Tej Kohli- How to secure VOIP
Mr. Tej Kohli came across an important bit of information on the net about VoIP security, here is what it states:
Technology offers benefits galore, from lower calling costs and larger mobility to ultramodern functions like unified messaging and collaborative whiteboarding. But as VOIP is catching fire and as hackers become more familiar with its ins and outs, the threats are likely to overshadow benefits—if companies remain dormant now.
One of the biggest VOIP-related security threats of current times are inside a company’s firewall. That’s because most systems still rely on a combination of an IP network and the PSTN (Public Switched Telephone Network) land-line network. Each time a VOIP call is made, the VOIP phone number’s IP address is translated into a standard phone number passing through the PSTN network.
Hackers can exploit it easily, for instance take an employee listening in on a phone call or changing a configuration setting to make the CEO’s phone ring at the employee’s desk. Now a hacker who managed to get inside the building—could launch a DoS (Denial of Service) attack that would flood the network so thoroughly that nobody would be able to make or receive calls.
However, there exists a solution. The first step is to solidify management servers by turning off any unnecessary services and making sure that administrator passwords aren’t easy. Other important steps include keeping a record of which IP addresses are related to each user and logging activities, so if anyone makes changes to a configuration setting there will be a record of it.
“That way, if you suspect that somebody was listening in on a conversation, you could at least find out who it was and where they were listening in by relating that IP address from that IP phone to an actual person,” Oltsik said.
But technology marches on. The next frontier, which promises to vastly improve the reliability of VOIP while further reducing costs, also will open up VOIP to more attacks.
That technology is SIP (Session Initiation Protocol) trunking, which routes calls over an IP network instead of the PSTN, allowing for voice and data through all IP connections. According to The Nemertes Research Group, 56 percent of enterprises today have either adopted or plan to adopt SIP trunking, with smaller businesses being particularly interested because of the potential cost savings.
But because an external IP network is involved, security concerns increase. Of particular concern are “vishing” and SPIT (spam over Internet telephony). SPIT is basically spam over VOIP—unsolicited advertising that appears in a VOIP voice mailbox. Attackers can send messages to thousands of recipients simultaneously. Vishing, a term formed from “voice phishing,” is the process of persuading users by e-mail, text message or phone call to divulge personal information such as Social Security and credit card numbers. This is fairly easy to do, unfortunately, since attackers can “spoof” the caller ID that users see to make the call appear to come from a legitimate organization. Vishers also can send messages in bulk.
“Now you have that direct IP link from your service provider into your VOIP network, somebody could theoretically reach your phone system components across the public Internet, so companies have to take more precautions,” said Irwin Lazar, a principal analyst at Nemertes Research Group.