VoIP Can Be Vulnerable To Hackers, Too

As VoIP sweeps across the high-technology landscape, many IT managers are lulled into a dangerous complacency because they look upon Internet phoning as a relatively secure telecommunications technology and not as an IP service susceptible to the same worms, viruses, and other pestilence that threatens all networked systems.

"With VoIP," said security specialist Mark Nagiel in an interview, "we're inserting a new technology into an unsecured and unprotected environment. VoIP is essentially availability driven, not security driven, and that's the problem." Nagiel, who is manager of security consulting at NEC Unified Solutions, said, however, that various measures can be taken to protect VoIP from the specific threats that confront Web telephoning.

The first step--an obvious one, he says--is to secure existing TCP/IP nets. Nagiel is finding that the new government-required regulations--such as Sarbanes-Oxley, which stipulates improved accounting record-keeping, and HIPAA in health care--are helping IT managers because they impose security discipline across-the-board. "The financial and health-care fields are getting secured very quickly," said Nagiel.

Even so, there can be difficulties. He noted that in hospitals, where the protection of patient records has generally been excellent, hospitals often neglect to completely secure physicians' conversations. Security managers can overlook the fact that VoIP conversations can reside on servers that can be hacked.

The traditional voice model utilized PBXes, which were stable and secure, Nagiel noted. If the VoIP infrastructure isn't properly protected, it can easily be hacked and recorded calls can be eavesdropped. He says the networks utilized to transmit VoIP--routers, servers, and even switches--are more susceptible to hacking than is traditional telephony equipment.It's also relatively easy to launch an attack against a VoIP network because the software tools available to hackers and others bent on invading a network are more available and easier-to-use. "And the exposure levels have gone up because there are so many nets," he said.

What's the solution? "You need strong encryption over VoIP servers and VoIP client devices," Nagiel said. He observed that extensive encryption can slow down efficiency of networks, but encryption is a small price to pay to avoid denial-of-service and invasions of networks. Another useful defense tactic is to use VLANs "whenever possible to separate traffic," according to Nagiel. In this way, transmitted data can be segregated into unique VLANs for data and voice transmission.

Nagiel cautioned, however, that security managers should resist using shared Ethernet network segments for voice.

One seemingly benign issue--the growing use of softphones on laptops--can easily be violated, Nagiel said, suggesting that softphones be encrypted, too.