Information Security and Assurance
VoIP
Xeon Group
Rohit Bhat
Ryan Hannan
Alan Mui
Irfan Siddiqui
1
VOIP
I. What is VoIP?
II. Business & Security Concerns
III. Security Threats
IV.Security Measures
V. Cost/Risk Analysis
VI.Legal Consequences
2
What is VOIP?
• Protocol optimized for the transmission of voice through the Internet or other packet switched networks
• Also referred to as IP telephony, Internet telephony, voice over broadband, broadband telephony, and broadband phone.
3
How fast is VoIP growing?
Per a study conducted by IBISWorld:
• Industry’s forecast is to experience the largest revenue growth in the telecommunications sector over the next five years, at an annual growth rater of 25%.
• Business subscriptions will grow by 44%, compared with consumer subscription growth of 21%.
4
How fast is VoIP growing?
Per a study conducted by IBISWorld:
• U.S. will have 25 million paying VoIP customers by 2012.
• Total industry revenues in 2008 are forecast at $3.2 billion, reaching $5 billion by 2012.
5
Business Concerns
Integrity – Voice quality should be excellent
Availability – User needs dial-tone 365/24/7
Confidentiality – All communication should remain confidential
Authenticity – Valid service subscribers should be able to access the service provider’s network
Federal and State regulatory compliance
6
Security Threats
Configuration weaknesses in VoIP devices and underlying operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking) and toll fraud
(theft of service), all of which can result in the loss of privacy and integrity.
Unscrupulous telemarketers could use VoIP (via soft PC based phones) to access customer credit and privacy details.
7
Security Threats
Today, the biggest VoIP-related security threats are inside a company's firewall, such as changing a configuration setting to make the CEO's phone ring at a disgruntled employee's desk. Eavesdropping is another potential problem.
8
Security Threats
Launch a Denial of Service attack by placing a large number of calls, either as an authorized or unauthorized user, to flood the network.
SPIT (spam over Internet telephony or VOIP) – advertising that appears in a VoIP voice mailbox. 9
Security Threats
Vishing, the process of persuading users to divulge personal information such as Social
Security and credit card numbers. Attackers can "spoof" the caller ID that users see to make the call appear to come from a legitimate organization.
10
Security Measures
Bolster encryption by encoding and decoding information securely, both the conversation and the call numbers.
Encrypt VoIP communications at the router or other gateway, not at the individual endpoints. Since some VoIP telephones are not powerful enough to perform encryption, placing this burden at a central point ensures all VoIP traffic emanating from the enterprise network will be encrypted.
11
Security Measures
IP Phone must register to make phone calls.
1.
2.
3.
When a phone tries to register, the registrar sends a challenge.
Phone correctly encrypts the challenge, digital certificate from phone manufacturer, and Media Access Control (MAC) address.
Manufacturer certificate cannot be forged because it is burnt into the phone’s nonvolatile RAM and cannot be retrieved.
12
Security Measures
Separate VoIP network from data network by logically segregating the voice and data networks using vLAN-capable switches.
Don't allow interaction between Internetconnected PCs and VoIP components.
13
Security Measures
Install an Intrusion Prevention System (IPS) at the network's perimeter to scan for known signatures while blocking or allowing traffic based on application content rather than IP addresses or ports.
An IPS can dynamically modify firewall rules or