Tip

VoIP protocols: Security vulnerabilities

Voice over Internet Protocol (VoIP) has arisen as the next budget-saver technology for enterprise communications. However, VoIP security has come into question, especially with respect to the two standard VoIP protocols: H.323 and Session Initiation Protocol (SIP). In this guide, value-added resellers (VARs) and networking consultants will learn about these weaknesses, as well as methods for protecting their customers' networks.

VoIP protocols: A technical guide

Today, many companies are replacing traditional telecommunications services with VoIP, using their own IP network infrastructure to slash phone bills and increase productivity. However, IP telephony terminals, call servers, proxies and gateways create new attack targets, and converged voice/data networks can fall victim to new exploits.

Learn more about the rise of VoIP, its protocols and what it has to offer consultants who implement it on their customers' networks.

Understanding VoIP protocols

VoIP hardware uses unique protocols to initiate calls over the network. This tip examines H.323 and SIP for VARs and network consultants who manage their customers' VoIP telephony projects.

VoIP phones, Voice over Wi-Fi handsets and PC-based "soft phones" send H.323 or SIP messages over private or public IP networks to register themselves and initiate calls. The analog voice is then digitized, encoded, compressed and transported by Real-Time Transport Protocol (RTP)/User Datagram Protocol (UDP)/IP packets, routed between the calling and called parties. Most VoIP products employ one of the following two standard protocols to accomplish this:

Get more information on the two main VoIP protocols.

VoIP protocol insecurity

H.323 and SIP, the two main protocols used by VoIP hardware, are both plagued with security issues that network consultants and systems integrators should be aware of when deploying VoIP. This tip examines some of these inherent weaknesses.

Like many Internet protocols, SIP was designed with simplicity, not security, in mind. And, although H.323 was created to meet broader goals, security issues have plagued it as well. Some vulnerabilities are inherent in the protocols themselves; others have been introduced by the developers who turn these standards into products.

Get more information on the VoIP protocol security issues, and how they can be reconciled.

How to use fuzzing to deter VoIP protocol attacks

Standard VoIP protocols are rife with security issues. However, with fuzzing, VARs and systems integrators can identify and patch most of these weaknesses. This tip examines this technique and offers a few examples.

Functional protocol testing, also known as "black-box testing" or "fuzzing," sends many diverse input messages to a vendor's implementation, exercising error handling routines and generating conditions never anticipated by the protocol designers or software developers. Fuzzers systematically send test messages, randomly or sequentially, within the framework defined by a given protocol specification. The implementation undergoing testing is observed for buffer overflows, unhandled exceptions and unexpected behavior.
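
The loop described above, as an added example that is not part of the original tip: a sequential fuzz harness that mutates one element of a valid SIP request at a time and records whether the code under test accepts it, rejects it cleanly, or raises an unhandled exception. The parser `toy_parse` (with two deliberate defects), `ParseError`, `mutations`, `run_fuzz` and the sample INVITE are all constructed for illustration and run in-process, with no network traffic.

```python
class ParseError(Exception):
    """Clean, expected rejection of a malformed message."""
# Constructed sample request, not captured traffic.
VALID_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

def toy_parse(msg):
    """Hypothetical parser under test, with two deliberate defects."""
    head, sep, body = msg.partition("\r\n\r\n")
    if not sep:
        raise ParseError("missing end of headers")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ")  # defect: assumes exactly 3 tokens
    if version != "SIP/2.0":
        raise ParseError("bad version")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ParseError("header without colon")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))  # defect: unchecked int()
    if length != len(body):
        raise ParseError("Content-Length mismatch")
    return method, headers

def mutations(valid):
    """Yield (label, message) cases, each altering one element of the request."""
    yield "baseline", valid
    yield "bad-version", valid.replace("SIP/2.0\r\n", "SIP/9.9\r\n", 1)
    yield "no-terminator", valid.rstrip("\r\n")
    yield "double-space", valid.replace("INVITE sip:", "INVITE  sip:", 1)
    yield "non-numeric-length", valid.replace("Content-Length: 0", "Content-Length: zero")

def run_fuzz(parser=toy_parse, seed=VALID_INVITE):
    results = {}
    for label, msg in mutations(seed):
        try:
            parser(msg)
            results[label] = "accepted"
        except ParseError:
            results[label] = "rejected"
        except Exception as exc:  # anything else is an unhandled exception
            results[label] = "CRASH " + type(exc).__name__
    return results
```

Each `CRASH` entry marks an error path the parser's author never anticipated; the fix is to turn it into a clean `ParseError` and rerun the same cases as a regression check.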

Learn more about the practice of fuzzing for testing VoIP security.

About the author:
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications.

This was first published in April 2007
