Chapter 1: Working with VoIP

Cisco Press

Excerpt from Voice over IP Security.

By Patrick Park

Published by Cisco Press

ISBN-10: 1-58705-469-8

ISBN-13: 978-1-58705-469-3

This chapter covers VoIP strengths and vulnerabilities with the following topics:

  • VoIP advantages

  • VoIP disadvantages

  • Sources of vulnerability

  • Vulnerable components

  • Myths versus reality

Voice over Internet Protocol (VoIP) has become prevalent in the telecommunications world since its emergence in the late 1990s as a new technology for transporting multimedia over the IP network. It is very common today for people to make phone calls with IP phones or client software (for example, Skype, iChat, and Google Talk) on their computer. Many telecommunications companies and other organizations have been moving their telephony infrastructure to their data networks, because it provides a cheaper and clearer alternative to traditional public switched telephone network (PSTN) phone lines.

Even though the VoIP service is getting popular, its technology is still developing. It is growing rapidly throughout North America and Europe, but it is sometimes awkwardly implemented on most legacy networks, and often lacks compatibility and continuity with existing systems. Nevertheless, VoIP will capture a significant portion of the telephony market, given the fiscal savings and flexibility that it can provide.

The context of VoIP service in this book includes not only voice, but also video, Instant Messaging (IM), presence data, and fax data over the IP network. Figure 1-1 shows VoIP service architecture with many different types of services.

In this chapter, you learn about the benefits and disadvantages of using VoIP and about its vulnerabilities and components; the chapter also dispels some myths. The content in this chapter refers to recommendations from the National Institute of Standards and Technology (NIST) [1].

Note - This chapter approaches the topics at a high level. The technical details are described in Part II, "VoIP Security Best Practices."

Like every technology, VoIP has many benefits and disadvantages. The following section describes the benefits of VoIP.

Figure 1-1 VoIP Service Architecture

VoIP Benefits

The reason for the prevalence of VoIP is that it gives significant benefits compared to legacy phone systems. The key benefits are as follows:

  • Cost savings—The most attractive feature of VoIP is its cost-saving potential. When we move away from public switched telephone networks, long-distance phone calls become inexpensive. Instead of being processed across conventional commercial telecommunications line configurations, voice traffic travels on the Internet or over private data network lines.

    For the enterprise, VoIP reduces cost for equipment, lines, manpower, and maintenance. All of an organization's voice and data traffic is integrated into one physical network, bypassing the need for separate PBX tie lines. Although there is a significant initial setup cost, significant net savings can result from managing only one network and not needing to sustain a legacy telephony system in an increasingly digital and data-centered world. Also, the network administrator's burden may be lessened because the administrator can now focus on a single network. There is no longer a need for separate teams, one to manage a data network and another to manage a voice network.

    For consumers, VoIP reduces the charge of subscription or usage, especially for long distance and international calls.

  • Rich media service—The legacy phone system mainly provides voice and fax service even though limited video service is possible. However, the demand of users is much higher than that, as shown in today's rich media communications through the Internet. People check out friends' presence (such as online, offline, busy), send instant messages, make voice or video calls, transfer images, and so on. VoIP technology makes rich media service possible, integrating with other protocols and applications.

    Rich media service not only provides multiple options of media to users, but also creates new markets in the communications industry, such as VoIP service in mobile phones.

  • Phone portability—The legacy phone system assigns a phone number with a dedicated line, so you generally cannot move your home phone to another place if you want to use the same phone number. It is a common hassle to call the phone company and ask for a phone number update when moving to a new house. However, VoIP provides number mobility: The phone device can use the same number virtually everywhere as long as it has proper IP connectivity. Many businesspeople today bring their IP phones or softphones when traveling, and use the same numbers everywhere.

  • Service mobility—The context of mobility here includes service mobility as well. Wherever the phone goes, the same services could be available, such as call features, voicemail access, call logs, security features, service policy, and so on.

  • Integration and collaboration with other applications—VoIP protocols (such as Session Initiation Protocol [SIP], H.323) run on the application layer and are able to integrate or collaborate with other applications such as email, web browser, instant messenger, social-networking applications, and so on. The integration and collaboration create synergy and provide valuable services to the users. Typical examples are voicemail delivery via email, click-to-call service on a website, voice call button on an email, presence information on a contact list, and so on.

  • User control interface—Most VoIP service providers provide a user control interface, typically a web GUI, to their customers so that they can change features, options, and services dynamically. For example, the users log in to the web GUI and change call forwarding number, speed dial, presence information (online, offline), black/white list, music-on-hold option, anonymous call block, and so on.

  • No geographical boundary—The VoIP service area becomes virtualized without geographical limit. That is, the area code or country code is no longer bound to a specific location. For example, you could live in South Korea but subscribe to a U.S. phone number, which makes it possible that all calls to the U.S. become domestic calls (cheaper) even though you live in South Korea.

  • Rich features—VoIP provides rich features like click-to-call on a web page, Find-Me-Follow-Me (FMFM), selective call forwarding, personalized ring tones (or ringback tone), simultaneous rings on multiple phones, selective area or country code, and so on.

Now that you are aware of many of the benefits, the next section takes a look at several disadvantages.

VoIP Disadvantages

The benefits of VoIP do not come free of charge. There are significant disadvantages for using VoIP, as follows:

  • Complicated service and network architecture—Integrated rich media services (such as voice, video, IM, presence, and fax) make it difficult to design the service and network architecture because many different types of devices for each service are involved, as well as different protocols and characteristics of each media. Rich features (such as click-to-call and FMFM) also make the architecture more complicated because many different applications (such as web and email) and platforms are involved. This complication requires extra time and resources when designing, testing, and deploying. It also causes various errors and makes it harder to troubleshoot and isolate them.

  • Interoperability issues between different protocols, applications, or products—There are multiple VoIP protocols (such as SIP, H.323, Media Gateway Control Protocol [MGCP], and Skinny), and product companies choose whichever they like when developing products, which means there are always interoperability issues between products that use different protocols. Even between products using the same protocol, interoperability issues still come up because of different implementations, different versions (extensions), or different feature sets. Therefore, it is common for VoIP service providers to spend a significant amount of time and resources on testing interoperability and resolving the issues.

  • Quality of service (QoS) issues—Voice and video streams flow over an IP network as real-time packets, passing through multiple networks and devices (such as switches, routers, firewalls, and media gateways). Therefore, ensuring QoS is very difficult and costs lots of time and resources to meet the user's expectations. The main factors in QoS are packet loss, delay (latency), and jitter (packet delay variation).

    In a comparison of VoIP QoS versus traditional circuit-switched networks, Sinden [2] reported data from a Telecommunications Industry Association (TIA) study that showed even a fairly small percentage of lost packets could push VoIP network QoS below the level users have come to expect on their traditional phone lines. Each coder-decoder (codec) the TIA studied experienced a steep downturn in user satisfaction when latency crossed the 150-ms point. However, even with less than 150 ms of latency, a packet loss of 5 percent caused VoIP traffic encoded with G.711 (an international standard for encoding telephone audio on a 64-kbps stream) to drop below the QoS levels of the PSTN, even with a packet loss concealment scheme. Similarly, losses of 1 and 2 percent, respectively, were enough to place quality in VoIP networks encoded with G.723.1 (for very low bit-rate speech compression) and G.729A (for voice compression on an 8-kbps stream) below this threshold. At losses of 3 and 4 percent, respectively, the performance of these networks resulted in a majority of dissatisfied users.

  • Power outages—Legacy home phones continue to work even during a power outage because the phone line supplies 48 volts constantly. However, VoIP phones use regular data network lines that do not provide power in most cases, which means you cannot use VoIP phones during power outages. Of course, there are inline power solutions (such as Power over Ethernet), but these are mainly for enterprise environments.

  • Emergency calls—Unlike legacy phone connections, which are tied to a physical location, VoIP allows phone portability as described in the previous section, which is convenient for users. However, the flexibility complicates the provision of emergency services like an E-911 call, which provides the caller's location to the 911 dispatch office based on the caller ID (phone number). Especially for users using softphones on their mobile computers, E-911 service is almost impossible unless the users notify the service provider of their physical location every time they move. Although most VoIP vendors have workable solutions for E-911 service, government regulators and vendors are still working out standards and procedures for 911 services in the VoIP environment.

  • Security issues—In a legacy phone system, the main security issue is interception of conversations, which requires physical access to phone lines or compromise of the office PBX. In VoIP, which is based on open or public networks, the security issues go well beyond that. Between a caller and callee, many elements (such as IP phones, access devices, media gateways, proxy servers, and protocols) are involved in setting up the call and transferring the media. Each element has vulnerable factors that are targets for attackers. The next few sections provide examples.

  • Legal issues (lawful interception)—Legal wiretapping in VoIP, also called lawful interception (LI), is much more complicated than that in legacy phone systems, because of the complexity of VoIP service architecture. For the details, refer to Chapter 10, "Lawful Interception Fundamentals."

Among these disadvantages, the security issues are becoming more serious because traditional security devices (such as firewalls and Intrusion-Detection Systems) and protocols (such as encryption) cannot protect VoIP services or networks from recent intelligent threats.

The following sections look into the vulnerability from the following aspects:

  • What are the sources of vulnerability?

  • What are the vulnerable components?

  • What do people misunderstand about the vulnerability?

Sources of Vulnerability

VoIP has two types of vulnerability. One is the inherited vulnerability coming from an existing infrastructure such as the network, operating system, or web server that VoIP applications are running on. The other is its own vulnerability coming from VoIP protocols and devices, such as IP phone, voice gateway, media server, signaling controller, and so on.

Basically, these vulnerabilities are derived from the characteristics of VoIP that are shown in Figure 1-2.

Figure 1-2
