Avoiding holes in your VoIP

Ottawa-based startup VoIPshield Systems Inc. is marking time on the release of protection products for voice over Internet Protocol (VoIP) applications, but last month released VoIP-specific auditing software as its first product.

The company says the full scope of VoIP threats is still unpredictable and instead is offering VoIPaudit, a discovery and assessment tool that scans the network for VoIP vulnerabilities, then compiles a report and lists recommendations to address known issues.

“Based on our discussions with enterprises, vendors and service providers, this is the first tool they are looking for, because today, no one really knows whether VoIP is fully secure, what the issues are and how to address those issues,” said Bogdan Materna, chief technology officer and vice-president of engineering for VoIPshield.

Alicia Wanless, an analyst at Seaboard Group in Toronto, says although VoIP is in its early stages, the most pressing issue is regulatory compliance. And a product such as VoIPaudit directly addresses these concerns, she says.

“It’s important that VoIP as a new technology is monitored in more of a preventative manner than reactionary, but it would appear the VoIPaudit product is a response to the regulations. There’s a certain amount of auditing necessary and that’s what VoIPshield is offering,” said Wanless.

“Sarbanes-Oxley, Bill 198 in Canada, as well as the Gramm-Leach-Bliley Act (GLBA) enforce that enterprises must have auditing tools in place that will produce reports in real-time for their communication systems. That includes authorization for who has access to information, and that touches voice over IP because of the security issues involved with VoIP.”

The automated auditing tool scans the VoIP hardware and software, and related components such as routers, firewalls and the underlying operating system, supporting applications, directory servers and protocols, such as domain name service (DNS) and dynamic host configuration protocol (DHCP).

VoIPaudit also provides multi-vendor support for VoIP protocols, including SIP, H323, Cisco Skinny, Nortel Unistim and other proprietary protocols.

Vulnerabilities such as virus and denial of service (DoS) attacks, toll fraud, information privacy, buffer overflow attacks and voice spam need to be assessed, says Materna, before the deployment of VoIP over the infrastructure.

“We approach security in three domains,” he said. “Prevention deals with finding vulnerabilities and patching them before deploying VoIP, while protection is where we build defence mechanisms for the VoIP infrastructure, such as firewalls, intrusion protection systems, anti-virus software, session border controllers and encryption.

“But no matter what you do in those two domains, sooner or later something will still get through. The domain we have to begin with is mitigation,” said Materna. “That way, the VoIP network can still be up and running, even if it’s at a lower quality level, and you have enough time to address the issues.”

Materna says VoIP offers new and unique challenges to security teams, particularly because is voice is a real-time service. “VoIP security is not the same as existing security for data networks,” he said.

“Security has to match the real-time demands of packet-loss and garble. Voice has very stringent delay requirements on the network, so encryption isn’t very popular.”

For example, typical firewalls cannot deal with the voice protocols. To this end, security vendors have developed the session border controller (SBC), a device that functions as a firewall and attempts to address VoIP-specific protocol issues.

And voice is only the beginning, says Materna. The IP multimedia subsystem (IMS) extends the IP network to which VoIP is exposed. “New protocols, applications and devices, television over IP and video conferencing, are in constant interaction on the IP infrastructure and all of these create new opportunities for hackers,” he said.

QuickLink: 054472

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now