Originating Author: Kaushik Das
Enterprises are showing strong interest in wireless voice technology over standard WiFi networks because of its attractive features, such as lower phone bills, centralized management, and fast deployment. However, these wireless voice networks are susceptible to the usual attacks: viruses, spam, phishing, hacking, stolen data, denial of service (DoS), voice injection, man-in-the-middle attacks, call hijacking, eavesdropping, etc. The security of these networks becomes a major concern for enterprises because IT managers have little or no knowledge of how to protect voice networks.
In addition to the threats associated with over-the-air communication on a Wi-Fi LAN or WAN, wireless voice communication is also vulnerable because of the VoIP network, the networking devices, the servers and their operating systems, the protocols, and the phones and their software.
Because of these vulnerabilities, the following are at risk:
- Call information: Information about a call is as valuable as the voice content itself. A hacker can target an unsecured or compromised signaling server, which is used to transmit and manage calls, to obtain call information such as call durations, incoming and outgoing call numbers, and call parameters. This information can be used to track user conversations and call records.
- Voice conversation: This is the most sought-after target on any wireless voice network. If your enterprise voice network is insecure, an attacker could capture and reassemble voice packets in order to regenerate the entire conversation.
- Ongoing calls are also vulnerable to hijacking. Calls could be intercepted between source and destination and redirected as the hacker wishes. The consequences could be spoofing and identity theft, making data integrity a major risk.
- Complete denial of service is another risk, where the entire organization's network would come to a standstill, leading to direct and indirect business losses and more serious repercussions.
IT managers are now concerned about fraud detection and prevention, unauthorized access, and privacy on enterprise wireless voice networks. Voice systems, which encompass traditional PBXs, Voice over IP and multimedia servers, voice messaging and unified messaging platforms, and voice gateways, have evolved from closed and standalone to open and integrated into corporate networks. The evolution and increased complexity of these systems, combined with the migration to IP, has direct implications for security management. With ever-increasing complexity, wireless networks are becoming susceptible to security breaches. Moreover, Internet connectivity is aggravating these security vulnerabilities.
Complexity grows with the increasing deployment of hardware, software, protocols and applications to support new-age voice networks, which in turn require proper security management. Further, the transmission of voice packets over corporate data networks and the Internet introduces a new issue: content privacy. Nonetheless, voice systems on a WAN can invite security threats from anywhere.
Capabilities of secured voice communication over WiFi networks
Enterprises like to secure voice communication, i.e., secure both voice calls and voice mail. When implemented, the capabilities of such a feature are to:
- Enable the enterprise to exercise total control over its own site coverage with full security.
- Enable the enterprise to achieve continuous, secure access to critical personnel anywhere on the premises.
- Protect vulnerable communication, making eavesdropping and tampering extremely difficult.
- Implement end-to-end encryption that ensures maximum security for the enterprise.
- Protect privacy by employing sophisticated technology that deters any interception of user conversations with rock-hard reliability.
- Enhance productivity by giving peace of mind to users carrying on conversations.
Operational goals of secured voice communication over WiFi networks
Expected effects on the IT budget
A significant issue for an IT manager is to implement an effective, reliable, cost-effective security solution with a low total cost of ownership (TCO). This is particularly true since all the benefits of the system will accrue to business operations, while the IT budget will have to absorb an increase in infrastructure spend.
The security initiative
Key analysis milestones:
Analyze Phase
- Multiple points of entry due to dependence on the enterprise's common data networks
- Open voice mailboxes of former employees
- Un-initialized and abandoned voice mailboxes
- Remote access ports for administration and maintenance. Generally, the standard sets of logins and passwords are never changed.
- Integration with the corporate data network to provide access to voice mail via telnet. Voice systems that are IP-enabled but not segregated into separate domains are vulnerable to attack from anyone on the network.
- Easy availability of hacking tools such as packet sniffing software that enable anyone to capture and view IP packets. Legacy voice systems are vulnerable because they do not use any server-side encryption technique, so logins and passwords can easily be captured from packets.
- Other standard security problems such as viruses and data tampering, since these voice applications are generally deployed on Windows-based platforms.
Key considerations and design milestones
The first and foremost step is to draft a comprehensive security policy that identifies roles and responsibilities for each level of the organization.
- It is strongly recommended to have a separate virtual LAN for voice. This will keep data on the voice network separate and hidden from those connected to the data network.
- Regularly monitor traffic patterns on the wireless voice network. Any irregularity will help you identify break-in attempts on your VoIP network.
- If possible, physically secure the voice servers from internal as well as external intruders who can intercept data using sniffing techniques.
- Multiple layers of encryption are required. Use encryption techniques to encrypt data packets as well as call signals. You can use Secure Real-time Transport Protocol (SRTP) to encrypt communication between endpoints or Transport Layer Security (TLS) to encrypt the entire call process.
- Firewall your equipment.
- Keep your voice network separate from direct Internet access.
- Avoid using software to make calls. Software is always prone to hacker attacks and viruses. Also, software does not separate voice and data.
- Make sure that only devices and users who are authenticated and pre-approved gain access to the voice networks.
- Configure gateways with a list of authenticated users so that only those who are allowed access can make and receive VoIP calls.
- Use remote management only when highly necessary, and use it over Secure Shell (SSH) or IPSec (IP Security).
- Identify and remove unused resources.
- Change passwords at regular intervals.
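As an added example (not part of the original article), the following Python check applies four of the design points above to a single call setup message: voice VLAN separation, TLS for signaling, SRTP for media, and the gateway's list of approved users. It assumes SIP with an SDP body as the signaling protocol, which the article does not name; the subnet, the user list, and the function names are hypothetical.

```python
import ipaddress
import re

# Assumed site policy (hypothetical values): voice VLAN subnet and gateway allowlist.
VOICE_VLAN = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_USERS = {"alice", "bob"}

def audit_invite(raw, src_ip):
    """Return policy findings for one SIP INVITE; an empty list means compliant."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # keep topmost Via
    findings = []
    # Voice VLAN separation: signaling must originate inside the voice subnet.
    if ipaddress.ip_address(src_ip) not in VOICE_VLAN:
        findings.append("source outside voice VLAN")
    # Signaling encryption: the topmost Via header must name TLS as transport.
    if not headers.get("via", "").upper().startswith("SIP/2.0/TLS"):
        findings.append("signaling not over TLS")
    # Gateway allowlist: the user part of the From URI must be pre-approved.
    m = re.search(r"sips?:([^@>;]+)@", headers.get("from", ""))
    if not m or m.group(1).lower() not in ALLOWED_USERS:
        findings.append("caller not on gateway allowlist")
    # Media encryption: each audio m= line must offer an SRTP profile
    # (RTP/SAVP, RTP/SAVPF or the DTLS-SRTP variants), not plain RTP/AVP.
    for line in sdp.split("\n"):
        fields = line.split()
        if line.startswith("m=audio") and (len(fields) < 3 or "SAVP" not in fields[2]):
            findings.append("media offered as plain RTP")
    return findings

def make_invite(transport, user, profile):
    """Build a constructed sample INVITE (not a real capture) for the audit."""
    return (
        "INVITE sip:bob@voice.example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport} 10.20.0.15:5061;branch=z9hG4bK776\r\n"
        f"From: <sip:{user}@voice.example.com>;tag=1928\r\n"
        "Content-Type: application/sdp\r\n\r\n"
        f"v=0\r\nc=IN IP4 10.20.0.15\r\nm=audio 49170 {profile} 0\r\n"
    )

if __name__ == "__main__":
    print(audit_invite(make_invite("TLS", "alice", "RTP/SAVP"), "10.20.0.15"))
    print(audit_invite(make_invite("UDP", "mallory", "RTP/AVP"), "192.168.1.50"))
```

The check reads only the long-form `Via` and `From` headers; SIP's compact header forms (`v:`, `f:`) would need to be mapped before auditing real traffic.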