NET.4.2

NET.4.2 VoIP

Description

Introduction

Voice over IP (VoIP) refers to telephony over data networks, in particular over the Internet. Special signaling protocols are used to transmit signaling information—for example during a call. The actual user data such as voice or video is transmitted using a media transport protocol. Both protocols are required in each case to establish and maintain a multimedia connection. With some methods, only one protocol is required for both signaling and media transport.

Objective

This building block examines the security aspects of the end devices and switching units (middleware) of VoIP. The components described here are similar in their functionality to the telecommunications systems described in building block NET.4.1 PBX Systems.

Scope and Modeling

The building block NET.4.2 VoIP is to be applied to all communication networks in which VoIP is used. Since VoIP is operated over data networks, the requirements of building blocks NET.1.1 Network Architecture and Design or NET.3.2 Firewall SHOULD be appropriately taken into account in addition to this building block.

This building block examines the security aspects of VoIP components and voice transmission over VoIP. If circuit-switched PBX systems exchange information with each other over a data network, this building block is also to be applied.

The specific threats and requirements of classic PBX systems and hybrid systems are examined in building block NET.4.1 PBX Systems.

VoIP software is often not operated on hardware specifically intended for it, but on standard IT. If softphones are installed on clients, the requirements of building block SYS.2.1 General Client and the operating system-specific building blocks SHOULD be taken into account. If VoIP software is operated on servers, the requirements of building block SYS.1.1 General Server SHOULD be fulfilled in addition to the requirements of the operating system-specific building blocks.

VoIP SHOULD generally be taken into account within the building blocks ORP.4 Identity and Access Management, OPS.1.1.3 Patch and Change Management, OPS.1.1.5 Logging, and OPS.1.1.2 Proper IT Administration.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block NET.4.2 VoIP.

Incorrect Configuration of VoIP Middleware

A VoIP-based telephone system can be affected by misconfigurations in a similar way to a circuit-switched telephone solution. For example, telephone users could be assigned incorrect telephone numbers or the entire telephone infrastructure could fail. Even comparatively non-critical errors, such as a misspelled name in the telephone directory, cannot be ruled out.

When communicating via VoIP, multiple IT systems are typically involved. If SIP is used as the initialization protocol, systems such as registrars, SIP proxy servers, and location servers are usually required for communication. If the VoIP infrastructure changes, all IT systems must be adapted. Configuration errors can easily arise in this process. Even if all services are on one server, they often must be configured individually. If only one system is changed incorrectly, the entire telephone infrastructure may no longer be usable.

Incorrect Configuration of VoIP Components

Regardless of whether VoIP components are dedicated hardware (“appliances”) or software-based systems, the configuration is decisive for the error-free functioning of the system. In addition to the signaling settings defined during planning, the transmission method for media streams plays an important role. A compression method can be used to reduce the size of data packets containing voice information.

Incorrect configuration of the transmission method can cause problems with transmission. If an inappropriate method is used and voice information is excessively compressed, voice quality often deteriorates. If, on the other hand, a method is chosen that performs too little compression, the message stream is not sufficiently reduced and the data network can become overloaded.

Interception of Telephone Calls

If telephone calls or data are transmitted unencrypted, attackers can in principle listen in on or read information. For example, they could tap the telephone cables directly or eavesdrop on a PBX system acting as an intermediary between the call participants. With VoIP, telephone calls and data transmissions can be intercepted even more easily than with classic PBX systems. All voice information is transmitted within a media stream, for example using the Real-Time Transport Protocol (RTP). Through techniques such as spoofing and sniffing, all the attack methods known from data networks are available to attackers against VoIP.

With many PBX systems, callers can leave messages for recipients who are not reachable by telephone at the time of the call. Some answering machines—especially those of VoIP systems—send this information as an audio file in an email. The content of this email could be directly intercepted and listened to by an attacker.

Misuse of Freely Accessible Telephone Connections

Telephones are often operated that are not personally assigned to any user. Some of these telephones—such as those in printer rooms—are only accessible to a limited number of persons. On the other hand, telephones are often found in areas freely accessible to visitors. These include, for example, parking garages or areas in front of access control systems. If these telephones have an electronic telephone directory in which internal telephone numbers are stored, these numbers could inadvertently become publicly known.

When using VoIP telephones in freely accessible areas, additional aspects may be relevant, because these telephones have a high software component and are often operated in data networks that are also used for other IT applications. Attackers could therefore attempt to exploit vulnerabilities in the VoIP software or even install malware themselves through direct access to device information.

VoIP telephones must be connected to a data network. Attackers could connect a mobile IT system to this network connection and thereby potentially access the internal network protected from the outside by a firewall. They may be able to use this access for attacks on confidentiality, integrity, and availability.

Requirements

The following are the specific requirements of building block NET.4.2 VoIP. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They SHOULD be filled insofar as this is sensible and appropriate.

Responsibilities: Roles
Primarily responsible: IT Operations
Additional responsibilities: Users

Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

NET.4.2.A1 Planning of VoIP Deployment (B)

The conditions under which VoIP is to be used MUST be defined. Among other things, a decision MUST be made as to whether there is to be a complete or partial transition to VoIP. Special requirements regarding the availability of VoIP or the confidentiality and integrity of telephone calls or the signaling information SHOULD be determined in advance. Appropriate signaling and media transport protocols MUST be selected before deployment.

A decision SHOULD be made as to whether and how the VoIP infrastructure is to be connected to public (data) networks. The capacities and the design of existing data networks SHOULD be taken into account in the planning.

NET.4.2.A2 DISCONTINUED (B)

This requirement has been discontinued.

NET.4.2.A3 Secure Administration and Configuration of VoIP End Devices (B)

Unnecessary functions of end devices MUST be deactivated. Configuration settings MUST NOT be changed without authorization. All security functions of the end devices SHOULD be tested before productive use. The security mechanisms used and the parameters used SHOULD be documented.

NET.4.2.A4 Restriction of Reachability via VoIP (B)

A decision MUST be made as to how external call partners can access the VoIP architecture. IT systems from insecure networks MUST be prevented from establishing direct data connections to the VoIP components of the institution. If all incoming and outgoing connections are to be handled via a central IT system, it SHOULD be ensured that all signaling and voice information is exchanged between the public and the private data network only via this authorized IT system.

NET.4.2.A5 Secure Configuration of VoIP Middleware (B)

VoIP components MUST be configured so that they adequately fulfill the protection need. Default configurations of VoIP middleware MUST be adapted before productive commissioning. All installation and configuration steps SHOULD be documented in such a way that the installation and configuration can be understood and repeated by knowledgeable third parties based on the documentation. All unnecessary services of the VoIP middleware MUST be deactivated.

NET.4.2.A6 DISCONTINUED (B)

This requirement has been discontinued.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

NET.4.2.A7 Creation of a Security Policy for VoIP (S)

The central technical security requirements for VoIP and the security level to be achieved SHOULD be included in the institution-wide security policy. In this security policy, all general technical security requirements SHOULD be specified in concrete terms. Furthermore, the policy SHOULD govern the specifications for the operation and use of VoIP components. The various VoIP functions, such as voicemails, SHOULD also be addressed here. The VoIP security policy SHOULD be accessible and known to all persons and groups involved.

NET.4.2.A8 Encryption of VoIP (S)

A decision SHOULD be made as to whether and which voice and signaling information is to be encrypted. In general, all VoIP data packets leaving the secured LAN SHOULD be protected by appropriate security mechanisms. Users SHOULD be informed about the use of VoIP encryption.

NET.4.2.A9 Appropriate Selection of VoIP Components (S)

Before VoIP components are procured, a requirements list SHOULD be created. Products available on the market SHOULD be evaluated based on the requirements list. This requirements list SHOULD cover all features for achieving the desired security level. Rules SHOULD be established for how products available on the market can be evaluated according to the requirements list.

NET.4.2.A10 DISCONTINUED (S)

This requirement has been discontinued.

NET.4.2.A11 Secure Handling of VoIP End Devices (S) [Users]

Users who use VoIP end devices SHOULD be informed about the fundamental VoIP threats and security measures. They SHOULD also select appropriate passwords to secure voicemails.

NET.4.2.A12 Secure Decommissioning of VoIP Components (S)

When VoIP components are decommissioned or replaced, all security-relevant information SHOULD be deleted from the devices. After deletion, it SHOULD be checked whether the data has actually been successfully removed. Confidential information SHOULD also be deleted from backup media. All labels—especially on end devices—SHOULD be removed before disposal. It SHOULD be clarified at an early stage with manufacturers, distributors, or service companies which measures for deleting security-relevant information are compatible with the contractual and warranty conditions.

NET.4.2.A13 Requirements for a Firewall for the Use of VoIP (S)

It SHOULD be checked whether the existing firewall can be adapted for the use of VoIP. If this is not the case, an additional firewall SHOULD be procured and installed for this purpose.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there are high protection needs. The specific determination is made within the framework of an individual risk analysis.

NET.4.2.A14 Encryption of Signaling (H)

The integrity and confidentiality of the signaling information SHOULD be ensured by appropriate cryptographic methods. Not only the user data but also the authentication data SHOULD be consistently encrypted. Access to the VoIP gateway SHOULD be restricted as much as possible by VoIP addresses and H.323 identities. Additional end-to-end security mechanisms SHOULD be used for media transport and signaling. It SHOULD be documented how signaling is protected.

NET.4.2.A15 Secure Media Transport with SRTP (H)

Media data and information for controlling this data transmitted via the Real-Time Transport Protocol (RTP) SHOULD be protected in an appropriate manner. User data SHOULD be protected through the use of Secure Real-Time Transport Protocol (SRTP) or Secure Real-Time Control Protocol (SRTCP) respectively. The security-relevant options of the protocol implementation SHOULD be documented.
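
How the protections named in NET.4.2.A14 and NET.4.2.A15 show up on the wire can be checked on a single SIP INVITE with an SDP offer. The following is an added example, not part of the BSI building block; the messages, the helper make_invite and the function audit_invite are constructed for illustration. It reports unencrypted signaling, plain RTP media, and an SRTP key offered in SDP over unprotected signaling.

```python
import re

# Constructed sample messages (not captured traffic); hosts use documentation ranges.
def make_invite(uri, transport, profile, extra=""):
    return (f"INVITE {uri} SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKconstructed\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            f"v=0\r\nm=audio 49170 {profile} 0 8\r\n{extra}")

SDES = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER\r\n"  # placeholder key
PLAIN = make_invite("sip:bob@example.org", "UDP", "RTP/AVP")
MIXED = make_invite("sip:bob@example.org", "UDP", "RTP/SAVP", SDES)
SECURE = make_invite("sips:bob@example.org", "TLS", "RTP/SAVP", SDES)

def audit_invite(message):
    """Return findings for one SIP INVITE that carries an SDP offer."""
    head, _, sdp = message.partition("\r\n\r\n")
    header_lines = head.split("\r\n")
    findings = []
    # Signaling: the topmost Via names the transport of the observed hop only.
    via = next((l for l in header_lines[1:] if re.match(r"(?i)(via|v)\s*:", l)), "")
    match = re.search(r"SIP/2\.0/(\w+)", via)
    transport = match.group(1).upper() if match else "UNKNOWN"
    signaling_protected = transport in ("TLS", "WSS")
    if not signaling_protected:
        findings.append(f"signaling over {transport} is not encrypted")
    # Media: RTP/SAVP and RTP/SAVPF profiles mean SRTP, RTP/AVP means plain RTP.
    sdp_lines = sdp.split("\r\n")
    for line in (l for l in sdp_lines if l.startswith("m=")):
        kind, _port, profile = line[2:].split(" ")[:3]
        if "SAVP" not in profile.upper():
            findings.append(f"{kind} stream uses {profile}, not SRTP")
    # Keying: an SDES key (a=crypto) is only as secret as the signaling carrying it.
    if any(l.startswith("a=crypto:") for l in sdp_lines) and not signaling_protected:
        findings.append("SRTP key (a=crypto) exposed in unencrypted signaling")
    return findings

if __name__ == "__main__":
    for name, msg in (("PLAIN", PLAIN), ("MIXED", MIXED), ("SECURE", SECURE)):
        print(name, audit_invite(msg))
```

The MIXED case shows why the two requirements belong together: SRTP whose key travels in cleartext signaling protects the media only against observers who did not see the call setup.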

NET.4.2.A16 Separation of the Data and VoIP Networks (H)

The VoIP network SHOULD be separated from the data network in an appropriate manner. Rules SHOULD be established for how to handle devices that must access both the VoIP and data networks. VoIP end devices in a VoIP network SHOULD ONLY be able to establish the intended VoIP connections to other IT systems.

Additional Information

Good to Know

The BSI has published “BSI-TL-02013 for organization-internal telecommunications systems with high protection needs” as part of its technical guidelines.

The National Institute of Standards and Technology (NIST) has published NIST Special Publication 800-5 on “Security Considerations for Voice Over IP Systems” as part of its Special Publications.