
Voice over IP

IP telephony networks based upon Voice over Internet Protocol (VoIP) are increasingly used within organisations due to the benefits of utilising existing data networking cables to carry voice calls. However, the integration of the two environments brings about additional security challenges, including ensuring that telephony infrastructure is not exposed to common IP-based threats.

Voice over IP has become the method of choice for providing corporate telephony services. It provides unparalleled flexibility for workers both inside and outside the corporate offices. However, unless it is properly configured, there are inherent risks involved in merging data and telephony networks.

Correctly designing and implementing a VoIP network alongside the traditional data network can be a complex task. The aim of testing VoIP networks is to ensure that the privacy of calls and the integrity of the network are maintained, whilst ensuring that the high availability associated with standard telephony networks is not compromised. Additionally, any fraudulent use of the VoIP network can lead to an unexpected bill associated with a high number of calls to national and international numbers.

There are two main aspects to a VoIP security test:

Infrastructure Design and Configuration Review:

The logical design of the VoIP network is reviewed against security best practice. At the same time, the configuration of the call handling servers, phones and network switches is reviewed to ensure that there are no weaknesses that could lead to fraudulent activity.

It is essential that best practice security considerations are followed to maintain proper segregation of the voice and data networks. Different vendors have different approaches to this problem.

Network Based Assessment Against VoIP Infrastructure:

A consultant will connect directly to the telephony infrastructure. The network equipment that supports the VoIP service will be probed and scanned. This includes call servers, phones and switches. A number of tools will be employed to capture, decode and subvert voice traffic where possible. The aim of the assessment will be to subvert the telephone system to obtain free calls or impersonate another user station. Any flaws discovered in the configuration review will be used to further the effectiveness of the assessment.

The deliverable from a VoIP assessment will be a report that describes the current state of information security with regard to the VoIP network and any weaknesses that were identified in the architecture and configuration of any components comprising it.

The return on investment gained from a VoIP test is the increased assurance to the organisation that the telephony network is secure, that telephone calls remain confidential and that there is no possibility of its fraudulent use.