Opinions
Michael Hayes CTO CheckPhone: BlackHat USA - Who cares about H.323 and IAX?  
August 2007   

Looking through the rear view mirror:
As enterprises across the world focused on VoIP as a way to reduce the cost of inter-company long-distance calls, H.323 was introduced. This protocol was widely implemented to connect multiple Private Automatic Branch Exchanges (PABXs) in large and medium-sized businesses across the globe. The attraction of this protocol was that it allowed the connections between PABXs to share the same facilities as data networks, reducing facilities costs.

On the other hand, IAX is a relatively new protocol that Asterisk introduced as an inter-connection protocol between Asterisk soft switches. This protocol is typically adopted by small to medium-sized companies, but is also used by large companies to connect remote branches. As open source, it can be easily understood and deployed relatively simply.

Both these protocols have similar applications, and both have similar security weaknesses. H. Dwivedi identified H.323 as having equivalent security weaknesses to SIP during his BlackHat presentation, but he also identified that IAX had similar vulnerabilities and security risks.

Weaknesses occur in both these protocols during the authentication and authorization phases; the lack of encryption increases the chances of private conversations being discussed or broadcast in public (remember the Princess's mobile phone conversation); and finally, both protocols are susceptible to denial-of-service attacks, specifically against the end-points, and potentially to spoofing of the call manager.

Through the looking glass:

To understand the risk to our enterprise we need to evaluate a number of key issues for both H.323 and IAX. Can an attack occur remotely or locally? Does the attack need to occur from within our network, or can it occur from outside our network? What is the cost to our enterprise in reputation and share value if phone conversations become public? If we answer these three questions in our discovery process, we can quickly start evaluating our risk.

The first question that needs to be answered is where we are using these protocols. If we are using both of these protocols within a closed network, between PABXs within a VPN, our risk is minimal, and the VPN set-up will define the weakness. If we are using these two protocols over the Internet, then the risk increases and we need to ensure these network protocols receive the same security review as our data network set-ups.

Does our application of H.323 or IAX allow end-points or call managers outside our intranet? If not, the risk is again contained but not eliminated. If we allow end-points or call managers outside the intranet, then we have to build security safeguards as we would for any remote user, tele-worker or branch environment.

Since neither H.323 nor IAX employs encryption by default, and very few implementations actually use encryption, we need to evaluate our implementations. The next question we have to ask is: what is the impact if a phone conversation became public? We need to evaluate how likely eavesdropping is to occur and whether it can take place undetected. Can this eavesdropping cause disclosure of customers' private data or confidential executive conversations? As Wal-Mart discovered, the re-routing and recording of calls can take place unnoticed for periods with VoIP technology. We need to review our safeguards, the use of encryption and our Voice Services corporate policy.
