
Wednesday, 21 May 2008

Getting Tough With VoIP

As VoIP Implementations Skyrocket, Lagging Security Measures Reveal Themselves
Amid all the hype surrounding VoIP technologies, a dirty little secret slinks behind the scenes, often remaining unseen by companies that implement VoIP. Historically, voice architectures never posed a huge security threat beyond classic social engineering schemes, but VoIP’s network-driven design brings into play an entirely new world of threats.

In fact, In-Stat recently revealed that while large numbers of U.S. businesses continue to adopt VoIP technologies, efforts to secure those implementations are woefully lacking--in a survey, no more than 50% of U.S. businesses indicated they had installed VoIP security mechanisms. Further, they reported low use of proactive measures, such as security audits and predeployment assessments.

“Security in VoIP is not an easy sell,” says Himanshu Dwivedi, co-founder and principal partner of iSEC Partners (www.isecpartners.com). “Everyone wants the VoIP network to be secure from unauthorized users; however, the desire to ‘get it working’ first before adding security usually wins out. Once the VoIP network is working, people often don’t want to fix what is not broken.”

VoIP’s Dark Side

Dwivedi explains that the process for applying security to a VoIP implementation isn’t straightforward, and there are several methods for doing it. He adds that lack of awareness is a problem, as the fact that an unauthorized user can enter a VoIP network and eavesdrop on calls isn’t well-known.

“Many organizations are not told about the security issues in VoIP, so they assume things are OK. The truth is that any individual with a bit of curiosity and some freely available tools could start eavesdropping on calls if proper security measures are not in place,” Dwivedi says.

Beyond the risks posed by VoIP itself, threats that can affect an internal network can also affect the VoIP installation, prompting the need for similar security controls on both the network and the VoIP components. “If a corporate network comes under fire from the ‘virus of the month,’ people can still use their phones in a legacy TDM [time division multiplexing] environment,” says Joel Pogar, director of network and security solutions for Forsythe Solutions Group (www.forsythe.com). “But, with VoIP being an application on the network, if the corporate data network comes under attack, so does the phone system. Without the ability to communicate, any business will come to a screeching halt.”

Even when made aware of the potential risks posed by VoIP--including the aforementioned eavesdropping, but also phone and voicemail hijacking and vishing (VoIP phishing)--companies aren’t always willing to implement security to battle those risks. Tim Hebert, CEO of Atrion Networking (www.atrion.net), says that increasing security can come at the cost of reduced functionality and increased maintenance.

“As an example, if a contact center agent runs client software on his or her PC to leverage features and functionality of the VoIP system, the strict separation of voice and data traffic on the network is not possible,” Hebert says. “In general, more and more UC [unified communications] applications run on the desktop, not through the phone. In these circumstances, difficult decisions about what functionality and ease of maintenance are required relative to what of security is needed must be made.”

Locking It Down

Although there’s not always a clear path to VoIP security, experts agree that there must be some form of security in place. To Dwivedi, effective VoIP security entails several steps that can ensure that data traveling across the network remains secure. The first step is to encrypt media traffic with the use of either SRTP (Secure Real-time Transport Protocol) or ZRTP, and voice privacy should be the first issue to tackle.

However, he notes that the use of SRTP requires TLS (Transport Layer Security) for session protocols such as SIP or H.323. “The reason . . . is the key for SRTP is transmitted over the session protocol, which should not be clear text. Using TLS on session protocols will also protect against many authentication attacks possible with VoIP systems,” Dwivedi says.
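The dependency Dwivedi describes can be checked on a SIP deployment's own signaling. The following is an added example, not part of the original article: it assumes SDES keying (RFC 4568), where the SRTP key travels in an SDP `a=crypto` attribute, and it does not evaluate ZRTP, which negotiates keys in the media path. The host names, addresses and key string are constructed sample data.

```python
import re

def make_invite(transport, media_proto, with_key):
    """Build a constructed SIP INVITE with an SDP body (sample data, not a capture)."""
    lines = [
        "INVITE sip:2001@pbx.example.test SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKconstructed",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"m=audio 40000 {media_proto} 0",
    ]
    if with_key:
        # SDES key attribute; the key material here is a constructed placeholder.
        lines.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED+KEY+NOT+REAL")
    return "\r\n".join(lines) + "\r\n"

def audit_invite(message):
    """Return a list of findings for one SIP message that carries SDP."""
    head, _, body = message.partition("\r\n\r\n")
    # The topmost Via header names the transport used on this hop.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    signaling_encrypted = transport in ("TLS", "WSS")
    findings = []
    # RTP/AVP is plain RTP; the SAVP family (RTP/SAVP, UDP/TLS/RTP/SAVPF, ...) is SRTP.
    for m in re.finditer(r"^m=audio \d+ (\S+)", body, re.M):
        if "SAVP" not in m.group(1).upper():
            findings.append("media-offered-as-plain-rtp")
    # An inline SRTP key is only as private as the signaling channel that carries it.
    has_key = re.search(r"^a=crypto:\d+ \S+ inline:", body, re.M) is not None
    if has_key and not signaling_encrypted:
        findings.append("srtp-key-in-cleartext-signaling")
    return findings
```

Run against signaling captured at the PBX or session border controller, the second finding identifies calls that negotiate SRTP but expose the key to anyone who can read the SIP traffic.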

He also instructs companies to ensure that authentication is enabled on session initiation protocols and that authentication passwords are strong enough to avoid dictionary-based attacks. Naturally, this means that passwords should not be the last four digits of a phone’s extension.

Policy-driven steps can also help to protect VoIP networks. Atrion’s Hebert recommends creating a security policy that defines how the voice and data networks must interact and then enforcing that policy through proper infrastructure configuration. Additionally, he says companies should create a clear list of responsibilities for IT staff that are relative to VoIP and security to ensure that the policies are consistently enforced.

Another option, he says, is using a managed service. “Technology, in general, is moving too fast to keep up with. Keeping that technology secure moves even faster; consider a managed service with quarterly or biannual checkups and updates. Be sure to discuss new security options available and current best-practice security approaches,” Hebert says.

Be Smart

Above all, neglecting to protect VoIP from malicious data traffic is the most critical mistake an organization can make when dealing with this technology, Hebert explains. The smart move is to logically separate the VoIP network from the data network, in turn allowing for granular traffic inspection between the systems. “The second area of protection is in guaranteeing appropriate access to the shared network infrastructure,” he says. “This is accomplished through the configuration of quality of service and prioritization of voice--even on high-speed links.”

The lacking state of VoIP security mirrors the initially sluggish penetration of VoIP itself, which hit roadblocks due to conflicting goals and politics of networking and voice technology staffs, Hebert says. But as with its implementation, smart organizations will find ways to effectively secure VoIP. “Businesses that have excellent cooperation among voice, network, security, and other IT staff specializations are more likely to properly approach voice security,” he says.

by Christian Perry
