Employ fuzzing to test VoIP security

Voice over IP security is a popular topic lately, and there is good reason for concern. VoIP is becoming more and more popular and the more widely used it becomes, the more of a target it will be to those interested in wrongdoing.

There are many attack vectors when it comes to VoIP. It relies on the IP infrastructure so any attack that targets a network can be a potential hazard for VoIP. There is concern regarding VoIP components like the OS a soft-phone is running on or the firmware of a device. There are configuration concerns like devices with exposed TCP and UDP ports. There are the aforementioned IP infrastructure attacks in the form of DoS attacks or SYN flooding. Eventually, no matter what the specific attack, there is a good chance that the attacker is exploiting a weakness in the VoIP protocol that is being used.

The two most popular protocols are SIP and H.323. Each of these has their pluses and minuses in terms of security and overall effectiveness.

First let's take a look at SIP. SIP is easier to use since it uses textual encoding like HTTP. It's extensible and it can be paired with other protocols. As far as security goes, textual coding makes debugging easier, but it also makes spoofing easier. Since it is a relatively simple protocol, there is less chance of coding errors. Its open nature does create some concern, as easily integrated and extensible protocols can have mo

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT VoIP QoS and VoIP Security VoIP implementation study guide How will VoIP impact the quality of phone calls on our network? How does one cope with echo in a VoIP-enabled network? What's the best way to use an echo canceller? Does implementing VoIP security affect the QoS? How would one handle it, if it does? IBM, Avaya deals signal IP telephony quality control's coming of age Ensuring voice and video quality about more than watching packet flows Security concerns for enterprise Skype VoIP service selection: MPLS, VPLS or Metro Ethernet? Microsoft's Real-Time Codec (RTC) for VoIP optimization Disaster and recovery in the VoIP/IPT RFP Unified Communications Tech Tip The significance of Avaya's Aura UC buyers should look for SaaS-based UC offerings in 2009 Using the iPhone in the enterprise? Social networking and discussion forums for the enterprise Streaming Cisco's IP Communicator to an HP thin client Demystifying unified communications deployment strategies Presence management and security Presence: SIMPLE versus XMPP Four factors driving videoconferencing Consider IBM Lotus SameTime for UC, not just Microsoft OCS

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary vishing  (SearchUnifiedCommunications.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

re implementation errors.

What about H.323? H.323 uses a binary encoding, which makes it difficult to debug and subject to buffer overflow attacks. Its complexity can also lead to implementation errors. It is not very extensible which actually helps the security-wise and it has a monolithic architecture, which means it does not need to borrow functionality from other protocols.

As you can see, each protocol has its pros and cons. Regardless of the protocol your VoIP implementation is using there are some ways you can test the security of these protocols.

One way to test your implementation protocols is with fuzzing. Fuzzing, or functional protocol testing, is a good way to find bugs and vulnerabilities. Fuzzing works by creating different packets for a given protocol and injecting the packets with data that will test the limits of the protocol. The packets are sent to a device, app or OS and the results are observed.

The PROTOS group at the University of Oulu in Finland is responsible for identifying a number of protocol weaknesses. They've published papers that describe methods for testing SIP and H.323.

The more widespread VoIP becomes the more it will come under attack. By taking some initiative now and testing your VoIP implementation, you might be able to prevent a failure in the future.

Benjamin Vigil is a Technical Editor with SearchEnterpriseVoice.com.