Undoubtedly, corporations are realising the benefits of IP voice systems. Voice over internet protocol (VoIP) can bring substantial cost savings and productivity enhancements to a business by transforming its circuit-switched networks to IP packet switching networks and running voice and data applications over a single infrastructure. However, businesses need to be aware that there are potential risks involved, they need to take some necessary steps to protect their interests.
When voice and data are merged onto a single network, voice becomes an application on the network and is, therefore, exposed to the same threats as data applications. These threats include infrastructure and application-based attacks, denial-of-service (DoS) attacks, eavesdropping, toll fraud and protocol-specific attacks. However, with the right procedures in place, VoIP security risks and threats can be managed and mitigated--maximising the benefits of VoIP while minimising exposure.
Infrastructure and application-based attacks
In VoIP, voice is essentially an application on the data network, fine-tuned to maintain voice-quality performance. VoIP equipment and end-point devices such as IP phones are becoming standardised and commoditised just like other data components such as PCs--meaning that VoIP is just as vulnerable to cyber-attacks. Hackers can exploit voice devices and disrupt the network from normal service and/or perform criminal actions such as data theft.
IT managers need to maintain current patch levels on all IT and network equipment and applications, and have appropriate anti-virus software installed and up-to-date. Virtual local area networks (VLANs) can also be implemented and used to protect voice traffic from data network attacks. By implementing application gateways between trusted and untrusted zones of the network, a VLAN will complement the protection offered by corporate firewalls.
Denial-of-service (DoS) attacks
A DoS attack occurs when someone deliberately floods a particular network with so much illegitimate traffic that it blocks legitimate traffic. Obviously, if your voice traffic is being transmitted over the same network, a DoS attack will have significant impact on business operations.
DoS attacks are difficult to stop and prevent, but proper intrusion prevention practices, special network devices and proper patch updates can minimise the risk of exposure. In order to prevent data network problems from affecting voice traffic, voice and data traffic should logically be separated from administrative traffic. Traffic shaping can also provide another layer of protection and control for the network.
Intercepting data traffic is a trivial endeavour for most hackers so it stands to reason that with voice and data convergence, the same can be said for voice traffic over the network. Many tools are freely available to collect packets associated with VoIP conversations and reassemble them for illicit purposes. Two measures that can be taken to prevent eavesdropping include isolating VoIP traffic using virtual private networks (VPNs) and applying encryption on voice packets. However, IT managers need to carefully evaluate the use of encryption of VoIP as it can increase latency in the network. Encryption of voice data could be selectively applied based on business requirements, for example, encryption and decryption can be used only for those conversations over untrusted networks. When choosing a managed service provider, companies should ensure that appropriate security protocols are actively used by the potential provider to ensure secure conversations within the network.
Just as with traditional voice systems, toll fraud cannot be ignored when considering VoIP systems. Using toll fraud, attackers gain unauthorised access to a private branch exchange (PBX) call-control system to make long-distance or international calls, which can mean significant financial impact to the business. Poor implementation of authentication processes could allow calls from unauthorised IP phones and/or allow unauthorised use of the VoIP network. Companies need to impose proper control for access to VoIP systems, including gateways and switches, in order to avoid the occurrence or toll fraud. Centralisation of management and configuration control is also recommended.
Since VoIP was developed on an open standard, the protocols that support communications are well known and thus vulnerable to probing for their weaknesses and security flaws. Session initiation protocol (SIP) is gaining popularity -- SIP is a session and call-control protocol, components of which are used by standards-based IP PBX and IP telephony systems. In addition to the standard IP vulnerabilities, SIP brings additional risks.
SIP is a text-based protocol, like the common HTTP and SMTP. Therefore attackers can easily monitor and analyse traffic and then transition into various application-level attacks. Attacks can include impersonation of registration for system access, unauthorised access to corporate directory information, taking control of calls to disrupt business and also placing unsolicited calls and voice messages. Obviously, in a malicious attack, this could be highly detrimental to a business. It managers need to be aware of these vulnerabilities and thus implement strong authentication and authorisation processes.
IP voice security
While convergence and VoIP implementations are fast becoming mainstream among multinational corporations, they are, at the same time, posing serious security challenges. Whether you are planning to build your own converged network or utilise the services of a managed service provider, the primary goal should be the implementation of VoIP security that is properly built and validated, with ongoing management support. Security has to be managed through proactive monitoring, event management, remediation and regular follow-up to ensure a stable and reliable corporate communications infrastructure. However, with the right security in place, VoIP can be a valuable asset to a company.
This story, "IP voice security: are you susceptible or strong?" was originally published by CSO Online (Australia).