All the Chief Network Architects (CNAs) I have talked to over the past year are convinced that the direction of enterprise voice networks is clear: it is IP telephony. This is evident by the sheer fact that PBX manufacturers have virtually stopped R&D funding in those platforms and have relabeled them either as servers or gateways. What is not clear is how to get there. Some enterprises in the early days of 2000, 2001 and 2002 did large IP Telephony installations and paid a heavy price. Part of that price was the high cost of training operational staff, flaky and buggy code which created instability of the voice network, lost calls, lost dial tone, lack of scale, etc. In one case a large financial services concern lost dial tone for 5 minutes corporate wide! As its Chief Network Architect put it, ?¬¢‚Äö?ᬮ??¨it was the longest 5 minutes of my life.?¬¢‚Äö?ᬮ¬¨?? If you were lucky or large enough you got the attention of your IP
Telephony manufacturer, normally Cisco. If you weren´t then you got fired, which was the fate of a CIO in Seattle.

But a lot has changed over the past few years. VoIP call quality can be just as good as toll if you architect your enterprise network correctly. The scale issue is being addressed with implementations reasonable stable over 5,000 end points. The economics of IP Telephony is getting compelling at best and cost justifiable at worse. SIP phones have dropped below the $100 mark and will drop much further over the next year. There are a wide range of wide area designs with associated price points to
choose from for extending LAN based IP Telephony installations across multiple sites. Such options include traditional private lines or frame relay with VoIP tagging and queue prioritization, MPLS based transport services, non-facilities based service provides such as net2phone, Vonage, VoicePulse, Skype, packet8, etc.

Even with all this good news there are important design dilemmas slowing down the network design process and implementation. In particular any IP Telephony network design has to incorporate solutions for three extremely important concerns: 1) IP Phone security, 2) privacy and 3) reliability. These three design elements are tightly coupled by the fact that one heavily influences the other. Poor security reduces the integrity of the IP Telephony network by increasing vulnerability to replay attacks and hijacking voice sessions significantly compromising privacy. Also, poor security increases denial of service attacks, making the IP Telephony network less reliable.

Since security or the lack thereof is the root of privacy and reliability issues, let´s take a look at various security issues. First and foremost is the simple fact that when you move your voice network onto an IP network all the vulnerabilities associated with an IP architecture now move to your voice service. That is virus, worms, denial of service attacks, eavesdropping, spoofing, unauthorized use of resources, fraud, etc. can now affect your enterprise voice network. Some of these problems and concerns are none existent with traditional voice networks. Fraud however has always been a problem with voice service and still is today. You can then bet that fraud will be an ongoing problem with IP Telephony installations as well.

There are two types of fraud. The first is someone billing his or her calls to your IIP phone. The second is a service provider issue aimed at preventing someone from obtaining free calls. We´ll deal with the first type.

There are a few options that can be deployed to limit your company´s exposure to this type of fraud. They include password protection on IP phones, IP address and subscriber validation and the use of Reverse Path Forwarding (RPF), which helps mitigate the introduction of malformed or spoofed IP source addresses into a network by discarding IP packets that lack a
verifiable IP source address. Authentication and authorization assures that an IP Phone is authorized to use a particular service such as making calls, conference systems, instant messaging, etc.

Proxies play an important role policy role in authentication and authorization, registering end points plus restricting or allowing calls between domains. Protocols such as IPSec, TLS and message digest or MD5 are examples of authentication and authorization protocols. In particular, channel security such as TLS and IPSec creates an authenticated, encrypted channel between hops. This prevents hijacking and impersonation of IP phones between specific links in an IP call.

Denial of Service or DoS attacks: Limiting or eliminating DoS is a hard problem to solve. A hacker sending a flood of packets to your company servers can cripple not only your customer facing website but your enterprise network and IP phones as well. How do you deal with it? Since RPF limits spoofed IP packets on the network, this is one level of defense. Consider using committed access rate or CAR features to rate limit high CPU activity such as call managers that perform call set up. Limit or eliminate call managers from direct Internet access by front ending them with firewalls. Also, deploy IP Telephony gateways and servers from companies such as Avaya, Nortel and Mitel, who are not prone to DoS.

Privacy: The tools to limit fraud mentioned above will also contribute to a more secure IP telephony environment where IP Phone users can be assured that their calls and stored messages are not being eavesdropped upon or compromised. Encryption between two IP phones does provide data privacy to limit eavesdropping. Encryption also increases the integrity of the call by limiting the ability of a 3rd party to reply to messages or modify a recorded call by cutting and pasting snippets of the call and
rearranging them to be used in some mischievous or malicious way. Security services in general can be added to each communication link along a path, or they can be wrapped around the data being sent, so that they are independent of the communication mechanism.

This latter approach is often called “end-to-end” security. The above approaches to securing IP voice calls go only so far, however; there are points in a path that can be compromised. End-to-end security is the real goal, knowing that your real time and stored communications are secure. S/MIME, or Secure/Multipurpose Internet Mail Extensions, provides an end-to-end secure channel, which can be used for VoIP. S/MIME is based on the MIME standard. S/MIME provides cryptographic security services including authentication, message integrity and non-repudiation of origin (via digital signatures) and privacy and data security using encryption.

Just encrypting the media or transport through IPSec or Secure Real-time Transport Protocol (SRTP) can prevent eavesdropping and modification of voice calls. But there are difficulties: legal authorities need keys to tap calls, there are firewall and NAT penetration issues and a need for key management, thus increasing operational cost. IPSec has particular advantages for media encryption but comes with large bandwidth overhead, lack of QoS mechanisms and of course there are no IP Phone
implementations, pretty much eliminating IPSec from a media encryption option. SRTP offers less overhead and bandwidth consumption and delivers both encryption and authentication, increasing privacy. But SRTP requires key management with all of its limitations and tradeoffs.

It is because of these concerns and other, yet to be proven security protocols and techniques that many Chief Network Architects have decided to implement a hybrid approach to their IP Telephony deployments. The pure plays aren´t as pure as they seem or as they market themselves to be. The hybrid approach calls for the linking of existing PBX based enterprise phone systems with an IP Telephony implementation. This allows a transition that offers feature transparency, reliability, security and experimentation.

The so-called ?¬¢‚Äö?ᬮ??¨hybrid?¬¢‚Äö?ᬮ¬¨?? approach offers CNAs a control knob which allows them to migrate or transition to an IP Telephony environment at their pace and when they feel comfortable with security and reliability attributes of an all IP Telephony architecture.

Posted 17 November 2003 at 7:25 pm under Lippis Report. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.