The next open relay: VoIP

In the mid to late 90s, the worst thing your organization could do was to have an open SMTP relay on your network. Spammers would use your mail server to send their spam, which would lower the reputation of your server and get you blacklisted. The next ‘open relay’ is likely to be insecure VoIP servers, and unlike SMTP, VoIP is likely to cost you real money.

I have heard all of the arguments about why you need to run an insecure SIP gateway: your users are spread out, they all use different clients or IP phones, etc. These are the exact same arguments that were made for why organizations ran open SMTP relays. The fact is that there are thousands of infected hosts on the Internet right now looking for exploitable VoIP/SIP gateways, and whose fault is it if someone uses your SIP gateway without your permission? Yours.

There are all sorts of reasons why open SIP gateways are very valuable to criminals: they can make international phone calls to their buddies on your dime, they can use your system to run identity theft rings, they can sell phone service to their “customers”, who ultimately use your system, and all sorts of other things which will cost you big.

So before you decide to jump into 2005 and put your phone system on the Internet, consider the ramifications and the lessons from the past. As bad as open SMTP relays were/are, they are nothing compared to the trouble which will be caused by the trend of open SIP proxies if it continues.


