Employing penetration testing as an audit methodology for the security review of VoIP: Tests and examples

Theodore Tryfonas (University of Glamorgan, Pontypridd, UK)
Iain Sutherland (University of Glamorgan, Pontypridd, UK)
Ioannis Pompogiatzis (COSMOTE SA, Greece)

Internet Research

ISSN: 1066-2243

Article publication date: 6 February 2007

Abstract

Purpose

The purpose of this paper is to discuss and amalgamate information security principles, and legal and ethical concerns that surround security testing and components of generic security testing methodologies that can be applied to Voice over Internet Protocol (VoIP), in order to form an audit methodology that specifically addresses the needs of this technology.

Design/methodology/approach

Information security principles and the legal and ethical concerns that surround security testing are amalgamated with components of generic security testing methodologies that can be applied to VoIP. A simple model of a business infrastructure (core network) for the delivery of enterprise VoIP services is created, and the selected tests are applied through a methodically structured action plan.

Findings

The main output of this paper is a testing plan (audit programme), documented in detail, for the security review of a core VoIP enterprise network infrastructure. A further output is a list of recommendations for good testing practice, based on the testing experience and derived during the methodology evaluation stage.

Research limitations/implications

The methodology in the paper does not extend at the moment to the testing of the business operation issues of VoIP telephony, such as revenue assurance or toll fraud detection.

Practical implications

This approach facilitates the conduct of security reviews and auditing in a VoIP infrastructure.

Originality/value

VoIP requires appropriate security testing before its deployment in a commercial environment. A key factor is the security of the underlying data network. If the business value of adopting VoIP is considered then the potential impact of a related security incident becomes clear. This highlights the need for a coherent security framework that includes means for security reviews, risk assessments, and influencing design and deployment. In this respect, this approach can meet this requirement.

Citation

Tryfonas, T., Sutherland, I. and Pompogiatzis, I. (2007), "Employing penetration testing as an audit methodology for the security review of VoIP: Tests and examples", Internet Research, Vol. 17 No. 1, pp. 61-87. https://doi.org/10.1108/10662240710730506

Publisher

Emerald Group Publishing Limited

Copyright © 2007, Emerald Group Publishing Limited
