VoIP Security: The Basics
Yes, voice-over-IP threats exist, including some new wrinkles. Sonus Networks' Bob Bradley says that, with care, you can mitigate risks to your networks.
By Bob Bradley, Sonus Networks
February 05, 2009 — CSO — With the continuing pressure to reduce fixed costs within business, enterprises and small- and medium-sized businesses (SMBs) are looking at Voice over IP (VoIP) as an opportunity for cost savings. There is increasing data verifying that the use of IP as a common transport for data and voice will provide a foundation for existing services such as voice traffic, and be a vehicle for new applications in the future such as presence and video.
Soft clients, powerful multi-function handheld devices, IP-enabled wireless networks within an enterprise, SIP-enabled handsets, and IP PBXs are becoming more pervasive in enterprise networks. Network managers are being asked to implement these new networks to provide top-quality services, without compromising network integrity. But with the introduction of any new IP device into the local network, there are security vulnerabilities that organizations must not only be aware of, but well prepared for.
VoIP security trends ... something old, something new
The security challenges in 2009 are mostly known vulnerabilities, but there are some new twists. The majority of these vulnerabilities were first discovered by carriers as they deployed VoIP in 2002 in search of cost savings in the delivery of services such as long distance. Today, there are solutions, both technical and procedural, that can mitigate these potential exploits. These solutions can be deployed directly by large enterprises, potentially servicing thousands of remote locations, or can be delivered as a managed VoIP/security service to smaller businesses. Here's a sampling of how enterprises can implement a robust, reliable and secure network to address the most pressing threats:
Threat #1: DoS/DDoS attacks
An old favorite of the hacker community, these attacks come at various protocol levels (e.g., IP layer, SIP layer) and are used to consume bandwidth and resources, especially in elements located on the edge of the network. These types of attacks can also affect other customers attempting to make calls.
To ensure proper mitigation in a large enterprise network, organizations need an enterprise-class solution that is designed specifically to scale in order to manage the influx of activity at the edge of the network. This scalability is critical because it ensures the secure edge element itself does not become overwhelmed when treating the attack; otherwise, it becomes a DoS agent itself. For SMBs, there are comparable products that can be deployed on-site or as part of a hosted service, protecting the SIP trunk to their premise-based IP PBX.
Threat #2: "I know what you said last summer"
Individuals with snooping tools can pick up or eavesdrop on voice calls on core networks. A popular eavesdropping location is an unsecured network connection from a VoIP provider's MPLS backbone using SIP trunking to an SMB's LAN.