It Is Only Dialtone Jean Silbaugh September 8, 2000 For how long has there been a boundary between the "Voice Group" and the "Data Group"? You can usually walk into any Telecommunications department and see the divide between those employees that are administrators of voice equipment and those of data equipment. To use a phrase from the voice group, "Its not just dial tone anymore", emphasizes that Plain Old Telephone (POT) serves is dead. Are these groups ready and able to share their bandwidth? If so, are the networks ready to handle the load? We have seen over the last few years, what was once thought of as voice companies, such as Lucent and Nortel, buying data equipment companies, Internet/Security Consulting Companies as well as other types of Internet networking companies, which has brought them to the forefront of the Internet/Data world. And with our constant increasing need for speed regarding Internet access, the old 56k single pair phone line is being replaced with services like ISDN and DSL. ISDN lines, through data routers and digital phone extenders, give telecommuters LAN-speed data connectivity and features like Voice Mail, Call Forwarding, Speed Dialing and Conferencing from home. Remote Call Center agents receive queued calls and the same screen-pops as agents located at a central site. These screen-pops can contain user account and transaction information from a data server with backend connectivity to mainframe applications and are not always encrypted. DSL, while supplying speed, has created security issues for home computers. Security is no longer just a concern of corporations for corporate networks but a concern for anyone who owns a computer with access to the Internet from home or office, hence, the explosion of desktop firewall products like BlackIce and ConSeal. With the push to offer new voice, data and multimedia services over a common network, we create new issues and requirements of compatibility for hardware, software and signaling. With hundreds of call centers throughout the United States, the Enterprise Computer Telephony Forum (ECTF) is one organization that is striving to create standards to meet these requirements with the S.100 (software interfaces specifications) and H.100 (hardware specifications). Computer Telephony Integration (CTI) controls commands and messages between computers and telephone systems. Agilent has commented, "To interoperate with the PSTN, and to integrate intelligent networks and IP networks for a seamless delivery of services, IP switches must support the SS7 protocol." Two network types make up the current telephone system: speech path (voice channels) and signaling (data messages). Signaling system number 7 (SS7) is the protocol used by the signaling network, a digital packet network with built-in redundancy. SS7 uses out-of-band signaling which has many advantages over the old inband signaling which used the same channel for voice as it did for signaling information and was susceptible to billing fraud through the faking of tones. The International Telecommunication Union (ITU) has approved H.323 specifications for how voice and video traffic is transported over local area networks. There are four components that make up the architecture. Gateways, which interface between packet-based data networks such as IP and Public Switched Telephone Networks (PSTN), Gatekeepers which perform IP network functions such as translation between ip addresses and phone numbers, terminals which reside on wide area networks which includes pc’s and telephones and finally multipoint control units. The Internet Engineering Task Force (IETF) with ITU have agreed on a single standard called H.248 that elaborates on the H.323 specifications. H.248 breaks the H323 gateway function into sub-components and protocols used for communication. Voice Over IP (VoIP) is one service that is expanding based on these standards. VoIP is the ability to compress and transmit voice communications over IP networks like the Internet as well as wide and local area networks. Industry analysts estimate 25% to 40% of all international telephone traffic will be over Internet gateways with 60% of major public telecommunication operators believing that IP telephony will be the main means of telecommunication by the year 2004. Many new companies have started offering VoIP solutions and this year we have seen companies combining efforts to create state-of-the art networks like Cisco and Simplified’s effort to create a new network for Mundi Telecom in Spain allowing voice and data transmissions on the same network. Latency and low quality of service are some current limitations with VoIP. It is believed that once IP network’s Quality of Service is equal to that of the PSTN, costs for these type of calls will increase. Why am I bringing all this up? Because I feel that in most corporations, voice systems and networks have not received the security attention that the data networks have leaving them vulnerable in ways never thought of. Internet access has been the major focus for senior management with emphasis on the web, mail, ftp and dns servers, since these are typically higher profile devices for corporations performing business on the Internet. What they typically do not think of is that the PBX’s, Voice Mail systems and Auto Attendants, are now being accessed over the same IP networks for management and functionality. An example of a service that is integrating the data and voice world is unified messaging. This feature offers the ability to merge voice, fax and email messages into a single interface. It can be managed with Lotus Notes, Microsoft Exchange/Outlook or Novell Groupwise, and web browsers such as Microsoft Internet Explorer and Netscape Communicator. Avaya (Lucent) offers a product called Definity Anywhere which offers voice calls to be sent directly to your desktop, real time data file sharing with local and remote users, conference calls via Internet web browser access and NetMeeting, call forward corporate numbers to remote locations as well as many other features. Having corporate names and numbers on a Internet site creates security risks for social engineering by revealing employee names and corporate numbers. The real time data sharing would leave client workstations vulnerable and chances are most employees would not turn file share off after allowing access to valid users. Call forwarding to locations external to the PBX has always been a security issue allowing for toll fraud. In the past, dialup lines where the main method of accessing the management ports on these systems with vendors offering user id and password protection and in some cases a lock and key technology. As with data equipment, these systems where set-up using default user ids such as cust, sa, or logi that are rarely changed or deleted by administrators. Now these systems are accessed through IP networks through telnet sessions resulting in plain text user ids and passwords being thrown on the network. Certain vendors use a unix platform for their local management consoles OS. How many unix system administrators do you think actually install these servers and lock them down according to corporate security requirements and policy like they would data servers? My guess is very few. In fact, I know of a company who allowed the vendor technicians to install their systems but never provided them with the company security policy or guidelines for setting up a unix or nt system. If you think these systems were included in follow-up security scans and checks for open vulnerabilities, you would be wrong. These systems where not thought of when contracting with penetration and vulnerability testing companies, mainly because they are not "data" servers and voice systems where never thought of. We can not continue to think of Voice Network security issues being just call routing, remote access, dial-up lines and toll fraud. Nor can we think of voice security issues being the other department’s responsibility. Remember, "risk assumed by one is shared by all" and in today’s world, the risk assumed by the voice group, is shared by the data group. We need to step back and look at the security module of Integrity, Availability and Confidentiality to include any network, system and application whether voice or data and no longer think of them as two separate entities. Security professionals need to get busy cross training on the known vulnerabilities that have become common between voice and data and those that are still unique to each. And be ready to learn what new vulnerabilities, Trojans, viruses and whatever else will be created as voice and data networks, systems and applications combine and interact with each other and as new technologies are developed to meet the future needs and demands of corporations. If we do not take proactive steps to learn and eliminate vulnerabilities and exploits, I am sure the Hacker Community will be prepared and more then willing to show them to us. With all this said, we have not even begun to discuss what the world of wireless has in store for us. But that is another topic for another day. And that day should be today. References: Churchill, Sam. "Welcome to Sam’s Telecommunication Casbah" http://www.teleport.com/~samc/cable1.html (Aug. 16, 2000) Enterprise computer Telephony Forum. "H.100 Q&A". URL: http://www.ectf.org/ectf/news/techfaq.htm (Aug 16, 2000) Hewlett Packard. "SS7, The Vital Link" URL: http://www.communications.hp.com/opencall/ss7.html (Aug. 21, 2000) Hewlett Packard. "HP, Cisco and Simplified Chosen to Deliver End-to-End VoIP Network for Spain’s Mundi Telecom". URL: http://www.communications.hp.com/opencall/tools/pressroom/voip_network.html (Aug. 21, 2000) ITU. "Signaling System 7" URL: http://www.agilent.com/cm/commslink/hub/tech/ss7/ (September 7, 2000)