Securing voice over IP (VoIP) networks and devices is a complex process. Given that VoIP is a new technology, security issues are not fully understood, standards and protocols are in the process of evolving, and there is no consensus yet as to a single "right solution." Signaling channels and media streams can be secured with several different technologies and a fair bit of discussion exists around possible methods. Networks can be secured with firewalls and session border controllers. Little has been said, however, about securing VoIP devices themselves. Yet, to realize a truly secure system, they must be secured.
This article will focus on securing VoIP devices, and explore a variety of techniques available to the developer to make the process less daunting. Such elements as code signing, trusted boot, and secure provisioning will be discussed. All development, however, should take into account a complete security picture, so it is important to adopt a security architecture that supports the full range of security options. By so doing, the developer can greatly simplify the task of integrating the various security layers.
Setting the stage
Although within a fully secured corporate network the risk of attacks on VoIP devices is low, it is prudent to add this layer of security to protect a conversation between a CFO and CEO about the company's financial performance. Certainly, when calls go outside the corporate network and traverse an unsecured network such as the Internet, security is mandatory. Users accessing the corporate network from remote locations (telecommuters) also need to ensure that their calls are protected. A simplified view of a VoIP network is shown in Figure 1.
Figure 1: Simplified view of a VoIP network
Within the service provider network there are additional security requirements, such as securing the signaling messages exchanged between the various network elements to protect against lost service, hijacked service, toll fraud, etc. The deployment of advanced IP Multimedia Subsystem (IMS) services, such as presence-based and push-to-talk messaging, creates new security risks, especially for devices. To take advantage of the new services and applications offered by IMS, users are often required to download and install client software, and that software could be affected by malicious code.
As a growing number of connected devices are deployed in the enterprise (and the home), it becomes increasingly necessary to manage those devices, remotely updating the code base either with new versions of existing software or with new applications and services. It is a vital part of the overall security process to ensure that the software being installed is valid.
Likewise, developers want to verify at boot time that the image being loaded is from a trusted source and has not been tampered with. The same scenario applies when updating drivers or provisioning information on the device.
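As an added illustration (not code from the article), here is the boot-time check the preceding paragraphs describe: the device holds only a trusted public key and refuses to run an image whose signed manifest does not verify, whose payload has been altered, or whose version is older than the one already installed. The image layout, the field names and the use of unpadded textbook RSA with a Fermat-test key generator are assumptions made to keep the example self-contained; a production loader would use a padded signature scheme and the vendor's real image format.

```python
import hashlib, math, secrets, struct

MAGIC = b"VOIP"  # constructed header magic for this illustrative image format

def _demo_prime(bits):
    # Fermat test on fixed bases: good enough to find a demo prime quickly,
    # not a substitute for a real key-generation routine.
    while True:
        p = secrets.randbits(bits) | 1 << (bits - 1) | 1
        if all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7, 11, 13)):
            return p

def gen_signing_key(bits=512):
    # Textbook (unpadded) RSA, illustration only. Returns ((n, e), (n, d)).
    while True:
        p, q, e = _demo_prime(bits // 2), _demo_prime(bits // 2), 65537
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _manifest_digest(version, payload):
    # What the vendor signs: magic, version and the SHA-256 of the payload.
    header = MAGIC + struct.pack(">I", version)
    return hashlib.sha256(header + hashlib.sha256(payload).digest()).digest()

def build_image(payload, version, priv):
    # Vendor side: header, RSA signature over the manifest digest, then payload.
    n, d = priv
    sig = pow(int.from_bytes(_manifest_digest(version, payload), "big"), d, n)
    sig_bytes = sig.to_bytes((n.bit_length() + 7) // 8, "big")
    return MAGIC + struct.pack(">I", version) + sig_bytes + payload

def verify_image(image, pub, min_version):
    # Boot-loader side: returns (accepted, reason) before any payload code runs.
    n, e = pub
    hdr = 8 + (n.bit_length() + 7) // 8
    if len(image) < hdr or image[:4] != MAGIC:
        return False, "bad header"
    version = struct.unpack(">I", image[4:8])[0]
    sig, payload = int.from_bytes(image[8:hdr], "big"), image[hdr:]
    if version < min_version:
        return False, "rollback to an older version refused"
    expected = int.from_bytes(_manifest_digest(version, payload), "big")
    if sig >= n or pow(sig, e, n) != expected:
        return False, "signature invalid"
    return True, "ok"

if __name__ == "__main__":
    pub, priv = gen_signing_key()
    img = build_image(b"constructed firmware payload", 3, priv)
    print(verify_image(img, pub, 2), verify_image(img[:-1] + b"\0", pub, 2))
```

Because the version field is part of the signed manifest, an attacker who can write to flash cannot downgrade the device to an older, signed-but-vulnerable image without also defeating the signature check.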
The cast of characters
There is no shortage of security protocols and techniques that can be applied to the VoIP network. Many of these are proven solutions that have been in use for some time. Others are emerging technologies designed to address specific applications in a more efficient manner. A detailed description and comparison of the various security protocols that may be used in VoIP is beyond the scope of this article. However, a brief summary is provided as a reference for those less familiar with security protocols.
IPSec is a protocol suite that has been in use for many years, especially for securing Virtual Private Network (VPN) connections. IPSec operates at the network layer, and is used to secure Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Stream Control Transmission Protocol (SCTP) traffic. It provides message integrity, authentication, and data confidentiality. IPSec is commonly used with the Internet Key Exchange (IKE) protocol to enable devices to exchange security key information.
The Secure Sockets Layer (SSL) protocol was developed by Netscape as a means to secure Web traffic for such applications as online commerce. The protocol was later moved to the Internet Engineering Task Force (IETF) and became the Transport Layer Security (TLS) protocol. Operating at the Application Layer, it provides end-point authentication and communications privacy. In typical e-commerce applications, only the server is authenticated. By using public-key technology, both sides can be authenticated. SSL and TLS assume the use of a reliable transport layer (such as TCP).
The Datagram Transport Layer Security (DTLS) protocol was developed to provide the same level of security offered by TLS in cases where the underlying transport is not reliable (such as UDP). DTLS is based on TLS and is structured in a way that makes it easy to adapt applications that use TLS to also use DTLS.
In VoIP and other media applications, the Real-Time Transport Protocol (RTP) is used to encapsulate voice packets and control their flow, but it does not add security. The Secure Real-Time Transport Protocol (SRTP) is a profile of RTP that provides for message integrity and authentication, data privacy, and replay protection.
Security protocols such as IPSec and SRTP require a mechanism to exchange security keys. IPSec typically uses IKE. The Multimedia Internet KEYing (MIKEY) protocol was developed for use in such real-time applications as VoIP that use SRTP.