As the epidemic of spam and malware continues to barrage email systems, one might think the industry would have learned to build strong security into new communications protocols. Unfortunately, in the case of VoIP - the most important new communications protocol since SMTP - this is not true. Historically, the development of VoIP infrastructure has prioritized quality and reliability over security, with few security measures being built in.
Today, VoIP has emerged as a mainstream communications tool that many businesses are starting to integrate into their networks. Without strong security built in to protect users, we will likely see a new era of malicious VoIP attacks, much like what we are now witnessing with other IP-based communications.
Why VoIP is vulnerable
VoIP is simply data transmitted in digital packet form. This means it can be attacked, hacked, intercepted, manipulated, re-routed and degraded just like packets on the data network. All of the maladies of the data network – viruses, worms, trojan, DoS attacks and hijacking – are possible on the VoIP network.
Thus, it isn't a far stretch to imagine the creation of "telephony botnets" capable of shutting down call centers. While no cases of this type of attack are on the public record, many large call centers are already working with security experts to test their infrastructure against DDoS attacks.
In addition to DDoS, here are other examples of potential VoIP attacks:
· Toll Fraud/Service Theft — This will likely be the most common attack in the early stages of VoIP, where an unauthorized user gains access to the VoIP network by mimicking an authorized user or seizing control of an IP phone and initiating outbound long distance calls.
· Eavesdropping — VoIP services measurement and troubleshooting software makes eavesdropping on a packetized voice call relatively easy.
· Phishing — The same techniques used to steal identity information over email are being used over VoIP. Criminals spoof caller identification information so it looks like the call is coming from a legitimate organization and then ask the call recipient for identity information.
Protecting Your business
There are three main steps you can take to provide a strong foundation for VoIP security.
1. Keep your VoIP network separate
Externally – If you don't have to expose your VoIP system to the Internet, then don't. However, an increasing number of companies are opening their VoIP networks to facilitate communications with mobile workers using softphones or laptops to connect via the Internet.
Take every step to ensure that there is some level of authentication and encryption in place for these communications. A virtual private network (VPN) is a good way to maintain the integrity of communications from any trusted person connecting to your VoIP system from an untrusted network.
Internally – Many organizations still use closed VoIP systems as an internal tool to call between office locations. But even if it is blocked off from the Internet, you still need to separate it from your desktop and network environments, any key servers, and other VoIP networks. Likewise, if your VoIP network runs in a converged environment, you'll need to separate it at an abstract level – using a VPN or VLAN – to ensure that any attacks or compromises to the network are localized and don't affect your VoIP equipment, and vice versa.
2. Implement VoIP-aware security intelligence
Even if you are diligent about keeping your VoIP network separate, and you've implemented a VPN to protect both internal and external communications, there are still attacks specifically designed for VoIP that require a deeper level of protection. For instance, there will be people who have legitimate access to your VoIP network who can use this access to launch an attack or conduct other illicit activities such as eavesdropping or hijacking calls.
VoIP architecture contains many different protocols, which standard intrusion prevention systems (IPS) and firewalls are not capable of handling. Make sure to implement IPS and firewall technology that is "VoIP aware" and can look deep into the traffic. You want to be able to allow legitimate users to go through, while accurately identifying and blocking suspect traffic before it becomes a threat.
You also want to ensure that you have intelligent IPS deployed between VoIP gateways and near your call manager, a key area of attack that contains all your critical user information.
3. Protect against rogue VoIP usage
It is almost guaranteed in any sizable company that you'll find unsanctioned use of consumer peer-to-peer VoIP technologies such as Skype or Google Talk. These tools introduce a high level of risk to your network since they are designed to find multiple ways to tunnel out of the network to the Internet, easily bypassing standard firewalls. One way to address this is to install VoIP-aware IPS and firewalls at all the key access points, which will enable the organization to design a policy to either block this type of traffic entirely or decide who can use these tools and in what capacity.
If you have taken steps to address VoIP in these three areas, then you have gone a long way toward protecting your business and improving bottomline VoIP security.
-Neel Mehta is team lead for X-Force's advanced research group, a part of IBM Internet Security Systems.
