Security in telecommunications covers a wide range of issues. The enterprise wants to ensure that its communications systems and services are not abused. There is always the issue of toll fraud. Attackers can use the network connections to invade an enterprise’s network resources. There will always be negligent users. The protections that must be implemented go in both directions, users misusing resources and external attackers. The problems have been ongoing for years in the TDM/PSTN world. The introduction of Voice over IP (VoIP) further adds to the security issues.
Legacy/TDM Security Issues
There are a wide variety of internal and external security threats to enterprise telecom networks. Although most organizations have made significant investments in securing their corporate data networks (LANs) with Internet firewalls – Session Border Controllers (SBC), management services, and the like – few have recognized and addressed the significant and potentially devastating security issues associated with unsecured corporate phone lines and
switches connected to the PSTN.
Ironically, the majority of the internal data networks, which organizations are paying so handsomely to protect, remain highly vulnerable to back-door hacker attacks through unsecured corporate phone lines. The simple and sobering reality—one on which all too many hackers depend—is that corporate data networks are only as secure as their corresponding phone networks.
Additional threats include the significant and complex issues of toll fraud, expensive vanity/premium rate calls, line misuse and abuse, telephony system tampering, information theft, unauthorized dial-up Internet connectivity over phone lines, computer virus re-infections over phone lines, and other forms of unauthorized traffic—not to mention the multitude of new and severe threats to enterprise voice communications introduced by enterprise VoIP or IP Telephony.
The following list of questions focuses on the security, reliability, performance, and confidentiality of your enterprise voice network infrastructure and communications. This list is by no means exhaustive, but it can be used as an effective security audit and assessment tool for profiling the security posture of your corporate telecom network, and as a starting point in addressing your organization’s telecom security challenges.
Sections I through VIII discuss general telecom security issues and specific threats common to legacy PBX/TDM and IP telephony (VoIP) environments. Sections IX and X cover specific issues concerning VoIP or IP Telephony systems.
I. General Vulnerability Assessments & Security Planning
Q1. Do you maintain and periodically update a security plan for your telephony network? Strong security begins with policy and procedure development, enforcement, and ongoing review. Maintain written security policies and procedures for your voice network just as you do for your traditional data network.
Q2. Can the written security plan and its network usage policies be effectively enforced? Employ telephony security systems that automate granular, enterprise-wide security policy enforcement and real-time monitoring instead of attempting to address unauthorized modem connections and other forms of unauthorized traffic and malicious activity by relying on general call class restrictions in the PBX and manual phone station inspections.
Q3. Are periodic security vulnerability assessments performed on your voice network? Organized efforts to identify vulnerabilities by attempting to break the security of your voice network and its systems should be performed at least once a year or more frequently if attacks are detected.
Q4. Are the vulnerability assessments performed by certified, external security auditors? Third-party security professionals are more likely to perform objective and exhaustive security tests that incorporate up-to-date information regarding known vulnerabilities.
Q5. If independent assessments are performed, does the security auditor use assessment tools from third-party telecom security vendors, or “homegrown” tools? Third-party vendor assessment tools provide “best of breed” capabilities.
Q6. Does your organization subscribe to a managed telecom security monitoring service? Off-site monitoring response and remediation services will alert your organization to attacks and other security events, plus educate your internal staff on new vulnerabilities and best practice policies and procedures.
Q7. Is the assessment strictly supervised, and the resulting information well protected? Participants in the assessment, or those with access to threat documentation, will have knowledge of organization’s vulnerabilities before they can be addressed by your security/telecom staff.
Q8. Has your organization evaluated the impact that new federal and state regulations (e.g.,Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley) have on your security plans and liabilities? The requirements of these and other regulations vary by organization and industry. Analysis may require outside legal and technical security support.
II. External Calling Threats & Cross Network Attacks
Q9. Does your PBX connect to any idle/unused trunks or spans? External callers or “phreakers” can scan or use idle/unused trunks to locate PBX weaknesses and perpetrate toll fraud or tamper with information and system operations.
Q10. Are the trunk/span maintenance features (software) turned off, disabled, or removed when in use? If not properly secured, maintenance software can be scanned and hacked by external callers or “phreakers.” The easiest and safest preventative measure is to disable or remove the software when it is not in use.
Q11. Can your PBX determine the type of incoming call (voice, fax, modem/data) at the PBX trunk port (demark between internal phone network and the PSTN)? The ability to detect and analyze call-type information for all inbound and outbound calls in real-time is essential to protecting the enterprise LAN and telephony systems from modem attacks and other forms of unauthorized traffic and malicious activity.
Q12. Can your PBX block an incoming call based on call type (voice, fax, modem/data), before the call reaches an internal device (phone, fax machine, PC, IVR, voice mail, or other system)? The ability to distinguish and enforce access and usage policies based upon call type is essential to eliminating certain categories telecom network threats, including modem attacks against the LAN over unsecured organizational phone lines. Telecom firewalls monitor and/or control all inbound and outbound calls, distinguish call type in real-time, and perform automated
enforcement of user-defined access and usage control policies.
Q13. If your PBX cannot distinguish call type (voice, fax, modem/data), has your organization deployed a telecom (PSTN) firewall capable of monitoring and controlling access into your internal phone network based on call type in front of your PBX? Telecom firewalls log all inbound and outbound calls, distinguish call type in real-time, and
perform automated enforcement of user-defined network access and usage control policies based on any call detail or characteristic, including source, destination, direction, time of call, duration–and most importantly, call type (voice, modem/Internet, fax, video, STU-III).
Q14. Can the Call Detail Recording (CDR) on your PBX or call accounting system provide realtime alerting of potential external (incoming) attacks or security problems? Although weekly/monthly post mortem reports are helpful for certain kinds of traffic pattern analysis, they do not alert on or stop external security breaches as they occur. Security alerts must be real-time or near real-time in order to provide an opportunity to prevent or minimize
damage from the breach and/or trace the attacker.
Q15. Does the CDR capture and store call-type information (voice, fax, modem, data) on all incoming calls?
Since many external security breaches occur as modem/data calls over phone lines, recorded call-type information is needed to perform proper forensic analysis. Call-type information is also required for a variety of security and service theft reports, such as long distance voice calls on fax lines.
Q16. Are your PBX maintenance ports secured to resist modem attacks? Has your organization installed telecom firewall software and features to block and report such attacks? External attackers frequently locate and call PBX maintenance ports to access the switch and perpetrate toll fraud, information theft, or system tampering. Telecom firewalls monitor and/or control all inbound and outbound calls, distinguish call type in real-time, and perform
automated enforcement of user-defined access and usage control policies based on call characteristics including direction, source, destination, call type, time of call, and duration.
Q17. Are other critical systems that utilize phone line ports for out-of-band maintenance and remote access secured to resist and report modem attacks? External modem callers can access and control a host of data network devices (e.g., routers, gateways, servers, and firewalls), and critical building systems (e.g., fire alarms, sprinkler
systems, elevators, HVAC units, valve controls, and power grids) through unsecured phone line port connections.
Q18. Beyond basic hardening of ports on your PBXs and other systems, does your organization use technology providing AAA Services (Authentication, Authorization & Accounting) for authorized access into remote phone line ports? AAA Services require PIN code-based authentication before access into the remote phone line port is authorized and allowed. Call details are recorded on authorized modem sessions, as well as unauthorized attempts to access the port, and are available for audit reporting.
Q19. Can your PBX perform real-time analysis (within minutes) on external (incoming) traffic patterns to detect, block, and alert on abnormal/unauthorized calling activities? Real-time call anomaly detection and prevention technologies alert and block a variety of hostile incoming calls, such as toll fraud, voice mail hacks, and war dialing (calls by a hacker’s] computer to a group of corporate phone numbers in an attempt to locate modem entry points into corporate devices and networks).
Q20. Are there LOGIN ID and passwords embedded in your PBX for use by vendors after a system crash? PBX vendors install access/bypass codes and procedures for their future use when troubleshooting a system. Your organization may not know about these codes, but hackers and phreakers often attempt to discover this information as a means to exploit a PBX.
III. Internal Threats, Attacks & Abuse
Q21. Does your PBX have any idle/unused line cards? Unused, installed line cards can be used to connect unauthorized devices on the corporate phone network.
Q22. Could your organization’s fax lines be used for unauthorized long distance voice calls? Many fax machines have phone receivers that can be used to complete voice calls. All fax machines have external phone line port connections. The fax machine’s external phone line is easily unplugged and reconnected to a telephone unit.
Q23. Could fax lines be used for unauthorized Internet access and data transmissions that bypass your corporate data firewall? The fax machine’s external phone lines can be attached to modems on PCs for unauthorized Internet connection/data transmission, or to open backdoors into the corporate data network when the PC is interconnected with the LAN. Insider-created backdoors are one of the leading sources of data network penetrations.
Q24. Are the line maintenance features (software) in your PBX turned off, disabled, or removed when not needed?
If not properly secured, maintenance software can be scanned and hacked. The easiest and safest preventative measure is to disable or remove the software when it is not in use.
Q25. Can employees move their laptops and connect to any phone line within your organization without notifying the telecom/PBX administrator? It is a common practice for employees to bypass the data firewall and obtain unmonitored
Internet access by connecting a laptop to the PBX.
Q26. Can your PBX or other telecom system send alerts and block unauthorized phone line access (e.g., Internet connections over phone lines) in real-time? Many organizations have written policies restricting unauthorized phone line access, such as modems on phone lines, but have no means to effectively monitor or prevent unauthorized access when it inevitably occurs.
Q27. When a previously unused line is accessed, does your PBX automatically support it with authorization by the telecom/PBX administrator? Plug and play techniques reduce labor costs, but they also expose your PBX to security
breaches. Authorization procedures should be implemented in your PBX.
Q28. Do your installed phone stations have any internal security features? Examples include sign-on features and phone locks.
Q29. Can the CDR be used to provide real-time alerts of potential internal security problems? Although PBXs provide call detail recording and often store CDR information in a local cache for historical reporting, few telecom systems provide real-time, enterprise-wide alerting on security events (e.g., unauthorized modem connections, unauthorized PBX access, and unauthorized transfer of data files over phone lines).
Q30. Does your PBX’s CDR distinguish and capture call-type information (voice, modem/data and fax) on internal calls? The ability to distinguish call type is necessary to identify and block many security threats, such as unauthorized modem/Internet connections and long distance voice calls on fax lines.
Q31. Does the CDR include the type of internal call (e.g., voice, modem/data, and fax), accessing an outside trunk?
The ability to distinguish call type is necessary to identify and block many security threats, such as unauthorized modem/Internet connections and long distance voice calls on fax lines.
Q32. Is internal traffic pattern analysis currently performed in real-time to discover abnormal calling patterns?
Few telecom systems correlate traffic to isolate abnormal calling patterns (e.g., DTMF attacks on the PBX or voice mail systems, toll fraud, external war dialing attacks against corporate phone stations) and provide real-time, enterprise-wide alerting on call anomalies in order to address the security problem as soon as it is discovered and limit the scope of the breach.
IV. Management Controls
Q33. Is there an established and maintained security configuration baseline? Development and maintenance of a standardized configuration baseline for your PBX is recommended for use as a comparison against future configurations to determine if unknown, unauthorized configuration changes have taken place. Base lining is also helpful with remediation in the event of unauthorized changes.
Q34. Is your PBX database upload and download software utility installed but inactive? In order to prevent tampering and theft, the utility should be deactivated and made available only with proper security authorization.
Q35. Is your PBX database examine and modify software utility installed but inactive? In order to prevent tampering and theft, the utility should be deactivated and made available only with proper security authorization.
Q36. Is your PBX software de-bugger and update utility installed but inactive? In order to prevent tampering and theft, the utility should be deactivated and made available only with proper security authorization.
Q37. Are the security software patches issued by your PBX vendor tested prior to installation and operation?
Untested security software can often introduce new security and operational issues. Your PBX vendor is the best source for information on updating your PBX with the latest security software.
Q38. Are the security software patches issued by your PBX vendor installed on your PBX within 3 days of issuance? Security software patches should be regularly updated with newly-released patches.
Q39. Are the security software patches issued by your PBX vendor verified to be successfully operational? Security patches should be operationally tested following installation.
Q40. Can your PBX automatically call, page, and/or email telecom managers to notify them of any potential security problems? Real-time alerts are valuable in notifying appropriate personnel of detected security breaches.
Q41. Does your PBX have undocumented maintenance features? Vendors and their support personnel develop tools and procedures, in addition to those addressed in the product manual, that help them perform troubleshooting and maintenance procedures. Your organization may not be aware of these features, but hackers and phreakers often attempt to discover them as a means to exploit a PBX.
Q42. When changes are made in the PBX configuration or phone privileges, does your PBX generate an un-alterable message describing the changes? This basic configuration management feature helps track the history of changes made to the system over time, and is invaluable in security forensics, investigations, and system remediation following unauthorized access and tampering.
Q43. Is the PBX configuration verified for correctness on a weekly basis against the work orders issued by the telecom department? Variances between actual and verified configurations can highlight unauthorized tampering and security risks.
Q44. Are read-only (CD-ROM) PBX configurations compared week-by-week to discover discrepancies? Comparing the configuration each week using a non-modifiable media shows discrepancies in the configuration, which may be a security problem or may indicate that procedures were not followed properly.
Q45. Is there a secure audit trail of alerts and alarms from your PBX? A secure (un-alterable) record of alerts and alarms can be used to discover the person and system causing the security breach.
Q46. Is there a secure audit trail of changes to your PBX and/or phone configurations? An un-alterable record of changes can be used to discover the person and system causing the security breach.
Q47. Are tamper-protection techniques used during PBX software loading and updates? Tamper-protection techniques help ensure that the PBX software is not altered as it is loaded.
Q48. Are the PBX access USERNAMES easily guessed (e.g., ADMIN, MAINT, SYSTEM, ROOT, etc.)? While convenient, these names are too obvious and very easy for unauthorized users to guess. The more unique and unrecognizable the name, the less chance the name will be guessed by an unauthorized user.
Q49. Are the USERNAMES and passwords changed frequently? User names and passwords should be periodically changed, even if there is no staff change. Although a PBX intruder may not be discovered, the USERNAME and password changes do help prevent an intrusion.
V. Physical Security
Q50. Is your PBX/switch room physically well-secured? There should be locks with pass codes and security access cards on the PBX/switch room doors.
Q51. Are your PBX maintenance consoles in a physically secure area? Physical access keys/cards should be required to access and use the console.
Q52. Is the recordable media (disks and tapes) used with your PBX stored in a physically secure area? Physical access keys/cards should be required to access and use the recordable media disks and tapes.
Q53. Is boot media (USB, disks, tapes) used to setup and start your PBX stored in a physically secure area? Physical access keys/cards should be required to access and use the boot media.
Q54. Are the physical configurations of your PBX and wiring closets verified for correctness every week? Physical checks can detect unauthorized access and tampering.
Q55. Is the PBX configuration periodically and securely stored on a read-only media (CD-ROM, encrypted disk)?
Secured configuration backups aid in base lining and remediation in the event of unauthorized changes.
Q56. Does your PBX keep a permanent read-only record of all commands and access attempts, along with operator identification information? This un-alterable record provides an audit trail for what appear to be authorized accesses to the PBX.
VI. Feature Liabilities
Q57. Are all phones given access to all available features without restriction? Access to telephony features should be authorized in order to prevent malicious use of end user devices.
Q58. Have you disabled call forwarding functions in your PBX that allow callers to access an external trunk? Call forwarding functions can be used to perpetrate toll fraud and theft of service.
Q59. Is the voice mail system’s call forwarding functions disabled? Voice mail call forwarding functions can be used to perpetrate toll fraud and theft of service.
Q60. Are call forwarding functions disabled for the Interactive Voice Response unit (IVR)? IVR call forwarding functions can be used to perpetrate toll fraud and theft of service.
Q61. Are toll calling restrictions implemented for your phone and fax lines? Without supervision of phone and fax lines by a telecom security solution possessing call-type detection capability (to distinguish between voice, fax, and modem calls), it is almost impossible to prevent toll service theft on fax lines. Telecom firewalls with call-type detection can block unauthorized long distance voice calls on fax lines.
Q62. Are toll restrictions and privileges updated when there is a status change to the phone? Updates should be performed whenever there is a change with employees and contractors, even if they remain with the organization, to ensure that the security level is still appropriate.
Q63. Does your organization modify the voice system’s feature sets on a daily basis? A less frequent modification schedule can be more tightly controlled.
Q64. Can the conference call MUTE feature be used without the knowledge of other call participants? Undetectable muting allows others to eavesdrop on calls without notification.
VII. General Administrative Issues
Q65. Is the stored CDR verified for accuracy? The CDR should be tested against a well-controlled and documented calling environment.
Q66. Does your organization receive an electronic, itemized, monthly bill from your carrier(s)? Electronic billing information is required for automated network usage and access audits.
Q67. Is the CDR automatically compared with the carrier bill each month? Differences between the carrier bill and the CDR can highlight security problems that were missed by your organization’s security personnel or your PBX (e.g., toll fraud or unauthorized network access). Billing information should also be used to compare charges to actual usage for error identification and rectification.
Q68. Does the CDR provide records of calls over the tie lines to other PBXs? Visibility into internal tie-line usage can often reveal abuse and security issues.
Q69. If there are tie lines between your PBXs, are the CDRs of the PBXs compared to each other to determine if both PBXs report the same tie line calls? The CDR should report both internal and external activity, for complete visibility into telecom security events.
Q70. Is the CDR used to flag abuse, misuse, and negligence? Even if there is no real-time alert, can the CDRs be used off line to discover abuse, misuse, or negligence? The CDR should have a correlation capability to compare results.
Q71. Are the CDR records verified by your internal departments (user mangers) that use your PBX access lines? Verification can be facilitated by posting the department bills on a web site for access by the department managers. If a manger does not look at the bills, this may indicate unrecognized security problems.
VIII. General Staffing Issues
Q72. Are the operational duties confined to the fewest possible number of staff members? The fewer individuals dealing with security, the better the security management, and control.
Q73. Is access to authentication and password codes limited to just the telecom staff? Widely-known codes increase the chance of an unauthorized individual obtaining and changing the codes and gaining what will appear to be authorized access.
Q74. Does the security department staff have physical access to your PBX for security purposes? The security department can be an additional source for verifying the security of your PBX and network.
Q75. Is the authentication code greater than ten characters and a unique and unfamiliar code? The more unusual and unrecognizable the code, the less chance it can be guessed.
Q76. Is the password at least ten characters long and a unique and unfamiliar code? The more unique and unrecognizable the password, the less chance it can be guessed.
Q77. Is the password LOGIN time out less than five to ten minutes? When a user signs on and is idle or unattended for a period of time, their access should be terminated. The user would then have to LOGIN again after the time out has expired.
Q78. Does your organization change authentication and password codes for the phone when an employee changes positions or leaves the company? Disgruntled/ terminated employees can utilize their old passwords and codes for unauthorized system access.
VoIP Security Issues
Unfortunately, as organizations migrate to VoIP, their voice security threats dramatically increase. Once you begin moving voice services onto your corporate data network, your legacy/TDM switches and phones become IP devices (i.e., networked computers), which are vulnerable to all of the Internet hacker and virus threats that currently threaten your corporate data networks.
With a VoIP network, your corporate phone system is vulnerable to Denial of Service (DoS) attacks, hacker penetrations through the Internet, computer viruses, worms, malware, virtual eavesdropping, and digital toll fraud.
Any organization attempting to secure their VoIP infrastructure and communications should begin by applying IP security “best practices” to their existing data network that will carry the new IP voice traffic. Additionally, organizations should be able to address the following security questions in Sections VIII and IX below. Again, these questions are by no means exhaustive, but can serve as a launching point to begin to characterize and address the many security issues introduced through a VoIP deployment.
IX. VoIP Internal Issues (Campus VoIP)
Q79. Is your IP PBX connected through gateways to the legacy phones within your organization? A legacy phone connected through a single port gateway could be used to connect a modem device and gain unauthorized access to the network.
Q80. Have measures been taken to protect the vital resources of your VoIP network through the addition of either an overlay security system (i.e., firewalls, IDS, IPS), security software embedded in the OS or application? Vital resources include Call Servers, Gatekeepers, Media Gateways, IP Handsets, and Single Port IP gateways supporting legacy phones.
Q81. Are the security software patches issued by your Call Server, Gateway, IP Phone, Softphone, and Web phone vendors installed within 3 days of issuance? A network is a chain, and only as strong as its weakest link. The number one line of defense against application- and OS-level vulnerabilities is provided by your system vendor. It is important to keep all system components up to date with the latest security software patches, as well as your network routing and switching hardware.
Q82. Is the signaling (H.323, SIP, or proprietary), encrypted between the Call Server or Gatekeeper and the Handsets, Softphones, or Webphones? Encrypting the signaling prevents a hacker from intercepting the setup of the message and redirecting the media streams, or tricking the endpoints into performing unauthorized activity. On the other hand, signaling encryption adds overhead and eliminates some of the flexibility in routing calls. Signaling encryption should be used after careful evaluation of all impacts and benefits.
Q83. Is the signaling (H.323, SIP, or proprietary), encrypted between the Call Server or Gatekeeper and the Media Gateways? Encrypting the signaling prevents a hacker from intercepting the setup of the message and redirecting the media streams, or tricking the endpoints into performing unauthorized activity. On the other hand, signaling encryption adds overhead and eliminates some of the flexibility in routing calls. Signaling encryption should be used after careful evaluation of all impacts and benefits.
Q84. Is the voice/speech transmission encrypted? Encrypted media streams prevent unauthorized interpretation of intercepted calls, but adds latency due to the time needed to encrypt and decrypt each packet at each end.
Q85. Can any PC be modified to act as your VoIP console? The IP address is software and can be programmed into any PC. The LAN Network Interface Card (NIC) with the MAC address can be moved, so another PC can be identified as the VoIP console. This makes it easier to gain unauthorized access and control of the IP PBX. Therefore, multiple layers of authentication should be used for critical or cost-impacting services, such as international dialing.
Q86. Is your IP PBX on a separate VLAN or separate LAN switch? This separation provides the equivalent of two LANs with no physical connection between them. If a connection between the VLAN or separate LANs is necessary, a firewall should be installed between them for security protection.
Q87. Are your data PCs and Application Servers on the same network as your IP PBX? Your data PCs and Application Servers can be used to emulate/spoof your authorized VoIP devices into thinking they are authorized devices as well. Data PCs and Application Servers can behave like phones, Gateways, and Call Servers. At the very least, VLAN support should be used to separate your VoIP network from your data network.
Q88. Can the IP PBX devices operate peer-to-peer within the organization, avoiding the Call Server/Gatekeeper? The original VoIP software such as NetMeeting, and virtually all of the free VoIP software, operated without a Call Server. Calls can be setup over an IP network from PC to PC without security and monitoring devices observing that a call is in progress. This peer-to-peer operation can be performed with H.323 and SIP signaling. Calls that operate peer-to-peer have the ability to circumvent many of the security and monitoring mechanisms that may be in place.
Q89. Can your VoIP devices deal with a Denial of Service (DoS) attack? In other words, are your VoIP devices configured to not respond to PING or ICMP messages? PING and ICMP message types can be used to flood a server or endpoint with requests, thereby] clogging the interface and preventing it from processing the application it is intended to service.
Q90. Can your VoIP devices alert on and report a DoS attack? It is important for your endpoints to be capable of\ recognizing when they are being attacked, then categorizing and reporting the attack.
Q91. Is your VoIP network on a backup power system? It is important to know how well your phone system would survive a power outage. Your handsets should be powered using PoE (Power over Ethernet) technology backed by the same
Q92. How secure is your VoIP wiring closet? Are unused ports on your hubs deactivated? Unused ports on your hubs should be deactivated until they are needed. Active and available ports could be used to provide access to the VoIP
network for unauthorized usage.
Q93. Do you have the ability to perform Call Admission Control between your high bandwidth and low bandwidth network links, in order to prevent usage and DoS attacks from overloading the network? DoS attacks are launched against network links and network switching hardware just as effectively as they are against servers and server software.
X. VoIP External Threats
Q94. Is your IP PBX connected to legacy trunking (i.e., T1, E1, PRI, analog) through Gateways? If you have legacy trunks connecting to your network, either to a media gateway or as single channel analog to faxes and modems, your phone system may be vulnerable.
Q95. Is there security hardware and/or software in your VoIP media gateway? Does your gateway have the ability to detect, prevent, or monitor for security-related issues and threats? If not, do you have an overlay security system to perform these functions? Real-time media or telecom firewalls are available to add application layer security to critical voice services.
Q96. Is your IP PBX LAN connected to SIP trunking, to other IP PBXs, and/or teleworkers? If you use an IP network to connect multiple IP PBX’s or allow remote workers access to the network via the Internet, a security vulnerability may exist.
Q97. Is your SIP trunking over the Internet? Most hacker attacks originate from the public Internet.
Q98. Is your SIP trunking over a private intranet? Verify that there are no unknown access points into your private IP network.
Q99. Is your SIP trunking over IP Centrex or a secure managed IP service? A carrier may promise you a secure environment through layer 2 and layer 3 protection and encryption mechanisms, but an enterprise should not accept communications from an untrusted carrier network without an enterprise edge firewall device that monitors this
inbound traffic and checks it against corporate security policies. Q100. Is there security software in the routers used for your SIP trunking? Routing tables can be changed, routes blocked, traffic misdirected, and routers can be crashed. A router that is optimized for VoIP traffic should at least lie on a self-healing network.
Preferably, it would also have the ability to protect itself against external attacks.
Q101. Is there a data firewall between your IP PBX LAN configuration and your SIP trunks? If you connect your LAN to a carrier’s IP network, you are vulnerable to network-based attacks unless a firewall is present to prevent unauthorized access.
Q102. Is your firewall designed to process voice signaling (e.g., H.323, SIP, MGCP, or proprietary SCCP)?
Your firewall should perform deep packet inspection at OSI application layers 5-7. This is where most application-level attacks occur against the application network delivering voice services.
Q103. Is your firewall designed to pass the signaling through without inspection? Traditional data firewalls that are not optimized for VoIP will ignore the signaling messages and pass them on without inspection. This creates vulnerabilities for DoS attacks and entry of malicious packets.
Q104. Is your firewall designed to pass the voice call, or will it block a VoIP call? Firewalls without the ability to detect a VoIP setup request do not have the ability to pass the call and will block it. At the very least, a traditional data firewall should have the ability to detect a voice call and pass it to a voice security device to perform VoIP application-specific security checks (e.g., Application Layer Gateways and Session Border Controllers).
Q105. Is a Virtual Private Network (VPN) used to carry voice signaling and encrypted voice traffic through your firewall? Encrypted calls carried over a VPN are more favorable to traversing a firewall than transmitting
in the clear using UDP transport and relying on the firewall to verify the contents of each packet.
Q106. Does your firewall act as a voice-signaling proxy? Or, alternatively, can your traditional data firewall pass VoIP traffic to a secondary voice security device (ALG) capable of acting as a security proxy?
In these instances, an outside caller contacts the firewall, and then the firewall communicates with the internal receiver of the call, with the proxy firewall acting like a receptionist for the incoming call. This protects the internal network and can support VPNs and encryption.
Q107. Does your firewall dynamically open and close the UDP voice ports for each call based upon inspection of detected call signaling requests? VoIP requires two UDP ports to be opened before a call (speech) can pass the thorough the firewall. If a firewall cannot dynamically open the UDP ports per call, then the UDP ports must be left open continuously, which obviously creates a severe security problem.
Q108. Is there an Intrusion Detection System (IDS) in place to monitor the traffic going to and from the IP trunks and/or the traffic going to and from remote teleworkers using VoIP? This IDS device is different from the data network IDS in that it must be capable of detecting application specific (i.e., VoIP) intrusions and taking appropriate actions.
Q109. Can your IDS/IPS monitor traffic and enforce VoIP-specific policies (network access, usage, and class of service restrictions)? Unlike the data network IDS, this device must be capable of detecting application-specific (i.e., VoIP) intrusions and taking appropriate actions. A policy is a rule that defines who and what traffic is allowed to pass through the firewall. If the IDS cannot audit the firewall policies, then it cannot provide alarms when there are voice intrusions. The IDS may also issue false positive alarms for valid VoIP traffic. Too many false positives may discourage the use of the IDS and it will be ignored. Therefore, the IDS must be optimized for the signaling protocol in use (i.e., H.323 or SIP).
Q110. Is there an Intrusion Prevention System (IPS) behind your firewall? Your firewall may not block all intrusions. A second device, the IPS, in tandem with your firewall, adds an extra level of intrusion blocking. The IPS must have the same application awareness and protocol intelligence built-in as the previously-discussed IDS, in order to perform effectively at the application level.
Q111. Can your IPS enforce VoIP policies? To work effectively, the IPS must be able to support VoIP policies and process VoIP signaling and voice traffic. It must have the ability to prevent access, as well as tear down calls in
progress, using appropriate protocol signal messaging when policy dictates.
Q112. Are there any RAS dial-in lines to your VoIP servers? RAS dial-in lines should employ one-time-use passwords. Unsecured maintenance ports can be used to provide access to a network or component.
Q113. Do you utilize Telnet in your network? Telnet has proven to be a highly vulnerable access technology, so its usage should be minimized as much as possible.
Q114. Does your network employ geographic redundancy in the core network? This prevents a physical attack against a primary core network from bringing down the network, and allows a geographically-separate backup core network of servers to take control of the vital network functions.
Q115. Does the IP PBX connect directly to SIP trunks? The IP PBX cannot fully protect itself from SIP trunk initialed attacks. It is highly recommended that a Session Border Controller (SBC) be placed between the IP PBX and the SIP trunk. Although there is an SBC at the provider premises, it is there for protecting the provider, not
Q116. Is there a Session Border Controller connecting the IP PBX to SIP trunks service? Although a firewall can help protect the IP PBX, a SBC does a far better job of protection by analyzing the SIP signaling which is not done by a firewall.
Q117. Does the SBC use telephone number lists to block unwanted numbers to prevent toll fraud and premium rate/vanity number use? It is difficult for the enterprise to keep track of phone numbers used for toll fraud and
premium/vanity calls. An external service that constantly updates the phone number list is necessary. There are more than 50,000 premium numbers presently in use with the list expanding every day.
Q118. Can the SBC block calls before the connection is completed? This capability can stop the toll fraud and premium calls from being completed.
Q119. Can the SBC produce analytics beyond the CDR to monitor and prevent calls using SIP signaling messages? The best method for preventing the toll fraud and premium calls is to analyze the SIP call signaling before the call is completed and informing the SBC to block the call.