Voice over Internet Protocol Security Vulnerability and Risk Analysis - Literature review Example

?Voice over Internet Protocol Security vulnerability and Risk Analysis: The journey of communication has undergone number of steps and overperiod of time all those means have offered more compared to their predecessors. The late 20th century was seen as the time period where rapid development took place in the world of telecommunications. In modern times different means and mechanisms are being introduced for establishing communication with one another. The aim behind all of them has been to work on those lines that ensure reliable, fast and economical sources that can enable connecting people from across the borders and shores. The progress so made is so immense that people sitting across the continent can get in touch and see each other in matter of few seconds. Different means exist for such concepts. All those means of communication that have existed in history were conducted with a concern and consideration of privacy in them. This is achieved through encryption of data that is being exchanged between the two points. Voice over I.P (VOIP) is one of them. It has gained popularity in recent times and is being widely used .Like every other system in the field of telecommunications; VOIP has its strengths as well as weaknesses. Like every other internet utility, it has its own vulnerabilities and security concerns. This paper looks into the vulnerabilities and risks affiliated with it, further touching on the features being provided by it along with its working principles in brief. The paper also looks into the role of Voice over I.P Security Alliance and its efforts to meeting the demands in terms of narrowing down the vulnerabilities that exist in various forms. Keywords: VoIP, Open standard, Vulnerability, Denial of Service. Introduction: In modern day Voice over I.P technology is becoming ever common amongst the internet users. The users circle is not limited to individual personnel only; rather their use is on the rise in enterprises, commercial businesses, telecom sectors, all have been using this technology to full in recent times(Wallingford 2005). There are certain features that make Voice over I.P the most favorite amongst its users, these features include ease of use, no or little costs, clear voice and data quality and various other features that are top of customers demand list. VOIP is established on the concept of open standards to maximum its use and accessibility (Ellis, Pursell & Rahman,pg 250, 2003). Interoperability is another feature that is making inroads across the platform all over. Having mentioned the features that are being provided by VOIP, a serious concern is being raised about its security aspect. Many a times it is being tagged as vulnerable in terms of security aspects. For this purpose efforts are needed to be in place which will insure the safety of all parameters involved in this. This is possible through study of all those areas which have loop holes in them and further working on those areas will make this a safe source of communication for customers to use. VOIP is a generic term for number of applications intended for establishing connection (Persky 2007); it could be the chat client establishment, the phone call conversation, the SMS service establishment. VOIP makes use of number of protocols that contain both the open protocols and proprietary protocols. Through the use of single broadband line, VOIP enables sending voice signals, data that includes textual format and video format information. The vulnerabilities are not just limited to its usage and application, rather operating systems, and protocols used (McGann & Sicker 2005). Types of calls possible with VOIP: Unicast calls: This kind of calling conversation involves the minimum number of parties, one at each end. It is the SIP or H.323 based call. Mostly the traffic and conversation is not encrypted and hence unsafe. Multi cast calls (limited number of callers): This includes more than two users involved in a conversation at one time. Usually a conference call where the first two establish a connection first and then, either of the two invite third person into the conversation .This too is bound to vulnerabilities without encryption. This kind of conversation and connection is usually termed as topology chain call. Multi cast (Extensive chain): This kind of connection establishment includes conversations held between number of parties, usually in corporate enterprises and business firms. This type of connection is generally characterized as an extended hub (Keagy 2000). Background of VOIP: VOIP as the name implies, makes use of Internet protocol for establishing connection. Contrary to the traditional P.O.T.S system and other analogue sources, which were used for establishing conversation path between given two points. It is possible over a broadband line that supports relatively high speed of internet traffic. Various services are being provided by VOIP applications in modern times, some only allow connecting across the internet while others allow making a phone call from internet to the phone line through their application. The service of VOIP took an upward shoot in early 21st century when number of software applications were established for it (Kelly 2011). The most famous one being Skype that is ubiquitously used all over. Initially, Skype offered limited features and access, but seeing the public interest and orientation, it has been expanded full scale and provides extensive features like call over the internet as well as call from internet to the phone line (Stadler, pg 8, 2009). The use of VOIP applications is on the rise and hot spots in public places provide connection to this service. There are number of reasons to its vulnerability and weak security setup, the first and very basic one being, its interaction with large number of interfaces in form of hardwares, softwares and data networks across the board. Besides other reasons the fragmented nature is considered as one of the reasons for being intensively vulnerable. It makes encryption little difficult. Methodology: The methodology adopted in this research was elaborative in nature and was based on the study of literal work conducted by various experts from time to time and the improvements and recommendations suggested accordingly. Further, an insight was presented into the types of vulnerabilities, their possible impact, circumstances that give rise to such weaknesses, and finally the recommendations and preventive measures. The literature review was conducted in a detailed manner which was aimed at including the work of almost all the notables. Extensive study of research papers helped in studying the advancements and the work and proposals presented from time to time. This study would help in number of ways , firstly highlighting the challenges faced, followed by the solutions proposed in context of the literature review which contains work of various experts from the field of VoIP. Discussion: By critically reviewing the work conducted in this research, it can be deducted that this research paper can serve as a model for implementing VoIP in future keeping in consideration the shortcomings in the existing setup. Since this paper highlights the weaknesses and vulnerabilities along with their possible prevention, therefore it can be used for VoIP implementation. The Methodology and study of literature review would enable us to implement a system that is less prone to the vulnerabilities; this can be achieved by working on all those weak areas that exist in the current standard. For future consideration, preventive measures studied, can help implementing a far more effective system in future. Toll fraud: this one is quite common in practice and observation. The most worrying point about this threat is its invisibility and presence in the setup for a while without being noticed. This kind of vulnerability results from the loop holes and openings that might be left during the remote access can enable intruders to get into the system and penetrate without catching any attention. The headache with this kind of attack is the scanning process and eliminating it out of the system which itself is an extensive task (Ransome & Rittinghouse,pg186, 2005). Eavesdropping: The scope of eavesdropping is not just confined to VOIP applications, it can penetrate in to other applications in equal amount, yet VOIP is the easy target for such kind of malicious attempt. As long as the peers are involved in the network, eavesdropping is bound to enter the network. This kind of attack is possible with a source of penetration into the source (Endler, Collier & Endler,pg 120, 2007). Denial of Service (D.O.S): As the name implies, it restricts users from accessing the interface. VOIP is of large use in emergency situations since it does not need major infrastructure presence, with denial of service attack the target can be such spots and connections that prevent connection establishment in remote places and in emergency situations. These types of attacks can affect the logical connections as well as the physical components of the connection. Such spam attempts often target business interfaces and large enterprises where penetration can provide them with greater benefits. They are mostly like intrude and penetrate when TCP/UDP ports are left open without any watch and observation (Porter & Gough,pg 120, 2007). Denial of Service can result in jittery conversation due to the lag that occurs or the entire web traffic becomes slow and results in slow browsing and exchange of data (Endler, Collier & Endler,pg 122, 2007). SIPTAP: SIPTAP has been a recent addition to the list of threats to VOIP. It is highly penetrative in environments where there is no encryption on the traffic in progress. These are very dangerous in nature and they can intercept not only the phone calls but also make it to the customer’s identity and other valuable information (Ruck 2010). Spoofing: Spoofing mostly involves impersonating as the genuine caller through use of a bogus calling identity. Such sources are of severe concern to financial and government organizations where valuable data is placed online all the time. The receiver does not get to know the purpose of the call and at times exchange of valuable information takes place or the hacker himself penetrates into the profile causing severe damage. Spoofing as an individual act might not bring down the entire setup but information collected here can be of great importance in later use and misuse (Wang 2006). The physical aspects of the security and access are as dangerous and vulnerable as the other factor. Interruption of Service: The network traffic can be brought down to halt through number of ways. This can result from any bug or virus directed towards the receiver end, as well as possibility of a bad protocol. These attacks can lead to intrusion into the personal profiles and private data (Keromytis, 2011). Literature Review: The mid 20th century was dominated by the use of Plain Old Telephone Systems which provided communication across an analogue medium (Jielin 2007). We all are aware of the level of security and protection across the analogue transmission medium. They are the most fragile source of communications. With time, new methods and technologies came to forefront that made things look more lucrative, VOIP is one of them, however it is not free of concerns and security is an equal concern in this case as well. VOIP might be the most suitable option at the moment yet it makes the stakeholders pay and give them a tough time in form of security concerns and weak links. Various research studies have been conducted in this regard by number of experts from the field to identify the threats and recommend solutions that can help securing the network. The work of few of those proponents has been stated in the literature review section below. The entrance of the users is considered as a threat by some experts and is believed that a reason to search for jobs or any other hardware equipment is enough to penetrate into the profile and later perform malicious act. At times the websites even mention the hardware used in form of routers and switches along with the models, this provides a foundation for any hacker with intention to infiltrate. (Persky, page 21, 2007) Once VOIP is installed and put it place, vulnerabilities become part of the system. The need is to establish a nomenclature for safety prior to its usage. Areas of concern include gateway associated security, procedures related to patching, periodic syslog review (Ruck,pg 4, 2010). (McGann & Sicker 2005) in their study on the challenges faced in the field of VOIP segmented the vulnerabilities according to the structure of T.C.P/I.P model. They distributed the vulnerabilities impact into three different categories and stated that the security threats can directly impact the integrity, availability of data and information, and most importantly the confidentiality of any conversation and information exchanged. (Niccolini et.al, 2006) address the issues that are being faced in implementing a full layer security protection layer. In his research it is suggested that authentication measures should be encouraged that are based on verification and confirmation. According to their research, efforts must be made to make the systems anomaly free and for this purpose various techniques should be introduced and implemented. His efforts are complemented by the recommendations of which introduces and advocates the use of SDRS, a system that works mitigating and counteracting SPIT systems through use of various techniques. Spider project (Rebahi et.al, 2007) further looks into the threats and challenges faced in form of SPIT systems and touches on the European frame work. (Porschmann & Knospe, 2008) also contributed towards eliminating the SPIT issue, their study recommended the use of spectral analysis in order to construct voice samples. These samples would enable identifying SPIT. (Schlegel et.al, 2006) present a frame work for eliminating any threat faced. Their frame approach was based on number of steps; it included collection of information prior to establishment of call. The pre call information tracking and during the all information tracking enables collecting sufficient data to allow identify a genuine and fake source at other end. (Quittek et.al,2007) in their research focused on eliminating the SPIT system through use of firewall, a Hidden Turing test was conducted for this purpose to identify spammers and unsolicited request source. Their study focused on elements which are normally missing in normal and genuine calls. (Balasubramaniyan et.al, 2007) research is more based on analogy and assumption. According to their report, users that are engaged in small length calls are likely to be spammers, or at least those who are engaged in a prolonged call are less likely to be outsiders who mean evil business. (Kolan et.al, 2008) conducted a research in a local university to evaluate the possibility of threats and SPIT attacks. Their survey was intended to support their mathematical approach towards their study conducted. The mathematical model would allow calculating the disturbances noticed in the call and possible spammers behind it. Their work mainly relied on previous history of calls conducted. Besides this use of effective antivirus softwares, awareness of the usage of VOIP, ensuring that the call received from other end is coming from a secure source, creation of backup, and multi tier security can help minimizing the threats faced by VOIP and can make it more secured compared to present day situation. Use of protocols and enabling encryption mandatory for all kinds of traffic conducted over the interface will make life safe (DESANTIS, 2008). (Salsano et.al, 2002) in their study focus on the productivity and effectiveness of SIP security mechanism. From their study it was determined that SIP authentication are least economical. An alternate to this approach is recommended in form of Datagram T.L.S. The use of IPSec which is largely favored in I.P transmission and especially in the case of I.P V6, does not hold good in case of VOIP, (Barbieri et.al, 2002) in their study showed that IPSec reduces the performance bench mark by nearly 60 percent. (Seedorf,2006) in his study recommends the use of cryptography for making the traffic safe over VOIP .The process is focused on encoding the public key. (Petraschek et.al 2008) assess the possibility of usage of ZRTP, the protocol makes use of Diffie Hellman key exchange which is based on the usage of verbal authentication key at both ends, this approach is relatively simple yet effective in its own way. Possibility of intermediate intrusion cannot be ruled out in such cases. A more concrete approach towards denial of service menace is recommended by (Reynolds & Ghosal, 2003), where they recommend a multi layer protection scheme against the transport layer of transmission .Their work recommends usage of multi sensors along the whole network, by evaluating the average divergence from the average traffic. This approach is also useful in case of monitoring and preventing flooding effect in T.C.P protocol. Compatibility factor of firewalls: Firewalls might be the suggested solutions against number of threats; however these firewalls must not block the common safe traffic between the users. Up gradation might be needed in this regard to allow compatibility between the two (Ruck 2010). Conclusions: Recommendations: VOIP calls are not encrypted in routine. Encryption can be performed however they create an obstacle in form of incompatibility. A TLS/SSL encryption technique can be handy and can resolve the vulnerability issues (Sl?zak, 2010). Role of VOIPSA: VOIPSA is the administrative body that is looks into the security aspects of entire operations. They create and provide details of links that can pose any threat. VOIPSA should be made more effective in order to fight the challenge faced in form of security threat and vulnerabilities. Research must be conducted in this field and expertise should be hired to eradicate the menace of invasion and privacy breach (Prakash, 2009). Through the research of the work performed by all these proponents it was concluded that denial of service serve as the major vulnerability towards VOIP. Its eradication is possible if and only if heeds are paid in the implementation stage. Efforts need to be made on emergency basis in the field of D.O.S counteracting in order to make the medium a long lasting one and free of security issues. There is an imminent need for mitigating the risks possessed by VOIP, and security must be beefed up in order to make it a safe medium for information exchange. Various tools are available on commercial scale which is believed to provide considerable amount of security, one of them is SiVuS scanner, which aims at highlighting the vulnerabilities in the incumbent and ensures counteracting them(Dwivedi, 2008). The need is to create compatibility amongst the fire walls and VOIP .They should work in coherence and VOIP traffic and working should be enabled in such a way that the firewalls usage does not restrict the normal traffic, rather only malicious content. Preventive Measures: Segmenting of the entire network into Virtual Private Network is the recommended solution against vulnerabilities and threats. Absence of encryption is a concern in terms of the security at this level; however Cisco has encryption enabled in their system with aim to reduce the threats and vulnerabilities by a considerable amount (Persky 2007). However, V.P.Ns are not feasible in all environments since they would limit the scalability of calls being made from a distance. The use of propriety protocols can reduce the probability of vulnerabilities and threats faced. Solution recommended to SIPTAP is the fencing of call management system and encryption of data. The encryption of data and entire traffic is a generic condition that will solve nearly all problems faced in form of vulnerability (Rebahi et.al 2008). Creation of dynamic Host Control Protocol can help reducing the effect of Denial of Service attack. Mapping of physical addresses across the logical address will enable allocating a fixed id to each member and thereby reduce the chance of outsiders making an attempt to disrupt any traffic or induce it with any malicious content. Further, access to physical components of the network should be restricted and other information that can lead to security breach must be withheld from being published on websites and other public traffic domains (Robles, 2004). Bibliography: 1-B. Mathieu, S. Niccolini, and D. Sisalem, page 52–59, (2008). SDRS:” A Voice-over-IP Spam Detection and Reaction System “, IEEE Security & Privacy Magazine. 2-B. Reynolds and D. Ghosal, (2003). “Secure IP Telephony using Multi-layered Protection”. In Proceedings of the ISOC Symposium on Network and Distributed Systems Security (NDSS). 3-C. Porschmann and H. Knospe, (2008). “Analysis of Spectral Parameters of Audio Signals for the identification of Spam over IP Telephony”. In Proceedings of the 5th Conference on Email and Anti-Spam (CEAS). 4-Dempster, B., 2007. “VoIP Security -Methodology and Results”, s.l.: Next Generation Security Software Ltd. 5-DESANTIS, M., 2008. “Understanding Voice over Internet Protocol”, s.l.: US-CERT. 6-Dwivedi, H., 2008. “Hacking VoIP: Protocols, Attacks, and Countermeasures. San Francisco”: No Starch Press. 7-Ellis, J, Pursell, C & Rahman, J.(2003), “Voice, Video, and Data Network Convergence: Architecture and Design, From VoIP to Wireles”s, Academic Press, San Diego. 8-Endler, D, Collier, M & Endler 2007, “Hacking exposed VoIP”, Tata McGraw-Hill Education, New York. 9-Jielin, D 2007, “Network Dictionary”, Javvin Technologies Inc, Saratoga. 10-J. Quittek, S. Niccolini, S. Tartarelli, M. Stiemerling, M. Brunner, and T. Ewald, (2007). “Detecting SPIT Calls by Checking Human Communication Patterns”. In Proceedings of the IEEE International Conference on Communications (ICC). 11-J. Seedorf, (2006). “Security challenges for peer-to-peer SIP”. IEEE Network,20(5):,38–45. 12-Keagy, S 2000,” Integrating Voice and Data Networks”, Cisco Press. 13-Kelly, TV 2011, “VoIP For Dummies”, John Wiley & Sons, Indianapolis. 14-Keromytis, A. D., 2009.” A Survey of Voice over IP Security Research”. p. 16. 15-Keromytis, AD 2011, Voice Over IP Security:”A Comprehensive Survey of Vulnerabilities and Academic Research”, Springer, New York. 16-McGann, S & Sicker, DC 2005, “An Analysis of Security Threats and Tools in SIP-Based VoIP Systems”, University of Colorado, Colorado. 17-M. Petraschek, T. Hoeher, O. Jung, H. Hlavacs, and W. N. Gansterer,( 2008). “Security and Usability Aspects of Man-in-the-Middle Attacks on ZRTP”. Journal of Universal Computer Science, 14(5):673–692. 18-Persky, D 2007, “VoIP Security Vulnerabilities', SANS Institute InfoSec Reading Room”, p. 125. 19-P. Kolan, R. Dantu, and J. W. Cangussu, (2008). “Nuisance of a Voice Call. ACM Transactions on Multimedia Computing, Communications and Applications (TOMCCAP)”. 20-Porter, T & Gough, M 2007, “How to Cheat at VoIP Security”, Syngress, Rockland. 21-Prakash, A., 2009. “Information Systems Security”. Kolkata, India, Springer. 22-Ransome, JF & Rittinghouse, JW 2005, “VoIP Security”, Digital Press, Boston. 23-R. Barbieri, D. Bruschi, and E. Rosti,( 2002). “Voice over IPSec: Analysis and Solutions”. In Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC), pages 261–270. 24-Rebahi, Y., Pallares, J.J., Kovacs, G., Minh, N.T., Ehlert, S., Sisalem, D,( 2008).: “Performance Analysis of Identity Management in the Session Initiation Protocol (SIP)”. In: Proceedings of the IEEE/ACS International Conference on Computer Systems and Applications (AICCSA), pp. 711–717. 25-Robles, F., 2004. “The VoIP Dilemma. SANS Institute InfoSec Reading Room”, p. 12. 26-R. Schlegel, S. Niccolini, S. Tartarelli, and M. Brunner,( 2006). “Spam over Internet Telephony (SPIT) Prevention Framework”. In Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM), pages 1–6. 27-Ruck, M 2010, “Top Ten Security Issues Voice over IP (VoIP), Project VoIP Security”, p. 8. 28-Sl?zak, D., 2010. “Security Technology :International Conference Proceeding”s. Berlin: Springer. 29-S. Niccolini, R. G. Garroppo, S. Giordano, G. Risi, and S. Ventura, (2006), pages 47–52.” SIP Intrusion Detection and Prevention: Recommendations and Prototype Implementation”. In proceedings of the 1st IEEE Workshop on VoIP Management and Security (VoIP Mase). 30-S. Salsano, L. Veltri, and D. Papalilo, (2002). SIP Security Issues: “The SIP Authentication Procedure and its Processing Load. IEEE Network”. 31-Stadler, J 2009, “An Investigation Into Skype Technologies S.A”., GRIN Verlag, Mu?nchen. 32-V. Balasubramaniyan, M. Ahamad, and H. Park, (2007). Call Rank: “Combating SPIT Using Call Duration, Social Networks and Global Reputation”. In Proceedings of the 4th Conference on Email and Anti-Spam (CEAS). 33-Wallingford, T. (2005), “Switching to VoIP”, O'Reilly, Beijing. 34-Wang, W 2006, “Steal This Computer Book 4.0: What They Won't Tell You About the Interne”t, No Starch Press, San Francisco. 35-Y. Rebahi, S. Ehlert, M. Theoharidou, J. Mallios, S. Dritsas, G. F. Marias, L. Mitrou, T. Dagiuklas, M. ?vgoustianakis, D. Gritzalis, B. Pannier, O. Capsada, J. Markl, M. Citron (2007), “Technical Report SPIDER-D2”. Read More