Switching to VoIP
Authors: Wallingford Th.
Published year: 2005
Pages: 79-81/172

9.9. Key Issues: Quality of Service

  • Quality of Service is decreased when packet loss, jitter, and latency increase

  • There are two styles of Quality-of-Service mechanisms to deal with the problem: CoS and QoS

  • CoS solutions are coarsely grained, best-effort approaches that rely on packet prioritization

  • CoS solutions are best in situations in which voice traffic represents 30% or less of the total traffic, such as enterprise networks

  • 802.1p and DiffServ are the two most common CoS solutions for Voice over IP

  • QoS solutions are finely grained, guaranteed-delivery approaches that reserve bandwidth across the network

  • QoS solutions are best when there is limited bandwidth, or in carrier-grade networks

  • COPS is a system for centrally storing and maintaining QoS and CoS policies

  • RSVP is the most common QoS solution for enterprise-grade voice services over IP

  • Some ISPs offer QoS services to facilitate the use of the Internet and/or VPN for voice applications.

  • Many small-office and residential broadband routers support 802.1p, and a few even support DiffServ

  • Linux's kernel-based firewall, Netfilter, can be used as a DiffServ edge router if the Linux Traffic Control components are compiled into the Linux kernel

  • In Windows NT, 2000, and XP, the QoS Packet Scheduler provides packet prioritization for API-compliant Windows applications such as a softPBX

  • The Windows RSVP service provides an RSVP policy enforcement point for voice and video software running on Windows servers

  • pathping is a Windows utility that can help you determine how well WAN call paths support QoS measures
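As an added example (not from the book), the following shell script shows what the DiffServ edge-router role described above looks like on Linux: Netfilter's mangle table stamps voice packets with DiffServ code points, and Linux Traffic Control (tc) then gives the marked packets a priority class on the egress interface. The interface name, the SIP port (UDP 5060), the RTP port range (UDP 10000-20000) and the bandwidth figures are assumptions; adjust them to your softPBX. Pass `echo` as the second argument to preview the commands without applying them.

```shell
#!/bin/sh
# Added example: classify VoIP traffic with DSCP marks (Netfilter) and
# prioritise it with HTB classes (Linux Traffic Control).
# Assumptions: SIP signalling on UDP 5060, RTP media on UDP 10000-20000,
# a 10 Mbit/s uplink; all of these are placeholders.

voip_diffserv_rules() {
    dev="$1"        # egress interface, e.g. eth0
    run="${2:-}"    # empty to apply; "echo" to print the commands instead

    # 1. Mark at the edge: RTP media gets Expedited Forwarding (DSCP 46),
    #    SIP signalling gets AF41 (DSCP 34). Marking happens in POSTROUTING
    #    so locally generated and forwarded packets are both covered.
    $run iptables -t mangle -A POSTROUTING -o "$dev" -p udp \
        --dport 10000:20000 -j DSCP --set-dscp-class EF
    $run iptables -t mangle -A POSTROUTING -o "$dev" -p udp \
        --dport 5060 -j DSCP --set-dscp-class AF41

    # 2. Shape egress with HTB: a small, highest-priority class for media,
    #    a class for signalling, and a default class for everything else.
    $run tc qdisc add dev "$dev" root handle 1: htb default 30
    $run tc class add dev "$dev" parent 1:  classid 1:1  htb rate 10mbit
    $run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate 3mbit ceil 10mbit prio 0
    $run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate 1mbit ceil 10mbit prio 1
    $run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate 6mbit ceil 10mbit prio 2

    # 3. Steer packets by the DSCP value in the TOS byte: EF = 0xb8, AF41 = 0x88.
    #    The 0xfc mask ignores the two ECN bits so only the code point is compared.
    $run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip tos 0xb8 0xfc flowid 1:10
    $run tc filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
        match ip tos 0x88 0xfc flowid 1:20
}

# Dry-run when executed directly; call voip_diffserv_rules eth0 as root to apply.
[ "${VOIP_QOS_APPLY:-}" = "1" ] && voip_diffserv_rules "${1:-eth0}" \
    || voip_diffserv_rules "${1:-eth0}" echo
```

The marks only survive across the WAN if the carrier honours DSCP, which is why the book notes that some ISPs sell QoS as a service; inside your own network, repeat the tc half on every congested hop.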


Chapter 10. Security and Monitoring

Like the Web, email, and other Internet communications tools, IP telephony can be secured. This fact is one of its biggest appeals over old-school telephone equipment. Security means enforcing system policy, recording instances of abuse for forensic and litigation purposes, encrypting or otherwise hiding sensitive information in transit, bolstering call-management systems' resilience to exploitive attacks and computer viruses, and securing the access perimeter of the VoIP network.

Security tools and enforcement practices for VoIP applications are essentially the same as those for other IP-based apps, because they run on the same network. The security objectives of VoIP systems are largely the same as those of other IP-based systems: in a nutshell, preserve the operational status of the system.

There are many threats to this objective and many countermeasures to the threats. Policy enforcement points, like firewalls, protect lower layers of the network, while authentication systems like RADIUS and application proxies provide higher-layer security. This chapter describes how to secure and harden a VoIP server, the basics of DMZs, how to enable logging of VoIP traffic with iptables, how to tweak the logging configuration of Asterisk, and how to log and monitor VoIP network traffic.


10.1. Security in Traditional Telephony

One of the big misconceptions about VoIP telephony applications is that they are inherently insecure. In truth, the VoIP technology family provides scores more security options than conventional telephones do. If anything is insecure, it's the old voice paradigm.

In the PSTN, there are several aspects of security: access control, call accounting/billing, and features. In these key aspects, the PSTN relies on the intrinsic characteristics of its own design as security controls.

10.1.1. Access Control

The PSTN permits network access via the physical loop component: the cable connection from the CO to the customer premises. This means that a person who has access to the customer's phone lines can place calls as though he is that customer. A friend comes over to your house, picks up your phone, and makes a call. The telephone company assumes he is authorized because he is there. While primitive, this is the basis of access security on the PSTN.

By comparison to a modern data network, this access control approach seems lax, but it's the way the PSTN has always done it. Indeed, even on PBXs and high-capacity voice circuits, physical logistics is still the most common method of controlling access to legacy telephony apps.

To overcome this weakness, some CO switches and PBXs can require users to dial a password of DTMF digits before a call can be placed or before certain telephone area codes can be dialed (for a quick review on phone numbers, refer to Chapter 4). Or the phone company can be made to force you to use a long-distance code before you can dial LD calls. Some telephone companies offer what's called a receive-only phone line, which controls outbound calling by not allowing it at all. Lots of PBXs let you limit outgoing calls on a phone-by-phone basis.

10.1.1.1 Snooping

With a lineman's set, a device used to test telephone circuits, and a pair of alligator clips, it is possible to clandestinely listen in on a PSTN subscriber's phone calls. This technique, while illegal, is quite easy to do, even from outside the subscriber's demarc. All that is needed is a point in the last-mile loop to tap in with the receiver, such as a cross-connect block or splice box. Since the signals transmitted from the CO to the D-frame are analog, snooping on endpoint legs of an analog CO switch (or PBX) is quite easy. All one needs is access to the right cabling. To prevent this kind of snooping, telephone cables tend to be buried or high up on poles where they are tough to access, and cross-connect points, if aboveground, are usually inside of sturdy, locked enclosures.

10.1.1.2 Phreaking

Of course, the ability to send DTMF digits is itself a bit of a security measure; after all, services on the PSTN are accessed by dialing them. And the only devices that can transmit DTMF digits are telephones, right? Well, not exactly. Tone generators are small handheld devices that allow the transmission of DTMF digits and other tones so that, for example, calls can be stolen from a public pay phone. So, in this case, access control is easily broken. This type of exploit, which carries the slang name phreaking, is considered the root of modern-day hacking.

The cell phone network has been abused by phreakers, too. Though cell phones have device-specific electronic serial numbers encoded into their firmware, it is possible, though difficult, to program an unauthorized phone with a different serial number so that it can make calls using a legitimate user's account. This practice is sometimes called cell phone phreaking. Now, there are better administrative measures to counteract phreaking than there were at the beginning of the cell phone era. Indeed, now that many of the cell carriers send voice signals digitally, they are able to interleave and encrypt them so that phreaking is more difficult.

10.1.2. Call Accounting and Billing

When you pick up the phone, dial the pizza place, state your order, and hang up the phone, a number of call accounting events are recorded. The PSTN, with help from SS7, records:

  • Which number you dialed

  • When you dialed the phone number

  • When the call was connected

  • The duration of the call

  • When the call was disconnected

These bits of data are not crucial just to the billing process; they're also important because of what they indicate forensically. When a person's use of the phone system is used as evidence in court or during disputes between a phone company and its customers, call-accounting data is critically important.

10.1.3. Features

To address security concerns, telephone companies have implemented a number of calling features that improve privacy. Such features include caller ID, which allows the receiving party to know who is attempting to call her so she can decide whether or not to answer, and privacy management, which forces the caller to record his name so that the receiving party can decide how to handle the call without having to greet the caller.

Of course, while the phone company can increase security by providing privacy, it also provides security for anonymous callers, in the form of things like caller ID blocking. Security means different things to callers than it does to receivers. Yet, both are valued subscribers to the PSTN, so minimizing their aggravation of one another has become a regulatory headache. It's a losing battle, because the telephone company wants to protect privacy while also allowing anonymity: two concepts that are in conflict.
