Voice Over IP VOIP Security Term Paper

Excerpt from Term Paper :

Voice over IP (VoIP) Security

Voice over Internet Protocol or VoIP refers to making use of telephone services over that of the computer networks. During the first part of the process, the VoIP makes an analog signal which is evolved from the speaker's voice. It is then transferred to a digital signal and further transfers over that of an IP network and this is well inclusive of the Internet. Voice over Internet Protocol is also inclusive of any types of software, hardware, or even that of the protocol which could be linked to VoIP. There are very many examples which could be found relating to VoIP technologies which are being widely in use and there are several of these technologies being provided by various companies. Their various systems have the necessity to make use of analog telephone adapters in such a manner so that the standard type of telephones could be used on various IP networks. Another method of using it is by means of implementing the software's and what it needs for this purpose is that of a PC and headphones. There are also various open source applications of this technology that promote the use of a complete system of PBX functionality.


One of the important things is checking the quality of speech that is going to go through a VoIP system or is combined with other systems. This has led to the development of new systems like QPro, which measures quality. It also enables the simulation of systems at various levels and offers a detailed measurement and assessment of the tested network or system component. The online statistics and results are displayed as in Figure 1. It makes analysis of the quality of calls and this is displayed in reference and network degraded waveforms as shown in figure 2. It can also be seen as voice distortion graphs as shown in Figure 3. The end results of end causes distribution and success graphs can be shown as in Figure 4. The entire circuit can also be shown as a Figure as in Figure 5. These are just analysis of VoIP systems, but do not have to do anything to do much that of with security directly. (VoIP Performer- QPro - Ultimate Speech Quality Performance Testing)

According to information from Gartner, it is stated that by the year 2007, 97% of new phone systems which are installed in North America will be VoIP-based or hybrid. Despite the apparent ease-of-use of VoIP, the technology behind it contains a complex set of protocols, applications and appliances that should receive careful security attention. ISS has warned that security dangers regarding VoIP will continue to increase as the system becomes more popular. Internet Security Systems -- ISS has announced it has now provided protection for flaws the company discovered in VoIP technology that had been offered by Cisco, who are one of the top providers of VoIP technology. (Internet Security Systems Discovers Critical Flaws in VoIP Infrastructure; Company Provides Protection for Customers against VoIP Vulnerabilities)

The most recent discovery of VoIP security flaws has been by ISS X-Force (R) team within the systems of Cisco's Call Manager, and that is a necessary component to the functioning of any Cisco VoIP software, since it performs tasks like call signaling and call routing. These vulnerabilities are attacked and the party is able to trigger a heap overflow within a critical Call Manager process. This causes both a denial of service condition and enables the attacker to completely compromise the Call Manager server. This could result in the attacker to redirect calls or eavesdrop, as well as gain unauthorized access to networks and machines running Cisco VoIP products. Compromise of VoIP networks and machines may result in exposure of confidential information, loss of productivity and also network compromise. The full ISS X-Force advisory on these flaws can be found at: http://xforce.iss.net/xforce/alerts/id/200. (Internet Security Systems Discovers Critical Flaws in VoIP Infrastructure; Company Provides Protection for Customers against VoIP Vulnerabilities)

Even though it could be said that a wide range of making use of VoIP has evolved during the last several years, still the ideas which are at the back of VoIP could be considered as a relatively innovative approach and application of that of the old concepts. Packet switched data networks have been found to prevail for a considerably sufficient amount of time, and making use of these networks for the purpose of sending voice traffic to and for was an activity that was waiting to prevail. Multiple protocols for the purpose of managing VoIP traffic have been evolved, and these are like H.323, the Session Initiation Protocol -- SIP and the Real-Time Transport Protocol -- RTP. The National Institute of Standards and Technologies -- NIST have come out with a white paper that gives an improved idea of these protocols, and they are inclusive of detailed security analyses for each of the protocols. (Security Considerations for Voice over IP Systems)

Recent research, on the Cisco 7900 series VoIP phones, by Secure Test have revealed about security concerns which ar eto be taken seriously. Secure Test has separately tested the Cisco 7900 since this is probably the most widely used enterprise VoIP solution. Similar problems may as well be present in other vendor products. The systems were found susceptible to both DoS -- denial of service attacks and interception. It is now clear that when phone systems are transferred to an IP network they are susceptible to several of the same security concerns as Ethernet data networks. The more dangerous part of it is that phone systems may be difficult or even impossible to patch. Like several other IP devices Cisco's VoIP phones are vulnerable to ARP -- Address Resolution Protocol spoofing, allowing what is called 'man-in-the-middle' attacks and that includes data interception and packet injection. This means that any VoIP phone can be tapped by anybody else who uses a phone on the same network, and that any individual VoIP phone can crash easily and any VoIP network infrastructure is highly susceptible to DoS attacks. (Allsopp, 2004)

The modern business world is becoming more data-centric than ever before, yet, voice still rules as king. If a person wants to create a client relation, attain a business deal or discuss sensitive information, then it would be normally done over a voice network. At the same time, voice over IP can run foul of traditional security challenges that involve modern data communications, and that includes address spoofing for hijacking a phone number, or Denial of Service -- DoS attacks. This is possible due to a flaw of TCP/IP when the establishing of a connection takes place. Deploying a firewall will take care of such traditional assaults, but cannot deal with the more targeted attack taking place from sniffers and eavesdroppers. Eavesdroppers can easily get special software designed to convert miss-configured IP phone conversations into wave files, which can be played back on ordinary sound players. To take care of such activities and secure voice calls, businesses need to think about encrypting voice. One way is to do this via a virtual private network -- VPN tunnel, which may use AES or DES -- Data Encryption Standard. This will ensure encryption of the signaling and streaming components of a VoIP call. Another option is to make use of secure real time protocol -- SRTP for encrypting the streaming side of the VoIP call. (Porter, 2005)

During the last year, a lot of noise has been made about the alleged security failings of VoIP. The press has continuously warned about voice spam, spyware, phishing, eavesdropping, and Denial of Service -- DoS attacks. There is also a feeling that the firewall and carrier communities are promoting much of this coverage, and they have a vested self-interest in showing VoIP security situation as very gloomy. In fact, VoIP security is probably no worse in comparison to the security of e-mail and traditional phone networks and may be expected to dramatically improve in the future years. The situation today is that most VoIP networks today are independent of one another and this is due to the wide majority of enterprise VoIP networks not accepting external VoIP calls. This makes these networks even more protected against phishing, spam, and forgery of identity. (Mahy, 2005)

Again, the very properties of voice make it an inherently less interesting target for hackers when compared to data files or e-mails as voice cannot be searched or skimmed through. Eavesdropping in a traditional telephone network is comparatively straightforward and the attacker only requires access to the physical line and inexpensive equipment. In comparison, eavesdropping on VoIP in an IP network requires administrator access to the switch along with an attachment to the switch's span or monitoring port. Only this will permit the attacker to gather packets from another switch port. Against this, using a wireless network with a VPN or strong Layer-2 encryption such as Wi-Fi Protected Access -- WPA will provide better security. (Mahy, 2005)



Cite This Term Paper:

"Voice Over IP VOIP Security" (2005, October 13) Retrieved January 21, 2018, from

"Voice Over IP VOIP Security" 13 October 2005. Web.21 January. 2018. <

"Voice Over IP VOIP Security", 13 October 2005, Accessed.21 January. 2018,