Live Show Report IP Telephony Security
Scott Bradner I'm presently sitting in a session at the Next Generation Networks Conference in Boston entitled "IP Telephony Security: Threat and Countermeasures." Moderated by Scott Bradner, university security officer for Harvard University (pictured at left, Scott is a...
November 3, 2004
I'm presently sitting in a session at the Next Generation Networks Conference in Boston entitled "IP Telephony Security: Threat and Countermeasures." Moderated by Scott Bradner, university security officer for Harvard University (pictured at left, Scott is a proud Macintosh user, interestingly enough), this panel session hopes to answer the following questions:
Is it possible for an enterprise VoIP system to be as secure as a traditional PBX system?
What's the best way to balance the need of VoIP services with the needs of law enforcement (wiretapping)?
Is it feasible to apply existing telephone industry best practices to VoIP service?
What regulatory and standards efforts are under way to support E911?
The panelists are:
Ashley Johnston, director of marketing for VoIP at Texas Instruments
Dr. Ramesh Lakshmi-Ratan, president of VocalTec
Bruce Robertson, senior manager, Network Design, CTO's Office at Nortel Networks
What follows are my notes from this session. I hope you find them helpful.
--
For Ashley Johnston, director of marketing for VoIP at Texas Instruments, there are four security goals for VoIP:
privacy
integrity
authentication
non-repudiation
The basic system in place now needs to secure both signaling and voice media. And all equipment may be wired or wireless. It's structured like so:
Telephony interface (circuits) --> DSP (voice/media sec) --> Micro (signal security) --> IP network --> Micro --> DSP --> land or mobile phone.
Thinking about key exchanges, when you type in a password, you'd like it to be easy. But if you do that for every system, you expose yourself quite a bit. On the other end of the scale, you use a very difficult password from IT, which you write somewhere so you won't forget it. In either case, you're in trouble. So we need a key exchange that makes sense for the application we're using. There are a few options available here:
Symmetric Keys
Public Keys
Hybrid Keys
Diffie-Helman (DH)
And for encryption, there are three types available:
DES/3DES
AES (Rinjndael)
Rivest Cipher (RC4)
For wireless LAN security for VoIP, the industry has evolved from WEP to WPA and now to 802.11i (the holy grail) and 802.1x.
Interesting note: Regardless of how you secure VoIP, performance is the biggest factor. Algorithms like AES takes 50 ms, Key generation takes 500 ms. An IPSec exchange takes one to five seconds on each end.
--
Dr. Ramesh Lakshmi-Ratan, president of VocalTec, did not want to talk about technologies and how-tos. Instead, he shared with us his "musings and personal insights of a well-worn engineer who's been trying to do this for a long time."
VoIP started at the core of what we call class-4 networks. It was just a means of transport between trusted endpoints (between telephony gateways). As VoIP migrates to the edge, you can now do amazing things like eight-way conferencing. But you can also do dangerous things from a business point of view because of a number of challenges:
security
routing
QoS
interoperability
billing
management
spam
Here's how security maps out for him:
Network security: firewalls, NAT, PAT, VPN
Call security: authentication and authorization, SIP
Transport: IPSec
Device security: hardening, access control
Customer security: billing and customer care, securing user details
Lawful interception
On VoIP moving to the edge: It's currently based upon the Internet model where we'll have very capable, smart pieces of equipment at the edge and dumb equipment in the middle (utility), providing core services (connectivity, discovery, etc.) just like the Internet. The benefits are many, but there are problems with this architecture:
Unsolicited, unwanted communications
DoS attacks
Spam viruses
Protocol variants
IP address handling
Instead, we should look to service providers, which can create what we call a walled garden approach, similar to the old CompuServe/AOL networks, where you look to your direct provider for protections. ATT just announced, for example, a managed network that makes the Internet a security appliance for you. The same could be applied to VoIP services.
The bottom line is that the world is not just a network. It never will be again and never was, really. Now the difference is that it's not just a net of physical networks; rather, it's a set of relationships (maybe some of them are embodied in packets and servers that register clients) where business models are shifting from physical networks to virtual collections and relationships, from hardware to software.
--
Bruce Robertson, senior manager, Network Design, CTO's Office at Nortel Networks, discussed things much more from a solution level for an enterprise-level network. Hey that's us!
Nortel has developed four levels of security, which it can tailor to a specific target market.
Minimum: for small enterprises where level of trust exists totally within the infrastructure
Basic: for small to medium, multi-site enterprises where the level of trust is in the infrastructure and in the MAN/WAN provider
Enhanced: for large enterprises where the level of trust is within the infrastructure but not within the MAN/WAN provider. Traffic must be encrypted. This service features the Secure Voice Zone (a completely new feature for Nortel), protecting voice servers
At this point, Bruce introduced something extremely unreadable and possibly untranslatable.
The Secure Voice Zone (SVZ) technology employs a stateful firewall and uses application level gateways for H.323 and SIP traffic. Nortel will employ this SVZ at two locations, between two end points (at the service provider level).
You May Also Like