In VoIP, an attacker typically uses one of two methods. One is sniffing media packets in the same broadcast domain as the target user, or on the same path as the media. Sniffing tools are available on the Internet, like Wireshark (formerly Ethereal). The other way of intercepting communications is compromising an access device (for example, a Layer 2 switch) and forwarding the target's media to the attacker's device, which generally happens in enterprise networks.
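As an added illustration of the first method (example code, not part of the original interview), the following Python decodes what a sniffer on the broadcast domain or media path actually sees: the RTP fixed header of each UDP payload, grouped per stream with a loss estimate from sequence gaps. The packets are constructed inline rather than captured; the field layout and static payload types follow RFC 3550 and RFC 3551. One caveat worth knowing: SRTP leaves this header in the clear and encrypts only the payload, so even a protected call still reveals the SSRCs, codec and timing to a sniffer.

```python
"""Decoding sniffed RTP (added example; not from the original page).

Parses the RTP fixed header (RFC 3550) of each captured UDP payload and
summarises the streams in a capture. Sample packets are constructed inline.
"""
import struct

# Static payload types from RFC 3551; dynamic types (96-127) need the SDP.
STATIC_PAYLOAD_TYPES = {0: "PCMU/8000", 3: "GSM/8000", 8: "PCMA/8000",
                        9: "G722/8000", 18: "G729/8000"}


def parse_rtp(packet: bytes) -> dict:
    """Return the RTP header fields and payload of one UDP payload."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"not RTP: version {version}")
    cc = b0 & 0x0F                      # number of contributing sources
    offset = 12 + 4 * cc
    csrcs = list(struct.unpack(f"!{cc}I", packet[12:offset]))
    if b0 & 0x10:                       # header extension present
        _, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if b0 & 0x20 and payload:           # padding: last byte is the pad length
        payload = payload[:-payload[-1]]
    pt = b1 & 0x7F
    return {"seq": seq, "timestamp": ts, "ssrc": ssrc, "csrcs": csrcs,
            "marker": bool(b1 & 0x80), "payload_type": pt,
            "codec": STATIC_PAYLOAD_TYPES.get(pt, f"dynamic({pt})"),
            "payload": payload}


def summarize_streams(packets) -> dict:
    """Group packets by SSRC and estimate loss from sequence-number gaps."""
    streams = {}
    for pkt in packets:
        hdr = parse_rtp(pkt)
        streams.setdefault(hdr["ssrc"], []).append(hdr)
    summary = {}
    for ssrc, hdrs in streams.items():
        seqs = sorted(h["seq"] for h in hdrs)
        expected = seqs[-1] - seqs[0] + 1   # ignores 16-bit wrap for brevity
        summary[ssrc] = {"codec": hdrs[0]["codec"], "packets": len(hdrs),
                         "lost": expected - len(hdrs),
                         "payload_bytes": sum(len(h["payload"]) for h in hdrs)}
    return summary


def build_rtp(seq, ts, ssrc, pt=0, marker=False, payload=b"\xff" * 160) -> bytes:
    """Construct a plain RTP packet (V=2, no CSRC/extension/padding) for the demo."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


# Constructed sample: three 20 ms PCMU packets from one SSRC, one missing.
SAMPLE_PACKETS = [
    build_rtp(0x1234, 160, 0xDEADBEEF, marker=True),
    build_rtp(0x1235, 320, 0xDEADBEEF),
    build_rtp(0x1237, 640, 0xDEADBEEF),
]

if __name__ == "__main__":
    for ssrc, info in summarize_streams(SAMPLE_PACKETS).items():
        print(f"SSRC 0x{ssrc:08x}: {info}")
```

On a real capture, the bytes handed to parse_rtp are the UDP payloads Wireshark shows on the negotiated media ports; the SDP from the signaling tells you which ports and which dynamic payload types to expect.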
Can VoIP ever be completely secure?
No. There are too many sources of vulnerability to make VoIP completely secure. Today's VoIP includes not only voice, but also video, IM, presence data, and fax data.
VoIP has two types of vulnerability. One is the inherited vulnerability coming from the existing infrastructure, such as the network, operating system, or web server that VoIP applications run on. The other is its own vulnerability, coming from VoIP protocols and devices such as IP phones, voice gateways, media servers, signaling controllers, and so on.
In reality, it's hard to control every component to provide 100% security. However, we are able to make it reasonably secure. The best practice is to integrate all possible solutions according to the service model, network architecture, protocol model, target customers, and peering partners.
What is a Session Border Controller (SBC) and how does it secure the VoIP network border?
An SBC is, as the name implies, a controlling device located on the border between two network sessions. The session is a logical boundary of a VoIP network, like that between the consumer and the service provider network, or between two different enterprise networks.
The function of an SBC is, simply speaking, resolving border issues like interop and security issues. Let me summarize the critical functions of an SBC:
- Network topology hiding: this is a key function of an SBC, hiding the core network topology from either the access or the peer network. Most VoIP servers, like SIP proxies, are exposed to external networks so that endpoints may access the servers to request calls or register, which means that the topology of the service network is partially visible and vulnerable. So, an SBC encapsulates the core network and provides a single logical interface for external networks. External endpoints can see only the IP address and port of the SBC rather than the actual VoIP servers, and the SBC routes the call to the corresponding server based on type of service, policy, protocol, and so on.
- Denial-of-service protection: an SBC uses access control that allows secure traffic, limits uncertain traffic, and denies insecure traffic. It's similar to whitelist/blacklist call control.
- Overload prevention: the meaning of overload prevention in this context is that the SBC monitors regular traffic from legitimate endpoints and controls it so as not to overwhelm the VoIP servers, which is somewhat different from DoS protection, which deals with malicious or flooded traffic. The typical method of preventing overload is that an SBC reduces redundant or unnecessary signaling by controlling the frequency of messages (for example, periodic registration or keepalive), or distributes the load to multiple targets based on policy.
- NAT traversal: one-way-audio or no-media issues are very common when traversing a NAT. An SBC can resolve this issue in the middle of the network by relaying media or rewriting protocol messages as a B2BUA.
- Lawful Interception (LI): it's a VoIP service provider's duty to intercept call data or contents and forward them to a law enforcement agency according to a warrant. The reason for using an SBC for the interception is that, as an access device, it can see most of the signaling and media going back and forth between endpoints and VoIP servers.
- Other functions of an SBC are load balancing, transcoding, protocol conversion, number translation, and QoS marking.
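Two of the functions above, topology hiding and overload prevention, are easiest to see in code. The following Python is added here as an example and is not taken from any SBC product. It rewrites a constructed INVITE leaving the core the way a B2BUA would (Via chain, Record-Route, Contact, Call-ID and the SDP owner/connection/media lines are all re-homed to the SBC's address, with a relay map so the media can still be forwarded to the real core endpoint), checks that no private core address survives in the result, and includes a registration cache that answers an endpoint's frequent REGISTER refreshes locally and only refreshes the core binding when it is about to expire. All addresses, ports and the Via branch value are assumptions; a real SBC generates a unique branch and Call-ID per leg and allocates relay ports from a pool.

```python
"""Two SBC border functions on a constructed SIP INVITE (added example, not
code from any SBC product): topology hiding as a B2BUA, and registration
caching for overload prevention. Addresses are assumed RFC 5737/1918 values.
"""
import re

SBC_EXT_IP = "203.0.113.1"    # assumed access-facing SBC address
MEDIA_RELAY_PORT = 30000      # assumed port allocated by the SBC media relay
PRIVATE_NET = re.compile(r"\b192\.168\.\d{1,3}\.\d{1,3}\b")
HOSTPORT = re.compile(r"@[\w.\-]+(?::\d+)?")


def parse_sip(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [tuple(p.strip() for p in line.split(":", 1)) for line in lines[1:]]
    return lines[0], headers, body


def build_sip(start, headers, body):
    return start + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n" + body


def hide_core(raw, relay_port=MEDIA_RELAY_PORT):
    """Rewrite a message leaving the core toward an external endpoint so only
    the SBC address is visible. Returns (rewritten, media_map); media_map
    tells the relay where to forward RTP that arrives on relay_port."""
    start, headers, body = parse_sip(raw)
    # Media: anchor the SDP on the SBC and remember the real core-side endpoint.
    core_ip = re.search(r"(?m)^c=IN IP4 (\S+)", body).group(1)
    core_port = int(re.search(r"(?m)^m=audio (\d+)", body).group(1))
    media_map = {(SBC_EXT_IP, relay_port): (core_ip, core_port)}
    body = re.sub(r"(?m)^c=IN IP4 \S+", f"c=IN IP4 {SBC_EXT_IP}", body)
    body = re.sub(r"(?m)^m=audio \d+", f"m=audio {relay_port}", body)
    body = re.sub(r"(?m)^(o=\S+ \S+ \S+ IN IP4 )\S+", rf"\g<1>{SBC_EXT_IP}", body)
    # Signaling: replace the core Via chain with the SBC's own, drop
    # Record-Route, re-home Contact and Call-ID. Branch value is a placeholder;
    # a real B2BUA generates a unique branch and Call-ID per leg.
    out = [("Via", f"SIP/2.0/UDP {SBC_EXT_IP}:5060;branch=z9hG4bK-sbc-leg1")]
    for name, value in headers:
        key = name.lower()
        if key in ("via", "record-route"):
            continue
        if key == "contact":
            value = HOSTPORT.sub(f"@{SBC_EXT_IP}:5060", value)
        elif key == "call-id":
            value = HOSTPORT.sub(f"@{SBC_EXT_IP}", value)
        elif key == "content-length":
            value = str(len(body.encode()))   # SDP length changed above
        out.append((name, value))
    return build_sip(start, out, body), media_map


def leaked_private_addresses(raw):
    """Check: which RFC 1918 core addresses does a message still expose?"""
    return sorted(set(PRIVATE_NET.findall(raw)))


class RegistrationCache:
    """Overload prevention: endpoints behind NAT re-REGISTER every minute or
    so to keep their pinhole open, but the core only needs a long-lived
    binding. Refreshes are answered at the SBC unless the core-side
    registration is about to expire."""

    def __init__(self, core_expires=3600, refresh_margin=300):
        self.core_expires, self.refresh_margin = core_expires, refresh_margin
        self.bindings = {}   # AoR -> absolute expiry of the core registration

    def handle_register(self, aor, now):
        expiry = self.bindings.get(aor)
        if expiry is None or expiry - now < self.refresh_margin:
            self.bindings[aor] = now + self.core_expires
            return "forward-to-core"
        return "answer-locally"


def simulate_refreshes(period=60, duration=3600):
    """Count how many of one endpoint's REGISTERs reach the core."""
    cache = RegistrationCache()
    decisions = [cache.handle_register("sip:alice@example.com", t)
                 for t in range(0, duration, period)]
    return decisions.count("forward-to-core"), len(decisions)


# Constructed INVITE from the core proxy (192.168.1.10) on behalf of an
# internal endpoint (192.168.1.20) toward an external endpoint (10.0.0.5).
_SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\ns=-\r\n"
        "c=IN IP4 192.168.1.20\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0 8\r\n")
CORE_INVITE = (
    "INVITE sip:bob@10.0.0.5:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK1234\r\n"
    "Record-Route: <sip:192.168.1.10;lr>\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP)}\r\n\r\n" + _SDP)

if __name__ == "__main__":
    hidden, relay = hide_core(CORE_INVITE)
    print(hidden, "relay map:", relay, "leaks:", leaked_private_addresses(hidden))
    print("REGISTERs forwarded to core:", simulate_refreshes())
```

With a 60-second refresh interval and a one-hour core binding, only two of sixty REGISTERs reach the core; the leak check is the test worth keeping around, because a single header or SDP line that is not rewritten (the o= line is a common one) undoes the topology hiding.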
A new term we're seeing is SPIT. This is essentially spam over VoIP. Is this a real concern?
Yes, it's a real concern. The main reason SPIT is becoming popular is that it is cost-effective for spammers.
In some cases, spammers use computational and bandwidth resources provided by others by infecting their machines with viruses that turn them into "zombies" that can be used to generate call spam.
Another reason SPIT is getting popular is its effectiveness compared to email spam. Most spam filters for email today work very well. Even though users may still receive a small percentage of email spam, they usually look at the profile (for example, sender name and subject) and delete most of it without seeing the contents. However, this method of filtering emails does not work for SPIT because voice is real-time media.
Only after listening to some of the content can users recognize whether it is spam. There is a way to block those call attempts based on a blacklist (spammers' IP addresses or caller IDs), but it is useless if spammers spoof the source information.