Wanna be clued in on a little secret? VoIP security isn't all that
difficult after all.
Actually, a lot of the necessary tools and tricks to lock down
and secure a voice network are there already; they just have to be
used correctly.
"It's not an add-on," Kevin Flynn, senior manager of unified
communications for Cisco, said about VoIP security. "It's built
into the network already or in the VoIP products themselves."
According to Flynn, pretty much every facet of VoIP security
should already be part of the data network, so applying those
measures to VoIP should be a breeze.
"These are things a company ought to be doing anyway," he said.
"They ought to be doing antivirus in the network, access control
and IDS. It's stuff they already own."
Yankee Group vice president Zeus Kerravala agreed. He said some
of the biggest security issues affecting VoIP now are not
necessarily VoIP specific, but broader networking issues. He said
many more voice-specific concerns stem from vendor hype than from
actual issues.
"You can take care of a lot of [VoIP security issues] with QoS
and by minimizing the amount of malicious traffic on the network,"
Kerravala said. "But you should be doing that already anyway."
Flynn said many enterprises that are new to the VoIP arena fall
prey to some myths and misconceptions when they begin thinking
about VoIP security. And though a lot of it is hype, he said,
security and security best practices are still an important part of
a VoIP deployment. He noted, however, that companies need to
"respect security, not be afraid of it."
One common fear, according to Flynn, is that putting voice
traffic over the data network will expose the voice system to the
security problems that can often plague the network. A secure
infrastructure, he said, allows for a secure VoIP infrastructure as
well.
"What they should do is protect the infrastructure itself," he
said. "You can't have a secure voice system over an insecure data
infrastructure. If they put VoIP traffic on the data network, data
problems are going to affect VoIP traffic – you have to segment.
Your biggest problem is going to be bad stuff on the data network
getting into the voice network."
Another key, Flynn said, is segmentation. Separate voice and
data traffic. "Separation is next to godliness," he said. VoIP
security 101 is segmenting traffic into VLANs. One way is to block
PC port access to the voice VLAN.
A secure VoIP deployment starts with protection at four levels: the
infrastructure, call management, endpoints and applications. The
systems need to be designed so that they can be managed and
understood as a whole.
"Look at all four levels," Flynn said. "Look at what's there
already. Separate the traffic, architect it appropriately and
protect the infrastructure. If you miss one, the bad guys will find
your weakness."
And the bad guys will be out there. According to a recent report
from the SANS Institute, VoIP systems will be among the most
popular targets for security attacks come 2007. Mary Allan, telecom
technology manager at a Fortune 500 company, said she knows that
VoIP security is necessary, but added that her organization has yet
to develop a watertight VoIP security plan. Allan admits that her
company has its share of VoIP-related security concerns, but it has
yet to delve deeply into them.
Nevertheless, she said, her company is taking some measures to
ensure VoIP safety.
"Our primary concern is keeping the hardware away from the
Internet as much as possible," Allan said. "We do that by assigning
private subnets and managing devices -- antivirus, security --
internally.
"Having said that, we also have a lot of work to do, especially
with IP endpoints and extended topologies," she continued. "I would
advise any company to make [VoIP] security one of [its] leading
initiatives when considering an IP [telephony] solution, rather
than making it an afterthought -- or worse, a reactive measurement
taken when there's been a breach."
Additional concerns, Allan said, come from the difference in
hardware when a company switches from TDM to an IP telephony
world.
"In the traditional world, TDM systems were really secure from a
hardware perspective, and our biggest risk was toll fraud," she
said. "In the IPT world, the boxes have needs -- i.e., patching --
that voice people haven't faced before. That puts us at a distinct
disadvantage for managing the hardware, and we have to rely on
other groups in the company to help us -- either by training or
actual management. That presents a whole set of issues regarding
control, standards, compliance by the vendor to corporate
standards, and testing patches before deploying -- just to name a
few."
Although Allan's Fortune 500 company has yet to institute any
formal VoIP security policies or best practices, it has strong
security policies in place for the existing network, she said. The
company is piggy-backing on that until the IP telephony
architecture is more widely deployed, at which time it'll include a
standard specific to voice.
Still, Allan recommends that companies get VoIP security on
their radar screens now. She said many companies are unaware of the
threats that can be introduced through IP endpoints and need to
safeguard the voice network now, before it's too late.
"I think it's too far down the list of considerations, based on
the fact that most people wouldn't care if their phone was tapped
into," she said. "The lack of understanding related to how IP
endpoints can become another point of entry for a virus or worm
contributes to that. Taking a pessimistic approach, the assumption
is that hackers are already working hard on how to use IPT to get
inside a network. Security in general for telecommunications has
always seemed to be an afterthought, but we're now part of a much
bigger community with more at stake."
Allan said she would advise telecom and voice teams to meet with
folks on the security side to develop a VoIP security action plan.
VoIP security differs from standard network security, she said, so
a new set of best practices may be needed. Flynn agreed, advising
companies to take into account the knowledge and expertise of all
of IT, including voice operations, the networking group, the
security team and the folks on the business side.
"The security team needs to know what we're doing and needs to
understand how VoIP is a different beast on the same pipe to make
the best decisions on what to do," Allan said. "I don't know that
the standard security best practices are all a 100% fit into VoIP,
and that's a challenge for me personally to work on."