Are You Using VOIP — Is It Secure?

Tuesday, July 7, 2009 17:59

What is VOIP

As I discussed in my recent “VOIP Phishing Scam” article, VOIP stands for voice over IP, or internet protocol. Basically, all this means is that you send the phone call over an internal or external network. An internal network would be your own business’s LAN (local area network) or WAN (wide area network). To call someone outside your own company using an external network, you would be using the internet. An example of VOIP that most people would know is Skype or Vonage. So why do people use VOIP? Mainly because it is cheaper than the standard telephone network, and you can use the high-speed internet connection you are already paying for. Just like anything in life, though, there are downsides to VOIP, the biggest being security. That is what I want to spend the rest of this article talking about.

Security Issues with VOIP

A lot of the security issues with VOIP are similar to network security issues that you may already deal with on your network. The most talked about, and the one most people have heard of, is having your VOIP phone call tapped or listened in on. Since most VOIP traffic is unencrypted, just like most network traffic, it is relatively easy for someone with the right tools and skills to capture the voice packets traveling over the network. Tapping regular phone lines takes a little more effort than tapping VOIP, and with VOIP your business can be targeted by anyone with internet access. VOIP can also serve as an entry point into your internal network. Denial of service attacks are also possible, just like the attacks that can occur against your website or e-mail servers. The thing I feel makes denial of service attacks worse for VOIP systems is that they take your business phone communication away. That is usually not a good thing.

VOIP phishing attacks (refer to the VOIP Phishing Scam article), where someone can call customers and appear to be calling from your company, are also possible. The motive is usually to collect sensitive or personal information from your customers. Financial implications aside, this does not help your company’s reputation or brand. Just as spam is an issue for e-mail, VOIP has its own type of spam, called SPIT (spam over internet telephone). It does not take long for junk voice messages to fill up voice-mail systems. Other types of attacks are possible against VOIP systems, so what can you do to reduce the risk?

Steps to Secure VOIP

The steps I list here are not all-encompassing but will get you started down the right path. Remember, security is a continuous process, not a one-time thing which you can then ignore. Also, security is a layered approach, as I have stated many times before. Do not depend on just one security measure to protect your business, including your VOIP system. Let’s look at some of the things you can do to secure VOIP:

  • Separate your VOIP system from your data network by using a separate internet connection, if possible, and also keep voice and data separate by running them on separate network segments.
  • Avoid cheap VOIP systems that can be installed on an ordinary desktop because most of these are highly insecure and can open up a door to the rest of your network.
  • Use dedicated servers for VOIP traffic and use firewalls to separate them from the rest of the network.
  • Disallow voice protocols from running on the data network.
  • Make sure to put all VOIP servers in a secure physical location, just like you should for any of your network equipment.  This is important because even if someone cannot gain access remotely, they can still accomplish their goal if they can gain physical access to the equipment.  Read my recent article on Social Engineering for details regarding such social engineering techniques.
  • Like all network equipment, make sure you have hardened your routers and servers by turning off unnecessary services and closing unneeded ports.
  • Use separate intrusion detection systems for your VOIP system and also log all access to your VOIP system.
  • Use encryption to keep voice traffic private and to prevent someone from eavesdropping on your business conversations.

Encryption can occur in a couple of different ways. VPN connections or tunnels can be used, or some VOIP services, such as Skype, have their own proprietary encryption. Another option is the Zfone Project, a new VOIP phone software and protocol that lets you encrypt your phone calls over the internet. It was developed by Phil Zimmermann, the creator of the e-mail encryption program Pretty Good Privacy (PGP), which you’ve probably used if you have ever used a free e-mail encryption program. Just like PGP, Zfone is also an open source project. I have not personally used Zfone yet, but it is available for Windows, Mac and Linux.
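The segmentation steps in the list above (separate voice and data segments, no voice protocols on the data network, log all access) can be checked against the flow logs you collect. The following is an added example, not part of the original article; the two subnets, the RTP media port range and the sample flow records are assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan and port policy (constructed for this example).
VOICE_NET = ipaddress.ip_network("10.20.0.0/24")   # phones and VOIP servers
DATA_NET = ipaddress.ip_network("10.10.0.0/24")    # desktops and file servers
SIP_PORTS = {5060, 5061}                           # SIP and SIP over TLS
RTP_PORTS = range(10000, 20001)                    # assumed PBX media port range

# Constructed flow records: timestamp src dst protocol dst_port
SAMPLE_FLOWS = """\
2009-07-07T09:00:01 10.20.0.11 10.20.0.5 udp 5060
2009-07-07T09:00:02 10.20.0.11 10.20.0.5 udp 12044
2009-07-07T09:03:10 10.10.0.23 10.10.0.40 udp 5060
2009-07-07T09:04:55 10.10.0.23 10.20.0.5 tcp 22
2009-07-07T09:05:30 10.20.0.11 10.20.0.5 tcp 445
2009-07-07T09:06:12 10.10.0.23 10.10.0.40 tcp 445
"""

def is_voice(proto, port):
    """True for SIP signalling or a UDP port in the assumed RTP media range."""
    return port in SIP_PORTS or (proto == "udp" and port in RTP_PORTS)

def check_flow(line):
    """Return a finding string for one flow record, or None if it fits policy."""
    ts, src, dst, proto, port = line.split()
    src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    in_voice = [a in VOICE_NET for a in (src, dst)]
    in_data = [a in DATA_NET for a in (src, dst)]
    if any(in_voice) and any(in_data):
        # Voice and data segments should not talk to each other directly.
        return f"{ts} cross-segment: {src} -> {dst} {proto}/{port}"
    if any(in_data) and is_voice(proto, port):
        # Voice protocols are disallowed on the data network.
        return f"{ts} voice-on-data: {src} -> {dst} {proto}/{port}"
    if all(in_voice) and not is_voice(proto, port):
        # An unneeded service is reachable on a VOIP host.
        return f"{ts} non-voice-on-voice: {src} -> {dst} {proto}/{port}"
    return None

def audit(log_text):
    """Check every non-empty line and collect the findings in order."""
    findings = [check_flow(l) for l in log_text.splitlines() if l.strip()]
    return [f for f in findings if f]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```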
