To the uninitiated, IP Telephony (IPT) technologies seem accompanied by easily exploitable vulnerabilities and the threat of crippling attacks. The truth is that while IPT presents a new nature of potential security risks, enterprises have the tools available today to effectively address the majority of these. IPT security preparations should begin with network access control.
Controlling Network Access
Enterprises need to strictly control and restrict network access to approved devices. While external network attacks represent a real risk, the most convenient way for a malicious or unwitting user to circumvent security is through a direct wired or wireless connection to the corporate IP network.
Securing an enterprise IPT deployment begins with securing the enterprise IP network. This means centrally authenticating all wired and wireless devices connecting to the enterprise LAN and Wireless LAN (WLAN) before permitting network access.
The most cost-effective way for small and mid-sized enterprises (SMEs) to control network access is through port-based network access control using IEEE 802.1X. The IEEE 802.1X protocol, supported by a majority of network switches, wireless access points and IP phones, as well as Windows 2000, XP and Vista, provides a robust LAN authentication mechanism. Client devices connecting to the LAN are authenticated against a central RADIUS server, and network access and/or VLAN assignment is determined according to predefined settings.
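The VLAN assignment step described above is carried by three RADIUS attributes (RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, with the VLAN values defined in RFC 3580) in the server's Access-Accept. The following added example, not part of the original note, encodes them from a constructed identity-to-VLAN policy and then parses them the way a switch would, returning no VLAN when the attribute set is incomplete; the VLAN numbers and device names are hypothetical.

```python
# Attribute numbers from RFC 2868; VLAN-specific values from RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type "IEEE 802"

# Constructed policy: authenticated identity -> VLAN ID (hypothetical values);
# phones get their own voice VLAN, separate from the workstation data VLAN
VLAN_POLICY = {"phone": 20, "workstation": 10}

def vlan_attributes(vlan_id, tag=1):
    """Encode the Access-Accept attributes that place a port on vlan_id."""
    def tagged_int(attr_type, value):
        # The tag octet takes the high octet of the 4-octet integer,
        # leaving 3 octets for the value (RFC 2868 section 3)
        body = bytes([tag]) + value.to_bytes(3, "big")
        return bytes([attr_type, 2 + len(body)]) + body
    group = bytes([tag]) + str(vlan_id).encode()
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)

def parse_attributes(data):
    """Walk RADIUS TLVs; the length octet covers the 2-octet header."""
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def assigned_vlan(data):
    """Switch-side view: VLAN ID from an Access-Accept, or None when the
    three attributes are missing or inconsistent (no dynamic assignment)."""
    fields = {}
    for t, v in parse_attributes(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            fields[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet above 0x1F is not a tag but part of the string
            fields[t] = v[1:] if v[0] <= 0x1F else v
    if (fields.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or fields.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None
    group = fields.get(TUNNEL_PRIVATE_GROUP_ID)
    return int(group) if group and group.isdigit() else None

if __name__ == "__main__":
    for role, vlan in VLAN_POLICY.items():
        print(role, "->", assigned_vlan(vlan_attributes(vlan)))
```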
Securing Your IP Telephony Deployment
This research note is the first in a series examining security measures enterprises must take when deploying IP telephony. Upcoming research notes in this series cover:
- Securing call signaling and call control.
- Encrypting voice streams.
Controlling network access, either through 802.1X or more complex, compliance-based network access control solutions such as Cisco's NAC Appliance, is integral to the prevention of VoIP man-in-the-middle, denial-of-service, and eavesdropping attacks. As a result, it is a fundamental step towards implementing a comprehensive, layered VoIP security scheme.
Figure 1 shows the placement of network access control technologies such as 802.1X in the industry-standard Open Systems Interconnection (OSI) Reference model with respect to other VoIP security mechanisms. 802.1X resides at the Data Link layer, where Ethernet and the 802.11-based wireless protocols operate. Comparatively, Secure Real-time Transport Protocol (SRTP), used for voice stream encryption, operates at higher layers of the Reference model.
Figure 1. VoIP Security in the OSI Model
Source: Info-Tech Research Group

Recommendations
- Control network access with 802.1X. Network access control is a primary measure in securing the enterprise network and a future IPT deployment from internal attacks. While 802.1X implementation is strongly recommended, at an absolute minimum, IP phones should operate on a separate VLAN from other network devices to simplify performance and security administration efforts.
- Implement 802.11i to fortify wireless security. The IEEE 802.11i protocol is essentially an extension to 802.1X with enhanced encryption and performance optimizations for wireless devices, utilizing a shared RADIUS server. For further details on implementing 802.11i, refer to the Info-Tech Advisor research note, "Implement 802.11 to Ensure WLAN Security."
- Lock down client devices. Don't overlook the security of client devices, including workstations, IP phones, and mobile devices. Consult vendor bulletins and security resources, such as the National Vulnerability Database, for information on known hardware and software vulnerabilities and apply the latest software and firmware updates. As an example, while IP phones may be secured and operating on their own VLAN, an unaddressed vulnerability in a PC softphone application could pose a separate threat.
Bottom Line
Security planning and preparation for an enterprise IP telephony deployment can be overwhelming, and potentially very costly. Focus initial security efforts on controlling network access to get the most bang for the buck.