
Energy and Heat Budget Considerations


Given the heat and energy crisis being faced in many data centers due to the rapid increase in equipment densities (without a corresponding decrease in energy efficiency), planning for VoIP availability must include consideration for heat and power capacities in the room where VoIP servers and gateways will be housed. Don’t omit this step only to discover after you’ve deployed that you have no power or cooling headroom for the additional equipment!

www.syngress.com

The Hardware Infrastructure • Chapter 3 85

Summary

VoIP hardware infrastructure reflects the hybridization of two worlds that are colliding:

A specialized voice infrastructure based on the PBX and central office circuit-switching paradigm

A general-purpose data infrastructure based on large-scale proliferation of software-based communication solutions running over packet data networks

In order to address VoIP security, a detailed knowledge of both models is essential. As more people and organizations deploy VoIP solutions, securing that infrastructure will become more crucial than ever before. Security must be considered from the design phase in every component.

Solutions Fast Track

Traditional PBX Systems

Know the PBX architecture model: PSTN over trunks to PBX (or gateway) to lines connecting stations and other devices. VoIP solutions may not be as far away from this architecture as you think, and you need to understand the architecture to assess risk.

Features are the value-add for a PBX; the way your organization uses them will either add risks or mitigate risks. Know your features.

Change the default settings. Most PBX or adjunct systems that are compromised are exploited by weak or default passwords.

Make backups! Keeping up-to-date backups of your phone system is just as important as it is for your computer network.

Audit your security! PBX systems often are overlooked when security is considered, especially if it’s not in the budget. That can change quickly after a weekend of toll fraud that can create a bill of $100K or more in international long-distance charges.


PBX Alternatives

Key Telephone Systems, Centrex, IP Centrex, and Host IP solutions are alternatives to PBX systems that send more of the switching intelligence offsite.

These alternatives can simplify deployment and security considerations but at the cost of flexibility and overall capability.

VoIP Telephony and Infrastructure

Huge differences exist between media servers and media gateways from different vendors. Know what class of device your organization plans to deploy so you can help develop an appropriate risk profile and mitigation plan.

Boundary traversal for VoIP will require special attention and can be handled through proxies or application-layer gateways within firewalls.

Enable WPA2 security on wireless access points and VoIP devices and consider 802.1x authentication. These devices will not have encryption or authentication turned on by default and you will need to set up supporting infrastructure.

Make sure you’ve got enough raw power, cooling, and UPS systems in place to safeguard mission-critical systems. Don’t forget that availability is a security concern!

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: How is a PBX different from a switch in a telephone central office?

A: In many ways, the two switches serve the same basic function, but with different target customers. PBX systems are usually smaller-scale systems with more enterprise-specific feature functionality, and tend to interconnect a larger percentage of digital and IP phones than a PSTN switch would.

Q: Do I need an analog PBX to use an analog phone or trunk? Or a digital PBX to use a digital phone or trunk?

A: No, a digital PBX or VoIP gateway can handle analog lines and trunks just fine. These signals are converted to digital signals before being switched on a digital PBX’s Time Division Multiplexing (TDM) bus or Gateway VoIP media stream. A digital phone does require a digital PBX, but digital trunks can be split out on a channel bank for an analog switch if the signaling also is converted to an analog format.

Q: Where do the names “ring” and “tip” come from? What do they mean?

A: In the old days of telephones, operators connected calls using quarter-inch phone plugs (the same plugs that later were used with stereo headphones before the mini-phone plug became commonplace). The tip of the plug was the positive side of the circuit. The ring (or slip-ring) was a conductive circle around the plug above the tip and was the negative side of the circuit. Sometimes another conductor was present on the plug after the ring; this was called the sleeve.

Q: What does “codec” mean, and what common codecs should I consider using? Is any kind of codec more secure than another?

A: Codec is short for COder/DECoder (and in more modern usage, COmpressor-DECompressor, though the first PCM codec was not compressed). In audio, a codec, as the name implies, compresses audio before transmitting it, and decompresses the received audio. This helps pack more traffic in the same bandwidth. G.711 is standard PCM encoding, G.721 uses Adaptive Differential PCM (ADPCM) to cut the bandwidth required in half, and G.729 can compress a 64 kbps speech channel down to 8 kbps, but with significant loss of quality (and it won’t work for fax or data connections). In general, your choice of codec will not affect the security of your VoIP system one way or the other.

Q: Why do regular firewalls have so many problems with VoIP traffic?

A: There are several reasons for this. First, VoIP packets have three characteristics that make traversal more difficult: separate signaling streams from media streams, broad ranges of port numbers for media, and embedded IP addresses. Second, VoIP standards are always changing and firewall vendors have a hard time keeping up. Finally, VoIP packets are real-time by nature and firewalls aren’t friendly to real-time packets under load.
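The three traversal characteristics named in this answer can be read straight out of a call setup message. The following is an added example, not from the book: it assumes SIP signaling with an SDP body, and the INVITE, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed SIP INVITE (not captured traffic). Signaling uses UDP 5060,
# but the SDP body names its own address and port for the RTP media stream.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bKconstructed\r\n"
    "Contact: <sip:alice@10.1.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.1.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 18\r\n"
)

def media_endpoints(sip_message):
    """Return [(address, port)] the SDP body asks the peer to send media to."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr = None
    media = []  # each entry is [address, port]
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1]
            if media:
                media[-1][0] = addr      # media-level c= overrides the session-level one
            else:
                session_addr = addr
        elif line.startswith("m="):
            port = int(line.split()[1].split("/")[0])
            media.append([session_addr, port])
    return [(addr, port) for addr, port in media]

def traversal_findings(sip_message, observed_src, signaling_port=5060):
    """List what a port-based firewall or NAT would get wrong for this call."""
    findings = []
    for addr, port in media_endpoints(sip_message):
        if port != signaling_port:
            findings.append(f"media on UDP {port}, outside the rule for port {signaling_port}")
        if addr is None:
            continue
        if addr != observed_src:
            findings.append(f"SDP address {addr} differs from packet source {observed_src}")
        if ipaddress.ip_address(addr).is_private:
            findings.append(f"SDP address {addr} is private and unroutable from outside")
    return findings
```

A proxy or application-layer gateway resolves these findings by rewriting the embedded address and opening the negotiated media port for the duration of the call.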

Q: What is a WEP initialization vector and how is it used? Why is it not enough to protect me?

A: WEP is a stream cipher, which uses a value known as an initialization vector to ensure every signal is a unique signal, despite being encrypted by the same key. WEP’s fatal flaw is that its IVs are too short, and duplication occurs
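How quickly a short IV repeats, and what a repeat costs, can be worked through directly. The following is an added example, not from the book: it assumes WEP's 24-bit IV prepended to the shared key as the per-frame RC4 key, omits the integrity check value, and uses a constructed key and frames.

```python
import math

IV_BITS = 24  # assumption stated in the lead-in: WEP's IV length

def rc4_keystream(key, n):
    """Standard RC4: key scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def wep_encrypt(iv, key, plaintext):
    """Per-frame RC4 key is IV || shared key (integrity check value omitted)."""
    ks = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def collision_probability(frames, iv_bits=IV_BITS):
    """Chance that at least two of `frames` randomly chosen IVs are equal."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))

def frames_for_even_odds(iv_bits=IV_BITS):
    """Frames after which an IV repeat is about as likely as not."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(2)))

def reuse_leaks_plaintext_xor(key, iv, frame_a, frame_b):
    """Same key and IV give the same keystream, which cancels out of the XOR."""
    c_a, c_b = wep_encrypt(iv, key, frame_a), wep_encrypt(iv, key, frame_b)
    return xor(c_a, c_b) == xor(frame_a, frame_b)

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit key
    print("frames for ~50% IV repeat:", frames_for_even_odds())
    print("P(repeat) after 20000 frames: %.4f" % collision_probability(20000))
    print("repeat exposes plaintext XOR:",
          reuse_leaks_plaintext_xor(key, b"\x00\x00\x01", b"RTP frame one", b"RTP frame two"))
```

A VoIP call sends a steady stream of small frames, so the even-odds figure is reached within a short stretch of traffic on a busy access point.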

Q: Can I use WPA2 with any access point?

A: Most access points, but not all, now support WPA2 encryption. To be sure, consult the manual that came with your router (or they can usually be downloaded from the manufacturer’s site) and look up the encryption they support. Some routers can be upgraded by uploading a special firmware to the device. Check the manufacturer’s Web site, just to be sure.

Q: Can I run my own RADIUS server?

A: RADIUS, which stands for Remote Authentication Dial-In User Service, has many free implementations for Linux and other operating systems. For a typical list of commercial and open source options, visit the VoIP-Info wiki at www.voip-info.org/wiki-Radius+Servers.

Q: What are some of the security concerns involved with using the popular instant messaging clients?

A: The same vulnerabilities that exist on the desktop are found in IM clients. This includes man-in-the-middle attacks, keylogging, and even audio capture and reconstruction with freely available tools on the Internet. And just as we’ve seen in the operating system world, the more widespread an IM client becomes, the more attractive a target it is to the hacking community.
