Computerworld - In an effort to cut costs, my company has decided to migrate from private branch exchanges to IP telephony. By routing calls over our existing IP network and using voice-over-IP links, we can significantly cut our telecommunications costs, especially since we have significant telephone traffic between our U.S. offices and places like Europe and India, as well as other parts of Asia.
The bottom line, however, is that we'll have phones on our desks that are connected to the network. And that means securing the telephone network will become my problem.
The thought of IP traffic with voice traversing the network bothers me, since our network isn't as secure as it could be. So I conducted an assessment of the major pieces of the IP telephony infrastructure. Since my exposure to IP telephony has been limited, I started by reading up on the technology. Most of the vulnerabilities discussed focused on the ability to either intercept network traffic or conduct impersonation attacks -- manipulating a phone call so that it appears to come from someone else.
Since I didn't have a lot of time, I didn't focus on denial-of-service attacks, which we can address with our regular network gear. For example, we use Cisco network equipment, which includes several self-defense features within the operating system to address most DoS attacks. In addition, we will most likely deploy an all-in-one device to mitigate the threat posed by malicious code. Fortinet Inc. in Sunnyvale, Calif., has a very appealing product that we're considering deploying. This device not only addresses malicious code, but also supports firewall, VPN and intrusion detection and prevention functions.
To conduct my tests, I created a scaled-down version of the new IP telephony system. The setup included several IP phone models, a call management server and some networking gear. I started by testing the network over which the voice traffic must flow. I first attached my Linux laptop to an available Ethernet port to see what I could monitor using the free dsniff and ethercap tools.
Once I recorded some network traffic, I downloaded and compiled a tool called Voice Over Misconfigured Internet Telephones, which goes by the horrible acronym VOMIT. This program can take captured IP telephony packets and reassemble them into a form that you can play back over your computer's speakers. The IP phones from which I gathered the voice traffic don't support encryption, so I could easily play the conversations. Using handsets that encrypt traffic will be a requirement. We'll also require that IP telephony
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
