Should I Be Concerned About VOIP Security?
The main reasons for enterprises not using VoIP is security. If the managers are able to install the right kind of security for their VoIP phones then they will be able to achieve a good business. The old PBX phones were simple phones and their simplicity was the reason that it did not need any security. However with this sharing applications was not easy, changes and moves were costly and there was no integration with the data network. The VoIP system is like other networked connections and its servers and endpoints communicated through IP-over-Ethernet network. Due to this the VoIP system also has the same threats as other IP applications. There may be network hacks in the IP address like Denial of Service (DoS) which is one of the biggest threats to the VoIP systems. Delays with call set up may occur because DoS attacks overload the call servers. The VoIP firewall is the most hyped part of VoIP security. The VoIP ports on the firewall should be closed as a major number of deployments are internal and do not enter the firewall. A VoIP aware firewall should be considered only when under rare circumstances the VoIP traffic leaves the corporate network. IP PBXs are generally built on Windows or Linux which are standardized softwares. If standardized products such as these are used proper securities are taken. It is however a matter of choice as to which one should be used. SIP, MGCP, Megaco, and H323 protocols are vulnerable to hacking threats like eavesdropping, spoofing and impersonation. If these protocols are badly implemented then they become susceptible to overflowing buffers. Mission critical systems like call servers and media gateways in the VoIP system can be controlled with these overflows. The hype is about configuration hacks, toll frauds, and spoofing. However the bigger problem is viruses. If one endpoint is infected by a virus it can infect other points that may result in performance glitches and damaged data. Viruses could spread from other corporate computers as most of the VoIP systems are deployed internally. Thus all corporate computers should be properly protected. VLANs if used can prevent a hacker from compromising a call. However VLANs only work with IP phones and not softphones. A VLAN tagger can be used to tag data and voice traffic as Windows does not support VLAN. Quality of Service implemented on the LAN and WAN prevents faulty traffic from entering the network and flooding it. Fear, uncertainty and doubt are created around VoIP by the vendors and media to help them sell their products. Spam over IP telephony, eavesdropping and unauthorized calls are not as big threats as unauthorized access to the network and information theft. All the security aspects that affect VoIP can be avoided if appropriate security tools are utilized. Over the last three years VoIP and IP telephony vendors have been able to improve their security offers. Before that hardly any attention had been paid to VoIP security. A proper understanding of how VoIP components are affected enables enterprises to deploy the right kind of security for their VoIP systems. |
