VoIPowering Your Office: The Thorny VoIP Security Thicket

VoIP over the untamed Internet is inherently insecure. While we don't have answers to all the threats, knowing what they are is a start.

By Carla Schroder | Posted Jul 14, 2008
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Security for Internet-based IP communications is a problem that isn't going to go away. Not only do we have to protect ourselves from snoopy network administrators, snoopy competitors, snoopy marketers, and organized crime, but our own governments are engaged in a relentless assault on our remaining shreds of privacy. Throw in a large helping of businesses whose inability to protect customer records could fuel a 21st century Three Stooges revival, and a person might want to give up and not even try, and just hurl her/himself naked into the universe.

But grumpy old codgers like me don't give up that easily. VoIP suffers from the same core weaknesses that afflict e-mail, Web sites, and all other services that cross the Internet: The Internet was born in a more trusting era, and it served a small set of professional and academic users who did not envision that it would turn into the world's largest shopping mall, the most crime-infested neighborhood, and largest porn distributor. It has no built-in safety mechanisms such as reliable audit trails, encryption, or tools for preventing unwanted traffic from invading your network. And thus we have an incredibly polluted Internet that excels at enabling international crime, aided and abetted by legions of malware-friendly Windows PCs.

Perils everywhere

There are three types of technological threats: denial of service, SPIT (phone spam), and eavesdropping. There are also social engineering threats, which are probably more common and more successful. They don't depend on fancy hacking skills, but simply asking people for information. I don't know how to implant reliable baloney detectors in employees, so let's take a look at technological threats.

Eavesdropping and snooping

If you've ever worked in IT, you know that an awful lot of unauthorized and unethical snooping goes on all the way along the chain—in your own business, at your ISP, and at all stops between endpoints. A percentage of IT staff are known for snooping on network traffic. They're reading e-mail, monitoring Web surfing, and spying on instant messaging. Records clerks, mail clerks, and other administrative staff have access to everything. It's always amazed me how this obvious security hole is routinely overlooked, and companies that invest millions in futuristic electronic card key systems, and biometrics, and mean-looking security cops are careless about who they hire to manage their records. Usually the cheapest perma-temps they can find. Combine this with government's relentless drive to bug every law-abiding citizen into oblivion, and it's not a pretty sight.

Anyone with access to the wires carrying your voice and data traffic can eavesdrop with trivial ease. There are powerful open-source encryption tools for e-mail and Web traffic; I think we need something that works at the protocol level for VoIP.

Skype uses reliable old AES and RSA-based key-pair encryption, which authenticates and encrypts both ends of the call session. This works okay for a closed network, but does no good out in the big bad world of untrusted, unknown people calling you. It seems that something that operates similar to SSL on Web sites would be a nice protection—only the server needs to be trusted, so any visitor to an SSL-enabled site receives the benefit of an encrypted session.

Since strong encryption really is strong and foils even government snoops, its days are probably numbered. So use it while you can.

SPIT

"SPam over Internet Telephony" has not become a serious problem yet. But it seems a safe prediction that it will be, given the utter lack of conscience demonstrated by spammers and their idiot cousins, "legitimate" marketers. They already did their best to ruin postal mail and old-fashioned telephone service, and nearly plastered the entire United States with billboards until laws were passed to restrict them. However, the tide is turning and science fiction is coming true—ads infest everything, from buses to shopping carts to branded consumer goods of all kinds, and TV commercials have escaped from program breaks and now intrude on programming.

All of these things are self-limiting to a small degree because of the cost. But the same technologies that give us inexpensive, powerful telephony can also be exploited by vandals, I mean spammers/"legitimate" marketers. I doubt they will be deterred by infinitesimal rates of return any more than e-mail spammers are.

Denial of Service

This is the hardest to defend against. An attacker floods your network with packets and overloads it. In this era of giant botnets fueled by idiotically non-securable Windows PCs, an attack can come from a multitude of sources and be impossible to trace to any origins. In some countries there are thriving extortion rackets based on DoS attacks—pay up and the attack stops.

I wish I had some words of wisdom and good advice on how to deal with these threats, but as far as I know strong encryption is the only reliable tool currently available, and it only stops snooping. The rest is uncharted territory. You can install the Snort intrusion detection system and monitor threats from the Internet, and possibly get early warnings of problems. Work with service providers who are connected to multiple Internet backbones, and who are experienced in dealing with DoS and other Internet threats. Don't give up your PSTN just yet—pure VoIP is not good enough for mission-critical phone services. Visit the various security sites and stay informed. At the least, you'll learn warning signs and won't be taken by surprise if something bad happens.

Resources

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter