The vulnerability of Cisco IP phones to denial of service attacks doesn’t appear to be fazing New Zealand IT managers.
Users have to realise the technology’s security limitations, they say.
Bay of Plenty District Health Board IT systems manager Grant Ardern says most businesses will have more mission-critical applications that are vulnerable to denial of service (DoS) attacks than just the phone system. “It’s up to businesses to protect themselves,” Ardern says.
Cisco announced late last month that its 7910, 7490 and 7960 phones could be vulnerable to attacks by web-based hackers using common DoS programs, which aim to overload internet servers.
Such an attack could make a Cisco IP phone restart, cutting off calls, and the same result could be achieved by sending invalid HTTP requests to a web server running on some IP phone set-ups. The latter method won’t work on phones equipped with SIP (session initiation protocol) and MGCP (media gateway control protocol) software, though DoS programs can be used against the software.
Cisco has issued a patch that protects its IP phones, and its website warns that “a successful attacker could gain full control over the operation of the IP phone and any call set-up requests and responses made between the IP phone and Cisco CallManager software or other VoIP gateways”.
Ardern says the warning and patch highlight the need for an efficient firewall.
On the question of insider attacks, “if someone wants to have a go, it would be a potential problem but any phone system is vulnerable to an insider attack”.
“IP phones are in the same basket as any other application that runs off servers.”
Peter Mangin, IT manager at advertising agency FCB, says DoS attacks are a fact of life.
The agency’s PC and Cisco IP phone networks occupy separate VLANs, he says. “We know there can be problems with DoS attacks and hence our networks can’t see each other.”
Neil Miranda, IS coordinator at the Ministry of Social Policy, which has one of the biggest Cisco IP telephony installations in the world, says Cisco’s telephony delivery is based on a system that has Microsoft NT Server as part of its platform attributes, “and it’s too proprietary and too open to attacks from the hacker world”.
It’s up to organisations that implement Cisco IP telephony to realise its security limitations and act accordingly, he says.
“We have stringent firewalls and in the open systems area we use Netscape and other non-Microsoft product. And while we rely heavily on Cisco for IP, I made sure our CallManager software is behind a zone that is well protected.
“People in the IP telephony world need to understand the environment they subscribe to and what additional measures they need to protect themselves,” says Miranda.