Business Grade IP Telephony

500 Business Grade IP Telephony

Archive for the ‘Security’ Category

The versatility and vulnerability of SIP technologies.

June 4th, 2008

As a mission-critical service, 500 advocates that any IP telephony solution should be secure. As the take-up and roll-out of IP telephony increases in businesses, the issues of IP security will become increasingly important.

A recent article published on www.voipplanet.com discussed the versatility and vulnerability of SIP technologies.

Although there are inherent vulnerabilities with standard PSTN and IP networks in general, this article concentrated on the inherent vulnerabilities of SIP technologies. These were:

  • Network-borne attacks
  • New SIP products code attacks
  • Secure network & system configuration

Below are pertinent extracts. Regarding network-borne attacks:

“existing network security measures can be used to help mitigate them. For example, firewalls can protect SIP servers and applications from Denial of Service floods, while LAN authentication methods like 802.1X can deter impersonation. Extensions are often necessary to satisfy VoIP-specific demands—for example, firewalls must process RTP without undue latency or jitter, while intrusion prevention systems need SIP attack signatures.”

Regarding new SIP products code attacks (i.e. attacks that can be introduced during product development):

“…when the Oulu University Secure Programming Group (OUSPG) tested INVITE message processing by SIP agents and proxies, just one of nine implementations survived this relatively basic exercise.”

“Although the affected implementations have since been patched, this test demonstrates the likelihood of code flaws in newly released VoIP products and the importance of applying available patches.”

“SIP registrar/proxy servers are not the only devices that should be tested for security bugs. Applications and handsets/phones also deserve plenty of scrutiny.”
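As an added illustration (not code from the quoted article or from 500), the sketch below shows a strict pre-parse check that a SIP endpoint could apply so that malformed INVITE messages are rejected before they reach deeper processing code. The function name, size caps and sample messages are assumptions made for this example; the required header set follows RFC 3261.

```python
import re

MAX_MESSAGE, MAX_LINE = 8192, 1024  # assumed size caps, tune per deployment
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}  # RFC 3261 8.1.1
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
REQUEST_LINE = re.compile(r"INVITE sips?:[\x21-\x7e]{1,256} SIP/2\.0")
HEADER = re.compile(r"([A-Za-z0-9!%*_+`'~.-]+)[ \t]*:[ \t]*(.*)")
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def validate_invite(raw: bytes) -> list[str]:
    """Return the reasons to reject raw as a SIP INVITE; an empty list means accept."""
    if len(raw) > MAX_MESSAGE:
        return ["message too large"]
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["missing header terminator"]
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError:
        return ["headers are not valid UTF-8"]
    lines = re.sub(r"\r\n[ \t]+", " ", text).split("\r\n")  # unfold continuation lines
    if not REQUEST_LINE.fullmatch(lines[0]):
        return ["malformed request line"]
    problems, headers = [], {}
    for line in lines[1:]:
        m = HEADER.fullmatch(line)
        if not m or len(line) > MAX_LINE or CONTROL.search(line):
            problems.append("malformed or oversized header line")
            continue
        name = m.group(1).lower()
        headers.setdefault(COMPACT.get(name, name), []).append(m.group(2).strip())
    problems += [f"missing {name} header" for name in sorted(REQUIRED - headers.keys())]
    cseq = re.fullmatch(r"([0-9]{1,10})[ \t]+INVITE", headers.get("cseq", [""])[0])
    if "cseq" in headers and not (cseq and int(cseq.group(1)) < 2**31):
        problems.append("bad CSeq")
    hops = headers.get("max-forwards", ["0"])[0]
    if not re.fullmatch(r"[0-9]{1,3}", hops) or int(hops) > 255:
        problems.append("bad Max-Forwards")
    length = headers.get("content-length", [str(len(body))])[0]
    if not re.fullmatch(r"[0-9]{1,5}", length) or int(length) != len(body):
        problems.append("Content-Length does not match body")  # strict policy choice
    return problems


# Constructed sample messages (not captured traffic).
GOOD = (b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP pc1.example.com\r\n"
        b"Max-Forwards: 70\r\nFrom: <sip:alice@example.com>;tag=1\r\n"
        b"To: <sip:bob@example.com>\r\nCall-ID: a84b4c76e66710\r\n"
        b"CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
BAD = GOOD.replace(b"CSeq: 1 INVITE", b"CSeq: 99999999999 INVITE").replace(
    b"Content-Length: 0", b"Content-Length: -1")
```

Running the same checks over a corpus of deliberately malformed messages before release, and again after each patch, is the defensive counterpart of the testing the extract describes.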

Regarding secure network & system configuration:

“…security advisories recommend the use of ingress, egress, and broadcast traffic filters to block SIP messages sent to/from systems that should not do so. In networks that use VLANs to compartmentalize VoIP traffic, switches and access points should be configured to avoid VoIP hopping. The premise here is simple: the fewer systems that are exposed to SIP, the lower the risk of falling victim to SIP-based attacks.”

“Many VoIP servers and user agents are easily compromised as the result of basic configuration mistakes like failure to disable risky services or change default passwords. VoIP phones tend to be particularly vulnerable to mis-configuration because (a) they aren’t managed like ordinary desktop computers and (b) their debug and admin interfaces are frequently hidden or not well advertised to end users.”

In conclusion,

“The trick is to proactively identify and eliminate security holes before hackers get a chance to exploit them. Start your vulnerability assessment with conventional network security tools like port scanners and application banner grabs. But don’t stop there—pursue SIP-specific tests that can uncover the vulnerabilities described here and many others.”

It can be a challenge to find an IP telephony service provider that adequately considers security within its provisioning. However, here at 500 we take security seriously. Businesses can rest assured that when assessing network capabilities and recommending an IP telephony solution, the issues raised in this article have been considered and addressed: from SIP endpoint encryption to ISP provisioning for voice-only calls that do not ‘touch’ the public internet.

Article courtesy of www.voipplanet.com, 15/05/08.

Quality of Service seen as VoIP’s biggest hurdle

May 19th, 2008

Session border controller manufacturer Newport Networks today reveals that managing quality of service is seen as the biggest obstacle to IP-based voice calls (VoIP) ahead of security and billing concerns, according to a recent poll of telecoms industry delegates at networking software event, SofNet. The results indicate that VoIP adoption rates are expected to slow if operators and service providers do not take steps to ensure quality as well as address security concerns for VoIP services.

A surprising 60 percent of delegates believed that VoIP is ‘reasonably secure’ with 1 in 10 considering it to be secure with just 30 percent believing it to be insecure. These figures are interesting considering that the majority of SIP based VoIP services do not use encryption. A significant majority (60 per cent) of delegates surveyed believe that service providers should be responsible for security, followed by 35 per cent feeling that both the service provider and subscriber should be responsible, and 5 per cent believing that it should be the sole responsibility of the subscriber.

When asked what they thought was the biggest threat to continued adoption of VoIP, nearly half of experts surveyed (43 per cent) named quality of service, followed by identity theft (28 per cent), lack of interconnect between services (20 per cent), and denial of service attacks (9 per cent). The majority (65 percent) of delegates predict that a two-tier VoIP billing model will emerge with service differentiation based on quality and price. Another 35 per cent of delegates think that more end-users will be willing to pay more for VoIP security as awareness of potential risks increases.

Dave Gladwin, VP of Product Marketing at Newport Networks comments, “It is clear that operators and service providers need to take action now to address fundamental issues such as quality of service and security to ensure they continue to retain or increase their market share. It is interesting to see that delegates placed a higher value on quality of service over security and billing concerns, pointing towards a need for better managed, robust IP networks to meet demand.”

Article courtesy of Comms Business News, 16/05/08.
