VoIP Security Posted on: March 29, 2008 at 12:00 AM
VoIP Overlook Security
Corporations that are implementing voice over IP (VOIP) technologies in a bid to cut communications costs shouldn't overlook the security risks that can crop up when the voice and data worlds converge, users and analysts say.
VoIP Overlook Security Corporations that are implementing voice over IP (VOIP) technologies in a bid to cut communications costs shouldn't overlook the security risks that can crop up when the voice and data worlds converge, users and analysts say.
Most users implementing VOIP these days are primarily concerned about voice quality, latency and interoperability. All are fundamental quality-of-service considerations that companies need to deal with before they can even begin justifying the move to VOIP.
But some security organizations are cautioning users about the dangers of unsecured VOIP services. For instance, in an August 2001 paper on its Web site, the Bethesda, Md.-based SANS Institute warned of privacy- and authentication-related issues stemming from VOIP services and urged users to apply the same precautions they've used to protect their data services.
Introduction of Voice over IP
Voice over IP ? the transmission of voice over packet-switched IP networks ? is one of the most important emerging trends in telecommunications. As with many new technologies, VOIP introduces both security risks and opportunities. VOIP has a very different architecture than traditional circuit-based telephony, and these differences result in significant security issues. Lower cost and greater flexibility are among the promises of VOIP for the enterprise, but VOIP should not be installed without careful consideration of the security problems introduced. Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VOIP components into their already-secured networks and remain secure. However, the process is not that simple.
Telephony Security VoIP has finally arrived as a mainstream application. IP PBX equipment sales topped $1 billion in 2005, for the first time outpacing traditional TDM PBXs, according to Dell' Oro Group. In fact, analysts predict that IP PBXs will account for more than 90% of the market by 2009. Before you deploy VoIP, however, you need to be aware of the security risks and the countermeasures that you can take.
Security is important in every context, but especially when you're replacing the world's oldest, largest and most resilient and available communications network. While no individual security measure will eliminate attacks against VoIP deployments entirely, a layered approach can meaningfully reduce the probability that attacks will succeed.
The VoIP Security Takes Center Stage
Opher Kahane is no stranger to the world of VoIP security. Kahane was the cofounder of Kagoor Networks, which was acquired by Juniper in March of this year. Kagoor's claim to fame was its session border control (SBC) products.
Kahane noted that one of the issues discussed that seemed to resonate with the audience was the generally shared assumption that the good old TDM (traditional telephone) world is secure from a telecom perspective. TDM telephony is, however, also susceptible to attack. That said, Kahane commented that securing a VoIP enabled network is clearly more complex than
TDM-and more complex than securing a regular data network that doesn't need to carry voice traffic.
Security Learning Guide More organizations are choosing to implement VoIP telephony for its cost savings. However, securing the technology comes with its own price tag. Created in partnership with our sister site, SearchVoIP.com, this guide is a compilation of resources that review the importance of VoIP security, protocols and standards, LAN security, vulnerabilities, troubleshooting, threats and more.
VoIP (voice over IP) is an IP telephony term for a set of facilities used to manage the delivery of voice information over the Internet. VoIP involves sending voice information in digital form in discrete packets rather than by using the traditional circuit-committed protocols of the public switched telephone network (PSTN).
Security Framework An industry group has released what's billed as the first comprehensive description of security and threats to Voice over IP (VoIP) systems. The framework - dubbed the VoIP Security Threat Taxonomy - was put together by the newly formed Voice over IP Security Alliance (VOIPSA) and is designed to provide the industry with a clearer view of VoIP security risks put into context with a discussion of technical trade-offs.
Until now, the public has been uncertain about the various threats, how risks related to each other and technical trade-offs. This is fundamental to all future work in the field," said Jonathan Zar, secretary and outreach chair for VOIPSA, head of the taxonomy project and senior director for firewall supplier SonicWALL.
Security with safe and Sound Security concerns are nothing new for voice. Legacy phone systems have had trouble with toll fraud for decades. These days, some enterprises are holding off on installing voice over IP because of security fears, while others have forged ahead without addressing the problem. Most industry analysts estimate that at least half of new enterprise voice phones this year will be VoIP handsets, which means there's a good chance you'll have to face the voice security issue soon--if you don't, you're leaving your system open to attack.
There's no magic bullet for effective VoIP security, but it must be part of your overall security strategy. Because VoIP is an application that becomes part of the IP network--which should already have good security practices in place--the more secure your overall network, the harder it will be for an attacker to eavesdrop, cause a DoS (denial-of-service) attack, or break into an OS or application in a VoIP system.
VoIP Deployment Voice-over-IP (VoIP) technology has come of age and is quickly gaining momentum as
an affordable alternative to traditional PSTN networks. VoIP packetizes phone calls through
the same routes used by network and Internet traffic and is consequently prone to the
same cyber threats that plague these carriers today. In addition to traditional network
security and availability concerns, there are a plethora of new VoIP protocols that have
yet to undergo detailed security analysis and scrutiny.
Security Building with Gateway level To protect an enterprise's VoIP system and the data network behind it, a VoIP gateway should incorporate a variety of security technologies. The prime security features to look for in a VoIP gateway include a stateful packet inspection firewall, network address translation (NAT) support, application content filtering and extensive application layer gateways (ALG) that include SIP support for VoIP soft clients (software-based VoIP phones).
The VoIP gateway should also offer support for wireless LAN security, including, but not limited to: RADIUS (Remote Authentication Dial In User Service) authentication, as well as EAP-PEAP, EAP-TLS and PSK authentication suites. Buyers should also check for TKIP, AES-CCMP and other encryption ciphers.
VoIP Security Moving Target Those who want to operate secure VoIP networks must be mindful of myriad threats, because the technology is susceptible to vulnerabilities that might be foreign to traditional telecommunications managers and their staffs.
That was the conclusion of experts at the Fall VON 2004 conference who warned those considering VoIP to layer on security to keep their networks protected.
AT&T Corp. described one of the more disconcerting threats: injecting words into VoIP streams in a form similar to man-in-the-middle attacks in data networks.
"You can inject swear words into conversations, and the speaker can't even hear it," said Kevin Kealy, a security scientist at AT&T, during his keynote address.
Kealy says he has used the same technology in AT&T labs to fabricate entire VoIP voice mail messages that current FBI-grade voiceprint analysis rated as genuine.