[Asterisk-Users] Fwd: [ISN] Voice Over IP Can Be Vulnerable To Hackers, Too

tmpm tmpm at softhome.net
Fri May 14 11:57:07 MST 2004


Hope this isn't too far OT, but it's relevant to us. From isn.attrition.org



>http://www.informationweek.com/story/showArticle.jhtml?articleID=20300851
>
>By W. David Gardner
>TechWeb News
>May 13, 2004
>
>As voice over IP sweeps across the high-tech landscape, many IT
>managers are being lulled into a dangerous complacency because they
>look upon Internet phoning as a relatively secure technology--not as
>an IP service susceptible to the same worms, viruses, and other
>pestilence that threatens all networked systems.
>
>"With VoIP," security specialist Mark Nagiel said Thursday in an
>interview, "we're inserting a new technology into an unsecured and
>unprotected environment. VoIP is essentially availability driven, not
>security driven, and that's the problem." But Nagiel, manager of
>security consulting at NEC Unified Solutions, said that there are
>measures that can be taken to protect voice over IP from the threats
>that confront Web telephoning.
>
>The first step--an obvious one, he says--is to secure existing TCP/IP
>networks. Nagiel is finding that the new government-required
>regulations--such as Sarbanes-Oxley, which stipulates improved
>accounting record-keeping, and HIPAA in health care--are helping IT
>managers because they impose security discipline across-the-board.
>"The financial and health-care fields are getting secured very
>quickly," Nagiel said.
>
>Even so, there can be difficulties. He noted that although hospitals'
>protection of patient records generally has been excellent, they often
>neglect to completely secure physicians' conversations. Security
>managers can overlook the fact that voice over IP conversations can
>reside on servers that can be hacked.
>
>The traditional voice model utilized PBXs, which were stable and
>secure, Nagiel noted. If the voice over IP infrastructure isn't
>properly protected, it can easily be hacked and recorded calls can be
>eavesdropped. He says the networks utilized to transmit voice over
>IP--routers, servers, and even switches--are more susceptible to
>hacking than traditional telephony equipment.
>
>It's also relatively easy to launch an attack against a voice over IP
>network because the software tools available to hackers and others
>bent on invading a network are more available and easier to use. "And
>the exposure levels have gone up because there are so many nets," he
>said.
>
>What's the solution? "You need strong encryption over VoIP servers and
>VoIP client devices," Nagiel said. He observed that extensive
>encryption can slow down efficiency of networks, but encryption is a
>small price to pay to avoid denial-of-service attacks and invasions of
>networks. Another useful defense tactic is to use virtual LANs
>"whenever possible to separate traffic," according to Nagiel. In this
>way, transmitted data can be segregated into unique virtual LANs for
>data and voice transmission.
>
>However, Nagiel cautioned that security managers should resist using
>shared Ethernet network segments for voice.
>
>
>



