• E-mail this page
• |  Print this page
• | 
• | 
• | 

Paint Another Target On Cisco As Enterprise VoIP Grows

Cisco's revelation Wednesday of two security alerts and fixes for CallManager, the software-based call-processing component of its IP communications technology, could have washed waves of despair over the budding voice-over-IP market. That is, if it had been the first whiff of security trouble for VoIP. The ability to launch denial-of-service attacks against VoIP networks, Cisco VoIP networks in particular, is nothing new. The real concern is holding the line against damage inflicted by VoIP attacks as the technology grows into the mainstream.

Cisco CallManager versions with multilevel administration enabled may be vulnerable to privilege escalations, which may result in read-only users gaining administrative access to create, delete, or reset devices. The user-privilege problem, which was discovered by Switzerland's Cnlab AG, affects only CallManager systems that have multilevel administration enabled. CallManager's DOS vulnerability makes some of the company's IP telephony systems susceptible to attacks that interrupt service because of an inability to manage TCP network connections and Windows messages properly and could lead to phones not responding, phones unregistering from the Cisco CallManager, or Cisco CallManager restarting.

CallManager's vulnerability to denial-of-service attacks as well as hacks that would let users increase their system access privileges don't constitute a worst-case scenario. But when you consider Infonetics Research's prediction that spending on VoIP will grow from $1.2 billion in 2004 to $23 billion in 2009, it quickly becomes obvious that even minor security lapses could have a widespread impact on a company's ability to keep the phones up during a major network attack.

Cisco CallManager extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications. Both the DOS and privilege-escalation vulnerabilities, whose patches are available, affect CallManager 3.2 and earlier, as well as certain versions of CallManager 3.3, 4.0, and 4.1.

Cisco's influence in the IP telephony market will only grow. A market share report issued Thursday by Synergy Research Group indicates that Cisco's IP telephony technology over the past year owned about 18% of the office telephone system market with more than 30,000 customers and 7 million phones sold over the six years Cisco has been in the market. This means Cisco's chances to avoid being a major target for security attacks is about as effective as an elephant successfully hiding behind a lamppost.

My colleague Nick Hoover and I set out to understand the implications of Cisco's growing dominance in the IP telephony market, and you can in the January 23 issue read what we discovered.

One source that didn't make it into Monday's story told me that people think that because they've implemented security on their IP network that voice-over-IP is taken care of. Think again, says Frank Dzubeck, president of Communications Network Architects Inc., an industry analysis firm in Washington, D.C. "Security in IT is not enough," he says. "You're going to have to consider security on the protocols that you use in the VoIP environment." Companies must also consider implementing network tunneling and data encryption to protect their VoIP communications.

Nick learned that, despite a lack of widespread attacks, security researchers have seen heavy scrutiny from hackers trying to probe endpoints -- phones and PC-based softphones -- for vulnerabilities. And there's also the possibility that hackers will trick phone users into handing over personal information, not unlike the goal of phishing. But that's not to exaggerate the risk. Symantec's Dave Cole calls the threat of VoIP attacks real, but warns that it shouldn't be overblown. There are many benefits. "Is there a dramatic amount of risk over people using normal phones?" says Cole, director of the company's Security Response program. "I don't think it is."

Sounds like a split decision for now, but keep in mind that any technology that becomes widely deployed also becomes a bigger target to the hacker community. Any plans for VoIP implementation should include a plan for managing worst-case-scenario security issues.

« Lower That Windows Threat Condition Level, Please | Main | Five Ways To Avoid Gaming Addiction »