Imagine an intruder found his way into your VOIP network undetected and began listening to any conversation he chose, extracting sensitive information, company secrets or even details he could use to blackmail your CEO. Last month, a company called Internet Security Systems (ISS) issued an alert to warn users that Cisco's VOIP offering had a security flaw that would allow just that. According to the company, this implementation flaw in Cisco's Call Manager, which handles call signaling and routing, could allow a buffer overflow that would grant an intruder access to the system to listen in on all calls routed through it.
This is one scenario described by ISS and other vendors focused on selling technology to plug the security holes in VOIP, a method for sending voice traffic over IP that many say was not designed with security in mind. ISS and its competitors, which come to this new field largely from the VOIP management and IP security markets, forecast big risks for companies that don't take VOIP security seriously, and undoubtedly look forward to formidable revenue streams generated by those that do.
Growing pains
VOIP "is going to have growing pains when it comes to security," says Neel Mehta, team lead with ISS's X-Force research and development group. "It's still an emerging threat, but one we take very seriously."
This group of vendors, which includes BorderWare, Secure Logix and NFR, urges the use of such security appliances as firewalls that are specifically designed to filter VOIP traffic for suspicious patterns and drop those connections.
Yet it's difficult to find a company that has suffered at the hands of VOIP abusers, be they spammers clogging voice mail boxes with unwanted messages, intruders listening to phone conversations or scammers masking their true identity. So far, the threats appear to be largely hypothetical (see graphic).
"I don't think there's a whole lot of real threats right now," says Irwin Lazar, senior analyst with Burton Group. "VOIP is still pretty much a closed system; almost no company exposes their VOIP system to the Internet." However, once that changes and companies start publicizing their SIP addresses used in VOIP communications on business cards and Web sites, security will become essential, he says.
For the moment, VOIP security does not appear to be at the forefront of IT managers' minds.
Last year, VOIP management vendor Qovia announced it had filed a patent covering a technique for catching VOIP spam, considered to be one of the more immediate threats to these networks. Qovia planned to release this spam-catching module last year, but hasn't yet done so, because of lack of market interest, says Pierce Reid, Qovia's vice president of marketing.
Hot topics
However, Reid says interest in such products is beginning to pick up, adding that security issues are now hot topics at VOIP events. "Part of what we wanted to do a year ago was helping to raise awareness in time to protect ourselves before we're hit" with VOIP threats, Reid says. The company plans to announce its anti-spam product's availability later this year.
When the city of Jacksonville, N.C., installed Cisco's VOIP equipment about three years ago, the organization focused on cutting costs, and security wasn't a primary concern, says Bobby Parrish, senior IT specialist for the city. Nonetheless, his group took a few steps toward protecting its voice network such as separating it from the data network and providing some physical security for the phones.
While the city hasn't suffered any security breaches to its VOIP network, Parrish believes his organization might have been lucky, and that the luck won't last forever. "I haven't seen the horror side of it, but I'm not naive enough to think that it won't happen," he says. Jacksonville will evaluate Qovia's anti-spam for VOIP offering when it's released, he says.
There are a few good reasons for not dismissing the potential threats to VOIP out of hand, even before they become widespread realities. First, given how abuses such as viruses, spam and phishing have run rampant on other IP-based communications systems, particularly e-mail, it isn't difficult to imagine similar threats finding their way to VOIP. Second, if these theoretical threats do make their way to the corporate world, they can wreak significant havoc.
Watch your step
"I really don't think people should be deploying VOIP unless they have the necessary security in place," says Bob Gligorea, information security officer with Exchange Bank in Santa Rosa, Calif. The community bank is currently installing new network hardware, including ISS security gear, so it can transition to VOIP next year. "I haven't heard about these abuses actually happening, but think about eavesdropping from a competitive advantage [standpoint], that could be pretty bad."
So what should organizations do about these threats? Earlier this year the U.S. government offered some suggestions. The National Institute for Standards and Technology, a division of the Department of Commerce, in January issued a report evaluating the security of VOIP, pointing out that IT managers should not assume that because their data networks are protected, adding voice to their systems will be secure, as well. "Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VOIP components into their already-secured networks and remain secure," the report states. "However, the process is not that simple."
The report recommends the now-popular refrain to separate voice and data traffic, the use of security products such as firewalls that can detect VOIP's protocols, and avoiding "softphones" that implement VOIP by using a PC and headphones, leaving networks vulnerable to viruses and other malware.
In addition to installing specific products that can weed out suspicious VOIP traffic, companies should consider how their VOIP networks play in their overall security efforts, says Susan Larson, vice president of global threat analysis and research for SurfControl, a Web and e-mail filtering provider. With the growing popularity of applications such as Skype, a free peer-to-peer program that lets PC users make phone calls over the Internet - and therefore establish unprotected connections to the outside world -- companies need to consider what their employees might be downloading. SurfControl's products can block downloads from such sites, as well as trap incoming e-mails with embedded URLs pointing to these sites before they enter an organization, Larson says. " -- Network World (US)