Voicing concerns


25 Jun 2007

The rewards of voice over IP are great but so too are the risks if proper security precautions are not put in place.

Voice over IP, internet telephony, PC-to-PC calling. The names differ but they all boil down to the same thing: using the internet rather than the traditional public telephone network to make phone calls.

The very idea might cause investors in fixed-line telcos to shudder but VoIP is here to stay and is making significant inroads into the business world as well as in the home, where Skype, for example, has now become so common in the US that Wal-Mart has even begun stocking the headsets and other VoIP accessories.

“People aren’t doing VoIP trials anymore, it’s going mainstream. I can’t remember the last time we sold a PABX that didn’t have VoIP as a significant component,” says Robert Hackett, enterprise product manager at Siemens Ireland. “Even organisations that might be considered as conservative, such as government departments or public sector bodies, are all going for VoIP solutions as standard.”

The benefits of VoIP can be summed up in a single word: cost. VoIP calls are either free (if the person you’re calling is using VoIP software too) or very cheap relative to standard phone calls, especially international ones.

But in the rush to reap the savings from VoIP, some businesses are, IT security professionals believe, not paying enough attention to the computer security implications of VoIP adoption.

Tom Bourke, senior consultant at IT security firm EuroKom, believes that there are security risks inherent in some of the VoIP products being offered to small businesses, particularly small telephone switches or private branch exchanges (PBXs) that allow users to route calls over the internet.

“You can now buy a mini-PBX that sits in your office and that routes calls on a least-cost basis over the internet. The problem here is twofold. First you’re making voice calls over an open network and there’s a possibility that someone can put monitoring tools on your pipe and watch the packets going back and forth. Second, if the PBX hasn’t been configured properly there is a risk that someone can dial into it from outside using a vacant port, reconfigure the switch and before you know it you’ve got horrendous telephone bills.”

Bourke stresses that a VoIP-enabled PBX is no more insecure than a traditional PBX so long as proper security precautions are put in place, such as installing firewalls and closing any ports that don’t need to be open. The problem is, however, that some businesses won’t have the resources, know-how or level of awareness needed to properly lock down their systems.

“I’m not saying people shouldn’t use VoIP, because the cost savings are certainly there, but my one recommendation is that if you do decide to install a VoIP system make sure that the provider who installs it gives you guarantees that you’re not being exposed to anything malicious on the internet,” says Bourke.

Hackett believes the security risks associated with VoIP stem from the fact that users fail to put voice in the same bracket as other applications running over the network. If they did so, they would be more security conscious, he argues. “All of the threats and vulnerabilities that are associated with data are there and perhaps even more so with VoIP: denial of service, eavesdropping, getting unauthorised information – all are there in the voice world through VoIP.”

A good example of this security crossover between the worlds of voice and data is phishing. In the same way that email addresses can be spoofed so that the recipient believes the email has come from a credible source, so too can VoIP calls. Possible scenarios here include getting a phone call from what you believe is your local bank branch (because that’s the caller ID that’s coming up on your display) when actually it is someone using that number to elicit your account details.

“Voice phishing is unfortunately gaining ground as hackers become more educated and find the security weaknesses,” notes Hackett.

Spamming is another security issue that spans both voice and data. If you are a Skype user, chances are you will have had the experience of typing away on a document and having a dialogue box appear on your screen alerting you that some Skype user in Croatia or Brazil is trying to make contact. The only problem is that the person is a total stranger: they simply came across your name on Skype’s open directory and decided to call you.

Voice spamming carries a high nuisance value, one that can detract from the VoIP experience and hog bandwidth. Mark Cawley, head of BT’s security practice, can see it becoming more prevalent on enterprise networks. “There’s definitely an opportunity here for would-be spammers. Rather than just sending you an email to buy Viagra, they can have your phone ringing with an automated message as well.”

David Forde, head of Nortel Ireland’s SME business, believes small business is particularly vulnerable to security threats because, unlike large organisations, they have neither the skillsets nor the budgets to put in a security system with all the bells and whistles. Recognising this, Nortel now bundles key security tools with its range of IP PBX products. “We’ve built multimedia firewalls and virtual private networks into our VoIP solutions and this is the default system that you get as an SME when you buy one of our products. We haven’t done this with the enterprise customers because they tend to do a lot more customisation and configuration.”

Forde says that putting good security in place has another very significant spin-off benefit in addition to protecting the company against attack: it will often also increase the quality of the voice application.

“If your network is not secure then chances are it’s not reliable either and if there’s one thing that VoIP needs on a network it is reliability. So security is not just about protecting against viruses or denial of service attacks, it’s about network performance and reliability.”

Dos and don’ts of VoIP

Do

Make sure you have proper access control systems in place to block unauthorised users

Install firewalls and intrusion detection systems to monitor unusual traffic patterns on your network

Encrypt voice traffic running across the internet by adopting tools such as private area networks (eg VPNs)

Consider quality of service. There’s no point in switching to VoIP if you can’t guarantee call quality

Don’t

Ignore security. It’s just as much a threat in the voice world as it is in data

Try to do it yourself unless you are competent to do so. If you don’t have the expertise internally, use a trusted supplier.

By Brian Skelly

Pictured – Mark Cawley, head of BT’s security practice