
How safe is VoIP?

VoIP is generating a lot of noise these days. We are seeing new standards, products and vendors in the market enticing you in the name of faster and cheaper voice communication. Is VoIP really mature enough in all respects to be used in an enterprise? How secure is it?

What if one fine day you find your landline phone not working because you forgot to update its antivirus last night? Or, while sitting in a meeting, you suddenly receive 50 spam calls on your phone from some company selling nasty drugs to enlarge your body parts? Or what if a crucial tender your company was working on just got publicized because some 'Black Hat' hacked and intercepted your CEO's call and recorded all of a confidential conversation?

If you think all this sounds absurd, do it yourself and see. Telephony, when it took the path of IP, got some really cool features in terms of manageability and cost effectiveness. But it also inherited the vulnerabilities of IP-based networks. You can easily intercept the voice stream being transferred over your corporate network using an easily available and free tool like Ethereal.

Intercepting VoIP calls

First of all, you have to understand the protocols and data flow pattern of a standard VoIP network. When someone picks up a VoIP phone and dials a number, Session Initiation Protocol (SIP) signaling is sent to the IP PBX. From here, the phone recognizes, connects to and authenticates the other phone it wants to talk to. After this session is set up, the two phones establish a direct IP link between each other. Voice communication between the two takes place in the form of two streams (backward and forward) of RTP (Real-time Transport Protocol). Each stream contains the voice generated at one end. So, if there is a conference call happening with three people, there will be three RTP streams, each carrying the voice from one end.

Now, the problem lies with RTP. This protocol is not encrypted, and anyone can initiate a 'Man in the Middle' attack and capture the stream easily. Let's test it through a simple hands-on exercise. Take any two VoIP phones from a vendor and an IP PBX, and connect all of them to a hub.

After you have connected all the VoIP devices, take a laptop and hook it on to the same network, and run Ethereal. Whenever someone is speaking on the IP phone, start capturing the data by going to the Capture menu and then selecting the appropriate network adapter. Let Ethereal capture the data till the phones are free.

After that, stop the capture process and go to the Statistics menu and select the RTP submenu. This will show you an option 'Show All Streams.' Click on it and a new window will open. Here, you will see two different streams of RTP. Select both the streams one by one and click on the 'Analyze' button. This will open another window. Here, click on 'Save Payload' and a third window will open. Give a name to the file, select the '.au' and 'forward' radio buttons, and save the file. Now you can play this file on any media player and listen to the confidential talks that might have taken place on the VoIP phone.
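
The two-stream pattern described above can be confirmed from the defender's side without replaying any audio. This added example (not part of the original article) parses the RTP header of UDP payloads and groups packets by SSRC to list the voice streams visible on a segment; the addresses, ports and packets are constructed sample data.

```python
import struct
from collections import defaultdict

# Static audio payload types assigned in RFC 3551 (subset).
STATIC_AUDIO = {0: "PCMU (G.711 u-law)", 8: "PCMA (G.711 A-law)"}

def parse_rtp(data):
    """Return RTP header fields, or None if the bytes do not look like RTP v2."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:                      # version field must be 2
        return None
    offset = 12 + 4 * (b0 & 0x0F)         # fixed header plus CSRC list
    if b0 & 0x10:                         # optional extension header
        if len(data) < offset + 4:
            return None
        offset += 4 + 4 * struct.unpack("!H", data[offset + 2:offset + 4])[0]
    if len(data) < offset:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ssrc": ssrc,
            "payload_len": len(data) - offset}

def inventory(packets):
    """Group (src, dst, udp_payload) tuples into streams keyed by SSRC."""
    streams = defaultdict(lambda: {"packets": 0, "bytes": 0, "codec": None})
    for src, dst, payload in packets:
        hdr = parse_rtp(payload)
        if hdr is None:                   # SIP, DNS, etc. fall out here
            continue
        s = streams[(src, dst, hdr["ssrc"])]
        s["packets"] += 1
        s["bytes"] += hdr["payload_len"]
        s["codec"] = STATIC_AUDIO.get(hdr["pt"], "payload type %d" % hdr["pt"])
    return dict(streams)

def rtp(pt, seq, ssrc, payload=b"\xff" * 160):
    """Build one constructed RTP packet (160 payload bytes, 20 ms of G.711)."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + payload

# Constructed sample: a two-party call plus one SIP packet on the same segment.
A, B = "10.0.0.11:16384", "10.0.0.12:16400"
SAMPLE = ([(A, B, rtp(0, i, 0x1111AAAA)) for i in range(3)]
          + [(B, A, rtp(0, i, 0x2222BBBB)) for i in range(2)]
          + [("10.0.0.11:5060", "10.0.0.1:5060", b"OPTIONS sip:pbx SIP/2.0\r\n\r\n")])

if __name__ == "__main__":
    for key, stats in inventory(SAMPLE).items():
        print(key, stats)
```

The version check is a heuristic, so restrict the input to the UDP port range your phones use for media.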

What to do?

Vendors have been incorporating security features in protocols and equipment. However, that does not necessarily mean that the network implementers and administrators are using security features as well as they could.

Due to the pervasive connectivity provided by IP, and as the range of threats is broad, the first step toward reliable IP-based telephony is to protect the underlying infrastructure. Protecting the routers is the first natural step.

Routers are the cornerstones of an IP network and need to be properly secured. The most obvious opportunity for a security breach is with router administration. If an attacker can gain control of a router (for instance, by logging onto the administration user interface), the entire network can be compromised.

Therefore, stringent security measures must be available as part of the router feature set and be properly implemented. These include RADIUS technology and two-factor authentication, ideally with encrypted administrative session traffic so that sensitive information cannot be intercepted.

Attackers are also becoming competent in attacking protocols between routers. This type of network traffic must also be secured. There are standard procedures for doing so, though network administrators often overlook some of the details, leaving vulnerabilities out in the open.

Additional gear can be implemented to protect the network. Intelligent firewalls that ensure only legitimate traffic is passed are important investments. So is the time taken by the system administrators to carefully analyze their network and configure appropriate filtering rules. When the networks are not properly secured because administrators have cut corners, hackers will have room to move.

Protecting the application

Aside from securing the underlying foundation, the VoIP service itself must be protected. The service introduces VoIP-specific devices -- such as media gateways, softswitches and PBXs -- and protocols -- including H.323, SIP and RTP -- into the topology.

All of these present additional points for potential abuse. Their protection requires more stringent inspection of network traffic by advanced tools; simple packet-filters cannot provide the level of detail required. This type of intelligence is usually not integrated into telephony equipment, and is provided via a purpose-built firewall, a security component in the router, or a dedicated session border controller (SBC). Sometimes, networks use two or even three of these to provide more security.

"Pinholing" is another important concept in strong VoIP security. To "pinhole" an application session means to open up a temporary conduit between two endpoints on the network (such as two VoIP end devices) and allow the communication to take place only during the session. After the telephony session is completed, the pinhole is closed.

This is often the duty of a stateful-inspection network firewall and supported by a service known as an Application Level Gateway (ALG). A firewall designed to be used in a VoIP setting should have ALG capability. Firewalls for VoIP should also cater to security concerns from network address translation (NAT), traffic rate limiting, intrusion detection and prevention (IDP) and topology hiding.
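
The pinhole lifecycle described above, as an added sketch that is not part of the original article and not any vendor's ALG: media endpoints are learned from the SDP bodies of the SIP offer and answer, UDP is passed only between them, and the pinhole is removed on BYE. The class, helper, addresses and messages are constructed for illustration, and it leaves out details such as RTCP ports and idle timeouts.

```python
import re

class PinholeTable:
    """Toy SIP-aware ALG: media pinholes follow the call's signaling state."""

    def __init__(self):
        self.calls = {}  # Call-ID -> set of (ip, port) media endpoints from SDP

    def on_sip(self, msg):
        head, _, sdp = msg.partition("\r\n\r\n")
        m = re.search(r"^Call-ID:\s*(\S+)", head, re.M | re.I)
        if not m:
            return
        call_id = m.group(1)
        if head.startswith(("BYE ", "CANCEL ")):
            self.calls.pop(call_id, None)      # session over: close the pinhole
            return
        ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
        port = re.search(r"^m=audio (\d+) ", sdp, re.M)
        if ip and port:                        # SDP offer or answer seen
            endpoint = (ip.group(1), int(port.group(1)))
            self.calls.setdefault(call_id, set()).add(endpoint)

    def allow(self, src, dst):
        """Pass UDP only between two negotiated endpoints of one live call."""
        return any(src != dst and src in eps and dst in eps
                   for eps in self.calls.values())

def sip(start_line, call_id, sdp_ip=None, sdp_port=None):
    """Build a constructed, minimal SIP message (sample data, not a capture)."""
    msg = "%s\r\nCall-ID: %s\r\n" % (start_line, call_id)
    if sdp_ip:
        msg += ("Content-Type: application/sdp\r\n\r\nv=0\r\n"
                "c=IN IP4 %s\r\nm=audio %d RTP/AVP 0\r\n" % (sdp_ip, sdp_port))
    else:
        msg += "\r\n"
    return msg

# Constructed two-party call between hypothetical phones A and B.
A, B = ("10.0.0.11", 16384), ("10.0.0.12", 16400)
INVITE = sip("INVITE sip:bob@pbx.example SIP/2.0", "call-1@example", *A)
OK_200 = sip("SIP/2.0 200 OK", "call-1@example", *B)
BYE = sip("BYE sip:bob@pbx.example SIP/2.0", "call-1@example")

if __name__ == "__main__":
    fw = PinholeTable()
    for name, msg in (("INVITE", INVITE), ("200 OK", OK_200), ("BYE", BYE)):
        fw.on_sip(msg)
        print(name, "-> media A->B allowed:", fw.allow(A, B))
```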

Protecting your mission-critical asset

As technologies encompassed by VoIP constantly change, network administrators need to always be aware of the latest developments and, from a security standpoint, to understand any potential weaknesses that attackers might exploit. VoIP provides excellent return on investment (RoI) and is built on top of network infrastructure that is often already in place.

The good news is that VoIP security will only become easier, not harder, in the future. In the meantime, conscientious effort toward security measures will ensure the continued service of this essential corporate resource.

(Collated from PCQuest and www.ciol.com)
