- IE 8 hits Beta 2, privacy features added
- 10 Firefox add-ons for better browsing
- Cisco buys PostPath
- 595 immigrants arrested at electronics plant
- Locked iPhones can be unlocked without password
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
How are VoIP networks weak and vulnerable to attack and catastrophic failure? Securing VoIP Networks, the new book by Peter Thermos and Ari Takanen, looks at VoIP infrastructure and analyzes its vulnerabilities much as the Open Web Application Security Project did for Web-related vulnerabilities and Mitre did with its Common Weakness Enumeration dictionary for software. And it’s about human failings, too, not just technology problems.
Here are the top VoIP vulnerabilities explained in Securing VoIP Networks:
1. Insufficient verification of data: In VoIP implementations, this can enable man-in the-middle attacks.
2. Execution flaws: Standard databases are typically used as the backbone of VoIP services and registrations. Implementation has to be paranoid in filtering out active content such as SQL queries from user-provided data such as user names, passwords, and Session Initiation Protocol (SIP) URLs. The majority of problems relating to execution flaws result from bad input filtering and insecure programming practices.
3. String/array/pointer manipulation flaws: Malformed packets with unexpected structures and content can exist in any protocol messages, including SIP, H.323, SDP, MGCP, RTP, and SRTP. Most typical malformed messages include buffer-overflow attacks and other boundary-value conditions. The result is that the input given by the attacker is written over other internal memory content, such as registers and pointers, which will let the attacker take full control of the vulnerable process.
Web vulnerabilitiesExperts say most Web applications can be hacked. Here are the top ten vulnerabilities that could put your Web site at risk. |
SOURCE: OWASP (the Open Web Application Security Project) |
4. Low resources: Especially in embedded devices, the resources that VoIP implementations can use can be scarce. Low memory and processing capability could make it easy for an attacker to shut down VoIP services in embedded devices.
5. Low bandwidth: The service has to be built so that it will withstand the load even if every caller makes a call at the same time. When the number of subscribers to a VoIP service is low, this is not a big problem. But when a service is intentionally flooded with thousands of bot clients, or when there is an incident that results in a huge load by valid subscribers, the result might be a shutdown of the whole service.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
The Foundry Enterprise Advantage
Foundry Networks, Inc. (NASDAQ: FDRY) is a leading provider of high-performance enterprise and service provider switching, routing, security and Web traffic management solutions. Foundry's customers include the world's premier ISPs, metro service providers, and enterprises.
For further information on Foundry Networks please click here.
Leveraging the Advantages
of a Multi-vendor Network Strategy
Today's enterprise network provides more than simply a technology infrastructure. It's an enabler for the enterprise, supporting mission critical applications, creating operational efficiencies and increasing productivity gains. Foundry Networks provides the ideal foundation for a multi-vendor network.
Click here to view whitepaper!
Comments (8)
VoIP security has been done better elsewhereBy phon1k on October 12, 2007, 10:43 pmAny references pointers for the rest of us? Or is this some kind of "special" group that one needs a secret handshake to obtain this wisdom? phon1k
Reply | Read entire comment
Unfortunately equatingBy Anonymous on October 9, 2007, 10:08 pmUnfortunately equating synchronous (i.e. realtime apps. such as VoIP/video) with asynchronous communications (i.e. email/IM/web application) creates a false perception...
Reply | Read entire comment
TDM as fallback - NOTBy Anonymous on October 5, 2007, 10:46 amCome on, I have never in my life owned a fixed line phone. I have used cellular only since 1991. Our company also has never (for close to 10 years) had fixed line...
Reply | Read entire comment
VOIP VulnerabilitiesBy Julian on October 5, 2007, 5:19 am13. Lacking fallback system ?? there is a well worked fallback system, the good old TDM system...
Reply | Read entire comment
replace "VoIP" with any other application...By Anonymous on October 3, 2007, 9:42 am...And you've seen this article a hundred times before.
Reply | Read entire comment
View all comments