Know what problems to expect and learn how you can avoid them.
Sipera Systems Inc.'s VIPER Lab, a Texas research group made up of experienced VoIP security teams operating globally around the clock, has identified thousands of vulnerabilities and security threats since its inception in 2003, including fuzzing, floods, spoofing, stealth attacks and VoIP spam. In January 2008, VIPER Lab released its predictions for the top five VoIP threats of 2008, as reported in Forbes magazine and elsewhere. What do you need to know now about your VoIP security weaknesses, and what can you really do about them?
The top five VoIP threat predictions for 2008 are:
2. VoIP Eavesdropping: In June 2007, it was learned that a hacker with a packet sniffer and VOMIT could tap directly into VoIP calls. Then it was learned that those vulnerabilities could also lead to DoS attacks. “Anyone on your network,” stated an article found at EnterpriseVoIPPlanet, “anyone on other networks that you contact — and all points in between, including service providers — all have the opportunity to do an awful lot of juicy snooping.” Not to mention, of course, that the FBI and other security agencies can do all the VoIP snooping that they want. How do you prevent unwanted listeners on your VoIP calls? Place all VoIP phones on separate, secured VLANs to protect against rogue devices, then protect those VLANs against the introduction of unauthorized devices. Once you've isolated your VoIP devices, limit their inbound and outbound traffic so that they can only communicate with their call manager, encrypt the calls that travel over public networks, and watch the news and get ready to react, according to SearchSecurity.com.
3. Microsoft Office Communications Server: Hackers love attacking Microsoft, and Microsoft loves being unprepared. VIPER Lab predicts that hackers will find vulnerabilities in Microsoft Office Communications Server’s VoIP client and use them to access networks that had previously been secure, and the organization is not alone in reaching this conclusion. Network World blogger Mitchell Ashley suggests that Microsoft could learn from Vonage’s vulnerability to spoofing attacks.
4. Vishing by VoIP: The FBI has been aware of vishing for nearly a year now, and the IC3 (Internet Crime Complaint Center) recently released a report stating that vishing attacks are on the rise. With caller ID spoofing, the criminals can be very difficult to track, “due to rapidly evolving criminal methodologies,” according to the IC3.
5. VoIP Attacks Against Service Providers: These sorts of attacks will escalate, VIPER Lab predicts, because of readily available, anonymous $20 SIM cards. As UMA (Unlicensed Mobile Access) technology becomes more widely deployed to allow calls to switch from cell networks to VoIP networks, VIPER Lab warns that “service providers are, for the first time, allowing subscribers to have direct access to mobile core networks over IP, making it easier to spoof identities and use illegal accounts to launch a variety of attacks.” Such attacks include scripting “various flood, fuzzing and spoofing attacks,” according to VoIP blogger Rich Tehrani. “The hacker could set up multiple IPSec tunnels to various PDGs in the network or across multiple GPRS sessions [generating] up to 10,000 messages per second … equal [to] the traffic of 10 million users,” he wrote.
So how can your company best protect its VoIP network from these sorts of threats? It should protect itself on three levels: network architecture, security protocols and user interaction. At the network level, hosting VoIP on a VPN (virtual private network) does a good job of separating VoIP’s security holes from the underlying data network. Like all computer systems exposed to outside vulnerabilities, a VoIP network should be covered in firewalls, anti-virus programs and a sturdy intrusion-prevention system. At the user level, company employees should be trained and assessed against high-risk security behavior, like using Google Talk, Skype or other hosted IP voice technologies that could expose the company’s VoIP network to outside attack.
Other VoIP security best practices include installing application-layer gateways between trusted and untrusted zones, establishing security zones to isolate VoIP segments, and applying encryption as a part of a holistic security program. For more information on security best practices, download the white paper "A Proactive Approach to VoIP Security."
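The isolation advice under threat 2 (phones on their own VLAN, allowed to talk only to their call manager, no unauthorized devices) can be checked against flow logs. The following is an added example, not taken from the article or any vendor: the subnet, call manager address, MAC inventory, port ranges and flow records are all constructed, and it assumes media is relayed through the call manager, so direct phone-to-phone traffic counts as a violation.

```python
import ipaddress

# All values below are constructed for illustration (assumptions, not from the article).
VOICE_VLAN = ipaddress.ip_network("10.20.0.0/24")
CALL_MANAGER = ipaddress.ip_address("10.20.0.10")
KNOWN_PHONES = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}  # inventory of phone MACs
# (protocol, low port, high port) a phone may reach on the call manager:
# SIP, SIP over TLS, and an assumed RTP media range.
ALLOWED = [("udp", 5060, 5060), ("tcp", 5061, 5061), ("udp", 16384, 32767)]

# Constructed flow records: src_mac src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """\
00:11:22:aa:00:01 10.20.0.21 10.20.0.10 tcp 5061
00:11:22:aa:00:01 10.20.0.21 10.20.0.10 udp 20000
00:11:22:aa:00:02 10.20.0.22 10.20.0.21 udp 20002
00:11:22:aa:00:02 10.20.0.22 203.0.113.5 tcp 443
de:ad:be:ef:00:99 10.20.0.77 10.20.0.10 udp 5060
00:11:22:aa:00:01 10.20.0.21 10.20.0.10 tcp 23
aa:bb:cc:00:00:05 192.0.2.9 10.20.0.21 udp 5060
"""

def is_phone(ip):
    """A phone is any voice-VLAN address other than the call manager."""
    return ip in VOICE_VLAN and ip != CALL_MANAGER

def audit(flow_text):
    """Return (line_number, reason) for every flow that breaks the policy."""
    findings = []
    for n, line in enumerate(flow_text.splitlines(), 1):
        if not line.strip():
            continue
        mac, src, dst, proto, port = line.split()
        src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        if is_phone(src):
            if mac.lower() not in KNOWN_PHONES:
                findings.append((n, "unknown-device"))        # rogue device on the VLAN
            elif dst != CALL_MANAGER:
                findings.append((n, "not-call-manager"))      # outbound policy broken
            elif not any(p == proto and lo <= port <= hi for p, lo, hi in ALLOWED):
                findings.append((n, "port-not-allowed"))      # unexpected service
        elif is_phone(dst) and src != CALL_MANAGER:
            findings.append((n, "inbound-not-call-manager"))  # inbound policy broken
    return findings

if __name__ == "__main__":
    for n, reason in audit(SAMPLE_FLOWS):
        print(f"flow {n}: {reason}")
```
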