Voicing concerns on Skype

Joe O'Halloran
Monday 09 January 2006 01:00

In autumn 2005, ComputerWeekly.com tried to start an interactive forum asking whether Windows-based systems were inherently secure. One reader reply suggested that Windows-oriented attacks were so common simply because of the almost ubiquitous nature of Windows-based products, and produced empirical evidence of the growing number of open source-based attacks as such solutions grew popular.

The same is now being seen in the voice over IP (VoIP) arena, especially with market leader Skype. Once regarded as niche technology, VoIP is firmly established within businesses of all sorts as offering huge potential savings by running telecoms and data networks off the same IP-based infrastructure.

In September we reported that security managers will just have to realise that very soon their company will probably either assess or deploy a VoIP service and that it was likely that hackers would soon start targeting VoIP: this is precisely what has happened.

To get the seriousness of this into perspective, let’s look at some market numbers. A wide variety of surveys have produced a wide variety of results, but by November 2005 there had been 215 million-plus downloads of the free P2P Skype VoIP client.

Earlier this year, Skype CEO and co-founder Niklas Zennström stated that throughout 2005, the company would introduce more enterprise-oriented services and be more relevant to enterprises. Skype has made good on this promise and has become a hit with business users who obviously saw great attraction in cost saving.

Yet there is a welter of opinion warning users against Skype, slamming it for offering weak defences against hackers and bypassing corporate firewalls, for being susceptible to denial of service attacks and also generally being prone to virus attack.

The attacks on Skype, and VoIP in general, are being led by Info-Tech, which is calling for businesses to impose an outright ban on Skype. Senior research analyst Ross Armstrong commented: “The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability,” says Info-Tech. “If you are going to use Skype within the enterprise, manage it as you would any other IT service: with policy and diligence.” Info-Tech added that as Skype is ‘undetectable, untraceable and unauditable’, the product would also threaten companies’ ability to satisfy compliance regulations, as well as opening them up to a legal quagmire.

UK analyst Butler Group has also weighed in, identifying what it says is Skype’s problem of ‘super nodes’. These occur when lots of Skype users need a route onto the wider internet from behind the firewall, and one potential result is that a machine and its network segment could become deluged with Skype traffic.

More alarmingly, according to research by European business communications company Viatel, almost half of European IT directors believe VoIP networks are “inherently insecure”, with the figure rising to 56% among computing professionals working in the financial sector. According to the study, DoS attacks and viruses are viewed by IT directors as the most significant VoIP security threats (53 percent). The second most significant perceived threat (25 percent) identified by the survey is eavesdropping - where those connected to the IP network hack into important calls.

It’s not just the analysts who are reacting to such concerns. Bulletin boards and blogs are highlighting the view held by a number of network administrators that Skype bypasses firewalls, NATs and proxies; that its traffic cannot be isolated; that it is inherently susceptible by being P2P; and that it is, in one opinion, “the perfect backdoor” and may even protect zero-day attacks. In October even Skype itself found a bug in its user client, although it wasted no time in identifying and fixing the problem, which could cause Skype to be remotely forced to crash.


Yet before security managers get ready en masse to brandish their pitchforks and march upon Skype, they should bear a few things in mind: Skype is here to stay and there are techniques to secure its use. In spite of its generally gloomy outlook, the Viatel study concluded that despite continued security concerns firms would not be put off from adopting converged voice/data technology. In fact, some two-thirds of IT managers responding to Viatel said they do not see the perceived security issues as a deterrent: respondents indicated that they see the cost savings and advanced functionality of VoIP as a significant enough reason to make the switch and override their security fears.

Such thinking brought this advice from senior vice president of business development Roberto Bonanzinga, who suggests adopting a number of measures: encrypting voice traffic; running it over a VPN; properly configuring firewalls; and choosing a provider where you do not have to completely overhaul your firewall configuration.

Bonanzinga also gave a very good summation of what you should be doing to make all VoIP applications secure. "When you cut through all the hype, securing voice traffic really isn't any different from securing data traffic - it's all about ensuring your IP network is secure," he states. Wise words that should be heeded: your business managers will be thinking the same thing.