Most enterprise organizations encrypt data that transverses the network. It's a no-brainer. Thus, encrypting voice...
and data packets transmitted over a VoIP network is also a given, right? Turns out, not so much. By and large, VoIP vendors are building encryption support into their offerings. Across the board, companies planning a VoIP migration rank encryption technology as among their top concerns. Ironically, however, most organizations do not actually employ encryption – or at least are reluctant to do – when launching their VoIP network.
In SearchVoIP.com's Fast guide to VoIP encryption, you'll learn how VoIP encryption works, what malicious scenarios can unfold in the absence of an encrypted VoIP network and why, despite the inherent, inevitable and potentially devastating risks, enterprises are reluctant to encrypt their VoIP traffic.
Enterprises know that voice communications are vital and very often need to be secured, but what types of threats exist and how do you minimize the damage they can cause?
Here is a sneak peak into the many types of threats and disruptions poised to pounce on your VoIP network if not properly secured.
Voice and data disruption
- VoIP data and VoIP control packet flood
- Service disruption
- VoIP call data flood
- TCP/UDP/ICMP packet flood
- VoIP implementation DoS exploit
- OS/protocol implementation DoS exploit
- VoIP protocol DoS exploit
- Wireless DoS attack
- Network service DoS attacks
- VoIP application DoS attacks
- VoIP endpoint pin change
- VoIP packet replay
VoIP data and service threats
- VoIP packet injection
- VoIP packet modification
- QoS modification
- vlan modification
- VoIP data and VoIP social engineering
- Service theft rogue VoIP device connection
- ARP cache poisoning
- VoIP call hijacking
- Network eavesdropping
- VoIP application data theft
- Address spoofing
- VoIP call eavesdropping
- VoIP control eavesdropping
- VoIP toll fraud
- VoIP voicemail hacks
Terms to know:
Encryption: The use of encryption/decryption is as old as the art of communication. Find out how it's being used today to secure voice and data transmissions. (WhatIs.com)
IPsec (Internet Protocol Security): A framework for a set of protocols for security at the network or packet processing layer of network communication. (WhatIs.com)
VPN (virtual private network ): A framework for a set of protocols for security at the network or packet processing layer of network communication. (WhatIs.com)
ZRTP: ZRTP is a voice over IP (VoIP) encryption extension for the Real-Time Transport Protocol (RTP). (WhatIs.com)
How does encryption work?
As a general rule, VoIP traffic flows across the Internet in unencrypted packets. What this means is that anyone with a protocol logger who happens to be on a network segment between the sender and the recipient can intercept VoIP packets and use those captured packets as a recording of the phone conversation.
Stolen voices: The challenge of securing VoIP
Businesses should devote at least as much consideration to securing voice traffic as they do to their data today. One possibility is to do this via a virtual private network (VPN) tunnel, either using AES or DES (Data Encryption Standard) for the encryption of the signaling and streaming components of a VoIP call. A second option is to use ...
In this webcast, Andrew Graydon examines specific SIP security problems, where traditional perimeter firewalls fall short and what steps need to be taken to secure and manage the dynamic nature of real-time SIP communications.
Keeping out snoopers
A SearchVoIP.com member asked Andrew Graydon, "For best practices, what traffic logging should be performed at firewalls? Is there an encryption for Voice over IP -- for example, to protect traffic from snooping on Internet?" Read Andrew's advice.
Philip R. Zimmermann is the creator of Pretty Good Privacy, an email encryption software package. Originally designed as a human rights tool, PGP was published for free on the Internet in 1991. This made Zimmermann the target of a three-year criminal investigation, because the government held that U.S. export restrictions for cryptographic software were violated when PGP spread worldwide. Despite the lack of funding, the lack of any paid staff, the lack of a company to stand behind it, and despite government persecution, PGP nonetheless became the most widely used email encryption software in the world. (Bio excerpted from Zimmerman's website).
Encrypting VoIP traffic: How and why
Securing VoIP traffic remains one of the biggest obstacles to its mainstream enterprise use. VoIP traffic tends to be unencrypted, but that doesn't mean that it has to be. In this tip, Brien Posey explores various options for VoIP encryption, including sending VoIP traffic through a VPN tunnel and implementing an encryption tool called Zfone.
VoIP security, PGP style
In an interview with SearchVoIP.com, the creator of the Pretty Good Privacy e-mail encryption technology, Phil Zimmermann, explains how his new software can successfully secure VoIP connections and why other methods are likely to fail.
Other VoIP security resources:
SearchVoIP.com's security resource center
Don't overlook the security risks that can pop up when the worlds of voice and data converge. Find out how to create security policies, identify security threats and thwart attacks here.
VoIP Security Resource Guide
Voice over Internet Protocol (VoIP) implementations are becoming more common and keeping it secure is no easy task. Created in partnership with our sister site, SearchSecurity.com, SearchVoIP.com's guide is a compilation of resources that review the importance of VoIP security, protocols and standards, LAN security, vulnerabilities, troubleshooting, threats and more.
The Voice over IP Security Alliance (VOIPSA) aims to fill the void of VoIP security related resources through a unique collaboration of VoIP and Information Security vendors, providers, and thought leaders.