VOIP SECURITYBy: Christopher Henderson

Outline

What is VoIP? How is it being used? VoIP’s main Security Threats.

Availability of Service Integrity of Service Eavesdropping

Securing VoIP and The 5 Simple Steps. Questions and Comments.

What is VoIP?

VoIP stands for Voice-over IP VoIP “is the routing of voice

conversations over the Internet or through any other IP-based network.” (Wikipedia)

Implemented over WLAN using soft phones.

At its core VoIP is a Data Network.

How is VoIP Being Used?

Many companies are starting to adopt VoIP services because of the reduced cost – no telephone system needed.

Services such as T-Mobile’s Hotspots. Wireless Phones using VoIP from WLAN access points – allows use of phone without using minutes.

Computer services such as Skype allow free Internet Phone Calls across the world using VoIP.

Security Threats

With VoIP being essentially a data network many of the security threats for the service are classic network security threats that have been modified to take advantage of the VoIP specific applications and protocols.

Availability of Service Integrity of Service Eavesdropping

Availability of Service

VoIP requires a high Quality of Service (QoS).

Basic Denial of Service (DoS) attacks can cripple a VoIP service.

DoS attacks can be centered around VoIP protocols or applications.

A simple attack consists of an attacker setting multiple phones to forward a single request message until all the phones system resources are used.

DoS Attack

Integrity of Service

VoIP requires a secure connection between users.

VoIP protocols (SIP and RTP) have weak end-to-end user authentication.

Attackers can exploit this by hacking guest or user accounts.

Using these hacked accounts, attackers can commit ‘toll fraud’ by placing a call on the account’s expense and ‘identity fraud’ by using the account’s phone number impersonating that user.

Eavesdropping

Eavesdropping consists of two steps: Intercepting protocol (SIP or RTP) packets Translation into plain speech

Protocol packets can easily be intercepted with a packet sniffer.

VoIP protocols does not have encryption. Thus allowing easy translation into real speech.

Eavesdropping Threats

Securing the VoIP System

Since VoIP is essentially a data network many of the easiest ways of securing the service include securing the network, just aimed specifically at VoIP.

John Edwards outlined 5 simple steps in his article “Secure Your Wireless VoIP System”

5 Steps

1. Look for equipment that uses newer wireless security standards. Wi-Fi Protected Access (WPA), WPA2, and IEEE 802.11i have met many powerful security benchmarks.

2. WPA, WPA2, and 802.11i have authentication and encryption built in. WPA2 and 802.11i support the Advanced Encryption Standard (AES).

3. Use Multilevel Protection Embed. Have a hand set encrypt audio while 802.11i authenticates and encrypts wireless connections.

4. Use a VoIP firewall. 5. Train employees how to use VoIP technologies, and

the security threats.

Questions?

Sources

Edwards, John. “A Guide to Understanding the VoIP Security Threat.” VoIP-News. February 14, 2007. Tippit, Inc. December 1, 2007. http://www.voip-news.com/feature/voip-security-threat-021407/

Edwards, John. “Secure Your Wireless VoIP System.” VoIP-News. February 14, 2007. Tippit, Inc. December 1, 2007. http://www.voip-news.com/feature/ways-secure-wireless-voip-021407/

Materna, Bogdan. “Making Sense of VoIP Security Threats.” TMCnet. November 22, 2005. Technology Marketing Corporation. November 29, 2007. http://www.tmcnet.com/news/2005/nov/1211529.htm

Piscitello, David. “How to protect your VoIP network.” NETWORKWORLD. May 15, 2006. Network World, Inc. November 28, 2007. http://www.networkworld.com/research/2006/051506-voip-guide-security.html?page=1

VoIP Security Alliance. http://www.voipsa.org/