Because voice over Internet Protocol allows companies to run voice along the same networks as their data, telephony systems have become as secure as the underlying IT system. But that’s only good news if the IT network is actually secure enough to thwart hackers.
Many industry experts agree
that any organization that installs IP telephony is susceptible to security breaches such as electronic eavesdropping and denial of service attacks. They also say it’s easy to spoof the IP addresses of phones and use someone else’s network to make free long-distance calls.
“”This is a real threat, and the only reason that we haven’t heard more about it, frankly, is the relatively low adoption of VoIP in large-scale enterprises,”” said Jim Slaby, senior analyst for security solutions and services at the Boston-based Yankee Group. “”I think the criminals and miscreants who are behind most IT security attacks just haven’t set their sights on VoIP yet because it’s not that widespread yet.””
He added hackers are starting to notice they can make money by breaking into IP telephony systems because they could potentially make free long-distance phone calls and steal company secrets by listening in on sensitive calls.
Toll fraud was a threat to time division multiplexing (TDM)-based systems long before voice over IP, but it’s easier for hackers to break into an IP-based network, said David Heard, vice-president of marketing for San Antonio, Texas-based SecureLogix Corp., which manufactures telephony security products.
“”All of those proprietary, expensive TDM switches, in a VoIP world, are simply computers on a (local-area network),”” he said. “”You take your switch and hook it into your IP network and now it’s just another server on your network.””
Heard said it’s easier to attack IP telephony systems because hackers often don’t need to write their own code, and can often dial into modems installed by users on networks without the knowledge of or authorization from their IT departments (commonly known as “”rogue”” modems).
“”All of this goes back to basic LAN security,”” he said. “”You need to lock down that Internet connection with an appropriate IP firewall and most people have probably done that, but the kind of basic LAN network security devices that you have deployed are going to be a key part of your security story for voice over IP.””
Heard said hackers can bring down IP networks, and SecureLogix staff have accomplished this in a laboratory simulation environment.
“”We have brought down switches, we’ve brought down IP phones,”” he said. “”This is not difficult to do, by the way. This does not require mountains of code.””
Building a secure network will cost more than an insecure network, Slaby said, adding IP telephony equipment manufacturers aren’t always upfront about the security issues.
“”Locking down a system with appropriate security measures is really going to stretch out the time it takes you to recoup your investment in the technology, so the Cisco (IP telephony) sales guy isn’t going to be introducing the security issues early on if he knows what’s good for him,”” Slaby said.
But Cisco Systems Inc. ships security functions with its IP handsets, said Brantz Myers, Cisco Canada’s director of enterprise marketing.
Whether the users actually turn the security functions on is up to them, Myers added.
“”We ship tools with the products we make and we tell people right up front in the manuals, ‘You’ve got a system that’s capable of security, the security features aren’t turned on, and we encourage you to create a security policy that’s appropriate for your organization,'”” he said.
Myers said toll fraud was a problem with TDM networks and will continue to be a problem with IP telephony.
There are steps IT departments can take to make their voice systems more secure, according to Mark Collier, SecureLogix’s chief technology officer.
Collier e-mailed C&N a list of recommendations for engineering and building VoIP networks. SecureLogix suggests users disable any network services that are not required for voice over IP, and to disable non-secure forms of remote access, such as Telnet.
SecureLogix also advised users to separate the voice network from the data network using virtual local-area networks (VLANs), have strict control over administrative access, only buy phones with authentication and encryption (and force users to log on) and monitor signal protocols for application attacks.
Although some may be worried about hackers attacking their VoIP networks with denial of service attacks, Myers said 70 per cent of security breaches originate from inside the network.
Cisco advises IP telephony users to evaluate potential threats and develop policies which can be applied to their security devices.
“”I don’t know of a single voice over IP security breach in Canada,”” he said. “”In fact, for that matter, I don’t know of a single one within Cisco’s world globally.””
But that doesn’t mean the threat doesn’t exist, said Andrew Graydon, vice-president for technology of Toronto-based BorderWare Technologies Inc.
“”Very few people are reporting attacks at the moment,”” Graydon said. “”They are happening but people aren’t reporting them.””
Graydon said many large organizations that are installing IP telephony are only using it for internal communications.
“”What is the point of deploying VoIP into your network if you can’t have your customers call you?”” Graydon asked. “”One of the big fears that the IT guys and the infrastructure guys have is that most VoIP implementations are extremely untrustworthy as far as security goes.””