FEATURE SECURITY
VoIP Phone Phreakers to Target Enterprises
Speak of the Devil
By Yaniv Epstein, Sales Director UK & Nordics, Audiocodes
Enterprises across the globe are moving their traditional TDM-based telephony systems to IP-based voice and unified communications (UC) networks. While there are many benefits to this, there are also inherent perils, particularly with data security.
Security breaches on VoIP systems already include the theft of telephone numbers and use of them to make calls which appear on a business’ phone bill. Take the example of premium rate numbers such as 09 numbers. These 09 scams usually involve a bogus operation, registered outside the EU, which hacks into an unsuspecting business’ PBX at a time when no one is working. Once in, the hackers programme the PBX to automatically make premium rate calls. No one is aware of the scam until much later. The scam yields revenue for the carrier and the company that set up the number, with a phone operator paying the scammer as much as 90% of the generated revenue. In fact, scammers don’t even have to be present anymore – industrial grade scanners have taken their place, operating around the clock to find and exploit the IP-PBX.
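The scam pattern described above, premium rate calls placed automatically while no one is working, leaves a clear trace in call detail records. The following is an added example, not part of the original article; the CDR layout, business hours, alert threshold and sample records are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs (not from the article):
# start time, extension, dialled number, duration in seconds.
SAMPLE_CDRS = """\
2011-03-04 14:12:09,201,02079460011,185
2011-03-05 02:14:31,214,09011110001,1790
2011-03-05 02:14:33,214,+449011110001,1802
2011-03-05 02:44:40,214,0044 9011110001,1795
2011-03-05 03:15:02,214,09011110001,1788
2011-03-07 10:30:00,305,09055550002,95
2011-03-07 23:05:10,118,01632960123,60
"""

PREMIUM_PREFIXES = ("09",)     # the 09 premium rate range named in the article
BUSINESS_DAYS = range(0, 5)    # Monday to Friday (assumption)
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 (assumption)
ALERT_THRESHOLD = 3            # out-of-hours premium calls per extension (assumption)

def normalise(number):
    """Reduce +44 / 0044 international forms to national format."""
    n = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    for intl in ("+44", "0044"):
        if n.startswith(intl):
            return "0" + n[len(intl):]
    return n

def out_of_hours(ts):
    """True when the call started outside the assumed working week."""
    return ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS

def suspicious_extensions(cdr_text, threshold=ALERT_THRESHOLD):
    """Return extensions with repeated out-of-hours premium rate calls."""
    hits = defaultdict(lambda: {"calls": 0, "seconds": 0})
    for start, ext, dialled, secs in csv.reader(io.StringIO(cdr_text)):
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        if normalise(dialled).startswith(PREMIUM_PREFIXES) and out_of_hours(ts):
            hits[ext]["calls"] += 1
            hits[ext]["seconds"] += int(secs)
    return {ext: h for ext, h in hits.items() if h["calls"] >= threshold}

if __name__ == "__main__":
    for ext, h in suspicious_extensions(SAMPLE_CDRS).items():
        print(f"extension {ext}: {h['calls']} calls, {h['seconds']} s out of hours")
```

Normalising the dialled number first matters because the same premium rate destination can appear in national or international form in the records.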
Voice of doubt
The security drawback with VoIP has always been that voice is treated as just another data service. Because of this, commercial firewalls and Application Level Gateways don’t handle it well. Unlike in the TDM world, where the telephony network is isolated from the data network, most VoIP networks have several potentially insecure interfaces with other data networks. A poorly designed VoIP network can expose you to conventional data security threats such as denial of service attacks, fraud, computer viruses, eavesdropping and even spam calls. Fortunately, there are solutions available which, when correctly deployed, can ensure the smooth implementation of new VoIP and UC services without compromising the network’s security.
To protect the enterprise VoIP network, the traffic within VoIP and Unified Communications networks has to be separated into three distinct planes, each of which uses its own dedicated protocols. Call control predominantly uses the SIP protocol, media uses RTP, and management uses SNMP, HTTP, Telnet, RADIUS etc.
Crimes of financial gain are just the tip of the iceberg. The following security issues and attacks have been observed on many standard VoIP implementations:
• General scanning and directory scanning (extension enumeration).
• Phone hacking, including account secret discovery or software vulnerability exploits.
• Man-in-the-middle attacks like eavesdropping, injection of audio and application and denial of service, including INVITE/REGISTER flooding and fuzzing.
These kinds of attacks are all happening today, but are rarely reported.
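Directory scanning and INVITE/REGISTER flooding, both named in the list above, can be recognised from call-control (SIP) plane logs. The following is an added example, not part of the original article; the log record format, the meaning given to the response codes and the thresholds are assumptions, and the records are constructed.

```python
from collections import defaultdict, deque

# Constructed log records in a hypothetical format (not from the article):
# (epoch seconds, source IP, SIP method, target extension, final response code)
def sample_log():
    # A normal phone re-registering every 40 seconds.
    log = [(1000 + i * 40, "192.0.2.10", "REGISTER", "201", 200) for i in range(5)]
    # One source walking through extensions 100..129, all rejected.
    log += [(1100 + i, "198.51.100.7", "REGISTER", str(100 + i), 404) for i in range(30)]
    # One source sending 50 INVITEs per second for 8 seconds.
    log += [(1200 + i // 50, "203.0.113.9", "INVITE", "201", 486) for i in range(400)]
    return sorted(log)

ENUM_DISTINCT = 20  # distinct rejected extensions from one source (assumed threshold)
FLOOD_RATE = 100    # requests from one source ... (assumed threshold)
FLOOD_WINDOW = 5    # ... within this many seconds (assumed threshold)

def classify_sources(log):
    """Map each offending source IP to the sorted list of behaviours seen."""
    failed_users = defaultdict(set)  # source -> extensions that were rejected
    recent = defaultdict(deque)      # source -> request timestamps in the window
    verdicts = defaultdict(set)
    for ts, src, method, user, code in log:
        # Assumption: 403/404 is the final answer for a bad or unknown account.
        if method == "REGISTER" and code in (403, 404):
            failed_users[src].add(user)
            if len(failed_users[src]) >= ENUM_DISTINCT:
                verdicts[src].add("extension-enumeration")
        # Sliding-window request rate per source, regardless of outcome.
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] >= FLOOD_WINDOW:
            window.popleft()
        if len(window) >= FLOOD_RATE:
            verdicts[src].add(f"{method.lower()}-flood")
    return {src: sorted(v) for src, v in verdicts.items()}

if __name__ == "__main__":
    for src, found in classify_sources(sample_log()).items():
        print(src, ", ".join(found))
```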
Prying eyes
To further enhance security and protect calls from eavesdropping and other threats, the traffic within each of these planes can be protected by encrypting the protocol data between endpoints. Each plane has its own mechanism for achieving this. Of course, all the elements in the VoIP network need to support these security enhancements in order for them to be deployed throughout the enterprise. Clear-cut demarcation points between ‘trusted’ and ‘untrusted’ domains will need to be defined.
However, for advanced applications like VoIP, standard firewalls operating at OSI layer 3 do not provide adequate protection. Take the SIP protocol, the most commonly used protocol for controlling VoIP calls. A standard firewall cannot pick up the data needed to identify whether a call is genuine or not. There is a solution specially designed for VoIP networks: the Enterprise Session Border Controller (E-SBC). The technology has all the essential components to facilitate a corporation’s migration to VoIP voice services. The E-SBC performs a number of functions such as protocol mediation, media transcoding and facilitating interoperability between different vendors’ VoIP and legacy TDM equipment. The E-SBC provides security features like call admission control, prevention of DoS attacks, topology hiding, and encryption of signalling and media streams.
As more and more of us move over to VoIP, the best way of protecting ourselves is to ensure that our security is up to the job.
26 NETCOMMS europe Volume II, Issue 1 2011
www.netcommseurope.com