It is a simple truth that any new technology tends to develop faster in terms of performance and functionality than it does in terms of security.
Good examples are Wi-Fi, mobile phones (problems of phone cloning with original analogue systems), widespread use of the internet and voice over IP (VoIP).
In all these cases, as security technologies catch up through improved encryption and authentication mechanisms, digital mobile phones, firewalls and intrusion detection systems, new security vulnerabilities appear.
This is simply an inevitable function of the drive away from restrictive, closed, proprietary architectures towards flexible, distributed and open architectures. The more we increase the reach and availability of our technology, the more we do so for the attackers.
A balance between convenient, flexible access and the degree of risk from external attack has to be reached, and that balance point is potentially different for every organisation.
VoIP is no exception, but the outlook at the moment seems to be doom and gloom. For example, in January, the US National Institute of Standards and Technology (Nist) published a report titled Security Considerations for VoIP Systems. Also in response to VoIP security fears, the Voice Over IP Security Alliance (VoIPSA) has been formed.
According to the information on its website, VoIPSA has been formed to help suppliers stay one jump ahead of the bad guys in VoIP security by proactive testing. A noble sentiment, but one that is difficult to comment on with authority until the various projects firm up. I would like to see more academic institutions involved.
Although there are issues to be addressed in VoIP security, the publication of the Nist report and the formation of VoIPSA are clear indications that VoIP is a mainstream technology. The Nist report should be required reading for any organisation considering the adoption of VoIP.
One of the most fundamental points made by the report is that VoIP traffic is carried inside IP packets like 'normal' data. It raises the question, 'Surely my existing data network can carry it and I can use the same tools to manage it? After all, my kids can use a free internet telephony tool called Skype, so it cannot be very complicated, can it?'
Unfortunately, these statements are both true and false. Any modern switched Ethernet Lan will carry VoIP traffic under very low load conditions, and yes, Skype is easy to use and seems to work well most of the time.
However, in both of these cases there is no guarantee things will carry on working in less than ideal conditions. There is little or no applied quality of service, so when the network starts to get busy, voice and data traffic suffer equally. Voice traffic is much more susceptible to packet delay, jitter and so on, and can break down very quickly under 'best effort' conditions without sophisticated quality of service mechanisms to protect it.
The Nist report said the establishment of security mechanisms can cause a marked deterioration in quality of service through additional packet delays. Although this is true to an extent, Moore's Law - which states that processing power doubles every 18 months - will sort this out by allowing increases in packet inspection, filtering and processing speeds to outstrip the sophistication required to keep the bad guys out.
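To make the quality-of-service point concrete, here is an added example that is not part of the original column: it computes the RFC 3550 interarrival jitter estimate and the share of packets arriving too late for a fixed playout buffer, over two constructed traces (a quiet LAN with constant delay and a congested best-effort link), and then adds a constant per-packet delay to model the extra processing the report says security devices introduce. The 20 ms packet interval, the 60 ms playout buffer and every delay value are assumptions chosen for illustration, not measurements.

```python
"""Interarrival jitter (RFC 3550, section 6.4.1) and playout-buffer late loss
for constructed VoIP packet traces. All traces and numbers below are
constructed for illustration, not captured from a real network."""

from typing import List, Sequence, Tuple

PACKET_INTERVAL_MS = 20.0  # typical G.711 packetisation interval (assumption)


def interarrival_jitter(send_ms: Sequence[float], recv_ms: Sequence[float]) -> float:
    """RFC 3550 running jitter estimate, in the units of the timestamps.

    D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1});  J = J + (|D| - J) / 16
    """
    if len(send_ms) != len(recv_ms):
        raise ValueError("send and receive traces must be the same length")
    jitter = 0.0
    for i in range(1, len(send_ms)):
        d = (recv_ms[i] - recv_ms[i - 1]) - (send_ms[i] - send_ms[i - 1])
        jitter += (abs(d) - jitter) / 16.0
    return jitter


def late_fraction(send_ms: Sequence[float], recv_ms: Sequence[float],
                  playout_delay_ms: float) -> float:
    """Fraction of packets arriving after their playout point S_i + playout_delay.

    A packet that misses its playout slot is as good as lost to the codec.
    """
    late = sum(1 for s, r in zip(send_ms, recv_ms) if r > s + playout_delay_ms)
    return late / len(send_ms)


def min_playout_delay(send_ms: Sequence[float], recv_ms: Sequence[float],
                      max_late_fraction: float) -> float:
    """Smallest playout delay (ms) that keeps late loss within the target.

    The optimum is always one of the observed one-way delays, so try those in order.
    """
    delays = sorted(r - s for s, r in zip(send_ms, recv_ms))
    for d in delays:
        if late_fraction(send_ms, recv_ms, d) <= max_late_fraction:
            return d
    return delays[-1]


def add_inspection_delay(recv_ms: Sequence[float], inspection_ms: float) -> List[float]:
    """Model a firewall or IDS adding a fixed per-packet processing delay."""
    return [r + inspection_ms for r in recv_ms]


def build_trace(one_way_delays_ms: Sequence[float]) -> Tuple[List[float], List[float]]:
    """Constructed trace: packets sent every PACKET_INTERVAL_MS with the given delays."""
    send = [i * PACKET_INTERVAL_MS for i in range(len(one_way_delays_ms))]
    recv = [s + d for s, d in zip(send, one_way_delays_ms)]
    return send, recv


# Constructed one-way delays per packet (ms); values are assumptions.
QUIET_LAN = [30.0] * 10                                  # light load: constant delay
CONGESTED = [30, 30, 45, 70, 95, 120, 40, 30, 65, 30]    # best-effort queueing under load


def report(name: str, delays: Sequence[float], playout_delay_ms: float,
           inspection_ms: float = 0.0) -> dict:
    """Summarise one trace: jitter, late loss at the given buffer, buffer needed for <=1% loss."""
    send, recv = build_trace(delays)
    recv = add_inspection_delay(recv, inspection_ms)
    return {
        "name": name,
        "jitter_ms": interarrival_jitter(send, recv),
        "late_fraction": late_fraction(send, recv, playout_delay_ms),
        "min_playout_for_1pct_ms": min_playout_delay(send, recv, 0.01),
    }


if __name__ == "__main__":
    for r in (report("quiet LAN", QUIET_LAN, 60.0),
              report("congested", CONGESTED, 60.0),
              report("congested + 30 ms inspection", CONGESTED, 60.0, 30.0)):
        print(r)
```

The constant inspection delay leaves the jitter estimate unchanged, because a fixed offset cancels in the D(i-1,i) term, yet it pushes more packets past the 60 ms playout point. That is the trade-off the report describes: the remedy is a deeper playout buffer (more end-to-end latency) or prioritisation of voice packets ahead of the inspection queue, not removal of the inspection.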
Skype and similar systems are superb examples of simplicity hiding complexity. Although it is true that business-quality VoIP needs to deliver a far higher level of guaranteed quality and security than that offered by Skype, the same principle applies.
The Nist report goes into detail about the complexity and vulnerability of the underlying protocols used by VoIP and how a large number of configurable parameters can open a multitude of attack points. However, as technology matures, that complexity becomes abstracted and hidden behind friendly front-ends which can not only make systems easier to configure and use but also harder to break.
The report concluded that secure VoIP can be done, but it must be done properly. Because there is no one-size-fits-all solution and the standards are still fluid, it should be done in a supplier-independent way. The recommendations made are mostly extensions of existing security best practices and should come as no surprise to anyone already taking security seriously.
Ian Shepherd is solutions manager at network provider Telindus
Nist VoIP security report in a nutshell
The transmission of voice over packet-switched IP networks is one of the most important trends in telecommunications. VoIP introduces both security risks and opportunities. VoIP has a very different architecture than traditional circuit-based telephony, and this results in security issues. Lower cost and greater flexibility are among the promises of VoIP, but it should not be installed without careful consideration of the security problems introduced.
This was first published in April 2005