Advertisement

IP Telephony Security

Despite the concerns about security in networks and applications, it is useful to assess each possibility and the risks and the risk mitigation options.

There are five security aspects we need to consider:

  1. IP Telephony module access – 3Com NBX is built using WindRiver VxWorks and so is free from the security holes and virus/worm problems that vendors who built their IP PBX with Windows (Cisco). Also, since there are no security patches like Windows to install, there are no opportunities to forget to install them, or not install them. 3Com VCX IP Telephony module runs on Linux, which starts off more secure than Windows. 3Com strengthened Linux, by removing services that were not necessary to the communications function – GUI, FTP, SMTP (unless you're running the IP Messaging application) – which prevents folks from mis-configuring the product and exposing their implementation to security breeches. Tight control of IP telephony modules reduces the risk of malicious impacts.
  2. IP Telephony call control messages – the easy way to follow a packet stream, is to capture the signaling information, i.e., call control. 3Com NBX uses a 3Com-specific protocol to establish call control between the NBX gateway, or between two NBX phones. This protocol is not published and only exposed when the call recording option is engaged. 3Com VCX IP Telephony module uses SIP, which is an easily read call control message flow. The industry has developed and proposed a secure SIP called SIPS, and although 3Com plans to support it, it is not yet on the roadmap. Customer input is required to properly prioritize this feature.
  3. Network-based security – 3Com L2 management systems can automatically recognize 3Com IP phones and assign them to the voice virtual LAN. This segments voice packet flows away from any prying LAN scan. Customers can assign specific switch ports to specific IP phone MAC addresses, and in this way lock-down any other possible use of the Ethernet port. With this feature active, simply plugging in an IP phone does not deliver service. Furthermore, using 3Com security products for network intrusion, intruders can be detected and isolated before serious damage can be sustained.
  4. Role of Packet Compression – furthermore, compressing these packets (G.729 or G.711) further, reduces the ease with which packet streams can be understood. Of course, we're talking about people copying packets within your LAN and within your WAN. If the LAN or WAN is breached, there are bigger problems and more useful areas for attack than person-to-person conersations.
  5. WiFi and SIP phones – unlike DECT and other cordless technologies, WiFi includes packet-level encryption, which makes it quite hard for radio-based eavesdropping.