VoIP Protocols
Two major VoIP and multimedia suites dominate today: SIP and H.323. Others (like
H.248) exist, and we will discuss some of them in this book, but these are the two
major players. For simplicity, I will define SIP and H.323 as signaling protocols.
However, whereas H.323 explicitly defines lower level signaling protocols, SIP is
really more of an application-layer control framework. The SIP request line and
header fields define the character of the call in terms of services, addresses, and protocol
features.
Voice media transport is almost always handled by RTP and RTCP, although
SCTP (Stream Control Transmission Protocol) has also been proposed and ratified by
the IETF (and is used for the IP version of SS7, known as SIGTRAN). The transport
of voice over IP also requires a large number of supporting protocols that are used to
ensure quality of service, provide name resolution, allow firmware and software
upgrades, synchronize network clocks, efficiently route calls, monitor performance, and
allow firewall traversal. We talk about these and others in more detail in Chapter 8.
SIP is a signaling protocol for Internet conferencing, telephony, presence, events
notification, and instant messaging. SIP is an IETF-ratified response-request protocol
whose message flow closely resembles that of HTTP. SIP is a framework in that its
sole purpose is to establish sessions. It doesn’t focus on other call details. SIP messages
are ASCII encoded. A number of open source SIP stacks exist.
H.323, on the other hand, is an ITU protocol suite similar in philosophy to SS7.
The H.323 standard provides a foundation for audio, video, and data communications
across IP-based networks, including the Internet. The H.323 protocols are
encoded using ASN.1 PER. PER (Packed Encoding Rules)—a subset of BER—is a
compact binary encoding that is used on limited-bandwidth networks. Also, unlike
SIP, H.323 explicitly defines almost every aspect of call flow. The only open source
H.323 stack I am aware of is the OpenH323 suite.
Both protocol suites rely upon supplementary protocols in order to provide
ancillary services. Both protocols utilize TCP and UDP, and both open a minimum
of five ports per VoIP session (call signaling, two RTP, and two RTCP). Both protocols
offer comparable features, but they are not directly interoperable. Carriers tend
to prefer H.323 because the methods defined by H.323 make translation from ISDN
or SS7 signaling to VoIP more straightforward than for SIP. SIP, on the other hand, is
text-based, works better with IM, and typically is implemented on less expensive
hardware. H.323 has been the market leader, but SIP is rapidly displacing H.323.
In Table 1.2, many of the more recent protocols that you will find in a VoIP environment
are listed. We will talk about these and others in more detail in Chapters 8
and 13.
Table 1.2 VoIP-Related Protocols
Acronym   Support VoIP Protocol
RTSP      Real Time Streaming Protocol for media play-out control
RSVP      Resource Reservation Protocol
STUN      Simple Traversal of UDP through NAT
TURN      Traversal Using Relay NAT
ICE       Interactive Connectivity Establishment
SDP       Session Discovery Protocol
TLS       Transport Layer Security
VoIP Isn’t Just Another Data Protocol
IP Telephony utilizes the Internet architecture, similar to any other data application.
However—particularly from a security administrator’s point-of-view—VoIP is different.
There are three significant reasons for this:
■ Voice conversations can be initiated from outside the firewall. Most client-driven
protocols initiate requests from inside the firewall. Figure 1.1 shows
the basic message flow of a typical Web browsing, e-mail, or SSH session.
■ The real-time nature of VoIP—get there a second too late, and the packet
is worthless.
■ Separation of data and signaling. Sessions, particularly unknown inbound
sessions, that define addressing information for the data (media) channel in
a discrete signaling channel do not interact well with NAT and encryption.
In Figure 1.1, a request is initiated by a client on the internal side of the firewall
to a server daemon residing on a host external to the firewall. Firewalls that are
capable of stateful inspection will monitor the connection and open inbound ports if
that port is associated with an established session. Application Layer Gateways (ALGs)
will behave in a similar manner, proxying outbound and inbound connections for
the requesting internal host. For the firewall administrator and the user, the session
completes normally, and is as secure as the firewall’s permissions allow.
In Figure 1.2, the request-response topology is different from the message flow
shown in Figure 1.1. In this figure, an external host (IP Phone, PC softphone, etc.)
attempts to place a call to an internal host. Since no session is established, stateful
inspection or ALG firewalls will not allow this connection to complete. We talk
about this in much more detail in Chapter 13.
Figure 1.2 Inbound VoIP Message Flow (figure: REQUEST from the EXTERNAL host to the INTERNAL host, RESPONSE returned from INTERNAL to EXTERNAL)
There are other differences. VoIP’s sensitivity to adverse network conditions is
different enough quantitatively from that of most types of data traffic that the difference
is qualitative. Real-time applications, including VoIP, place requirements on the
network infrastructure that go far beyond the needs of simple best-effort IP transport.
Each VoIP packet represents about 20 ms of voice on average. A single lost
packet may not be noticeable, but the loss of multiple packets is interpreted by the
user as bad voice quality. The simple math indicates that even a short IP telephone
call represents the transport of large numbers of packets. Network latency, jitter
(interpacket latency variation), and packet loss critically affect the perceived quality
of voice communications. If VoIP is going to work, then the network has to perform
well—period.
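To put numbers on the preceding paragraph, here is an added Python example (constructed for this page, not the book's code) that counts the packets a call generates at 20 ms packetization, then runs a short constructed RTP arrival log through the loss count and the interarrival jitter estimator that RTCP receiver reports use (RFC 3550 section 6.4.1), with 16-bit sequence-number wraparound handled. The stream data, the clock rate and the function names are assumptions made for the illustration.

```python
# Constructed RTP arrival log (not from the book): one G.711 stream at 20 ms
# packetization, so the 8000 Hz RTP clock advances 160 per packet and 8 per ms.
# Fields: (sequence number, RTP timestamp, arrival time in ms).
CLOCK_TICKS_PER_MS = 8
SAMPLE_STREAM = [
    (1000, 0, 0),
    (1001, 160, 20),
    (1002, 320, 45),    # arrived 5 ms late
    (1004, 640, 80),    # seq 1003 never arrived
    (1005, 800, 100),
    (1006, 960, 118),   # arrived 2 ms early
]


def packets_per_call(duration_s, ptime_ms=20, directions=2):
    """Packets a call generates at a given packetization interval (both directions by default)."""
    return duration_s * 1000 // ptime_ms * directions


def extended_sequence(packets):
    """Undo 16-bit sequence-number wraparound so gaps can be counted across the wrap."""
    ext, cycles, prev = [], 0, None
    for seq, _, _ in packets:
        if prev is not None and seq < prev - 32768:
            cycles += 65536
        ext.append(cycles + seq)
        prev = seq
    return ext


def packet_loss(packets):
    """(expected, lost) from sequence numbers, as an RTCP receiver report counts them."""
    ext = extended_sequence(packets)
    expected = max(ext) - ext[0] + 1
    return expected, expected - len(set(ext))


def interarrival_jitter(packets):
    """RFC 3550 section 6.4.1 jitter estimator, in RTP clock ticks.

    D(i,j) = (R_j - R_i) - (S_j - S_i) with arrival R and RTP timestamp S in the
    same units; J is smoothed with gain 1/16 exactly as the RFC specifies.
    """
    j = 0.0
    for (_, s_prev, r_prev), (_, s_cur, r_cur) in zip(packets, packets[1:]):
        transit_delta = (r_cur - r_prev) * CLOCK_TICKS_PER_MS - (s_cur - s_prev)
        j += (abs(transit_delta) - j) / 16
    return j


def stream_report(packets):
    """Summarize a stream the way a monitoring probe would: loss and jitter."""
    expected, lost = packet_loss(packets)
    j = interarrival_jitter(packets)
    return {"expected": expected, "lost": lost,
            "loss_fraction": lost / expected,
            "jitter_ms": j / CLOCK_TICKS_PER_MS}


if __name__ == "__main__":
    print("3-minute call, both directions:", packets_per_call(180), "packets")
    print(stream_report(SAMPLE_STREAM))
```

The jitter value is an exponentially smoothed estimate, so a single late packet raises it only gradually; a probe watching these two figures per stream over time is how the "bad voice quality" the text describes becomes measurable before users report it.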
Network engineers are accustomed to data network outages. Users, for the most
part, don’t suffer outages well, but they tolerate them. Users will not be as forgiving
with their phone service. Even though cellular telephones seem to have the extraordinary
characteristic of dropping connections at the least appropriate or convenient
time, enterprise IP telephony users expect their phones to work all the time.
Availability is a key VoIP performance metric.
A New Security Model
Access to network services is now more important than ever. The growing availability
and maturity of Web services combined with advanced directory integration
makes it easier to integrate information systems between business partners.
Companies are moving their applications out from behind the firewall and onto the
edges of their networks, where they can participate in dynamic, Internet-based transactions
with customers and business partners.The network perimeter is becoming
impossible to define as intranets, extranets, business partner connections, VPNs
(Virtual Private Networks), and other RAS (Remote Access Services) services blur
the definition of a trusted internal user; and critical corporate data may be located
on handhelds, laptops, phones—anywhere.
VoIP distributes applications and services throughout the network. In a VoIP
environment, IP phones (obviously) are distributed throughout the infrastructure as
well. These devices incorporate microcontrollers and digital signal processors in order
to perform voice compression and decompression, line and acoustic echo cancellation,
DTMF (Dual Tone, Multi-Frequency—Tone Dial) detection, and network
management and signaling. IP phones are smart, and depending upon the vendor, IP
phones act as clients for a number of network protocols. This means that the number
of network ingress/egress points will increase, and that processor cycles and
memory—intelligence—are shifted to the logical edge of the network. This is a
reversal of the traditional security model, where critical data is centralized, bounded,
and protected.
This means that from a strategic viewpoint, converged networks, regardless of
whether they are based upon H.323, SIP, or some other protocol, require a new way
of thinking about information security (see Figure 1.3).
Figure 1.3 The New Security Paradigm
“Trust no one” is an obvious bit of overstatement since every functioning system
has to trust someone at some point or it won’t work at all. A more concise (but not
as catchy) axiom might be: “Don’t assume you can trust anyone.” The point here is
this: any system administrator, user, or device must be authenticated and authorized,
regardless of its location, before it is able to access any network resources.
Period.
Monday, March 10, 2008
Introduction to VoIP security