VOIP SECURITY ISSUES AND RECOMMENDATIONS




Sathasivam Mathiyalakan
MSIS Department, College of Management, University of Massachusetts Boston
Phone: (617) 287 7881; Email: Satha.Mathiyalakan@umb.edu

ABSTRACT

VoIP is the hottest trend in telecommunications. Prior research shows that VoIP technology is at the introductory stage of technology adoption, with solid growth expected over the next few years as both consumers and businesses adopt VoIP technology to cut costs, improve productivity and efficiency, integrate with other applications, seek enhanced capabilities, and pursue digital convergence. But security issues tend to hinder its adoption. In this study, we identify VoIP security challenges, risks and threats, and offer some recommendations for mitigating these risks.

Keyword: MIS, IT, Security, VoIP

INTRODUCTION

Voice over Internet Protocol (VoIP) is the hottest trend in telecommunications (Walsh & Kuhn, 2005). VoIP is the transmission of voice over traditional packet-switched IP networks (Walsh & Kuhn, 2005). VoIP is also known as Internet telephony or IP Telephony. The analog signals (voice) are converted to digitized packets and then sent over an IP network. The digital packets have a destination address but they follow no fixed path. At the destination, packets are re-assembled and delivered. To enable VoIP, broadband access, a computer, and software are required. Additional hardware such as servers, switches, routers, and others may be required depending on the volume and nature of traffic. Readers are urged to consult Varshney, Snow, McGivern, & Howard (2002) for an excellent review of VoIP history and technology.

VoIP permits the integration of data, voice, and video into one communication channel. The term digital convergence refers to this phenomenon of multiple media delivered over a single network. Some of the applications and services include PC based distance learning solutions, video conferencing, live webcasting, video streaming, collaboration and team management software, security surveillance, contact center applications, remote multimedia solutions and unified messaging (Tobin & Bidoli, 2006).

To compete in the new economy, firms are looking at many strategic options. Recent events suggest that firms, in particular large ones, are exploring the use of Voice over Internet Protocol (VoIP) as a means to cut costs and to improve productivity and the firm's strategic position. The use of VoIP enables a firm to reduce costs, improve worker and organizational productivity, provide greater functionality and better integration with computer based applications, and improve the strategic position of the firm.

Recent studies project the VoIP market to grow significantly over the next few years (Roberts, 2005a). An Osterman Research Report dated February 2005 suggests that VoIP penetration of US organizations will increase from 10% to 45% by the end of 2007. Another Osterman Research Report, also dated February 2005, suggests that approximately 17% of US organizations have either completed voice and data convergence or are near completion. A Juniper Research report dated September 2004 forecasts that VoIP adoption will rise to 17% of US households by 2009 from its current value of 1% of all US broadband households in 2004. The factors that promote the growth of VoIP include the low cost of the software, wide availability of analog adapters, growing availability of broadband, and relatively high costs for traditional calls (Roberts, 2005a).

VoIP security is a major issue for both network administrators and managers. A security breach is likely to result in loss of service, denial of service, eavesdropping, spoofing, toll fraud, spam, and unavailability of emergency calls. Research shows that VoIP security continues to be the key barrier to VoIP adoption (Sass, 2006). The practitioner literature is rich with "how to" articles on VoIP security. As security is a key consideration in VoIP acceptance and adoption, the purpose of this article is to review the literature, identify security risks, and suggest recommendations.

This article is organized into 6 sections. Next, we discuss VoIP adoption issues. In section 3, we discuss VoIP security implementation challenges. In section 4, we identify and catalog VoIP security threats. Guidelines for securing a VoIP network are in section 5. In section 6, we provide some summary remarks.
BACKGROUND TO VOIP & VOIP SECURITY IMPLEMENTATION CHALLENGES

Transition to a VoIP network increases the risk profile of a corporate network due to complexity, the presence of new access points to the network, new routing patterns and configurations, the use of new devices and protocols which in turn increases the number of vulnerable points, and the presence of a new channel for blended threats (Roberts, 2005b). Walsh and Kuhn (2005) identify several challenges associated with implementing VoIP security measures. These challenges deal with supporting protocols, VoIP vs. data network security, and the need for new technologies. Below we provide a brief description of these challenges as noted in Walsh and Kuhn (2005).

H.323 and Session Initiation Protocol (SIP) are the common protocols used in VoIP networks. H.323 is based on the recommendations of the International Telecommunication Union. It encompasses other protocols such as H.225, H.245, and T.120. H.323 provides the necessary specification for audio and video communication in a packetized network environment. In addition to its use in VoIP, H.323 is also used in applications such as NetMeeting and Ekiga. SIP is an application level protocol and is the IETF specification for a two way communication session. Initially SIP was designed to be simple and elegant. It is text based and inherited some aspects of Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) (Roberts, 2005). But over the years SIP has become more complex. Readers are urged to visit the sites http://www.openh323.org/ and http://www.cs.columbia.edu/sip/ for additional information on these two protocols. As the architectures of the two networks are different, different protocol-specific security mechanisms need to be implemented. The addition of upper layer protocols and messaging structures increases the threat profile of the already flawed IP protocol (Sass, 2006).

Many configurable parameters, such as the addresses of voice terminals, routers, and firewalls, exist in a packet network. VoIP networks also have specialized software such as call managers. Many of the parameters in a VoIP network are dynamically reconfigurable. Compared with data networks, these add complexity to VoIP networks.

The stricter performance constraints of VoIP also pose additional VoIP security concerns. Issues pertaining to Quality of Service (QoS), infrastructure, and security trade-offs highlight the differences between VoIP and data networks. The need to maintain an appropriate level of QoS poses some restrictions on security. VoIP networks are more sensitive to delays than data networks. Latency, jitter, and packet loss all present concerns within a VoIP network. Latency is the delay in packet delivery. Security mechanisms such as encryption and firewalls, while providing a means to secure the network, also introduce delay in network traffic. Such delays can cause the VoIP message to become a mess. VoIP relies on Real Time Transport Protocol (RTP), which does not guarantee packet delivery. Even a packet loss of 1% can make the VoIP call meaningless and thereby affect the QoS. Jitter is the variation in the time between packets arriving, caused by network congestion, timing drift, or route changes. A jitter buffer can be used to handle jitter (http://whatis.techtarget.com/).

Buffer overflows and improper packet handling can cause security flaws such as Denial of Service and disclosure of system critical information. As VoIP and data are on the same network, opportunities for eavesdropping exist. Buffer overflows can also cause the insertion of malicious code within the VoIP software. The availability of network information on an IP phone can cause security flaws such as downloading from a hacker controlled server. Privacy issues and denial of service (DoS) issues may surface if VoIP web based applications have weak access control, script vulnerabilities, and inadequate parameter validation. The convergence of voice and data traffic may enable hackers to manipulate the functioning of the phone system.

Firewalls are routinely used to protect networks. The use of such firewalls may interfere with the operations of a VoIP network, which uses dynamic port trafficking and call setup procedures. Newer tools such as Application Level Gateways (ALG) may be able to overcome this issue by providing firewalls with the necessary instructions from an application aware agent.
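The loss and jitter constraints described in this section can be measured per RTP stream, which shows how much headroom is left before encryption or firewall delay is added. The following is an added example, not part of the original paper: it computes packet loss and the RFC 3550 interarrival jitter estimate from constructed samples, assuming an 8 kHz RTP clock; the function and sample names are hypothetical.

```python
"""RTP stream quality: packet loss and interarrival jitter as in RFC 3550."""
from dataclasses import dataclass

SEQ_MOD = 1 << 16   # RTP sequence numbers are 16 bits and wrap around
TS_MOD = 1 << 32    # RTP timestamps are 32 bits


@dataclass
class StreamStats:
    received: int = 0
    expected: int = 0
    jitter_ms: float = 0.0

    @property
    def loss_pct(self) -> float:
        lost = max(self.expected - self.received, 0)
        return 100.0 * lost / self.expected if self.expected else 0.0


def measure(packets, clock_hz=8000):
    """packets: (seq, rtp_timestamp, arrival_seconds) tuples in arrival order."""
    # clock_hz=8000 is an assumption (narrowband audio such as G.711).
    stats = StreamStats()
    base_seq = max_seq = None
    cycles = 0            # completed sequence wraps, counted in units of SEQ_MOD
    prev_transit = None
    jitter = 0.0          # running estimate, in RTP clock ticks
    for seq, rtp_ts, arrival in packets:
        stats.received += 1
        if max_seq is None:
            base_seq = max_seq = seq
        elif (seq - max_seq) % SEQ_MOD < SEQ_MOD // 2:
            if seq < max_seq:          # moved forward across 65535 -> 0
                cycles += SEQ_MOD
            max_seq = seq
        # otherwise the packet is late or duplicated; highest sequence unchanged

        # Relative transit time: arrival (in clock ticks) minus RTP timestamp.
        transit = (round(arrival * clock_hz) - rtp_ts) % TS_MOD
        if prev_transit is not None:
            d = (transit - prev_transit + TS_MOD // 2) % TS_MOD - TS_MOD // 2
            jitter += (abs(d) - jitter) / 16.0   # RFC 3550 smoothing, gain 1/16
        prev_transit = transit

    if max_seq is not None:
        stats.expected = cycles + max_seq - base_seq + 1
    stats.jitter_ms = 1000.0 * jitter / clock_hz
    return stats


def constructed_stream(n=100, start_seq=65500, drop=(), delay_ms=lambda i: 0.0):
    """Constructed sample: n packets of 20 ms audio (160 ticks at 8 kHz)."""
    out = []
    for i in range(n):
        if i in drop:
            continue
        arrival = i * 0.020 + delay_ms(i) / 1000.0
        out.append(((start_seq + i) % SEQ_MOD, i * 160, arrival))
    return out


if __name__ == "__main__":
    jittery = constructed_stream(delay_ms=lambda i: 10.0 * (i % 2))
    for name, pkts in [("clean", constructed_stream()),
                       ("1 of 100 lost", constructed_stream(drop={50})),
                       ("alternating 10 ms delay", jittery)]:
        s = measure(pkts)
        print(f"{name}: loss={s.loss_pct:.1f}% jitter={s.jitter_ms:.2f} ms")
```

The constructed stream starts at sequence 65500 so that the 16-bit wrap is exercised; without the cycle count, a wrap would be misread as tens of thousands of lost packets.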

VOIP SECURITY RISKS, THREATS, AND VULNERABILITIES

Several techniques and methodologies exist for classifying VoIP security threats. Radware (2005) categorizes the security threats as attacks on VoIP network operating system devices, configuration weaknesses, IP infrastructure attacks, VoIP protocol implementation vulnerabilities, and VoIP application level attacks. Mihai (2006) classifies the threats in terms of protocol layers: signaling, transport, and application. The threats pertaining to the signaling protocol layer are denial of service and man in the middle/call hijacking. Transport layer threats arise from eavesdropping, RTP insertion attacks, and RTCP insertion attacks. Application layer threats pertain to software vulnerabilities. Roberts (2005b) links the security threats to QoS and categorizes the threats in terms of service disruption, service interception, and service fraud and abuse. Roberts also notes the presence of other threats such as fire, flood, earthquake, poorly trained users, and environmental threats.

The VoIP Security Alliance (VoIPSA), a consortium of major vendors, providers, security leaders, and business leaders, recently released a report on a taxonomy for classifying VoIP security and threats. The alliance defines security as 1) the right to protect privacy, 2) a method of achieving privacy and 3) ways to keep communication systems and content free from unauthorized access, interruption, delay or modification. The security threats are grouped in terms of unlawful monitoring (traffic analysis, packet snooping, spying on signaling, and eavesdropping on content), interruption of service (specific denial of service, general denial of service, physical intrusion, loss of power, and performance latency), unauthorized signal or traffic modification (spoofing and impersonation, false caller identification, signal replay, vocal impersonation, vocal replay, service abuse, improper bypass of adjustments to billing, and improper access to service) and bypassing refused consent.

A large number of threats exist as shown in Table 1. We outline the major ones. A proper knowledge of these threats facilitates the development of security recommendations, which are provided in the next section.

GUIDELINES FOR SECURING THE VoIP NETWORK

The following guidelines, based on Kuhn, Walsh, & Fries (2005) and Sass (2006), may serve to protect the network from the threats noted previously.

1. To ensure security and adequate performance, dedicated VoIP components are necessary.
2. To isolate attacks, voice and network traffic should be separated and should use DNS/DHCP servers.
3. Ports should have separate MAC addresses and any unused ports should be disabled.
4. Appropriate network architecture should be developed. To mitigate the security problems, use an Internet Protocol Security (IPsec) virtual private network or secure shell for remote management and auditing, and encryption at the router or gateway.
5. As VoIP networks provide greater latitude for eavesdropping and monitoring traffic, physical controls need to be present and implemented. The hardware should be physically secured.
6. The VoIP operating system should be kept up to date and any unneeded services should be disabled.
7. Encrypted and authenticated communication between network components is vital.
8. Hosts on switched ports should not be aware of traffic not intended for them.
9. If the situation warrants, the use of softphone applications, which run on a PC using software and a voice headset, should be discouraged. Worms, viruses, and web browser flaws may pose risks for softphone applications.
10. The statutory requirements for VoIP calls may differ from those for traditional calls. Legal advice may be necessary for privacy and record retention issues.
11. VoIP-ready firewalls and other strategies and security mechanisms need to be used to prevent packet sniffing.
12. Additional power backups may be necessary to ensure smooth functioning should power outages occur.
13. If the need to integrate mobile phones with the VoIP system exists, then it is recommended that the WiFi Protected Access (WPA) security protocol be used rather than the Wired Equivalent Privacy (WEP) protocol.
14. Firewalls are required if traffic flows between voice and data networks.

SUMMARY REMARKS

VoIP is a new technology and researchers speculate that its use could provide rewards to both the individual and the organization. The Telecom Insider newsletter identifies the following seven VoIP trends for 2006 that will have a bearing on its adoption. These include a possible retaliation by Internet access providers who may block VoIP calls, consolidation and partnerships, growth in broadband penetration, growth in wireless use, Session Initiation Protocol (SIP) becoming the standard for delivering VoIP calls, regulatory threats, and the availability of sophisticated multimedia applications. The main issue that dampens its widespread acceptance and adoption is security. The purpose of this study is to identify security threats and suggest some guidelines for improving security.

While many of these recommendations are from practitioner sources, it is not clear whether they will adequately negate the security threats. A great deal of academic work needs to be conducted before verifiable security recommendations lead to widespread acceptance of VoIP technology.

REFERENCES

Available upon request from the author.

Table 1: VoIP Security Threats. Definitions from Roberts (2005b) and VoIPSA.

Term | Definition
Call Black Holing | Any unauthorized method of dropping, absorbing or refusing to pass IP or another essential element in any VoIP protocol which has the effect of preventing or terminating a communication.
Call Pattern Tracking | The unauthorized analysis by any means of any traffic from or to any node or collection of nodes on the network. It includes monitoring and aggregation of traffic for any form of unauthorized pattern or signal analysis.
Call redirection and hijacking | A call intended for one user is redirected.
Call Rerouting | Any method of unauthorized redirecting of an IP or other essential element of any VoIP protocol with the effect of diverting communication.
Conversation Alteration | Any unauthorized modification of any information in the audio, video and/or text portion of any communication, including identity, status or presence information.
Conversation Degrading | The unauthorized and intentional reduction in quality of service (QoS) of any communication.
Conversation Impersonation and Hijacking | The injection, deletion, addition, removal, substitution, replacement or other modification of any portion of any communication with information which alters any of its content and/or the identity, presence or status of any of its parties.
Conversation Reconstruction | Any unauthorized monitoring, recording, storage, reconstruction, recognition, interpretation, translation and/or feature extraction of any audio or voice portion of any communication including identity, presence or status.
Denial of Service | An attack on a system that causes loss of service to the users of that system.
Eavesdropping | The unauthorized interception of voice packets or RTP media streams and the decoding of signaling messages and the intercepted data.
False Caller Identif. | The signaling of an untrue identity or presence.
Fax Alteration | Any unauthorized modification of any information in a facsimile or other document image, including header, cover sheet, status and/or confirmation data.
Fax Reconstruction | feature extraction of any portion of any document image in any communication including identity, presence or status.
Message integrity | Compromise where the data has been altered in transit.
Number Harvesting | The authorized collection of IDs, which may be numbers, strings, URLs, email addresses, or other identifiers in any form which represent nodes, parties or entities on the network.
Packet spoofing and masquerading | Packet or person impersonation which may include fake Caller ID and phishing attempts.
Replay attacks | Retransmission of a legitimate session so the recipient device reprocesses the data.
Rogue device | A misconfigured or unauthorized device or a device about to fail and displaying aberrant behavior.
Service abuse | The use of corporate systems in a manner for which they were not intended.
Text Reconstruction | feature extraction of any portion of any text in any communication including identity, presence or status.
Toll fraud | The theft of telephony services.
Traffic Capture | The unauthorized recording of traffic by any means and includes packet recording, packet logging and packet snooping for unauthorized purposes.
Voice mail bombing (Vbombing) | The delivery of multiple voice mail messages (possibly thousands) to a VoIP device and is unique to VoIP networks.
Video Reconstruction | feature extraction of any portion of any moving images in any communication including identity, presence or status.
Voicemail Reconstruction | feature extraction of any portion of any voice mail message.
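
The "Replay attacks" and "Packet spoofing and masquerading" entries in Table 1, and the RTP insertion attacks named in the threat section, leave traces in RTP headers that a monitoring point on the voice network can check. The following is an added example, not part of the original paper: it parses the RTP fixed header and flags retransmitted sequence numbers and packets carrying an unexpected sender identifier (SSRC); the class name, window size and sample packets are constructed for illustration.

```python
"""Heuristic RTP media-path checks: replayed and foreign-source packets."""
import struct
from collections import namedtuple

RtpHeader = namedtuple("RtpHeader", "payload_type seq timestamp ssrc")
WINDOW = 64  # how far back duplicates are remembered (assumed size)


def parse_rtp(packet):
    """Return the RTP fixed header (RFC 3550), or None if it cannot be RTP v2."""
    if len(packet) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        return None
    return RtpHeader(b1 & 0x7F, seq, ts, ssrc)


class RtpFlowMonitor:
    """Tracks one media flow, i.e. one address/port pair set up by signaling."""

    def __init__(self):
        self.ssrc = None   # sender identifier learned from the first packet
        self.top = None    # highest sequence number accepted so far
        self.seen = 0      # bit i set => sequence (top - i) already received

    def check(self, packet):
        hdr = parse_rtp(packet)
        if hdr is None:
            return "malformed"
        if self.ssrc is None:
            self.ssrc, self.top, self.seen = hdr.ssrc, hdr.seq, 1
            return "ok"
        if hdr.ssrc != self.ssrc:
            return "foreign_ssrc"      # possible inserted or rogue-device packet
        # Signed distance from the newest sequence number, tolerant of 16-bit wrap.
        delta = (hdr.seq - self.top + 0x8000) % 0x10000 - 0x8000
        if delta > 0:
            self.seen = ((self.seen << delta) | 1) & ((1 << WINDOW) - 1)
            self.top = hdr.seq
            return "ok"
        if -delta >= WINDOW:
            return "too_old"
        if (self.seen >> -delta) & 1:
            return "replay"
        self.seen |= 1 << -delta       # late but not seen before: reordering
        return "ok"


def build_rtp(seq, ssrc, payload=b"\xff" * 160):
    """Constructed sample packet: version 2, payload type 0, 160 ticks each."""
    ts = (seq * 160) % 2**32
    return struct.pack("!BBHII", 0x80, 0, seq % 0x10000, ts, ssrc) + payload


def classify(packets):
    monitor = RtpFlowMonitor()
    return [monitor.check(p) for p in packets]


CALL, OTHER = 0x1234ABCD, 0x0BADF00D    # constructed SSRC values
SAMPLE = [build_rtp(s, CALL) for s in (65534, 65535, 0, 1, 3, 2)] + [
    build_rtp(0, CALL),        # retransmission of an already-received packet
    build_rtp(4, OTHER),       # same flow, different sender identifier
    build_rtp(65439, CALL),    # 100 packets behind the newest one
    b"\x00\x01",               # too short to be RTP
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

These verdicts are review signals only: unauthenticated RTP headers can be forged and an SSRC can change legitimately, so the encrypted and authenticated communication called for in guideline 7 remains the control that prevents replay and insertion.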