
IP Telephony (VOIP) Security: Threats, Defenses and Countermeasures

Courtesy of Core Competence, Inc.

Understanding Voice over IP Security, available April 2006

How to Protect Your VoIP Network

VoIP has finally arrived as a mainstream application. IP PBX equipment sales topped $1 billion in 2005, for the first time outpacing traditional TDM PBXs, according to Dell'Oro Group. In fact, analysts predict that IP PBXs will account for more than 90% of the market by 2009. Before you deploy VoIP, however, you need to be aware of the security risks and the countermeasures that you can take.

Security is important in every context, but especially when you're replacing the world's oldest, largest and most resilient and available communications network. While no individual security measure will eliminate attacks against VoIP deployments entirely, a layered approach can meaningfully reduce the probability that attacks will succeed.

Read the rest of my feature article at Network World.

IP Telephony Security, Part 1: Threats to Subscribers

IP networks are now used to handle an increasing number of voice calls. While the bulk of this telephone traffic is currently enterprise, consumers are dabbling in IP Telephony (alias Voice over IP, VoIP). As products are commoditized and public services like Vonage mature, new voice-data applications will be offered, encouraging even broader adoption. More...

IP Telephony Security, Part II: Threats to Operators

In Part I of this series, I explained how IP networks are now used to handle an increasing number of voice calls. As products are commoditized, new applications appear, and more public IPT "carriers" come online, even broader adoption is inevitable. I also called attention to the dark side of the convergence of voice, IP, and wireless networking: the combined attack targets and vectors present formidable threats, not only to IPT users but also to operators, public and private. More...

Security Threats to IP Telephony Subscribers and Operators

My IPComm 2004 presentation is now available for download (pdf, requires Acrobat).

Is VOIP hacking heating up?

It's unusual to see three SIP-related posts on BugTraq in the span of less than a week. Perhaps it's an anomaly, but last week, exploit code for two vulnerabilities and a new SIP war dialing tool were announced.

These posts suggest that there are enough SIP UAs to make attacking *interesting* and that traditional scanning and information gathering tools can be, and are being, extended to probe SIP-based applications. More...


Books

Hacking VOIP Exposed
Understanding Voice over Internet Protocol Security
Practical VOIP Security

Forums and Consortia

VOIP Security Alliance
Voice Over Packet Security
The Defense Switched Network (DSN) DISA
VOIP Security Research at the University of Hamburg

Security Standards and Works in Progress

RFC 3093, Firewall Enhancement Protocol
RFC 3323, A Privacy Mechanism for the Session Initiation Protocol
RFC 3324, Short Term Requirements for Network Asserted Identity
RFC 3325, Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks
RFC 3711, The Secure Real-time Transport Protocol (SRTP)
RFC 3725, Best Current Practices for Third Party Call Control (3pcc) in the Session Initiation Protocol (SIP)
RFC 3760, Securely Available Credentials (SACRED) - Credential Server Framework
RFC 3830, MIKEY: Multimedia Internet KEYing

Secure SIP

Secure SIP protects VoIP traffic by Michael Ward

SKYPE Security

SKYPE: Free Internet Telephony that just works
Skype Security Evaluation by Tom Berson
Skype uncovered: Security study of Skype by Desclaux Fabrice

Attacks and Threats

Eavesdropping an IP Telephony Call by Tom Long
Voices... I hear voices! by Ivan Arce
Two attacks against VoIP by Peter Thermos
Basic Vulnerability Issues for SIP by Mark Collier
The Value of SIP Security by Mark Collier
Security Concerns with VOIP by Weiss
Security Analysis: Traditional Telephony and IP Telephony by Alan Klein
VoIP Security Challenges In Enterprise And Service Provider Networks by Steve Bakke
The RTP DOS Attack and its Prevention by Jonathan Rosenberg
IPT: Is Your VOIP Secure? at Communications Convergence
VOIP spam - it's coming by Peter Cochrane
Security holes make VOIP a risky business by Jim Louderback
VOIP Security Considerations by Doug Kuhn
Security Threats to IP telephony-based networks by Ofir Arkin
Security Considerations when Implementing IP Telephony in Enterprise Networks at Ericsson
IP Telephony in Enterprise Environments and Security Issues by Brennan Reynolds
No Security, no talk by Jeanne Lim
How VoIP is changing the network security equation by Philip Bednarz
Modem Passthrough over Voice over IP at Cisco Systems
VOIP and Security Greg Tucker
Voice over IP Exposed Larry Stevens
Is Your VOIP Service Secure? at VOIP-Traffic.com
VoIP Security Gets Noisy at Red Herring
Current State of VoIP Security (as of 28 Sept 2005) Mark Collier
Experts: VOIP Attacks Are Tough to Stop at Dark Reading
The myths and realities of VoIP security Zeus Kerravala

SPIT and SPAM

SPAM and DOS headed VOIP's way by Susan Kuchinskas
Net phone customers brace for VOIP spam by Ben Charny
Don't SPIT on VOIP by Susan Kuchinskas
Move over SPAM, make room for SPIT NewScientist.com news service

VOIP and Wireless (WiSIP, VOWLAN)

VoIP Vulnerabilities and DoS Delusions by Andy Dornan
Overcoming QoS, Security Issues in VoWLAN Designs by Ravi Kodavarti
Adding Voice Service to a WLAN Network: Protecting QoS and Data Security at Colubris
VOIP Security Technical Information Guide at DISA
Beyond Interoperability: Network Security: as a Voice over IP (VoIP) Enabler

Defenses and Countermeasures

A VoIP security plan of attack by Joel Snyder
VoIP Security - An Achievable Goal by Ray Stanton
IP Telephony changes security equation Mathias Thurmon
SIP, Security and Session Controllers Newport Networks
Breaking Through IP Telephony Ed Meir
VOIP Security: Not an afterthought by Douglas C. Sicker and Tom Lookabaugh
Cisco SAFE: IP Telephony Security in Depth by Jason Halpern
Configuring High Availability in a SIP-Based Network
Voice over Internet Protocol (VoIP), Security Technical Implementation Guide DISA
Security Considerations for Voice over IP Systems at NIST
Next Generation Networks and Security Peter Thermos and Guy Hadsall
VOIP Security Technical Implementation Guide Defense Information Security Agency
VOIP Security - A Layered Approach
Often Overlooked: PBX and Voice Security in a Networked World by Chris Herrera
VOIP: Don't overlook security
Enterprise IPT: Securing Voice Today at Cisco Systems
The value of VOIP security by Mark Collier
Securing IP Telephony by Tony Rybczynski
What to look for in VOIP Security Ranch Networks White paper
Defense in Depth for VOIP networks by Dave Roberts
Security in SIP-Based Networks at Cisco Systems
Securing your VOIP network Jim Valentine, et al.
Firewall Requirements for Securing VOIP at SecureLogix
How VoIP is changing the network security equation by EE Times
STOP DoS Attacks against your VoIP by Tom Lancaster
Network Intrusion and QoS impact within VoIP at Qovia
VOIP Security Implementation by Debbie Greenstreet and Sophia Scoggins
Intrusion Prevention: The Future of VoIP Security at TippingPoint
Securing The IP Telephony Perimeter David Greenfield
The Telephone Reloaded: VoIP Enters the Data Matrix by Jim Tiller
Avoiding VOMIT by Doug Mohney
The Value of VOIP Security by Mark Collier
Secure IP Telephony For The Enterprise at Check Point Technologies
Voice over IP Security Matt Tanase
VoIP Security: Loose IPs Sink Ships Ray Horak
Security for service provider VoIP networks at Nortel Networks
VOIP Security - Firewall Options
Five VoIP security recommendations Gerhard Eschelbeck
SIP Firewalls Tom Lancaster
Avoiding a VoIP security 'judgment day' Eric B. Parizo
Encrypting VoIP traffic: How and why
Employ fuzzing to test VoIP security Benjamin Vigil
VoIP Security - Best Practices Outline at Juniper Networks
Privacy Guru Locks Down VOIP Phil Zimmerman on PGP VoIP
VoIP security safeguards -- they may be there already VoIP News
VoIP tightens security against fuzzing, zombies, malicious intruders