White Paper: A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK




With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better, security is often a secondary concern, or may be overlooked entirely. Unless proper steps are taken to protect VoIP systems on your data networks, you could be leaving open holes that can be exploited by intruders to disrupt all applications on your converged infrastructure, including voice calls. This step-by-step guide identifies the common threats and the countermeasures used to protect converged networks. Your VoIP solution provider will be your first line of defense in managing this issue.

A balancing act

The reason IP networks are so vulnerable to attack is that Internet protocols developed decades ago were not designed with security in mind. Security features were added later as specific threats emerged, resulting in the piecemeal fixes we contend with today. This has forced network administrators to take an active role in identifying threats and taking countermeasures to deal with them.

Since voice conversations are carried over data networks as packets, just like every other application on the network, VoIP systems are susceptible to the same threats that are commonly launched against servers residing on IP data networks. The key to effective security is to focus on critical points of vulnerability: those areas where the IP infrastructure or services are susceptible to known or expected attacks. However, since VoIP is a real-time application, the security solution must not bog down performance to the point that conversations are disrupted.

Types of attacks

Denial of Service (DoS) attacks originate on the Internet and are typically launched against web servers. In this type of attack, a server is bombarded with bogus service requests. The server becomes so busy trying to answer these requests that service is denied to those with legitimate requests. The intent of the attacker is to stop the server from functioning, thereby frustrating a company's customers and motivating them to take their business elsewhere.

The DoS attack is not strictly limited to web servers; with more frequency, this type of attack is being launched against customer premises equipment (CPE), which includes VoIP systems. Among other things, your VoIP equipment has an operating system, just like any other server on your data network. The VoIP system provides critical functions like dialtone and call routing. A DoS attack can affect your VoIP system in several ways, including:

- Forcing the operating system to shut down, disrupting conversations and preventing calls until service is restored.
- Tricking the VoIP system into accepting phony signaling messages, interfering with the proper operation of the service.
- Diverting the VoIP system's CPU power and memory to handling false requests, degrading the real-time performance of telephone service.
- Generating excess traffic on your network through the use of worms and viruses, for example, forcing voice packets to be delayed or dropped, interfering with the smooth flow of conversations.

Theft of service attacks are launched by intruders who want to make calls for free, using your VoIP system. In one scenario, a hacker could spoof a legitimate IP address to access your VoIP system to make calls anywhere in the world, leaving you stuck with the bill. Thieves can even use your VoIP system to spoof a Caller ID that can be used for phishing. This refers to the act of tricking someone into giving the thief confidential information. As applied to VoIP, phishing would entail a hacker posing as a network administrator to obtain sensitive information from an unsuspecting user within the company. If the user recognizes the Caller ID as being that of the network administrator, he or she will likely cooperate in giving out the requested information.

2011 TCI, a Telcept Holdings LLC. Company

Eavesdropping attacks are directed toward revealing private information within the voice conversation or the signaling protocol. Private data in the signaling protocol may include the phone numbers being called by a subscriber, as well as the IP and MAC addresses of the phones at each end of the conversation. This type of attack, also known as a man-in-the-middle attack, entails use of a spy program that gets in between two communicating parties and intercepts the information passing between them. The packets are intercepted without either party being aware of what's happening. The packets are recorded, collected from the host machine and recovered using protocol analyzer software, which is normally used by technicians to identify problems on data networks.

Security solutions

Achieving a secure IT environment involves a balance between risk and cost. In the case of VoIP, however, there must also be a balance between risk and quality because of the real-time nature of voice conversation. Therefore, a VoIP security solution must combine existing IP security and VoIP-specific security mechanisms.

Denial of Service protection involves the deployment of security mechanisms throughout the infrastructure, such as:

- At the borders between networks, VoIP-aware routers can be set to block suspicious traffic.
- Configuration settings within servers, switches, firewalls and routers can shut off packet flooding and other types of DoS attacks that are intended to disrupt service.
- Software in various network elements, including the VoIP system, should provide the means to limit the amount of resources that will be used for responding to requests.
- When an attack is suspected, the VoIP system's log files should be examined as the first step in investigating the event and to prevent a recurrence of that event.
- Access to the VoIP system should be granted only to specific IP addresses, not a range of IP addresses.
- PCs are the weak link in security due to user carelessness. Regular and frequent security audits of all network elements, especially PCs, will minimize the introduction and spread of viruses, worms and spyware onto your network.
- Access to all advanced features of your VoIP system must be protected with authentication and unused features should be disabled to limit their possible use by an attacker.

Voice and signal integrity can be maintained on office LANs by logically separating them from general data traffic. On the WAN, VoIP and data traffic can be further separated through the use of virtual private networks (VPNs) to ensure both security and quality of service (QoS).

For the ultimate in protection, encryption can be applied to signaling and voice traffic across the WAN, but this entails extra expense. The VoIP router would need to be equipped with a dedicated processor for encryption/decryption tasks so that normal protocol processing does not get bogged down and disrupt the smooth flow of voice communication. The addition of encryption to safeguard voice would also entail the use of more bandwidth, which might boost your costs even more. Depending on the nature of your voice traffic, the additional expense may be justified.

Theft of service protection involves putting into place mechanisms for ensuring that only authenticated users and devices can obtain access. The mechanisms include physical security to limit local access as well as secure configurations to limit remote access. In addition, system logs should be monitored regularly to detect unauthorized access attempts. This might reveal internal users who are trying to use VoIP features to which they are not entitled. Logs would also reveal attempts to access internal systems from outside the company, providing you with a clue as to what potential vulnerabilities might exist on your network that deserve closer examination.
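Two of the recommendations above can be checked mechanically: granting access only to specific IP addresses rather than ranges, and reviewing logs for unauthorized access attempts from inside and outside the company. The following is an added example, not part of the TCI white paper. The allowlist entries, the internal address range, the log line format and the threshold are all constructed assumptions, since each VoIP system has its own configuration and log format.

```python
import ipaddress
from collections import Counter

# Constructed sample data: not taken from the white paper or a real product.
ALLOWLIST = ["192.0.2.10", "192.0.2.0/24", "10.20.0.5/32"]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed company range
REJECTED = {"AUTH_FAIL", "DENIED"}  # assumed result codes for refused requests
LOG_LINES = """\
2011-03-01T09:00:01 REGISTER ext=201 src=10.20.0.5 result=OK
2011-03-01T09:00:07 REGISTER ext=201 src=203.0.113.77 result=AUTH_FAIL
2011-03-01T09:00:08 REGISTER ext=202 src=203.0.113.77 result=AUTH_FAIL
2011-03-01T09:00:09 REGISTER ext=203 src=203.0.113.77 result=AUTH_FAIL
2011-03-01T09:02:30 FEATURE ext=115 src=10.20.3.40 name=intl-dial result=DENIED
2011-03-01T09:02:41 FEATURE ext=115 src=10.20.3.40 name=call-forward result=DENIED
2011-03-01T09:05:00 REGISTER ext=204 src=10.20.0.9 result=AUTH_FAIL
""".splitlines()

def broad_allowlist_entries(entries):
    """Return allowlist entries that admit a range instead of one address."""
    return [e for e in entries
            if ipaddress.ip_network(e, strict=False).num_addresses > 1]

def rejected_by_source(lines):
    """Count failed logins and denied feature requests per source IP."""
    counts = Counter()
    for line in lines:
        # Everything after the timestamp and event name is key=value.
        fields = dict(p.split("=", 1) for p in line.split()[2:] if "=" in p)
        if fields.get("result") in REJECTED and "src" in fields:
            counts[fields["src"]] += 1
    return counts

def suspicious_sources(lines, threshold=2):
    """Map each source at or above the threshold to (origin, count)."""
    report = {}
    for src, count in rejected_by_source(lines).items():
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed address in the log: skip rather than crash
        if count >= threshold:
            inside = any(addr in net for net in INTERNAL_NETS)
            report[src] = ("internal" if inside else "external", count)
    return report

if __name__ == "__main__":
    print("Allowlist entries that are ranges:", broad_allowlist_entries(ALLOWLIST))
    for src, (origin, count) in suspicious_sources(LOG_LINES).items():
        print(f"{src}: {count} rejected requests ({origin})")
```

Internal sources in the report correspond to users trying features they are not entitled to; external ones point at exposure that deserves a closer look at the border configuration.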
Other considerations

Infrastructure security involves a layered approach such that a failure or breach in one security mechanism does not affect the entire service. These mechanisms include:

- Server and device security
- User authentication
- Network security
- Software security patch updates
- Vulnerability scans

Networks, systems and applications should be monitored and compared with baseline usage to detect abnormal activity. Security is a continuous process and new threats can emerge.

If not managed properly, VoIP security risks can impact performance and undermine the expected benefits of this powerful technology. The good news is that an experienced business communications partner with VoIP and security expertise understands all of the issues and can make the security concerns transparent to your business.

For over 25 years TCI has been supporting client transitions to new technology. We've always been there, evolving networks from analog to digital and now to IP, building and managing the reliable networks our customers have come to depend on. Find out how TCI's secure IP Telephony solutions can benefit your business. Call TCI at 800 TCI 1001 or email Don Routhier at routhierd@tcicomm.com.

About TCI

TCI is one of the largest full-service integrated solutions providers in the Washington D.C. and Baltimore metropolitan areas. We deliver voice, network and data support to organizations of all types and sizes. TCI offers a complete line of client services and business solutions, including security services, in partnership with leading manufacturers. Learn more by visiting our website, www.tcicomm.com