InformationWeek
Business Innovation Powered By Technology
Powered by InformationWeek Business Technology Network
Topics:
Unified Communications
UC Security
It's become conventional wisdom in the VoIP/IP telephony/UC security space that the major vulnerability for voice-over-IP traffic today remains the simple fact that it runs on IP infrastructures that may be the targets of attacks that have been plaguing data networks for years. In other words, all those exotic types of attacks with names like SPIT (spam over IP telephony); VOMIT (voice over misconfigured IP telephony); or eavesdropping via packet capture -- these have not yet materialized to any significant degree. But there is plenty of reason to stay vigilant when it comes to VoIP/UC security. I'll break the types of threat down into three categories: 1.) New types of attacks unique to voice, along with voice-oriented versions of traditional attacks -- These include eavesdropping by capturing packets, or SPIT, which would consist of overwhelming an IP telephony line with voice messages, comparable with overwhelming an e-mail box with spam. As I noted above, these aren't really being considered a top threat today. 2.) Voice traffic as collateral damage in an IP network attack -- This is the second type of attack I described above, where an attack on a router brings down the entire IP network, let's say. Since the voice is riding on that network, it suffers the same fate as all the other traffic on the network. 3.) Traditional types of attacks aimed at VoIP/IP telephony systems -- This is yet another threat that hasn't materialized to a great extent in the wild yet, but probably ought to be taken more seriously as a near-term danger than category #1 above. This is, for example, when vulnerabilities to packet flooding and other types of DoS exploits are found within IP telephony gear such as IP-PBXs and related servers. A relatively new security company called VoIPShield has been making news by discovering these types of vulnerabilities in the most popular IP telephony systems, namely those from Avaya, Cisco, and Nortel. I recently moderated a VoiceCon Webinar (replay here) in which Ted Ritter of Nemertes Research discussed some survey data Nemertes had gathered on the issue of security. Ted reported that: That's in today's environment. Ted Ritter, who's a CISSP, explained in the Webinar that the security threat will become more amorphous as enterprises migrate their IP telephony infrastructure to a Unified Communications implementation. As voice enablement moves into traditional "data" applications, the lines will blur and the notion of a security "perimeter" will further dissolve. Ted noted that many of the most important characteristics of UC -- openness, integration -- work against the technologies and principles of security, such as confidentiality. Specifically: « Second Life Artist Faces Setback in Struggle For American Citizenship | Main | Google Hears Your Complaints, Revamps Mobile Services Web Site » |
| Sign up now for the weekly InformationWeek Blog Newsletter. |
This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.
Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.
Important Note: This comment area is NOT intended for commercial messages or solicitations of business.
