
Keeping the VoIP house in order

The emergence of Voice over IP as an affordable alternative to traditional telephony has ushered in a new wave of network security considerations. Jonathan Zar outlines the key issues.

The European Union is at the forefront of VoIP adoption. If we look at how new E1 line deployments in Europe are being set up, we see that fewer and fewer are being configured for TDM while more and more are being configured for IP. The ratios of IP to TDM are predicted to rise from 3:5 to parity within two years.

This is largely because organisations adopting voice, video and multimedia over IP stand to reap huge benefits in productivity and cost savings. The dark cloud on the horizon is that, without precautions, these very technologies put the whole corporate infrastructure at risk.  To a large extent, global industry has embraced the need for data network security, but we are only on the threshold of understanding the potential problems of the unprotected VoIP network – such as the phone mailbox jammed with unsolicited ‘special offers’, unauthorised eavesdropping, or losing voice communications because your network has run out of bandwidth.

VoIP security concerns apply beyond VoIP-enabled organisations. Corporate officers, especially those with an eye to compliance or in highly data-sensitive areas such as finance, are increasingly placing a premium on doing business with organisations that can demonstrate that both their data and Voice over IP communications are unlikely to propagate digital threats. Some of the most critical issues to consider when moving from a traditional telephone service to a VoIP network are quality of service, denial of service attacks, and endpoint security.

Without a firewall, companies have no network security and the endpoints, which need a public IP address in order to function, become accessible to anyone. Alternative solutions such as traversal technology, which allows VoIP traffic to bypass the firewall, or session border controllers, have inherent limitations. Most networks already have a firewall protecting the LAN as well as connecting remote sites and users through secure VPN technology, and firewalls are therefore the most popular choice when adding facilities for VoIP security. However, many firewalls aren’t fully VoIP-compliant. Therefore, for any successful VoIP implementation, three key factors must be considered: security, network interoperability and protocol support, and vendor interoperability.

VoIP encompasses a large number of complex standards that leave the door open to bugs in the software implementation. With PSTN, phones are just dumb terminals – all the logic and intelligence resides centrally in the private branch exchange (PBX) and there’s not a lot an attacker can do to disrupt access to a PSTN network. With VoIP, the same bugs and exploits that hamper every operating system and application available today can also hit VoIP equipment.

Without proper safeguards, VoIP calls are also vulnerable; an attacker can intercept a VoIP call and modify its parameters/addresses. This opens up the call to spoofing, identity theft, call redirection, and other attacks. Even without modifying VoIP packets, attackers can eavesdrop on conversations carried over a VoIP network. With a standard public switched telephone network (PSTN) connection, intercepting conversations requires physical access to phone lines or access to the PBX.

PSTN availability has reached 99.999 percent – attackers need physical access to telephone exchanges or have to cut the phone lines to have any impact. A simple denial of service attack aimed at key points of an unprotected VoIP network can disrupt or, worse, cripple voice and data communications.

There is also the problem of interoperability and protocol support when integrating VoIP into an existing network security infrastructure. Because of the complexities of VoIP signalling and protocols, it’s difficult for VoIP to traverse many types of firewall. Firewalls need to process the signalling protocol suites that consist of the different message formats used by different VoIP systems. Just because two vendors use the same protocol suite doesn’t mean they interoperate.
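Why a firewall has to process the signalling, shown as an added example that is not part of the original article and goes beyond its text: in SIP, one of the protocols the article names, the media address and ports are negotiated inside the SDP body of the signalling message, so a port-only filter cannot know which RTP/RTCP flows to admit. The sample INVITE is constructed, and `media_pinholes`, `needs_rewrite` and the field names are hypothetical.

```python
import ipaddress

# Constructed sample: a SIP INVITE whose SDP body says where media should be sent.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.2.3\r\n"          # session-level media address
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.10\r\n"        # media-level override for video only
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def needs_rewrite(addr):
    """True when the advertised media address is RFC 1918 space the far end cannot reach."""
    try:
        ip = ipaddress.ip_address(addr)
    except (TypeError, ValueError):  # hostname in c=, or no c= line at all
        return False
    return any(ip in net for net in RFC1918)

def media_pinholes(message):
    """Return the media flows a signalling-aware firewall would have to admit for this message."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        return []                    # no SDP body, nothing negotiated
    session_addr, streams = None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":              # c=<nettype> <addrtype> <address>[/ttl]
            addr = value.split()[2].split("/")[0]
            if streams:
                streams[-1]["ip"] = addr
            else:
                session_addr = addr
        elif kind == "m":            # m=<media> <port>[/count] <proto> <formats>
            media, port, _proto = value.split()[:3]
            streams.append({"media": media, "ip": session_addr, "rtp_port": int(port.split("/")[0])})
    for s in streams:
        s["rtcp_port"] = s["rtp_port"] + 1   # default when no a=rtcp attribute is present
        s["needs_rewrite"] = needs_rewrite(s["ip"])
    return streams
```
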

The last element in a secure VoIP infrastructure is ensuring that the firewall will interoperate with all of the VoIP devices used in the infrastructure.  A partial list of devices includes IP phones, videophones, videoconferencing equipment, SIP proxies and H.323 gatekeepers. It’s largely up to the security appliance vendors to ensure they interoperate with VoIP infrastructure devices. 

However, VoIP is a market where, until recently, you could buy interoperability without security or buy security without interoperability. Clearly this is not an acceptable choice and it’s one of the driving factors behind the rapid growth of the Voice over IP Security Alliance (VOIPSA). VOIPSA is a worldwide organisation founded to help create global standards for VoIP technology, bringing together a worldwide network of global carriers, equipment providers, software and service companies, academics and policy experts, all working to ensure that the adoption of VoIP does not draw a train of network vulnerabilities and digital threats in its wake.

For anyone managing a distributed operation (and that can be in any vertical, for example retail, wholesale, manufacturing, government or simply branch offices), it makes sense to consider IP for voice and video as the best means of linking their sites, as long as these elements are factored into the planning stages. These need to be secured with firewalls at headquarters and branch, linked with either VPN or SSL tunnels, while the tunnels themselves must be capable of remote management to ensure quality of service. The wins are cost savings, convenience and the ability to integrate new voice and data features on an ongoing basis.

For a VoIP installation in a large facility, technology managers are looking to isolate traffic internally by department or function, so that sensitive data, including voice traffic, moves as isolated streams. In a hospital or a hotel, for example, they really want to make sure that administrative, financial, operations and guest data are all isolated from each other, and in some cases, from room to room, as well as being secured from external network threats. Managers are looking for ease of management in administering and securing the voice network, or VLAN, along with the flexibility to isolate, filter and manage the content that flows within their networks. The goal of VOIPSA is to take the guesswork out of such decisions.

Jonathan Zar is secretary to the Voice over IP Security Alliance and senior director at SonicWALL Inc.

SonicWALL is exhibiting at Infosecurity Europe 2006, which is Europe's number one information security event. Now in its 11th year, Infosecurity Europe continues to provide a free education programme, new products and services, over 300 exhibitors and 10,000 visitors from every segment of the industry. Infosecurity Europe 2006 will be held on the 25th – 27th April 2006 in the Grand Hall, Olympia. www.infosec.co.uk

Date: 17th March 2006 • Region: World • Type: Article • Topic: ITC / Telecoms cont.

Copyright 2008 Portal Publishing Ltd