VoIP Security Threats: Fact or fiction?

IT managers should not assume that because their data networks are protected, it is safe to add voice to their systems. Imagine a situation in which an intruder enters your VoIP network unnoticed, starts monitoring any conversation he chooses, extracts sensitive information, company secrets, and even details that can be used to blackmail the CEO. Last month, ISS (Internet security Bae) issued a warning alerting users to the existence of a security vulnerability in Cisco's VoIP products that is likely to occur. According to the company, this vulnerability in Cisco's Call manager, which handles calling signaling and routing, could cause a buffer overflow that would allow intruders to access the system to listen for all calls transmitted through the system. Growing Pains Neel Mehta, director of the X-force Research and development team at ISS, said: "VoIP is going to suffer from growth in security issues." This is still a new and emerging threat, and a threat that we need to take seriously. "Such vendors (including Borderware, secure Logix and NFR) urge the use of security devices such as dedicated firewalls. Such firewalls are specifically designed to filter VoIP transport streams, look for suspicious patterns, and sever these connections. But it is also difficult to find a company that is abused by VoIP abusers, whether they use unwanted messages to block voicemail boxes, intruders who monitor phone conversations or who hide their true identities. So far, the threat is largely hypothetical. "I don't think there is a real threat," said Irwin Lazar, senior analyst at Burton Group. VoIP is still a fairly closed system, and few companies are opening their VoIP systems to the Internet. But, he says, once that happens, the company begins to advertise the SIP addresses it uses in VoIP communications on business cards and websites, and VoIP security becomes critical. Last year, VoIP management maker Qovia announced that it had applied for a patent that involved capturing VoIP spam technology. VoIP spam is considered one of the more immediate threats to VoIP networks. Pierce Reid, vice president of Qovia Marketing, said the company had planned to launch the spam capture module last year, but had not done so because of a lack of interest in the market. Hot Topics However, Reid said interest in such products began to rise, and security issues are now a hot topic on VoIP activities. "Part of what we wanted to do last year was to help people raise their safety awareness and protect themselves before they hit the VoIP threat," Reid said. "The company plans to launch its anti-spam products by the end of this year. Parrish, a senior IT expert in Jacksonville City, North Carolina, said the municipal authorities for about 3 yearsBefore installing Cisco's VoIP devices, focusing on reducing costs, security is not a major concern. However, his department has taken steps to protect voice networks, such as isolating voice networks from data networks and providing physical security for telephones. Although Jacksonville's VoIP network did not encounter any security breaches, Parrish thought his department might be in good luck and believed that such luck would not last forever. "I haven't seen the scary side yet, but I'm not naïve enough to think it won't happen," he said. "When Qovia's anti-VoIP Spam product is released, Jacksonville evaluates the product." We have some good reasons not to overlook the potential threats to VoIP, even before they become a widespread reality. First, given the rampant abuse of viruses, spam and web-page fraud in other ip-based communication systems (especially e-mails), it's not hard to imagine a similar threat going into VoIP. Second, if these theoretical threats enter the enterprise, they can cause serious damage. Be careful. "I don't think people should deploy VoIP unless they take the necessary security measures," said Bob Gligorea, an Exchange bank Information security officer at Santa Rosa, Calif. "The Community Bank is currently installing new network hardware, including ISS security equipment, so that he can migrate to VoIP next year," he said. "I've never heard of such abuses, but I would think it would be very bad to eavesdrop on a competitive advantage," he said. "So what should companies do about these threats?" The US government made some suggestions earlier this year. In January, the Ministry of Commerce's National Standards and Technology Bureau published a report assessing VoIP security, stating that IT managers should not think that it is safe to add voice to their systems because their data networks are protected. The report said, "managers may mistakenly think that because digital voice is routed through packets, they can simply plug VoIP components into their already protected networks and then sit on their own." But the process is not that simple. "The report recommends the current approach to isolating voice and data streams, using security products such as firewalls that detect VoIP protocols, and avoiding the use of PCs and headphones for VoIP" soft phones, which can protect the network from viruses and other malware. Susan Larson, vice president of Global Threat analysis and research at SurfControl, said the company should also consider how its VoIP network could play a role in overall security efforts, in addition to installing special products that could remove suspicious VoIP transmissions. With Skype, a free peer-to-peer program that enables PC users to make phone calls on the Internet, it builds on the outside worldunprotected connections) The growing popularity of such applications requires companies to consider what their employees might download. Larson says SurfControl products can prevent downloads from such sites and capture them before e-mail comes into the enterprise with embedded URLs that point to those sites. (Editor: ZHAOHB) to force (0 votes) (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passed (0 Votes) Text: VoIP Security threats: facts or fiction? Back to network security home