WHITE PAPER

1

Why IP Telephony—Now?

In the last five years, advances in networking technologies have enabled convergence oftelephony as an application on IP networks. Enterprises have taken advantage of IPtelephony for a variety of business-critical benefits:

• Cost savings due to toll bypass and bandwidth consolidation

• Simplified voice network engineering

• Reduced legacy PBX equipment requirements

• Consolidation of wiring infrastructures for voice and data via Ethernet

• Consolidation of directory and other infrastructure data for voice and data

• Natural mobility by leveraging inherent IP network capabilities such as DHCP and DNS,IP based wireless enterprise networking and remote access through the Internet

• Appearances on multiple phones to simplify lives of users who work from different loca-tions including office, conference rooms, remote locations, and home

• Client devices such as IP phones that are more user-friendly, feature-rich, and standards-based than their TDM equivalents

• Availability of new applications and services resulting from increased speed-to-marketproduct development

• Integration with applications due to web-friendly interfaces supported by IP telephonyprotocols such as SIP

IP Telephony Security—A Double-edged Sword?

C O N T E N T S

Why IP Telephony—Now?...............................1

A Double-edged Sword? ................................2

Vulnerabilities in IP Telephony .........................2

Distributed Denial of Service ...........................3

Eavesdropping ................................................4

Toll Fraud........................................................5

Spam..............................................................6

Virus...............................................................6

Summary ........................................................7

• Smart network, dumb devices• Locally-delivered features• Scale via hardware investment• Some of the bandwidth, all of the time• Location-specific addressing• Rigid 10-digit numbering plan• Voice only• Conferencing - hardware dependent

“508-323-1187”

“972-396-0049”“Peter@3com.com”

“Peter@3com.com”

• Smart devices, dumb network• Globally-delivered features• Scale independent of hardware• All of the bandwidth, some of the time• Location-independent addressing• Flexible, mnemonic numbering plan• Voice, video, real-time collaboration• Conferencing via software

PSTN IP

3Com NBX V30003Com NBX V30003Com NBX V3000

Premium-priced T1 service

Local PBX

Services defined on each PBX port

Central convergence applications suite

Global service definitions

Figure 1. Convergence transforms te lephony.

Today, enjoying the benefits of using anycombination of modern computers, software,and networks is not without its challenges.There are several attacks that impact clientserver systems, including IP telephony serv-ices within an IP network. The following listof five threats are particularly significant:

• Distributed Denial of Service (DDoS)• Eavesdropping• Toll fraud• Spam• Virus

Threats and best practice responses can beidentified based on four broad layers of func-tionality within IP telephony architecture—network, session control, applications, andendpoints. (See Figure 2.)

• Endpoints—phones, clients, and gatewaysare vulnerable to distributed denial ofservice attacks as hosts that enableviruses, toll fraud, and eavesdropping.

• Applications—like endpoints, softwareproducts running on computers can bevictims or hosts in distributed denial ofservice and virus attacks or as spam targets.

• Session Control—IP telephony systems havecentralized software services to coordinatenetwork resources for the interaction ofapplications and endpoints.

• Network—wireless access points, switches,and routers are vulnerable to packet floodscaused by viruses and distributed denialof service attacks.

WHITE PAPER: IP TELEPHONY SECURITY—A DOUBLE-EDGED SWORD

2

Most of the benefits of IP telephony are dueto architecture-enabled transformation oftelephony. Such transformation is enabled byimplementing telephony and other conver-gence applications in location independentapplication servers. These servers can bedeployed anywhere on the IP network as longas performance requirements are satisfiedand connectivity exists between the serversand their clients (other applications and end-user devices).

Because IP telephony is implemented usingclient-server architecture based on the well-known, well-publicized, and open InternetProtocol, it is subject to the same securityvulnerabilities of any IP network-basedclient server system. The problem with stan-dards is that they’re open: open to thirdparties, open to university researchers, opento systems manufacturers, and of course,open to unintended consequences—likehacker attacks, viruses and toll fraud.

Despite this exposure to unintended conse-quences suffered by exposed IP telephonysystems, proprietary systems that don’t relyon open standards are considered even lesssecure. Open systems such as IP or SessionInitiation Protocol (SIP) leverage the power

of collective security. Viruses, worms, andsystem vulnerabilities can be minimized oreven avoided by the rapid dissemination ofinformation through industry associationslike the Computer Emergency ReadinessTeam (www.cert.org) at the SoftwareEngineering Institute.

Fortunately, the benefits of standards-basedIP telephony outweigh the cost of unintendedconsequences. To help enterprises blunt thedouble-edged sword of IP telephony imple-mentations, this white paper offers thefollowing information:

• Components of IP telephony systems thatare vulnerable to security threats

• Possible security threats in an IP network

• Impacts of the security threat on IPtelephony systems

• Solutions optimized to cost-effectivelyprotect each of the vulnerable componentsof the IP telephony system

Enterprises can reduce the cost of securityexposures and the uncertainty resulting fromlack of knowledge on the subject. Well-armed,they can protect and defend themselves.

A Double-edged Sword?

Vulnerabilities in IP Telephony

IP Telephony Module

IP PhoneWi-Fi IP Phone GatewayConvergenceCenter Client

IP ConferencingIP Messaging IP Presence

SwitchWireless Access Point Router

IP Contact Center

Endpoints

Applications

Session Control

Network

FIGURE 2 . Security r isks categorizedby four infrastructure layers

3

WHITE PAPER: IP TELEPHONY SECURITY—A DOUBLE-EDGED SWORD

OverviewDistributed Denial of Service (DDoS) attacksare designed to flood a target computer,network, or network link with an over-whelming number of spurious servicerequests or malformed packets, preventingthe reasonable handling of legitimate packetsand service requests. Hundreds or thousandsof computers contribute a tiny portion oftheir processing power to this distributedassault, making detection of the resultingmayhem difficult. In aggregate, they form aconsiderable threat.

These attacks use a network of unsuspectingagents (computers) to deposit simple agentprograms that listen for attack commands on innocuous Internet Relay Chat services,leveraging identified operating systemvulnerabilities. Handlers recruit and controlthese networks of agents. On command fromthe client, they unleash them onto the target.

Common attacks involve:• exploiting mechanisms such as the

Internet Control Message Protocol (ICMP)which is used for router-to-host communi-cations and is intended as a method forproviding feedback to the host aboutcommunications environments

• transmitting a volume of connectionrequests to the target from phony IPaddresses that are never acknowledged in order to overflow the connectionmanagement buffer

• delivering User Datagram Packets (UDP) torandom ports on the agent with forgedsource; the target naively and unnecessarilyprocesses the packets, discovers that thereis no application waiting for the UDP, andthen sends a response packet to the target

• broadcasting forged ICMP echo packets tosubnets with the target forged as thepacket source; the hosts on the subnetsrespond to the target with ICMP echopackets and overwhelm the target host,network, or network link with boguspackets to cause the denial of service

ImpactClients such as PC based soft-clients and IPphones, as well as telephony and convergenceapplications servers using operating systemsor other foundation software platforms withwell known vulnerabilities are affected byDDoS. DDoS attacks cripple client and servercomputing systems by causing them toperform unproductive tasks and denyingthem any resources to perform their intendedfunctions. Left unchecked, such attacks can

render telephony systems inoperable. Inaddition, they can cause enormous amountsof unproductive traffic within the network,denying any bandwidth, routing, or switchingresources for transport of telephony controland media traffic such as voice or video.

SolutionProtocol tuning in endpoints, applications,and session control: Software engineers need to establish bufferlimits on attempts at malformed packetassembly and session initiation requests. A favorite technique of DDoS attacks is toconsume server resources through floodingthe server with service requests or malformedpackets which consumes processor cycles andleaves no capacity for legitimate applications.

Support for IEEE 802.1Q:Modern network switches today supportIEEE 802.1Q virtual LAN (VLAN) services tosegment IP telephony traffic from othernetwork applications and sources. Thisdegree of internal isolation makes it moredifficult for compromised PCs or applica-tions to affect IP telephony VLAN-attachedendpoint devices.

Support for seamless service continuity:To maintain quality telephony service for theenterprise and optimize security precautions,communications networks should includefast failover session control services that willquickly backup modules elsewhere in theenterprise network if needed.

Preventing attack damage:A new product category, the intrusionprevention system, is a powerful combinationof control software and silicon that performsvery fast and very deep packet inspection.Vulnerabilities in protocols such as SIP andH.323, traffic signatures of attacks, and evenpacket anomalies can be detected and haltedin milliseconds before the protected applica-tions and systems are affected. The DigitalVaccine® service closes the gap between vulner-ability reporting and network inoculation.

Operational PracticesBest practices in enterprise security combineproducts and business practices.

For example:• Implementing a policy of not exposing IP

telephony session control servers to theInternet

• Use of telephony protocol cognizant fire-walls (such as SIP-capable firewalls) toisolate an enterprise IP telephony systemfrom the Internet

Distributed Denial of Service

The 3Com® Convergence ApplicationsSuite runs on a specially tuned, reduced3Com Linux operating system where non-essential services are turned off.

The 3Com switch portfolio can automat-ically recognize 3Com IP phones andinsert them into the IP telephony VLAN.

3Com solutions support traffic shapingand packet prioritization for audioquality. The 3Com VCXTM IP TelephonyModule supports 3Com Voice BoundaryRouting, assuring high availability andlow-cost backups and failovers.

• Deployment of VPN routers or proxyservers to traverse firewalls and balancesecurity with user convenience and cost

• Deployment of IP telephony VLANs for IPphones, gateways, applications, and sessioncontrol servers to minimize cross-applicationperformance risks

• Use of an intrusion prevention system tocomplement the LAN switching fabric byresponding to packet anomalies, protectingknown vulnerabilities, and recognizingperformance signatures of attacks

WHITE PAPER: IP TELEPHONY SECURITY—A DOUBLE-EDGED SWORD

4

OverviewEavesdropping is not a new or specialattribute of IP telephony. Years ago, it wascommon for users to share a party line andlisten, often inadvertently, to their neigh-bors’ conversations. As recently as 1995,analog radio scanners enabled listening topolice and emergency networks to hearabout the burglary down the street or car-chase at the south end of town. Analog cellphones were so open that anyone could eaves-drop on cellular conversations, includingsignificant political or business discussions.

At first glance, aspects of IP implementa-tions would appear to make eavesdroppingparticularly easy. In IP telephony networks,packets are routinely duplicated for auditpurposes or packet assembly function. Thus,audio signals that are transported as packetscan be stored for later retrieval and recombi-nation into cohesive speech. Associating suchspeech packets with a conversation, however,requires retrieval of telephony call or sessiondetails which occurred asynchronously andperhaps through a different network pathcompared to the speech packets, and corre-lating them with the reassembled speechpackets. Therefore, while it is technicallyfeasible in IP telephony networks to eaves-drop, in practice it is quite hard.

ImpactThe endpoints and the session control layersare most likely the targets of eavesdroppingattacks—one of the endpoints, the gateway,the IP phone, or the PC client is probablythe only component directly in the path ofthe audio stream. The network layer trans-ports all the packets of the corporation, sofinding specific IP telephony packets ofinterest may be difficult.

The session control layer is a point of attacksince it knows which endpoints are commu-nicating with each other at any moment intime. It could provide the interloper withenough information to induce the networkto yield those specific packets or authorizeduplicate packet streams to a third IP endpoint.

SolutionEncryption is commonly thought to be themost effective tool against eavesdropping, but it is not without a significant cost inprocessor time, inconvenience, and interoper-ability. Some of these issues can be alleviatedwith standards-based encryption systems.

In IP telephony, the packet stream is mostoften delivered as Real-Time Protocol (RTP).Secure RTP (SRTP)—a current InternetEngineering Task Force (IETF) draft—provides a security profile for RTP specificallyaddressing IP telephony applications that addsconfidentiality, message authentication, andpacket replay protection to the packet,

SRTP is intended to secure only RTP and theReal-Time Control Protocol (RTCP) streams,not to provide a full network security archi-tecture. SRTP uses the RTP/RTCP headerinformation, along with the AdvancedEncryption Standard (AES) algorithm, toderive a keystream algebraically applied tothe RTP/RTCP payload. SRTP calls for theHash-based Message Authentication Code(HMAC) - SHA1 algorithm to be used forpacket authentication.

There are additional component interactionsthat can strengthen privacy protection. Thesession establishment dialog, commonlyusing Session Initiation Protocol (SIP), is alsostandardized within a privacy implementationas SIPS and defined in IETF RFC 3261. WithinSIPS, call control messages are transmittedwithin a Transport Layer Security (TLS)encrypted session, at least through the hostileIP environments where prudent policy mightindicate the advantage of strong privacyprotection in session initiation dialogs.

Easier and less costly protection can beachieved with a modern Ethernet switchfeature called automatic virtual LANsegmentation (implemented as IEEE 802.1Q).This technique logically restricts access andpacket flow to well-defined and well-under-stood endpoints. Devices on the IP telephonyVLAN are segmented separately from deviceson another VLAN and their two traffic flows

Eavesdropping

5

WHITE PAPER: IP TELEPHONY SECURITY—A DOUBLE-EDGED SWORD

3Com wireless switching solutionsenable cross-domain mobility for IPtelephony over Wi-Fi environments.

do not mix. Performance impacts and issuesin one VLAN do not impact the other VLAN.Endpoints receive only those packets towhich they are entitled.

The latest generation of wireless LAN envi-ronments assure over-the-air privacy usingIEEE 802.11i. The standard enables strongprivacy, message integrity, and authenticationservice. Furthermore, rapid setup of virtualLAN tunnels to maintain addressing and RTPflow integrity let wireless switches deliver callhand-offs from access point to access pointor from subnet to subnet. This functionalityenables IP telephony deployments over awireless LAN campus to deliver performancethat is consistent with user expectations setby public cellular network service.

In addition, wireless switch managementcapabilities help detect, neutralize, andmanage rogue or interfering access pointsthat users may encounter.

Operational PracticesUsing network features like VLAN segmen-tation to protect against infiltration of thelogical segment makes the eavesdropper’stask more difficult.

Implementing 802.11i authentication serv-ices and wireless switching within Wi-Fienvironments are essential to successful IPtelephony mobility within the enterprise.

Generally, encryption is required only wherethe risk of eavesdropping exceeds the cost ofproviding privacy service. A useful guide-line is the availability of encrypted e-mailwithin the enterprise. Contents of e-mailsare often far more critical and private thancontent shared in a phone conversation.Therefore, one can expect an enterprise toencrypt e-mail before being concerned aboutlack of encryption in IP telephony.

OverviewToll fraud is long distance service theft witha long history of practice and profitability.Although the attractiveness of stealing longdistance (LD) minutes has been diminishedby falling LD rates in Canada, the UnitedStates, and most European countries, inter-national dialing is a choice target even today.

Fraud happens as a result of:

a. “social engineering”—employees or autoattendants unwittingly transfer callers tooutside lines or to premium 900-styleinformation services

b. voice mailbox theft—the message “hello”pause “yes” pause “I accept the charge”is recorded on the mail box, allowingthird-party pay calls to be sent to themail box to get permission

c. calling-card number theft—video captureof dialers or line bridging of public payphones to obtain dialed digits for unau-thorized use and resale

d. reconfiguration of PBXs—hacking throughthe maintenance modem, resulting in theability to configure unauthorized extensionsto forward to trunks for long distance theft

ImpactEndpoints and applications are most oftentargets of toll fraud because they enablefeatures for call forwarding and social engi-neering. Applications, and in particular voicemail, are also targets for toll fraud perpetrators.

SolutionFeatures for avoiding toll fraud are readilyavailable in typical IP-PBX and PBX products.

Operational PracticesA critical best practice that can be imple-mented to avoid toll fraud is trainingreceptionists and call center employees insocial engineering avoidance. Trainingshould include information about the cost oftoll fraud, the techniques used to perpetratethe fraud, steps to avoid the fraud, andprocesses for reporting incidences shouldthey occur.

Another practice is to shutdown all unas-signed voicemail boxes and take steps toeducate users in password selection—avoidsimple, easily stolen passwords such as thedefault password or 1-1-1-1. Periodic passwordrotation procedures and aging mechanismsdo increase the number of calls into IT helpdesks, but also increase security.

Most IP PBXs do not have maintenance portsfor remote modem dialup. IP-PBX supportprofessionals often choose to use theirbrowsers with VPN enterprise networkaccess for remote support service or foraccess to the management system dialog.Therefore, methods for accessing the PBXmaintenance ports deserve examination.

Toll Fraud

WHITE PAPER: IP TELEPHONY SECURITY—A DOUBLE-EDGED SWORD

6

OverviewSpam—unsolicited e-mail—was recentlyregulated in the United States by theCANSPAM Act of 2003. Most spam iscommericial advertising, often for dubiousproducts. However, as every user can attest,spam is a problem of epidemic proportionson the Internet. Because e-mail accounts canreceive ten times more spam than legitimatee-mail, major Internet Service Providers suchas AOL, MSN, Earthlink, and Yahoo! haveimplemented strategies and technologies toreduce the volume of junk mail arriving intheir users’ inboxes. Market estimates indi-cate that between 38% and 80% of alle-mail in North America, more than 11billion pieces of e-mail, is spam.

Users are spending significant time, money,and IT resources dealing with spam-relatedissues. Spam comsumes bandwidth andstorage space. It also acts as a launching padfor virus attacks on enterprise networks.And, though instances have not yet beenreported, an IP telephony version of spamcalled spit can deliver unsolicited advertisingas voice mail or interrupt conversations withinjections of nuisance or nonsense words.

ImpactSpam most directly affects the applicationslayer. Some applications such as voice mailas e-mail or read-me services integrate withe-mail services, making them particularlyvulnerable to spam.

Solution The Simple Mail Transport Protocol (SMTP)feature should be disabled when read-me e-mail service is not required or enabled asan appropriate feature. All other applicationsshould send, but not receive e-mail. And toreduce the incidence and productivityimpacts of spam, enterprise e-mail serverscan include anti-spam enhancements ormodules such as spam-assassin or the 3Com®

Email Firewall appliance.

Operational PracticesE-mail management practices can minimizespam production, distribution, and its effecton IP telephony systems and user services.Effective best practices ensure that authenti-cation services require server accounts andpasswords for sending messages from theSMTP server and receiving them from thePOP3 or IMAP4 servers.

Analytical services can remove messageswritten in common spam techniques—such as using all capital letters, includingforbidden terms—and delete known harmfulattachments or extensions. Spam can also becombated by the use of black lists that denymail from domains of known spammers.

OverviewViruses are resource-consuming softwareprograms that deliver no real value to thecomputer owner. Some are harmless ornuisances, while others can harm networks,applications, operating systems, and data.Examples include:

• lengthy e-mails warning of viruses andrecommending precautions that don’t workor will cause PC problems, minor or serious

• programs that send themselves to alladdressees in an e-mail address book

• spyware that transmits every keystroke orparticipate as agents in Distributed Denialof Service attacks

ImpactViruses plague all layers. They clog thenetwork with unnecessary and uselesspackets and messages, and they exploitweaknesses in the operating systems of

session control applications that lead tonetwork instability. Viruses also act aslaunching pads for DDoS attacks.

SolutionThe most obvious solution for avoidingviruses and their potentially devastatingimpact is to avoid IP telephony productsbased on operating systems with wellknown vulnerabilities.

Microsoft Windows operating systems mayhave the most publicized vulnerabilities dueto their popularity, large community of inde-pendent software developers (ISV), andcomprehensive Microsoft documentation.Even in cases where a well-known vulnera-bility has been effectively solved by Microsoft,many Windows installations continue to bevulnerable due to the complexity of Windowsinstallation. Windows places special burdenson installation. IT staff must ensure that the

Spam

Virus

7

WHITE PAPER: IP TELEPHONY SECURITY—A DOUBLE-EDGED SWORD

dozens of available security patches areinstalled correctly and up-to-date. Therefore,Windows platforms are often the favoritetarget of the nefarious virus developmentcommunity.

Windows platforms may be unavoidable in theenterprise desktop environment, but shouldbe critically evaluated for use in the serverfarm and for mission-sensitive applications.

Depending on the market segment served,operating systems may be tightly coupled tothe IP telephony system hardware; such isthe case with the 3Com NBX® IP TelephonyModule for small businesses and mediumenterprises. Using the VxWorks real-timeoperating system derived from a UNIX distri-bution, NBX systems have been successfullydeployed in over 19,000 environments withouta single case of virus attack. A tight couplingof the platform and the application can alsoassure a high degree of security with theadded benefit of simplifying and acceleratinginstallation and maintenance.

In the larger enterprise market, the 3ComVCXTM IP Telephony Module featuressubstantial security enhancements to theLinux operating system such as built-in firewall packet filtering and severe restric-tions on available or used platform ports.The VCX solution gives customers the use ofindustry-standard processors and industrial-grade high-performance applications. And3Com Voice Boundary Routing1 can helpassure seamless backup and failover of VCX

IP telephony modules so that phone usersare protected from service disruption.

Preventing attack damage:As already described, the intrusion preventionsystem can prevent virus attacks that exploitvulnerabilities in protocols such as SIP andH.323, traffic signatures of attacks, and evenpacket anomalies. The IPS proactively detectsattacks and prevents them at the networklevel in milliseconds before the protectedapplications and systems are affected. TheDigital Vaccine service closes the gap betweenvulnerability reporting and network inocula-tion. This automatic inoculation methodologyreduces reliance on the manual applicationof complex patches and virus definitions toserver and client systems, mandated by soft-ware platform and operating systems vendors.

Operational PracticesDespite their prolific attributes, viruses inenterprise networks can be controlled throughvigorous hygiene procedures that remove orquarantine known infectious objects onincoming e-mail.

Commercial anti-virus programs from compa-nies like Symantec or McAfee can be deployedon user desktops. These applications providecontrol of common viruses through active,background tasks such as file and processinspection. Most often these products providesubscription services available as individualor enterprise-wide licenses. The productsperiodically can check for updates that areautomatically downloaded and deployed onthe computer.

As one of many applications that rely on IP networks, IP telephony implementations arevulnerable to several well-known security threats. The following table indicates five threatsthat may affect IP telephony system components.

To protect the integrity of its brand, infrastructure, business processes, operations, and IPtelephony infrastructure—and the trust of employees, partners, and customers—organizationsmust be responsive to changing threats. They must track adoption of periodic security audits,participate in industry collaborative efforts such as the federally-funded Carnegie-MellonUniversity Software Engineering Institute’s CERT (www.cert.org), and implement securityawareness initiatives within their user community. IT professionals should also become familiarwith collaborative projects such as the non-profit VoIP Security Alliance (www.voipsa.org)which is dedicated to sharing research, knowledge, tools, and best practices.

Summary

1 See the 3Com white paper Voice Boundary Routing: The Case for IP Telephony in Branch Networks, 2004 at http://www.3com.com/voip/whitepapers.html

The 3Com TippingPoint IntrusionPrevention System (IPS) delivers wire-speed deep packet inspection alongwith a Digital Vaccine service that canquickly adapt to new virus threats.

The 3Com Email Firewall strips awayunproductive spam and viruses beforethey contaminate corporate e-mailservers.

DDoS EAVESDROPPING TOLL FRAUD SPAM VIRUS

Endpoints (clients)

Applications (servers)

Session Control (servers)

Network (infrastructure)

✓✓

✓ ✓✓✓ ✓✓✓

✓✓

✓

✓✓✓

WHITE PAPER: IP TELEPHONY SECURITY—A DOUBLE-EDGED SWORD

3Com has been a major contributor to the convergence industry since 1998 when the 3Com NBXsolution liberated users of business telephone systems from the tyranny of complexity. In 1999, thecompany developed an architecture for a distributed softswitch for AT&T and brought the firstcommercially-deployed carrier softswitch to market. The 3Com VCX platform (2003) and the3Com Convergence Applications Suite (2004) indicate the company’s continuing focus on trans-forming business through innovation.

As a founding member of the VoIP Security Alliance and with over 16,000 patents (plus morethan 500 pending), operations in over 45 countries around the globe, a market-leading portfolio,and over 19,000 systems deployed worldwide, 3Com is changing the way business speaks.

3Com Corporation, Corporate Headquarters, 350 Campus Drive, Marlborough, MA 01752-3064

To learn more about 3Com solutions, visit www.3com.com. 3Com is publicly traded on NASDAQ under the symbol COMS.

Copyright © 2005 3Com Corporation. All rights reserved. 3Com, the 3Com logo, Digital Vaccine, and NBX are registered trademarksof 3Com Corporation. Exercise Choice and VCX are trademarks of 3Com Corporation. All other company and product names may betrademarks of their respective companies. While every effort is made to ensure the information given is accurate, 3Com does notaccept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subjectto change without notice. 503152-001 04/05