VOIP & Telephony - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  VOIP & Telephony


VOIP: What? Me Worry?



 By: Andrew Garcia
2007-02-16
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this VOIP & Telephony story.


Rate This Article:
Poor Best
Tech Analysis: As VOIP grows, so do security risks. But there are many resources available to shore up VOIP vulnerabilities.

As VOIP systems proliferate, so, too, must the measures taken to secure them. Luckily for IT administrators, several resources are available to help them do just that.

In the book "Hacking Exposed VOIP: Voice over IP Security Secrets & Solutions," for example, authors David Endler (director of security research at TippingPoint) and Mark Collier (chief technology officer of SecureLogix) bring to life the imminent threat of VOIP attacks, describing in detail how an attacker could discover, enumerate, probe and eventually co-opt an existing voice network.

Moreover, the book provides a useful starting place for VOIP adopters to begin shoring up their own networks.

The $50, 539-page book is a must-read for IT administrators, particularly those who are managing a voice network but are not totally comfortable with the technology—and are perhaps relying too much on resellers for the stability and security of the network.

Resource Library:
Endler and Collier also have created several tools to automate voice-specific scans and penetration attacks of commonly used end-user devices and VOIP infrastructure components. These tools, along with Google hacking tips and a database of stock voicemail recordings, can be found on the books companion Web site.

Another good resource is VOIPSA, or Voice over IP Security Alliance, which has put together a number of useful tools. The Threat Taxonomy, for example, enumerates known types of attacks and organizes them into general categories.

These include social threats, eavesdropping, or interception and modification. The group also maintains a best-practices mailing list that is still in the organizational stage but holds great promise. Data and voice ties.

The health of a VOIP network is tied to the health of the data network. Beyond throughput and latency demands, VOIP relies heavily on several legacy data services to operate correctly. For example, VOIP administrators should think about shoring up services such as DNS (Domain Name Service), DHCP (Dynamic Host Configuration Protocol) and TFTP (Trivial File Transfer Protocol)—bedrocks of the network that may have been forgotten because, in most circumstances, they just work.

All of that said, isolating voice traffic should be a priority, as malware-infested desktops or servers could be used as a launchpad for attacks against a voice system that is not otherwise exposed to Internet traffic. Maintaining separate VLANs (virtual LANs) for voice and data traffic is a worthy endeavor: It will isolate VOIP components to some extent from other endpoints, with the added benefit that QOS (quality of service) will be easier to implement.

However, VOIP implementers may have to make some hard decisions about the role of IP softphones in the network because the workstations on which they are installed should be separated from the voice network, too.

Hosted VOIP services grow, report shows. Click here to read more.

Assuring call privacy through the use of encryption (of the voice payload, call signaling or both) has been a nonstarter for many VOIP adopters because call quality has traditionally trumped security as the primary objective. Many common voice-quality monitoring and assessment tools arent effective on an encrypted stream, and IT staffers certainly cant record and play back encrypted voice calls to manually ensure call quality.

However, some new assessment tools are coming down the pike that can estimate call quality by measuring factors that can be derived from an encrypted stream, such as latency and jitter. For example, at the RSA Conference in San Francisco Feb. 5-9, AirMagnet demonstrated its AirMagnet VoFi Analyzer, which includes the ability to derive an MOS (mean opinion score) and R-values from metrics gathered without actual access to call payload.

Any of the tools mentioned here will help administrators lock down their VOIP systems, but, in general, admins must become more acquainted with the tricks of the trade. Just as they learned to use penetration testing and assessment tools for the data network, administrators must grow their skills to adapt to the vicissitudes of VOIP.

Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.

Check out eWEEK.coms for the latest news, views and analysis on voice over IP and telephony.



  Reader Comments: VOIP: What? Me Worry?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More VOIP & Telephony Articles          >>> More By Andrew Garcia
 


x}r۸qռFgk"i;RJXglRIjIS$I̞nK3n7~I"%#MflK@7F{{o~$rak#ÚK{47)ٟ٣Gu'76cO9P[ mwDz#:5Mt~w(Ītj56G-_?TھoÙN }! {>"B%h1Qus_Ə{ό3!X]~jcj#24mhjTN`Uƞfn=ƋAz.92o;C?FT2퉝ݙ L=iDVC;$1Ãth:9:m. NRY"R k3Äh,ɣ1lHc M}<E%$7 V.nqcS0~b4INXEEnڏuKm_j| 5nsktDjjxKHU6}yS Ͼ4ja[Zdq=}9emsteݼ;VrP jrX([o+iXNe;޾SPQTP8]uίs(Ԭ;08CM=듫yظ}  7D_"0QYTYߙekfy 3(ժ?TRJ{3F~7tWgۧkU{#gj蜶{ KlHG#0\2:jo~91?o!$@J~X@7'1d#2Ta]VjGoW_ ZRm}G_x0Fukns@kFPYTsa6R\ 9hbh)6B̄H )s'Wjt ~^,.|Y* bԸrݢ@P3nSB!ތ!E\r/eE !\J!=! g|8JJz7pyWɻfu՜Ӆ]WeG臘 ]ۚ4vW.~lzwmxH18,]evr`\\Զ7j02_)CR/+rOG̶%ae)kskܟ <0tZG6/93:2P@= M/}@˥qn>5@ Lna V8=4uӹ=W}cF=SD47 l"#0Ie{e"3 qOs ΃droo͠^(gMnPjX^0 j5pHpyY?9ûmDgx 1#|[ S&x KGs١F\KQ -2v)%ł4G!-i]R@Az68 -,rr 0#!b\[2'9\v{B#ž\\.̈́RZ z)3ٜʬ$1M&힟u]_ #m"0%X -'Z Xuk{T*aiܛ ݀%1tAμ's&,`b IKD%\Ew,[t3Aĵp=73sg,0aEiŬ9g)9 i\X#,TifB7g ƩOI|B0-qڛuVsӠһA[>W6̇K;X1h'0NSm wгU ұ)N<: XHTEdtX 0A,Ca&: JE Ѧ9<<+j#U Bf6p~m8@Lsխ?f^W L?uP=ڜwZu^ ߬]hDQT αtbG gI,b+Bn<1WkOhS欭p +RSJb/ $6f! o";>]5P$2ϝ KY`I.h\tt@,+?~GسU_:k^v.>9L\Y^p.;ݫ# {L۝w ^+;Ҹ6`>|:WoG|L`u뻛Թlkw0.[L@2}m&A)p$Q :JfWKfչz'wY?R`f{n߽p.7:WKߧ݋ ?nvL.:Wm)^{-y0䘠]j^t]Dd0szn7bS0vhRd !fF<$]wFD/h!oM}Ù9q.Dz=x_Ucg0Tt8єm1w|uk`!旁۟bB!|FgǥIҽ8 $u"SPӃ/ڜr=1$y!@N/o l"HdS#25F#jYkNEh=O[?G clGA)V9 [4wiQf)uьyjtJ)Stl~(4H PUS'q^VⲞP6T$UT%T4LN"C]۳]7'8 $ k|wisq/A#rWJ*m2KHԝa(6{[Q uەg)Nbxa)z8ga!%W>i^7yja~%XDoBKHԽ1~ſ|p낧  {cg企*^Q/,dk}?I/KeݖycP!OSJ٘&BEW5vln({jYpJUO.W FXd17K0d&'zvA JsKgȮ~GWbR >As>]f+wP{_z͞YiYu/K\-"PnZ^W%0*Ձ4 2UCnKPvpU8BZy$N0 ?1 W^L·⎭zgQ(|[q$[+/' g|o#'_M_j S M[k/!1 %CKѴg=.0 AQ/soK[⹏^}b[lQߏo^%~<+ X#Nƈ yZpMՕZ)]&䋿u p2ru_,mC'| cCbQŰŌOöBNnÃwCqiLg!FSaFjWRyiη,, Q9jT>#^}ܒDZNK|2L,God(΀,af1`8(@(JlVìf‹Yy8 e6|n?H}{h:jB%&Sex|q9 NS^>fc"M4sc -">SϪb㮨` 4R;)R5+y XxIx+/ĮoŕBC9-) uΚr=gIߓ!3x _{tDV23D?L?Ma#+?^.k1T'Ts.˗'zژJ"oƕԂ;ѕ:Pe!bD+pD%\ `鄝f p 2'̣x웫7^J")2P}<t }yL#v%[HlbN;](XGA'/4^`}o:kkTjv` --J@# oB<e⬳3!yk'ƫITnxfd~ʍ=1BSqUV ]i5JҼ?݇<[?ju :L}nb: @ܵ$Xi}F|KSZτ%ð"Cë6h8.aЄ->y^2lJ4֗v%Y*(tCH=7G a_c@LrWgg>@|+lzyGߚ`Jci}>]c-k7YG+cq Sqj-Ś{3J/] ͗Zҥ1j0>@` Rk3##oΗvuI|6)c S:WI#2W΂oF? h66VjΫ^'Q@ޝ(cxW(#GX<3B@473؏=D{[\j.+fݶgמE|\1=Ƽo-^t6Xf,Nue Ym}߆5R=4h.wx/0كjZƻ%rtbş-y w6\q|v4*|K\!7{j'߃<̭a|L)tkĠBfpΡ6k?1? ROMc86.{}m_Ps6`l[V0P=zUQVF.t%RP3Wwlp,C˸N z>(& TRˬ)V$.B*Θh֖P27AFX+o^䶈hF+PC]6.oE{*e ]G?,ÁZ;(X67m}g+h s/cЌJBF[?Q"$Zmw !^tAw'y}LdS~G4 \0[oꨯ 7~.F[(]JYXcJ: ǽ 1sl,ǽSTC䉯]HFo9<76å=[/=p .O.2X=+=9t^фTx#.:~Ers@(j ?'*3(q "}TK;\H`n3(8{ߒ¼fD9-Ewc\z_%ʄV&b/2\T#ЭB)˪M;oP}wY?e=ta ' ij=n+Zaql+;Y75 iU@ğ8AnKar&l#cN .?&}&`Cq !rtw'WAz$G:p NmF_ 6a^zgZq1NG)L > +Cb2zޘql5`(; joEֹIr# ,Ő?Z̅D!O#? I}n\mozaȐYs28`#wTMmAGc sf~x!'va]Q sAi<5"a]&x:7ra)}-~ rRHע sK)_ozBԝ 8 `8.gj5T%R!@9 dU _oz=&nń[v‚ 5" |vصgI@F&4H'a͈1iqr6_j .?2PQZj*!b3wإ4ϓ/ 3$R Xt]\UP*@J>Q|6XP؟ceԋM)Awa/xa 3 ̱=`EP&00a|Lh3د?LqWNgC|83|̫kP>񖃠zP8Y|obLcA~욷\l @Đ0(J$Ѕ:x,@#! 9ω 1wHOPbޅR-'I]+A !2,c=Vr}Kwy<߂fETJo1TH+^@03%OУ.6#&T мHκ7Inm{;\;+rҾ&lkM߂ԒQvI{sվ\ 31F;%6/ME`X<ehe)sC9>Ԛpm.4 "dȀW.}VX\mmj-E~Rv}YQJ/Nh M!~պizj6Z[AqY'>;d8eh75 >r:X)` \js@1@C| k_O{5{_m^;^d fO7P~^~NmfwQO/o ZS(?M/?e]F߽\㼓^iVF9?t2ʡ5~e">vˌ/3Y\f2?/?/3e*P!3(ˌr߫ʐ+Bf.n~kx:  {/>_?Aog(U}Cn66oیon3/>IR< 9k^K$kdK"*SV9,2c˼_V,= >w槸Ixϕ]"&o-cENZ).~QBxdR$h{ULFD4LnQUb><&E0wå,O ;H_=xĽO߃|n]1λ݈_˗-懲OW,:7-#Gõ;J{umeDf;w K췡^2*%U-)UTj%wwrDa"BRv/JA.8`ϴXR8,EPP%h[vjoh#5ϡN!3p<@&܊-F@ P]:1jkT |y3KIݯTsc;ގd@V,(n[^A%bklBCV9xʼn=^f-Ƕ7礃i&%#lŒM51lK灭uʿ.Г FH&h;Ì9x426{Dð(9P3l1@әzԜxKdp!gB-[˫d^oHaDK3%X] &lylm*b+HtjY {g˹FUx, "XC0 |ůtͱ蹈 p:ĝ[YͺփMΊ̚l%xLŒkT7MnmĴ`Տ⣭A{קF3o"91S:abng#3 B;/aoA+_waSӞυ=y F_xՇIx&d5b P|_A0gv JQC͞kiD`{Vvbc94ɈG=& E;02Wd]f A_f|bh6MxXuعm&KbN}ۢ1e4`>,<QN j$!vV! . >뮭Fc^X}{ # E3dƠ4)@%Xn[#rF31#qy] YV8[R"į֋QRVmnE hv[i>dt;BI<ŗ5_x|XT ,sD=>7woOSc? `nwfXmOe] G'NFpxSP7ޣ-["@F'p !MX`(fyc< znG}4Ҥ 2~ׁݞVO OXo}8h-dz|}́!XsCQ %ɷ` ]]Hˍt$_f%\#d< l[ !ۂˌKMˬ>W¥"UX HMbX,8.# sfZmrxgsҕ@NDqH'@vx 6s6`^q=ӸkAўXmw0g>4 o5/#]\&&k$~El=au;+Wurcdkyf:ePeXl'k׀5V`=2H]3(.(ZFƫ14cBT ȟctXUT(CO6r)* XCڤ^*নNmOs^k;usjE]E>*ЍA4gXIڙDz ralX ^|޹MwϏq0pcf:~[g[8KqZ y2 !J^xyu~ҕ^F$V/(y lHc9m5{0X1#(NRK&t>ug0 'Ɣ ϰ" sk4),SYS>+w&x-^cdKX$֬=LE")s0KW z|Lk|FXKq\\Khmpbf#3& Axv4<5T<nRh1(xW$֊rq-9=O9N*HX6^?}f EW@ͽm]Ac*a?8_h0E8yjSa2ī$YPwYXyp8z1ba'*mwޝv/7X7454O}w}Ւ&҂%!toZ$!ջnZwxO޿a(XEh}`bhP5cTWԊZGvŶ3&HZW'R}{o,;uD^0ŦܖmJ9MR"Zk/!zR8.fr0:_ &|FZ2c{͵N_ l??&