Voice over IP (VoIP) brings converged networks security challenges that never existed for the data network or traditional telephony. In this VoIP security series, industry expert Gary Audin reveals these IP telephony threats, the added costs of securing VoIP, and how your organization can keep VoIP secure.
Security requires constant vigilance. The security job is never finished. Security is all about the protection of resources -- data, devices, networks, applications and people. While access to these resources is the goal of the user, securing access to these resources means the administrator of the resources wants to limit, even prevent, that access. These two goals are at odds: The most secure environment is one that prevents any access, which is contrary to the business needs of an enterprise.
Enterprises already have many security problems with their data network infrastructure, servers, desktops and software. Adding voice over IP (VoIP) and IP telephony (IPT) to the mix only compounds the security problems. VoIP and IPT will have all of the security problems that the data organization has, plus new threats and vulnerabilities.
What's new about VoIP security?
There are several security issues with VoIP networks:
VoIP security vs. voice quality
It may not be apparent, but security tools and solutions will conflict with voice quality. The more barriers there are in the network and endpoints for security purposes, the more interference there will be with voice quality.
One of the first issues is the firewall. The firewall can block calls because it cannot process the signaling or dynamically allocate the UDP ports for the calls to pass through it. Firewalls may not read the QoS markers in the voice packet, thereby degrading the packet delivery service. Other issues include:
The security vs. voice quality conflict will be hard to resolve. The voice manager, obviously, does not want poor-quality calls. If the calls are poor, then why have calls travel over the data network in the first place? The security manager does not want to open the network and endpoints to security exposures that will not only compromise the voice services but weaken the data functions as well. This will require a great deal of negotiation and compromise. Security is important, but not at the cost of an unacceptable voice service.
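As an added illustration of the firewall point above (not code from the article or from any vendor's product), the Python below reads the SDP body of a constructed SIP INVITE and derives the UDP pinholes a signaling-aware firewall would have to open for that call. The function name, the sample message and the convention that RTCP uses the port after RTP are assumptions of this example.

```python
import re

# Constructed, abridged SIP INVITE with an SDP body; addresses are documentation ranges.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 0 RTP/AVP 31\r\n"
)

def media_pinholes(sip_message):
    """Return (ip, udp_port, purpose) tuples that must be opened for the call's media."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        return []  # no SDP body, so the message negotiates no media ports
    session_ip, media = None, []
    for line in body.splitlines():
        m = re.match(r"m=(\w+) (\d+)(?:/\d+)? (\S+)", line)
        c = re.match(r"c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})", line)
        if m:
            media.append({"kind": m.group(1), "port": int(m.group(2)),
                          "proto": m.group(3), "ip": None})
        elif c and media:
            media[-1]["ip"] = c.group(1)   # media-level address overrides the session one
        elif c:
            session_ip = c.group(1)
    pinholes = []
    for s in media:
        ip = s["ip"] or session_ip
        # Port 0 means the stream is declined; skip it and anything that is not RTP.
        if not 0 < s["port"] < 65535 or ip is None or not s["proto"].startswith("RTP/"):
            continue
        pinholes.append((ip, s["port"], s["kind"] + " RTP"))
        pinholes.append((ip, s["port"] + 1, s["kind"] + " RTCP"))  # assumed RTP+1
    return pinholes

if __name__ == "__main__":
    for hole in media_pinholes(SAMPLE_INVITE):
        print(hole)
```

A firewall that cannot do this per call has to either drop the media or leave a wide static UDP range open, which is the trade-off the section describes.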
Finding vulnerabilities
There are two sites that demonstrate the software security threats to the data functions. These lists now include VoIP/IPT vulnerabilities. Both lists are funded by the federal Homeland Security Administration. The first is hosted at Mitre. This site has a dictionary of standardized names and descriptions for Common Vulnerabilities and Exposures (CVE). The second site hosts the National Vulnerability Database at the federal National Institute of Standards and Technology (NIST). The NIST site has about 21 additional security vulnerabilities listed every day. I searched on both sites in early February 2007 and found the number of VoIP/IPT vulnerabilities listed in the following table.
[TABLE]
The two sites overlap but do not have exactly the same lists. The published vulnerabilities have patches available from the vendors. The sites are not as up-to-date as individual vendors' lists, so check with your vendor as well as these two sites. The NIST site also evaluates the severity of the security problem. A severity rating of 1 is the lowest and 10 is the highest. Most of the vulnerabilities are rated between 3 and 8. I strongly recommend accessing these sites in order to learn of the types of vulnerabilities that are occurring in VoIP/IPT.
Cost to the enterprise
Tangible and measurable monetary costs -- which can accrue to an enterprise when security problems occur -- will include the following:
Case studies published in the article "The Cost of Network Downtime" show that one hour of downtime can cost an enterprise up to $96,632. What if the network and voice service need to be shut down for one hour to resolve a security problem? Costs that are hard to calculate include the loss of future business caused by bad publicity about the security breach, as well as the loss of market share to competitors.
VoIP security: Where do you start?
Assume an attack will occur and probably be successful. You will always have a limited budget, so you will have to prioritize the allocation of the budget. Start looking at the core components: storage, applications, servers and network. Locate the most valuable and sensitive resources. Evaluate the security risks to these resources. You need to protect these resources first. Work outward to less valuable, less sensitive resources. The suggested order of protection is the call server first, then the trunk gateway, next the media gateway, then the softphones, and finally the IP phones.
The discussion of security issues for VoIP/IPT will continue in several more tips. These tips will cover:
About the author:
Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks, as well as VoIP and IP convergent networks, in the U.S., Canada, Europe, Australia and Asia.