Trouble on the Line
ON FEBRUARY 14, 1876, an inventor from Ohio filed a patent for a device that would transmit voice across telegraph lines. What he didn’t realize was that a mere two hours earlier, another inventor—Alexander Graham Bell—had filed a patent at the same office for the same type of invention. Despite contentions of bribery and theft, Bell, rather than Elisha Gray, is commonly remembered today as the genius behind the telephone.
Neither Gray nor Bell would likely recognize their invention today. In the 130 years since they built their first prototypes, the phone has evolved from the hand-cranked version through Touch Tone dialing and the Princess to the high-tech portable and cordless devices of today. The latest version of telephone communications is called VoIP (Voice over Internet Protocol). It allows users to take advantage of the Internet for phone calls.
Because VoIP communications travel across computer networks, they provide a host of advantages such as flexibility and low cost. Companies must recognize, however, that the networking of telephone communications also creates a new set of risks.
To help you understand the opportunities and the risks VoIP offers, we’ll first review the basics of how networks work and take a look at the challenges that face engineers tasked with building VoIP systems, as well as the tools they use to make this task simpler. We’ll then look at the setup challenges and threats presented by VoIP and examine how these can be addressed.
All networks, including both private intranets and the public Internet, rely on several protocols that define and control the way data bits find their way from point to point. These include two protocols that define the movement of data, and two that define how devices on a network communicate.
TCP/IP. Whether information is sent in the form of e-mail, voice, or video, when it travels across networks, it is broken into pieces, called packets, by the Transmission Control Protocol (TCP). TCP also provides information on how packets should be reconstructed at the end of the journey.
The Internet Protocol (IP) provides each packet with routing information that explains to the routers across the network where the packet is headed. IP is a critical element because every device connected to a network—whether it’s a VoIP telephone, a router, or a printer—needs to have a specific address in a language that IP can understand and that the rest of the network will use when referring to it. This address is called an IP address.
The combination of Transmission Control Protocol and Internet Protocol, or TCP/IP, forms the basic structure within which all other network protocols function. As packets travel toward their destination, routers along the way examine their IP data and move them to the next router depending on what route seems fastest and most efficient at that moment. That means that any two packets sent from the same starting point may travel different paths to the same destination.
This efficient means of communication is quite different from the way in which traditional phone networks work, where a circuit needs to remain open between the parties having a conversation, even when no one is speaking and nothing is being transmitted.
DHCP. When a device such as a VoIP-enabled telephone is attached to a network, it needs to be configured with the appropriate settings, including an IP address, before it will work. This configuration can be done manually, but it is typically done using Dynamic Host Control Protocol (DHCP), a technology that automatically assigns an IP address to devices connected to the network.
Most network administrators use DHCP to configure clients—which is what devices attached to the network are called—primarily because of the large number of devices that need configuration.
DHCP also helps to manage change, which is a constant in a world where many devices are mobile. In the past, when computers were all tied to a specific location (for example, a desktop computer), it made sense to configure them once and then expect that they would remain connected in the same place. This method still makes sense for nonportable items, such as mail servers, printers, and scanners; these have what are called “static” IP addresses. But mobile devices such as laptops need what are called “dynamic” addresses.
Imagine, for example, an executive using a laptop to connect to the Internet both at home and at work. Using DHCP at both locations prevents the need for manually reentering all of the network configuration information each time a connection is made.
Wireless networking makes the need for DHCP even greater, since movement between wireless access points (roaming) requires a new DHCP negotiation every time the user moves out of range of one transceiver and within range of another. Adding VoIP phones adds another layer of complexity, because they require more dynamically assigned settings than standard network devices.
DNS. While devices speak to each other in terms of IP addresses, human users have been given easier to remember address names for Web sites, such aswww.securitymanagement.com. These plain English names are what users type into their browsers, but the routers that direct traffic on the Internet are unable to understand this type of syntax. Rather, they require a numeric IP address to locate the correct Web server. The Domain Name System (DNS)—essentially a very sophisticated international 411 service—provides this translation service.
To continue with the securitymanagement.com example, a query is sent by a DNS server on behalf of the requesting device to an Internet root authority server, which responds to the request with the address of an authoritative server for all “.com” addresses to ask about this address. This “.com” server responds with the address for the requested securitymanagement.com domain. The requesting device is then informed that the address for the Web server for this domain is 18.104.22.168.
DNS technology provides this service to all IP-based networks. This includes VoIP services using DNS to locate the different types of servers that make up the VoIP system on the network. Because VoIP treats voice communications simply as digital data, VoIP phones must have IP addresses and all VoIP packets must have TCP/IP routing data and instructions for the packets to be reassembled in proper order.
VoIP scenarios can be extremely complex. Imagine an executive at a hotel in Japan using what’s called a softphone—VoIP software that allows a computer to be used as a phone. When the executive launches the softphone program, it connects to the hotel’s network and reaches across the Internet to the company’s network in the United States. It registers the softphone with the VoIP call manager at company headquarters. Then, when a call comes in to that executive’s office extension, it is automatically rerouted, instantly and without the knowledge of the caller, to the executive’s softphone in Japan.
Behind the scenes, the call is quickly and seamlessly rerouted across multiple networks and carriers, hopping between various IP addresses. This scenario becomes even more complex if an executive
is carrying a PDA or Wi-Fi-enabled VoIP phone such as a Wi-Fi BlackBerry.
Quality of service. Due to this complexity, it’s not surprising that configuration or other errors are common in VoIP setups. These errors can adversely affect quality of service, resulting in problems with volume and excess noise, or worse—no service at all. They can also open security holes that can be exploited by attackers. Common errors include DNS misconfigurations, attenuation, and improperly allocated IP addresses.
DNS errors. DNS is extremely important, yet difficult to get right. As a result, configuration errors are a major issue when it comes to VoIP. Giga Information Group estimated that 68 percent of public DNS servers at Fortune 500 companies are not configured correctly.
A serious DNS error will prevent the appropriate server from starting, resulting in no VoIP phone service and hours of script debugging by the configuration engineer. In a large organization, finding a single error is nearly impossible. Errors can be created quite simply by, for example, moving a phone from one office to another without notifying the administrator first.
Other types of DNS errors may allow the server to start, but will refer users somewhere other than where they had intended. Attackers can exploit these types of configuration errors by “spoofing” the IP address of a VoIP phone to gain access to the network or make a call that appears to originate from the phone of a company executive. (More security challenges are described later.)
Signal loss. Another factor that needs to be accounted for when using Ethernet (a common method of networking computers inside an organization) as a transmission medium is signal loss across distance, known as attenuation. Ethernet segments are not meant to exceed 300 feet without being repeated or retransmitted. Failure to follow this guideline for all segments leads to poor quality transmissions and signal loss.
Provisioning. Large companies typically have a huge number of IP addresses available, and the engineers who design an IP network need to decide how the IP addresses will be organized. This is part of what is known as provisioning the network. IT managers have been using spreadsheets for this purpose for years. However, this method is complex and cumbersome. Administrators use spreadsheets to track and manage the allocation of internal static IP addresses and pools of IP addresses used for DHCP. When changes are made (for example, a new server or printer is added to the networks) the administrator must refer to the spreadsheet to see if the requisite space is available on the company’s internal network.
This may be simple for small organizations, but for larger organizations with hundreds or thousands of employees, this task becomes quite difficult. For these organizations, the spreadsheets that are used to track IP changes rarely offer an accurate reflection of the network because changes happen so frequently.
VoIP further complicates this task, because when a company switches to VoIP, it doubles the number of IP addresses needed.
High availability. Most networks were not originally designed to operate at the highly available and dedicated service levels needed to support VoIP. If a Web page takes a little longer than usual to download, this is not considered a system failure. If a voice packet takes longer than normal to arrive however, that’s a definite system failure. High availability is therefore a critical deciding factor—and one that service providers must be able to guarantee to their customers.
Redundancy. High availability refers to a type of network design where redundancies are built into equipment and services to ensure that they are always available. Redundancy is the backbone of networks, because it costs most companies money and opportunity to be down; but with VoIP, even a few seconds of downtime can be disastrous. Therefore, it’s absolutely essential that the DNS and DHCP services in VoIP have high availability. When DHCP services are unavailable, new devices attaching to the network and devices that are rebooting have no access to the configuration information they require to join the network. When DNS services fail, VoIP phones (and everything else on the network) are unresponsive and the network is rendered useless.
So far, we’ve looked mostly at the reliability issues. Now, let’s look at the security issues related to VoIP networks. VoIP presents a security risk primarily because the service travels across the Internet, which has many extra nodes that could be vulnerable to attack compared to a standard phone network. VoIP systems are, therefore, vulnerable to threats such as denial-of-service (DoS) attacks and spoofing.
DoS. The most common threat to VoIP networks is a denial-of-service attack, in which an attacker floods a device with more packets than it was designed to handle. If there is insufficient network availability and bandwidth at the IP network level, then all services running on that network are affected. This kind of attack is frequently launched against networks running all types of applications, not just VoIP, but DoS attacks are perhaps easier to accomplish against VoIP because it doesn’t take a major attack to affect call quality by affecting latency (the amount of time voice data takes to move from endpoint to endpoint).
There are many types of denial-of-service attacks. They can be aimed at endpoints (phones), thus interfering with the user’s ability to communicate, or at a call controller, which could affect a number of phones by causing the controller to crash.
Spoofing. Spoofing occurs when an attacker mimics a server or manipulates an endpoint device to reroute calls. For example, a DHCP Server Insertion Attack takes place when a VoIP phone is joining the network and trying to connect to the proper servers to receive configuration settings. In this case, an attacker with a “rogue” DHCP server responds to the VoIP phone’s DHCP request for configuration before the legitimate DHCP server is able to. The attacker would then have the opportunity to configure the phone for other activity, such as personal use, or to secretly monitor conversations.
Many of the tools already in use to protect networks from intrusions and viruses are effective to some degree in protecting VoIP systems, but they can create other issues. For example, firewalls can block potentially dangerous IP traffic, but if they’re not designed specifically to handle VoIP traffic, they can have an adverse effect on quality of service by slowing traffic as it passes through. Encryption protocols such as IPsec and tools such as intrusion detection and prevention systems similarly raise the possibility of poor call quality as a result of latency.
As the popularity of VoIP has increased, new products are being designed specifically to eliminate these types of issues. VoIP-ready firewalls, for example, are made to streamline the movement of voice data with little or no latency.
There are also VoIP-specific network appliances that can protect DNS/DHCP services from threats that could compromise an enterprise’s operating system or application environment. Chief among these is what’s called IP Address Management (IPAM) tools.
IPAM. As with any type of computing, as complexity grows, so do security risks. Therefore, the more the network can be simplified, the more secure it can be made. The first way to raise security is to reduce the possibility of misconfigurations and simplify IP address management.
To do this, network administrators use IPAM-software and hardware tools (such as the ones made by the author’s company). These tools assist engineers in designing a high availability network, and they ensure that DNS and DHCP services are kept abreast of changes. They allow administrators to take full advantage of the flexibility of VoIP networks, and, as described later, they also provide a layer of security.
Design. IPAM systems allow engineers to create a network design at a conceptual level while the solution builds all of the necessary configurations underneath. A good system will allow for editing of these configurations and should be able to handle all of the complexities associated with physical wiring requirements and configuration management and checking.
When an organization deploys VoIP, a number of things must occur. First, the organization must assign a static IP address for core application servers and media servers (these are the VoIP equivalent of a private branch exchange, or PBX, used for standard corporate telephone networks). Then it must assign blocks of dynamically assignable IP addresses to be used by VoIP clients (handsets or software phones).
Administrators must also set up authentication services to reduce the risks of spoofing, session interception, DoS attacks, or other attacks. Doing all these tasks manually is time intensive and prone to error. An IPAM system speeds the setup and deployment time while reducing the risk of configuration errors by checking configuration changes prior to deployment.
IPAM tools also help properly provision the network to avoid quality-of-service issues. They work with network devices such as switches and routers to guarantee resource availability and minimize jitter, which results when packets arrive out of sequence; a call with jitter sounds like extremely poor cell-phone reception.
Updating data. If DHCP assigns an IP address to a VoIP telephone plugged into the network, the DNS entries must be updated to reflect this new device. IPAM tools feature configuration checkers that ensure that data is updated and valid and that all of the required records are present before the configuration is deployed on the network. Some IPAM systems will also follow all of the records once the server is live to ensure that they point to actual locations.
Sharing IP addresses. IPAM tools offer an additional benefit to companies using VoIP: they allow administrators to use and move IP addresses according to priorities. For example, imagine a company with a call center in Toronto, Canada. The call center closes at 6 p.m., and after that time, the IP addresses of the call center’s phones go unused.
Using IPAM tools, an administrator can, each night after 6 p.m., reallocate those IP addresses to the company’s call center in Australia, giving that office extra bandwidth for calls. Then, when the Australia office closes, the IP addresses are returned to the Toronto call center, saving the company money because it doesn’t have to purchase additional bandwidth for the Australia office.
To prevent or mitigate the effect of denial-of-service attacks, administrators can take additional proactive steps as well. For example, they can ensure that VoIP systems have high bandwidth available so that these systems can withstand a DoS attack. Extra bandwidth can either be purchased or initially designed into the network.
Server insertion attacks can be mitigated through the use of such security measures as traffic monitoring, hardware address filtering, and intrusion detection systems, which are also typically available as features in IPAM systems. In some cases firewalls can help prevent attacks, but many types of commonly employed firewalls do not provide the deep packet inspection needed to provide effective protection, and they may cause service problems as noted earlier.
Authentication. Proper authentication procedures before a phone logs into the network can also help protect endpoints. DHCP provides part of that security by doing MAC authentication, where it checks a unique number given to each network device (called a MAC address) to ensure that it’s authorized to join the network.
IPAM solutions can manage and work with existing corporate directories such as Active Directory (a Microsoft service that manages user data, security, and resources) or LDAP (Lightweight Directory Access Protocol), which helps to locate individuals or resources on a network. Using these authentication schemes can help stop spoofing, session hijacking, caller ID spoofing, and other threats.
More than a century ago, when Bell and Elisha Gray were experimenting with the first telephones, the emphasis was on getting the technology to work properly. Security was little considered, and thanks to the way the telephone system operates, never became a major concern. On the other hand, VoIP is by nature much more vulnerable to attack. Understanding the basics and making sure security is given first consideration are the first steps toward disconnecting risk.
Richard Hyatt is chief technology officer and cofounder of BlueCat Networks, a Richmond, Ontario, Canada-based maker of DNS, DHCP, and IPAM technologies used to secure VoIP-enabled networks.