
Voice Network Security

How important is security to enterprise technology management? In a recent survey by Gartner, enhanced security is at the top of the CIO agenda in 2005[1]. With voice platforms now integrated into the corporate network, and voice applications entrenched in everyday business operations, the burden of safeguarding voice systems now lies within the IT domain.

Rapid changes in telecommunications networks have created significant concerns for fraud detection and prevention, system abuse, unauthorized access, and content privacy. Voice systems, which encompass traditional PBXs, VoIP and multi-media servers, voice messaging and unified messaging platforms, and voice gateways, have evolved from closed and standalone to open and integrated in corporate networks. The evolution and increased complexity of these systems, combined with the migration to IP, has direct implications for security management.

How real is the threat?

Security experts agree that voice systems are open and vulnerable to security breaches. They have even stated that companies focus less on securing voice-messaging platforms than on other network components, leaving them vulnerable to attacks. In fact, the threat is often underestimated.

Corporate executives at Hewlett Packard learned a painful lesson in voice security in March 2002. A voice mail from then-CEO Carly Fiorina to the company CFO, containing sensitive information about the HP/Compaq merger, was intercepted and sent to a newspaper. Security experts have narrowed down the cause of the breach to either a successful crack of the CFO’s mailbox password or to grabbing a file from the voice-messaging server.

The Internet has only served to exacerbate security vulnerabilities. An Internet search using the keywords “security” and “voice mail” will produce over a dozen links to organizations with published directions on accessing their internal systems. In fact, telephone access numbers and even default passwords are posted to the public domain. With little effort, an individual can identify the corporate numbering plan and systematically go through a mailbox range to find an un-initialized mailbox, and then use the default password to gain access.

Administrators of telephone systems have always had to deal with fraudulent calling activity, commonly known as toll fraud. Whether from internal users who may abuse call privileges, or from external hackers who gain access from remote ports, software tools are used to pinpoint unusual and suspicious calling patterns.

Next generation communications systems, such as VoIP and multi-media servers, require the deployment of additional hardware devices, protocols, and applications, which increase the complexity and the number of access points requiring management. Further, the transmission of voice packets over corporate networks and the Internet introduces a new issue—content privacy. With voice systems on global networks, security threats now come from anywhere.

The costs of security breaches

Translating security breaches into real dollar costs is a difficult undertaking. Certainly, toll fraud costs can be quantified, since they can be identified from bills from long distance vendors. Security costs arising from compromised systems or outages are difficult to quantify, but generally equate to significant costs in terms of personnel time, employee productivity, and financial revenue losses. Costs arising from lost or stolen company information are also a factor to consider. For example, an employee that has left a financial services company can still access a voice mailbox and receive broadcast messages that are sent to a distribution list. Or a sensitive voice message that is transmitted across a network can be decoded and compromised. The costs to remedy and close security breaches usually exceed the cost of securing systems at implementation.

Points of entry

The voice network is no longer a set of separate, disparate systems housed in switch rooms. The enterprise voice network consists of a common network infrastructure, with multiple access points for end users, administrators, and applications software. Many of these access points bypass the corporate firewall entirely.

PBX Trunks

Switch toll fraud and abuse arises from external hackers who try to enter vulnerable access points such as PBX trunks and stations. For example, a hacker dials into a PBX and randomly tests trunk access codes to seize an outgoing trunk using touch pad signals. Once the trunk is seized, telephone calls can be made to any long distance number.

Direct Inward System Access (DISA) ports

These are physical ports on PBXs intended for remote access by authorized employees, such as sales personnel, who dial in with an authorization code. Without an internal process for removing codes once employees have left the company, access remains wide open. In addition, regular audits of remote ports are needed to ensure that external hackers are not trying to guess access codes.


Open Voice Mailboxes

Open voice mailboxes of former employees are a particular area of concern. It’s impossible for telecommunications personnel to keep up with employee terminations and layoffs, and consequently, voice mailboxes remain activated. Without consistent coordination between HR and IT, mailboxes and stations will remain available.

Another access point of messaging servers is un-initialized and abandoned mailboxes. It is easy to crack one of these mailboxes, since organizations set an obvious or easy initial password for new employees. Furthermore, there is usually a time lapse before an employee actually initializes the mailbox to change the default password.

Remote Access Ports

Voice servers utilize remote access ports for administration and maintenance. Many systems still use modems for access. These systems come configured with a standard set of logins, and rely upon the customer to change the default passwords. Often there are special maintenance accounts that customers rarely use and whose passwords they never change. Logins and passwords are published in the documentation, which is usually available on the web site of the hardware vendor.

The Internal Network

The corporate network provides access to voice systems via telnet for operations personnel. Voice systems that are IP-enabled but not segmented into separate and secure domains are vulnerable to attack from anyone on the network. In fact, IT administrators at colleges and universities frequently mention how students try to break into these systems and even succeed.

Packet-sniffing software is widely and easily available, and enables anyone to capture and view IP packet header and content information. For system access control, legacy systems are vulnerable, since they do not utilize server-side encryption for administration access, so logins and passwords can easily be captured from packets.

VoIP systems create issues of privacy as well as security. Voice terminals are identified by an IP address, which is contained in packet headers. From the network, these packet headers can be opened and read. In addition, message content can be redirected and saved to computers and then decoded. Protocols and compression algorithms are common standards, and encryption techniques can be easily broken with available tools. Concerns over privacy are more prevalent when VoIP packets are sent over the Internet.

Viruses and Other Attacks

The deployment of voice applications on Windows platforms has reduced system acquisition costs, but has added the burden of securing systems from viruses and related attacks. Firewalls, anti-virus systems, VPNs, and intrusion detection systems must be used to secure these components. Service impacts can arise from disabling and reassigning ports, re-routing traffic, or tampering with message queues. Installing patches and updates, however, impacts service on operations that require high availability.

New technology doesn’t mean more secure

New VoIP technology has not translated into more secure systems; this technology has actually compounded security problems. Traditional PBXs and messaging systems were often based on proprietary operating systems with limited access points, such as a console in a switch room and remote maintenance ports accessed by modems. Information about these systems was not widely available.

The migration to industry operating systems such as Windows NT opens the door to denial of service attacks, viruses and other security issues. Messaging platforms and administration tools that use web servers such as Microsoft IIS are often the target of attacks. VoIP systems add additional areas of complexity, such as voice gateways, VPNs and other devices that, in turn, increase the number of systems requiring monitoring.

There are several protocol standards that address security in VoIP networks. Two of these, Layer 2 tunneling (L2TP) and IPSec, concentrate on VPN security. For VoIP traffic, IPSec provides authentication and content security for packets. Network segments with IP-enabled PBX and messaging servers should be isolated from networks that could host packet-sniffing agents. Login/password information, routing protocols and other configuration information should be restricted from network segments where sniffing is possible. VoIP hardware vendors actually recommend the separation of voice and data traffic, and have provided extensive educational resources on configuration of VoIP networks. VoIP servers use packet encryption between network points to protect message content during transmission. Authentication is a separate component that verifies that traffic reaches only its intended recipient.

Managing Voice Network Security

The first step towards securing voice networks is the establishment of a comprehensive corporate security policy. A corporate policy must identify roles and responsibilities for each level of an organization. Typically, each level will have a set of restrictions to system and information access. These access levels are often mapped into appropriate access control lists or classes of service, depending upon the underlying platform. An “Acceptable Use” policy defines the guidelines for use of corporate computer systems, information and content such as email, data, etc.

The next step is the identification of network access points and areas for security management. With the security policy, a set of standards must define access levels for groups and individuals. Methods must be developed to identify problem areas, and provide regular audits to ensure proactive control.

Finally, the ongoing management and control of voice systems must follow through with the execution of security initiatives. Unfortunately, many voice systems lack a set of inherent controls, and rely on outside tools and resources for monitoring. Built-in reporting capabilities are limited and inadequate for thorough systems analysis. Often, administrators print reports and then comb through pages of output to find specific data.

Voice systems have limited retention cycles for storing usage data—ranging from one hour to one week of data retention, depending upon system velocity. For example, records of login activity on messaging servers may only span one to two days before the log file is overwritten. Limited data for analysis translates into incomplete “spot checks” of systems. This type of analysis, if performed at all, is often too late to identify problem areas. With complex networks that span multiple, global locations, it is impossible for operations personnel to monitor these systems 24x7. Applications software and hardware devices must fill in the gaps.

Hardware appliances

Organizations have successfully deployed several types of hardware devices to improve network security. Devices range from secure modems to security appliances that are deployed at remote access ports. These devices offer different levels of security: 1) an additional password tier; 2) modem control lists; 3) access authentication; 4) session auditing; and 5) session encryption.

An easy solution is to deploy “secure modems” at remote access ports. Secure modems are configured on both sides of the serial connection—at the voice system, and at the computers used by administrators, maintenance personnel, and even software applications. Secure modems restrict outside access, since they can be programmed to only accept connections from authorized locations.

Legacy voice messaging servers that only provide serial connectivity can be secured by replacing modems with terminal servers. The terminal server interfaces with the voice platform via an RS-232 connection to a serial port, and plugs into the local network as an IP device. Administrators and applications can access the system using the internal network.

Hardware vendors have introduced products with embedded security controls, such as login authentication and session encryption. For example, authentication technology with challenge/response methods can restrict system access to authorized personnel with private keys or smart cards. Response tokens required to complete the system login process change every 30 seconds. This extra layer of security helps to ensure against both internal and external access.

Monitoring access and usage

Regular audits of system activity such as usage, access, and events are ongoing tasks of system administrators. For voice platforms, general areas for audits include:

Call Activity

Frequent reviews of calling activity will identify possible toll fraud and misuse. Who are the users with the highest level of usage? High call or message activity may be expected for certain groups of users, such as sales, but not for the mailroom clerk. Call activity can be compared against norms and averages from users in similar classes of service.

Login Events

Event logs and other sources of activity detail provide data on:

• the user(s) accessing systems, and from which voice terminal, MAC address, or outside number,

• session duration,

• the date/time of access, and

• the port and system accessed.

Additionally, it is beneficial to track the transactions that were executed inside the system. For example, what maintenance tasks were run on a switch? Who deleted a particular mailbox?

Setting thresholds for invalid password attempts will identify possible break-ins to mailboxes. One or two occasional invalid attempts are reasonable for most environments. Repeated and frequent attempts on a mailbox are a different story.
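The two login-event checks described above, clustered invalid attempts on one mailbox and an outside number walking through a mailbox range, as an added example that is not part of the original paper. The log format and the sample events are constructed for this example; thresholds and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data); the format is assumed for this example.
SAMPLE_EVENTS = """\
2005-03-01 08:05:40 mailbox=4222 src=did:+15550100 result=bad_password
2005-03-01 08:05:55 mailbox=4222 src=did:+15550100 result=bad_password
2005-03-01 08:06:09 mailbox=4222 src=did:+15550100 result=bad_password
2005-03-01 09:15:02 mailbox=4101 src=ext:4101 result=bad_password
2005-03-01 09:15:20 mailbox=4101 src=ext:4101 result=ok
2005-03-01 22:40:00 mailbox=4300 src=did:+15550199 result=bad_password
2005-03-01 22:41:00 mailbox=4301 src=did:+15550199 result=bad_password
2005-03-01 22:42:00 mailbox=4302 src=did:+15550199 result=bad_password
"""

def parse_events(text):
    """Turn the text log into dicts with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line[20:].split())
        fields["ts"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events

def find_brute_force(events, threshold=3, window=timedelta(minutes=10)):
    """Mailboxes with >= threshold bad passwords inside a sliding window (one or two stray failures pass)."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "bad_password":
            failures[ev["mailbox"]].append(ev["ts"])
    flagged = {}
    for mailbox, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[mailbox] = end - start + 1
                break
    return flagged

def find_mailbox_sweeps(events, threshold=3, window=timedelta(minutes=10)):
    """Outside numbers (src=did:...) failing against >= threshold different mailboxes within the window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "bad_password" and ev["src"].startswith("did:"):
            by_src[ev["src"]].append((ev["ts"], ev["mailbox"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            boxes = {mb for t, mb in attempts[i:] if t - t0 <= window}
            if len(boxes) >= threshold:
                flagged[src] = len(boxes)
                break
    return flagged
```

Mailbox 4101 has a single failure followed by a successful login and is not reported; 4222 is reported for repeated failures, and the number ending in 0199 for sweeping three mailboxes in three minutes.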

Password Changes

For legacy systems that do not have inherent password aging, it is useful to check on the last time users changed their passwords. For example, on voice messaging systems, this information may be available in call detail records. However, the activity record is generated when the password change event occurred; it may be difficult to obtain the list of mailboxes that have not had password changes.

Unused Resources

Identifying and removing unused system resources is part of ongoing system maintenance. For voice messaging servers, this involves removing un-initialized and abandoned mailboxes, as well as updating distribution lists to remove mailboxes of former employees.

Voice System Security Software

Voice security software has focused on specific areas of control, such as call traffic, or on point solutions that address only one type of platform. The types of information and methods for retrieval that are provided by voice equipment manufacturers can limit comprehensive systems management. Tools for managing voice platforms have typically focused on managing the application layer but for a standalone system only. Further, the proprietary nature of voice operating systems and the limited data available for analysis has made voice security a difficult and cumbersome chore.

Communications servers generate call activity records (e.g. SMDR, CDR) but cannot store them internally, so an output buffer must capture data before it is lost. For this type of data, call accounting systems provide the means to analyze call records and provide reports that identify suspicious call patterns, heavy usage, and most importantly, toll fraud.

However, call accounting systems offer a small window into systems management. For example, call records do not capture user login activity, so alternative sources of information are required to monitor system access. Further, alarm and event data, and usage activity are required to gain a complete picture of overall system activity.

Voice messaging systems store system and user activity data for short intervals. Equipment vendors provide rudimentary reports, such as individual mailbox usage for a day or a month, and it is burdensome for administrators to print and extract data for meaningful analyses. Usage data is often in a “raw” or binary file format, and requires extensive processing before reporting software can extract useful results. Often, it is necessary to cross reference data from multiple sources to provide an accurate depiction of activity. For example, taking information such as the last mailbox access, coupled with message activity for the last 90 days, translates into an accurate condition for mailbox removal.
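The cross-referencing just described, extended to also cover the un-initialized and former-employee mailboxes discussed under Open Voice Mailboxes and Unused Resources, as an added example that is not from the original paper. The mailbox table, message counts and HR list are constructed sample data; the 90-day idle rule follows the text, the other two rules are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from any real system), modelling the three sources
# to cross-reference: the server's mailbox table, its 90-day message activity
# counts, and the HR list of current employees.
MAILBOXES = [
    # (mailbox, owner, initialized: default password changed?, last_access)
    ("4101", "alice", True, date(2005, 2, 27)),
    ("4222", "bob", True, date(2004, 10, 3)),
    ("4300", "carol", False, None),   # created but never initialized
    ("4301", "dave", True, date(2005, 2, 20)),
]
MESSAGES_90D = {"4101": 42, "4222": 0, "4300": 0, "4301": 5}
HR_ACTIVE = {"alice", "carol", "dave"}   # bob has left the company
AS_OF = date(2005, 3, 1)                  # date the audit is run

def removal_candidates(mailboxes, messages_90d, hr_active, today, idle_days=90):
    """Return {mailbox: [reasons]} for mailboxes that should be reviewed for removal."""
    cutoff = today - timedelta(days=idle_days)
    findings = {}
    for mailbox, owner, initialized, last_access in mailboxes:
        reasons = []
        if owner not in hr_active:
            reasons.append("owner no longer on HR active list")
        if not initialized:
            reasons.append("never initialized, still on default password")
        idle = last_access is None or last_access < cutoff
        if idle and messages_90d.get(mailbox, 0) == 0:
            reasons.append(f"no access and no messages in {idle_days} days")
        if reasons:
            findings[mailbox] = reasons
    return findings

if __name__ == "__main__":
    for mailbox, reasons in removal_candidates(
            MAILBOXES, MESSAGES_90D, HR_ACTIVE, AS_OF).items():
        print(mailbox, "; ".join(reasons))
```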

Requirements for Voice Security Software

Software tools for managing enterprise voice networks should encompass several key requirements and objectives. A solution should:

Support Complex Voice Network

A voice management solution should manage the entire voice network, not just one type of platform, such as communications servers. With today’s requirements, the solution must support multi-vendor, multi-platform environments. Point solutions can only address a small subset of the network, and provide a myopic view of a network segment.

Provide 24x7 Monitoring

Security management is a 24x7 operation. Software systems must be fully automated and provide near real-time data verification. Sporadic data analysis will miss critical events.

End-to-End Analysis

In order to provide complete security coverage, a solution should analyze many types of information about application and system activity. Ideally, the objective is a single architecture to manage all elements in the voice domain. For example, a total management solution will integrate all components of infrastructure management including alarm management, inventory, system and usage activity, and event notification. Checkpoint verification and system monitoring should track users from the edge of the network through to the system endpoint. The ability to monitor the entire transaction, including all events that are executed on voice platforms, ensures complete accountability for maintenance and service levels.


Robust Reporting

To paint a comprehensive security picture, reports should span the entire range of system and application activity. This includes alarms and events, access and activity, and provide reports for all organizational levels. Reports that provide summary and detail information down to the transaction level ensure the right level of detail based on audience.

Support Corporate Objectives

To fit seamlessly into the corporate environment, a solution should integrate and complement corporate standards. For example, a solution can assist with removing login accounts, mailboxes, and system access when an employee has left the company. Another example may be to provide measurement results for monitoring service levels of maintenance personnel. Software can integrate with infrastructure management to identify security issues and then close the loop to secure vulnerable areas.

Event Notification

Software can trigger notifications when an event occurs and send messages to an administrator or to the Network Operations Center. Event notification should be immediate and provide all necessary information about an event. The ability to filter data so that users are not inundated with transactional events is a useful feature.

Conclusion

There are many issues in controlling voice networks. Identifying weak points, implementing software tools and hardware devices, and establishing internal procedures provide measures to secure the network. A comprehensive strategy will ultimately provide the best measures for systems management and security control. More importantly, the right tool ensures that controls are proactive, consistent and automatic.