
SECURING VoIP NETWORK: AN OVERVIEW OF APPLIED APPROACHES AND ANALYSIS

Michael Oche, Rafidah Md Noor Member IEEE, Abubakar Bello Tambawal and Mostofa Kamal Nasir

ABSTRACT - VoIP is becoming more and more popular and, as such, a potential target for hackers. Providing security for VoIP services is therefore pertinent for telecommunications. Without correct mechanisms to ensure caller authentication, transmission confidentiality and availability of the service, the security of VoIP users is at risk. The fact that VoIP relies on IP infrastructure makes it vulnerable to any attack that targets the network. Consequently, whatever the nature of the attack, there is a good chance that the attacker is capitalizing on a weakness in the VoIP protocol being used. VoIP differs from other IP services in that its security is normally treated as one of the service properties configurable by the user. This article provides an overview of Cisco VoIP security requirements, aimed at empowering public VoIP users with strategies to mitigate threats.

Keywords: AAA, CIA, PSTN, Telephony, VoIP

2.0 INTRODUCTION

Voice over Internet Protocol (VoIP) is a rapidly growing Internet service. It gained popularity as a way to cut the cost of international telephone connections by transporting voice over public IP networks [1]. Today it is implemented in many IP applications, where it enables direct, and most of the time free, communication over the Internet to users globally. As a consequence, VoIP technology is slowly replacing traditional telephony. There are numerous attack vectors when dealing with VoIP, and since VoIP depends on the IP infrastructure, any attack that targets the network is a potential hazard for VoIP. Consequently, whatever the nature of the attack, there is a good possibility that the attacker is capitalizing on a weakness in the VoIP protocol being used. Providing security for this service is therefore pertinent for telecommunications. Users' private information, business negotiation details or even state secrets could be revealed if not well protected. Without correct mechanisms to ensure caller authentication, transmission confidentiality and service availability, the security of VoIP users is at risk. In view of this, it is imperative to investigate the VoIP security problem and evaluate the service to assure that moving telephony to a new IP-based platform does not compromise its security [2]. In most cases, advances and trends in information technology surpass the corresponding realistic security requirements. This is no different in the case of VoIP: most effort has so far been invested in providing more advanced services and applications, with less attention paid to security. Another prevailing problem lies in users' perception of VoIP telephony. Since the idea of VoIP telephony is not completely new, it follows the model of traditional telephony and is seen by users as a replacement for it, a replacement that users presume should provide a similar security level. Unfortunately, VoIP is different, in the sense that its security is usually treated as one of the service properties configurable by the user. In this paper we therefore review and analyze basic Cisco VoIP network security requirements, with the aim of empowering public VoIP users and equipping them with relevant basic tools and information on how to better secure their VoIP telephony systems.

3.0 LITERATURE ANALYSIS

Voice over Internet Protocol is a somewhat different technology: even though an average telecommunication user knows it concerns the Internet and is relatively cheaper, he/she probably does not know any details beyond that. The traditional telephony system, since its introduction in 1878, has gone through three main stages. First it existed in the form of a generic telephone network which required a constant human presence to switch and set up calls. Later, in 1891 [3], POTS was introduced. The Plain Old Telephone System (POTS) provides automated switching, thereby completely eliminating the need for human presence. In 1970 POTS was replaced with a more advanced system known as the Public Switched Telephone Network (PSTN). Unlike POTS, the PSTN uses digital signals: voice is no longer transmitted as an analogue signal, as in the case of POTS, but as a digital signal. This development made it possible to offer other services such as fax and database services. The introduction of the PSTN marks the beginning of the digital communication system, and to make communication even more seamless the new PSTN was also made compatible with the POTS system, which uses the lowest transmission bandwidth of 4 kHz, despite the fact that digital services are transported on higher frequencies [3]. Beginning in 1990, the higher bandwidth brought about by digitization found its use in data network access technology. Many Internet access services, like ISDN and then DSL and ADSL, are now offered via the same access lines that were used for the PSTN [4].

3.1 THE ARCHITECTURE

The acronym VoIP stands for Voice over Internet Protocol, which implies that voice packets are transported using the Internet Protocol (IP); it is a packet switching system. VoIP is different from the PSTN, which is circuit switched: irrespective of the amount of information to be sent, the PSTN reserves the full transmission bandwidth. VoIP, on the other hand, is packet switched. Information to be sent is divided into packets and transmitted, and only meaningful information is put into packets. Additionally, each packet may travel by a different route (dynamic routing) through the transport network, as there is no single reserved path (circuit). As a consequence, packets arriving at the destination may come in a different sequence than they were sent. Also, as there is no guaranteed bandwidth, some packets may be lost. These packets are simply transported using the Internet Protocol (IP). Voice transportation using IP works just the same way as any other application like WWW or email. The Internet's tariffing system is based on a philosophy different from that of the PSTN: tariffing is independent of the geographical distance between sender and receiver. Therefore, transmitting data between any two points costs the client the same amount, whereas in the traditional PSTN it is different (calls are charged based on distance). Figure 1 shows four scenarios relating the IP network to the PSTN. Figure 1.1 shows scenario 1, the first VoIP application: it permits voice communication between two users of the Internet, and it has grown so popular that it is now used in many Instant Messaging (IM) clients, like Skype, Messenger, etc. Voice transmission over IP works just as any other Internet service and is fully converged with other IM applications. The next step of VoIP development came with calls from Internet users to PSTN fixed subscribers (Figure 1.2, scenario 2). The main advantage of such a telecommunication solution is that information travels through the Internet for as long as possible and is forwarded to the PSTN at the very end, as close to the subscriber as possible. Thanks to this, even international calls are treated as local calls by the PSTN provider, and the total cost is considerably diminished [5].

Figure 1: VoIP/PSTN basic scenarios [5].

The last two scenarios (Figures 1.3 and 1.4) might be used by providers when the need arises (whenever circumstances require their implementation). Unquestionably, there are a lot more complicated scenarios in use, but they would merely be variations of the four presented in Figure 1.

3.2 PROTOCOLS AND CONCEPTS

While introducing VoIP one has to mention some basic elements and concepts of a VoIP system. As can be seen in Figure 2, there are four basic elements of a VoIP system [5].

Terminal: in a VoIP environment this refers to the end point of communication, the device where calls are terminated. A terminal can be either software based or hardware based and may also involve some automated interaction such as voice mail.

Server: the server is the focal point of a VoIP system. Registration of terminals and information such as their location and IP address are stored here. The server also performs other operations such as call routing setup, authorization and accounting.

Gateway: the outermost edge of the VoIP network. It ensures the interoperability of the VoIP network with other networks, for example by converting voice and fax calls between the PSTN and the IP network.

Conference Bridge: for multi-point communication; it allows several communication points to take part in one call. Because of the high resource requirements of the conference bridge, it is isolated from the server, as shown in Figure 2.

Figure 2: VoIP basic architecture

4.0 SECURITY REQUIREMENTS ANALYSIS

Risk assessment of Voice over IP in public networks should start with an analysis of security expectations: one should state what requirements are imposed on the system. Of course, before such an analysis may be performed, definitions of the basic and most widespread security requirements should be given.

4.1 GENERAL REQUIREMENTS

There are many different ways to classify security requirements. One of them is the CIA triad, which concerns the three most basic security problems: Confidentiality, Integrity and Availability [6]. These three issues describe properties of the communication process that happens between two parties. They are usually also considered the superior requirements, and all the others mentioned in the following subsections are just requirements that help to meet those three major ones by covering more specific problems. CIA are basic system security requirements, but that does not mean they are simple.

Confidentiality: usually means restrictions on the accessibility and dissemination of information, which in the case of VoIP (or telephony in general) means limited access to the information exchanged between two or more communication endpoints. It is usually accomplished by encryption of the transmitted information [6].

Integrity: usually regards insertion, deletion or modification of information. In VoIP telephony two integrity issues appear: data and signaling. Data integrity regards the exchanged content, and signaling integrity considers all the protocol information necessary for transmission handling. Compromising signaling integrity may result in compromising almost every other security requirement [4]. That is why the correctness, completeness, wholeness, soundness and compliance with the intention of the creators of the data have to be ensured.

Availability: is one of the most important security requirements that needs to be ensured. If the service is not available most of the time, the technology will not be considered feasible, reliable and trustworthy by users. The availability of a system is usually measured in a time unit, the system's uptime. In traditional telephony this uptime is at least 99.999% [6]. Providing such low downtime on an IP-based platform is an extremely challenging problem. If availability is not guaranteed, the system will suffer degradation or interruption of its service to the customer as a consequence of failures of one or more of its parts. Since VoIP requires real-time transmission, even lowered quality may make it impossible to carry out a conversation.

4.2 AUTHENTICATION, AUTHORIZATION, ACCOUNTING

While the CIA requirements describe the properties of a communication process, AAA regards mostly user-system interaction. It stands for Authentication, Authorization and Accounting [7], [8]. The AAA requirements are also complicated, but not as ambiguous as CIA.

Authentication: regards checking identity. There are many possible system subjects that may be authenticated: it may be the provider, the end-user, or any intermediate device. Because of that there are two basic types of authentication in VoIP:

End-to-end: only the communication end points authenticate to one another; the devices in between, or the provider, do not take part in the process and are not aware of the end-users' identity, as most of the communication details are hidden.

Hop-to-hop: safer and easier to implement, as the devices in between also authenticate the users and one another and have access to all the communication details. However, there is an issue of trusting those devices, as we share our authentication information with them.

Authentication is necessary to correctly set up communication between endpoints. It usually includes identification of the users and verifying the integrity of messages containing authentication information [7].

Authorization: once the end-user has been identified, his/her rights in the system have to be determined. The authorization process is necessary to check whether a user (or an administrator) is allowed to perform a requested operation or access requested data. For example, it is used by providers in VoIP authorization to find out what tariff plan should be used for a given user, what data may be accessed by him/her, etc. It is also a crucial process for accessing the VoIP server (IP-PBX) [8]. Unauthorized access to and modification of configuration data may result in compromising many other security requirements.

Accounting: is regarded as the activity, practice, or profession of maintaining the business records of a person or organization and preparing forms and reports for tax or other financial purposes. It is the process necessary for creating billing invoices for clients. Because of that it is a very important issue for the provider, which wants to be paid for the service, and for the client, who does not want to pay more than necessary [8].

5.0 METHOD OF SECURING A CISCO VoIP NETWORK SYSTEM

Cisco maintains a set of best practices collected in a Solution Reference Network Design (SRND) document that provides guidelines for the deployment and installation of the Unified Call Manager. Much of Cisco's IP telephony infrastructure relies on the Cisco Call Manager (CCM), a software-based call-processing component of the Cisco IP telephony solution. Skinny Client Control Protocol (SCCP) is Cisco's proprietary signaling protocol used between the CCM and the phones. Below are Cisco's approaches to mitigating security threats [9].

5.1 CISCO DISCOVERY PROTOCOL (CDP) SNIFFING

If an attacker is an insider or already has partial access to an internal network, there are a variety of passive host discovery techniques specific to a Cisco VoIP deployment that he can perform. Cisco Discovery Protocol (CDP) is a proprietary layer 2 network management protocol built into most Cisco networking devices, including VoIP phones. CDP is used in particular in a Call Manager environment to discover and remove IP phones dynamically, to allocate VLANs to IP phones dynamically, and for other management functions. CDP packets are broadcast on the local Ethernet segment and contain a wealth of reconnaissance information, transmitted in plaintext, about Cisco devices, including IP addresses, software versions and VLAN assignments. Most network sniffers can easily decode CDP traffic.

Cisco recommends turning off CDP on Cisco devices, especially where the environment is mostly static. In a VoIP environment CDP offers so much management functionality that keeping it enabled where absolutely needed might be an acceptable trade-off. From a strict security perspective, however, CDP can provide attackers with a wealth of data about the network and should be disabled. Cisco switches and routers also have a security feature called DHCP snooping that causes the device to act as a DHCP firewall/proxy between trusted and untrusted network interfaces [9].

5.2 PROTECTING A VoIP NETWORK WITH SECURITY APPLIANCES

Security appliances such as firewalls and VPN termination devices can also be used to protect voice networks. However, one challenge of protecting voice networks with a firewall is that the administrator does not know in advance which UDP ports will be used to transmit the RTP voice packets. For example, in a Cisco environment the UDP port for an RTP stream is typically an even-numbered port selected from the range 16,384 to 32,767. Opening this entire range of potential ports could open an unnecessary security hole. Cisco firewalls, that is the PIX and Adaptive Security Appliance (ASA) firewalls, solve this problem because they can dynamically inspect call setup protocol traffic (e.g. H.323 traffic) to learn the UDP ports to be used for the RTP flows. The firewall then temporarily opens those UDP ports for the duration of the RTP connection [10].

5.3 HARDENING VOICE ENDPOINTS AND APPLICATION SERVERS

Recall that a Cisco IP phone makes a collection of configuration information freely available to anyone who points a web browser at the IP address of the phone. This potential weakness can be mitigated by changing the web access parameter from enabled to disabled. Also, to prevent man-in-the-middle attacks, one can change the gratuitous ARP setting from enabled to disabled. By disabling the gratuitous ARP feature, one prevents a Cisco IP phone from believing unsolicited Address Resolution Protocol (ARP) replies, which could potentially have come from an attacker claiming to be the next-hop gateway for the Cisco IP phone. Aside from voice endpoints, other popular attack targets on voice networks include application servers, such as the Cisco UCM server. Cisco already provides a hardened version of the operating system that runs on a UCM server to address this problem [10].

5.4 PROTECTING VoIP WITH AUXILIARY VLANs

Part of Cisco's SRND recommends segmenting the voice and data networks with logically separate VLANs. This helps restrict access to the phones and critical servers. A fundamental approach to protecting voice traffic from attackers is to place it in a VLAN separated from data traffic. This voice VLAN is often called an auxiliary VLAN. VLAN separation alone protects voice traffic from a variety of layer 2 attacks. For example, an attacker would be unable to launch a man-in-the-middle attack against the IP phone's next-hop gateway: such an attack is mitigated because the attacker's PC would be connected to a data VLAN while the IP phone is connected to the auxiliary VLAN. Many models of Cisco IP phones include an extra Ethernet port to which a PC can attach. The attached PC communicates through the Cisco IP phone, and the phone carries the two kinds of traffic in separate VLANs (a data VLAN for the PC traffic and an auxiliary VLAN for the phone's voice traffic) while still connecting to a single Cisco Catalyst switch port [10].

6.0 CISCO HARDENING RECOMMENDATIONS

Enable port security on Cisco switches to help mitigate ARP spoofing. Port security is a mechanism that allows one to assign ahead of time the legitimate MAC addresses of known servers and devices to each specific port on the switch. One can thus block access to an Ethernet, Fast Ethernet or Gigabit Ethernet port when the MAC address detected is not on the pre-assigned list. This helps prevent ARP spoofing attacks.

Dynamically restrict Ethernet port access with 802.1X port authentication. Enabling 802.1X port authentication protects against physical attacks whereby someone walking around inside the organization plugs a laptop into an empty network jack in order to sniff traffic.

Enable DHCP snooping to prevent DHCP spoofing. DHCP snooping is a feature that blocks DHCP responses from ports that do not have DHCP servers associated with them. This prevents a man-in-the-middle attack in which the attacker masquerades as a valid DHCP server in order to reroute traffic to his machine. Entries should also be added to the DHCP snooping binding table for devices that do not use DHCP, so that dynamic ARP inspection and IP source guard can be applied to them as well.

Configure IP source guard on Catalyst switches. The IP source guard (IPSG) feature uses DHCP snooping to prevent IP spoofing on the network by closely watching all DHCP IP allocations. The switch then allows only the valid IP address that has been allocated by the DHCP server on that particular port. This feature mitigates the ability of an attacker to spoof an IP address on the local segment.

Change the default native VLAN value to thwart VLAN hopping. Most switches come installed with a default native VLAN ID of VLAN 1. Because attackers can sometimes perform VLAN hopping attacks if they know the VLAN IDs ahead of time, it is usually a good idea never to use VLAN 1 for any traffic. Also change the default native VLAN ID for all traffic going through the switch from VLAN 1 to something hard to guess [11].
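The checks from section 5.1 (CDP left enabled, DHCP snooping) and the recommendations of section 6.0 (port security, 802.1X, IP source guard, dynamic ARP inspection, native VLAN 1) can be verified mechanically against a saved running configuration. The script below is an added example, not code from the paper or from Cisco: it parses an IOS-style configuration into global commands and interface blocks and reports each recommendation that is missing. Both sample configurations, the hostname and the interface names are constructed; the commands it looks for (no cdp run, ip dhcp snooping, ip arp inspection vlan, switchport port-security, dot1x port-control auto, ip verify source, switchport trunk native vlan) are the standard Catalyst commands for these features.

```python
"""Audit a Cisco IOS-style switch configuration against the hardening items
from sections 5.1 and 6.0: CDP, DHCP snooping, dynamic ARP inspection,
port security, 802.1X, IP source guard and the native VLAN. Added example,
not from the paper or from Cisco; both sample configurations are constructed."""

# Constructed sample: phone port Gi0/1 hardened, spare port Gi0/2 untouched,
# uplink trunk left on native VLAN 1, CDP never disabled.
WEAK_CONFIG = """\
hostname ACCESS-SW1
ip dhcp snooping
!
interface GigabitEthernet0/1
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 dot1x port-control auto
 ip verify source
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
 ip dhcp snooping trust
"""

# Constructed sample with every recommendation applied.
HARDENED_CONFIG = """\
hostname ACCESS-SW1
no cdp run
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
interface GigabitEthernet0/2
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 dot1x port-control auto
 ip verify source
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 ip dhcp snooping trust
"""


def parse_config(text):
    """Split an IOS-style config into global commands and a list of
    (interface name, sub-commands); sub-commands are the indented lines
    that follow an 'interface X' line."""
    global_cmds, interfaces, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith("interface "):
            current = (line.split(None, 1)[1], [])
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text):
    """Return (scope, issue) findings; an empty list means every check passed."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    # CDP is on by default on IOS, so only an explicit 'no cdp run' turns it off (5.1).
    if "no cdp run" not in global_cmds:
        findings.append(("global", "CDP enabled: device details are broadcast in plaintext"))
    if "ip dhcp snooping" not in global_cmds:
        findings.append(("global", "DHCP snooping disabled: rogue DHCP replies are not blocked"))
    if not any(c.startswith("ip arp inspection vlan") for c in global_cmds):
        findings.append(("global", "dynamic ARP inspection not enabled on any VLAN"))
    for name, cmds in interfaces:
        if "switchport mode trunk" in cmds:
            native = next((c for c in cmds if c.startswith("switchport trunk native vlan ")), None)
            vlan = int(native.rsplit(None, 1)[1]) if native else 1  # IOS default native VLAN
            if vlan == 1:
                findings.append((name, "native VLAN is 1: change it to thwart VLAN hopping"))
        elif "switchport mode access" in cmds:
            if "switchport port-security" not in cmds:
                findings.append((name, "port security off: any MAC address is accepted"))
            if "dot1x port-control auto" not in cmds:
                findings.append((name, "802.1X not enforced: unauthenticated devices can attach"))
            if "ip verify source" not in cmds:
                findings.append((name, "IP source guard off: spoofed source addresses pass"))
    return findings
```

Running audit(WEAK_CONFIG) reports six findings (CDP and dynamic ARP inspection globally, three missing features on the spare access port and the native VLAN on the trunk), while audit(HARDENED_CONFIG) returns an empty list. The trunk check treats a missing native-VLAN command as VLAN 1, because that is the IOS default the paper warns about; a real audit would also want to confirm that `ip dhcp snooping trust` appears only on uplinks.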

Table 1. Summary of Cisco mitigation methods.

ATTACK MITIGATION | DESCRIPTION
Using auxiliary VLANs | Auxiliary VLANs transport voice traffic in a different VLAN from data traffic. This improves voice transmission quality and assists in securing voice traffic from layer two attacks.
Using firewalls | Effective use of firewalls can prevent potentially harmful traffic from entering a voice network while dynamically opening the suitable UDP port numbers of individual RTP flows.
Employing IPSec-protected VPNs | IPSec-protected VPNs mitigate interception or modification of voice signaling and media packets.
Disabling web access | To prevent attackers from using web access to a Cisco IP phone to learn the IP addresses of other servers such as the DHCP, DNS and UCM servers, disable web access to the Cisco IP phones, which is enabled by default.
Disabling gratuitous ARP | Disabling gratuitous ARP (GARP) guards against man-in-the-middle attacks. It prevents an attacker from sending unsolicited ARP replies that bind a Cisco IP phone's next-hop gateway to the attacker's PC MAC address.
Disabling unneeded services | Unneeded services, such as the TFTP service on a UCM server that is not acting as a TFTP server, should be disabled to close any potential security holes that might exist in the system.
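The firewall behaviour from section 5.2 and the "Using firewalls" row of Table 1 is easier to reason about as a small model: the whole UDP range 16,384 to 32,767 stays closed, and a pinhole for one RTP/RTCP port pair is opened only after the inspected call setup announces it, then removed at tear-down. The code below is an added example, not from the paper or from Cisco. It assumes SIP/SDP media lines (RFC 4566) as the signaling to inspect, in place of the H.323 the paper mentions, and the SDP bodies, addresses and call identifiers are constructed.

```python
"""Model of the dynamic RTP pinhole described in section 5.2 and in the
'Using firewalls' row of Table 1. Added example, not from the paper or
from Cisco: the firewall keeps the whole UDP 16384-32767 range closed and
opens only the port pair announced by the inspected call setup, for the
life of the call. It inspects SIP/SDP media lines (RFC 4566) rather than
H.323, and all signaling text below is constructed."""
import re

RTP_PORT_MIN, RTP_PORT_MAX = 16384, 32767


def valid_rtp_port(port):
    """Cisco RTP streams use an even port in 16384-32767; anything else is refused."""
    return port % 2 == 0 and RTP_PORT_MIN <= port <= RTP_PORT_MAX


def static_range_policy(dst_port):
    """The alternative the paper warns against: a fixed rule admitting the whole range."""
    return RTP_PORT_MIN <= dst_port <= RTP_PORT_MAX


class VoiceFirewall:
    def __init__(self):
        self._pinholes = {}  # call_id -> {(ip, udp_port), ...}

    def inspect_signaling(self, call_id, sdp):
        """Learn the media endpoint from the call setup and open its RTP and RTCP
        ports. Returns the RTP port opened, or None if the announcement was refused."""
        conn = re.search(r"^c=IN IP4 (\S+)$", sdp, re.M)
        media = re.search(r"^m=audio (\d+) RTP/AVP", sdp, re.M)
        if conn is None or media is None:
            return None
        port = int(media.group(1))
        if not valid_rtp_port(port):
            return None
        ip = conn.group(1)
        # RTP on the even port, RTCP on the next odd port (RFC 3550 convention)
        self._pinholes.setdefault(call_id, set()).update({(ip, port), (ip, port + 1)})
        return port

    def close_call(self, call_id):
        """Tear-down of the call removes its pinholes again."""
        self._pinholes.pop(call_id, None)

    def allows(self, dst_ip, dst_port):
        """Default deny: a datagram passes only through a pinhole of a live call."""
        return any((dst_ip, dst_port) in holes for holes in self._pinholes.values())


# Constructed SDP body as a phone would send it in an INVITE or 200 OK.
PHONE_SDP = """\
v=0
o=phone 1 1 IN IP4 10.1.10.25
s=-
c=IN IP4 10.1.10.25
t=0 0
m=audio 16400 RTP/AVP 0 8 18
a=sendrecv
"""
# Same body announcing an odd port outside the expected range.
BAD_SDP = PHONE_SDP.replace("m=audio 16400", "m=audio 5005")


def demo():
    """Walk one call through setup, media and tear-down; returns the allow decisions."""
    fw = VoiceFirewall()
    before = fw.allows("10.1.10.25", 16400)
    port = fw.inspect_signaling("call-1", PHONE_SDP)
    during = fw.allows("10.1.10.25", 16400) and fw.allows("10.1.10.25", 16401)
    other = fw.allows("10.1.10.25", 20000)  # unrelated port in the range stays shut
    fw.close_call("call-1")
    after = fw.allows("10.1.10.25", 16400)
    return {"port": port, "before": before, "during": during, "other": other, "after": after}
```

demo() returns before=False, during=True, other=False and after=False: the pinhole exists only while the call does, and a second port in the range remains closed even during the call, whereas static_range_policy would admit traffic to every port in the range at all times. An announcement of an odd or out-of-range media port is refused rather than opened, which is the check a real inspection engine needs so that signaling cannot be used to punch arbitrary holes.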

Figure 3: Summary of threat taxonomy.

7.0 CONCLUSION / FUTURE WORK

There are many security requirements, but only a few of the most important ones have been chosen in this paper to describe Cisco VoIP networks. The bottom line of the security solutions analysis is that, although there are some attacks that are extremely difficult to handle, most may be eliminated with the use of existing security measures. Correct deployment of available security solutions can make VoIP a service with a security level very close to that known from the PSTN, while keeping all its advantages, such as advanced services, user control, flexibility and lower costs. However, the biggest problem of VoIP systems is that those security solutions are actually seldom deployed. This problem concerns end users above all. The truth is that most users have no idea about security threats and countermeasures in IP networks and, to make it even worse, they do not want to know. The more serious threats to VoIP systems may be realized through weak end-device protection or lack of encryption, both caused by users' lack of expertise and knowledge. It is, however, unreasonable to expect the user to be a specialist in VoIP technology just to make a phone call. Any service or application offered in a public network should be simple, with security taken care of by the provider. In the future, researchers need to investigate better VoIP security measures that do not require end-user participation in the security process.

ACKNOWLEDGEMENTS

The authors would like to thank the High Impact Research of the Ministry of Higher Education of Malaysia (UM.C/HIR/MOHE/FCSIT/09) for their support.

REFERENCES
[1] A. D. Keromytis, "A Comprehensive Survey of Voice over IP Security Research," IEEE Communications Surveys & Tutorials, vol. 14, pp. 514-537, 2012.
[2] D. R. Kuhn, et al., "Security considerations for voice over IP systems," NIST Special Publication 800-58, 2005.
[3] K. B. Otterstedt, "Risk analysis on VoIP systems," MSc thesis, University of Iceland, 2011.
[4] Digital subscriber line. Available: http://en.wikipedia.org/wiki/Digital_subscriber_line
[5] S. Niccolini, et al., "IP Telephony Cookbook," ed: TERENA, 2004.
[6] D. Butcher, et al., "Security Challenge and Defense in VoIP Infrastructures," IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, vol. 37, pp. 1152-1162, 2007.
[7] D. Sisalem, et al., "Denial of service attacks targeting a SIP VoIP infrastructure: attack scenarios and prevention mechanisms," IEEE Network, vol. 20, pp. 26-31, 2006.
[8] C. Rensing, et al., "AAA: a survey and a policy-based architecture and framework," IEEE Network, vol. 16, pp. 22-27, 2002.
[9] D. Endler and M. Collier, Hacking Exposed VoIP: Tata McGraw-Hill Education, 2007.
[10] M. Watkins and K. Wallace, "CCNA Security Official Exam Certification Guide (Exam 640-553)," 2008.
[11] I. Dacosta, et al., "Security Analysis of an IP Phone: Cisco 7960G," in Principles, Systems and Applications of IP Telecommunications. Services and Security for Next Generation Networks, vol. 5310, H. Schulzrinne, et al., Eds., Springer Berlin Heidelberg, 2008, pp. 236-255.
