VoIP security : Not an Afterthought

OVERVIEW

• What is VoIP?• Difference between PSTN and VoIP.• Why VoIP?• VoIP Security threats• Security concerns• Design and implementation• Conclusion

What is VoIP?

• VoIP is Voice over internet protocol, is a technology allows voice conversations to be carried over the Internet.• VoIP exchanges voice information in digital form, in discrete packets

rather than by using the traditional circuit-committed protocols of the Public Switched Telephone Network (PSTN).

Difference between PSTN and VoIP.

• In PSTN (Public Switched Telephone Network) the control is rested at switch.• In VoIP the resource control is at deeper part of network.

Why VoIP?

• Price• Flexibility• Protocols• Implementation• Service

VoIP Security threats• Security threats Viruses impacting servers. Denial of service attacks. Logical attacks on SIP. Subscription fraud and non-payment. Call eavesdropping.

Security concerns

• Preserve the availability:

• By network/service access control

• Preserve integrity:

• Prevent malicious activities by encryption techniques.

• Prevent theft of the VoIP service.

• Prevent fraudulent use of VoIP services

• Preserve the confidentiality:

• By encryption techniques.

• Preserve Authentication by login password.• Preserve authorization by access control, role based authentication

Is VoIP Security Different?

• VoIP services are real-time.

• VoIP services are target of voice specific malicious activities such as

toll fraud, service theft, voice spam and identity theft.

• VoIP services are extremely sensitive to delay, packet loss and jitter

caused by worms, viruses and DoS attacks.

• VoIP services are impacted by the existing security devices such as

firewalls/NAT, encryption engines and IDS/IPS.

An Approach to VoIP Security

Open source security

Prevention Protection Reducing the risks

VoIP Infrastructure

Design and implementation

• Major concerns for VoIP software development are 1)Software stability. 2)Robustness. 3)Interoperability.For implementation of VoIP its should have separate voice transport, signaling, service creation from one another.

VoIP protocols

The two most widely used protocols for VoIP are the ITU standard H.323 and the IETF standard SIP. Both are signaling protocols that set up, maintain and terminate a VoIP call. In addition, the Media Gateway Control Protocol (MGCP) provides a signaling and control protocol between VoIP gateways and traditional PSTN (Public Switched Telephone Network) gateways. ITU-T , H.323 is a comprehensive protocol under the ITU-T specifications for sending voice, video and data across a network. The H.323 specification includes several sub-protocols:

1. H.225 for specifying call controls (e.g. call setup and teardown),2. H.235 for specifying the security framework for H.323 and the call setup. 3. H.245 for specifying media paths and parameter negotiations such as terminal capabilities. 4. H.450 for specifying supplementary services such as call hold and call waiting.

Conclusion

• VoIP presents a number of interesting security challenges that differ substantially from those of traditionally telephony.

• In addressing these challenges, we might consider the roles of the vendor, service provider, and implementer communities.

References

• http://www.voip-info.org/• Voip security : not an afterthought by Douglas C.Sicker and

Tomlookabaugh

Thank you