Denial-of-service attacks against VoIP systems are still the biggest security threat, according to experts. Beyond that, other frequently mentioned risks, like eavesdropping and voice spam, are not much more than hype.
But from startups to major players, numerous vendors are capitalizing on VoIP concerns, introducing a host of products to protect and monitor VoIP networks. In a push to alleviate some of those concerns and show companies where they should focus their security needs, the VoIP Security Alliance (VoIPSA) recently introduced its "Threat Taxonomy," a reference document listing the threats a VoIP system could face.
"There's a lot of hype about VoIP security," said Lawrence Orans, a research director at Gartner Inc. in Stamford, Conn. "There's hype about Spam over Internet Telephony. There's hype about eavesdropping. These aren't concerns that businesses should have at the top of their priority lists."
Orans said denial-of-service attacks should be a company's biggest concern.
A recent Gartner study predicted that by 2010, voice spam will be less than 5% as prevalent as e-mail-based spam messages. That's not much of a threat, according to Orans, given that Gartner predicts that by the end of 2005, more than 10 million people will be using VoIP.
Orans said because so many companies are unsure of what threats they could face, VoIPSA's taxonomy has become a necessity. He said many companies using or planning to use VoIP are questioning such a system's security, and media hype surrounding the potential for SpIT attacks has shaken a number of would-be VoIP users.
"[The taxonomy] is important so everyone understands exactly what the threats are," he said of the taxonomy. "There's a lot of confusion about VoIP security, and a taxonomy is critical."
The taxonomy highlights a cooperative effort to identify and define VoIP security threats, covering not just voice communication, but text, video and instant messaging as well.
"There really was nobody focused on security and privacy for VoIP," Zar said. He said several users are concerned about their VoIP systems' security, but for different reasons. In other words, he said, "Everybody was touching a different part of the elephant."
"Very simple attacks can take down a system," Zar continued. "There are major gaps, misalignment of people and miscalibrating. Folks just aren't talking the same language. We really wanted to anchor security and privacy."
A recent survey conducted by Framingham, Mass.-based research firm IDC for the Computing Technology Industry Association found that less than half of small and midsized businesses (SMBs) in the U.S. trust the security of VoIP systems. The study suggests that 60% of SMBs had encountered disruptions of voice or data communications and 70% indicated that the disruptions resulted in material loss. Conversely, a mere 8% said the disruptions put the viability of the business in jeopardy.
Orans said while threats against VoIP systems are still in their infancy, companies should keep abreast of what's on the horizon. Firewalls and intrusion prevention systems (IPS) offer the most protection, Orans said.
"The biggest risk is [that] someone would launch a denial-of-service attack against your PBX," he said. "You have to put the PBX behind a firewall. Not just any firewall, but one that can filter over IP telephony protocol."
Orans said Cisco Systems Inc.'s Call Manager is bundled with the vendor's Host IPS software.
"The leading vendors are moving in that direction for a standards-based protocol," he said. "You need to make sure the protocol you're using is supported by the firewall."
Along with Cisco, vendors like VoIPshield Systems Inc., Network Instruments and several others, have launched products so companies can keep tabs on trouble in their VoIP systems.
"[Dynamic Threat Mitigation software] dynamically takes any threat and deals with it there and then, in real time," said Dean Sheffield, voice solutions marketing manager at Juniper. "When the intrusion detection and prevention product detects an anomaly in SIP, it puts the call on hold, sends the user to a capture portal and explains why the call has been dropped."
Sheffield said securing a VoIP network is "not rocket science," but noted Juniper has taken a different approach by protecting at the SIP level.
"If you lose your voice system, the productivity and financial impact is critical," he said. "The dynamic and real-time nature of VoIP means it also needs to be protected in real time."
Scott Heinlein, also a Juniper solutions marketing manager, added that several companies fall short by only protecting their voice networks at the signaling or application levels, but "to fully secure a VoIP network, you really need to look at both parts of it."
Like Orans, Heinlein said firewalls and VPNs are a necessity, but can't defend against every type of attack.
"Enterprises need to make sure someone can't enter the PBX because there's a number of things that can happen," Heinlein said. If a PBX is breached, Heinlein said the attacker could listen to voice mail, access call logs, make calls posing as someone else and listen in on calls.
This article originally appeared on SearchEnterpriseVoice.com.