Design, Implementation and Evaluation of a Secure VoIP System Based on Theoretical and Empirical Analysis of Threats and Attacks

Classical telephony has been radically changed by the ongoing networking of systems and services and the associated crossover into Internet services, in both the private and business domains. Voice over IP (VoIP) systems have become well established and have gained widespread acceptance. However, the very popularity of these VoIP systems means they now face new forms of attacks and types of attackers. Therefore securing VoIP systems is now of paramount importance to companies and organizations, for example to thwart industrial espionage or the compromising of their communications. Establishing adequate VoIP security mechanisms is a continuous process which must be adapted to evolving threats. The threats to VoIP systems must be evaluated on the basis of known attacks as well as by collecting ongoing attacks on VoIP systems, in order to better understand the pattern of new attacks and the behavior of attackers. A combination of theoretical and empirical analysis (by capturing real-world attacks using a honeynet) was used to gain information about the real-world threats to VoIP systems. This information was used to establish security measures for the most important attacks, which were then implemented in a transparent VoIP security layer. This layer offers a resource optimized protocol for the end-to-end encryption of client-server communication (SIP) and client-client communication (RTP). Therefore, it protects both the conversation content and the meta-data associated with the communication. By using strong authentication and encryption mechanisms (which take into account the disadvantages of previous approaches), the risk of identity theft and eavesdropping on a conversation are lowered to an acceptable level. A proof of concept of this security layer, implemented with a standard VoIP architecture, proved its applicability and usefulness for mobile telephony. This applied security approach shows, that by integrating the VoIP security layer, the security of currently deployed VoIP systems can be raised to an appropriate level and they can be used without reservation for critical communications.

Back to Top