Voice apps push security barriers

Security threats are on the increase as voice applications move to converged networks where devices are connected to the IP network.

As a result, communication devices are more open to attacks designed to gain unauthorized access to stored messages, call history records, configuration files, interactive voice response scripts, and log files.

Communications integrator NSC account executive Bob Struthers said threats include eavesdropping, which in the data world involves sniffing network packets for data that can be interpreted in real time.

In the converged space, he said, the new eavesdropping threat involves sniffing voice conversations.

One method of dealing with this threat is encryption, but Struthers said encryption without authentication and authorization techniques is not sufficient.

“Integrity threats are based on the insertion of bogus content in files or communication streams; attackers may insert malicious or misleading data into unprotected files,” Struthers said.

“Other threats involve an attacker spoofing the identity of a valid user to gain access to systems and operate with the full privileges of the impersonated user.”

To deal with integrity threats, authentication and signing techniques for users, devices and applications are essential before they access converged networking resources.

“For example, phones that are connected to a network should be authenticated prior to allowing access to feature servers that enable placing calls,” he said.

Another threat to converged networks is distributed denial of service (DDoS), in which an attacker gains control of multiple computers to attack a single target simultaneously.

“This type of DoS attack is more difficult to thwart because the perpetrators are more numerous; they can take the form of ICMP floods, TCP SYN floods, and UDP floods,” he said.

Struthers said implementations should follow the Internet Engineering Task Force (IETF) Site Security Handbook RFCs 1918 and 2827.

NSC is working closely with the Australian National University to meet the security protocols on a major convergent network rollout.

The ANU is implementing a US$3 million IP communications network over the next three years.