This year, many companies that have piloted VoIP on internal networks are expected to extend IP telephony to customers, suppliers and the public.
"As businesses have pure IP voice connections going out, there will be many more security problems," said Matthias Machowinski, enterprise voice and data directing analyst at Campbell, Calif.-based Infonetics Research. He said he envisions such bad scenes as spam that makes IP phones ring constantly, e-mail viruses shutting down VoIP systems entirely, and spoofs inundating the displays of IP phones.
IP-based voice networks require new VoIP security strategies and pose cultural issues not faced when protecting data networks.
Until now, VOIP has largely been implemented inside organizations on internal networks protected by IP security policies and tools, safe inside virtual private networks (VPNs).
IT, phone home
Traditional data network security and monitoring practices won't gain user acceptance, either. "We expect our enterprise systems to monitor and block e-mail, but we expect everyone to be able to call us on the telephone," Graydon said.
People accept that e-mails, files or packets may be delayed a few seconds by security scans. With phone calls, people won't tolerate delays, said Steve Mank, chief operating officer at Qovia Inc., a Frederick, Md., VoIP management systems vendor.
Users will also rebel against VoIP if downtime occurs. "We have different expectations for e-mail versus phones," Machowinski said. "We understand that the Internet may go out sometimes, or our e-mail server may not be accessible. Our phones, we expect to work all the time."
The challenge for administrators is to deliver VoIP security models that don't interfere with the ways people use phones. "Otherwise, they won't use it," Graydon said.
Peeling the VoIP security onion
A first line of defense for IP voice networks is a Session Initiation Protocol (SIP)-enabled firewall working in conjunction with existing firewalls. "A SIP perimeter device can provide full application-layer security with authentication and protection against transport and protocol attacks," Graydon said.
More defenses are needed to protect other layers of the VoIP stack, which include physical devices, applications and session/transport technologies. Here's Mank's list of each layer's vulnerabilities and protection needs:
Physical devices: This layer includes phones, servers and gateways, which are vulnerable to spoofing and rogue device attacks. Protective measures include asset tracking, which is needed to make sure all phones are accounted for and unauthorized phones aren't added, and controlling physical access to phones.
"Be sure you can discriminate between valid and rogue phones," Mank said. "Make sure that all your voice traffic is on a separate VLAN from your data traffic. Make sure there is nothing but phones on the endpoints."
Application semantics: The application semantics layer handles registration, call management, conferencing, voice mail, user identity, contacts list and more. Threats at the application layer include spam, viruses, hijacking, eavesdropping, toll fraud, application-specific denial of service and spoofing, and identity theft.
This is a tricky layer to protect, because so many different applications are involved. Generally speaking, an obvious indicator of trouble is increased call volume.
"Voice traffic patterns become very predictable over time," Mank said. "If you spot a sudden anomalous spike in traffic, it's a good bet that someone is doing something you don't want them to."
Other protective measures for the application semantics layer include tracking gateway usage and active call testing, checking for odd entry activity or changes in system availability and performance.
Session and transport: This layer of VOIP includes protocols such as SIP, CCP (Cisco Discovery Protocol), Media Gateway Control Protocol, Real-time Transport Protocol, Signalling Connection Control Part, AVVID XML Layer, Secure Real-time Transport Protocol (SRTP), and Transport Layer Security (TLS).
They are vulnerable to protocol-specific denial-of-service and spoofing attacks. Security can be addressed through use of emerging standards, like SRTP, which encrypts endpoint-to-endpoint access spots; TLS, which encrypts call manager to call manager, and Secure Sockets Layer, which encrypts communications between call managers and gateways.
In general, Mank believes that most firewall-based security solutions impose a variable latency on traffic when scanning for content patterns. This can have a significant impact on your call quality.
Plan well, or pay later
With voice, as with data networks, security is only as good as your plan and policies. Build the VoIP policies on the foundation of the strong security policies you've created for the existing data network.
"With comprehensive and enforced security policies in place, VoIP systems can be deployed with the same piece of mind as e-mail," Graydon said.
Maxine Kincora is a technology writer in Berkeley, Calif. She can be reached at email@example.com.