I’m continually amazed by the amount of FUD being spread with regard to VoIP security threats. People...the sky is not falling. VoIP isn’t e-mail. It isn’t implemented like e-mail, it won’t be implemented like e-mail (maybe “it shouldn’t be implemented like e-mail” is a more appropriate statement). Following best security practices will ensure at least a level of security equivalent to current TDM systems.
Best FUD I’ve heard this week: VoIP is insecure because you can simply put a bridge on an ethernet line and capture a stream. Hey, has anyone ever heard of alligator clips?
Heck, we could use a Thunderbird protocol analyzer ten years ago to listen to calls on our channelized T1s at a previous job site. And, we could do this in a central location because all calls out of our HQ site went through a single set of cables. VoIP is much more difficult to tap, calls, or even individual packets within a single call, can take multiple routes through a network. Tapping a user’s Ethernet port requires the ability to log in to their local switch and span their port, something that requires an account on the switch, and something that ought to be logged (there is that ‘best practice’ thing again).
While the “place the hub” in-line attack could work, it won’t work in environments where the switch is providing line power to the phone (unless you have a line-powered hub), and it won’t work in implementations that use 802.1x to authenticate devices placed on the network. Finally, if you are really concerned about wire-tapping, turn on the encryption capabilities that many VoIP vendors currently support. (In this case, VoIP offers superior security to TDM, how many TDM systems support end-to-end encryption?)
Yes, there are security threats to VoIP, just as there are to any application, or even legacy TDM systems (toll fraud anyone?). But let’s not scare people into thinking that implementing VoIP means that they will fall victim to a non-stop flood of SPAM, SPIT, DoS, Phishing, and a litany of other attacks.
Also read “Is VoIP Ripe for Attack?”, a related NewsFactor Network article on VoIP security where Irwin Lazar, author of this post, is quoted.
There are no comments for this post yet.