Security – a Critical Component of VoIP Service
Security is widely regarded by service providers as the single most important component affecting VoIP services on their network. End users reasonably expect their VoIP services to offer the same level of security and privacy as traditional PSTN communications. Unfortunately, new security challenges appear almost daily, thanks to the ever-increasing ingenuity and ruthlessness of attackers. Conventional measures to secure IP data networks are generally inadequate to protect voice traffic, which requires a specialized security approach. In addition to security measures to prevent denial of service attacks, viruses and malware (such as worms), voice traffic requires additional protection from fraud, theft of service and compromised confidentiality of communications, customer information and signaling.
A strong set of security policies and continuous risk assessment are critical to every VoIP service provider in order to protect their networks and internal systems and establish business continuity for services. Brian Riggs, Research Director for Enterprise at Current Analysis, observes that, “Software that detects unauthorized use of VoIP systems, prevents service disruption and eavesdropping, and monitors voice networks for new threats will be vital for businesses....” Best practices, including basics such as timely patching of operating systems, changing software password defaults, segmenting networks so that data and voice traffic don't adversely affect each other, and prioritizing highly-sensitive voice traffic via quality-of-service offerings can help businesses cut down significantly on threats to their VoIP networks.
VoIP – A Summary of Security Threats
Denial of Service Attacks
Denial of Service (DoS) attacks, often due to software vulnerabilities or implementation problems, attempt to tie up network resources or interfere with service protocols and processes so that the proper level of service is denied to subscribers. DoS attacks take several forms. One method is to force the operating system of a network element to fault, either disrupting service or presenting some other undesirable customer experience. Another method is to send false messages for the various protocols used in the service. These false messages can interfere with the correct operation of the service. The so-called “flood” or Distributed Denial of Service (DDoS) attacks are intended to overwhelm network resources. These attacks attempt to force the network element to divert resources such as CPU power or memory to handle false requests for service, leading to a degradation of service. Another denial of service attack can be due to excess traffic on the network, for example, from worms and viruses. Excess traffic can degrade network performance enough that voice packets are delayed or even dropped, possibly causing a degradation in voice quality.
Fraud and/or Theft of Service Attacks
Fraud and/or theft of service attacks are situations where individuals use more services or resources than they are entitled to use. Fraud can cover the spectrum from complete theft (where service is used without authorization by non-subscribers) to partial theft (where more service is used by a subscriber than permitted or paid for). Fraud may also occur if new, advanced features are not adequately protected.
Data Confidentiality and Privacy Attacks
Data privacy issues are concerned with protecting the rights of VoIP users by protecting their personal data. Subscriber data required for providing service may be stored within service provider databases. Typical IP attacks against privacy are directed toward compromising the network elements or databases that contain customer data. Information that VoIP users would consider private is also transported within the voice conversation and the signaling protocol. Private data in the signaling protocol may include, for example, the phone numbers being called by a subscriber, when particular calls were placed and the duration of the calls. Unprotected voice and signaling transported over public or shared IP networks may be susceptible to confidentiality (eavesdropping) attacks.
The Network – A Frontline Security Device
AT&T Wholesale (AT&T Wholesale and its affiliated companies are collectively referred to herein as AT&T) incorporates security as an integral part of its AVOICS (AT&T Voice over IP Connect Service)