Don't believe the VoIP security hype

By Andrew R. Hickey, News Writer
23 Nov 2005 | SearchEnterpriseVoice.com

Denial-of-service attacks against VoIP systems are still the biggest security threat, according to experts. Beyond that, other frequently mentioned risks, like eavesdropping and voice spam, are not much more than hype.

But from startups to major players, numerous vendors are capitalizing on VoIP concerns, introducing a host of products to protect and monitor VoIP networks. In a push to alleviate some of those concerns and show companies where they should focus their security needs, the VoIP Security Alliance (VoIPSA) recently introduced its "Threat Taxonomy," a reference document listing the threats a VoIP system could face.

"There's a lot of hype about VoIP security," said Lawrence Orans, a research director at Gartner Inc. in Stamford, Conn. "There's hype about Spam over Internet Telephony. There's hype about eavesdropping. These aren't concerns that businesses should have at the top of their priority lists."

Orans said denial-of-service attacks should be a company's biggest concern.

Jonathan Zar, VoIPSA secretary and senior director at SonicWall, a security software vendor, agreed with Orans that denial-of-service attacks top the list, followed by phishing and other deceptive practices. Spam over Internet telephony, known as SpIT, "is kind of a fear of the future," he said.

A recent Gartner study predicted that by 2010, voice spam will be less than 5% as prevalent as e-mail-based spam messages. That's not much of a threat, according to Orans, given that Gartner predicts that by the end of 2005, more than 10 million people will be using VoIP.

Orans said because so many companies are unsure of what threats they could face, VoIPSA's taxonomy has become a necessity. He said many companies using or planning to use VoIP are questioning such a system's security, and media hype surrounding the potential for SpIT attacks has shaken a number of would-be VoIP users.

"[The taxonomy] is important so everyone understands exactly what the threats are," he said. "There's a lot of confusion about VoIP security, and a taxonomy is critical."

The taxonomy highlights a cooperative effort to identify and define VoIP security threats, covering not just voice communication, but text, video and instant messaging as well.

"There really was nobody focused on security and privacy for VoIP," Zar said. He said several users are concerned about their VoIP systems' security, but for different reasons. In other words, he said, "Everybody was touching a different part of the elephant."

"Very simple attacks can take down a system," Zar continued. "There are major gaps, misalignment of people and miscalibrating. Folks just aren't talking the same language. We really wanted to anchor security and privacy."

A recent survey conducted by Framingham, Mass.-based research firm IDC for the Computing Technology Industry Association found that fewer than half of small and midsized businesses (SMBs) in the U.S. trust the security of VoIP systems. The study suggests that 60% of SMBs had encountered disruptions of voice or data communications and 70% indicated that the disruptions resulted in material loss. Conversely, a mere 8% said the disruptions put the viability of the business in jeopardy.

Orans said while threats against VoIP systems are still in their infancy, companies should keep abreast of what's on the horizon. Firewalls and intrusion prevention systems (IPS) offer the most protection, Orans said.

"The biggest risk is [that] someone would launch a denial-of-service attack against your PBX," he said. "You have to put the PBX behind a firewall. Not just any firewall, but one that can filter over IP telephony protocol."

Orans said Cisco Systems Inc.'s CallManager is bundled with the vendor's Host IPS software.

"The leading vendors are moving in that direction for a standards-based protocol," he said. "You need to make sure the protocol you're using is supported by the firewall."

Along with Cisco, vendors such as VoIPshield Systems Inc., Network Instruments and several others have launched products so companies can keep tabs on trouble in their VoIP systems.

Juniper Networks Inc. recently introduced its Dynamic Threat Mitigation software, which lets organizations boost the security of network services, namely VoIP. Using Juniper routers and intrusion detection and prevention systems, the software prevents Session Initiation Protocol (SIP) attacks, worms and denial-of-service attacks from taking out SIP-based voice communication.

"[Dynamic Threat Mitigation software] dynamically takes any threat and deals with it there and then, in real time," said Dean Sheffield, voice solutions marketing manager at Juniper. "When the intrusion detection and prevention product detects an anomaly in SIP, it puts the call on hold, sends the user to a capture portal and explains why the call has been dropped."

Sheffield said securing a VoIP network is "not rocket science," but noted Juniper has taken a different approach by protecting at the SIP level.

"If you lose your voice system, the productivity and financial impact is critical," he said. "The dynamic and real-time nature of VoIP means it also needs to be protected in real time."

Scott Heinlein, also a Juniper solutions marketing manager, added that several companies fall short by only protecting their voice networks at the signaling or application levels, but "to fully secure a VoIP network, you really need to look at both parts of it."

Like Orans, Heinlein said firewalls and VPNs are a necessity, but can't defend against every type of attack.

"Enterprises need to make sure someone can't enter the PBX because there's a number of things that can happen," Heinlein said. If a PBX is breached, Heinlein said the attacker could listen to voice mail, access call logs, make calls posing as someone else and listen in on calls.

This article originally appeared on SearchEnterpriseVoice.com.
