Assessing the security of VoIP Services

VoIP networks are in a major deployment phase and are becoming widespread due to their extended functionality and cost efficiency. Meanwhile, because VoIP traffic is transported over the Internet, it is the target of a range of attacks that can jeopardize its proper functioning. In this paper we describe our work on a VoIP-specific security assessment framework. The assessment is automated, with integrated discovery actions, data management and security attacks, which makes it possible to perform VoIP-specific penetration tests. These tests are important because they make it possible to search for and detect existing vulnerabilities or misconfigured devices and services. Our main contributions are an elaborate network information model that can be used in VoIP assessment, an extensible assessment architecture and its implementation, and a comprehensive framework for defining and composing VoIP-specific attacks.
