VoIP security loopholes and protective measures

The earliest use of VoIP in China was as a complement to circuit switching between carriers, but many enterprise users have now begun to look at VoIP for themselves. For a new small office, carrying voice over the ample bandwidth of a freshly built data network is far more convenient than building a separate voice system, and it offers functions that traditional voice switches lack, such as mobile working. For larger organisations that already have a data network connecting every branch, interconnecting headquarters and branches over IP trunks saves the high cost of leasing long-distance trunk circuits. VoIP technology therefore has broad prospects among enterprise users.

During a deployment project, and later in day-to-day use, users and equipment vendors concentrate on voice quality and on integration with the existing data network, and rarely consider the security risks that VoIP brings with it. We put every important application server behind a firewall; with VoIP the voice itself becomes just another data application, chopped into packets one after another and exposed to the same hacker attacks. No wonder someone joked, "This is the first time in history that a computer virus can stop your phone from working."

What can affect VoIP? The first factor is the product itself. The most widely used call-setup and control signalling protocols in VoIP are H.323 and SIP. They differ in several respects, but both are open protocol suites, and vendors build separate components to handle IP terminal registration, the gatekeeper and signalling connections. Some of these products run Windows NT, others Linux or VxWorks; the more widely deployed and better known the operating system, the more existing malware and exploits target it. This is especially true when a device offers a web-based management interface, because it then carries Microsoft IIS or Apache to serve it. Those applications are installed at the factory, and there is no guarantee that the shipped version is current or that known security holes have been closed.

The second factor is denial-of-service (DoS) attacks on open ports. Judged by effort against damage, DoS is a simple and effective attack: the attacker floods the server with service requests carrying forged source addresses, and because the reply address is false the server waits in vain for each exchange to complete until its resources are exhausted. VoIP uses a number of well-known ports, such as 1719 (H.225.0 RAS), 1720 (H.225.0 call signalling) and 5060 (SIP), plus whatever ports a product needs for remote management or proprietary traffic, so it exposes far more than an ordinary data application. Once an attacker's PC can reach these ports, whether on the same network segment or from anywhere a firewall does not block, a simple scanning tool such as the shareware X-Way reveals further detail.

A vulnerability published by NISCC (the UK National Infrastructure Security Co-ordination Centre) illustrates this. Its test results state: "Many VoIP systems on the market that use the H.323 protocol have vulnerabilities in the H.245 establishment process, which makes port 1720 easy to attack with DoS, resulting in system instability or even paralysis." Port 1720 is the H.225.0 call-signalling port, and call-setup messages are parsed before any caller is authenticated, so a malformed setup message from an unauthenticated host reaches the vulnerable code directly.

The third factor is service theft. The problem exists with analogue phones too: anyone who taps a parallel set onto an ordinary analogue line can make calls on it. An IP phone cannot be paralleled in that way, but an attacker who steals the login password of a user's IP phone gains the same calling rights. When an IP phone logs into the system for the first time it prompts for the user's extension number and password, and many companies that use VoIP assign each employee a desktop phone plus a virtual (software) phone with its own password and dialling permissions, to support remote and mobile work.

Employees who are travelling or working from home can then connect to the company LAN over a VPN, run the software phone on their computer and answer or place local calls exactly as if they were in the office. Once the password leaks, anyone can log in with their own soft phone as that extension; if the account is allowed to dial domestic and international long-distance numbers without restriction, the resulting toll fraud can cost the enterprise heavily and is difficult to trace.
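The password theft described above is easier than it sounds, because SIP phones authenticate with an MD5 digest (RFC 3261 section 22.4) that anyone on the voice segment can capture and then attack offline with no lockout to slow them down. The following is an added example, not code from the original article or from any vendor: it computes the digest a phone sends, then runs a dictionary attack against a constructed REGISTER exchange (the realm, nonce, extension and wordlist are all made up) and shows that a weak password falls while a strong one survives the same wordlist.

```python
import hashlib
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def sip_digest_response(username, realm, password, method, uri, nonce):
    """MD5 digest response as a SIP phone computes it for REGISTER/INVITE
    (RFC 3261 section 22.4, which reuses RFC 2617; no qop for brevity)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def authorization_header(username, realm, password, method, uri, nonce):
    """What the phone sends back after the registrar's 401 challenge."""
    resp = sip_digest_response(username, realm, password, method, uri, nonce)
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5')


def parse_digest(header: str) -> dict:
    """Pull the name=value pairs out of a Digest Authorization header."""
    body = header.split("Digest", 1)[1]
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="?([^",]+)"?', body)}


def crack_digest(header, method, wordlist):
    """Offline dictionary attack: the attacker sniffed the challenge and the
    response, so every guess is tested locally at full speed and the registrar
    never sees a failed login."""
    p = parse_digest(header)
    for guess in wordlist:
        if sip_digest_response(p["username"], p["realm"], guess,
                               method, p["uri"], p["nonce"]) == p["response"]:
            return guess
    return None


# Constructed exchange (not a real capture): extension 2017 registering.
REALM, URI, NONCE = "voip.example.com", "sip:voip.example.com", "3f1a9c0e5b7d"
WORDLIST = ["1234", "0000", "2017", "password", "123456"]


def weak_phone_header():
    # Password equals the extension number, a common default on IP phones.
    return authorization_header("2017", REALM, "2017", "REGISTER", URI, NONCE)


def strong_phone_header():
    return authorization_header("2017", REALM, "Tq7!vHp4#rLz2", "REGISTER", URI, NONCE)


if __name__ == "__main__":
    print("weak password recovered:", crack_digest(weak_phone_header(), "REGISTER", WORDLIST))
    print("strong password recovered:", crack_digest(strong_phone_header(), "REGISTER", WORDLIST))
```

The digest keeps the password itself off the wire, but a captured challenge and response is enough to test guesses offline, so extension-number or four-digit passwords are recovered in seconds. Long random device passwords, and SIP over TLS so the exchange cannot be sniffed at all, are what actually stop this.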

Finally there is interception of the media stream. Analogue phones can be tapped on the line; enterprise digital phones use vendor-proprietary protocols, so they are hard to listen to by simple means. In a VoIP environment the problem returns. A typical VoIP call has two stages, signalling setup and the media stream, and the media travels as RTP/RTCP, the protocol for carrying isochronous voice over a packet network. Because the protocol is open, even a short fragment of the media stream can be replayed on its own, with no need to correlate the surrounding context. If someone records everything on the data network with a sniffer and replays it with software, employees lose confidence in voice communication.

When this technology was first developed, its designers expected it to be a cheap substitute for traditional long-distance telephony, so they paid little attention to security. VoIP has also followed the development of the network market as a whole: with so many vendors and products coexisting, a unified technical standard could not be agreed for some time, and since VoIP rests on the IP network, its open architecture inevitably inherits the network's weaknesses. The main ways to make VoIP as secure as possible are as follows:

1. Isolate the network used for voice and data transmission

The isolation meant here is not physical isolation: the recommendation is to place all IP phones in a separate VLAN and keep unrelated PC terminals out of that segment. According to feedback from many reviewers, VLAN separation is currently the simplest and most effective way to protect an IP voice system, as it isolates the phones from viruses and simple attacks; combined with the data network's QoS settings, it also helps voice quality. The separation only holds if the switch configuration backs it up: the voice VLAN should not be the native (untagged) VLAN on any trunk, access ports for PCs must not be allowed to tag themselves into it, and whatever routing exists between the data and voice VLANs should pass through a firewall rather than an open layer-3 switch interface.

2. Treat VoIP as an application

This means protecting the important ports and applications in VoIP equipment with the same measures we use for important application servers. For example, a Nortel Networks Alteon switched firewall effectively resists DoS attacks, and the same approach applies to a VoIP system. When two IP terminals talk, the signalling passes through the central signalling service, but once the call is set up the media stream flows only between the two terminals; only when a call initiated by an IP terminal has to enter the PSTN through a gateway does it consume DSP resources in the media gateway. We therefore need to protect the externally exposed addresses and ports of both the signalling and the media streams.

At the same time, expose as few ports as necessary, including the web-based management address, and shut down every service process that is not needed. Note that H.323 and SIP have trouble traversing NAT and firewalls; this stems from the protocols themselves, which carry IP addresses and port numbers inside the signalling, but enabling an application layer gateway (ALG) on the firewall resolves it. As call volume grows, an external media-stream proxy (an RTP media portal) can be added to support a larger VoIP system.
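The forged-source floods described under the DoS heading are what a firewall or session border controller in front of the signalling ports has to spot, and the two cases need different tests: one noisy address is caught by a per-source rate limit, but a flood that spoofs a different source for every request never trips that limit and is only visible as an aggregate rate on the listener. The following is an added example, not code from the article or from any vendor product; it runs both checks over a constructed, time-ordered list of SIP setup requests (the addresses, rates and thresholds are all assumptions).

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
PER_SOURCE_LIMIT = 20     # max setup requests one address may send per window (assumed)
GLOBAL_LIMIT = 200        # max setup requests the listener accepts per window (assumed)
SETUP_METHODS = {"INVITE", "REGISTER", "OPTIONS"}   # requests that create server state


def detect_floods(events, window=WINDOW_SECONDS, per_source=PER_SOURCE_LIMIT,
                  global_limit=GLOBAL_LIMIT):
    """events: time-ordered (timestamp, source_ip, sip_method) tuples.
    Returns (set of sources over the per-source limit,
             timestamp at which the global limit was first crossed, or None)."""
    per_src = defaultdict(deque)   # sliding window of request times per source
    recent = deque()               # sliding window of all setup requests
    flagged, global_alert = set(), None
    for t, src, method in events:
        if method not in SETUP_METHODS:
            continue
        q = per_src[src]
        q.append(t)
        while q[0] < t - window:
            q.popleft()
        if len(q) > per_source:
            flagged.add(src)
        recent.append(t)
        while recent[0] < t - window:
            recent.popleft()
        if len(recent) > global_limit and global_alert is None:
            global_alert = t
    return flagged, global_alert


def constructed_traffic():
    """Synthetic events, not a real capture: ten legitimate phones, one noisy
    attacker address, then a flood from hundreds of forged source addresses."""
    ev = []
    for phone in range(10):                                    # one REGISTER per second each
        ev += [(k + phone / 10, f"10.1.1.{phone + 10}", "REGISTER") for k in range(10)]
    ev += [(2 + j / 50, "10.1.1.66", "INVITE") for j in range(150)]   # 50 INVITE/s for 3 s
    forged = [f"203.0.113.{n}" for n in range(256)] + [f"198.51.100.{n}" for n in range(50)]
    ev += [(6 + n / len(forged), ip, "INVITE") for n, ip in enumerate(forged)]  # spoofed burst
    ev += [(7.5, "10.1.1.12", "BYE")]                           # non-setup traffic is ignored
    return sorted(ev)


def run():
    return detect_floods(constructed_traffic())


if __name__ == "__main__":
    flagged, alert = run()
    print("per-source offenders:", sorted(flagged))
    print("global flood first seen at t =", alert)
```

Against the constructed traffic the per-source check names only 10.1.1.66, while none of the 306 forged addresses is flagged individually; the spoofed burst is caught only by the global counter, which is the signal a firewall uses to start dropping or rate-limiting new setup requests while existing calls continue.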

3. Choose the right product and solution

Different vendors' product architectures differ and each has its preferred operating platform. We cannot say which operating system is the most secure and reliable, but vendors must offer corresponding technical assurances to convince users that their products can withstand the growing number of viruses. Many vendors' products also physically separate the management segment from the user IP-voice segment and expose as few ports as possible to the outside. The Succession 1000 / 1000M from Nortel Networks follows these design ideas: it completely isolates the management segment from the user segment and runs VxWorks to keep the system as closed to the outside as possible. VoIP security is also closely tied to data network security, so what a vendor must supply is not only a set of equipment but also advice on how to improve security and reliability on the user's existing network.

4. Encryption of voice data stream

Within the H.323 family, H.235 (once known as H.SECURE) handles authentication, data integrity and media-stream encryption; in practice, vendors more often choose their own proprietary protocols to secure VoIP. Even without H.235 or other measures, eavesdropping on an IP phone call is harder than tapping an ordinary phone, because you need the codec algorithm and software that decodes it. And even with that software and a connection to the company's IP voice segment, a passive sniffer may capture nothing, because most enterprise networks bring a 10/100M switched Ethernet port to the desktop instead of a hub, so traffic for other ports is never delivered to the attacker's port. That protection is only partial, though: the common codecs are published ITU-T standards (G.711 decoders are freely available), and on a switched network an attacker can still redirect traffic with ARP spoofing or a flooded MAC table, use a port mirror, or run the sniffer on a compromised host inside the voice VLAN. Genuine confidentiality needs encryption of the media (SRTP, RFC 3711) and of the signalling (SIP over TLS, or H.235 for H.323).
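Both the media-interception passage earlier and the paragraph above rest on the same point: unencrypted RTP carrying a public codec is readable by anyone holding the packets, with no call context needed. The following is an added example, not code from the article or from any product; it implements the RTP fixed header (RFC 3550) and the G.711 mu-law codec, then plays the sniffer: it takes a constructed capture of three voice packets (a synthetic tone, delivered out of order across the 16-bit sequence-number wrap and with one duplicate), reorders them and decodes the audio. The SSRC and timestamps are made up.

```python
import math
import struct

# --- G.711 mu-law (ITU-T G.711), the public codec most IP phones default to ---
BIAS, CLIP = 0x84, 32635


def ulaw_encode(sample: int) -> int:
    """16-bit linear PCM sample -> one G.711 mu-law byte."""
    sign = 0
    if sample < 0:
        sample, sign = -sample, 0x80
    sample = min(sample, CLIP) + BIAS
    exponent, mask = 7, 0x4000
    while exponent > 0 and not sample & mask:    # find the segment (leading one bit)
        exponent, mask = exponent - 1, mask >> 1
    mantissa = (sample >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF


def ulaw_decode(byte: int) -> int:
    """One G.711 mu-law byte -> 16-bit linear PCM sample."""
    byte = ~byte & 0xFF
    t = (((byte & 0x0F) << 3) + BIAS) << ((byte & 0x70) >> 4)
    return BIAS - t if byte & 0x80 else t - BIAS


# --- RTP (RFC 3550) fixed header: V/P/X/CC, M/PT, sequence, timestamp, SSRC ---
def build_rtp(seq, ts, ssrc, payload, pt=0, marker=False):
    first = 0x80                                    # V=2, P=0, X=0, CC=0
    second = (0x80 if marker else 0) | (pt & 0x7F)  # PT 0 = PCMU (mu-law)
    return struct.pack("!BBHII", first, second, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(pkt: bytes) -> dict:
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if first >> 6 != 2:
        raise ValueError("not RTP version 2")
    off = 12 + 4 * (first & 0x0F)                   # skip the CSRC list
    if first & 0x10:                                # header extension present
        _, ext_words = struct.unpack("!HH", pkt[off:off + 4])
        off += 4 + 4 * ext_words
    payload = pkt[off:]
    if first & 0x20 and payload:                    # padding: last byte = pad length
        payload = payload[:-payload[-1]]
    return {"pt": second & 0x7F, "marker": bool(second & 0x80),
            "seq": seq, "ts": ts, "ssrc": ssrc, "payload": payload}


def decode_stream(captured: list, ssrc: int) -> list:
    """Reorder a sniffed PCMU stream by sequence number and decode it to PCM."""
    pkts = [p for p in map(parse_rtp, captured) if p["ssrc"] == ssrc and p["pt"] == 0]
    # Unwrap the 16-bit sequence number relative to the packet with the lowest
    # timestamp; assumes the 32-bit timestamp itself does not wrap in the capture.
    base = min(pkts, key=lambda p: p["ts"])["seq"]
    pkts.sort(key=lambda p: (p["seq"] - base) & 0xFFFF)
    samples, seen = [], set()
    for p in pkts:
        if p["seq"] in seen:                        # drop duplicates
            continue
        seen.add(p["seq"])
        samples.extend(ulaw_decode(b) for b in p["payload"])
    return samples


def demo() -> int:
    """Constructed capture: 60 ms of a 440 Hz tone in three 20 ms PCMU packets,
    sniffed out of order across the sequence wrap with one duplicate. Returns the
    largest per-sample error between the original tone and the decoded audio."""
    tone = [int(20000 * math.sin(2 * math.pi * 440 * n / 8000)) for n in range(480)]
    pkts = [build_rtp((65534 + i) & 0xFFFF, 0x1000 + 160 * i, 0xDEADBEEF,
                      bytes(ulaw_encode(s) for s in tone[160 * i:160 * i + 160]))
            for i in range(3)]
    captured = [pkts[1], pkts[2], pkts[0], pkts[2]]
    decoded = decode_stream(captured, 0xDEADBEEF)
    return max(abs(a - b) for a, b in zip(tone, decoded)) if len(decoded) == 480 else -1


if __name__ == "__main__":
    print("max decode error (G.711 quantisation only):", demo())
```

The only loss between the original tone and what the sniffer recovers is G.711's own quantisation error (at most half a quantisation step, 512 for the loudest segment), which is exactly the point of the paragraph: with a public codec and no SRTP, possession of the packets is possession of the conversation.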

5. Reasonably formulate employee dialing authority
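A class-of-restriction check is the usual way to give each extension and soft phone only the call classes its user needs, so that a leaked password for a desk phone does not hand an attacker unrestricted international dialling. The following is an added example, not code from the article or from any PBX; the dial plan it assumes (four-digit internal extensions, "9" as the trunk access code, "00" or "+" as the international prefix, "0900" and "0898" as premium-rate prefixes), the roles and the extension-to-role table are all made up for illustration.

```python
import re

# Call classes, cheapest to most expensive (assumed, for illustration).
CLASSES = ("internal", "local", "national", "international", "premium")

# Class of restriction per role: anything not listed is denied by default.
ROLE_PERMITS = {
    "reception": {"internal", "local"},
    "staff": {"internal", "local", "national"},
    "sales": {"internal", "local", "national", "international"},
}

# Constructed extension -> role table; a real system reads this from the directory.
USERS = {"2017": "staff", "2042": "sales", "2099": "reception"}


def classify(dialled: str):
    """Map a dialled string to a call class under the assumed dial plan, or None."""
    digits = re.sub(r"[\s\-()]", "", dialled)
    if re.fullmatch(r"[2-7]\d{3}", digits):
        return "internal"
    if digits.startswith("9"):                    # strip the trunk access code
        digits = digits[1:]
    if digits.startswith("+"):                    # normalise + to the 00 prefix
        digits = "00" + digits[1:]
    if re.fullmatch(r"00\d{7,15}", digits):
        return "international"
    if re.fullmatch(r"0(900|898)\d{6,}", digits):  # premium-rate, checked before national
        return "premium"
    if re.fullmatch(r"0\d{9,10}", digits):
        return "national"
    if re.fullmatch(r"\d{7,8}", digits):
        return "local"
    return None


def authorize(extension: str, dialled: str):
    """Decide whether this extension may place this call. Returns (allowed, reason)."""
    role = USERS.get(extension)
    if role is None:
        return False, "unknown extension"
    call_class = classify(dialled)
    if call_class is None:
        return False, "unrecognised number"
    if call_class in ROLE_PERMITS.get(role, set()):
        return True, call_class
    return False, f"{call_class} not permitted for role {role}"


if __name__ == "__main__":
    for ext, number in [("2017", "2042"), ("2017", "9 00 1 212 555 0100"),
                        ("2042", "+1 212 555 0100"), ("2099", "9 020 7946 0000"),
                        ("2017", "9 0900 123456"), ("3001", "2042")]:
        print(ext, number, "->", authorize(ext, number))
```

Two details carry the security value: the decision is deny-by-default (an unknown extension, an unrecognised number or a role with no entry all fail), and premium-rate numbers are classified before the generic national pattern so that a stolen "national" permission cannot be turned into premium-rate fraud.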

Dialling permissions should follow the same least-privilege principle as everything else: give each extension and soft phone only the call classes (internal, local, national, international) that its user's job requires, and treat unrestricted long-distance dialling as an exception that is granted deliberately rather than by default. Some of the security risks facing VoIP are simply continuations of familiar problems on the IP network. Only when network security is handled well, and combined with the products' own authentication mechanisms, can VoIP-based applications play a lasting and stable role in the enterprise and become an effective way of meeting its voice communication needs.
