NEW YORK -- If there was one strong message about VoIP at Interop yesterday, it was be afraid. Be very afraid.
A panel of experts outlined for about 30 onlookers current and future VoIP security threats, and offered them potential remedies. Though the conference was called "The Top Five VoIP Security Challenges and What You Can Do About Them," none of the panelists could agree on the same five.
"There is no way to narrow it down to just five," said Richard DeSoto, director of IP telephony solutions at Extreme Networks.
One thing the group did agree on, though, is that VoIP security should be treated just like data security. Users should ensure that they have protection from a voice-aware firewall; that they have security at three key network layers -- core, edge and endpoint; and that remote access uses a VPN.
David Endler, director of security research for 3Com Corp.'s TippingPoint division, called VoIP a "moving target" for growing threats.
"VoIP is going to experience … a tipping point," he said, explaining that once the technology flourishes, attacks will become more commonplace.
"VoIP is not a lot different than data security," he said.
DeSoto agreed that DoS attacks rank highest of VoIP security fears. He added that Trojan horses, worms and viruses are also becoming more prevalent, along with DHCP attacks like eavesdropping.
He said authentication and encryption, firewalls, session border control products, routers and gateways are all necessary to keep VoIP intrusions at bay. The routers and application layer gateways, he said, must be voice-aware to ensure that voice packets receive priority over data packets to cut latency.
"VoIP security must be part of your overall security policy," he said.
Rob Smithers, CEO of Miercom, a network product testing and analysis group, said the potential for attacks lies in VoIP product vulnerabilities.
Smithers outlined a recent attack, which occurred on a West Coast municipality's voice system about a month ago. That attack, he said, shut down about 2,000 IP phones for six hours after someone introduced to the network a virus that came in through an e-mail.
"The threats are real," he cautioned. "You will see this."
Smithers suggested anyone planning to deploy VoIP should look into a way to monitor and intercept any threats that could come in. He said companies should plan to spend roughly 20% of their VoIP budget on security.
"Do spend money and resources on VoIP security to keep the network healthy," Smithers said.
The best advice, Smithers said, is to run pre- and post-deployment site surveys and security audits, integrate a unified threat management system and purchase a tool that monitors the quality of the VoIP system.
Members of the audience, which was evenly split between companies that use VoIP and those that are considering it, went away a bit frightened, but many said they understand security threats are a reality that must be dealt with for any technology.
"The technology is heading that way and you have to move along with it to survive," she said. "But now there are definitely some things I'm going to make sure I require [from a vendor] before we deploy."
Glenn Allison, the voice and data team leader for W.W. Grainger, said he also worries about VoIP security breaches, but when managing roughly 8,000 VoIP phones, keeping on top of current and potential threats can be daunting.
"To stay current is a very huge undertaking," he said.
W.W. Grainger, a North American supplier of facilities maintenance products, uses Cisco Call Manager, which runs on a Microsoft-based operating system. Though the voice system there never suffered an attack, Allison said, keeping current on the Microsoft patches and fixes to keep the system secure has been tough.
However, after hearing the panel's advice, Allison said he plans to run an assessment of the company's VoIP network to ensure there are no vulnerabilities.