The Essential Guide to VoIP Security

Updated: August 20, 2012

It's a well-known fact that VoIP technology sends voice data over networks in the form of data packets. Data-networking technology allows IP telephony to provide an array of powerful and flexible call-management options at a rock-bottom cost.

The downside to VoIP's data-focused structure is that it exposes IP telephony systems to many of the same threats that imperil enterprise data networks and computers — and in some cases extends their range, making them more difficult to detect. Many observers believe that these security threats represent the biggest challenge that VoIP adopters currently face.

Threats

VoIP threats come in many forms, including:

  • DDoS (distributed denial of service) Attacks: DDoS attacks, although largely viewed as a Web-site threat, can also be used to take down a VoIP system. By flooding a network with useless data — including automatically generated spam calls — attackers attempt to ensure that VoIP calls can't get through or proceed only in a delayed and degraded fashion.
  • Snooping: Since some VoIP calls move over the open Internet, they are vulnerable to snooping at various points during their journey. An attacker with network access and a packet-sniffing program downloaded from the Web can monitor and record calls with relative ease. Even inside an enterprise that uses a private backbone, the same sniffing technologies can present a threat.
  • SPIT (Spam over Internet Telephony): SPIT is still a largely theoretical threat, but it's one that has the potential to be just as distracting and resource-draining as its email equivalent. Only a handful of SPIT outbreaks have been reported to date, but "legitimate," automatically generated political and credit-card calls are already pushing the limits of acceptability.
  • Vishing: Vishing is the VoIP counterpart to email phishing. Attackers target the phone numbers of VoIP users and attempt to lure them into bogus moneymaking schemes or trick them into disclosing credit-card numbers and other vital information. Like SPIT, vishing is not a widespread issue, but it is a growing problem.
  • Direct Hacks: Like data networks, VoIP systems are vulnerable to direct hacks via unsecured "holes" in the system. Fortunately, also like data networks, there are groups watching for these vulnerabilities and pushing fixes out as soon as possible. These are usually system-specific problems; for example, a new release of Asterisk, the open-source IP PBX platform, might display a vulnerability. Typically, a fix is announced within a couple of days of the vulnerability's discovery.

Security Approaches

Dealing with VoIP threats is a constant, never-ending chore. Since attackers are always devising new ways of breaching VoIP safeguards, it's important that businesses keep on top of the latest threats and adopt fresh measures to counter evolving attacker strategies. Most security experts recommend that VoIP safeguards be blended with the measures that are used to protect a company's existing data network, creating a comprehensive security environment. Common security techniques (which apply to data networks as well as VoIP networks) include:

  • Firewall: A firewall is designed to allow or block data flowing into or out of a network. Firewalls are available as stand-alone hardware appliances or as software (typically installed inside a router or a gateway). A firewall can provide services such as stateful inspection (analyzing transactions to ensure that inbound packets were requested) and packet filtering (blocking data from specified IP addresses and ports).
  • IDS (Intrusion Detection System): An IDS analyzes incoming data traffic for suspicious types of activity. If it detects something peculiar, the IDS alerts the network administrator, who can then move to halt whatever event (such as a DDoS onslaught) is taking place. A variety of vendors offer IDS solutions with all sorts of capabilities, allowing businesses to find a product that most closely matches their requirements.
  • IPS (Intrusion Prevention System): An IPS is similar to an IDS, except that the product is designed to take immediate action — such as blocking a specific IP address or user — rather than simply issuing an alert. Some IPS products also use behavioral analysis to spot and stop potentially dangerous data.
  • DDoS Protection: Specific anti-DDoS products from vendors such as Cisco Systems Inc. and Symantec Corp. can quickly detect the start of an attack, filtering out bogus service requests so that legitimate ones can pass through unimpeded.
  • VPN (virtual private network): Placing the VoIP infrastructure on its own encrypted VPN "island" can isolate the system from external attacks.
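The difference between the IDS and IPS entries above, applied to the call-flood threat described earlier, can be shown with a small sliding-window rate check. This is an added example, not code from the original article or from any vendor product; the log format, the addresses (documentation ranges) and the 10-INVITEs-per-10-seconds threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed SIP log; the format (timestamp, source IP, method) is assumed."""
    base = datetime(2012, 8, 20, 10, 0, 0)
    lines = [
        # A normal phone: one REGISTER and two calls within a minute.
        f"{base.isoformat()} 192.0.2.10 REGISTER",
        f"{(base + timedelta(seconds=5)).isoformat()} 192.0.2.10 INVITE",
        f"{(base + timedelta(seconds=50)).isoformat()} 192.0.2.10 INVITE",
    ]
    # An automated caller: 30 INVITEs at two per second, starting at 10:00:10.
    for i in range(30):
        ts = base + timedelta(seconds=10, milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 INVITE")
    return lines

def inspect(lines, window_s=10, threshold=10, prevent=False):
    """Flag sources sending more than `threshold` INVITEs per sliding window.

    IDS mode (prevent=False): all traffic passes, alerts are only recorded.
    IPS mode (prevent=True): traffic from a source is dropped once it alerts.
    Returns (alerts, passed): {source: time of first alert}, list of events let through.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # source IP -> INVITE times inside the window
    alerts, passed = {}, []
    events = sorted((datetime.fromisoformat(ts), src, method)
                    for ts, src, method in map(str.split, lines))
    for ts, src, method in events:
        if prevent and src in alerts:
            continue                     # IPS: source is already blocked
        if method == "INVITE":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:    # expire INVITEs older than the window
                q.popleft()
            if len(q) > threshold and src not in alerts:
                alerts[src] = ts
                if prevent:
                    continue             # IPS: drop the message that tripped the rule
        passed.append((ts, src, method))
    return alerts, passed

if __name__ == "__main__":
    for mode in (False, True):
        alerts, passed = inspect(build_sample_log(), prevent=mode)
        print("IPS" if mode else "IDS", alerts, len(passed), "messages passed")
```

In IDS mode the flood still reaches the PBX and only an alert is raised; in IPS mode the same rule cuts the source off after its tenth INVITE while the normal phone is unaffected.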

Specific techniques for VoIP security usually focus on the human side of the equation and include:

  • SPIT and Vishing Education: Many enterprises take it upon themselves to educate employees and other VoIP system users about SPIT and vishing attacks, and to teach them to be alert to signs that someone may be trying to tap into the business's phone system.

Fundamentally, there is no difference between VoIP security and the normal security requirements associated with any well-protected data network. In nearly all respects, VoIP, Web and email protection are simply different aspects of a single security issue.
