VoIP security: The real risks

Hi, I'm Andy Abramson, editor of VoIP Watch, and today we'regoing to talk all about VoIP security, the real risks you're facing when youhave Voice over IP in your network. Let's first dispel something. A lot oftimes people are talking about the concept of SPIT, S-P-I-T. That stands forSpam over Internet Telephony. So what is that? That's a bunch of unwantedmessages, calls and everything else imaginable that can be done over atelephone being automated from your network and into your network and throughoutyour network. What are we talking about? Unwanted calls leaving your network.Too many email messages filling your mailbox that mean nothing. Or a telephonecall going out from your switchboard with an advertisement preceding it thatyou never placed in it.

All those things are possible with SPIT. Now, so far therehasn't been a SPIT attack, but that doesn't mean it won't happen. And becauseof that, we have to understand why it can happen. That's real simple. Thenetwork is the network. Let's imagine this is our network. Our network is nottotally closed. It has ways in and it has ways out. And inside the network wehave packets. Well, packets for voice, just like packets for anything else,because they're based on IP, internet protocol, are susceptible. They'resusceptible to attack many different ways, and because it's IP packets in anetwork and your voice network is running right with your data network, that'sgoing to cause a problem. You're going to get attacked just like your datanetwork possibly is.

So what are the primary threats? From where we're sitting, Isee three. The very first one, the dreaded denial of service attack. That'swhere your network is hit by many different computers all feeding packets toone single IP address or to multiple IP addresses of your network, making yournetwork vulnerable and basically useless. When that happens, you're basicallysunk and Voice over IP, just like data, runs the same risk.

Number two, fraud-this one hits you right in the wallet-andabuse. Fraud is unwanted people using your network without permission,unauthorized who shouldn't be on it, making telephone calls. Abuse, that's alittle different. That's people who are permitted on your network but don'tnecessarily have permission to make calls to all the places they are.

And lastly, and maybe the one that we should be concernedabout the most, the breach of privacy and confidentiality. That one is realserious. What does that mean? That means somebody can actually listen to yourarchived voicemail messages that are sitting inside your voice mailbox. Or,someone could access your call records and know who you've called and possiblywho has called you. Those concerns are real and they exist today.

Now, let's talk about how we can prevent that from occurring.We have five easy tips that will make your life a lot easier once you'veinstalled it. First, you want to have a security policy. By having securitypolicy in place, just like for your data, for your voice, to prevent attack.Secondly, protect the network. Don't treat voice any different than you dodata. Third, maintain and update your software. Make sure that you have it allcurrent. Fourth, detect your abuse and fraud and cut it out as soon as itstarts. And lastly, segment your voice and data networks into separate networksto prevent the crossover of problems from one impacting the other.

So just like a regular network has potential threats, VoIPsecurity shouldn't be taken lightly. There are real risks. We've identified afew. We've talked about another that's not yet here, but which could emerge atany time. But with common sense and a good understanding of what you need to doto protect your regular data network, applying those same principles to voicewill make your network secure.