This article can also be found in the Premium Editorial Download "Information Security magazine: CISO survival guide: 18 of the best security tips."
Download it now to read this article plus other related content.
It's Your Call
IP telephony saves money and resources, but don't ignore security. by Neil Roiter
IP telephony is going mainstream. The cost savings of deploying, expanding and maintaining a converged network rather than separate voice, data and video infrastructure is too good to ignore. Frost & Sullivan recently reported that the North American enterprise IP telephony endpoint market revenues hit $1.02 billion in 2006 and predicts it will reach $2.79 billion in 2011.
As with any emerging technology, there's some confusion over security. It hasn't been much of an issue with traditional phone systems.
"It's been the most mission-critical and reliable application in the environment," says Gartner research analyst Lawrence Orans. Now, "It's just another application on top of the data network. The IP-PBX becomes just another vulnerable server."
But a server that controls the most important business application. Denial-of-service attacks against the IP-PBX or the network could bring business to a crashing halt.
"We haven't seen the kind of high-profile attacks on voice as we saw on the data side," says Orans. "That doesn't mean you shouldn't take precautions." He says targeted attacks will increase as IP telephony deployment grows.
Almost without exception, IP telephony is contained internally; the IP-PBX connecting to traditional communications infrastructure.
"The threat is still relatively low. IP telephony will become a more lucrative target as there are more vectors of attack," says Mark Collier, CTO of telephony security company SecureLogix. "There's little visibility outside of the perimeter."
Gartner advises to protect the IP-PBX the same way as any critical server, including a network firewall that supports VoIP protocols, including SIP, H.323 and the various proprietary protocols, depending on the IP-PBX vendor. Separate VLANs and bandwidth controls help assure quality of service.
"What you need to do is basic network security," says Collier. "We recommend an audit. Most threats can be eliminated by configuring correctly, fixing the dumb stuff. You should still have a traditional firewall; it's too early for a VoIP-specific firewall."
That will probably change over time. There are VoIP-based attack tools, mostly based on SIP. Although IP telephony providers like Cisco, Avaya and Nortel use proprietary protocols, market pressures are bound to push them toward SIP over time.
Sipera Systems' Viper Lab regularly discloses vulnerabilities in SIP systems. Sipera, along with companies like Natural Convergence and BorderWare, offer specialized VoIP security products.
"Many enterprises, primarily financial and health care, know these attacks are possible and are taking measures now rather than wait for an attack," says Krishna Kurapati, Sipera CTO.
Further, financials rely heavily on instant messaging for trading, including SIP-based applications like MS Office Communicator and Lotus Sametime. SIP security products may make sense for these companies, and for SIP-based voice going forward.
"IP telephony can be secured," says Gartner's Orans. "We advise our clients to move ahead if it makes sense to the business, and protect it properly."
Neil Roiter is Information Security senior technology editor.
This was first published in July 2007