Expert Tip: Does VoIP create new security worries?

In this expert tip Security Expert Ed Eliff addresses the security issues created by voice over IP.

Q: Does VoIP raise any security issues I may not be covering today? If so, what are they and how do I address them?

A: Since VoIP relies on a communications medium that is inherently insecure, VoIP technology is susceptible not only to attacks against VoIP-specific technology, but to general Internet attacks as well. In addition, as additional technologies are required for VoIP communications, those technologies will also be susceptible to attack.

In essence, VoIP in its current offerings is a hybrid of traditional PSTN technology and Internet technology. From a security viewpoint, this juxtaposition is one of a relatively secure (due to its proprietary nature and lack of access by the public) PSTN with a fundamentally insecure (by virtue of uncontrolled anonymous access and encouraged access by the public) Internet. This does not mean that VoIP is destined for failure. In fact, there are signs that VoIP will continue to grow, much as the other Internet technologies have grown in response to Internet acceptance.

However, let's not be complacent - VoIP technology (especially the security aspects thereof) is immature and yet another factor to consider on an already burdened Internet infrastructure.

Data traffic represents the primary Internet telephony security target. VoIP packets lack clearly recognised signatures, making it difficult for IT administrators to distinguish legitimate VoIP traffic from Trojans that are slipped into the network. To protect against this threat, IT administrators must isolate the VoIP network completely, using entirely separate networks for voice and data traffic, or by connecting through a VPN.

As mentioned, VoIP in any incarnation is just as susceptible to Internet-based attacks as any other Internet technology, such as: DoS attacks; DNS weakness attacks; malicious code attacks; packet interception and translation (eavesdropping); packet interception, translation and spoofing; man-in-the-middle and man-in-the-loop attacks; spam over Internet telephony (SPIT) attacks; and ISP port blocking.

However, the additional technology associated with VoIP implementations is another layer of complexity that will come under attack by malicious actors. The largest attack vectors at this time are the protocols that VoIP uses for its operation. These protocols are a moving target for developers and because they are not yet static, are susceptible to ongoing vulnerability discovery. Additionally, different vendors use proprietary protocols, and some vendors pay more attention to security than others.

As for the other hardware which might be vulnerable to attack, there are currently 1,631 VoIP providers from 127 different countries. There is no requirement (other than caveat emptor) in VoIP design that demands security be a consideration.

VoIP protocols are not the only weakness of a VoIP implementation. Other facets of VoIP infrastructure are, by their very nature, difficult to secure and include: conventional crimes (such as theft), firewall open ports (ports that normally would be closed must now be opened), IP phones (often shipped as a network enabled device with default (or no) passwords for access) and authentication (most VoIP installations do not require strong authentication among VoIP devices).

VoIP Security Considerations

Several protocols currently exist that are being used for VoIP transmissions. The emerging standard, and the one that is most supported by associated security standards, is ITU H.323 version 5. ITU H.323 version 5 supports another standard for security, known as ITU H.235, which is the de-facto security and encryption standard for ITU H.323.

If considering a new VoIP solution, consider adoption of this standard with an implementation that includes the associated security standard ITU H.235. In addition to selecting the ITU H.323/ITU H.235 standard, common network security precautions can also assist in preventing VoIP exploitation, such as VoIP encryption, adequate network protection, failover contingencies, as well as net neutrality considerations.

While not a security issue per se, the ongoing debate over Net Neutrality legislation is cause for concern to at least some VoIP providers and end users. The proponents of Net Neutrality hold that ISPs should treat all packets transmitted by the Internet equally, without regard to transmitter, originator, or pack type. While the exact ramifications of the presence or absence of Net Neutrality legislation on VoIP traffic is unclear, its impact will undoubtedly affect either VoIP costs or levels of service.

Read more on Network security management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.