Fundamental of VoIP and Security

CHAPTER NO. 6

VI. SECURITY BREACHES

Security is a necessary part of any computer network. VoIP has many vulnerabilities to attacks such as spoofing, eavesdropping, and denial of service. VoIP users must know about these security breaches and about the methods for detecting and preventing them. Security breaches can be reported internally and externally, and include virus attacks, worms and DoS attacks. There are many kinds of security breaches, and a client can take steps to prevent them with firewalls and other preventative measures. The client also knows that, no matter how good his defense is, breaches will occur. Putting detection tools and processes in place speeds up reaction time. The operations processes can be either reactive or proactive. How an organization responds to an incident is driven by how well prepared everyone is. There are a number of breaches in VoIP networks: unauthorized access, exploitation of known weaknesses of programs, denial of service, spoofing, eavesdropping, etc. For each security breach, the prevention is also described.

A. UNAUTHORIZED ACCESS:

This simply means that people who shouldn't use computer services are able to connect and use them. For example, people outside the company might try to connect to the company's accounting machine or to an NFS server. This attack can be avoided by carefully specifying who can gain access through these services, so that network access is denied to all except the intended users.

PREVENTION:

A number of routers help the network stop unauthorized access. One example is the 3640 Router, which has a couple of inherent features that we plan to use to stop unauthorized access. Briefly, this is how it works. The caller enters the local number to access the VoIP trunk line. The caller is prompted to enter an account number and PIN number.
The account number and PIN number are verified against a VCCS-controlled database. If the account number and PIN number are verified, the caller is prompted for the 10 digits of the destination phone number. If the account number and PIN number are not verified, the caller is informed that verification failed and the call is disconnected.

B. EXPLOITATION OF KNOWN WEAKNESSES OF PROGRAMS:

Some programs and network services were not originally designed with strong security in mind and are inherently vulnerable to attack. The BSD remote services (rlogin, rexec, etc.) are an example. The best way to be protected against this type of attack is to disable any vulnerable services or find alternatives. With open source, it is sometimes possible to repair the weaknesses in the software.

D. DENIAL OF SERVICE:

Denial of service is a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. VoIP is more susceptible to DoS than a typical computer network. Not only does it suffer from the standard DoS attacks that flood the network with traffic to the point that it crashes, but it also has its own specific vulnerabilities. VoIP-specific DoS attacks use the setup and cancellation of pending call setup signals. These signals include sending a CANCEL, GOODBYE or PORT UNREACHABLE message. These leave the phone unable to complete calls. With DoS there is a chance that your data network goes down alongside the phone services provided through VoIP. DoS attacks may also be performed at the application layer, where carefully crafted application commands are given to a program and cause it to become extremely busy or stop functioning. Preventing suspicious network traffic from reaching the host and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack.
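To make the signalling-based DoS described above concrete from the detection side, the following added example (not part of the original chapter) counts call-teardown requests per source in a sliding window and flags sources that exceed a threshold. It assumes SIP signalling, treats the chapter's "GOODBYE" as the SIP BYE method, and uses a hypothetical log format, window and threshold; all sample records are constructed.

```python
"""Flag sources that flood call-teardown signalling (added example, constructed data)."""
from collections import defaultdict, deque

TEARDOWN_METHODS = {"CANCEL", "BYE"}   # assumption: the chapter's "GOODBYE" is SIP BYE


def parse_event(line):
    """Parse '<epoch_seconds> <src_ip> <SIP request line>' into (ts, src, method)."""
    ts, src, request_line = line.strip().split(" ", 2)
    method = request_line.split(" ", 1)[0].upper()
    return float(ts), src, method


def find_teardown_floods(lines, window=10.0, threshold=5):
    """Return {src_ip: peak_count} for sources sending more than `threshold`
    CANCEL/BYE requests inside any `window`-second span."""
    recent = defaultdict(deque)   # src -> timestamps of teardown requests still in window
    flagged = {}
    for line in lines:
        try:
            ts, src, method = parse_event(line)
        except ValueError:
            continue              # malformed record: skip it rather than crash the monitor
        if method not in TEARDOWN_METHODS:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop requests that have aged out of the window
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


# Constructed sample: 192.0.2.50 sends 8 CANCELs in 4 s; 198.51.100.7 behaves normally.
SAMPLE_LOG = [f"{1000 + i * 0.5} 192.0.2.50 CANCEL sip:1001@pbx.example SIP/2.0" for i in range(8)]
SAMPLE_LOG += [
    "1000.2 198.51.100.7 INVITE sip:1002@pbx.example SIP/2.0",
    "1003.0 198.51.100.7 CANCEL sip:1002@pbx.example SIP/2.0",
    "1030.0 198.51.100.7 BYE sip:1003@pbx.example SIP/2.0",
    "garbage-line",
]

if __name__ == "__main__":
    for src, peak in find_teardown_floods(SAMPLE_LOG).items():
        print(f"possible teardown flood from {src}: {peak} requests in window")
```

The window and threshold need tuning against a baseline of normal call volume, since a busy gateway legitimately sends many BYE requests.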
It is useful to know the details of the attack method, so the client should educate and prepare himself about each new attack as it is revealed.

PREVENTION:

DoS is one of VoIP's most challenging threats to address. DoS is an issue now, and will become a more significant issue going forward, as VoIP is more widely deployed and as enterprises start to interconnect their internal networks via untrusted networks. Research has shown that many VoIP components are vulnerable to DoS. The threat to these components will increase. Requiring well-designed VoIP components, strong authentication, and VoIP firewalls best mitigates this threat. DoS is a very difficult threat to deal with, but it is best mitigated with the following steps.

1. System hardening: It involves disabling and removing unnecessary network services, locking down the operating system, and using internal host-based intrusion detection to mitigate certain classes of attacks. All VoIP components should be hardened.

2. Strong authentication: It allows VoIP components to be sure that they are communicating with legitimate components. Any packets from non-authenticated components can be more easily discarded. This model works well for internal VoIP deployments and is helpful when VoIP is exchanged over an untrusted network.

3. Traditional firewall: It provides another layer of protection, focusing on mitigating platform-level attacks. VoIP firewalls can provide additional security, especially on the enterprise perimeter when VoIP is exchanged over an untrusted network.

E. SPOOFING:

Spoofing uses a false source address on the IP packets. The network data, such as a VoIP call, will appear to come from a different source than where it originated. Spoofing can change the caller ID number, hide the origin of attacks, and pretend to be a trusted host. Several available services allow you to spoof your phone number. A serious risk with spoofing is identity theft.
To protect against this type of attack, verify the authenticity of datagrams and commands. Prevent the routing of datagrams with invalid source addresses. Introduce unpredictability into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.

PREVENTION:

Put your VoIP network behind firewalls. Nobody can enter and use the network without being verified first. Secure your network with antivirus and anti-spyware software.

F. EAVESDROPPING:

Eavesdropping is the unauthorized interception of voice packets and the decoding of the conversations. It is relatively easy and simple. Typically, eavesdropping is restricted to the subnet the phone is attached to and the path the traffic takes to the destination. This is the simplest type of attack. A host is configured to "listen" to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections. Broadcast networks like Ethernet are especially vulnerable to this type of attack. To protect against this type of threat, avoid the use of broadcast network technologies and enforce the use of data encryption.
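One way to enforce the encryption requirement stated above is to audit call setup and refuse any audio stream negotiated as plaintext. This added example is not part of the original chapter; it assumes SIP/SDP signalling with SRTP as the encryption mechanism, neither of which the chapter names, and the function names and SDP offers are constructed for illustration.

```python
# Profiles that carry SRTP (RFC 3711, RFC 5764). Plain "RTP/AVP" is unencrypted.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
KEY_ATTRS = ("a=crypto:", "a=fingerprint:")   # SDES key or DTLS certificate fingerprint


def audit_sdp(sdp_text):
    """Return a list of findings; an empty list means every audio stream is encrypted."""
    findings, streams = [], []
    in_media, session_keyed, current = False, False, None
    for raw in sdp_text.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            in_media, current = True, None
            fields = line[2:].split()
            if len(fields) < 3:
                findings.append(f"malformed media line: {line!r}")
                continue
            current = {"media": fields[0], "port": fields[1],
                       "profile": fields[2].upper(), "keyed": False}
            streams.append(current)
        elif line.startswith(KEY_ATTRS):
            if not in_media:
                session_keyed = True          # session-level key applies to all streams
            elif current is not None:
                current["keyed"] = True
    for s in streams:
        if s["media"] != "audio" or s["port"] == "0":   # port 0 means the stream is disabled
            continue
        if s["profile"] not in SECURE_PROFILES:
            findings.append(f"audio port {s['port']}: plaintext profile {s['profile']}")
        elif not (s["keyed"] or session_keyed):
            findings.append(f"audio port {s['port']}: {s['profile']} without key material")
    return findings


def _offer(media_lines):
    """Build a constructed SDP body around the given media-level lines."""
    head = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0"]
    return "\r\n".join(head + media_lines) + "\r\n"


# Constructed offers: plaintext RTP, SRTP with a placeholder key, SRTP profile with no key.
PLAINTEXT_OFFER = _offer(["m=audio 49170 RTP/AVP 0 8", "a=rtpmap:0 PCMU/8000"])
SRTP_OFFER = _offer(["m=audio 49172 RTP/SAVP 0",
                     "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY"])
UNKEYED_OFFER = _offer(["m=audio 49174 RTP/SAVP 0"])

if __name__ == "__main__":
    for name in ("PLAINTEXT_OFFER", "SRTP_OFFER", "UNKEYED_OFFER"):
        print(name, audit_sdp(globals()[name]) or "ok")
```

Keys carried in `a=crypto` lines are only as private as the signalling channel, so this check is meaningful only when the signalling itself is encrypted.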