Tip

Testing VoIP security with fuzzing

As Voice over IP (VoIP) gains popularity with customers, it will also gain popularity with attackers. With the rise of security threats comes the need for better monitoring and prevention. This tip, reposted here courtesy of SearchVoIP.com, explores

    Requires Free Membership to View

the fuzzing method, which channel professionals can use to test implementation protocols.

Voice over IP security is a popular topic lately, and there is good reason for concern. VoIP is becoming more and more popular, and the more widely used it becomes, the more of a target it will be to those interested in wrongdoing.

There are many attack vectors when it comes to VoIP. It relies on the IP infrastructure so any attack that targets a network can be a potential hazard for VoIP. There is concern regarding VoIP components like the OS a soft-phone is running on or the firmware of a device. There are configuration concerns like devices with exposed TCP and UDP ports. There are the aforementioned IP infrastructure attacks in the form of DoS attacks or SYN flooding. Eventually, no matter what the specific attack, there is a good chance that the attacker is exploiting a weakness in the VoIP protocol that is being used.

The two most popular VoIP protocols are SIP and H.323. Each of these has their pluses and minuses in terms of security and overall effectiveness.

First let's take a look at SIP. SIP is easier to use since it uses textual encoding like HTTP. It's extensible and it can be paired with other protocols. As far as security goes, textual coding makes debugging easier, but it also makes spoofing easier. Since it is a relatively simple protocol, there is less chance of coding errors. Its open nature does create some concern, as easily integrated and extensible protocols can have more implementation errors.

What about H.323? H.323 uses a binary encoding, which makes it difficult to debug and subject to buffer overflow attacks. Its complexity can also lead to implementation errors. It is not very extensible which actually helps the security-wise and it has a monolithic architecture, which means it does not need to borrow functionality from other protocols.

As you can see, each protocol has its pros and cons. Regardless of the protocol your VoIP implementation is using there are some ways you can test the security of these protocols.

One way to test your implementation protocols is with fuzzing. Fuzzing, or functional protocol testing, is a good way to find bugs and vulnerabilities. Fuzzing works by creating different packets for a given protocol and injecting the packets with data that will test the limits of the protocol. The packets are sent to a device, app or OS and the results are observed.

The PROTOS group at the University of Oulu in Finland is responsible for identifying a number of protocol weaknesses. They've published papers that describe methods for testing SIP and H.323.

The more widespread VoIP becomes the more it will come under attack. By taking some initiative now and testing your VoIP implementation, you might be able to prevent a failure in the future.

This tip originally appeared on SearchVoIP.com.


This was first published in March 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.