BOSTON - Those who want to operate secure VoIP networks must be mindful of myriad threats because the technology is susceptible to vulnerabilities that might be foreign to traditional telecom managers and their staffs.
That was the conclusion of experts at the Fall VON 2004 conference who warned those considering VoIP to layer on security to keep their networks protected.
AT&T described one of the more disconcerting threats - injecting words into VoIP streams in a form similar to man-in-the-middle attacks in data networks.
"You can inject swear words into conversations and the speaker can't even hear it," said Kevin Kealy, a security scientist for AT&T, during his keynote address.
Even more ominous, Kealy says he has used the same technology in AT&T labs to fabricate entire VoIP voice mail messages that current FBI-grade voiceprint analysis rated as genuine. "We've proved that it works," he said. "That's scary."
Other vulnerabilities include spam over Internet telephony - unsolicited voice mail that can clog VoIP mailboxes - and denial-of-service attacks that can cripple voice servers with floods of call setup signals, he said.
Not to worry, though, say the experts, because known security measures can greatly reduce the risks. For example, the chances of a voice-injection attack can be slashed by encrypting call signaling so phone addresses don't run in the clear. The threat can be cut further by encrypting the voice packets, making it virtually impossible to insert words, Kealy said. Nortel, for one, says it is working on software for its VoIP handsets that will encrypt voice packets and thwart injection attacks.
The overriding VoIP security principle applies to good network security in general: no one set of protection hardware and software will guard against everything forever, experts say. "Data shows that there are new threats every month. There is ongoing innovation on the malicious side," said Akif Arsoy, product manager for VeriSign, who spoke at a VoIP security session.
VeriSign announced new VoIP security services delivered via its dual security operation centers, which monitor customer networks for malicious behavior by scanning for known viruses and worms and by looking for traffic that strays from normal behavior, Arsoy said. Such traffic can be temporarily blocked until customers are notified and check whether it represents an attack.
VeriSign also is seeking IP-phone partners to include digital certificates in their devices so users can verify that the phone is secure and not, for example, multicasting conversations to rogue phones, Arsoy said. The Department of Homeland Security, which is developing an all-IP network, seeks such phones, he said. "Device control is very sensitive to them."
Meanwhile, Juniper and Avaya demonstrated the integration of Juniper's security appliances and Avaya's VoIP gear for small and midsize businesses. The demo showed the Juniper firewall opening and closing ports to accommodate VoIP calls. A VoIP call uses multiple random ports within a certain range of ports and has no mechanism for closing them unless the firewall is tightly integrated. Making sure the ports close when calls are over is key to protecting VoIP networks from port-scanning exploits.
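The port handling described in the Juniper and Avaya demo can be sketched as follows; this is an added example, not code from the article or from either vendor. The `PinholeTable` class, its idle timeout and the SIP messages are constructed for illustration, and it assumes unencrypted SIP signaling with a single session-level `c=` line in the SDP.

```python
import re

# Constructed, heavily trimmed SIP messages; addresses are documentation ranges.
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: call-1\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: call-1\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 31002 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: call-1\r\n\r\n"


class PinholeTable:
    """Hypothetical per-call table of allowed media endpoints (ip, UDP port)."""

    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout  # seconds without media before closing
        self.calls = {}  # Call-ID -> {"holes": set of (ip, port), "seen": time}

    def on_sip(self, msg, now):
        head, _, body = msg.partition("\r\n\r\n")
        cid = re.search(r"^Call-ID:\s*(\S+)", head, re.M | re.I)
        if not cid:
            return
        if head.startswith(("BYE ", "CANCEL ")):
            self.calls.pop(cid.group(1), None)  # call over: close its ports
            return
        ip = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        for port in re.findall(r"^m=audio (\d+) ", body, re.M):
            if ip:
                call = self.calls.setdefault(cid.group(1), {"holes": set(), "seen": now})
                # RTP on the advertised port, RTCP by convention on port + 1
                call["holes"] |= {(ip.group(1), int(port)), (ip.group(1), int(port) + 1)}

    def allows(self, ip, port, now):
        # Close calls that went silent without a BYE (crashed phone, lost packet)
        for cid in [c for c, v in self.calls.items() if now - v["seen"] > self.idle_timeout]:
            del self.calls[cid]
        for call in self.calls.values():
            if (ip, port) in call["holes"]:
                call["seen"] = now
                return True
        return False
```

The idle timeout covers the case the article points to: without a BYE reaching the firewall, nothing else would close the media ports.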