Voice over IP (VoIP), or internet phone service, has grown substantially in the past ten years. VoIP runs on the internet, and therefore inherits the internet’s most common security issues. Telephone networks have historically been targeted by hackers. Activities such as call diverting, rerouting, and eavesdropping are all security issues that have carried over into VoIP telephone service.For VoIP security, you want to first identify vulnerable areas and then address them so the cost of getting past the security is higher than the potential gain.
Problem # 1: The Internet
Routing traffic over the internet is inherently less secure than placing a call over traditional circuit switched networks. The internet is a dangerous place, and packet sniffers can easily grab unencrypted traffic using freely available software. Imagine your network administrator overhearing the latest round of layoffs.
Problem # 2: Limited gateway security options.
Firewalls work by blocking invasive and malicious traffic from accessing your system. It provides a central location for deploying security policies. Securing VoIP traffic at the firewall level presents certain challenges because not all firewalls are VoIP aware. An older firewall may not recognize VoIP protocols and incorrectly block this traffic.
Problem # 3: Patching.
Vulnerability in the operation system, software, and servers are the targets of attackers. Patching all the systems in the network is not easy and can be time consuming. VoIP phone systems require diligent patching of the core call management system, voicemail system, infrastructure components, and endpoints, to maintain a high level of security.
Problem # 4: VoIP security is only as reliable as your underlying network security.
Viruses and worms are still the top concerns for computer security. The viruses might break down the system and disable the service. If an existing network has security vulnerabilities, these can be exploited once VoIP is implemented.
Problem # 5: Your computer’s operating system.
Similar to problem # 4, phone system vendors who leverage industry recognized operating systems inherit the operating systems’ vulnerabilities. A phone system running on Microsoft’s Windows 2008 server requires regular updates to resolve newly discovered critical issues.
Problem # 6: Denial of Service (DoS) attack.
VoIP components need to make sure that they are communicating with legitimate counterparts. Out of the box VoIP implementations may leave TCP/UDP ports unnecessarily open and without sufficient monitoring that could leave the system open to a DoS or distributed DoS attack. Attackers can create large number of call setup requests that consume the processing power of proxy server or terminal. Though the attacked network may not be penetrated, these attacks can “busy” a system, rendering it unusable. To combat these attacks, security experts must ensure that unnecessary ports and services are shut down, and that the network is properly patched for newly discovered vulnerabilities. VoIP firewall should also be implemented to monitor streams and filter out abnormal signals and RTP packets.
Problem # 7: Eavesdropping.
With VoIP, opportunities for eavesdroppers increase dramatically because of the large number of nodes in the path between the two ends of the conversation. If the attacker compromises any of these nodes, he can access the IP packets flowing through that node.
Voice over Misconfigured Internet Telephones (VOMIT) and SimTap have grabbed the attention of the VoIP community for their ability to siphon packets and convert the information to a .wav file in order to eavesdrop on a conversation. The only existing method to prevent this sort of eavesdropping is to properly secure access to the call management system, and to encrypt voice data. Even if you address all external security issues, all it takes is one disgruntled employee using an application like SipTap to snoop on internal conversations.
Problem # 8: Spam over IP telephony (SPIT).
Spam over IP telephony (SPIT), are prerecorded, unsolicited messages that are sent to your VoIP handset. (You may have gotten one or two in the months leading up to the recent election?) Unfortunately, combating SPIT is very similar to current day methods used to combat SPAM; it is impossible to stop it, you can only hope to control it. VoIP specific firewalls should be deployed in voice network to prevent malicious data traffic or voice traffic enter the system.
Problem # 9: More ports open = more ports to secure.
VoIP complicates network traffic flow with many new ports, rules, and virtual networks. A communications expert must carefully map out TCP and UDP traffic rules, the method by which this traffic traverses the internal network, as well as the resulting implications to the corporate wide area network and remote access policies. The best advice is to carefully plan an implementation ahead of the installation.
Problem # 10: Wireless phones require wireless security.
Weak wireless security exposes your VoIP. The best wireless solutions require centralized network authentication, in addition to wireless encryption, and should be implemented before using VoIP telephone services.
Most companies implementing VoIP are concerned about quality-of-service considerations, such as voice quality and interoperability, rather than security. VoIPs have to deal with all security problems of traditional data network plus new security problems caused by new protocols and components. All too often, VoIP products are released onto the market without thought to security. It is up to you to take the precautions that ensure the security of your network. All in all, these security threats take a fair bit of experience to navigate, so spoofing and sniffing on the Internet is not as simple as it’s been made out to be. It is important to realize that VoIP is a relatively young technology, and with any new technology, security typically improves with as the technology does.
Telx Telecom is a VoIP and Manage Service provider based in Miami, FL. For more information about VoIP Security, or any of our other services, contact us today!
