VOIPShield Says It's Found Lots of Vulnerabilities

VOIPShield, a VOIP security company, says it's found some 80 vulnerabilities in Avaya, Cisco and Nortel IP-telephony gear, and another 44 vulnerabilities in the SIP protocol. More detail on each vulnerability is spelled out in the Research section of VOIPShield's website. According to the website, the vendors are working on fixes for their respective vulnerabilities, and in cases of 3 vulnerabilities rated as "critical," patches are already available.

Eric Krapf

April 2, 2008


VOIPShield cleverly timed the announcement of these vulnerabilities to coincide with the release of new products aimed at mitigating security risks: VOIPguard is a "voice intrusion prevention system" that scans voice packets for attack signatures; and the existing VOIPAudit vulnerability-assessment tool is being released as a software download that can run on any OS, where previously it had been a Linux appliance.

The 80 vendor-related vulnerabilities break down as 39 for Nortel, 29 for Cisco, and 12 for Avaya. However, when I talked with VOIPShield CEO Rick Dalmazzi about the announcement, he cautioned that you shouldn't read anything into which vendor had more vulnerabilities. That's because VOIPShield has been testing Nortel longer than any of the other systems; it doesn't mean Nortel systems inherently have more vulnerabilities than the others': "This is sort of an arbitrary number based on the amount of time we spent banging on these systems," Dalmazzi told me.

An obvious concern with any system that does deep-packet inspection would be the effect on real-time performance, but Dalmazzi claims that the VOIPguard "VIPS" can inspect packets for attack signatures while introducing no more than 10 milliseconds' latency. He also said that federal agencies--he named the FDIC--are starting to ask about protection for VOIP traffic among the enterprises they oversee.

The VOIPguard system comes in four models, supporting:

  • 20 calls per second/72,000 busy hour call attempts (BHCA); list price $5,000

  • 50 calls per second/180,000 BHCA; list price $10,000

  • 100 calls per second/360,000 BHCA; list price $25,000

  • 200 calls per second/720,000 BHCA; list price $50,000

There's also a yearly subscription fee to keep the signature database updated.

It's been noted, most recently at VoiceCon by Mark Collier of SecureLogix, that we aren't seeing a lot of attacks actually directed at the vulnerabilities that may exist within VOIP systems themselves; the big danger remains more generalized attacks on the underlying IP infrastructure. Still, it's wise to keep informed on vulnerabilities and patch them before the attackers turn their attention to IP telephony systems.

About the Author

Eric Krapf

Eric Krapf is General Manager and Program Co-Chair for Enterprise Connect, the leading conference/exhibition and online events brand in the enterprise communications industry. He has been Enterprise Connect's Program Co-Chair for over a decade. He is also publisher of No Jitter, the Enterprise Connect community's daily news and analysis website.
 

Eric served as editor of No Jitter from its founding in 2007 until taking over as publisher in 2015. From 1996 to 2004, Eric was managing editor of Business Communications Review (BCR) magazine, and from 2004 to 2007, he was the magazine's editor. BCR was a highly respected journal of the business technology and communications industry.
 

Before coming to BCR, he was managing editor and senior editor of America's Network magazine, covering the public telecommunications industry. Prior to working in high-tech journalism, he was a reporter and editor at newspapers in Connecticut and Texas.