Commentary
UC Security
It's become conventional wisdom in the VoIP/IP telephony/UC security space that the major vulnerability for voice-over-IP traffic today remains the simple fact that it runs on IP infrastructures that may be the targets of attacks that have been plaguing data networks for years. In other words, all those exotic types of attacks with names like SPIT (spam over IP telephony); VOMIT (voice over misconfigured IP telephony); or eavesdropping via packet capture -- these have not yet materialized to any significant degree. But there is plenty of reason to stay vigilant when it comes to VoIP/UC security.It's become conventional wisdom in the VoIP/IP telephony/UC security space that the major vulnerability for voice-over-IP traffic today remains the simple fact that it runs on IP infrastructures that may be the targets of attacks that have been plaguing data networks for years. In other words, all those exotic types of attacks with names like SPIT (spam over IP telephony); VOMIT (voice over misconfigured IP telephony); or eavesdropping via packet capture -- these have not yet materialized to any significant degree. But there is plenty of reason to stay vigilant when it comes to VoIP/UC security.I'll break the types of threat down into three categories:
1.) New types of attacks unique to voice, along with voice-oriented versions of traditional attacks -- These include eavesdropping by capturing packets, or SPIT, which would consist of overwhelming an IP telephony line with voice messages, comparable with overwhelming an e-mail box with spam. As I noted above, these aren't really being considered a top threat today.
More Telecom Insights
White Papers
- Mobile BI: Actionable Intelligence for the Agile Enterprise
- The BlackBerry PlayBook tablet's Good Bones - by BlackBerry
Reports
More >>Webcasts
- Maximize ROI with Database Consolidation onto Private Clouds
- Effective IT Inventory and Asset Management: From Quagmire to Quick Fix
2.) Voice traffic as collateral damage in an IP network attack -- This is the second type of attack I described above, where an attack on a router brings down the entire IP network, let's say. Since the voice is riding on that network, it suffers the same fate as all the other traffic on the network.
3.) Traditional types of attacks aimed at VoIP/IP telephony systems -- This is yet another threat that hasn't materialized to a great extent in the wild yet, but probably ought to be taken more seriously as a near-term danger than category #1 above. This is, for example, when vulnerabilities to packet flooding and other types of DoS exploits are found within IP telephony gear such as IP-PBXs and related servers. A relatively new security company called VoIPShield has been making news by discovering these types of vulnerabilities in the most popular IP telephony systems, namely those from Avaya, Cisco, and Nortel.
I recently moderated a VoiceCon Webinar (replay here) in which Ted Ritter of Nemertes Research discussed some survey data Nemertes had gathered on the issue of security. Ted reported that:
That's in today's environment. Ted Ritter, who's a CISSP, explained in the Webinar that the security threat will become more amorphous as enterprises migrate their IP telephony infrastructure to a Unified Communications implementation. As voice enablement moves into traditional "data" applications, the lines will blur and the notion of a security "perimeter" will further dissolve.
Ted noted that many of the most important characteristics of UC -- openness, integration -- work against the technologies and principles of security, such as confidentiality. Specifically:
Related Reading
 |
To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. |
|
T-Shirt Giveaway: Each week we're selecting one great comment from our readers. The author of the comment will receive an InformaitonWeek Community t-shirt. So get posting! |
Subscribe to RSSResource Links
This Week's Issue
Technology Whitepapers
- Mobile BI: Actionable Intelligence for the Agile Enterprise
- Creating the Enterprise-Class Tablet Environment - by Yankee Group
- How To Regain IT Control In An Increasingly Mobile World - by BlackBerry
- The BlackBerry PlayBook tablet's Good Bones - by BlackBerry
- New Visual and Wizard-Driven Paradigms for Exploring Data and Developing Analytic Workflows
IBM collaboration software for Android devices
IBM Lotus applications for Android devices provide mobile workers with a smooth transition from the desktop to the smartphone, helping give them the full benefit of Web 2.0 capabilities on the Android platform - with the enterprise security features the business needs to help keep critical information safe.
