View all posts filed under 'Security'

VoIP Security – Basic Threats and Action Plan

Friday, 11. November 2011 8:34

The enterprise voice and trading communications ecosystems are moving inexorably from the seemingly closed and thus secure world of digital, time-division-multiplexing (TDM) to the open, threat-laden domain of Internet Protocol (IP)-based communications. Whereas privacy and security were essentially a given in the TDM world this is not the case with VoIP. And there is  no industry which depends more on  private and secure networks than financial markets where trillions of dollars worth of transactions flow through the ether on any given day.

In a recent entry we took a topical look at the VoIP security landscape and offered a pair of links to articles that aimed to give the reader a high-level understanding of the inherent vulnerabilities of Session Initiated Protocol (SIP) as well as a checklist to diagnose areas of vulnerability in a VoIP environment.

Today we are going to dig a little deeper into the subject by outlining the basic elements surrounding VoIP security, areas of concern and a checklist of best practicies.

Let’s start with a link to a white paper that endeavors to comprehensively define the various security and privacy threats to VoIP deployments, services and end users:  http://www.voipsa.org/Activities/VOIPSA_Threat_Taxonomy_0.1.pdf. The other goal this paper is equally important, to provide a definition of VoIP security and to make it something that is measurable and actionable.

Armed with this background we can now develop a list of common threats and summarize how best to minimize them:

VoIP Risk Action
Application-level attack Use Application Layer Gateway (ALG) and Intrusion & Detection Prevention (IDP) System
DDoS, Virus, Worm
  • Establish policy-based security zones
  • Deploy application-aware IDP
  • Maintain current patch levels
  • Install (and update) anti-virus software
  • Isolate voice traffic on VLAN
Eavesdropping Isolate VoIP traffic on VPN and use encryption
Protocol-targeted attack, SPIT Use Application Layer Gateway (ALG) and Intrusion & Detection Prevention (IDP) System
Unauthorized monitoring/spoofing Deploy strong authentication, authorization tools and IPSec

 

It might be worth noting at this point that this list comprises threats from outside of the enterprise. There is equal or greater potential threats residing inside your enterprise in the form of malicious or unintended employee (or employees at vendor partners) actions that can result in compromised security. These threats can only be mitigated by: education, a strong security policy, limitation of access rights and perhaps deterrence through surveillance.

Finally, in many firms the “IT Staff” may be a single person or even an outside contractor. Without resident security expertise it is critical to be in regular contact with the security resources of your vendors and service providers and establish a continuing security dialogue with them.

In the next part of our security series we will review specific elements and tools and their roles in the network security fabric including: firewalls, VPN, encryption, session border controllers and SIParators.

Category:Security | Comments Off on VoIP Security – Basic Threats and Action Plan | Author:

Secure VoIP and Why Hope Should Not Be Your Strategy

Tuesday, 8. November 2011 11:26

The subject of Voice-over-Internet-Protocol (VoIP) security came up at a recent customer meeting and it was so novel to hear “VoIP” and “security” in the same question that I thought it would be worth revisiting.

The first thing I did was read up on VoIP-hacking and, ideally, high-profile cases out there. Strangely, my curiosity was not really piqued. A basic Google News search yielded only ten results for VoIP hacking! The best I could do was a story on the VOIP Security Alliance (VOIPSA) blog about a case of VoIP services fraud that actually had nothing to do with hacking. This blog may actually be one of the best places to read up on VoIP security and issues (http://voipsa.org/blog/category/security/)

In thinking more about it I was struck that concerns about VoIP security seem, at least in the public discourse, to be receding instead of increasing; and that this is astonishing in a world where personal technology and social media are evolving as institutionalized pillars of enterprise infrastructure. Upon further consideration, I thought, as voice evolves as not only “just another application” but one that is being virtualized on our customers own IT infrastructure shouldn’t it be of more concern than ever (the world of mainstream trading communications has really only embraced the concept of convergence in thought and word vs. real-life deployment so far)?

VoIP  is, thankfully, no longer a new/new technology and with this maturity has come a welcome measure of respect. And, combined with an apparent dearth of high-profile security breaches, the topic of VoIP security has faded somewhat  into the background. Of course, the fact that the mainstream media is not focused on covering the topic of VoIP security does not mean it is not a real threat.

So, where to begin? Let’s start with some simple education through reading with an article in VoIP Planet that outlines the issues of security and Session Initiated Protocol SIP)http://www.voipplanet.com/solutions/article.php/3747161 and then move on to one about diagnosing potential vulnerabilities: http://www.voipplanet.com/backgrounders/article.php/3775186.

From here, in a follow-up post we will attempt to address in more detail security threats, challenges and best practices for securing VoIP infrastructure, applications and connections across the enterprise voice trading communications network.

 

 

 

Category:Industry Research, Security | Comments Off on Secure VoIP and Why Hope Should Not Be Your Strategy | Author: