QUESTION & ANSWER

Avoiding a VoIP security 'judgment day'

By Eric B. Parizo, News Editor 01 Mar 2005 | SearchEnterpriseVoice.com

Digg This!     StumbleUpon     Del.icio.us

But David Endler, the first chairman of the newly created VoIP Security Alliance and director of security research for 3Com Corp. subsidiary TippingPoint Technologies Inc., doesn't buy it. SearchEnterpriseVoice.com spoke with Endler this week about his group's mission, what it takes to keep voice networks safe and why organized crime might soon be interested in VoIP attacks.

What is the mission of the VoIP Security Alliance?
David Endler: Our mission is to become the central authority on VoIP security, and provide a repository of resources to raise awareness and educate the industry.

As soon as it becomes lucrative to launch those kinds of [VoIP] attacks, then you can expect to see a huge surge, similar to what happened in the realm of spyware. David Endler

A year ago, when many of [TippingPoint's] customers were considering rolling out VoIP, we came to the conclusion that there wasn't a central place where someone could go and answer fundamental questions about VoIP security, specifically regarding best practices for secure deployment, configuration and network design.

Including vendors and other organizations, the group already has nearly 50 members. What's at the top of your agenda?
Endler: In the near term, we want to educate people on fundamental security strategies to apply on their voice networks, and apply best practices on a vendor-neutral basis. In the next year or two, we're going to see an explosion in VoIP deployments, and as the accessibility and popularity of any particular technology grows, the potential threats increase. It was the same with Wi-Fi. You'll have attackers who have a bigger sandbox for playing with this technology. We'll see a rise from the elite few who know what they're doing to massive groups of "script kitties."

With so many VoIP vendors and so many kinds of implementations, is it possible to foster industry-wise security best practices among vendors?
Endler: I think so. In fact, I think you'll find that, because so many of the vendors are involved with this project, it'll be vendor neutral. I think there are some general recommendations that people can apply regardless of their specific architecture. Things like a threat taxonomy that identifies what the real threats are, testing tools and methodologies, and configuration checklists for network design.

Is it possible to raise VoIP security awareness, or must a successful high-profile VoIP attack happen first?
Endler: It's only a matter of time before tools are released to exploit certain VoIP networks, and there are already a variety of vulnerabilities that affect the infrastructure components that VoIP systems use, like servers and routers. We want to raise the bar when it comes to those best practices so that the necessary security requirements are met.

When you get a call on your Caller ID, it may look like a call from your bank when it's really someone trying to get your personal information. David Endler

Are there specific kinds of VoIP network attacks that will become more common over time?
Endler: Quite frankly, the most prevalent threats to VoIP are the same threats that endanger the data network, but in some cases those threats can take on an increased impact. For instance, if your data network is under a DoS attack, your systems can have a slower-than-normal response. If a call center is under attack, it may mean that a 911 call is hard to hear because of latency, or might not go through at all. But over time you'll see attacks specific to VoIP applications, like caller spoofing, toll fraud, call hijacking and call redirection.

When will that be?
Endler: As soon as it becomes lucrative to launch those kinds of attacks, then you can expect to see a huge surge, similar to what happened in the realm of spyware. It's become a hugely lucrative enterprise for organized crime, and there are tools and templates for rolling out new threats and convincing people to load malicious apps on the desktop. Eventually, you'll see auto-generated toolkits that let people make free phone calls.

Or, in terms of social engineering, you see a sort of phishing but in a voice manner. When you get a call on your Caller ID, it may look like a call from your bank when it's really someone trying to get your personal information. Or if someone calls you and asks you for your password and the call looks like it's from your IT group, you're more likely to give out that information. The infrastructure for these kinds of exploits is just starting to get rolled out.

Most of the major VoIP vendors have already signed on, although one notable exception is Cisco Systems. Has Cisco been approached about joining?
Endler: Absolutely, and it's considering how it wants to be involved. There are a lot of groups that have been invited and are shopping it around for approval within their organizations. Typically, we'll get the technical point of contact excited, but he needs to wait around for the final authority from the mothership.

((Content component not found.)) Can any particular protocol -- like Session Initiation Protocol or H.323 -- make an enterprise more vulnerable?
Endler: Part of the problem in that question is that the state of security research around VoIP is very young. It's at the tip of the iceberg. There's been some research done that's uncovered vulnerabilities in SIP and H.323 that were publicized two or three years ago, but surely there will be many more things to come. But it all depends on how vendors implement those protocols. It's not the protocols that are vulnerable, it's how vendors choose to implement them.

More information on VoIP Better watch what you say Spitting on VoIP

Finally, what will the organization focus on during the next few months?
Endler: This week we're electing committee chairs for various groups such as research, best practices and community outreach, and within another week we'll issue a general call for participation in our near-term projects. We'll know exactly what those are after the elections.

This interview originally appeared on SearchEnterpriseVoice.com.

Tags: VoIP QoS and VoIP Security,  VoIP Protocols,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT VoIP QoS and VoIP Security Linking VoIP islands: The value of SIP trunking SIP trunking ROI: Linking VoIP islands and more The benefits of linking VoIP islands Mobile IP networks: An overview Tutorial: VoIP ROI VoIP implementation study guide How will VoIP impact the quality of phone calls on our network? How does one cope with echo in a VoIP-enabled network? What's the best way to use an echo canceller? Does implementing VoIP security affect the QoS? How would one handle it, if it does? IBM, Avaya deals signal IP telephony quality control's coming of age VoIP Protocols How can MPLS help in VoIP implementation between a parent company and its branch offices? HD voice value proposition: Just try using an HD phone SIP trunks a no-brainer for VoIP rollouts Digium's Asterisk PBX does God's work at Midwest church Microsoft's Real-Time Codec (RTC) for VoIP optimization Is there a difference between VoIP and IP telephony? VoIP for the globe-trotting frequent traveler SIP tutorial Springer Handbook of Speech Processing Top 10 VoIP tips for 2007

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary vishing  (SearchUnifiedCommunications.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary