Premise: Agreement that the future IP network will be a convergent services network. Agreement that there is value in incorporating VoIP into the IP network. VoIP-enabled PBXs are “different” from server-based VoIP systems. The fundamental question is the impact of incorporating VoIP into a convergent IP network architecture, specifically with regard to security. Start the dialog on issues, mechanisms, policies, etc., leading to “best practices”.
The key is understanding the effect of a mix of services (data, voice, video, mobile) on a single IP-based network architecture. There is experience, in particular with data traffic, but less with VoIP and video. The impact of mobile wireless devices on the convergent IP network is just emerging.
Not a comprehensive list. Most are traditional issues, but E-911 is an issue directly related to the introduction of VoIP.
An extended example is QoS.
Example: jitter buffers, 150 ms one-way latency. 802.1p/Q VLAN tagging standard; embedded QoS also in IP telephones (Layer 2). Differentiated Services (DiffServ) at Layer 3. 100 Mbps desktop and 1 Gbps backbone.
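The Layer 2 (802.1p/Q) and Layer 3 (DiffServ) markings named above can be checked directly on a frame. The Python sketch below is an added example, not part of the original presentation; the voice VLAN ID, 802.1p priority and DSCP value in its policy are assumed site settings, and the sample frames are constructed rather than captured.

```python
import struct

# Assumed site policy (not from the slides): voice VLAN 110, 802.1p priority 5, DSCP 46 (EF).
VOICE_POLICY = {"vlan": 110, "pcp": 5, "dscp": 46}

def parse_markings(frame: bytes) -> dict:
    """Return the 802.1Q/p (Layer 2) and DiffServ (Layer 3) markings of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"vlan": None, "pcp": None, "dscp": None}
    offset = 14
    if ethertype == 0x8100:                       # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        out["pcp"] = tci >> 13                    # top 3 bits: 802.1p priority
        out["vlan"] = tci & 0x0FFF                # low 12 bits: VLAN ID
        offset = 18
    if ethertype == 0x0800 and len(frame) >= offset + 20:   # IPv4 header follows
        out["dscp"] = frame[offset + 1] >> 2      # upper 6 bits of the DS (ToS) byte
    return out

def audit(frame: bytes, policy: dict = VOICE_POLICY) -> list:
    """List fields whose marking differs from the policy; an empty list means compliant."""
    seen = parse_markings(frame)
    return [f"{k}: expected {v}, saw {seen[k]}" for k, v in policy.items() if seen[k] != v]

def build_frame(vlan=None, pcp=0, dscp=0) -> bytes:
    """Build a minimal Ethernet/IPv4/UDP frame (constructed sample data, checksum left 0)."""
    frame = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan is not None:
        frame += struct.pack("!HH", 0x8100, (pcp << 13) | vlan)
    frame += struct.pack("!H", 0x0800)
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return frame + struct.pack("!HHHH", 16384, 16384, 8, 0)   # empty UDP datagram

if __name__ == "__main__":
    for label, f in [("marked phone", build_frame(110, 5, 46)),
                     ("priority stripped", build_frame(110, 0, 46)),
                     ("untagged, best effort", build_frame())]:
        print(label, parse_markings(f), audit(f) or "compliant")
```

Run against frames taken from a switch port, a non-empty audit result points to a device or hop that is dropping or rewriting the voice markings.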
Snooping (eavesdropping). With authenticated access to the specific VLAN to which IPT packets are assigned, and the ability to defeat the Data Link Layer (Layer 2) protection mechanisms that defend against these menaces, it might be possible to intercept unencrypted RTP packets. UDP is not much help at the network layer. Interception at the switch by mirroring the port traffic. Digital certificates, incorporated into an increasing array of devices, including telephone handsets, can ensure that a device processes only those commands that originate from trusted sources.
Voice over Internet Protocol (VoIP) Security Affects on the IP Network Architecture. Conference ICS – Wireless Group Meeting, Tempe, Arizona, February 6, 2005. Jose J. Valdes, Jr., Colorado State University.
“Today’s networks are being architected with converged, real time, voice, data, and video applications in mind.” (1)
“It is this ability to integrate voice, data, and video applications using a single network infrastructure that makes deployment of IP telephony platform an essential step toward creating a next-generation network.” (1)
The next-generation network has different and extended architectural requirements, in part because of VoIP, e.g., security.
ITU-T H.234 v2 & v3 defines different security profiles for product interoperability under the H.323 suite of protocols (Annexes D, E, and F). The suite is designed for real-time audio, video, multimedia, and data.
SIP security features described in RFC 3261 (IETF). Designed for VoIP and updated for video and messaging.
Some will argue that these protocols were designed from different perspectives.
Broadcom. “Critical Steps for Successful VoIP Deployment.” White Paper October 2004 Broadcom Corporation Irvine, CA.
Shore, Joel. “IP Telephony Security: An Overview.” NetworkWorld URL: [email_address]
Kuhn, R.D., Walsh, T.J., & Fries, S., “Security Considerations for Voice Over IP Systems: Recommendations of the National Institute of Standards and Technology.” National Institute of Standards and Technology, Gaithersburg, MD. January 2005.
Cisco. “Internetworking Technology Handbook.” 2003. URL: http://www.cisco.com/univercd/cc/td/doc/cisintwrk/ito_doc (26 October 2004)
Tucker, G.S., “Voice Over Internet Protocol (VoIP) and Security.” GIAC Security Essentials Certification (GSEC), v1.4c, option 1, 26 October 2004