SIP: November 2007 Archives

Hang up the Phone! Your VoIP is Being Hacked!

By Rick McCharles on November 23, 2007 1:48 PM | | Comments (2) | TrackBacks (1)

Sensational title isn't it?

Pardon the sarcasm, but once again we are being bombarded with sensationalist blog and news headlines about the vulnerability of VoIP. The headlines would have you believe that recording any VoIP call is as simple as installing a utility on your PC. Sorry but, in a secure environment that's just nonsense.

I deem the stories to be counter productive and I question the motives. It's great to raise security awareness, but how about some perspective and some helpful advice? What I don't see in these blog posts and news articles, is any description of the environment or circumstance under which these attacks are possible. Nor do I see any advice on whether protection mechanisms are available.

Several months ago, I bought and read the book Hacking Exposed VoIP since so many security presentations and articles used this book as a reference. It was interesting, and I would recommend it for those who would like to understand VoIP and SIP vulnerabilities. However, what I discovered was that nearly all of the hacks / vulnerabilities described in the book were dependent on the fact that common security best practices had not been implemented or had been compromised.

The latest flurry is related to a monitoring utility named SipTap by Peter Cox at VoIPCode.org.

While it's true that VoIP is vulnerable to a wide variety of attacks, it is also true that nearly all (including this latest one) can be mitigated by sound security practices.

I won't go into a detailed tutorial but I will provide a quick list and some references for you to pursue:

  • Secure the IP Phones preventing users from viewing or changing configuration parameters
  • Encryption: Signaling, Audio Path and Administrative
  • Use Certificates to authenticate humans and components that use the system
  • Disable root access for telephony administrators
  • Deploy AAA systems and procedures (Authentication, Authorization and Accounting)
  • Carefully choose who is allowed to transfer calls to an external destination
  • Deploy and maintain virus protection
  • Disable all unnecessary services on phones and related systems
  • Expire passwords
  • Disable passwords following a number of failed attempts
  • Impose content and length restrictions to passwords
  • Impose rate-limiting mechanisms to thwart DoS attackes
  • Deploy security monitoring and alarming systems
  • Phones and devices should reject unsigned or tampered firmware
  • Reject 802.1q traffic destined to, or from the PC switch port of the phone
  • Segment voice and data traffic on separate VLANs (PC phones violate this best practice)
  • Install properly configured firewalls (duh!)
  • Secure all network devices (physically and logically)
  • Phones should ignore gratuitous ARPs
  • Perform DHCP inspection
  • Implement VPNs for remote access
Here are some excellent references:

Enhanced Security for Unified Communications (Cisco)
Enterprise VoIP Security Best Practices (Juniper)
VoIP Security for Dummies (Avaya)

I don't deny for a second that SIP and VoIP have vulnerabilities and that they must be addressed. But, there's no going back to TDM. IP communications is here to stay and the vast majority of risks can be adequately mitigated. Many of the security precautions should already be in place if your network and IT environment is secure.

Rick McCharles
VoIP / IP Telephony Consultant, Toronto
RIC Services



StumbleUpon ToolbarStumble It!

SIP Trunking Will Displace PRI

By Rick McCharles on November 20, 2007 5:08 PM |

Long Distance, Audio Conferencing and Hosted IP Telephony service providers have been taking advantage of the lower cost and scalability of IP Trunking for years. Many of the current IP Trunking circuits are based on the H.323 protocol. Nearly all new deployments however, employ SIP as the signalling protocol.

While not yet widely adopted, IP Trunking for enterprise PSTN connectivity offers significant advantages to enterprise relative to the common PRI model. I am convinced, that there will be very few, if any, new PRI circuit deployments in Canadian urban locations, within five years.

If you are about to migrate to IP Telephony you should seriously consider, replacing your PRI and in some cases BRI or analogue trunks with IP Trunks.

The following table contrasts PRI vs. IP Trunks and highlights just some of the compelling advantages enabled by IP Trunking.

An update to this article can be found here.


PRI vs IP Trunking

PRI

IP Trunks

Physical connections:

 

Each circuit requires physical connection and costly termination hardware.

Connections are virtual:

 

Number of available  trunks is a function of available bandwidth, not physical termination hardware or circuits.

Scaling up requires the installation of new circuits and additional termination hardware.

Scales up or down easily and quickly (a software configuration change) and can offer automatic and on-demand burst capabilities

Providing sufficient backup circuits to remote sites in an IPT-distributed architecture can negatively impact the ROI.

 

Automatic IP re-routing capabilities allow practical geographic distribution of PSTN connectivity to sites with limited or no network redundancy

Cost is usually per circuit per month

 

A variety of pricing models (i.e. usage based) are likely to emerge, including on-demand capacity.  Relative to PRI circuits and the associated supporting hardware, IP Trunking costs are likely to be significantly lower.

Capacity planning & engineering is critical:

 

Additional capacity must be planned well in advance since considerable lead time may be required for the ordering and installation of new circuits and termination hardware

While capacity planning is still important, adding additional capacity can be as simple as a software change. Additionally, providers are likely to offer burst capabilities.

Only way to accommodate loss of hardware or facility where PRI’s terminate is to build-in excess capacity with associated cost impact.

 

Can be designed to retain PSTN reachability and capacity in the event of the loss of terminating hardware (or even an entire office location) without the need to build in excess capacity

 

Including dispersed locations in most current IP Telephony deployments requires the addition of network redundancy or significant local PSTN connectivity (analogue or ISDN trunks) to ensure that individual locations can function autonomously in the event of a failure. These factors can add substantial Opex and Capex.

Dispersed locations can be connected to the PSTN via an IP connection. Should a network failure occur incoming calls can be automatically rerouted to the isolated location.

Diversity across service providers is usually cost prohibitive.

 

Can accommodate diversity across service providers much like is done today with Internet access via BGP.

 

 
Even if you no immediate plans to migrate to VoIP, IP Trunks connected via a gateway to your existing PBX can result in cost savings and can allow you to enhance your current system’s functionality and features.

Rick McCharles
Telecom Consultant, Toronto
RIC Services



StumbleUpon ToolbarStumble It!
Main Index | Archives | SIP: January 2008 »

About this Archive

This page is a archive of entries in the SIP category from November 2007.

SIP: January 2008 is the next archive.

Find recent content on the main index or look in the archives to find all content.

SIP: November 2007: Monthly Archives

RIC Services
Powered by Movable Type 4.01