IP calls could open up your network to a world of pain VoIP has many upsides but moving your telephony system to a packet-_base_d network could leave you at the mercy of hackers. Danny Bradbury looks at how to properly secure a corporate IP telephony system against known and unknown threats. Voice over IP (VoIP) calls offer the twin benefits of cost and convenience but there are dangers associated with moving your telephony system onto IP networks: it potentially opens them up to hacking, with disastrous results. Commentators like Paul O'Reilly, director of sales for VoIP EMEA at network monitoring company NetIQ, say VoIP is really just another application on the network. This turns security experts such as Mike Murray, director of vulnerability and exposure at vulnerability management company nCircle, a strange shade of pale. "You are now deploying a second computer on everyone's desk in the whole network," he says, describing the use of IP phones. "Does that change your security posture? Well, sure it does." Most IT security departments he knows are already overworked. VoIP users who don't properly protect their networks can look forward to attacks such as on-hook listening, where hackers surreptitiously turn on an IP phone's speaker capability to eavesdrop on your office. Running your telephony service over IP makes it one of the most mission-critical IT applications you own. Most medium-sized organisations can survive for a while if line of business applications fail but if your telephones are down, everyone may as well go home. And moving telephony to an IP network makes it vulnerable to different types of attack. Denial of service attacks, where someone tries to hit your telephony server repeatedly with traffic, can theoretically stop a company using its VoIP system but there are other more insidious attacks, too. "It means that any box on your entire system that gets compromised can be potentially used to start tapping phones," says Murray. VoIP users who don't properly protect their networks can look forward to attacks such as on-hook listening, where hackers surreptitiously turn on an IP phone's speaker capability to eavesdrop on your office. Or they could theoretically eavesdrop on VoIP traffic travelling across the network. "I'm waiting to see the security tool which is a network packet sniffer that reassembles packets on the fly," Murray says. Or, if you'd really like something to keep you awake at night, think about hackers compromising the phone system and using your VoIP network to make free calls to external numbers. Companies have to work out the threat and risk to their voice applications, says Paul King, Cisco UK's principal security consultant. Cisco breaks VoIP policy down into four areas: infrastructure, call control, the phones themselves, and components at the application level. He advocates the use of application firewalls to check that, for example, communications coming into its Call Manager application are using the right signalling protocols. For IP phones themselves, the company uses digital certificates to encrypt traffic and authenticate endpoints. NetIQ's O'Reilly adds that security managers should use common sense practices, such as disabling advanced facilities on IP phones located in public areas such as the company foyer. At the call control level, King argues that Cisco's Call Manager application is protected with intrusion prevention software, and serves as a secure control hub for the IP phones. That may be true but the company did patch a major security flaw in the product in July, which could make customers nervous. The answer to such problems is to make use of mult_i_layer__ed security. At the infrastructure level, for example, logically partitioning voice traffic into a VLAN is a good way to help protect it from attacks that may take place over the data network. This logical partitioning is a key security tool for Aidan Hancock, network manager at UK radio giant GCap Media. The company, formed from the merger of Capital Radio and GWR earlier this year, uses the firm's nationwide network to send broadcast signals to regional areas and to handle VoIP information, too. To secure the network, Hancock puts access controllers in his infrastructure to separate voice traffic onto its own LAN and uses quality of service technology to filter out denial of service attacks. Before the overhaul, the company's network was badly hit by the Blaster worm, which flooded routers with junk packets. "QoS [quality of service] is a key enabler when securing the network because we define certain types of traffic that are most likely to be generated by worm attacks, rate limiting those right at the edge of the network," he says. "You can throw a huge amount of junk at the router but quality of service lets you carry on without dropping any voice packets." Handling current threats such as denial of service attacks is relatively easy because companies know what they are dealing with. The difficulty comes in preparing yourself against hypothetical attacks. Spam over VoIP may not be here yet but it is a future possibility, says the Internet Engineering Task Force (IETF). This is because many VoIP systems use the Session Initiation Protocol (SIP), which provides addresses for IP telephony users in the same way email servers provide addresses. Just as spammers can use dictionary attacks to harvest email addresses for spam, so they can harvest SIP addresses from servers within an organisation, simply by trying to call them and seeing what happens. The IETF believes VoIP spam would be three orders of magnitude cheaper than traditional telemarketing both because of speed, capacity and call cost. However, VoIP spam is unlikely to be a problem right now because many companies, including GCap, have closed off their VoIP networks to the outside world. Although you can reach them from a conventional PSTN phone, you cannot make a SIP call to their internal handsets from an external VoIP system. This may be effective but it is leading to the balkanisation of internet telephony services and moves the world further away from the dream of anywhere-to-anywhere SIP-_base_d VoIP calls. We are at the same stage with VoIP today as we were with corporate data networks 15 years ago, when some companies decided not to connect to the internet for security reasons, according to nCircle's Murray. "Systems generally seem to move from closed to open, and from being competitive and isolationist to co-operative," he says. "I would imagine that VoIP will follow the same model." But until companies understand the intricacies of building security into their VoIP networks, things are likely to remain closed for the foreseeable future. * voip * voip billing * india voip * voip predictive dialer * voip technology * voip phones * voip billing software * voip call * cheap voip * voip white paper * voip gateways * voip conferencing * voip bandwidth * voip vendors * voip telephone * voip test * voip systems * voip soho * voip termination * linux voip * voip cards * voip courses * voip service * voip origination * voip equipment * voip market * voip application * voip performance * voip platform * firewall voip * voip telephones * voip tools * voip routers * lucent voip * voip atlanta * corporate voip * multitech voip * voip product * cisco voip gateway * voip applications * voip telephony * voip ireland * voip microphone * europe voip * voip card * palm voip * voip networks * best voip * voip presentations * benefits of voip * voip advantages * implementing voip * hong kong voip * voip book * phone voip * voip malaysia * voip phone * introduction to voip * voip internet phone * voip ata * voip presentation * cisco voip * voip providers * voip packet * for voip * of voip * and voip * voip services * voip provider * voip gateway * is voip * voip software * business voip * voip reviews * voip router * voip in * voip phone service * voip review * vonage voip * with voip * compare voip * voip qos * sip voip * a voip * voip over * voip info * avaya voip * voip belgium * voip forum * voip international * voip fax * voip cisco * voip training * voip news * hosted voip * yak voip * voip tutorial * voip solution * warner voip * broadband voip * time warner voip * using voip * voip headset * voip plans * how voip * source voip * over voip * open source voip * usb voip * voip compare * voip work * voip codec * wholesale voip * voip carriers * qwest voip * voip e911 * voip traffic * voip modem * voip client * pc voip * voip broadband * voip regulation * voip ratings * voip ports * voip blog * voip architecture * cisco voip phone * voip carrier * voip monitoring * motorola voip * voip ip * ip voip * voip wiki * yahoo voip * voip forums * voip connection * voip products * voip history * voip number * cheapest voip * asterix voip * e911 voip * voip echo * bellsouth voip * primus voip * voip wholesale * voip basics * voip benefits * voip for dummies * 3com voip * voip comcast * voip lingo * voip for business * voip comparisons * future of voip * packet 8 voip * voip adapters * voip configuration * voip growth * history of voip * voip caller id * earth_link_ voip * about voip * ata voip * & voip * voip long * voip headsets * setup voip * voip speed test * voip codecs * voip telephone service * telecom voip * fax voip * voip virtual * port voip * your own voip * www voip * line voip * voip open * sun rocket voip * voip affiliate * voip cable modem * voip stocks * voip at&t * voip resellers * voip phone services * gateway voip * voip calls to * voip subscribers * protocol voip * usb voip phone * voip video phone * h323 * mgcp * sip * telephony * gatekeeper * pstn * net2phone * merdeka * telefonie Š