Tuesday, September 16, 2008

Integrity, Vulnerability and Security in VoIP




Integrity of VoIP
VoIP phones and infrastructure are connected to the internet through routers and servers, and they work only while electricity, from the mains or a power generator, is available. During a power outage, connections between networks can fail. VoIP providers therefore use an Uninterruptible Power Supply (UPS) to maintain electricity, but only for a limited length of time.

According to the site (http://en.wikipedia.org), to deal with VoIP’s power dependency, VoIP providers need to improve their connectivity through backup DSL and by providing a UPS or power generator at the sites where VoIP equipment is present.

Further, a VoIP call is executed by sending voice over the internet: the conversation is broken up into packets, and the packets are then sent over the same network. This procedure can lead to network congestion and Denial of Service. When this occurs, VoIP can be vulnerable to DoS attacks and threats, and attackers may take the opportunity to interfere in the conversation.

According to Paul Curran, calls could be corrupted by interrupting the RTP (Real-time Transmission Protocol) packets and changing their contents, or by introducing delay into the call before it is received by the recipient (http://www.microsoft.com/uk/business/security/VoIP.mspx). This may result in the disruption of VoIP call integrity.

To maintain integrity in VoIP, each message or packet should be authenticated, and the packets should retain their content unchanged. Phones with caller ID should reveal the identity of the caller, and calls should be recorded and guarded. Otherwise, the phone number can be hacked and used as a stolen account, with the calling bills at the victim’s expense.

According to the site (http://www.frost.com/prod/servlet/market-insight-top.pag?ocid=42936783), DoS attacks can be prevented by protocol tuning, buffering, configuring tags and port blocking. VoIP providers should provide a failover session control service as backup in case of network failure or if the network is under Denial of Service. Authentication of network elements, such as the packet and message, can make it difficult for hackers to interfere in conversations. The user needs to improve communication security to lessen the occurrence of threats.
With strong security built up over the internet connection, there is less opportunity for VoIP to be hacked.
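
The packet authentication called for in the two paragraphs above can be sketched as follows. This is an added example, not code from any of the cited sources: it appends a truncated HMAC-SHA1 tag to a minimal RTP packet, in the spirit of SRTP's authentication tag but without SRTP's encryption, key derivation or replay protection, and the key, SSRC and payload are constructed values.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10  # 80-bit tag, the length SRTP's HMAC-SHA1-80 transform uses


def build_rtp(seq, timestamp, ssrc, payload, payload_type=0):
    """Pack a minimal 12-byte RTP header (version 2, no CSRC/extension) plus payload."""
    header = struct.pack("!BBHII", 0x80, payload_type & 0x7F,
                         seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc)
    return header + payload


def protect(key, packet):
    """Append a truncated HMAC-SHA1 tag computed over header and payload."""
    tag = hmac.new(key, packet, hashlib.sha1).digest()[:TAG_LEN]
    return packet + tag


def verify(key, protected):
    """Return the original packet if the tag matches, otherwise None."""
    if len(protected) < 12 + TAG_LEN:
        return None                      # too short to hold header + tag
    packet, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, packet, hashlib.sha1).digest()[:TAG_LEN]
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return packet if hmac.compare_digest(tag, expected) else None


def demo():
    key = bytes(range(20))               # constructed key, demo only
    pkt = build_rtp(seq=4711, timestamp=160, ssrc=0x1234ABCD,
                    payload=b"\xd5" * 160)   # constructed 20 ms G.711 frame
    wire = protect(key, pkt)
    bad_payload = bytearray(wire)
    bad_payload[20] ^= 0x01              # one bit of audio changed in transit
    bad_header = bytearray(wire)
    bad_header[3] ^= 0x01                # sequence number altered in transit
    return {
        "intact": verify(key, wire) == pkt,
        "payload_modified": verify(key, bytes(bad_payload)) is None,
        "header_modified": verify(key, bytes(bad_header)) is None,
        "wrong_key": verify(b"x" * 20, wire) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Because the tag covers the header as well as the audio, a changed sequence number or timestamp is rejected just like a changed payload.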

Vulnerability of VoIP
"VoIP networks are known to be particularly susceptible to DoS and Distributed DoS attacks," says Butler Group Senior Analyst, Andy Kellett. "The convergence of voice and data networks means that successful virus-based attacks could be used to bring down the entire business with both voice and data channels potentially being paralyzed by a single attack model." (http://www.microsoft.com/uk/business/security/VoIP.mspx) Convergence of voice and data networks makes VoIP organizations cost-efficient and improves processes in the services they offer.

The susceptibility of VoIP to Denial of Service attacks and other threats is due to the organizations that install VoIP services: their deployments focus on throughput and quality of service, and security of the service comes only second.

According to the Internet Security System, in their article “VoIP White Paper”, quality of service is, and always will be, an important component of voice transmission, whether in analog or digital form. However, it must be realized that VoIP is also data to be transmitted. To be transmitted, the voice and message are first broken into packets before being sent over a network, and this procedure is highly susceptible to a number of attacks.

The primary types of attacks commonly associated with the vulnerability of VoIP are the following:
1. Theft of service, also known as ‘toll fraud’
2. Eavesdropping
3. Impersonation
4. Phishing

Aside from these major attacks on VoIP, there are also other types of attacks according to the Internet Security System (ISS):
1. Call Re-direction
2. Information theft
3. Call Integrity compromise

Further, VoIP service is open and available as long as the broadband connection is present. Because of this availability, VoIP can also encounter attacks such as:
1. DoS or Denial of Service Attacks
2. Spamming
3. Internet Virus
4. Worms
5. Hacking

In addition, since VoIP is vulnerable to all problems associated with broadband services, the vulnerability could affect call quality in VoIP. According to the site (http://communication.howstuffworks.com/ip-telephony11.htm), this quality can be identified by the following:
1. Latency
2. Jitter
3. Packet Loss
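
Two of these three measures, jitter and packet loss, can be computed by a receiver from the RTP stream itself. The added example below (not from the cited site) follows the receiver calculations of RFC 3550 over a constructed arrival log of (sequence number, RTP timestamp, arrival time) tuples, and assumes an 8000 Hz audio clock. Latency is not computed because one-way delay cannot be derived from RTP headers alone.

```python
CLOCK_RATE = 8000  # RTP timestamp ticks per second (assumed G.711 audio)

# Constructed receiver log: (seq, rtp_timestamp, arrival_seconds).
# The 16-bit sequence number wraps after 65535, and seq 1 never arrives.
SAMPLE = [
    (65533, 0, 0.000), (65534, 160, 0.020), (65535, 320, 0.045),
    (0, 480, 0.060), (2, 800, 0.100), (3, 960, 0.121),
]


def extend(seq, max_ext):
    """Map a 16-bit seq to the extended number closest to the highest seen so far."""
    if max_ext is None:
        return seq
    base = max_ext & ~0xFFFF
    candidates = (base - 0x10000 + seq, base + seq, base + 0x10000 + seq)
    return min(candidates, key=lambda c: abs(c - max_ext))


def stream_quality(observations, clock_rate=CLOCK_RATE):
    """Return (jitter_ms, lost, expected) for packets given in arrival order."""
    jitter, prev_transit = 0.0, None     # jitter is kept in timestamp units
    max_ext = None
    received = set()
    for seq, rtp_ts, arrival in observations:
        ext = extend(seq, max_ext)
        if ext in received:
            continue                     # duplicate packet, count it once
        received.add(ext)
        max_ext = ext if max_ext is None else max(max_ext, ext)
        transit = arrival * clock_rate - rtp_ts
        if prev_transit is not None:
            # RFC 3550: J = J + (|D| - J) / 16, D = change in transit time
            jitter += (abs(transit - prev_transit) - jitter) / 16.0
        prev_transit = transit
    expected = max_ext - min(received) + 1
    lost = expected - len(received)
    return jitter / clock_rate * 1000.0, lost, expected


if __name__ == "__main__":
    print(stream_quality(SAMPLE))
```

Extending the sequence number before counting is what keeps the wrap from 65535 to 0 from being reported as tens of thousands of lost packets.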

Because of these threats and attacks, phone conversations become corrupted, distorted and lost due to transmission errors. To deal with these, internet stability and strong security should be guaranteed and provided.

Security in VoIP
When a conversation takes place, a session between caller and recipient is initiated. According to the site (http://www.securiteam.com/securitynews/5MP0C00GAM.html), the network layer that holds the session is the Session Initiation Protocol (SIP), which is responsible for creating, modifying and terminating sessions with one or more participants.

According to researchers at the Royal Institute of Technology in Stockholm, Sweden, only a few users of SIP-based VoIP telephony pay attention to call security. Most users overlook how vulnerable VoIP service can be. Users of VoIP services today are primarily concerned with quality of service, such as voice quality, latency and interoperability. But some security organizations, like ISS, are cautioning users about the dangers brought by unsecured VoIP services.

However, for VoIP to be adopted globally in the market, security facilities must be provided to address the worst security vulnerabilities of VoIP. "VOIP security needs to be handled in the overall context of data security," says Krauthamer, director of IT at Advanced Fiber Communications Inc. (AFC), a Petaluma, Calif.-based manufacturer of telecommunications equipment. AFC is using limited VOIP communications, according to the article by Jaikumar Vijayan on the site (http://www.computerworld.com/).


But according to Maxine Kincora, “VoIP security measures won’t stop hackers” (http://searchcio.techtarget.com). Because of VoIP’s vulnerability and unreliability, hackers have been able to spread attacks in VoIP. Consumers can take precautions to protect their networks from being susceptible to attacks and hackers. Other technologies can be given basic protection, but with VoIP, no one is doing such protection.



However, there are things to consider in making VOIP secure, which according to the site (http://voip.about.com/gi/dynamic/offsite.htm) are the following:

1. Using Firewalls

2. Enforcing Authentication

3. Using Encryption

4. Secure Service Provider



Security issues are a challenge for VoIP networks. According to the site (http://www.voiplowdown.com/2007/voip-security-challenges-25-ways-to-secure-your-voip-network), there are other steps to protect VOIP networks from attacks:

1. Restrict all VoIP data to one Virtual Local Area Network (VLAN)

2. Monitor and track traffic patterns on your VoIP network

3. Lock down your VoIP servers

4. Use multiple layers of encryption

5. Build redundancy into VoIP networks

6. Put your equipment behind firewalls

7. Update patches regularly

8. Keep your network away from the Internet

9. Minimize the use of softphones

10. Perform security audits on a regular basis

11. Evaluate physical security

12. Use vendors who provide digital security certificates

13. Secure your gateways

14. Manage servers separately

15. Sort SIP traffic

16. Examine call setup requests at the application layer

17. Isolate voice traffic

18. Use proxy servers

19. Run only applications that are necessary to provide and maintain VoIP services

20. Configure applications against misuse

21. Add endpoint security layers

22. Restrict access according to certain criteria

23. Avoid remote management

24. Use IPsec tunneling rather than IPsec transport

25. Secure your VoIP platform



With the help of these precautions, attacks could be lessened and later prevented, and the term ‘vulnerable’ would no longer be applied to VOIP. Along with these steps and precautions, network hardware and software requirements should also be considered. Security measures would be useless if the network specifications were too poor to accommodate the security demands. Thus, in order to secure VOIP, the network specification should be good enough to serve VOIP services.
