I have had some interesting conversations with people lately regarding voice over IP (VoIP). It fascinates me as to how little people really know and understand how this technology works. But what really scares me is how this lack of information is putting organizations at risk.
The most obvious problem with VoIP is segmenting it away from the cardholder data environment (CDE). I am really disturbed by the number of organizations that have no security around their VoIP. Yes a lot of organizations have segmented the VoIP from the rest of their network, but there are no controls that stop anyone from getting into that network segment. As a result, anyone with the right set of tools can gain access to the traffic in the VoIP network segment.
The next thing that scares me is the lack of security surrounding the VoIP servers including any call recording servers. People treat these VoIP servers just like their traditional PBX. Unlike their PBX that likely ran a proprietary version of UNIX, VoIP servers are just Windows or Linux servers running a VoIP application. As a result, they are susceptible to all of the viruses, malware and everything else any other server is susceptible. However, these servers typically do not run anti-virus (performance issues) or are they hardened to any rational security standard. When they get infected or hacked, it seems to be a shock to the system administrator.
And what about the call recording technology? We keep hearing from vendors of call recording solutions that they use proprietary recording methods requiring special CODECs. While in some instances the proprietary claims are true, what we are finding more and more is that vendors are just manipulating file header information such that Windows Media Player, iTunes and the like do not recognize the file as being in a valid format. However, tools such as VLC Media Player are able to see past the header changes and recognize these files for what they are, WAV, MP3 and the like. Thus some proprietary formatting claims are all a bunch of smoke and cannot necessarily be relied upon for security or privacy. Another tell on the proprietary nature of call recordings is that, when you “convert” a recording, if the conversion software seems to be copying the recording more than actually converting it, it is likely that the header is being fixed to WAV, MP3, etc. Real audio conversions typically take more time than just copying because the file has to be fully processed.
But the final insult in this whole scenario is the lack of understanding security personnel have regarding the VoIP protocols. While VoIP call setup and teardown are usually conducted over TCP/IP (a stateful protocol), the actual call itself is conducted via streaming protocols over UDP/IP (a non-stateful protocol). As a result, when you start talking to security people about VoIP security, their knee-jerk response is to tell you that VoIP is secured by the corporate firewall. However, given that the VoIP protocols are stateless, even behind a firewall really does not provide any protection.
So you have a VoIP solution in place. What should you be doing to ensure its security if it is in-scope for PCI compliance? Here are my thoughts.
- Properly segment your VoIP from the rest of your network. This means either physically or logically separating the VoIP from the rest of your network. This also means implementing access control rules so that only those devices and people that need access to the VoIP network have access. If you are also using your VoIP phones as the network jack for a PC, make sure to VLAN that jack to something other than the VoIP VLAN.
- If you can, implement the VoIP segment without DNS and DHCP and use MAC filtering to avoid the accidental or deliberate plugging in of a PC into a network jack that is VoIP only. At a minimum, use MAC filtering to at least control what gets plugged into the LAN jack.
- Closely monitor your VoIP segment and generate alerts on any devices that are unplugged or plugged in. Also monitor for any protocols other than the VoIP protocols that your VoIP system uses.
- Do not use the last octet or any other portion of the phone’s IP address as the extension number. Yes, I know this is an easy way for the help desk to identify and troubleshoot phones, but it is also easy for an attacker to locate targets of interest, so keep that in mind when you are implementing your VoIP solution.
- Never, ever connect your VoIP network to another VoIP network outside of your explicit control. Given that VoIP primarily uses UDP/IP, you cannot expect any firewall to protect your VoIP system from anything outside of your control. Always use plain old telephone system (POTS) circuits to connect to any foreign network. I know that is not as sexy as VoIP, but how else can you protect your VoIP system from outside influences?
- Work with your VoIP vendor to harden all servers that manage the VoIP system. These are just Windows, Linux, etc. systems. Obviously you will need to do some testing of this and you may not be able to use all of the hardening items in your server hardening standard, but you would be surprised at what you can do that the vendor says will not work. Remember, they are just trying to cover their butts should a problem crop up.
- Be careful implementing VoIP on traditional PBXs. A lot of these solutions are just PCs or servers and can be easily hacked once on your network just like their full VoIP brethren.
- Get a hold of VLC Media Player or similar tool and see if you can play a recording off of your call recording system. We are getting about a 25% hit rate using VLC to play recordings. A lot of the success of this approach depends on the age of the call recording system. The newer the systems, the more likely it is that you will find that the recordings are just tweaks of existing standards.
PCI Guru 