
Securing your VoIP network

HP ProCurve | www.procurve.euchoice


“As the initiator of the IEEE 802.1X standard, and of HP ProCurve’s worldwide security vision and strategy, how can ProCurve’s ProActive Defense help to protect not only the data network, but also VoIP and IP phones added to the network?”

ProActive Defense is ProCurve's security strategy for automating protection, detection and response in a network, within a trusted network infrastructure. What makes ProActive Defense unique is that it simultaneously combines both a security offense and defense for IT assets, based on group-based policies for detecting and responding to internal network security threats, and leveraging technologies embedded in the switches or access points.

The offense (ProActive) side is access control for network usage. The defense side is the embedded threat management within the trusted network infrastructure.

The challenges of VoIP security

There's no doubt that VoIP enhances employee productivity and provides an efficient and cost-effective telephony solution for organisations. However, it’s also true that adding IP phones to a network creates new security challenges, due to the fact that in most cases VoIP shares the same network as the data network.

The most common VoIP security challenges are:

1. Access control
2. Denial of Service
3. IPBX attacks
4. Listening

To address these challenges, it is important to consider the following:

• Building a secure and robust network infrastructure that is trusted, making sure that all network devices belong to you and are managed securely with appropriate methods and protocols such as panel security, SSHv3 and RADIUS authentication. It is also important that the network is robust, with ASIC resiliency that enables switches to continue to operate even under malicious attack or network misconfiguration. Furthermore, you should ensure switch-level resiliency and failover mechanisms on key components such as power supplies, fans, fabric and management modules, and network architecture resiliency with link redundancy and VoIP server protection.

• Controlling access to the network, in particular with authentication of the IP Phone using MAC authentication as a minimum, and preferably IEEE 802.1X.  

• Dynamic implementation of security at the edge of the network infrastructure based on group policies, using the results of RADIUS authentication and the latest discovery protocols such as LLDP-MED. This enables you to virtualise your network infrastructure and dynamically set VLAN, packet-filtering firewall rules, rate limiting, or QoS. For example, you could assign VoIP phones to a VoIP application-based group policy and define rules so that your VoIP phones communicate only with the call manager, and only in SIP, H.323, or SKINNY, to further protect against a data-based attack.

This prevents phones, printers, or other devices from being used as launching points for an attack on the VoIP network. It also ensures a VoIP phone cannot be used to launch an attack on other application servers or end-user machines, and with application protection it is unable to attack even the call manager using a data protocol.

• Network visibility with sFlow packet sampling technologies that offer distributed L2 to L7 visibility. sFlow makes it possible to monitor quality of service (QoS) on the network, including loss and jitter; pinpoint any unusual behavior; and diagnose problems for effective resolution.
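The two points above, the group policy that confines phones to VoIP signalling towards the call manager and the sFlow samples used to pinpoint unusual behaviour, can be combined into one small audit. The following is an added example written for this page, not ProCurve code or anything the interview describes: it models sFlow-style samples that already carry the group RADIUS assigned to the source, evaluates each against a VoIP/data group policy, and ranks the sources that the policy would have dropped. All addresses, the port list, and the RTP media rule (which the article does not mention) are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (assumption; the article names no addresses).
CALL_MANAGER = ip_network("10.0.10.5/32")
VOIP_VLAN = ip_network("10.0.20.0/24")      # VLAN the VoIP group policy places phones in
SIGNALLING = {("udp", 5060), ("tcp", 5060), ("tcp", 5061),  # SIP
              ("tcp", 1720),                                # H.323 call setup
              ("tcp", 2000)}                                # SCCP ("Skinny")
RTP_RANGE = range(16384, 32768)  # assumed media port range; not discussed in the article


@dataclass(frozen=True)
class Flow:
    """One sFlow-style sample, tagged with the group RADIUS assigned to the source."""
    src: str
    dst: str
    proto: str
    dport: int
    group: str


@dataclass(frozen=True)
class Verdict:
    action: str   # "permit" or "deny"
    reason: str


def evaluate(flow: Flow) -> Verdict:
    """Apply the group-based edge policy to a single flow."""
    dst = ip_address(flow.dst)
    key = (flow.proto, flow.dport)
    if flow.group == "voip":
        if dst in CALL_MANAGER and key in SIGNALLING:
            return Verdict("permit", "phone signalling to call manager")
        if dst in VOIP_VLAN and flow.proto == "udp" and flow.dport in RTP_RANGE:
            return Verdict("permit", "phone-to-phone RTP media (assumed rule)")
        if dst in CALL_MANAGER:
            return Verdict("deny", "non-VoIP protocol towards call manager")
        return Verdict("deny", "phone talking to a non-VoIP destination")
    # Data group: ordinary traffic is allowed, but the VoIP segment is off limits.
    if dst in CALL_MANAGER or dst in VOIP_VLAN:
        return Verdict("deny", "data device reaching into the VoIP segment")
    return Verdict("permit", "data traffic")


def audit(samples):
    """Return the (flow, verdict) pairs the policy would have dropped."""
    results = []
    for f in samples:
        v = evaluate(f)
        if v.action == "deny":
            results.append((f, v))
    return results


def top_offenders(violations):
    """Rank sources by number of denied samples, to pinpoint unusual behaviour."""
    return Counter(f.src for f, _ in violations).most_common()


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("10.0.20.11", "10.0.10.5", "udp", 5060, "voip"),    # SIP register: fine
    Flow("10.0.20.11", "10.0.20.12", "udp", 20000, "voip"),  # RTP to another phone: fine
    Flow("10.0.20.11", "10.0.10.5", "tcp", 22, "voip"),      # SSH at the call manager: denied
    Flow("10.0.20.13", "10.0.30.40", "tcp", 445, "voip"),    # phone probing a file server: denied
    Flow("10.0.20.13", "10.0.30.41", "tcp", 445, "voip"),    # ... and another one: denied
    Flow("10.0.30.40", "10.0.10.5", "tcp", 5060, "data"),    # PC talking SIP to call manager: denied
    Flow("10.0.30.40", "203.0.113.10", "tcp", 443, "data"),  # PC browsing: fine
]

if __name__ == "__main__":
    violations = audit(SAMPLE_FLOWS)
    for flow, verdict in violations:
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {verdict.reason}")
    print("top offenders:", top_offenders(violations))
```

Run stand-alone, it lists the four samples the policy rejects and shows that the phone at 10.0.20.13 is the source with the most denied samples, which is the kind of signal an operator would follow up on. A real deployment would feed decoded sFlow datagrams into `Flow` objects instead of the constructed list, and the deny verdicts would come from the switch's edge filters rather than this script.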

• Threat protection with IDS and IPS capabilities built into the network switches, which avoids the impact on performance or jitter that an IPS appliance may introduce; and using sFlow samples to detect viruses and track their spread, as well as to identify who is scanning the network.

• Reporting capabilities for accurate inventory, as well as providing the right level of information for the auditor, demonstrating that the correct security policies are enforced.

HP ProCurve ProActive Defense provides the solutions to manage and automate all of these aspects of VoIP security.

The future

The ideal approach to securing VoIP on your network in the future will be for both the desktop PC and the IP phone to independently authenticate and run encryption over the Ethernet cable. The recently ratified standard IEEE 802.1AE (MACsec), for link-layer encryption, and ongoing improvements to 802.1X will be essential for this solution.

Paul Congdon is CTO for HP ProCurve Networking, as well as an HP Fellow, one of the elite HP employees recognized as pioneers in their fields. He is responsible for specifying, architecting and designing ProCurve network infrastructure and software products and he heads ProCurve’s worldwide security strategy.
