<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The VoIP Mag &#187; VoIP Security</title>
	<atom:link href="http://www.thevoipmag.com/category/voip-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.thevoipmag.com</link>
	<description>The New VoIP Magazine</description>
	<lastBuildDate>Thu, 29 Jul 2010 20:07:06 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>A Guide to Understanding the VoIP Security Threat</title>
		<link>http://www.thevoipmag.com/2009/02/16/a-guide-to-understanding-the-voip-security-threat/</link>
		<comments>http://www.thevoipmag.com/2009/02/16/a-guide-to-understanding-the-voip-security-threat/#comments</comments>
		<pubDate>Mon, 16 Feb 2009 06:10:08 +0000</pubDate>
		<dc:creator>VoIP</dc:creator>
				<category><![CDATA[VoIP Security]]></category>

		<guid isPermaLink="false">http://www.thevoipmag.com/2009/02/16/a-guide-to-understanding-the-voip-security-threat/</guid>
		<description><![CDATA[

There&#8217;s no such thing as a bulletproof VoIP system, but there are things you can do to make your setup more secure.
At its heart, a VoIP system is a data network. This means VoIP deployments are vulnerable to the same internal and external threats that plague any enterprise data local area network (LAN) or wide [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody">
<p>There&#8217;s no such thing as a bulletproof VoIP system, but there are things you can do to make your setup more secure.</p>
<p>At its heart, a VoIP system is a data network. This means VoIP deployments are vulnerable to the same internal and external threats that plague any enterprise data local area network (LAN) or wide area network (WAN).</p>
<p>Enterprises pondering voice over Internet protocol (VoIP) primarily focus on the technology&#8217;s cost benefits. Yet, in their zeal to converge voice and data networks and shave telephony costs, many organizations are failing to adequately consider VoIP&#8217;s single drawback: security.</p>
<p>Like Seinfeld&#8217;s George Costanza and the cashmere sweater with the little red dot, most VoIP supporters would prefer to ignore the ugly defect that mars their otherwise stainless technology. Unfortunately, VoIP&#8217;s little red dot has the potential to cripple enterprise VoIP systems. Worse yet, VoIP&#8217;s security gaps threaten to wreak havoc in several different, often insidious ways.</p>
<p>In-Stat, a US technology research firm, predicts that the number of business IP phones sold will grow from 9.9 million in 2006 to 45.8 million in 2010. Yet, the company ominously notes that over 40 percent of the enterprises it surveyed don&#8217;t have any specific plans for securing their VoIP deployments. Additionally, when asked to rate their VoIP security knowledge, most enterprise managers In-Stat contacted characterized themselves as being &#8220;somewhat knowledgeable,&#8221; the lowest rating the survey offered.</p>
<p>Locking Down Your System</p>
<p>There&#8217;s no such thing as a bulletproof VoIP implementation, but there are a handful of fundamental steps you can take today to ensure that your system, or the systems that you&#8217;re planning, will be highly secure.</p>
<p>According to network vendor Cisco, preventing unauthorized access to the network is a smart first step in a voice security program. For an additional layer of protection, in case somebody does gain unauthorized access, organizations can also encrypt voice traffic. Voice and video-enabled VPN (V3PN) technology, available in many routers and security appliances, encrypts voice as well as data traffic using IP Security (IPsec) or Advanced Encryption Standard (AES). Encryption is performed in hardware so that firewall performance is not affected.</p>
<p>Many security experts also recommend limiting VoIP data to a single virtual local area network (VLAN). A VLAN will keep voice network traffic hidden from data network users, providing an additional layer of security. The technique can also limit the scope of damage to the VLAN in the event of an attack. An additional side benefit is that a VLAN helps prioritize VoIP data over other types of network traffic.</p>
<p>When creating the VLAN, be sure to place its equipment behind separate firewalls. This practice will restrict traffic crossing VLAN boundaries to applicable protocols and prevent viruses and other kinds of malware from spreading from clients to servers. When looking for firewall technology, be sure to examine products that support both leading standards: Session Initiation Protocol (SIP) and the International Telecommunication Union&#8217;s H.323 protocol.</p>
<p>Data and Physical Security</p>
<p>By now, just about everybody is aware of the need for packet data encryption to safeguard VoIP transmissions. Yet call signaling encryption is important as well to prevent hackers from misdirecting or otherwise interfering with call traffic.</p>
<p>To install multiple encryption layers, turn to Transport Layer Security (TLS), which encrypts the entire call process. The Secure Real-time Transport Protocol (SRTP) is useful as well for encrypting communication between endpoints.</p>
<p>A secure gateway, properly configured, is a VoIP system&#8217;s cornerstone. The gateway will limit system access to authenticated and approved users while keeping hackers safely on the outside. Gateways themselves, as well as the networks that lie behind them, can be protected through the use of a stateful packet inspection (SPI) firewall and network address translation (NAT) tools.</p>
<p>Eternal Vigilance</p>
<p>VoIP security requires constant vigilance. This means monitoring the network for suspicious activities, as well as maintaining the operating system and VoIP applications. Be sure to install updates, particularly security patches, as soon as they become available. Consider using an operating system that has been &#8220;hardened&#8221; to deflect hacker attacks. It&#8217;s also important to disable non-essential operating and application services, since hackers can exploit these pathways to enter your system.</p>
<p>Ethernet ports are also prime hacker entry points. You can help keep the bad guys out of your network by using management tools that limit access to authenticated and pre-approved users and devices. You may also want to bar softphones from your system, since these products are vulnerable to malware and can also imitate IP and MAC addresses when linked into the network via an RJ45 port.</p>
<p>Building redundancy into a VoIP system can help it better withstand hacker attacks as well as equipment failure. Multiple gateways, nodes, routers, servers and power supplies make a system more resilient and reliable.</p>
<p>Final Point</p>
<p>The good news is that VoIP threats are still a largely theoretical issue. So far, few enterprise VoIP networks have experienced anything close to a serious hacker attack. But complacency shouldn&#8217;t lull enterprise VoIP adopters into a false sense of security. Enterprises should strive to follow security best practices and demand that VoIP technology vendors build adequate safeguards into their products. Doing anything less is to court disaster.</p>

</div><!-- KonaBody -->]]></content:encoded>
			<wfw:commentRss>http://www.thevoipmag.com/2009/02/16/a-guide-to-understanding-the-voip-security-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Over 90% of VoIP (Computer Phone) Services are Vulnerable</title>
		<link>http://www.thevoipmag.com/2009/02/16/why-over-90-of-voip-computer-phone-services-are-vulnerable/</link>
		<comments>http://www.thevoipmag.com/2009/02/16/why-over-90-of-voip-computer-phone-services-are-vulnerable/#comments</comments>
		<pubDate>Mon, 16 Feb 2009 03:31:56 +0000</pubDate>
		<dc:creator>VoIP</dc:creator>
				<category><![CDATA[VoIP Security]]></category>

		<guid isPermaLink="false">http://www.thevoipmag.com/2009/02/16/why-over-90-of-voip-computer-phone-services-are-vulnerable/</guid>
		<description><![CDATA[

Why Over 90% of VoIP (Computer Phone) Services are Vulnerable to Attack
You are in the crosshairs as a primary target of computer hackers if you own a computer or operate on un-secure VoIP (computer phone) services.
John Ashcroft, Attorney General, in remarks at the High Technology Crime Investigation Association 2004 International Training Conference held on September [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody">
<p>Why Over 90% of VoIP (Computer Phone) Services are Vulnerable to Attack</p>
<p>You are in the crosshairs as a primary target of computer hackers if you own a computer or operate on un-secure VoIP (computer phone) services.</p>
<p>John Ashcroft, Attorney General, in remarks at the High Technology Crime Investigation Association 2004 International Training Conference held on September 13, 2004, stated, &#8220;We have seen worms and viruses attack&#8230;disrupting basic services&#8230;And with the increased use of the Internet and especially peer-to-peer networking, we have seen malicious code spread more quickly and infect more personal computers than ever before. The cost of these worms, viruses, and denial-of-service attacks&#8230;reaches into the billions of dollars.&#8221;</p>
<p>Daniel A. Morris, Assistant US Attorney, Computer and Telecommunications Coordinator with the District of Nebraska, stated in the article &#8220;Tracking a Computer Hacker&#8221; that &#8220;The modern thief can steal more with a computer than with a gun. Tomorrow&#8217;s terrorist may be able to do more damage with a keyboard than with a bomb.&#8221;</p>
<p>Ralph Echemendia, head of Intense School, which trains executives regarding network security risks, stated that &#8220;Telecom providers are one of the main targets for malicious attackers because they control communications for everybody.&#8221;</p>
<p>Sophisticated hackers have learned how to tap into sensitive information traveling on the Internet, and their focal point is communication.</p>
<p>How is this possible?</p>
<p>It is fairly simple. First, you should be aware that email services operate off of email servers, and web services operate off of web servers. Both email servers and web servers are built for data and not for voice.</p>
<p>Because VoIP has voice, it requires a system that will convert the voice into data packets to travel across the Internet, and then convert back to voice at the destination. However, VoIP should not be considered just another application residing on a data network, as it necessitates a real time service due to performance expectations (e.g., quality of sound).</p>
<p>The majority of VoIP computer phones require a minimum of 20 kps (kilobytes per second) of bandwidth (information carrying capacity) for data packets to travel across the Internet, which is why most require a minimum high speed Internet connection in order to function without corrupting the quality of the voice.</p>
<p>Although in the minority, a few VoIP computer phone providers, some of which are reputable, require a minimum of less than 10 kps (kilobytes per second) of bandwidth (information carrying capacity), which is why their services can be used with dial-up connections or high speed (e.g., cable), satellite, and wireless connections.</p>
<p>Over 90% of VoIP services operate using industry standard codec (encryption codes) and industry standard protocols.</p>
<p>Computers are assigned a different numeric Internet Protocol (IP) address while online, which is analogous to mail where you would have an identity location with your street number, city, state and zip code.</p>
<p>Relative to a protocol, the IP (Internet Protocol) address is a number that identifies the user and their computer. Industry standard codec and industry standard protocols are open and interpretable to the public. Unscrupulous hackers frequently launch their attacks against VoIP (Voice over Internet Protocol) services that operate on these publicly open and interpretable standards.</p>
<p>Peer-to-peer services, as well as over 90% of all VoIP computer phone services, operate on industry standard codec and industry standard protocols. In other words, their lines are not secure.</p>
<p>IM services also create targeted vulnerability to vicious hacker attacks by a simple monitoring program made available that enables electronic eavesdropping. </p>

</div><!-- KonaBody -->]]></content:encoded>
			<wfw:commentRss>http://www.thevoipmag.com/2009/02/16/why-over-90-of-voip-computer-phone-services-are-vulnerable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Is VoIP Security?</title>
		<link>http://www.thevoipmag.com/2009/02/16/what-is-voip-security/</link>
		<comments>http://www.thevoipmag.com/2009/02/16/what-is-voip-security/#comments</comments>
		<pubDate>Mon, 16 Feb 2009 01:29:08 +0000</pubDate>
		<dc:creator>VoIP</dc:creator>
				<category><![CDATA[VoIP Security]]></category>

		<guid isPermaLink="false">http://www.thevoipmag.com/2009/02/16/what-is-voip-security/</guid>
		<description><![CDATA[

Security is an obvious concern when it comes to any sort of technology, but even more so with any technology that is run through the Internet. Because VoIP runs through the Internet any information can be intercepted by anyone at any time. Because many things go through phone lines, private information can wind up in [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody">
<p>Security is an obvious concern when it comes to any sort of technology, but even more so with any technology that is run through the Internet. Because VoIP runs through the Internet any information can be intercepted by anyone at any time. Because many things go through phone lines, private information can wind up in the hands of the wrong person. Obviously, nothing is a one hundred percent guarantee because as fast as technology is made to keep information from getting in the wrong hands, the wrong hands are working to figure out how to break through those systems. Luckily, VoIP security is becoming more and more well rounded all the time and soon it&#8217;ll be so well done that even the best of the best won&#8217;t be able to get their hands on personal information.</p>
<p>One of the ways that most VoIP providers secure their customers&#8217; personal information is through the tunneling and encryption process. These techniques keep hackers and those with ill intent from capturing information packets as they pass through the internet. Most VoIP providers use Layer 2 tunneling and an encryption method called Secure Sockets Layer or SSL to keep anyone from getting into the information they shouldn&#8217;t have. The security of VoIP will undoubtedly change and become more sophisticated as technology allows and consumers demand more security and more privacy. For some time to come VoIP security will remain a huge concern, just because it&#8217;s widely known that all information that passes over the internet could potentially fall into the hands of someone with ill intent.</p>
<p>Don&#8217;t let VoIP security issues keep you from getting VoIP services. The benefits of VoIP far outweigh the security risks. The bottom line is that you are more at risk every time you get online sending emails and paying bills than you will be every time you use your VoIP services. So, the features and convenience are well worth the small security risk associated with the internet access associated with it! </p>

</div><!-- KonaBody -->]]></content:encoded>
			<wfw:commentRss>http://www.thevoipmag.com/2009/02/16/what-is-voip-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Are The Top Issues In VoIP Implementations? Hint: They</title>
		<link>http://www.thevoipmag.com/2009/02/15/what-are-the-top-issues-in-voip-implementations-hint-they/</link>
		<comments>http://www.thevoipmag.com/2009/02/15/what-are-the-top-issues-in-voip-implementations-hint-they/#comments</comments>
		<pubDate>Sun, 15 Feb 2009 22:39:45 +0000</pubDate>
		<dc:creator>VoIP</dc:creator>
				<category><![CDATA[VoIP Security]]></category>

		<guid isPermaLink="false">http://www.thevoipmag.com/2009/02/15/what-are-the-top-issues-in-voip-implementations-hint-they/</guid>
		<description><![CDATA[

What Are The Top Issues In VoIP Implementations? Hint: They Don
Now that VoIP is gaining significant momentum, many small and midsized enterprises are only too happy to jump on the bandwagon and are seeing reduced telephony costs as a result.
But, like any new technology, VoIP also has issues that need to be addressed, according to [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody">
<p>What Are The Top Issues In VoIP Implementations? Hint: They Don</p>
<p>Now that VoIP is gaining significant momentum, many small and midsized enterprises are only too happy to jump on the bandwagon and are seeing reduced telephony costs as a result.</p>
<p>But, like any new technology, VoIP also has issues that need to be addressed, according to industry experts, and some affect SMEs in particular. Larger companies that have the funding for consultant teams might be able to sidestep some of VoIP&#8217;s challenges without much effort, but SMEs will have to put in time and effort to make sure VoIP implementations are worry-free. Here are some of the top concerns.</p>
<p>Rip &#038; Replace Headaches</p>
<p>Because SMEs have smaller offices than large firms, many are tempted to simply take out existing phone systems and put in VoIP in one swift move. But the shift isn&#8217;t as easy as replacing one telephone with another, says John Halpin, public sector strategy manager at 3Com.</p>
<p>&#8220;Companies, especially smaller ones, are much better off doing a test before they really implement VoIP,&#8221; he suggests. &#8220;Putting VoIP in just one department, or even just one room, is a way for technicians to get comfortable and give everyone a sense of how the system works.&#8221;</p>
<p>The more limited implementation will also allow IT to train employees in smaller groups, rather than having to get everyone up and running within days after an implementation, a situation that could become hazardous to the help desk&#8217;s health.</p>
<p>Network Strength</p>
<p>Another significant concern is whether an SME&#8217;s network is really ready for VoIP. In some cases, the upgrade that&#8217;s needed just to deliver VoIP can wipe out any cost savings that might subsequently be realized.</p>
<p>&#8220;When converting to an IP network, companies need to think about that bandwidth increase and what that&#8217;s going to involve,&#8221; says Mary Ellen Buzzelli, a business development manager at Siemens. &#8220;A network has to be in the proper shape for VoIP to come in, and that might mean upgrades&#8212;to routers, servers, and operating systems.&#8221;</p>
<p>Smaller companies might not have the resources to do a full VoIP rollout in the way a large company can, Buzzelli notes. SMEs that aren&#8217;t ready yet for VoIP should do gradual upgrades but always keep IP telephony in mind, she advises. In many cases, a five-year plan, detailing network enhancements, can put VoIP in reach.</p>
<p>Mission Critical Calls</p>
<p>Although many SMEs will use VoIP throughout their organizations, companies that absolutely can&#8217;t have a telephone line down should be very cautious about implementing IP telephony, according to Bob Bluemer, a director at networking firm Avaya.</p>
<p>&#8220;I don&#8217;t know of a single police department using IP for their phone system,&#8221; he says. &#8220;The reason is its reliability. A company may not mind a few minutes of downtime on the phones, but if you have emergency calls, that&#8217;s going to feel like a very long couple of minutes.&#8221;</p>
<p>The difficulty comes in increased bandwidth, which can sometimes spike without warning if there&#8217;s a DoS attack or other bandwidth-clogging action, Bluemer says. In some companies, he points out, VoIP is used for the majority of calls, but mission-critical phones are plugged into the telephone company&#8217;s system.</p>
<p>Realistic Expectations</p>
<p>VoIP will save so much money that you can buy a whole new data center! It will centralize voice and data into one management application! It could cure cancer!</p>
<p>The fact is that when the hype around VoIP actually started coming true, many companies saw the systems as panaceas for limited budgets. But there&#8217;s only so much savings that VoIP will provide, and only so many new services it can boast, says Bluemer.</p>
<p>&#8220;Make a list of expectations, and bring that to vendor meetings,&#8221; he advises. &#8220;Understand that bandwidth issues, the age of data networks, and migration costs will all play a part in changing those expectations. And if the vendor doesn&#8217;t address those, find another vendor.&#8221;</p>

</div><!-- KonaBody -->]]></content:encoded>
			<wfw:commentRss>http://www.thevoipmag.com/2009/02/15/what-are-the-top-issues-in-voip-implementations-hint-they/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What are the Risks of VOIP Security?</title>
		<link>http://www.thevoipmag.com/2009/02/15/what-are-the-risks-of-voip-security/</link>
		<comments>http://www.thevoipmag.com/2009/02/15/what-are-the-risks-of-voip-security/#comments</comments>
		<pubDate>Sun, 15 Feb 2009 20:23:07 +0000</pubDate>
		<dc:creator>VoIP</dc:creator>
				<category><![CDATA[VoIP Security]]></category>

		<guid isPermaLink="false">http://www.thevoipmag.com/2009/02/15/what-are-the-risks-of-voip-security/</guid>
		<description><![CDATA[

You have heard about eavesdropping, or &#8220;phone taps&#8221; on regular phone lines (the PSTN). Most people know that this kind of activity is possible, but rarely worry about it.
But all of us worry about viruses, hackers, spam, and general violations of our personal computer space. So, when it comes to broadband internet telephone service, or [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody">
<p>You have heard about eavesdropping, or &#8220;phone taps&#8221; on regular phone lines (the PSTN). Most people know that this kind of activity is possible, but rarely worry about it.</p>
<p>But all of us worry about viruses, hackers, spam, and general violations of our personal computer space. So, when it comes to broadband internet telephone service, or VOIP, how secure are we?</p>
<p>There are a number of security issues associated with VoIP.</p>
<p>VOIP Data is Susceptible to Hacking and Eavesdropping</p>
<p>VOIP data on the Internet is the same as any other kind of data. Determined hackers can retrieve this data with the right software tools. Potentially, hackers can retrieve and record entire conversations, and other user information.</p>
<p>BUT, how likely this will happen in the future is a matter of some debate. Consider that VOIP phone calls may be as secure as cell phone calls. While it is possible to intercept and listen in to these calls, there is some determined effort required.</p>
<p>Remember that consumer VOIP at this time is encoded, not encrypted. Encoding means the data stream is modified to a certain standard. If you know what the standard is (i.e. the codec used to digitize the analog voice), then conceivably you could decode the data stream. Encryption on the other hand requires a &#8220;key&#8221; to unlock the data. Only the intended receiver would have access to the key.</p>
<p>VOIP Data Can Potentially Transport Viruses</p>
<p>Like other kinds of data that transport viruses, VOIP data streams could potentially be used in the same way, overloading VOIP networks causing delays and reduction in sound quality.</p>
<p>There have been no major incidents yet of this type of virus attack.</p>
<p>VOIP Can be Used to Transmit Spam</p>
<p>Spam, or SPIT (Spam over Internet Telephony), refers to unwanted telemarketing calls from companies trying to sell services or products.</p>
<p>At this time, it is unlikely that unscrupulous spam artists will be targeting VOIP users. More than likely, they will be using VOIP like everybody else to make cheap calls to landlines.</p>

</div><!-- KonaBody -->]]></content:encoded>
			<wfw:commentRss>http://www.thevoipmag.com/2009/02/15/what-are-the-risks-of-voip-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VoIP Vulnerabilities Still Apparent</title>
		<link>http://www.thevoipmag.com/2009/02/15/voip-vulnerabilities-still-apparent/</link>
		<comments>http://www.thevoipmag.com/2009/02/15/voip-vulnerabilities-still-apparent/#comments</comments>
		<pubDate>Sun, 15 Feb 2009 17:24:42 +0000</pubDate>
		<dc:creator>VoIP</dc:creator>
				<category><![CDATA[VoIP Security]]></category>

		<guid isPermaLink="false">http://www.thevoipmag.com/2009/02/15/voip-vulnerabilities-still-apparent/</guid>
		<description><![CDATA[

With the use of Voice Over Internet Protocol (VoIP) by all reports rapidly expanding, several recent cases have exposed serious vulnerabilities with the service. However, fraud is an everyday occurrence, so I for one wouldn&#8217;t base my decision solely on these events.
As per previous articles I have written and various on my &#8220;About VoIP Information&#8221; [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody">
<p>With the use of Voice Over Internet Protocol (VoIP) by all reports rapidly expanding, several recent cases have exposed serious vulnerabilities with the service. However, fraud is an everyday occurrence, so I for one wouldn&#8217;t base my decision solely on these events.</p>
<p>As per previous articles I have written and various on my &#8220;About VoIP Information&#8221; website, security vulnerabilities for VoIP do exist and have been, and continue to be, seriously examined and worked through by industry. However, two recent cases act as a reminder that not all holes have been closed.</p>
<p>In Australia it has been reported that a very public VoIP provider, Engin, had its Customer Relationship Management (CRM) software cracked by a hacker who publicly exposed how to obtain details of other customers&#8217; orders in a post on the broadband site Whirlpool. Engin reportedly resolved the problem the next morning before any advantage was gained.</p>
<p>Engin appeared very honest and forthright, admitting the problem and the fixes that would be put in place, with blame attributed to a third-party programming consultancy responsible for programming the CRM. Although credit card details were apparently not recorded in the area that became accessible, it does highlight the ease with which confidential personal information can be accessed, not something that is usually considered a security problem related to VoIP.</p>
<p>In another very public case, two arrests were made in early June for breaking into a New York company&#8217;s network and spoofing VoIP traffic to its service provider. Wholesale phone connections were then offered at discount rates in a pseudo-service provider manner, with a resultant 100% profit margin for the fraudsters.</p>
<p>TMCnet Executive Editor Robert Lui reported that one security expert advised the problem could have been easily averted. It is suggested that multiple security products are required for securing VoIP networks, which to some degree is in line with the layered or defence-in-depth security principle, i.e. more layers of security make it more difficult to get through.</p>
<p>Despite these two reported cases and significant discussion and reporting about a diverse range of security considerations and concerns, it must be remembered that fraud is part of everyday life and, regardless of how many checks and balances are put in place, a determined criminal will eventually be successful. Such is the case with credit cards, for example, as well as passports and other identification documents. The message to take away, in my view, is to review the service provider&#8217;s performance; virtually by the numbers game, assuming all advisable security precautions are adhered to, it would be unlucky to be a victim of hacking.</p>

</div><!-- KonaBody -->]]></content:encoded>
			<wfw:commentRss>http://www.thevoipmag.com/2009/02/15/voip-vulnerabilities-still-apparent/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>VoIP Spam &#8211; Voice Advertisement</title>
		<link>http://www.thevoipmag.com/2009/02/15/voip-spam-voice-advertisement/</link>
		<comments>http://www.thevoipmag.com/2009/02/15/voip-spam-voice-advertisement/#comments</comments>
		<pubDate>Sun, 15 Feb 2009 15:15:11 +0000</pubDate>
		<dc:creator>VoIP</dc:creator>
				<category><![CDATA[VoIP Security]]></category>

		<guid isPermaLink="false">http://www.thevoipmag.com/2009/02/15/voip-spam-voice-advertisement/</guid>
		<description><![CDATA[

Voice to Phone Advertisement over VoIP, or SPIT (Spam over IP Telephony), is a security threat with the potential to fill voicemail boxes with unwanted messages in much the same way that spam currently fills many email inboxes. With toll costs low and access open in many VoIP environments, advertisers are theoretically able to record [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody">
<p>Voice to Phone Advertisement over VoIP, or SPIT (Spam over IP Telephony), is a security threat with the potential to fill voicemail boxes with unwanted messages in much the same way that spam currently fills many email inboxes. With toll costs low and access open in many VoIP environments, advertisers are theoretically able to record an &#8220;advertisement&#8221; once and blast it to many using nothing more than a PC.</p>
<p>As more telephone traffic moves onto the Internet, attracted by its low costs, so too will the sales pitches of telemarketers. And just like e-mail, individual Internet voice messages can easily be sent from one to many.</p>
<p>Although marketers already use voice mail for commercial messages, IP telephony makes a more effective channel because the sender can send messages in bulk instead of dialing each number separately. Internet phones are often mapped to telephone numbers in the interests of computer-telephony integration, but each has an IP address as well.</p>
<p>SPIT is not much of a problem yet, simply because IP telephony is not widely used. However, experts expect that the technology will become increasingly common over the next several years, thus making it much more attractive to advertisers.</p>
<p>Broadcast messaging is less expensive and faster than traditional direct marketing techniques. In addition, it allows a company to deliver a more consistent message and discover what part of the message is well received and what part needs further refinement. This provides a better return on investment, as the message can be modified midstream to improve response rates and customer satisfaction.</p>

</div><!-- KonaBody -->]]></content:encoded>
			<wfw:commentRss>http://www.thevoipmag.com/2009/02/15/voip-spam-voice-advertisement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VOIP Security Needs Attention Now</title>
		<link>http://www.thevoipmag.com/2009/02/15/voip-security-needs-attention-now/</link>
		<comments>http://www.thevoipmag.com/2009/02/15/voip-security-needs-attention-now/#comments</comments>
		<pubDate>Sun, 15 Feb 2009 12:28:15 +0000</pubDate>
		<dc:creator>VoIP</dc:creator>
				<category><![CDATA[VoIP Security]]></category>

		<guid isPermaLink="false">http://www.thevoipmag.com/2009/02/15/voip-security-needs-attention-now/</guid>
		<description><![CDATA[

VOIP security has been an issue for the industry&#8217;s providers almost since its conception. Many consumers seem to be uninformed or just uninterested when it comes to protecting their communications. Experts believe that this apathy stems from the fact that VOIP has yet to suffer any real attacks to date.
There are several scenarios [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody">
<p>VOIP security has been an issue for the industry&#8217;s providers almost since its conception. Many consumers seem to be uninformed or just uninterested when it comes to protecting their communications. Experts believe that this apathy stems from the fact that VOIP has yet to suffer any real attacks to date.</p>
<p>There are several scenarios that have been predicted when it comes to the downside of VOIP security. One of them is phishing scams similar to those that have bombarded the email industry. Criminal minds are hard at work devising ways to pick the pockets of VOIP users. These bad guys will use a system to call the VOIP customer and request bank information. They may even provide a website or phone number that seems official. Some of these attacks have already occurred, but they are not widespread and are not receiving much press.</p>
<p>Hackers are not just about the almighty dollar &#8211; they are about fame. For some criminals, just hurting a company (and making it to the news) is payment enough. These bad guys will look to break through weak VOIP security in order to paralyze the phone system of a company. They may also demand a ransom in order to release the phone system.</p>
<p>Currently, the risk of widespread attack is not that high. Because VOIP has not yet made it to the mainstream, the numbers are not there to entice the attackers. That does not mean that it is a time to relax. Providers, and subscribers, still need to make VOIP security a priority. No one wants to be the one hit that sets off the warning in the industry. Unfortunately, it may have to be that someone is hurt before the public (and the media) pay attention.</p>
<p>There are many companies that are leading the charge for VOIP security. BorderWare Technologies and the NEC Corporation are just two of the industry leaders who are seeking to secure the technology before it can be exploited.</p>

</div><!-- KonaBody -->]]></content:encoded>
			<wfw:commentRss>http://www.thevoipmag.com/2009/02/15/voip-security-needs-attention-now/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>VoIP Security Issues</title>
		<link>http://www.thevoipmag.com/2009/02/15/voip-security-issues/</link>
		<comments>http://www.thevoipmag.com/2009/02/15/voip-security-issues/#comments</comments>
		<pubDate>Sun, 15 Feb 2009 09:35:41 +0000</pubDate>
		<dc:creator>VoIP</dc:creator>
				<category><![CDATA[VoIP Security]]></category>

		<guid isPermaLink="false">http://www.thevoipmag.com/2009/02/15/voip-security-issues/</guid>
		<description><![CDATA[

Differences in VoIP architecture compared to traditional land lines have resulted in a number of issues associated with VoIP Security.
As with all new technologies, there are many opportunities as well as risks involved with VoIP, which can be very damaging to individuals, small businesses, and large corporations alike. Therefore VoIP Security must be a primary [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody">
<p>Differences in VoIP architecture compared to traditional land lines have resulted in a number of issues associated with VoIP Security.</p>
<p>As with all new technologies, there are many opportunities as well as risks involved with VoIP, which can be very damaging to individuals, small businesses, and large corporations alike. Therefore VoIP Security must be a primary consideration before benefits such as flexibility and low costs.</p>
<p>Although VoIP is digitised voice travelling in &#8220;packets&#8221; over a network, which may seem like &#8220;any other data&#8221;, the technology behind VoIP adds complications.</p>
<p>It would be misleading for VoIP users or administrators to assume that their already secure networks would handle VoIP calls without any potential risks involved, so inevitably, some further security measures are necessary.</p>
<p>For everyday residential users, VoIP Security is mostly a matter of preventing others from eavesdropping on conversations as well as having some protection when telephone banking, or when security details are exchanged by both parties.</p>
<p>Business users face some added challenges with VoIP Security. Since many businesses operate their own gateways and other equipment for connecting to the Internet, they are more susceptible to Denial of Service (DoS) attacks or other kinds of malicious hacking.</p>
<p>Viruses could potentially overload VoIP networks, causing delays and a reduction in sound quality. Although this is a threat that hasn&#8217;t actually been seen yet, it is a concern for many businesses.</p>
<p>VoIP is also susceptible to spam, where users could be hit by hundreds of marketing calls trying to sell services or products.</p>
<p>VoIP Security concerns can be addressed in a couple of ways. The first method is through encryption, just like when you enter a credit card number on a web page. The second option is to separate VoIP data from other Internet traffic by using a Virtual Local Area Network (VLAN). However, employing both these methods can affect call quality. Quality of Service (QoS) is essential to the operation of a VoIP network that meets the user&#8217;s quality expectations, and as noted, taking these measures can cause deterioration in QoS.</p>
<p>Some VoIP service providers do offer VoIP Security through the means of encryption or separate data routes (VLAN). Businesses in particular need to be concerned about VoIP Security issues and be aware of the risks involved when considering moving to VoIP technology to ensure customer confidence is not affected.</p>

</div><!-- KonaBody -->]]></content:encoded>
			<wfw:commentRss>http://www.thevoipmag.com/2009/02/15/voip-security-issues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VoIP security fundamentals</title>
		<link>http://www.thevoipmag.com/2009/02/15/voip-security-fundamentals/</link>
		<comments>http://www.thevoipmag.com/2009/02/15/voip-security-fundamentals/#comments</comments>
		<pubDate>Sun, 15 Feb 2009 07:21:46 +0000</pubDate>
		<dc:creator>VoIP</dc:creator>
				<category><![CDATA[VoIP Security]]></category>

		<guid isPermaLink="false">http://www.thevoipmag.com/2009/02/15/voip-security-fundamentals/</guid>
		<description><![CDATA[

Voice over IP (VoIP) security is a challenge for IT staff because IP telephony (IPT) brings with it not only the security problems of data networks but also new threats specific to VoIP. In this fundamentals guide, learn about network security threats and emerging IP telephony threats, and how to secure your VoIP systems and [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody">
<p>Voice over IP (VoIP) security is a challenge for IT staff because IP telephony (IPT) brings with it not only the security problems of data networks but also new threats specific to VoIP. In this fundamentals guide, learn about network security threats and emerging IP telephony threats, and how to secure your VoIP systems and endpoints from them.</p>
<p>How to think about VoIP security</p>
<p>Security requires constant vigilance. Security is all about the protection of resources &#8212; data, devices, networks, applications and people. While access to these resources is the goal of the user, securing access to these resources means the administrator of the resources wants to limit, even prevent, that access. Enterprises already have many security problems with their data network infrastructure, servers, desktops and software. Adding VoIP and IPT to the mix only compounds the security problems.</p>
<p>There are several security issues with VoIP networks:</p>
<p>   1. The VoIP/IPT devices, servers, gateways and phones share the data network and inherit the data network&#8217;s security problems.<br />
   2. There will be data attacks on voice devices such as Denial of Service (DoS) and malware.<br />
   3. It is easier to eavesdrop on IP calls than on TDM calls.<br />
   4. The centralised TDM PBX is gone. The VoIP/IPT resources are scattered around a network.<br />
   5. The operating systems of the VoIP/IPT devices are less secure than the TDM operating systems of the past.<br />
   6. Systems (PBX) administration can be located at multiple locations and can be accessed by Web browsers.</p>
<p>VoIP security vs. voice quality</p>
<p>It may not be apparent, but security tools and solutions will conflict with voice quality. The more barriers there are in the network and endpoints for security purposes, the more interference there will be with voice quality.</p>
<p>One of the first issues is the firewall. The firewall can block calls because it cannot process the signaling or dynamically allocate the UDP ports for the calls to pass through it. Firewalls may not read the QoS markers in the voice packet, thereby degrading the packet delivery service. Other issues include:</p>
<p>   1. Voice packets, when they pass through security devices, can cause added delay, jitter and packet loss during the call.<br />
   2. Intrusion prevention systems perform considerably more processing than a firewall and have been proven to cause voice quality degradation.<br />
   3. Encryption and decryption add delay to the calls.<br />
   4. VPN connections encrypt the QoS markers. The routers consequently cannot deliver the needed QoS for the voice packets.</p>
<p>The security vs. voice quality conflict will be hard to resolve. The voice manager, obviously, does not want poor-quality calls. If the calls are poor, then why have calls travel over the data network in the first place? The security manager does not want to open the network and endpoints to security exposures that will not only compromise the voice services but weaken the data functions as well. This will require a great deal of negotiation and compromise. Security is important, but not at the cost of an unacceptable voice service.</p>
<p>Finding vulnerabilities</p>
<p>There are two sites that demonstrate the software security threats to the data functions. These lists now include VoIP/IPT vulnerabilities. Both lists are funded by the federal Homeland Security Administration. The first is hosted at Mitre. This site has a dictionary of standardised names and descriptions for Common Vulnerabilities and Exposures (CVE). The second site hosts the National Vulnerability Database at the federal National Institute of Standards and Technology (NIST).</p>
<p>The voice staff has not encountered many security problems with traditional TDM PBXs, but voice staff may not be prepared for the new range of security issues that will become evident as the enterprise migrates to IPT or VoIP. The VoIP personnel will either have to take on their own security responsibilities or use the existing security personnel. In either case, the new responsibilities for VoIP security will require education, possibly some organisational adjustment, and expanded job descriptions.</p>
<p>What data security threats exist in VoIP/IPT?</p>
<p>Most of the people working with Ethernet and IP networks today were not around when these technologies debuted. No security was integrated into the Ethernet design. Ethernet endpoints were to be responsible for security, not the Ethernet network. The creation of TCP, UDP and IP protocols also left security to the endpoints. Security problems such as viruses were considered a novelty in 1988 and were not given serious consideration. We do not want to make the same mistake with VoIP security.</p>
<p>IPT vendors have been moving to common operating systems (Linux, UNIX and VxWorks), as well as continuing to use Windows. All of these operating systems will be attacked, whether they support data or voice applications. The threats to the operating systems for VoIP will be the same as those encountered for data function support.</p>
<p>The following data threats are not yet as prevalent for VoIP as they are in data networks, but they will become more common in the future.</p>
<p>    * Viruses and worms (in call servers, gateways and phones)<br />
    * Trojan horses<br />
    * Port scanning (for signaling and RTP speech ports)<br />
    * Malicious executable software (even in the IP phone)<br />
    * Spoofing source identity (pretending to be the call server)<br />
    * Spyware (in IP phones)<br />
    * Password/identity cracking<br />
    * Denial of Service (both traditional DoS and new types for VoIP/IPT)</p>
<p>These data threats will only increase with time as more people learn about VoIP and more products are installed. IP telephony systems use the data DHCP, DNS, TFTP and NTP servers. If these servers are not well protected (they are vulnerable in many enterprises), the IPT system is also vulnerable to security threats. Verify the security of these servers with the appropriate staff before you allow the IPT system, gateways and IP phones to access them.</p>
<p>A good set of security resources can be found at the US National Institute of Standards and Technology. Look for the following publications:</p>
<p>    * SP 800-100, Information Security Handbook: A Guide for Managers<br />
    * SP 800-12, An Introduction to Computer Security: The NIST Handbook (look for the latest version)<br />
    * Draft Special Publication 800-94, Guide to Intrusion Detection and Prevention (IDP) Systems<br />
    * Draft Special Publication 800-80, Guide for Developing Performance Metrics for Information Security</p>
<p>Securing the elements of the VoIP network</p>
<p>The first conclusion is that VoIP security issues that occur in the data network should be managed and solved by the existing network security personnel. They already do the job and have the responsibility for protecting data traffic. The security problems may not be new, but the problems will occur more frequently as VoIP is added to the network traffic mix.</p>
<p>The IPT call server is not quite the same as the data server. Data servers normally correspond with a desktop and deliver the information or service to the desktop. The call server exists for signaling, but once the call is set up, voice traffic bypasses the call server and is no longer in a signaling dialog with the IP phone. Call server security is concerned with PBX administration, call control, performance, call admission control, management, features and functions assignment, and restriction.</p>
<p>The security of the call server should be assigned to the same group that manages the data server security. DoS, tampering and malicious code, which are problems for the data server, will be problems for the call server as well. There will be more attempts to access the call server to modify privileges and restrictions assigned to the IP phones and gateways. An intruder may attempt to register rogue phones.</p>
<p>If there are firewalls in front of the data servers, there should be a firewall in front of the call server. Check with the call server vendor to determine whether third-party security software can be resident in its call server product. Some call server vendors will optionally supply their own security software but will not allow third-party security software to be resident. Resident third-party security software may impair call server performance.</p>
<p>IP phones with two Ethernet ports can be used to invade the data network by connecting a laptop to the second Ethernet port on the phone. Someone could disconnect an IP phone with a single Ethernet port and plug in a laptop that simulates an IP phone in order to gain unauthorised access to the data network.</p>
<p>Voice security may be initialised by the call server, but the voice connection security operation is the responsibility of the endpoints: phones and gateways. The endpoints can be attacked without interfering with the call server. The call server can be fooled into thinking that the endpoint security is satisfactory. The IP phones should be considered as a desktop endpoint and managed as a desktop with some unique problems. They can be attacked like any other IP device.</p>
<p>The gateway presents a new set of problems because it connects to legacy analog and digital phones, faxes and other analog devices, as well as PSTN trunks. Some IPT vendors offer security software in the gateway, such as an integrated firewall. The security of legacy connections has issues that will be new to the data security personnel. These issues will be covered in the next tip.</p>
<p>The IP side of the gateway should be managed like any other data device by the same personnel who handle the endpoints &#8212; most likely the desktop security personnel. The desktop security personnel may be reluctant to accept this responsibility because the gateway is so different from the typical desktop.</p>
<p>Although the data network, server and desktop security problems will also occur in VoIP devices, the voice staff may have holes left in the VoIP security picture. The existing security personnel see disruptions caused by deploying VoIP as weakening their security controls. New policies, and probably new hardware and software, will be necessary to fully protect the IPT environment from existing data security threats.</p>
<p>What makes VoIP security different?</p>
<p>In addition to data security issues, VoIP is plagued by other problems that will expand the definition of information security. Part of the problem for the VoIP implementer is that legacy TDM PBXs and phones have very few security problems. Not only is security strong, but the user is also used to a high level of privacy. The primary security issues for TDM-based PBX systems were toll fraud and tampering with feature/function privileges and restrictions. Both of these problems have been significantly reduced in the past several years.</p>
<p>TDM analog and digital phones are dumb. The PBX contains all of the intelligence and is essentially a closed system. This is not true for VoIP. The call server is more easily accessed and gateways and IP phones are software based rather than hard-wired. The softphone is no more secure than any other PC application. VoIP has opened voice devices to more security problems and attacks than encountered in TDM-based environments.</p>
<p>Security personnel have to broaden their perspective in response to VoIP&#8217;s security problems. There will be security issues with the server. Many of the new threats will relate to the phones and gateways. The attack or threat may appear to be the same as that found in data security, but the results will be different. Many of the threats will be generated behind the firewall by internal employees, individuals who are on site temporarily, and contractors. Some threats are not really attacks but are caused by negligence or abuse.</p>
<p>The threats can be variations of those found in data networks or can be specific to VoIP. Here are some of the security threats found in IP-based telephone networks:</p>
<p>   1. Signaling tampering</p>
<p>          * Fuzzing is a tool used by developers to locate problems. It can also be used to attack a signaling protocol implementation. Fuzzing discovers vulnerabilities by creating packets that push a protocol to its breaking point. SIP can be attacked this way. This can create denial of service (DoS), endless loops, logic errors, buffer overflow, configuration errors, access validation flaws and information leaks.<br />
          * A PC can be loaded with server software and behave as the real call server by spoofing other devices. The rogue call server is then in control, supporting the signaling protocol.<br />
          * Flood-based DoS can be caused by a PC on the network sending many &#8220;register&#8221; packets that can tie up the phone operation.<br />
          * Another DoS can be created by sending many &#8220;invite&#8221; packets that cause the phone to ring. (The user picks up the phone, and no one is there; he then hangs up, and the phone rings again.)<br />
          * In session teardown, an attacker sends &#8220;bye&#8221; packets that cause the phones to hang up.</p>
<p>   2. Directory tampering</p>
<p>          * Registration manipulation can erase, add or hijack a phone&#8217;s registration.<br />
          * Calls can be redirected to another phone without the caller&#8217;s knowledge.</p>
<p>   3. Feature and function tampering</p>
<p>          * These can be enabled and disabled without authorisation from the administrator.<br />
          * Incoming and outgoing calls can be blocked by settings configured in the call server.<br />
          * Applications in the call server can be blocked or enabled improperly.</p>
<p>   4. SPIT</p>
<p>          * This is SPAM over Internet Telephony. SPIT can rob the network of bandwidth, interfere with QoS and overload voicemail systems. It also takes longer to eliminate SPIT from a voicemail box when the caller is unknown and the listener must hear the call to determine whether it is legitimate.</p>
<p>   5. RTP attacks</p>
<p>          * RTP attacks can inject sounds into a phone conversation. The speaker does not know of the injected sounds and the listener thinks the sounds are coming from the speaker, not a third device injecting other sounds. (What if someone is on a conference call or calls home to say he is working late, but the listener hears restaurant or bar sounds instead?)</p>
<p>   6. Check-sync messages</p>
<p>          * These can be sent to the endpoints, causing repeated reboots that do not allow the phones to work properly.</p>
<p>   7. Caller ID spoofing</p>
<p>          * Caller ID is now carried in a data packet that can be generated falsely. This can have an adverse effect because attackers can pretend to be valid executive or special phones, IVR or call centers. The caller ID simulation cannot be detected by an unknowing caller or called party.</p>
<p>   8. Eavesdropping</p>
<p>          * This is easier to perform with IP-based calls than TDM-based calls. Any protocol analyser can pick up and record the calls without being observed by the callers. There are software packages for PCs that will convert digitised voice from standard CODECs into WAV files.<br />
          * The speakerphone function can be turned on remotely, with the caller on mute so that there is no sound coming from the phone. This has happened with some IP phones in executives&#8217; offices. Their offices can be listened to without their knowledge.<br />
          * PCs and laptops that have microphones attached or integrated into them can be enabled as listening devices without the user&#8217;s knowledge. There is a rootkit available for this purpose.</p>
<p>What security tools exist to protect a VoIP network?</p>
<p>VoIP security tools can help the enterprise&#8217;s security staff test IP telephony vulnerability and take measures to prevent security breaches.</p>
<p>   1. Sniffing and manipulating the packet stream</p>
<p>      When discussing IP telephony vulnerability test tools, there is always the issue that publicising information will be considered unethical because it can fall into the hands of potential attackers.</p>
<p>      However, many VoIP sniffing tools are publicly known. Attackers will use them anyway, and hiding this information from the public ensures that the tools will be more useful to the attackers. The attackers will become reliant on the ignorance of the enterprise security staff if the tools are not known to the public. When the enterprise security staff has access to these tools, they can move forward to mitigate security problems.</p>
<p>   2. IP telephony fuzzing tools</p>
<p>      Fuzzing is a form of stress testing using malformed packets. Fuzzing is also known as functional protocol testing or robustness testing. It is usually used to automate vulnerability discovery. It finds bugs and vulnerabilities by producing different packet types that target a protocol. The fuzzing attack pushes the protocol&#8217;s design specifications to the breaking point. It is often used by developers and vendor internal QA groups to test their protocol implementations.</p>

</div><!-- KonaBody -->]]></content:encoded>
			<wfw:commentRss>http://www.thevoipmag.com/2009/02/15/voip-security-fundamentals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
