outage, Merrill Lynch recently signed deals with Cisco and Avaya for extensive VoIP rollouts in its headquarters and branch offices. (Merrill Lynch officials did not respond to a request to be interviewed for this story.)

In addition to saving money on long-distance calls and intra-office calls, VoIP users say they will also economize by managing one converged data network instead of separate voice and data lines. VoIP is also expected to bring multimedia services to the desktop and, in some cases, improve customer service. For example, customers trying to reach a Web-based, VoIP-enabled call center would be able to click on a hyperlink to start a conversation with a live service agent. And traveling employees with VoIP can make and receive calls from their home office numbers via their laptops.

Prepare for Safe Dialing

For Steve Novak, CIO at the Chicago-based law firm Kirkland & Ellis, VoIP technology isn’t new. In his previous role at 3Com, Novak was part of the team that made one of the country’s first-ever VoIP calls at a Las Vegas trade show in 1997. “We set up an old Bell phone booth on stage and the call worked,” Novak recalls. “People were stunned and I remember thinking at the time that the technology held a lot of promise.”

Since becoming CIO at Kirkland & Ellis, however, Novak has taken a cautious approach to VoIP. Instead of moving quickly to install the technology throughout the law firm, which has offices in seven cities around the world, Novak and his team decided to move slowly and use VoIP on calls only within the company at first. VoIP security experts suggest that those new to VoIP take Novak’s approach by implementing the technology within their organizations in a slow, phased process. Then, by the time they introduce the riskier public network connections, they will be more familiar with the technology.

“The most critical success factor for VoIP is rock-solid infrastructure,” says Novak. In Novak’s case, that means improving backup power with an uninterruptible power supply system, backed up by a generator and a fully redundant network. He even suggests running power over Ethernet (PoE) to provide extra redundancy. “If you have a cable break, you can’t tolerate loss of voice,” Novak says. “Data has never been driven to the same real-time requirements.”

Now when an attorney in London calls the company’s San Francisco office, the call is routed out of a traditional PBX into the firm’s IP backbone and converted to an IP stream across a WAN. When it arrives at the destination, it’s converted into standard time division multiplexing (TDM) and sent to a legacy PBX. So while Kirkland & Ellis is eliminating long-distance charges by using the IP system, it is not yet hooking into the public network from the firm. In the current configuration, it hasn’t yet run VoIP out to the desktop in a significant way, so it is not yet taking big security risks. As the company plans to replace aging legacy telephone infrastructure during the coming years, it will move to a primarily VoIP network. “By that time we will be better prepared for the security challenges,” Novak says.

Heller of Arizona’s Medicaid agency agrees that a gradual approach to VoIP helped him prepare for the security challenges of a VoIP implementation. The agency first started using VoIP for long-distance calls between offices four years ago. After an initial period of training and piloting while the agency still had its two legacy PBX systems to fall back on, it decided to replace the system with VoIP at five of its metro Phoenix offices and 11 call centers; its remote offices are still using the PBX systems. Heller says the Arizona agency is saving $425,000 a year after scrapping the traditional circuit-switched phone system for its main offices and call centers. But first he implemented strenuous safeguards, including the encryption of voice traffic, separating voice and data networks, and using a long list of intrusion protection and antivirus products. His team also monitors the voice servers at all times.

Investing in base infrastructure and encryption can add to the cost of moving to VoIP. But Novak says that the VoIP-related investments—which in his case included moving to a pure IP network core—added to the company’s overall network security. “Purely financial savings are not enough to drive you to VoIP at this point,” he says, noting that long-distance rates have been falling. But companies that don’t move to VoIP will miss out on some important technological advantages. In his case, VoIP will increase mobility and collaboration by allowing his firm’s attorneys to reroute their voice traffic anywhere in the world while they are on the road.

Separate Your Traffic

When a virus hit the network at Worcester Polytechnic Institute (WPI) in 2004, the university’s VoIP-enabled phone system didn’t suffer. That’s because Tom Lynch, vice president of IT and CIO, and Sean O’Connor, director of network operations and security, understood that security planning was key to maintaining a reliable VoIP network. O’Connor and Lynch have spent the past year testing a Nortel VoIP system that will allow students and faculty studying abroad to communicate with the school via their laptops. The school is also migrating part of its on-campus phone network to VoIP, although for the moment it plans to maintain a hybrid system that will combine the new technology with the old by integrating the VoIP services into the college’s legacy Nortel PBX.

In addition to putting up multiple application firewalls, O’Connor and Lynch set up a virtual LAN for voice traffic to help protect it from viruses that could hit the data network. So when that virus hit the campus last year, it never made it onto the VoIP system. “The key is to separate the voice traffic from everyday Internet traffic,” says O’Connor. A virtual LAN (VLAN) can protect voice traffic by setting aside a certain amount of bandwidth and separating voice and data by creating “logical barriers.”

Bill Ashton, director of IT for the town of Herndon, Va., feels comfortable with his recently installed VoIP systems in part because he too has VLANs. Ashton recently moved six town facilities and 160 employees to VoIP telephones and plans to roll out VoIP service to the town’s public safety department this summer. However, 911 calls in Herndon will remain on analog lines to keep the call center infrastructure consistent countywide. Public safety officials have expressed concern that calls via a VoIP line may not always reach 911, and that 911 dispatchers cannot trace the location of people calling on VoIP. In early June, the Federal Communications Commission issued rules that will require VoIP service providers to warn consumers their calls may have trouble reaching a 911 operator.

Emergency services aside, Ashton says he believes VoIP is safe if installed with care. “There will be hacker attacks down the road, so it pays not to cut corners,” he says. “If there is one thing I could get fired for, it would be if The Washington Post reported that our public safety system has problems.”

VLANs, firewalls and gateways can keep intruders out of the VoIP system, but they don’t protect against internal hackers. To add another layer of security to a VoIP system, users should encrypt the “packets” just as they do with data networks. Encryption is important regardless of the protocol being used. (The two main protocols are Session Initiation Protocol, or SIP, and H.323.)

Many VoIP experts now believe that SIP is gaining momentum as the industry searches for common standards. In its basic form, however, SIP traffic is “clear text,” which means that voice traffic is vulnerable to “packet sniffers” looking for caller IDs or passwords. According to Chris Rouland, CTO at security firm Internet Security Systems, it’s as easy to intercept unencrypted VoIP calls as it is to use an iPod. By downloading software off the Internet, hackers can intercept calls “with a simple click,” he says. In order to protect caller IDs, phone addresses and account information, VoIP users need to encrypt SIP traffic.

Even so, VoIP observers say, encryption isn’t yet standard practice. “There’s a lot of unencrypted VoIP traffic out there,” says Good Harbor’s Cressey. That’s largely because encryption can be cumbersome and expensive. At Kirkland & Ellis, Novak says he spent three months working out encryption-related problems that affected VoIP call quality. In addition to extensive testing and tuning, he is now using a suite of monitoring tools that sample the VoIP network every 30 seconds and alert him if quality has dropped off.

Calculate Your Risk

For O’Connor and Lynch at WPI, migrating to VoIP involves careful calculation of how much risk they are willing to take. For example, while they are comfortable with the idea of administrators, instructors and students using VoIP for basic phone service, they have decided not to include campus security phones on the network. “We are leaving all security phones and kiosks on the copper systems, which have a higher level of reliability,” says O’Connor.

O’Connor and other early VoIP adopters say with the current state of VoIP technology, organizations need to decide early which security risks are not worth taking. These may include phones for security and emergency services. “Essential telephone services, unless carefully planned, deployed and maintained, will be at greater risk if based on VoIP,” according to the NIST report.

At WPI, O’Connor and Lynch are experimenting with “soft phones” (ordinary PCs with headsets and special software configured to make VoIP calls) for students and faculty who are studying abroad and need to communicate with the school from areas such as Namibia and Thailand. Soft phones offer a way to keep in touch from remote places at lower costs. In a recent test of the soft phones, in which the students and faculty at a facility in Australia made calls over their laptops, O’Connor says he was pleasantly surprised by the quality of service.

Others, however, might not want to take that risk. The NIST report discourages the use of soft phone systems where security and privacy are a concern. “Worms, viruses and other malicious software are extraordinarily common on PCs connected to the Internet and very difficult to defend against,” the report states.

The NIST report also warns that even if those deploying VoIP systems follow all of the recommendations by installing firewalls and intrusion detection systems and encrypting their voice traffic, they will still need locks and security guards to make sure attackers don’t get access to the servers.

Heller agrees. “It’s important with VoIP that you don’t forget about the actual physical security of your voice servers,” he says. While his legacy PBX system was housed in two large cabinets, the VoIP system uses a total of 50 voice servers to achieve complete redundancy. They are located in locked facilities, and only a few select people have access.

“VoIP has a lot of advantages, but there is no question it puts your voice system at greater risk,” says Heller. “You’ve got to watch out for new dangers.”

Senior Writer Susannah Patton can be reached at spatton@cio.com.