Home / Blogs

VoIP Security FUD

By Irwin Lazar Analyst

I’m continually amazed by the amount of FUD being spread with regard to VoIP security threats. People…the sky is not falling. VoIP isn’t e-mail. It isn’t implemented like e-mail, it won’t be implemented like e-mail (maybe “it shouldn’t be implemented like e-mail” is a more appropriate statement). Following best security practices will ensure at least a level of security equivalent to current TDM systems.

Best FUD I’ve heard this week: VoIP is insecure because you can simply put a bridge on an ethernet line and capture a stream. Hey, has anyone ever heard of alligator clips?

Heck, we could use a Thunderbird protocol analyzer ten years ago to listen to calls on our channelized T1s at a previous job site. And, we could do this in a central location because all calls out of our HQ site went through a single set of cables. VoIP is much more difficult to tap, calls, or even individual packets within a single call, can take multiple routes through a network. Tapping a user’s Ethernet port requires the ability to log in to their local switch and span their port, something that requires an account on the switch, and something that ought to be logged (there is that ‘best practice’ thing again).

While the “place the hub” in-line attack could work, it won’t work in environments where the switch is providing line power to the phone (unless you have a line-powered hub), and it won’t work in implementations that use 802.1x to authenticate devices placed on the network. Finally, if you are really concerned about wire-tapping, turn on the encryption capabilities that many VoIP vendors currently support. (In this case, VoIP offers superior security to TDM, how many TDM systems support end-to-end encryption?)

Yes, there are security threats to VoIP, just as there are to any application, or even legacy TDM systems (toll fraud anyone?). But let’s not scare people into thinking that implementing VoIP means that they will fall victim to a non-stop flood of SPAM, SPIT, DoS, Phishing, and a litany of other attacks.

Also read “Is VoIP Ripe for Attack?”, a related NewsFactor Network article on VoIP security where Irwin Lazar, author of this post, is quoted.

By Irwin Lazar, Analyst

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

View All Topics