Practical aspects of protecting a corporate IP telephony network. IP telephony is easy to break


Despite the maturity of VoIP technology and its widespread use in the corporate and government sectors, its use raises a number of serious security concerns: VoIP calls are relatively easy to monitor, their content is relatively easy to alter, and VoIP systems are susceptible to DoS attacks.

Existing solutions to the problem

Use of proprietary (closed) audio codecs

Some manufacturers propose solving IP telephony security issues by using closed audio codecs. All of the protection rests on the attacker not knowing the audio encoding algorithm; as soon as the algorithm becomes known, the system ceases to be secure. The current trend is for most manufacturers to use open audio codecs, so this method of protection has lost its effectiveness.

Using VLANs

When building an IP telephony system, it is customary to allocate a separate VLAN network to which all IP phones are connected. This method has a number of disadvantages:

  • If an attacker gains access to the VLAN of an IP telephony system, he will have access to all telephone conversations.
  • This solution cannot in any way ensure the security of an IP telephony system built between two or more geographically distributed offices.

VoIP Encryption and Cryptographic Authentication

This method of ensuring security is by far the most reliable. Protection of modern IP telephony systems can be implemented using various protocols such as SRTP, ZRTP and IPSec. However, each of these protocols has a number of significant disadvantages:

  • SRTP and ZRTP use “weak” cryptography: encryption keys of insufficient length or non-cryptographic encryption algorithms.
  • IPSec requires a preliminary key exchange, is often blocked by Internet providers, and in some cases, due to technology limitations, does not allow a secure connection to be established.
  • Beyond these particular disadvantages, all of the mentioned methods of cryptographic protection of IP telephony share a common one: they lack certificates from the FSB of the Russian Federation and FSTEC of the Russian Federation. It follows that the existing methods of IP telephony protection cannot be used in government agencies.

VoIP security solution from JSC InfoTecs

The basis for VoIP protection is the ViPNet CUSTOM VPN solution, which has the following functionality:

  • Encryption and filtering of signaling and voice traffic of all participants in the IP telephony network.
  • Ensures smooth passage of VoIP traffic through NAT devices.
  • Support for virtual addresses, including in SIP, H.323 and Cisco SCCP (Skinny Client Control Protocol), which solves the problem of overlapping IP address spaces in remote offices.

Advantages

  • Allows you to organize the protection of heterogeneous IP telephony systems.
  • Allows you to organize secure interaction between two or more local networks with overlapping IP addressing without changing the topology of these networks.
  • Provides protection for mobile IP telephony users.
  • Ensures the passage of VPN traffic when NAT is in use or the provider interferes with the traffic.
  • Availability of FSB and FSTEC certificates.

The article was written specifically for linkmeup.

=======================

Hello, colleagues and friends. I, Vadim Semenov, together with the network-class.net project team, present a review article that covers the main trends and threats in IP telephony and, most importantly, the protection tools that a manufacturer currently offers (in the language of security specialists: let's consider what tools the manufacturer offers to reduce the vulnerabilities that illegitimate individuals could take advantage of). So, fewer words, let's get down to business.
For many readers, the term IP telephony has long been familiar, as has the notion that this telephony is “better” than public telephony (PSTN): cheaper, rich in additional functions, and so on. And this is true, however... only partly. In analogue (digital) telephony, the subscriber lines (from the subscriber's phone to the exchange or to a PBX extension) and the trunk lines (inter-exchange links) lay entirely within the access and control zone of the telephony provider. In other words, ordinary people had no access to them (or practically none, if you do not count the cable duct). I remember a question on a good old hacker forum: “Tell me how to get access to the PBX?” Answer: “Well, you take a bulldozer, ram the wall of the telephone exchange building, and voila.” And this joke has its share of truth. However, with the transfer of telephony to a cheap IP environment, we also acquired the threats that an open IP environment brings with it. Examples of the acquired threats are the following:

  • Sniffing signaling ports in order to make toll calls at someone else's expense
  • Eavesdropping by intercepting IP voice packets
  • Call interception, illegitimate user posing as legitimate user, man-in-the-middle attack
  • DDoS attacks on the station's signaling servers in order to disable all telephony
  • Spam attacks, sending a large number of phantom calls to a station in order to occupy all its free resources
Despite the obvious need to eliminate all possible vulnerabilities in order to reduce the likelihood of a particular attack, in fact, the implementation of certain protection measures must begin with drawing up a schedule that takes into account the cost of implementing protective measures against a specific threat and the losses of the enterprise from the implementation of this threat by attackers. After all, it is stupid to spend more money on the security of an asset than the value of the asset itself that we are protecting.
Having determined the security budget, we will begin by eliminating exactly those threats that are most likely for the company; for example, for a small organization the most painful thing would be to receive a large bill for long-distance and international calls made at its expense, while for public companies the most important thing is to maintain the confidentiality of conversations. Let's begin our step-by-step consideration in the current article with basic things: providing a secure way to deliver service data from the station to the phone. Next, we will consider the authentication of phones before they connect to the station, the authentication of the station by the phones, the encryption of signaling traffic (to hide who is calling whom) and the encryption of conversational traffic.
Many voice equipment manufacturers (including Cisco Systems) already have integrated security tools, from the usual restriction of the range of IP addresses from which calls can be made to the authentication of end devices using a certificate. For example, the manufacturer Cisco Systems with its voice product line CUCM (Cisco Unified CallManager) began to integrate the “Security by Default” function from product version 8.0 (release date May 2010; version 10.5 dated May 2014 is currently available). What it includes:
  • Authentication of all files downloaded via/from TFTP (configuration files, firmware files for phones, etc.)
  • Encryption of configuration files
  • Verification of the server certificate by the phone when it initiates an HTTPS connection
Let's look at an example of a “man in the middle” attack, when an illegitimate person intercepts configuration files for phones, from which the phone learns which station to register with, which protocol to work on, which firmware to download, etc. Having intercepted the file, the attacker will be able to make his own changes to it or completely erase the configuration file, thereby preventing the phones of the entire office (see figure) from registering at the station, and, consequently, depriving the office of the ability to make calls.

Fig.1 Man-in-the-middle attack

To protect against this, we need knowledge of asymmetric encryption and public key infrastructure, and an understanding of the components of Security by Default, which we now introduce: the Identity Trust List (ITL) and the Trust Verification Service (TVS). TVS is a service that processes requests from IP phones that have no ITL or CTL file in internal memory: the IP phone contacts TVS when it needs to establish whether it can trust a particular service before starting to use it. The station also acts as a repository storing the certificates of trusted servers. The ITL, in turn, is a list of the public keys of the elements that make up the station cluster; what matters for us is that the public key of the TFTP server and the public key of the TVS service are stored there. When the phone first boots, once it has received its IP address and the TFTP server address, it asks the TFTP server for an ITL file (Fig. 2). If one is present on the TFTP server, the phone trusts it blindly, loads it into internal memory and keeps it until the next reboot. After downloading the ITL file, the phone requests a signed configuration file.

Now let's look at how we can use cryptographic tools: signing a file using the MD5 or SHA hash functions and encrypting the hash with the private key of the TFTP server (Fig. 3). The special thing about hash functions is that they are one-way: from the hash of a file it is impossible to perform the reverse operation and recover the original file, and when a file changes, its hash changes too. It is worth noting that the hash is not written into the file itself, but is simply appended to it and transmitted along with it.


Fig.3 Signing the phone configuration file

When forming the signature, the configuration file itself is taken, its hash is computed and encrypted with the private key of the TFTP server (which only the TFTP server has).
On receiving this settings file, the phone first checks its integrity. We remember that a hash is a one-way function, so the phone has nothing left to do except separate the hash encrypted by the TFTP server from the configuration file, decrypt it using the TFTP public key (and how does the IP phone know that key? From the ITL file), compute the hash of the bare configuration file and compare it with what it obtained by decryption. If the hashes match, no changes were made to the file during transmission and it can safely be used on the phone (Fig. 4).


Fig.4 Checking the configuration file with an IP phone

The signed configuration file for the phone is shown below:


Fig. 5 Signed IP phone file in Wireshark

By signing the configuration file, we ensured the integrity of the transferred settings file, but we did not protect it from viewing. From a captured configuration file you can get quite a lot of useful information, for example the IP address of the telephone exchange (in our example 192.168.1.66), open ports on the exchange (2427), and so on. Isn't that important information that you would not want to just “expose” on the Internet? To hide this information, manufacturers provide for the use of symmetric encryption (the same key is used for encryption and decryption). In one case, the key can be entered into the phone manually; in another, the phone's configuration file is encrypted at the station using the phone's public key. Before sending a file to the phone, the TFTP server on which the file is stored encrypts it using the phone's public key and signs it using its own private key (thus we ensure not only the secrecy but also the integrity of the transferred files). The main thing here is not to get confused about who uses which key, so let's take it in order: by encrypting the file with the public key of the IP phone, the TFTP server ensured that only the owner of the paired private key can open it; by signing the file with its private key, the TFTP server confirms that it was the one who created it. The encrypted file is shown in Figure 6:


Fig.6 Encrypted IP phone file

So at this point we've looked at protecting our phone configuration files from being viewed and ensuring their integrity. This is where the Security by Default functionality ends. To ensure encryption of voice traffic and hiding signaling information (about who is calling and where they are calling), additional tools are needed based on the list of trusted certificates - CTL, which we will consider further.
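The sign-and-verify flow of Figs. 3 and 4 and the encrypt-then-sign flow of Fig. 6, as an added example in Go (not code from the article or from Cisco): SignConfig and VerifyConfig model the TFTP server and the phone, with the TFTP public key coming from the ITL rather than from the downloaded file, and EncryptForPhone and DecryptOnPhone model the encrypted file. The configuration text, the key size and the choice of SHA-256, PKCS#1 v1.5 and RSA-OAEP are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for a phone configuration file (not a real CUCM file).
// It carries the kind of data the article says is worth hiding: the address
// of the exchange and an open port on it.
var sampleConfig = []byte("callManager=192.168.1.66\nmgcpPort=2427\nfirmware=EXAMPLE-LOAD\n")

// SignedConfig is what the TFTP server serves: the file plus the signature
// (the hash "encrypted" with the TFTP private key, in the article's wording),
// which travels beside the file rather than inside it.
type SignedConfig struct {
	Body      []byte
	Signature []byte
}

// NewKey generates an RSA-2048 key pair (used for the TFTP server, the phone
// and, in the test, an attacker's key).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SignConfig hashes the file (SHA-256 here; the article mentions MD5/SHA) and
// signs the digest with the TFTP server's private key (RSA PKCS#1 v1.5).
func SignConfig(tftpPriv *rsa.PrivateKey, body []byte) SignedConfig {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, tftpPriv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return SignedConfig{Body: body, Signature: sig}
}

// VerifyConfig is the phone side of Fig. 4: recompute the hash over the body
// and check the signature with the TFTP public key taken from the ITL file
// stored at boot, never from the downloaded file itself.
func VerifyConfig(itlTFTPPub *rsa.PublicKey, sc SignedConfig) error {
	digest := sha256.Sum256(sc.Body)
	if err := rsa.VerifyPKCS1v15(itlTFTPPub, crypto.SHA256, digest[:], sc.Signature); err != nil {
		return errors.New("configuration rejected: signature does not verify against the ITL key")
	}
	return nil
}

// EncryptForPhone is the Fig. 6 case: the file is encrypted with the phone's
// public key (RSA-OAEP), so only the holder of the paired private key can read
// it. A file larger than one RSA block would be encrypted with a symmetric
// file key and only that key wrapped this way.
func EncryptForPhone(phonePub *rsa.PublicKey, body []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, phonePub, body, nil)
	if err != nil {
		panic(err)
	}
	return ct
}

// DecryptOnPhone fails with any key other than the intended phone's.
func DecryptOnPhone(phonePriv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, phonePriv, ct, nil)
	if err != nil {
		return nil, errors.New("not the intended phone: decryption failed")
	}
	return plain, nil
}

func main() {
	tftp, phone := NewKey(), NewKey()
	// Encrypt for the phone first, then sign the ciphertext: secrecy and integrity.
	sc := SignConfig(tftp, EncryptForPhone(&phone.PublicKey, sampleConfig))
	fmt.Println("signature verifies against ITL key:", VerifyConfig(&tftp.PublicKey, sc) == nil)
	plain, err := DecryptOnPhone(phone, sc.Body)
	fmt.Println("phone recovered its file:", err == nil && string(plain) == string(sampleConfig))
}
```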

Telephone exchange authentication

When a phone needs to communicate with the telephone exchange (for example, to negotiate a TLS connection for signaling exchange), the IP phone needs to authenticate the exchange. As you might guess, certificates are widely used for this task too. Modern IP stations consist of a large number of elements: several signaling servers for processing calls, a dedicated administration server (through which new phones, users, gateways, routing rules, etc. are added), a dedicated TFTP server for storing configuration files and phone software, a music-on-hold server, and so on; in addition, the voice infrastructure may include voicemail and a presence server that tracks the subscriber's current state (online, offline, “at lunch”). The list is impressive and, most importantly, every server has its own self-signed certificate and each acts as its own root certification authority (Fig. 7). For this reason, no server in the voice infrastructure trusts the certificate of another server (for example, a voice server does not trust the TFTP server and voicemail does not trust a signaling server), and, besides, the phones must store the certificates of all elements participating in the exchange of signaling traffic. The telephone exchange certificates are shown in Figure 7.


Fig.7 Self-signed Cisco IP station certificates

To establish trust relationships between the elements of the voice infrastructure described above, as well as to encrypt voice and signaling traffic, the so-called Certificate Trust List (CTL) comes into play. The CTL contains the self-signed certificates of all servers in the voice station cluster, as well as of other participants in the exchange of telephony signaling messages (for example, a firewall), and this file is signed with the private key of a trusted certification authority (Fig. 8). The CTL file is the equivalent of the certificates installed in web browsers for working with the HTTPS protocol.


Fig.8 List of trusted certificates

In order to create a CTL file on Cisco equipment, you will need a PC with a USB connector, the CTL client program installed on it, and the Site Administrator Security Token (SAST) itself (Fig. 9), containing a private key and an X.509v3 certificate signed by the manufacturer's (Cisco) certification authority.


Fig.9 eToken Cisco

The CTL client is a program installed on a Windows PC with which you can transfer the ENTIRE telephone exchange to so-called mixed mode, that is, a mode supporting the registration of end devices in both secure and non-secure modes. We launch the client, specify the IP address of the telephone exchange, enter the administrator login/password, and the CTL client establishes a TCP connection on port 2444 with the station (Fig. 10). After this, only two actions will be offered:


Fig.10 Cisco CTL Client

After creating the CTL file, all that remains is to restart the TFTP servers so that they pick up the newly created CTL file, and then restart the voice servers so that the IP phones also reboot and download the new CTL file (32 kilobytes). The downloaded CTL file can be viewed in the IP phone settings (Fig. 11).


Fig. 11 CTL file on an IP phone

Endpoint authentication

To ensure that only trusted endpoints are connected and registered, device authentication must be implemented. In this case, many manufacturers use an already proven method - device authentication using certificates (Fig. 12). For example, in the Cisco voice architecture this is implemented as follows: there are two types of certificates for authentication with corresponding public and private keys that are stored on the phone:
Manufacturer Installed Certificate (MIC). The certificate installed by the manufacturer contains a 2048-bit key and is signed by the manufacturer's certification authority (Cisco). This certificate is not installed on all phone models, and where it is installed there is no need to have another certificate (LSC).
Locally Significant Certificate (LSC). A locally significant certificate contains the public key of the IP phone, signed by the private key of the local certification authority that runs on the telephone exchange itself, the Certificate Authority Proxy Function (CAPF).
So, if we have phones with a pre-installed MIC, then every time the phone registers with the station, the station will request the manufacturer-installed certificate for authentication. However, if the MIC is compromised, replacing it requires contacting the manufacturer's certification authority, which may take a long time. In order not to depend on the manufacturer's certification authority's response time to reissue a compromised phone certificate, it is preferable to use a local certificate.


Fig. 12 Certificates for authentication of end devices

By default, the LSC certificate is not installed on the IP phone; it can be installed using the MIC certificate (if available), or over a TLS (Transport Layer Security) connection using a shared authentication key that the administrator generates manually at the station and enters on the phone.
The process of installing a locally significant certificate (LSC), containing the phone's public key signed by the local certification authority, on the phone is shown in Figure 13:


Fig.13 Installation process of a locally valid LSC certificate

1. After booting, the IP phone requests the certificate trust list (CTL file) and a configuration file
2. The station sends the requested files
3. From the received configuration, the phone determines whether it needs to download a locally significant certificate (LSC) from the station
4. If at the station we have configured the phone to install an LSC certificate (see below), which the station will use to authenticate this IP phone, then we must make sure that, on a request to issue an LSC certificate, the station issues it to the device for which it is intended. For this we can use the MIC certificate (if available), generate a one-time password for each phone and enter it manually on the phone, or not use authorization at all.
The example demonstrates the process of installing LSC using the generated key.
At the station in the IP phone settings mode, we indicate that we want to install an LSC certificate on the phone, and the installation will be successful if we enter the authentication key on the phone, which we defined as 12345 (Fig. 14).


Fig.14 CAPF settings mode on the phone

We go into the phone setup mode and enter our key (Fig. 15):


Fig.15 Authentication key for LSC installation

After this, the installation of the LSC certificate on the phone was successful (Fig. 16):


Fig.16 Security settings on the IP phone

The peculiarity of using an LSC certificate for authenticating end devices is that if the certificate itself is compromised, it can be re-signed with a new private key by the CAPF certification authority of the telephone exchange.
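The CAPF issuance and station-side verification steps above, as an added example in Go (a constructed model, not Cisco's CAPF code): the local CA issues an LSC only against the one-time authentication string and consumes it, and at registration the station accepts only certificates that chain to its own CAPF root and carry the registering device's name. The device name, the key type and the validity periods are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CAPF models the Certificate Authority Proxy Function of the exchange: a local
// CA plus the one-time authentication strings set per phone (constructed model).
type CAPF struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
	auth map[string]string // device name -> pending one-time authentication string
}

// NewPhoneKey stands in for the key pair generated on the IP phone itself
// (P-256 is an assumption; the article does not fix the key type of an LSC).
func NewPhoneKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewCAPF creates the self-signed local root that every LSC will chain to.
func NewCAPF() (*CAPF, error) {
	key := NewPhoneKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "CAPF-local-root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(5, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CAPF{key: key, cert: cert, auth: map[string]string{}}, nil
}

// SetAuthString is the administrator's step in Fig. 14: enable LSC installation
// for one device and define the string that must then be typed on it (Fig. 15).
func (c *CAPF) SetAuthString(device, s string) { c.auth[device] = s }

// IssueLSC signs the phone's public key only if the one-time string matches;
// the string is consumed on first use so another device cannot replay it.
func (c *CAPF) IssueLSC(device, authString string, phonePub *ecdsa.PublicKey) ([]byte, error) {
	want, ok := c.auth[device]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(authString)) != 1 {
		return nil, errors.New("CAPF: authentication string rejected for " + device)
	}
	delete(c.auth, device)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: device},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, c.cert, phonePub, c.key)
}

// VerifyEndpoint is the station-side check at registration: the presented LSC
// must chain to this exchange's CAPF root and must name the registering device.
// If the CAPF key is replaced after a compromise, LSCs signed by the old key
// stop chaining and are rejected here until they are re-issued.
func (c *CAPF) VerifyEndpoint(device string, lscDER []byte) error {
	leaf, err := x509.ParseCertificate(lscDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(c.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	if leaf.Subject.CommonName != device {
		return errors.New("LSC belongs to " + leaf.Subject.CommonName + ", not " + device)
	}
	return nil
}
```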

So, at the moment we have achieved the security of not only downloaded files, but also the authentication of signaling servers from the end devices (IP phones), as well as the end devices themselves from the station. Let us now consider maintaining the confidentiality of conversations by encrypting voice traffic and hiding signaling information.

Conversation encryption - SRTP

Let's consider what the manufacturer currently offers to perform the most popular task - ensuring the confidentiality of conversations.
As a standard, all signaling and voice messages are transmitted in clear text, as shown in Figure 17:


Fig.17 Open message SIP

The Secure Real-time Transport Protocol (SRTP) is a version of the RTP protocol for voice and video transmission, supplemented with mechanisms ensuring the confidentiality and integrity of the transmitted information, not only for RTP but also for RTCP. A voice application that supports SRTP must convert RTP packets to SRTP before sending them over the network, and the reverse operation must be done on the receiving side. The SRTP architecture defines two types of keys: a master key and session keys (for encryption and authentication) (Figure 18). However, SRTP does not regulate the procedure for exchanging master keys; for this it is necessary to use TLS or IPSec. The standardized key exchange solution for SRTP is MIKEY (Multimedia Internet Keying), but protocols such as SDES and ZRTP can also be used.


Fig.18 Making a call using SRTP

SRTP Messaging Process:

  • The phone and server exchange certificates;
  • The phone and server authenticate each other;
  • The phone creates TLS keys for SHA authentication and AES encryption;
  • The phone encrypts the keys using the station's public key and sends. The station decrypts using its private key;
  • The station exchanges TLS keys with each of the phones and begins the secure exchange of telephone signaling messages (the called subscriber's phone rings);
  • The station creates session keys for SRTP SHA authentication and SRTP AES encryption;
  • The station distributes session keys to both phones via a secure signaling connection;
  • The phones begin exchanging voice traffic through a secure SRTP connection (the called person picks up the handset).
Enabling encryption and authentication on Cisco equipment is controlled by security profiles. It looks like this (Fig. 19):


Fig. 19 Security profile on Cisco CallManager

In it we determine in which mode the end devices (phones) will register and operate. With the Non Secure option, neither signaling data nor voice is encrypted; with Authenticated, signaling messages are encrypted but voice is not; with Encrypted, both signaling and voice are encrypted. Encryption of configuration data can also be selected. After creating a profile, you need to assign it to your phone (Fig. 20).


Fig.20 Phone security profile on Cisco CallManager

At this point we have considered the main points of IP telephony security that allow us to counter the main threats to telephony; however, this is only the tip of the iceberg of the overall security of the voice infrastructure. The physical security of the infrastructure needs to be considered separately (see, for example, GOST R ISO/IEC 17799-2005, Code of practice for information security management), and a separate topic could be devoted to network security. I hope that those who read the article to the end were satisfied with it and found the information useful.
I am ready to answer any questions by mail: [email protected]
With the support of the network-class.net project

An IP telephony system must provide two levels of security: system and calling.

The following functions are used to ensure system security:

Preventing unauthorized network access by using a shared codeword. The codeword is calculated simultaneously, using standard algorithms, on the initiating and terminating systems, and the results are compared. When a connection is established, each of the two IP telephony systems first identifies the other; if at least one negative result occurs, the connection is terminated.

  • Access lists that include all known IP telephony gateways.
  • Record access denials.
  • Security functions of the access interface, including checking the user ID and password with limited read/write access, and checking access rights to a dedicated web server for administration.
  • Call security features including user ID and password verification (optional), user status, subscriber profile.

When a gateway establishes a connection with another gateway in its zone, an optional verification of the user ID and password is performed. The user may be deprived of access rights at any time.

Indeed, during the development of the IP protocol, due attention was not paid to information security issues, but over time the situation has changed, and modern IP-based applications contain sufficient security mechanisms. And solutions in the field of IP telephony cannot exist without the implementation of standard authentication and authorization technologies, integrity control and encryption, etc. For clarity, let’s consider these mechanisms as they are used at various stages of organizing a telephone conversation, starting with raising the telephone handsets and ending with a hang-up signal.

1. Telephone set.

In IP telephony, before the phone sends a signal to establish a connection, the subscriber must enter his ID and password to access the device and its functions. This authentication allows you to block any actions by outsiders and not worry that other people’s users will call another city or country at your expense.

2. Establishing a connection.

After dialing the number, the signal to establish a connection is sent to the appropriate call management server, where a number of security checks are carried out. The first step is to verify the authenticity of the phone itself, both through the use of the 802.1x protocol and through public key certificates integrated into the IP telephony infrastructure. This check allows you to isolate unauthorized IP phones installed on the network, especially in a network with dynamic addressing. Phenomena similar to the notorious Vietnamese call centers are simply impossible in IP telephony (of course, provided that the rules for constructing a secure telephone network are followed).

However, the matter is not limited to phone authentication - it is necessary to find out whether the subscriber has the right to call the number he dialed. This is not so much a security mechanism as it is a fraud prevention measure. If a company engineer is not allowed to use long-distance communications, then the corresponding rule is immediately recorded in the call management system, and no matter which phone such an attempt is made from, it will be immediately stopped. In addition, you can specify masks or ranges of telephone numbers that a particular user has the right to call.

In the case of IP telephony, communication problems similar to line overloads in analog telephony are impossible: with proper design of the network with backup connections or duplication of the call control server, failure of IP telephony infrastructure elements or their overload does not have a negative impact on the functioning of the network.

3. Telephone conversation.

In IP telephony, a solution to the problem of protection against eavesdropping was provided from the very beginning. A high level of confidentiality of telephone communications is ensured by proven algorithms and protocols (DES, 3DES, AES, IPSec, etc.) at virtually no additional cost: all the necessary mechanisms (encryption, integrity control, hashing, key exchange, etc.) are already implemented in infrastructure elements, from the IP phone to the call management system. At the same time, protection can be used with equal success for both internal and external conversations (in the latter case, all subscribers must use IP phones).

However, there are a number of issues associated with encryption that you need to keep in mind when implementing a VoIP infrastructure. Firstly, there is an additional delay due to encryption/decryption, and secondly, overhead costs increase as a result of an increase in the length of transmitted packets.

4. Invisible functionality.

Until now, we have considered only those dangers to which traditional telephony is exposed and which can be eliminated by the introduction of IP telephony. But the transition to the IP protocol brings with it a number of new threats that cannot be ignored. Fortunately, well-proven solutions, technologies and approaches already exist to protect against these threats. Most of them do not require any financial investment, being already implemented in network equipment, which underlies any IP telephony infrastructure.

The simplest thing that can be done to improve the security of telephone conversations when they are transmitted over the same cable system as regular data is to segment the network using VLAN technology to prevent ordinary users from eavesdropping on conversations. Good results are obtained by using a separate address space for IP telephony segments. And, of course, you should not discount access control rules on routers (Access Control List, ACL) or firewalls, the use of which makes it difficult for attackers to connect to voice segments.

5. Communication with the outside world.

Whatever benefits IP telephony provides within the internal corporate network, they will be incomplete without the ability to make and receive calls to landline numbers. In this case, as a rule, the task arises of converting IP traffic into a signal transmitted over the public telephone network (PSTN). It is solved through the use of special voice gateways, which also implement some protective functions, and the most important of them is blocking all IP telephony protocols (H.323, SIP, etc.) if their messages come from a non-voice segment.

To protect elements of the voice infrastructure from possible unauthorized influence, specialized solutions can be used: firewalls, application layer gateways (Application Layer Gateway, ALG) and session border controllers (Session Border Controller). In particular, the RTP protocol uses dynamic UDP ports, and opening the whole range on a firewall leaves a gaping hole in the defense. Therefore, the firewall must dynamically determine the ports used for a call, open them when the connection is set up and close them when it ends. Another feature is that a number of protocols, for example SIP, place the connection parameters not in the packet header but in the data body. Therefore, the security device must be able to analyze not only the header but also the body of the packet, extracting from it all the information needed to set up the voice connection. A further limitation is the difficulty of using dynamic ports and NAT together.
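The ALG behaviour described above, as an added example in Go (not code from any product mentioned on this page): it parses a SIP INVITE, takes the media address and port from the SDP body rather than from the headers, opens an RTP/RTCP pinhole only for the duration of the call, and closes it on BYE. The SIP messages, addresses, ports and Call-ID are constructed for the example.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// Constructed minimal SIP INVITE/BYE pair with an SDP body (not complete RFC 3261
// messages): the media address and port live in the body, not in the headers.
const sampleInvite = "INVITE sip:2001@192.168.1.66 SIP/2.0\r\n" +
	"Call-ID: call-0001@example.invalid\r\n" +
	"Content-Type: application/sdp\r\n" +
	"\r\n" +
	"v=0\r\n" +
	"c=IN IP4 192.168.1.10\r\n" +
	"m=audio 49170 RTP/AVP 0\r\n"

const sampleBye = "BYE sip:2001@192.168.1.66 SIP/2.0\r\nCall-ID: call-0001@example.invalid\r\n\r\n"

// Pinhole is a temporary opening for one media stream: RTP on the negotiated
// port and RTCP on the next one, as RTP/AVP media conventionally use.
type Pinhole struct {
	IP   string
	RTP  int
	RTCP int
}

// parseSIP splits a request into method, lower-cased headers and body.
func parseSIP(raw string) (method string, headers map[string]string, body string) {
	head, body, _ := strings.Cut(raw, "\r\n\r\n")
	lines := strings.Split(head, "\r\n")
	method, _, _ = strings.Cut(lines[0], " ")
	headers = map[string]string{}
	for _, l := range lines[1:] {
		if k, v, ok := strings.Cut(l, ":"); ok {
			headers[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return method, headers, body
}

// mediaFromSDP pulls the connection address (c=) and audio port (m=audio) out of
// the SDP body, which is exactly what a header-only packet filter never sees.
func mediaFromSDP(sdp string) (Pinhole, error) {
	var ph Pinhole
	for _, l := range strings.Split(sdp, "\r\n") {
		switch {
		case strings.HasPrefix(l, "c=IN IP4 "):
			ph.IP = strings.TrimSpace(strings.TrimPrefix(l, "c=IN IP4 "))
		case strings.HasPrefix(l, "m=audio "):
			if f := strings.Fields(l); len(f) >= 2 {
				p, _ := strconv.Atoi(f[1]) // "m=audio 0 ..." means the stream is rejected
				ph.RTP, ph.RTCP = p, p+1
			}
		}
	}
	if ph.IP == "" || ph.RTP <= 0 || ph.RTCP > 65535 {
		return Pinhole{}, errors.New("SDP carries no usable audio media: nothing to open")
	}
	return ph, nil
}

// ALG keeps the pinhole table keyed by Call-ID so a BYE closes exactly what its
// INVITE opened.
type ALG struct{ open map[string]Pinhole }

func NewALG() *ALG { return &ALG{open: map[string]Pinhole{}} }

// Handle applies one signalling message and returns the pinhole opened or closed.
func (a *ALG) Handle(raw string) (Pinhole, error) {
	method, headers, body := parseSIP(raw)
	callID := headers["call-id"]
	switch method {
	case "INVITE":
		if !strings.HasPrefix(headers["content-type"], "application/sdp") {
			return Pinhole{}, errors.New("INVITE without SDP: nothing to open")
		}
		ph, err := mediaFromSDP(body)
		if err != nil {
			return ph, err
		}
		a.open[callID] = ph
		return ph, nil
	case "BYE":
		ph := a.open[callID]
		delete(a.open, callID)
		return ph, nil
	}
	return Pinhole{}, nil
}

// Allowed is the data-plane decision for a UDP packet: pass only if it targets
// a media port that live signalling has negotiated.
func (a *ALG) Allowed(ip string, port int) bool {
	for _, ph := range a.open {
		if ph.IP == ip && (port == ph.RTP || port == ph.RTCP) {
			return true
		}
	}
	return false
}
```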

2015. SwitchRay presents an updated solution to protect IP PBX from fraud


SwitchRay Company, a leading supplier of VoIP solutions for retail and wholesale telecom operators, Internet providers, and wireline and wireless networks, announced the availability of a new version of its IP PBX fraud prevention product SR-P7000 v1.1. Unlike other solutions, SR-P7000 v1.1 is an independent platform that is easily compatible with any softswitch to protect operators from loss of revenue caused by various forms of fraud, hacking and other information security violations.

2013. WebMoney Voice - application for secure VoIP communication


The WebMoney payment system has released the WebMoney Voice application (or rather, it is an additional module for mobile client systems), allowing for secure telephone conversations via IP telephony. WebMoney Voice encodes data using special algorithms and virtually eliminates the possibility of interception and eavesdropping of conversations by third parties on any data networks. At the same time, during a confidential call, the sound quality of the interlocutor’s voice is not lost. There is no charge for using the service. The application is currently available for download in Google Play for Android version 3.0.52 and higher. Versions are planned for other mobile platforms.

2012. Telfin protects corporate VoIP communications


Business VoIP provider Telfin has launched a new service, Telfin.VoiceVPN, designed to protect VoIP communications. VoIP carries voice over public Internet channels and over intranets that are not always properly fenced off from the external network, so the voice signal can be intercepted and trade secrets stolen. Telfin.VoiceVPN protects the company's internal network from eavesdropping and sets up a secure channel between remote offices. Each office needs a VPN router (which Telfin sells for 3,200 rubles); connection costs a further 1,000 rubles, followed by a monthly fee of 500 rubles.

2011. BELTEL will sell VoIP solutions to Polycom


System integrator BELTEL has announced that it has been granted authorized reseller status by Polycom. This allows the company to expand its portfolio with products and solutions such as hardware phones that work with Microsoft endpoints, IP-based voice solutions, and Video Border Proxy solutions, which are built to provide secure remote access to UC, VoIP and video functions and to pass multimedia traffic through corporate firewalls.

2010. PhoneUp increases business security and controllability


The BKS-IT company has introduced a new module, "Priority", for its PhoneUp package, extending the call-management powers of certain groups of employees within an IP network built on Cisco technology. With the new module, managers or company security officers can listen to conversations by discreetly connecting to an employee's phone, force a connection with an employee (even if the phone is busy), join an employee's current conversation, and start recording an employee's conversation. Besides the new module, the PhoneUp package includes modules for a unified company telephone directory, video surveillance and employee information.

2009. WatchGuard XTM will provide security for IP telephony


The importance of protecting VoIP communications from threats has grown significantly in recent years, and the trend will only intensify as VoIP traffic volumes grow year on year. WatchGuard Technologies has introduced a new version of its corporate IP network security system, the WatchGuard XTM 8 Series, whose main new features are tools for protecting IP telephony. The system provides VoIP protection and blocking of instant messaging (IM) and P2P applications. The WatchGuard XTM 8 Series also offers application-level security for the SIP and H.323 protocols, which lets commercial VoIP systems be hidden while hardening them against directory harvesting attacks, unauthorized access, input validation attacks and other VoIP threats. The WatchGuard XTM 8 Series is designed for large companies with networks of 1,000 to 5,000 users.

2009. A special course on IP telephony security will be held in Russia

The Informzashita training center has announced a special course on IP telephony security, covering the full range of questions in analyzing and ensuring the security of IP telephony. The course, unique for Russia, examines modern approaches to building an IP telephony infrastructure, vulnerabilities and attacks on its components, protection methods, monitoring systems and methodologies for analyzing the security of a VoIP network. More than 50% of the teaching time is devoted to practical work, in which typical attacks on the IP telephony infrastructure are modeled and the use of protective mechanisms is practised. The server and workstation virtualization used in training lets each participant do the practical work on an individual VoIP network. The course is aimed at information security administrators, system and network administrators responsible for operating VoIP applications, and computer security experts and analysts who define requirements for the security of network resources and for protection against leakage of confidential information through technical channels.

2009. Euro authorities want to listen to Skype

The European Union Agency for the Coordination of National Justice Systems wants to be able to listen in on IP telephony systems, including Yahoo Messenger, InternetCalls and Skype. Currently these VoIP providers are not subject to EU and US interception and data retention laws and, unlike telecommunications companies, they are not required to cooperate with law enforcement agencies. In addition, encryption of communications, as in Skype, makes "forced" listening practically impossible. A meeting of EU legislators on this issue will take place in the coming weeks.

2008. Cisco will secure unified communications

SIP protection for unified communications consists of SIP inspection in the Cisco IOS Firewall to protect voice communications. The innovation lets companies embrace the concept of a distributed enterprise, increase productivity and minimize the threats associated with voice communications. The update turns Cisco Self-Defending Network solutions into a broader system solution that provides overall protection for networks and a wide variety of endpoints, applications and content.

2007. VoIP is difficult to listen to

The widespread use of VoIP services is causing problems for intelligence agencies. Calls via Skype are almost impossible to track and listen to, and if a VPN is used the task becomes several times harder, writes Australian IT. The proliferation of IP telephony operators and the availability of encryption mean that the days of simple wiretapping are over. The intelligence services are working in this direction, recruiting specialists and expanding their technical capabilities, but the salaries of such specialists and the cost of equipment are very high. The government is therefore tempted to introduce regulations requiring VoIP providers to use simplified technologies, which could ultimately weaken network security.

2007. Cisco: IT Security Professionals Are Not Afraid of VoIP

A survey commissioned by Cisco from Vanson Bourne found that viruses top the list of the most important threats: in 2007 they were put first by 55% of respondents (versus 27% in 2006). Unauthorized access to data was named the main threat by 33%, compared with 50% the year before. The number one concern of 38% of IT security professionals was data security, and 33% cited the need to bring processes into compliance with regulatory requirements. None of the respondents expressed "strong concerns" about the security of VoIP, Asterisk or unified communications systems (Internet plus wireline); however, half (49%) agreed that security considerations must be taken into account when deploying IP communications. The survey covered 100 IT security professionals responsible for information protection in companies with more than 1,000 employees.

2007. Skype is committed to improving the security of its software

Skype, the popular peer-to-peer IP telephony operator, plans to enter into a cooperation agreement with FaceTime Communications, a company specializing in instant-messaging security. According to Silicon, Skype will thereby try to give businesses more tools to control IP telephony sessions, in order to promote its service in the corporate sector; a number of similar deals are expected to follow. Skype's intention to make its software a mainstream business communication tool required a change in attitude toward the concerns of enterprise IT managers, who had been unable to control the traffic of the popular telephone system. According to official Skype figures, approximately 30% of its 171 million registered users are business users.

2007. Security experts continue to raise fears about future problems with IP telephony

Companies specializing in network security continue to frighten the world community with the potential threats that will soon befall the many IP telephony users. The absence so far of the long-promised problems is explained by the limited spread of this type of communication, but based on research claiming that by 2010 the number of IP phones in business will more than quadruple, security experts argue that most companies are simply not ready for attacks on their VoIP networks, writes The Register. At the same time, makers of security systems do not hide the fact that they expect rapid growth in the market for IP telephony security systems, and explain their gloomy forecasts by a desire to warn potential clients of the danger in advance. Symantec experts believe the main difficulties of VoIP systems will be related to phishing, Panda Software fears the spread of worms through the traffic of VoIP modules of IM clients or systems like Skype, and ScanSafe representatives argue that VoIP networks will be especially vulnerable to DoS attacks.

2006. American experts create a VoIP security partnership group

A group of American academics and industry experts has been formed to investigate the security issues associated with VoIP technology. The partnership includes the Georgia Tech Information Security Center (GTISC), BellSouth and Internet Security Systems (ISS). Communication services are moving to Internet platforms, and security becomes more important as new convergent technologies are adopted. The researchers plan to analyze the security of VoIP protocols and authentication problems, model VoIP traffic and device behavior, and protect mobile phones and VoIP applications. ISS and BellSouth have provided $300,000 for a two-year research program in which GTISC will develop and evaluate security solutions, and ISS and BellSouth will have access to the results.

2006. Session border controller will help protect VoIP

The development of IP telephony services raises, with all its urgency, a new issue with roots in old problems: the security of VoIP. Experts predict that by mid-2007 hacking and virus attacks on VoIP networks will be commonplace, which cannot fail to worry VoIP solution developers and service providers. However, some basic protection can be organized at the network architecture level with session border controllers (SBCs), which can prevent DDoS attacks, the spread of SPIT (spam over Internet telephony) and virus outbreaks, and can encrypt traffic continuously. SBCs were originally used to set up VoIP sessions across NAT; today they can perform many protective functions thanks to their ability to examine packet contents in real time. In the network, session border controllers hide the user's real address, which minimizes the chance of a DDoS attack or break-in, control bandwidth, maintain QoS and hide the topology of neighboring networks. In next-generation networks the SBC will become an essential element of security, combining flexibility and scalability with reliability and simplicity.

2006. New encryption for VoIP on Windows platform

A new cryptographic technology that protects a VoIP session between two nodes without involving a third party or storing keys separately has been developed by Phil Zimmermann, the legendary author of the PGP encryption software. Zimmermann said the protocol he developed is suitable for any telephone system that supports SIP. Since the new version of Zfone works on Windows, the mass user of peer-to-peer IP telephony systems now has the opportunity to secure their communications thoroughly. The technology has been submitted for approval to the Internet Engineering Task Force (IETF).

2006. VoIP is safer than regular telephony

In the transition from TDM to VoIP networks, service providers face a significant challenge: ensuring the security of voice communications. The telephone network is no longer isolated, and a poorly designed VoIP system can easily fall victim to any common Internet misfortune, from a DoS attack to data interception. Enough technology has now accumulated to solve this problem that one can speak of achieving greater security in IP telephony than in the conventional telephone network, writes Haim Melamed, Marketing Director of AudioCodes, in an article published by Converge. Security is by no means a new concept for telephony systems: for ordinary telephone networks all of today's problems, from eavesdropping to denial of service, were also relevant to one degree or another. Connection to the global network, however, has sharply increased the number of potential attackers able to act against the communication system, and they have an extensive set of proven tools. Previously this required physical access and special equipment, which sharply limited the number of potential criminals.

2006. NetIQ launches VoIP anti-hacking tool

NetIQ has unveiled a VoIP Security Solution that works with Cisco IP telephony and protects against DoS, viruses, worms, toll fraud, eavesdropping and other threats, NetworkWorld reports. The new tool gives administrators real-time information about the operation and availability of the system and warns of any security threats. The solution includes AppManager, which monitors the VoIP environment for security events and configuration changes; AppManager Call Data Analysis, which examines records of incorrect calls and generates a report; and Security Manager for IP Telephony, which records and analyzes security events. Sales of the VoIP Security Solution will begin later this quarter, priced at $6 per IP phone.

2005. VPN for IP telephony from Avaya

Avaya has added a VPN service to its family of IP telephony equipment. This allows business users to securely extend their headquarters communications to employees working from home or temporarily working in insecure network environments. Integrating the new VPNremote software into an IP phone gives employees business-class communications with all the features needed for high-performance, uninterrupted enterprise communications. VPNremote for Avaya 4600 IP Phones allows IP desk phones to be installed quickly and cost-effectively in home or remote offices: the administrator loads the software onto the IP phone, and the employee plugs it into a power outlet, connects it to the home broadband router and enters a password.

2005. VoIPShield Releases VoIP Risk Assessment Tool

VoIPShield Systems has released a new vulnerability assessment solution for VoIP systems (such as Asterisk) that allows organizations to address threats before they affect VoIP services. Built on a threat database, VoIPaudit is comprehensive and scalable. It can monitor the VoIP family of protocols, including the Session Initiation Protocol (SIP), H.323, Cisco Skinny, Nortel Unistim and more. VoIP communications are critical, and VoIPaudit offers an unprecedented level of protection for all VoIP equipment and network devices. VoIPaudit is available today starting at $10,000, which includes training and support.

2005. VoIPSA takes its first steps

Since it started work this year, the IP telephony security organization Voice over IP Security Alliance (VoIPSA) has taken its first major step in protecting VoIP services: it has clearly identified a list of problems and vulnerabilities that attackers can exploit. The project, called the VoIP Security Threat Taxonomy, has been posted for public discussion. It provides comprehensive and detailed definitions and descriptions of potential security threats, which is the basis for building countermeasures, writes Computer Business. Although the organization is aware of serious attacks that exploited VoIP vulnerabilities using fairly simple means, VoIPSA head Jonathan Zar declined to give specific examples. The list of potential problems includes reconnaissance, DoS and DDoS attacks, exploitation of protocol vulnerabilities, eavesdropping, and removal and modification of audio streams.

2005. Juniper Provides VoIP Security

Juniper Networks Inc. has announced Dynamic Threat Mitigation, which allows service providers to offer businesses and consumers advanced network service protection and service assurance, including for VoIP. The system is built into Juniper routers (M series or E series) and does not require customers to install new equipment. The solution identifies attacks by user or application, using dynamic policy management and intrusion detection and prevention methods (against DoS attacks and worm penetration). Given the large number of services provided over IP networks, the use of Dynamic Threat Mitigation is a natural and progressive step.

2005. VoIP security will be under serious threat in two years

Attackers will threaten IP telephony with its own spam and viruses within two years, according to representatives of the well-known telecommunications equipment manufacturer Nortel. Companies that use VoIP, video conferencing and other network-based multimedia services should therefore prepare now for the next stage of protecting their infrastructure, writes Silicon. Company vice president Atul Bhatnager said that for now interference with VoIP service is rather exotic, but hackers are quickly gaining experience, and in the future IP telephony users will face the same problems that attackers have inflicted on conventional data networks: spam and DoS attacks. Two years, however, is enough to prepare and deploy protective systems capable of deep packet analysis.

2005. Motorola+Skype

Motorola and Internet telephony provider Skype Technologies have signed a cooperation agreement, announced at the 3GSM Congress in Cannes. In the first stage of cooperation, the companies will jointly develop new optimized Motorola Skype Ready products for IP telephony. The product line will include a Bluetooth headset, hands-free devices and hardware to protect software and data from unauthorized access. In addition, Motorola plans to release a number of mobile phone models with Internet telephony functions. The handsets will carry IP telephony software developed by Skype, allowing them to work with both cellular and Wi-Fi networks. The partnership will make affordable voice communication over the Internet available beyond users of personal computers and handheld devices: owners of the new Motorola phones will also be able to call anywhere in the world without worrying about huge communication bills.

2004. Cisco CallManager 4.1: Unprecedented Level of Security

Cisco Systems has announced the release of new security features for IP communications systems. The new solution, Cisco CallManager 4.1, provides an increased level of security for voice communications and once again confirms Cisco's leadership in IP technologies. Cisco CallManager 4.1 supports voice encryption on the new Cisco 7940G and 7960G IP Phones, as well as on the more than 2.5 million Cisco 7940G and 7960G IP Phones already installed. Encryption of voice data ensures the confidentiality of telephone conversations, and encryption of signaling protects against manipulation of telephone signaling packets. Cisco CallManager 4.1 interfaces with a wide range of Cisco media gateways, including the Integrated Services Router family. Encryption support on Cisco media gateways complements the Voice over Virtual Private Network (V3PN) and threat protection capabilities already included in these platforms.

2002. New version of Avaya IP Office 1.3 has been released

Avaya has introduced a new version of its VoIP solution for small and medium businesses, Avaya IP Office 1.3. Release 1.3 includes new software and hardware to meet diverse business requirements. The software supports a wider range of Avaya IP phones, improves system security and adds network functionality. The new version serves up to 256 users and supports up to two simultaneous conferences (up to 64 participants each), or more conferences with fewer participants on an expanded hardware platform. Security features include special conference modes and access control using PIN codes. VoiceMail Pro automates number dialing (call by name), and there are also interactive voice response (IVR) functions with an open API.

2002. Avaya introduced a new solution for IP telephony over VPN

Avaya has released a new version of Avaya VPNremote with expanded support for open networking standards. The new solution lets companies quickly and efficiently give remote employees access to all the communication capabilities used in the organization's offices. Avaya VPNremote 2.0 is a software solution that adds secure virtual private network (VPN) access to Avaya IP phones, so that remote employees can work in the corporate network with high-quality communications; the new version supports Cisco Systems and Juniper Networks VPN environments and gives a high level of control and call quality.

2001. PGPfone - secure conversation via VoIP and IM

PGPfone is a program that turns a personal computer or laptop into a secure phone. To provide secure telephone conversations in real time (over telephone lines and Internet channels), it uses audio compression and strong cryptographic protocols. The sound of your voice from the microphone is digitized, compressed, encrypted and sent by PGPfone to the person at the other end, who is also using PGPfone. All cryptographic and compression protocols are negotiated dynamically and transparently to the user, giving a natural interface similar to a regular phone. Public key protocols are used to agree the encryption key, so no secure channel for key exchange is needed in advance.

Practical aspects of protecting a corporate IP telephony network

IP telephony, like any new technology, is surrounded by myths, rumors and speculation that hinder its spread, and many of them concern security. Apologists for traditional telephony argue that since VoIP uses the IP protocol as its transport, all network attacks apply to it, and therefore IP is unsuitable for carrying voice traffic. On the one hand they are right: attacks are indeed possible. However, similar attacks (eavesdropping, subscriber impersonation and others) also apply to traditional telephony (see the sidebar "Cost of interception of information"). Moreover, in traditional telephony these attacks are much easier to carry out but much harder to detect and localize, and the cost of protecting ordinary telephone conversations is several orders of magnitude higher than for the more modern IP telephony. Of course, for the new technology to exchange calls securely, it must be correctly implemented and configured.

Cost of interception of information

A telephone bug, radio bug or other listening device can be bought at any radio market and even in an online store: prices start at 10-30 dollars (without any guarantee of quality). A detective agency will rent such a device for 20-50 dollars plus a deposit for the bug (although this activity is illegal). Ordering professional "wiretapping" costs only 50-100 dollars per hour. Another convenience for attackers is that in many cases radio bugs need no additional power source, let alone battery replacement, since they are powered from the telephone line itself. The telephone lines themselves also pose a threat, because the rooms they pass through can be listened to via the electromagnetic interference and radiation they carry.
More than one article could be written about each of the IP telephony standards and protocols (H.323, SIP, MGCP, Skinny), but that is not the scope of this publication. Nor is it the purpose of this review to describe the security mechanisms of the Voice over IP protocols themselves (for example, H.235 or SRTP), which are an integral part of the voice infrastructure. If one starts with the general principles of IP telephony, one may never get to the topic of its protection. So this article describes a number of practical aspects of the secure use of the successor to traditional telephony.

Dividing the network into segments
The main thing to do when building an IP telephony infrastructure is to separate it from the segments that carry ordinary data (files, email and so on). This can be done either with virtual LAN (VLAN) technology or with firewalls. The first option is more efficient and requires no additional investment, since the VLAN mechanism is implemented in most switches. Such segmentation creates an additional barrier that keeps ordinary users from eavesdropping on conversations.
It is good practice to use a separate address space for the IP telephony segments (for example, from the ranges defined in RFC 1918). If the network carrying voice over IP is large, it cannot do without dynamic addressing via DHCP; in that case two DHCP servers should be used, one for the voice network and one for the data network.

Filtering and access control
Voice gateways connected to the public switched telephone network (PSTN) must reject all IP telephony protocols (H.323, SIP and others) coming from the data segment of the corporate network. Support for IP telephony protocols is often built into Integrated Services Routers, which saves on equipment while supporting the latest technologies; in that case the router's built-in stateful packet filter can watch for anomalies in voice traffic and, for example, block packets that are not part of the call setup procedure. In addition to the filtering and access control mechanisms built into IP telephony components, there are also special solutions that protect elements of the voice infrastructure from unauthorized influence: firewalls (FW), application layer gateways (ALG) and specialized session border controllers (SBC).

Firewall selection
Not every firewall is suitable for protecting an IP telephony network: it must satisfy a number of specific requirements of this voice transmission technology. For example, the RTP protocol uses dynamic UDP ports from a range numbering in the thousands. Trying to allow them all on the firewall opens one big security hole. Therefore the firewall must dynamically determine the ports used for a given call, open them at the start of the telephone conversation and close them at its end.
The second feature is that a number of protocols, such as SIP, place the connection parameters not in the packet header but in the data body (the SDP description of the call). Therefore a regular packet filter that examines only the source and destination addresses and ports and the protocol type is useless here. The firewall must be able to analyze not only the header but also the body of the packet, extracting from it all the information needed to set up the connection.
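As an added illustration (example code written for this edition, not from the original article or any vendor product), the tracker below does what a SIP-aware firewall has to do: it reads the Call-ID and the SDP body of the INVITE and of the 200 OK answer, opens a pinhole only for the RTP port pair negotiated for that call (plus the RTCP port, conventionally RTP port + 1), and closes it on BYE. The three SIP messages, the addresses 10.10.20.15 and 198.51.100.7 and the port numbers are constructed for the example; a real inspector would also handle re-INVITEs, timeouts for calls that never end cleanly, and H.323.

```python
import re
from dataclasses import dataclass


@dataclass
class Pinhole:
    """Media endpoints of one call: (ip, port) of the RTP flow on each side."""
    call_id: str
    inside: tuple
    outside: tuple


class SipPinholeTracker:
    """Opens firewall pinholes from SIP/SDP signalling and closes them on BYE."""

    def __init__(self):
        self.offers = {}     # Call-ID -> media endpoint offered in the INVITE
        self.pinholes = {}   # Call-ID -> Pinhole of an established call

    @staticmethod
    def _parse(msg):
        """Split a SIP message into start line, header dict and body."""
        head, _, body = msg.partition("\r\n\r\n")
        lines = head.split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return lines[0], headers, body

    @staticmethod
    def _sdp_audio(body):
        """Pull the audio endpoint out of the SDP body: c= address and m=audio port."""
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        media = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
        if not (conn and media):
            return None
        return conn.group(1), int(media.group(1))

    def observe(self, msg):
        """Feed one SIP message seen by the firewall."""
        start, hdr, body = self._parse(msg)
        call_id = hdr.get("call-id")
        if start.startswith("INVITE "):
            endpoint = self._sdp_audio(body)
            if endpoint:
                self.offers[call_id] = endpoint
        elif start.startswith("SIP/2.0 200") and hdr.get("cseq", "").endswith("INVITE"):
            answer = self._sdp_audio(body)
            if answer and call_id in self.offers:
                self.pinholes[call_id] = Pinhole(call_id, self.offers.pop(call_id), answer)
        elif start.startswith("BYE "):
            self.offers.pop(call_id, None)
            self.pinholes.pop(call_id, None)

    def allows(self, src_ip, src_port, dst_ip, dst_port):
        """True only for UDP flows on a negotiated RTP port (or its RTCP port + 1)."""
        for p in self.pinholes.values():
            for a, b in ((p.inside, p.outside), (p.outside, p.inside)):
                if (src_ip == a[0] and src_port in (a[1], a[1] + 1)
                        and dst_ip == b[0] and dst_port in (b[1], b[1] + 1)):
                    return True
        return False


# Constructed messages (not captured traffic): the inside phone 10.10.20.15
# calls a peer whose media endpoint is 198.51.100.7.
INVITE = ("INVITE sip:2001@sip.example.net SIP/2.0\r\n"
          "Call-ID: 7f3c@10.10.20.15\r\nCSeq: 1 INVITE\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 10.10.20.15\r\nm=audio 16384 RTP/AVP 0 8\r\n")
OK = ("SIP/2.0 200 OK\r\nCall-ID: 7f3c@10.10.20.15\r\nCSeq: 1 INVITE\r\n"
      "Content-Type: application/sdp\r\n\r\n"
      "v=0\r\nc=IN IP4 198.51.100.7\r\nm=audio 30000 RTP/AVP 0\r\n")
BYE = "BYE sip:2001@198.51.100.7 SIP/2.0\r\nCall-ID: 7f3c@10.10.20.15\r\nCSeq: 2 BYE\r\n\r\n"


def demo():
    """Walk one call through the tracker; returns the allow decisions at each stage."""
    fw = SipPinholeTracker()
    fw.observe(INVITE)
    before = fw.allows("198.51.100.7", 30000, "10.10.20.15", 16384)  # no answer yet
    fw.observe(OK)
    rtp = fw.allows("198.51.100.7", 30000, "10.10.20.15", 16384)     # negotiated RTP
    rtcp = fw.allows("10.10.20.15", 16385, "198.51.100.7", 30001)    # RTCP companion
    stray = fw.allows("198.51.100.7", 30000, "10.10.20.15", 16390)   # other dynamic port
    fw.observe(BYE)
    after = fw.allows("198.51.100.7", 30000, "10.10.20.15", 16384)   # closed on BYE
    return before, rtp, rtcp, stray, after


if __name__ == "__main__":
    print(demo())  # (False, True, True, False, False)
```

The point to notice is that nothing in the IP or UDP header of the 200 OK tells the filter that port 30000 on 198.51.100.7 is about to receive audio; that fact exists only in the SDP body, which is why a header-only packet filter has to choose between blocking the call and opening the whole dynamic range.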

Application Gateways and Border Controllers
Another serious problem that must be addressed before buying a firewall is Network Address Translation (NAT). Because a call is set up on dynamic ports specified inside the request to establish the connection between subscribers, the technique of hiding the network topology by translating addresses makes telephone conversations impossible. The solution is a special application layer gateway (ALG), shipped as a dedicated device or built into a firewall, that understands protocols with dynamic ports (for example, SIP or H.323) and rewrites the addresses and ports carried inside them. Some manufacturers produce only specialized security gateways for VoIP traffic, but when choosing them you should remember that protecting a corporate network still requires a regular firewall that can analyze not only H.323, SIP and MGCP but also the other protocols common in networks: HTTP, FTP, SMTP, SQL*Net and so on.
A number of manufacturers offer session border controllers (SBCs) as a solution to the security problem. In essence these devices are in many ways similar to the application gateways described above.

Anti-spoofing protection
Dynamic addressing in many elements of the IP telephony infrastructure gives attackers a lot of scope: they can pass their own IP address off as that of an IP phone, a call management server and so on. This means the network administrator faces the task of authenticating all participants in telephone conversations, using standardized protocols such as 802.1X, RADIUS and PKI with X.509 certificates. And, of course, the access control rules on routers and firewalls mentioned above must not be discounted, since they make it harder for attackers to connect to the voice segments.
These methods make it possible to deal effectively with rogue connections, in contrast to traditional telephony, where this problem, if it is solved at all, is solved with very expensive means.

Encryption
Encryption is the most effective way to keep telephone conversations secret (see the sidebar "Scramblers and vocoders to protect traditional telephony"). However, this functionality brings a number of difficulties that must be taken into account when building a secure communication network.

Scramblers and vocoders to protect traditional telephony
Among the protection tools, vocoders (voice coders) and scramblers, which encrypt telephone conversations, stand out. Obviously such devices must be installed for all participants in secure conversations. The encryption mechanism is either built into the phone or supplied as a separate device. In the first case the subscriber terminal becomes too expensive (and one has to give up multi-functional and convenient foreign-made telephones); in the second there is almost no possibility of scaling, and using the phone becomes extremely inconvenient. Equipping every subscriber with a scrambler or vocoder is not an easy task, and the question of cost does not go away either: one scrambler costs 200 to 500 dollars. Adding the price of a telephone set and the cost of installing the protective devices gives truly astronomical figures. So this method of protecting traditional telephony cannot be considered economical.
One of the biggest problems is the latency added by the encryption/decryption process. With stream encryption, the latency is much lower than with block ciphers, but it cannot be completely eliminated. This problem is solved by using faster algorithms or incorporating QoS mechanisms into the encryption module.
Another difficulty is the overhead associated with increasing the length of transmitted packets. For the IPSec protocol, the size of the added header is about 40 bytes, which is quite large for 50-70 byte IP telephony packets. However, the speeds of modern networks are constantly increasing, and over time this problem will be resolved. In the meantime, the optimal solution to both problems is the Secure RTP (SRTP) protocol, adopted as a standard in the spring of 2004 (RFC 3711).
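To put the overhead figures above into numbers, here is an added example (not from the original article) that computes per-packet size and per-stream bandwidth for G.711 and G.729 under plain RTP, SRTP and IPSec. It assumes the standard 40-byte IPv4/UDP/RTP header stack, the RFC 3711 default 80-bit (10-byte) SRTP authentication tag without MKI, and takes the article's "about 40 bytes" as the IPSec figure; real ESP overhead varies with mode, cipher padding and ICV length.

```python
"""Per-packet size and bandwidth of a VoIP stream under different protections.

Added example. Header sizes: IPv4 20 + UDP 8 + RTP 12 = 40 bytes. The SRTP
overhead is the RFC 3711 default 80-bit (10-byte) auth tag, no MKI. The IPSec
figure is the article's approximate "about 40 bytes" and is an assumption:
actual ESP overhead depends on mode, block padding and ICV length.
"""

IP_UDP_RTP_HEADER = 40            # IPv4 (20) + UDP (8) + RTP (12), bytes
PROTECTION_OVERHEAD = {           # extra bytes per packet
    "rtp": 0,                     # plain RTP, no protection
    "srtp": 10,                   # RFC 3711 default 80-bit auth tag
    "ipsec": 40,                  # article's approximate added header (assumed)
}
CODEC_BITRATE_KBPS = {"g711": 64, "g729": 8}   # codec bit rates, kbit/s


def payload_bytes(codec: str, ptime_ms: int = 20) -> int:
    """Codec payload carried in one RTP packet of ptime_ms milliseconds."""
    return CODEC_BITRATE_KBPS[codec] * ptime_ms // 8


def packet_bytes(codec: str, protection: str, ptime_ms: int = 20) -> int:
    """Total IP packet size including headers and protection overhead."""
    return (payload_bytes(codec, ptime_ms) + IP_UDP_RTP_HEADER
            + PROTECTION_OVERHEAD[protection])


def stream_kbps(codec: str, protection: str, ptime_ms: int = 20) -> float:
    """One-direction bandwidth of the stream at the IP layer, kbit/s."""
    packets_per_second = 1000 / ptime_ms
    return packet_bytes(codec, protection, ptime_ms) * 8 * packets_per_second / 1000


def overhead_fraction(codec: str, protection: str, ptime_ms: int = 20) -> float:
    """Share of each packet that is header/protection rather than voice."""
    total = packet_bytes(codec, protection, ptime_ms)
    return 1 - payload_bytes(codec, ptime_ms) / total


if __name__ == "__main__":
    # The G.729 row shows why ~40 extra bytes hurts: the 60-byte packet
    # grows by two thirds, while the SRTP tag adds only a sixth.
    for codec in CODEC_BITRATE_KBPS:
        for prot in PROTECTION_OVERHEAD:
            print(f"{codec} {prot:5s} {packet_bytes(codec, prot):4d} B "
                  f"{stream_kbps(codec, prot):5.1f} kbit/s "
                  f"overhead {overhead_fraction(codec, prot):.0%}")
```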

Downtime protection

Although various components of IP telephony are potentially susceptible to denial of service attacks (for failures in traditional telephony, see the sidebar "Call rerouting..."), there are a number of protective measures that prevent both DoS attacks and their consequences. To do this, you can use information security mechanisms built into network equipment, as well as additional solutions:
  • division of the corporate network into non-overlapping segments for voice and data transmission, which prevents common attacks, including DoS, from occurring in the "voice" section;
  • application of special access control rules on routers and firewalls that protect the perimeter of the corporate network and its individual segments;
  • use of an attack prevention system on the call control server and on PCs with voice applications;
  • installation of specialized protection systems against DoS and DDoS attacks;
  • application of special settings on network equipment that prevent address spoofing, which is often used in DoS attacks, and limit bandwidth, preventing the attacked resources from being overwhelmed by a large flow of useless traffic.

Rerouting calls in traditional telephony
Another threat is rerouting calls to other phone numbers, dropping the interlocutor from the line, or "breaking through" the busy signal. For example, in 1989, the hacker group The Legion of Doom gained control of the BellSouth telephone network, including the ability to eavesdrop on telephone lines, reroute calls, masquerade as station technicians, and even disable the 911 emergency communications system. To investigate this incident, 42 experts were brought in, and BellSouth spent $1.5 million on their work. And this does not include loss of reputation and other hard-to-calculate losses.

Management
For remote management, the use of secure access protocols (for example, SSH) is mandatory (in this case, encryption introduces much less delay than when encrypting voice data). If access to any component of the IP telephony network is carried out using a conventional protocol (for example, HTTP), then an indispensable condition for such access must be the use of IPSec or SSL. Otherwise, any attacker will be able not only to intercept all data exchanged with an unprotected element, but also to modify it.
If the cryptography requirement conflicts with performance, then encryption on IP phones or in voice applications on a PC can be dispensed with. Unless, of course, the network is subject to legal requirements to protect all confidential information (including telephone conversations). For example, such a requirement for all US federal structures is specified in section 5131 of the American Information Technology Management Reform Act of 1996.
If you decide not to encrypt voice traffic, it must be separated from all other types of transmitted data using a VLAN. At the same time, voice transmission between offices must be protected using cryptographic transformations. For these purposes, you can use the IPSec VPN mechanism built into routers or install separate encryptors certified by the Russian FSB.

Organizational matters
The main security problem with IP telephony is not dynamically opening ports on the firewall, not NAT, or reduced voice quality as a result of encryption. All these issues have been resolved for a long time and effectively. The main problem is “in the heads,” as Professor Preobrazhensky said in “Heart of a Dog,” or rather, in the underestimation of existing risks and a lack of understanding of new technologies. For example, in many organizations and companies there is a classifier of confidential information processed in an automated system. But only a few organizations also classify voice data transmitted within the IP telephony infrastructure. Meanwhile, information not included in such a classifier is outside the attention of the information security service and turns out to be completely unprotected.

Conclusion
IBM's annual "Security Threats and Attack Trends Report" provides an analysis of the main threats of the past year and gives a forecast for 2005. According to IBM experts, an increase in the number of IP telephony networks will lead to an increase in threats to their existence and uninterrupted functioning. Therefore, it is necessary to take care of protecting the IP telephony infrastructure being implemented or already implemented right now, so as not to regret it later. And it is not as difficult as it seems at first glance. There are technologies that significantly increase the security of VoIP, and they have long been known to information security specialists. Moreover, these technologies are often already embedded in the components used to build a voice-over-IP environment. Which means you just need to use them.

Based on materials from the Daily Sec news agency.