Operators of IP telephony networks should also use access control lists and other techniques to prevent unauthorised traffic flows. In addition, the management interfaces of the software systems involved in routing calls must be secured to prevent unauthorised access.
The potential for abuse of features like sink-holing makes it essential for those operating IP telephony systems to secure them effectively, limiting the ability to modify their configuration to appropriately authorised individuals.
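The access-control-list and management-interface controls described above, as an added illustration that is not from the original report: an nftables ruleset for the router sitting between an organisation's phone VLAN, its VoIP gateway and its administrators' network. Every address, interface, port number and media range below is an assumption chosen for the example, not a value from the text.

```nft
# Added example, not from the original report. Ruleset for the router that
# forwards traffic between the phone VLAN, the VoIP gateway and the admin
# network. All addresses and port numbers are assumptions for illustration.
define PHONES    = 10.0.20.0/24     # IP phone VLAN (assumed)
define GATEWAY   = 10.0.10.5        # VoIP gateway / call-control server (assumed)
define ADMIN_NET = 10.0.99.0/24     # authorised administrators' workstations (assumed)
define SIP_PORT  = 5060             # SIP signalling (assumed; 5061 if SIP over TLS)
define RTP_PORTS = 16384-32767      # RTP media range set on the gateway (assumed)

table inet voip {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Signalling: only phones <-> gateway may register or set up calls
        ip saddr $PHONES  ip daddr $GATEWAY udp dport $SIP_PORT accept
        ip saddr $GATEWAY ip daddr $PHONES  udp dport $SIP_PORT accept

        # Media: RTP only between the phone VLAN and the gateway
        ip saddr $PHONES  ip daddr $GATEWAY udp dport $RTP_PORTS accept
        ip saddr $GATEWAY ip daddr $PHONES  udp dport $RTP_PORTS accept

        # Management interface of the gateway (SSH, HTTPS): admin network only,
        # so a phone or an ordinary workstation cannot reach the configuration
        ip saddr $ADMIN_NET ip daddr $GATEWAY tcp dport { 22, 443 } accept

        # Anything else, e.g. a phone probing the management port or a PC
        # injecting SIP towards the gateway, is logged (rate-limited) and
        # dropped by the chain policy, so such attempts appear in the firewall log
        limit rate 10/minute log prefix "voip-denied: "
    }
}
```

If the deployment lets phones exchange RTP directly with each other rather than via the gateway, add a matching phone-to-phone media rule; otherwise such calls will fail and show up as denied flows in the log.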
A network perspective
The significance of the various weaknesses and vulnerabilities depends on how VoIP is being used. IP phone services that operate over the public internet are more at risk than other applications of the technology, for example, but are often used to complement, rather than replace, other phone services. Private IP phone networks that operate within a single organisation are inherently better protected but, because they are the sole way of making calls, the costs and consequences of service failures are often orders of magnitude greater.
Calling over the public internet
A growing number of services is available to allow people to make phone calls over the internet, typically taking advantage of unused capacity on the broadband link to a home or office. Examples are Skype, Vonage, BT Communicator and BT Broadband Talk.
The services work in different ways. For instance, Skype is a PC application that can also be accessed via a proprietary handset connected to the computer’s USB port – the handset cannot be used unless the computer is switched on. In contrast, Vonage and BT Broadband Talk can work with standard phones connected directly to a broadband router through an adapter. The services operate independently of any computers connected to the network and are therefore much more like standard phone services.
Because the services all share network capacity with other traffic, calls will be subject to delay, interference and interruption from time to time, either as a result of legitimate peaks in demand or, say, if a denial of service attack is launched on the relevant service operator’s infrastructure.
Wherever a computer or other programmable device is used to make calls, the potential for infection by viruses and malware (such as rogue diallers) exists. And whichever technique is used, there is the issue of enabling the data packets generated by phone calls to pass securely through PC, corporate and other firewalls. Some VoIP applications generate activity that’s similar to hacking attempts and other attacks, for example, making it difficult to enable IP phone calls to pass through a firewall without weakening defences. For this reason, many organisations prohibit use of the IP telephony services that operate over the public internet.
Making calls in private
The situation with regard to use of VoIP to carry calls within organisations is somewhat different. Calls are typically received from the public telephone network using ‘standard’ lines or T1/E1 connections, etc. They are converted into VoIP by a gateway and relayed on to specific IP phones using the organisation’s private data network.