Ways to secure VoIP

[Monty1]

Since VoIP uses a standard network infrastructure, it also has the same security risks. Existing (and future) vulnerability but can be easily fix. VoIP is through all of the IP-based and endangered local networks known defects and safety problems: Examples are denial of service attacks, routing deflections, man-in-the-middle attacks or eavesdropping of voice traffic by sniffing. These also come attacks that specifically targeted the VoIP protocols, such as the manipulation of call routing tables. Cyber-criminals get VoIP up new possibilities: for them it is easy to change the sender ID and the system for so-called Spit ( Spam -Telephony) or phishing to abuse over the Internet. Hacker tools with which to crack the VoIP systems are now available not only in great variety. You can also technically mediocre attackers use, enabling them to manipulate with relatively little effort, the appropriate systems. A well-known in the IT world such as the method is Pharming: The calls are routed through a remote server - completely unnoticed by the user. The hacker can listen to telephone calls or intercept SIP passwords.

[Monty1]

But to fall back as well as the hackers and scammers on the IT landscape familiar tools, also includes the VoIP users, as it best antidote is available. For ultimately, VoIP is indeed no more than another IT application. The associated risks are largely known and therefore well to get a grip. Nevertheless, to a VoIP infrastructure can be reliably protected, a comprehensive security concept is developed that all components of the system. The foundation of such an approach is - as with traditional PBX systems also - the physical protection of all system components. This may not be accessible to authorized administrators.

Second pillar of VoIP security is the closed nature of the network. To the manipulation of the interfaces and the network putting a stop to, there are different versions: enabling the voice and data networks are selectively separated by a VLAN or by using different ports from each other. For the protection of the ways in which the voice data is transported, we recommend the use of a VPN (Virtual Private Network). In this undertaking, the secure data communications between multiple locations of a guarantee by all traffic on clearly defined roads and reliably monitored router is passed.

[Monty1]

The VPN technology ensures only the transmission of voice data. To ensure a complete, end-to-end security, therefore, further steps are necessary. On the one hand, the voice data is encrypted. On the other hand, to ensure that the corresponding signaling information is encrypted. This is particularly true for the ubiquitous SIP (Session Initiation Protocol). The latter is responsible for the session control, for example, the registration of the terminals, the call setup. When SIP in use, replace the terminal is different messages from each other and with the application servers. Because the SIP messages but text-based and are usually sent in clear text, they could be caught easily be faked and manipulated. Further efforts are required in the encoding of the Administration traffic: VoIP components can be of different protocols such as HTTP, Telnet, SSH or HTTPS administration, some of which the user and password data is also transmitted as clear text, so are easily intercepted. For safe management of the VoIP components must be either encrypted administrative connections or via a separate network area. Moreover, all devices such as VoIP phones and softphones on the PC are involved in the security concept. For VoIP terminal can manipulate the configuration or firmware, the entire network to its knees. This can be prevented by changes to the configuration only allows a central administration to individual devices or device groups.

[Monty1]

An attacker could disable a non-secure voice encryption device and redirect the conversation to its computer. It is therefore important to sensitize the people, through a detailed training for the safe use of VoIP. Moreover, comprehensive security rules should be established.

In recent years, played the theme of security for VoIP implementations a relatively minor role. This is mainly due to the fact that so far only a few attacks on VoIP systems are publicly known. Companies may therefore not lulled into a false security. A recent report by the security experts at McAfee , according to this year's number of VoIP security vulnerabilities from the previous year more than doubled. McAfee goes for 2008 a further increase in VoIP risks by up to 50 percent. Therefore: While VoIP companies can save staff resources to support the telephony infrastructure. At the same time but must invest in the IT department in order to protect the VoIP infrastructure optimally. With these precautions VoIP is more secure:

• Data and voice must be in the network logically separated from each other;
• Voice and signaling data and the administrative traffic must be encrypted;
• It must be installed strong access control and authentication systems;
• the default passwords for VoIP equipment and VoIP terminals to change;
• New patches for the system must be immediately recorded;
• Employees must be aware of the risks of VoIP.