Just when you think you've finally finished battening down the hatches and locking down your network, evil seeps in through any crack. Now on top of all the other precautions that should be taken, we should brace ourselves against inevitable VoIP attacks.
Granted, anything popular (in widespread use) and convenient makes itself a target due to the nature of the beast. Let that popular and convenient thing be a nascent technology and you've got a recipe for disaster on your hands.
Granted, VoIP is just following the same path as other technologies -- a killer app that's widely deployed with security being addressed only afterward... This follows the path of wireless, instant messaging, email and DNS. The good news is - just like the technologies before it, a bunch of 'best practices' will arise to mitigate the risks as much as possible to make it somewhat operable. The bad news is - the next great, new thing will follow the same path.
And the greatest weapon in a network professional's arsenal is: knowledge. One of the soft spots is that VoIP isn't that well understood by network admins. It's a new technology - and there's so much to learn. You can't get behind the curve on this one. You already know the tricks that the 'bad guys' use and all you have to do is apply the same principles to this new technology. Sounds simple, but I realize it's not. But you can't do that until you understand the technology itself. Then the normal process of wondering... "well, what if someone ____?" should lead you in the right direction.
VoIP may be new, but it's not revolutionary by any means. It's still a voice call combined with networking. There are a lot more 'known' pieces to this puzzle than first meets the eye.
Voice calls are crucial to a functioning business unit. So, naturally, Denial Of Service would be a concern. While you're learning how it works, keep an eye out for how it could be made to not work. What things could make it 'go south' and cripple your business?
Another worry about VoIP is an old saw - interception of traffic. Just like you don't want anyone sniffing your data traffic on the network (or through the air in the case of wireless), you don't want anyone sniffing your voice traffic and listening in to your phone calls. Ah, some familiar principles, right?
At some point, you are probably dealing with a service provider. Well, just like when you deal with intersite connectivity through the Big, Bad Internet, you have to protect the endpoints. So, you already know *where* to look - and as you learn VoIP, keep an eye out for *how* you can do this. [And don't forget that the PEOPLE who work on the Service Provider's network may be new at this too. You can't rely on a provider to take care of everything for you - they may not know how yet.]
Interestingly enough - the Cisco Call Manager runs on a Windows server. Perhaps the time has come when those who 'lowered themselves' enough to learn the 'lowly' functions of the Microsoft Universe become valued in the Cisco world? I was actually told once that it was 'embarrassing' for Cisco Certified engineers to wear MCSE logo shirts. It was as if my 'humble beginnings' as an MCSE were something to be embarrassed about. After all, *real* network guys use Unix and have *always* worked on more important things like networks. To work on the LAN level and configure, operate and deploy SERVERS is something that is just too easy to be bothered with... (until you watch one of them try to do it). And since the Cisco Call Manager server is actually a network device - those who already know the vulnerabilities of Microsoft servers can apply those same principles to protect those systems.
Okay, now think of what happened to email and fax. Spam and phishing. Same thing applies. Just like email and fax, spammers are going to find a low entry point into a large number of targets. It will automate their advertising - expect automated messages on your VoIP phone - or from the spammer's VoIP phone. Also remember that now we have text messaging capabilities. This is another vector for fraudulent links to be sent right to your phone (how convenient). Oh yes... phones run software. Software can have holes and be attacked. Again, think Denial of Service and Spamming you and your closest from your own address/phone book.
And there are the ever-present Social Engineering tactics. These will never go away. No matter what type of technology you invent, there will always be a way to compromise the system through Social Engineering. People who may not fall for any other tactic may feel their buttons pushed a bit too far when told they will be CHARGED for something. Nobody wants to be charged for something they don't want. Companies are forever pushing the "Free Trial" mechanism. And we know it's our fault if we accept a free trial and don't cancel a service we don't want. So we flock to cancel and opt-out in any way necessary. In this way, a plain text message could result in malicious software on your computer. It could also mean a way for a cell phone text message to bring you unknowingly to an Internet site - eating up airtime, etc... And also perhaps installing malicious software on your cell phone. The scary part of this one is that one system could lead to another totally unrelated system. Although some people would argue that an 'air gap' exists between disparate systems - I disagree. Those systems are directly connected -- at the 8th Layer of the OSI 7-Layer model.
Posted by BlueWolf on January 29, 2007 11:08 AM