VoIP security fundamentals, Part 1

How to think about VoIP security

Security requires constant vigilance. Security is all about the protection of resources -- data,
devices, networks, applications and people. While access to these resources is the goal of the
user, securing access to these resources means the administrator of the resources wants to limit,
even prevent, that access. Enterprises already have many security problems with their data network
infrastructure, servers, desktops and software. Adding VoIP and IPT to the mix only compounds the
security problems.

There are several security issues with VoIP networks:

- The VoIP/IPT devices, servers, gateways and phones share the data network and inherit the data
  network's security problems.
- There will be data attacks on voice devices such as Denial of Service (DoS) and malware.
- It is easier to eavesdrop on IP calls than on TDM calls.
- The centralized TDM PBX is gone. The VoIP/IPT resources are scattered around a network.
- The operating systems of the VoIP/IPT devices are less secure than the TDM operating systems of
  the past.
- Systems (PBX) administration can be located at multiple locations and can be accessed by Web
  browsers.

VoIP security vs. voice quality

It may not be apparent, but security tools and solutions will conflict with voice quality. The more
barriers there are in the network and endpoints for security purposes, the more interference there
will be with voice quality.

One of the first issues is the firewall. The firewall can block calls because it cannot process the
signaling or dynamically allocate the UDP ports for the calls to pass through it. Firewalls may not
read the QoS markers in the voice packet, thereby degrading the packet delivery service. Other
issues include:

- Voice packets, when they pass through security devices, can cause added delay, jitter and packet
  loss during the call.
- Intrusion prevention systems perform considerably more processing than a firewall and have been
  proven to cause voice quality degradation.
- Encryption and decryption add delay to the calls.
- VPN connections encrypt the QoS markers. The routers consequently cannot deliver the needed QoS
  for the voice packets.

The security vs. voice quality conflict will be hard to resolve. The voice manager, obviously, does
not want poor-quality calls. If the calls are poor, then why have calls travel over the data
network in the first place? The security manager does not want to open the network and endpoints to
security exposures that will not only compromise the voice services but weaken the data functions
as well. This will require a great deal of negotiation and compromise. Security is important, but
not at the cost of an unacceptable voice service.

Finding vulnerabilities

There are two sites that demonstrate the software security threats to the data functions. These
lists now include VoIP/IPT vulnerabilities. Both lists are funded by the federal Homeland Security
Administration. The first is hosted at Mitre. This site has a dictionary of standardized names and
descriptions for Common Vulnerabilities and Exposures (CVE). The second site hosts the National
Vulnerability Database at the federal National Institute of Standards and Technology (NIST).

The voice staff has not encountered many security problems with traditional TDM PBXs, but voice
staff may not be prepared for the new range of security issues that will become evident as the
enterprise migrates to IPT or VoIP. The VoIP personnel will either have to take on their own
security responsibilities or use the existing security personnel. In either case, the new
responsibilities for VoIP security will require education, possibly some organizational adjustment,
and expanded job descriptions.

NEXT: VoIP security threats dissected
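
The firewall issue described under "VoIP security vs. voice quality" (the media UDP ports are chosen per call inside the signaling, so a fixed rule set cannot know them) is shown below as an added example that is not part of the original article. It assumes SIP signaling with an SDP body, which the article does not name; the function names and the sample message are constructed for illustration.

```python
import ipaddress

# Constructed, abbreviated SIP INVITE; addresses are RFC 5737 documentation ranges.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 0 RTP/AVP 96\r\n"
)

def media_pinholes(sip_message):
    """Return the (ip, udp_port, purpose) flows the signaling announces."""
    _, _, sdp = sip_message.partition("\r\n\r\n")
    session_ip, media = None, []
    for line in sdp.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":  # c=IN IP4 <addr>; ip_address() rejects malformed input
            addr = str(ipaddress.ip_address(value.split()[2]))
            if media:
                media[-1]["ip"] = addr  # media-level override
            else:
                session_ip = addr  # session-level default
        elif kind == "m":  # m=<media> <port> <proto> <formats>
            name, port = value.split()[:2]
            media.append({"name": name, "rtp": int(port.split("/")[0]), "ip": None, "rtcp": None})
        elif kind == "a" and value.startswith("rtcp:") and media:
            media[-1]["rtcp"] = int(value[5:].split()[0])  # explicit RTCP port
    holes = []
    for m in media:
        ip = m["ip"] or session_ip
        if m["rtp"] == 0 or ip is None:
            continue  # port 0 means the stream is declined: open nothing
        rtcp = m["rtcp"] or m["rtp"] + 1  # RTCP defaults to RTP port + 1
        for port, purpose in ((m["rtp"], "rtp"), (rtcp, "rtcp")):
            if not 1 <= port <= 65535:
                raise ValueError(f"invalid media port {port}")
            holes.append((ip, port, f"{m['name']}-{purpose}"))
    return holes

def blocked_by_static_policy(holes, allowed_udp_ports):
    """Flows a fixed-port rule set (no signaling awareness) would drop."""
    return [h for h in holes if h[1] not in allowed_udp_ports]
```

Calling `blocked_by_static_policy(media_pinholes(SAMPLE_INVITE), {5060})` returns both audio flows: a rule set that permits only the signaling port lets the call set up and then drops its media.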