By DINESH NAIR

Break-ins, downtime and noise persist on VoIP networks despite its decade long existence. Companies that raced to replace the plain old telephone system with VoIP are paying the price for overlooking security. What can they do now?

AS WITH many technologies, Voice-over-Internet Protocol (VoIP) technology has its share of security risks and opportunities. Its promise of high cost savings and greater communication flexibility coupled with low-cost implementation has made VoIP an attractive option for many organisations, especially large conglomerates.

However, MIS (management information systems) administrators often make the mistake of assuming that security remains infallible when a VoIP component is plugged into the current network that has been secured.

The inclusion of any VoIP component into any type of network would mean that the current security processes must be re-examined to incorporate new security features and to ensure that the reliability and security of the system is enhanced without sacrificing the quality of service delivered.

Organisations keen to deploy VoIP should protect themselves from three aspects: Network architecture, security protocols and user interaction.

It is vital to look for a communications network architecture that seamlessly integrates both Internet Protocol (IP) and legacy Time Division Multiplexing (TDM) connections to unify voice, data and video on a single IP-based network.

This simplifies the deployment, integration and management of an organisation’s IT systems and infrastructure.

The converged communications platform also creates a single-image and transparent system across all geographies, allowing employees to work collaboratively and efficiently, resulting in reduced infrastructure cost.

Standard security elements such as firewalls, passwords and encryption must be hardy. Check to see that vendors have ensured that application gateways between trusted and untrusted zones are installed to isolate public from private spaces within the network. Industry-standard protocols must also be deployed across all the solutions.

Eyeballing it

Let’s take a look at five common (and major) security flaws of VoIP and how each can be addressed.

1. Denial of service (DoS)

One of the most vulnerable flaws on a VoIP network lies in the softswitch that is open to a denial of service (DoS) attack crippling the IP PBX. When an IP PBX telephone system is compromised through DoS, users will experience a drop in service quality and eventually are unable to perform simple tasks like placing or receiving calls or sending faxes.

Most solutions available from VoIP vendors protect IP PBX systems from DoS but are not thorough enough to combat stealth DoS attacks.

How do you tell that your VoIP network is secure? For one, it should have a built-in packet filtering firewall that ensures only authorised clients are able to make or receive calls.

Secondly, the network is further secured with each Session Initiation Protocol (SIP) account authorised through an encrypted username and password. The username and password is further secured as it is never sent as clear text over the network and is complete with a comprehensive access control list protecting it.

Another effective way to block DoS attacks is to enable the built-in firewall to block attacks coming from specific IP addresses or IP address blocks.

2. Eavesdropping over the network

Many organisations make the mistake of encrypting only the data traffic on its VoIP network and neglect to protect voice or audio traffic that is routed through the IP PBX. Rogue crackers can easily sniff out voice traffic and listen in on calls transmitted over any IP network.

Organisations would be better off encrypting the entire virtual private network (VPN) completely as not only will this prevent eavesdropping over the network but would also protect sensitive information from being compromised.

A VoIP solution that supports built-in VPN through Windows Point to Point Tunneling Protocol (PPTP) as well as the industry standard IP security to encrypt all communications between the softphone and the IP PBX would be the best bet.

3. Vishing on VoIP

Almost everyone is familiar with the term “phishing,” where forged e-mail messages purportedly from your bank or financial institution ask you to enter personal identification data which is then used to log in as the affected victim.

Over the VoIP network, fraud has reared its ugly head through “vishing,” where Caller ID information is forged in order to allow the victim to be fooled into thinking that the call is from the bank. To prevent your VoIP network from such unscrupulous attacks, a fullfledged softswitch and IP PBX implementation is best.

A mere SIP (Session Initiation Protocol) proxy is not good enough. A solution that enables strict enforcement of the Caller ID mapping to each individual SIP account which is centrally controlled would prevent potential “vishing” attacks as well as ensures that the caller ID of the actual caller is correctly correlated and displayed.

The inclusion of access control lists within the system would ensure that only the necessary devices are allowed to register and to make phone calls.

4. Threat of viruses and worms attacks on the VoIP server

Our increasingly converging communications environment may make access to information and reach to people easier and cheaper than before. However, the threat of viruses or worms infecting the VoIP server and bringing down the communications system has also become increasingly real.

A solution that is a fully firmware-based embedded operating system that is built on a memory segmented model would prevent viruses and worms from taking over the network. Furthermore, a very secure Unix-based kernel would further insulate the server from the usual viruses and worms which commonly infect Windows-based communication and VoIP systems.

5. SPIT – SPAM over Internet Telephony

We are all familiar with spam but SPIT (SPAM over Internet Telephony) is also gaining attention. As telephony moves to the Internet, so will the unsolicited automated calls driven by interactive voice response (IVR) systems hawking unsolicited commercial products.

The emergence of these automated telemarketers will be disruptive to business and consume precious time as users are unable to detect nor prevent incoming calls.

However, there are solutions that can detect SPIT by piping calls through a background voice detection check to classify if the the calls are from mechanised source.

A solution that has a privacy function built into IP PBX systems can automatically filter callers, putting them on hold while the receiver decides if he should take the call, send it to voicemail or to just hang up.

Such choices are remembered by the system, and will be automatically filtered the next time the same caller calls. A better solution would be to use a traffic analysis to trace the source of the SPIT and block the compromised servers.

Conclusion

Security threats over the VoIP are very real and organisations need to make the right precautionary choices to ensure that voice communication will be safe.

Organisations can begin by conducting a VoIP security audit to determine the gaps before putting in place a stringent network practice that would protect their networks, and ultimately the bottom line.

(Note: The author is chief technology officer at homegrown IP telephony solutions provider QubeConnect Sdn Bhd.)