VoIP Security

Defined: Voice over IP (VoIP) Security is a branch of the information security field that is specifically applied to VoIP infrastructures. The objective of VoIP security is to preserve the availability of VoIP services, to protect information carried and stored by VoIP systems from theft or corruption, to maintain voice communication integrity or QoS (Quality of Service), and to prevent voice communication from carrying spam and from being used fraudulently (toll fraud).

Background: VoIP operates differently than data services. For example, in order to establish real-time communication VoIP uses various signaling protocols such as SIP to identify the calling parties, define call characteristics and ring the phone. Once the call is established the conversation is carried over an IP network using packetized voice. Signaling protocols have their own specific characteristics such as dynamic assignment of ports for RTP traffic.

While the signaling phase is handled, in the case of enterprise VoIP, by a PBX and Call Manager, in most implementations RTP traffic is routed in peer-to-peer (P2P) mode between the calling parties, completely bypassing the PBX/Call Manager. From a security perspective, it is very difficult to protect the various end-points using P2P communication, given that RTP traffic is a stream of packets with random, binary content created by digitizing human speech, and that all VoIP phones, regardless of vendor and geographical location, use this protocol. Finally, traffic flows directly between phones without any centralized controllers.
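As an added example (not part of the original article): because RTP ports are assigned dynamically during signaling and media then flows directly between phones, a monitoring point can derive the expected media endpoints from signaling and flag UDP flows whose destination was never negotiated. The Python code below assumes clear-text SIP carrying SDP bodies; the function names, messages, addresses and ports are constructed for illustration.

```python
# Added example (not from the article); all messages, addresses and ports are constructed.
def sdp_media_endpoints(sip_message):
    """Return the set of (ip, port) pairs a SIP message's SDP body opens for media."""
    # The SDP body follows the first blank line of the SIP message.
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr, current, endpoints = None, None, set()

    def flush():
        # Port 0 means the stream was declined; no address means nothing to open.
        if current and current[0] and current[1] != 0:
            endpoints.update({(current[0], current[1]), (current[0], current[2])})

    for line in body.splitlines():
        key, _, value = line.strip().partition("=")
        fields = value.split()
        if key == "c" and len(fields) >= 3:            # c=IN IP4 192.0.2.10
            addr = fields[2].split("/")[0]
            if current is None:
                session_addr = addr                    # session-level default
            else:
                current[0] = addr                      # media-level override
        elif key == "m" and len(fields) >= 2 and fields[1].split("/")[0].isdigit():
            flush()
            port = int(fields[1].split("/")[0])        # m=audio 49170 RTP/AVP 0
            current = [session_addr, port, port + 1]   # RTCP defaults to RTP + 1
        elif key == "a" and value.startswith("rtcp:") and current and fields:
            rtcp = fields[0][5:]                       # a=rtcp:31005 (RFC 3605)
            if rtcp.isdigit():
                current[2] = int(rtcp)
    flush()
    return endpoints

def unsolicited_flows(signaling, observed):
    """Return observed (src_ip, dst_ip, dst_port) flows whose destination was never negotiated."""
    allowed = set()
    for msg in signaling:
        allowed |= sdp_media_endpoints(msg)
    return [f for f in observed if (f[1], f[2]) not in allowed]

INVITE = ("INVITE sip:bob@example.test SIP/2.0\r\nCall-ID: a1@example.test\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
          "t=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: a1@example.test\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\no=bob 1 1 IN IP4 192.0.2.20\r\ns=-\r\nt=0 0\r\n"
          "m=audio 31000 RTP/AVP 0\r\nc=IN IP4 192.0.2.20\r\na=rtcp:31005\r\n")
OBSERVED = [("192.0.2.10", "192.0.2.20", 31000), ("198.51.100.7", "192.0.2.10", 40000)]
# unsolicited_flows([INVITE, OK_200], OBSERVED) flags only the second flow
```

The check is destination-only, so it does not tie a flow to a specific call or verify the sender; where NAT rewrites addresses, the negotiated and observed endpoints will differ.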

VoIP is highly sensitive to QoS parameters such as packet loss, jitter and delay. Basic VoIP characteristics such as its real-time nature and stringent QoS requirements mean that even a benign attack can significantly disrupt VoIP services. Implementing existing security techniques and technologies such as IPS, Firewalls or encryption, without taking into account the QoS impact and specific nature of VoIP protocols, could lead to a severe impact on the quality of voice communication, and in some cases, to the complete loss of voice services.

Another unique threat is voice spam or SPIT (Spam over Internet Telephony). While conceptually it is similar to email spam, there is one significant difference. Existing anti-spam applications can examine the entire email including the header and the content resulting in acceptable false-positive ratios with a high efficiency throughput. In the VoIP environment, information carried by the signaling protocols can be relatively easily analyzed, but it can also be easily spoofed or altered. Real-time speech processing and pattern matching for a large number of concurrent calls is still a problem with current technologies.

The popular tool SiVuS [http://www.vopsecurity.org] was the first VoIP Scanner to be published. The tool is designed to help security professionals perform several security checks to validate the security of SIP signaling in VoIP networks. The tool provides the means to test for signaling message authentication, confidentiality, robustness, registration hijacking, service disruption and craft specific SIP messages to test filtering conditions in Session Border Controllers. VCube [http://www.vcubescanner.com] is the evolutionary commercial version of SiVuS.

VoIP Vulnerabilities and Threats: The traditional enterprise VoIP infrastructure consists of a wide range of components, applications and specialized protocols—including wireless—implemented in the form of complex networks and often globally distributed. These IP-based telecommunication networks introduce a large number of new attack vectors that in many cases impose different security requirements than traditional data security threats. VoIP vulnerabilities and exploits can be roughly classified as:

• Software-related (introduced by a VoIP application/equipment vendor)
• Configuration-related (introduced during deployment and life cycle of VoIP infrastructure)
• Protocol-related (inherent protocol issues – SIP, UNIStim, Skinny, H323, RTP)
• Composite (any combination of the above)
• Device-level (related to a particular device/application such as IP PBX)
• System-level (related to the VoIP infrastructure components and topology)
• Unidirectional or duplex (related to flow of data and information)

Further Reading:

1. Peter Thermos, Ari Takanen, “Securing VoIP Networks”, Addison-Wesley, 2007

2. Thomas Porter, Michael Gough, “How to Cheat at VoIP Security”, Syngress, 2007

3. Bogdan Materna, “A Proactive Approach to VoIP Security”, VoIPshield Systems White Paper, 2007 [http://www.voipshield.com/proactive_wp.html]

4. David Endler, Mark Collier, “Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions”, McGraw-Hill Osborne Media, 2006

5. Thomas Porter, “Practical VoIP Security”, Syngress, 2006

6. D. Richard Kuhn, Thomas J. Walsh, Steffen Fries, “Security Considerations for Voice Over IP Systems”, NIST Special Publication 800-58, 2005

7. James F. Ransome, John Rittinghouse, “Voice over Internet Protocol (VoIP) Security”, Digital Press, 2004

External Links:

• VoIPSA [http://www.voipsa.org]
• VoIP Security Blogs
• Bogdan’s Blog [http://blog.voipshield.com/]
• Mark Collier’s Blog [http://www.voipsecurityblog.com]
• Bluebox Podcast [http://www.blueboxpodcast.com]
• Palindrome Technologies [http://www.palindrometech.com]
• VoIPshield Systems Inc [http://www.voipshield.com]
• Sipera [http://www.sipera.com]
• Voice Over Packet Security [http://www.vopsecurity.org]
• VCube Scanner [http://www.vcubescanner.com]


Wikimedia Foundation. 2010.
