A closer look at VOIP security
In today's Boston.com, I see an article casting doubt on the security of VOIP, with the ubiquitous Vonage advertisment below it.
The gist of the article is that VOIP is vulnerable denial of service attacks. It doesn't draw a distinction between hardware-based VOIP (e.g. Vonage) and P2P-based VOIP (e.g. Skype). There is a difference. Let me try to explain what I'm getting at:
I'm a Vonage customer. I was about to describe my home network, but I'm pleased to see that Omar Shahine has the exact same network, so that saves me the trouble. All that is missing from his diagram is Maisy the cat which likes to curl up next to the hardware on my "network shelf", and then you would have an exact replica of my network. Anyway, the key point is that the Motorola VOIP Router (i'll call it the "Vonage box") is at the most upstream point of the network. It is what is connected to the cable modem. Therefore, it gets a public IP address. The Vonage box then issues DHCP (192.168.*) which means that any computers downstream from the Vonage box have private non-routable IP addresses. If I had just plugged my computer directly into the cable modem (as many people without VOIP routinely do), then my computer would have a public IP address and would be much more vulnerable to attacks from the outside world. So, for the regular home computer user, the use of a VOIP box such as the Vonage box increases the security of their network. Of course, the Vonage box is (literally) a black box so it may well have vulnerabilities. But I'm betting that it has much fewer open ports and listening processes than the PC of the average home user.
Now consider Skype. I've written before that Skype relies on PCs with public IP addresses in order to act as "super nodes" to route calls. For example, I noticed during the week that one of my Skype calls had gone through a PC in a dorm at Brandeis University. That PC in the Brandeis dorm had a public IP address. But, if that Brandeis student had been using Vonage, then their PC would not have had a public IP address, they'd have had a private non-routable IP address instead. So, that would have been one less Skype supernode to go around. So, there is a sort of zero-sum game between Vonage and Skype. The more people buy Vonage service, the less Skype supernodes there are to go around, and that hits Skype's voice quality. Skype relies on home users connecting straight into a DSL or cable router, to get a public IP address (and hence be subject to all the wind and the rain on the Internet, so to speak). If you're running Skype, type "netstat" and look at what gets returned. I'm connected right now to someone's home PC sitting on a Bezeqint cable modem in Israel.
When I wrote that original blog post about how computers with public IP addresses became Skype supernodes, I was surprised that many people remarked that they wanted to get public IP addresses in order for their computers to become supernodes. Becoming a supernodes "cuts out the middleman" so that people calling you with Skype can directly open a connection to your computer. But your computer becomes the middleman for other people. Random people from around the world now route phone calls through your PC. Do you really want that? Can you be sure that there are no security holes in Skype (judging by how many times I has crashed with a memory leak error on me, I wouldn't be surprised if there are buffer overflow holes in it).
So, all VOIP is not the same. I'd argue that if you are a home user router-based VOIP systems (such as Vonage) increase security (by giving your computer a private IP address) whereas P2P-based VOIP systems (such as Skype) decrease security. If you're using VOIP at work, you're already on a private IP address range so the distinction isn't so wide. 
9:31:22 AM 
|
