VoIP Gateway Security

Speaking in the most general terms, securing your VoIP traffic consists of setting up policies that ensure that the endpoints involved in communication are authenticated and authorized and that the information streams are kept private.

Authentication is the process whereby one network component (for instance, CallManager) validates the identity of another, such as a gateway or IP phone. Authentication can simply be one-way, in which case one component can trust the identity of the other but not vice versa. Authentication can also be two-way, in which case both components can be confident as to the identities of each other.

Authentication is quite important because it prevents issues that can arise when a network interloper impersonates an otherwise valid user. For instance, if Cisco IP Phones don't authenticate CallManager or other network services, it is possible that they could be provided with the IP addresses of an interloper's hacked CallManager. Calls from valid users could be routed via the compromised CallManager and maliciously redirected, or information relating to the numbers that valid users dial could be logged. On the other hand, if CallManager doesn't authenticate the devices, an interloper could introduce his own device on to the network and steal phone service or, worse, impersonate a valid user and wreak mischief in the valid user's name.

Authorization is the process whereby a network component defines what types of services that an authenticated component can access. For example, you can configure CallManager routing to provide long distance calls for certain valid users but not for other valid users.

Privacy is the process whereby communications between network components is secured from the scrutiny of unauthorized intruders. It prevents intruders from eavesdropping on conversations or capturing information such as dialed numbers from call attempts.

A secure network requires that authentication, authorization, and privacy be implemented at many layers in the network. Although Cisco IP Phones and gateways are IP devices that support various voice and video protocols, they are also fundamentally network devices. Therefore, in addition to the authentication, authorization, and privacy techniques that ensure that these devices are valid, authorized VoIP devices, for full security you must also implement security policies that allow you to secure the link layer of your network. Therefore, techniques such as 802.1x authentication allow you to ensure you admit only valid Ethernet devices to your Ethernet network, and techniques such as LEAP or 802.11i ensure that you admit only valid wireless devices to your 802.11 wireless LAN. This book, however, describes security only insofar as it relates to a device's characteristics as a VoIP device, and, furthermore, it simply provides an overview of the techniquesimplementing a secure network is a topic that can easily merit a book of its own.

As Chapter 1 indicates, any VoIP session consists of three phases. The call signaling and media control phases allow a caller to initiate a call with a called party and for both parties in the communication to exchange the information (IP address, IP ports, and media capabilities, among others). The media exchange phase consists of the actual exchange of encoded voice or video packets using Real-Time Transport Protocol (RTP). In a Cisco IP Communications network, CallManager manages the call signaling and media control connections from devices in the network, but media exchange is directly from device to device.

Authentication, Authorization, and Privacy of Signaling Connections Between CallManager and Cisco Gateways

For connections to Cisco gateways, CallManager relies on IPSec, regardless of the VoIP protocol (H.323, MGCP, SIP) that CallManager uses to communicate with the gateway. IPSec is a set of protocols developed by the IETF to support the secure exchange of IP packets. IPSec both allows CallManager and the Cisco gateway to mutually authenticate each other and to ensure the privacy of the signaling stream via Data Encryption Standard (DES). You can find detailed instructions on how to configure IPSec between CallManager and Cisco Voice Gateways at the following link or search Cisco.com for "Configuring IPSec between a server and device":

http://www.cisco.com/warp/customer/707/2000.html

CallManager provides authorization primarily through the policies that you administer in CallManager Administration. When CallManager can establish the identity of a device, it can associate the device with the network policies that you have specified for that device. For instance, calling search spaces enable you to define a routing policy on a device-by-device basis.

Authentication, Authorization, and Privacy of Media Connections Between Cisco VoIP Endpoints

VoIP endpoints send media to each other using RTP as defined in IETF RFC 1889. The IETF standard RFC 3711 defines a set of extensions to this protocol that provides for sender authentication and media privacy.

CallManager 4.1 can help negotiate SRTP sessions only for some of its devices. Of the IP phones that CallManager 4.1 supports as of September 2005, only Cisco IP Phones 7940, 7941, 7960, 7961, 7970, and 7971 support the sending and reception of SRTP streams. Of the gateway devices, CallManager can help negotiate the SRTP stream only for gateways running MGCP. The IOS command mgcp package-capability srtp-package enables you to enable SRTP on a supported MGCP gateway.

SRTP currently works with CallManager 4.1 and gateways running Cisco IOS Software Release 12.3.11. The supported IOS gateways are as follows:

• Cisco 2600XM
• Cisco 2691
• Cisco 2800
• Cisco 3640A
• Cisco 3660
• Cisco 3700
• Cisco 3800
• Cisco VG224

Cisco network modules supported are as follows:

• NM-HDV2
• NM-HD-1V
• NM-HD-2V
• NM-HD-2VE
• EVM-HD
• PVDM2

SRTP provides for privacy because it encrypts the payload using the Advanced Encryption Standard Counter Mode (AES-CM) encryption algorithm and signs the payload using the secure hash algorithm HMAC-SHA1.