ComputerWeekly.com recently ran an interactive forum asking
whether Windows-based systems were inherently secure. One of the
reader replies suggested that Windows-oriented attacks were so
common just because of the almost ubiquitous nature of
Windows-based products.
He also produced empirical evidence of the growing number of
OpenSource-based attacks being attributable to the fact that such
solutions had simply grown more popular.
The same is now being seen in the voice over IP (VoIP) arena,
especially with market leader Skype. Once regarded as niche
technology, VoIP is firmly established within businesses of all
sorts, especially SMBs, as it offers huge potential savings by
running telecoms and data networks off the same IP based
infrastructure.
The majority of security managers in SMBs will just have to
realise that very soon their company will probably either assess or
deploy a VoIP service, and that hackers were likely to start
targeting VoIP: this is precisely what has happened.
To put the seriousness of this into perspective, let’s look at
some market numbers. A wide variety of surveys have produced a wide
variety of results but by January 2006, analysts predicted that
there were upwards of five million people using Skype at any given
time. The number of downloads of the client software is well past
the 200 million mark.
For some time, Skype has been introducing more enterprise-oriented
services and becoming more relevant to enterprises. Yet there is a
welter of opinion warning users against Skype, slamming it for
offering weak defences against hackers and bypassing corporate
firewalls, for being susceptible to denial of service attacks and
also generally being prone to virus attack.
The attacks on Skype, and VoIP in general, are being led by
Info-Tech, which is calling for businesses to impose an outright ban
on Skype. Senior research analyst Ross Armstrong commented: "The
bottom line is that even a mediocre hacker could take advantage of
a Skype vulnerability. If you are going to use
Skype within the enterprise, manage it as you would any other IT
service: with policy and diligence." Info-Tech added that as Skype
is "undetectable, untraceable and unauditable", the product would
also threaten companies’ ability to satisfy compliance regulations,
as well as opening them up to a legal quagmire.
UK analyst Butler Group has also weighed in, identifying what it
says is Skype’s problem of ‘super nodes’. These occur when lots of
Skype users need a route onto the wider internet from behind the
firewall, and one potential result is that a machine and its
network segment could become deluged with Skype traffic.
More alarmingly, according to research by European business
communications company Viatel, almost half of European IT directors
believe VoIP networks are “inherently insecure”, with the figure
rising to 56% among computing professionals working in the
financial sector. According to the study, DoS attacks and viruses
are viewed by IT directors as the most significant VoIP security
threats (53 percent). The second most significant perceived threat
(25 percent) identified by the survey is eavesdropping - where
those connected to the IP network hack into important calls.
It’s not just the analysts who are reacting to such concerns.
Bulletin boards and blogs are highlighting the view held by a
number of network administrators that Skype bypasses firewalls,
NATs and proxies; that its traffic cannot be isolated; that it is
inherently susceptible by being P2P; and that it is, in one opinion,
“the perfect backdoor” and may even protect zero-day attacks. In
October even Skype itself found a bug in its user client, although
it wasted no time in identifying and fixing the problem, which could
cause Skype to be remotely forced to crash.
Yet before security managers get ready en masse to brandish their
pitchforks and march upon Skype, they should bear a few things in
mind: Skype is here to stay and there are techniques to secure its
use. In spite of its generally gloomy outlook, the Viatel study
concluded that despite continued security concerns firms would not
be put off from adopting converged voice/data technology. In fact,
some two-thirds of IT managers responding to Viatel said they do
not see the perceived security issues as a deterrent: respondents
indicated that they see the cost savings and advanced functionality
of VoIP as a significant enough reason to make the switch and
override their security fears.
Such thinking brought this advice from senior vice president of
business development Roberto Bonanzinga, who suggests adopting a
number of measures: encrypting voice traffic; running it over a
VPN; properly configuring firewalls; and choosing a provider where
you do not have to completely overhaul your firewall configuration.
Bonanzinga also gave a very good summation of what you
should be doing to make all VoIP applications secure.
"When you cut through all the hype, securing voice traffic really
isn't any different from securing data traffic - it's all about
ensuring your IP network is secure," he states.
Your business managers will be thinking the same thing.