Guarding the spoken word


Security for voice networks is as vital as for data systems says Tana Scouras, but many lack even the basics

Security has certainly captured the attention of information technology management. For telecommunications networks, the dynamic pace of change has created the extra burden of maintaining systems against fraud, preventing unauthorized access, and more recently, ensuring content privacy during transmission. Voice network systems, encompassing legacy PBXs, media, messaging and voice-over internet protocol (VoIP) servers, are vulnerable to security threats, and face new dangers as they become integrated into the corporate WAN.

Open systems cause problems

The evolution of voice networks from closed, standalone systems to open, network-integrated platforms has produced new management problems. As legacy PBXs become 'IP-enabled,' and integrated into corporate networks, issues of security and privacy are compounded. Hardware vendors have moved away from older, proprietary systems to those such as Windows NT, whose publicized vulnerabilities are often a target of attack. Security issues such as viruses and denial-of-service attacks, and even message privacy, have now migrated into the voice domain.

Legacy and next-generation communications systems are vulnerable to both external and internal attacks. External threats, arising from outside the intranet, typically result from holes in hardware configuration or lax operational policies that leave systems vulnerable. The majority of breaches are still the result of overlooked or unenforced operational procedures. In 2002, there was a well-publicized security breach of the voice mailbox of Hewlett Packard's CEO. This event underscores the vulnerability of voice messaging servers in any organization.

External hackers try to enter vulnerable access points such as PBX trunks and stations, message server mailboxes and remote access logins. For example, a hacker can dial into a PBX and randomly test trunk access codes to seize outgoing trunks for toll calls. Toll fraud from telephone stations is a common focus of telecommunications administrators. Direct inward system access (DISA) ports allow for remote access into PBXs by employees with proper authorization codes, but they are also an open door to hackers. Next-generation VoIP servers are also vulnerable, as gateway access lists and firewalls require proper configuration, especially gateways that interface with public networks and the internet.

Don't rely on defaults

Voice systems still rely on remote access for maintenance and administration. Organizations often disallow firewall access to outside vendors, so maintenance is handled remotely, usually via dial-up modems. Similarly, legacy systems that are not on the LAN still rely on dial-up modems for administration.

These systems typically have a standard set of logins and default passwords. Surprisingly, many of the default passwords have never been changed, and are widely known and even published in hacker magazines or internet newsgroups. In addition, hardware vendors provide system documentation on their web sites, so login and access information is in the public domain.

A favorite target of messaging servers is uninitialized and abandoned mailboxes. It is impossible for telecommunications personnel to keep up with employee terminations and layoffs, and consequently, voice mailboxes remain activated. It's relatively easy to find an uninitialized mailbox, as organizations set an obvious or easy initial password for new employees, and there is usually a time lapse before employees actually initialize their mailbox and change the default password.

While performing an internet search using the keywords 'security' and 'voice mail,' I came across at least a dozen articles from organizations that published directions on accessing their internal voice mail system and setting up a mailbox. Not only were the telephone access numbers published, one university even posted the default password. How long will it take a hacker to identify the numbering plan and systematically go through the mailbox range to find an uninitialized mailbox?

Internal breaches involve access from the corporate network. Packet or network sniffing technology is widely and easily available, and enables hackers to capture and view IP packet header and content information. The use of network sniffers by college students is a constant nuisance for IT security staff. Network sniffers are a concern for data networks, but also one for PBX and messaging servers that are IP-enabled. These legacy systems do not utilize server-side encryption for administration access, so logins and passwords can easily be captured.

Taking the triple approach

VoIP technology creates issues of privacy as well as security. Voice terminals are identified by an IP address, which is contained in packet headers. Sniffers can read these packet headers and capture message content, as message content is saved to computers and then decoded. Privacy concerns for packet content are more prevalent when VoIP packets are sent over the internet.

Securing the voice network requires a three-pronged approach: developing methods to identify problem areas, regularly monitoring configuration and usage data, and implementing hardware and software tools to reduce or eliminate possible threats. Regular audits of calling activity for all communications systems should be an integral part of organizational policy. Concerns over virus and denial-of-service attacks require the same vigilance and safeguards as data networks. Understanding how these attacks occur ensures that policies address hardware configuration and management, and regular reviews identify problems before they occur.

There are many issues in controlling voice networks. Identifying weak points, implementing software tools and hardware devices, combined with internal procedures, provide measures to secure the network.

Tana A. Scouras is the founder and chief architect at Vitel Software, Inc. (

Reducing the threats Hardware and software tools

  • Hardware vendors are introducing products with embedded security controls, such as login authentication and session encryption.
  • Older systems can utilize security devices that front-end the system with authentication technology. These offer different levels of security such as an additional password tier, modem control lists, access authentication, session auditing and encryption.
  • Dial-up modems for administration can be replaced with terminal servers, which limit access to intranet users only and provide additional security features.
  • Network segments with IP-enabled PBX and messaging servers should be isolated from networks that could host packet-sniffing agents.
  • VoIP hardware vendors recommend the separation of voice and data traffic elements.
  • VoIP servers use packet encryption techniques to provide security during message transmission.
  • Authentication is another component that verifies the recipient of intended traffic.
  • Several protocol standards address security in VoIP networks.
  • Two of these,layer 2 tunneling (L2TP) and IPsec, concentrate on VPN security. For VoIP traffic, IPsec provides authentication and content security for packets.
  • All traffic over the public network should be encrypted.

Identifying the problem areas

  • Analyze usage patterns outside expected levels for a class of service, or for a type of user or department. Unusually high usage can indicate fraud or abuse, while little or none could mean an open station or mailbox. Telemanagement software packages can pinpoint out-of-range values and possible toll fraud.
  • Establish thresholds for login attempts to mailboxes and for lower-level maintenance accounts. The login or mailbox should lock up when the threshold is hit. There may be system logs that record the number of invalid attempts into mailboxes or admin accounts.
  • Change default authorization codes, administrative and maintenance logins on a regular basis.
  • Define a process for identifying and removing abandoned and uninitialized mailboxes. Remove mailboxes that have not been accessed in 60 or 90 days, or that demonstrate little or no usage.
  • Always enforce password schemes.
    Finally,don't post directions on using internal systems on the internet!

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.