MSIT 458
Information Security and Assurance
VoIP
Xeon Group
Rohit Bhat
Ryan Hannan
Alan Mui
Irfan Siddiqui
VOIP
I. What is VoIP?
II. Business & Security Concerns
III. Security Threats
IV. Security Measures
V. Cost/Risk Analysis
VI. Legal Consequences
What is VOIP?
• Protocol optimized for the transmission of voice through the Internet or other packet-switched networks
• Also referred to as IP telephony, Internet telephony, voice over broadband, broadband telephony, and broadband phone.
How fast is VoIP growing?
Per a study conducted by IBISWorld:
• The industry is forecast to experience the largest revenue growth in the telecommunications sector over the next five years, at an annual growth rate of 25%.
• Business subscriptions will grow by 44%, compared with consumer subscription growth of 21%.
How fast is VoIP growing?
Per a study conducted by IBISWorld:
• The U.S. will have 25 million paying VoIP customers by 2012.
• Total industry revenues in 2008 are forecast at $3.2 billion, reaching $5 billion by 2012.
Business Concerns
Integrity – Voice quality should be excellent
Availability – User needs dial-tone 365/24/7
Confidentiality – All communication should remain confidential
Authenticity – Valid service subscribers should be able to access the service provider’s network
Federal and State regulatory compliance
Security Threats
Configuration weaknesses in VoIP devices and underlying operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking) and toll fraud (theft of service), all of which can result in the loss of privacy and integrity.
Unscrupulous telemarketers could use VoIP (via soft PC-based phones) to access customer credit and privacy details.
Security Threats
Today, the biggest VoIP-related security threats are inside a company's firewall, such as changing a configuration setting to make the CEO's phone ring at a disgruntled employee's desk. Eavesdropping is another potential problem.
Security Threats
Denial of Service: an attacker, as either an authorized or an unauthorized user, places a large number of calls to flood the network.
SPIT (spam over Internet telephony or VoIP): advertising that appears in a VoIP voice mailbox.
Security Threats
Vishing: the process of persuading users to divulge personal information such as Social Security and credit card numbers. Attackers can "spoof" the caller ID that users see to make the call appear to come from a legitimate organization.
Security Measures
Bolster encryption by encoding and decoding information securely, both the conversation and the call numbers.
Encrypt VoIP communications at the router or other gateway, not at the individual endpoints. Since some VoIP telephones are not powerful enough to perform encryption, placing this burden at a central point ensures all VoIP traffic emanating from the enterprise network will be encrypted.
Security Measures
An IP phone must register before it can make phone calls.
1. When a phone tries to register, the registrar sends a challenge.
2. The phone correctly encrypts the challenge, the digital certificate from the phone manufacturer, and its Media Access Control (MAC) address.
3. The manufacturer certificate cannot be forged because it is burnt into the phone’s non-volatile RAM and cannot be retrieved.
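The challenge/response registration above, shown from the registrar's side as an added example (not code from the deck): this is the standard Digest scheme that SIP borrows from HTTP (RFC 3261, section 22), not the certificate-and-MAC scheme the slide describes, so the phone proves it knows the shared secret without sending it. The realm, subscriber table, nonce lifetime and the whole `Registrar` class are assumptions made for the example; a real registrar would store the HA1 hash rather than the password.

```python
"""Added example: SIP REGISTER challenge/response as a registrar verifies it."""
import hashlib
import hmac
import secrets
import time

REALM = "voip.example"                   # constructed realm
SUBSCRIBERS = {"1001": "s3cret-pass"}    # constructed: username -> password
                                         # (a real registrar keeps HA1, not the password)

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """What the phone sends back: MD5(HA1:nonce:HA2), with HA1 = MD5(user:realm:pw)
    and HA2 = MD5(method:uri). The password itself never crosses the wire."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    def __init__(self, nonce_ttl=30):
        self.nonce_ttl = nonce_ttl
        self.issued = {}        # nonce -> time it was handed out
        self.used = set()       # nonces already accepted once (replay defence)
        self.registered = {}    # user -> contact URI

    def challenge(self, now=None):
        """Step 1: answer an unauthenticated REGISTER with a fresh, unpredictable nonce."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.issued[nonce] = now
        return {"realm": REALM, "nonce": nonce}

    def register(self, user, uri, nonce, response, contact, now=None):
        """Steps 2 and 3: verify the phone's answer; refuse stale, unknown or replayed nonces."""
        now = time.time() if now is None else now
        issued = self.issued.get(nonce)
        if issued is None or nonce in self.used or now - issued > self.nonce_ttl:
            return "401 Unauthorized (stale or unknown nonce)"
        password = SUBSCRIBERS.get(user)
        if password is None:
            return "403 Forbidden (unknown user)"
        expected = digest_response(user, REALM, password, "REGISTER", uri, nonce)
        if not hmac.compare_digest(expected, response):   # constant-time compare
            return "403 Forbidden (bad credentials)"
        self.used.add(nonce)
        self.registered[user] = contact
        return "200 OK"

if __name__ == "__main__":
    reg = Registrar()
    ch = reg.challenge()
    answer = digest_response("1001", ch["realm"], "s3cret-pass",
                             "REGISTER", "sip:voip.example", ch["nonce"])
    print(reg.register("1001", "sip:voip.example", ch["nonce"], answer, "sip:1001@10.0.0.5"))
    # Sending the same answer again is a replay and is refused.
    print(reg.register("1001", "sip:voip.example", ch["nonce"], answer, "sip:1001@10.0.0.5"))
```

The nonce bookkeeping is the part worth copying: without the `used` set and the TTL, a captured REGISTER could simply be replayed to re-register a phone from elsewhere.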
Security Measures
Separate the VoIP network from the data network by logically segregating the voice and data networks using VLAN-capable switches.
Don't allow interaction between Internet-connected PCs and VoIP components.
Security Measures
Install an Intrusion Prevention System (IPS) at the network's perimeter to scan for known signatures while blocking or allowing traffic based on application content rather than IP addresses or ports.
An IPS can dynamically modify firewall rules or terminate a network session when necessary.
Security Measures
Session Border Controllers (SBCs) prevent someone (most likely a computer program) from generating an abnormal number of calls from a legitimate VoIP account within a threshold period.
A violation of the threshold policy rule suspends additional call placement from that account for a specified period of time.
A session key is maintained for the whole of the conversation for security and encryption purposes.
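The threshold policy just described, and the call-flooding Denial of Service threat from the Security Threats slide it is meant to contain, as one added example (not code from the deck or from any SBC product): a per-account sliding window counts call attempts, and crossing the limit suspends the account for a penalty period. The limits, account names and the traffic replayed through it are all constructed for the example.

```python
"""Added example: per-account call-rate threshold with suspension, as an SBC applies it."""
from collections import deque

class CallRatePolicy:
    def __init__(self, max_calls, window_s, suspend_s):
        self.max_calls = max_calls      # calls permitted per threshold period
        self.window_s = window_s        # threshold period in seconds
        self.suspend_s = suspend_s      # how long an offending account is blocked
        self.attempts = {}              # account -> deque of attempt timestamps
        self.suspended_until = {}       # account -> time the suspension lifts

    def admit(self, account, now):
        """Return (allowed, reason) for one call attempt from `account` at time `now`."""
        until = self.suspended_until.get(account)
        if until is not None and now < until:
            return False, "suspended"
        window = self.attempts.setdefault(account, deque())
        while window and now - window[0] >= self.window_s:   # forget attempts outside the window
            window.popleft()
        window.append(now)
        if len(window) > self.max_calls:
            self.suspended_until[account] = now + self.suspend_s
            window.clear()
            return False, "threshold exceeded; account suspended"
        return True, "admitted"

    def is_suspended(self, account, now):
        return now < self.suspended_until.get(account, float("-inf"))

def replay(policy, events):
    """Run (time, account) call attempts through the policy; returns (time, account, allowed)."""
    return [(t, acct, policy.admit(acct, t)[0]) for t, acct in events]

# Constructed traffic: a human caller (1001) and an auto-dialer on a compromised account (2002).
EVENTS = ([(0, "1001"), (30, "1001"), (59, "1001")]
          + [(t, "2002") for t in range(20)]
          + [(320, "2002")])

if __name__ == "__main__":
    policy = CallRatePolicy(max_calls=10, window_s=60, suspend_s=300)
    for t, acct, ok in replay(policy, sorted(EVENTS)):
        print(f"t={t:>3}s account={acct} {'ADMIT' if ok else 'REJECT'}")
```

With these numbers the dialer's first ten attempts go through, the eleventh trips the threshold, every later attempt in the next 300 seconds is rejected without being counted, and the human caller is never affected; the suspension is what stops a dialer that simply retries faster.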
Security Measures
Implement a voice-aware (VoIP-ready) firewall, which is optimized for voice and opens ports only when a connection must be established.
Stateful packet inspection can be used to drop attack packets because they are not part of an authenticated connection.
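What "opening ports only when a connection must be established" looks like in practice, as an added example (not code from the deck or from any firewall product): the firewall reads the SDP body carried in SIP signaling, opens a narrow UDP pinhole for the advertised media address and port, and drops any packet that does not belong to a signaled session or whose session has gone idle. The SDP body, the addresses and the idle timeout are constructed; RTCP (media port + 1) is left out to keep the example short.

```python
"""Added example: voice-aware firewall that pins holes from SDP and inspects media statefully."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Pinhole:
    src_ip: str      # far end allowed to send media
    dst_ip: str      # address advertised in the SDP c= line
    dst_port: int    # port advertised in the SDP m=audio line

def parse_sdp_media(sdp: str):
    """Return (ip, port) for the audio stream in an SDP body, or None if there is none.
    A media-level c= line overrides the session-level one, so the last one seen wins."""
    conn_ip, port = None, None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            conn_ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if conn_ip is None or not port:       # port 0 means the stream was rejected
        return None
    return conn_ip, port

class VoiceFirewall:
    def __init__(self, idle_timeout_s=30):
        self.idle_timeout_s = idle_timeout_s
        self.pinholes = {}                 # Pinhole -> expiry time

    def on_sdp(self, remote_ip, sdp, now):
        """Signaling (INVITE / 200 OK) carried an SDP body: admit media from remote_ip
        to the advertised address and port, and nothing else."""
        media = parse_sdp_media(sdp)
        if media is None:
            return None
        ip, port = media
        hole = Pinhole(remote_ip, ip, port)
        self.pinholes[hole] = now + self.idle_timeout_s
        return hole

    def on_bye(self, hole):
        """Signaling tore the call down: close the pinhole at once."""
        self.pinholes.pop(hole, None)

    def allow_packet(self, src_ip, dst_ip, dst_port, now):
        """Stateful check for one inbound UDP packet."""
        hole = Pinhole(src_ip, dst_ip, dst_port)
        expiry = self.pinholes.get(hole)
        if expiry is None:
            return False                   # not part of any signaled session: drop
        if now > expiry:
            del self.pinholes[hole]        # session went idle: drop and close
            return False
        self.pinholes[hole] = now + self.idle_timeout_s   # live media keeps the hole open
        return True

# Constructed SDP answer from Customer A's phone (10.0.0.5), taken from its SIP signaling.
SDP_A = ("v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\n"
         "t=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
SBC_IP = "198.51.100.7"    # constructed far-end (SBC) address that will send the media

if __name__ == "__main__":
    fw = VoiceFirewall()
    hole = fw.on_sdp(SBC_IP, SDP_A, now=0)
    print(hole)
    print(fw.allow_packet(SBC_IP, "10.0.0.5", 49170, now=1))         # True: part of the call
    print(fw.allow_packet("203.0.113.9", "10.0.0.5", 49170, now=1))  # False: never signaled
    fw.on_bye(hole)
    print(fw.allow_packet(SBC_IP, "10.0.0.5", 49170, now=2))         # False: call ended
```

The point of pinning the hole to the source address as well as the destination port is that a packet aimed at the right port from an address that took no part in the signaling still has no session to belong to, and is dropped.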
Security Measures
In order to mitigate the latency issues caused by security measures, add QoS to all devices processing the calls, i.e. turn on this feature on the service provider’s data switch and the data router, as opposed to a phone switch located within the subscriber’s LAN where the call terminates.
A look at the VoIP infrastructure
[Diagram: VoIP infrastructure. Labels in the diagram: Customer A, Customer B, T1(s), Firewall, Edge Router, Central Office (Telephone Switch Exchange), EWSD Switch, Session Border Controller, GenBand G6, PRI Trunk, Public Switched Telephone Network, Virtual VPN Router, Site Headend Router, Per Rate Center, Next VOIP Service, Tech Center, Core Routing, VOIP Servers, VPN Tunnel, Data Center, Broadworks Application Server, Broadworks Network Server, Broadworks Media Server, Broadworks Web Server, Email Servers that store Vmail wave files.]
Call flow:
1. Customer A’s SIP phone initiates the call by contacting the SBC.
2. The SBC contacts the Application Server to determine where to send RTP (Real Time Protocol) traffic.
3. The Application Server consults the Network Server to determine where the SBC is to connect to establish the session for traffic.
4. The Application Server contacts the GenBand G6 and the SBC and gives them each other’s contact info (IP and port).
5. GenBand and SBC establish a signaling session for the call.
6. Customer A’s SIP phone sends traffic to the SBC, then to the G6 and over to the EWSD.
Security Threat to Come
A lot of the security measures taken today are based on experience with restricting access to data networks.
To date, not a single virus is reported that is specific to infecting the VoIP packets. However, it is to come without a doubt.
Cost/Risk Analysis
Cost/Risk analysis varies from industry to industry and business to business. The best judgment of risk exposure is a collective assessment of both immediate and future monetary losses to an organization.
Organizations today can utilize research-based calculators for estimating the potential cost of a data security breach for any number of 'at risk' records. The same concept can be applied to VoIP.
Cost/Risk Analysis
A sample identity theft or data breach cost calculator can be found at [Link]/[Link]
Enter Total Number Of Affected Records                 100,000
Customer Notification (Mail)                       $664,000.00
Phone Call Center Support                        $2,895,000.00
Legal Defense Services                             $663,000.00
Criminal Investigations (Forensics)                $248,000.00
Public / Investor Relations                        $205,000.00
Free / Discounted Services (Credit reports)      $2,380,000.00
Cost Of Brand Impact - Lost & Fewer Customers    $9,832,000.00
Cost Of Security Data Breach                    $16,887,000.00
Legal Consequences
Businesses need to be aware that the laws and rulings governing interception or monitoring of VoIP lines, and retention of call records, may differ from those of conventional telephone systems. These issues should be reviewed with legal advisers.
Virus attacks delivered through use of VoIP services, such as Skype, may not be held accountable.
VoIP Security
Questions?