On MovieTome: TRANSFORMERS 2 SPOILERS!

Search:
Go!


Today on CNET
Reviews
News
Downloads
Tips & Tricks
CNET TV
Compare Prices
Blogs
Cell phones| Desktops| Digital cameras| Laptops| MP3 players| TVs| All Categories


Click Here
advertisement

Security Watch : Don't get burned by viruses and hackers.
Make your Internet phone safe
E-mail to a friend
Send us feedback
By Robert Vamosi 
Senior associate editor, CNET Reviews
April 26, 2004

As with most new technology, convenience often demands important security trade-offs. The ability to make long-distance telephone calls over the Internet using Voice over IP (VoIP) is no exception. While Internet calling may save small businesses money, it's vulnerable: hackers can easily get ahold of phone lists, intercept incoming and outgoing phone numbers, or worse, listen in on confidential conversations. Fortunately, there are some considerations you can (and should) make before installing any Internet phone service, to ensure your company a greater margin of safety.

First, you need to understand how Internet phones work. Several different flavors of VoIP are available. Very simple applications use your desktop's built-in microphone and an Internet messenger such as Yahoo IM. Business solutions, however, include Internet-aware telephones (complete with network interface cards) that send voice-signal packets similar to data packets over existing intranet or Internet trunk lines.

Internet phone attacks are possible
Although attacks against Internet phone networks are still rare, they will increase as the technology goes mainstream. VoIP attacks often mirror those against pure data networks and include denial of service, packet reconstruction, and (less commonly) attacks aimed at the operating systems used by VoIP phones themselves. And like data attacks, voice attacks can occur either from within a company or from outside the office.

VoIP attacks often mirror those against pure data networks.
The most likely scenario is that of a distributed denial-of-service attack against your company's Web site. Of course, this wouldn't bring down your Internet phone system if you keep it and your file server on separate networks. It's very tempting, however, for a small business to run both its voice-signal and data transmissions over the same system. In this case, the simplicity and the reduced costs won't justify the loss of both voice and data should your business's sole connection to the Internet go down.

Another scenario involves an attacker sniffing out voice packets from your business's Internet traffic, then reconstructing the packets to intercept phone conversations. With conventional phone systems, attackers must identify the correct pair of wires being used to place a particular phone call and even then can listen in on only one conversation at a time. With VoIP, however, attackers could potentially listen in on all corporate communications (assuming they have the time and resources to reconstruct the calls, of course).

Packet-spoofing (where someone intercepts a call by impersonating voice packets, a man-in-the-middle attack) and message-integrity attacks (where someone could corrupt a message in transit) are of lesser concern, as they are in pure data networks. Nonetheless, these attacks are worth guarding against.

Solutions do exist
Fortunately, there are ways to safeguard your Internet calls. With a little due diligence, you can enjoy the benefits of VoIP without compromising your business's safety.

With a little due diligence, you can enjoy the benefits of VoIP without compromising your business's safety.
Last October, the SANS Institute put out a white paper outlining specific concerns for small to medium-size businesses, particularly when it comes to hiring a third party to administer your VoIP networks.

The SANS Institute recommends that you separate voice and data networks with virtual local-area networks (VLANs), limit physical access to the network rooms, choose switches over hubs, use encryption, and opt for hardwired rather than software-based Internet phone solutions whenever possible. Other recommendations include having firewalls or firewall proxies monitor voice and data, maintaining antivirus software on all systems (either voice or data), and performing regular backups (many VoIP systems include backup capabilities).

If all this sounds like a lot to take care of, it is. Adding VoIP to your business demands adding voice-specific protocols and hardware specific to voice technology that require unique IT expertise. For example, VoIP requires its own set of protocols, such as Session Initiated Protocol (SIP), H.323, MGCP, or Real-Time Transport Protocol (RTP), among others, so you'll need (depending on the size and nature of the company) at least one more IT person specifically trained in VoIP, an option that most small businesses don't have.

Thus, third-party solutions have become attractive. And it makes sense: someone else applies security patches, manages the voice system, and assumes all the risks. The main disadvantage, however, is that if an attacker decides to take out your third-party supplier, it cripples all dependent businesses, including your own. In other words, keep your cell phone handy but also request in writing the VoIP reseller's details regarding updates, patches, and technical support. The up-front costs may seem reasonable, but that doesn't mean the service after the sale will be as affordable.

Got a security question? Let me hear about it!

Security Center
Top antivirus apps
From CNET Reviews
Top antispyware apps
From CNET Reviews
Virus and security alert forums
From CNET Message Boards




4/19/04
Why you should patch Windows today
Usually Robert Vamosi is grousing about Microsoft's bungled attempts to patch its own software, but this time it appears the software giant is actually interested in fixing underlying flaws, not just patching them.

4/12/04
Don't be a Typhoid Mary
Good networks are built on trust, but no matter how many firewalls and antivirus scanners you have, it takes only one Typhoid Mary computer to infect a whole network.

4/5/04
Why I'm not sending you viruses
E-mail spoofing is common these days, so much so that innocent people are getting blamed for spreading the latest wave of Bagle and Netsky viruses. Here's what you need to know about spoofing and why solutions are still years away.

More commentary


More commentary
Buzz Report
Molly Wood
Taking a bite out of hype.
Security Watch
Robert Vamosi
Don't get burned by viruses and hackers.
Fully Equipped
David Carnoy
The electronics you lust for.
On Call
Kent German
Solutions for your wireless woes.
Driving It
Wayne Cunningham
What's hot and what's not in car tech.

Help Center|Newsletters|Corrections|What's New|All Product Reviews|
Search:
Go!

Popular topics: Apple | Antivirus | Cell Phones | Dell | Digital Camera | Firefox 3 | Games | iPhone | iPod | iTunes | Laptops | Norton | PS3 | Verizon | Wii | Xbox 360
CNET.com
About CNET|Today on CNET|Reviews|News|Compare prices|Tips & Tricks|Downloads|CNET TV
Popular on CBS sites: World News | Fantasy Football | Amy Winehouse | Baseball | E3 | Batman | Firefox 3 | iPhone 3G
About CNET Networks | Jobs | Advertise


© 2008 CNET Networks, Inc., a CBS Company. All rights reserved. | Privacy Policy | Terms of Use