The VoIP Risk Factor

VARs encourage early action to prevent potential security attacks

By Kevin McLaughlin, ChannelWeb
12:00 AM EDT Mon. Sep. 03, 2007
From the September 03, 2007 issue of CRN
Page 1 of 2

Security experts believe it's just a matter of time until widespread attacks on VoIP systems begin to materialize. But there has yet to be a major event to make the IT industry sit up and take notice.

Still, as VoIP adoption continues to grow, vendors and integrators are stressing the importance of building layers of security into VoIP deployments. Last November, the SANS Institute, in its annual ranking of the Top 20 security threats, for the first time included VoIP servers and phones, in recognition of the fact that collaboration technologies that weave VoIP into messaging systems provide new pathways for hackers to exploit.

The current generation of VoIP technology has transformed the IP phone into an application that can integrate with other enterprise applications, said Krishna Kurapati, founder and CTO of Sipera Systems, a VoIP security software vendor in Richardson, Texas.

VoIP today also extends beyond the network perimeter and facilitates more open access to the network, but that creates new security risks, according to Kurapati. "You're removing the restriction of being only in one place, but opening up vulnerabilities by doing things like connecting to partners via SIP trunks," he said.

With traditional e-mail-based attacks, hackers have relied on being able to dupe users into clicking on an attachment or link containing an executable file. But since VoIP acts as a client and server simultaneously, a phone can be both the source of an attack and the target, which adds to the challenge of securing it, Kurapati said.

"The big advantage of moving to an IP-based telephony network is integration with applications, which is why you find VoIP systems connected to the data network. But these systems definitely need to be protected as much as any server on the network," said Chris Labatt-Simon, president and CEO of D&D Consulting, an Albany, N.Y.-based solution provider.

In some cases, VoIP security issues stem from existing vulnerabilities in the underlying network infrastructure. For example, the Blaster worm affected deployments of Cisco Call Manager running on Microsoft IIS (Internet Information Services) Web servers, said David Endler, director of security research at Marlborough, Mass.-based 3Com and its TippingPoint security business.

In other cases, the vulnerabilities stem from security issues in VoIP protocols. More of these types of vulnerabilities are being discovered in VoIP, not because of careless developers, but because VoIP is being integrated into other applications such as instant messaging, which increases the attack surface, Endler said. In addition, VoIP "fuzzers," or tools that are designed to root out vulnerabilities by bombarding applications with malformed data, also are being used to automate discovery of VoIP vulnerabilities, he added.

Next: Hacking VoIP

1 | 2 | Next >>

CHANNELWEB MARKETSPACE >> (Sponsored Links)

>>Buy a Link Now

RELATED NETSEMINARS >>

Bundled Strategies for Data Protection

More Storage, More Security - More Opportunity

Keeping Security Well-Grounded When Your Customers Are on the Fly

>>More Netseminars

WHITEPAPERS >>

Attracting Students and Faculty to Western Kentucky with Intelligent Multi-Campus Voice, IM, Video and Mobility Applications

Taking 802.11 Wireless Productivity to the Edge

>>More White Papers