VoIP Security – Basic Threats and Action Plan

Friday, 11. November 2011 8:34 | Author:

The enterprise voice and trading communications ecosystems are moving inexorably from the seemingly closed and thus secure world of digital, time-division-multiplexing (TDM) to the open, threat-laden domain of Internet Protocol (IP)-based communications. Whereas privacy and security were essentially a given in the TDM world this is not the case with VoIP. And there is  no industry which depends more on  private and secure networks than financial markets where trillions of dollars worth of transactions flow through the ether on any given day.

In a recent entry we took a topical look at the VoIP security landscape and offered a pair of links to articles that aimed to give the reader a high-level understanding of the inherent vulnerabilities of Session Initiated Protocol (SIP) as well as a checklist to diagnose areas of vulnerability in a VoIP environment.

Today we are going to dig a little deeper into the subject by outlining the basic elements surrounding VoIP security, areas of concern and a checklist of best practicies.

Let’s start with a link to a white paper that endeavors to comprehensively define the various security and privacy threats to VoIP deployments, services and end users:  http://www.voipsa.org/Activities/VOIPSA_Threat_Taxonomy_0.1.pdf. The other goal this paper is equally important, to provide a definition of VoIP security and to make it something that is measurable and actionable.

Armed with this background we can now develop a list of common threats and summarize how best to minimize them:

VoIP Risk Action
Application-level attack Use Application Layer Gateway (ALG) and Intrusion & Detection Prevention (IDP) System
DDoS, Virus, Worm
  • Establish policy-based security zones
  • Deploy application-aware IDP
  • Maintain current patch levels
  • Install (and update) anti-virus software
  • Isolate voice traffic on VLAN
Eavesdropping Isolate VoIP traffic on VPN and use encryption
Protocol-targeted attack, SPIT Use Application Layer Gateway (ALG) and Intrusion & Detection Prevention (IDP) System
Unauthorized monitoring/spoofing Deploy strong authentication, authorization tools and IPSec


It might be worth noting at this point that this list comprises threats from outside of the enterprise. There is equal or greater potential threats residing inside your enterprise in the form of malicious or unintended employee (or employees at vendor partners) actions that can result in compromised security. These threats can only be mitigated by: education, a strong security policy, limitation of access rights and perhaps deterrence through surveillance.

Finally, in many firms the “IT Staff” may be a single person or even an outside contractor. Without resident security expertise it is critical to be in regular contact with the security resources of your vendors and service providers and establish a continuing security dialogue with them.

In the next part of our security series we will review specific elements and tools and their roles in the network security fabric including: firewalls, VPN, encryption, session border controllers and SIParators.

Category:Security | Comments Off on VoIP Security – Basic Threats and Action Plan

Secure VoIP and Why Hope Should Not Be Your Strategy

Tuesday, 8. November 2011 11:26 | Author:

The subject of Voice-over-Internet-Protocol (VoIP) security came up at a recent customer meeting and it was so novel to hear “VoIP” and “security” in the same question that I thought it would be worth revisiting.

The first thing I did was read up on VoIP-hacking and, ideally, high-profile cases out there. Strangely, my curiosity was not really piqued. A basic Google News search yielded only ten results for VoIP hacking! The best I could do was a story on the VOIP Security Alliance (VOIPSA) blog about a case of VoIP services fraud that actually had nothing to do with hacking. This blog may actually be one of the best places to read up on VoIP security and issues (http://voipsa.org/blog/category/security/)

In thinking more about it I was struck that concerns about VoIP security seem, at least in the public discourse, to be receding instead of increasing; and that this is astonishing in a world where personal technology and social media are evolving as institutionalized pillars of enterprise infrastructure. Upon further consideration, I thought, as voice evolves as not only “just another application” but one that is being virtualized on our customers own IT infrastructure shouldn’t it be of more concern than ever (the world of mainstream trading communications has really only embraced the concept of convergence in thought and word vs. real-life deployment so far)?

VoIP  is, thankfully, no longer a new/new technology and with this maturity has come a welcome measure of respect. And, combined with an apparent dearth of high-profile security breaches, the topic of VoIP security has faded somewhat  into the background. Of course, the fact that the mainstream media is not focused on covering the topic of VoIP security does not mean it is not a real threat.

So, where to begin? Let’s start with some simple education through reading with an article in VoIP Planet that outlines the issues of security and Session Initiated Protocol SIP)http://www.voipplanet.com/solutions/article.php/3747161 and then move on to one about diagnosing potential vulnerabilities: http://www.voipplanet.com/backgrounders/article.php/3775186.

From here, in a follow-up post we will attempt to address in more detail security threats, challenges and best practices for securing VoIP infrastructure, applications and connections across the enterprise voice trading communications network.




Category:Industry Research, Security | Comments Off on Secure VoIP and Why Hope Should Not Be Your Strategy

Desktop Voice Virtualization – The Next Frontier

Wednesday, 14. September 2011 14:46 | Author:

Is there anything in recent memory that has brought as much benefit to the world of information technology as virtualization? If there is, it would be hard to name.

A recent announcement from Mitel and VMware is extending the benefits of desktop virtualization to the phone and the unified communications (UC) applications on which more and more workers are coming to depend. These benefits may be amplified in the capital markets, where many forms of trading depend on an intense and immediate level of collaboration among colleagues who, more and more, it seems may be located anywhere.

As an example, I happened to be invited to the US Open last week where I met a group of people who work for an investment bank and manage an investment fund there. The team is based in an office in midtown Manhattan. At any given time there are members who may be sitting at the trading desk but just as likely others will be meeting with investors in a conference room, meeting potential investors in another city, on a research assignment on another continent or, given that it was August, on vacation somewhere. One of the staff spent half of his time in New York and the other half in Delhi, India.

It is critical that these types of workers be able to communicate and have access to their desktops whether in an office on a plane or anywhere their lives take them.

In earlier posts we have made mention of WCS’s technology leadership position in voice virtualization which is based on innovations from our partners at Mitel and VMware. And while the benefits of virtualization are compelling, fewer servers, hypervisors and virtual machines do not have the same cachet among non-IT employees as say, a cool iPhone app.

This may be because a lot of what is transformative about virtualization happens in the data center, out of the view of the rank and file.

This is beginning to change somewhat as virtualization extends its reach to the desktop. And with it, the lives of many knowledge workers will change for the better. This is because desktop virtualization untethers the worker from the need to be in a particular place, say a cubicle, to actually perform their job effectively. And as workers become more mobile and the work force more distributed, desktop virtualization will become the norm.

Category:Voice Virtualization | Comments Off on Desktop Voice Virtualization – The Next Frontier