However, with these benefits come a host of security and connectivity considerations. Companies moving to VoIP will face familiar security threats such as worms and denial-of-service attacks, as well as new threats introduced by VoIP itself. Companies will need to take steps to include security planning in their VoIP deployments.
In the old days, phone phreakers tried to get free phone services. What if phone systems were no longer closed, but connected to the internet? Theft of service is the opportunity that VoIP provides. Hackers can make free, unauthorized telephone calls that often end up billed as company VoIP usage. Even internal employees can fool billing systems to gain unbilled phone services. These attacks can go unnoticed but directly impact an organization’s bottom line.
On the other hand, voice system hijacking works by compromising the underlying components of VoIP. Malicious users can remotely manage devices, change settings and even eavesdrop on phone conversations. Besides the havoc this attack wreaks on the actual VoIP system and voice communications, it presents a significant security risk for companies in terms of confidential data loss that can occur when hackers use the VoIP infrastructure as an entry point.
Currently, these threats are theoretical. However, as more organizations move to VoIP, these types of attacks, as well as new attacks targeting VoIP infrastructures, will present an increasing risk.
Securing a VoIP deployment requires a multifaceted approach. There are key issues and decisions to take into account related to infrastructure placement, inbound-outbound connectivity, and detection of VoIP-specific malicious activities.
First, choose VoIP components that are security-friendly. Make sure the components you select for your VoIP infrastructure will integrate easily into your network without introducing undue security risk. They should neither introduce new points of exploit nor force you to compromise your existing security methodology.
Also consider infrastructure placement carefully. At a high level, companies should consider placing control elements, especially externally accessible ones, on a separate segment from their core network. This divide-and-conquer approach increases protection for the internal network in the event that a VoIP system is compromised, and protects sensitive components such as the IP-PBX, Centrex and management infrastructure.
Finally, use VoIP-aware security solutions. In addition to carefully choosing VoIP infrastructure components and their placement, a VoIP-aware network security solution adds an extra layer of protection. A network security solution that proactively monitors VoIP-related network traffic and looks for signs of VoIP attacks greatly reduces the risks associated with deploying VoIP. A good solution should be able to identify suspicious call behavior, including improper or redundant commands. This type of solution protects organizations against attacks that originate from outside as well as from within.
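To make "improper or redundant commands" concrete, the following Python example is added here for illustration; it is not from the original article or from any product. It assumes SIP as the signalling protocol (the article names none), and the function names, the MAX_REPEATS threshold and the sample traffic are all constructed for this example.

```python
import re
from collections import Counter
# SIP request methods (RFC 3261 plus common extensions).
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "INFO",
                 "SUBSCRIBE", "NOTIFY", "REFER", "UPDATE", "PRACK", "MESSAGE", "PUBLISH"}
IN_DIALOG = {"ACK", "BYE", "CANCEL"}  # only valid for a call that began with INVITE
MAX_REPEATS = 3                       # assumed allowance for normal retransmissions
START_LINE = re.compile(r"^([A-Za-z]+) \S+ SIP/2\.0$")

def header(msg, name):  # value of a SIP header, or None if it is missing
    m = re.search(rf"^{name}:[ \t]*(.+)$", msg, re.I | re.M)
    return m.group(1).strip() if m else None

def inspect_sip(events):
    """events: iterable of (source_ip, raw_request); returns (source, kind, detail)."""
    alerts, invited, seen = [], set(), Counter()
    for src, raw in events:
        msg = raw.replace("\r\n", "\n")
        first = msg.split("\n", 1)[0]
        m = START_LINE.match(first)
        call_id, cseq = header(msg, "Call-ID"), header(msg, "CSeq")
        # Improper: unparseable start line, unknown method, or missing mandatory headers.
        if not m or m.group(1) not in KNOWN_METHODS or not call_id or not cseq:
            alerts.append((src, "improper", first))
            continue
        method = m.group(1)
        if method == "INVITE":
            invited.add(call_id)
        elif method in IN_DIALOG and call_id not in invited:
            alerts.append((src, "improper", f"{method} without INVITE for {call_id}"))
        # Redundant: the same request repeated beyond the retransmission allowance.
        seen[(src, call_id, cseq)] += 1
        if seen[(src, call_id, cseq)] == MAX_REPEATS + 1:  # alert once per burst
            alerts.append((src, "redundant", f"{cseq} repeated for {call_id}"))
    return alerts

def req(method, call_id, cseq):  # build a minimal constructed SIP request
    return (f"{method} sip:100@pbx.example.test SIP/2.0\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {cseq} {method}\r\n\r\n")

# Constructed sample traffic: one normal call, a REGISTER burst, two improper commands.
SAMPLE = ([("192.0.2.10", req("INVITE", "a1", 1)), ("192.0.2.10", req("ACK", "a1", 1)),
           ("192.0.2.10", req("BYE", "a1", 2))]
          + [("198.51.100.7", req("REGISTER", "r9", 5))] * 5
          + [("203.0.113.4", req("BYE", "zz", 1)), ("203.0.113.4", req("FOO", "q", 1))])

if __name__ == "__main__":
    for alert in inspect_sip(SAMPLE):
        print(alert)
```

The normal call from 192.0.2.10 raises nothing, while the repeated REGISTER and the two out-of-context commands are reported with their source address, which covers sources inside the network as well as outside it.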
Finding the appropriate balance between security and productivity while leveraging VoIP services is critical in all deployment scenarios. Including security planning as part of a VoIP deployment decreases the risk factors that accompany the benefits.
Exploits once limited to mission-critical corporate systems now have the potential to bring down an entire communications network. By taking the appropriate steps, companies can reap the benefits of a secure network, as well as the cost savings associated with their VoIP deployment.