Unified communications security vulnerabilities

Brien Posey

In fact, a recent SearchVoIP.com article, VoIP vulnerability threatens data, cited a rather serious vulnerability related to the SIP protocol. This particular vulnerability would allow an attacker to use a weakness in the SIP protocol to force a buffer overflow on machines running Windows XP Service Pack 2. In the past, this type of overflow attack was used only to crash soft phones, but the article states that a similar type of attack could be used to open a connection between the attacker and the victim's computer, which would essentially give the attacker full access to the machine. As a result, the attacker would be able to create, copy or delete files.

This is only one of dozens of known exploits against unified communications systems. The reason I mention this particular type of attack is that it illustrates the need for strong security for unified communications.

Even organizations that think they are secure should consider reevaluating their security mechanisms. Oftentimes, security mechanisms that are designed for traditional data networks cannot detect attacks against unified communications. That's because such attacks often make use of unified communications-related protocols, such as SIP, and traditional security mechanisms do not usually perform a detailed examination of such packets, which would allow attack signatures to be detected.

One cannot ignore the seriousness of attacks against unified communications systems. At best, such an attack might disable your company's phones. At worst, though, a unified communications-based attack could allow an attacker to steal or modify data, or eavesdrop on voice or video calls.

Unfortunately, I would have to write a good-sized book in order to cover all of the known exploits and countermeasures related to unified communications systems. Since I can't possibly tell you everything that you need to know, I'll at least show you where you can get information on how to secure your network against these types of attacks.

If your unified communications systems do not have an automatic update feature, I recommend checking the manufacturer's website at least once a week to see whether any security patches have been released or whether any security advisory bulletins have been posted. One thing to keep in mind, though, is that every manufacturer does things a little bit differently. Some manufacturers are very security conscious and post security information and patches on a regular basis. Others tend to neglect known security issues.

While researching this article, I found a post on a website indicating that the systems of one of the leading VoIP companies contained a major security hole. The company that discovered this vulnerability contacted the manufacturer, but the manufacturer has yet to even acknowledge the issue. I don't like to point fingers or name names, so I'm not going to name the manufacturer, but if you would like to see the post that I am referring to, you can find it here.

By far the best resource that I have found for information on vulnerabilities with unified communications systems is here. VIPER Lab is dedicated to discovering unified communications-related vulnerabilities and to making those vulnerabilities public. Some of the vulnerabilities that are listed on the site are specific to individual manufacturers, but others exist at the protocol level and are inherent to any unified communications product which uses that protocol.

Conclusion
Unfortunately, there is no easy way to secure your unified messaging systems. Some vulnerabilities affect almost all unified messaging systems, regardless of make or model, while other vulnerabilities are specific to certain brands. Until traditional firewalls and IDS systems evolve to the point where they can detect unified messaging-based attacks, your best defense is to monitor the various websites that I have mentioned in this article in order to arm yourself with the latest security information.

About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com..

Rate this Tip To rate tips, you must be a member of SearchUnifiedCommunications.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Unified Communications Tech Tip Demystifying unified communications deployment strategies Presence management and security Presence: SIMPLE versus XMPP Four factors driving videoconferencing Consider IBM Lotus SameTime for UC, not just Microsoft OCS An introduction to SIP, part 1 What's the value of unified communications? The benefits and challenges of presence within unified communications Will we get reliable unified communications? Top 10 VoIP tips for 2007 RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.