This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
VoIP (Voice over IP) technology is a voice emerging. It is part of a watershed in the world of communication. Indeed, the convergence of triple play (voice, data and video) is part of the main issues involved in telecommunications today. More recently the Internet has extended partially into each organization's intranet; seeing the total traffic based on IP packet transport network traffic surpass the traditional voice network (circuit switched network). It became clear that in the wake of this technological advance, traders, companies or organizations, and suppliers were required to obtain the benefit single IP transport, introduce new voice and video services.
To be more precise, however schematic, the digital signal obtained by digitizing the voice is broken into packets that are transmitted over an IP network to an application that will do the reverse transformation (packets to the voice). Instead of having both a computer network and a switched telephone network (PSTN), the company can then, thanks to VoIP, all merge on the same network by the fact that the phone becomes the "data". The new capabilities of broadband networks are expected to reliably transfer data in real time. Thus, applications of video or audio conferencing or telephony will invade the IP world, which until then could not reasonably support such applications (response time important, jitter, jitter, QoS-Cos...).
1.1 Advantages of IP telephony
VoIP is providing many new opportunities for operators and users who benefit from a network based on IP. The greatest advantages are the following:
By moving voice traffic to the private network Rtc WAN / IP companies can significantly reduce some costs of communications. Highlighted significant reductions for international calls, these reductions become even more interesting in sharing voice and data IP network between locations (WAN). In the latter case, the gain is directly proportional to the number of remote sites.
Open standards and multi-vendor interoperability
Too often in the past users were locked into a technology choice earlier. VoIP has now been proven both network operators and corporate networks that the choices and changes become less dependent on existing.
Contrary to our belief from the beginning, we now know that the world will not only VoIP H323, but a multi-use protocols as required for necessary services. For example, H323 works in "peer to peer" while operating in centralized mode MGCP. These design differences offer an immediate difference in the operation of terminals considered.
Choosing a service operated
Services operators open VoIP alternatives. Not only can the company make its private network extension of VoIP PSTN operator but the operator itself opens new VoIP transport services that simplify the number of local access to a site and reduces cost. Most often companies operating multi-site networks hire a private link for voice and one for data, maintaining the PSTN local access connections. The new offers VoIP operators also allow the local PSTN access, subscribe to only the media inter-site VoIP.
PABX service distributed or centralized
The PBX network benefit of centralized services such as voicemail, taxation, etc ... This same centralization continues to be secured on a VoIP network without limiting the number of channels. Conversely, a number of services are sometimes allowed in a form of decentralization. This is where the call center where the need is a centralized call number (e.g. hotline), and decentralization of call center agents. Difficult to do in traditional telephony without the use of an IP network to the offset of the remote management of ACD. It is very easy to set up a call center or contact center (multi-channel / multi-media) which has a virtual centralized supervision and information.
Appropriate, to ensure proper use of properly sizing the network link. The use of VoIP is a common medium that can both provide a precise moment a maximum bandwidth to the data, and in another period, a maximum bandwidth to voice, always maintaining the priority.
Implementing IP telephony using client-server architecture based on the well reputed, well-publicized, and unlock Internet Protocol, it is subject to the same security openness of any IP network-based client server system. Unprecedented connectivity of the Internet era has brought significant economic and social benefits, but at the same time posed many new challenges. In a networked world, the Internet security threats are constantly evolving and still ahead of the defense systems of the most advanced.
1.2 THREATS IN IP TELEPHONY
Threats and best practice responses may be identified based on four broad layers of functionality within IP telephony architecture network, session control, applications, and endpoints.
Endpoints: phones, subscribers, and gateways are vulnerable to distributed denial of service attacks as hosts that enable viruses, toll fraud, and eavesdropping.
Applications: like endpoints, software products running on computers can be victims or hosts in distributed denial of service and virus attacks or as spam targets.
Session Control: IP telephony systems have centralized software services to coordinate network resources for the interaction of applications and endpoints.
Network: wireless access points, switches, and routers are susceptible to packet floods caused by viruses and distributed denial of service attacks.
Figure 1: Threats of IP telephony
1.3 DISTRIBUTED DENIAL OF SERVICE ATTACK
The Distributed denial-of-service or distributed denial of service is a type of sophisticated attack to make it crash or mute a machine in the submerging of unnecessary traffic. Several machines at once are the source of this attack (it's a distributed attack), which aims to wipe out servers, subnets, etc... On the other hand, it remains very difficult to counter or avoid. That is why this attack is a threat that many fear.
To better understand the phenomenon, it seems impossible not to consider the most important tools in this area, who owe their fame to the famous attacks that targeted major sites on the net.
A typical network is therefore composed of a master (central) and many remote hosts, also called demons. During the course of the attack, the hacker connects to the master sends a command to all remote hosts (via UDP, TCP or ICMP). These communications may also be encrypted in some cases. Then the remote hosts will attack the final target following the technique chosen by the hacker.
For example, they begin to send up to UDP packets on specified ports on the target machine. This mass of packets will overwhelm the target can no longer respond to any other application (hence the term Denial of Service). Other attacks exist, such as ICMP flood, SYN flood (TCP), smurf attacks, called stealth attacks, attacks by so-called aggressive denial of service (whose aim is indeed to crash completely the target), or type attacks "stream attack". Some tools have even inspired Trojans (see sheet on trojan horses) that install small irc servers allowing the hacker to control through this interface.
1.4 Common attacks involve:
Exploiting mechanisms such as the Internet Control Message Protocol (ICMP) which is used for router-to-host communications and is intended as a method for providing feedback to the host about communications environments
Transmitting a volume of connection requests to the target from phony IP addresses that are never acknowledged in order to overflow the connection management buffer
Broadcasting forged ICMP echo packets to subnets with the target forged as the packet source; the hosts on the subnets respond to the target with ICMP echo packets and overwhelm the target host, network, or network link with bogus packets to cause the denial of service
Clients such as PC based soft-clients and IP phones, as well as telephony and convergence applications servers using operating systems or other foundation software platforms with well known vulnerabilities are affected by DDoS.
DDoS attacks cripple client and server computing systems by causing them to perform unproductive tasks and denying them any resources to perform their intended functions. Left unchecked, such attacks can render telephony systems inoperable. In addition, they can cause enormous amounts of unproductive traffic within the network, denying any bandwidth, routing, or switching resources for transport of telephony control and media traffic such as voice or video.
Protocol tuning in endpoints, applications, and session control:
Software engineers need to establish buffer limits on attempts at malformed packet assembly and session initiation requests. A favorite technique of DDoS attacks is to consume server resources through flooding the server with service requests or malformed packets which consumes processor cycles and leaves no capacity for legitimate applications.
Support for IEEE 802.1Q:
Modern network switches today support IEEE 802.1Q virtual LAN (VLAN) services to segment IP telephony traffic from other network applications and sources. This degree of internal isolation makes it more difficult for compromised PCs or applications to affect IP telephony VLAN-attached endpoint devices.
Support for seamless service continuity:
To maintain quality telephony service for the enterprise and optimize security precautions, communications networks should include fast failover session control services that will quickly backup modules elsewhere in the enterprise network if needed.
Prevent attack damage:
A new product class, the intrusion prevention system, is a powerful arrangement of control software and silicon that performs very rapid and very deep packet scrutiny. Vulnerabilities in protocols such as SIP and H.323, traffic signatures of attacks, and even packet anomalies can be detected and halted in milliseconds before the protected applications and systems are affected. The Digital Vaccine® service closes the gap between vulnerability reporting and network inoculation.
1.7 Operational Practices
Best practices in enterprise security combine products and business practices.
â€¢ Implementing a strategy of not exposing IP telephony session control servers to the Internet
â€¢ Use of telephony protocol cognizant firewalls (such as SIP-capable firewalls) to isolate an enterprise IP telephony system from the Internet
Eavesdropping is not a new or special attribute of IP telephony. Years ago, it was common for users to share a party line and listen, often inadvertently, to their neighbors' conversations. As recently as 1995, analog radio scanners enabled listening to police and emergency networks to hear about the burglary down the street or carchase at the south end of town. Analog cell phones were so open that anyone could eavesdrop on cellular conversations, including significant political or business discussions. At first glance, aspects of IP implementations would appear to make eavesdropping particularly easy. In IP telephony networks, packets are routinely duplicated for audit purposes or packet assembly function.
Therefore, audio signals that are transported as packets can be stored for later retrieval and recombination into cohesive speech. Associating such speech packets with a conversation, however, requires retrieval of telephony call or session details which occurred asynchronously and perhaps through a different network path compared to the speech packets, and correlating them with the reassembled speech packets. Therefore, while it is technically feasible in IP telephony networks to eavesdrop, in practice it is quite hard.
The endpoints and the session control layers are most likely the targets of eavesdropping attacks-one of the endpoints, the gateway, the IP phone, or the PC client is probably the only component directly in the path of the audio stream. The network layer transports all the packets of the corporation, so finding specific IP telephony packets of interest may be difficult. The session control layer is a point of attack since it knows which endpoints are communicating with each other at any moment in time. It could provide the interloper with enough information to induce the network to yield those specific packets or authorize duplicate packet streams to a third IP endpoint.
Encryption is commonly thought to be the most valuable tool against eavesdropping, but it is not without a major cost in processor time, inconvenience, and interoperability. Some of these issues can be alleviated with standards-based encryption systems. In IP telephony, the packet stream is most often delivered as Real-Time Protocol (RTP).
Secure RTP (SRTP)-a current Internet Engineering Task Force (IETF) draft- provides a security profile for RTP specifically addressing IP telephony applications that adds confidentiality, message authentication, and packet replay protection to the packet, SRTP is intended to secure only RTP and the Real-Time Control Protocol (RTCP) streams, not to provide a full network security architecture. SRTP uses the RTP/RTCP header information, along with the Advanced Encryption Standard (AES) algorithm, to derive a key stream algebraically applied to the RTP/RTCP payload. SRTP calls for the Hash-based Message Authentication Code (HMAC) - SHA1 algorithm to be used for packet authentication. There are additional component interactions that can strengthen privacy protection. The session establishment dialog, commonly using Session Initiation Protocol (SIP), is also standardized within a privacy implementation as SIPS and defined in IETF RFC 3261. Within SIPS, call control messages are transmitted within a Transport Layer Security (TLS) encrypted session, at least through the hostile IP environments where prudent policy might indicate the advantage of strong privacy protection in session initiation dialogs. Easier and less costly protection can be achieved with a modern Ethernet switch feature called automatic virtual LAN segmentation (implemented as IEEE 802.1Q).
This technique logically restricts access and packet flow to well-defined and well-understood endpoints. Devices on the IP telephony VLAN are segmented separately from devices on another VLAN and their two traffic flows do not mix. Performance impacts and issues in one VLAN do not impact the other VLAN. Endpoints receive only those packets to which they are entitled. The latest generation of wireless LAN environments assures over-the-air privacy using IEEE 802.11i. The standard enables strong privacy, message integrity, and authentication service. Furthermore, rapid setup of virtual LAN tunnels to maintain addressing and RTP flow integrity let wireless switches deliver call hand-offs from access point to access point or from subnet to subnet. This functionality enables IP telephony deployments over a wireless LAN campus to deliver performance that is consistent with user expectations set by public cellular network service. In addition, wireless switch management capabilities help detect, neutralize, and manage rogue or interfering access points that users may encounter.
2.3 Operational Practices
Using network features like VLAN segmentation to protect against infiltration of the logical segment makes the eavesdropper's task more difficult. Implementing 802.11i authentication services and wireless switching within Wi-Fi environments are essential to successful IP telephony mobility within the enterprise. Generally, encryption is required only where the risk of eavesdropping exceeds the cost of providing privacy service. A useful guideline is the availability of encrypted e-mail within the enterprise. Contents of e-mails are often far more critical and private than content shared in a phone conversation. Therefore, one can expect an enterprise to encrypt e-mail before being concerned about lack of encryption in IP telephony.
3.0 TOLL FRAUD
Toll fraud is long distance service theft with a long history of practice and profitability. Although the attractiveness of stealing long distance (LD) minutes has been diminished by falling LD rates in Canada, the United States, and most European countries, international dialing is a choice target even today. Fraud happens as a result of:
voice mailbox theft-the message "hello" pause "yes" pause "I accept the charge" is recorded on the mail box, allowing third-party pay calls to be sent to the mail box to get permission
calling-card number theft-video capture of dialers or line bridging of public pay phones to obtain dialed digits for unauthorized use and resale
reconfiguration of PBXs-hacking through the maintenance modem, resulting in the ability to configure unauthorized extensions to forward to trunks for long distance theft
Endpoints and applications are most often targets of toll fraud because they enable features for call forwarding and social engineering. Applications, and in particular voice mail, are also targets for toll fraud perpetrators.
Features for avoiding toll fraud are readily available in typical IP-PBX and PBX products.
3.3 Operational Practices:
A critical best practice that can be implemented to avoid toll fraud is training receptionists and call center employees in social engineering avoidance. Training should include information about the cost of toll fraud, the techniques used to perpetrate the fraud, steps to avoid the fraud, and processes for reporting incidences should they occur.
Another practice is to shutdown all unassigned voicemail boxes and take steps to educate users in password selection-avoid simple, easily stolen passwords such as the default password or 1-1-1-1. Periodic password rotation procedures and aging mechanisms do increase the number of calls into IT help desks, but also increase security. Most IP PBXs do not have maintenance ports for remote modem dial up. IP-PBX support professionals often choose to use their browsers with VPN enterprise network access for remote support service or for access to the management system dialog. Therefore, methods for accessing the PBX maintenance ports deserve examination.
Spam-unsolicited e-mail-was recently regulated in the United States by the CANSPAM Act of 2003. Most spam is commercial advertising, often for dubious products. However, as every user can attest, spam is a problem of epidemic proportions on the Internet. Because e-mail accounts can receive ten times more spam than legitimate e-mail, major Internet Service Providers such as AOL, MSN, EarthLink, and Yahoo!. Having implemented strategies and technologies to reduce the volume of junk mail arriving in their users' inboxes. Market estimates indicate that between 38% and 80% of all e-mail in North America, more than 11 billion pieces of e-mail, is spam.
Users are spending significant time, money, and IT resources dealing with spam-related issues. Spam consumes bandwidth and storage space. It also acts as a launching pad for virus attacks on enterprise networks. And, though instances have not yet been reported, an IP telephony version of spam called spit can deliver unsolicited advertising as voice mail or interrupt conversations with injections of nuisance or nonsense words.
Spam most directly affects the applications layer. Some applications such as voice mail as e-mail or read-me services integrate with e-mail services, making them particularly vulnerable to spam.
The Simple Mail Transport Protocol (SMTP) feature should be disabled when read-me e-mail service is not required or enabled as a suitable feature. All other applications should send, but not receive e-mail. And to reduce the incidence and productivity impacts of spam, enterprise e-mail servers can include anti-spam enhancements or modules such as spam-assassin or the 3Com® Email Firewall appliance.
4.3 Operational Practices
E-mail management practices can lessen spam production, distribution, and its effect on IP telephony systems and user services. Effective best practices guarantee that authentication services necessitate server accounts and passwords for sending messages from the SMTP server and receiving them from the POP3 or IMAP4 servers.
Analytical services can eradicate messages written in common spam techniques- such as using all capital letters, including forbidden terms-and delete known harmful attachments or extensions. Spam can also be eliminated by the use of black lists that deny mail from domains of known spammers
Virus is code designed to self-replicate. The code attempts to spread from one computer to another by attaching to a host program. It can damage your hardware, software or data. A computer worm is a type of virus. It generally spreads without user does anything and repeat complete identical copies (possibly modified slightly) of itself across networks. It can exhaust memory or network bandwidth, thus causing the computer to hang. A Trojan is a virus that takes the appearance of a legitimate program but is actually designed to damage your system.
Viruses plague all layers. They clog the network with unnecessary and useless packets and messages, and they exploit weaknesses in the operating systems of session control applications that lead to network instability. Viruses also act as launching pads for DDoS attacks.
Firewall should be used merely for network connections that are utilized to connect straight to the Internet. For example, apply a firewall on a personal computer connected to the Internet directly through a wired modem or dial-up. If you are utilizing the same network connection to connect via the Internet and a home network or business, use a router or firewall which prevents Internet computers from sharing resources present on home computers or company. Avoid using firewall on system connections that you exploit to connect to your domicile or workplace network, unless you can configure it to open ports independently only for your home or corporate network. If you connect via the Internet using your home network or business, you can always use a firewall on the computer or another device like a router, which let you connect to the Internet. For example, if you are connecting to the Internet via a network that you manage and that it uses connection sharing to allow multiple PC to access the Internet, you can mount or enable a firewall just on the shared Internet connection. If you connect to the Internet via a network that you do not control, confirm that the network administrator uses a firewall.
The most up-to-date security update help protect your computer beside security problems, viruses, worms and other threats as and when they are exposed. The following procedures can be adopted:
Mount the latest security updates for Windows and Windows components
Preventing attack damage:
As already described, the intrusion prevention system can prevent virus attacks that exploit vulnerabilities in protocols such as SIP and H.323, traffic signatures of attacks, and even packet anomalies. The IPS proactively detects attacks and prevents them at the network level in milliseconds before the protected applications and systems are affected. The Digital Vaccine service closes the gap between vulnerability reporting and network inoculation. This automatic inoculation methodology reduces dependence on the manual application of complex patches and virus definitions to server and client systems, mandated by software platform and operating systems vendors.
5.3 Operational Practices
Despite their prolific attributes, viruses in enterprise networks can be controlled through vigorous hygiene procedures that remove or quarantine known infectious objects on incoming e-mail. Commercial anti-virus programs from companies like Symantec or McAfee can be deployed on user desktops. These applications provide control of common viruses through active, background tasks such as file and process inspection. Most often these products provide subscription services available as individual or enterprise-wide licenses. The products periodically can check for updates that are automatically downloaded and deployed on the computer.
6.0 What protections afforded to businesses?
You must provide the server that manages IP telephony multiple levels of protection against potential attacks (firewalls, network scindage, etc.).
Most providers of IP-PBX systems offer different methods and tools to significantly reduce the current risks of insecurity
Communications may be encrypted (this requires, however, a surplus of human resources for the central IP-PBX usually do this choice as an option.
Monitor and limit the bandwidth and protect network resources allocated to voice over IP.
The vulnerability scanner SiVus VoIP provides a number of interesting features to assess the level of network security. Its use requires a thorough knowledge of network administration.
IP telephony systems can be made safe, through hardening of the Operating system, by securing network management, in addition to by benefiting of the technologies established for data security. The expenditure of further securing IP telephony must be adequate with the business cost of loss. As with some latest application, IT should update its safety measures policy in general and make sure that it is time and again implemented across technologies, processes, and organizations.