Results tagged “security” from IP Communications and Technology

Financial Post Article on VoIP Security

I was recently interviewed by the National Post to provide some comments on VoIP / Wireless security for an article in the Financial Post.

I'm not sure what's behind it, but when it comes to transporting voice over an IP network, there continues to be a fascination and some paranoia about the security aspects. This despite the fact that references to documented security breaches remain elusive. VoIP and SIP do have security vulnerabilities but as I have stated many times, all of the associated risks can be sufficiently mitigated by following documented best-practices.

When it comes to eavesdropping on voice calls, things were much simpler when I was implementing business voice solutions during the early '80s. Remember the Butt Set? Despite the fact that all one needed to listen to, and record, calls was a pair of alligator clips and easily accessed wire pairs, I rarely heard anyone express concerns about voice security.

Intercepting VoIP calls in a properly secured environment is slightly more complicated. First, one needs to either get physical access or somehow redirect the VoIP traffic. Once that is accomplished, there are software tools that can capture the VoIP traffic and convert the encoded voice back to analogue. In a secure enterprise environment, however, that is much more complicated than the Butt Set method of old. And oh yes, I almost forgot. Someone came up with this silly concept of encryption, which, when applied to VoIP media streams and signaling, adds considerably to the challenge of eavesdropping!

Cisco Unified IP Phone Security Vulnerability


Cisco has updated its response to a security vulnerability that could, under the right conditions, allow someone to remotely eavesdrop on audio near a Cisco phone. The attack involves accessing the web server of a Cisco IP phone, and then issuing a command to instruct the phone to go off-hook in speaker-phone mode. Any audio picked up by the remote phone can then be streamed to a remote phone.

In order for the attack to occur the following conditions must be met:

  • The internal web server of the IP phone must be enabled. The web server is enabled by default.
  • The IP phone must be configured to use the Extension Mobility feature, which is not enabled by default.
  • The attacker must possess or obtain valid Extension Mobility authentication credentials.

For those who don't know, extension mobility is a very handy feature that allows an individual to log into an IP phone. Once authenticated, the IP Phone is configured according to the user's normal extension. The feature allows a single phone to be shared among multiple individuals. It also has great mobility benefits in that an individual can, for example, "virtually" move his or her phone to a new work location. For example, if you were going to work in a conference room for the day, you could log into the conference room phone.

Details on how to exploit the vulnerability.
Cisco's Security Response, Document ID: 100252

Once again, I urge industry professionals to counter the fear mongering hype and provide some perspective on the risk and advice on how to mitigate it.

Rick McCharles
VoIP Consultant, Toronto
RIC Services




Microsoft Renders In-Person Verbal Communications Obsolete


Microsoft's Unified Communications product has apparently rendered person to person verbal communications obsolete. Not bad when you consider how late they were to arrive at the UC party!

Things may change however once they add security (developed by the Vista security team).

- Bob: Clicks "Call Jane"
- MS Security: "Are you sure you want to call Jane?"
- Bob: Clicks "Yes"
- MS Security: "Calling Jane"
- MS Security: "Are you really really sure you want to continue calling Jane?"
- Bob: Clicks "Yes Dam It"
- MS Security: "While we're ringing Jane, would you like to make sure her identity certificate is valid?"
- Bob: Clicks "No thanks, I like living on the edge, continue ringing Jane"
- Jane: Clicks "Incoming Call from Bob, click yes to accept call"
- MS Security: "Bob is not on your trusted buddy list, accept call anyway? (not recommended)"
- Jane: Clicks "Yes"
- MS Security: "Bob discontinued call attempt, and is walking over to your cubicle"

Rick McCharles
Telecom Consultant, RIC Services, Toronto


More VoIP Security Hype Nonsense

An article posted on March 05, 2007 in COMPUTERWORLD carries the title:

"Enterprises must avoid IP telephony for teleworkers or face attack" Link Here

According to this article, allowing teleworkers to work with VoIP will expose your enterprise to a multitude of dire consequences such as:

  • Hackers stealing usernames and passwords
  • Leaving users vulnerable to a very real attack
  • Hackers recording conversations
  • Hackers gaining access to your online banking

Whatever the motivations for these sensationalist articles, they do nothing to educate the public about the real risks associated with VoIP and how to mitigate them.

Avoid IP Telephony for Teleworkers? Sure, ignore one of the most important benefits of IP Telephony in case some evil VoIP hacker posts all of your private conversations on CNN, empties all of your bank accounts and bankrupts your organization!

The fact is that VoIP can be, and routinely is, deployed and used securely; even by Teleworkers, imagine that.

There are risks associated with VoIP and IP Telephony. For enterprises, most of these risks are associated with network infrastructure. If an enterprise's security policy and implementation are full of holes, then it is vulnerable to attack not only for VoIP but for all the other applications that run over the infrastructure, including email. How many companies encrypt their email? Very few, yet we're not bombarded with a constant stream of doom articles on how corporate email is at serious risk and we should prevent remote employees from using it!

In almost every instance, the VoIP sky-is-falling articles are not able to produce even a single documented event that demonstrates how a particular vulnerability was exploited.

As usual, I make the distinction between Consumer based VoIP services and Enterprise-Class IP Telephony. The former has the potential for more security concerns and weaknesses.

On the enterprise side, there are plenty of sources that describe best-practices and tools to deploy VoIP securely:

- A PDF Document by Juniper
- VOIPSA (An organization dedicated to VoIP security without the hype)

A Google search on the subject will yield hundreds of related sources.

Perhaps the authors contributing to all this hype should also do a little research.

Rick McCharles
www.ric.ca



Residential VoIP Growth & Associated Risks

ABI predicts that the number of worldwide residential VoIP subscribers will grow from last year’s 38 million to over 267 million by 2012. According to ABI, most of the growth will be at the expense of the Telcos as cable and broadband providers aggressively leverage their high-speed data networks.

The numbers are impressive and, to me, somewhat worrisome. I’m convinced that many consumers are making a decision to abandon their analogue residential service without being fully informed of the potential risks including:

  • Security: Most VoIP services do not encrypt the signaling or the voice payload. I personally have been using such a service for several years and I’m not very concerned. But, at least I am aware of the potential risk and use my service accordingly.

  • Power Interruptions: Cable operators will typically provide an analogue adapter with battery backup and have some level of backup power within their infrastructure. Assuming that all the backup systems have been properly maintained (a big assumption), and that all of the automated systems function as planned, residential VoIP subscribers can expect the service to remain active for a few hours at best. For most other VoIP service provider subscribers, a power interruption affecting the subscribers’ homes will result in an immediate service failure.

  • 911: When it comes to automatically identifying the location of a 911 caller, rules vary from country to country. In Canada, (assuming the provider complies with regulations), a 911 caller may first be directed to a national call centre where an agent will confirm the location of the caller then route the call to the appropriate local emergency service. It is an additional step in the process with a potential for failure and it may increase response time. Additionally, in traditional analogue voice services, the 911 operator can prevent the caller from disconnecting the call; not so with residential VoIP services. And as discussed in the next point, whether an intelligible conversation can take place with the 911 services personnel is dependent on the quality of the broadband connection.

  • Voice Quality: The quality of a residential VoIP service is dependent on the network connection delivering the service. If the service provider owns the broadband connection then it is possible to prioritize voice packets to ensure voice quality. Most cable operators’ VoIP services do in fact protect voice traffic by giving it priority over data. Most other VoIP service providers do not have this capability and therefore voice quality can be severely affected by network congestion. Current trends suggest that bandwidth-intensive applications such as video streaming and peer-to-peer file sharing will contribute to bandwidth shortages and likely VoIP quality issues.

I have been involved with VoIP technology since 1998 and I have consistently commented on its beneficial and disruptive impact on the communications industry. However, I believe more must be done to inform consumers of the potential risks. Once the risks are understood, consumers can make an intelligent decision about whether or not they should discontinue their primary line (traditional) voice service.

Note: As I have done previously, I make the distinction between consumer VoIP services and enterprise-class IP Telephony. In the latter, all of the risks mentioned in this post can be adequately addressed and the implementers will typically understand the risks and how to mitigate them.

Rick McCharles
www.ric.ca


Exaggerated VoIP Security Risks


I’ve read many articles over the last few years concerning the security vulnerabilities of VoIP. The latest flurry of VoIP security related articles is the result of two alerts and fixes from Cisco that could impact Call Manager. Cisco Call Manager versions with multi-level administration enabled may be vulnerable to privilege escalations. The second alert states that “Vulnerable versions of Cisco Call Manager do not manage TCP connections and Windows messages aggressively, leaving some well-known, published ports vulnerable to Denial of Service attacks.” Cisco has released patches for both and, apparently, there were no reports of either vulnerability being exploited. But the announcement led to a new round of articles and commentaries exaggerating the risk of VoIP related Denial of Service attacks and other vulnerabilities.

Once again I’ve been reading articles that insist that Data Networks security and VoIP security are completely different and that if your enterprise uses IP Telephony you are at great risk. In my view this is pure nonsense.

Of course we must be vigilant, but the fact is that if your organization has a well defined, implemented, monitored and enforced security policy related to your data network and systems, then you’ve also mitigated most of the security risks associated with the implementation of an enterprise class IP Telephony system. Notice that I stated “Enterprise Class”, which excludes most of the PC based or residential type VoIP services that use the public Internet for transport.

Layering IP Telephony onto your data network does require that you identify potential vulnerabilities that may not be part of your present data security policy. You should work with your IP Telephony vendors to ensure that you are aware of, and have patched, all known security risks. Attention to robust AAA, signed configurations and firmware, DHCP inspection and voice / signaling encryption, in addition to the previously mentioned sound security practices, will mitigate most of the risks.
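
One way to verify the voice / signaling encryption item on a deployment, shown as an added example that is not part of the original post: a check that reads a captured SIP INVITE and reports whether the hop used TLS and whether each media stream in the SDP offers keyed SRTP. The function name, verdict labels and both sample messages are constructed for illustration.

```python
import re

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(raw):
    """Report signaling and media protection offered in one captured SIP INVITE."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    start = lines[0].split()
    uri = start[1] if len(start) > 1 else ""
    # The top-most Via header names the transport of the hop that was captured.
    via = next((l for l in lines[1:] if re.match(r"(?i)(via|v)\s*:", l)), "")
    hop = re.search(r"SIP/2\.0/(\w+)", via)
    session_keyed, streams, cur = False, [], None
    for line in (l.strip() for l in sdp.split("\n")):
        parts = line[2:].split()
        if line.startswith("m=") and len(parts) >= 3:
            cur = {"media": parts[0], "profile": parts[2].upper(), "keyed": False}
            streams.append(cur)
        elif line.startswith("a=fingerprint:") and cur is None:
            session_keyed = True   # session-level DTLS fingerprint covers every stream
        elif line.startswith(("a=crypto:", "a=fingerprint:")) and cur is not None:
            cur["keyed"] = True    # SDES key or DTLS fingerprint for this stream
    media = []
    for s in streams:
        keyed = s["keyed"] or session_keyed
        if s["profile"] in SRTP_PROFILES:
            verdict = "encrypted" if keyed else "srtp-without-keys"
        else:
            # Plain RTP profile: a peer that ignores the key attribute talks in the clear.
            verdict = "optional-srtp" if keyed else "cleartext"
        media.append((s["media"], verdict))
    return {"signaling_tls": bool(hop) and hop.group(1).upper() == "TLS",
            "sips_uri": uri.lower().startswith("sips:"), "media": media}

# Constructed sample messages (not captured traffic); the key is a placeholder.
CLEAR_INVITE = ("INVITE sip:jane@example.com SIP/2.0\r\n"
                "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed1\r\n"
                "\r\nv=0\r\nm=audio 49170 RTP/AVP 0\r\n")
SECURE_INVITE = ("INVITE sips:jane@example.com SIP/2.0\r\n"
                 "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bKconstructed2\r\n"
                 "\r\nv=0\r\nm=audio 49172 RTP/SAVP 0\r\n"
                 "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n")

if __name__ == "__main__":
    for name, msg in (("clear", CLEAR_INVITE), ("secure", SECURE_INVITE)):
        print(name, audit_invite(msg))
```

A "srtp-without-keys" or "optional-srtp" verdict is worth following up with the vendor, since both mean the call can end up unprotected even though SRTP appears in the offer.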

The risk must not be trivialized. There will always be the possibility that a previously unknown VoIP vulnerability will be exploited and it is understood that the consequences of such an exploit could be serious. But, I really wish the “techno-weenies” would tone down their alarmist rhetoric. The IP Telephony sky is not falling!

Rick McCharles
http://www.ric.ca/