VoIP networks need serious security review

Internet protocol-based voice networks may be the wave of the future, but they will require a whole new approach to security, warned telecoms experts at the VON Europe voice-over IP conference in London this week.

The wide-ranging programme covered everything from the nuts and bolts of connecting 3G and IP networks to a look at "disruptive" VoIP systems that could permanently change the way people use telephony.

The most controversial presentation was from Niklas Zennstrom, chief executive of peer-to-peer VoIP service Skype Technologies, who argued traditional telcos were heading for oblivion.

And as if in response, hours later BT Group revealed its plans to turn its entire PSTN phone network into an IP network by 2009.

VoIP has many advantages over traditional telephone networks, both in cost and in value-added services such as integrated multimedia and file transfer. But there is a catch: enterprise users will suddenly have to think about threats such as denial-of-service attacks, worms and even VoIP spam, warned executives from networking giants such as Nortel Networks, Cisco Systems and Alcatel.

"As with any IP network, security is a permanent issue," said Francois Cosquer, director of security research with Alcatel. "You're not secure or insecure, you have a security process. You always have to be getting ready for the next issue."

Networking companies and telcos are confident they can toughen IP networks sufficiently that services will be as reliable as traditional infrastructure - indeed, Brian Day, Nortel vice president of wireline networks, noted that carrier-grade offerings are in place already and there have been no major security incidents so far.

And most agreed that VoIP would not be offered to customers unless quality can be guaranteed. Still, the seriousness of the threats will come as a wake-up call to companies considering IP-based voice services.

Ari Takanen, chief executive of security firm Codenomicon, made the bracing argument that security problems are really a matter of rooting out software bugs, something that can't be addressed by security protocols and standards.

"You can have five nines [99.999] reliability, but if there's one software flaw, it can bring the network down," he said. "If you know a vulnerability you can disable a network anywhere, any time, repeatedly."

The problem can be addressed by third-party testing - from firms such as Codenomicon - but requires attention and investment from the software provider.

For that reason, Takanen said he would steer clear of open-source applications. "With open source, I would question whether anyone is investing in it," he said. "I wouldn't trust it. I want somebody to be responsible for security."

The relative security of open-source and proprietary software is a controversial issue, with some proprietary suppliers arguing open source is patched more slowly and is exposed to the scrutiny of potential attackers. Open-source suppliers say they patch at least as quickly as proprietary companies, and have the advantage of security contributions from a huge developer community.

Other experts downplayed the security issue, saying solutions could be found. In fact, IP systems can be more reliable than traditional voice networks, said Cisco Systems technical marketing engineer Greg Moore. "After 9/11, the PBXs went down, but the VoIP networks stayed up," he said. "Disaster recovery is easier with IP PBXs."

Alcatel's Cosquer said that while security is important, it is something of a red herring. "There is not really a choice between IP and traditional networks," he said. "IP is what the research and development resources are going into. We are going to have a good IP-based infrastructure."

The most advanced IP-based voice networks do not even come into contact with the general internet, he said, because they are completely insulated from the network manager's bête noire, "a guy at home with a broadband connection trying to take down your network".

Consumer-oriented VoIP services such as Vonage Holdings in the US do transmit voice over the public internet, he said, and might be vulnerable to such attacks. Vonage routes calls over a broadband connection using a standard telephone.

While big networking companies and telcos are taking an evolutionary approach to VoIP, they should be nervous about the emergence of completely new ways of using voice that are based on disruptive business models, said one analyst at VON.

James Enck, European telecoms analyst with Daiwa Securities SMBC Europe, warned that the next big trend in voice is likely to come from outside the traditional telecommunications world, from small groups of programmers or web companies such as Google.

Such organizations are not tied down by the need to protect revenues from traditional networks and could end up grabbing consumers from telcos, Enck said.

Skype, which offers a PC-based, peer-to-peer VoIP service similar to an instant-messaging application, is a case in point. CEO Zennstrom, who delivered an afternoon keynote speech on Tuesday, said his company does not need to make money from every user, a complete turnaround from the telecoms industry's focus on average revenue per user (ARPU).

Instead, the company is modelling itself on Yahoo - it wants to achieve a broad user base with free services, and then sell value-added services such as the ability to connect calls to traditional telephone numbers. Skype says more than 13 million users have downloaded its software.

Zennstrom surprised the audience of telecommunications service providers by arguing that the voice revenues that make up the majority of their income will inevitably disappear under the onslaught of free VoIP services.

"Revenues from voice will go down," said Zennstrom. "Telecoms companies can see this as a problem, and try to protect their voice revenues, or they can see it as an opportunity to sell more broadband and come up with other services."

Skype's software, which combines video calling, IM and voice, is aimed at consumers, but it is not altogether different from a system demonstrated by Nortel's Day. The system, already in use by Nortel internally, integrates with desktop phones in the office, but adds multimedia and IM-like presence management. Users can also make calls from their laptops over any IP network, including public wireless LANs.

However, Nortel's system aims to deliver a healthy ARPU to service providers. Day said the basic VoIP service would deliver about $200 ARPU a year, while the multimedia service would bring this up to $300 a year.

Matthew Broersma writes for Techworld.com
