VoIP assessment

pma111
What should be covered/reviewed in a VoIP/telephony IT audit? Would prefer comments as opposed to links. And what do you perceive to be the biggest risks to VoIP/telephony, if this is your field of expertise?
- Some SIP phones can be configured through HTTP; crackers can take advantage of this and set up a MITM attack, putting themselves in the path of the signaling/audio stream.
- Other phones have HTTP browsers that show read-only configuration data, which might reveal network weaknesses.
- The VoIP servers are exposed to any other network attack, like DoS.
- VoIP servers provide certain features, like Call Detail Records, through HTTP consoles, which store lots of information about the business.
- VoIP calls can be tampered with; if the audio stream is not encrypted, another user can get a copy of the RTP packets (switchport SPAN, man in the middle, hub device, and so forth) and listen to the conversation.
- Voice gateways may have security holes that allow outside users to place international calls.
- SIP registration can be attacked with brute force from the outside. Once well-known ports like 5060 and 5061 are scanned and detected open, your server may receive a stream of REGISTER attempts with common user names, like 1000@10.10.10.1, and if the server accepts these without a security challenge, it will most likely accept calls to national or international numbers.

Hope it helps.

Author

Commented:
It does, much appreciated.

Aside from the security issues / elements of IT audit, are there any other key areas to review around VoIP/telephony?
- Redundancy: if your primary VoIP server fails, how much will the business suffer? How long would it take to have a replacement? Is it necessary to have a redundant box?
- Backup and restore: does your VoIP solution implement an effective and efficient way of backing up the data and restoring it?
- Survivability: if there are remote sites where you deploy phones using a WAN link to connect to their server, what would happen if the link goes down? Is there a solution to have basic calling features in that scenario?
- Emergency dialling: for example, if there is an access code in place for outbound calls, say 9, how will users dial 911? 9911 or just 911? Also, it is important to make sure that the circuits used for emergency dialling allow the 911 service to identify the real location of the emergency. VoIP trunks tend to be tricky.
- Network infrastructure: VoIP is a very large topic. The underlying network requires preparation to make it work, especially when you want to pull off toll bypass and intersite calling. This item includes voice VLANs, DHCP offers with the necessary options (TFTP servers, NTP servers, SIP proxies), bandwidth calculation, Quality of Service, Call Admission Control, Power over Ethernet considerations and so forth.

These are some items I can think of, but I think they are a mouthful.

Regards,

Author

Commented:
Great points. What about management control of 'calls', which is what it is for at the end of the day: excessive or inappropriate use, etc.?
VoIP systems have Class of Control, or Class of Restriction. This means you can categorize calls and then give certain users appropriate calling privileges that will route some calls while blocking others.

You can also enforce Forced Authorisation Codes so that certain patterns (international, services, etc.) require the caller to enter a code with the necessary weight to allow the call through.

Some VoIP systems, like Cisco, have a hard time when it comes to inbound calling restriction. Many times I have seen users harassed by external callers, and the only way to achieve call blocking based on the caller number (one specific number alone) is to have H.323 gateways. Other systems, like Asterisk and OpenSIPS, have fewer issues or none at all in this regard.

Finally, if you have Call Detail Records, and a nice analysis tool, like this one for illustration purposes:

http://www.cdr-stats.org/screenshot/

Then you will be able to tell if a user is abusing the system, or things like that.
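The three controls in this answer (class of restriction, forced authorization codes, and CDR review) can be checked together by replaying the documented policy over the CDR export: any completed call that the policy says should have been blocked is a gap between the control on paper and the live dial plan, and the same pass yields the per-user minute totals used to spot excessive use. The block below is an added example, not code from the thread, from Cisco, Asterisk, OpenSIPS or cdr-stats. The dial patterns are a hypothetical North-American-style plan, the class-of-restriction table, the FAC codes, the business hours, the minute threshold and the CDR rows are all constructed assumptions for the illustration, and the function names are mine.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Route classes in increasing order of privilege. A user's class of
# restriction is the highest class they may reach at all.
LEVELS = ["internal", "local", "national", "international", "premium"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Hypothetical North-American-style dial patterns (assumed, not from the
# thread). Order matters: a 1-900 premium number would also match the
# generic national pattern, so premium is tested first.
ROUTE_PATTERNS = [
    ("internal", re.compile(r"^[2-4]\d{3}$")),
    ("premium", re.compile(r"^1?900\d{7}$")),
    ("national", re.compile(r"^1?[2-9]\d{2}[2-9]\d{6}$")),
    ("local", re.compile(r"^[2-9]\d{6}$")),
    ("international", re.compile(r"^011\d{7,15}$")),
]

# Assumed policy data: per-user class of restriction, the class from which a
# forced authorization code is required, the highest class each code unlocks,
# business hours, and the daily international/premium minute threshold.
CLASS_OF_RESTRICTION = {"2001": "local", "2002": "international", "2003": "national"}
FAC_REQUIRED_FROM = "international"
FAC_CODES = {"7741": "international", "9912": "premium"}
BUSINESS_HOURS = range(8, 19)        # 08:00 to 18:59 local time
INTL_MINUTES_PER_DAY_LIMIT = 30

# Constructed CDR rows for the illustration (not a real export).
SAMPLE_CDR = """\
calldate,src,dst,duration,fac_used
2013-04-02 09:12:00,2001,5551234,120,
2013-04-02 09:40:00,2001,0114420555123,900,
2013-04-02 10:05:00,2002,0114420555123,600,7741
2013-04-02 22:30:00,2002,0114420555123,1800,7741
2013-04-02 11:00:00,2003,19005551212,300,
2013-04-02 11:30:00,2003,2001,60,
"""


def classify(dialed):
    """Map a dialed string to a route class, or 'unknown' if no pattern matches."""
    for name, pattern in ROUTE_PATTERNS:
        if pattern.match(dialed):
            return name
    return "unknown"


def evaluate_call(user, dialed, fac=None):
    """Return (route_class, allowed, reason) for one call attempt.
    The class of restriction is checked first; classes at or above
    FAC_REQUIRED_FROM additionally need a code that covers that class."""
    route = classify(dialed)
    if route == "unknown":
        return route, False, "no matching route pattern"
    cor = CLASS_OF_RESTRICTION.get(user, "internal")   # unknown users get the minimum
    if RANK[route] > RANK[cor]:
        return route, False, f"blocked by class of restriction ({cor})"
    if RANK[route] >= RANK[FAC_REQUIRED_FROM]:
        if not fac:
            return route, False, "forced authorization code required"
        if fac not in FAC_CODES or RANK[FAC_CODES[fac]] < RANK[route]:
            return route, False, "authorization code not valid for this class"
        return route, True, f"authorized by FAC {fac}"
    return route, True, "within class of restriction"


def audit_cdr(cdr_text):
    """Replay the policy over CDR rows. Reports completed calls the policy would
    have blocked (control gaps), after-hours international/premium calls, per-user
    minutes by class, and users over the daily international/premium threshold."""
    minutes = defaultdict(lambda: defaultdict(float))
    report = {"gaps": [], "after_hours": [], "excessive": {}}
    for row in csv.DictReader(io.StringIO(cdr_text)):
        when = datetime.strptime(row["calldate"], "%Y-%m-%d %H:%M:%S")
        route, allowed, reason = evaluate_call(row["src"], row["dst"], row["fac_used"] or None)
        minutes[row["src"]][route] += int(row["duration"]) / 60
        if not allowed:
            # The CDR proves the call completed, so the documented control is not
            # what the dial plan actually enforces.
            report["gaps"].append((row["src"], row["dst"], route, reason))
        elif RANK[route] >= RANK["international"] and when.hour not in BUSINESS_HOURS:
            report["after_hours"].append((row["src"], row["dst"], row["calldate"]))
    for user, per_class in minutes.items():
        intl = per_class.get("international", 0.0) + per_class.get("premium", 0.0)
        if intl > INTL_MINUTES_PER_DAY_LIMIT:
            report["excessive"][user] = intl
    report["minutes"] = {user: dict(per_class) for user, per_class in minutes.items()}
    return report


if __name__ == "__main__":
    result = audit_cdr(SAMPLE_CDR)
    for gap in result["gaps"]:
        print("control gap:", gap)
    for call in result["after_hours"]:
        print("after-hours call:", call)
    print("over threshold:", result["excessive"])
```

On the sample rows the replay finds two gaps (a local-only user who completed an international call, and a national-only user who reached a 1-900 number without a code), one after-hours international call by a user who did present a valid FAC, and that user's 40 international minutes in a day, which is over the assumed 30-minute limit. Whether a gap means the PBX configuration drifted from the policy or the policy document is stale is exactly the question the audit then has to settle against the live dial plan.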
