ITEXPO begins in:   New Coverage :  Asterisk  |  Fax Software  |  SIP Phones  |  Small Cells

Voice over IP Security

By Mark Collier


As an application running on the shared IP network, VoIP inherits the network security issues common to IP, including viruses, worms, Denial of Service (DoS), eavesdropping, man-in-the-middle (MITL) attacks, etc. Attackers can now attack the voice application from locations on the shared IP network. This is true even if Virtual LANs (VLANs) are used, which only provide basic separation. Listed below are several reasons why VoIP can be vulnerable to attacks:

Multiple Networked Components VoIP requires multiple networked components, including IP PBXs, media gateways, IP phones, etc. An attack on any component affects the VoIP application.

Complex Protocols VoIP is controlled through various network-based protocols, which exchange signaling information to support call control. This includes proprietary protocols, H.323, MGCP, and SIP. A large VoIP deployment may use several of these protocols. The greater the number of protocols in use and the more complex and dynamic a protocol is, the greater the chance its implementation has vulnerabilities.

Weak Authentication Most VoIP systems do not employ strong authentication. Without strong authentication, attacking software can use spoofing and other techniques to execute a wide variety of attacks.

Platform Vulnerabilities VoIP components run a variety of operating systems and supporting services and can be attacked through these underlying services. This is especially true for IP PBXs, which often run a general-purpose operating system such as Windows or Linux, a database server, a Web server, and other software.

The reasons above and its presence on the shared IP network, bring VoIP the following vulnerabilities:

Signaling DoS Every component of a VoIP system must process signaling exchanged over the shared IP network. If the software implementing the signaling has implementation flaws, it is vulnerable to DoS attacks, including transmission of malformed packets and request floods.

Media DoS VoIP media (audio), normally carried by RTP, is vulnerable to attacks that congest the network or slow the ability of a phone or gateway to process the packets in real time.

Voice SPAM Voice SPAM, or SPIT, occurs when an attacker sends many unsolicited calls to an enterprise. These calls may go directly to users or voice mail.

Vulnerable IP Phones IP Phones (and softphones) are the most common component in a VoIP deployment and can be a challenge to secure. IP Phones often come with network-based access enabled and no/weak passwords.

Eavesdropping Most VoIP media is not encrypted during transmission. An attacker who has access to the network segment where media is transmitted or who can execute certain types of MITL attack, can access, gather, and playback the media.

Firewall Issues VoIP creates a number of issues for traditional firewalls. VoIP uses separate connections for signaling and media. The media sessions use random ports, which is an issue for firewalls because these ports are normally closed. VoIP also embeds IP addresses in signaling messages, which are ignored by traditional NAT. Firewalls also add latency to VoIP media packets and tears down calls if they fail. Finally, traditional firewalls do not monitor all of the VoIP protocols for the many types of attacks that can occur.

While a VoIP network has vulnerabilities, the threat of exploitation can be managed by following these recommendations:

General Security Develop policies, maintain strong physical security, follow best practices for securing an IP-based service, monitor resources for new vulnerabilities, maintain patches, remove unneeded network services from all components, enable and review logs, and use standards-based security add-ons (TLS and SRTP) where possible.

Secure the Network Build a fully-switched network, use VLANs for basic voice/data separation, use switches to provide the first line of security, and VPNs to secure traffic traveling over an untrusted network.

Secure the IP PBX Use secure operating systems, remove/lock down all network services, control administrative access, use host-based intrusion prevention, and use network firewalls/intrusion prevention systems.

Secure IP Phones Use phones that offer strong security, use strong passwords, disable unneeded network access, and secure the firmware upgrade process.

Deploy VoIP-Optimized Firewalls Monitor signaling and media for attacks, mitigate SPIT, provide call admission control, and perform protocol-aware NAT.

VoIP deployments will have vulnerabilities depending upon scope, vendor selection, configuration, and deployment scenario. Because VoIP deployments are still uncommon, generally separated from other data applications, use closed/proprietary protocols, and do not yet exchange VoIP with a public network, the threat of an attacker actually exploiting the vulnerabilities is moderate. This will change however, as more VoIP is deployed, as it becomes more closely integrated with other data applications, and protocols such as SIP are used to communicate with a public voice network. VoIPs evolution will require a focus on VoIP security, including deployment of VoIP-optimized firewalls at key network locations. IT

Mark Collier is the chief technology officer of SecureLogix Corporation. SecureLogix will participate in the Reseller Live Internet Telephony Conference & EXPO panel scheduled from 1:004:00 p.m. on October 26. If you would like to submit a question for the panel, please send to: [email protected].

If you are interested in purchasing reprints of this article (in either print or PDF format), please visit Reprint Management Services online at or contact a representative via e-mail at [email protected] or by phone at 800-290-5460.

Today @ TMC
Upcoming Events
ITEXPO West 2012
October 2- 5, 2012
The Austin Convention Center
Austin, Texas
The World's Premier Managed Services and Cloud Computing Event
Click for Dates and Locations
Mobility Tech Conference & Expo
October 3- 5, 2012
The Austin Convention Center
Austin, Texas
Cloud Communications Summit
October 3- 5, 2012
The Austin Convention Center
Austin, Texas