The Essential Guide to VoIP Security

Updated: April 30, 2009

It's a well-known fact that VoIP technology sends voice data over networks in the form of data packets. Data-networking technology allows IP telephony to provide an array of powerful and flexible call-management options at a rock-bottom cost.

The downside to VoIP's data-focused structure is that it exposes IP telephony systems to many of the same threats that imperil enterprise data networks and computers — and in some cases extends their range, making them more difficult to detect. Many observers believe that these security threats represent the biggest challenge that VoIP adopters currently face.


VoIP threats come in many forms, including:

  • DDoS (distributed denial of service) Attacks: DDoS attacks, although largely viewed as a Web-site threat, can also be used to take down a VoIP system. By flooding a network with useless data — including automatically generated spam calls — attackers attempt to ensure that VoIP calls can't get through or proceed only in a delayed and degraded fashion.
  • Snooping: Since some VoIP calls move over the open Internet, they are vulnerable to snooping at various points during their journey. An attacker with network access and a packet-sniffing program downloaded from the Web can monitor and record calls with relative ease. Even inside an enterprise that uses a private backbone, the same sniffing technologies can present a threat.
  • SPIT (SPam over Internet Telephony): SPIT is still a largely theoretical threat, but it's one that has the potential to be just as distracting and resource-draining as its email equivalent. Only a handful of SPIT outbreaks have been reported to date, but "legitimate," automatically generated political and credit-card calls are already pushing the limits of acceptability.
  • Vishing: Vishing is the VoIP counterpart to email phishing. Attackers target the phone numbers of VoIP users and attempt to lure them into bogus moneymaking schemes or trick them into disclosing credit-card numbers and other vital information. Like SPIT, vishing is not a widespread issue, but it is a growing problem.
  • Direct Hacks: Also like data networks, VoIP systems are vulnerable to direct hacks via unsecured "holes" in the system. Fortunately, also like data networks, there are groups watching for these vulnerabilities and pushing fixes out as soon as possible. These are usually system-specific problems; for example, a new release of Asterisk, the open-source IP PBX platform, might display a vulnerability. Typically, a fix is announced within a couple of days of the vulnerability's discovery.

Security Approaches

Dealing with VoIP threats is a constant, never-ending chore. Since attackers are always devising new ways of breaching VoIP safeguards, it's important that businesses keep on top of the latest threats and adopt fresh measures to counter evolving attacker strategies. Most security experts recommend that VoIP safeguards be blended with the measures that are used to protect a company's existing data network, creating a comprehensive security environment. Common security techniques (which apply to data networks as well as VoIP networks) include:

  • Firewall: A firewall is designed to allow or block data flowing into or out of a network. Firewalls are available as stand-alone hardware appliances or as software (typically installed inside a router or a gateway). A firewall can provide services such as stateful inspection (analyzing transactions to ensure that inbound packets were requested) and packet filtering (blocking data from specified IP addresses and ports).
  • IDS (Intrusion Detection System): An IDS analyzes incoming data traffic for suspicious types of activity. If it detects something peculiar, the IDS alerts the network administrator, who can then move to halt whatever event (such as a DDoS onslaught) is taking place. A variety of vendors offer IDS solutions with all sorts of capabilities, allowing businesses to find a product that most closely matches their requirements.
  • IPS (Intrusion Prevention System): An IPS is similar to an IDS, except that the product is designed to take immediate action — such as blocking a specific IP address or user — rather than simply issuing an alert. Some IPS products also use behavioral analysis to spot and stop potentially dangerous data.
  • DDoS Protection: Specific anti-DDoS products from vendors such as Cisco Systems Inc. and Symantec Corp. can quickly detect the start of an attack, filtering out bogus service requests so that legitimate ones can pass through unimpeded.
  • VPN (virtual private network): Placing the VoIP infrastructure on its own encrypted VPN "island" can isolate the system from external attacks.
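
The difference between an IDS (alert only) and an IPS (alert and block) can be seen on the call-flood case described under DDoS above. The Python example below is an added illustration, not part of the original article; the event tuple format, the threshold of 10 INVITEs per 5 seconds, and the documentation-range IP addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: (seconds, source IP, SIP method), as a border device might log them.
# 203.0.113.9 sends a burst of call setups; 198.51.100.4 places ordinary calls.
SAMPLE_EVENTS = (
    [(t / 5, "203.0.113.9", "INVITE") for t in range(30)]
    + [(1.0, "198.51.100.4", "INVITE"),
       (4.0, "198.51.100.4", "INVITE"),
       (5.0, "198.51.100.4", "BYE")]
)

def inspect(events, max_invites=10, window=5.0, prevent=False):
    """Sliding-window INVITE rate check per source address.

    prevent=False: IDS behaviour, one alert per offending source, all traffic forwarded.
    prevent=True:  IPS behaviour, alert, then drop all later traffic from that source.
    Returns (alerts, blocked_sources, forwarded_count).
    """
    recent = defaultdict(deque)   # source -> INVITE timestamps still inside the window
    alerts, alerted, blocked, forwarded = [], set(), set(), 0
    for ts, src, method in sorted(events):
        if src in blocked:
            continue              # IPS: a blocked source's traffic is dropped
        if method == "INVITE":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # forget call setups older than the window
            if len(q) > max_invites and src not in alerted:
                alerted.add(src)
                alerts.append((ts, src, len(q)))
                if prevent:
                    blocked.add(src)
                    continue      # the packet that tripped the rule is dropped too
        forwarded += 1
    return alerts, blocked, forwarded

if __name__ == "__main__":
    for mode in (False, True):
        alerts, blocked, forwarded = inspect(SAMPLE_EVENTS, prevent=mode)
        print("IPS" if mode else "IDS", alerts, sorted(blocked), forwarded)
```

In IDS mode every packet still reaches the PBX and an administrator has to act on the alert; in IPS mode the flooding source is cut off while the ordinary caller's traffic is untouched.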

Specific techniques for VoIP security usually focus on the human side of the equation and include:

  • SPIT and Vishing Education: Many enterprises take it upon themselves to educate employees and other VoIP system users about SPIT and vishing attacks, and to teach them to be alert to signs that someone may be trying to tap into the business's phone system.

Fundamentally, there is no difference between VoIP security and the normal security requirements associated with any well-protected data network. In nearly all respects, VoIP, Web and email protection are simply different aspects of a single security issue.
