As more consumers and organizations continue to migrate from their landline to IP telephony, hackers are targeting this platform because of the sheer number of gateways that could be exploited. With VoIP, the security threat not only includes the same problems data networks face, but also issues that are specific to IP telephony. Unlike TDM phones and PBXs which had very few security issues because they are hard-wired, VoIP caller server gateways and IP phones are software based, which makes it much easier to access. Therefore protecting the infrastructure with a layered security approach is better to mitigate VoIP attacks.
According to Chris Partsenidis of techtarget.com, “A strategically placed firewall within your network infrastructure can help mitigate VoIP attacks.” In his article titled “Layered security approach can thwart VoIP attacks,” he goes on to say that adding encryption and proxy services will strengthen the security.
The security issues VoIP networks face include:
- Inheriting the shared data network’s security problems.
- Signaling, directory, and feature and function tampering, spam over Internet Telephony (News - Alert), RTP attacks, Caller ID spoofing, and eavesdropping.
- Because the VoIP/IPT resources are dispersed around a network locally, nationally and internationally they are more vulnerable; on the other hand TDM PBX (News - Alert) were centralized.
- The OSs of VoIP/IPT devices are not as secure as TDM operating systems.
- Browser access to systems (PBX) administration located at multiple sites can be accessed more easily.
There are also vulnerabilities which include viruses and worms (in call servers, gateways and phones); Trojan horses; port scanning (for signaling and RTP speech ports); malicious executable software (even in the IP phone); spoofing source identity (pretending to be the call server); spyware (in IP phones); password/identity cracking; and traditional Denial of Service and new types for VoIP/IPT.
Partsenidis suggest strategically placing firewalls within an organization's network infrastructure so it can monitor all connections and sessions to the "inside zone" (IP telephony data center), "DMZ zone" and "outside zone."
While a single solution is much cheaper, a layered approach delivers better security for VoIP. The layers are built starting with the user-facing access ports (Layer 2) and moves to the data center core where the IP telephony services run (Layer 3 and above).
Gary Audin (News - Alert), an expert with more than 40 years of computer, communications and security experience recommends the following VoIP call server and endpoint security -- best practices:
1. Assign call server security to the same group that manages data server security.
2. If there are firewalls in front of data servers, there should be a firewall in front of the call server.
3. Check with the call server vendor to determine whether third-party security software can be resident in its call server product.
4. Consider IP phones as a desktop endpoint, managed as a desktop with some unique problems.
5. The IP side of the gateway should be managed as any other data device by the same personnel who handle the endpoints -- most likely the desktop security personnel.
If an organization has any digital presence, it can expect to be attacked. Hackers from around the world are on a mission to find any vulnerability to access the data or use the infrastructure for a larger attack. Internet telephony is just another gateway that has now become a valued target, and companies must protect it using all the means they have at their disposal, including a layered security approach.
Edited by Rory J. Thompson