Security vulnerabilities and protection of VoIP

Source: Internet
Author: User
Keywords VOIP
With the continuous expansion of data network bandwidth, hundreds of megabytes or even gigabit to the desktop has become possible. The increase in bandwidth also provides a powerful prerequisite for transmitting voice over the data network. At the same time, VoIP technology is increasingly mature, similar to voice compression, QoS quality assurance, such as the topic has been widely discussed and reached a consensus. It can be said that VoIP technology has been from the original experimental nature of the real specificity for the mature commercial applications. With the continuous expansion of data network bandwidth, hundreds of megabytes or even gigabit to the desktop has become possible. The increase in bandwidth also provides a powerful prerequisite for transmitting voice over the data network. At the same time, VoIP technology is increasingly mature, similar to voice compression, QoS quality assurance, such as the topic has been widely discussed and reached a consensus. It can be said that VoIP technology has been from the original experimental nature of the real specificity for the mature commercial applications. Although the earliest application of VoIP in China is to make circuit exchange in the carrier, but now many enterprise users have begun to pay attention to the application of VoIP. For the new small office enterprises, the use of the new data network sufficient bandwidth to carry the voice, it is more convenient than building a separate voice system, functions, such as mobile office and other traditional voice switches do not have the function. For industry users, because there is a data network connecting each branch node, using IP Relay for the interconnection between headquarters and branch nodes can save the high cost of renting long-distance circuit relay. Therefore, VoIP technology in the enterprise-class user community will have a wide range of applications. However, in the implementation of the project or in the use of the process, users and equipment suppliers will be more focused on how to improve the voice quality and integration with the existing data network, rarely take into account the security risks of VoIP. Just as we put an important application server under the protection of the firewall, in fact, in the case of VoIP, voice and data applications, as well as a "Packet", also will withstand a variety of viruses and hacker attacks. No wonder someone joked: "This is the first time ever that a computer virus can make your phone work." "What kinds of factors affect VoIP?" The first is the problem of the product itself. At present, the most commonly used voice establishment and control signaling in VoIP technology is H.323 and SIP protocol. Although there are several differences, they are generally an open system of protocols. Equipment manufacturers will have a separate component to carry including IP terminal login registration, Guan Shou signaling. Some of these products use Windows NT operating systems, or Linux or VxWorks. The more open the operating system, the more vulnerable to viruses and malicious attacks. In particular, when some devices need to provide a web-based management interface, they will have the opportunity to use Microsoft IIS or Apache to provide services, which are installed at the time of the product out of the device, not guaranteed to be the latest version or commitmentSome security vulnerabilities have been made up. The second is a DOS (Denial of service) attack based on open ports. From the method of network attack and the damage effect, DOS is a simple and effective attack way. An attacker sends a considerable number of service requests with false addresses to the server, but because the included reply address is false, the server will not wait for the returned message until all resources are exhausted. VoIP technology already has a number of well-known ports, such as 1719, 1720, 5060 and so on. There are also ports where the product itself needs to be used for remote management or private messaging, in short, more than a simple data application. As long as the attacker's PC and these application ports are on the same network segment, you can get more detailed information through simple scanning tools, such as X-way, shared software. A recently reported security vulnerability was presented by NISCC (UK National Infrastructure, co-ordi-nation Center), and the test results showed: " Many VoIP systems using H.323 protocol in the market have loopholes in the process of h.245 establishment, which is easy to be attacked by DOS on port 1720, which leads to the instability and even paralysis of the system. Again, the service is stolen, the problem is also in the case of analog phone. Just as we are on a common analog phone line and connected to a number of phones, there will be the problem of phone theft. Although the IP phone does not have the means to call through the line, but by stealing the user's IP telephone login password can also get access to the phone. Usually when the IP phone is first logged into the system, it will require prompt input to each person's extension number and password; Many VoIP-enabled enterprises, in order to facilitate staff remote/mobile office, will be allocated a desktop phone, and then assign a virtual IP phone, and grant password and dial-up permissions. In this way, even if the staff on business trip or home Office situation, can use VPN access to the company's local area network, and then run the computer's IP software phone to answer or call local, as in the company office. When the password is lost, anyone can use their own soft phone landing to become someone else's extension number, if the access to the right is free to call domestic and even international long-distance number, will cause huge losses and difficult to trace. Finally, the problem of listening to the media stream. Analog phone existence and line eavesdropping problem, when the enterprise users use the digital phone, because are the factory private agreement, it is difficult to use simple means to listen. But in the VoIP environment, the problem has been raised. A typical VoIP call requires signaling and media streaming two steps to establish, RTCP is a protocol to transmit voice information on a packet based network. Since the protocol itself is open, even a small segment of the media stream can be replayed without the need to correlate the information. If someone passes on a data networkSniffer's way of recording all the information and replaying it through the software can cause employees to trust the voice communication crisis. At the beginning of this technology development, developers expect it to be a cheap alternative to traditional long-distance calls, so they don't pay much attention to security issues; Meanwhile, VoIP technology is also with the development of the entire network market, too many different manufacturers and products at the same time can not put forward a unified technical standards , the basis of VoIP or IP network, open architecture is inevitable from the negative impact of the network. The main ways to maximize the security of VoIP are as follows: 1. Isolating the network used for voice and data transmission The isolation described here does not refer to physical isolation, but it is recommended that all IP phones be placed in a separate VLAN while restricting unrelated PC terminals into the network segment. The feedback from many reviewers shows that the VLAN is the most simple and effective way to protect the IP voice system, and can isolate viruses and simple attacks. At the same time, with the QoS setting of data network, it will also help to improve voice quality. 2. The use of VoIP as an application means that we need to protect some of the key ports and applications in VoIP devices by using tools such as the protection of important application servers, such as using Nortel Networks Aleton switched firewalls to effectively withstand Dos attacks. The same approach applies to VoIP systems, when two IP terminals are called, once the signaling through the central point of the signaling service process is established, the media stream only exists between two terminals; only when the call initiated on the IP terminal needs to enter the PSTN public network through the gateway, Will consume the DSP processor resources in the media gateway. Therefore, we need to protect the signaling and media flow of two types of external addresses and ports. Also, keep as few ports as you need, such as web-based administrative addresses, and shut down as many service processes as you need. The caveat is that H.323/SIP is encountering obstacles when traversing NAT and firewalls, due to the protocol itself, but it can be resolved by enabling the application-tier gateway (creator Layer Ga-teway, ALG) As the number of calls grows, an external media streaming proxy (RTP media Portal) can be used to support a larger-scale VoIP system. 3. Choose the right products and solutions at present different manufacturers of the product system structure is not the same, operating platform also have preferences. We cannot assert which operating system is the safest and most reliable, but manufacturers need to have the appropriate technical support to enable users to believe that their products are capable of withstanding the increasing range of virus attacks. At the same time, many manufacturers of products also use the Management network segment and the user's IP voice network segment in the physical isolation mechanism, as little as possible to expose the port outside the Internet. SUC launched by Nortel NetworkCession 1000/1000m used these design ideas, the management network segment and the user network segment completely physically isolated, and the use of VxWorks operating system, as much as possible to screen the impact of the system. In addition, VoIP security issues and data network security are intrinsically closely related to the need for manufacturers to provide more than a set of equipment, more how to help users in the existing network to improve security and reliability of ideas and some skills. 4. Encryption of voice data streams currently, a member of the H.323 protocol cluster,-h.235 (also known as h.secure), is responsible for authentication, data integrity, and media stream encryption. More realistically, manufacturers will choose their own proprietary protocols to ensure VoIP security. But even without h.235 or other means, it's much harder to eavesdrop on an IP phone call than it is to eavesdrop on an ordinary phone, because you need a codec algorithm and corresponding software. Even if you get the software and successfully connect to the company's IP voice network segment, there is still the possibility of nothing. Because at present many enterprise internal data network uses Ethernet switch's M port to the desktop rather than the hub, therefore cannot steal the information through the sniffer way. 5. Reasonable establishment of employee dialing permissions Many manufacturers have ported the rich functions of traditional switches to VoIP systems, which will effectively inhibit the theft of login password to steal the fight. IP telephony to set the ability to dial long-distance or specific number of permissions, or through the way of authorization code required to dial long-distance number must enter the correct number of password and so on, you can simply solve the above problems. The security problem of IP network has been paid attention to all the time. As a new application of data network, some security hidden troubles of VoIP are the continuation of some problems in IP network. Only a good solution to the network security problems, at the same time with the product itself, some security authentication mechanism, based on VoIP applications can be in the enterprise sustainable and stable play a role, and to solve the enterprise voice communication needs of an effective method. (Responsible editor: ZHAOHB) to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passing (0 Votes) Text: VoIP Security vulnerabilities and protection back to network security home

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.