In this book we can barely scratch the surface of the complex matter of VoIP security; therefore before we dig in, we want to steer you in the direction of the VoIP Security Alliance (http://www.voipsa.org). This fantastic resource contains an excellent mailing list, white papers, howtos, and a general compendium of all matters relating to VoIP security. Just as email has been abused by the selfish and criminal, so too will voice. The fine folks at VoIPSA are doing what they can to ensure that we address these challenges now, before they become an epidemic. In the realm of books on the subject, we recommend the most excellent Hacking Exposed VoIP by David Endler and Mark Collier (McGraw-Hill Osborne Media). If you are responsible for deploying any VoIP system, you need to be aware of this stuff.
We don’t want to think about this, but we know it’s coming. The simple fact is that there are people in this world who lack certain social skills, and, coupled with a kind of mindless greed, these folks think nothing of flooding the Internet with massive volumes of email. These same types of characters will similarly think little of doing the same with voice. We already know what it’s like to get flooded with telemarketing calls; try to imagine what happens when it costs the telemarketer almost nothing to send voice spam. Regulation has not stopped email spam, and it will probably not stop voice spam, so it will be up to us to prevent it.
If you can sniff the packets coming out of an Asterisk system, you can extract the audio from the RTP streams. This data can be fed offline to a speech processing system, which can listen for keywords such as “credit card number” or “PIN”, and present that data to someone who has an interest in it. The stream can also be evaluated to see if there are DTMF tones embedded in it, which is dangerous because many services ask for password and credit card information input via the dialpad. In business, strategic information could also be gleaned from being able to capture and evaluate audio.
Using Secure RTP can combat this problem by encrypting the RTP streams; however, Asterisk does not support SRTP as of this writing. Work is under way to provide SRTP support (a patch exists in the trunk release, but it is not known as of this writing whether this will be back-ported to 1.4).
In the traditional telephone network, it is very difficult to successfully adopt someone else’s identity. Your activities can (and will) be traced back to you, and the authorities will quickly put an end to the fun. In the world of IP, it is much easier to remain anonymous. As such, it is no stretch to imagine that hordes of enterprising criminals will only be too happy to make calls to your credit card company or bank, pretending to be you. If a trusted mechanism is not discovered to combat spoofing, we will quickly learn that we cannot trust VoIP calls.
The first thing to keep in mind when considering security on a VoIP system is that VoIP is based on network protocols, and needs to be evaluated from that perspective. This is not to say that traditional telecom security should be ignored, but we need to pay attention to the underlying network.
One of the most effective things that can be done is to secure access to the voice network. Firewalls and VLANs are examples of how this can be achieved. By default, the voice network should be accessible only to those things that have a need. For example, if you do not have any softphones in use, do not allow client PCs access to the voice network.
Unless there is a need to have voice and data on the same network, there may be some value in keeping them separate (this can have other benefits as well, such as simplifying QoS configurations). It is not unheard of to build the internal voice network on a totally separate LAN, using existing CAT3 cabling and terminating on inexpensive network switches. It can be less expensive too.
Placing your VoIP system in a DMZ can provide an additional layer of protection for your LAN, while still allowing connectivity for relevant applications. Should your VoIP system be compromised, it will be much more difficult to use it to launch an attack on the rest of your network, since it is not trusted. Regardless of whether you deploy within a DMZ, any abnormal traffic coming out of the system should be suspect.
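The access rule described above (only devices with a need may reach the voice system, and unexpected traffic leaving it is suspect) can be written as an allowlist and checked against flow records. The following Python is an added example, not from the book; the addresses, the network layout, and the names `verdict` and `audit` are assumptions, while UDP 5060 for SIP and 10000-20000 for RTP are Asterisk's defaults.

```python
import ipaddress

# Constructed addressing plan: every address here is an assumption.
PBX = ipaddress.ip_address("192.0.2.10")             # Asterisk host in the DMZ
VOICE_VLAN = ipaddress.ip_network("10.20.0.0/24")    # desk phones
SIP_TRUNK = ipaddress.ip_network("198.51.100.0/28")  # upstream VoIP provider
INFRA = ipaddress.ip_network("192.0.2.53/32")        # DNS and NTP server
SIP = range(5060, 5061)      # SIP signalling over UDP
RTP = range(10000, 20001)    # Asterisk's default rtp.conf port range
HIGH = range(1024, 65536)    # peers choose their own SIP/RTP ports

# (direction, peer network, protocol, allowed destination port ranges)
POLICY = [
    ("in", VOICE_VLAN, "udp", [SIP, RTP]),
    ("in", SIP_TRUNK, "udp", [SIP, RTP]),
    ("out", VOICE_VLAN, "udp", [HIGH]),
    ("out", SIP_TRUNK, "udp", [HIGH]),
    ("out", INFRA, "udp", [range(53, 54), range(123, 124)]),
]

def verdict(src, dst, proto, dport):
    """Return 'allow', or why a flow touching the PBX needs attention."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if PBX not in (src, dst):
        return "ignore: flow does not involve the PBX"
    direction, peer = ("out", dst) if src == PBX else ("in", src)
    for rule_dir, net, rule_proto, ports in POLICY:
        if ((rule_dir, rule_proto) == (direction, proto) and peer in net
                and any(dport in r for r in ports)):
            return "allow"
    return ("suspect: unexpected traffic leaving the PBX" if direction == "out"
            else "deny: peer has no need to reach the voice system")

def audit(flows):  # flows that POLICY does not allow, each with its reason
    results = ((f, verdict(*f)) for f in flows)
    return [(f, v) for f, v in results if v != "allow"]

# Constructed flow records: (src, dst, proto, dport).
FLOWS = [
    ("10.20.0.41", "192.0.2.10", "udp", 5060),    # phone registering
    ("192.0.2.10", "198.51.100.3", "udp", 5060),  # call leaving via the trunk
    ("192.0.2.10", "10.20.0.41", "udp", 16384),   # RTP back to the phone
    ("10.30.0.7", "192.0.2.10", "udp", 5060),     # client PC, no softphone
    ("192.0.2.10", "10.30.0.7", "tcp", 445),      # PBX reaching the data LAN
]

if __name__ == "__main__":
    for flow, why in audit(FLOWS):
        print(flow, "->", why)
```

The same table can drive the firewall rules themselves, so that the enforcement policy and the monitoring policy do not drift apart.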
Hardening your Asterisk server is critical. Not only are there performance benefits to doing this (running nonessential processes can eat up valuable CPU and RAM), but eliminating anything not required also reduces the chance that an exploited vulnerability in the operating system can be used to gain access and launch an attack on other parts of your network.
Running Asterisk as non-root is an essential part of system hardening. See Chapter 11, The Asterisk GUI Framework for more information.
Even though Asterisk does not yet fully support SRTP, it is still possible to encrypt VoIP traffic. For example, between sites a VPN could be employed. Consideration should be given to the performance cost of this, but in general this can be a very effective way to secure VoIP traffic and it is relatively simple to implement.
Physical security should not be ignored. All terminating equipment (such as switches, routers, and the PBX itself) should be secured in an environment that can only be accessed by authorized persons. At the user end (such as under desks), it can be more difficult to deliver physical security, but if the network responds only to devices that it is familiar with (such as restricting DHCP to devices whose MAC is known), unauthorized intrusion can be mitigated somewhat.