Security | Feature

Securing Voice over IP

Sure, voice over IP can save your schools money; but don't neglect the security aspects in your rush to get it running.

• By Dian Schaffhauser
• 06/20/12

Frequently, the moment a school district has finished installing high-speed broadband and completed its network upgrade, the next area of attention a lot of IT organizations consider is voice over IP. After all, schools spend small fortunes every year maintaining legacy telecommunications infrastructure, and those that pursue E-Rate funding can add VoIP to the mix fairly easily. The benefits are many. By consolidating voice and data communications, schools can also consolidate their maintenance efforts under IT, reduce phone charges dramatically, and add functionality such as "follow me" or emailed voice messages to enable more efficient communications among teachers, staff, and parents.

What some schools don't realize, however, is that VoIP adds new security risks to the network that don't always get the same attention as other areas, such as anti-virus, firewalls, or network access.

According to security expert Paul Henry, just having a VoIP server within the data center makes the district a much more valuable target for hackers. Henry is a long-time instructor for SANS, a research and education organization that conducts security training and certifies IT professionals in security topics.

What are hackers looking for? One thing they're looking to steal is VoIP minutes. As Henry explained, hackers will break into the SIP server that hosts the VoIP system, sell discounted minutes to their clients worldwide, and then place those calls through the compromised server. SIP, or Session Initiation Protocol, is the text-based protocol that controls the communication sessions over the Internet. The SIP server is the primary vehicle for running VoIP.

Henry pointed to the case of Edwin Pena, who pleaded guilty in 2010 to federal charges of computer hacking and wire fraud. According to the FBI, Pena sold discounted service plans to multiple customers, but would route those calls through the computer networks of unsuspecting VoIP service providers. In less than a year, he stole $1.4 million in calling minutes.

We rarely hear about those cases, Henry added. The organizations involved "don't report it because they don't want to look stupid."

The Bigger Potential Problem for Schools
When Henry is called in to consult during security events, one of the first actions he does is to perform a penetration test to see if he can record the organization's internal phone calls and play them back for the client. It's not hard, he said. All it takes is the use of a basic network sniffer, such as the open source packet analyzer, Wireshark, which can record the call and save it as a playable WAV file. "They're sharing the same wire with their network communications as they are with their VoIP calls. It's trivial to access that wire. Once I [do that], I can very easily record their phone calls."

If somebody can access phone calls that haven't been encrypted and a student's personal details are being discussed in those calls, the district could be in violation of the Family Educational Rights and Privacy Act (FERPA) Act. For a district dealing with health records, it could result in a Health Insurance Portability and Accountability Act (HIPAA) compliance violation. Schools that process credit cards over the phone could be committing a Payment Card Industry (PCI) violation. In other words, in a VoIP scenario, data breaches include voice data too.

The break-in can occur at multiple points--through the SIP server; via a "soft client," the software program on a computer that lets the user make and receive phone calls; and even through the VoIP phone devices. "Anything that's got software in it is potentially vulnerable," Henry said.

Just as alarming, he added, when someone compromises a single PC within the network, he or she can potentially use that to navigate to other parts of the environment.

Common Security Blunders
Henry said he consistently sees network administrators make some common mistakes when they set up VoIP systems: "They're not using strong passwords. They're not using signed digital certificates. They're not using encryption."

The first activity he advises clients to perform is a complete penetration test "to understand where your weaknesses lie." From there, he recommends some typical steps for remediation.

• Change out weak passwords, perhaps the most frequent source of vulnerabilities.
• Properly segment the network using VLAN technology. By using a virtual LAN, the organization can share the data connection but run two communication streams, one for data and the other for voice. "If a hacker's able to compromise the data connection, he would not be able to see your VoIP traffic," Henry explained. "Even though you're running on the same wire, [the hacker] would be connected literally to a lane outside of your VoIP communications."
• Enable encryption wherever possible. Most VoIP phones today fully support encryption, Henry said. So the voice packets are encrypted as they go over the wire, and then unencrypted on the other end.
• Harden the actual server that's running the VoIP application.

If the district is working with a third-party to implement the VoIP system, Henry recommends listening closely to the vendors under evaluation. "If the vendor's primary push is how they're going to save you money, usually security comes up last. It's an afterthought. In any environment today security has to be your first consideration. You want a vendor that's going to talk about the security issues first."

Because Henry performs incident response and forensics work, he prefers to keep the projects he's been involved with under non-disclosure. Although none of those has involved schools, necessarily, there have been universities that have had break-ins involving the VoIP network. But unless the break-in exposed personal data about students or staff, "It's not a regulatory requirement to report when you've been breached via VoIP," he noted.

The bottom line is that while districts can enjoy a significant savings operating VoIP, Henry observed, "You have to consider the additional risk it exposes you to. Just by having VoIP within your environment, you're a much more attractive target to the bad guys."

Henry will be teaching the six-day SANS course, VoIP Security, at SANSFIRE 2012 in Washington, D.C. starting on July 6 and at Network Security 2012 in Las Vegas starting on September 16.