Who else is listening?

Will the real threats please stand up?

Sorting out the FUD (fear, uncertainty and doubt) from the reality takes some work. “The VoIP security discussion is made difficult by scare tactics and outright exaggerations,” says Gartner analyst Bjarne Munch.

Hype about threats rests on the false assumption that SMEs run VoIP over an open IP network, which is very rarely the case in the enterprise. “The risk of hacking, spitting, vishing etc. is currently small for an enterprise because these attacks traditionally are initiated from the Internet and the Internet is shielded by a firewall,” says Munch.

Claims that hackers can listen to SMEs’ calls as they travel over the Internet are totally misleading. In fact, business-grade VoIP calls rarely travel over the public Internet and, when they do, are normally encrypted.

“Very, very few customers are doing anything over the Internet,” says Mark Duncan, convergence practice manager at Avaya. Avaya also encrypts the call signalling whenever a VoIP call is made over a public network as an added measure.

There are vulnerabilities in VoIP networks, but exploiting most of them requires access to the servers that run the application. This follows the accepted wisdom that, like the majority of attacks, the greatest threat is internal.

There is a real threat of staff eavesdropping inside the security perimeter. An IT-savvy person with access to the Ethernet switch can take a mirrored feed of all traffic, filter it on the IP address of the MD’s handset to isolate that phone’s packets and listen in on the call. Vendors like Avaya have responded by encrypting calls from handset to handset or from handset to the PSTN gateway, which removes this problem.
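To make the insider scenario above concrete, here is an added example (not code from the article, from Avaya or from any other vendor named on the page) of what a person on the switch can do with a mirrored feed: pick out the packets for one handset’s IP address, put the RTP streams back in sequence and decode the G.711 audio. The addresses, SSRCs and packets are constructed for the demonstration; a real capture would come from a SPAN port via a pcap reader.

```python
"""Added example (not code from the article, Avaya or any vendor named on the
page): what a person on the switch can do with a mirrored feed of unencrypted
VoIP traffic. All packets, addresses and SSRCs below are constructed."""
import struct
from collections import defaultdict

# Constructed addresses: the MD's handset, the far-end phone and an unrelated phone.
MD_PHONE = "10.0.5.21"
PEER = "10.0.5.77"
OTHER = "10.0.5.90"


def build_rtp(seq, ts, ssrc, payload, pt=0, marker=0):
    """Build a minimal RTP packet (RFC 3550 header, no CSRCs, no extension).
    Payload type 0 is G.711 mu-law: 8000 samples/s, one byte per sample."""
    b0 = 2 << 6                     # version 2, no padding, no extension, CC = 0
    b1 = (marker << 7) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(data):
    """Parse an RTP header. Returns a dict, or None if the datagram is not plausible RTP."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:                # RTP version must be 2
        return None
    hdr_len = 12 + 4 * (b0 & 0x0F)  # skip any CSRC identifiers
    if b0 & 0x10:                   # header extension present
        if len(data) < hdr_len + 4:
            return None
        ext_words = struct.unpack("!H", data[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(data) < hdr_len:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": data[hdr_len:]}


def ulaw_to_pcm16(byte):
    """Decode one G.711 mu-law byte to a 16-bit linear PCM sample (ITU-T G.711)."""
    u = ~byte & 0xFF
    exponent = (u >> 4) & 0x07
    mantissa = u & 0x0F
    magnitude = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -magnitude if u & 0x80 else magnitude


def extract_streams(packets, target_ip):
    """Isolate the RTP streams to or from target_ip, put each stream back in
    sequence order and decode it to PCM. `packets` is an iterable of
    (src_ip, dst_ip, udp_payload). Returns {ssrc: [pcm samples]}.
    Simplification: sequence-number wrap at 65535 is not handled."""
    by_stream = defaultdict(dict)
    for src, dst, data in packets:
        if target_ip not in (src, dst):      # the "enter the MD's IP address" filter
            continue
        rtp = parse_rtp(data)
        if rtp is None or rtp["pt"] != 0:    # only decode G.711 mu-law here
            continue
        by_stream[rtp["ssrc"]][rtp["seq"]] = rtp["payload"]   # later copy of a seq wins
    audio = {}
    for ssrc, chunks in by_stream.items():
        raw = b"".join(chunks[s] for s in sorted(chunks))   # reorder late packets
        audio[ssrc] = [ulaw_to_pcm16(b) for b in raw]
    return audio


# Constructed capture: both directions of one call, one out-of-order packet,
# one packet from an unrelated phone and one non-RTP datagram.
SAMPLE_PACKETS = [
    (MD_PHONE, PEER, build_rtp(101, 160, 0xCAFE0001, bytes([0xFF, 0x80, 0x00, 0xFF]))),
    (PEER, MD_PHONE, build_rtp(7, 160, 0xBEEF0002, bytes([0x7F, 0xFF]))),
    (MD_PHONE, PEER, build_rtp(100, 0, 0xCAFE0001, bytes([0xFF] * 4))),   # arrives late
    (OTHER, PEER, build_rtp(1, 0, 0x12345678, bytes([0x00] * 4))),        # not our target
    (MD_PHONE, PEER, b"\x00\x01not rtp"),                                  # e.g. a DNS reply
]

if __name__ == "__main__":
    for ssrc, pcm in extract_streams(SAMPLE_PACKETS, MD_PHONE).items():
        print(f"stream {ssrc:08x}: {len(pcm)} samples, first {pcm[:8]}")
```

The filter step works whether or not the call is encrypted: SRTP leaves the RTP header, including the SSRC and sequence number, in the clear, so an insider can still see that the MD is on a call and with which address. What handset-to-handset encryption defeats is the last step, because the decoded payload is then ciphertext rather than speech.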

Avaya’s Duncan also rubbishes the claim that a single-vendor environment is more secure than multiple vendors. “There are very few vendors who would suggest that,” says Duncan. In fact, he believes the opposite is true: experience shows that “lock-in drives complacency”, he says.

VoIP is most vulnerable when used over a wireless network, as there are many network-based attacks that can scan for VoIP devices and sniff VoIP conversations. Using a VPN over the wireless network to make calls addresses this vulnerability.

Softphones – software-based versions of IP handsets that are sold by most vendors – are another weakness, says Gatford. Because they run on the PC, it is much harder to keep their voice traffic on a separate network from the one carrying data.

From outside, it is often easier to attack not the VoIP application itself but the server it runs on. Windows servers, even when regularly patched, are the easiest targets thanks to the volume of documentation on the Web listing vulnerabilities and exploits. A hacker who can create a new account with administrator privileges will then be able to listen in on phone calls, says TippingPoint’s Low.

However, there are dedicated products running highly secure OSes that are much harder to crack. One such switch is made by ShoreTel and runs on VxWorks, a highly stable real-time OS that is also found in pacemakers. If a worm goes through a company’s servers, at least the phone server won’t need to be rebuilt, says Tony Warhurst, managing director, South East Asia at ShoreTel.

Two years ago TippingPoint brought out VoIP filters that stop intrusions rather than simply detecting them. An intrusion prevention system (IPS) sits behind the firewall and inspects every IP packet. If a packet doesn’t fit the pattern of expected activity, the IPS blocks it.
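As an added illustration of what “doesn’t fit the pattern of expected activity” can mean for VoIP signalling (this is not TippingPoint’s code or the filters the article refers to), the check below applies a small allowlist policy to one signalling datagram. It assumes the signalling is SIP, which the article does not say, and all the sample messages, hosts and limits are constructed for the example.

```python
"""Added example (not TippingPoint's code or the filters the article mentions):
an IPS-style sanity check for VoIP signalling. It assumes the signalling is SIP,
which the article does not say, and the sample messages are constructed."""
import re

# Policy: what "expected activity" looks like on this deployment (assumed values).
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")
MAX_MESSAGE = 4096      # bytes; legitimate signalling from handsets is far smaller
MAX_LINE = 1024         # a single header line longer than this is a fuzzing/overflow smell

# RFC 3261 compact header names, so the filter cannot be bypassed by using them.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "c": "content-type", "l": "content-length", "s": "subject", "k": "supported"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")


def check_sip_request(raw):
    """Return ('pass', method) or ('drop', reason) for one SIP request datagram.
    Responses (status lines) are not handled here and fall through to 'drop'."""
    if len(raw) > MAX_MESSAGE:
        return "drop", "message too large"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "drop", "non-ASCII bytes in signalling"
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return "drop", "no end-of-headers marker"
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "drop", "malformed request line"
    method = m.group(1)
    if method not in ALLOWED_METHODS:
        return "drop", f"unexpected method {method}"
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE:
            return "drop", "oversized header line"
        name, colon, value = line.partition(":")
        name = name.strip().lower()
        if not colon or not name:
            return "drop", "malformed header line"
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    for h in REQUIRED_HEADERS:
        if h not in headers:
            return "drop", f"missing {h} header"
    cseq = headers["cseq"][0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        return "drop", "CSeq does not match request method"
    declared = headers.get("content-length")
    if declared and (not declared[0].isdigit() or int(declared[0]) != len(body)):
        return "drop", "Content-Length does not match body"
    return "pass", method


# Constructed sample traffic: one well-formed INVITE and variations an IPS should drop.
GOOD_INVITE = (
    "INVITE sip:2001@pbx.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.5.21:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2000@pbx.example.internal>;tag=1928301774\r\n"
    "To: <sip:2001@pbx.example.internal>\r\n"
    "Call-ID: a84b4c76e66710@10.0.5.21\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
).encode()
COMPACT_INVITE = GOOD_INVITE.replace(b"Via:", b"v:").replace(b"Call-ID:", b"i:")
OVERSIZED_VIA = GOOD_INVITE.replace(b"branch=z9hG4bK776asdhds", b"branch=" + b"A" * 1500)
ODD_METHOD = GOOD_INVITE.replace(b"INVITE sip:", b"FOO sip:")
CSEQ_MISMATCH = GOOD_INVITE.replace(b"CSeq: 314159 INVITE", b"CSeq: 314159 BYE")
BAD_LENGTH = GOOD_INVITE.replace(b"Content-Length: 0", b"Content-Length: 99")

if __name__ == "__main__":
    for name, msg in [("good", GOOD_INVITE), ("compact", COMPACT_INVITE),
                      ("oversized", OVERSIZED_VIA), ("odd method", ODD_METHOD),
                      ("cseq", CSEQ_MISMATCH), ("length", BAD_LENGTH)]:
        print(name, check_sip_request(msg))
```

The point of the allowlist approach is that it needs no signature for any specific exploit: an oversized Via header or a method the PBX never uses is dropped whether or not anyone has published an attack for it. The cost is the usual one for an IPS, which is that a legitimate but unusual message is dropped too, so the policy has to be built from what the real handsets send.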

While TippingPoint did have success with an IPS sale to a large government department in Canberra recently, Australian companies haven’t rushed out to buy TippingPoint’s IPSes, says Low. He estimates the size of the market here at only 1 percent of that in the US.

Bored or malicious employees at a network provider are also in a prime position to listen in on calls. One way to lessen the opportunities for non-staffers to hear a conversation is to minimise the number of networks a call travels across.

Consumer-grade calls can travel through four or more networks, and a technician managing any one of those networks can easily listen in.
ISPhone, a wholesaler to resellers in the SMB market, has physical access to its national network and to the DSL tail into a client’s premises. This means the wholesaler can monitor congestion and ensure QoS and security, says ISPhone’s Spenceley.

If a company also takes its DSL from the wholesaler, ISPhone is responsible for each VoIP call until it terminates at a PSTN point with a tier-one carrier. Spenceley adds that he trusts his own co-workers not to snoop on customers’ calls.

Banks, crisis support centres and other institutions with an extreme need for confidentiality can minimise the time an integrator has access to their VoIP network. Security tokens with an expiry date and time can grant authorisation for one hour, long enough to allow QoS monitoring.

Despite such assurances, some vendors are offering even greater levels of protection. Like Avaya, Nortel recommends encrypting the call set-up and teardown signalling, which identifies the extension number a phone is dialling, even when the call itself is encrypted from handset to handset, says Mitch Radomir, product and solutions marketing, voice, Asia Pacific, Nortel.

This feature adds another box, called the security media control server, to the set-up, and several thousand dollars to the final bill.

However, Radomir denies that the feature is being foisted unnecessarily on the market; defence and security customers are demanding it.
He is also one of the few vendor representatives who believes the VoIP threat is significant. Radomir points to the number of patches and updates listed on www.cert.org, the CERT Coordination Center’s security site, as evidence of an ongoing tussle between vendors and hackers.

“You wouldn’t be spending that much money doing security patches if there were no attempted breaches or attempted vulnerabilities,” Radomir says.