Security In Voice Over IP Converged Networks
dotslash writes: "This article at Internet Telephony Magazine has a very interesting analysis of security issues created by converging data and telephony networks with VoIP: "When the phenomenon of "convergence" between telephony and Internet started, it also brought closer the world of the phreaker and the hacker. VoIP brings all this to the next level. Unfortunately, the security inherent in VoIP solutions is equivalent to that of the early Internet: Non-existent.""
Anyone equipped with a standard issue electrician's butt-set can walk up to a house, pop open the telco terminal and listen/make phone calls on any line in the house. Same goes for corporate lines.
"Virtually no security" is an improvement over "_no_ security."
I think the main concern with using OpenSSL is that it is too slow for real-time data.
Just think of the amount of packets you have to crypt/decrypt per second.
If we assume 44 kHz, 16-bit (depends on the ADC/DAC I guess) data, well that's a lot of packets.
No one wants to have a 1-2 second delay in their phone conversation.
Having worked in the subject area for some time, I can assure you that running VoIP and even video conferencing sessions over IPsec/AES tunnels results in a delay of less than 1 ms on the P2-350 machines (serving as gateways on both ends).
I agree that lag may potentially become a problem as the number of VoIP sessions grows, but, hey, that's what you need hardware crypto gadgets for.
3.243F6A8885A308D313
My university just recently overhauled the on-campus phone system. They replaced the old (working) system with IP phones. They did the whole job in a matter of months, despite very vocal opposition by the CS department faculty. These Cisco IP phones cost $700 a pop.
They hooked the central hub of the phone system up to generators in the event of a power failure. Unfortunately, all our phones depend on switches and routers scattered throughout campus, and the phones themselves have DC power adapters. In the event of a power outage, the central hub will stay on-line, but all the phones throughout campus go out!
When asked what students and faculty should do in the event of an emergency during a power outage, our IT services department responded, "Try to find someone with a cell phone!"
Worse yet, switches have a mean time to failure of 100,000 hours. With 2,000 switches throughout campus, sections of the phone system go out once every 50 hours. The current average time for IT services to replace a down switch is 2 weeks.
These phones have web servers, and a few other goodies. I'm just waiting until an IP phone worm takes out our entire campus's network and telecommunications infrastructure.
Also, the article's authors are clearly behind on their reading. Plain text passwords (known in HTTP as 'basic' authentication) are explicitly disallowed in RFC 3261, the current SIP spec.
Also, most SIP proxy servers support TLS for secure connections at least between proxies.
The security problems are real, but it doesn't help anybody (except consultants, maybe) to spread myths.
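A defender's check for the two points raised in the comment above (Basic authentication is disallowed by RFC 3261, and TLS is available for SIP signalling), as an added example that is not part of the original thread. The function names and the sample SIP messages, including hosts, tags and credentials, are constructed for illustration.

```python
import re

# Headers that carry a SIP authentication scheme (challenge or credentials).
AUTH_HEADERS = {"www-authenticate", "proxy-authenticate",
                "authorization", "proxy-authorization"}

def parse_headers(message):
    """Return [(lowercased name, value), ...] for the header part of one SIP message."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)          # unfold continuation lines
    pairs = (line.split(":", 1) for line in head.split("\n")[1:] if ":" in line)
    return [(name.strip().lower(), value.strip()) for name, value in pairs]

def audit(message):
    """Return a list of findings; an empty list means neither check fired."""
    headers = parse_headers(message)
    findings = []
    for name, value in headers:
        if name in AUTH_HEADERS and value.lower().split(None, 1)[:1] == ["basic"]:
            findings.append(f"{name}: Basic scheme, which RFC 3261 disallows")
    # The topmost Via names the transport of the hop the message just crossed.
    via = next((v for n, v in headers if n in ("via", "v")), None)
    m = re.match(r"SIP\s*/\s*2\.0\s*/\s*(\w+)", via or "", re.I)
    if m and m.group(1).upper() != "TLS":
        findings.append(f"via: last hop used {m.group(1).upper()}, not TLS")
    return findings

# Constructed sample messages (hosts, tags and credentials are made up).
REGISTER_WEAK = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP phone1.example.com:5060;branch=z9hG4bKconstructed1\r\n"
    "To: <sip:alice@example.com>\r\n"
    "From: <sip:alice@example.com>;tag=c1\r\n"
    "Call-ID: constructed-1@phone1.example.com\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Authorization: Basic YWxpY2U6ZXhhbXBsZQ==\r\n"
    "Content-Length: 0\r\n\r\n"
)
CHALLENGE_OK = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/TLS phone1.example.com:5061;branch=z9hG4bKconstructed2\r\n"
    "WWW-Authenticate: Digest realm=\"example.com\",\r\n"
    "  nonce=\"constructed-nonce\", algorithm=MD5\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for msg in (REGISTER_WEAK, CHALLENGE_OK):
        print(audit(msg))
```

The Via check only describes the most recent hop; earlier hops appear in the Via headers further down the message.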
security in VoIP? don't make me laugh. check out VOMIT (feel lucky at google).
and don't believe the hype about the supposed safety of switched nets -- VoIP phones are so very compliant, they just love redirects.
nobody
The mountains are in labor; a ridiculous mouse will be born.