You’re familiar with spam — those odious promotional emails that keep clogging your inbox. Now get ready for SPIT, or spam over Internet telephony. SPIT is just one new worry for companies using Voice over Internet Protocol (VoIP).
But clever new acronyms aren’t the biggest VoIP security concern. When traveling over data networks, voice traffic is most susceptible to the usual suspects: viruses, network intrusions, and denial-of-service attacks, which cripple networks with nonsense traffic. In fact, such assaults can be more damaging when leveled at voice traffic.
The good news is that secure VoIP is achievable — especially with hosted VoIP, in which the VoIP service is provided by a qualified outsourcer.
VoIP, which a growing number of enterprises use to route voice traffic over their computer networks, promises a range of benefits. Chief among them are reduced costs, easier management, and new capabilities such as linking caller ID to customer databases.
But along with those advantages comes the specter of new security threats. In a February 2005 poll of online readers by Chief Security Officer magazine, about 43 percent said VoIP isn’t secure enough for enterprise use, 29 percent said it is, and 27 percent were unsure.
“VoIP is no different from any other new technology in that, as it is adopted, security issues emerge that weren’t anticipated,” says David Endler, Director of Security Research for TippingPoint, a division of 3Com, and Chairman of the VoIP Security Alliance, a vendor-neutral consortium.
And security issues are emerging. For example, malicious users can hack into IP phones from remote locations and block or forward calls. Attackers with local access can install a hub between the IP phone and the switch and eavesdrop on calls. Intruders can also insert packets into VoIP traffic, interrupting conversations.
But most VoIP security threats are familiar. Because VoIP routes voiceover IP networks, it’s subject to the same security problems as the rest of your computer infrastructure. “Traditional phone networks are complex and proprietary,” says William Stofega, Research Manager of VoIP Services for IDC. “IP networks are open. So there’s a greater chance that malicious people can break into VoIP.”
What’s more, even a minor interruption can make voice unusable. “In a denial-of-service attack, your voice traffic may become unintelligible or may fail to work altogether,” Endler explains. “And telephone service is mission-critical — especially when you consider issues like customer service calls or emergency calls.”
So even without new threats, VoIP introduces new requirements. “VoIP places a premium on reliability and quality of service,” Endler says. “You may need to upgrade your infrastructure to meet those requirements.”
Solutions to Fill the VoIP
VoIP security solutions are already emerging. Major security vendors have added functionality to their firewalls and intrusion-prevention systems to protect against VoIP-specific threats. Virtual private networks (VPNs) can allow you to encrypt voice traffic and send it over secure “tunnels.” But encrypted voice streams “raise other issues, such as the need to agree on encryption standards and potentially upgrade your processing power,” Stofega says.
Like any security measure, VoIP security is a tradeoff between keeping assets protected and making sure they’re accessible. “If you require users to enter a password every time they use the phone, it will be secure, but it won’t be very usable,” Stofega points out.
Toward that end, the VoIP Security Alliance is developing methodologies for VoIP security practices. In the meantime, organizations such as the International Organization for Standardization offer security guidelines that can be applied to VoIP.
Ultimately, VoIP should be part of an overall security and business-continuity policy. Such a policy should focus on assessing the value of your information assets, determining their vulnerability to security breaches, and investing the appropriate resources to protect them.
Batten Down the Hatches: Hosted VoIP
Security is one reason firms are turning to hosted VoIP. The market for hosted IP voice services in the United States will record compound annual growth rates in excess of 280 percent between 2004 and 2008, according to IDC.
“Hosting companies can leverage the fees of many customers to enhance security,” says Dave Dawson, President of Capital4 Inc., a provider of outsourced voice and data services. “Security tools are expensive, so this is another cost that a customer can bypass by outsourcing their VoIP infrastructure.”
IDC’s Stofega concurs. “Complex security issues you probably want to leave to the experts,” he says. “A qualified provider of VoIP hosting services will have up-to-date security patches and 24/7 monitoring.”
One organization taking advantage of hosted VoIP is the University of Notre Dame. The venerable institution plans to replace its entire 10,000-line centrex phone system with VoIP service hosted by SBC. Voice traffic for the first 250 employees is now routed over the university’s IP network to a VoIP platform in SBC’s network.
“We operate the local-area network and the IP telephones in our buildings. But the rest of the telephony system” — all the hardware and software that supports the services of a traditional PBX system — “resides and is managed at a remote location,” explains Dewitt Latimer, Ph.D., Deputy CIO and Chief Technology Officer for the university.
Latimer concedes that he initially had concerns about VoIP security. “We weren’t as worried about someone hacking into conversations,” he says. “But we were concerned about the denial-of-service attacks frequently experienced on college campuses and the affect they could have on the quality of voice conversations.”
The university has taken security measures such as separating voice and data traffic, which resides on one physical network into two separate “virtual” networks. “That allows us to monitor the [virtual LAN] carrying voice traffic more effectively and look for specific activities without the background noise of a normal data network,” Latimer says.
Just as important, Notre Dame is ensuring VoIP security by outsourcing it. “Hosted VoIP is more secure than doing it in-house,” Latimer believes. “We would have to dedicate a large amount of resources to achieve an equivalent level of security if we were doing it ourselves — demands that would detract from our mission of excellence in teaching and learning.”
Knowing What to Ask
When seeking a hosted VoIP provider, ask about privacy, reliability, and quality of service, Endler advises. Also get assurances that the provider can get you back online quickly should something go wrong. “Hosted VoIP is new, so not all providers will be up-to-speed,” he says.
“Inquire about the VoIP technology that the service provider has architected and demand that it include VoIP security features,” recommends Dawson of Capital4. “The hosting provider should demonstrate the basics, like firewalls, and should describe their use of more advanced security, such as intrusion-prevention systems.”
Notre Dame went even further, requiring that SBC share an audit trail from an independent auditor to prove it was secure. “We were satisfied that they had totally certified their network,” Latimer reports.
Widespread, highly publicized VoIP attacks haven’t occurred yet. But experts believe that as VoIP becomes more popular, the threat will increase. Taking the appropriate security measures — from deploying antivirus software to outsourcing your VoIP service — can ensure that voice over IP delivers on its promise. And that’s nothing to SPIT at.