Among the myriad conference panels at last week's VON show in Boston were a number on the topic of VoIP security. Among the issues tackled were:
- Is VoIP security overhyped?
- What issues need to be addressed?
- How best to address them?
Juniper Networks' vice president of voice technologies, Opher Kahane, and SecureLogix's CTO Mark Collier were among those who sat on VoIP security panels. They recently spoke with VoIPplanet.com about their security observations from the VON panels and the future of VoIP security.
VoIP security challenges
Opher Kahane is no stranger to the world of VoIP security. Kahane was the cofounder of Kagoor Networks, which was acquired by Juniper in March of this year. Kagoor's claim to fame was its session border control (SBC) products.
Kahane noted that one of the issues discussed that seemed to resonate with the audience was the generally shared assumption that the good old TDM (traditional telephone) world is secure from a telecom perspective. TDM telephony is, however, also susceptible to attack. That said, Kahane commented that securing a VoIP-enabled network is clearly more complex than securing TDM, and more complex than securing a regular data network that doesn't need to carry voice traffic.
"As is the case with many security related paradigms, there is always some aspect of hype associated with it in the early phase of the market," Kahane told VoIPplanet.com. "But when reality catches up, it catches up real quick."
"As VoIP becomes more pervasive, the types of threats that will surface will increase both in complexity and breadth of applicability," he added.
Kahane commented that SPIT (Spam over Internet Telephony) is an example of a threat that is, "pretty far out there." In his view, until there is significant penetration of VoIP, no one will really have the motivation to engage in VoIP based spam.
"On the other hand, the notion of how do you secure the periphery of your network, how do you deal with DoS [denial of service] issues? These seem to be more tangible today," Kahane said.
SecureLogix has been selling voice firewalls for over six years and is no stranger to VoIP security. SecureLogix CTO Mark Collier noted that he pointed out to his panel that while VoIP systems are vulnerable, the threat to them is still moderate, because there isn't a lot of VoIP deployed. In his estimation VoIP is pretty much all enterprise- and campus-based, mostly separate from the data VLAN, and based on proprietary protocols. Furthermore, since most VoIP deployments involve only one vendor's systems, this makes for a fair degree of control, and makes it easier to provide security.
["In my session,] I covered the basic vulnerabilities and stated that the threat will increase as we move to SIP (a complex, free-format protocol), start merging the data/voice VLANS (via softphones and other applications), and connect enterprise VoIP islands to public networks via SIP trunking," Collier told VoIPplanet.com. "Enterprises can't control what arrives via SIP trunks and therefore need a SIP firewall/Secure Edge Proxy to detect and mitigate attacks."
Collier thinks that there is a problem with a lack of awareness when it comes to VoIP security, the biggest issue being a lack of familiarity with basic IP security.
"Voice managers have not had to deal with IP security issues for TDM networks," Collier said. "They have heard the terms DoS, virus, worm, man-in-the-middle, etc., but many are not familiar with what they really mean and how they might affect a VoIP system. Voice managers have not had to monitor sites for security vulnerabilities and apply frequent patches."
"Plus, while security is often a hot topic in the media and at conferences, deployment of VoIP security technologies is still uncommon," Collier added. "I think enterprises are still waiting for some significant, well-known attacks to take place before they respond."
Juniper's Kahane didn't entirely share Collier's view of the awareness issue.
"I think that people are aware of security to a certain extent, and that has been a driver for sales of session border control products into the market," Kahane said. "On the other hand I'm not sure the awareness level is where it should be."
Kahane cited the example of IP phones as one where a lot of people don't see the inherent risks. In Kahane's estimation, hardware IP phones are in many respects just as susceptible to malware as other networked endpoints.
"For the first time in the telecom world, phones, which are endpoints, are also susceptible to attack from either the outside or the inside," Kahane said.
One security appliance or many?
A recent report from research firm In-Stat indicates that concerns over VoIP security are fueling sales of security appliances. Some have argued that as the market matures, the need for standalone VoIP security products will diminish as features are integrated into all-in-one security appliances.
SecureLogix's Collier doesn't agree.
"Application security for critical IP-based services is generally implemented in separate products, such as e-mail content filtering and web server security," Collier said. "While these functions may be combined into one product for a consumer or small site, separate solutions are generally used for large enterprise sites. Some consolidation may occur, but you can't expect to see VoIP-specific firewalls/proxies for at least five years."
Juniper's Kahane, on the other hand, does foresee integration taking place.
"Long term, I think you will see a lot of the functions merged into general purpose security devices, be they firewalls or other elements," Kahane said. "In some cases, though, you will find the independent application security functions still manifest themselves in the form of a standalone device every now and then."
Architectural issues may also militate against the integration of VoIP security into all-in-one devices. Kahane explained that depending on network topology there may be situations where various functions are better architected as separate solutions, as opposed to being integrated into one package.
VoIP security shouldn't be an afterthought
There is a close relationship between VoIP quality of service and security, in Kahane's view. He mentioned Call Admission Control as one such feature that could be perceived as either a security or a quality of service feature. With Call Admission Control, if the system can only handle ten calls, the eleventh call is blocked, whether it was part of a DoS attack or a legitimate call that, if handled, would degrade overall quality of service.
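To make the two mechanisms discussed above concrete, here is an added toy example (not code from VoIPplanet.com, Juniper, Kagoor or SecureLogix) of the ingress path of a SIP edge proxy of the kind Collier describes for SIP trunks, finishing with the Call Admission Control cap Kahane uses as his illustration. It does three things to each message arriving from a trunk: rejects requests that are not well-formed SIP (missing mandatory headers, oversized header lines, a Content-Length that does not match the body), throttles INVITE floods from a single source, and then enforces a global cap of ten concurrent calls so that the eleventh call is refused regardless of who sent it. The per-source flood limit goes beyond the article's text and is included to show where a security check and a quality-of-service check sit relative to each other; the thresholds, addresses and response strings are assumptions chosen for the example, and the SIP messages are constructed inline.

```python
"""Toy SIP edge-proxy admission pipeline (added example, not vendor code).

Order of checks: syntactic sanity -> per-source INVITE rate limit (DoS)
-> global Call Admission Control cap (QoS). Thresholds are assumed values.
"""
import re
from collections import defaultdict, deque

MAX_CONCURRENT_CALLS = 10           # the "ten calls" cap from the article
MAX_INVITES_PER_SOURCE_PER_SEC = 5  # assumed per-source flood threshold
MAX_HEADER_LINE = 1024              # assumed limit on a single header line

REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def parse_sip(raw: str):
    """Minimal SIP request parser; raises ValueError on anything suspicious."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE:
            raise ValueError("oversized header line")
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.setdefault(name.strip().lower(), value.strip())
    for required in REQUIRED_HEADERS:
        if required not in headers:
            raise ValueError(f"missing header {required}")
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode()):
        raise ValueError("content-length mismatch")
    return match.group(1), headers


class EdgeProxy:
    def __init__(self):
        self.active = {}                   # call-id -> originating source
        self.invites = defaultdict(deque)  # source -> INVITE timestamps

    def admit(self, src: str, raw: str, now: float) -> str:
        """Return the SIP status the proxy would send back for this message."""
        try:
            method, hdrs = parse_sip(raw)
        except ValueError as err:
            return f"400 Bad Request ({err})"
        call_id = hdrs["call-id"]
        if method == "BYE":                # call torn down: free its slot
            self.active.pop(call_id, None)
            return "200 OK"
        if method != "INVITE":
            return "405 Method Not Allowed"
        # Security check: sliding one-second window of INVITEs per source.
        window = self.invites[src]
        while window and now - window[0] >= 1.0:
            window.popleft()
        window.append(now)
        if len(window) > MAX_INVITES_PER_SOURCE_PER_SEC:
            return "503 Service Unavailable (source rate limit)"
        # QoS check: global CAC; the eleventh call is refused whoever sent it.
        if call_id not in self.active and len(self.active) >= MAX_CONCURRENT_CALLS:
            return "503 Service Unavailable (call admission control)"
        self.active[call_id] = src
        return "100 Trying"


def sip_request(method: str, call_id: str, src: str) -> str:
    """Build a constructed, well-formed SIP request for the example."""
    return (f"{method} sip:bob@example.invalid SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src};branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:alice@{src}>;tag=1\r\n"
            "To: <sip:bob@example.invalid>\r\n"
            f"Call-ID: {call_id}@{src}\r\n"
            f"CSeq: 1 {method}\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def demo():
    """Twelve distinct callers: the first ten are admitted, then CAC bites."""
    proxy = EdgeProxy()
    return [proxy.admit(f"198.51.100.{i}", sip_request("INVITE", f"c{i}", f"198.51.100.{i}"), float(i))
            for i in range(1, 13)]


if __name__ == "__main__":
    for n, status in enumerate(demo(), 1):
        print(f"call {n:2d}: {status}")
```

The ordering matters: the rate limit runs before the CAC cap so that a flood from one trunk peer is rejected on its own merits and does not consume the shared call budget that legitimate callers are competing for. A real SBC or SIP firewall would add far more (transaction state, authentication, media pinholes), but the split between "who is sending too much" and "is there room for one more call" is the same one Kahane draws.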
"One cannot look at security for voice-related services and applications as a totally separate issue," Kahane said. "It needs to be a design consideration of network infrastructure from firewall to routing to session border controllers, an end to end approach that takes into account security and quality assurance."