VOICE OVER INTERNET PROTOCOL: SECURE OR NOT RECOMMENDATIONS ...

4,699 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
4,699
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
137
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

VOICE OVER INTERNET PROTOCOL: SECURE OR NOT RECOMMENDATIONS ...

  1. 1. VOICE OVER INTERNET PROTOCOL: SECURE OR NOT RECOMMENDATIONS TO THE BUSINESS AND PRIVATE SECTOR by Ronald P. Gagner, Jr. A Graduate Research Report Submitted for INSS 690 in Partial Fulfillment of the Requirements of the Degree of Master of Science in Management Information Systems Bowie State University Maryland in Europe May 2005 i
  2. 2. TABLE OF CONTENTS ABSTRACT………………………………………………………………………………….iv LIST OF FIGURES…………………………………………………………………………..v CHAPTER I INTRODUCTION……………………………………………………………..……1 Statement of the Problem…………………………………………………..….1 Need for the Study…………………………………………………………..…1 Definition of Terms…………………………………………………………....1 II REVIEW OF THE LITERATURE………………………………………………...3 Literature Review………………………………………….………………......3 Vulnerabilities…………………………………………………………3 Reliability……………………………………………………………...4 Limitations…………………………………………………………….4 Benefits………………………………………………………………..5 Security Concerns……………………………………………………..5 Summary of the Literature………………………………………….…………6 Research Questions……………………………………………………………6 III METHODOLOGY………………………………………………………………...7 Design, Participants and Procedures…………………………………………..7 Assumptions…………………………………………………………………...7 IV RESULTS, ANALYSIS AND DISCUSSION OF THE RESEARCH…………....8 Vulnerabilities of VoIP………………………………………………………..8 Denial of Service Attacks……………………………………………...8 SPAM over Internet Telephony……………………………………….8 Voice Tapping………………………………………………………....8 ii
  3. 3. Toll Fraud……………………………………………………………..9 Identity Fraud………………………………………………………....9 Lack of Security Methods and Tools………………………………....9 Reliability of VoIP…………………………………………………………....9 Network Connection…………………………………………….…….9 Software Reliability………………………………………………..…10 Link Failure…………………………………………………….….…10 Packet Loss………………………………………………………..….10 Network Availability/Outages…………………………………….….10 Quality of Service…………………………………………………….10 Network Design………………………………………………………10 Limitations of VoIP…………………………………………………………..11 Access to Local 911 Services………………………………………...11 Loss of Power………………………………………………………...11 Number Transfer Restrictions………………………………………..11 Line Echo…………………………………………………………….11 Benefits of VoIP……………………………………………………………...11 Cost Savings………………………………………………………….11 Phone Number and Location Flexibility……………………………..12 Taxes and Access Fees……………………………………………….12 Impact on Security and System Operation…………………………………...12 V CONCLUSION AND RECOMMENDATIONS………………...……………….14 REFERENCES……………………………………………………………………....15 iii
  4. 4. ABSTRACT Is security or a lack of security a deciding factor prior to businesses and individuals implementing Voice over Internet Protocol (VoIP)? VoIP systems are quickly starting to dominate the telecommunication market place. They are economical, easy to use via a broadband connection to the internet or a private IP network. Initially, this system seemed like a godsend to businesses and people alike who make numerous long distance calls and are on the phone for hours on end. However, just as everyone starts to get excited someone mentions security. Because IP networks are used it leaves systems like VoIP susceptible to security attacks and a variety of other vulnerabilities and concerns. This paper will address the concerns that are out there and provide the information needed to help businesses and individuals make an educated decision on implementing VoIP systems and ensure the security of their connection. iv
  5. 5. LIST OF FIGURES Figure 1: Components of a VoIP System ..................................................................................2 v
  6. 6. CHAPTER ONE INTRODUCTION In today’s business world security has never been more important. With the emergence of new electronic capabilities and the transfer of sensitive information over networked systems secure connections become a necessity. Approximately nine years ago the world was introduced to a new technology, Voice over Internet Protocol (VoIP). VoIP is the delivery of voice transmissions over the internet instead of using the ordinary telephone. In the last few years VoIP has been implemented in several organizations with the intent to save money on long distance calls and to streamline the management of the network. However, one consideration that has been under emphasized by many is the security of the connection. Statement of the Problem VoIP is rapidly becoming a primary communication method in the business community. In saying this, the security of these voice communications over the Internet Protocol is a major concern in that vulnerabilities arise leaving network systems open to attack from hackers or viruses. Because of these threats, businesses need to examine if they really want to implement VoIP. To understand the depth of this problem, a thorough analysis of the security needs, vulnerabilities, system reliability and limitations of VoIP must be completed. A comparison of VoIP benefits and weaknesses to the public switched telephone network (PSTN) must also be done. This will answer the question: Is security or the lack of security a deciding factor on whether or not to implement VoIP? Need for the Study The need for this study is to help businesses and the private sector make an educated decision when considering full or partial implementation of VoIP systems. Numerous security concerns have been brought forth that may cause one to think twice about using VoIP systems until security is improved. This study will examine all areas that impact the security of VoIP systems and usability across the entire business and private sector. Definition of Terms Voice over Internet Protocol (VoIP): the process of using an Internet connection to deliver voice data through IP packets instead of the ordinary telephone. There are several ways to implement VoIP; here are some of the common ways in use today: PC to PC is the original VoIP service. For this method to work both end-users must be using the same or compatible software and a multimedia computer. Typically, the caller “dials” a person or selects someone from a real-time list of users currently ready to receive web phone calls. It's the "oldest" type of voice-over-IP and was introduced by VocalTec Communications LTD in 1995. For this system to function correctly, both parties need to have their systems turned on and know they're expecting a call. You can expect delays of more than half a second between voice transmissions over the public Internet. 1
  7. 7. PC-to-phone grew out of PC-to-PC services as early NextGen telcos began installing IP-to-PSTN gateways (or simply gateways) that translate calls originating from a multimedia PC and outbound dial the destination number over the PSTN. How this works is a caller simply enters the destination phone number from her PC through either specific software or at a web-site. If a gateway is located near enough to the destination phone number, the call is then routed over the Internet to that gateway. Phone-to-phone eliminates the need for a PC altogether, using the Internet (or a dedicated IP network) to the carry the voice call between an originating and terminating IP- to-PSTN gateway. Generally, the caller dials a local access number that terminates on a gateway, and enters a PIN and the destination number. The gateway then routes the call over the Internet as previously described. Asynchronous Transfer Mode (ATM): A very high speed packet-based multiplexing standard that integrates voice, video and data onto a single "virtual circuit." Generally found in the backbones of major long distance providers, ATM is designed to provide guaranteed levels of service, unlike other data standards such as IP. Private Branch Exchange (PBX): A type of telecom equipment that operates on the customer premise and provides a way to route calls within the office and over the PSTN. In large companies, PBXs could be linked together using a private voice and/or data networks, thereby saving the company money by not placing inter-office calls over the public network. Public Switched Telephone Network (PSTN): a term used to refer to the public telephony network. H.323: a signaling protocol and recent standard that integrates voice, video and data over IP networks. Session Initiation Protocol (SIP): a signaling protocol for establishing real-time calls over Internet Protocol networks. It also integrates voice, video and data over IP networks. This is the most common standard used today. Source: Acterna Corporation, 2005 Figure 1: Components of a VoIP System 2
  8. 8. CHAPTER TWO REVIEW OF THE LITERATURE Literature Review Is security or the lack of security a deciding factor on whether or not to implement Voice over Internet Protocol (VoIP)? The most common delivery of VoIP is through IP packets over the internet or a private IP network. In the past few years VoIP has grown tremendously in the business and local exchange carrier world. Companies are switching from the antiquated circuit switched “Ma Bell” systems to VoIP to save thousands of dollars and to improve management efficiencies. This rapid transformation has raised several questions about the reliability, vulnerability, and limitations of VoIP. Combining these three areas brings forth the big question as to the security of VoIP transmissions. A lot of businesses that implemented VoIP did not consider the security vulnerabilities. With the rapid expansion of VoIP several IT experts are looking deeply into this area and the efforts being made to ensure it is secure. Throughout this document the areas of vulnerability, reliability and VoIP limitations will be examined as well as the benefits of VoIP. After examining these areas security issues will be brought forth. The compilation of these four areas will be used to address the research question: Is security or the lack of security a deciding factor on whether or not to implement VoIP? Vulnerabilities The Internet, because it is a publicly accessible service, has been a major concern for VoIP deployment. The reasoning behind this statement is because the public Internet is accessible by anyone leaving us vulnerable to hackers, viruses and denial of service attacks. This is not necessarily the cause of the problem but an affect of it. A global Deloitte partner stated in an article in ZDNet UK News that the vulnerability of VoIP systems to disruption means senior executives and boards of directors must be involved in evaluation and deployment decisions. Igal Brightman, a Deloitte global managing partner further stated that despite recent advances in reliability and performance “the risk of business disruption remains a valid concern.” Considering the vulnerability of denial of service attacks and the reliance people put in their phone system, is this vulnerability worth the risk of implementing VoIP? VoIP is also vulnerable to spam over internet telephony (SPIT). The fear here is that advertisers will send numerous voice mail messages to these phones therefore causing a reduction in bandwidth and breaks in service. The strain on network resources when millions of 100-KB voicemail messages are transmitted, compared with 5- or 10-KB e-mails, will be considerable (Biddlecombs, 2005). Ashley Johnston, director of business development at Texas Instruments’ VoIP group stated that voice tapping, toll fraud and identity fraud at the top of the list of VoIP vulnerabilities (Baard, Nov 2004). The most serious of the vulnerabilities is the lack of VoIP security methods and tools. The primary security concern is the security of the infrastructure and resiliency of public branch exchanges (PBX) which was noted in the 2004 Webtorials VoIP State of the Market Report (Taylor and Hettick, 2004). Along with the previous concern is the lack of security 3
  9. 9. tools. Edwin Mier stated in his article, VoIP Security Tools Lacking, “If IP telephony is going to prevail, there will have to be some better way for normal users to set up and adjust all of the pertinent pieces needed to make their VoIP networks secure.” Mier further explains what he means when he states that security tools are lacking by comparing it to Internet Explorer’s security tools. With Internet Explorer the user can manually select the security settings or change all the settings to high, medium or low and all the settings a changed. VoIP systems don’t have that luxury and each individual setting must be changed which causes vulnerabilities for the inexperienced user. Because VoIP is only just starting to mature there are several vulnerabilities coming to the surface. Another concern is the reliability of VoIP. Reliability How reliable is VoIP? VoIP is as reliable as the network it is connected to; whether it is connected over a private IP intranet, or a Frame Relay or ATM network, or to an ISP where it is connected over the Internet. In a report on VoIPReview.org, the writer states that VoIP is a very reliable system which can be an excellent opportunity to run you business over and replace your home phone line. However, what happens when you lose your network connection? If the network system being used is not 99.99% reliable then some form of backing up VoIP with a POTS line or cell phones must be used. For these backups to work then some type of system must automatically move traffic from one network to another when the network connection is lost. Other reliability issues are stated in the article VoIP Reliability include hardware and software reliability and link failure. There are several suggestions in this article which will be discussed in the main body of this paper. In 2003, Wenyu Jaing and Henning Schulzrinne did a study on the reliability of VoIP. In their findings they stated that VoIP reliability was affected by packet losses and network outages. The reliability issues reduced the service availability of VoIP from 99.5% to 98%. In an article VoIP Reliability: A service Providers Perspective, written in Jul 2004, quality of service is identified by the writers as a reliability issue also. The authors further state that network design also impacts reliability. Lastly, a more recent article written on 6 Mar 2005, states the same message about VoIP reliability in terms of network availability. Reliability is a definitive topic when deciding to switch from the POTS system to VoIP. Another factor is the limitations of VoIP. Limitations An article in Bizhelp24.com and a consumer alert lists several limitations with VoIP. One major limitation to consider is whether or not VoIP phone service provides access to enhanced 9-1-1 services. Depending on the service provider, when VoIP customers place a 9-1-1 call, it may be routed to a call center other than the one nearest to them. Callers will need to be able to give the operator their call back number in case they are disconnected and their physical location for response, as this information will not be available to the 9-1-1 operator. The loss of time to do this could be the difference between life and death. Several providers are currently seeking solutions to this problem or have already fixed it. Another limitation is power failures. VOIP phones run through an electronic system, if there is a power failure they become inoperable unless there is some type of backup power supply. If backup power supplies are not available or used then it would become necessary to keep a back up standard phone line. 4
  10. 10. Other limitations include an echo sound through your phone; it sounds like you are repeating yourself. Echo is caused by the telephone hybrid circuit at the far end and causes the near-end talker to hear a reflected version of his voice. Most causes of this are delays in the link. Reliance on only VoIP in lieu of both VoIP and PSTN can create havoc if the VoIP connection goes down. Although VoIP systems have several limitations there are also several benefits. Benefits The benefits of implementing a VoIP system are plentiful. General Electrics IT Solutions web page lists several of these benefits. They include: a. Cost Savings b. Toll Call Charge Bypass Savings c. Single Network Infrastructure Savings d. Other Infrastructure Savings e. Productivity Savings In looking at these benefits one must compare them to the limitations as well as the other issues presented in earlier paragraphs. All of the facts presented can be used to formulate an educated decision as to whether or not security or lack of security is the deciding factor to implement VoIP. Security Concerns To make this decision an in-depth analysis must be done to compare the previous areas mentioned as well as take a deeper look into the security issues in the field. ZDNet.co.uk, (author unknown), Elizabeth Biddlescombe from wired.com, Edwin Mier from Network World and several others have identified several security concerns listed below: a. Viruses and Worms b. Electronic Surveillance c. Denial of Service Attacks d. Eavesdropping e. Hackers These security issues my cause a business to error on the side of caution and stay with the circuit switched “Ma Bell” system versus moving to VoIP. In today’s fast moving technical environment major players in the VoIP business are finding new ways to secure the systems and prevent any type of intrusion. One primary concern, there are security flaws in two of the protocols being used for VoIP. One of the protocols is Session Initiation Protocol (SIP) and the other one is H.323 (McAlearney, Dec 2004). The vulnerabilities can lead to the security concerns listed above. Gerhard Eschelbeck, CTO of Qualys Inc stated “Security flaws will be found and announced that allow worms to spread in a similar way for VoIP as they do in UNIX and Windows operating systems.” 5
  11. 11. Summary of the Literature VoIP systems are being deployed in more and more businesses. There are still many issues that need to be resolved. Shawna McAlearney, editor with searchsecurity.com states “VoIP offers many benefits and appears inevitable for enterprises but before you jump into it with both feet it’s crucial to consider quality of service, manpower and importantly, security issues”. However in stating this she goes on to say that soon enterprises won’t have a choice. The non-IP phone systems and services are disappearing. Also, of further note, Robert Mullins from Silicon Valley/San Jose Business Journal stated that security concerns are taking a back seat to the appeal of cheaper phone calls. VoIP has vulnerabilities, reliability issues, limitations and security flaws. In the same breath, there are also several benefits to VoIP. Research Questions The questions that guided the research are (a) What are the vulnerabilities of VoIP? (b) What VoIP reliability issues exist? (c) What are the limitations of VoIP? (d) What are the benefits of VoIP? (e) Is security or a lack of security a deciding factor in implementing VoIP? 6
  12. 12. CHAPTER THREE METHODOLOGY Design, Participants and Procedures The design of this research was descriptive in nature with all sources found through magazine and web based articles. The primary participant is Mr. Terry Martin who is a Senior Consultant with GVNW Consulting INC and an IEEE member of Communication Society. He graciously agreed to be the subject matter expert for this paper. Terry is responsible for telecommunications, and network design services as well as system integration consulting. Terry has over 20 years of telecommunications experience. He has been providing voice, data, radio and video communication system design and network integration consulting services for over 10 years for customers like IBM, Intel, City of Albuquerque and the State of New Mexico. Before that he managed and maintained voice, data and radio systems including Microwave for the Department of Interior and the US Forest Service. Terry has an Associate of Arts degree in Engineering, a Bachelor of Science degree in Business and a Masters of Science degree in Telecommunications Engineering. A thorough analysis and review of all the material was accomplished to verify its authenticity and accuracy prior to its implementation in this paper. Additionally, the subject matter expert, Mr. Terry Martin, reviewed the material presented to ensure the accuracy of the data used. To begin the research several security issues were examined in-depth to ensure complete coverage of the topic. Assumptions Several businesses and individuals are beginning to use VoIP. Several attempts were made to contact some of these companies to ask what their concerns were and if they have experienced any problems with security of the VoIP systems. Because of my failed attempts, an assumption must be made that companies and individuals are having security problems with VoIP based on the literature that has been read. 7
  13. 13. CHAPTER FOUR RESULTS, ANALYSIS AND DISCUSSION OF THE RESEARCH Throughout this research several magazine and online articles covering VoIP security have been reviewed. Security concerns are the tip of the iceberg with three underlying areas that have had an impact on security. These three areas include vulnerabilities, reliability and limitations of VoIP. The results of the research into the areas and their impact on security will be discussed below. Once all of the results have been discussed then a thorough analysis will be accomplished followed by a brief discussion of the research. Vulnerabilities of VoIP What are the vulnerabilities of VoIP? Denial of Service Attacks Since VoIP systems are servers, they are subject to distributed denial-of-service attacks, which can bring a server to its knees and even shield other attacks. Basically what happens is that a large number of messages are sent to a host and the return messages are not responded to. To put this in simple terms it is like millions of calls coming into a call center. When the call comes in it is not answered and millions of others follow denying service to those that need it. There are tools out there to prevent these attacks from the same network but when the attacks originate from a different network they are much harder to prevent. Additionally, tests can be carried out on VoIP servers and IP Public Branch Exchanges to verify that they are capable of preventing these attacks. As always, nothing is fool proof and the potential still exists that one may suffer from a denial of service attack. SPAM over Internet Telephony (SPIT) SPIT is the VoIP equivalent of unsolicited email -- unwanted messages clogging up your voice mail box. VoIP spit directly hits gateways and degrades the voice quality because of the degradation in bandwidth. Industry observers have cautioned that the open nature of a VoIP phone call will make it easy for spammers to send numerous voice mail messages therefore causing a reduction in bandwidth and breaks in service much in the same way that e-mail in boxes are spammed. The strain on network resources when millions of 100-KB voicemail messages are transmitted, compared with 5- or 10-KB e-mails, will be considerable. Security specialists, and VoIP vendors for that matter, are treating the prospect of unwanted voice messages as a security threat, much as they have done with e-mail spam. Voice Tapping Most VoIP packets sent over the internet are not encrypted; anyone with network access can listen in on conversations. Voice tapping is one of the most common vulnerabilities in a VoIP environment. Unauthorized interception of audio streams and decoding of signaling messages can enable an individual to tap conversations in an unsecured VoIP environment. This vulnerability can create havoc for the end users of VoIP systems. For example, someone may be making a purchase over the phone using their credit card number. All the eavesdropper needs is a packet capture tool, available on the internet, to start capturing voice traffic on the network. In addition to gathering this type of data other 8
  14. 14. sensitive information can be stolen also. However, there are encryption methods available for secure communication. Toll Fraud The risk of toll fraud is greatly increased in converged VoIP networks from plain old telephone systems due to the open nature of many enterprise data networks and vulnerability to service theft via spoofing. Unauthorized access to the VoIP network allows attackers to spoof known source or destination addresses of VoIP terminals, creating both privacy and theft-of-service risks. Identity Fraud Identity fraud or theft is increasing in numbers via VoIP systems. Thieves have been able to change how their number appear on victims' caller ID boxes leading the victim to believe it is their bank or credit card company calling. Some VoIP services let scam artists make it appear that they're calling from another phone number--a useful trick that enables them to drain credit accounts and pose as banks or other trusted authorities. "It's like you've handed people an entire phone network," said Lance James, who as chief technology officer of Secure Science sees such scams on a daily basis. Lack of Security Methods and Tools VoIP systems suffer from a lack of security methods and tools. Larry Hettick and Steve Taylor state in their article, “The most worrisome VoIP security issue”, that the primary security concern is the security of the infrastructure. Security methods that are lacking include network and security infrastructure to include firewalls that are not voice- optimized and not capable of supporting the advanced security requirements for VoIP. This problem can be controlled by proactive management to ensure safeguards are in place that is compatible with VoIP systems. Traditional static policy rules are not adequate for VoIP traffic control. Finally, bandwidth, latency and quality of service become critical requirements for network and security infrastructure, when processing multiple simultaneous voice streams. Along with the previous concern is the lack of security tools. Specifically, the problem is that there are numerous security settings that must be individually set. This causes problems in that individuals may unknowingly have some of the settings set too low therefore causing a potential opening for a hacker or virus attack. Edwin Mier compares this to the security settings in Internet Explorer where the user can set all of the settings to high, medium or low. This would enhance the security of VoIP systems if ever adapted. Reliability of VoIP What VoIP reliability issues exist? Network Connection The reliability of VoIP systems is directly independent of the type of network connection used. The difference lies in the type of connection such as a private IP intranet, or a frame relay or ATM network, or to an ISP to the internet. 9
  15. 15. Software Reliability The reliability of software to perform its intended function is imperative to proper system operation. If the software fails to perform as expected several problems can develop. These problems include security breaches, proper VoIP system operation and other operational capabilities of the system. Other key concerns with software are stability, interoperability and robustness. When software is lacking in these areas it makes the system vulnerable to security breaches. Link Failure A link failure is when a series of packets are lost during a period of time that can last for several seconds which will be followed by a change in delay after the link is re- established. There are several reasons one my have a link failure. They can be caused by equipment problems, a cable being unplugged or cut, a configuration change in the transport network or potentially a denial of service attack. Routers are generally intelligent enough to recognize a link failure and find an alternate route. Packet Loss Packet loss results from bandwidth limitations on the network system and also due to the way IP packets are routed over a network system. When a VoIP system is used IP packets are sent over the server through a router and to the network system. The are multiple packets and some may go one way and others in a different direction however they all have a IP address to where they are going and meet at that point. Because of this some packets may be lost causing a period of silence in the conversation which leads to a clipped-speech effect that is unsatisfactory for most users and unacceptable in business communications. Network Availability/Outages Network systems go down from time to time. If individuals and businesses rely solely on VoIP systems then they will face the burden of not being able to make or receive calls. This could be very damaging to businesses. Back up systems are necessary to ensure that communication devices are available at all times. Outages occur when the primary system goes down for one reason or another. The network system may still be up but the VoIP system may be down depending on the service provider. This has been a problem in the past and continues to happen from time to time. Service providers are working to alleviate this issue so they can meet reliability standards of public switched telephone network (PSTN). Quality of Service Quality of service issues exist in VoIP systems due to the introduction of different types of network applications. This is now a problem because in the past IP data packets just needed to get to there final destination where as IP voice packets must get to their destination to ensure the quality of the transmission. There is a requirement for VoIP packets to be delivered on a reliable, low latency basis. To overcome this quality of service protocol have been and are being developed. The problem here is that not all systems are as reliable as others. Network Design The reliability of VoIP systems is affected by the network design. If networks that deliver voice and data packets are not designed to handle these combined transmissions then 10
  16. 16. reliability of the system will be affected. The challenge is to design the network to support VoIP service requirements for strict connectivity, latency, jitter, packet loss, and reliability objectives that are normally expected from the PSTN services. In addition the network design must support new voice applications that are made possible by the new converged voice/data network. This is not always accomplished and creates reliability issues. Limitations of VoIP What are the limitations of VoIP? Access to Local 911 Services The problem in delivering 911 calls via VOIP is that neither the phone number nor the calling device, often a laptop computer, corresponds to a fixed location and that the traditional 911 structure routes a call according to a caller's address. Workers who use their laptops at a home office, at their corporate headquarters and on the road, for example, use the same number and device regardless of location. Although this problem was more widespread a few years ago it is still troublesome for some users today. Currently, VOIP providers that offer 911 access rely mostly on systems that require users to update their calling devices with their current locations, but several companies are developing more automated technologies. Loss of Power As VOIP phones run through an electronic system, they will not work in the event of a power failure. Because of this limitation one may need to keep a back up standard phone line. However, some VoIP service providers do offer back up power. Number Transfer Restrictions Some VOIP companies will not allow you to use an existing number, so you could have to change your business number, or operate using two numbers. Local number portability is an FCC regulation that is enabling users to take their number with them when they change service providers. There are still issues with this but the future will see the easy transfer of numbers from one provider to another. Line Echo Receipt of an echo sound through the phone where it sounds like you are repeating yourself is a problem. This limitation is caused by the telephone hybrid circuit at the far end and causes the near-end talker to hear a reflected version of his voice. This is often due to a mismatched hybrid (2 to 4 wire convertor) on the analog part of a telephony connection. To help resolve this problem VoIP Gateways incorporate a line echo canceller to remove or reduce the echo level from analog loops. Network delay is the primary cause of line echo. There are several different types of delay. To go into great detail here is beyond the scope of this paper. For more information regarding this topic please go to http://www.cisco.com/warp/public/788/voip/delay-details.html. Benefits of VoIP What are the benefits of VoIP? Cost Savings The price of a VoIP phone line is a fraction of the cost of a traditional telephone line, the long distance calls are much less expensive if they are made via a VoIP provider, 11
  17. 17. and applicable taxes are far lower with VoIP phone service than with a traditional phone service. Some VoIP phone service providers offer a phone line for around $9 U.S. dollars per month and will charge you for calls you make at the rate of 1-3 cents per minute depending on the provider. Most VoIP phone providers offer a bundled service offering unlimited incoming calls and unlimited long distance calls to anyone in the U.S. or Canada for one small fee. VoIP unlimited calling plans currently start at $19.95 per month. You can also expect these costs to fall over time as technology and competition matures. Phone Number and Location Flexibility VoIP subscribers can have multiple area codes across the country. For example, a subscriber located in Connecticut can have a VoIP phone number with a Utah area code in addition to their Connecticut VoIP phone number. Additionally, if you move, there is no need to subscribe to phone service in the city where you are moving. All you need to do is take your VoIP adapter with you and VoIP should work the same as from your home or business. Taxes and Access Fees Currently, VoIP providers do not have to pay taxes and regulatory fees that standard phone service providers have to pay. Therefore, these costs are not included on your VoIP bill. This is subject to change if federal and state regulators change their policy concerning VoIP providers. Impact on Security and System Operation VoIP vulnerability and reliability issues, VoIP limitations and benefits must be examined on a large scale. Several issues have been addressed above that are concerning to business and individuals alike. The vulnerabilities addressed above affect the security of VoIP systems in one way or another. Denial of service attacks, spit, voice tapping, toll fraud, identity fraud and the lack of security methods and tools can devastate individual users and businesses. Individuals and businesses need to be aware of these vulnerabilities and take action to thwart them. VoIP service providers are continuously making advances in these areas but at a cost to the subscribers. Reliability of VoIP systems impacts system operation. Network connection and software reliability, link failure, packet loss, network availability/outages, quality of service and network design are all reliability issues. With these issues come costs. It could be the cost of not being able to use the VoIP service, enable intruders to break through the system or reduce the efficiency of the system. When an individual or a business relies solely on their VoIP service these reliability issues can knock out their method of communication for hours or even days. VoIP systems also have limitations. The limitations include access to local 911 services, loss of power, number transfer restriction and line echo. If the VoIP system is affected by any of these limitations it will impact system operation and cause communication problems. Some of these problems can be very critical. If there is an emergency and the 911 call does not go to the local operator then the delay caused to route it to the correct area could be a matter of life or death. Failure to receive the entire voice message could cause 12
  18. 18. miscommunication. One could also lose use of the system should there be a power outage. These limitations impact VoIP system operation and can create severe business problems if not solved. The benefits of VoIP systems must not go unnoticed. They include cost savings, phone number and location flexibility and tax and fee benefits. These benefits are what have attracted the hundreds of thousands of business and individual to the technology. There are a few other security concerns that have yet to be addressed that impact VoIP systems. They include intrusion by hackers and virus attacks. Hackers can hijack entire messages through SIP messages and IP addresses. Vulnerabilities and reliability issues can enable these types of malicious acts to take place. The question that must be answered now is: Is security or a lack of security a deciding factor in implementing VoIP? Throughout this analysis of the research several issues have been addressed however, VoIP service providers are taking several steps towards preventing the problems listed above. Is the cost greater to the consumer? Definitely. Why wouldn’t you want to spend the money to ensure that a safe, reliable VoIP system is installed? There are still many unresolved issues that are being worked. The key point is not to be scared away from VoIP but rather, do the homework, know what requirements need to be met and seek a provider who can meet them. 13
  19. 19. CHAPTER FIVE CONCLUSION AND RECOMMENDATIONS VoIP system implementation is rapidly expanding in the home and in businesses. Everyday a new article is printed addressing security concerns and other relevant issues. Yet, everyday businesses and individuals are acquiring this service. All of the problems or potential problems have received widespread press. Some of the press has been published by service providers. The vulnerabilities, limitations, reliability issues and security concerns presented earlier are just that, concerns. The intent is not to sway someone from implementing a VoIP system or service. It is to ensure people are aware of these issues and make an educated decision. In my opinion, VoIP systems are the future and public switched telephone networks will become the past. VoIP phones will go with people so they can make calls when they want and where they want for only a small cost. The only caution is to know the risk, exercise proper risk management and take measures to neutralize the risks. Accomplish this and your VoIP system will be much safer than those that think “It won’t happen to me”. 14
  20. 20. REFERENCES Beard, Mark (2004, Oct 28). VoIP security, “spit” concern experts. Retrieved Feb 27, 2005 from http://searchnetworking.techtarget.com Beard, Mark (2004, Nov 8). Can VoIP ever be as secure as Ma Bell’s creation? Retrieved Feb 27, 2005 from http://searchnetworking.techtarget.com Biddlecombs, Elizabeth (2005, Feb 7). Hold the Phone, VoIP Isn’t Safe. Retrieved Feb 28, 2005 from http://www.wired.com/news/technology/0,1294,66512,00.html Birdsall, Randall and Mier, Edwin and Thayer, Rodney (2004, May 24). Breaking through IP telephony. Retrieved Mar 3, 2005 from http://www.nwfusion.com/reviews/2004/0524voipsecurity.html Boards warned again over VoIP risks (2004, Nov 3). Retrieved Feb 27, 2005 from http://news.zdnet.co.uk/communications/networks/0,39020345,39172451,00.htm Carlson, Caron (2004, Dec 6). VoIP: A New Day Is Dawning, eWeek, Volume 21 Number 49 Carlson, Caron (2004, Dec 13). Hosted VoIP: Not All Equal, eWeek, Volume 21 Number 50 Carlson, Caron (2004, Dec 20/27). IT Moves Into Voice Communications, eWeek, Volume 21 Number 51 Consumer Alert – Consumers Should be Aware of VoIP Limitations (n.d.). Retrieved Mar 3, 2005 from http://www.atg.wa.gov Eschelbeck, Gerhard (2004, Dec 20). Five VoIP security recommendations. Retrieved Feb 27, 2005 from http://searchnetworking.techtarget.com Garland, Juston (n.d.). Advantages and Disadvantages of VoIP. Retrieved Feb 1, 2005 from http://www.a-to-z-wellness.com/computer-articles/voip.htm 15
  21. 21. Ghaffar, Ahmar (2004, Nov 27). How Secure is VoIP? Retrieved Mar 10, 2005 from http://next3.blogspot.com/2004_11_01_next3_archive.html Greene, Tim and Hochmuth, Phil (2004, Oct 25). VoIP security a moving target. Retrieved Mar 3, 2005 from http://www.nwfusion.com/news/2004/102504von.html Greene, Tim (2005, Feb 21). VoIP security vendors debut new tools. Retrieved Mar 10, 2005 from http://www.nwfusion.com/reviews/2005/022105voipsecurity.html Hamblen, Matt (2005, Jan 31). Deploy VoIP With Care, Feds Warn. Retrieved Feb 08, 2005, from http://www.computerworld.com/printthis/2005/0,4814,99375,00.html Hamblen, Matt (2005, Jan 31). Deploy VoIP With Care, Feds Warn. Retrieved Mar 10, 2005 from http://www.computerworld.com Hettick, Larry and Taylor, Steve (2004, Oct 25). The most worrisome VoIP security issue. Retrieved Mar 3, 2005 from http://www.nwfusion.com/newsletters/converge/2004/1025converge1.html Hettick, Larry and Taylor, Steve (2004, Oct 27). Mailbag: VoIP security. Retrieved Mar 3, 2005 from http://www.nwfusion.com/newsletters/converge/2004/1025converge2.html IPT and VoIP Benefits (n.d.). Retrieved Feb 27, 2005 from http://www.gettsolutions.com Jiang, Wenyu and Schulzrinne, Henning (2003, Apr), Assessment of VoIP Services Availability in the Current Internet. Retrieved Feb 27, 2005 from http://edas.info/S.cgi?bibkey=Jian0305:Assessment Limitations of VoIP (n.d.). Retrieved Mar 3, 2005 from http://www.bizhelp24.com McAlearney, Shawna (2004, Dec 20). VoIP 2005: Better watch what you say. Retrieved Feb 27, 2004 from http://searchnetworking.techtarget.com Messmer, Ellen (2005, Feb 7). Group’s aim: secure VoIP. Retrieved Mar 10, 2005 from http://www.nwfusion.com/newa/2005/020705-voip-security.html 16
  22. 22. Mier, Edwin (2004, May 31). VoIP Security Tools are Lacking. Retrieved Feb 27, 2005 from http://www.nwfusion.com Mullins, Robert (2005, Mar 11). Security Issues Lurking Behind VoIP’s Cost Saving Promise. Retrieved Mar 14, 2005 from http://sanjose.bizjournals.com/sanjose/stories/2005/03/14/smallb3.html Nemer, Elias (2002, Oct 16). Handling VoIP Speech Coding Challenges. Retrieved Mar 20, 2005 from http://commsdesign.com/design_corner/OEG20021016S0005 Parizo, Eric B. (2004, Nov 3). VoIP security daunting, but possible. Retrieved Feb 27, 2005 from http://searchnetworking.techtarget.com/ Radvision Ltd. (n.d.). Overview: Session Initiation Protocol. Retrieved May 10, 2005 from http://www.sipcenter.com/sip.nsf/html/WEBB5YFPVR/$FILE/SIPOverview.pdf Rendon, Jim (2004, Jan 13). VoIP vulnerability could leave networks exposed. Retrieved Feb 27, 2005 from http://searchnetworking.techtarget.com Rendon, Jim (2004, Dec 8). The security risks of VoIP. Retrieved Feb 27, 2005 from http://searchnetworking.techtarget.com Starting with VoIP (2002, Mar 5). Retrieved Mar 1, 2005 from Mindfire Solutions at http://www.mindfiresolutions.com Taylor, Steve (2004, Oct 20). 2004 VoIP State of the Market report. Retrieved 3 Mar 2005 from http://www.webtorials.com/abstracts/VoIPSurvey2004.htm Understanding Delay in Packet Voice Networks (2005, Mar 30). Retrieved May 10, 2005 from http://www.cisco.com/warp/public/788/voip/delay-details.html VoIP Reliability (2004, Jun 30). Retrieved Mar 10, 2005 from http://www.lightreading.com/document.asp?site=testing&doc_id=53864&page_numbe r=4 VoIP Reliability (2004, Aug 8). Retrieved Feb 27, 2005 from http://www.voipreview.org 17

×