Computer Telephony Integration

This section of our technical library presents information and documentation relating to CTI Computer Telephony Integration software and products. Computer Telephony Integration CTI software is a rich set of phone software library routines that enable application programs to control your phone system. This comprehensive CTI software lets you increase employee productivity, enhance customer service and reduce costs by combining the capabilities of our PACER phone system with the custom functionality of your Windows, Unix or Web applications. Data collected by your phone ACD (Automatic Call Distribution) or IVR (Interactive Voice Response) systems can be passed to your existing PC, Unix or Web applications through our phone software. The PACER predictive dialer can automatically call your customers and pass only connected calls to your agents. With our computer telephony software, your telephone and computer work together to provide cost-saving benefits.

Dick Bussiere, 1-Aug-2003

www.ncasia.com

To understand the security risks associated with VoIP, it is first necessary to understand the three components involved, namely, the phones (softphone or IP phone appliance), call manager (IP-PBX), and voice gateway, which allows the VoIP system to connect to the traditional telephony network.

VoIP data is exposed to more or less the same threats as regular data. For example, an unauthorised user could make use of your IP infrastructure, IP-PBX and voice gateway to make a call using a soft phone on a wireless laptop.

Another way to launch a theft of service attack would be to target the underlying OS on either the IP-PBX or the voice gateway. Once this is compromised, all of the services provided by the platform will be possibly 'open'.

Denial of service (DoS) attacks are also easy to execute-just attack the IP-PBX or voice gateway and no incoming or outgoing calls can be made. Attacking the IP infrastructure itself, by loading it with broadcast traffic, can also disable or degrade the VoIP service.

In addition, VoIP traffic interception can also be easily accomplished. A strategically located hub-or a hacker tool such as Dsniff-can duplicate traffic, capture and replay the entire voice conversation. And this is significantly easier to do on a VoIP infrastructure than it is with the traditional telephone network.

Countermeasures

How does one address these vulnerabilities? First, ensure that basic network security measures are in place. These include firewalls, site-to-site VPNs, penetration testing of VoIP components, and network IDS, as well as host IDS systems to monitor critical VoIP components (easily done if they are based on standard OS platforms).

More advanced security measures would include:

• The use of SNMPv3 management to manage the VoIP components-it is more difficult for an attacker to attempt to maliciously configure a device if he does not know the shared encryption secret.
• The use of SSL and/or SSH to manage the VoIP components-this makes it virtually impossible to 'see' the management traffic.
• The use of strong authentication for the management plane of these devices.