Is enterprise VoIP (voice over IP) due for a security wakeup call or are the threats mostly exaggerated? It depends on who’s talking.
“The security aspects of enterprise VoIP have been overblown,” says Irwin Lazar, senior analyst at the Burton Group. “There’s a lot more attention being paid to the fear of attack than what is actually possible.”
Roger Farnsworth, manager of marketing for Secure IP Communications at Cisco, concurs: “VoIP systems can be at least as secure as traditional voice systems, and future IP technologies and voice applications will make them even more secure.”
But Mark Collier, CEO of SecureLogix, a vendor of voice management and security platforms for both traditional phone systems and VoIP, isn’t completely sold. “With IP at its foundation, it’s simply unrealistic to expect VoIP to be any more robust than e-mail, the Web, or DNS,” he says.
Hold the phone. E-mail? The Web? DNS? Who in their right mind would move from the rock-solid service of legacy enterprise telephony to a platform that’s no more secure than e-mail?
Just another app
In fact, enterprise VoIP is essentially just another application on the IP network. The principal elements of today’s typical enterprise IP telephony systems are call control servers, which usually run on an operating system such as Linux, Windows, or VxWorks; VoIP clients, which are either handsets or softphones; and VoIP gateways, which sit at the edge of the network and translate between VoIP and the PSTN.
They all use some relatively standard protocols — typically either the International Telecommunication Union’s H.323 series of protocols or the IETF’s SIP for the servers and clients and the MGCP (Media Gateway Control Protocol) or Megaco/H.248 protocols for gateways. And the vast majority share the data network, depend on the same routers and switches for voice packet transport, and, ideally, interface with other data applications, including messaging.
So, theoretically at least, VoIP systems are as vulnerable to attack as other data applications. The list of potential threats includes DoS attacks, viruses, worms, Trojans, packet sniffing, spam and phishing. Spam? If you remember the dark days before do-not-call lists, imagine the potential of SPIT (spam over Internet telephony).
“If I want to send 100 calls, I have to dial 100 times or use an autodialer,” says Andrew Graydon, vice-president of technology at BorderWare Technolgies. “But with an IP connection, I could upload a WAV file to a computer in the Bahamas, press a button, and send it to 2,000 employees instantly.” Phishing is accomplished simply by spoofing caller ID information to masquerade as a representative of a legitimate institution.
Nonetheless, vendors and analysts emphasize that IP PBXs run on a variety of operating systems, usually stripped down and hardened, and use a mix of still-evolving standards and more proprietary protocols, such as Cisco’s Skinny call control protocol, making VoIP apps more difficult to target than typical data applications.
Also potentially menacing are man-in-the-middle attacks (hackers masquerading as a SIP proxy and logging all call activity) and trust exploitation (hacking into a data server that has a trust relationship with VoIP servers to gain access to the latter).
To these, add toll fraud, which is accomplished by hacking into a voice gateway and making international calls at the company’s expense. Then there’s eavesdropping: Users with access to the network and two free, easily available tools called tcpdump and Vomit (Voice over Misconfigured Internet Telephones) can reassemble and convert a voice conversation over IP to a standard WAV file.
Further, VoIP systems often depend on vulnerable applications to function properly. “SQL Slammer attacked Microsoft SQL Server, but because Cisco Call Manager telephony servers depend on SQL server, it disrupted many of them, as well,” Collier says.