April 2007
Volume 10 / Number 4
Feature Articles

VoIP-Specific Attack Risks

By Joel Maloff, Feature Articles

One of the most attractive aspects of IP telephony is the ease with which we can communicate with people anywhere in the world at dramatically reduced costs (even zero cost in many cases). The same technologies that afford us these benefits also can be employed for far less savory purposes. These include identity theft, compromising carrier networks for personal gain, intentional disruptions that threaten the viability of businesses, and industrial or state-sponsored espionage.

The typical enterprise or communications carrier executive has no concept of the risks associated with VoIP services, nor how to address them — other than what they are told by their IT teams. In most cases, executive fears are based on general media coverage that may be questionable in terms of reality and ignore more serious problems. IP telephony is still new with very complex issues.

Voice over IP (VoIP) traffic grew at a 42 percent annual growth rate last year to 45 billion minutes of calls handled by carriers, according to Telegeography (January 2007). The same report also indicated that the rate of growth for wholesale traffic carried by VoIP is double the pace for total voice revenues.

Yet, despite this phenomenal growth and the increasingly critical role VoIP plays in our ability to communicate globally, most telecommunications carriers, Internet Service Providers, and enterprises are unprepared for malicious assaults — especially where VoIP is concerned.

These issues are serious and not to be taken lightly. Failure to properly secure the data-related infrastructure upon which IP telephony rides can compromise the intellectual property/assets of an organization. Access to your customer base, personnel files, billing systems, or other confidential information is at risk. The “doomsday” approach of Denial of Service (DoS) or Distributed DoS (DDoS) attacks can shut down an enterprise or carrier if precautions are not taken.

So, as an executive for a telecommunications carrier, ISP, or enterprise, what steps can be taken to step up to these challenges?

The first step towards ensuring an acceptable level of network security risk associated with VoIP is to ensure that VoIP is treated no differently than any other networked application. This means carefully considering, creating, and implementing associated policies, and once achieved, instituting plans to accomplish the aims of the policies.

However, in some ways VoIP must be treated differently from most data applications. For example, there is no VoIP protection analogous to antivirus software. SPAM over IP Telephony (SPIT) is completely different in nature from traditional SPAM and requires different treatment. It is important to consider all VoIP and data issues collectively to determine their potential threat vectors.

Does your organization have a written network security policy? If so, by whom was it written?

If the policy was created by information technology personnel without direct input and participation from executive management, how can you be certain that organizational objectives and priorities have been considered?

For example, what access privileges are allowed to personnel within the organization while they are connected to the organization LAN? What permissions are allowed when they are connected remotely via a cyber-cafe or wireless network? This may seem trivial at first, but external networks may be far more vulnerable to sneak attacks than your own. Therefore, the policies treating use from different locations must be considered.

As a network security officer, you want to ensure that travelers do not inadvertently bring malicious code from the outside world into the heart of your corporate network. The network policy must indicate what resources can connect to your systems, by whom, perhaps even by time of day, and what certification of health they need to present before being allowed into the inner sanctum.

Without active participation by executive leadership, a proper network security policy cannot be devised. Recently, demands for greater accountability by senior personnel have led to Sarbanes-Oxley (SOX) requirements in the U.S. and other similar scrutiny from other areas. Executives can no longer claim ignorance of a threat as an excuse for succumbing to it. IT audits are intended to identify vulnerabilities that could threaten key systems such as accounting, human resources, and others. Making sure that these vulnerabilities are identified and that plans are made to ameliorate them is an executive responsibility these days — especially where VoIP is concerned.

Most effective network security plans are based on the concept of ‘layers of an onion.’ As intruders attempt to penetrate the network, a new barrier is placed before them. After two, three, or four encounters with new and different impediments, most intruders will seek easier targets.

Regarding network security plans that address VoIP-related issues, there are two general components to consider. The first is the nature of the services provided by the VoIP carrier, and the second is the set of precautions taken within an enterprise.

As an enterprise, it is important to understand what to expect from the organizations that are carrying your Internet telephony traffic. As a carrier, it is critical for you to have a clear implemented plan that can be communicated to your customers so that they know how to incorporate what you have accomplished into their own plans.

Some VoIP services, like those provided by Skype, use proprietary technology so that not much is known for certain about their inner workings or level of security. It has been asserted that Skype calls are encrypted and not very susceptible to interception. This means that there is most likely very little threat that someone can overhear or capture your voice calls made via Skype. On the other hand, the underlying method of transport used by Skype relies on the “super node” concept whereby the computers and bandwidth of unsuspecting users are converted into transfer points for a vast number of other users. This severely compromises most network security policies as it allows unauthorized users ready transit through our corporate network, and creates substantial vulnerability to the implantation of malicious code.

The network may be far from secure just because the payload is encrypted.

“Carrier-Class” services are provided by organizations that offer perceived higher quality and cost more than “consumer-grade” services where variances in latency and availability are tolerated because they are free. Within a carrier environment, there are many layers of security with each of these hopefully well-documented. These certainly should include edge systems that are designed to create barriers to entry from attackers as well as interior defenses.

Some of these edge systems include firewalls, application layer gateways, and proxy servers. Firewalls are not particularly good for VoIP traffic, however, because these packets need to “punch holes” to gain access and egress. Network Address Translator (NAT) is used to protect data network systems, yet other tools, such as STUN (which stands for the cryptic Simple Traversal of UDP over NATs), afford entry to the network interior.
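
The firewall difficulty described above comes from the media ports being negotiated inside the call signaling. As an added illustration (not code from the article), this Python example shows the job of an application layer gateway: it reads the SDP body of a SIP INVITE and derives the one narrow UDP pinhole to open, rather than leaving a wide port range permanently open. The sample message, the function name, and the RTCP-on-next-port convention are assumptions.

```python
import ipaddress
import re

# Constructed SIP INVITE carrying an SDP offer (sample data, not from the article).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

MEDIA_RE = re.compile(r"m=(?:audio|video) (\d+)(?:/\d+)? RTP/S?AVP\b")

def media_pinholes(sip_message):
    """Return (address, rtp_port, rtcp_port) for each stream the SDP offers."""
    head, _, body = sip_message.partition("\r\n\r\n")
    if "application/sdp" not in head.lower():
        return []                      # no SDP body: open nothing
    session_addr, media = None, []     # media entries: [port or None, own address]
    for line in body.splitlines():
        if line.startswith("m="):
            m = MEDIA_RE.match(line)
            media.append([int(m.group(1)) if m else None, None])
        elif line.startswith("c=IN IP4 ") and len(line.split()) == 3:
            addr = line.split()[2].split("/")[0]
            if media:
                media[-1][1] = addr    # media-level c= overrides session level
            else:
                session_addr = addr
    pinholes = []
    for port, addr in media:
        addr = addr or session_addr
        if port is None or addr is None or not 1024 <= port <= 65534:
            continue                   # rejected stream (port 0) or privileged port
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                   # malformed address: open nothing
        if ip.is_unspecified or ip.is_multicast or ip.is_loopback:
            continue
        pinholes.append((str(ip), port, port + 1))  # RTCP assumed on port + 1
    return pinholes

if __name__ == "__main__":
    print(media_pinholes(SAMPLE_INVITE))
```

Each returned tuple maps to a short-lived allow rule for that address and port pair, removed when the call ends.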

There are many other techniques that are commonly used to protect data networks that do not work as well where IP telephony is concerned. Carrier-Class services must include attention to detail when it comes to VoIP security and protection.

Understanding what your VoIP carrier does to ensure the confidentiality of your communication is quite important.

Would you do business with a bank that was not insured or did not have obvious protections such as guards on duty? Requiring your service providers to be sensitive to network security needs goes a long way towards demonstrating professional accountability.

On the enterprise side, it is very important that you have both a network security policy as well as a network security plan that incorporates the nuances of IP telephony. Without a clear policy, it is difficult to know what you are protecting and how much protecting it is worth to you. When the objectives are clear, it is time to create or modify the plan to implement those policies. Some of the prevention methods include the use of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). As their names imply, IDS helps to detect unauthorized access and IPS helps to thwart those attempts prior to invasion.

In addition, the area of authentication and access control is also very important. The purpose is to ensure that the people attempting to access your critical information are who they say they are. Methods include access control lists (ACLs) that indicate specific users and also their likely points of access. Additionally, there are various “form factors” used for network authentication. These include Something You Know (such as memorized passwords), Something You Have (such as a physical token or memory stick) or Something You Are (including biometric tools like fingerprint scans, voice recognition or others).

Many of these tools have been used to protect data networks for years. Our challenge as an industry is now to recognize the new attack vectors that are present within VoIP and IP telephony systems and to adapt our tried and true data network techniques to address them.

Neither carriers nor enterprises should be lulled into thinking that VoIP is “safe.” There are smart people that will use any available access to invade, disrupt, or steal.

Recognizing the existence of these threats is the first step to countering them.

Joel Maloff is Vice President-Products, GlobalTouch Telecom.

