Testing Security for Voip

Posted on 2006-06-03
Medium Priority
Last Modified: 2010-04-11
Is there any software out there that currently tests the security of Voip, and if so to what extent has it been done. What are the possible errors bugs and how feasible is it to correct it. Please steer me in the right direction
Question by:djsqueeze
LVL 13

Accepted Solution

prashsax earned 80 total points
ID: 16826977
VOIP in itself is not encrypted. These are unencrypted voice packets on IP. Anyone who can capture them on way can read them.

If you are implementing VOIP, then you should consider either encrypting these packets and use a VPN between your offices. Sending VOIP packets over internet is a major security risk.

If you aer using VOIP in office, even then you should consider encrypting them to prevent insider attack.

You should also keep your VOIP network in seperate VLAN. This will prevent your VOIP servers which runs on Windows etc from being infected from viruses etc.

LVL 15

Assisted Solution

wingatesl earned 80 total points
ID: 16827548
Have a look at NetIQ they have software dedicated to voip performance and security monitoring. Good pricing too
LVL 38

Expert Comment

by:Rich Rumble
ID: 16827899
Cain and Abel can help you see how easy it is to listen to VOIP calls by simply sniffing the local lan: http://www.oxid.it/cain.html It can save calls as wave files... but other than someone being able to sniff the traffic of a VOIP call, there isn't much of a security risk... VOIP traffic should be Encrypted and tunneled, so that call's can no longer be tapped as easily by anyone.  Avaya phones have the abilities to encrypt data from the phone to the VOIP switch, and from switch to switch as well. This is not the default behaviour for all Avaya phones and equipment, they must be able to do this, and them must be programmed to turn on the encryption as well.
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

LVL 18

Assisted Solution

decoleur earned 80 total points
ID: 16829124
VOIP is an IP based applicationso any of the tools that you would use to evaluate an IP based application could apply.

There are many strategies that can be used to secure VOIP communications and the time honored solutions will be those that use defense in depth.

Encryption is not a very good solution for VOIP for the private network, it introduces latency and can negatively impact class of service tagging to deteriorate the over all qaulity of service.

Yes, Avaya has encryption and no one uses it, and with good reason.

A more appropriate solution in the traditional LAN/WAN environment is to tag voice traffic and put it on a different VLAN from the data network and then provide priority queueing for that traffic of WAN links to facilitate interoffice communications, and that is only over point to point or MPLS connections.

The only people pushing encrypted VOIP over the wild internet are vonage and skype, and they cannot support voice and video IPT and probably won't utli they can get much bigger pipes into your house.

FWIW - Ethereal has been able to recreate VOIP calls for a while now, there are many ways to skin a cat... some just leave you with less meat and Cain's approach doesn't give you a whole lot more but Ethereal is rich in content.

But if you use seperate VLANS for voice and data you cannot sniff the voice traffic, unles you are able to span a trunk port, and does your casual malfeasor have that kind of access to your network?

So I guess the better question is what type of VOIP application are you looking at testing, and then we can start looking at the best practises and how we can evaluate how far they are off of them.


LVL 38

Expert Comment

by:Rich Rumble
ID: 16829803
QoS and tagging can be applied encrypted/tunnelled traffic as much as non-encrypted traffic, and it's even easier if there is a dedicated vlan for that traffic. The same rj-45 connection that my pc uses, my voip phones use, switch the plug from the data port to the phone wall jack, and I'm now listening on the VOIP vlan(promicious mode), no need for a spanning port, I'm not going to pick everything up, but I'll get something. With some slight poisioning, I can get a re-transmit for any particular phone IP I want, and likely I can get plenty of conversations.

To be certain, encryption adds overhead, with modern soft-phones and hardware VOIP, I've found that the impact is small. In my tests, the phones,  are the encryption/decryption points. The switches we have are able to understand layer 3 and tag the QoS, or we can use routers for the QoS. If your VOIP switch isn't getting as much of a "work-out" as the rest of your network, you can sometimes off load the QoS and possibly the encryption too.

That's my experience anyway.
LVL 18

Expert Comment

ID: 16835351

I believe you but I have not seen "QoS and tagging can be applied encrypted/tunnelled traffic as much as non-encrypted traffic", my impression is that you have to decrypt to get access to the dscp values in every switch that the packet traverses. No VOIP application is just encrypting its payload yet.

For listening to the VOICE VLAN while hanging of a phone, that capability can be uniformly blocked by the admin in a cisco environment and with the addition of VLAN segmentation non VOICE can be considered untrusted and pretty completely blocked, even over WAN networks.

Which VOIP implimentations are you talking about? I work with Cisco most of the time and don't see the same results.


Assisted Solution

kevinf40 earned 80 total points
ID: 16841380
If you are using PC based VOIP rather than specialised hardware have a look at


the guy that created pgp is working on an efficient encryption mechanism for voip.

The obvious issues around voip not being encrypted and being relatively easy to sniff have already been covered.  As with many things it appears they may be a slight trade off between security and performance - consider what will be on your system - e.g. if you have customers credit card details you probably want to encrypt it, if it is just friends chatting then encryption may not be necessary.

I recently saw an article on using fuzzing (functional protocol testing) to test your voip implementation by using a variaty of packets to test the limits of the protocol.  Below are links to two papers on this for SIP and H.323 which are the two most common protocols used for voip:


H.323 -

richrumble - not sure how you find the Avaya stuff, but we are implementing some IVR and moving forwards CTI functionality and between them and their partners we are having huge issues getting them to realise the importance of security....


LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 80 total points
ID: 16841728
I'm not directly in charge of our VoIP setup's but I do our penetration testing and quality assuance on the phones, it looks like were using Avaya's Communication Manager package: http://support.avaya.com/elmodocs2/white_papers/media_encryption.pdf

With reguard to our QoS setup, again were using QoS/prioritization for our VoIP vlan's, the traffic on these (VoIP)vlans have more priority than data.
RSVP (cac) and FairQueue are enabled in our configs
It's not an easy thing to setup for sure, and I was not the lead on the setup, but I'm pretty fimilar with what we have in place.

In the future (I hope), encryption will be a standard for VoIP (lets hope), I also think that Jabber will start to be picked up in more and more communication implimentations.

The author also asked about tools for testing, I've recently found that the NetIQ tool mentioned above and one from Agilent to test PSQM
http://www.home.agilent.com/cgi-bin/pub/agilent/Product/cp_Product.jsp?NAV_ID=-536900853.536908081.00   J1981C Agilent Voice Quality Tester (VQT)
These don't actually check for exploits.

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With more and more companies allowing their employees to work remotely, it begs the question: What are some of the security risks involved with remote employees and what actions should we take to secure them?
Each password manager has its own problems in dealing with certain websites and their login methods. In Part 1, I review the Top 5 Password Managers that I've found to be the best. In Part 2 we'll look at which ones co-exist together and why it'…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question