Voice-over-IP (VoIP) communications present small companies with a number of business benefits over traditional telephone systems, including significantly reduced costs of deployment and management. It is projected that by 2009 IP-based phones will represent 91 percent of all enterprise phone systems worldwide.
However, a recent survey of U.S. small and midsized businesses found that less than half of small and midsize companies trust the security of IP telephony solutions currently available.
For VoIP to become a mainstream reality, enterprises of all sizes need to gain a greater level of confidence that VoIP can be securely deployed. As small enterprises plan their VoIP networks and look to reap the cost savings, security needs to be integrated into the deployment plan from the beginning.
Given that VoIP is a relatively new area of technology, it is important to understand that these networks face new types of attacks and have unique requirements when compared with traditional data or telephony networks. Otherwise, small enterprises may find themselves making shortsighted technology investments which leave parts of the IP network vulnerable and will need to be supplemented with additional technology, or even replaced.
While there have been very few documented cases of attacks on VoIP networks, there’s no question that attacks will occur as VoIP becomes more mainstream. IP-based telephone communications are exposed to all of the existing vulnerabilities of data networks plus a whole new series of threats specific to VoIP technology, including toll fraud, service theft, and voice Spam.
VoIP Security is Different
Unlike data communications, VoIP is a real-time service and requires security infrastructure focused on preserving the very high availability expected by telephony users. While it may be acceptable to wait for email that has been taken down by a virus to be fixed, end-users expect to hear a dial tone each and every time they pick up the phone.
The underlying VoIP infrastructure is different than that of data security networks and includes a wide range of components and applications such as telephone handsets, conferencing units, mobile units, call processors/call managers, gateways, routers, firewalls, and protocols that must all be protected. Additionally, there’s a need to secure any connection to the traditional public switched telephone network so that VoIP security issues can’t be transferred across networks.
Finally, VoIP communications are carried in the form of packets, making it highly sensitive to delay, packet loss and jitter, thus many of the traditional data security measures will not work.
While many of the lessons learned from the data security world are valuable to consider when deploying VoIP, it is important to remember that VoIP security is different and demands much more than a one-size fits all approach to both data and IP security.
Understanding VoIP Security Threats
To effectively secure VoIP networks, it is important to understand the threats to VoIP security. VoIP-specific security attacks fall into several distinct categories.
Service Disruption
Service disruptions include Denial of Service (DoS) attacks, Spam and viruses which can seriously impact the quality of VoIP services or make them unavailable. DoS attacks are designed to flood a target call manager, phone, or VoIP system with an overwhelming number of spurious service requests or malformed packets. It is expected that voice Spam will fill up users’ voicemail boxes, much like email Spam today.
Viruses clog the network with unnecessary and useless messages, and exploit weaknesses in operating systems and applications, leading to network instability. A recent survey of IT directors cited service disruption attacks as the greatest threat to the security of VoIP networks due to the consequences of lost revenues, system downtime, lost productivity and unplanned maintenance costs.
Privacy Threats
The most common privacy threats are call eavesdropping, insertion and disruption, as well as masquerading, impersonation, registration hijacking, and replay. Free tools exist on the Internet that allow someone connected to a VoIP network to ‘sniff’ phone calls. An attacker can listen, copy, alter, and replay confidential phone conversations.
For example, in July 2005, a flaw was identified in Cisco’s Call Manager that could be exploited so an intruder could listen in to all calls routed through it. The flaw was discovered and addressed before it could be exploited, but this gives a clear idea of the potential impact of eavesdropping.
Service Theft
Withthe deployment of VoIP come new possibilities and schemes for individuals to defraud service providers by committing acts such as toll fraud, subscription fraud and non-payment. Call tracking tools can be used to capture authentication credentials and subsequently spoof legitimate users to place calls at the subscriber’s expense.
These new types of VoIP-specific attacks combined with the unique nature of voice communications illustrate how existing data security technologies do not address the unique security requirements of VoIP networks.
Deploying Secure VoIP in the Small Enterprise
In designing and deploying VoIP networks, security cannot be an afterthought. For small companies, it is particularly important to include a proactive security strategy from the onset of VoIP deployment to keep costs manageable. With the right technologies and security strategies in place, even the smallest organizations can deploy secure VoIP.
Take a Proactive, Systems-Level Approach.To successfully secure VoIP networks, a proactive security strategy is required to ensure that risks can be identified and eliminated before the network is impacted. The complexity of VoIP networks demands a systems-level approach, which enables organizations to secure all parts of the network. A firewall-type approach where only the “door” to the network is secured leaves many “windows” for intruders to penetrate the network and brings the risk of serious financial and business consequences.
Choose VoIP-specific Security Technologies.In the rush to fill the need for VoIP security solutions, many data security vendors have adapted existing data solutions or created add-ons to their existing products. Telecommunications networks are very different than data networks, so organizations should look for solutions that are specifically designed to secure telephony networks and built to address VoIP security issues.
Call in the Security Experts.In an emerging field such as VoIP security, it can be difficult for small organizations to build in-house expertise. If necessary, work with third party consultants who have VoIP security expertise and a solid understanding of telephony networks. Partner with consultants who can execute automated security procedures such as vulnerability assessments at the implementation stage and provide the organization with tools to manage these types of assessments on an ongoing basis.
For any small company looking to make the move to VoIP, security should be the number one priority. But security concerns should not prevent organizations from taking full advantage of the business benefits of VoIP. By taking a proactive approach to VoIP security from the early stages of deployment, even the smallest companies can protect their next-generation voice networks in a holistic, cost-effective manner.
----
Bogdan Materna is the CTO and VP of Engineering at
VoIPshield Systems. He can be reached at
[email protected] or (613) 224-4443. 
Internet Telephony Magazine
Click here to read latest issue
CUSTOMER 
Cloud Computing Magazine
Click here to read latest issue
IoT EVOLUTION MAGAZINE
