Vanquish the VOIP Security Threat

With over a million users and growing, voice over IP (VOIP) is clearly gaining a foothold and it is anticipated that corporate users will drive the next phase of growth. Many companies are attracted by VOIPs promise of reducing corporate communications costs and the future promise of integrated multimedia.

But, in the rush to adopt VOIP, many organizations are overlooking the security implications of such a move, due in part to the limited number of widespread exploits targeted against VOIP implementations. However, the range of potential threats that exists is significant and warrants a closer look.VOIP Security Threats

With the convergence of data and voice, many of the threats that exist in data networks have their equivalents in the IP telephony world. Among the more serious threats are the following:

Denial-of-Service/Flooding One form of denial-of-service (DOS) attack targets the session initiation protocol (SIP) with a flooding attack. SIP is a widely accepted signaling protocol for IP telephony, Internet conferencing, and instant messaging. By flooding the system with call registration requests, the attacker can exhaust the resources of SIP network servers and create a DOS scenario.

Call Session Hijacking Another form of attack enables the attacker to gain access into a call session by compromising the SIP call signaling process. By injecting a SIP control packet into the call session, the attacker can essentially spoof a response from the SIP server to the endpoint. Similar to a “man-in-the-middle” attack, the attacker is now in a position to either perform call tampering or redirection.Sniffing SIP By sniffing on unencrypted call signaling packets between the SIP servers and the endpoints, an attacker can gain access to caller identity information, including account information and passwords. This opens the door to other threats such as rogue calling and identity theft.

Unsecured Endpoints Another attack takes advantage of the inherent weaknesses of “softphones” –- computers outfitted with a headset and a VOIP client application. Since these softphones are essentially PCs and likely to be running a version of Windows, they are inherently susceptible to attacks targeted to the Windows operating system, including buffer overflow attacks. Once successfully compromising a softphone client, the attacker can then leverage that position to launch other attacks.

Securing VOIP

In the face of these potential threats, security cannot be relegated as an afterthought. A thoughtful approach to a VOIP deployment should include a number of security best practices, including:

Virtual Local Area Networks (VLANs) By using VLANs, VOIP traffic can be segmented from the traditional data traffic. VLANs allow for a logical separation of a voice network and a data network that may span across multiple physical network segments. The use of VLANs will reduce contention for network services and ensure quality of service for VOIP transmissions. It will also help to protect the voice network from potential security risks incurred in the data network and vice versa.SIP Encryption This ensures that phone addresses and other call-related information isn’t easily compromised by simply sniffing the SIP traffic.

Minimization of Softphone Use Although you could certainly “harden” the softphone platform, the possibility for continued exposure remains as long as the softphone platform is running standard operating systems and application services. By moving to a hardware-based IP phone, you eliminate a potential weak point in your IP telephony infrastructure.

Security Tools Even if the traditional data and voice networks are separated via the use of VLANs, the axiom of “defense in depth” still holds to be true. As such, VOIP security should be managed as part of a common security architecture. Security tools such as intrusion prevention systems (IPS) with VOIP-specific functionality (for example, protocol validation for SIP) will help protect against the possibility of call tampering or session hijacking.

— Andre Yee, President and CEO, NFR Security Inc.