Essential Computer Security

Tony Bradley on Facebook
Tony_BradleyPCW
- Smartphone Survey Only Tells Part of the Story. http://bit.ly/95J11j about 1 hour ago from API
- Is the iPad a business tool? Perhaps with the right business-friendly apps. http://bit.ly/dqIBgo about 3 hours ago from API
- Planning to use your iPad for business as well as pleasure? Make sure you have the right accessories. http://bit.ly/cxbs6C about 6 hours ago from API
- Vast Majority Feel Internet Access is a Right. http://bit.ly/bH4Rp7 about 8 hours ago from API
- Palm was good at the PDA. WebOS seems like a capable platform. Just make it into a tablet PC to compete with iPad. http://bit.ly/c0eqGm about 9 hours ago from TweetDeck
“I have been in the Information Security arena for the last 15 years. During this time, there are many places I have turned for guidance on the pulse of Information Security. Tony Bradley is one of those sources. Tony can understand the trends in the ever-changing world of Information Security and communicate those concepts very effectively. His contributions to the Information Security community have made an impact on many people. I know I can reach out to Tony on most any topic and get an articulate and measured approach to achieve a successful outcome."
Ryan Maher
BT
My Sites

Locking Down VoIP

Posted on July 18th, 2009 by Tony Bradley

Voice networks have always been exposed to certain types of attacks. Data networks have a much larger threat environment to worry about. Converging the two seems to create a whole greater than the sum of its parts in that the merging of voice and data networks exposes each to the attacks of the other and creates unique new scenarios that have to be guarded against as well.

A phone system exists to place and accept phone calls. Therefore, a VoIP server is typically an Internet-facing server which, by design, is supposed to accept attempts to connect with it and route those connections to endpoints inside the network. The same precautions that any security best practices would prescribe for protecting Internet-facing servers should be applied to the VoIP server as well to both protect it from outside threats and to protect the internal network from the potentially insecure VoIP server.

As this TechTarget SearchSecurity article discusses, there are also some specific areas that need to be looked at to lock down the VoIP server and strengthen the security of your unified communications infrastructure. This excerpt from the article describes some of the areas you should pay particular attention to:

User authentication – Which users are associated with which handsets? Which users have softphones installed? Which group does a user belong to, and what usage privileges are associated with that group? How do users log in?
Call signalling – Call signalling (for example, dialling, busy signals, transfer and redirection) is one of the core functions of the VoIP system. If it uses a standard protocol such as SIP, it will inherit not only the vulnerabilities of a specific software implementation, but also those of the SIP protocol.
Media Gateway – The VoIP server will also be running media gateway functions such as audio codec processing.
Call accounting – In the background, the VoIP server will be generating and passing messages to some kind of call accounting system, probably based on a database server (such as MySQL, in the open-source Asterisk world).
Third party enhancements – Many or most VoIP systems can interface with third-party enhancements such as instant messaging, click-to-call, videoconferencing, unified messaging, and so on. All of these introduce their own problems: the VoIP system has to interact with these applications, so if the third-party application has weak security, that will open up an attack vector into the VoIP system.

It is a good idea to conduct an initial security audit of the unified communications environment to identify risks and vulnerabilities so they can be addressed, and then to follow up with annual security audits to ensure that the unified communications environment remains secure.

Follow me on Twitter

Tags: Blog // 2 Comments »

2 Comments to “Locking Down VoIP”

Essential Computer Security » Locking Down VoIP : Stilton Company - NJ SEO & IT Services - Ocean County - Monmouth County - Toms River - Jackson - Freehold
July 18th, 2009 at 3:13 pm
[...] See the article here: Essential Computer Security » Locking Down VoIP [...]
Video | Enjolt.com | Innovate for Success
July 18th, 2009 at 6:09 pm
[...] that will last a lifetime, and that will signify the exact feeling you are trying to create. Locking Down VoIP – tonybradley.com 07/18/2009 Voice networks have always been exposed to certain types of attacks. [...]

Computer Security In Plain English For Normal People

Tony_BradleyPCW

My Sites

Locking Down VoIP

2 Comments to “Locking Down VoIP”

Recent Posts