It's not that companies aren't interested in the best possible security for technologies like voice over Internet protocol (VoIP). It's just that they're unwilling to put up with the network performance issues deeper defenses can cause. Check Point Software Technologies has unveiled a new Open Performance Architecture it believes will offset the problem.
The Israeli enterprise security vendor describes the Open Performance Architecture as an acceleration framework that combines security with high levels of performance and reliability, allowing deep security inspection at multi-gigabit speeds. This framework is a component of Check Point's Unified Security Architecture and is now available in its VPN-1 line of network security gateways.
Dave Burton, Check Point's product marketing director, said many organizations are rolling out technologies like VoIP without the necessary due diligence on security. One reason is that deeper security scans can become impractical because of the throughput problems they cause. The new Open Performance Architecture will help solve the problem, he said.
"Customers have had throughput issues that made deep inspection not so practical," Burton said. "But [the architecture's Core XL-based technology] allows a strict level of application protection at the necessary speed. It means more inspection of VoIP traffic without having to take a performance hit."
The new architecture arrives as an increasing number of security experts worry that technologies like VoIP are being deployed far faster than companies can properly secure them.
The Bethesda, Md.-based SANS Institute recognized the VoIP problem in its November 2006 Top 20 attack targets list. Attackers can exploit VoIP to change what you hear and cause huge outages.
"There are a large number of security risks that should be considered for a converged data and VoIP network, primarily denial of service, loss of confidentiality and having someone else use your service," said Stephen Northcutt, training and certification director at the SANS Institute. "Security vendors like Check Point, TippingPoint and Cisco sell devices that are looking at packets anyway, so it makes all the sense in the world to converge VoIP protection with data protection."
But in the final analysis, he said, all the security technology in the world won't help stem the tide of such threats if IT administrators aren't being trained properly to deal with the risks.
"My advice is to invest a bit of that savings into getting an engineer trained to look at and troubleshoot VoIP protocols," he said. "When the new converged network is down and nothing works, no data, no voice, no video, you do not want to be depending on a technology you do not understand."