Arming Against The Worst VoIP Dangers - InformationWeek

Best-practice tactics include consistent security policies and VoIP-specific tools and hardware.

If the Voice over IP Security Alliance (VOIPSA) proves anything, it's that voice over IP (VoIP) security is something that a whole lot of people take very seriously. "The reason why our membership has mushroomed is that the industry as a whole is saying 'we're concerned,'" VOIPSA secretary and SonicWall senior director Jonathan Zar says. "The carriers are saying 'we're ultimately responsible for integrating all of these products and we know there are problems.'"

Many of VoIP's security vulnerabilities are nothing new; they are simply the consequence of routing voice traffic over IP networks. Traditional telephony has been spared the kind of denial of service (DoS) attacks and worms that have bedeviled the Internet since Robert Tappan Morris set the first worm loose in 1988. However, the transport medium changes everything, even if VoIP lets users make and receive telephone calls with the same ease as with traditional phone service.

"You have to consider the underlying infrastructure," Infonetics directing analyst for enterprise voice and data Matthias Machowinski says. "If worms and viruses bog down your network, it's a data security issue, of course, but that's also going to affect voice quality and reliability."

In fact, real-time traffic like voice is particularly susceptible to any attacks on the IP network carrying it. Few users, Machowinski notes, will notice a network hiccup when they're downloading an e-mail attachment, but the same minute delay could play havoc with voice data. The bottom line is that VoIP security is only as good as the overall security of the network it's on, but even that's just a starting point.

"VoIP inherits every one of the denial of service vulnerabilities that you have on the net," Zar says. "It's also vulnerable to DoS attacks that are protocol-aware."

With that in mind, the first step to ensuring VoIP security is to plug the holes in the network. "It's important to look holistically at security," Machowinski says. "It has to be an overall strategy for data as well as voice."

Nevertheless, VoIP's vulnerabilities don't end with the IP network. Zar says that there are a number of security risks specific to IP telephony that VOIPSA has categorized, catalogued and presented in a thorough taxonomy. A good number of these relate specifically to the perils inherent in moving voice traffic from the closed circuits of the public switched telephone network (PSTN) to the wide-open Internet.

Traditional telephone calls aren't usually encrypted, primarily because they don't have to be. They're carried end-to-end on a managed network subject to rigorous regulation and controls. In theory at least, tapping a traditional phone requires some kind of physical intervention.

"Internet phone traffic isn't protected like that," he says. "The IP protocols were never really intended to be attack resistant, but there's also the question of privacy."

Unencrypted voice packets can be intercepted. Neither Zar nor Machowinski thinks that packet interception is a widespread problem -- yet -- but it will probably become more common as VoIP goes increasingly mainstream. And it's not technically difficult, Zar says. "You have to know the art, but it's not a black art," he says. "As with viruses, there are two groups of people who are interested in these things. There are those who like to develop the tools to do it, and the less sophisticated people who use the tools."

Few users regularly encrypt their e-mail, gambling that, with the number of packets flying around the Internet, interception is unlikely, so why encrypt voice calls? "Yes, it's a needle in a haystack," Zar says. "But not all haystacks are the same."
