VoIP 1th Position paper

VoIP Position Paper-security issues

Rokeshia Robinson

March 19, 2007

Voice over internet protocol (VoIP i.e., IP telephony, Internet telephone, Digital Phone) is the routing of voice conversation over the Internet or any other IP-based network. The voice data flows over a general-purpose packet-switched network, instead of traditional dedicated circuit-switched voice transmission lines. Before VoIP, telecommunications occurred over a public switched telephone network, that is, voice data traversed circuit switched connections. The cost savings of VoIP, both in dollars and bandwidth, compared to that of circuit switched networks is encouraging companies to move to VoIP. However, VoIP deployment has brought several security concerns.

Securing VoIP system is a lot more challenging than securing pure data network. Since VoIP does not have a dominant protocol standard, the support of two standards in products just increases the chance of buggy application. In addition, the quality of service requirement of VoIP leaves less working room for possible security measures. Not to mention various threats to confidentiality, integrity and availability of VoIP systems.

VoIP needs two types of protocols; signaling protocol and media protocols. Signaling protocols manage call setup and teardown. Media protocols manage the transmission of voice data over IP networks. However, every vendor uses either its own proprietary or one of two standards, H.323 and SIP (session initiation protocol). For example, Cisco uses the SCCP (signaling connection control part) protocol, were as the organization that I currently work for use the Avaya-UNISTIM (unified network stimulus) protocol. These proprietary protocols make it difficult to inter-connect products from different vendors.

Quality of service is vital for the success of VoIP since few will use it if VoIP can not deliver at least the same voice quality as traditional telephone network. While, I believe that the quality for VoIP may be affected by latency, jitter, and loss packets these same issues affect traditional telephone networks. VoIP has introduced requirements for data packets to reach their destination in a more restricted time frame than other internet protocol (IP) applications. Many applications are somewhat tolerant of packet delay and it may be imperceptible to the client using the application. Packet delay in VoIP, however, can reduce the functionality to unusable.

Another security issues surrounds the ability to eavesdrop on phone conversations. Conventional telephone eavesdropping requires either physical access to tap a line, or penetration of a switch. With VoIP, opportunities for eavesdroppers increase dramatically because of the large number of nodes in the path between two conservation entities. If the attacker compromises any of theses nodes, he/she can access the IP packets flowing through that node. There are several free network analyzers and packet capture tools that can convert VoIP traffic to wave files. These tools allow the attackers to save the conversation into the files and ply them back on a computer.

Unauthorized access attack is another security concern when using VoIP. A legitimate user may perform an incorrect or unauthorized operations function and may cause delirious modification, destruction, deletion or disclosure of switch software and data. An intruder may masquerade as a legitimate user and access an operation port of the switch.

In conclusion, I can go on and on about security stuff and how these issues would influence businesses decision not to implement VoIP. Unfortunately, there are some countermeasures to most of the security concerns that I have addressed. However, these security issues continue to be ongoing issues within organizations who adapt VoIP technology. With all the other potential threats lurking out there, I wouldn’t just to this technology unless I had the right security team and IT team in place to manage the ongoing issues.