VoIP security is still a gray area.
As the technology continues its swing into widespread adoption, more and more threats and vulnerabilities are bound to arise, and according to Cindy Bellefeuille, director of security solutions for Verizon Business, companies are right to be worried.
"They're well-placed concerns," she said, noting that while she doesn't want to be a "scaremonger," the potential for threats is becoming obvious.
According to an annual survey by Distributed Networking Associates, "concerns about security" were the primary inhibitor to VoIP adoption in 2005 and 2006. Security concerns included fraud, privacy, loss of service, denial of service, viruses and VoIP spam. Other vulnerabilities can also arise when new hardware, software, infrastructures and applications are introduced to the network.
With that in mind, Verizon Business recently announced a VoIP Security Assessment Service designed to provide an overall evaluation of the VoIP system and find any holes, flaws or vulnerabilities.
Bellefeuille said the service, which was officially announced last week, can help network operators and architects determine and manage VoIP security risks.
The assessment combines a review of a company's security policies and an analysis of the LAN and WAN architecture. The evaluation process is broken into four parts, using a methodology based on industry best practices and the threat categories and guidelines developed by the National Institute of Standards and Technology.
The four phases of the assessment are:
- A VoIP architecture review, which includes a comprehensive assessment of VoIP network architecture to identify specific performance criteria and security objectives in terms of overall risk profile. The review focuses on segmentation of VoIP traffic, presence of dedicated firewalls and VoIP servers and the use of VPNs.
- Network and device penetration testing and risk assessment, which scans all VoIP-related devices and underlying network hardware and software for vulnerabilities that could allow unauthorized access, including finding rogue devices and PC-based phones, or softphones. The assessment also evaluates and verifies access control lists, open ports and out-of-date software patches.
- An evaluation of standards, policies and procedures, which reviews a company's existing policies and procedures associated with the overall risk exposure and tolerance. The evaluation focuses on policies related to personal handsets, softphones, connection of VoIP devices to the LAN, intrusion detection systems, and VoIP traffic encryption.
- A discussion of the findings and an action plan, during which the assessment's findings are detailed with a focus on vulnerabilities that were discovered. Detailed remediation plans, with prioritized recommendations for improving overall security, are also discussed.
Bellefeuille said that if the assessors uncover a high-priority vulnerability, risk or threat during any of the four steps, the company can be notified before the findings are presented, to avoid further risks.
The assessment process can ease the minds of a company's network and telecom pros, Bellefeuille said, by helping them ensure that their VoIP system is not vulnerable to attack or by detailing for them how to make sure an attack won't happen.
And with VoIP adoption predicted to rise in coming years, the demand for security assessment will also bloom.
According to research firm IDC, the demand for premises and network-based VoIP services is expected to grow significantly over the next five years, with revenue increasing from $2.9 billion to $6.9 billion. IDC suggests that growth, coupled with a corresponding increase in application-driven business processes and network complexity, will drive security awareness and requirements.
"The VoIP security assessment service launched by Verizon Business offers a comprehensive approach to identify, assess and mitigate potential threats to VoIP systems," said a statement by William Stofega, research manager for IDC's VoIP services. "Despite the growing interest in VoIP, security remains a primary customer concern. This type of security assessment service, with its focus on equipment, policies and network architecture, can be highly beneficial in helping to safeguard next-generation VoIP networks."