IP Telephony (VOIP) Security: Threats, Defenses and Countermeasures

 

 

Privacy Policy

 

 

This page uses style sheets created by Ruthsarian Labs

How to Protect Your VoIP Network

How to Protect Your VoIP Network VoIP has finally arrived as a mainstream application. IP PBX equipment sales topped $1 billion in 2005, for the first time outpacing traditional TDM PBXs, according to Dell' Oro Group. In fact, analysts predict that IP PBXs will account for more than 90% of the market by 2009. Before you deploy VoIP, however, you need to be aware of the security risks and the countermeasures that you can take. Security is important in every context, but especially when you're replacing the world's oldest, largest and most resilient and available communications network. While no individual security measure will eliminate attacks against VoIP deployments entirely, a layered approach can meaningfully reduce the probability that attacks will succeed. Read the rest of my feature article at Network World.

IP Telephony Security, Part 1: Threats to Subscribers IP networks are now used to handle an increasing number of voice calls. While the bulk of this telephone traffic is currently enterprise, consumers are dabbling in IP Telephony (alias Voice over IP, VoIP). As products are commoditized and public services like Vonage mature, new voice-data applications will be offered, encouraging even broader adoption. More... IP Telephony Security, Part II: Threats to Operators In Part I of this series, I explained how IP networks are now used to handle an increasing number of voice calls. As products are commoditized, new applications appear, and more public IPT "carriers" come online, even broader adoption is inevitable. I also called attention to the dark side of the convergence of voice, IP, and wireless networking: the combined attack targets and vectors present formidable threats, not only to IPT users but also to operators, public and private. More...

Security Threats to IP Telephony Subscribers and Operators My IPComm 2004 presentation is now available for download (pdf, requires Acrobat). Is VOIP hacking heating up? It's unusual to see three SIP-related posts on BugTraq in the span of less than a week. Perhaps it's an anomaly, but last week, exploit code for two vulnerabilities and a new SIP war dialing tool were announced. These posts suggest that there are enough SIP UAs to make attacking *interesting* and that traditional scanning and information gathering tools can and are being extended to probe SIP-based applications. More...

---

Books

Hacking VOIP Exposed
Understanding Voice over Internet Protocol Security

Forums and Consortia

VOIP Security Alliance
Voice Over Packet Security
The Defense Switched Network (DSN) DISA
VOIP Security Research at the University of Hamburg

Security Standards and Works in Progress

RFC 3093, Firewall Enhancement Protocol
RFC 3323, A Privacy Mechanism for the Session Initiation Protocol
RFC 3324, Short Term Requirements for Network Asserted Identity
RFC 3325, Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks
RFC 3711, The Secure Real-time Transport Protocol (SRTP)
RFC 3725, Best Current Practices for Third Party Call Control (3pcc) in the Session Initiation Protocol (SIP)
RFC 3760, Securely Available Credentials (SACRED) - Credential Server Framework
RFC 3830, MIKEY: Multimedia Internet KEYing

Secure SIP

Secure SIP protects VoIP traffic by Michael Ward

SKYPE Security

SKYPE: Free Internet Telephony that just works
Skype Security Evaluation by Tom Berson
Skype uncovered: Security study of Skype by Desclaux Fabrice

Attacks and Threats

Eavesdropping an IP Telephony Call by Tom Long
Voices... I hear voices! by Ivan Arce
Two attacks against VoIP by Peter Thermos
The Value of SIP Security by Mark Collier
Security Concerns with VOIP by Weiss
Security Analysis: Traditional Telephony and IP Telephony by Alan Klein
VoIP Security Challenges In Enterprise And Service Provider Networks by Steve Bakke
The RTP DOS Attack and its Prevention by Jonathan Rosenberg
IPT: Is Your VOIP Secure? at Communications Convergence
VOIP spam - it's coming by Peter Cochrane
Security Considerations when Implementing IP Telephony in Enterprise Networks at Ericcson
IP Telephony in Enterprise Environments and Security Issues by Brennan Reynolds
How VoIP is changing the network security equation by Philip Bednarz
Modem Passthrough over Voice over IP at Cisco Systems
VOIP and Security Greg Tucker
Voice over IP Exposed Larry Stevens
Is Your VOIP Service Secure? at VOIP-Traffic.com
Experts: VOIP Attacks Are Tough to Stop at Dark Reading
The myths and realities of VoIP security Zeus Kerravala

SPIT and SPAM

SPAM and DOS headed VOIP's way by Susan Kushinskas
Net phone customers brace for VOIP spam by Ben Charny
Don't SPIT on VOIP by Susan Kuchinskas
Move over SPAM, make room for SPIT NewScientist.com news service

VOIP and Wireless (WiSIP, VOWLAN)

VoIP Vulnerabilities and DoS Delusions" by Andy Dornan
Overcoming QoS, Security Issues in VoWLAN Designs by Ravi Kodavarti
Adding Voice Service to a WLAN Network: Protecting QoS and Data Security at Colubris
Beyond Interoperability: Network Security: as a Voice over IP (VoIP) Enabler

Defenses and Countermeasures

A VoIP security plan of attack by Joel Snyder
IP Telephony changes security equation Mathias Thurmon
SIP, Security and Session Controllers Newport Networks
Breaking Through IP Telephony Ed Meir
VOIP Security: Not an afterthought by Douglas C. Sicker and Tom Lookabaugh
Configuring High Availability in a SIP-Based Network
Security Considerations for Voice over IP Systems at NIST
Next Generation Networks and Security Peter Thermos and Guy Hadsall
VOIP Security Technical Implementation Guide Defense Information Security Agency
VOIP Security - A Layered Approach
Often Overlooked: PBX and Voice Security in a Networked World by Chris Herrera
VOIP: Don't overlook security
The value of VOIP security by Mark Collier
Securing IP Telephony by Tony Rybczynski
What to look for in VOIP Security Ranch Networks White paper
Defense in Depth for VOIP networks by Dave Roberts
Security in SIP-Based Networks at Cisco Systems
How VoIP is changing the network security equation by EE Times
STOP DoS Attacks against your VoIP by Tom Lancaster
VOIP Security Implementation by Debbie Greenstreet and Sophia Scoggins
Securing The IP Telephony Perimeter David Greenfield
Secure IP Telephony For The Enterprise at Check Point Technologies
Voice over IP Security Matt Tanase
VoIP Security: Loose IPs Sink Ships Ray Horak
Security for service provider VoIP networks at Nortel Networks
VOIP Security - Firewall Options
Five VoIP security recommendations Gerhard Eschelbeck
SIP Firewalls Tom Lancaster
Avoiding a VoIP security 'judgment day'Eric B. Parizo
Encrypting VoIP traffic: How and why
Employ fuzzing to test VoIP security Benjamin Vigil
VoIP Security - Best Practices Outline at Juniper Networks
Privacy Guru Locks Down VOIP Phil Zimmerman on PGP VoIP
VoIP security safeguards -- they may be there already VoIP News
VoIP tightens security against fuzzing, zombies, malicious intruders

Dave Piscitello is president and principal consultant

Dave Piscitello founded Core Competence, Inc. in 1993 and is now an occasional consultant for the company. He is currently ICANN's Senior Security Technologist and serves on the ICANN Security and Stability Advisory Committee (SSAC). A 30-year network, Internet and security veteran, Dave provides advisory and consulting services to security and broadband access companies, *SPs, and Fortune 100 companies. An enthusiastic writer, Dave has published hundreds of articles, product reviews, and editorials for print and online publications, including BCR, ENISA Journal, Infoworld, Information Security Magazine,LOOP, Network World, SecurityPipeline, USENIX ;login, and WatchGuard Technologies' Live Security. Dave maintains a security infoblog at securityskeptic.typepad.com

Posted 8/25/2004, Last updated 12/10/2009 © 2004-2009 David M. Piscitello