Developing an IP Telephony Security Policy
This section covers the intricacies behind building an IP Telephony Security policy because without one you cannot enforce IP communications’ pertinent security effectively.
Building an IP Telephony Security Policy/Strategy In line with Your Corporate Security Policy
An IP Telephony network security policy (the words policy and strategy will be used interchangeably) defines a construct to protect the assets connected to a network that supports IP Telephony, based on a risk assessment analysis. It defines the access limitations and rules for accessing various assets connected to an IP Telephony network. It is the source of information for users and administrators as they set up, use, and audit the network.
It is imperative that the IP Telephony network security policy is general and broad in scope. This implies that it should provide a high-level view of the corporate ideology based on which security-related decisions should be made. However, it should not go into the details of how the policy should be implemented. The rationale is that the details can change overnight, but the general principles of what these details must achieve should remain the same. An IP Telephony Security policy needs to balance between ease of use and ease of implementation, network performance, and the security aspects in defining the rules and regulations.
Building an IP Telephony Security policy is not a one-time process. It requires adjusting policy as per new requirements, objectives, threats, or challenges. Also, IP Telephony Security policy is not an isolated or a single team effort. It requires participation and support from all segments: the IP Telephony team, network team, security team, and most importantly, management (executive sponsor). The security policy needs to be supported by management and other respective engineering teams within an organization; otherwise, it is difficult to have user buy-in.
The first step toward developing an effective IP Telephony Security policy is to assess the risk associated with the network assets to be protected. Risk assessment in quintessence is a method to outline why the resources in your IP Telephony network should be protected. The next section investigates risk assessment and the fundamentals of the risk assessment process for an IP Telephony network.
Risk Assessment
Let us go over this intriguing topic to understand what goes behind performing a risk assessment exercise and why it might just save you from a certain catastrophe.
At a high level, the risk management process helps you attain the following goals:
- It helps achieve the organization’s objectives (vision and goals): By highlighting the assets that are important or central to an organization’s functions. This helps protect those vital assets.
- It ensures the network and infrastructure availability for rightful users: By helping categorizing network assets in terms of their importance for the network to be up and running, thereby helping with the scale of economy.
- It assists in maintaining a strong security posture: To deter attacks against an organization’s vital assets by deploying appropriate security controls against identified and potential threats.
- It ensures compliance with organization’s rules, regulations, standards, and policies: By helping to understand the various components of the network that could be exploited and misused, thereby building policies, rules, and regulations around their use or access mechanisms.
Figure 4-3 gives an insight to the various benefits perceived by carrying out the risk management process.
Figure 4-3. Risk Management: Areas Addressed
A typical IP Telephony risk assessment activity may well be outlined via the following steps:
Step 1. Identify sensitive information and critical systems.
Step 2. Estimate the value of IP Telephony system (information and components).
Step 3. Identify potential threats and vulnerabilities to your IP Telephony network (covered in security assessment).
Step 4. Estimate the likelihood of a potential attack or penetration being realized.
Step 5. Identify countermeasures against perceived threats and vulnerabilities (covered in security assessment).
Step 6. Estimate the cost of implementing countermeasures versus not implementing them.
Step 7. Select suitable countermeasures for implementation (covered in security assessment).
Before taking a deep dive to understand the different processes that work within a risk assessment exercise, you must realize an important fact. Not all risks are present and applicable in all different types of IP telephony implementations; every IP Telephony network is unique and has its own set of strengths and weaknesses. However, it is important to create an overall IP Telephony Security policy or strategy in which all assets, potential risks, existing issues, and mitigation methods are listed. Although, it is advisable to perform a risk assessment on existing IP telephony implementation(s), it is equally important to perform an initial risk assessment, including a review of the impact on the data network for new implementations.
Step 1. Identify Sensitive IP Telephony Information and Critical Systems
Organizations should pinpoint the various systems that form the baseline for IP Telephony, from internal servers to external network components, to understand where their critical information may potentially be stored, processed, managed, or viewed. As a disseminated system, IP Telephony network has many individual components that must be protected. Any attack vector realized at any point of time can render the system unusable for legit users. This includes and is not limited to the following:
- Endpoints and servers targeted for DoS/DDoS or MITM attacks
- Changes in routing protocols, leading to failed or hijacked calls
- Change in the IP Telephony application or device configuration
Step 2. Estimate the Value of IP Telephony System (Information and Components)
After identifying the critical information and systems, organizations can then estimate the value of data loss based on where sensitive information is sent, depending on who sends it, and how often it happens. For example, an organization may find that the majority of data loss risks are associated with employees inside the organization who unconsciously put information at risk in the course of their day-to-day activities at work, for example, placing CDR data on a USB drive in preparation to work at home. Also, an estimate of loss of revenue because of a loss of communication or unavailability of the IP Telephony system should be evaluated.
Step 3. Identify Potential Threats and Vulnerabilities to Your IP Telephony Network
Identifying the threats to your IP Telephony network and understanding the vulnerabilities (gaps) is the key to secure your network. Threats can be various, such as the following:
- Inside attacks from malicious users
- Outside attacks from hackers and phreakers
- Viruses, Trojan horses, and worms
- DoS or DDoS
- Man-in-the-middle attacks
- Hardware or software failures
- Loss of critical systems
Vulnerability can range from a simple software defect to a sophisticated implementation for application and network security. A gap could be introduced because of a defect that may allow an attacker to implant a back door or because there was no host protection applied, as the system was supposed to be insulated.
Step 4. Estimate the Likelihood of a Potential Attack/Penetration Being Realized
To assess the probability of an attack from malicious individuals who are either inside or outside the organization and network, application security or penetration tests could be carried out. No matter if these tests are conducted by security professionals inside the organization or outside (for example, third-party security consultants), the end result should be to identify the specific attack vectors that may be used by malicious users or outsiders to gain access to critical information and, in turn, identify and validate potential vulnerabilities that could lead to data loss.
Step 5. Identify Countermeasures Against Perceived Threats and Vulnerabilities
At the termination of an information security revelation or a penetration assessment, an organization should develop an alleviation plan based on their risk tolerance. This plan should detail the findings of the information exposure risks and explain the estimated business impact in case a vulnerability is exploited or an attack is established. The report must also address an assessment of the security measures currently in place.
Most importantly, organizations must also formulate a prioritized action plan for remediation together with a list of recommendations to enhance security and reduce risk.
Step 6. Estimate Cost of Implementing Countermeasures Versus Not Implementing Them
Always remember that security is a balance between risk and cost. To achieve a balance, there must be a plan well in advance and resources to put the plan in action. Too less or too much security can be a serious disadvantage to your IP Telephony network because it will either pave a way for the attackers to invade your network or may cost much more than you expected it to (in terms of financial and performance cost). For example, elevated operational costs because of fraudulent usage of the system by unauthorized users and high-usage bills can ensue.
No two networks and their security needs could possibly be similar, and the same applies to IP Telephony network as well. Thus, to cover this topic, that is the level of security required, there’s a dedicated section that explains the level of security required for your IP Telephony network to enable you to make the right decisions for your network.
Step 7. Select Suitable Countermeasures for Implementation
The last part of the risk assessment process is the contingency plan. The contingency plan usually consists of what to do if the systems do not work as expected, or in other words, they backfire. For example, if there is a natural or unnatural disaster, what should be done to contain the damage to a minimum. Fortified with the data collected during risk assessment and the final outcome, an organization should have a precise understanding of where its exposures are and how it can leverage this information to take a risk-based, prioritized approach to create a secure IP Telephony environment.
It is important to understand that although risk assessment requires high-level participation and decision making, it’s actually a team effort. The process of risk assessment should be initiated and fronted by the top management in an organization. However, feedback from all levels is required, and everyone right from inventory maintenance to network administration to IP Telephony (telecom) team to CTO should be involved as stakeholders during risk assessment.
Identifying risk and conducting risk assessment are vital components of any successful and comprehensive security strategy. This significantly helps to underline what is valuable and at risk. It helps to ensure that the security planned and applied is effective and is aligned with the organization’s objectives.
Components of IP Telephony Security Policy
There are standards around which a security policy should be built and implemented. These standards are guided by RFC 2196, which lists the elements of a security policy. Although RFC 2196 provides a generic security policy outline, an IP Telephony Security policy should follow these guidelines and be built on the lines of either an existing corporate security policy or developed from scratch.
As described in RFC 2196, “The Site Security Handbook:”
A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.
IP Telephony Security Policy/Strategy
Following is an example of an IP Telephony Security policy built to protect not only the underlying network, but also the IP Telephony servers, applications, endpoints, and related assets.
An IP Telephony Security policy statement follows:
It shall be the responsibility of the IP Telephony/IT Department to provide adequate protection and confidentiality of all IP Telephony-specific corporate data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of IP Telephony data, network access, and programs to all authorized members of staff and to ensure the integrity of all data and configuration controls.
The security policy for IP Telephony must address the following areas:
- Acceptable use of organizational IP Telephony equipment (for example, hard phones, soft phones, WLAN phones, voicemail, and conferencing). The acceptable use includes calling plan restrictions (for example, calls to 900 numbers or international calls). These restrictions are also translated to configuration parameters on the respective IP Telephony components (for example, IP-PBX or SIP proxy). Acceptable use of IP Telephony equipment pertains also to contractors, vendors, and other third parties who interact with the organization.
- Protection of IP Telephony services, including the following:
- Service access (for example, password-protected conferencing sessions and voice mailbox access controls)
- Signaling and media encryption for interactions in which sensitive information is handled (for example, calls or videoconferencing in which customer or patient health information or financial information is communicated)
- Media retention based on the minimum duration that media should be kept based on regulatory or other industry, state, or federal requirements. The types of media include, but are not limited to, CDRs (call detail records), voicemail, call or videoconferencing recordings, instant messages, or backup.
- Signaling or media interception to satisfy law enforcement requirements (for example, CALEA). Although the requirement for lawful intercept pertains to carrier networks, it is helpful to provide such capability in an enterprise network to support the investigation of unforeseen incidents or circumstances.
- A vulnerability management process should be in place to categorize and prioritize the impact of vulnerabilities that may affect the organization’s IP Telephony infrastructure and service.
Summary of Main IP Telephony Security Policies:
- Confidentiality of all data is to be maintained through discretionary and mandatory access controls.
- No Internet and other external service access is allowed to or from IP Telephony data center.
- Calling restrictions access will be implemented globally on all call-control clusters.
- Only authorized IP Telephony and IT staff are allowed to enter the data center. (The only exception is third-party and vendor employees escorted by IP Telephony and the IT team).
- Voice communication will be secured by using encryption techniques and by Layer 2 or Layer 3 mechanisms where possible and required.
- Voice equipment will be placed behind firewalls restricting access to users. A dedicated management VLAN will be used to manage IP Telephony devices.
- Antivirus and HIPS products will be installed and enabled wherever applicable.
- OS and administrator passwords must consist of a mixture of at least eight alphanumeric characters must be changed every 30 days, and must be unique.
- IP Telephony configurations may be changed only by IP Telephony and the IT staff.
- To prevent the loss of availability of IP Telephony resources, measures must be taken to back up data, applications, and configurations of IP Telephony equipment.
- A business continuity plan will be developed and tested on a regular basis.
- Technology purchasing guidelines must be well laid out and defined to ensure that only a vendor that passes certain criteria is to be considered for the IP Telephony solution.
- The authentication, accountability, and access (AAA) policy should clearly define the level of access, authorization for different work levels, and monitoring requirements for the access to IP Telephony system.
- Availability Statement.
- Information Technology Systems and Network Maintenance Policy.
- Supporting information.
Policy General Guidelines and Statements
Following are organization XYZ’s IP Telephony Security policy general statements and guidelines.
IP Telephony Technology Purchasing Guidelines:
- All IP Telephony and network-related equipment must be purchased keeping in mind XYZ’s requirements for confidentiality, integrity, and availability (CIA).
- It is essential for the equipment to incorporate mechanisms for secure and confidential administration.
Availability Statement:
The network is available to bona fide users at all times of the day except for outages that occur for various reasons. When a trade-off must be made between confidentiality and network availability, confidentiality is always given priority.
Supporting Information:
- All information regarding XYZ IP Telephony operations must be kept confidential and must never be divulged to sources outside the company. All publicity-related matters should be handled through the Corporate Press Relations office.
- Any later conflicts and issues about the security policy must be resolved with the intervention of the chief security officer, who bears the ultimate responsibility for the security policy.
Policy Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment.
Core IP Telephony Security Policies
Accountability Policy:
- All users (end users and administrators) of the network are accountable for their actions that may result in network security concerns.
- It is the responsibility of every user to be familiar with the guidelines for the services offered through the XYZ network. Also, every user is responsible to report to the system administrator about any suspected inappropriate use of IP Telephony endpoints or malicious activity on the network.
- All users are accountable for use of their phone and in the manner it is used.
Authentication Policy:
- All information assets on the IP Telephony network require authentication before someone is given access to them. Access attempts are logged for auditing.
- Remote-access users need to go through two layers of authentication to authenticate themselves to the access servers connecting them to the network and then to gain access to individual resources on the network.
- Authentication is carried out using security servers on the network. Steps must be taken to safeguard the security servers against attacks and intrusions from the outside or inside network.
- Authentication should be carried out using one-time passwords. Authentication must be accompanied by authorization and accounting on the security servers. Authorization should be used to restrict user access to resources that are intended for users based on their belonging to a certain group. Accounting should be used to further track authorized user activities. This is a basic safeguard that must be supplemented along with intrusion detection systems.
Acceptable Usage Policy:
- XYZ’s IP Telephony network is available for use by employees any time of the day or night for the sole purpose to address business-related conversations.
- Using telephony, voicemail, and all IP Telephony resources for any function that is non business-related or for personal use is prohibited.
Access Policy:
- Data center access will be strictly restricted. Access will be allowed by assuming that all access is denied unless specifically required. Access to IP Telephony data center will be given to only the following:
- IP Telephony administrators
- IP Telephony network administrators
- IP Telephony management team
- Authorized vendors or third-party employees
- The IP Telephony resources must be accessed while an authorized IT or IP Telephony staff employee is located on the local network or from one of the remote sites or by one of the authorized telecommuters (only through company-approved procedures for remote-access users). Access from any other location is prohibited.
- Access to network resources will be on an as-needed basis. Information assets are protected by giving access to specific groups and denying access to all others. Increasing access privileges for a given asset requires approval from the management.
- All remote users must get management approval before they can use the resources to remotely access the corporate network. Users from the remote sites and telecommuters are treated the same as local users who use network resources. Similar access restrictions are placed on these users for accessing the various network resources.
- Remote-access users must comply with corporate guidelines to make sure that their PCs are safe to connect to the corporate network.
- It is the responsibility of the employees using remote access to ensure that their remote-access equipment is not used by unauthorized individuals to gain access to the resources on the corporate network.
IP Telephony Network Maintenance Policy:
- All IP Telephony and related network equipment is to be managed only by the full-time and authorized employees of XYZ Inc. who have the privileges to do so. Giving an individual permission to work on any network equipment for administrative purposes requires management approval.
- Remote access to administer the networking equipment is allowed, but it requires that the access be done using encryption and that authentication for login access takes place against the security servers. All management sessions, internal and external, must be encrypted.
Violations and Security Incident Reporting and Handling Policy:
- Documented processes must be set up to identify when intrusions and network attacks take place. These processes of detection must include manual reporting and automatic reporting tools.
- The following processes need to be set up for incident reporting and handling:
- As soon as it has been confirmed that a breach has taken place or an attack is taking place, a process must be invoked to inform all the necessary network administrators of the problem and what their role is in tackling the situation.
- A process needs to be set up to identify all the information that will be recorded to track the attack and for possible prosecution.
- A process must be in place to contain the incident that has occurred or that is occurring. The process must be written keeping in mind that confidentiality and integrity is a bigger concern for XYZ than availability.
- A process must be in place to follow up on attacks that have occurred to make sure that all the vulnerabilities exposed through the attack are corrected and that similar attacks can be avoided in the future.
Physical Security of IP Telephony Equipment
Physical Security of IP Telephony equipment must comply with the guidelines as detailed:
- Data center equipment: All IP Telephony equipment, which includes IP Telephony servers, appliances, routers, switches, firewalls, and any IP Telephony related data center equipment.
- High-risk situations: This refers to any IP Telephony data center area that is accessible:
- At the ground floor level
- At the first floor level, but accessible from the adjoining roof
- At any level via external fire escapes or other features providing access
- Rooms in remote, concealed, or hidden areas
- Lockdown devices: The IP Telephony equipment will be locked down by placing it in dedicated racks placed in the secured data center.
Physical Security Policy
The following section summarizes the required physical security features for an IP Telephony data center or remote sites hosting IP Telephony equipment.
- IP Telephony servers, routers, and switches locked down to rack.
- Racking of equipment away from windows.
- High-risk situations should be addressed by window locks, shutters, and bars.
- Blinds should be deployed for observable windows.
- Intruder alarm installed by an approved company.
- Install movement detectors where applicable and possible.
- Door specification for entry/exit to/from data center.
- Visual or audio alarm confirmation.
- Strict badge access to data center.
- Access to only authorized Network Operation Center (NOC) and IP Telephony or IT team personnel.
- Break glass alarm sensors.
- Anti masking intruder alarm sensors in the data center and access routes.
- Alarm shunt lock on door.
- Superior protection of alarm signal transmission.
- Security marking.
- All IP Telephony and related hardware should be prominently security marked by branding or etching with the name of the establishment and area postcode. Advisory signs informing that all property has been security marked should be prominently displayed externally. The following are considered inferior methods of security marking: text composed solely of initials or abbreviations, marking by paint or ultra violet ink (indelible or otherwise), or adhesive labels that do not include an etching facility.
Local-Area Network Security Policy
This section details the essential LAN security mechanisms that should be implemented to safeguard IP-based communications.
- LAN equipment
- IP Telephony LAN equipment, hubs, bridges, repeaters, routers, and switches will be kept in secure hub rooms.
- Hub rooms will be kept locked at all times.
- Access to hub rooms will be restricted to IT and IP Telephony staff only.
- Other staff and contractors requiring access to hub rooms will notify the IT department in advance so that the necessary supervision can be arranged.
- All unused ports on switches must be in administrative shut down mode.
- Trunk ports will allow only specific VLANs to traverse the switch trunks.
- All VTP domains should be password protected, and VTP should be pruned.
- Essential port security should be enabled allowing only three MAC addresses on the access port.
- DAI and DHCP snooping should be implemented.
- Appropriate provisions for preventing CAM table overflow, IP, and MAC spoofing attacks should be implemented.
- Workstations
- Users must logout of their workstations when they leave their workstation for any length of time. A password protected screen saver will be implemented on all user workstations (helps prevent CIPC, sniffer-based attacks).
- All unused workstations must be switched off outside working hours.
- LAN wiring
- All network wiring will be fully documented.
- All unused network points will be deactivated when not in use.
- All network cables will be periodically scanned and readings recorded for future reference.
- Users must not place or store any item on top of network cabling.
- Redundant cabling schemes will be used where possible.
- Monitoring software
- The use of LAN analyzer and packet sniffing software is restricted to the IT department.
- LAN analyzers and packet sniffers will be securely locked up when not in use.
- Intrusion detection systems will be implemented to detect unauthorized access to the network.
- Servers and other related equipment
- All IP Telephony switches and routers will be kept securely under lock and key in the hub room. All IP Telephony servers will be kept in a secure data center.
- Access to the system console and server disk, tape, and network share drives will be restricted to the authorized IT/IP Telephony staff only.
- Electrical security
- All IP Telephony servers will be fitted with UPS, which also condition the power supply.
- In the event of a mains power failure, the UPSs will have sufficient power to keep the network and servers running until the generator takes over.
- All UPSs will be tested periodically.
- Inventory management
- The IT/IP Telephony department will keep a full inventory of all servers, network gear, computer equipment and software in use throughout the organization.
- Audit
- IP Telephony and underlying hardware and software audits will be carried out periodically. These audits will be used to track unauthorized changes to hardware and software configurations and to trace the source of change.
Wide-Area Network and Perimeter Security Policy
This section details the WAN and network perimeter security guidelines:
- IP Telephony equipment will be based off XYZ HQ and Remote data center, protected by firewalls.
- Remote users’ alias telecommuters will be required to connect over IPSec or SSL VPN connections to the corporate VPN server for any IP Telephony services to be availed.
- Wireless LANs will make use of the most secure encryption and authentication facilities available (for example, WPA and WPA2).
- Users will not install their own wireless equipment, switches, and phones under any circumstances.
- Unnecessary protocols and services will be disabled on routers.
- The preferred method of connection to outside organizations is by a secure VPN connection, using IPSec or SSL connections.
- Permanent connections to the Internet will be via a firewall to regulate network traffic.
- Permanent connections to other external networks for offsite processing and so on will be via a firewall to regulate network traffic.
- Where firewalls are used, a dual-homed firewall (a device with more than one TCP and IP address) will be the preferred solution.
- Firewall redundancy in Active/Standby mode is preferred.
- Network equipment will be configured to close inactive sessions.
IP Telephony Server Security Policy
This section details security policy as it applies to Windows and Linux IP Telephony servers:
- The operating system will be kept up to date and patched on a regular basis.
- Servers will be checked daily for viruses (applicable to Windows servers only).
- Servers will be locked in a data center.
- Where appropriate the server console feature (HP ILO or IBM RSA) will be activated.
- Remote management passwords will be different from the application and OS administrator passwords.
- Users possessing administrator rights will be limited to trained members of the IT/IP Telephony staff only.
- Use of the Administrator accounts will be kept to a minimum. MLA/Roles will be enabled.
- Assigning security equivalences that give one user the same access rights as another user will be avoided where possible.
- Users’ access to IP Telephony applications will be limited by the access control features (ACL).
- Intrusion detection and lockout will be enabled.
- The system auditing facilities will be enabled.
- All accounts will be assigned a password of a minimum of eight characters, alphanumeric.
- Administrators will change the server passwords every 180 days. (180 days is an example here; the number of days for changing passwords for servers may differ for different organizations and business verticals.)
- Unique passwords will be used for OS administrator and the web application administrator.
- FTP or SFTP facilities will be restricted to authorized staff only.
- SSH facilities will be restricted to authorized users.
Voice Application Security Policy
This section details the specifics of IP Telephony application level security:
- Call accounting will be used to monitor access and abnormal call patterns.
- Internal and external call forwarding privileges will be separated to prevent inbound calls being forwarded to an outside line.
- The operator will endeavor to ensure that an outside call is not transferred to an outside line.
- Use will be made of multilevel passwords and access authentication where available on IP Telephony applications.
- Voicemail accounts will use a password with a minimum length of six digits.
- The voicemail password should never match the last six digits of the phone number.
- Caller to a voice mail account will be locked out after three failed attempts at password validation.
- Dialing paid numbers will be prevented.
- Telephone bills will be checked carefully to identify any misuse of the telephone system.
- A conference call will be dropped when the initiator leaves.
- The phones of all executive level employees and managers and above must be encrypted.
- Use of encrypted conferences is preferred.
- CFA CSS can forward only calls to internal VoIP numbers.
- Auto registration of phones is not permitted; manual registration should be used.
Endpoint Security Policy
This section details the specifics of endpoint security (applies to wired and wireless IP Phones and soft phones):
- Web access to IP Phones will be disabled. (If web access is enabled, it should be either restricted by ACLs or should leverage HTTPS URLs.)
- Video capabilities where not needed should be disabled.
- Settings button access should be restricted or disabled.
- PC Voice VLAN access should be always disabled.
- PC port should be disabled on lobby, elevator, and rest room phones.
- GARP should be disabled on all IP Phones.
Conclusion
As apparent in various sections of the sample security policy, each asset in the IP Telephony network needs to be protected right from the perimeter to endpoints. It is essential that your IP Telephony Security policy covers all components as, leaving anything unguarded can possibly open up flood gates to attacks.
After you formulate your IP Telephony Security policy, it is time to look into some common questions that would mushroom in any IP Telephony or network security administrator’s mind. Two of the most burning questions are as follows:
- What is the cost of implementing security in my Cisco IP Telephony network?
- What is the right level of security for my Cisco IP Telephony network?
In the following sections, you will be introduced to the facts that can help you decide both the level of security and the cost to implement (versus not implementing) security for your Cisco IP Telephony network.