VoIP turns up the heat on firewalls

Because of VoIP, firewalls may never be the same. New research shows that organizations underestimate the demands that enterprise VoIP security places on existing firewalls, and that those demands are altering the landscape of the firewall market.

Scottsdale, Ariz.-based research firm InStat in June surveyed 220 IT professionals from companies of all sizes, and more than 75% of respondents at companies that have implemented VoIP plan to replace their security appliances within the next year.

That could further bolster the security appliance market, which InStat has forecast to eclipse $7 billion in revenue by 2009.

Victoria Fodale, a research analyst with InStat and author of the report "Trends and Spending Plans for Security Appliances," said the research revealed that organizations often aren't concerned about whether their firewalls can handle VoIP traffic -- specifically specialized protocols like Session Initiation Protocol (SIP) and H.323 -- until after their VoIP implementations are completed or well under way.

"At first glance it seems organizations aren't being proactive," Fodale said, "but I think there are a couple of other things that could be happening."

For instance, Fodale said, since companies commonly begin VoIP implementations with limited internal trials, they often fail to realize the breadth of the security implications that come with securely transmitting voice packets beyond the network perimeter, like the need to prevent call recording, denial-of-service attacks and other threats without degrading call quality.

Or those that do, she said, falsely believe existing firewalls are capable of handing VoIP security and lack information to the contrary until they get hands-on experience.

"For some reason security seems to lag behind advances in technology. We saw the same thing with Wi-Fi," Fodale said.

She noted that many organizations do have a heightened awareness of security issues, but budget pressures and the fact that there has yet to be a publicized major corporate VoIP security breach seem to prevent companies from investing in VoIP security appliances from the get-go.

Despite that, more than 60% of survey respondents said they were concerned about several VoIP security issues, including exposure of sensitive company information via call logs or voice mail, eavesdropping, system failures due to malware and other malicious attacks, and fraudulent use of voice services by those inside and outside the organization.

However, since many of these fears can be allayed with new firewall technology, Fodale said it's only a matter of time before organizations make major investments in VoIP-specific security appliances.

"SIP, unlike HTTP, contains the IP address information in the message payload, not the header," Fodale said, "so for firewalls to deliver SIP messages, they have to have application awareness to translate that information."

Without that awareness, Fodale said, companies would be forced to scale back their security measures, like leaving a wide range of port addresses open, which would be the equivalent of tearing a gaping hole in an organization's network perimeter.

For more information Check out our VoIP Security Resource Guide. Learn more on how VoIP demands more from a firewall. Read more articles written by News Editor Eric B. Parizo.

Fodale said traditional firewall vendors such as SonicWall Inc., Check Point Software Technologies Ltd. and niche security appliance specialists like BorderWare Technologies Inc., Ingate and TippingPoint (acquired by 3Com Corp. late last year) have made strides in developing VoIP-specific firewalls. Plus, giants like Cisco Systems Inc. and Juniper Networks Inc. have addressed VoIP security via acquisitions.

Even with so many vendors working to thwart potential VoIP security problems, Fodale said it's likely inevitable that the firewall market will become much more specialized to deal with not only VoIP concerns, but also an increasingly creative group of malicious hackers.

"I think it's unrealistic to think that a single firewall could manage the security in a converged network," Fodale said. "I think there will be multiple devices involved, maybe [intrusion prevention system] overlays, maybe software, maybe new devices that work in conjunction with switches."