Home » Data Protection » Network Security

Industry View

Industry View | VoIP Security

Bob Bradley of Sonus Networks provides practical tips for mitigating VoIP security risks

April 17, 2008 — CSO — VoIP is well known among carriers and service providers as a powerful enabler of new services, as well as a cost-reduction mechanism. The technique of using IP peering to pass VOIP traffic was initially deployed between carriers to expand market presence globally, increase potential customers and deliver new services. As time progressed, however, IP connections developed to the point that they could become more than just access service providers and were enhanced to reach consumers via DSL and cable. As a result, carriers were able to deliver high-demand, IP-based triple-play services (TV, phone, Internet access).

Today, network operators are turning to direct IP-trunk connections to deliver carrier-class business services across a range of business environments, from large enterprises to small and medium-size businesses.

As the benefits of VoIP were realized by not only carriers but also enterprises, VoIP has quickly replaced legacy telephone systems in some of the world's largest organizations. And, as with many popular technologies, as VoIP's adoption has spread, it has become a prime target for security breaches, attacks and system vulnerabilities.

What's threatening VoIP?

The security risks to VoIP deployments are vast. To ensure the best possible protection against current and emerging threats to this technology, businesses must understand where risk exists and audit their current security practices to address any system vulnerabilities that could allow these risks to be exploited. The following is an overview of the primary threats to current VoIP deployments.

Toll fraud. Savvy hackers can piggyback off the enterprise VoIP network to conduct several nefarious activities, including breaking through to the carrier's system to make free phone calls; infecting the network with viruses and stealing confidential company information, such as billing details.

Lack of authentication exploitation. On an IP-based network, it is possible to assign ownership and access privileges over specific phones lines. However, without proper end user authentication, it is easy for an individual to hijack a colleague's line and place calls as that person or gain access to a line with higher authority or systems rights. The potential risk associated with any of these scenarios can lead to reputation damage, legal ramifications or information theft.

Drains on corporate bandwidth. By exploiting the VoIP network, there are many ways in which attackers can impact corporate bandwidth, and many of these can be crippling to overall operations. Attackers can launch internal denial of service (DoS) attacks that have varying impacts on network bandwidth. For example, a DoS attack against the IP network can target just the voice network, flooding the system with calls, or it can also target traffic that impacts the quality of service for legitimate users.