ComputerWeekly.com recently tried to instigate an interactive forum asking the question as to whether Windows-based systems were inherently secure. One of the reader replies suggested the fact that Windows-oriented attacks were so common jwas just because of the almost ubiquitous nature of Windows based products. He also produced empirical evidence of the growing number of OpenSource based attacks being attributable to the fact that such solutions had simply grew more popular.
The same is now being seen in the voice over IP (VoIP) arena, especially with market leader Skype. Once regarded as niche technology, VoIP is firmly established within businesses of all sorts, especially SMBs, as it offers huge potential savings by running telecoms and data networks off the same IP based infrastructure.
The majority of security managers in SMBs will just have to realise that very soon their company will probably either assess or deploy a VoIP service and that it was likely that hackers would soon start targeting VoIP: this is precisely what has happened.
To get the seriousness of this into perspective, let’s look at some market numbers. A wide variety of surveys have produced a wide variety of results but by January 2006, analysts predicted that there were upwards of five million people using Skype at any given time. The number of downloads of the client software is well past the 200 million mark.
For some time, Skype has introduced more enterprise-oriented services and become more relevant to enterprises. Yet there is a welter of opinion warning users against Skype, slamming it for offering weak defences against hackers and bypassing corporate firewalls, for being susceptible to denial of service attacks and also generally being prone to virus attack.
The attacks on Skype and VoIP in general, are being led by Info-Tech who is calling for businesses to impose an outright ban of Skype. Commented senior research analyst Ross Armstrong: "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability,” says Info-Tech. “If you are going to use Skype within the enterprise, manage it as you would any other IT service: with policy and diligence.” Info-Tech added that as Skype is 'undetectable, untraceable and unauditable’, the product would also threaten companies’ ability to satisfy compliance regulations, as well as opening up them up to a legal quagmire.
UK analyst Butler Group has also weighed in; identifying what it says is Skype’s problem of ‘super nodes’. These occur when lots of Skype users need a route onto the wider internet from behind the firewall and open potential result is that a machine and its network segment could become deluged with Skype traffic.
More alarmingly, according to research by European business communications company Viatel, almost half of European IT directors believe VoIP networks are “inherently insecure”, with the figure rising to 56% among computing professionals working in the financial sector. According to the study, DoS attacks and viruses are viewed by IT directors as the most significant VoIP security threats (53 percent). The second most significant perceived threat (25 percent) identified by the survey is eavesdropping - where those connected to the IP network hack into important calls.
It’s not just the analysts who are reacting to such concerns. Bulletin boards and blogs are highlighting the view held by a number of network administrators that Skype bypasses firewalls, NATs and proxies; its traffic cannot be isolated; is inherently susceptible by being P2P; and is, in one opinion, “the perfect backdoor” and may even protect zero-day attacks. In October even Skype itself found a bug in its user client, although it wasted no time in identifying and fixing the problem that could cause Skype to be remotely forced to crash.
Yet before security managers get ready en mass to brandish their pitchforks and march upon Skype, you should bear a few things in mind: Skype is here to stay and there are techniques to secure its use. In spite of its generally gloomy outlook, the Viatel study concluded that despite continued security concerns firms would not be put off from adopting converged voice/data technology. In fact, some two-thirds of IT managers responding to Viatel said they do not see the perceived security issues as a deterrent: respondents indicated that they see the cost savings and advanced functionality of VoIP as a significant enough reason to make the switch and override their security fears.
Such thinking brought this advice from senior vice president of business development Roberto Bonanzinga who suggests adopting a number of measures: encrypting voice traffic; running it over a VPN; properly configuring firewalls; choosing a provider where you do not have to completely overhaul your firewall configuration.
And Bonanzinga also gave a very good summation of what you should be doing regarding making all VoIP applications secure. "When you cut through all the hype, securing voice traffic really isn't any different from securing data traffic - it's all about ensuring your IP network is secure, "he states.
Your business managers will be thinking the same thing.