ITWales.com

Keeping the VoIP house in order

by Jonathan Zar

The emergence of voice over IP as an affordable alternative to traditional telephony has ushered in a new wave of network security considerations.

The European Union is at the forefront of VoIP adoption. If we look at how new E1 line deployments in Europe are being set up, we see that fewer and fewer are being configured for TDM while more and more are being configured for IP.

The ratio of IP to TDM is predicted to rise from 3:5 to parity within two years. This is largely because organisations adopting voice, video and multimedia over IP stand to reap huge benefits in productivity and cost savings.

The dark cloud on the horizon is that, without precautions, these very technologies put the whole corporate infrastructure at risk. To a large extent, global industry has embraced the need for data network security, but we are only on the threshold of understanding the potential problems of the unprotected VoIP network, such as the phone mailbox jammed with unsolicited 'special offers', unauthorised eavesdropping, or losing voice communications because your network has run out of bandwidth.

VoIP security concerns apply beyond VoIP-enabled organisations. Companies, especially those with an eye to compliance or in highly data-sensitive areas such as finance, are increasingly placing a premium on doing business with organisations who can demonstrate that both their data and voice over IP communications are unlikely to propagate digital threats. Some of the most critical issues to consider when moving from a traditional telephone service to a VoIP network are quality of service, denial of service attacks, and endpoint security.

Without a firewall, companies have no network security and the endpoints, which need a public IP address in order to function, become accessible to anyone. Alternative solutions such as traversal technology, which allows VoIP traffic to bypass the firewall, or session border controllers, have inherent limitations. Most networks already have a firewall protecting the LAN as well as connecting remote sites and users through secure VPN technology and are therefore the most popular choice when adding facilities for VoIP. However, there are reasons why more aren't so VoIP-compliant.

First, the firewall must understand the VoIP it wants to protect. A smaller group of vendors provides scanning, intrusion prevention and other security services on VoIP. The VoIP-enabled firewall is gaining among IT managers because of its effectiveness, simplicity, and low.

For any successful VoIP implementation, three key factors must be considered: security, network interoperability and protocol support, and vendor interoperability.

VoIP encompasses a large number of standards that leave the door open to bugs in the software implementation. With PSTN, phones are just dumb terminals: all the logic and intelligence resides centrally in the private branch exchange (PBX) and there's not a lot an attacker can do to disrupt access to a PSTN network. With VoIP, the same bugs and exploits that hamper every operating system and available today can also hit equipment.

Without proper safeguards, VoIP calls are also vulnerable; an attacker can intercept a VoIP call and modify its parameters/addresses. This opens up the call to spoofing, identity theft, call redirection, and other attacks. Even without modifying VoIP packets, attackers can eavesdrop on conversations carried over a VoIP network. With a standard public switched telephone network (PSTN) connection, intercepting conversations requires physical access to phone lines or access to the PBX.

PSTN availability has reached 99.999%: attackers need physical access to telephone exchanges or have to cut the phone lines to have any impact. A simple denial of service attack aimed at key points in an unprotected VoIP network can or worse cripple, voice and data communications.

There is also the problem of interoperability and protocol support when integrating VoIP into an existing network security infrastructure. Because of complexities of VoIP signalling and it's difficult for VoIP to many types of firewall. Firewalls need to process the signalling protocol suites that consist of the message formats used by different systems. Just because two use the same protocol suite doesn't mean they interoperate.

The last element in a secure VoIP infrastructure is ensuring that the firewall interoperates with all of the devices used in the infrastructure. A list of devices includes IP phones, videoconferencing equipment, SIP and H.323 gatekeepers. It's largely up to the security appliance vendors to ensure they interoperate with VoIP infrastructure.

However, VoIP is a market where, until recently, you could buy interoperability without security or buy security without interoperability. Clearly this is not an acceptable choice and it's one of the driving factors behind the rapid growth of the Voice Over IP Security Alliance (VoIPSA). VoIPSA is a worldwide organization founded to help create global standards for VoIP technology, bringing together a worldwide network of global carriers, equipment providers, software and service companies, academics and policy experts, all working to ensure that the adoption of VoIP does not draw a train of network vulnerabilities and digital threats in its wake.

For any CXO managing a distributed operation - and that can be in any vertical for example retail, wholesale, manufacturing, government or simply branch offices - it makes sense to consider IP for voice and video as the best means of linking their sites, as long as these elements are factored into the planning stages. These need to be secured with firewalls at headquarters and branch, linked with either VPN or SSL tunnels, while the tunnels themselves must be capable of remote management to ensure quality of service. The wins are cost savings, convenience and the ability to integrate new voice and data features on an ongoing basis.

For a VoIP installation in a large facility, CTOs are looking to isolate traffic internally by department or function, so that sensitive data, including voice traffic, moves as isolated streams. In a hospital or a hotel, for example, they really want to make sure that administrative, financial, operations and guest data are all isolated from each other, and in some cases, from room to room, as well as being secured from external network threats. CXOs are looking for ease of management in administering and securing the voice network, or VLAN, along with the flexibility to isolate, filter and manage the content that flows within their networks.

EU research data indicates that CXOs as a group like to make purchases quickly once a need has been identified and funding allocated. The goal of VoIPSA is to take the guesswork out of decisions.



Jonathan Zar is Secretary to the Voice Over IP Security Alliance and Senior Director at SonicWALL Inc. SonicWALL is exhibiting at Infosecurity Europe 2006 from 25th - 27th April 2006 in the Grand Hall, Olympia. www.infosec.co.uk.


