Suppliers and consultants have reacted to criticism of the security of voice over IP technology by forming a group...
- the VoIP Security Alliance - to address user concerns. Members include 3Com, Alcatel, Avaya, Ernst & Young's Giuliani Advanced Security Center, Qualys, Siemens, Spirent, Symantec, the Sans Institute and TippingPoint. Now experts are warning that the low-cost telecoms technology, based on converged voice and data networks, may not be mature enough to use on the public internet, particularly for communicating with teleworkers and business partners. At last week's Communications Management Association 2005 conference in London, Paul Simmonds, director of global information security at chemical firm ICI, expressed concerns that the protocols used were only viable within a secure intranet. "VoIP is not fit for purpose. Companies need a strong corporate solution that works outside the traditional network perimeter," he said. However, VoIP use has grown rapidly within corporate intranets. High street bank Abbey, for example, has deployed IP telephony using VoIP on secure intranets. But alliance member Gerhard Eschelbeck, chief technology officer at IT security supplier Qualys, highlighted two potential problems for users trying to secure VoIP communications. Many firewalls use a form of network monitoring known as static packet inspection, which is unsuitable for VoIP traffic. "Users need application packet inspection on firewalls," Eschelbeck said. The second vulnerable area within a company network concerns IP-based private branch exchanges used to route voice traffic. Eschelbeck said such appliances ran general-purpose operating systems such as Linux and Windows. "They require regular patching or a denial of service attack could bring down the phone system," he said. Brian Kelly, director of the Giuliani Advanced Security Center at Ernst & Young, said, "Despite the advantages of VoIP, if the technology is not implemented properly and securely, it can circumvent existing security controls and expose our networks." Thomas Roemer, European IP communications manager at VoIP supplier Avaya, said the company had addressed VoIP security concerns by developing a customised version of Red Hat Linux to run its call centre software. He also recommended users run a virtual private network or encryption hardware to secure VoIP over the internet. A report from the US National Institute of Standards and Technology earlier this month warned that the use of encryption hardware could degrade the quality of voice calls. It urged businesses to proceed with caution on VoIP and even suggested running VoIP on a separate network.
Five ways to secure voice over IP networks
- Make sure your network and security infrastructure, including firewalls, intrusion detection systems and virtual private networks are voice-optimised and capable of supporting the advanced security requirements of VoIP.
- Ensure that the base operating system if your PBX as well as network infrastructure are always updated and patched against the latest security vulnerablities.
- Secure the remote access and configuration function available on VoIP devices to eliminate any back doors that could be exploited by attackers.
- Use encryption technologies such as IPSec tunnels to secure traffic.
- Deploy VoIP devices on seperate virtual local area networks to isolate data traffic from voice and signaling traffic.