Alliance Defines VOIP Threats

For all the developments around enterprise voice-over-IP solutions, there has been only scattered interest in the related potential security threats. Now the Voice over IP Security Alliance (VOIPSA) has shone a spotlight on problems that IT managers ought to be concerned about.

VOIPSA was formed in February and one of its first initiatives was to define a set of security and privacy threats facing VOIP. The group released on Monday its VOIP Security Threat Taxonomy, a list of security threats in the VOIP world. The next steps will include releasing a set of best practices to help enterprises and other VOIP users determine whether they have implemented the proper safeguards. The group will also develop testing suites that will allow vendors to test that their products match best practices for equipment.

In the meantime, IT managers are unlikely to rest easier since the group has categorized the threats to VOIP. VOIPSA defined one category as deceptive practices and fraud. For example, it’s possible for attackers to spoof caller ID to look like a call is coming from a specific source or even to mimic the sound of someone’s voice, said Jonathan Zar, secretary and outreach chair for VOIPSA and a senior director at Sonicwall Inc., a company offering security products. Such fraud is possible on the public switched telephone network but it’s much more difficult because the networks are managed end-to-end by operators, he said.

Other threats to VOIP come from attackers who can intercept or monitor calls, which can involve both listening in on calls or tracking who is talking to whom. VOIPSA also identified a variety of types of denial of service ranging from attacks that can essentially tie up the network so it’s unusable to hacks that can prematurely run down the battery on mobile user devices.

“We know some of these things are happening anecdotally,” Zar said. So far, there aren’t good statistics on how often these types of attacks are happening though, he said.

While many IT managers are aware of these issues, many also aren’t quite sure how to address them, Zar said. “I would say the majority of CIOs I talk to want to do more and are concerned about what happens when they start to extend VOIP beyond site to site,” he said. Today, securing VOIP connections between company sites where all the traffic is within a virtual private network can be relatively straightforward but once those connections extend beyond the realm of the enterprise, to include teleworkers for example, or once they begin to include additional services, the security may begin to break down, he said. Many CIOs are aware that such steps may open the door to problems but they aren’t sure how to protect against them, he said. VOIPSA hopes its future release of best practices will help steer IT leaders in the right direction.

Products do exist to help secure most VOIP enterprise usage. IT departments can isolate VOIP traffic and deploy VOIP-enabled firewalls and VOIP-aware intrusion protection tools, Zar said.

Over 100 companies, including 3Com Corp., Alcatel SA, Level 3 Communications Inc., Nokia Corp., Agilent Technologies Inc., Accenture Ltd., Symantec Corp., Nortel Corp. and Juniper Networks Inc., have joined VOIPSA since its formation.

By Nancy Gohring, IDG News Service