How secure is VoIP?
By Branko Miletic
Over the past few years, internet telephony (IP) systems or voice over internet protocol (VoIP) systems have become popular as businesses begin to see hard savings in converging voice with other data applications such as web conferencing and email.
The cost savings of VoIP, both in terms of dollars and bandwidth, compared to that of circuit switched networks (CSN), is encouraging a growing number of Australian organisations, both public and private to move to VoIP.
But many companies are unaware of the additional security baggage that VoIP brings along with it.
Most experts agree that once voice is converged with data on the network, a company’s voice systems are suddenly vulnerable to many of the same kinds of attacks that occur on the data side.
Brian Kelly, director of the US-based Giuliani Advanced Security Center at Ernst and Young says, “Despite the advantages of VoIP, if the technology is not implemented properly and securely, we will likely circumvent existing security controls and expose our networks.”
But as many government agencies explore the benefits of this latest addition to communications technology, they must first strengthen firewalls, gateways, encryption and authentication methods, and other security components to as a primary step to protect users.
According to a recent Symantec internet security threat report, VoIP is quickly becoming a widely adopted alternative to traditional analogue phone systems. It has been estimated that by the end of 2006, two-thirds of the Forbes Global 2000 companies will have adopted VoIP as their primary means of voice communication.
Intruder alert
But there are many security issues associated with VoIP.
Eavesdropping is a common fear with both regular and VoIP calls, and there are additional concerns unique to this technology. Since VoIP data is travelling across the internet just like any other kind of data, it is vulnerable to the same types of attacks.
Hackers have many software tools available to them to retrieve information being transmitted over the internet and these tools are as effective with voice data as with any other kind of data. It must be remembered that in the context of cyber-security, voice traffic is data after all.
Cisco spokesman Peter Witts says as voice is one element on a network, and IP communications is becoming ubiquitous across businesses, the need for security will continue.
“We believe that as more organisations adapt to an organisation-wide, self defending network strategy, security breaches will be dealt with by the network automatically in real time,” he says.
Another security threat is the possibility of sending viruses with VoIP data -- potentially overloading VoIP networks, reducing sound quality and creating delays.
Although it has not been publicly admitted to by the major VoIP vendors, the technology is not secure against spam either, which in IP telephony terms is known as ‘spit’. Moreover, automated tools can send this spit to all voice mailboxes within a certain range of the provider, address space or area code.
There are several points in the transmission of VoIP calls that hackers can use to recover information. In addition to retrieving actual conversations, they can also access critical information such as user identities and VoIP phone numbers. With this information, a hacker can place phone calls using someone else’s identity.
For example, hackers can target phone systems with denial of service attacks, or program a company’s phones to call other businesses, shutting down the second company's phone systems. People can hijack a phone’s IP address and make calls that are billed back to the company. And as with a traditional phone system, calls can be intercepted and listened to.
Minimise vulnerability
VoIP systems more often than not use proprietary protocols, and even where standards such as Session Initiation Protocol (SIP) are incorporated, vendors were forced to add proprietary features to the emerging standards to increase the phone’s feature sets.
The potential for cyber attacks has increased because of this standardisation. The use of defence through anonymity is fast becoming a thing of the past and just like any other data system, a SIP system is vulnerable to general IP attacks.
Because VoIP traffic travels over a data network that is used by all of the regular users of the corporate LAN, any or all of the conversations traversing the network could theoretically be compromised by anyone with a regular connection on the network. VoIP packets could be identified and stored for re-assembly to be played back at a later time.
Firewalls might not be as effective in blocking attacks on combined voice and data networks. Firewalls examine packets and block suspected ones at the digital communications port.
However, phone calls require opening many communications ports on the firewall; some sessions may need 10 or more ports. Firewalls that are not configured for VoIP security might leave a large number of ports continually open, increasing the network’s vulnerability.
“The idiosyncrasies of voice data may strain your security system to the breaking point. You definitely need specialised security products and different architectures when moving to VoIP,” says Richard Kuhn a computer security specialist from the US National Institute of Standards and Technology.
“Server defence upgrade and patch management are two very important ways of increasing the security of voice systems, although it would not be untrue to say that most companies have traditionally updated their voice systems only when they wanted to add new features. But with VoIP, it is very important to install updates and patches as they arrive.”
Packet encryption is another way to make the hackers’ job harder –although this technology has inherent problems attached to it – not least of which is its very real potential in severely degrading the quality of the phone call because IP-based telephony is even more time sensitive than data or even video.
Plan for protection
VoIP gateway technologies are also potential weak points. When VoIP is used externally, gateway technologies convert data packets from the IP network into voice before sending them over a public switched telephone network.
When VoIP is used internally, the gateways basically route packetised voice data between the source and the destination and such gateways can be hacked into by malicious attackers in order to make free telephone calls.
Netgears’ Andrew Trickett says security of a VoIP call is relative to the types of calls to be made and the customer.
“It would be far easier to intercept a phone call and listen in to a conversation that was passing between a cordless DECT handset and a receiver than it would be to intercept the VoIP packets that were passing over ADSL connection, through an ISP's network to get to the VSP," he says.
“However security of VoIP packets should possibly be considered for deployments that may involve the VoIP call traversing LAN's where they could be easily sniffed and played back if unencrypted or where the content of the call is known to be highly confidential. To implement security a lot of companies will create a secure tunnel for the VoIP packet (e.g. use IPsec) but there are alternatives built into VoIP protocols as well.”
Mr Witt says although concern about communications security is real, independent research from the likes of Miercom and others has shown that IP based telephony is actually more secure than traditional TDM based telephony.
It is vitally important that CXOs and security managers have a view across the entire organisation to successfully deploy security, and, if this is not done, the chances of security breaches increase, he says.
In general, most of the best practices for data communication are relevant for voice communication.
David Sykes, vice president, Symantec, Pacific Region, says,
“Consequently, protecting data and VoIP environments requires a combination of antivirus, firewall, intrusion detection systems and virtual private networks (VPNs). These technologies must also be optimised for voice. Latency, bandwidth and quality of service (QoS) are all critical requirements for voice and, therefore, must be considered when implementing a communications security infrastructure.”
Mr Sykes says that governments should “first make sure their security infrastructure and network support VoIP”.
“They should monitor critical vulnerabilities and patch systems as needed,” he says.
“Governments should also secure remote access configuration capabilities to individual devices to eliminate backdoors and create and enforce strong password policies. In addition, governments should use encryption to secure traffic and, where possible, structure the network so that a VLAN separates voice and data devices and traffic.”
Most IT professionals agree that VoIP offers some dramatic benefits over traditional telephony in the areas of portability, and accessibility.
However, these enhancements do not come without a cost and require greater effort, planning, and vigilance to ensure high availability and security –the idea that only internet traffic is at risk is not based on reality.
And as to whether a VoIP network can ever be 100 per cent secure, Mr Trickett says, “No network can ever be made 100 per cent secure, particularly one that is accessible to the public”.
[Wed 23/08/2006 03:24:27]
|
