This is largely because organizations adopting voice, video and multimedia over IP stand to reap huge benefits in productivity and cost savings. The dark cloud on the horizon is that, without precautions, these very technologies put the whole corporate infrastructure at risk. To a large extent, global industry has embraced the need for data network security, but we are only on the threshold of understanding the potential problems of the unprotected VoIP network -- such as the phone mailbox jammed with unsolicited special offers, unauthorized eavesdropping or losing voice communications because your network has run out of bandwidth.
VoIP security concerns apply beyond VoIP-enabled organizations. Corporate officers, especially those with an eye to compliance or in highly data-sensitive areas such as finance, are increasingly placing a premium on doing business with organizations who can demonstrate that both their data and VoIP communications are unlikely to propagate digital threats. Some of the most critical issues to consider when moving from a traditional telephone service to a VoIP network are quality of service (QoS), denial of service (DoS) attacks and endpoint security.
Without a firewall, companies have no network security and the endpoints, which need a public IP address in order to function, become accessible to anyone. Alternative solutions such as traversal technology, which allows VoIP traffic to bypass the firewall, or session border controllers, have inherent limitations. Most networks already have a firewall protecting the LAN as well as connecting remote sites and users through secure VPN technology and are therefore the most popular choice when adding facilities for VoIP security. However, there are reasons why some firewalls are not so VoIP-compliant.
First, the firewall must understand the VoIP protocols it wants to protect. A small group of vendors provides virus scanning, intrusion prevention and other security services on VoIP traffic. The VoIP-enabled firewall is gaining popularity among IT managers because of its effectiveness, simplicity, and low cost.
For any successful VoIP implementation, three key factors must be considered: security, network interoperability and protocol support, and vendor interoperability.
VoIP encompasses a large number of complex standards that leave the door open to bugs in the software implementation. With standard public switched telephone network (PSTN), phones are just dumb terminals -- all the logic and intelligence resides centrally in the private branch exchange (PBX) and there is not a lot an attacker can do to disrupt access to a PSTN network. With VoIP, the same bugs and exploits that hamper every operating system and application available today can also hit VoIP equipment.
Without proper safeguards, VoIP calls are also vulnerable; an attacker can intercept a VoIP call and modify its parameters/addresses. This opens up the call to spoofing, identity theft, call redirection and other attacks. Even without modifying VoIP packets, attackers can eavesdrop on conversations carried over a VoIP network. With a PSTN connection, intercepting conversations requires physical access to phone lines or access to the PBX.
There is also the problem of interoperability and protocol support when integrating VoIP into an existing network security infrastructure. Because of the complexities of VoIP signalling and protocols it is difficult for VoIP to traverse many types of firewalls. Firewalls need to process the signalling protocol suites that consist of the different message formats used by different VoIP systems. Just because two vendors use the same protocol suite does not mean they interoperate.
The last element in a secure VoIP infrastructure is ensuring that the firewall will interoperate with all of the VoIP devices used in the infrastructure. A partial list of devices includes IP phones, videophones, videoconferencing equipment, Session Initiation Protocol (SIP) proxies and H.323 gatekeepers. It is largely up to the security appliance vendors to ensure they interoperate with VoIP infrastructure devices.
However, VoIP is a market where, until recently, you could buy interoperability without security or buy security without interoperability. Clearly this is not an acceptable choice and it's one of the driving factors behind the rapid growth of the VoIP Security Alliance (VOIPSA). VOIPSA is a worldwide organization founded to help create global standards for VoIP technology, bringing together a worldwide network of global carriers, equipment providers, software and service companies, academics and policy experts, all working to ensure that the adoption of VoIP does not draw a train of network vulnerabilities and digital threats in its wake.
For executives managing a distributed operation -- and that can be in any vertical, for example: retail, wholesale, manufacturing, government or simply branch offices -- it makes sense to consider IP for voice and video as the best means of linking their sites, as long as these elements are factored into the planning stages. These need to be secured with firewalls at headquarters and branch, linked with either virtual private network (VPN) or Secure Sockets Layer (SSL) tunnels, while the tunnels themselves must be capable of remote management to ensure quality of service. The wins are cost savings, convenience and the ability to integrate new voice and data features on an ongoing basis.
For a VoIP installation in a large facility, chief technology officers (CTO) are looking to isolate traffic internally by department or function, so that sensitive data, including voice traffic, moves as isolated streams. In a hospital or a hotel, for example, they really want to make sure that administrative, financial, operations and guest data are all isolated from each other, and in some cases, from room to room, as well as being secured from external network threats. Executives are looking for ease of management in administering and securing the voice network, or virtual LAN (VLAN), along with the flexibility to isolate, filter and manage the content that flows within their networks.
EU research data indicates that executives as a group like to make purchases quickly once a need has been identified and funding allocated. The goal of VoIPSA is to take the guesswork out of decisions.
SonicWALL is exhibiting at Infosecurity Europe 2006 which is Europe's number one Information Security Event. Now in its eleventh year, Infosecurity Europe continues to provide an unrivalled education program, new products and services, with over 300 exhibitors and 10,000 visitors from every segment of the industry. Held on April 25 – 27, 2006 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in Information Security.
This was first published in April 2006