Security specialists have warned that Voice over IP (VoIP)
deployments could compromise corporate networks, writes Antony
Adshead.
Unless users are wary of the security dangers of the technology and
address the related issues of quality of service, deployment can
lead to denial of service (DoS) attacks, telephony theft,
eavesdropping and voicemail spoofing.
Glyn Geoghegan, principal consultant at Internet Security Systems,
said, "Many in the industry have not analysed the potential
problems. Some are looking at issues of quality of service but not
at the related security threats."
He highlighted the three main areas of concern as DoS, telephony
theft and packet sniffing.
DoS attacks result from the fact that IP-encoded voice packets
travel over the same network as data. An attacker can generate so
much voice traffic that the network is swamped, inhibiting data
traffic, or can generate so much traffic on key network segments
that quality is degraded or VoIP traffic is prevented from getting
through. Bandwidth management is essential to ensure that data and
voice get their required share and do not inhibit one
another.
Infrastructure devices must be secured to prevent an attacker
rerouting voice traffic that can then be captured, analysed or
modified.
Telephony theft can happen when attackers use the corporate phone
system for their own means. Access to exchanges must be rigidly
controlled and, ideally, should be protected by a firewall.
The prevailing technology in VoIP is H.323, which is not encrypted.
Geoghegan explained that packets - primarily those on public
networks - can be "sniffed" out and played back in real time by a
third party. To prevent this, traffic should be run over a virtual
private network (VPN), he said. Revised H.323 standards provide
security within the protocol using CryptoH323Tokens in the
registration, admission, signalling (Ras) messages. These enable
the voice gateways to authenticate each other on a per-link or
per-call basis.
Tim Pickard, strategic director of marketing at RSA Security, said
voicemail is also a potential source of weakness on the VoIP
network. Traffic can be redirected to "ghost" mailboxes set up by
hackers. To guard against this, digital certificates can be used to
authenticate devices on the VoIP network.
Voicemail passwords are another source of weakness, and Pickard
recommends stronger measures if security is a major
consideration.
Eric Paulak, an analyst at Gartner, said companies cannot afford to
ignore the voice route into the corporate network. "You don't want
the back door open so that people can get in and compromise your
data network," he said.
"Voice professionals implementing VoIP don't seem to have the same
awareness of security issues as network professionals. There is
better awareness than we initially thought - but it is still
poor."
What is VoIP?
Voice over Internet Protocol (VoIP) sends
packets of voice information in digital format, in contrast to the
constant flow of an analogue signal in traditional circuit-switched
telephone networks. Implementors position a VoIP device at a
gateway where it receives packets of audio transmissions and then
routes them to other parts of the intranet or, using a T-carrier or
E-carrier interface, converts them for sending over the public
switched telephone network (PSTN).