VoIP: Perceived Risks & Best Practices
Dial VoIP For Vulnerability
A couple of comments on the article:
- The author immediately makes the association between VoIP and “sending voice calls over the Internet”. This association is made all the time, but Enterprise IP Telephony and transporting voice over the Internet are two completely different things. An Enterprise can enjoy the benefits of an IP Telephony system without ever sending a single call over the public Internet.
- Many of the security precautions mentioned in the article are just common sense and should already be part of a sound security policy.
- The incident at Merrill Lynch would not have affected voice traffic if the data network had been properly designed and configured.
- Separating voice traffic from data traffic with VLANs is a VoIP best practice. However, it’s only part of the answer since the two types of traffic will still meet on trunks and on PCs. Properly configured QoS is also required to ensure that data traffic never impedes voice traffic.
- The perception that 911 doesn’t work with IP Telephony is false. Are there VoIP services that don’t have adequate 911 services? Of course, but there are no technical barriers preventing an enterprise from implementing fully functional E911 services on their IP Telephony system and it’s routinely implemented today.
- The following quote from the article is just silly and plain wrong:
“According to Chris Rouland, CTO at security firm Internet Security Systems, it's as easy to intercept unencrypted VoIP calls as it is to use an iPod. By downloading software off the Internet, hackers can intercept calls "with a simple click", he says. In order to protect caller IDs, phone addresses and account information, VoIP users need to encrypt SIP traffic.”
- Yes, free software is available to sniff and decode all voice traffic. However, in a properly configured network within an environment that has a solid security policy, the potential sniffer will never get an opportunity to even see the traffic. In a properly configured switched infrastructure, user A’s voice traffic cannot be detected from user B’s data jack because it’s simply not there. Is it possible to send A’s traffic down B’s data connection? Yes, but the potential eavesdropper would need access to the closet in which the switch resides or would require administrative access to the switch. You did lock the closet and restrict access to authorized personnel only, didn’t you?
Rick McCharles
http://www.ric.ca/
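The two configuration points above (voice/data VLAN separation, and the fact that redirecting user A's traffic to user B's jack requires administrative changes on the switch) can be checked from a saved switch configuration. The following is an added example, not part of the original post: it assumes Cisco IOS-style syntax (the post names no vendor), and the sample configuration and the function name `audit_switch_config` are constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS-style syntax (an assumption; the post names no vendor).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
monitor session 1 source interface GigabitEthernet1/0/1
monitor session 1 destination interface GigabitEthernet1/0/2
"""

def audit_switch_config(text):
    """Return (mirror_sessions, access_ports_without_voice_vlan)."""
    mirrors = {}      # session id -> {"source": [...], "destination": [...]}
    ports = {}        # interface name -> list of its indented config lines
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m and not raw.startswith(" "):
            current = m.group(1)
            ports[current] = []
            continue
        # Port mirroring is how one port's traffic ends up on another port.
        m = re.match(r"monitor session (\d+) (source|destination) interface (\S+)", line)
        if m:
            sess = mirrors.setdefault(int(m.group(1)), {"source": [], "destination": []})
            sess[m.group(2)].append(m.group(3))
            continue
        if raw.startswith(" ") and current:
            ports[current].append(line)
        else:
            current = None  # "!" or any other top-level line ends the interface block
    # Access ports with no voice VLAN: a phone plugged in here shares the data VLAN.
    no_voice = [name for name, cfg in ports.items()
                if "switchport mode access" in cfg
                and not any(c.startswith("switchport voice vlan") for c in cfg)]
    return mirrors, no_voice

if __name__ == "__main__":
    print(audit_switch_config(SAMPLE_CONFIG))
```

Any mirror session that is not tied to an approved monitoring task, and any listed access port where a phone is actually connected, is worth reviewing against the change log.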

