Auditing Unified Communications Security
Unified Communications (UC) has transformed the traditional business phone into a multifunction device capable of interacting with web applications, video conferencing, and integrating with call centers and other customer-experience-enhancing services. With the vast array of applications and business-critical services being deployed in a UC environment, security should be top of mind for anyone tasked with managing a company’s communications technology. Auditing a UC system can help to ensure that security features and functions are enabled and that policy, process, and procedures represent prevailing good practices for protecting the system.
This article presents a methodology for auditing UC deployments from a technical perspective; it does not go into detail on the various policies and procedures that should be in place for secure operations. Instead, it focuses on Cisco technical controls for preventing common threats that every UC deployment should include.
Security controls and countermeasures are designed to mitigate or reduce risk to sensitive business assets. In order to audit any network system, these risks must be identified to determine if the deployed IT service or technology is adequately protected. A Unified Communications audit should be scoped to take into account the likely threats that an organization faces from internal and external attackers. The three most prevalent threat categories to a UC system are:
People, Process, and Technology
After the threats are identified, you can divide the audit tasks into addressing security from a people, process, and technology perspective. A good UC audit cannot focus only on technology, as most of the weaknesses in security are a direct result of failures in the people or process aspect. It won’t help you to set a configuration standard for secure phone deployment if none of the IT staff adheres to it. Crafting your UC audit to encompass controls that address people, process, and technology is useful in mitigating or minimizing risk to the UC solution. People, process, and technology include the following:
From a technology perspective, the parts of the network most at risk are the voice gateway, call control, voice VLAN, and voice endpoint. These attack surfaces are where risk-mitigating controls should be in place, and any UC-focused audit should pay particular attention to them.
Voice gateway: The voice gateway needs to be able to defend against attacks that could enable an attacker to steal phone service, manipulate dial patterns, and prevent outbound and inbound calls from reaching their appropriate destination. Direct access to the voice gateway from internal and external data networks should be prohibited through access control lists and/or firewalls. If a voice gateway needs to have access to the Internet, because of the use of SIP voice trunking from a service provider, countermeasures should be in place to prevent unauthorized access from the Internet. SIP gateway compromises are a common source for toll fraud and it is recommended that Cisco Unified Border Element features be deployed on the gateway to strengthen SIP attack prevention.
Call control: Cisco Unified Communications Manager (CUCM) and CUCM Express are the central control points for registration of voice endpoints and call routing, making them ideal targets for denial of service and other attacks. No data network should be able to reach call control ports, TFTP servers, or any other signaling or management ports directly. A firewall should be in place between the CUCM and data networks if web access to client configuration on the Communications Manager is allowed.
Voice VLAN: The voice VLAN is a direct pathway to the UC network and should be configured to prevent attackers from gaining unauthorized access. If an attacker can gain access to the voice VLAN, they can potentially eavesdrop on voice and video calls. Cisco offers a wide range of features to prevent voice VLAN hopping and other attacks aimed at eavesdropping. The best mechanism to prevent unauthorized access to the voice VLAN is to enable the integrated 802.1x supplicant on each phone to force authentication of the phone to the network. Other configuration requirements can be found in the Cisco CUCM SRND for good security practices on Cisco switches.
Voice endpoint: The voice endpoint should be hardened to prevent user reconfiguration and access to network topology information. Phones in common areas should be physically locked in place and the data port disabled. Voice endpoints also include softphones and phones deployed at remote locations that may be using the Internet as the network transport. These phones should utilize encryption through phone proxy on the Cisco ASA to ensure confidentiality.
Technical testing of security controls allows an auditor to verify that security controls are in place and actively defending the network from common attacks. An auditor is typically looking for proof of policy enforcement, as opposed to a penetration test, which is designed to break into the network at all costs and may be outside the scope of an audit. The following are some tests that should be conducted as part of a comprehensive UC audit.
Basic Security Tests
One of the first things an attacker will do when attempting to gain access to the voice network is to perform reconnaissance to determine the IP addressing scheme and other information that will be useful in crafting an attack strategy. A Cisco IP phone will divulge lots of useful information to an attacker by simply accessing the settings menu and scrolling through the configuration screens. Administrators should disable access to this information on the voice endpoint once the UC system has been deployed, as it is useful only in a troubleshooting situation.
If an attacker can’t connect to the voice VLAN, then they are significantly limited in their ability to attack the voice infrastructure and call control functions. Auditors should test whether or not the voice and data VLANs are adequately separated. One of the easiest ways to test for voice VLAN separation is to simply plug a laptop into the back of a phone and determine if the assigned VLAN is separate from the one used by the IP phone. This may seem unnecessary, but a surprising number of voice deployments have segments that do not use voice VLANs, leaving phones and users directly connected.
If the voice VLAN is deployed, auditors should then check whether the phones have been configured to prevent VLAN hopping by sending 802.1Q-tagged packets directly to the phone PC port destined for the voice VLAN. The phone should drop the packets and prevent access to the voice VLAN. Another test that auditors should perform is to assess switch port security by unplugging the IP phone and connecting the laptop to the port instead. Again using 802.1Q, auditors should test whether they can communicate with the voice VLAN using standard 802.1Q trunking.
A really nice Voice VLAN testing tool is VoIP Hopper, which is designed to automate the process of gaining access to the voice VLAN. VoIP Hopper can be found at:
The best mechanism for preventing eavesdropping is to encrypt signaling and voice media streams. The auditor should check that voice encryption is enabled for sensitive employee roles and executives. An easy way to test that encryption is enabled is to examine the phone and look for the Shield or Lock icon displayed during an encrypted call. The Shield icon tells the user that signaling is encrypted and authenticated but the media stream is not. The Lock icon tells the user that both signaling and media encryption are enabled.
Without encryption, softphone clients are also vulnerable to eavesdropping. All mobile communicator users should be required to use encryption through a VPN on their laptops and mobile devices that terminates on a Cisco ASA.
If a phone is deployed in a home office scenario or in any situation where the phone cannot attach to a dedicated voice VLAN and must communicate in a general purpose data VLAN, it is recommended to use encryption by enabling phone proxy on a Cisco ASA to prevent direct access to the voice network from remote segments and to prevent eavesdropping.
UCSniff is an all-in-one tool that greatly simplifies the testing of eavesdropping prevention controls and allows for the recording and playback of both voice and video in a UC environment if the proper protections are not in place. Not only does the tool sniff voice and video, but it also automates VLAN hopping and VLAN discovery, making it a must for auditing voice security. Some of the capabilities of this tool are:
UCSniff can be downloaded for free at: http://ucsniff.sourceforge.net/
Gateways to the PSTN should be protected, with access control restrictions in place to limit the devices that are allowed to communicate with them. An auditor should run the port scanner Nmap against the gateway to discover which ports accept connections from the various network segments, in order to identify mistakes in hardening the gateway against attack. After the available services have been mapped, auditors should attempt to place direct calls through SIP or H.323 to see whether the gateway lets them through. IPsec should be configured on the gateway for signaling to prevent direct, unauthenticated connections, further reducing the possibility of external attackers hijacking the gateway. SIP commonly uses UDP port 5060. Auditors should check whether message digest authentication has been configured. There are numerous methods for attacking SIP, but proper authentication and access rules can reduce the risk of unauthorized use of PSTN connections.
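The gateway exposure check above can be made repeatable by comparing what a scan sees from each segment against an approved baseline. The following is an added example, not part of the original article: it parses Nmap grepable (-oG) lines that are constructed for this illustration and reports any open port a segment is not supposed to reach. The gateway address, the segment names, and the per-segment baseline are assumptions.

```python
import re

# Constructed Nmap grepable (-oG) output: the same gateway scanned from two
# vantage points. Addresses and results are made up for this example.
SCANS = {
    "voice_vlan": "Host: 10.10.20.1 (gw1)\tPorts: 22/open/tcp//ssh///, "
                  "5060/open/udp//sip///, 1720/open/tcp//h323q931///\t"
                  "Ignored State: closed (997)",
    "data_vlan":  "Host: 10.10.20.1 (gw1)\tPorts: 23/open/tcp//telnet///, "
                  "5060/open/udp//sip///\tIgnored State: filtered (998)",
}

# Assumed baseline of (proto, port) pairs each segment may reach on the gateway.
# The data VLAN gets nothing: data networks should not reach gateway signaling
# or management ports at all.
BASELINE = {
    "voice_vlan": {("tcp", 22), ("udp", 5060), ("tcp", 1720)},
    "data_vlan": set(),
}

def parse_open_ports(grepable_line):
    """Return the set of (proto, port) entries reported open in one -oG line.

    Each entry in the Ports field is port/state/proto/owner/service/rpc/version.
    """
    match = re.search(r"Ports: (.*?)(?:\t|$)", grepable_line)
    if not match:
        return set()
    found = set()
    for entry in match.group(1).split(", "):
        port, state, proto = entry.split("/")[:3]
        if state == "open":
            found.add((proto, int(port)))
    return found

def audit_gateway_exposure(scans=SCANS, baseline=BASELINE):
    """Compare each vantage point with its baseline.

    Returns {segment: sorted list of unexpected (proto, port)}; an empty dict
    means every segment sees only what it is allowed to see.
    """
    findings = {}
    for segment, line in scans.items():
        unexpected = parse_open_ports(line) - baseline.get(segment, set())
        if unexpected:
            findings[segment] = sorted(unexpected)
    return findings

if __name__ == "__main__":
    print(audit_gateway_exposure())
```

With the constructed scans, the voice VLAN matches its baseline while the data VLAN shows Telnet and SIP reachable, which is exactly the hardening mistake the audit step is meant to surface.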
Testing toll fraud controls involves reviewing and assessing dial plans and calling restrictions for different classes of users. Auditors should review dial plan configuration for adherence to phone usage policies. In particular auditors should test the following controls:
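One way to exercise the calling-restriction review described above is to evaluate a written phone-usage policy against the configured route patterns for each class of user. This is an added example, not the article's own material or a Cisco tool: the calling classes, route patterns, and policy expectations are constructed, and the first-match evaluation is a deliberate simplification of CUCM's closest-match routing.

```python
import re

# Constructed calling classes and route patterns (not from any real deployment).
# Wildcards follow Cisco route-pattern syntax: X is one digit, ! is one or more
# digits, [2-9] is a digit range, and '.' only marks the access code. Rules are
# checked in order and the first match wins (a simplification of CUCM).
DIAL_PLAN = {
    "lobby": [("9.911", "allow"), ("9.[2-9]XXXXXX", "allow"), ("9.!", "block")],
    "employee": [("9.911", "allow"), ("9.1900XXXXXXX", "block"),
                 ("9.011!", "block"), ("9.1[2-9]XX[2-9]XXXXXX", "allow"),
                 ("9.[2-9]XXXXXX", "allow")],
    "executive": [("9.911", "allow"), ("9.1900XXXXXXX", "block"), ("9.!", "allow")],
}

# Constructed expectations from the written usage policy: lobby phones get local
# and emergency only, employees lose premium-rate and international dialing.
POLICY_CASES = [
    ("lobby", "9911", "allow"), ("lobby", "95551234", "allow"),
    ("lobby", "919005551234", "block"), ("lobby", "9011442071234567", "block"),
    ("employee", "912125551234", "allow"), ("employee", "919005551234", "block"),
    ("employee", "9011442071234567", "block"),
    ("executive", "9011442071234567", "allow"), ("executive", "919005551234", "block"),
]

def pattern_to_regex(pattern):
    """Translate one route pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "X":
            parts.append(r"\d")
        elif ch == "!":
            parts.append(r"\d+")
        elif ch == ".":
            continue                 # access-code separator, consumes no digit
        elif ch in "[]-":
            parts.append(ch)         # keep digit ranges as regex classes
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + "$")

def evaluate(calling_class, dialed):
    """Return the action of the first matching rule; deny by default."""
    for pattern, action in DIAL_PLAN[calling_class]:
        if pattern_to_regex(pattern).match(dialed):
            return action
    return "block"

def audit_dial_plan(cases=POLICY_CASES):
    """Return (class, number, expected, actual) for every policy mismatch."""
    return [(c, n, exp, evaluate(c, n))
            for c, n, exp in cases if evaluate(c, n) != exp]
```

An empty result from audit_dial_plan means the configured restrictions match the policy; each tuple it returns is a class of user that can dial something the policy says it should not, or is blocked from something it should reach.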
Good UC Security Practices
Security auditing is a process in which a system's implementation is compared against good practices and standards. So where do you find the good practices against which to compare a UC deployment? Cisco provides excellent documentation for UC deployments that includes detailed security configuration for both CUCM and CUCME. The CUCM SRND guide weighs in at a portly 1200 pages and represents an enormous amount of good practice for the care, feeding, and protection of your UC system.
Another source of good practices is the National Institute of Standards and Technology, a government organization that publishes many documents detailing good security practices for all sorts of information technology. NIST 800-58 highlights many of the security issues that need to be addressed in order to secure voice over IP. This document is not as detailed on technical security countermeasures as the CUCM SRND, but it does provide a good high-level overview of the types of security controls (from both a policy and an operational standpoint) that should be in place to secure a VoIP network.
Additionally, the Defense Information Systems Agency, a part of the US military, has published a thorough checklist that documents secure configuration requirements for government-deployed VoIP systems. This document can serve as the source material for your own custom auditing checklist.
Auditing a Unified Communications system is a key aspect of maintaining a secure communications environment. Following a systematic auditing approach that addresses people, process, and technology can help reduce risk and provide assurance that your UC network is protected from attack.