VoIP Security a Moving Target

By Tim Greene and Phil Hochmuth
January 17, 2005 12:00 PM ET

Network World - BOSTON -- Those who want to operate secure VoIP networks must be mindful of myriad threats, because the technology is susceptible to vulnerabilities that might be foreign to traditional telecommunications managers and their staffs.
That was the conclusion of experts at the Fall VON 2004 conference who warned those considering VoIP to layer on security to keep their networks protected.
AT&T Corp. described one of the more disconcerting threats: injecting words into VoIP streams in a form similar to man-in-the-middle attacks in data networks.
"You can inject swear words into conversations, and the speaker can't even hear it," said Kevin Kealy, a security scientist at AT&T, during his keynote address.
Kealy says he has used the same technology in AT&T labs to fabricate entire VoIP voice mail messages that current FBI-grade voiceprint analysis rated as genuine. "We've proved that it works," he said. "That's scary."
Other vulnerabilities include spam over Internet telephony -- unsolicited voice mail that can clog VoIP mailboxes -- and denial-of-service attacks that can cripple voice servers with floods of call-setup signals, he said.
Not to worry, though, say the experts, because known security measures can greatly reduce the risks. For example, the chances of a voice-injection attack can be slashed by encrypting call signaling so phone addresses don't run in the clear. The threat can be cut further by encrypting the voice packets, making it virtually impossible to insert words, Kealy said. Nortel Networks Ltd., for one, says it's working on software for its VoIP handsets that will encrypt voice packets and thwart injection attacks.
The overriding VoIP security principle applies to good network security in general: No single set of protection hardware and software will guard against everything forever, experts say. "Data shows that there are new threats every month. There is ongoing innovation on the malicious side," said Akif Arsoy, product manager at VeriSign Inc., who spoke at a VoIP security session.
VeriSign announced new VoIP security services delivered via its dual security operation centers that monitor customer networks for malicious behavior by scanning for known viruses and worms, and seeking behavior that strays from the norm, Arsoy said. Such traffic can be temporarily blocked until customers are notified and check whether it represents an attack.
VeriSign also is seeking IP-phone partners to include digital certificates in their devices so users can verify that the phone is secure and not, for example, multicasting conversations to rogue phones, Arsoy said. The Department of Homeland Security, which is developing an all-IP network, seeks such phones, he said. "Device control is very sensitive to them."
Meanwhile, Juniper Networks Inc. and Avaya Inc. demonstrated the integration of Juniper's security appliances and Avaya's VoIP gear for small and midsize businesses. The demo showed the Juniper firewall opening and closing ports to accommodate VoIP calls. A VoIP call uses multiple random ports within a certain range of ports and has no mechanism for closing them unless the firewall is tightly integrated. Making sure the ports close when calls are over is key to protecting VoIP networks from port-scanning exploits.
The general solution to VoIP protection is layered security, the same model that is evolving for IP networks in general, Kealy said. The layers include firewalls around communications servers, blocking inbound VoIP signaling except from known IP addresses, and using VPNs to transport VoIP among sites. Some of the recommended measures are already commonly used to protect data networks, while others are specific to VoIP.
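The two controls described above, a firewall that opens media ports per call and closes them when the call ends, and signaling accepted only from known addresses, can be sketched as follows. This is an added example, not code from the article or from any vendor's product; it assumes SIP signaling with SDP media descriptions, and the class name, trusted subnet, port range and sample messages are constructed for illustration.

```python
import ipaddress
import re
# Assumptions (constructed values): trusted call-server subnet and RTP port range.
TRUSTED_SIGNALING = [ipaddress.ip_network("192.0.2.0/28")]
RTP_RANGE = range(16384, 32768)

class PinholeFirewall:
    """Default-deny media filter that tracks RTP pinholes per SIP Call-ID."""
    def __init__(self):
        self.pinholes = {}  # Call-ID -> set of (ip, port) currently open

    def on_signaling(self, src_ip, message):
        """Handle one SIP message; return True if it was accepted."""
        src = ipaddress.ip_address(src_ip)
        if not any(src in net for net in TRUSTED_SIGNALING):
            return False  # signaling from an unknown address is dropped
        m = re.search(r"^Call-ID:\s*(\S+)", message, re.M | re.I)
        if m is None:
            return False  # cannot tie the message to a call
        call_id = m.group(1)
        if message.startswith(("BYE ", "CANCEL ")):
            self.pinholes.pop(call_id, None)  # call over: close its ports
            return True
        conn = re.search(r"^c=IN IP4 (\S+)", message, re.M)
        media = re.search(r"^m=audio (\d+) RTP/", message, re.M)
        if conn and media and int(media.group(1)) in RTP_RANGE:
            port = int(media.group(1))
            # Open the negotiated RTP port and its RTCP companion (port + 1).
            self.pinholes.setdefault(call_id, set()).update(
                {(conn.group(1), port), (conn.group(1), port + 1)})
        return True

    def allow_media(self, dst_ip, dst_port):
        # Media passes only while an active call negotiated this ip and port.
        return any((dst_ip, dst_port) in s for s in self.pinholes.values())

# Constructed sample messages (not captured traffic).
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: a84b4c76e66710\r\n"
          "\r\nv=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 20000 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: a84b4c76e66710\r\n\r\n"

def demo():
    fw = PinholeFirewall()
    out = [fw.on_signaling("203.0.113.9", INVITE)]      # untrusted source
    out.append(fw.allow_media("198.51.100.20", 20000))  # still closed
    fw.on_signaling("192.0.2.5", INVITE)                # trusted call setup
    out.append(fw.allow_media("198.51.100.20", 20000))  # open during call
    fw.on_signaling("192.0.2.5", BYE)                   # call ends
    out.append(fw.allow_media("198.51.100.20", 20000))  # closed again
    return out
```

A production firewall would also expire pinholes on a timer, since a call that drops without a BYE would otherwise leave its ports open.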
Despite assurances, the potential for harm looms large enough that businesses still approach VoIP with caution.
"Our VoIP is just internal now at a single site, and I'm not overly concerned with the security of what we're doing on this island," said the telecom director of a national retail chain who asked not to be identified. "When we start doing this in our stores and over the WAN, then it raises concerns."
Lee Quintanar, a telecom manager at Countrywide Financial Corp. in Los Angeles, was at the show to research technologies to consolidate more than 40 PBXs from multiple vendors that serve 34,000 employees across the country, and the security of IP telephony gear vs. TDM switches is a major concern.
"The general feeling [in our IT group] is that the TDM stuff is rock solid for providing voice services," he says. "With the IP equipment, there are concerns about that kind of solidness."
Part of that uncertainty stems from the fact that threats in the world of IP networks and Intel-based servers -- such as viruses and Trojans -- are not issues telecom people are used to dealing with. These threats are all too real.
For instance, Todd Goodyear, vice president and manager of voice product development at Merrill Lynch & Co., said his VoIP network was taken down by viruses.
"We were well along in our deployment of IP PBXs, then along came the e-mail viruses -- Sasser, Code Red, things that took our data network and crumpled it. Because our voice network rode on top of the data network ... we experienced some [voice] outages of anywhere from two to four hours before we could get access control lists in place [to block the attacks]."
Goodyear said the firm is still actively deploying IP phones, but TDM also is used as an alternate path for voice traffic. The firm expects to have more than 10,000 IP phones deployed by 2006.
Despite the dangers, businesses can craft secure VoIP deployments, said Jim Thorpe, director of engineering at Aegis Mortgage Corp. in Houston, whose phone network is based on more than 20 IP-enabled Nortel PBXs and some smaller all-IP PBXs. "I'm not too concerned about VoIP network security," he says.
Because the company's main PBXs are based on TDM, Thorpe said he is less concerned about attacks on his call-processing equipment.
"I haven't heard much about Trojans and those sort of things that can be passed to an enterprise PBX," Thorpe said. "I'm not saying it isn't possible, but I haven't seen anything from CERT and ICAT [two IT security alert bulletins], that would indicate these things are an immediate threat."

Reprinted with permission from NetworkWorld.com. Story copyright 2010 Network World, Inc. All rights reserved.