By dotxen ·
VOIP - Is It Secure?
Not according to Robb Kimmer

This new and emerging technology is a useful and sensible way to utilise traditional networking protocols to transmit and receive voice messages. Already we see the adverts aimed at beguiling us into ordering our first VOIP service. But beware, I perceive a pattern of misconception and misunderstanding being peddled by those who see this as a new Wi-Fi Yukon.

Like Wi-Fi, VOIP is becoming very fashionable and is sold to a, generally, un-skilled (IT) and ignorant public (no offence meant), as easy-peasy technologies that will make life easier, more exciting and modern. That may be true, but what is not being explained to the public is the grave and dangerous problem of lack of security. Yes, I know that we talk about it, but we are IT folk and no-one else listens to us anyway. They all glaze over when we start to prattle on about 'techy' stuff.

As soon as you utilise IP network protocols to transfer data or voice you are immediately vulnerable to being attacked/hacked and infiltrated by the low-life and organised crime that slithers around in the network ooze.

The war to keep our networks safe is an ongoing daily battle and creates many casualties. I believe that the introduction of Wi-Fi was incredibly crass (and naive) in terms of the security provisions. There was just not enough time between the idea and the launch of the services/technologies. It was, in my opinion, rushed out to make a quick buck and relied on the public's ignorance. Wi-Fi was sold on the simplistic advantage of "Look, no wires!". Very little thought went into securing the systems. The security that is offered is minimal and relies on standard authentication and encryption protocols. Now that SHA has been breached Wi-Fi has, in essence, NO SECURITY! What security it had is now gone in the face of any kind of professional attack. If you look at the endless adverts for Wi-Fi you would never know that it had any problems at all! To introduce VOIP using the same, or similar, marketing hype and relying on that same public ignorance is nothing short of criminal.

VOIP is NOT SECURE at this time. In my opinion it will not be secured until the world moves over to IPv6 and develops more robust authentication and encryption protocols and services that can be easily managed. That will introduce the possibility of security processes that cannot exist at this time while we have the limited IPv4 and compromised encryption.

Security of VOIP is relying on the same gossamer defences that Wi-Fi enjoys. It is simply a packet header addition and some nifty, but old fashioned, authentication. That is about all the thought that is going into this 'new' technology. The danger lies in the fact that VOIP is a mobile telephone marketing manager's wet dream. It will be implemented far too quickly by companies determined to mine that golden seam before anyone else attaches their brand to it. In this rush, the public will be treated with the same contempt as they were when Wi-Fi was rocketed onto the covers of the monthly hardware magazines.

It's not that I want to prevent the public from enjoying these gizmos and gadgets, neither do I want to prevent the marketing managers from getting excited. What I want to see is a more mature approach to the actual infrastructures that support these new services. Instead of the "Let's get it out there now we have got it working well last night" syndrome, we should be making sure that the systems really are secure and robust and that people can use them without opening up vast vulnerabilities that organised crime and script-kiddies will exploit.

Once you implement VOIP you will be fair game for being attacked. The real danger lies in the networks that will provide the service. Because it's IP-based traffic, an attacker will have a direct route into your network and into all adjoining networks. Current cracking tools and techniques will be used and will be effective. For instance, right now I can't NMap for open ports on a telephone network. Once VOIP is implemented, I will be able to scan ports and place all the same kind of spyware, mal-ware and Trojans on those attached networks as I can on current data networks. Besides this I will be able to spam callers and their networks. All this will be ignored in the marketing hype that will start to appear. In a short time, network administrators will be downloading the endless patches and potions to Band-Aid their systems. We will be involved in another war on another front. Most companies do not have the support teams to fight this war. Better to spend more time getting it right and making sure that the systems are secure before letting it loose to the marketeers. Sales folk only have one response to any question that is put to them, and that is a resounding YES. For us back-end people that YES is the most dangerous word in the English language. It puts pressure on testing budgets, releases untried products, it forces designers to cut corners and it speeds up a manufacturing and testing process to the point where a product is launched before it is completely tested and passed as perfect. The Windows operating system is a good example of the 'YES' problem. It has created a whole new industry involved in testing, patching and defending it, and added millions to the cost of the products in the long term.

Let's make sure that we get it right first time with VOIP and reject the marketing pressure to launch this new, raw and untested system.

VOIP, like Wi-Fi is a 'good idea'. Currently, that's all it is.

Robb Kimmer

Network Systems Engineer. MCSE Instructor. Security Consultant
Robb owns MilMates Training Company


by skywalker_al In reply to VOIP

We are looking into VOIP solutions. I think that with Cisco, we can secure the voice network to some degree. No matter what technology you have, someone is always going to try to crack it, that should not make us scared. If so, the little punks have won and we might as well all give up. All decisions have risks. Is VOIP worth the risk? I think it is.


by DC_GUY In reply to VOIP

So far I've spent three hours on the phone with tech support simply trying to get my new VOIP account to WORK AT ALL! With no success. Their website has bugs, the tech guy had to set up a Hotmail account for me because he couldn't purge my real e-mail address out of the system where it was frozen, to start over. I was supposed to get an Activation Code e-mailed to me within 45 minutes, it never arrived and I had to get the techie to read it to me. Now I punch it into my phone and I get a dead line. Another hour talking to the techie tonight. Oh joy. Who cares what happens on NCIS, I'd much rather become a telephony software mechanic.

All this to save a couple hundred bucks a year by dumping a phone company that I can take for granted as easily as my plumbing?

This is a technology that is not ready for prime time. There should be a guild that passes judgment on stuff and doesn't let it go to market until it's reasonably free of defects. Wait, then there wouldn't be any PCs. Hmm, that sounds lovely.

Not apples and apples

by Oz_Media In reply to Yucch

You are referring to a residential or off site VoIP center, they are a farce at best. Not onsite hardware.

Try looking at decent VoIP hardware

by Oz_Media In reply to VOIP

Nortel's BCM, NEC's NEAX series.

3-Com, Cisco, Avaya, etc. Just two bit players who have too many bugs to work out. Most don't even offer the most important telecom features found in the most basic key systems.

Research the INDUSTRY, not the computer manufacturers' offerings or routing solutions. Business Telecom has been perfected by Business telecom providers, not computer component manufacturers or router builders, they are just trying to jump on board and make a few bucks without realizing that the telecom system is THE most important aspect of ANY business.

Your company can probably operate without a network for a few hours, day or whatever. Take the phones down and the issue is completely different. Also the support from two-bit players is lost, they BARELY got the thing to work in the first place, now they want a piece of a big industry, and they get it because IT staff are left to handle Telecom nowadays, and they will buy a familiar manufacturer's product regardless of what others offer.

Pay the price up front for DECENT proprietary hardware and save in the long run, Cisco won't do it for you, I have removed so many of those to be replaced with a decent PBX that it is frustrating to continually see IT folk who think "hey Cisco knows routing" but they sure as **** haven't got a clue about daily business telecom.

2 cents, but I know you will still go cheap and get something from a PC or router vendor you trust, best of luck with that. What a cost some people pay to keep the budget happy, no offense but get in line, there's a million others just like you, waiting to rip out their old VoIP equipment or have it work properly.

Just ask your boss how much money he is prepared to spend in order to have his business operate each day. If he gives you a number, stick with your key system and forget VoIP altogether.

by skywalker_al In reply to Try looking at decent VoI ...

So far Cisco looks good to me. Nortel is demoing their product this Fri and NEC the next Fri. So hopefully we will get to see some different products so that we can make a well-informed decision.

Short comment

by Oz_Media In reply to

If you buy on price you will buy Cisco.

Cisco demos and Cisco real world are two different animals though.

NEC, the best place to see it is in action AT an NEC dealer's shop where the install is up and running. They make an emulator box for the demos but it is VERY limited.

They (Nortel and NEC) will both seem VERY expensive, key cards and licence unlock codes, but in the long run, cards are the way to go by far! Something dies and you hot swap it, your system still works.

If looking at the IPK, good choice as a hybrid, haven't seen something near it yet for reliability. For a PBX (IPS 2000 or IVS 2400), solid power, tried tested and true.

All in all, you get what you pay for, and cheap should NOT be even considered an option with such important parts of a business.

Good luck, keep us posted!
