VoIP was first deployed in China as a supplement inside carrier networks, but many enterprise users have now begun to look at it as well. For a newly established small office, carrying voice over the data network it has to build anyway is more convenient than installing a separate voice system, and it also offers functions a traditional voice switch does not, such as mobile working. For industry users that already have a data network linking every branch, IP trunking between headquarters and the branches saves the high cost of leased long-distance circuits. VoIP technology therefore has broad application among enterprise users.
However, during deployment and daily use, both users and equipment vendors put their energy into improving voice quality and integrating with the existing data network, and rarely consider the security risks that VoIP brings. We put important application servers behind the protection of a firewall; in a VoIP system, voice has become a "packet" just like any data application, and it is exposed to the same viruses and hacker attacks. No wonder some people say: "This is the first time in history that a computer virus can stop your phone from working."
What factors threaten VoIP? The first is the product itself. The most common call setup and control signaling protocols in VoIP are H.323 and SIP. Although the two differ in several respects, both are open protocol systems, and equipment vendors supply separate components to handle IP terminal login, registration and call signaling. Some of these products run on Windows, others on Linux or VxWorks. The more open the operating system, the more exposed it is to viruses and malicious attacks. In particular, some devices provide a web-based management interface, which means Microsoft IIS or Apache is used to serve it; these applications are installed when the product leaves the factory, and there is no guarantee that they are the latest version or that their known vulnerabilities have been patched.
Second, denial-of-service (DoS) attacks against open ports. Judged by the method of attack and the damage it does, DoS is a simple and effective attack. The attacker sends a large number of service requests with forged source addresses to the server; because the reply address is false, the server waits for a reply that never comes, until all its resources are exhausted. VoIP uses many well-known ports, such as 1719 (H.323 RAS), 1720 (H.225 call signaling) and 5060 (SIP), plus ports the product itself needs for remote management or proprietary information exchange; in short, it exposes more than a simple data application does. As long as the attacker's PC is on the same network segment as these application ports, a simple scanning tool such as the shareware X-Way reveals quite detailed information.
A recently published vulnerability comes from NISCC (the UK National Infrastructure Security Co-ordination Centre): its tests showed that many H.323-based VoIP systems on the market have flaws in their H.245 handling, so that they are easily subjected to DoS on port 1720 and become unstable or even crash.
Third, theft of service, a problem that also existed with analog phones. Just as connecting several handsets to one analog line allows calls to be made at another subscriber's expense, an IP phone, although it cannot be tapped in parallel that way, can still be taken over by stealing the login password of the user's IP phone. When an IP phone logs in to the system for the first time, it prompts for the user's extension number and password; and many companies that deploy VoIP, to make remote and mobile working easier, assign each employee a virtual IP softphone alongside the desk phone and grant it a password and dialing privileges.
In this way, even when travelling or at home, an employee can reach the company LAN over VPN, run the IP softphone on a computer, and answer or place calls as if sitting in the office. Once the password leaks, anyone can log in to another person's extension with their own softphone; if the privileges obtained include unrestricted domestic or even international long-distance dialing, the company suffers large losses that are hard to trace.
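The login the two paragraphs above describe is, in SIP systems, an HTTP-style digest authentication (RFC 3261 reuses RFC 2617): the registrar sends a 401 with a nonce, and the phone answers with an MD5 response computed from the extension, realm, password, method, URI and nonce. The following is an added example, not code from the original article or from any vendor named in it; the registrar name pbx.example.com, extension 2001, PIN 4712 and nonce are constructed sample values. It shows both sides of the exchange, the registrar's verification, and a point the article does not spell out: every input to the digest except the password crosses the network in the clear, so a sniffed REGISTER exchange lets anyone recover a short numeric PIN offline without ever touching the phone.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// md5Hex returns the lowercase hex MD5 digest of s, as SIP digest auth requires.
func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// digestResponse computes the RFC 2617 "response" value a SIP phone puts in
// its Authorization header when the server's challenge carried no qop
// parameter (the form most IP phones of this era used).
func digestResponse(user, realm, password, method, uri, nonce string) string {
	ha1 := md5Hex(user + ":" + realm + ":" + password)
	ha2 := md5Hex(method + ":" + uri)
	return md5Hex(ha1 + ":" + nonce + ":" + ha2)
}

// authHeader renders the header the phone sends in its second REGISTER.
func authHeader(user, realm, uri, nonce, response string) string {
	return fmt.Sprintf("Authorization: Digest username=%q, realm=%q, nonce=%q, uri=%q, response=%q",
		user, realm, nonce, uri, response)
}

// verify is the registrar's side: recompute the response from the stored
// password and compare in constant time.
func verify(user, realm, storedPassword, method, uri, nonce, response string) bool {
	expected := digestResponse(user, realm, storedPassword, method, uri, nonce)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(response)) == 1
}

// recoverPIN shows the weakness of short numeric passwords: the username,
// realm, nonce, URI and response are all visible on the wire, so whoever
// captured the exchange can test all 10,000 four-digit PINs offline.
func recoverPIN(user, realm, method, uri, nonce, response string) (string, bool) {
	for i := 0; i < 10000; i++ {
		pin := fmt.Sprintf("%04d", i)
		if digestResponse(user, realm, pin, method, uri, nonce) == response {
			return pin, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample exchange: extension 2001 registers with a hypothetical
	// registrar pbx.example.com using a four-digit PIN.
	const (
		user   = "2001"
		realm  = "pbx.example.com"
		pin    = "4712"
		method = "REGISTER"
		uri    = "sip:pbx.example.com"
		nonce  = "3f1c2a9e7b4d" // chosen by the server, sent in the 401
	)
	resp := digestResponse(user, realm, pin, method, uri, nonce)

	fmt.Println("<- SIP/2.0 401 Unauthorized")
	fmt.Printf("<- WWW-Authenticate: Digest realm=%q, nonce=%q\n", realm, nonce)
	fmt.Println("-> REGISTER " + uri + " SIP/2.0")
	fmt.Println("-> " + authHeader(user, realm, uri, nonce, resp))
	fmt.Println("registrar accepts:", verify(user, realm, pin, method, uri, nonce, resp))
	fmt.Println("registrar rejects wrong PIN:", !verify(user, realm, "0000", method, uri, nonce, resp))

	got, ok := recoverPIN(user, realm, method, uri, nonce, resp)
	fmt.Println("PIN recovered offline from the captured exchange:", got, ok)
}
```

The practical consequence for the dialing-privilege problem above: a softphone account that can place international calls must not be protected by the same four-digit PIN used to unlock a desk phone, and the registrar should run over a VPN or TLS so the exchange is not captured in the first place.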
Finally, eavesdropping on the media stream. An analog phone can be tapped by a parallel connection. After enterprises moved to digital telephones, eavesdropping by simple means became difficult because the protocols were proprietary. In the VoIP environment the problem returns. A typical VoIP call consists of signaling followed by a media stream, and RTP/RTCP is the protocol that carries the voice over the packet network. Because the protocol is open, even a small fragment of the media stream can be replayed without knowing what came before or after it. If someone captures everything with a sniffer on the data network and replays it with software, employees lose trust in the confidentiality of their conversations.
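To make the point concrete, the following added example (not code from the original article) parses the fixed RTP header defined in RFC 3550 and does what a sniffer does with a cleartext capture: keeps the packets of one stream, orders them by sequence number and concatenates the payloads. The capture is constructed inline, with short text strings standing in for G.711 samples so the result is readable; with real PCMU payloads the concatenation is directly playable. No knowledge of the H.323 or SIP signaling is needed, which is why a partial capture is enough.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// rtpPacket is the fixed 12-byte RTP header (RFC 3550) plus the codec payload.
type rtpPacket struct {
	PayloadType uint8
	Marker      bool
	Seq         uint16
	Timestamp   uint32
	SSRC        uint32
	Payload     []byte
}

// parseRTP decodes a packet without CSRC list or header extension, which is
// what a plain G.711 call puts on the wire. Nothing in it is secret: every
// field is in the clear and the payload is the raw codec output.
func parseRTP(b []byte) (rtpPacket, error) {
	if len(b) < 12 {
		return rtpPacket{}, errors.New("short packet")
	}
	if b[0]>>6 != 2 {
		return rtpPacket{}, errors.New("not RTP version 2")
	}
	if b[0]&0x3f != 0 {
		return rtpPacket{}, errors.New("padding, extension or CSRC not handled")
	}
	return rtpPacket{
		PayloadType: b[1] & 0x7f,
		Marker:      b[1]&0x80 != 0,
		Seq:         binary.BigEndian.Uint16(b[2:4]),
		Timestamp:   binary.BigEndian.Uint32(b[4:8]),
		SSRC:        binary.BigEndian.Uint32(b[8:12]),
		Payload:     b[12:],
	}, nil
}

// buildRTP is the sender side: version 2, no padding/extension/CSRC, marker off.
func buildRTP(pt uint8, seq uint16, ts, ssrc uint32, payload []byte) []byte {
	p := make([]byte, 12, 12+len(payload))
	p[0], p[1] = 0x80, pt&0x7f
	binary.BigEndian.PutUint16(p[2:4], seq)
	binary.BigEndian.PutUint32(p[4:8], ts)
	binary.BigEndian.PutUint32(p[8:12], ssrc)
	return append(p, payload...)
}

// replay is all a sniffer has to do: keep the packets of one SSRC, order them
// by sequence number and concatenate the payloads. Packets of other streams on
// the segment are skipped. (A real tool also handles the 16-bit sequence
// number wrapping from 65535 back to 0; this demo does not.)
func replay(captured [][]byte, ssrc uint32) ([]byte, error) {
	var pkts []rtpPacket
	for _, c := range captured {
		p, err := parseRTP(c)
		if err != nil {
			return nil, err
		}
		if p.SSRC == ssrc {
			pkts = append(pkts, p)
		}
	}
	sort.Slice(pkts, func(i, j int) bool { return pkts[i].Seq < pkts[j].Seq })
	var audio []byte
	for _, p := range pkts {
		audio = append(audio, p.Payload...)
	}
	return audio, nil
}

func main() {
	// Constructed capture: one call (SSRC 0x1234abcd) sniffed out of order and
	// mixed with a packet from a second call on the same segment.
	const call = 0x1234abcd
	captured := [][]byte{
		buildRTP(0, 11, 1760, call, []byte("LO ")),
		buildRTP(0, 7, 9000, 0x55aa55aa, []byte("other call")),
		buildRTP(0, 12, 1920, call, []byte("VoIP")),
		buildRTP(0, 10, 1600, call, []byte("HEL")),
	}
	for _, c := range captured {
		p, _ := parseRTP(c)
		fmt.Printf("PT=%d seq=%d ts=%d ssrc=%08x payload=%d bytes\n",
			p.PayloadType, p.Seq, p.Timestamp, p.SSRC, len(p.Payload))
	}
	audio, err := replay(captured, call)
	fmt.Printf("replayed payload of the call: %q (err=%v)\n", audio, err)
}
```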
When this technology was born, its developers saw it as a cheap substitute for traditional long-distance calls, so little thought went into security; at the same time VoIP grew along with the whole networking market, and the sheer number of vendors and products has prevented a unified technical standard; and since VoIP's foundation is the IP network, its open system architecture is inevitably exposed to attacks from the network. The following measures maximize VoIP security:
1. Isolate the network used for voice and data transmission
The isolation meant here is not physical isolation; the recommendation is to put all IP phones into a separate VLAN and keep unrelated PC terminals out of that segment. Feedback from many evaluators indicates that VLAN separation is the simplest and most effective way to protect an IP voice system: it isolates the phones from viruses and simple attacks. Note that a VLAN is a logical boundary, so the routing between the voice VLAN and the data VLANs still needs access control lists that admit only signaling and media traffic, otherwise a PC on the data side can still reach the phones and servers. QoS settings on the data network will also help voice quality.
2. Treat VoIP as an application
This means applying the same measures we use to protect important application servers to the key ports and applications of the VoIP devices, for example placing them behind a firewall such as the Nortel Networks Alteon Switched Firewall to resist DoS attacks. The same approach applies to the VoIP system as a whole. When two IP terminals call each other, once signaling has been set up through the central signaling server, the media stream flows only between the two terminals; only when an IP terminal places a call that must reach the PSTN through a gateway are DSP resources in the media gateway used. We therefore need to protect two kinds of traffic and ports: signaling and media.
At the same time, expose as few addresses as possible, such as the web-based management address, and shut down unneeded service processes. It must be said that H.323 and SIP run into obstacles when crossing NAT and firewalls, for reasons inherent in the protocols themselves: the addresses and ports of the media stream are carried inside the signaling messages, where ordinary NAT does not look. An Application Layer Gateway (ALG) solves this, and as call volume grows an external media-stream proxy (RTP media portal) can support larger VoIP systems.
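The following added example (not code from the original article or from any vendor it mentions) shows the core of what a SIP ALG does and why a firewall cannot simply pass port 5060: the media address lives in the SDP body, so the ALG rewrites the "c=" line and the "m=audio" port to the firewall's public address and an allocated port, opens matching pinholes for RTP and RTCP (the next port up), and corrects Content-Length so the far end parses the body correctly. The INVITE, the private address 10.1.20.15, the public address 203.0.113.7 and the fixed port allocator are constructed for the demo; only a session-level c= line is handled, and Via/Contact rewriting is left out for brevity.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// pinhole is one UDP flow the firewall must open for the media announced in
// the SDP: the inside (private) endpoint and its outside (public) mapping.
type pinhole struct {
	InsideIP    string
	InsidePort  int
	OutsideIP   string
	OutsidePort int
}

// rewriteSDP rewrites the session-level "c=" line and each "m=audio" port to
// the public address and an allocated port, and returns the pinholes to open.
// RTCP uses the next port up, so each media line yields two holes.
// Simplification: media-level c= lines (a second c= after an m=) are rejected.
func rewriteSDP(sdp, publicIP string, alloc func(insideIP string, insidePort int) int) (string, []pinhole, error) {
	lines := strings.Split(sdp, "\r\n")
	var holes []pinhole
	connIP := ""
	for i, l := range lines {
		switch {
		case strings.HasPrefix(l, "c=IN IP4 "):
			if connIP != "" {
				return "", nil, errors.New("multiple c= lines not supported")
			}
			connIP = strings.TrimPrefix(l, "c=IN IP4 ")
			lines[i] = "c=IN IP4 " + publicIP
		case strings.HasPrefix(l, "m=audio "):
			f := strings.Fields(l)
			if len(f) < 4 {
				return "", nil, errors.New("malformed m= line")
			}
			port, err := strconv.Atoi(f[1])
			if err != nil || port < 1024 || port > 65534 {
				return "", nil, errors.New("implausible RTP port: " + f[1])
			}
			if connIP == "" {
				return "", nil, errors.New("m= line before c= line")
			}
			outside := alloc(connIP, port)
			f[1] = strconv.Itoa(outside)
			lines[i] = strings.Join(f, " ")
			holes = append(holes,
				pinhole{connIP, port, publicIP, outside},
				pinhole{connIP, port + 1, publicIP, outside + 1})
		}
	}
	return strings.Join(lines, "\r\n"), holes, nil
}

// rewriteInvite splits the SIP message into headers and body, rewrites the
// SDP and corrects Content-Length; a stale length makes the far end truncate
// or over-read the body, which is exactly the kind of parsing trouble that
// turns into a crash on a poorly hardened device.
func rewriteInvite(msg, publicIP string, alloc func(string, int) int) (string, []pinhole, error) {
	parts := strings.SplitN(msg, "\r\n\r\n", 2)
	if len(parts) != 2 {
		return "", nil, errors.New("no message body")
	}
	body, holes, err := rewriteSDP(parts[1], publicIP, alloc)
	if err != nil {
		return "", nil, err
	}
	hdrs := strings.Split(parts[0], "\r\n")
	for i, h := range hdrs {
		if strings.HasPrefix(strings.ToLower(h), "content-length:") {
			hdrs[i] = "Content-Length: " + strconv.Itoa(len(body))
		}
	}
	return strings.Join(hdrs, "\r\n") + "\r\n\r\n" + body, holes, nil
}

// sampleInvite is a constructed INVITE from a phone at 10.1.20.15 behind the
// firewall, offering G.711 (PCMU/PCMA) on UDP port 4000.
func sampleInvite() string {
	body := "v=0\r\n" +
		"o=2001 1 1 IN IP4 10.1.20.15\r\n" +
		"s=call\r\n" +
		"c=IN IP4 10.1.20.15\r\n" +
		"t=0 0\r\n" +
		"m=audio 4000 RTP/AVP 0 8\r\n" +
		"a=rtpmap:0 PCMU/8000\r\n"
	return "INVITE sip:2002@pbx.example.com SIP/2.0\r\n" +
		"Via: SIP/2.0/UDP 10.1.20.15:5060\r\n" +
		"Content-Type: application/sdp\r\n" +
		"Content-Length: " + strconv.Itoa(len(body)) + "\r\n\r\n" + body
}

func main() {
	// Fixed allocator standing in for the NAT's port pool.
	alloc := func(ip string, port int) int { return 30000 }
	out, holes, err := rewriteInvite(sampleInvite(), "203.0.113.7", alloc)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
	for _, h := range holes {
		fmt.Printf("open udp %s:%d <-> %s:%d\n", h.InsideIP, h.InsidePort, h.OutsideIP, h.OutsidePort)
	}
}
```

Two details matter for the firewall policy: the pinholes are opened per call and must be closed when the BYE is seen, and the ALG itself is now a parser sitting on the untrusted path, so it has to reject malformed SDP (as the range checks above do) rather than forward it to the call server.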
3. Select the right product and solution
At present the system architectures of different vendors' products vary, and so do the operating platforms they run on. We cannot assert which operating system is the most secure, but vendors need corresponding technical safeguards so that users can trust their products to resist the growing number of viruses. Many vendors' products also physically separate the management network segment from the user IP voice segment and expose as few ports as possible to the outside. Nortel Networks' Succession 1000/1000M adopts these design ideas: its management and user segments are physically separated, and it runs the VxWorks operating system to shield the system from outside influence as far as possible. VoIP security is also closely tied to data network security, so what vendors must provide is not just a set of devices but also the techniques that help users improve the security and reliability of their existing networks.
4. Encrypt the voice data stream
The H.323 protocol family includes a member, H.235 (also called H.secure), responsible for authentication, data integrity and media stream encryption. In practice, vendors more often use their own proprietary protocols to secure VoIP. Even without H.235 or other means, stealing an IP phone call is harder than tapping an ordinary call, because the eavesdropper needs the codec algorithm and matching software. And even with the software and a successful connection to the company's IP voice segment, the attacker may still get nothing, because most corporate networks today connect desktops to 10/100M Ethernet switch ports rather than hubs, so a sniffer does not see other stations' traffic. Neither of these obstacles should be mistaken for protection: the common codecs such as G.711 are public and implemented in freely available tools, and a switched network only defeats passive sniffing, while ARP spoofing or a mirrored switch port delivers the traffic to an attacker on the same segment anyway. Encrypting the media stream (H.235 in H.323 systems, SRTP in SIP systems) is the only measure that holds up.
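What media-stream encryption changes on the wire, as an added example that is not code from the original article or any vendor it names: the fixed RTP header stays in the clear (routers and jitter buffers need it), the payload is encrypted with AES-128 in counter mode, and a truncated HMAC-SHA1 tag over header and ciphertext is appended, which is the packet shape SRTP (RFC 3711) defines. The sample packet and the two keys are constructed here, and two simplifications are labelled in the comments: the keys are given directly instead of derived with the SRTP key derivation function, and the counter-mode IV is built only from SSRC and sequence number rather than SRTP's salted construction with a rollover counter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"errors"
	"fmt"
)

const rtpHdr = 12 // fixed RTP header, kept in the clear
const tagLen = 10 // SRTP's default truncated HMAC-SHA1 tag length

// keystreamIV builds the AES-CTR IV from header fields so every packet of a
// stream gets a different keystream: SSRC in bytes 4-7, sequence number in
// bytes 8-9, bytes 10-15 left as the block counter. Simplification: real SRTP
// also mixes in a salt and a 32-bit rollover counter, because a 16-bit seq
// wraps after 65,536 packets and CTR mode must never reuse an IV under one key.
func keystreamIV(hdr []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	copy(iv[4:8], hdr[8:12])
	copy(iv[8:10], hdr[2:4])
	return iv
}

// tag authenticates header and ciphertext together, so flipping a ciphertext
// bit or changing the sequence number to replay an old packet is detected.
func tag(authKey, body []byte) []byte {
	mac := hmac.New(sha1.New, authKey)
	mac.Write(body)
	return mac.Sum(nil)[:tagLen]
}

// protect is the sender: header in the clear, payload encrypted with AES-CTR,
// tag appended. The MKI field and key derivation of SRTP are left out.
func protect(enc cipher.Block, authKey, pkt []byte) ([]byte, error) {
	if len(pkt) < rtpHdr || pkt[0]>>6 != 2 {
		return nil, errors.New("not an RTPv2 packet")
	}
	out := make([]byte, len(pkt), len(pkt)+tagLen)
	copy(out, pkt[:rtpHdr])
	cipher.NewCTR(enc, keystreamIV(pkt)).XORKeyStream(out[rtpHdr:], pkt[rtpHdr:])
	return append(out, tag(authKey, out)...), nil
}

// unprotect is the receiver: verify the tag in constant time first and decrypt
// only if it matches, so forged or altered packets never reach the codec.
func unprotect(enc cipher.Block, authKey, pkt []byte) ([]byte, error) {
	if len(pkt) < rtpHdr+tagLen {
		return nil, errors.New("short packet")
	}
	body, t := pkt[:len(pkt)-tagLen], pkt[len(pkt)-tagLen:]
	if !hmac.Equal(tag(authKey, body), t) {
		return nil, errors.New("authentication failed")
	}
	out := make([]byte, len(body))
	copy(out, body[:rtpHdr])
	cipher.NewCTR(enc, keystreamIV(body)).XORKeyStream(out[rtpHdr:], body[rtpHdr:])
	return out, nil
}

// samplePacket is a constructed G.711 (PT 0) RTP packet: V=2, seq 10,
// timestamp 1600, SSRC 0x1234abcd, with text standing in for voice samples.
func samplePacket() []byte {
	hdr := []byte{0x80, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x06, 0x40, 0x12, 0x34, 0xab, 0xcd}
	return append(hdr, []byte("HELLO VoIP")...)
}

func main() {
	// Demo keys, constructed here; a real system derives them from a master
	// key agreed in the signaling channel, which must itself be protected.
	enc, err := aes.NewCipher([]byte("0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	authKey := []byte("constructed-auth-key")

	pkt := samplePacket()
	wire, _ := protect(enc, authKey, pkt)
	fmt.Printf("sniffer sees header %x and payload %x\n", wire[:rtpHdr], wire[rtpHdr:len(wire)-tagLen])

	plain, err := unprotect(enc, authKey, wire)
	fmt.Printf("receiver holding the key: %q err=%v\n", plain[rtpHdr:], err)

	wire[rtpHdr] ^= 0xff // one payload byte altered in flight
	_, err = unprotect(enc, authKey, wire)
	fmt.Println("altered packet:", err)
}
```

The sniffer from the earlier eavesdropping discussion still sees who is talking to whom (SSRC, timing, packet sizes), but the replay it reconstructs is ciphertext, and any packet it injects or modifies fails the tag check before decoding.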
5. Set employee dialing privileges sensibly
Some of the security risks VoIP faces are really continuations of problems in the IP network itself. Only when the network's own security problems are properly solved, combined with the authentication mechanisms of the product itself, can VoIP-based applications play their role in the enterprise and become an effective way to meet its needs.