Security vulnerabilities and protection methods for VoIP


As data-network bandwidth keeps growing, hundreds of megabits per second or even gigabit to the desktop has become feasible. The added bandwidth is also a strong precondition for carrying voice over the data network. At the same time VoIP technology has matured: topics such as voice compression and QoS assurance have been widely discussed and a consensus has been reached. It is fair to say that VoIP has moved from its original experimental character to mature commercial application.

Although the earliest VoIP deployments in China were at carriers, as an alternative to circuit switching, many enterprise users have now begun to look at VoIP. For a newly built small office, using the ample bandwidth of a new data network to carry voice is more convenient than building a separate voice system, and it offers functions, such as mobile office, that a traditional voice switch does not have. For industry users that already have a data network connecting every branch, using IP trunking between headquarters and the branches saves the high cost of leased long-distance trunk circuits. VoIP technology will therefore find wide application among enterprise users.

In project implementation and in day-to-day use, however, users and equipment vendors concentrate on improving voice quality and integrating with the existing data network, and rarely consider the security risks of VoIP. We place an important application server behind a firewall; in the VoIP case, voice, like any other data application, is simply packets, and it is exposed to the same viruses and hacker attacks. No wonder someone joked: "This is the first time ever that a computer virus can make your phone not work."

What factors affect VoIP security? First, the products themselves. The most commonly used call setup and control signaling in VoIP today is H.323 and SIP. Although they differ in places, both are open protocol suites. Vendors typically have a separate component that handles IP terminal login and registration and gatekeeper signaling. Some of these products run on Windows NT, others on Linux or VxWorks. The more open the operating system, the more exposed it is to viruses and malicious attacks. This is especially so when a device provides a web-based management interface: it may use Microsoft IIS or Apache, installed at the time the product was built, and there is no guarantee that this copy is the latest version or that known security vulnerabilities have been patched.

Second, denial of service (DoS) attacks against open ports. Judged by method and effect, DoS is a simple and effective form of attack: the attacker sends a large number of service requests with forged source addresses to the server, and because the reply address is false, the server waits for responses that never come until all its resources are exhausted. VoIP uses a number of well-known ports, such as 1719, 1720 and 5060, and products also open ports of their own for remote management or proprietary messaging; in short, more ports than a simple data application. As long as the attacker's PC is on the same network segment as these application ports, a simple scanning tool such as the shareware X-way can reveal them in detail.

A recently reported vulnerability was published by NISCC (the UK National Infrastructure Security Co-ordination Centre); its test results showed: "Many VoIP systems on the market that use the H.323 protocol have flaws in H.245 session establishment and are easily subjected to DoS attacks on port 1720, which leads to instability or even paralysis of the system."
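The two DoS symptoms described above, a burst of signaling requests and requests arriving from hosts that have no business talking to the call server, can both be picked up from signaling logs. The following detector is an added example, not code from the original article; the log format, the voice VLAN subnet and the thresholds are constructed assumptions.

```python
"""Signaling flood / stray-source detector for VoIP logs (added example).

Constructed log format assumed here: "<epoch> <src_ip> <dst_port> <method>".
Two checks: (1) any signaling request from outside the voice VLAN,
(2) more than THRESHOLD requests from one source within WINDOW seconds
to a well-known signaling port (1719/1720 for H.323, 5060 for SIP).
"""
import ipaddress
from collections import defaultdict, deque

SIGNALING_PORTS = {1719, 1720, 5060}
VOICE_VLAN = ipaddress.ip_network("10.10.20.0/24")  # assumed phone subnet
WINDOW = 10      # seconds
THRESHOLD = 20   # requests per window per source

# Constructed sample: one phone registering normally, one host flooding INVITEs.
SAMPLE_LOG = (
    [f"{1000 + 3 * i} 10.10.20.11 5060 REGISTER" for i in range(5)]
    + [f"{1000 + i // 4} 192.168.1.77 5060 INVITE" for i in range(100)]
)


def parse_line(line):
    ts, src, port, method = line.split()
    return float(ts), src, int(port), method


def detect_anomalies(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (timestamp, src_ip, reason), one per reason per source."""
    events = sorted(parse_line(l) for l in lines)
    recent = defaultdict(deque)   # src -> timestamps inside the sliding window
    seen = set()
    alerts = []

    def alert(ts, src, reason):
        if (src, reason) not in seen:
            seen.add((src, reason))
            alerts.append((ts, src, reason))

    for ts, src, port, _ in events:
        if port not in SIGNALING_PORTS:
            continue
        if ipaddress.ip_address(src) not in VOICE_VLAN:
            alert(ts, src, "outside voice VLAN")
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            alert(ts, src, f"rate > {threshold} per {window}s")
    return alerts
```

Running `detect_anomalies(SAMPLE_LOG)` flags the flooding host first for being outside the voice VLAN and then, once its 21st request lands inside the window, for its rate; the phone in the voice VLAN raises nothing.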

Third, theft of service, a problem also familiar from analog telephony. Just as several handsets can be attached to an ordinary analog line and calls charged to its owner, there is theft of service in VoIP: an IP phone cannot be tapped onto a line, but stealing a user's IP phone login password also gives access to that phone. When an IP phone first logs into the system, it prompts for the user's extension number and password. Many enterprises that use VoIP, in order to support remote and mobile working, assign a staff member a desk phone and additionally a virtual IP phone, with its own password and dialing permissions.

Thus even on a business trip or working from home, staff can connect to the company LAN over VPN, run the IP softphone on their computer, and answer or place calls exactly as in the office. When that password is lost, anyone can log their own softphone in as someone else's extension, and if that extension is permitted to dial domestic and even international long-distance numbers freely, the result is heavy losses that are hard to trace.

Finally, eavesdropping on the media stream. Analog phones can be tapped on the line; when an enterprise uses digital phones, the vendors' proprietary protocols make it hard to listen in with simple means. In the VoIP environment the problem reappears. A typical VoIP call is set up in two stages, signaling and media, and RTP/RTCP is the protocol that carries the voice over the packet network. Because the protocol is open, even a small segment of the media stream can be replayed without correlating it with the signaling. If someone on the data network records everything with a sniffer and replays it with software, it will cause a crisis of trust in voice communication among staff.

When this technology was first developed, developers expected it to be a cheap alternative to traditional long-distance calls, so they paid little attention to security. VoIP also grew together with the network market as a whole, with so many vendors and products that no unified technical standard could be put forward. And VoIP is built on IP networks, whose open architecture inevitably brings the network's negative side with it. The main ways to maximize VoIP security are as follows:

1. Isolation of networks for voice and data transmission

The isolation meant here is not physical isolation. Rather, all IP phones should be placed in a separate VLAN and unrelated PC terminals kept out of that segment. Feedback from many evaluators shows that a VLAN is the simplest and most effective way to protect an IP voice system: it isolates viruses and simple attacks, and combined with the QoS settings of the data network it also helps voice quality.

2. Treat VoIP as an application

This means using the same measures that protect important application servers to protect the important ports and applications of VoIP devices; for example, Nortel Networks Alteon switched firewalls can effectively resist DoS attacks. The same approach applies to VoIP systems: when two IP terminals call each other, once the signaling has passed through the central signaling server and the call is established, the media stream exists only between the two terminals; only when a call from an IP terminal needs to reach the PSTN through a gateway does it consume DSP resources in the media gateway. Therefore we need to protect the external addresses and ports of both the signaling and the media flows.

Also keep only the ports that are actually needed, such as the web-based management address, and shut down every service process that is not required. One caveat: because of the protocols themselves, H.323 and SIP run into obstacles when traversing NAT and firewalls, but this can be solved by enabling an Application Layer Gateway (ALG). As call volumes grow, an external media-stream proxy (RTP media portal) can be used to support a larger VoIP system.

3. Choose the right products and solutions

At present the system architectures of different vendors' products differ, and each vendor has its own preferred operating platform. We cannot assert which operating system is the safest and most reliable, but vendors need to offer the technical support that lets users believe their products can withstand the growing range of virus attacks. Many vendors' products also physically separate the management network segment from the user's IP voice segment, exposing as few ports as possible to the outside. Nortel Networks' Succession 1000/1000M follows these design ideas: the management segment and the user segment are completely physically isolated, and the VxWorks operating system shields the system from external influence as far as possible. Because VoIP security and data network security are intrinsically linked, vendors need to provide more than a set of equipment: they must help users improve the security and reliability of their existing network with ideas and practical techniques.

4. Encryption of voice data streams

Currently one member of the H.323 protocol family, H.235 (also known as H.SECURE), is responsible for authentication, data integrity and media-stream encryption. More realistically, vendors choose their own proprietary protocols to secure VoIP. But even without H.235 or other means, eavesdropping on an IP phone call is much harder than on an ordinary phone, because it requires the codec algorithm and corresponding software. Even someone who obtains the software and connects to the company's IP voice segment may still come away with nothing, because many enterprise internal networks today bring 10/100M Ethernet switch ports rather than hubs to the desktop, so the traffic cannot be captured simply by sniffing.

5. Reasonable establishment of employee dialing authority

Many vendors have ported the rich feature set of traditional switches to VoIP systems, which effectively suppresses theft of service through stolen login passwords. Giving each IP phone a set of permissions for dialing long-distance or specific numbers, or requiring an authorization code, so that a long-distance call goes through only after the correct code is entered, simply solves the problems described above.
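The class-of-service and authorization-code controls described here, and the stolen-extension scenario from the theft-of-service section above, are modelled in the following added example; it is not code from the article or from any vendor, and the dial patterns, directory and codes are constructed assumptions.

```python
"""Dial-plan authorization with per-extension class of service (added example).
Toll calls (long-distance, international) need both an adequate class of
service and a per-user authorization code, so a stolen login alone is not
enough; number formats below are constructed assumptions."""
import hashlib
import hmac
import re

CLASSES = ["internal", "local", "long_distance", "international"]  # ascending privilege
TOLL_CLASSES = {"long_distance", "international"}
PATTERNS = [  # constructed: 4-digit ext, 7-digit local, 1+10 long distance, 011+ intl
    ("internal", re.compile(r"^\d{4}$")),
    ("local", re.compile(r"^\d{7}$")),
    ("long_distance", re.compile(r"^1\d{10}$")),
    ("international", re.compile(r"^011\d{7,15}$")),
]

def classify(number):
    """Map a dialed string to a call class, or None if it matches no pattern."""
    digits = re.sub(r"\D", "", number)
    return next((name for name, pat in PATTERNS if pat.match(digits)), None)

def _code_hash(code):
    return hashlib.sha256(code.encode()).hexdigest()

# Constructed directory: extension -> (class of service, sha256 of auth code or None)
DIRECTORY = {
    "2001": ("local", None),
    "2002": ("international", _code_hash("493817")),
}

def authorize(extension, number, auth_code=None, directory=DIRECTORY):
    """Return (allowed, reason); deny by default on anything unexpected."""
    if extension not in directory:
        return False, "unknown extension"
    cos, code_hash = directory[extension]
    call_class = classify(number)
    if call_class is None:
        return False, "unrecognized number"
    if CLASSES.index(call_class) > CLASSES.index(cos):
        return False, f"class of service '{cos}' does not permit {call_class}"
    if call_class in TOLL_CLASSES:
        if code_hash is None or auth_code is None:
            return False, "authorization code required"
        # constant-time compare so the check does not leak how many digits matched
        if not hmac.compare_digest(_code_hash(auth_code), code_hash):
            return False, "bad authorization code"
    return True, call_class
```

With this policy, a softphone logged in with a stolen extension password can still only reach the destinations that extension's class permits, and any toll call additionally stops at the authorization-code prompt.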

The security of IP networks has always received attention. As a new application on the data network, some of VoIP's hidden security risks are a continuation of problems in the IP network itself. Only when the network security problems are properly solved, and combined with the security and authentication mechanisms of the products themselves, can VoIP-based applications play a sustained and stable role in the enterprise and be an effective way to meet enterprise voice communication needs.
